diff --git a/Pipfile.lock b/Pipfile.lock index 2416e3258..f56216248 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68" + "sha256": "7353b17b3a357cace77fb11fbbc501c2b619c7644c676d360f67f70a7feeb9c8" }, "pipfile-spec": 6, "requires": { 
@@ -18,42 +18,43 @@ "default": { "attrs": { "hashes": [ - "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", - "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6", + "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.2.0" + "markers": "python_version >= '3.5'", + "version": "==22.1.0" }, "certifi": { "hashes": [ - "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", - "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", + "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" ], - "version": "==2021.5.30" + "index": "pypi", + "version": "==2022.12.7" }, "charset-normalizer": { "hashes": [ - "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", - "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597", + "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df" ], "markers": "python_version >= '3'", - "version": "==2.0.4" + "version": "==2.0.12" }, "deprecated": { "hashes": [ - "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771", - "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1" + "sha256:43ac5335da90c31c24ba028af536a91d41d53f9e6901ddb021bcc572ce44e38d", + "sha256:64756e3e14c8c5eea9795d93c524551432a0be75629f8f29e67ab8caf076c76d" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.2.12" + "version": "==1.2.13" }, "idna": { "hashes": [ - "sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", - 
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" + "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", + "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" ], "markers": "python_version >= '3'", - "version": "==3.2" + "version": "==3.4" }, "jsonschema": { "hashes": [ 
@@ -80,30 +81,31 @@ }, "pyrsistent": { "hashes": [ - "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2", - "sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7", - "sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea", - "sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426", - "sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710", - "sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1", - "sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396", - "sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2", - "sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680", - "sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35", - "sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427", - "sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b", - "sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b", - "sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f", - "sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef", - "sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c", - "sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4", - "sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d", - "sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78", - "sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b", - "sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72" + "sha256:055ab45d5911d7cae397dc418808d8802fb95262751872c841c170b0dbf51eed", + "sha256:111156137b2e71f3a9936baf27cb322e8024dac3dc54ec7fb9f0bcf3249e68bb", + "sha256:187d5730b0507d9285a96fca9716310d572e5464cadd19f22b63a6976254d77a", + "sha256:21455e2b16000440e896ab99e8304617151981ed40c29e9507ef1c2e4314ee95", + 
"sha256:2aede922a488861de0ad00c7630a6e2d57e8023e4be72d9d7147a9fcd2d30712", + "sha256:3ba4134a3ff0fc7ad225b6b457d1309f4698108fb6b35532d015dca8f5abed73", + "sha256:456cb30ca8bff00596519f2c53e42c245c09e1a4543945703acd4312949bfd41", + "sha256:71d332b0320642b3261e9fee47ab9e65872c2bd90260e5d225dabeed93cbd42b", + "sha256:879b4c2f4d41585c42df4d7654ddffff1239dc4065bc88b745f0341828b83e78", + "sha256:9cd3e9978d12b5d99cbdc727a3022da0430ad007dacf33d0bf554b96427f33ab", + "sha256:a178209e2df710e3f142cbd05313ba0c5ebed0a55d78d9945ac7a4e09d923308", + "sha256:b39725209e06759217d1ac5fcdb510e98670af9e37223985f330b611f62e7425", + "sha256:bfa0351be89c9fcbcb8c9879b826f4353be10f58f8a677efab0c017bf7137ec2", + "sha256:bfd880614c6237243ff53a0539f1cb26987a6dc8ac6e66e0c5a40617296a045e", + "sha256:c43bec251bbd10e3cb58ced80609c5c1eb238da9ca78b964aea410fb820d00d6", + "sha256:d690b18ac4b3e3cab73b0b7aa7dbe65978a172ff94970ff98d82f2031f8971c2", + "sha256:d6982b5a0237e1b7d876b60265564648a69b14017f3b5f908c5be2de3f9abb7a", + "sha256:dec3eac7549869365fe263831f576c8457f6c833937c68542d08fde73457d291", + "sha256:e371b844cec09d8dc424d940e54bba8f67a03ebea20ff7b7b0d56f526c71d584", + "sha256:e5d8f84d81e3729c3b506657dddfe46e8ba9c330bf1858ee33108f8bb2adb38a", + "sha256:ea6b79a02a28550c98b6ca9c35b9f492beaa54d7c5c9e9949555893c8a9234d0", + "sha256:f1258f4e6c42ad0b20f9cfcc3ada5bd6b83374516cd01c0960e3cb75fdca6770" ], - "markers": "python_version >= '3.6'", - "version": "==0.18.0" + "markers": "python_version >= '3.7'", + "version": "==0.19.2" }, "python-dateutil": { "hashes": [ 
@@ -115,10 +117,11 @@ }, "python-utils": { "hashes": [ - "sha256:18fbc1a1df9a9061e3059a48ebe5c8a66b654d688b0e3ecca8b339a7f168f208", - "sha256:352d5b1febeebf9b3cdb9f3c87a3b26ef22d3c9e274a8ec1e7048ecd2fac4349" + "sha256:22990259324eae88faa3389d302861a825dbdd217ab40e3ec701851b3337d592", + "sha256:7e329c427a6d23036cfcc4501638afb31b2ddc8896f25393562833874b8c6e0a" ], - "version": "==2.5.6" + "markers": "python_version >= '3.7'", + "version": "==3.4.5" }, "pyyaml": { "hashes": [ 
@@ -165,38 +168,59 @@ }, "ruamel.yaml": { "hashes": [ - "sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67", - "sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815" + "sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7", + "sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af" ], "index": "pypi", - "version": "==0.17.10" + "version": "==0.17.21" }, "ruamel.yaml.clib": { "hashes": [ - "sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd", - "sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0", - "sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277", - "sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104", - "sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd", - "sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78", - "sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99", - "sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527", - "sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84", - "sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7", - "sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468", - "sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b", - "sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94", - "sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233", - "sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb", - "sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5", - "sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe", - "sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751", - "sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502", - 
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed", - "sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c" + "sha256:045e0626baf1c52e5527bd5db361bc83180faaba2ff586e763d3d5982a876a9e", + "sha256:15910ef4f3e537eea7fe45f8a5d19997479940d9196f357152a09031c5be59f3", + "sha256:184faeaec61dbaa3cace407cffc5819f7b977e75360e8d5ca19461cd851a5fc5", + "sha256:1f08fd5a2bea9c4180db71678e850b995d2a5f4537be0e94557668cf0f5f9497", + "sha256:2aa261c29a5545adfef9296b7e33941f46aa5bbd21164228e833412af4c9c75f", + "sha256:3110a99e0f94a4a3470ff67fc20d3f96c25b13d24c6980ff841e82bafe827cac", + "sha256:3243f48ecd450eddadc2d11b5feb08aca941b5cd98c9b1db14b2fd128be8c697", + "sha256:370445fd795706fd291ab00c9df38a0caed0f17a6fb46b0f607668ecb16ce763", + "sha256:40d030e2329ce5286d6b231b8726959ebbe0404c92f0a578c0e2482182e38282", + "sha256:41d0f1fa4c6830176eef5b276af04c89320ea616655d01327d5ce65e50575c94", + "sha256:4a4d8d417868d68b979076a9be6a38c676eca060785abaa6709c7b31593c35d1", + "sha256:4b3a93bb9bc662fc1f99c5c3ea8e623d8b23ad22f861eb6fce9377ac07ad6072", + "sha256:5bc0667c1eb8f83a3752b71b9c4ba55ef7c7058ae57022dd9b29065186a113d9", + "sha256:721bc4ba4525f53f6a611ec0967bdcee61b31df5a56801281027a3a6d1c2daf5", + "sha256:763d65baa3b952479c4e972669f679fe490eee058d5aa85da483ebae2009d231", + "sha256:7bdb4c06b063f6fd55e472e201317a3bb6cdeeee5d5a38512ea5c01e1acbdd93", + "sha256:8831a2cedcd0f0927f788c5bdf6567d9dc9cc235646a434986a852af1cb54b4b", + "sha256:91a789b4aa0097b78c93e3dc4b40040ba55bef518f84a40d4442f713b4094acb", + "sha256:92460ce908546ab69770b2e576e4f99fbb4ce6ab4b245345a3869a0a0410488f", + "sha256:99e77daab5d13a48a4054803d052ff40780278240a902b880dd37a51ba01a307", + "sha256:a234a20ae07e8469da311e182e70ef6b199d0fbeb6c6cc2901204dd87fb867e8", + "sha256:a7b301ff08055d73223058b5c46c55638917f04d21577c95e00e0c4d79201a6b", + "sha256:be2a7ad8fd8f7442b24323d24ba0b56c51219513cfa45b9ada3b87b76c374d4b", + "sha256:bf9a6bc4a0221538b1a7de3ed7bca4c93c02346853f44e1cd764be0023cd3640", 
+ "sha256:c3ca1fbba4ae962521e5eb66d72998b51f0f4d0f608d3c0347a48e1af262efa7", + "sha256:d000f258cf42fec2b1bbf2863c61d7b8918d31ffee905da62dede869254d3b8a", + "sha256:d5859983f26d8cd7bb5c287ef452e8aacc86501487634573d260968f753e1d71", + "sha256:d5e51e2901ec2366b79f16c2299a03e74ba4531ddcfacc1416639c557aef0ad8", + "sha256:debc87a9516b237d0466a711b18b6ebeb17ba9f391eb7f91c649c5c4ec5006c7", + "sha256:df5828871e6648db72d1c19b4bd24819b80a755c4541d3409f0f7acd0f335c80", + "sha256:ecdf1a604009bd35c674b9225a8fa609e0282d9b896c03dd441a91e5f53b534e", + "sha256:efa08d63ef03d079dcae1dfe334f6c8847ba8b645d08df286358b1f5293d24ab", + "sha256:f01da5790e95815eb5a8a138508c01c758e5f5bc0ce4286c4f7028b8dd7ac3d0", + "sha256:f34019dced51047d6f70cb9383b2ae2853b7fc4dce65129a5acd49f4f9256646" ], - "markers": "python_version < '3.10' and platform_python_implementation == 'CPython'", - "version": "==0.2.6" + "markers": "python_version < '3.11' and platform_python_implementation == 'CPython'", + "version": "==0.2.7" + }, + "setuptools": { + "hashes": [ + "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", + "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" + ], + "markers": "python_version >= '3.7'", + "version": "==65.6.3" }, "six": { "hashes": [ @@ -206,6 +230,14 @@ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.16.0" }, + "termcolor": { + "hashes": [ + "sha256:67cee2009adc6449c650f6bcf3bdeed00c8ba53a8cda5362733c53e0a39fb70b", + "sha256:fa852e957f97252205e105dd55bbc23b419a70fec0085708fc0515e399f304fd" + ], + "index": "pypi", + "version": "==2.1.1" + }, "urllib3": { "hashes": [ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", 
@@ -216,69 +248,191 @@ }, "wrapt": { "hashes": [ - "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7" + "sha256:00b6d4ea20a906c0ca56d84f93065b398ab74b927a7a3dbd470f6fc503f95dc3", + "sha256:01c205616a89d09827986bc4e859bcabd64f5a0662a7fe95e0d359424e0e071b", + "sha256:02b41b633c6261feff8ddd8d11c711df6842aba629fdd3da10249a53211a72c4", + "sha256:07f7a7d0f388028b2df1d916e94bbb40624c59b48ecc6cbc232546706fac74c2", + "sha256:11871514607b15cfeb87c547a49bca19fde402f32e2b1c24a632506c0a756656", + "sha256:1b376b3f4896e7930f1f772ac4b064ac12598d1c38d04907e696cc4d794b43d3", + "sha256:21ac0156c4b089b330b7666db40feee30a5d52634cc4560e1905d6529a3897ff", + "sha256:257fd78c513e0fb5cdbe058c27a0624c9884e735bbd131935fd49e9fe719d310", + "sha256:2b39d38039a1fdad98c87279b48bc5dce2c0ca0d73483b12cb72aa9609278e8a", + "sha256:2cf71233a0ed05ccdabe209c606fe0bac7379fdcf687f39b944420d2a09fdb57", + "sha256:2fe803deacd09a233e4762a1adcea5db5d31e6be577a43352936179d14d90069", + "sha256:3232822c7d98d23895ccc443bbdf57c7412c5a65996c30442ebe6ed3df335383", + "sha256:34aa51c45f28ba7f12accd624225e2b1e5a3a45206aa191f6f9aac931d9d56fe", + "sha256:36f582d0c6bc99d5f39cd3ac2a9062e57f3cf606ade29a0a0d6b323462f4dd87", + "sha256:380a85cf89e0e69b7cfbe2ea9f765f004ff419f34194018a6827ac0e3edfed4d", + "sha256:40e7bc81c9e2b2734ea4bc1aceb8a8f0ceaac7c5299bc5d69e37c44d9081d43b", + "sha256:43ca3bbbe97af00f49efb06e352eae40434ca9d915906f77def219b88e85d907", + "sha256:4fcc4649dc762cddacd193e6b55bc02edca674067f5f98166d7713b193932b7f", + "sha256:5a0f54ce2c092aaf439813735584b9537cad479575a09892b8352fea5e988dc0", + "sha256:5a9a0d155deafd9448baff28c08e150d9b24ff010e899311ddd63c45c2445e28", + "sha256:5b02d65b9ccf0ef6c34cba6cf5bf2aab1bb2f49c6090bafeecc9cd81ad4ea1c1", + "sha256:60db23fa423575eeb65ea430cee741acb7c26a1365d103f7b0f6ec412b893853", + "sha256:642c2e7a804fcf18c222e1060df25fc210b9c58db7c91416fb055897fc27e8cc", + "sha256:6a9a25751acb379b466ff6be78a315e2b439d4c94c1e99cb7266d40a537995d3", + 
"sha256:6b1a564e6cb69922c7fe3a678b9f9a3c54e72b469875aa8018f18b4d1dd1adf3", + "sha256:6d323e1554b3d22cfc03cd3243b5bb815a51f5249fdcbb86fda4bf62bab9e164", + "sha256:6e743de5e9c3d1b7185870f480587b75b1cb604832e380d64f9504a0535912d1", + "sha256:709fe01086a55cf79d20f741f39325018f4df051ef39fe921b1ebe780a66184c", + "sha256:7b7c050ae976e286906dd3f26009e117eb000fb2cf3533398c5ad9ccc86867b1", + "sha256:7d2872609603cb35ca513d7404a94d6d608fc13211563571117046c9d2bcc3d7", + "sha256:7ef58fb89674095bfc57c4069e95d7a31cfdc0939e2a579882ac7d55aadfd2a1", + "sha256:80bb5c256f1415f747011dc3604b59bc1f91c6e7150bd7db03b19170ee06b320", + "sha256:81b19725065dcb43df02b37e03278c011a09e49757287dca60c5aecdd5a0b8ed", + "sha256:833b58d5d0b7e5b9832869f039203389ac7cbf01765639c7309fd50ef619e0b1", + "sha256:88bd7b6bd70a5b6803c1abf6bca012f7ed963e58c68d76ee20b9d751c74a3248", + "sha256:8ad85f7f4e20964db4daadcab70b47ab05c7c1cf2a7c1e51087bfaa83831854c", + "sha256:8c0ce1e99116d5ab21355d8ebe53d9460366704ea38ae4d9f6933188f327b456", + "sha256:8d649d616e5c6a678b26d15ece345354f7c2286acd6db868e65fcc5ff7c24a77", + "sha256:903500616422a40a98a5a3c4ff4ed9d0066f3b4c951fa286018ecdf0750194ef", + "sha256:9736af4641846491aedb3c3f56b9bc5568d92b0692303b5a305301a95dfd38b1", + "sha256:988635d122aaf2bdcef9e795435662bcd65b02f4f4c1ae37fbee7401c440b3a7", + "sha256:9cca3c2cdadb362116235fdbd411735de4328c61425b0aa9f872fd76d02c4e86", + "sha256:9e0fd32e0148dd5dea6af5fee42beb949098564cc23211a88d799e434255a1f4", + "sha256:9f3e6f9e05148ff90002b884fbc2a86bd303ae847e472f44ecc06c2cd2fcdb2d", + "sha256:a85d2b46be66a71bedde836d9e41859879cc54a2a04fad1191eb50c2066f6e9d", + "sha256:a9a52172be0b5aae932bef82a79ec0a0ce87288c7d132946d645eba03f0ad8a8", + "sha256:aa31fdcc33fef9eb2552cbcbfee7773d5a6792c137b359e82879c101e98584c5", + "sha256:b014c23646a467558be7da3d6b9fa409b2c567d2110599b7cf9a0c5992b3b471", + "sha256:b21bb4c09ffabfa0e85e3a6b623e19b80e7acd709b9f91452b8297ace2a8ab00", + "sha256:b5901a312f4d14c59918c221323068fad0540e34324925c8475263841dbdfe68", 
+ "sha256:b9b7a708dd92306328117d8c4b62e2194d00c365f18eff11a9b53c6f923b01e3", + "sha256:d1967f46ea8f2db647c786e78d8cc7e4313dbd1b0aca360592d8027b8508e24d", + "sha256:d52a25136894c63de15a35bc0bdc5adb4b0e173b9c0d07a2be9d3ca64a332735", + "sha256:d77c85fedff92cf788face9bfa3ebaa364448ebb1d765302e9af11bf449ca36d", + "sha256:d79d7d5dc8a32b7093e81e97dad755127ff77bcc899e845f41bf71747af0c569", + "sha256:dbcda74c67263139358f4d188ae5faae95c30929281bc6866d00573783c422b7", + "sha256:ddaea91abf8b0d13443f6dac52e89051a5063c7d014710dcb4d4abb2ff811a59", + "sha256:dee0ce50c6a2dd9056c20db781e9c1cfd33e77d2d569f5d1d9321c641bb903d5", + "sha256:dee60e1de1898bde3b238f18340eec6148986da0455d8ba7848d50470a7a32fb", + "sha256:e2f83e18fe2f4c9e7db597e988f72712c0c3676d337d8b101f6758107c42425b", + "sha256:e3fb1677c720409d5f671e39bac6c9e0e422584e5f518bfd50aa4cbbea02433f", + "sha256:ee2b1b1769f6707a8a445162ea16dddf74285c3964f605877a20e38545c3c462", + "sha256:ee6acae74a2b91865910eef5e7de37dc6895ad96fa23603d1d27ea69df545015", + "sha256:ef3f72c9666bba2bab70d2a8b79f2c6d2c1a42a7f7e2b0ec83bb2f9e383950af" ], - "version": "==1.12.1" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.14.1" } }, "develop": { "aiohttp": { "hashes": [ - "sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe", - "sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe", - "sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5", - "sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8", - "sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd", - "sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb", - "sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c", - "sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87", - "sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0", - 
"sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290", - "sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5", - "sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287", - "sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde", - "sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf", - "sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8", - "sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16", - "sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf", - "sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809", - "sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213", - "sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f", - "sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013", - "sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b", - "sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9", - "sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5", - "sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb", - "sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df", - "sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4", - "sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439", - "sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f", - "sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22", - "sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f", - "sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5", - "sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970", - "sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009", - "sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc", 
- "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a", - "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95" + "sha256:02f9a2c72fc95d59b881cf38a4b2be9381b9527f9d328771e90f72ac76f31ad8", + "sha256:059a91e88f2c00fe40aed9031b3606c3f311414f86a90d696dd982e7aec48142", + "sha256:05a3c31c6d7cd08c149e50dc7aa2568317f5844acd745621983380597f027a18", + "sha256:08c78317e950e0762c2983f4dd58dc5e6c9ff75c8a0efeae299d363d439c8e34", + "sha256:09e28f572b21642128ef31f4e8372adb6888846f32fecb288c8b0457597ba61a", + "sha256:0d2c6d8c6872df4a6ec37d2ede71eff62395b9e337b4e18efd2177de883a5033", + "sha256:16c121ba0b1ec2b44b73e3a8a171c4f999b33929cd2397124a8c7fcfc8cd9e06", + "sha256:1d90043c1882067f1bd26196d5d2db9aa6d268def3293ed5fb317e13c9413ea4", + "sha256:1e56b9cafcd6531bab5d9b2e890bb4937f4165109fe98e2b98ef0dcfcb06ee9d", + "sha256:20acae4f268317bb975671e375493dbdbc67cddb5f6c71eebdb85b34444ac46b", + "sha256:21b30885a63c3f4ff5b77a5d6caf008b037cb521a5f33eab445dc566f6d092cc", + "sha256:21d69797eb951f155026651f7e9362877334508d39c2fc37bd04ff55b2007091", + "sha256:256deb4b29fe5e47893fa32e1de2d73c3afe7407738bd3c63829874661d4822d", + "sha256:25892c92bee6d9449ffac82c2fe257f3a6f297792cdb18ad784737d61e7a9a85", + "sha256:2ca9af5f8f5812d475c5259393f52d712f6d5f0d7fdad9acdb1107dd9e3cb7eb", + "sha256:2d252771fc85e0cf8da0b823157962d70639e63cb9b578b1dec9868dd1f4f937", + "sha256:2dea10edfa1a54098703cb7acaa665c07b4e7568472a47f4e64e6319d3821ccf", + "sha256:2df5f139233060578d8c2c975128fb231a89ca0a462b35d4b5fcf7c501ebdbe1", + "sha256:2feebbb6074cdbd1ac276dbd737b40e890a1361b3cc30b74ac2f5e24aab41f7b", + "sha256:309aa21c1d54b8ef0723181d430347d7452daaff93e8e2363db8e75c72c2fb2d", + "sha256:3828fb41b7203176b82fe5d699e0d845435f2374750a44b480ea6b930f6be269", + "sha256:398701865e7a9565d49189f6c90868efaca21be65c725fc87fc305906be915da", + "sha256:43046a319664a04b146f81b40e1545d4c8ac7b7dd04c47e40bf09f65f2437346", + 
"sha256:437399385f2abcd634865705bdc180c8314124b98299d54fe1d4c8990f2f9494", + "sha256:45d88b016c849d74ebc6f2b6e8bc17cabf26e7e40c0661ddd8fae4c00f015697", + "sha256:47841407cc89a4b80b0c52276f3cc8138bbbfba4b179ee3acbd7d77ae33f7ac4", + "sha256:4a4fbc769ea9b6bd97f4ad0b430a6807f92f0e5eb020f1e42ece59f3ecfc4585", + "sha256:4ab94426ddb1ecc6a0b601d832d5d9d421820989b8caa929114811369673235c", + "sha256:4b0f30372cef3fdc262f33d06e7b411cd59058ce9174ef159ad938c4a34a89da", + "sha256:4e3a23ec214e95c9fe85a58470b660efe6534b83e6cbe38b3ed52b053d7cb6ad", + "sha256:512bd5ab136b8dc0ffe3fdf2dfb0c4b4f49c8577f6cae55dca862cd37a4564e2", + "sha256:527b3b87b24844ea7865284aabfab08eb0faf599b385b03c2aa91fc6edd6e4b6", + "sha256:54d107c89a3ebcd13228278d68f1436d3f33f2dd2af5415e3feaeb1156e1a62c", + "sha256:5835f258ca9f7c455493a57ee707b76d2d9634d84d5d7f62e77be984ea80b849", + "sha256:598adde339d2cf7d67beaccda3f2ce7c57b3b412702f29c946708f69cf8222aa", + "sha256:599418aaaf88a6d02a8c515e656f6faf3d10618d3dd95866eb4436520096c84b", + "sha256:5bf651afd22d5f0c4be16cf39d0482ea494f5c88f03e75e5fef3a85177fecdeb", + "sha256:5c59fcd80b9049b49acd29bd3598cada4afc8d8d69bd4160cd613246912535d7", + "sha256:653acc3880459f82a65e27bd6526e47ddf19e643457d36a2250b85b41a564715", + "sha256:66bd5f950344fb2b3dbdd421aaa4e84f4411a1a13fca3aeb2bcbe667f80c9f76", + "sha256:6f3553510abdbec67c043ca85727396ceed1272eef029b050677046d3387be8d", + "sha256:7018ecc5fe97027214556afbc7c502fbd718d0740e87eb1217b17efd05b3d276", + "sha256:713d22cd9643ba9025d33c4af43943c7a1eb8547729228de18d3e02e278472b6", + "sha256:73a4131962e6d91109bca6536416aa067cf6c4efb871975df734f8d2fd821b37", + "sha256:75880ed07be39beff1881d81e4a907cafb802f306efd6d2d15f2b3c69935f6fb", + "sha256:75e14eac916f024305db517e00a9252714fce0abcb10ad327fb6dcdc0d060f1d", + "sha256:8135fa153a20d82ffb64f70a1b5c2738684afa197839b34cc3e3c72fa88d302c", + "sha256:84b14f36e85295fe69c6b9789b51a0903b774046d5f7df538176516c3e422446", + "sha256:86fc24e58ecb32aee09f864cb11bb91bc4c1086615001647dbfc4dc8c32f4008", 
+ "sha256:87f44875f2804bc0511a69ce44a9595d5944837a62caecc8490bbdb0e18b1342", + "sha256:88c70ed9da9963d5496d38320160e8eb7e5f1886f9290475a881db12f351ab5d", + "sha256:88e5be56c231981428f4f506c68b6a46fa25c4123a2e86d156c58a8369d31ab7", + "sha256:89d2e02167fa95172c017732ed7725bc8523c598757f08d13c5acca308e1a061", + "sha256:8d6aaa4e7155afaf994d7924eb290abbe81a6905b303d8cb61310a2aba1c68ba", + "sha256:92a2964319d359f494f16011e23434f6f8ef0434acd3cf154a6b7bec511e2fb7", + "sha256:96372fc29471646b9b106ee918c8eeb4cca423fcbf9a34daa1b93767a88a2290", + "sha256:978b046ca728073070e9abc074b6299ebf3501e8dee5e26efacb13cec2b2dea0", + "sha256:9c7149272fb5834fc186328e2c1fa01dda3e1fa940ce18fded6d412e8f2cf76d", + "sha256:a0239da9fbafd9ff82fd67c16704a7d1bccf0d107a300e790587ad05547681c8", + "sha256:ad5383a67514e8e76906a06741febd9126fc7c7ff0f599d6fcce3e82b80d026f", + "sha256:ad61a9639792fd790523ba072c0555cd6be5a0baf03a49a5dd8cfcf20d56df48", + "sha256:b29bfd650ed8e148f9c515474a6ef0ba1090b7a8faeee26b74a8ff3b33617502", + "sha256:b97decbb3372d4b69e4d4c8117f44632551c692bb1361b356a02b97b69e18a62", + "sha256:ba71c9b4dcbb16212f334126cc3d8beb6af377f6703d9dc2d9fb3874fd667ee9", + "sha256:c37c5cce780349d4d51739ae682dec63573847a2a8dcb44381b174c3d9c8d403", + "sha256:c971bf3786b5fad82ce5ad570dc6ee420f5b12527157929e830f51c55dc8af77", + "sha256:d1fde0f44029e02d02d3993ad55ce93ead9bb9b15c6b7ccd580f90bd7e3de476", + "sha256:d24b8bb40d5c61ef2d9b6a8f4528c2f17f1c5d2d31fed62ec860f6006142e83e", + "sha256:d5ba88df9aa5e2f806650fcbeedbe4f6e8736e92fc0e73b0400538fd25a4dd96", + "sha256:d6f76310355e9fae637c3162936e9504b4767d5c52ca268331e2756e54fd4ca5", + "sha256:d737fc67b9a970f3234754974531dc9afeea11c70791dcb7db53b0cf81b79784", + "sha256:da22885266bbfb3f78218dc40205fed2671909fbd0720aedba39b4515c038091", + "sha256:da37dcfbf4b7f45d80ee386a5f81122501ec75672f475da34784196690762f4b", + "sha256:db19d60d846283ee275d0416e2a23493f4e6b6028825b51290ac05afc87a6f97", + 
"sha256:db4c979b0b3e0fa7e9e69ecd11b2b3174c6963cebadeecfb7ad24532ffcdd11a", + "sha256:e164e0a98e92d06da343d17d4e9c4da4654f4a4588a20d6c73548a29f176abe2", + "sha256:e168a7560b7c61342ae0412997b069753f27ac4862ec7867eff74f0fe4ea2ad9", + "sha256:e381581b37db1db7597b62a2e6b8b57c3deec95d93b6d6407c5b61ddc98aca6d", + "sha256:e65bc19919c910127c06759a63747ebe14f386cda573d95bcc62b427ca1afc73", + "sha256:e7b8813be97cab8cb52b1375f41f8e6804f6507fe4660152e8ca5c48f0436017", + "sha256:e8a78079d9a39ca9ca99a8b0ac2fdc0c4d25fc80c8a8a82e5c8211509c523363", + "sha256:ebf909ea0a3fc9596e40d55d8000702a85e27fd578ff41a5500f68f20fd32e6c", + "sha256:ec40170327d4a404b0d91855d41bfe1fe4b699222b2b93e3d833a27330a87a6d", + "sha256:f178d2aadf0166be4df834c4953da2d7eef24719e8aec9a65289483eeea9d618", + "sha256:f88df3a83cf9df566f171adba39d5bd52814ac0b94778d2448652fc77f9eb491", + "sha256:f973157ffeab5459eefe7b97a804987876dd0a55570b8fa56b4e1954bf11329b", + "sha256:ff25f48fc8e623d95eca0670b8cc1469a83783c924a602e0fbd47363bb54aaca" ], "markers": "python_version >= '3.6'", - "version": "==3.7.4.post0" + "version": "==3.8.3" + }, + "aiosignal": { + "hashes": [ + "sha256:54cd96e15e1649b75d6c87526a6ff0b6c1b0dd3459f43d9ca11d48c339b68cfc", + "sha256:f8376fb07dd1e86a584e4fcdec80b36b7f81aac666ebc724e2c090300dd83b17" + ], + "markers": "python_version >= '3.7'", + "version": "==1.3.1" }, "antlr4-python3-runtime": { "hashes": [ - "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33" + "sha256:f224469b4168294902bb1efa80a8bf7855f24c99aef99cbefc1bcd3cce77881b" ], "markers": "python_version >= '3'", - "version": "==4.8" + "version": "==4.9.3" }, "async-timeout": { "hashes": [ - "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", - "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3" + "sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15", + "sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c" ], - "markers": 
"python_full_version >= '3.5.3'", - "version": "==3.0.1" + "markers": "python_version >= '3.6'", + "version": "==4.0.2" }, "attackcti": { "hashes": [ @@ -290,34 +444,27 @@ }, "attrs": { "hashes": [ - "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", - "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6", + "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.2.0" + "markers": "python_version >= '3.5'", + "version": "==22.1.0" }, "certifi": { "hashes": [ - "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", - "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", + "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" ], - "version": "==2021.5.30" - }, - "chardet": { - "hashes": [ - "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", - "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==4.0.0" + "index": "pypi", + "version": "==2022.12.7" }, "charset-normalizer": { "hashes": [ - "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", - "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597", + "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df" ], "markers": "python_version >= '3'", - "version": "==2.0.4" + "version": "==2.0.12" }, "colorama": { "hashes": [ 
@@ -401,79 +548,197 @@ "index": "pypi", "version": "==6.2.0" }, + "frozenlist": { + "hashes": [ + "sha256:008a054b75d77c995ea26629ab3a0c0d7281341f2fa7e1e85fa6153ae29ae99c", + "sha256:02c9ac843e3390826a265e331105efeab489ffaf4dd86384595ee8ce6d35ae7f", + "sha256:034a5c08d36649591be1cbb10e09da9f531034acfe29275fc5454a3b101ce41a", + "sha256:05cdb16d09a0832eedf770cb7bd1fe57d8cf4eaf5aced29c4e41e3f20b30a784", + "sha256:0693c609e9742c66ba4870bcee1ad5ff35462d5ffec18710b4ac89337ff16e27", + "sha256:0771aed7f596c7d73444c847a1c16288937ef988dc04fb9f7be4b2aa91db609d", + "sha256:0af2e7c87d35b38732e810befb9d797a99279cbb85374d42ea61c1e9d23094b3", + "sha256:14143ae966a6229350021384870458e4777d1eae4c28d1a7aa47f24d030e6678", + "sha256:180c00c66bde6146a860cbb81b54ee0df350d2daf13ca85b275123bbf85de18a", + "sha256:1841e200fdafc3d51f974d9d377c079a0694a8f06de2e67b48150328d66d5483", + "sha256:23d16d9f477bb55b6154654e0e74557040575d9d19fe78a161bd33d7d76808e8", + "sha256:2b07ae0c1edaa0a36339ec6cce700f51b14a3fc6545fdd32930d2c83917332cf", + "sha256:2c926450857408e42f0bbc295e84395722ce74bae69a3b2aa2a65fe22cb14b99", + "sha256:2e24900aa13212e75e5b366cb9065e78bbf3893d4baab6052d1aca10d46d944c", + "sha256:303e04d422e9b911a09ad499b0368dc551e8c3cd15293c99160c7f1f07b59a48", + "sha256:352bd4c8c72d508778cf05ab491f6ef36149f4d0cb3c56b1b4302852255d05d5", + "sha256:3843f84a6c465a36559161e6c59dce2f2ac10943040c2fd021cfb70d58c4ad56", + "sha256:394c9c242113bfb4b9aa36e2b80a05ffa163a30691c7b5a29eba82e937895d5e", + "sha256:3bbdf44855ed8f0fbcd102ef05ec3012d6a4fd7c7562403f76ce6a52aeffb2b1", + "sha256:40de71985e9042ca00b7953c4f41eabc3dc514a2d1ff534027f091bc74416401", + "sha256:41fe21dc74ad3a779c3d73a2786bdf622ea81234bdd4faf90b8b03cad0c2c0b4", + "sha256:47df36a9fe24054b950bbc2db630d508cca3aa27ed0566c0baf661225e52c18e", + "sha256:4ea42116ceb6bb16dbb7d526e242cb6747b08b7710d9782aa3d6732bd8d27649", + "sha256:58bcc55721e8a90b88332d6cd441261ebb22342e238296bb330968952fbb3a6a", + 
"sha256:5c11e43016b9024240212d2a65043b70ed8dfd3b52678a1271972702d990ac6d", + "sha256:5cf820485f1b4c91e0417ea0afd41ce5cf5965011b3c22c400f6d144296ccbc0", + "sha256:5d8860749e813a6f65bad8285a0520607c9500caa23fea6ee407e63debcdbef6", + "sha256:6327eb8e419f7d9c38f333cde41b9ae348bec26d840927332f17e887a8dcb70d", + "sha256:65a5e4d3aa679610ac6e3569e865425b23b372277f89b5ef06cf2cdaf1ebf22b", + "sha256:66080ec69883597e4d026f2f71a231a1ee9887835902dbe6b6467d5a89216cf6", + "sha256:783263a4eaad7c49983fe4b2e7b53fa9770c136c270d2d4bbb6d2192bf4d9caf", + "sha256:7f44e24fa70f6fbc74aeec3e971f60a14dde85da364aa87f15d1be94ae75aeef", + "sha256:7fdfc24dcfce5b48109867c13b4cb15e4660e7bd7661741a391f821f23dfdca7", + "sha256:810860bb4bdce7557bc0febb84bbd88198b9dbc2022d8eebe5b3590b2ad6c842", + "sha256:841ea19b43d438a80b4de62ac6ab21cfe6827bb8a9dc62b896acc88eaf9cecba", + "sha256:84610c1502b2461255b4c9b7d5e9c48052601a8957cd0aea6ec7a7a1e1fb9420", + "sha256:899c5e1928eec13fd6f6d8dc51be23f0d09c5281e40d9cf4273d188d9feeaf9b", + "sha256:8bae29d60768bfa8fb92244b74502b18fae55a80eac13c88eb0b496d4268fd2d", + "sha256:8df3de3a9ab8325f94f646609a66cbeeede263910c5c0de0101079ad541af332", + "sha256:8fa3c6e3305aa1146b59a09b32b2e04074945ffcfb2f0931836d103a2c38f936", + "sha256:924620eef691990dfb56dc4709f280f40baee568c794b5c1885800c3ecc69816", + "sha256:9309869032abb23d196cb4e4db574232abe8b8be1339026f489eeb34a4acfd91", + "sha256:9545a33965d0d377b0bc823dcabf26980e77f1b6a7caa368a365a9497fb09420", + "sha256:9ac5995f2b408017b0be26d4a1d7c61bce106ff3d9e3324374d66b5964325448", + "sha256:9bbbcedd75acdfecf2159663b87f1bb5cfc80e7cd99f7ddd9d66eb98b14a8411", + "sha256:a4ae8135b11652b08a8baf07631d3ebfe65a4c87909dbef5fa0cdde440444ee4", + "sha256:a6394d7dadd3cfe3f4b3b186e54d5d8504d44f2d58dcc89d693698e8b7132b32", + "sha256:a97b4fe50b5890d36300820abd305694cb865ddb7885049587a5678215782a6b", + "sha256:ae4dc05c465a08a866b7a1baf360747078b362e6a6dbeb0c57f234db0ef88ae0", + "sha256:b1c63e8d377d039ac769cd0926558bb7068a1f7abb0f003e3717ee003ad85530", 
+ "sha256:b1e2c1185858d7e10ff045c496bbf90ae752c28b365fef2c09cf0fa309291669", + "sha256:b4395e2f8d83fbe0c627b2b696acce67868793d7d9750e90e39592b3626691b7", + "sha256:b756072364347cb6aa5b60f9bc18e94b2f79632de3b0190253ad770c5df17db1", + "sha256:ba64dc2b3b7b158c6660d49cdb1d872d1d0bf4e42043ad8d5006099479a194e5", + "sha256:bed331fe18f58d844d39ceb398b77d6ac0b010d571cba8267c2e7165806b00ce", + "sha256:c188512b43542b1e91cadc3c6c915a82a5eb95929134faf7fd109f14f9892ce4", + "sha256:c21b9aa40e08e4f63a2f92ff3748e6b6c84d717d033c7b3438dd3123ee18f70e", + "sha256:ca713d4af15bae6e5d79b15c10c8522859a9a89d3b361a50b817c98c2fb402a2", + "sha256:cd4210baef299717db0a600d7a3cac81d46ef0e007f88c9335db79f8979c0d3d", + "sha256:cfe33efc9cb900a4c46f91a5ceba26d6df370ffddd9ca386eb1d4f0ad97b9ea9", + "sha256:d5cd3ab21acbdb414bb6c31958d7b06b85eeb40f66463c264a9b343a4e238642", + "sha256:dfbac4c2dfcc082fcf8d942d1e49b6aa0766c19d3358bd86e2000bf0fa4a9cf0", + "sha256:e235688f42b36be2b6b06fc37ac2126a73b75fb8d6bc66dd632aa35286238703", + "sha256:eb82dbba47a8318e75f679690190c10a5e1f447fbf9df41cbc4c3afd726d88cb", + "sha256:ebb86518203e12e96af765ee89034a1dbb0c3c65052d1b0c19bbbd6af8a145e1", + "sha256:ee78feb9d293c323b59a6f2dd441b63339a30edf35abcb51187d2fc26e696d13", + "sha256:eedab4c310c0299961ac285591acd53dc6723a1ebd90a57207c71f6e0c2153ab", + "sha256:efa568b885bca461f7c7b9e032655c0c143d305bf01c30caf6db2854a4532b38", + "sha256:efce6ae830831ab6a22b9b4091d411698145cb9b8fc869e1397ccf4b4b6455cb", + "sha256:f163d2fd041c630fed01bc48d28c3ed4a3b003c00acd396900e11ee5316b56bb", + "sha256:f20380df709d91525e4bee04746ba612a4df0972c1b8f8e1e8af997e678c7b81", + "sha256:f30f1928162e189091cf4d9da2eac617bfe78ef907a761614ff577ef4edfb3c8", + "sha256:f470c92737afa7d4c3aacc001e335062d582053d4dbe73cda126f2d7031068dd", + "sha256:ff8bf625fe85e119553b5383ba0fb6aa3d0ec2ae980295aaefa552374926b3f4" + ], + "markers": "python_version >= '3.7'", + "version": "==1.3.3" + }, "idna": { "hashes": [ - 
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", - "sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" + "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", + "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" ], "markers": "python_version >= '3'", - "version": "==3.2" + "version": "==3.4" }, "more-itertools": { "hashes": [ - "sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d", - "sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a" + "sha256:250e83d7e81d0c87ca6bd942e6aeab8cc9daa6096d12c5308f3f92fa5e5c1f41", + "sha256:5a6257e40878ef0520b1803990e3e22303a41b5714006c32a3fd8304b26ea1ab" ], - "markers": "python_version >= '3.5'", - "version": "==8.8.0" + "markers": "python_version >= '3.7'", + "version": "==9.0.0" }, "multidict": { "hashes": [ - "sha256:018132dbd8688c7a69ad89c4a3f39ea2f9f33302ebe567a879da8f4ca73f0d0a", - "sha256:051012ccee979b2b06be928a6150d237aec75dd6bf2d1eeeb190baf2b05abc93", - "sha256:05c20b68e512166fddba59a918773ba002fdd77800cad9f55b59790030bab632", - "sha256:07b42215124aedecc6083f1ce6b7e5ec5b50047afa701f3442054373a6deb656", - "sha256:0e3c84e6c67eba89c2dbcee08504ba8644ab4284863452450520dad8f1e89b79", - "sha256:0e929169f9c090dae0646a011c8b058e5e5fb391466016b39d21745b48817fd7", - "sha256:1ab820665e67373de5802acae069a6a05567ae234ddb129f31d290fc3d1aa56d", - "sha256:25b4e5f22d3a37ddf3effc0710ba692cfc792c2b9edfb9c05aefe823256e84d5", - "sha256:2e68965192c4ea61fff1b81c14ff712fc7dc15d2bd120602e4a3494ea6584224", - "sha256:2f1a132f1c88724674271d636e6b7351477c27722f2ed789f719f9e3545a3d26", - "sha256:37e5438e1c78931df5d3c0c78ae049092877e5e9c02dd1ff5abb9cf27a5914ea", - "sha256:3a041b76d13706b7fff23b9fc83117c7b8fe8d5fe9e6be45eee72b9baa75f348", - "sha256:3a4f32116f8f72ecf2a29dabfb27b23ab7cdc0ba807e8459e59a93a9be9506f6", - "sha256:46c73e09ad374a6d876c599f2328161bcd95e280f84d2060cf57991dec5cfe76", - 
"sha256:46dd362c2f045095c920162e9307de5ffd0a1bfbba0a6e990b344366f55a30c1", - "sha256:4b186eb7d6ae7c06eb4392411189469e6a820da81447f46c0072a41c748ab73f", - "sha256:54fd1e83a184e19c598d5e70ba508196fd0bbdd676ce159feb412a4a6664f952", - "sha256:585fd452dd7782130d112f7ddf3473ffdd521414674c33876187e101b588738a", - "sha256:5cf3443199b83ed9e955f511b5b241fd3ae004e3cb81c58ec10f4fe47c7dce37", - "sha256:6a4d5ce640e37b0efcc8441caeea8f43a06addace2335bd11151bc02d2ee31f9", - "sha256:7df80d07818b385f3129180369079bd6934cf70469f99daaebfac89dca288359", - "sha256:806068d4f86cb06af37cd65821554f98240a19ce646d3cd24e1c33587f313eb8", - "sha256:830f57206cc96ed0ccf68304141fec9481a096c4d2e2831f311bde1c404401da", - "sha256:929006d3c2d923788ba153ad0de8ed2e5ed39fdbe8e7be21e2f22ed06c6783d3", - "sha256:9436dc58c123f07b230383083855593550c4d301d2532045a17ccf6eca505f6d", - "sha256:9dd6e9b1a913d096ac95d0399bd737e00f2af1e1594a787e00f7975778c8b2bf", - "sha256:ace010325c787c378afd7f7c1ac66b26313b3344628652eacd149bdd23c68841", - "sha256:b47a43177a5e65b771b80db71e7be76c0ba23cc8aa73eeeb089ed5219cdbe27d", - "sha256:b797515be8743b771aa868f83563f789bbd4b236659ba52243b735d80b29ed93", - "sha256:b7993704f1a4b204e71debe6095150d43b2ee6150fa4f44d6d966ec356a8d61f", - "sha256:d5c65bdf4484872c4af3150aeebe101ba560dcfb34488d9a8ff8dbcd21079647", - "sha256:d81eddcb12d608cc08081fa88d046c78afb1bf8107e6feab5d43503fea74a635", - "sha256:dc862056f76443a0db4509116c5cd480fe1b6a2d45512a653f9a855cc0517456", - "sha256:ecc771ab628ea281517e24fd2c52e8f31c41e66652d07599ad8818abaad38cda", - "sha256:f200755768dc19c6f4e2b672421e0ebb3dd54c38d5a4f262b872d8cfcc9e93b5", - "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281", - "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80" + "sha256:018c8e3be7f161a12b3e41741b6721f9baeb2210f4ab25a6359b7d76c1017dce", + "sha256:01b456046a05ff7cceefb0e1d2a9d32f05efcb1c7e0d152446304e11557639ce", + "sha256:114a4ab3e5cfbc56c4b6697686ecb92376c7e8c56893ef20547921552f8bdf57", 
+ "sha256:12e0d396faa6dc55ff5379eee54d1df3b508243ff15bfc8295a6ec7a4483a335", + "sha256:190626ced82d4cc567a09e7346340d380154a493bac6905e0095d8158cdf1e38", + "sha256:1f5d5129a937af4e3c4a1d6c139f4051b7d17d43276cefdd8d442a7031f7eef2", + "sha256:21e1ce0b187c4e93112304dcde2aa18922fdbe8fb4f13d8aa72a5657bce0563a", + "sha256:24e8d513bfcaadc1f8b0ebece3ff50961951c54b07d5a775008a882966102418", + "sha256:2523a29006c034687eccd3ee70093a697129a3ffe8732535d3b2df6a4ecc279d", + "sha256:26fbbe17f8a7211b623502d2bf41022a51da3025142401417c765bf9a56fed4c", + "sha256:2b66d61966b12e6bba500e5cbb2c721a35e119c30ee02495c5629bd0e91eea30", + "sha256:2cf5d19e12eff855aa198259c0b02fd3f5d07e1291fbd20279c37b3b0e6c9852", + "sha256:2cfda34b7cb99eacada2072e0f69c0ad3285cb6f8e480b11f2b6d6c1c6f92718", + "sha256:3541882266247c7cd3dba78d6ef28dbe704774df60c9e4231edaa4493522e614", + "sha256:36df958b15639e40472adaa4f0c2c7828fe680f894a6b48c4ce229f59a6a798b", + "sha256:38d394814b39be1c36ac709006d39d50d72a884f9551acd9c8cc1ffae3fc8c4e", + "sha256:4159fc1ec9ede8ab93382e0d6ba9b1b3d23c72da39a834db7a116986605c7ab4", + "sha256:445c0851a1cbc1f2ec3b40bc22f9c4a235edb3c9a0906122a9df6ea8d51f886c", + "sha256:47defc0218682281a52fb1f6346ebb8b68b17538163a89ea24dfe4da37a8a9a3", + "sha256:4cc5c8cd205a9810d16a5cd428cd81bac554ad1477cb87f4ad722b10992e794d", + "sha256:4ccf55f28066b4f08666764a957c2b7c241c7547b0921d69c7ceab5f74fe1a45", + "sha256:4fb3fe591956d8841882c463f934c9f7485cfd5f763a08c0d467b513dc18ef89", + "sha256:526f8397fc124674b8f39748680a0ff673bd6a715fecb4866716d36e380f015f", + "sha256:578bfcb16f4b8675ef71b960c00f174b0426e0eeb796bab6737389d8288eb827", + "sha256:5b51969503709415a35754954c2763f536a70b8bf7360322b2edb0c0a44391f6", + "sha256:5e58ec0375803526d395f6f7e730ecc45d06e15f68f7b9cdbf644a2918324e51", + "sha256:62db44727d0befea68e8ad2881bb87a9cfb6b87d45dd78609009627167f37b69", + "sha256:67090b17a0a5be5704fd109f231ee73cefb1b3802d41288d6378b5df46ae89ba", + 
"sha256:6cd14e61f0da2a2cfb9fe05bfced2a1ed7063ce46a7a8cd473be4973de9a7f91", + "sha256:70740c2bc9ab1c99f7cdcb104f27d16c63860c56d51c5bf0ef82fc1d892a2131", + "sha256:73009ea04205966d47e16d98686ac5c438af23a1bb30b48a2c5da3423ec9ce37", + "sha256:791458a1f7d1b4ab3bd9e93e0dcd1d59ef7ee9aa051dcd1ea030e62e49b923fd", + "sha256:7f9511e48bde6b995825e8d35e434fc96296cf07a25f4aae24ff9162be7eaa46", + "sha256:81c3d597591b0940e04949e4e4f79359b2d2e542a686ba0da5e25de33fec13e0", + "sha256:8230a39bae6c2e8a09e4da6bace5064693b00590a4a213e38f9a9366da10e7dd", + "sha256:8b92a9f3ab904397a33b193000dc4de7318ea175c4c460a1e154c415f9008e3d", + "sha256:94cbe5535ef150546b8321aebea22862a3284da51e7b55f6f95b7d73e96d90ee", + "sha256:960ce1b790952916e682093788696ef7e33ac6a97482f9b983abdc293091b531", + "sha256:99341ca1f1db9e7f47914cb2461305665a662383765ced6f843712564766956d", + "sha256:9aac6881454a750554ed4b280a839dcf9e2133a9d12ab4d417d673fb102289b7", + "sha256:9d359b0a962e052b713647ac1f13eabf2263167b149ed1e27d5c579f5c8c7d2c", + "sha256:9dbab2a7e9c073bc9538824a01f5ed689194db7f55f2b8102766873e906a6c1a", + "sha256:a27b029caa3b555a4f3da54bc1e718eb55fcf1a11fda8bf0132147b476cf4c08", + "sha256:a8b817d4ed68fd568ec5e45dd75ddf30cc72a47a6b41b74d5bb211374c296f5e", + "sha256:ad7d66422b9cc51125509229693d27e18c08f2dea3ac9de408d821932b1b3759", + "sha256:b46e79a9f4db53897d17bc64a39d1c7c2be3e3d4f8dba6d6730a2b13ddf0f986", + "sha256:baa96a3418e27d723064854143b2f414a422c84cc87285a71558722049bebc5a", + "sha256:beeca903e4270b4afcd114f371a9602240dc143f9e944edfea00f8d4ad56c40d", + "sha256:c2a1168e5aa7c72499fb03c850e0f03f624fa4a5c8d2e215c518d0a73872eb64", + "sha256:c5790cc603456b6dcf8a9a4765f666895a6afddc88b3d3ba7b53dea2b6e23116", + "sha256:cb4a08f0aaaa869f189ffea0e17b86ad0237b51116d494da15ef7991ee6ad2d7", + "sha256:cd5771e8ea325f85cbb361ddbdeb9ae424a68e5dfb6eea786afdcd22e68a7d5d", + "sha256:ce8e51774eb03844588d3c279adb94efcd0edeccd2f97516623292445bcc01f9", + "sha256:d09daf5c6ce7fc6ed444c9339bbde5ea84e2534d1ca1cd37b60f365c77f00dea", 
+ "sha256:d0e798b072cf2aab9daceb43d97c9c527a0c7593e67a7846ad4cc6051de1e303", + "sha256:d325d61cac602976a5d47b19eaa7d04e3daf4efce2164c630219885087234102", + "sha256:d408172519049e36fb6d29672f060dc8461fc7174eba9883c7026041ef9bfb38", + "sha256:d52442e7c951e4c9ee591d6047706e66923d248d83958bbf99b8b19515fffaef", + "sha256:dc4cfef5d899f5f1a15f3d2ac49f71107a01a5a2745b4dd53fa0cede1419385a", + "sha256:df7b4cee3ff31b3335aba602f8d70dbc641e5b7164b1e9565570c9d3c536a438", + "sha256:e068dfeadbce63072b2d8096486713d04db4946aad0a0f849bd4fc300799d0d3", + "sha256:e07c24018986fb00d6e7eafca8fcd6e05095649e17fcf0e33a592caaa62a78b9", + "sha256:e0bce9f7c30e7e3a9e683f670314c0144e8d34be6b7019e40604763bd278d84f", + "sha256:e1925f78a543b94c3d46274c66a366fee8a263747060220ed0188e5f3eeea1c0", + "sha256:e322c94596054352f5a02771eec71563c018b15699b961aba14d6dd943367022", + "sha256:e4a095e18847c12ec20e55326ab8782d9c2d599400a3a2f174fab4796875d0e2", + "sha256:e5a811aab1b4aea0b4be669363c19847a8c547510f0e18fb632956369fdbdf67", + "sha256:eddf604a3de2ace3d9a4e4d491be7562a1ac095a0a1c95a9ec5781ef0273ef11", + "sha256:ee9b1cae9a6c5d023e5a150f6f6b9dbb3c3bbc7887d6ee07d4c0ecb49a473734", + "sha256:f1650ea41c408755da5eed52ac6ccbc8938ccc3e698d81e6f6a1be02ff2a0945", + "sha256:f2c0957b3e8c66c10d27272709a5299ab3670a0f187c9428f3b90d267119aedb", + "sha256:f76109387e1ec8d8e2137c94c437b89fe002f29e0881aae8ae45529bdff92000", + "sha256:f8a728511c977df6f3d8af388fcb157e49f11db4a6637dd60131b8b6e40b0253", + "sha256:fb6c3dc3d65014d2c782f5acf0b3ba14e639c6c33d3ed8932ead76b9080b3544" ], - "markers": "python_version >= '3.6'", - "version": "==5.1.0" + "markers": "python_version >= '3.7'", + "version": "==6.0.3" }, "packaging": { "hashes": [ - "sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7", - "sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14" + "sha256:2198ec20bd4c017b8f9717e00f0c8714076fc2fd93816750ab48e2c41de2cfd3", + 
"sha256:957e2148ba0e1a3b282772e791ef1d8083648bc131c8ab0c1feba110ce1146c3" ], - "markers": "python_version >= '3.6'", - "version": "==21.0" + "markers": "python_version >= '3.7'", + "version": "==22.0" }, "pathspec": { "hashes": [ - "sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a", - "sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1" + "sha256:88c2606f2c1e818b978540f73ecc908e13999c6c3a383daf3705652ae79807a5", + "sha256:8f6bf73e5758fd365ef5d58ce09ac7c27d2833a8d7da51712eac6e27e35141b0" ], - "version": "==0.9.0" + "markers": "python_version >= '3.7'", + "version": "==0.10.2" }, "pluggy": { "hashes": [ @@ -485,19 +750,11 @@ }, "py": { "hashes": [ - "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", - "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" + "sha256:51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719", + "sha256:607c53218732647dff4acdfcd50cb62615cedf612e72d1724fb1a0cc6405b378" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.10.0" - }, - "pyparsing": { - "hashes": [ - "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", - "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.4.7" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.11.0" }, "pytest": { "hashes": [ @@ -509,10 +766,10 @@ }, "pytz": { "hashes": [ - "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", - "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" + "sha256:222439474e9c98fced559f1709d89e6c9cbf8d79c794ff3eb9f8800064291427", + "sha256:e89512406b793ca39f5971bc999cc538ce125c0e51c27941bef4568b460095e2" ], - "version": "==2021.1" + "version": "==2022.6" }, "pyyaml": { "hashes": [ 
@@ -557,49 +814,80 @@ "index": "pypi", "version": "==2.26.0" }, + "setuptools": { + "hashes": [ + "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", + "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" + ], + "markers": "python_version >= '3.7'", + "version": "==65.6.3" + }, "simplejson": { "hashes": [ - "sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7", - "sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085", - "sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb", - "sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476", - "sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473", - "sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e", - "sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c", - "sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732", - "sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b", - "sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34", - "sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586", - "sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da", - "sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34", - "sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564", - "sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e", - "sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926", - "sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e", - "sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08", - "sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e", - "sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c", - "sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999", - 
"sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e", - "sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314", - "sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95", - "sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277", - "sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda", - "sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61", - "sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640", - "sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e", - "sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee", - "sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86", - "sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98", - "sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616", - "sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b", - "sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c", - "sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc", - "sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858", - "sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec" + "sha256:002f069c7bb9a86826616a78f1214fea5b993435720990eecb0bf10955b9cd0e", + "sha256:00b673f0b3caf37a3d993bccf30a97290da6313b6ecc7d66937e9cd906d8f840", + "sha256:07e408222931b1a2aab71e60e5f169fa7c0d74cacd4e0a6a0199716cb18dad76", + "sha256:0de746c8f76355c79fd15eccd7ecde0b137cd911bdcdc463fc5c36ec3d8b98ea", + "sha256:0f33d16fa7b5e2ed6ea85d7b31bc84cf8c73c40cc2c9f87071e0fffcd52f5342", + "sha256:0f49858b5fc802081b71269f4a3aa5c5500ec6553637c9a0630f30a2a6541ea7", + "sha256:17dbc7f71fa5b7e4a2acef38cf0be30461ae6659456a978ce7eeebeb5bdf9e1a", + "sha256:17ec5e408fb6615250c1f18fb4eac3b2b99a85e8613bfc2dfa54827d0bf7f3e1", + "sha256:1b4085151e00ab7ca66f269aff7153f0ec18589cb22e7ceb8b365709c723fdd0", 
+ "sha256:1f169402069f8cf93e359f607725b1d920c4dbe5bda4c520025d5fad8d20c1b7", + "sha256:1fbacdbba3cf5a471c67a9ca6cd270bba9578d5bc22aef6028faebbdb98bbb15", + "sha256:252f7cc5524bb5507a08377a4a75aa7ff4645f3dfca814d38bdbcf0f3c34d1ce", + "sha256:2aeed35db00cdf5d49ff1e7d878afd38c86a5fead0f1d364d539ad4d7a869e0e", + "sha256:2cc76435569e6c19574a8e913cfccbed832249b2b3b360caee9a4caf8ff866bf", + "sha256:448ab14fa67b3ac235a8445d14ec6d56268c3dabbce78720f9efa6d698466710", + "sha256:4609feb2ae66c132c6dcbe01dbfd4f6431afb4ff17303e37ca128fb6297cebd2", + "sha256:46bafa7e794f0e91fde850d906b0dc29a624c726b27e75d23bc8c3e35a48f28b", + "sha256:4a6199d302ec7d889e1aa6b493aa8e40b4dfa4bd85708f8c8f0c64ce5b8e0986", + "sha256:4d8d016f70d241f82189bc9f6d1eb8558b3599861f2c501b3f32da7fdf4e92ac", + "sha256:503da91993cc671fe7ebbf120c3ce868278de8226f158336afde874f7b7aa871", + "sha256:54c63cc7857f16a20aa170ffda9ebce45a3b7ba764b67a5a95bfe7ae613a2710", + "sha256:58a429d2c2fa80834115b923ff689622de8f214cf0dc4afa9f59e824b444ab31", + "sha256:599e9c53d3203bc36ef68efec138ca76d201da7ac06a114fae78536a8c10e35b", + "sha256:5f3dd31309ae5cc9f2df51d2d5cac89722dac3c853042ebefcaf7ad06ca19387", + "sha256:6187cbea7fdede732fe0347ad08cd920ebd9faa30b6c48782cee494051ca97c6", + "sha256:622cf0e1f870f189a0757fdcad7998a0c1dd46b0e53aeac9960556c141319c83", + "sha256:638bdd2deaccd3b8e02b1783280bd82341df5e1faa59c4f0276f03f16eec13ea", + "sha256:6804ad50aaf581df5c982fc101b0d932638066fe191074ded783602eb1c8982a", + "sha256:7a4d9b266ae6db578719f1255c742e76ee4676593087f4f6b79a2bbae2b1dcc5", + "sha256:7a9476dcd72aeba7d55c4800b9cd2204201af3539894b8512d74597e35a3033a", + "sha256:7b95c5cf71c16e4fdaa724719aaf8ccbed533e2df57a20bcff825ceeead27688", + "sha256:8493d2c1a940471b07d7c9c356a3f4eee780df073da2917418d0fe8669b54f99", + "sha256:875cfb43b622672218045dc927a86fc7c4c8111264c1d303aca5de33d5df479e", + "sha256:8d762267c4af617e1798bd0151f626105d06a88f214e3874b77eb89106f899fe", + 
"sha256:94c17d01e4c65e63deec46c984bb810de5e3a1259eb6bacdca63f3efc9c4c673", + "sha256:96979ff7f0daf47422d5f95d2d006da3210e0490a166bce2529f59f55047fc67", + "sha256:97139bf5134d713710665a6edb9500d69b93642c4b6b44b20800232dbd0f5b39", + "sha256:989b31d586954e65170ad3ec597218a6790c401b82da6193e8a897a06aa7946e", + "sha256:98b4c824f15436f1b22fe6d73c42ffacb246f7efc4d9dbbee542dd72355ecc43", + "sha256:9aff3c24017a7819c76b2f177d4fe8334b3d4cb6f702a2d7c666b3d57c36ffb4", + "sha256:9db78e18624f94d7b5642bf487244f803dab844e771d92e83f85f22da21ffe2d", + "sha256:a0e6dd5a0b8c76fb7522470789f1af793d39d6edbd4e40853e7be550ad49c430", + "sha256:a2f70d8170c7e02166a4c91462581e6ae5f35e3351a6b6c5142adcb04c7153ac", + "sha256:a814227fa08cae435ac7a42dcd2a04a7ec4a3cee23b7f83f9544cd26f452dcc4", + "sha256:aa9ecdd1d7ecbc7d1066c37cfbe52f65adf64b11b22d481a98fe1d3675dfff4b", + "sha256:b2b19d7aa4e9a1e7bf8caaf5f478a790190c60136314f45bb7702cb5a9337266", + "sha256:b4997bd8332cef3923402a07351571788f552f55ea1394ffbfccd4d203a8a05f", + "sha256:b71fef8ee41d59509c7f4afac7f627ed143c9e6db9eb08cfbba85e4c4dc5e67b", + "sha256:bd67d6fad7f4cd7c9cb7fad32d78ce32862fdb574b898447987a5de22fd37d73", + "sha256:ca22993a1a00440392c6c76f39addab8d97c706d2a8bcc2c9b2b6cb2cd7f41df", + "sha256:ce1c0580372d3c9bfa151bd0721a9bd5647b9b2245d0588d813fdbd2eb5d6f22", + "sha256:d522f28f7b252454df86ac3db5a0e1fe5ae03c8fc0cd1592c912b07c9fad6c29", + "sha256:d5d25cc5dad31a10d7a8196125515cc3aa68187c8953459fcaf127c2c8410f51", + "sha256:d9f7a692c11de20cb8ec680584815315e03d1404a6e299d36489b0fb6447d98d", + "sha256:d9fa2ad4cabb5054faa8d4a44b84134b0ec9d1421f5e9264d057d6be4d13c7fa", + "sha256:db53a85f4db0dbd9e5f6277d9153bcaa2ccb87b0d672c6a35f19432b3f2301a3", + "sha256:db9d36c4c7997c2a2513a5d218fd90b53bfeaf7e727f94aaf3576973378b3bce", + "sha256:e80f02e68d25c222471fcc5d1933275b8eb396e5e40b7863e4e0a43b3c810059", + "sha256:e84bd1c29e83ec74a95de070473742eb52d08502f2428eff5751671081e0a0a6", + "sha256:f0e12bdafdf7e32c5ad4a073e325ea0d659d4277af8b3d8eccf3101c56879619", 
+ "sha256:fd56a9e0c63a1f9c37621fe298c77795aefd2a26dca80dcae27688586c40b4bb" ], "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==3.17.3" + "version": "==3.18.0" }, "six": { "hashes": [ @@ -618,10 +906,11 @@ }, "stix2-patterns": { "hashes": [ - "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4", - "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992" + "sha256:07750c5a5af2c758e9d2aa4dde9d8e04bcd162ac2a9b0b4c4de4481d443efa08", + "sha256:ca4d68b2db42ed99794a418388769d2676ca828e9cac0b8629e73cd3f68f6458" ], - "version": "==1.3.2" + "markers": "python_version >= '3.6'", + "version": "==2.0.0" }, "taxii2-client": { "hashes": [ @@ -630,14 +919,6 @@ ], "version": "==2.3.0" }, - "typing-extensions": { - "hashes": [ - "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", - "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", - "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" - ], - "version": "==3.10.0.0" - }, "urllib3": { "hashes": [ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", 
@@ -662,46 +943,83 @@ }, "yarl": { "hashes": [ - "sha256:00d7ad91b6583602eb9c1d085a2cf281ada267e9a197e8b7cae487dadbfa293e", - "sha256:0355a701b3998dcd832d0dc47cc5dedf3874f966ac7f870e0f3a6788d802d434", - "sha256:15263c3b0b47968c1d90daa89f21fcc889bb4b1aac5555580d74565de6836366", - "sha256:2ce4c621d21326a4a5500c25031e102af589edb50c09b321049e388b3934eec3", - "sha256:31ede6e8c4329fb81c86706ba8f6bf661a924b53ba191b27aa5fcee5714d18ec", - "sha256:324ba3d3c6fee56e2e0b0d09bf5c73824b9f08234339d2b788af65e60040c959", - "sha256:329412812ecfc94a57cd37c9d547579510a9e83c516bc069470db5f75684629e", - "sha256:4736eaee5626db8d9cda9eb5282028cc834e2aeb194e0d8b50217d707e98bb5c", - "sha256:4953fb0b4fdb7e08b2f3b3be80a00d28c5c8a2056bb066169de00e6501b986b6", - "sha256:4c5bcfc3ed226bf6419f7a33982fb4b8ec2e45785a0561eb99274ebbf09fdd6a", - "sha256:547f7665ad50fa8563150ed079f8e805e63dd85def6674c97efd78eed6c224a6", - "sha256:5b883e458058f8d6099e4420f0cc2567989032b5f34b271c0827de9f1079a424", - "sha256:63f90b20ca654b3ecc7a8d62c03ffa46999595f0167d6450fa8383bab252987e", - "sha256:68dc568889b1c13f1e4745c96b931cc94fdd0defe92a72c2b8ce01091b22e35f", - "sha256:69ee97c71fee1f63d04c945f56d5d726483c4762845400a6795a3b75d56b6c50", - "sha256:6d6283d8e0631b617edf0fd726353cb76630b83a089a40933043894e7f6721e2", - "sha256:72a660bdd24497e3e84f5519e57a9ee9220b6f3ac4d45056961bf22838ce20cc", - "sha256:73494d5b71099ae8cb8754f1df131c11d433b387efab7b51849e7e1e851f07a4", - "sha256:7356644cbed76119d0b6bd32ffba704d30d747e0c217109d7979a7bc36c4d970", - "sha256:8a9066529240171b68893d60dca86a763eae2139dd42f42106b03cf4b426bf10", - "sha256:8aa3decd5e0e852dc68335abf5478a518b41bf2ab2f330fe44916399efedfae0", - "sha256:97b5bdc450d63c3ba30a127d018b866ea94e65655efaf889ebeabc20f7d12406", - "sha256:9ede61b0854e267fd565e7527e2f2eb3ef8858b301319be0604177690e1a3896", - "sha256:b2e9a456c121e26d13c29251f8267541bd75e6a1ccf9e859179701c36a078643", - "sha256:b5dfc9a40c198334f4f3f55880ecf910adebdcb2a0b9a9c23c9345faa9185721", - 
"sha256:bafb450deef6861815ed579c7a6113a879a6ef58aed4c3a4be54400ae8871478", - "sha256:c49ff66d479d38ab863c50f7bb27dee97c6627c5fe60697de15529da9c3de724", - "sha256:ce3beb46a72d9f2190f9e1027886bfc513702d748047b548b05dab7dfb584d2e", - "sha256:d26608cf178efb8faa5ff0f2d2e77c208f471c5a3709e577a7b3fd0445703ac8", - "sha256:d597767fcd2c3dc49d6eea360c458b65643d1e4dbed91361cf5e36e53c1f8c96", - "sha256:d5c32c82990e4ac4d8150fd7652b972216b204de4e83a122546dce571c1bdf25", - "sha256:d8d07d102f17b68966e2de0e07bfd6e139c7c02ef06d3a0f8d2f0f055e13bb76", - "sha256:e46fba844f4895b36f4c398c5af062a9808d1f26b2999c58909517384d5deda2", - "sha256:e6b5460dc5ad42ad2b36cca524491dfcaffbfd9c8df50508bddc354e787b8dc2", - "sha256:f040bcc6725c821a4c0665f3aa96a4d0805a7aaf2caf266d256b8ed71b9f041c", - "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a", - "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71" + "sha256:009a028127e0a1755c38b03244c0bea9d5565630db9c4cf9572496e947137a87", + "sha256:0414fd91ce0b763d4eadb4456795b307a71524dbacd015c657bb2a39db2eab89", + "sha256:0978f29222e649c351b173da2b9b4665ad1feb8d1daa9d971eb90df08702668a", + "sha256:0ef8fb25e52663a1c85d608f6dd72e19bd390e2ecaf29c17fb08f730226e3a08", + "sha256:10b08293cda921157f1e7c2790999d903b3fd28cd5c208cf8826b3b508026996", + "sha256:1684a9bd9077e922300ecd48003ddae7a7474e0412bea38d4631443a91d61077", + "sha256:1b372aad2b5f81db66ee7ec085cbad72c4da660d994e8e590c997e9b01e44901", + "sha256:1e21fb44e1eff06dd6ef971d4bdc611807d6bd3691223d9c01a18cec3677939e", + "sha256:2305517e332a862ef75be8fad3606ea10108662bc6fe08509d5ca99503ac2aee", + "sha256:24ad1d10c9db1953291f56b5fe76203977f1ed05f82d09ec97acb623a7976574", + "sha256:272b4f1599f1b621bf2aabe4e5b54f39a933971f4e7c9aa311d6d7dc06965165", + "sha256:2a1fca9588f360036242f379bfea2b8b44cae2721859b1c56d033adfd5893634", + "sha256:2b4fa2606adf392051d990c3b3877d768771adc3faf2e117b9de7eb977741229", + "sha256:3150078118f62371375e1e69b13b48288e44f6691c1069340081c3fd12c94d5b", 
+ "sha256:326dd1d3caf910cd26a26ccbfb84c03b608ba32499b5d6eeb09252c920bcbe4f", + "sha256:34c09b43bd538bf6c4b891ecce94b6fa4f1f10663a8d4ca589a079a5018f6ed7", + "sha256:388a45dc77198b2460eac0aca1efd6a7c09e976ee768b0d5109173e521a19daf", + "sha256:3adeef150d528ded2a8e734ebf9ae2e658f4c49bf413f5f157a470e17a4a2e89", + "sha256:3edac5d74bb3209c418805bda77f973117836e1de7c000e9755e572c1f7850d0", + "sha256:3f6b4aca43b602ba0f1459de647af954769919c4714706be36af670a5f44c9c1", + "sha256:3fc056e35fa6fba63248d93ff6e672c096f95f7836938241ebc8260e062832fe", + "sha256:418857f837347e8aaef682679f41e36c24250097f9e2f315d39bae3a99a34cbf", + "sha256:42430ff511571940d51e75cf42f1e4dbdded477e71c1b7a17f4da76c1da8ea76", + "sha256:44ceac0450e648de86da8e42674f9b7077d763ea80c8ceb9d1c3e41f0f0a9951", + "sha256:47d49ac96156f0928f002e2424299b2c91d9db73e08c4cd6742923a086f1c863", + "sha256:48dd18adcf98ea9cd721a25313aef49d70d413a999d7d89df44f469edfb38a06", + "sha256:49d43402c6e3013ad0978602bf6bf5328535c48d192304b91b97a3c6790b1562", + "sha256:4d04acba75c72e6eb90745447d69f84e6c9056390f7a9724605ca9c56b4afcc6", + "sha256:57a7c87927a468e5a1dc60c17caf9597161d66457a34273ab1760219953f7f4c", + "sha256:58a3c13d1c3005dbbac5c9f0d3210b60220a65a999b1833aa46bd6677c69b08e", + "sha256:5df5e3d04101c1e5c3b1d69710b0574171cc02fddc4b23d1b2813e75f35a30b1", + "sha256:63243b21c6e28ec2375f932a10ce7eda65139b5b854c0f6b82ed945ba526bff3", + "sha256:64dd68a92cab699a233641f5929a40f02a4ede8c009068ca8aa1fe87b8c20ae3", + "sha256:6604711362f2dbf7160df21c416f81fac0de6dbcf0b5445a2ef25478ecc4c778", + "sha256:6c4fcfa71e2c6a3cb568cf81aadc12768b9995323186a10827beccf5fa23d4f8", + "sha256:6d88056a04860a98341a0cf53e950e3ac9f4e51d1b6f61a53b0609df342cc8b2", + "sha256:705227dccbe96ab02c7cb2c43e1228e2826e7ead880bb19ec94ef279e9555b5b", + "sha256:728be34f70a190566d20aa13dc1f01dc44b6aa74580e10a3fb159691bc76909d", + "sha256:74dece2bfc60f0f70907c34b857ee98f2c6dd0f75185db133770cd67300d505f", + 
"sha256:75c16b2a900b3536dfc7014905a128a2bea8fb01f9ee26d2d7d8db0a08e7cb2c", + "sha256:77e913b846a6b9c5f767b14dc1e759e5aff05502fe73079f6f4176359d832581", + "sha256:7a66c506ec67eb3159eea5096acd05f5e788ceec7b96087d30c7d2865a243918", + "sha256:8c46d3d89902c393a1d1e243ac847e0442d0196bbd81aecc94fcebbc2fd5857c", + "sha256:93202666046d9edadfe9f2e7bf5e0782ea0d497b6d63da322e541665d65a044e", + "sha256:97209cc91189b48e7cfe777237c04af8e7cc51eb369004e061809bcdf4e55220", + "sha256:a48f4f7fea9a51098b02209d90297ac324241bf37ff6be6d2b0149ab2bd51b37", + "sha256:a783cd344113cb88c5ff7ca32f1f16532a6f2142185147822187913eb989f739", + "sha256:ae0eec05ab49e91a78700761777f284c2df119376e391db42c38ab46fd662b77", + "sha256:ae4d7ff1049f36accde9e1ef7301912a751e5bae0a9d142459646114c70ecba6", + "sha256:b05df9ea7496df11b710081bd90ecc3a3db6adb4fee36f6a411e7bc91a18aa42", + "sha256:baf211dcad448a87a0d9047dc8282d7de59473ade7d7fdf22150b1d23859f946", + "sha256:bb81f753c815f6b8e2ddd2eef3c855cf7da193b82396ac013c661aaa6cc6b0a5", + "sha256:bcd7bb1e5c45274af9a1dd7494d3c52b2be5e6bd8d7e49c612705fd45420b12d", + "sha256:bf071f797aec5b96abfc735ab97da9fd8f8768b43ce2abd85356a3127909d146", + "sha256:c15163b6125db87c8f53c98baa5e785782078fbd2dbeaa04c6141935eb6dab7a", + "sha256:cb6d48d80a41f68de41212f3dfd1a9d9898d7841c8f7ce6696cf2fd9cb57ef83", + "sha256:ceff9722e0df2e0a9e8a79c610842004fa54e5b309fe6d218e47cd52f791d7ef", + "sha256:cfa2bbca929aa742b5084fd4663dd4b87c191c844326fcb21c3afd2d11497f80", + "sha256:d617c241c8c3ad5c4e78a08429fa49e4b04bedfc507b34b4d8dceb83b4af3588", + "sha256:d881d152ae0007809c2c02e22aa534e702f12071e6b285e90945aa3c376463c5", + "sha256:da65c3f263729e47351261351b8679c6429151ef9649bba08ef2528ff2c423b2", + "sha256:de986979bbd87272fe557e0a8fcb66fd40ae2ddfe28a8b1ce4eae22681728fef", + "sha256:df60a94d332158b444301c7f569659c926168e4d4aad2cfbf4bce0e8fb8be826", + "sha256:dfef7350ee369197106805e193d420b75467b6cceac646ea5ed3049fcc950a05", + "sha256:e59399dda559688461762800d7fb34d9e8a6a7444fd76ec33220a926c8be1516", 
+ "sha256:e6f3515aafe0209dd17fb9bdd3b4e892963370b3de781f53e1746a521fb39fc0", + "sha256:e7fd20d6576c10306dea2d6a5765f46f0ac5d6f53436217913e952d19237efc4", + "sha256:ebb78745273e51b9832ef90c0898501006670d6e059f2cdb0e999494eb1450c2", + "sha256:efff27bd8cbe1f9bd127e7894942ccc20c857aa8b5a0327874f30201e5ce83d0", + "sha256:f37db05c6051eff17bc832914fe46869f8849de5b92dc4a3466cd63095d23dfd", + "sha256:f8ca8ad414c85bbc50f49c0a106f951613dfa5f948ab69c10ce9b128d368baf8", + "sha256:fb742dcdd5eec9f26b61224c23baea46c9055cf16f62475e11b9b15dfd5c117b", + "sha256:fc77086ce244453e074e445104f0ecb27530d6fd3a46698e33f6c38951d5a0f1", + "sha256:ff205b58dc2929191f68162633d5e10e8044398d7a45265f90a0f1d51f85f72c" ], - "markers": "python_version >= '3.6'", - "version": "==1.6.3" + "markers": "python_version >= '3.7'", + "version": "==1.8.2" } } } diff --git a/rules/application/antivirus/av_hacktool.yml b/rules/application/antivirus/av_hacktool.yml index 8c29fdb92..a00032666 100644 --- a/rules/application/antivirus/av_hacktool.yml +++ b/rules/application/antivirus/av_hacktool.yml @@ -19,8 +19,7 @@ detection: - 'HKTL' - 'SecurityTool' - 'ATK/' # Sophos - - Signature|contains: - - 'Hacktool' + - Signature|contains: 'Hacktool' condition: selection fields: - FileName diff --git a/rules/cloud/azure/azure_ad_azurehound_discovery.yml b/rules/cloud/azure/azure_ad_azurehound_discovery.yml new file mode 100644 index 000000000..41bada855 --- /dev/null +++ b/rules/cloud/azure/azure_ad_azurehound_discovery.yml 
@@ -0,0 +1,23 @@
+title: Discovery Using AzureHound
+id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
+status: experimental
+description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
+references:
+ - https://github.com/BloodHoundAD/AzureHound
+author: Janantha Marasinghe
+date: 2022/11/27
+tags:
+ - attack.discovery
+ - attack.t1087.004
+ - attack.t1526
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ userAgent|contains: 'azurehound'
+ ResultType: 0
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/web/web_cve_2021_27905_apache_solr_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml
new file mode 100644
index 000000000..697558820
--- /dev/null
+++ b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml
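Review bot: The only discriminating field is `userAgent|contains: 'azurehound'`, a client-supplied string that the collector ships as its default, so the rule covers unmodified tooling only and the description should say so; e.g. append `The User-Agent is set by the client, so a collector with a changed User-Agent will not match.` to the description. `ResultType: 0` restricts to successful sign-ins, which is consistent with the description's "after successful authentication".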
@@ -0,0 +1,36 @@
+title: Potential CVE-2021-27905 Exploitation Attempt
+id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
+status: experimental
+description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
+references:
+ - https://twitter.com/Al1ex4/status/1382981479727128580
+ - https://twitter.com/sec715/status/1373472323538362371
+ - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
+ - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
+ - https://github.com/murataydemir/CVE-2021-27905
+author: '@gott_cyber'
+date: 2022/12/11
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2021.27905
+logsource:
+ category: webserver
+detection:
+ selection_request1:
+ c-uri|contains|all:
+ - '/solr/'
+ - '/debug/dump?'
+ - 'param=ContentStream'
+ sc-status: '200'
+ selection_request2:
+ cs-method: 'GET'
+ c-uri|contains|all:
+ - '/solr/'
+ - 'command=fetchindex'
+ - 'masterUrl='
+ sc-status: '200'
+ condition: 1 of selection_*
+falsepositives:
+ - Vulnerability Scanners
+level: medium
diff --git a/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
new file mode 100644
index 000000000..d4ac076dd
--- /dev/null
+++ b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
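Review bot: Both selections require `sc-status: '200'`, so only requests the server answered successfully are matched, while the title and description speak of an exploitation attempt; attempts that get a non-200 response (patched or absent endpoint) never fire. Either drop the `sc-status` line from both selections, or rename to `title: Potential CVE-2021-27905 Exploitation` and state in the description that only successful responses are matched. selection_request1 also omits `cs-method` while selection_request2 pins `'GET'`; making the two consistent would make the intent clearer.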
@@ -0,0 +1,26 @@
+title: Potential Credential Dumping Via WER - Application
+id: a18e0862-127b-43ca-be12-1a542c75c7c5
+status: experimental
+description: Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
+author: Nasreddine Bencherchali
+date: 2022/12/07
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Provider_Name: 'Application Error'
+ EventID: 1000
+ AppName: 'lsass.exe'
+ ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
+ condition: selection
+falsepositives:
+ - Rare legitimate crashing of the lsass process
+level: high
diff --git a/rules/windows/builtin/security/win_security_etw_modification.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
similarity index 73%
rename from rules/windows/builtin/security/win_security_etw_modification.yml
rename to rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
index e05e6598e..e7225550f 100644
--- a/rules/windows/builtin/security/win_security_etw_modification.yml
+++ b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
@@ -1,5 +1,8 @@
-title: COMPlus_ETWEnabled Registry Modification
+title: ETW Logging Disabled In .NET Processes - Registry
 id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
+related:
+ - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
+ type: similar
 status: test
 description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
 references:
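Review bot: The description ends with `to dump credential`; it should read `to dump credentials`. This rule and the new file_event rule later in this commit (id 6902955a-01b7-432c-b32a-6f5f81d8f625, the LSASS dump artefact in CrashDumps) cover the same technique from two log sources, and the other new rules in this commit cross-reference such siblings, so adding `related:` / `- id: 6902955a-01b7-432c-b32a-6f5f81d8f625` / `type: similar` here (and the mirror entry in that rule) would keep the convention.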
@@ -12,22 +15,31 @@ references:
 - https://bunnyinside.com/?term=f71e8cb9c76a
 - http://managed670.rssing.com/chan-5590147/all_p1.html
 - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+ - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/06/05
-modified: 2022/10/05
+modified: 2022/12/09
 tags:
 - attack.defense_evasion
 - attack.t1112
+ - attack.t1562
 logsource:
 product: windows
 service: security
 detection:
- selection:
+ selection_etw_enabled:
 EventID: 4657
 ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
 ObjectValueName: 'ETWEnabled'
 NewValue: 0
- condition: selection
+ selection_complus:
+ EventID: 4657
+ ObjectName|endswith: '\Environment\'
+ ObjectValueName:
+ - 'COMPlus_ETWEnabled'
+ - 'COMPlus_ETWFlags'
+ NewValue: 0
+ condition: 1 of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
index 78d011da9..9ea2d5750 100644
--- a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
@@ -1,7 +1,7 @@
 title: Failed Code Integrity Checks
 id: 470ec5fa-7b4e-4071-b200-4c753100f49b
 status: stable
-description: Code integrity failures may indicate tampered executables.
+description: Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
 author: Thomas Patzke
 date: 2019/12/03
 modified: 2020/08/23
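Review bot: `ObjectName|endswith: '\Environment\'` in selection_complus carries a trailing backslash while the existing selection's `ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'` does not; ObjectName in 4657 is the key path, so at most one of the two forms can match real events and the pair should be made consistent (most likely `ObjectName|endswith: '\Environment'`) after checking against a sample event. A short comment naming which Environment keys (user and machine) the suffix is meant to cover would also help the next maintainer.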
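Review bot: The new description reads `due unauthorized modification`; it should be `due to unauthorized modification`. The rule's `modified: 2020/08/23` was not bumped even though its description changed, unlike the other edited rules in this commit, which set `modified` to a December 2022 date.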
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
index 0351da356..4da7fb242 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
@@ -6,6 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
 author: Nasreddine Bencherchali
 date: 2022/12/05
+modified: 2022/12/07
 tags:
 - attack.execution
 - attack.privilege_escalation
@@ -16,7 +17,7 @@ logsource:
 service: security
 definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
 detection:
- selection:
+ selection_eid:
 EventID: 4698
 selection_paths:
 TaskContent|contains:
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
index b19494759..1d43f616a 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
@@ -12,6 +12,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
 author: Nasreddine Bencherchali
 date: 2022/12/05
+modified: 2022/12/09
 tags:
 - attack.execution
 - attack.privilege_escalation
@@ -27,7 +28,7 @@ detection:
 - 4699 # Task Deleted Event
 - 4701 # Task Disabled Event
 TaskName|contains:
- # Add more important tasks>
+ # Add more important tasks
 - '\Windows\SystemRestore\SR'
 - '\Windows\Windows Defender\'
 - '\Windows\BitLocker'
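Review bot: `selection` is renamed to `selection_eid` in the task-creation rule, but the hunk shows no change to that rule's `condition:` line, which lies outside the hunk; if it still references `selection`, the rule no longer resolves. Confirm the new side's condition names `selection_eid` (for example `condition: selection_eid and 1 of selection_paths*`, whichever form the rule actually uses).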
@@ -35,7 +36,11 @@ detection:
 - '\Windows\WindowsUpdate\'
 - '\Windows\UpdateOrchestrator\'
 - '\Windows\ExploitGuard'
- condition: selection
+ filter_ac_power_download:
+ Task|contains: '\Windows\UpdateOrchestrator\AC Power Download'
+ filter_sys_username:
+ SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
index 510820c61..32dd4b9af 100644
--- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml
+++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
@@ -13,7 +13,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019/04/08
-modified: 2021/11/30
+modified: 2022/12/07
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -27,14 +27,16 @@ detection:
 PrivilegeList: 'SeLoadDriverPrivilege'
 Service: '-'
 filter:
- ProcessName|endswith:
- - '\Windows\System32\Dism.exe'
- - '\Windows\System32\rundll32.exe'
- - '\Windows\System32\fltMC.exe'
- - '\Windows\HelpPane.exe'
- - '\Windows\System32\mmc.exe'
- - '\Windows\System32\svchost.exe'
- - '\Windows\System32\wimserv.exe'
+ - ProcessName:
+ - 'C:\Windows\System32\Dism.exe'
+ - 'C:\Windows\System32\rundll32.exe'
+ - 'C:\Windows\System32\fltMC.exe'
+ - 'C:\Windows\HelpPane.exe'
+ - 'C:\Windows\System32\mmc.exe'
+ - 'C:\Windows\System32\svchost.exe'
+ - 'C:\Windows\System32\wimserv.exe'
+ - 'C:\Windows\System32\RuntimeBroker.exe'
+ - ProcessName|endswith:
 - '\procexp64.exe'
 - '\procexp.exe'
 - '\procmon64.exe'
diff --git a/rules/windows/builtin/system/win_system_service_install_hacktools.yml b/rules/windows/builtin/system/win_system_service_install_hacktools.yml
index 69d804443..7441654f1 100644
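Review bot: `filter_ac_power_download` matches on `Task|contains` whereas the selection in this file's earlier hunk matches on `TaskName|contains`; unless `Task` is a real field of the 4699/4701 events, the filter never matches and the AC Power Download task keeps firing, so it should read `TaskName|contains: '\Windows\UpdateOrchestrator\AC Power Download'`. `SubjectUserName|endswith: '$'` also excludes every action performed under a machine account (everything running as SYSTEM), not just the Defender upgrade case the comment describes; either narrow the filter to the Defender task names or extend the comment to record that trade-off.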
--- a/rules/windows/builtin/system/win_system_service_install_hacktools.yml +++ b/rules/windows/builtin/system/win_system_service_install_hacktools.yml @@ -28,8 +28,7 @@ detection: - 'pwdump' - 'gsecdump' - 'cachedump' - - ImagePath|contains: - - 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159 + - ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159 condition: service and selection falsepositives: - Unknown diff --git a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml index 9f80f5e71..1c18c99c1 100644 --- a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps author: Bhabesh Raj date: 2020/09/14 -modified: 2021/10/13 +modified: 2022/12/07 tags: - attack.execution - attack.t1059 @@ -15,8 +15,8 @@ logsource: service: windefend detection: selection: - EventID: 1116 - Source_Name: 'AMSI' + EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software. + SourceName: 'AMSI' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/builtin/windefend/win_defender_disabled.yml b/rules/windows/builtin/windefend/win_defender_disabled.yml index 7791cd210..432ddf5d0 100644 --- a/rules/windows/builtin/windefend/win_defender_disabled.yml +++ b/rules/windows/builtin/windefend/win_defender_disabled.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Ján Trenčanský, frack113 date: 2020/07/28 -modified: 2022/05/06 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 
@@ -17,11 +17,11 @@ logsource: detection: selection: EventID: - - 5001 - - 5010 - - 5012 - - 5101 + - 5001 # Real-time protection is disabled. + - 5010 # Scanning for malware and other potentially unwanted software is disabled. + - 5012 # Scanning for viruses is disabled. + - 5101 # The antimalware platform is expired. condition: selection falsepositives: - - Administrator actions -level: low + - Administrator actions (should be investigated) +level: high diff --git a/rules/windows/builtin/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml index 37b8c1c4d..9ecb61821 100644 --- a/rules/windows/builtin/windefend/win_defender_exclusions.yml +++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/_nullbind/status/1204923340810543109 author: Christian Burkard date: 2021/07/06 -modified: 2022/02/02 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 @@ -14,10 +14,10 @@ logsource: product: windows service: windefend detection: - selection1: - EventID: 5007 + selection: + EventID: 5007 # The antimalware platform configuration changed. NewValue|contains: '\Microsoft\Windows Defender\Exclusions' - condition: selection1 + condition: selection falsepositives: - Administrator actions level: medium diff --git a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml index 4840c3746..692e62478 100644 --- a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml +++ b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml 
@@ -6,16 +6,17 @@ references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali date: 2022/08/05 +modified: 2022/12/06 tags: - - attack.execution - - attack.t1059 + - attack.defense_evasion + - attack.t1562.001 logsource: product: windows service: windefend detection: allowed_apps_key: - EventID: 5007 - NewValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' + EventID: 5007 # The antimalware platform configuration changed. + NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' allowed_apps_path: NewValue|contains: # Add more paths you don't allow in your org @@ -25,9 +26,9 @@ detection: - '\PerfLogs\' - '\Windows\Temp\' protected_folders: - EventID: 5007 + EventID: 5007 # The antimalware platform configuration changed. # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths - OldValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' + OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' condition: all of allowed_apps* or protected_folders falsepositives: - Unlikely diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml index 0cfba55f8..8a0b8629b 100644 --- a/rules/windows/builtin/windefend/win_defender_history_delete.yml +++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml 
@@ -4,23 +4,22 @@ status: test
 description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
+ - https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
 author: Cian Heasley
 date: 2020/08/13
 modified: 2022/10/09
 tags:
 - attack.defense_evasion
- - attack.t1070.001
 logsource:
 product: windows
 service: windefend
 detection:
 selection:
- EventID: 1013
- EventType: 4
+ EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software.
 condition: selection
 fields:
 - EventID
 - EventType
 falsepositives:
 - Deletion of Defender malware detections history for legitimate reasons
-level: high
+level: low
diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
new file mode 100644
index 000000000..81aea09c4
--- /dev/null
+++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
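Review bot: Removing `attack.t1070.001` leaves the rule with only the tactic tag `attack.defense_evasion` and no technique; deleting detection history is indicator removal, so `- attack.t1070` fits better than no technique at all. `fields:` still lists `EventType` although the selection no longer uses it, and `modified: 2022/10/09` was not bumped despite the tag, selection and level changes, while the other edited rules in this commit bump it.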
@@ -0,0 +1,21 @@
+title: Win Defender Restored Quarantine File
+id: bc92ca75-cd42-4d61-9a37-9d5aa259c88b
+status: experimental
+description: Detects the restoration of files from the defender quarantine
+references:
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+author: Nasreddine Bencherchali
+date: 2022/12/06
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID: 1009 # The antimalware platform restored an item from quarantine.
+ condition: selection
+falsepositives:
+ - Legitimate administrator activity restoring a file
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
new file mode 100644
index 000000000..1aa0edf42
--- /dev/null
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
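Review bot: The title `Win Defender Restored Quarantine File` uses an abbreviation the sibling rules in this commit do not (`Windows Defender Suspicious Configuration Changes`, `Microsoft Defender Tamper Protection Trigger`); `title: Windows Defender Restored Quarantine File` would match. The description could also name the event the rule keys on, e.g. `Detects the restoration of files from the Defender quarantine (Event ID 1009)`, since the selection has no other discriminating field.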
@@ -0,0 +1,38 @@
+title: Windows Defender Suspicious Configuration Changes
+id: 801bd44f-ceed-4eb6-887c-11544633c0aa
+related:
+ - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+ type: similar
+ - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
+ type: similar
+status: stable
+description: Detects suspicious changes to the windows defender configuration
+references:
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+ - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
+author: Nasreddine Bencherchali
+date: 2022/12/06
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID: 5007 # The antimalware platform configuration changed.
+ NewValue|contains:
+ # TODO: Add more suspicious values
+ - '\Windows Defender\DisableAntiSpyware '
+ #- '\Windows Defender\Features\TamperProtection ' # Might produce FP
+ - '\Windows Defender\Scan\DisableRemovableDriveScanning '
+ - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
+ - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
+ - '\Real-Time Protection\SpyNetReporting '
+ - '\Real-Time Protection\SubmitSamplesConsent '
+ # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+ # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
+ condition: selection
+falsepositives:
+ - Administrator activity (must be investigated)
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
index 5c7202a37..887b9ac52 100644
--- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
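Review bot: Every `NewValue|contains` entry ends with a space inside the quotes (`'\Windows Defender\DisableAntiSpyware '`), presumably to anchor on the end of the value name so that longer names with the same prefix are not matched, but nothing says so and the trailing space is easy to lose on the next edit; add a comment above the list such as `# Trailing space is intentional: it anchors the match on the full value name`. `status: stable` on a newly added rule that still carries a `# TODO` and a commented-out entry flagged as FP-prone is also out of step with the other new rules in this commit, which are `experimental`.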
@@ -1,11 +1,13 @@
 title: Microsoft Defender Tamper Protection Trigger
 id: 49e5bc24-8b86-49f1-b743-535f332c2856
 status: stable
-description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
+description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
 references:
 - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
-author: Bhabesh Raj
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+author: Bhabesh Raj, Nasreddine Bencherchali
 date: 2021/07/05
+modified: 2022/12/06
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -14,11 +16,17 @@ logsource:
 service: windefend
 detection:
 selection:
- EventID: 5013
+ EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
 Value|endswith:
- - '\Windows Defender\DisableAntiSpyware = 0x1()'
- - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
+ - '\Windows Defender\DisableAntiSpyware'
+ - '\Windows Defender\DisableAntiVirus'
+ - '\Windows Defender\Scan\DisableArchiveScanning'
+ - '\Windows Defender\Scan\DisableScanningNetworkFiles'
+ - '\Real-Time Protection\DisableRealtimeMonitoring'
+ - '\Real-Time Protection\DisableBehaviorMonitoring'
+ - '\Real-Time Protection\DisableIOAVProtection'
+ - '\Real-Time Protection\DisableScriptScanning'
 condition: selection
 falsepositives:
- - Administrator actions
+ - Administrator might try to disable defender features during testing (must be investigated)
 level: high
diff --git a/rules/windows/builtin/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml
index e2bdd262e..4e917229c 100644
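Review bot: The new description says the rule detects blocked attempts to change `any of Defender's settings`, but the selection in the second hunk only fires for the eight value names under `Value|endswith`, so the description overstates coverage; `description: Detects blocked attempts to change selected Defender settings such as "Real Time Monitoring" and "Behavior Monitoring"` would be accurate. The three-sentence comment appended to `EventID: 5013` reads like description text; keeping a one-line marker there (`# Tamper protection blocked a change to Microsoft Defender Antivirus.`) and moving the rest into the description would match the one-line EventID comments used elsewhere in this commit.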
--- a/rules/windows/builtin/windefend/win_defender_threat.yml
+++ b/rules/windows/builtin/windefend/win_defender_threat.yml
@@ -15,10 +15,10 @@ logsource:
 detection:
 selection:
 EventID:
- - 1006
- - 1116
- - 1015
- - 1117
+ - 1006 # The antimalware engine found malware or other potentially unwanted software.
+ - 1116 # The antimalware platform detected malware or other potentially unwanted software.
+ - 1015 # The antimalware platform detected suspicious behavior.
+ - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
 condition: selection
 falsepositives:
 - Unlikely
diff --git a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml
new file mode 100644
index 000000000..522ab6eb3
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml
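Review bot: The comment on `- 1117` is missing its first letter (`# he antimalware platform performed an action …`); it should read `# The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.`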
@@ -0,0 +1,24 @@
+title: LSASS Process Dump Artefact In CrashDumps Folder
+id: 6902955a-01b7-432c-b32a-6f5f81d8f625
+status: experimental
+description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+author: '@pbssubhash'
+date: 2022/12/08
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
+ TargetFilename|contains: 'lsass.exe.'
+ TargetFilename|endswith: '.dmp'
+ condition: selection
+falsepositives:
+ - Rare legitimate dump of the process by the operating system due to a crash of lsass
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 9c9c65693..23c65c682 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -1,12 +1,19 @@ title: Creation Of Non-Existent DLLs In System Folders id: df6ecb8b-7822-4f4b-b412-08f524b4576c +related: + - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 + type: similar status: experimental description: Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking references: - https://decoded.avast.io/martinchlumecky/png-steganography/ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 + - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/ + - https://github.com/Wh04m1001/SysmonEoP + - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ author: Nasreddine Bencherchali date: 2022/12/01 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.persistence @@ -22,6 +29,7 @@ detection: - 'C:\Windows\System32\WLBSCTRL.dll' - 'C:\Windows\System32\TSMSISrv.dll' - 'C:\Windows\System32\TSVIPSrv.dll' + - 'C:\Windows\System32\wow64log.dll' filter: Image|startswith: 'C:\Windows\System32\' condition: selection and not filter diff --git a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml index 889b3c559..e5532258a 100644 --- a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml +++ b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml @@ -26,8 +26,7 @@ detection: - '\SAM-2023-' # C++ version - '\SAM-haxx' # Early C++ versions - '\Sam.save' # PowerShell version - - TargetFilename: - - 'C:\windows\temp\sam' # C# version of HiveNightmare + - TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare condition: selection fields: - CommandLine 
diff --git a/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml b/rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml
similarity index 100%
rename from rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml
rename to rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml
diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
index 3f768d093..c52e47eb5 100644
--- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
@@ -6,7 +6,7 @@ references:
 - Malware Sandbox
 author: frack113
 date: 2022/03/09
-modified: 2022/11/08
+modified: 2022/12/07
 tags:
 - attack.resource_development
 - attack.t1587.001
@@ -76,9 +76,15 @@ detection:
 Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
 Image|endswith: '\mscorsvw.exe'
 TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_'
+ filter_vscode:
+ Image|startswith: 'C:\Users\'
+ Image|contains: '\AppData\Local\'
+ Image|endswith: '\Microsoft VS Code\Code.exe'
+ TargetFilename|contains: '\.vscode\extensions\'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Software installers
 - Update utilities
+ - 32bit applications launching their 64bit versions
 #Please contribute to FP to increase the level
 level: low
diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
index d7c7b4b0c..5f9316e43 100644
--- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
+++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
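Review bot: `filter_vscode` excludes on path alone under a user-writable location (an Image under `C:\Users\…\AppData\Local\` ending in `\Microsoft VS Code\Code.exe` writing into `\.vscode\extensions\`), so the exclusion holds for whatever process sits at that path, not only the genuine editor; that is the usual trade-off of a path-based filter in a per-user directory, but it should be recorded next to the filter, e.g. `# Path-based exclusion in a user-writable directory; relies on the editor's per-user install location only`. The enclosing detection block starts before this hunk, so the other filters it sits alongside are not visible here.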
@@ -30,8 +30,7 @@ detection:
 - '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
 - '\msedgewebview2.exe'
 - '\OneDrive.exe'
- - Image|startswith:
- - 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
+ - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 - Image: null
 condition: selection_dll and not filter_legit
 falsepositives:
diff --git a/rules/windows/image_load/image_load_foggyweb_nobelium.yml b/rules/windows/image_load/image_load_foggyweb_nobelium.yml
index eaf808b22..8c0ca56f2 100644
--- a/rules/windows/image_load/image_load_foggyweb_nobelium.yml
+++ b/rules/windows/image_load/image_load_foggyweb_nobelium.yml
@@ -1,12 +1,12 @@
 title: FoggyWeb Backdoor DLL Loading
 id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
 status: test
-description: Detects DLL image load activity as used by FoggyWeb backdoor loader
+description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
 references:
 - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
 author: Florian Roth
 date: 2021/09/27
-modified: 2022/10/09
+modified: 2022/12/09
 tags:
 - attack.resource_development
 - attack.t1587
@@ -15,7 +15,7 @@ logsource:
 product: windows
 detection:
 selection:
- Image: C:\Windows\ADFS\version.dll
+ ImageLoaded: 'C:\Windows\ADFS\version.dll'
 condition: selection
 falsepositives:
 - Unlikely
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 7df5528b4..342b35fc7 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
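Review bot: The new FoggyWeb description is split into a sentence fragment (`…in their FoggyWeb backdoor. Which loads a malicious version…`); write it as one sentence, `description: Detects the DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor, which loads a malicious version of the expected "version.dll"`.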
@@ -9,7 +9,7 @@ references: - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project) date: 2022/08/14 -modified: 2022/10/25 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.persistence @@ -433,6 +433,13 @@ detection: - '\igd10iumd64.dll' - '\igd12umd64.dll' - '\igdusc64.dll' + # Other + - '\WLBSCTRL.dll' + - '\TSMSISrv.dll' + - '\TSVIPSrv.dll' + - '\wow64log.dll' + - '\WptsExtensions.dll' + - '\wbemcomn.dll' filter_generic: ImageLoaded|startswith: - 'C:\Windows\System32\' diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml new file mode 100644 index 000000000..619f4fdf7 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml 
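Review bot: The six names under `# Other` duplicate the list introduced by `image_load_side_load_non_existent_dlls.yml` in this same commit, so the two rules will drift unless the relationship is written down; a comment such as `# Other — same set as image_load_side_load_non_existent_dlls.yml, which covers the System32 location filter_generic excludes here` makes it explicit. The casing of the new entries (`'\WLBSCTRL.dll'`, `'\TSMSISrv.dll'`) also departs from the lowercase style of the neighbouring entries; Sigma matching is case-insensitive, so this is style only. The `ImageLoaded|endswith` list and its enclosing selection start outside the hunk.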
@@ -0,0 +1,43 @@ +title: Sideloading Of Non-Existent DLLs From System Folders +id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 +related: + - id: df6ecb8b-7822-4f4b-b412-08f524b4576c + type: similar +status: experimental +description: Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation +references: + - https://decoded.avast.io/martinchlumecky/png-steganography/ + - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 + - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/ + - https://github.com/Wh04m1001/SysmonEoP + - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ + - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html +author: Nasreddine Bencherchali +date: 2022/12/09 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: + # Add other DLLs + - 'C:\Windows\System32\WLBSCTRL.dll' + - 'C:\Windows\System32\TSMSISrv.dll' + - 'C:\Windows\System32\TSVIPSrv.dll' + - 'C:\Windows\System32\wow64log.dll' + - 'C:\Windows\System32\WptsExtensions.dll' + - 'C:\Windows\System32\wbem\wbemcomn.dll' + filter_ms_signed: + Signed: 'true' + # There could be other signatures (please add when found) + Signature: 'Microsoft Windows' + condition: selection and not 1 of filter_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml index bc7467c9c..5d2a23294 100755 --- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml 
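Review bot: `ImageLoaded|endswith` is paired with values that begin at the drive root (`'C:\Windows\System32\WLBSCTRL.dll'`), which turns the modifier into an exact match and ties the rule to installations on `C:`; either drop the modifier or drop the drive prefix (`'\Windows\System32\WLBSCTRL.dll'`) so `endswith` does the intended work. `filter_ms_signed` depends on `Signed` and `Signature`, fields that not every image_load source provides; where they are absent the filter cannot match and the suppression it is meant to give is lost, so the `logsource` block or `falsepositives` should state that signer enrichment is assumed. Typo in the description: `Usualy` → `Usually`.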
@@ -11,7 +11,7 @@ references: - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 author: Perez Diego (@darkquassar), oscd.community, Ecco date: 2019/10/27 -modified: 2022/09/15 +modified: 2022/12/09 tags: - attack.credential_access - attack.t1003.001 @@ -50,7 +50,7 @@ detection: ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' - Signed: 'FALSE' + Signed: 'false' filter1: - Image|contains: 'Visual Studio' - CommandLine|contains: diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index d707c3081..4a169cff3 100644 --- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml @@ -18,8 +18,7 @@ detection: selection: Description: 'Python Core' filter_generic: - - Image|contains: - - 'Python' # FPs with python38.dll, python.exe etc. + - Image|contains: 'Python' # FPs with python38.dll, python.exe etc. - Image|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml index a031d7218..d2e43c75c 100755 --- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml @@ -22,10 +22,8 @@ detection: Initiated: 'true' SourcePort: 3389 selection2: - - DestinationIp|startswith: - - '127.' - - DestinationIp: - - '::1' + - DestinationIp|startswith: '127.' + - DestinationIp: '::1' condition: selection and selection2 falsepositives: - Unknown diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml index 72440a3e0..bfeb4b580 100755 
--- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml +++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml @@ -43,8 +43,7 @@ detection: - '51.103.' # Microsoft range, caused some FPs - '51.104.' # Microsoft range, caused some FPs - '51.105.' # Microsoft range, caused some FPs - - CommandLine|contains: - - 'PcaSvc.dll,PcaPatchSdbTask' + - CommandLine|contains: 'PcaSvc.dll,PcaPatchSdbTask' filter_update_processes: ParentImage: 'C:\Windows\System32\svchost.exe' RemoteAddress|endswith: ':443' diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml index 0c1c0c605..06c238c9f 100755 --- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml @@ -27,10 +27,8 @@ detection: - '\Windows\Fonts\' - '\Windows\IME\' - '\Windows\addins\' - - Image|endswith: - - '\$Recycle.bin' - - Image|startswith: - - 'C:\Perflogs\' + - Image|endswith: '\$Recycle.bin' + - Image|startswith: 'C:\Perflogs\' false_positive1: Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location condition: selection and not 1 of false_positive* diff --git a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml new file mode 100644 index 000000000..e1e309369 --- /dev/null +++ b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml 
@@ -0,0 +1,30 @@ +title: Nslookup PowerShell Download Cradle +id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 +related: + - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 + type: similar +status: experimental +description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records +references: + - https://twitter.com/Alh4zr3d/status/1566489367232651264 +author: Sai Prashanth Pulisetti @pulisettis +date: 2022/12/10 +tags: + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: ps_classic_start + definition: fields have to be extract from event +detection: + selection: + HostApplication|contains|all: + - 'powershell' + - 'nslookup' + HostApplication|contains: + - '-q=txt' + - '-querytype=txt' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index 862c5127a..3bbce1ac4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -25,8 +25,7 @@ detection: - 'bypass' - 'RemoteSigned' filter: - - ParentImage: - - 'C:\ProgramData\chocolatey\choco.exe' + - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' - ScriptBlockText|contains: - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')" - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')" diff --git a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml new file mode 100644 index 000000000..cef5457d6 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml 
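Review bot: The `definition` text `fields have to be extract from event` should read `fields have to be extracted from the event`. `HostApplication|contains` lists only the `-q=txt` and `-querytype=txt` spellings even though nslookup documents `-type=` as the same option, so coverage is narrower than the description implies; adding `- '-type=txt'` would align the list with the documented syntax. `falsepositives: Unknown` also understates that any scripted TXT lookup from a PowerShell host satisfies `selection`, which is worth stating given `level: high`.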
@@ -0,0 +1,28 @@ +title: Potential Privilege Escalation Using Symlink Between Osk and Cmd +id: e9b61244-893f-427c-b287-3e708f321c6b +status: experimental +description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md + - https://ss64.com/nt/mklink.html +author: frack113 +date: 2022/12/11 +tags: + - attack.credential_access + - attack.t1546.008 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\cmd.exe' + - OriginalFileName: 'Cmd.exe' + selection_cli: + CommandLine|contains|all: + - 'mklink' + - '\osk.exe' + - '\cmd.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml new file mode 100644 index 000000000..cc021edaa --- /dev/null +++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml 
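Review bot: The tag `attack.credential_access` does not fit the technique this rule describes; T1546.008 (Accessibility Features) belongs to Persistence and Privilege Escalation, and the title itself says privilege escalation, so the tactic tag should be `attack.privilege_escalation` (plus `attack.persistence` if desired). Nothing in `detection` depends on it, but mis-tagged tactics skew any ATT&CK coverage reporting generated from the rule set.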
@@ -0,0 +1,41 @@ +title: Potential Credential Dumping Via WER +id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3 +status: experimental +description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass +references: + - https://github.com/deepinstinct/Lsass-Shtinkering + - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf +author: '@pbssubhash , Nasreddine Bencherchali' +date: 2022/12/08 +modified: 2022/12/09 +tags: + - attack.credential_access + - attack.t1003.001 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\Werfault.exe' + - OriginalFileName: 'WerFault.exe' + selection_cli: + ParentUser|contains: # covers many language settings + - 'AUTHORI' + - 'AUTORI' + User|contains: + - 'AUTHORI' + - 'AUTORI' + CommandLine|contains|all: + # Doc: WerFault.exe -u -p -ip -s + # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 + # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique + # Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity + - ' -u -p ' + - ' -ip ' + - ' -s ' + filter_lsass: + ParentImage: 'C:\Windows\System32\lsass.exe' + condition: all of selection_* and not 1 of filter_* +falsepositives: + - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine. +level: high diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml new file mode 100644 index 000000000..776cd622a --- /dev/null 
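Review bot: `selection_cli` requires `ParentUser`, which to my knowledge is only present in newer Sysmon schema versions, and because it sits in the same map as `User` and `CommandLine` the whole selection silently fails on telemetry that lacks it; add a `definition` line under `logsource` naming the dependency, or split `ParentUser` into its own selection so the missing field is visible during tuning. The last explanatory comment would read more clearly as `# If "-p" is the PID of lsass.exe while "-ip" belongs to a different process, treat it as a sign of this technique`. `filter_lsass` on `ParentImage` presumably guards against WER spawned by lsass itself; one comment line saying so would help the next maintainer.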
+++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -0,0 +1,40 @@ +title: Potential PE Metadata Tamper Using Rcedit +id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 +status: experimental +description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +references: + - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe + - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 + - https://github.com/electron/rcedit +author: Micah Babinski +date: 2022/12/11 +tags: + - attack.defense_evasion + - attack.t1036.003 + - attack.t1036 + - attack.t1027.005 + - attack.t1027 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: + - '\rcedit-x64.exe' + - '\rcedit-x86.exe' + - Description: 'Edit resources of exe' + - Product: 'rcedit' + selection_flags: + CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" + selection_attributes: + CommandLine|contains: + - 'OriginalFileName' + - 'CompanyName' + - 'FileDescription' + - 'ProductName' + - 'ProductVersion' + - 'LegalCopyright' + condition: all of selection_* +falsepositives: + - Legitimate use of the tool by administrators or users to update metadata of a binary +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml index b7c40f826..bb2986d64 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml 
@@ -20,8 +20,7 @@ detection: - 'localgroup' - 'admin' - '/add' - - CommandLine|contains: - - '\Win64.exe' + - CommandLine|contains: '\Win64.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml index 694b2775a..002083247 100644 --- a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml @@ -8,8 +8,10 @@ description: Detects usage of the Chisel tunneling tool via the commandline argu references: - https://github.com/jpillora/chisel/ - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ + - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/ author: Florian Roth date: 2022/09/13 +modified: 2022/12/07 tags: - attack.command_and_control - attack.t1090.001 @@ -25,11 +27,11 @@ detection: - 'exe server ' selection_param2: CommandLine|contains: - - ' --socks5' - - ' --reverse' + - '-socks5' + - '-reverse' - ' r:' - ':127.0.0.1:' - - ' --tls-skip-verify ' + - '-tls-skip-verify ' - ':socks' condition: selection_img or all of selection_param* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml index 1d03d645c..906bffd2f 100644 --- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml 
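Review bot: The loosened flags in `selection_param2` are inconsistent about trailing whitespace: `'-socks5'` and `'-reverse'` dropped both the leading space and any trailing delimiter, while `'-tls-skip-verify '` keeps a trailing space, so a command line that ends in that flag is not matched; `'-tls-skip-verify'` would bring it in line with the other two. Because `condition` still requires `all of selection_param*`, the broader substrings stay bounded by `selection_param1`, so this is a consistency point rather than a noise concern.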
@@ -1,7 +1,7 @@ -title: COMPlus_ETWEnabled Command Line Arguments +title: ETW Logging Tamper In .NET Processes id: 41421f44-58f9-455d-838a-c398859841d4 status: test -description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. +description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. references: - https://twitter.com/_xpn_/status/1268712093928378368 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr @@ -12,9 +12,10 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1562 @@ -23,7 +24,9 @@ logsource: product: windows detection: selection: - CommandLine|contains: 'COMPlus_ETWEnabled=0' + CommandLine|contains: + - 'COMPlus_ETWEnabled' + - 'COMPlus_ETWFlags' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml b/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml index ba28010ce..c1feb1bd7 100644 --- a/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml +++ b/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml 
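Review bot: Dropping the `=0` suffix widens `CommandLine|contains` to any mention of `COMPlus_ETWEnabled` or `COMPlus_ETWFlags`, including build and debugging sessions that set them to non-disabling values, yet `falsepositives` still reads `Unlikely`; name developer tooling there or adjust `level` to reflect the broader net. A short `# newer runtimes also honour the DOTNET_ prefix for these settings` comment would record a known spelling the rule does not yet cover, if the authors intend to track it.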
@@ -1,11 +1,12 @@ -title: False Sysinternals Suite Tools +title: Potential Binary Impersonating Sysinternals Tools id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9 status: experimental -description: Rename as a legitimate Sysinternals Suite tool to evade detection +description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection references: - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite author: frack113 date: 2021/12/20 +modified: 2022/12/08 tags: - attack.execution - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml index fb8f65ecb..ba53f5896 100644 --- a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml +++ b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml @@ -9,7 +9,7 @@ references: - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py author: Ecco, oscd.community, Jonhnathan Ribeiro date: 2019/09/03 -modified: 2021/11/27 +modified: 2022/12/08 tags: - attack.execution - attack.t1047 @@ -46,7 +46,7 @@ detection: - 'cmd.exe' - '/Q' - '/c' - - '\\\\127.0.0.1\' + - '\\\\127.0.0.1\\' - '&1' selection_atexec: ParentCommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml new file mode 100644 index 000000000..924eea112 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml 
@@ -0,0 +1,26 @@ +title: Use of Setres.exe +id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7 +status: experimental +description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path +references: + - https://lolbas-project.github.io/lolbas/Binaries/Setres/ + - https://twitter.com/0gtweet/status/1583356502340870144 + - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) +author: '@gott_cyber' +date: 2022/12/11 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1202 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\setres.exe' + Image|endswith: '\choice' + condition: all of selection* +falsepositives: + - Legitimate usage of Setres +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml b/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml index 3e83ac024..7fb2f061e 100644 --- a/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml @@ -27,8 +27,7 @@ detection: - '\bash.exe' - '\reg.exe' - '\regsvr32.exe' - - Image|contains: - - '\BITSADMIN' + - Image|contains: '\BITSADMIN' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml b/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml index ff534cdd5..ba499f84d 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml 
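Review bot: `Image|endswith: '\choice'` does not match what the description says it detects — a file named "choice" with any executable extension — because an image path such as `…\choice.exe` or `…\choice.cmd` does not end in `\choice`; `Image|contains: '\choice.'` (or an explicit `endswith` list of the expected extensions) would make the selection match the stated intent. As written the rule only fires on an extensionless image path, so `falsepositives: Legitimate usage of Setres` and `level: medium` are describing a rule that almost never triggers.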
@@ -30,8 +30,7 @@ detection: - '\bash.exe' - '\reg.exe' - '\regsvr32.exe' - - Image|contains: - - '\BITSADMIN' + - Image|contains: '\BITSADMIN' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 3a6122f98..cf29b211d 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml @@ -10,7 +10,7 @@ references: - https://twitter.com/_st0pp3r_/status/1583914515996897281 author: frack113 date: 2022/01/16 -modified: 2022/10/23 +modified: 2022/12/08 tags: - attack.defense_evasion - attack.t1218.007 @@ -30,7 +30,13 @@ detection: - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' - '\MsiExec.exe" /Y "C:\Windows\CCM\' - - '\MsiExec.exe" /Y C:\Windows\CCM\' #also need non-quoted execution + - '\MsiExec.exe" /Y C:\Windows\CCM\' # also need non-quoted execution + - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' + - '\MsiExec.exe" -Y "C:\Windows\CCM\' + - '\MsiExec.exe" -Y C:\Windows\CCM\' #also need non-quoted execution condition: selection and not 1 of filter_* falsepositives: - Legitimate script diff --git a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml index f1143d516..bc5a795f5 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml 
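Review bot: The final `-Y` entry ends in `#also need non-quoted execution` while the line adjusted just above it was changed to `# also need non-quoted execution`; keeping comment spacing uniform within one hunk avoids a follow-up churn commit. The `-Y` block is a one-for-one copy of the `/Y` block, so a single comment above it, e.g. `# msiexec accepts '-' and '/' as switch prefixes, so every /Y entry is repeated with -Y`, would record why twelve near-identical strings exist. The enclosing filter map starts outside the hunk.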
+++ b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml @@ -1,13 +1,14 @@ -title: Exchange PowerShell Snap-Ins Used by HAFNIUM +title: Exchange PowerShell Snap-Ins Usage id: 25676e10-2121-446e-80a4-71ff8506af47 status: experimental -description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM +description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ -author: FPT.EagleEye + - https://www.intrinsec.com/apt27-analysis/ +author: FPT.EagleEye, Nasreddine Bencherchali date: 2021/03/03 -modified: 2022/07/14 +modified: 2022/12/09 tags: - attack.execution - attack.t1059.001 @@ -17,12 +18,20 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - Image|endswith: - '\powershell.exe' - '\pwsh.exe' - CommandLine|contains: 'add-pssnapin microsoft.exchange.powershell.snapin' - condition: selection + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_cli: + CommandLine|contains: 'Add-PSSnapin' + selection_module: + CommandLine|contains: + - 'Microsoft.Exchange.Powershell.Snapin' + - 'Microsoft.Exchange.Management.PowerShell.SnapIn' + condition: all of selection_* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml index 9a09c3246..0e7a7715a 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml 
@@ -1,4 +1,4 @@ -title: Renamed ProcDump +title: Renamed ProcDump Execution id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 related: - id: 03795938-1387-481b-9f4c-3f6241e604fe @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth date: 2019/11/18 -modified: 2022/08/12 +modified: 2022/12/08 tags: - attack.defense_evasion - attack.t1036.003 @@ -34,5 +34,5 @@ detection: condition: (selection_org or all of selection_args_*) and not filter falsepositives: - Procdump illegaly bundled with legitimate software - - Weird admins who renamed binaries (and should be investigated) + - Administrators who rename binaries (should be investigated) level: high diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml index 012766883..ed5fe8397 100644 --- a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml @@ -18,22 +18,11 @@ logsource: category: process_creation product: windows detection: - selection_1_img: - Image|endswith: '\SharpChisel.exe' - selection_1_pe: - Product: 'SharpChisel' - # Covered by Chisel Rule - # selection_2_client_server: - # CommandLine|contains: - # - 'exe client ' - # - 'exe server ' - # selection_2_flags: - # CommandLine|contains: - # - ' --socks5' - # - ' --reverse' - # - ' r:' - # - ':127.0.0.1:' - condition: 1 of selection* + selection: + - Image|endswith: '\SharpChisel.exe' + - Product: 'SharpChisel' + # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage + condition: selection falsepositives: - - Some false positives may occure with other tools with similar commandlines + - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml index 0878576b8..5af183017 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml @@ -6,6 +6,7 @@ references: - https://github.com/Wh04m1001/SysmonEoP author: frack113 date: 2022/12/05 +modified: 2022/12/07 tags: - attack.privilege_escalation - attack.defense_evasion @@ -16,11 +17,11 @@ logsource: category: process_creation detection: selection_shell: - - Image|endswith: + - Image|endswith: - '\powershell.exe' - '\pwsh.exe' - '\cmd.exe' - - OriginalFileName: + - OriginalFileName: - 'PowerShell.EXE' - 'pwsh.dll' - 'Cmd.Exe' @@ -29,7 +30,12 @@ detection: - 'AUTHORI' - 'AUTORI' LogonId: '0x3e7' - condition: all of selection_* + filter_compattelrunner: + ParentImage: 'C:\Windows\System32\CompatTelRunner.exe' + ParentCommandLine|contains: '-m:appraiser.dll -f:DoScheduledTelemetryRun' + OriginalFileName: 'PowerShell.EXE' + CommandLine|contains: '-ExecutionPolicy Restricted -Command Write-Host' + condition: all of selection_* and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index fe79e160d..ea149ab69 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -6,7 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 -modified: 2022/12/06 +modified: 2022/12/07 tags: - attack.defense_evasion - attack.t1202 @@ -42,7 +42,9 @@ detection: # Example FP: # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228 Provider_Name: 'Microsoft-Windows-Kernel-Process' - ParentCommandLine|contains: ' cat-file -s ' + ParentCommandLine|contains: + - ' cat-file -s ' + - 'show --textconv' Image: 'C:\Windows\System32\conhost.exe' filter_image_conhost2: ParentCommandLine: 
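Review bot: `filter_compattelrunner` encodes a concrete benign path (CompatTelRunner launching `-ExecutionPolicy Restricted -Command Write-Host`), but `falsepositives` is left at `Unknown`; record the origin there so analysts tuning the rule know what the exclusion covers, e.g. `- CompatTelRunner.exe launching PowerShell during scheduled telemetry runs (see filter_compattelrunner)`. Combining the exact `ParentImage` path with `ParentCommandLine`, `OriginalFileName` and `CommandLine` substrings keeps the filter appropriately narrow. The selection map holding the `AUTHORI`/`AUTORI` values starts outside the hunk.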
@@ -51,9 +53,10 @@ detection: - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' Image: 'C:\Windows\System32\conhost.exe' filter_image_git: - ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + ParentCommandLine: + - \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' + - \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4' Image: 'C:\Program Files\Git\mingw64\bin\git.exe' - CommandLine|contains: 'show --textconv :' condition: selection and not 1 of filter_* fields: - Image diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml index 31816d30e..970f2a353 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml @@ -1,12 +1,13 @@ -title: Suspicious Conhost Legacy Option +title: Suspicious High IntegrityLevel Conhost Legacy Option id: 3037d961-21e9-4732-b27a-637bcc7bf539 status: experimental -description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application +description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context. references: - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ + - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control author: frack113 -date: 2022/04/04 +date: 2022/12/09 tags: - attack.defense_evasion - attack.t1202 
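Review bot: The two new `ParentCommandLine` values are missing their opening quote (`- \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'` and `- \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4'`), so YAML parses each as a plain scalar whose last character is a literal `'`; as exact-match values they can never equal a real command line, and `filter_image_git` stops suppressing anything. Compare the correctly quoted sibling in `filter_image_conhost2`: `- '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'`. Removing `CommandLine|contains: 'show --textconv :'` also widens the filter to every git.exe child with those parent command lines; if that is intended, a one-line comment saying why would help.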
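Review bot: This hunk rewrites `date:` from `2022/04/04` to `2022/12/09` instead of adding a `modified:` line, which erases the rule's creation date; the other rules touched in this commit (e.g. `proc_creation_win_susp_conhost.yml`) keep `date` and add `modified`, so this should read `date: 2022/04/04` followed by `modified: 2022/12/09`. The expanded description of IntegrityLevel is clear; the detection change itself lives in the following hunk.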
@@ -15,11 +16,12 @@ logsource: category: process_creation detection: selection: + IntegrityLevel: 'High' CommandLine|contains|all: - 'conhost.exe' - '0xffffffff' - '-ForceV1' condition: selection falsepositives: - - Unknown + - Very Likely, including launching cmd.exe via Run As Administrator level: informational diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml index 91cb6862a..6c8c49a0e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml @@ -10,7 +10,7 @@ references: - https://twitter.com/bryon_/status/975835709587075072 author: 'Agro (@agro_sev) oscd.community' date: 2020/10/10 -modified: 2022/02/25 +modified: 2022/12/09 tags: - attack.execution - attack.t1059.001 @@ -20,15 +20,14 @@ logsource: category: process_creation product: windows detection: - selection_1: - Image|endswith: '\sqlps.exe' - selection_2: + selection_parent: ParentImage|endswith: '\sqlps.exe' - selection_3: - OriginalFileName: '\sqlps.exe' - filter: + selection_image: + - Image|endswith: '\sqlps.exe' + - OriginalFileName: 'sqlps.exe' + filter_image: ParentImage|endswith: '\sqlagent.exe' - condition: 1 of selection_* and not filter + condition: selection_parent or (selection_image and not filter_image) falsepositives: - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml index a84f52be0..18301a4a1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml 
@@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1139811587760562176 author: Florian Roth (rule), Samir Bousseaden (idea) date: 2019/06/17 -modified: 2022/10/09 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1055 @@ -20,7 +20,7 @@ detection: CommandLine|contains: '\netlogon\' filter2: - Image|endswith: '\explorer.exe' - - ImageFileName: 'explorer.exe' + - OriginalFileName: 'explorer.exe' condition: selection and not 1 of filter* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml new file mode 100644 index 000000000..84ed9bd12 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml @@ -0,0 +1,25 @@ +title: WMIC Tamper Windows Defender +id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a +status: experimental +description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: frack113 +date: 2022/12/11 +tags: + - attack.credential_access + - attack.t1546.008 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - OriginalFileName: 'wmic.exe' + - Image|endswith: '\WMIC.exe' + selection_cli: + CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml index 0bf48f7de..c0e5aab00 100644 
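Review bot: The tags `attack.credential_access` / `attack.t1546.008` do not describe this new rule: T1546.008 is Event Triggered Execution via Accessibility Features, while the referenced atomic test and the description (Defender exclusions) fall under Impair Defenses, so they should read `- attack.defense_evasion` and `- attack.t1562.001`. The CommandLine selection only checks the namespace, so read-only queries against `root\Microsoft\Windows\Defender` (inventory or monitoring scripts reading MSFT_MpComputerStatus) will also hit at level high; either require a modifying verb in a second selection or record that case in `falsepositives` instead of `Unknown`.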
--- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml @@ -6,11 +6,12 @@ related: - id: 8023f872-3f1d-4301-a384-801889917ab4 type: similar status: experimental -description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools +description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools references: - Internal Research author: Nasreddine Bencherchali date: 2022/08/24 +modified: 2022/12/07 tags: - attack.resource_development - attack.t1588.002 @@ -21,33 +22,44 @@ detection: selection: EventType: CreateKey TargetObject|contains: - - '\PsExec' - - '\ProcDump' + # Please add new values while respecting the alphabetical order + - '\Active Directory Explorer' - '\Handle' - '\LiveKd' + - '\ProcDump' - '\Process Explorer' + - '\PsExec' + - '\PsLoggedon' - '\PsLoglist' - '\PsPasswd' - - '\Active Directory Explorer' + - '\PsPing' + - '\PsService' TargetObject|endswith: '\EulaAccepted' filter: Image|endswith: - - '\PsExec.exe' - - '\PsExec64.exe' - - '\procdump.exe' - - '\procdump64.exe' + # Please add new values while respecting the alphabetical order + - '\ADExplorer.exe' + - '\ADExplorer64.exe' - '\handle.exe' - '\handle64.exe' - '\livekd.exe' - '\livekd64.exe' + - '\procdump.exe' + - '\procdump64.exe' - '\procexp.exe' - '\procexp64.exe' + - '\PsExec.exe' + - '\PsExec64.exe' + - '\PsLoggedon.exe' + - '\PsLoggedon64.exe' - '\psloglist.exe' - '\psloglist64.exe' - '\pspasswd.exe' - '\pspasswd64.exe' - - '\ADExplorer.exe' - - '\ADExplorer64.exe' + - '\PsPing.exe' + - '\PsPing64.exe' + - '\PsService.exe' + - '\PsService64.exe' condition: selection and not filter falsepositives: - Unlikely 
diff --git a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml index d9f20e6c5..dc8b279ac 100644 --- a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml +++ b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml @@ -19,8 +19,7 @@ detection: - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' - - TargetObject|startswith: - - 'HKLM\SYSTEM\Setup\PrintResponsor\' + - TargetObject|startswith: 'HKLM\SYSTEM\Setup\PrintResponsor\' condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml new file mode 100644 index 000000000..4780d88a6 --- /dev/null +++ b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml 
@@ -0,0 +1,28 @@ +title: Potential Ransomware Activity Using LegalNotice Message +id: 8b9606c9-28be-4a38-b146-0e313cc232c1 +status: experimental +description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md +author: frack113 +date: 2022/12/11 +tags: + - attack.impact + - attack.t1491.001 +logsource: + product: windows + category: registry_set +detection: + selection: + EventType: SetValue + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText' + Details|contains: + - 'encrypted' + - 'Unlock-Password' + - 'paying' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml index 38c4c79fa..0254cdb81 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml @@ -5,9 +5,10 @@ description: Detects tampering of autologger trace sessions which is a technique references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Nasreddine Bencherchali date: 2022/08/01 -modified: 2022/09/18 +modified: 2022/12/09 tags: - attack.defense_evasion logsource: 
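Review bot: `falsepositives: Unknown` undersells the obvious one: `encrypted` and `paying` are ordinary words in corporate logon banners ("this device is encrypted", "paying customers"), and these values are commonly pushed by Group Policy to every machine at refresh, so a benign banner rollout fires on every host at level high. Document that, e.g. `- Legitimate logon banners mentioning encryption, deployed via GPO`, or narrow `Details|contains` toward the more distinctive ransom wording (`Unlock-Password` already is). The description should also read `Detects changes` rather than `Detect changes` to match the other rules.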
@@ -22,7 +23,7 @@ detection: - '\EventLog-' - '\Defender' TargetObject|endswith: - - '\Enabled' + - '\Enable' - '\Start' Details: DWORD (0x00000000) filter_legitimate: diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml similarity index 70% rename from rules/windows/registry/registry_set/registry_set_etw_disabled.yml rename to rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml index 93b500a35..f32870645 100644 --- a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml @@ -1,5 +1,8 @@ -title: COMPlus_ETWEnabled Registry Modification - Registry +title: ETW Logging Disabled In .NET Processes - Sysmon Registry id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 +related: + - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc + type: similar status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. references: 
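Review bot: Changing `TargetObject|endswith` from `'\Enabled'` to `'\Enable'` narrows rather than widens the match: an `endswith` on `\Enable` cannot match a value named `Enabled`, and Microsoft's AutoLogger documentation names the per-provider switch `Enabled` (alongside `EnableFlags`, `EnableLevel`, `EnableProperty`). Unless the newly referenced ETW paper documents a value literally named `Enable`, this drops the provider-level tampering case; if both spellings are wanted, list both: `- '\Enable'` and `- '\Enabled'`. The `TargetObject|contains` prefixes this pairs with sit above the hunk.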
@@ -12,21 +15,32 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -modified: 2022/11/26 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1112 + - attack.t1562 logsource: product: windows category: registry_set detection: - selection: + selection_etw_enabled: EventType: SetValue TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' Details: 'DWORD (0x00000000)' - condition: selection + selection_complus: + EventType: SetValue + TargetObject|endswith: + - '\COMPlus_ETWEnabled' + - '\COMPlus_ETWFlags' + Details: + - 0 # For REG_SZ type + - 'DWORD (0x00000000)' + condition: 1 of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml new file mode 100644 index 000000000..c362fe0e6 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml 
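Review bot: `Details: - 0` is a bare YAML integer while every other `Details` value in the file is a quoted string; backends that type their comparisons may emit a numeric match that a string-typed `Details` field does not satisfy, so quote it: `- '0' # For REG_SZ type`. The added `attack.t1562` tag is the parent technique; ETW tampering is catalogued under `attack.t1562.006` (Indicator Blocking), and the same generic tag appears in the two new ETW rules later in this commit (rpcrt4 and SCM).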
@@ -0,0 +1,27 @@
+title: Lsass Full Dump Request Via DumpType Registry Settings
+id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
+status: experimental
+description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+author: '@pbssubhash'
+date: 2022/12/08
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
+ - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
+ Details: 'DWORD (0x00000002)' # Full Dump
+ condition: selection
+falsepositives:
+ - Legitimate application that needs to do a full dump of their process
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
new file mode 100644
index 000000000..3377d03c1
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
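Review bot: The first `TargetObject|contains` entry, `...\LocalDumps\DumpType`, is the machine-wide WER setting, so enabling full dumps for every crashing process (a routine developer or support-desk configuration) fires this rule at level high, while the `falsepositives` line only covers the per-application case. Add `- Administrators or developers enabling full user-mode dumps globally via WER LocalDumps` and consider giving the global entry its own selection so it can be weighted separately from the lsass.exe-specific one. Both values terminate the path, so `TargetObject|endswith` would be tighter than `contains` here.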
@@ -0,0 +1,27 @@
+title: ETW Logging Disabled For rpcrt4.dll
+id: 90f342e1-1aaa-4e43-b092-39fda57ed11e
+status: experimental
+description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
+references:
+ - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
+author: Nasreddine Bencherchali
+date: 2022/12/09
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+ - attack.t1562
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation'
+ Details:
+ # This is disabled by default for some reason
+ - 'DWORD (0x00000000)' # Off
+ - 'DWORD (0x00000002)' # Off with exceptions
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
new file mode 100644
index 000000000..073cddb27
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -0,0 +1,24 @@
+title: ETW Logging Disabled For SCM
+id: 4f281b83-0200-4b34-bf35-d24687ea57c2
+status: experimental
+description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
+references:
+ - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
+author: Nasreddine Bencherchali
+date: 2022/12/09
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+ - attack.t1562
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled'
+ Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
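Review bot: Both new rules fire on a `SetValue` that writes the value their own comments describe as the existing default (`ExtErrorInformation` = 0 here, `TracingDisabled` = 1 in the SCM rule that follows in this span), so anything that re-applies defaults — imaging, baselining scripts, Group Policy refresh — produces the same event as a tamper, and `falsepositives: Unknown` hides that. Record it, e.g. `- Baseline or GPO scripts re-writing the default value`, and, where the log source exposes the previous value, consider requiring a non-default prior state. The generic `attack.t1562` tag noted on the .NET ETW rule applies to both files as well.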
diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml index a288c972d..1c86770c1 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml @@ -25,8 +25,7 @@ detection: - 'C:\Temp\' - 'C:\Users\Public\' - 'C:\Users\Default\' - - Details|contains: - - '\AppData\' + - Details|contains: '\AppData\' condition: selection and selection2 fields: - Image diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml index ef1c0a2b7..3952c6ac1 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml @@ -5,10 +5,10 @@ description: | Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) references: - - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ + - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 -modified: 2022/11/22 +modified: 2022/12/07 tags: - attack.t1562.001 - attack.defense_evasion 
@@ -23,10 +23,13 @@ detection: - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' filter: Image|endswith: + # Please add the full paths that you use in your environment to tighten the rule - '\procexp64.exe' - '\procexp.exe' - '\procmon64.exe' - '\procmon.exe' + - '\handle.exe' + - '\handle64.exe' Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS' condition: selection and not filter falsepositives: diff --git a/tests/test_rules.py b/tests/test_rules.py index 5d88c97e9..b58d0884a 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -838,32 +838,59 @@ class TestRules(unittest.TestCase): "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") def test_selection_list_one_value(self): + + def treat_list(file, values, valid_, selection_name): + # rule with only list of Keywords term + if len(values) == 1 and not isinstance(values[0], str): + print( + Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key) + ) + valid_ = False + elif isinstance(values[0], dict): + valid_ = treat_dict(file, values, valid_, selection_name) + return valid_ + + def treat_dict(file, values, valid_, selection_name): + if isinstance(values, list): + for dict_ in values: + for key_ in dict_.keys(): + if isinstance(dict_[key_], list): + if len(dict_[key_]) == 1: + print( + Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_) + ) + valid_ = False + else: + dict_ = values + for key_ in dict_.keys(): + if isinstance(dict_[key_], list): + if len(dict_[key_]) == 1: + print( + Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_) + ) + valid_ = False + return valid_ + faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): detection = self.get_rule_part( file_path=file, part_name="detection") if detection: + valid = True for key in detection: + values = detection[key] if isinstance(detection[key], list): - # rule with only list of Keywords term - if len(detection[key]) == 1 and not isinstance(detection[key][0], str): - print( - Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)) - valid = False + valid = treat_list(file, values, valid, key) + if isinstance(detection[key], dict): - for sub_key in detection[key]: - # split in 2 if as get a error "int has not len()" - if 
isinstance(detection[key][sub_key], list): - if len(detection[key][sub_key]) == 1: - print( - Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) - valid = False + valid = treat_dict(file, values, valid, key) + if not valid: faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules using list with only 1 element") + "There are rules using list with only 1 element") def test_unused_selection(self): faulty_rules = [] @@ -882,8 +909,12 @@ class TestRules(unittest.TestCase): continue if selection == "timeframe": continue - if selection in condition: + + # remove special keywords + condition_list = condition.replace("not ", '').replace("1 of ", '').replace("all of ", '').replace(' or ', ' ').replace(' and ', ' ').replace('(', '').replace(')', '').split(" ") + if selection in condition_list: continue + # find all wildcards in condition found = False for wildcard_selection in wildcard_selections.findall(condition): 
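Review bot: `treat_list` formats its message with `key`, which is not one of its parameters; it only resolves because the nested function closes over the enclosing loop variable of the same name, so the message would silently break if the helper were moved or renamed. Use the parameter: `Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, selection_name)`. The `elif isinstance(values[0], dict)` branch indexes an empty list, which the old code never did, so a rule with an empty selection list now raises IndexError instead of being reported; guard it with `elif values and isinstance(values[0], dict):`. `treat_dict` duplicates its loop body for the list and dict cases; iterating `values if isinstance(values, list) else [values]` once would remove the copy.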
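Review bot: The keyword-stripping `replace` chain that builds `condition_list` is order-sensitive and misses common spellings: `not(selection)` is not handled because `'not '` is removed before the parenthesis is, leaving the token `notselection`, and `2 of`, `all of them` and `|` aggregation tokens survive as junk words, so such rules are either reported as unused or escape the check. Tokenizing the condition is shorter and robust: `condition_list = re.findall(r"[\w*]+", condition)` (the file already uses a compiled regex via `wildcard_selections`, so `re` is presumably imported; confirm). `test_unused_selection` begins before this hunk, so whether `condition` is always a string here — if a rule can declare a list of conditions, `.replace` raises on it — cannot be verified from the visible lines.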
@@ -904,15 +935,27 @@ class TestRules(unittest.TestCase): # add "OriginalFilename" after Aurora switched to SourceFilename # add "ProviderName" after special case powershell classic is resolved # typos is a list of tuples where each tuple contains ("The typo", "The correct version") - typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")] + typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName"), ("ImageFileName", "OriginalFileName")] faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): + # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases + # We check first the logsource to handle special cases + logsource = self.get_rule_part(file_path=file, part_name="logsource").values() + # add more typos in specific logsources below + if "windefend" in logsource: + typos_ = typos + [("New_Value", "NewValue"), ("Old_Value", "OldValue"), ('Source_Name', 'SourceName'), ("Newvalue", "NewValue"), ("Oldvalue", "OldValue"), ('Sourcename', 'SourceName')] + elif "registry_set" in logsource or "registry_add" in logsource or "registry_event" in logsource: + typos_ = typos + [("Targetobject", "TargetObject"), ("Eventtype", "EventType"), ("Newname", "NewName")] + elif "process_creation" in logsource: + typos_ = typos + [("Parentimage", "ParentImage"), ("Integritylevel", "IntegrityLevel"), ("IntegritiLevel", "IntegrityLevel")] + else: + typos_ = typos detection = self.get_rule_part(file_path=file, part_name="detection") if detection: for search_identifier in detection: if isinstance(detection[search_identifier], dict): for field in 
detection[search_identifier]: - for typo in typos: + for typo in typos_: if typo[0] in field: print(Fore.RED + "Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})".format(file, typo[0], typo[1], search_identifier, field)) faulty_rules.append(file)
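Review bot: `self.get_rule_part(file_path=file, part_name="logsource").values()` dereferences the result unguarded, while the `detection` lookup a few lines below is guarded with `if detection:`; if `get_rule_part` returns `None` for a rule without a `logsource` block, the test aborts with `AttributeError` instead of reporting that rule. Use `logsource = (self.get_rule_part(file_path=file, part_name="logsource") or {}).values()`. The registry branch re-adds `("Targetobject", "TargetObject")`, which is already in the base `typos` list. The enclosing test method starts before this hunk.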