From 3bcce887866bddf7c053a2f130906a4586bb4108 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Dec 2022 12:18:14 +0100 Subject: [PATCH 01/81] fix: fix issue #3742 --- ..._creation_win_creation_mavinject_process_injection.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml index 1754f8f63..b42c2bcfa 100644 --- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml +++ b/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml @@ -12,9 +12,11 @@ references: - https://twitter.com/gN3mes1s/status/941315826107510784 - https://reaqta.com/2017/12/mavinject-microsoft-injector/ - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet + - https://github.com/SigmaHQ/sigma/issues/3742 + - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection author: frack113, Florian Roth date: 2021/07/12 -modified: 2022/09/07 +modified: 2022/12/05 tags: - attack.defense_evasion - attack.privilege_escalation @@ -26,6 +28,8 @@ logsource: detection: selection_flag: CommandLine|contains: ' /INJECTRUNNING ' + filter_parent: + ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject" selection_renamed: OriginalFileName: - 'mavinject32.exe' @@ -34,7 +38,7 @@ detection: Image|endswith: - '\mavinject32.exe' - '\mavinject64.exe' - condition: selection_flag or (selection_renamed and not filter_renamed) + condition: (selection_flag and not filter_parent) or (selection_renamed and not filter_renamed) fields: - ComputerName - User From d50739ed3e8d3d6f917c0e201ead299b0abc19b1 Mon Sep 17 00:00:00 2001 
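Review bot: The new `filter_parent` in the mavinject hunk exempts every process whose parent is `C:\Windows\System32\AppVClient.exe`, not only the legitimate mavinject binaries, so the exclusion is wider than the comment on that line describes. Narrowing it with an image constraint, e.g. adding `Image|endswith: '\mavinject32.exe'` and `'\mavinject64.exe'` alongside `ParentImage` inside `filter_parent`, keeps the false-positive fix while leaving the `/INJECTRUNNING` detection active for any other child of AppVClient. The new condition `(selection_flag and not filter_parent) or (selection_renamed and not filter_renamed)` needs no change for that.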
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Dec 2022 12:18:51 +0100 Subject: [PATCH 02/81] fix: rename rule for lolbin convention --- ...l => proc_creation_win_lolbin_mavinject_process_injection.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{proc_creation_win_creation_mavinject_process_injection.yml => proc_creation_win_lolbin_mavinject_process_injection.yml} (100%) diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml From f81a960044060d7e533a5fdd541895a5b69ddbaa Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Dec 2022 12:23:48 +0100 Subject: [PATCH 03/81] fix: split mavinject rule --- ...win_lolbin_mavinject_process_injection.yml | 23 +++--------- .../proc_creation_win_renamed_mavinject.yml | 36 +++++++++++++++++++ 2 files changed, 41 insertions(+), 18 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml index b42c2bcfa..2229928fb 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml 
@@ -4,7 +4,7 @@ related: - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 type: obsoletes status: experimental -description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag or a renamed execution of the tool +description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md @@ -26,24 +26,11 @@ logsource: category: process_creation product: windows detection: - selection_flag: + selection: CommandLine|contains: ' /INJECTRUNNING ' - filter_parent: + filter: ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject" - selection_renamed: - OriginalFileName: - - 'mavinject32.exe' - - 'mavinject64.exe' - filter_renamed: - Image|endswith: - - '\mavinject32.exe' - - '\mavinject64.exe' - condition: (selection_flag and not filter_parent) or (selection_renamed and not filter_renamed) -fields: - - ComputerName - - User - - CommandLine - - ParentCommandLine + condition: selection and not filter falsepositives: - - Unlikely + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml new file mode 100644 index 000000000..cc6c21e46 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml 
@@ -0,0 +1,36 @@ +title: Rename Mavinject Execution +id: e6474a1b-5390-49cd-ab41-8d88655f7394 +status: experimental +description: Detects execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md + - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e + - https://twitter.com/gN3mes1s/status/941315826107510784 + - https://reaqta.com/2017/12/mavinject-microsoft-injector/ + - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet + - https://github.com/SigmaHQ/sigma/issues/3742 + - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection +author: frack113, Florian Roth +date: 2022/12/05 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055.001 + - attack.t1218.013 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: + - 'mavinject32.exe' + - 'mavinject64.exe' + filter: + Image|endswith: + - '\mavinject32.exe' + - '\mavinject64.exe' + condition: selection and not filter +falsepositives: + - Unlikely +level: high From dbf114e7cb395b2b506fb0e7404efebc1819aa26 Mon Sep 17 00:00:00 2001 
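Review bot: The title of the new rule file reads `title: Rename Mavinject Execution`, but the rule matches an already renamed binary; `title: Renamed Mavinject Execution` agrees with the description and with the file name `proc_creation_win_renamed_mavinject.yml`. The description breaks into a fragment after "process." — `description: Detects execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag` reads as one sentence. Both are wording-only changes to the new file.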
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Dec 2022 23:52:11 +0100 Subject: [PATCH 04/81] feat: add rules related to scheduled tasks --- .../win_security_disable_event_logging.yml | 4 +- ..._security_susp_scheduled_task_creation.yml | 60 +++++++++++++++++++ ...in_security_susp_scheduled_task_delete.yml | 41 +++++++++++++ ...in_security_susp_scheduled_task_update.yml | 60 +++++++++++++++++++ .../win_rare_schtask_creation.yml | 1 + ...win_task_scheduler_susp_task_locations.yml | 35 +++++++++++ ...proc_creation_win_susp_schtasks_delete.yml | 2 +- 7 files changed, 200 insertions(+), 3 deletions(-) create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml create mode 100644 rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml diff --git a/rules/windows/builtin/security/win_security_disable_event_logging.yml b/rules/windows/builtin/security/win_security_disable_event_logging.yml index f088c7d46..6b3e4985b 100644 --- a/rules/windows/builtin/security/win_security_disable_event_logging.yml +++ b/rules/windows/builtin/security/win_security_disable_event_logging.yml 
@@ -7,7 +7,7 @@ description: | Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways. references: - - https://bit.ly/WinLogsZero2Hero + - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit author: '@neu5ron' date: 2017/11/19 modified: 2021/11/27 @@ -23,7 +23,7 @@ detection: EventID: 4719 AuditPolicyChanges|contains: - '%%8448' # This is "Success removed" - - '%%8450' # This is "Failure removed" + - '%%8450' # This is "Failure removed" condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml new file mode 100644 index 000000000..9678fc815 --- /dev/null +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml 
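Review bot: The reference URL in win_security_disable_event_logging.yml is replaced, but the context line `modified: 2021/11/27` is left as is, while the other rule edits in this series bump `modified` on every content change (patch 01 sets `modified: 2022/12/05`). Setting `modified: 2022/12/05` here keeps the metadata consistent with that convention. The second hunk only realigns the `# This is "Failure removed"` comment and needs nothing further.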
@@ -0,0 +1,60 @@ +title: Suspicious Scheduled Task Creation +id: 3a734d25-df5c-4b99-8034-af1ddb5883a4 +status: experimental +description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags...etc +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.execution + - attack.privilege_escalation + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' +detection: + selection: + EventID: 4698 + selection_paths: + TaskContent|contains: + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + - '\Users\Public\' + - '\WINDOWS\Temp\' + - 'C:\Temp\' + - '\Desktop\' + - '\Downloads\' + - '\Temporary Internet' + - 'C:\ProgramData\' + - 'C:\Perflogs\' + selection_commands: + TaskContent|contains: + - 'regsvr32' + - 'rundll32' + - 'cmd.exe' + - 'cmd' + - '/c ' + - '/k ' + - '/r ' + - 'powershell' + - 'pwsh' + - 'mshta' + - 'wscript' + - 'cscript' + - 'certutil' + - 'bitsadmin' + - 'bash.exe' + - 'bash ' + - 'scrcons' + - 'wmic ' + - 'wmic.exe' + - 'forfiles' + - 'scriptrunner' + - 'hh.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml new file mode 100644 index 000000000..b19494759 --- /dev/null +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml 
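Review bot: In win_security_susp_scheduled_task_creation.yml the `EventID: 4698` constraint sits under the identifier `selection`, but the condition is `all of selection_*`, and that pattern requires the underscore, so `selection` is not part of the condition and the event id is never enforced — as written the rule fires on any security event whose `TaskContent` matches both keyword lists. Renaming the block to `selection_eid:` fixes it and mirrors the naming already used in win_security_susp_scheduled_task_update.yml in the same patch. Separately, `- 'cmd'` in `selection_commands` subsumes `- 'cmd.exe'` and matches the substring anywhere in the task XML; the same pair is duplicated in the update rule.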
@@ -0,0 +1,41 @@ +title: Important Scheduled Task Deleted/Disabled +id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad +related: + - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 + type: similar + - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 + type: similar +status: experimental +description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701 +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.execution + - attack.privilege_escalation + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' +detection: + selection: + EventID: + - 4699 # Task Deleted Event + - 4701 # Task Disabled Event + TaskName|contains: + # Add more important tasks> + - '\Windows\SystemRestore\SR' + - '\Windows\Windows Defender\' + - '\Windows\BitLocker' + - '\Windows\WindowsBackup\' + - '\Windows\WindowsUpdate\' + - '\Windows\UpdateOrchestrator\' + - '\Windows\ExploitGuard' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml new file mode 100644 index 000000000..6c487bf1b --- /dev/null +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml 
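Review bot: The description in win_security_susp_scheduled_task_delete.yml misspells the keyword; `description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities` fixes it. The comment `# Add more important tasks>` carries a stray `>`; `# Add more important tasks below` reads cleanly. The `logsource.definition` text is copied from the creation rule and recommends extracting the Command field from the embedded XML, which this rule does not use — it only matches `TaskName` — so that second sentence of the definition can be dropped here.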
@@ -0,0 +1,60 @@ +title: Suspicious Scheduled Task Update +id: 614cf376-6651-47c4-9dcc-6b9527f749f4 +status: experimental +description: Detects update to a scheduled task event that contain suspicious keywords. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.execution + - attack.privilege_escalation + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' +detection: + selection_eid: + EventID: 4702 + selection_paths: + TaskContentNew|contains: + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + - '\Users\Public\' + - '\WINDOWS\Temp\' + - 'C:\Temp\' + - '\Desktop\' + - '\Downloads\' + - '\Temporary Internet' + - 'C:\ProgramData\' + - 'C:\Perflogs\' + selection_commands: + TaskContentNew|contains: + - 'regsvr32' + - 'rundll32' + - 'cmd.exe' + - 'cmd' + - '/c ' + - '/k ' + - '/r ' + - 'powershell' + - 'pwsh' + - 'mshta' + - 'wscript' + - 'cscript' + - 'certutil' + - 'bitsadmin' + - 'bash.exe' + - 'bash ' + - 'scrcons' + - 'wmic ' + - 'wmic.exe' + - 'forfiles' + - 'scriptrunner' + - 'hh.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml index a3e475175..c614618fc 100644 --- a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml +++ b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml 
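Review bot: win_security_susp_scheduled_task_update.yml detects `EventID: 4702`, but its only reference is the documentation page for 4698 (task created); the matching page for the updated-task event is `https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702`. The description `Detects update to a scheduled task event that contain suspicious keywords.` has a number-agreement problem; `description: Detects updates to a scheduled task whose new content contains suspicious keywords` says the same thing. The keyword lists are a verbatim copy of the creation rule's, so any later tuning has to be applied in both files.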
@@ -12,6 +12,7 @@ tags: logsource: product: windows service: taskscheduler + definition: the "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and should be enabled in order for this detection to work detection: selection: EventID: 106 diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml new file mode 100644 index 000000000..57ef589c5 --- /dev/null +++ b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml @@ -0,0 +1,35 @@ +title: Suspicious Scheduled Tasks Locations +id: 424273ea-7cf8-43a6-b712-375f925e481f +status: test +description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: taskscheduler + definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger' +detection: + selection: + EventID: 129 # Created Task Process + Path|contains: + - 'C:\Windows\Temp\' + - '\AppData\Local\Temp\' + - '\Desktop\' + - '\Downloads\' + - '\Users\Public\' + - 'C:\Temp\' + # Add more suspicious LOLBINs below + - 'C:\Windows\System32\calc.exe' + - 'C:\Windows\System32\regsvr32.exe' + - 'C:\Windows\System32\rundll32.exe' + # If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it + #filter: + # TaskName: '\Exact\Task\Name' + # Path: 'Exact\Path' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml index 84bb696c4..18bf23836 100644 
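Review bot: The added `definition:` in win_rare_schtask_creation.yml is an unquoted plain scalar that starts lowercase and is phrased differently from the definition added to win_task_scheduler_susp_task_locations.yml in the same patch, which is quoted and starts with "Requirements:". Using the same text in both keeps the two taskscheduler rules consistent: `definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" log is disabled by default and needs to be enabled in order for this detection to trigger'`. A plain scalar with embedded double quotes parses fine, so the quoting is a consistency choice rather than a correctness one.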
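Review bot: The description of win_task_scheduler_susp_task_locations.yml misspells "unusual" and runs two ideas into one clause; `description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or is an unusual program to be run from a Scheduled Task` fixes both. The comment above the commented-out filter mentions adding "the Program", while the filter template itself uses the field `Path`, which is also the field the selection matches; `# If you experience FPs, uncomment the filter below and add the specific TaskName together with its Path` keeps the guidance aligned with the field actually used. Keeping the commented `filter:` template in sync with the matched field avoids confusion when someone enables it.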
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml @@ -4,7 +4,7 @@ related: - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 type: derived status: experimental -description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities +description: Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities references: - Internal Research author: Nasreddine Bencherchali From 4184d05e8074361fa06a73c0e2080772cb771bc1 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 00:16:09 +0100 Subject: [PATCH 05/81] fix: escape special "?" character --- .../process_creation/proc_creation_win_susp_conhost.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index 74aca0737..11935cf0d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -46,8 +46,9 @@ detection: Image: 'C:\Windows\System32\conhost.exe' filter_image_conhost2: ParentCommandLine: - - '\??\C:\WINDOWS\system32\conhost.exe 0x4' - - '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + # The "?" needs to be escaped as they considered special characters in SIGMA (https://github.com/SigmaHQ/sigma-specification) + - '\\?\?\C:\WINDOWS\system32\conhost.exe 0x4' + - '\\?\?\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' Image: 'C:\Windows\System32\conhost.exe' filter_image_git: ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' From 72bba4c8224280677105a77fd1c72a370e0119f0 Mon Sep 17 00:00:00 2001 
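Review bot: The rewritten description line in proc_creation_win_susp_schtasks_delete.yml still carries the misspelling "schdueled" from the line it replaces; since the line is touched anyway, `description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities` fixes both. The hunk shows no `modified:` update for this edit; the rest of the rule header is outside the hunk, so it may be handled there.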
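Review bot: Only the two entries of `filter_image_conhost2` receive the escaped form, while the context line `ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'` under `filter_image_git` keeps the unescaped value, where by the reasoning in the added comment the second `?` is still read as a single-character wildcard, so that filter is looser than, and inconsistent with, the entries escaped just above it. The follow-up hunk in patch 09 re-escapes the conhost2 entries again but likewise leaves `filter_image_git` untouched, so both hunks share this gap. The added comment also reads `as they considered special characters`; `# The "?" needs to be escaped as it is considered a special character in SIGMA (https://github.com/SigmaHQ/sigma-specification)` is grammatical.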
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 00:37:07 +0100 Subject: [PATCH 06/81] fix: update rule to be more generic --- .../registry_event_persistence_recycle_bin.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml index c60319ecb..337c3cd4e 100644 --- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml +++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml @@ -4,8 +4,11 @@ status: experimental description: Detects persistence registry keys for Recycle Bin references: - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf + - https://persistence-info.github.io/Data/recyclebin.html + - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ author: frack113 date: 2021/11/18 +modified: 2022/12/06 tags: - attack.persistence - attack.t1547 @@ -15,10 +18,10 @@ logsource: detection: selection_create: EventType: RenameKey - NewName: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open + NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open' selection_set: EventType: SetValue - TargetObject: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default) + TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)' condition: 1 of selection_* falsepositives: - Unknown From c541d52d44c77595d423fe92dca4fc9a41f4e68c Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 01:32:46 +0100 Subject: [PATCH 07/81] fix: update mitre tags and `OriginalFileName` --- .../proc_creation_win_lolbin_wlrmdr.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml index 3fbfaedfd..f8610ea4c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml @@ -6,15 +6,18 @@ references: - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ author: frack113 date: 2022/02/16 -modified: 2022/11/09 +modified: 2022/12/06 tags: - attack.defense_evasion + - attack.t1218 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\wlrmdr.exe' + selection_img: + - Image|endswith: '\wlrmdr.exe' + - OriginalFileName: 'WLRMNDR.EXE' + selection_cli: CommandLine|contains|all: - '-s ' - '-f ' @@ -26,7 +29,7 @@ detection: ParentImage: 'C:\Windows\System32\winlogon.exe' filter_null: ParentImage: '-' - condition: selection and not 1 of filter* + condition: all of selection_* and not 1 of filter* falsepositives: - Unknown level: medium From f673ac923575e20c2c358baa0cabf12b860806eb Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 01:41:18 +0100 Subject: [PATCH 08/81] feat: add parent selection --- .../proc_creation_win_lolbin_wlrmdr.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml index f8610ea4c..9849fbac3 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml 
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml @@ -4,7 +4,7 @@ status: experimental description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute references: - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ -author: frack113 +author: frack113, manasmbellani date: 2022/02/16 modified: 2022/12/06 tags: @@ -14,22 +14,25 @@ logsource: category: process_creation product: windows detection: - selection_img: + selection_child_img: - Image|endswith: '\wlrmdr.exe' - OriginalFileName: 'WLRMNDR.EXE' - selection_cli: + selection_child_cli: CommandLine|contains|all: + # Note that the dash "-" can be replaced with a slash "/" (TODO: Use the "windash" modifier when it's introduced) - '-s ' - '-f ' - '-t ' - '-m ' - '-a ' - '-u ' + selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag + ParentImage|endswith: '\wlrmdr.exe' filter: ParentImage: 'C:\Windows\System32\winlogon.exe' filter_null: ParentImage: '-' - condition: all of selection_* and not 1 of filter* + condition: selection_parent or (all of selection_child_* and not 1 of filter*) falsepositives: - Unknown level: medium From 96574466473d3c62eeb1dc459004658440033ad2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 10:53:57 +0100 Subject: [PATCH 09/81] fix: apply suggestions from code review Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../security/win_security_susp_scheduled_task_creation.yml | 2 +- .../taskscheduler/win_task_scheduler_susp_task_locations.yml | 2 +- .../process_creation/proc_creation_win_susp_conhost.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) 
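Review bot: `selection_parent` matches every process whose parent image ends with `\wlrmdr.exe`, but the inline comment on that line says it is looking for children spawned via the `-u` flag, and nothing in the selection checks the parent's command line. If that restriction is intended, `ParentCommandLine|contains: '-u '` next to `ParentImage|endswith: '\wlrmdr.exe'` expresses it, subject to the same dash/slash caveat recorded in the comment above the flag list. If the broader match is intended, the comment should say so, because the new `condition: selection_parent or (all of selection_child_* and not 1 of filter*)` makes this branch fire on its own.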
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml index 9678fc815..0351da356 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml @@ -1,7 +1,7 @@ title: Suspicious Scheduled Task Creation id: 3a734d25-df5c-4b99-8034-af1ddb5883a4 status: experimental -description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags...etc +description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 author: Nasreddine Bencherchali diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml index 57ef589c5..3a4008f9c 100644 --- a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml +++ b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml @@ -1,6 +1,6 @@ title: Suspicious Scheduled Tasks Locations id: 424273ea-7cf8-43a6-b712-375f925e481f -status: test +status: experimental description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task author: Nasreddine Bencherchali date: 2022/12/05 diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index 11935cf0d..9fc6350aa 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml 
@@ -47,8 +47,8 @@ detection: filter_image_conhost2: ParentCommandLine: # The "?" needs to be escaped as they considered special characters in SIGMA (https://github.com/SigmaHQ/sigma-specification) - - '\\?\?\C:\WINDOWS\system32\conhost.exe 0x4' - - '\\?\?\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4' + - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' Image: 'C:\Windows\System32\conhost.exe' filter_image_git: ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' From 1c5e4371e7f98eaa7abd690292d9f688b9f29e5e Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 10:56:06 +0100 Subject: [PATCH 10/81] fix: add missing modified date --- .../windows/process_creation/proc_creation_win_susp_conhost.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index 9fc6350aa..fe79e160d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -6,7 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 -modified: 2022/11/08 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1202 From 850d4fcd50d051fbcd21733be500ce2d9c460482 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 00:20:56 +0100 Subject: [PATCH 11/81] feat: update windefend rules --- .../windefend/win_defender_amsi_trigger.yml | 2 +- .../windefend/win_defender_disabled.yml | 14 +++---- .../windefend/win_defender_exclusions.yml | 10 ++--- .../win_defender_exploit_guard_tamper.yml | 15 ++++---- .../windefend/win_defender_history_delete.yml | 7 ++-- .../win_defender_restored_quarantine_file.yml | 21 ++++++++++ ...defender_suspicious_features_tampering.yml | 38 +++++++++++++++++++ ...win_defender_tamper_protection_trigger.yml | 20 +++++++--- .../builtin/windefend/win_defender_threat.yml | 8 ++-- 9 files changed, 101 insertions(+), 34 deletions(-) create mode 100644 rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml create mode 100644 rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml diff --git a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml index 9f80f5e71..1f80579fe 100644 --- a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml @@ -15,7 +15,7 @@ logsource: service: windefend detection: selection: - EventID: 1116 + EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software. Source_Name: 'AMSI' condition: selection falsepositives: diff --git a/rules/windows/builtin/windefend/win_defender_disabled.yml b/rules/windows/builtin/windefend/win_defender_disabled.yml index 7791cd210..432ddf5d0 100644 --- a/rules/windows/builtin/windefend/win_defender_disabled.yml +++ b/rules/windows/builtin/windefend/win_defender_disabled.yml 
@@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Ján Trenčanský, frack113 date: 2020/07/28 -modified: 2022/05/06 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 @@ -17,11 +17,11 @@ logsource: detection: selection: EventID: - - 5001 - - 5010 - - 5012 - - 5101 + - 5001 # Real-time protection is disabled. + - 5010 # Scanning for malware and other potentially unwanted software is disabled. + - 5012 # Scanning for viruses is disabled. + - 5101 # The antimalware platform is expired. condition: selection falsepositives: - - Administrator actions -level: low + - Administrator actions (should be investigated) +level: high diff --git a/rules/windows/builtin/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml index 37b8c1c4d..580404ce4 100644 --- a/rules/windows/builtin/windefend/win_defender_exclusions.yml +++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/_nullbind/status/1204923340810543109 author: Christian Burkard date: 2021/07/06 -modified: 2022/02/02 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 @@ -14,10 +14,10 @@ logsource: product: windows service: windefend detection: - selection1: - EventID: 5007 - NewValue|contains: '\Microsoft\Windows Defender\Exclusions' - condition: selection1 + selection: + EventID: 5007 # The antimalware platform configuration changed. + New_Value|contains: '\Microsoft\Windows Defender\Exclusions' + condition: selection falsepositives: - Administrator actions level: medium diff --git a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml index 4840c3746..c2924356e 100644 --- a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml 
+++ b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml @@ -6,18 +6,19 @@ references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali date: 2022/08/05 +modified: 2022/12/06 tags: - - attack.execution - - attack.t1059 + - attack.defense_evasion + - attack.t1562.001 logsource: product: windows service: windefend detection: allowed_apps_key: - EventID: 5007 - NewValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' + EventID: 5007 # The antimalware platform configuration changed. + New_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' allowed_apps_path: - NewValue|contains: + New_Value|contains: # Add more paths you don't allow in your org - '\Users\Public\' - '\AppData\Local\Temp\' @@ -25,9 +26,9 @@ detection: - '\PerfLogs\' - '\Windows\Temp\' protected_folders: - EventID: 5007 + EventID: 5007 # The antimalware platform configuration changed. # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths - OldValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' + Old_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' condition: all of allowed_apps* or protected_folders falsepositives: - Unlikely diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml index 0cfba55f8..8a0b8629b 100644 --- a/rules/windows/builtin/windefend/win_defender_history_delete.yml +++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml 
@@ -4,23 +4,22 @@ status: test description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software". references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus + - https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e author: Cian Heasley date: 2020/08/13 modified: 2022/10/09 tags: - attack.defense_evasion - - attack.t1070.001 logsource: product: windows service: windefend detection: selection: - EventID: 1013 - EventType: 4 + EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software. condition: selection fields: - EventID - EventType falsepositives: - Deletion of Defender malware detections history for legitimate reasons -level: high +level: low diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml new file mode 100644 index 000000000..d997b9ae7 --- /dev/null +++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml 
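Review bot: The `@@ -4,23 +4,22 @@` hunk drops `EventType: 4` from the selection, removes the `attack.t1070.001` tag and lowers `level` from high to low, yet the context line `modified: 2022/10/09` is left unchanged and nothing in the file records why the severity drop is justified; other rules in this series bump `modified` on far smaller edits. Suggest `modified: 2022/12/06` plus a one-line comment next to `EventID: 1013` giving the reason for the new level. `fields:` still lists `EventType` although the selection no longer uses it, which is harmless but now misleading.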
@@ -0,0 +1,21 @@ +title: Win Defender Restored Quarantine File +id: 57b649ef-ff42-4fb0-8bf6-62da243a1708 +status: experimental +description: Detects the restoration of files from the defender quarantine +references: + - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +author: Nasreddine Bencherchali +date: 2022/12/06 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: windefend +detection: + selection: + EventID: 1009 # The antimalware platform restored an item from quarantine. + condition: selection +falsepositives: + - Legitimate administrator activity restoring a file +level: high diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml new file mode 100644 index 000000000..49431e1f1 --- /dev/null +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml 
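Review bot: `id: 57b649ef-ff42-4fb0-8bf6-62da243a1708` in this new file is the same id given to `win_defender_suspicious_features_tampering.yml` in the next hunk of this commit, and Sigma ids must be unique, so one of the two needs a fresh UUID. The title `Win Defender Restored Quarantine File` also departs from the `Windows Defender ...` / `Microsoft Defender ...` naming the sibling rules use. Arguably, mapping a quarantine restore to `attack.t1562.001` (disable or modify tools) is a stretch; a short comment justifying the tag, or a review of the mapping, would help.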
@@ -0,0 +1,38 @@ +title: Windows Defender Suspicious Configuration Changes +id: 57b649ef-ff42-4fb0-8bf6-62da243a1708 +related: + - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f + type: similar + - id: a3ab73f1-bd46-4319-8f06-4b20d0617886 + type: similar +status: stable +description: Detects suspicious changes to the windows defender configuration +references: + - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide + - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware +author: Nasreddine Bencherchali +date: 2022/12/06 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: windefend +detection: + selection: + EventID: 5007 # The antimalware platform configuration changed. + New_Value|contains: + # TODO: Add more suspicious values + - '\Windows Defender\DisableAntiSpyware' + - '\Windows Defender\Features\TamperProtection' + - '\Windows Defender\Scan\DisableRemovableDriveScanning' + - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan' + - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen' + - '\Real-Time Protection\SpyNetReporting' + - '\Real-Time Protection\SubmitSamplesConsent' + # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f + # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886 + condition: selection +falsepositives: + - Administrator activity (must be investigated) +level: high diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml index 5c7202a37..887b9ac52 100644 --- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml 
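Review bot: `status: stable` on a rule created today (`date: 2022/12/06`) is inconsistent with the sibling new rule in this commit, which starts as `experimental`, and with the `# TODO: Add more suspicious values` marker inside the selection that signals the rule is not finished; use `status: experimental`. The bare entries such as `'\Windows Defender\DisableAntiSpyware'` under `NewValue|contains` would also match any longer setting name sharing that prefix; a trailing delimiter on each value, or a comment explaining why prefix matching is acceptable here, would make the intent clear.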
@@ -1,11 +1,13 @@ title: Microsoft Defender Tamper Protection Trigger id: 49e5bc24-8b86-49f1-b743-535f332c2856 status: stable -description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection +description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring" references: - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection -author: Bhabesh Raj + - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +author: Bhabesh Raj, Nasreddine Bencherchali date: 2021/07/05 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 @@ -14,11 +16,17 @@ logsource: service: windefend detection: selection: - EventID: 5013 + EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked. Value|endswith: - - '\Windows Defender\DisableAntiSpyware = 0x1()' - - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)' + - '\Windows Defender\DisableAntiSpyware' + - '\Windows Defender\DisableAntiVirus' + - '\Windows Defender\Scan\DisableArchiveScanning' + - '\Windows Defender\Scan\DisableScanningNetworkFiles' + - '\Real-Time Protection\DisableRealtimeMonitoring' + - '\Real-Time Protection\DisableBehaviorMonitoring' + - '\Real-Time Protection\DisableIOAVProtection' + - '\Real-Time Protection\DisableScriptScanning' condition: selection falsepositives: - - Administrator actions + - Administrator might try to disable defender features during testing (must be investigated) level: high diff --git a/rules/windows/builtin/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml index e2bdd262e..4e917229c 100644 
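Review bot: `Value|endswith` with the bare setting names in the `@@ -14,11 +16,17 @@` hunk is likely to stop matching: the removed patterns show the 5013 `Value` field carrying a suffix after the setting name (`\Windows Defender\DisableAntiSpyware = 0x1()`, `\Real-Time Protection\DisableRealtimeMonitoring = (Current)`), and a value ending in ` = 0x1()` does not end with `\Windows Defender\DisableAntiSpyware`. If that suffix is always present (confirm against a live 5013 event), `Value|contains:` is the operator that fits the new list, possibly with a trailing space per entry so longer setting names are not matched. The three-sentence inline comment on `EventID: 5013` would read better on its own line above the field.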
--- a/rules/windows/builtin/windefend/win_defender_threat.yml +++ b/rules/windows/builtin/windefend/win_defender_threat.yml @@ -15,10 +15,10 @@ logsource: detection: selection: EventID: - - 1006 - - 1116 - - 1015 - - 1117 + - 1006 # The antimalware engine found malware or other potentially unwanted software. + - 1116 # The antimalware platform detected malware or other potentially unwanted software. + - 1015 # The antimalware platform detected suspicious behavior. + - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software. condition: selection falsepositives: - Unlikely From 0d3cb5226691ec196f0f1fd67898000535edffa8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 01:04:25 +0100 Subject: [PATCH 12/81] feat: enhance typos test --- tests/test_rules.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 5d88c97e9..452028809 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
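Review bot: The inline comment on `- 1117` in win_defender_threat.yml reads `# he antimalware platform performed an action ...` and is missing its first letter; it should be `# The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.` Every other event-ID comment added in this commit starts with `The`, so this is the only one affected.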
@@ -907,12 +907,21 @@ class TestRules(unittest.TestCase): typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")] faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): + # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases + # We check first the logsource to handle special cases + logsource = self.get_rule_part(file_path=file, part_name="logsource") + # The current special cases are: + # - 'windefend' + if "windefend" in logsource.values(): + typos_ = typos + [("NewValue", "New_Value"), ("OldValue", "Old_Value")] + else: + typos_ = typos detection = self.get_rule_part(file_path=file, part_name="detection") if detection: for search_identifier in detection: if isinstance(detection[search_identifier], dict): for field in detection[search_identifier]: - for typo in typos: + for typo in typos_: if typo[0] in field: print(Fore.RED + "Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})".format(file, typo[0], typo[1], search_identifier, field)) faulty_rules.append(file) From a7bfb349eee1daf6565033376dc4cdb11513ade0 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 02:25:52 +0100 Subject: [PATCH 13/81] fix: fix fp found in testing --- .../win_security_user_driver_loaded.yml | 20 ++++++++++--------- .../registry_set_susp_service_installed.yml | 7 +++++-- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml index 510820c61..32dd4b9af 100644 --- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml 
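Review bot: `logsource.values()` in the new block raises `AttributeError` when `get_rule_part` returns nothing for a rule without a `logsource` section; the `detection` lookup two lines later is guarded with `if detection:`, which suggests that helper can return a falsy value, so the new line needs the same guard: `if logsource and "windefend" in logsource.values():`. The same unguarded call appears in the follow-up hunk of this file later in the series (`@@ -909,11 +909,14 @@`), where `.values()` is chained directly onto the helper call. The enclosing test method starts before this hunk.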
+++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml @@ -13,7 +13,7 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 -modified: 2021/11/30 +modified: 2022/12/07 tags: - attack.defense_evasion - attack.t1562.001 @@ -27,14 +27,16 @@ detection: PrivilegeList: 'SeLoadDriverPrivilege' Service: '-' filter: - ProcessName|endswith: - - '\Windows\System32\Dism.exe' - - '\Windows\System32\rundll32.exe' - - '\Windows\System32\fltMC.exe' - - '\Windows\HelpPane.exe' - - '\Windows\System32\mmc.exe' - - '\Windows\System32\svchost.exe' - - '\Windows\System32\wimserv.exe' + - ProcessName: + - 'C:\Windows\System32\Dism.exe' + - 'C:\Windows\System32\rundll32.exe' + - 'C:\Windows\System32\fltMC.exe' + - 'C:\Windows\HelpPane.exe' + - 'C:\Windows\System32\mmc.exe' + - 'C:\Windows\System32\svchost.exe' + - 'C:\Windows\System32\wimserv.exe' + - 'C:\Windows\System32\RuntimeBroker.exe' + - ProcessName|endswith: - '\procexp64.exe' - '\procexp.exe' - '\procmon64.exe' diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml index ef1c0a2b7..3952c6ac1 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml 
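Review bot: The rewritten `filter` in the `@@ -27,14 +27,16 @@` hunk pins the first group of exclusions to full paths under `C:\Windows\System32\` but leaves the second group (`\procexp64.exe`, `\procexp.exe`, `\procmon64.exe`, continuing past the hunk) matched by `ProcessName|endswith` only, so that part of the exclusion is satisfied by file name alone wherever the binary sits. That is a reasonable default for tools with no fixed install path, but it deserves the same hint the sibling registry rule in this commit carries: `# Please add the full paths that you use in your environment to tighten the rule`. The end of the filter list is outside the hunk.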
@@ -5,10 +5,10 @@ description: | Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) references: - - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ + - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 -modified: 2022/11/22 +modified: 2022/12/07 tags: - attack.t1562.001 - attack.defense_evasion @@ -23,10 +23,13 @@ detection: - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' filter: Image|endswith: + # Please add the full paths that you use in your environment to tighten the rule - '\procexp64.exe' - '\procexp.exe' - '\procmon64.exe' - '\procmon.exe' + - '\handle.exe' + - '\handle64.exe' Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS' condition: selection and not filter falsepositives: From a425ef65e5bd7e2602ee6fd6762dd8fb1065104f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 02:26:21 +0100 Subject: [PATCH 14/81] feat: update metadata and add more cases for rules --- ...urity_susp_codeintegrity_check_failure.yml | 2 +- .../file_event_win_susp_dropper.yml | 1 + .../proc_creation_win_chisel_usage.yml | 8 +++-- .../proc_creation_win_sharp_chisel_usage.yml | 23 ++++--------- ...add_renamed_sysinternals_eula_accepted.yml | 32 +++++++++++++------ 5 files changed, 35 insertions(+), 31 deletions(-) diff --git a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml index 78d011da9..19f0bf9c4 100644 --- a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml 
+++ b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml @@ -1,7 +1,7 @@ title: Failed Code Integrity Checks id: 470ec5fa-7b4e-4071-b200-4c753100f49b status: stable -description: Code integrity failures may indicate tampered executables. +description: Detects Code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a signe of tampered binaries. author: Thomas Patzke date: 2019/12/03 modified: 2020/08/23 diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml index 3f768d093..ae5f00683 100644 --- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml +++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml @@ -80,5 +80,6 @@ detection: falsepositives: - Software installers - Update utilities + - 32bit applications launching their 64bit versions #Please contribute to FP to increase the level level: low diff --git a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml index 694b2775a..002083247 100644 --- a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml @@ -8,8 +8,10 @@ description: Detects usage of the Chisel tunneling tool via the commandline argu references: - https://github.com/jpillora/chisel/ - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ + - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/ author: Florian Roth date: 2022/09/13 +modified: 2022/12/07 tags: - attack.command_and_control - attack.t1090.001 
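Review bot: The new description still contains a grammatical slip (`due unauthorized modification` should be `due to unauthorized modification`) and the misspelling `signe`, and the context line `modified: 2020/08/23` is left untouched even though the rule text changed; every other edited rule in this series bumps `modified`. Suggest `description: Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.` together with `modified: 2022/12/07`. The follow-up hunk for this file (`@@ -1,7 +1,7 @@` under PATCH 21) fixes `signe` only and leaves both `due unauthorized` and the stale `modified` date.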
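Review bot: The inline comment appended to the new false-positive entry in file_event_win_susp_dropper.yml, `#Please contribute to FP to increase the level`, lacks the spacing yamllint expects (two spaces before `#`, one after) and reads oddly; `- 32bit applications launching their 64bit versions  # Please contribute FP examples so the level can be raised` keeps the intent. The diffstat for this file shows a single insertion, so `modified` (outside the hunk) is not bumped by this commit.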
@@ -25,11 +27,11 @@ detection: - 'exe server ' selection_param2: CommandLine|contains: - - ' --socks5' - - ' --reverse' + - '-socks5' + - '-reverse' - ' r:' - ':127.0.0.1:' - - ' --tls-skip-verify ' + - '-tls-skip-verify ' - ':socks' condition: selection_img or all of selection_param* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml index 012766883..ed5fe8397 100644 --- a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml @@ -18,22 +18,11 @@ logsource: category: process_creation product: windows detection: - selection_1_img: - Image|endswith: '\SharpChisel.exe' - selection_1_pe: - Product: 'SharpChisel' - # Covered by Chisel Rule - # selection_2_client_server: - # CommandLine|contains: - # - 'exe client ' - # - 'exe server ' - # selection_2_flags: - # CommandLine|contains: - # - ' --socks5' - # - ' --reverse' - # - ' r:' - # - ':127.0.0.1:' - condition: 1 of selection* + selection: + - Image|endswith: '\SharpChisel.exe' + - Product: 'SharpChisel' + # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage + condition: selection falsepositives: - - Some false positives may occure with other tools with similar commandlines + - Unlikely level: high diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml index 0bf48f7de..c0e5aab00 100644 --- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml 
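Review bot: The shortened flags in the `@@ -25,11 +27,11 @@` hunk are inconsistent: `'-socks5'` and `'-reverse'` drop both the leading and the trailing space, but `'-tls-skip-verify '` keeps a trailing space, so a command line whose last argument is `--tls-skip-verify` no longer matches this selection while the other two flags still would. Use `- '-tls-skip-verify'` for consistency, or state in a comment why the trailing space is intentional. The widening from ` --reverse` to `-reverse` is bounded by the `all of selection_param*` condition, so it does not broaden matches on its own.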
@@ -6,11 +6,12 @@ related: - id: 8023f872-3f1d-4301-a384-801889917ab4 type: similar status: experimental -description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools +description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools references: - Internal Research author: Nasreddine Bencherchali date: 2022/08/24 +modified: 2022/12/07 tags: - attack.resource_development - attack.t1588.002 @@ -21,33 +22,44 @@ detection: selection: EventType: CreateKey TargetObject|contains: - - '\PsExec' - - '\ProcDump' + # Please add new values while respecting the alphabetical order + - '\Active Directory Explorer' - '\Handle' - '\LiveKd' + - '\ProcDump' - '\Process Explorer' + - '\PsExec' + - '\PsLoggedon' - '\PsLoglist' - '\PsPasswd' - - '\Active Directory Explorer' + - '\PsPing' + - '\PsService' TargetObject|endswith: '\EulaAccepted' filter: Image|endswith: - - '\PsExec.exe' - - '\PsExec64.exe' - - '\procdump.exe' - - '\procdump64.exe' + # Please add new values while respecting the alphabetical order + - '\ADExplorer.exe' + - '\ADExplorer64.exe' - '\handle.exe' - '\handle64.exe' - '\livekd.exe' - '\livekd64.exe' + - '\procdump.exe' + - '\procdump64.exe' - '\procexp.exe' - '\procexp64.exe' + - '\PsExec.exe' + - '\PsExec64.exe' + - '\PsLoggedon.exe' + - '\PsLoggedon64.exe' - '\psloglist.exe' - '\psloglist64.exe' - '\pspasswd.exe' - '\pspasswd64.exe' - - '\ADExplorer.exe' - - '\ADExplorer64.exe' + - '\PsPing.exe' + - '\PsPing64.exe' + - '\PsService.exe' + - '\PsService64.exe' condition: selection and not filter falsepositives: - Unlikely From 899b1606f8165f4e303d45179fd8296f81167426 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 02:38:19 +0100 Subject: [PATCH 15/81] fix: duplicate id --- .../builtin/windefend/win_defender_restored_quarantine_file.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml index d997b9ae7..81aea09c4 100644 --- a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml +++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml @@ -1,5 +1,5 @@ title: Win Defender Restored Quarantine File -id: 57b649ef-ff42-4fb0-8bf6-62da243a1708 +id: bc92ca75-cd42-4d61-9a37-9d5aa259c88b status: experimental description: Detects the restoration of files from the defender quarantine references: From 1d749cee54c6985ce8bf65731aacd3d1c9dc6652 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 02:44:31 +0100 Subject: [PATCH 16/81] fix: duplicate id --- .../windefend/win_defender_suspicious_features_tampering.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 49431e1f1..3f38a6d85 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml @@ -1,5 +1,5 @@ title: Windows Defender Suspicious Configuration Changes -id: 57b649ef-ff42-4fb0-8bf6-62da243a1708 +id: 801bd44f-ceed-4eb6-887c-11544633c0aa related: - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f type: similar From b59566ad0f39ed76c36fcc26086c98dd49299106 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 11:52:38 +0100 Subject: [PATCH 17/81] fix: fix FP found in testing --- .../file/file_event/file_event_win_susp_dropper.yml | 7 ++++++- .../process_creation/proc_creation_win_susp_cmd.yml | 12 +++++++++--- .../proc_creation_win_susp_conhost.yml | 11 +++++++---- 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml index ae5f00683..c52e47eb5 100644 --- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml +++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml @@ -6,7 +6,7 @@ references: - Malware Sandbox author: frack113 date: 2022/03/09 -modified: 2022/11/08 +modified: 2022/12/07 tags: - attack.resource_development - attack.t1587.001 @@ -76,6 +76,11 @@ detection: Image|startswith: 'C:\Windows\Microsoft.NET\Framework\' Image|endswith: '\mscorsvw.exe' TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_' + filter_vscode: + Image|startswith: 'C:\Users\' + Image|contains: '\AppData\Local\' + Image|endswith: '\Microsoft VS Code\Code.exe' + TargetFilename|contains: '\.vscode\extensions\' condition: selection and not 1 of filter_* falsepositives: - Software installers diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml index 0878576b8..5af183017 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml @@ -6,6 +6,7 @@ references: - https://github.com/Wh04m1001/SysmonEoP author: frack113 date: 2022/12/05 +modified: 2022/12/07 tags: - attack.privilege_escalation - attack.defense_evasion 
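Review bot: The new `filter_vscode` exclusion in the `@@ -76,6 +76,11 @@` hunk is built only from path fragments under the user profile (`Image|startswith: 'C:\Users\'`, `Image|contains: '\AppData\Local\'`, `Image|endswith: '\Microsoft VS Code\Code.exe'`, `TargetFilename|contains: '\.vscode\extensions\'`), all user-writable locations, so it identifies VS Code by file location and name alone rather than by anything the file_event source can attest about the binary. That is a fair trade for a low-level rule, but it should be recorded so a tuner does not mistake it for a strong exclusion: `# Path-only exclusion under the user profile; file_event carries no signer information to tighten it`. The surrounding `filter_*` entries and the `condition` are unchanged.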
@@ -16,11 +17,11 @@ logsource: category: process_creation detection: selection_shell: - - Image|endswith: + - Image|endswith: - '\powershell.exe' - '\pwsh.exe' - '\cmd.exe' - - OriginalFileName: + - OriginalFileName: - 'PowerShell.EXE' - 'pwsh.dll' - 'Cmd.Exe' @@ -29,7 +30,12 @@ detection: - 'AUTHORI' - 'AUTORI' LogonId: '0x3e7' - condition: all of selection_* + filter_compattelrunner: + ParentImage: 'C:\Windows\System32\CompatTelRunner.exe' + ParentCommandLine|contains: '-m:appraiser.dll -f:DoScheduledTelemetryRun' + OriginalFileName: 'PowerShell.EXE' + CommandLine|contains: '-ExecutionPolicy Restricted -Command Write-Host' + condition: all of selection_* and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index fe79e160d..ea149ab69 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -6,7 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 -modified: 2022/12/06 +modified: 2022/12/07 tags: - attack.defense_evasion - attack.t1202 @@ -42,7 +42,9 @@ detection: # Example FP: # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228 Provider_Name: 'Microsoft-Windows-Kernel-Process' - ParentCommandLine|contains: ' cat-file -s ' + ParentCommandLine|contains: + - ' cat-file -s ' + - 'show --textconv' Image: 'C:\Windows\System32\conhost.exe' filter_image_conhost2: ParentCommandLine: 
@@ -51,9 +53,10 @@ detection: - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' Image: 'C:\Windows\System32\conhost.exe' filter_image_git: - ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + ParentCommandLine: + - \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' + - \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4' Image: 'C:\Program Files\Git\mingw64\bin\git.exe' - CommandLine|contains: 'show --textconv :' condition: selection and not 1 of filter_* fields: - Image From 9a5a0fed207f4a5e3b2c03ed3a55ebdba7ed7211 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:21:05 +0100 Subject: [PATCH 18/81] feat: update test to include more cases --- .../builtin/windefend/win_defender_amsi_trigger.yml | 4 ++-- .../builtin/windefend/win_defender_exclusions.yml | 2 +- .../windefend/win_defender_exploit_guard_tamper.yml | 6 +++--- .../win_defender_suspicious_features_tampering.yml | 2 +- tests/test_rules.py | 13 ++++++++----- 5 files changed, 15 insertions(+), 12 deletions(-) diff --git a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml index 1f80579fe..1c18c99c1 100644 --- a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps author: Bhabesh Raj date: 2020/09/14 -modified: 2021/10/13 +modified: 2022/12/07 tags: - attack.execution - attack.t1059 @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software. - Source_Name: 'AMSI' + SourceName: 'AMSI' condition: selection falsepositives: - Unlikely 
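Review bot: Both new `ParentCommandLine` values in `filter_image_git` start without an opening quote but end with `'`, unlike the quoted `'\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'` shown two lines above in `filter_image_conhost2`; as plain scalars they carry a literal trailing `'` and therefore never match, which silently disables this exclusion. Change them to `- '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'` and `- '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4'`. Note that once fixed, the exclusion is broader than before because the `CommandLine|contains: 'show --textconv :'` constraint was removed in the same hunk.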
diff --git a/rules/windows/builtin/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml index 580404ce4..9ecb61821 100644 --- a/rules/windows/builtin/windefend/win_defender_exclusions.yml +++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 5007 # The antimalware platform configuration changed. - New_Value|contains: '\Microsoft\Windows Defender\Exclusions' + NewValue|contains: '\Microsoft\Windows Defender\Exclusions' condition: selection falsepositives: - Administrator actions diff --git a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml index c2924356e..692e62478 100644 --- a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml +++ b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml @@ -16,9 +16,9 @@ logsource: detection: allowed_apps_key: EventID: 5007 # The antimalware platform configuration changed. - New_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' + NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' allowed_apps_path: - New_Value|contains: + NewValue|contains: # Add more paths you don't allow in your org - '\Users\Public\' - '\AppData\Local\Temp\' @@ -28,7 +28,7 @@ detection: protected_folders: EventID: 5007 # The antimalware platform configuration changed. # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths - Old_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' + OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' condition: all of allowed_apps* or protected_folders falsepositives: - Unlikely 
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 3f38a6d85..3fac677bf 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml @@ -21,7 +21,7 @@ logsource: detection: selection: EventID: 5007 # The antimalware platform configuration changed. - New_Value|contains: + NewValue|contains: # TODO: Add more suspicious values - '\Windows Defender\DisableAntiSpyware' - '\Windows Defender\Features\TamperProtection' diff --git a/tests/test_rules.py b/tests/test_rules.py index 452028809..e2cd3cf18 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -909,11 +909,14 @@ class TestRules(unittest.TestCase): for file in self.yield_next_rule_file_path(self.path_to_rules): # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases # We check first the logsource to handle special cases - logsource = self.get_rule_part(file_path=file, part_name="logsource") - # The current special cases are: - # - 'windefend' - if "windefend" in logsource.values(): - typos_ = typos + [("NewValue", "New_Value"), ("OldValue", "Old_Value")] + logsource = self.get_rule_part(file_path=file, part_name="logsource").values() + # add more typos in specific logsources below + if "windefend" in logsource: + typos_ = typos + [("New_Value", "NewValue"), ("Old_Value", "OldValue"), ('Source_Name', 'SourceName'), ("Newvalue", "NewValue"), ("Oldvalue", "OldValue"), ('Sourcename', 'SourceName')] + elif "registry_set" in logsource or "registry_add" in logsource or "registry_event" in logsource: + typos_ = typos + [("Targetobject", "TargetObject"), ("Eventtype", "EventType"), ("Newname", "NewName")] + elif "process_creation" in logsource: + typos_ = typos + [("Parentimage", "ParentImage"), ("Integritylevel", "IntegrityLevel"), ("IntegritiLevel", "IntegrityLevel")] else: typos_ = typos detection = self.get_rule_part(file_path=file, part_name="detection") From 8482d33708ad31025dc02ab1a588ca356185d322 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:27:14 +0100 Subject: [PATCH 19/81] fix: add rule to fp filter --- .github/workflows/known-FPs.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index bbb1f00d1..696bedc49 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv 
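Review bot: The `registry_*` branch adds `("Targetobject", "TargetObject")`, which is already in the base `typos` list defined above the hunk, so for a registry rule the same field is printed and appended to `faulty_rules` twice; drop it from the branch list. The tuples also mix quote styles (`'Source_Name'`, `'Sourcename'` next to `"New_Value"`); use double quotes to match the rest of the list. A `.values()` call chained directly onto `get_rule_part(...)` with no guard is kept here, so a rule lacking a `logsource` section would raise rather than be reported. The enclosing test method starts before this hunk.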
@@ -44,3 +44,4 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe +801bd44f-ceed-4eb6-887c-11544633c0aa;Windows Defender Suspicious Configuration Changes;.* From b1a657b7de08fd2162dacbd0ebd4172d6ff0b1d9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:27:27 +0100 Subject: [PATCH 20/81] fix: add spaces to avoid fp with other keys --- .../win_defender_suspicious_features_tampering.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 3fac677bf..65117fb6b 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml 
@@ -23,13 +23,13 @@ detection: EventID: 5007 # The antimalware platform configuration changed. NewValue|contains: # TODO: Add more suspicious values - - '\Windows Defender\DisableAntiSpyware' - - '\Windows Defender\Features\TamperProtection' - - '\Windows Defender\Scan\DisableRemovableDriveScanning' - - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan' - - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen' - - '\Real-Time Protection\SpyNetReporting' - - '\Real-Time Protection\SubmitSamplesConsent' + - '\Windows Defender\DisableAntiSpyware ' + - '\Windows Defender\Features\TamperProtection ' + - '\Windows Defender\Scan\DisableRemovableDriveScanning ' + - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan ' + - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen ' + - '\Real-Time Protection\SpyNetReporting ' + - '\Real-Time Protection\SubmitSamplesConsent ' # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886 condition: selection From f12975bc6b6af39c2f35493f2cfb6f1bb26bd0e2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:34:56 +0100 Subject: [PATCH 21/81] fix: update description Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../security/win_security_susp_codeintegrity_check_failure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml index 19f0bf9c4..9ea2d5750 100644 --- a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml +++ b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml 
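Review bot: The trailing space now appended to every `NewValue|contains` entry is doing real work, stopping `\Windows Defender\DisableAntiSpyware ` from also matching longer setting names that share the prefix, but nothing in the file says so and the commit message is the only record; the next contributor acting on `# TODO: Add more suspicious values` can easily drop it. Add above the list: `# Each value ends with a space so the setting name is matched as a whole (the event renders "<setting> = <value>")`. That rendering is inferred from the removed 5013 patterns elsewhere in this series; confirm against a live 5007 event before relying on it.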
@@ -1,7 +1,7 @@
 title: Failed Code Integrity Checks
 id: 470ec5fa-7b4e-4071-b200-4c753100f49b
 status: stable
-description: Detects Code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a signe of tampered binaries.
+description: Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
 author: Thomas Patzke
 date: 2019/12/03
 modified: 2020/08/23
From d393b57c361f1f25c0558e7a1cc9397c34d05a2d Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Thu, 8 Dec 2022 11:49:53 +0530
Subject: [PATCH 22/81] Detection for LSASS Shtinkering
---
 .../file_event_lsass_shtinkering.yml | 23 +++++++++++++
 .../proc_creation_lsass_shtinkering.yml | 32 +++++++++++++++++++
 .../registry_add_usermode_dumping_enabled.yml | 23 +++++++++++++
 ...ass_usermode_dumping_lsass_shtinkering.yml | 24 ++++++++++++++
 4 files changed, 102 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_lsass_shtinkering.yml
 create mode 100644 rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
 create mode 100644 rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml
diff --git a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml
new file mode 100644
index 000000000..ccd828eff
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml
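Review bot: The corrected description still reads `due unauthorized modification` on the added line; it should be `due to unauthorized modification`. The `modified: 2020/08/23` context line is also left untouched although the rule text changed, whereas the other rule edits in this series bump `modified` to the edit date.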
@@ -0,0 +1,23 @@
+title: Suspicious LSASS Dump using LSASS Shtinkering
+id: 6902955a-01b7-432c-b32a-6f5f81d8f625
+status: experimental
+description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped.
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+author: '@pbssubhash'
+modified: 2022/12/08
+tags:
+ - attack.credential_access
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains|all:
+ - 'lsass.exe'
+ - 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps'
+ TargetFilename|endswith: '.dmp'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
new file mode 100644
index 000000000..0bb7a5920
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
@@ -0,0 +1,32 @@
+title: Suspicious LSASS Dumping using Windows Error Reporting
+id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
+status: experimental
+description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped.
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+author: '@pbssubhash'
+date: 2022/12/08
+modified: 2022/12/08
+tags:
+ - attack.credential_access
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ - Image|endswith: '\Werfault.exe'
+ - OriginalFileName: 'WerFault.Exe'
+ - CommandLine|contains:
+ - '-u '
+ - '-p'
+ - '-ip '
+ - '-s '
+ # C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
+ selection_parent:
+ ParentImage|endswith: '\7zFM.exe'
+ filter_lsass:
+ ParentImage|endswith: 'C:\Windows\System32\lsass.exe'
+ condition: selection and not filter_lsass
+falsepositives:
+ - Windows Error Reporting might have similar behavior and in that case, check the process associated with "-ip" parameter in CommandLine.
+level: high
diff --git a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
new file mode 100644
index 000000000..16cc7d143
--- /dev/null
+++ b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
@@ -0,0 +1,23 @@
+title: Adding of a registry key for LSASS Shtinkering
+id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718
+status: experimental
+description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack.
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+author: '@pbssubhash'
+date: 2022/12/08
+modified: 2022/12/08
+tags:
+ - attack.credential_access
+logsource:
+ category: registry_add
+ product: windows
+detection:
+ selection:
+ EventType: CreateKey
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
+ condition: selection
+falsepositives:
+ - Legitimate usage of enabling user mode dumping (Not seen in the wild)
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml
new file mode 100644
index 000000000..b282b2d17
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml
@@ -0,0 +1,24 @@
+title: Setting of a registry key's value for LSASS Shtinkering
+id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718
+status: experimental
+description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack.
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+author: '@pbssubhash'
+date: 2022/12/08
+modified: 2022/12/08
+tags:
+ - attack.credential_access
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject:
+ - HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
+ Details: 2
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 9ea5fac51c876ed758aa00385f593062b9108aed Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Thu, 8 Dec 2022 11:56:40 +0530
Subject: [PATCH 23/81] Update proc_creation_lsass_shtinkering.yml
---
 .../process_creation/proc_creation_lsass_shtinkering.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
index 0bb7a5920..e4887f13c 100644
--- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
+++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
@@ -16,7 +16,7 @@ detection:
 selection:
 - Image|endswith: '\Werfault.exe'
 - OriginalFileName: 'WerFault.Exe'
- - CommandLine|contains:
+ - CommandLine|contains|all:
 - '-u '
 - '-p'
 - '-ip '
From 4bb1df9f6e0631585b219cacbe5d0623a9ef680c Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Thu, 8 Dec 2022 12:03:02 +0530
Subject: [PATCH 24/81] Update to remove FP
---
 .../process_creation/proc_creation_lsass_shtinkering.yml | 2 --
 .../registry_add/registry_add_usermode_dumping_enabled.yml | 4 +++-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
index e4887f13c..1aa5c4f40 100644
--- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
+++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
@@ -22,8 +22,6 @@ detection:
 - '-ip '
 - '-s '
 # C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
- selection_parent:
- ParentImage|endswith: '\7zFM.exe'
 filter_lsass:
 ParentImage|endswith: 'C:\Windows\System32\lsass.exe'
 condition: selection and not filter_lsass
diff --git a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
index 16cc7d143..c610cd2d6 100644
--- a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
+++ b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
@@ -17,7 +17,9 @@ detection:
 EventType: CreateKey
 TargetObject|contains:
 - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
- condition: selection
+ filter:
+ TargetObject|endswith: '.exe'
+ condition: selection and not filter
 falsepositives:
 - Legitimate usage of enabling user mode dumping (Not seen in the wild)
 level: high
From bea46b2b9ef171d8a989a059085e85196fe7a227 Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Thu, 8 Dec 2022 12:13:25 +0530
Subject: [PATCH 25/81] Update to modify FP and UUID
---
 .github/workflows/known-FPs.csv | 1 +
 ..._shtinkering.yml => registry_set_lsass_usermode_dumping.yml} | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 rename rules/windows/registry/registry_set/{registry_set_lsass_usermode_dumping_lsass_shtinkering.yml => registry_set_lsass_usermode_dumping.yml} (94%)
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index bbb1f00d1..9b7911bb3 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -44,3 +44,4 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe
 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
+33efc23c-6ea2-4503-8cfe-bdf82ce8f718;Adding of a registry key for LSASS Shtinkering;\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps
diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
similarity index 94%
rename from rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml
rename to rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
index b282b2d17..dab1b1a9c 100644
--- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
@@ -1,5 +1,5 @@
 title: Setting of a registry key's value for LSASS Shtinkering
-id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718
+id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
 status: experimental
 description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack.
 references:
From edc99c92a2e2a7eda7516df6f7aef5a562095ef2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 8 Dec 2022 11:02:56 +0100
Subject: [PATCH 26/81] fix: enhance rules related to Lsass-Shtinkering
---
 .github/workflows/known-FPs.csv | 1 -
 .../file_event_lsass_shtinkering.yml | 17 +++++----
 .../proc_creation_lsass_shtinkering.yml | 37 +++++++++++--------
 .../registry_add_usermode_dumping_enabled.yml | 25 -------------
 .../registry_set_lsass_usermode_dumping.yml | 17 +++++----
 5 files changed, 41 insertions(+), 56 deletions(-)
 delete mode 100644 rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 9b7911bb3..bbb1f00d1 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
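Review bot: The new id `33efc23c-6ea2-4503-8cfe-bdf82ce8f719` is the registry_add rule's id with its last hex digit incremented, not a freshly generated UUID. Sigma rule ids are by convention random v4 UUIDs so that two rules cannot be confused with each other or collide with a later copy of either file; generate one with `uuidgen` (or `python3 -c 'import uuid; print(uuid.uuid4())'`) and use that value on the `+id:` line instead.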
@@ -44,4 +44,3 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe
 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
-33efc23c-6ea2-4503-8cfe-bdf82ce8f718;Adding of a registry key for LSASS Shtinkering;\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps
diff --git a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml
index ccd828eff..522ab6eb3 100644
--- a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml
+++ b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml
@@ -1,23 +1,24 @@
-title: Suspicious LSASS Dump using LSASS Shtinkering
+title: LSASS Process Dump Artefact In CrashDumps Folder
 id: 6902955a-01b7-432c-b32a-6f5f81d8f625
 status: experimental
-description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped.
+description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
 references:
 - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 author: '@pbssubhash'
-modified: 2022/12/08
+date: 2022/12/08
 tags:
 - attack.credential_access
+ - attack.t1003.001
 logsource:
 product: windows
 category: file_event
 detection:
 selection:
- TargetFilename|contains|all:
- - 'lsass.exe'
- - 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps'
+ TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
+ TargetFilename|contains: 'lsass.exe.'
 TargetFilename|endswith: '.dmp'
 condition: selection
 falsepositives:
- - Unknown
-level: high
\ No newline at end of file
+ - Rare legitimate dump of the process by the operating system due to a crash of lsass
+level: high
diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
index 1aa5c4f40..a88adb413 100644
--- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
+++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
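Review bot: The `TargetFilename|startswith` prefix pins the rule to the default LocalDumps location of the SYSTEM profile on drive `C:`, but WER writes dumps wherever the LocalDumps `DumpFolder` value points (it is described on the Microsoft collecting-user-mode-dumps page that the registry_set rule in this commit references), and nothing in this commit watches that value. Document the assumption so the gap is a deliberate one, e.g. `# Default LocalDumps path for the SYSTEM profile; a configured DumpFolder redirects dumps elsewhere`, and consider a companion registry_set rule on changes to `DumpFolder` under the LocalDumps key. The `TargetFilename|contains: 'lsass.exe.'` anchor is a good tightening over the previous bare `'lsass.exe'`, presumably because WER names dumps `<image>.<pid>.dmp`; stating that in a comment would make the trailing dot look intentional rather than a typo.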
@@ -1,30 +1,37 @@
-title: Suspicious LSASS Dumping using Windows Error Reporting
+title: Potential Credential Dumping Via Windows Error Reporting
 id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
 status: experimental
-description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped.
+description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
 references:
 - https://github.com/deepinstinct/Lsass-Shtinkering
-author: '@pbssubhash'
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+author: '@pbssubhash , Nasreddine Bencherchali'
 date: 2022/12/08
-modified: 2022/12/08
 tags:
 - attack.credential_access
+ - attack.t1003.001
 logsource:
 product: windows
 category: process_creation
 detection:
- selection:
+ selection_img:
 - Image|endswith: '\Werfault.exe'
- - OriginalFileName: 'WerFault.Exe'
- - CommandLine|contains|all:
- - '-u '
- - '-p'
- - '-ip '
- - '-s '
- # C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
+ - OriginalFileName: 'WerFault.exe'
+ selection_cli:
+ ParentUser|contains: # covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ User|contains:
+ - 'AUTHORI'
+ - 'AUTORI'
+ CommandLine|contains|all:
+ # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
+ - ' -u -p '
+ - ' -ip '
+ - ' -s '
 filter_lsass:
- ParentImage|endswith: 'C:\Windows\System32\lsass.exe'
- condition: selection and not filter_lsass
+ ParentImage: 'C:\Windows\System32\lsass.exe'
+ condition: all of selection_* and not 1 of filter_*
 falsepositives:
- - Windows Error Reporting might have similar behavior and in that case, check the process associated with "-ip" parameter in CommandLine.
+ - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
 level: high
diff --git a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
deleted file mode 100644
index c610cd2d6..000000000
--- a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Adding of a registry key for LSASS Shtinkering
-id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718
-status: experimental
-description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack.
-references:
- - https://github.com/deepinstinct/Lsass-Shtinkering
-author: '@pbssubhash'
-date: 2022/12/08
-modified: 2022/12/08
-tags:
- - attack.credential_access
-logsource:
- category: registry_add
- product: windows
-detection:
- selection:
- EventType: CreateKey
- TargetObject|contains:
- - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
- filter:
- TargetObject|endswith: '.exe'
- condition: selection and not filter
-falsepositives:
- - Legitimate usage of enabling user mode dumping (Not seen in the wild)
-level: high
diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
index dab1b1a9c..c362fe0e6 100644
--- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml
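Review bot: Nothing in `selection_cli` ties the WerFault invocation to lsass: ` -u -p ` / ` -ip ` / ` -s ` is the generic user-mode crash-reporting command line and the `AUTHORI`/`AUTORI` checks only require a SYSTEM-context parent and child, so the only lsass-specific element is the exclusion of lsass as the parent in `filter_lsass`, and any other SYSTEM process reporting a crash through WerFault with these arguments would presumably match as well. The description should state that scope, and the falsepositives entry should tell the analyst to compare the `-p` PID against the running lsass PID, ideally pointing at the file_event rule `6902955a-01b7-432c-b32a-6f5f81d8f625` from this commit as the confirming artefact. `ParentUser` may not be populated by every process-creation source; where the backend lacks that field the `all of selection_*` condition can never be true, which deserves a comment next to it such as `# ParentUser requires a source that logs the parent's user (e.g. newer Sysmon versions)`. Minor: the author string `'@pbssubhash , Nasreddine Bencherchali'` has a stray space before the comma.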
@@ -1,24 +1,27 @@
-title: Setting of a registry key's value for LSASS Shtinkering
+title: Lsass Full Dump Request Via DumpType Registry Settings
 id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
 status: experimental
-description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack.
+description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
 references:
 - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 author: '@pbssubhash'
 date: 2022/12/08
-modified: 2022/12/08
 tags:
 - attack.credential_access
+ - attack.t1003.001
 logsource:
 category: registry_set
 product: windows
 detection:
 selection:
 EventType: SetValue
- TargetObject:
- - HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
- Details: 2
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
+ - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
+ Details: 'DWORD (0x00000002)' # Full Dump
 condition: selection
 falsepositives:
- - Unknown
+ - Legitimate application that needs to do a full dump of their process
 level: high
From bfcdcf2b9c21191905f293ae54aaf5599c4c9eb9 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 8 Dec 2022 11:44:59 +0100
Subject: [PATCH 27/81] fix: remove fp filter
---
 .github/workflows/known-FPs.csv | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 696bedc49..bbb1f00d1 100644
--- a/.github/workflows/known-FPs.csv
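Review bot: `Details: 'DWORD (0x00000002)'` hard-codes one source's rendering of the registry data; a registry_set log that reports the value as a bare number (as the removed `Details: 2` assumed) will never match, so the expected format should be stated, e.g. `# Value as rendered by the Sysmon registry value-set event`. The first `TargetObject|contains` entry, `\LocalDumps\DumpType`, is the machine-wide setting that developer and support machines enable for crash analysis, so the falsepositives entry could name that case explicitly (`Developer or support machines with full user-mode dumps enabled globally`) and `level: high` is arguably too strong for the global key alone. Also `Technique such as` in the description should read `Techniques such as`.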
+++ b/.github/workflows/known-FPs.csv
@@ -44,4 +44,3 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe
 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
-801bd44f-ceed-4eb6-887c-11544633c0aa;Windows Defender Suspicious Configuration Changes;.*
From 2506d29bc9b0043c6be21a6ccb5c54763139319a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 8 Dec 2022 11:57:26 +0100
Subject: [PATCH 28/81] feat: add more checks for the test
---
 tests/test_rules.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 5d88c97e9..22d3bd755 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -882,8 +882,12 @@ class TestRules(unittest.TestCase):
 continue
 if selection == "timeframe":
 continue
- if selection in condition:
+
+ # remove special keywords
+ condition_list = condition.replace("not ", '').replace("1 of ", '').replace("all of ", '').replace(' or ', ' ').replace(' and ', ' ').replace('(', '').replace(')', '').split(" ")
+ if selection in condition_list:
 continue
+
+ # find all wildcards in condition
 found = False
 for wildcard_selection in wildcard_selections.findall(condition):
From 0567ca8ca3b055efca601f4f8686d9cdab118b90 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 8 Dec 2022 11:57:40 +0100
Subject: [PATCH 29/81] fix: fix unused selection
---
 .../security/win_security_susp_scheduled_task_creation.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
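Review bot: The keyword stripping in the added `condition_list` line is brittle: `"1 of "` only covers a count of one (`2 of selection*` is left as-is), `"not "` is removed by plain substring replacement so a selection named e.g. `selection_not` followed by a space is mangled into `selection_`, and `.split(" ")` yields empty tokens wherever two separators were adjacent. Tokenising the condition and dropping the keywords is shorter and complete, e.g. `condition_list = [t for t in re.split(r"[\s()]+", condition) if t and t not in ("not", "and", "or", "of", "all", "them") and not t.isdigit()]`, assuming `re` is already imported since `wildcard_selections` looks like a compiled pattern. The enclosing test method starts before this hunk, so the loop variables `selection` and `condition` are only inferred from the context lines.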
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
index 0351da356..4da7fb242 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
@@ -6,6 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
 author: Nasreddine Bencherchali
 date: 2022/12/05
+modified: 2022/12/07
 tags:
 - attack.execution
 - attack.privilege_escalation
@@ -16,7 +17,7 @@ logsource:
 service: security
 definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
 detection:
- selection:
+ selection_eid:
 EventID: 4698
 selection_paths:
 TaskContent|contains:
From 18c3c8528d3d2df49701c862d20423220581a29a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 8 Dec 2022 12:13:14 +0100
Subject: [PATCH 30/81] fix: remove tamper protection value
---
 .../windefend/win_defender_suspicious_features_tampering.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
index 65117fb6b..1aa0edf42 100644
--- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
@@ -24,7 +24,7 @@ detection:
 NewValue|contains: # TODO: Add more suspicious values
 - '\Windows Defender\DisableAntiSpyware '
- - '\Windows Defender\Features\TamperProtection '
+ #- '\Windows Defender\Features\TamperProtection ' # Might produce FP
 - '\Windows Defender\Scan\DisableRemovableDriveScanning '
 - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
 - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
From c560baf67337410da12f863dd434c39138acd11b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 8 Dec 2022 16:23:48 +0100
Subject: [PATCH 31/81] feat: enhance test
---
 tests/test_rules.py | 55 +++++++++++++++++++++++++++++++++------------
 1 file changed, 41 insertions(+), 14 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 22d3bd755..64c355adc 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
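Review bot: Commenting the value out with `#-` leaves dead configuration in the rule and drops coverage of `TamperProtection` changes without recording why; `# Might produce FP` is not enough for the next maintainer to judge whether to re-enable it. Remove the line and record the exclusion where it will be read, e.g. above the list `# TamperProtection is deliberately not listed: its change events produced false positives (document the observed source when known)` together with a matching falsepositives entry; yamllint's comments rule also expects `# ` rather than `#-`. The rule's `modified` date presumably needs a bump as well, but it lies outside the hunk.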
@@ -838,32 +838,59 @@ class TestRules(unittest.TestCase):
 "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source")
 def test_selection_list_one_value(self):
+
+ def treat_list(file, values, valid_, selection_name):
+ # rule with only list of Keywords term
+ if len(values) == 1 and not isinstance(values[0], str):
+ print(
+ Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)
+ )
+ valid_ = False
+ elif isinstance(values[0], dict):
+ valid_ = treat_dict(file, values, valid_, selection_name)
+ return valid_
+
+ def treat_dict(file, values, valid_, selection_name):
+ if isinstance(values, list):
+ for dict_ in values:
+ for key_ in dict_.keys():
+ if isinstance(dict_[key_], list):
+ if len(dict_[key_]) == 1:
+ print(
+ Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_)
+ )
+ valid_ = False
+ else:
+ dict_ = values
+ for key_ in dict_.keys():
+ if isinstance(dict_[key_], list):
+ if len(dict_[key_]) == 1:
+ print(
+ Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_)
+ )
+ valid_ = False
+ return valid_
+
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 detection = self.get_rule_part(
 file_path=file, part_name="detection")
 if detection:
+ valid = True
 for key in detection:
+ values = detection[key]
 if isinstance(detection[key], list):
- # rule with only list of Keywords term
- if len(detection[key]) == 1 and not isinstance(detection[key][0], str):
- print(
- Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key))
- valid = False
+ valid = treat_list(file, values, valid, key)
+
 if isinstance(detection[key], dict):
- for sub_key in detection[key]:
- # split in 2 if as get a error "int has not len()"
- if isinstance(detection[key][sub_key], list):
- if len(detection[key][sub_key]) == 1:
- print(
- Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key))
- valid = False
+ valid = treat_dict(file, values, valid, key)
+
 if not valid:
 faulty_rules.append(file)
-
+
 self.assertEqual(faulty_rules, [], Fore.RED +
- "There are rules using list with only 1 element")
+ "There are rules using list with only 1 element")
 def test_unused_selection(self):
 faulty_rules = []
From 80ef3b70dc5eee9b1c0a3ccf20429a0c0ceaf82b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 8 Dec 2022 16:23:58 +0100
Subject: [PATCH 32/81] fix: broken single item lists
---
 rules/application/antivirus/av_hacktool.yml | 3 +--
 .../builtin/system/win_system_service_install_hacktools.yml | 3 +--
 .../file_event_win_hivenightmare_file_exports.yml | 3 +--
 .../image_load/image_load_abusing_azure_browser_sso.yml | 3 +--
 .../image_load/image_load_susp_python_image_load.yml | 3 +--
 .../net_connection_win_rdp_reverse_tunnel.yml | 6 ++----
 .../net_connection_win_rundll32_net_connections.yml | 3 +--
 ...connection_win_susp_prog_location_network_connection.yml | 6 ++----
 .../posh_ps_set_policies_to_unsecure_level.yml | 3 +--
 .../proc_creation_win_apt_hurricane_panda.yml | 3 +--
 .../process_creation/proc_creation_win_mmc_spawn_shell.yml | 3 +--
 .../proc_creation_win_mshta_spawn_shell.yml | 3 +--
 .../registry_event/registry_event_mal_flowcloud.yml | 3 +--
 .../registry_set_susp_reg_persist_explorer_run.yml | 3 +--
 14 files changed, 16 insertions(+), 32 deletions(-)
diff --git a/rules/application/antivirus/av_hacktool.yml b/rules/application/antivirus/av_hacktool.yml
index 8c29fdb92..a00032666 100644
--- a/rules/application/antivirus/av_hacktool.yml
+++ b/rules/application/antivirus/av_hacktool.yml
@@ -19,8 +19,7 @@ detection:
 - 'HKTL'
 - 'SecurityTool'
 - 'ATK/' # Sophos
- - Signature|contains:
- - 'Hacktool'
+ - Signature|contains: 'Hacktool'
 condition: selection
 fields:
 - FileName
diff --git a/rules/windows/builtin/system/win_system_service_install_hacktools.yml b/rules/windows/builtin/system/win_system_service_install_hacktools.yml
index 69d804443..7441654f1 100644
--- a/rules/windows/builtin/system/win_system_service_install_hacktools.yml
+++ b/rules/windows/builtin/system/win_system_service_install_hacktools.yml
@@ -28,8 +28,7 @@ detection:
 - 'pwdump'
 - 'gsecdump'
 - 'cachedump'
- - ImagePath|contains:
- - 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
+ - ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
 condition: service and selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
index 889b3c559..e5532258a 100644
--- a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
+++ b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
@@ -26,8 +26,7 @@ detection:
 - '\SAM-2023-' # C++ version
 - '\SAM-haxx' # Early C++ versions
 - '\Sam.save' # PowerShell version
- - TargetFilename:
- - 'C:\windows\temp\sam' # C# version of HiveNightmare
+ - TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare
 condition: selection
 fields:
 - CommandLine
diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
index d7c7b4b0c..5f9316e43 100644
--- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
+++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
@@ -30,8 +30,7 @@ detection:
 - '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
 - '\msedgewebview2.exe'
 - '\OneDrive.exe'
- - Image|startswith:
- - 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
+ - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 - Image: null
 condition: selection_dll and not filter_legit
 falsepositives:
diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index d707c3081..4a169cff3 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -18,8 +18,7 @@ detection:
 selection:
 Description: 'Python Core'
 filter_generic:
- - Image|contains:
- - 'Python' # FPs with python38.dll, python.exe etc.
+ - Image|contains: 'Python' # FPs with python38.dll, python.exe etc.
 - Image|startswith:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
index a031d7218..d2e43c75c 100755
--- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
@@ -22,10 +22,8 @@ detection:
 Initiated: 'true'
 SourcePort: 3389
 selection2:
- - DestinationIp|startswith:
- - '127.'
- - DestinationIp:
- - '::1'
+ - DestinationIp|startswith: '127.'
+ - DestinationIp: '::1'
 condition: selection and selection2
 falsepositives:
 - Unknown
diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
index 72440a3e0..bfeb4b580 100755
--- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -43,8 +43,7 @@ detection:
 - '51.103.' # Microsoft range, caused some FPs
 - '51.104.' # Microsoft range, caused some FPs
 - '51.105.' # Microsoft range, caused some FPs
- - CommandLine|contains:
- - 'PcaSvc.dll,PcaPatchSdbTask'
+ - CommandLine|contains: 'PcaSvc.dll,PcaPatchSdbTask'
 filter_update_processes:
 ParentImage: 'C:\Windows\System32\svchost.exe'
 RemoteAddress|endswith: ':443'
diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
index 0c1c0c605..06c238c9f 100755
--- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
@@ -27,10 +27,8 @@ detection:
 - '\Windows\Fonts\'
 - '\Windows\IME\'
 - '\Windows\addins\'
- - Image|endswith:
- - '\$Recycle.bin'
- - Image|startswith:
- - 'C:\Perflogs\'
+ - Image|endswith: '\$Recycle.bin'
+ - Image|startswith: 'C:\Perflogs\'
 false_positive1:
 Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location
 condition: selection and not 1 of false_positive*
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index 862c5127a..3bbce1ac4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -25,8 +25,7 @@ detection: - 'bypass' - 'RemoteSigned' filter: - - ParentImage: - - 'C:\ProgramData\chocolatey\choco.exe' + - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' - ScriptBlockText|contains: - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')" - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')" diff --git a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml index b7c40f826..bb2986d64 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml @@ -20,8 +20,7 @@ detection: - 'localgroup' - 'admin' - '/add' - - CommandLine|contains: - - '\Win64.exe' + - CommandLine|contains: '\Win64.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml b/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml index 3e83ac024..7fb2f061e 100644 --- a/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml @@ -27,8 +27,7 @@ detection: - '\bash.exe' - '\reg.exe' - '\regsvr32.exe' - - Image|contains: - - '\BITSADMIN' + - Image|contains: '\BITSADMIN' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml b/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml index ff534cdd5..ba499f84d 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml 
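Review bot: In posh_ps_set_policies_to_unsecure_level.yml the `filter` is an OR-list whose `ScriptBlockText|contains` branch suppresses the alert for any script block that merely contains the chocolatey `DownloadString('https://...install.ps1')` text, so an attacker can append that line as a `#` comment next to their own `Set-ExecutionPolicy Bypass` and the rule goes quiet. A filter keyed on attacker-controlled script text should be as narrow as the real installer allows — for example requiring the full `iex ((New-Object System.Net.WebClient).DownloadString(...))` form rather than the inner call, and documenting the residual bypass in `falsepositives`. Separately, `ParentImage` is presumably not present on PowerShell 4104 script-block events unless the backend enriches them, in which case the `choco.exe` branch never matches; a comment saying which pipelines populate it (or dropping the branch) would make the filter honest. The `selection` header and the rule's `condition` are outside the hunk.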
@@ -30,8 +30,7 @@ detection: - '\bash.exe' - '\reg.exe' - '\regsvr32.exe' - - Image|contains: - - '\BITSADMIN' + - Image|contains: '\BITSADMIN' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml index d9f20e6c5..dc8b279ac 100644 --- a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml +++ b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml @@ -19,8 +19,7 @@ detection: - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' - - TargetObject|startswith: - - 'HKLM\SYSTEM\Setup\PrintResponsor\' + - TargetObject|startswith: 'HKLM\SYSTEM\Setup\PrintResponsor\' condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml index a288c972d..1c86770c1 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml @@ -25,8 +25,7 @@ detection: - 'C:\Temp\' - 'C:\Users\Public\' - 'C:\Users\Default\' - - Details|contains: - - '\AppData\' + - Details|contains: '\AppData\' condition: selection and selection2 fields: - Image From c18f634c021c0ba75c28323fa3640e7ea6071c03 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Thu, 8 Dec 2022 21:08:01 +0500 Subject: [PATCH 33/81] Added more FPs --- .../proc_creation_win_msiexec_execute_dll.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 3a6122f98..67f0c66df 100644 
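Review bot: In proc_creation_win_mshta_spawn_shell.yml the child list mixes `Image|endswith` file names with `- Image|contains: '\BITSADMIN'`, which also matches a directory segment such as `\bitsadmin_tools\foo.exe` and reads as a different intent from its siblings. If the target is the binary, `- '\bitsadmin.exe'` belongs in the `endswith` list directly above it; if the broader substring match is deliberate (to keep catching `\bitsadmin2.exe`-style copies), a short inline comment `# contains: also catches copies that keep the name` makes that explicit. The same construct appears in the mmc_spawn_shell hunk of this commit and should be handled the same way. The start of the child `selection` list and the parent selection are outside the hunk.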
--- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml @@ -10,7 +10,7 @@ references: - https://twitter.com/_st0pp3r_/status/1583914515996897281 author: frack113 date: 2022/01/16 -modified: 2022/10/23 +modified: 2022/12/08 tags: - attack.defense_evasion - attack.t1218.007 @@ -30,7 +30,13 @@ detection: - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' - '\MsiExec.exe" /Y "C:\Windows\CCM\' - - '\MsiExec.exe" /Y C:\Windows\CCM\' #also need non-quoted execution + - '\MsiExec.exe" /Y C:\Windows\CCM\', #also need non-quoted execution + - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' + - '\MsiExec.exe" -Y "C:\Windows\CCM\' + - '\MsiExec.exe" -Y C:\Windows\CCM\' #also need non-quoted execution condition: selection and not 1 of filter_* falsepositives: - Legitimate script From ece1d01038e260e0d4867c17ec28890bef3dd490 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 8 Dec 2022 17:34:56 +0100 Subject: [PATCH 34/81] fix: syntax error, additional comma --- .../process_creation/proc_creation_win_msiexec_execute_dll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 67f0c66df..cf29b211d 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml 
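Review bot: The six new `-Y` entries duplicate the `/Y` list line for line, so every future FP path has to be added twice and the two lists will drift; assuming the filter is a `CommandLine|contains` as the quoting suggests, one entry per DLL path starting at the quote — e.g. `- '"C:\Program Files\Bonjour\mdnsNSP.dll'` — already covers both switch spellings, and the unquoted `C:\Windows\CCM\` case needs only `- ' C:\Windows\CCM\'` and `- '"C:\Windows\CCM\'`. Note also that the edited line `'\MsiExec.exe" /Y C:\Windows\CCM\',` now carries a comma after the closing quote, which is not valid in a YAML block sequence. The filter map's header, the `selection`, and the rest of the rule are outside the hunk.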
@@ -30,7 +30,7 @@ detection: - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' - '\MsiExec.exe" /Y "C:\Windows\CCM\' - - '\MsiExec.exe" /Y C:\Windows\CCM\', #also need non-quoted execution + - '\MsiExec.exe" /Y C:\Windows\CCM\' # also need non-quoted execution - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll' - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll' - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' From 47b5272fcdb5bd068934bee367b630d7fb932df3 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Fri, 9 Dec 2022 06:21:02 +1100 Subject: [PATCH 35/81] Create azure_ad_azurehound_discovery.yml (#3762) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../azure/azure_ad_azurehound_discovery.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_ad_azurehound_discovery.yml diff --git a/rules/cloud/azure/azure_ad_azurehound_discovery.yml b/rules/cloud/azure/azure_ad_azurehound_discovery.yml new file mode 100644 index 000000000..41bada855 --- /dev/null +++ b/rules/cloud/azure/azure_ad_azurehound_discovery.yml 
@@ -0,0 +1,23 @@ +title: Discovery Using AzureHound +id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b +status: experimental +description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication. +references: + - https://github.com/BloodHoundAD/AzureHound +author: Janantha Marasinghe +date: 2022/11/27 +tags: + - attack.discovery + - attack.t1087.004 + - attack.t1526 +logsource: + product: azure + service: signinlogs +detection: + selection: + userAgent|contains: 'azurehound' + ResultType: 0 + condition: selection +falsepositives: + - Unknown +level: high From ab18539fcecec8bb5110ace04a91712ed02431d1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Dec 2022 05:18:26 +0000 Subject: [PATCH 36/81] chore(deps): bump certifi from 2021.5.30 to 2022.12.7 Bumps [certifi](https://github.com/certifi/python-certifi) from 2021.5.30 to 2022.12.7. - [Release notes](https://github.com/certifi/python-certifi/releases) - [Commits](https://github.com/certifi/python-certifi/compare/2021.05.30...2022.12.07) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect ... Signed-off-by: dependabot[bot] --- Pipfile.lock | 898 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 608 insertions(+), 290 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index 2416e3258..f56216248 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68" + "sha256": "7353b17b3a357cace77fb11fbbc501c2b619c7644c676d360f67f70a7feeb9c8" }, "pipfile-spec": 6, "requires": { 
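Review bot: The detection rests entirely on the client-supplied `userAgent`, which in the open-source AzureHound client is a plain string constant and can be changed with a one-line edit or rewritten by a proxy, so the rule catches default-configured runs only; the `description` should say so, e.g. `Note: the User-Agent is attacker-controlled - a match is high confidence, but its absence is not evidence of absence.` Restricting to `ResultType: 0` also drops failed sign-ins carrying the same UA, which are an early signal of the tool being pointed at the tenant with bad credentials; a second selection (or sibling rule) at a lower level for non-zero results is worth considering. Some Azure export paths emit `ResultType` as the string `"0"`, so either quoting it or documenting the expected type avoids silent misses in those backends. `falsepositives: Unknown` could name the obvious one — authorised BloodHound/AzureHound assessments — since that is exactly what a blue team will have to triage.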
@@ -18,42 +18,43 @@ "default": { "attrs": { "hashes": [ - "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", - "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6", + "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.2.0" + "markers": "python_version >= '3.5'", + "version": "==22.1.0" }, "certifi": { "hashes": [ - "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", - "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", + "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" ], - "version": "==2021.5.30" + "index": "pypi", + "version": "==2022.12.7" }, "charset-normalizer": { "hashes": [ - "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", - "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597", + "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df" ], "markers": "python_version >= '3'", - "version": "==2.0.4" + "version": "==2.0.12" }, "deprecated": { "hashes": [ - "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771", - "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1" + "sha256:43ac5335da90c31c24ba028af536a91d41d53f9e6901ddb021bcc572ce44e38d", + "sha256:64756e3e14c8c5eea9795d93c524551432a0be75629f8f29e67ab8caf076c76d" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.2.12" + "version": "==1.2.13" }, "idna": { "hashes": [ - "sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", - 
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" + "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", + "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" ], "markers": "python_version >= '3'", - "version": "==3.2" + "version": "==3.4" }, "jsonschema": { "hashes": [ 
@@ -80,30 +81,31 @@ }, "pyrsistent": { "hashes": [ - "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2", - "sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7", - "sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea", - "sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426", - "sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710", - "sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1", - "sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396", - "sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2", - "sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680", - "sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35", - "sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427", - "sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b", - "sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b", - "sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f", - "sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef", - "sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c", - "sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4", - "sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d", - "sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78", - "sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b", - "sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72" + "sha256:055ab45d5911d7cae397dc418808d8802fb95262751872c841c170b0dbf51eed", + "sha256:111156137b2e71f3a9936baf27cb322e8024dac3dc54ec7fb9f0bcf3249e68bb", + "sha256:187d5730b0507d9285a96fca9716310d572e5464cadd19f22b63a6976254d77a", + "sha256:21455e2b16000440e896ab99e8304617151981ed40c29e9507ef1c2e4314ee95", + 
"sha256:2aede922a488861de0ad00c7630a6e2d57e8023e4be72d9d7147a9fcd2d30712", + "sha256:3ba4134a3ff0fc7ad225b6b457d1309f4698108fb6b35532d015dca8f5abed73", + "sha256:456cb30ca8bff00596519f2c53e42c245c09e1a4543945703acd4312949bfd41", + "sha256:71d332b0320642b3261e9fee47ab9e65872c2bd90260e5d225dabeed93cbd42b", + "sha256:879b4c2f4d41585c42df4d7654ddffff1239dc4065bc88b745f0341828b83e78", + "sha256:9cd3e9978d12b5d99cbdc727a3022da0430ad007dacf33d0bf554b96427f33ab", + "sha256:a178209e2df710e3f142cbd05313ba0c5ebed0a55d78d9945ac7a4e09d923308", + "sha256:b39725209e06759217d1ac5fcdb510e98670af9e37223985f330b611f62e7425", + "sha256:bfa0351be89c9fcbcb8c9879b826f4353be10f58f8a677efab0c017bf7137ec2", + "sha256:bfd880614c6237243ff53a0539f1cb26987a6dc8ac6e66e0c5a40617296a045e", + "sha256:c43bec251bbd10e3cb58ced80609c5c1eb238da9ca78b964aea410fb820d00d6", + "sha256:d690b18ac4b3e3cab73b0b7aa7dbe65978a172ff94970ff98d82f2031f8971c2", + "sha256:d6982b5a0237e1b7d876b60265564648a69b14017f3b5f908c5be2de3f9abb7a", + "sha256:dec3eac7549869365fe263831f576c8457f6c833937c68542d08fde73457d291", + "sha256:e371b844cec09d8dc424d940e54bba8f67a03ebea20ff7b7b0d56f526c71d584", + "sha256:e5d8f84d81e3729c3b506657dddfe46e8ba9c330bf1858ee33108f8bb2adb38a", + "sha256:ea6b79a02a28550c98b6ca9c35b9f492beaa54d7c5c9e9949555893c8a9234d0", + "sha256:f1258f4e6c42ad0b20f9cfcc3ada5bd6b83374516cd01c0960e3cb75fdca6770" ], - "markers": "python_version >= '3.6'", - "version": "==0.18.0" + "markers": "python_version >= '3.7'", + "version": "==0.19.2" }, "python-dateutil": { "hashes": [ 
@@ -115,10 +117,11 @@ }, "python-utils": { "hashes": [ - "sha256:18fbc1a1df9a9061e3059a48ebe5c8a66b654d688b0e3ecca8b339a7f168f208", - "sha256:352d5b1febeebf9b3cdb9f3c87a3b26ef22d3c9e274a8ec1e7048ecd2fac4349" + "sha256:22990259324eae88faa3389d302861a825dbdd217ab40e3ec701851b3337d592", + "sha256:7e329c427a6d23036cfcc4501638afb31b2ddc8896f25393562833874b8c6e0a" ], - "version": "==2.5.6" + "markers": "python_version >= '3.7'", + "version": "==3.4.5" }, "pyyaml": { "hashes": [ 
@@ -165,38 +168,59 @@ }, "ruamel.yaml": { "hashes": [ - "sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67", - "sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815" + "sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7", + "sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af" ], "index": "pypi", - "version": "==0.17.10" + "version": "==0.17.21" }, "ruamel.yaml.clib": { "hashes": [ - "sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd", - "sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0", - "sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277", - "sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104", - "sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd", - "sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78", - "sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99", - "sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527", - "sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84", - "sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7", - "sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468", - "sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b", - "sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94", - "sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233", - "sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb", - "sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5", - "sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe", - "sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751", - "sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502", - 
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed", - "sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c" + "sha256:045e0626baf1c52e5527bd5db361bc83180faaba2ff586e763d3d5982a876a9e", + "sha256:15910ef4f3e537eea7fe45f8a5d19997479940d9196f357152a09031c5be59f3", + "sha256:184faeaec61dbaa3cace407cffc5819f7b977e75360e8d5ca19461cd851a5fc5", + "sha256:1f08fd5a2bea9c4180db71678e850b995d2a5f4537be0e94557668cf0f5f9497", + "sha256:2aa261c29a5545adfef9296b7e33941f46aa5bbd21164228e833412af4c9c75f", + "sha256:3110a99e0f94a4a3470ff67fc20d3f96c25b13d24c6980ff841e82bafe827cac", + "sha256:3243f48ecd450eddadc2d11b5feb08aca941b5cd98c9b1db14b2fd128be8c697", + "sha256:370445fd795706fd291ab00c9df38a0caed0f17a6fb46b0f607668ecb16ce763", + "sha256:40d030e2329ce5286d6b231b8726959ebbe0404c92f0a578c0e2482182e38282", + "sha256:41d0f1fa4c6830176eef5b276af04c89320ea616655d01327d5ce65e50575c94", + "sha256:4a4d8d417868d68b979076a9be6a38c676eca060785abaa6709c7b31593c35d1", + "sha256:4b3a93bb9bc662fc1f99c5c3ea8e623d8b23ad22f861eb6fce9377ac07ad6072", + "sha256:5bc0667c1eb8f83a3752b71b9c4ba55ef7c7058ae57022dd9b29065186a113d9", + "sha256:721bc4ba4525f53f6a611ec0967bdcee61b31df5a56801281027a3a6d1c2daf5", + "sha256:763d65baa3b952479c4e972669f679fe490eee058d5aa85da483ebae2009d231", + "sha256:7bdb4c06b063f6fd55e472e201317a3bb6cdeeee5d5a38512ea5c01e1acbdd93", + "sha256:8831a2cedcd0f0927f788c5bdf6567d9dc9cc235646a434986a852af1cb54b4b", + "sha256:91a789b4aa0097b78c93e3dc4b40040ba55bef518f84a40d4442f713b4094acb", + "sha256:92460ce908546ab69770b2e576e4f99fbb4ce6ab4b245345a3869a0a0410488f", + "sha256:99e77daab5d13a48a4054803d052ff40780278240a902b880dd37a51ba01a307", + "sha256:a234a20ae07e8469da311e182e70ef6b199d0fbeb6c6cc2901204dd87fb867e8", + "sha256:a7b301ff08055d73223058b5c46c55638917f04d21577c95e00e0c4d79201a6b", + "sha256:be2a7ad8fd8f7442b24323d24ba0b56c51219513cfa45b9ada3b87b76c374d4b", + "sha256:bf9a6bc4a0221538b1a7de3ed7bca4c93c02346853f44e1cd764be0023cd3640", 
+ "sha256:c3ca1fbba4ae962521e5eb66d72998b51f0f4d0f608d3c0347a48e1af262efa7", + "sha256:d000f258cf42fec2b1bbf2863c61d7b8918d31ffee905da62dede869254d3b8a", + "sha256:d5859983f26d8cd7bb5c287ef452e8aacc86501487634573d260968f753e1d71", + "sha256:d5e51e2901ec2366b79f16c2299a03e74ba4531ddcfacc1416639c557aef0ad8", + "sha256:debc87a9516b237d0466a711b18b6ebeb17ba9f391eb7f91c649c5c4ec5006c7", + "sha256:df5828871e6648db72d1c19b4bd24819b80a755c4541d3409f0f7acd0f335c80", + "sha256:ecdf1a604009bd35c674b9225a8fa609e0282d9b896c03dd441a91e5f53b534e", + "sha256:efa08d63ef03d079dcae1dfe334f6c8847ba8b645d08df286358b1f5293d24ab", + "sha256:f01da5790e95815eb5a8a138508c01c758e5f5bc0ce4286c4f7028b8dd7ac3d0", + "sha256:f34019dced51047d6f70cb9383b2ae2853b7fc4dce65129a5acd49f4f9256646" ], - "markers": "python_version < '3.10' and platform_python_implementation == 'CPython'", - "version": "==0.2.6" + "markers": "python_version < '3.11' and platform_python_implementation == 'CPython'", + "version": "==0.2.7" + }, + "setuptools": { + "hashes": [ + "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", + "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" + ], + "markers": "python_version >= '3.7'", + "version": "==65.6.3" }, "six": { "hashes": [ @@ -206,6 +230,14 @@ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.16.0" }, + "termcolor": { + "hashes": [ + "sha256:67cee2009adc6449c650f6bcf3bdeed00c8ba53a8cda5362733c53e0a39fb70b", + "sha256:fa852e957f97252205e105dd55bbc23b419a70fec0085708fc0515e399f304fd" + ], + "index": "pypi", + "version": "==2.1.1" + }, "urllib3": { "hashes": [ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", 
@@ -216,69 +248,191 @@ }, "wrapt": { "hashes": [ - "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7" + "sha256:00b6d4ea20a906c0ca56d84f93065b398ab74b927a7a3dbd470f6fc503f95dc3", + "sha256:01c205616a89d09827986bc4e859bcabd64f5a0662a7fe95e0d359424e0e071b", + "sha256:02b41b633c6261feff8ddd8d11c711df6842aba629fdd3da10249a53211a72c4", + "sha256:07f7a7d0f388028b2df1d916e94bbb40624c59b48ecc6cbc232546706fac74c2", + "sha256:11871514607b15cfeb87c547a49bca19fde402f32e2b1c24a632506c0a756656", + "sha256:1b376b3f4896e7930f1f772ac4b064ac12598d1c38d04907e696cc4d794b43d3", + "sha256:21ac0156c4b089b330b7666db40feee30a5d52634cc4560e1905d6529a3897ff", + "sha256:257fd78c513e0fb5cdbe058c27a0624c9884e735bbd131935fd49e9fe719d310", + "sha256:2b39d38039a1fdad98c87279b48bc5dce2c0ca0d73483b12cb72aa9609278e8a", + "sha256:2cf71233a0ed05ccdabe209c606fe0bac7379fdcf687f39b944420d2a09fdb57", + "sha256:2fe803deacd09a233e4762a1adcea5db5d31e6be577a43352936179d14d90069", + "sha256:3232822c7d98d23895ccc443bbdf57c7412c5a65996c30442ebe6ed3df335383", + "sha256:34aa51c45f28ba7f12accd624225e2b1e5a3a45206aa191f6f9aac931d9d56fe", + "sha256:36f582d0c6bc99d5f39cd3ac2a9062e57f3cf606ade29a0a0d6b323462f4dd87", + "sha256:380a85cf89e0e69b7cfbe2ea9f765f004ff419f34194018a6827ac0e3edfed4d", + "sha256:40e7bc81c9e2b2734ea4bc1aceb8a8f0ceaac7c5299bc5d69e37c44d9081d43b", + "sha256:43ca3bbbe97af00f49efb06e352eae40434ca9d915906f77def219b88e85d907", + "sha256:4fcc4649dc762cddacd193e6b55bc02edca674067f5f98166d7713b193932b7f", + "sha256:5a0f54ce2c092aaf439813735584b9537cad479575a09892b8352fea5e988dc0", + "sha256:5a9a0d155deafd9448baff28c08e150d9b24ff010e899311ddd63c45c2445e28", + "sha256:5b02d65b9ccf0ef6c34cba6cf5bf2aab1bb2f49c6090bafeecc9cd81ad4ea1c1", + "sha256:60db23fa423575eeb65ea430cee741acb7c26a1365d103f7b0f6ec412b893853", + "sha256:642c2e7a804fcf18c222e1060df25fc210b9c58db7c91416fb055897fc27e8cc", + "sha256:6a9a25751acb379b466ff6be78a315e2b439d4c94c1e99cb7266d40a537995d3", + 
"sha256:6b1a564e6cb69922c7fe3a678b9f9a3c54e72b469875aa8018f18b4d1dd1adf3", + "sha256:6d323e1554b3d22cfc03cd3243b5bb815a51f5249fdcbb86fda4bf62bab9e164", + "sha256:6e743de5e9c3d1b7185870f480587b75b1cb604832e380d64f9504a0535912d1", + "sha256:709fe01086a55cf79d20f741f39325018f4df051ef39fe921b1ebe780a66184c", + "sha256:7b7c050ae976e286906dd3f26009e117eb000fb2cf3533398c5ad9ccc86867b1", + "sha256:7d2872609603cb35ca513d7404a94d6d608fc13211563571117046c9d2bcc3d7", + "sha256:7ef58fb89674095bfc57c4069e95d7a31cfdc0939e2a579882ac7d55aadfd2a1", + "sha256:80bb5c256f1415f747011dc3604b59bc1f91c6e7150bd7db03b19170ee06b320", + "sha256:81b19725065dcb43df02b37e03278c011a09e49757287dca60c5aecdd5a0b8ed", + "sha256:833b58d5d0b7e5b9832869f039203389ac7cbf01765639c7309fd50ef619e0b1", + "sha256:88bd7b6bd70a5b6803c1abf6bca012f7ed963e58c68d76ee20b9d751c74a3248", + "sha256:8ad85f7f4e20964db4daadcab70b47ab05c7c1cf2a7c1e51087bfaa83831854c", + "sha256:8c0ce1e99116d5ab21355d8ebe53d9460366704ea38ae4d9f6933188f327b456", + "sha256:8d649d616e5c6a678b26d15ece345354f7c2286acd6db868e65fcc5ff7c24a77", + "sha256:903500616422a40a98a5a3c4ff4ed9d0066f3b4c951fa286018ecdf0750194ef", + "sha256:9736af4641846491aedb3c3f56b9bc5568d92b0692303b5a305301a95dfd38b1", + "sha256:988635d122aaf2bdcef9e795435662bcd65b02f4f4c1ae37fbee7401c440b3a7", + "sha256:9cca3c2cdadb362116235fdbd411735de4328c61425b0aa9f872fd76d02c4e86", + "sha256:9e0fd32e0148dd5dea6af5fee42beb949098564cc23211a88d799e434255a1f4", + "sha256:9f3e6f9e05148ff90002b884fbc2a86bd303ae847e472f44ecc06c2cd2fcdb2d", + "sha256:a85d2b46be66a71bedde836d9e41859879cc54a2a04fad1191eb50c2066f6e9d", + "sha256:a9a52172be0b5aae932bef82a79ec0a0ce87288c7d132946d645eba03f0ad8a8", + "sha256:aa31fdcc33fef9eb2552cbcbfee7773d5a6792c137b359e82879c101e98584c5", + "sha256:b014c23646a467558be7da3d6b9fa409b2c567d2110599b7cf9a0c5992b3b471", + "sha256:b21bb4c09ffabfa0e85e3a6b623e19b80e7acd709b9f91452b8297ace2a8ab00", + "sha256:b5901a312f4d14c59918c221323068fad0540e34324925c8475263841dbdfe68", 
+ "sha256:b9b7a708dd92306328117d8c4b62e2194d00c365f18eff11a9b53c6f923b01e3", + "sha256:d1967f46ea8f2db647c786e78d8cc7e4313dbd1b0aca360592d8027b8508e24d", + "sha256:d52a25136894c63de15a35bc0bdc5adb4b0e173b9c0d07a2be9d3ca64a332735", + "sha256:d77c85fedff92cf788face9bfa3ebaa364448ebb1d765302e9af11bf449ca36d", + "sha256:d79d7d5dc8a32b7093e81e97dad755127ff77bcc899e845f41bf71747af0c569", + "sha256:dbcda74c67263139358f4d188ae5faae95c30929281bc6866d00573783c422b7", + "sha256:ddaea91abf8b0d13443f6dac52e89051a5063c7d014710dcb4d4abb2ff811a59", + "sha256:dee0ce50c6a2dd9056c20db781e9c1cfd33e77d2d569f5d1d9321c641bb903d5", + "sha256:dee60e1de1898bde3b238f18340eec6148986da0455d8ba7848d50470a7a32fb", + "sha256:e2f83e18fe2f4c9e7db597e988f72712c0c3676d337d8b101f6758107c42425b", + "sha256:e3fb1677c720409d5f671e39bac6c9e0e422584e5f518bfd50aa4cbbea02433f", + "sha256:ee2b1b1769f6707a8a445162ea16dddf74285c3964f605877a20e38545c3c462", + "sha256:ee6acae74a2b91865910eef5e7de37dc6895ad96fa23603d1d27ea69df545015", + "sha256:ef3f72c9666bba2bab70d2a8b79f2c6d2c1a42a7f7e2b0ec83bb2f9e383950af" ], - "version": "==1.12.1" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.14.1" } }, "develop": { "aiohttp": { "hashes": [ - "sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe", - "sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe", - "sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5", - "sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8", - "sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd", - "sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb", - "sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c", - "sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87", - "sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0", - 
"sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290", - "sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5", - "sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287", - "sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde", - "sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf", - "sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8", - "sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16", - "sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf", - "sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809", - "sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213", - "sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f", - "sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013", - "sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b", - "sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9", - "sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5", - "sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb", - "sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df", - "sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4", - "sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439", - "sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f", - "sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22", - "sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f", - "sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5", - "sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970", - "sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009", - "sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc", 
- "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a", - "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95" + "sha256:02f9a2c72fc95d59b881cf38a4b2be9381b9527f9d328771e90f72ac76f31ad8", + "sha256:059a91e88f2c00fe40aed9031b3606c3f311414f86a90d696dd982e7aec48142", + "sha256:05a3c31c6d7cd08c149e50dc7aa2568317f5844acd745621983380597f027a18", + "sha256:08c78317e950e0762c2983f4dd58dc5e6c9ff75c8a0efeae299d363d439c8e34", + "sha256:09e28f572b21642128ef31f4e8372adb6888846f32fecb288c8b0457597ba61a", + "sha256:0d2c6d8c6872df4a6ec37d2ede71eff62395b9e337b4e18efd2177de883a5033", + "sha256:16c121ba0b1ec2b44b73e3a8a171c4f999b33929cd2397124a8c7fcfc8cd9e06", + "sha256:1d90043c1882067f1bd26196d5d2db9aa6d268def3293ed5fb317e13c9413ea4", + "sha256:1e56b9cafcd6531bab5d9b2e890bb4937f4165109fe98e2b98ef0dcfcb06ee9d", + "sha256:20acae4f268317bb975671e375493dbdbc67cddb5f6c71eebdb85b34444ac46b", + "sha256:21b30885a63c3f4ff5b77a5d6caf008b037cb521a5f33eab445dc566f6d092cc", + "sha256:21d69797eb951f155026651f7e9362877334508d39c2fc37bd04ff55b2007091", + "sha256:256deb4b29fe5e47893fa32e1de2d73c3afe7407738bd3c63829874661d4822d", + "sha256:25892c92bee6d9449ffac82c2fe257f3a6f297792cdb18ad784737d61e7a9a85", + "sha256:2ca9af5f8f5812d475c5259393f52d712f6d5f0d7fdad9acdb1107dd9e3cb7eb", + "sha256:2d252771fc85e0cf8da0b823157962d70639e63cb9b578b1dec9868dd1f4f937", + "sha256:2dea10edfa1a54098703cb7acaa665c07b4e7568472a47f4e64e6319d3821ccf", + "sha256:2df5f139233060578d8c2c975128fb231a89ca0a462b35d4b5fcf7c501ebdbe1", + "sha256:2feebbb6074cdbd1ac276dbd737b40e890a1361b3cc30b74ac2f5e24aab41f7b", + "sha256:309aa21c1d54b8ef0723181d430347d7452daaff93e8e2363db8e75c72c2fb2d", + "sha256:3828fb41b7203176b82fe5d699e0d845435f2374750a44b480ea6b930f6be269", + "sha256:398701865e7a9565d49189f6c90868efaca21be65c725fc87fc305906be915da", + "sha256:43046a319664a04b146f81b40e1545d4c8ac7b7dd04c47e40bf09f65f2437346", + 
"sha256:437399385f2abcd634865705bdc180c8314124b98299d54fe1d4c8990f2f9494", + "sha256:45d88b016c849d74ebc6f2b6e8bc17cabf26e7e40c0661ddd8fae4c00f015697", + "sha256:47841407cc89a4b80b0c52276f3cc8138bbbfba4b179ee3acbd7d77ae33f7ac4", + "sha256:4a4fbc769ea9b6bd97f4ad0b430a6807f92f0e5eb020f1e42ece59f3ecfc4585", + "sha256:4ab94426ddb1ecc6a0b601d832d5d9d421820989b8caa929114811369673235c", + "sha256:4b0f30372cef3fdc262f33d06e7b411cd59058ce9174ef159ad938c4a34a89da", + "sha256:4e3a23ec214e95c9fe85a58470b660efe6534b83e6cbe38b3ed52b053d7cb6ad", + "sha256:512bd5ab136b8dc0ffe3fdf2dfb0c4b4f49c8577f6cae55dca862cd37a4564e2", + "sha256:527b3b87b24844ea7865284aabfab08eb0faf599b385b03c2aa91fc6edd6e4b6", + "sha256:54d107c89a3ebcd13228278d68f1436d3f33f2dd2af5415e3feaeb1156e1a62c", + "sha256:5835f258ca9f7c455493a57ee707b76d2d9634d84d5d7f62e77be984ea80b849", + "sha256:598adde339d2cf7d67beaccda3f2ce7c57b3b412702f29c946708f69cf8222aa", + "sha256:599418aaaf88a6d02a8c515e656f6faf3d10618d3dd95866eb4436520096c84b", + "sha256:5bf651afd22d5f0c4be16cf39d0482ea494f5c88f03e75e5fef3a85177fecdeb", + "sha256:5c59fcd80b9049b49acd29bd3598cada4afc8d8d69bd4160cd613246912535d7", + "sha256:653acc3880459f82a65e27bd6526e47ddf19e643457d36a2250b85b41a564715", + "sha256:66bd5f950344fb2b3dbdd421aaa4e84f4411a1a13fca3aeb2bcbe667f80c9f76", + "sha256:6f3553510abdbec67c043ca85727396ceed1272eef029b050677046d3387be8d", + "sha256:7018ecc5fe97027214556afbc7c502fbd718d0740e87eb1217b17efd05b3d276", + "sha256:713d22cd9643ba9025d33c4af43943c7a1eb8547729228de18d3e02e278472b6", + "sha256:73a4131962e6d91109bca6536416aa067cf6c4efb871975df734f8d2fd821b37", + "sha256:75880ed07be39beff1881d81e4a907cafb802f306efd6d2d15f2b3c69935f6fb", + "sha256:75e14eac916f024305db517e00a9252714fce0abcb10ad327fb6dcdc0d060f1d", + "sha256:8135fa153a20d82ffb64f70a1b5c2738684afa197839b34cc3e3c72fa88d302c", + "sha256:84b14f36e85295fe69c6b9789b51a0903b774046d5f7df538176516c3e422446", + "sha256:86fc24e58ecb32aee09f864cb11bb91bc4c1086615001647dbfc4dc8c32f4008", 
+ "sha256:87f44875f2804bc0511a69ce44a9595d5944837a62caecc8490bbdb0e18b1342", + "sha256:88c70ed9da9963d5496d38320160e8eb7e5f1886f9290475a881db12f351ab5d", + "sha256:88e5be56c231981428f4f506c68b6a46fa25c4123a2e86d156c58a8369d31ab7", + "sha256:89d2e02167fa95172c017732ed7725bc8523c598757f08d13c5acca308e1a061", + "sha256:8d6aaa4e7155afaf994d7924eb290abbe81a6905b303d8cb61310a2aba1c68ba", + "sha256:92a2964319d359f494f16011e23434f6f8ef0434acd3cf154a6b7bec511e2fb7", + "sha256:96372fc29471646b9b106ee918c8eeb4cca423fcbf9a34daa1b93767a88a2290", + "sha256:978b046ca728073070e9abc074b6299ebf3501e8dee5e26efacb13cec2b2dea0", + "sha256:9c7149272fb5834fc186328e2c1fa01dda3e1fa940ce18fded6d412e8f2cf76d", + "sha256:a0239da9fbafd9ff82fd67c16704a7d1bccf0d107a300e790587ad05547681c8", + "sha256:ad5383a67514e8e76906a06741febd9126fc7c7ff0f599d6fcce3e82b80d026f", + "sha256:ad61a9639792fd790523ba072c0555cd6be5a0baf03a49a5dd8cfcf20d56df48", + "sha256:b29bfd650ed8e148f9c515474a6ef0ba1090b7a8faeee26b74a8ff3b33617502", + "sha256:b97decbb3372d4b69e4d4c8117f44632551c692bb1361b356a02b97b69e18a62", + "sha256:ba71c9b4dcbb16212f334126cc3d8beb6af377f6703d9dc2d9fb3874fd667ee9", + "sha256:c37c5cce780349d4d51739ae682dec63573847a2a8dcb44381b174c3d9c8d403", + "sha256:c971bf3786b5fad82ce5ad570dc6ee420f5b12527157929e830f51c55dc8af77", + "sha256:d1fde0f44029e02d02d3993ad55ce93ead9bb9b15c6b7ccd580f90bd7e3de476", + "sha256:d24b8bb40d5c61ef2d9b6a8f4528c2f17f1c5d2d31fed62ec860f6006142e83e", + "sha256:d5ba88df9aa5e2f806650fcbeedbe4f6e8736e92fc0e73b0400538fd25a4dd96", + "sha256:d6f76310355e9fae637c3162936e9504b4767d5c52ca268331e2756e54fd4ca5", + "sha256:d737fc67b9a970f3234754974531dc9afeea11c70791dcb7db53b0cf81b79784", + "sha256:da22885266bbfb3f78218dc40205fed2671909fbd0720aedba39b4515c038091", + "sha256:da37dcfbf4b7f45d80ee386a5f81122501ec75672f475da34784196690762f4b", + "sha256:db19d60d846283ee275d0416e2a23493f4e6b6028825b51290ac05afc87a6f97", + 
"sha256:db4c979b0b3e0fa7e9e69ecd11b2b3174c6963cebadeecfb7ad24532ffcdd11a", + "sha256:e164e0a98e92d06da343d17d4e9c4da4654f4a4588a20d6c73548a29f176abe2", + "sha256:e168a7560b7c61342ae0412997b069753f27ac4862ec7867eff74f0fe4ea2ad9", + "sha256:e381581b37db1db7597b62a2e6b8b57c3deec95d93b6d6407c5b61ddc98aca6d", + "sha256:e65bc19919c910127c06759a63747ebe14f386cda573d95bcc62b427ca1afc73", + "sha256:e7b8813be97cab8cb52b1375f41f8e6804f6507fe4660152e8ca5c48f0436017", + "sha256:e8a78079d9a39ca9ca99a8b0ac2fdc0c4d25fc80c8a8a82e5c8211509c523363", + "sha256:ebf909ea0a3fc9596e40d55d8000702a85e27fd578ff41a5500f68f20fd32e6c", + "sha256:ec40170327d4a404b0d91855d41bfe1fe4b699222b2b93e3d833a27330a87a6d", + "sha256:f178d2aadf0166be4df834c4953da2d7eef24719e8aec9a65289483eeea9d618", + "sha256:f88df3a83cf9df566f171adba39d5bd52814ac0b94778d2448652fc77f9eb491", + "sha256:f973157ffeab5459eefe7b97a804987876dd0a55570b8fa56b4e1954bf11329b", + "sha256:ff25f48fc8e623d95eca0670b8cc1469a83783c924a602e0fbd47363bb54aaca" ], "markers": "python_version >= '3.6'", - "version": "==3.7.4.post0" + "version": "==3.8.3" + }, + "aiosignal": { + "hashes": [ + "sha256:54cd96e15e1649b75d6c87526a6ff0b6c1b0dd3459f43d9ca11d48c339b68cfc", + "sha256:f8376fb07dd1e86a584e4fcdec80b36b7f81aac666ebc724e2c090300dd83b17" + ], + "markers": "python_version >= '3.7'", + "version": "==1.3.1" }, "antlr4-python3-runtime": { "hashes": [ - "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33" + "sha256:f224469b4168294902bb1efa80a8bf7855f24c99aef99cbefc1bcd3cce77881b" ], "markers": "python_version >= '3'", - "version": "==4.8" + "version": "==4.9.3" }, "async-timeout": { "hashes": [ - "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", - "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3" + "sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15", + "sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c" ], - "markers": 
"python_full_version >= '3.5.3'", - "version": "==3.0.1" + "markers": "python_version >= '3.6'", + "version": "==4.0.2" }, "attackcti": { "hashes": [ @@ -290,34 +444,27 @@ }, "attrs": { "hashes": [ - "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", - "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6", + "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.2.0" + "markers": "python_version >= '3.5'", + "version": "==22.1.0" }, "certifi": { "hashes": [ - "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", - "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", + "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" ], - "version": "==2021.5.30" - }, - "chardet": { - "hashes": [ - "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", - "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==4.0.0" + "index": "pypi", + "version": "==2022.12.7" }, "charset-normalizer": { "hashes": [ - "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", - "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597", + "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df" ], "markers": "python_version >= '3'", - "version": "==2.0.4" + "version": "==2.0.12" }, "colorama": { "hashes": [ 
@@ -401,79 +548,197 @@ "index": "pypi", "version": "==6.2.0" }, + "frozenlist": { + "hashes": [ + "sha256:008a054b75d77c995ea26629ab3a0c0d7281341f2fa7e1e85fa6153ae29ae99c", + "sha256:02c9ac843e3390826a265e331105efeab489ffaf4dd86384595ee8ce6d35ae7f", + "sha256:034a5c08d36649591be1cbb10e09da9f531034acfe29275fc5454a3b101ce41a", + "sha256:05cdb16d09a0832eedf770cb7bd1fe57d8cf4eaf5aced29c4e41e3f20b30a784", + "sha256:0693c609e9742c66ba4870bcee1ad5ff35462d5ffec18710b4ac89337ff16e27", + "sha256:0771aed7f596c7d73444c847a1c16288937ef988dc04fb9f7be4b2aa91db609d", + "sha256:0af2e7c87d35b38732e810befb9d797a99279cbb85374d42ea61c1e9d23094b3", + "sha256:14143ae966a6229350021384870458e4777d1eae4c28d1a7aa47f24d030e6678", + "sha256:180c00c66bde6146a860cbb81b54ee0df350d2daf13ca85b275123bbf85de18a", + "sha256:1841e200fdafc3d51f974d9d377c079a0694a8f06de2e67b48150328d66d5483", + "sha256:23d16d9f477bb55b6154654e0e74557040575d9d19fe78a161bd33d7d76808e8", + "sha256:2b07ae0c1edaa0a36339ec6cce700f51b14a3fc6545fdd32930d2c83917332cf", + "sha256:2c926450857408e42f0bbc295e84395722ce74bae69a3b2aa2a65fe22cb14b99", + "sha256:2e24900aa13212e75e5b366cb9065e78bbf3893d4baab6052d1aca10d46d944c", + "sha256:303e04d422e9b911a09ad499b0368dc551e8c3cd15293c99160c7f1f07b59a48", + "sha256:352bd4c8c72d508778cf05ab491f6ef36149f4d0cb3c56b1b4302852255d05d5", + "sha256:3843f84a6c465a36559161e6c59dce2f2ac10943040c2fd021cfb70d58c4ad56", + "sha256:394c9c242113bfb4b9aa36e2b80a05ffa163a30691c7b5a29eba82e937895d5e", + "sha256:3bbdf44855ed8f0fbcd102ef05ec3012d6a4fd7c7562403f76ce6a52aeffb2b1", + "sha256:40de71985e9042ca00b7953c4f41eabc3dc514a2d1ff534027f091bc74416401", + "sha256:41fe21dc74ad3a779c3d73a2786bdf622ea81234bdd4faf90b8b03cad0c2c0b4", + "sha256:47df36a9fe24054b950bbc2db630d508cca3aa27ed0566c0baf661225e52c18e", + "sha256:4ea42116ceb6bb16dbb7d526e242cb6747b08b7710d9782aa3d6732bd8d27649", + "sha256:58bcc55721e8a90b88332d6cd441261ebb22342e238296bb330968952fbb3a6a", + 
"sha256:5c11e43016b9024240212d2a65043b70ed8dfd3b52678a1271972702d990ac6d", + "sha256:5cf820485f1b4c91e0417ea0afd41ce5cf5965011b3c22c400f6d144296ccbc0", + "sha256:5d8860749e813a6f65bad8285a0520607c9500caa23fea6ee407e63debcdbef6", + "sha256:6327eb8e419f7d9c38f333cde41b9ae348bec26d840927332f17e887a8dcb70d", + "sha256:65a5e4d3aa679610ac6e3569e865425b23b372277f89b5ef06cf2cdaf1ebf22b", + "sha256:66080ec69883597e4d026f2f71a231a1ee9887835902dbe6b6467d5a89216cf6", + "sha256:783263a4eaad7c49983fe4b2e7b53fa9770c136c270d2d4bbb6d2192bf4d9caf", + "sha256:7f44e24fa70f6fbc74aeec3e971f60a14dde85da364aa87f15d1be94ae75aeef", + "sha256:7fdfc24dcfce5b48109867c13b4cb15e4660e7bd7661741a391f821f23dfdca7", + "sha256:810860bb4bdce7557bc0febb84bbd88198b9dbc2022d8eebe5b3590b2ad6c842", + "sha256:841ea19b43d438a80b4de62ac6ab21cfe6827bb8a9dc62b896acc88eaf9cecba", + "sha256:84610c1502b2461255b4c9b7d5e9c48052601a8957cd0aea6ec7a7a1e1fb9420", + "sha256:899c5e1928eec13fd6f6d8dc51be23f0d09c5281e40d9cf4273d188d9feeaf9b", + "sha256:8bae29d60768bfa8fb92244b74502b18fae55a80eac13c88eb0b496d4268fd2d", + "sha256:8df3de3a9ab8325f94f646609a66cbeeede263910c5c0de0101079ad541af332", + "sha256:8fa3c6e3305aa1146b59a09b32b2e04074945ffcfb2f0931836d103a2c38f936", + "sha256:924620eef691990dfb56dc4709f280f40baee568c794b5c1885800c3ecc69816", + "sha256:9309869032abb23d196cb4e4db574232abe8b8be1339026f489eeb34a4acfd91", + "sha256:9545a33965d0d377b0bc823dcabf26980e77f1b6a7caa368a365a9497fb09420", + "sha256:9ac5995f2b408017b0be26d4a1d7c61bce106ff3d9e3324374d66b5964325448", + "sha256:9bbbcedd75acdfecf2159663b87f1bb5cfc80e7cd99f7ddd9d66eb98b14a8411", + "sha256:a4ae8135b11652b08a8baf07631d3ebfe65a4c87909dbef5fa0cdde440444ee4", + "sha256:a6394d7dadd3cfe3f4b3b186e54d5d8504d44f2d58dcc89d693698e8b7132b32", + "sha256:a97b4fe50b5890d36300820abd305694cb865ddb7885049587a5678215782a6b", + "sha256:ae4dc05c465a08a866b7a1baf360747078b362e6a6dbeb0c57f234db0ef88ae0", + "sha256:b1c63e8d377d039ac769cd0926558bb7068a1f7abb0f003e3717ee003ad85530", 
+ "sha256:b1e2c1185858d7e10ff045c496bbf90ae752c28b365fef2c09cf0fa309291669", + "sha256:b4395e2f8d83fbe0c627b2b696acce67868793d7d9750e90e39592b3626691b7", + "sha256:b756072364347cb6aa5b60f9bc18e94b2f79632de3b0190253ad770c5df17db1", + "sha256:ba64dc2b3b7b158c6660d49cdb1d872d1d0bf4e42043ad8d5006099479a194e5", + "sha256:bed331fe18f58d844d39ceb398b77d6ac0b010d571cba8267c2e7165806b00ce", + "sha256:c188512b43542b1e91cadc3c6c915a82a5eb95929134faf7fd109f14f9892ce4", + "sha256:c21b9aa40e08e4f63a2f92ff3748e6b6c84d717d033c7b3438dd3123ee18f70e", + "sha256:ca713d4af15bae6e5d79b15c10c8522859a9a89d3b361a50b817c98c2fb402a2", + "sha256:cd4210baef299717db0a600d7a3cac81d46ef0e007f88c9335db79f8979c0d3d", + "sha256:cfe33efc9cb900a4c46f91a5ceba26d6df370ffddd9ca386eb1d4f0ad97b9ea9", + "sha256:d5cd3ab21acbdb414bb6c31958d7b06b85eeb40f66463c264a9b343a4e238642", + "sha256:dfbac4c2dfcc082fcf8d942d1e49b6aa0766c19d3358bd86e2000bf0fa4a9cf0", + "sha256:e235688f42b36be2b6b06fc37ac2126a73b75fb8d6bc66dd632aa35286238703", + "sha256:eb82dbba47a8318e75f679690190c10a5e1f447fbf9df41cbc4c3afd726d88cb", + "sha256:ebb86518203e12e96af765ee89034a1dbb0c3c65052d1b0c19bbbd6af8a145e1", + "sha256:ee78feb9d293c323b59a6f2dd441b63339a30edf35abcb51187d2fc26e696d13", + "sha256:eedab4c310c0299961ac285591acd53dc6723a1ebd90a57207c71f6e0c2153ab", + "sha256:efa568b885bca461f7c7b9e032655c0c143d305bf01c30caf6db2854a4532b38", + "sha256:efce6ae830831ab6a22b9b4091d411698145cb9b8fc869e1397ccf4b4b6455cb", + "sha256:f163d2fd041c630fed01bc48d28c3ed4a3b003c00acd396900e11ee5316b56bb", + "sha256:f20380df709d91525e4bee04746ba612a4df0972c1b8f8e1e8af997e678c7b81", + "sha256:f30f1928162e189091cf4d9da2eac617bfe78ef907a761614ff577ef4edfb3c8", + "sha256:f470c92737afa7d4c3aacc001e335062d582053d4dbe73cda126f2d7031068dd", + "sha256:ff8bf625fe85e119553b5383ba0fb6aa3d0ec2ae980295aaefa552374926b3f4" + ], + "markers": "python_version >= '3.7'", + "version": "==1.3.3" + }, "idna": { "hashes": [ - 
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", - "sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" + "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", + "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" ], "markers": "python_version >= '3'", - "version": "==3.2" + "version": "==3.4" }, "more-itertools": { "hashes": [ - "sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d", - "sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a" + "sha256:250e83d7e81d0c87ca6bd942e6aeab8cc9daa6096d12c5308f3f92fa5e5c1f41", + "sha256:5a6257e40878ef0520b1803990e3e22303a41b5714006c32a3fd8304b26ea1ab" ], - "markers": "python_version >= '3.5'", - "version": "==8.8.0" + "markers": "python_version >= '3.7'", + "version": "==9.0.0" }, "multidict": { "hashes": [ - "sha256:018132dbd8688c7a69ad89c4a3f39ea2f9f33302ebe567a879da8f4ca73f0d0a", - "sha256:051012ccee979b2b06be928a6150d237aec75dd6bf2d1eeeb190baf2b05abc93", - "sha256:05c20b68e512166fddba59a918773ba002fdd77800cad9f55b59790030bab632", - "sha256:07b42215124aedecc6083f1ce6b7e5ec5b50047afa701f3442054373a6deb656", - "sha256:0e3c84e6c67eba89c2dbcee08504ba8644ab4284863452450520dad8f1e89b79", - "sha256:0e929169f9c090dae0646a011c8b058e5e5fb391466016b39d21745b48817fd7", - "sha256:1ab820665e67373de5802acae069a6a05567ae234ddb129f31d290fc3d1aa56d", - "sha256:25b4e5f22d3a37ddf3effc0710ba692cfc792c2b9edfb9c05aefe823256e84d5", - "sha256:2e68965192c4ea61fff1b81c14ff712fc7dc15d2bd120602e4a3494ea6584224", - "sha256:2f1a132f1c88724674271d636e6b7351477c27722f2ed789f719f9e3545a3d26", - "sha256:37e5438e1c78931df5d3c0c78ae049092877e5e9c02dd1ff5abb9cf27a5914ea", - "sha256:3a041b76d13706b7fff23b9fc83117c7b8fe8d5fe9e6be45eee72b9baa75f348", - "sha256:3a4f32116f8f72ecf2a29dabfb27b23ab7cdc0ba807e8459e59a93a9be9506f6", - "sha256:46c73e09ad374a6d876c599f2328161bcd95e280f84d2060cf57991dec5cfe76", - 
"sha256:46dd362c2f045095c920162e9307de5ffd0a1bfbba0a6e990b344366f55a30c1", - "sha256:4b186eb7d6ae7c06eb4392411189469e6a820da81447f46c0072a41c748ab73f", - "sha256:54fd1e83a184e19c598d5e70ba508196fd0bbdd676ce159feb412a4a6664f952", - "sha256:585fd452dd7782130d112f7ddf3473ffdd521414674c33876187e101b588738a", - "sha256:5cf3443199b83ed9e955f511b5b241fd3ae004e3cb81c58ec10f4fe47c7dce37", - "sha256:6a4d5ce640e37b0efcc8441caeea8f43a06addace2335bd11151bc02d2ee31f9", - "sha256:7df80d07818b385f3129180369079bd6934cf70469f99daaebfac89dca288359", - "sha256:806068d4f86cb06af37cd65821554f98240a19ce646d3cd24e1c33587f313eb8", - "sha256:830f57206cc96ed0ccf68304141fec9481a096c4d2e2831f311bde1c404401da", - "sha256:929006d3c2d923788ba153ad0de8ed2e5ed39fdbe8e7be21e2f22ed06c6783d3", - "sha256:9436dc58c123f07b230383083855593550c4d301d2532045a17ccf6eca505f6d", - "sha256:9dd6e9b1a913d096ac95d0399bd737e00f2af1e1594a787e00f7975778c8b2bf", - "sha256:ace010325c787c378afd7f7c1ac66b26313b3344628652eacd149bdd23c68841", - "sha256:b47a43177a5e65b771b80db71e7be76c0ba23cc8aa73eeeb089ed5219cdbe27d", - "sha256:b797515be8743b771aa868f83563f789bbd4b236659ba52243b735d80b29ed93", - "sha256:b7993704f1a4b204e71debe6095150d43b2ee6150fa4f44d6d966ec356a8d61f", - "sha256:d5c65bdf4484872c4af3150aeebe101ba560dcfb34488d9a8ff8dbcd21079647", - "sha256:d81eddcb12d608cc08081fa88d046c78afb1bf8107e6feab5d43503fea74a635", - "sha256:dc862056f76443a0db4509116c5cd480fe1b6a2d45512a653f9a855cc0517456", - "sha256:ecc771ab628ea281517e24fd2c52e8f31c41e66652d07599ad8818abaad38cda", - "sha256:f200755768dc19c6f4e2b672421e0ebb3dd54c38d5a4f262b872d8cfcc9e93b5", - "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281", - "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80" + "sha256:018c8e3be7f161a12b3e41741b6721f9baeb2210f4ab25a6359b7d76c1017dce", + "sha256:01b456046a05ff7cceefb0e1d2a9d32f05efcb1c7e0d152446304e11557639ce", + "sha256:114a4ab3e5cfbc56c4b6697686ecb92376c7e8c56893ef20547921552f8bdf57", 
+ "sha256:12e0d396faa6dc55ff5379eee54d1df3b508243ff15bfc8295a6ec7a4483a335", + "sha256:190626ced82d4cc567a09e7346340d380154a493bac6905e0095d8158cdf1e38", + "sha256:1f5d5129a937af4e3c4a1d6c139f4051b7d17d43276cefdd8d442a7031f7eef2", + "sha256:21e1ce0b187c4e93112304dcde2aa18922fdbe8fb4f13d8aa72a5657bce0563a", + "sha256:24e8d513bfcaadc1f8b0ebece3ff50961951c54b07d5a775008a882966102418", + "sha256:2523a29006c034687eccd3ee70093a697129a3ffe8732535d3b2df6a4ecc279d", + "sha256:26fbbe17f8a7211b623502d2bf41022a51da3025142401417c765bf9a56fed4c", + "sha256:2b66d61966b12e6bba500e5cbb2c721a35e119c30ee02495c5629bd0e91eea30", + "sha256:2cf5d19e12eff855aa198259c0b02fd3f5d07e1291fbd20279c37b3b0e6c9852", + "sha256:2cfda34b7cb99eacada2072e0f69c0ad3285cb6f8e480b11f2b6d6c1c6f92718", + "sha256:3541882266247c7cd3dba78d6ef28dbe704774df60c9e4231edaa4493522e614", + "sha256:36df958b15639e40472adaa4f0c2c7828fe680f894a6b48c4ce229f59a6a798b", + "sha256:38d394814b39be1c36ac709006d39d50d72a884f9551acd9c8cc1ffae3fc8c4e", + "sha256:4159fc1ec9ede8ab93382e0d6ba9b1b3d23c72da39a834db7a116986605c7ab4", + "sha256:445c0851a1cbc1f2ec3b40bc22f9c4a235edb3c9a0906122a9df6ea8d51f886c", + "sha256:47defc0218682281a52fb1f6346ebb8b68b17538163a89ea24dfe4da37a8a9a3", + "sha256:4cc5c8cd205a9810d16a5cd428cd81bac554ad1477cb87f4ad722b10992e794d", + "sha256:4ccf55f28066b4f08666764a957c2b7c241c7547b0921d69c7ceab5f74fe1a45", + "sha256:4fb3fe591956d8841882c463f934c9f7485cfd5f763a08c0d467b513dc18ef89", + "sha256:526f8397fc124674b8f39748680a0ff673bd6a715fecb4866716d36e380f015f", + "sha256:578bfcb16f4b8675ef71b960c00f174b0426e0eeb796bab6737389d8288eb827", + "sha256:5b51969503709415a35754954c2763f536a70b8bf7360322b2edb0c0a44391f6", + "sha256:5e58ec0375803526d395f6f7e730ecc45d06e15f68f7b9cdbf644a2918324e51", + "sha256:62db44727d0befea68e8ad2881bb87a9cfb6b87d45dd78609009627167f37b69", + "sha256:67090b17a0a5be5704fd109f231ee73cefb1b3802d41288d6378b5df46ae89ba", + 
"sha256:6cd14e61f0da2a2cfb9fe05bfced2a1ed7063ce46a7a8cd473be4973de9a7f91", + "sha256:70740c2bc9ab1c99f7cdcb104f27d16c63860c56d51c5bf0ef82fc1d892a2131", + "sha256:73009ea04205966d47e16d98686ac5c438af23a1bb30b48a2c5da3423ec9ce37", + "sha256:791458a1f7d1b4ab3bd9e93e0dcd1d59ef7ee9aa051dcd1ea030e62e49b923fd", + "sha256:7f9511e48bde6b995825e8d35e434fc96296cf07a25f4aae24ff9162be7eaa46", + "sha256:81c3d597591b0940e04949e4e4f79359b2d2e542a686ba0da5e25de33fec13e0", + "sha256:8230a39bae6c2e8a09e4da6bace5064693b00590a4a213e38f9a9366da10e7dd", + "sha256:8b92a9f3ab904397a33b193000dc4de7318ea175c4c460a1e154c415f9008e3d", + "sha256:94cbe5535ef150546b8321aebea22862a3284da51e7b55f6f95b7d73e96d90ee", + "sha256:960ce1b790952916e682093788696ef7e33ac6a97482f9b983abdc293091b531", + "sha256:99341ca1f1db9e7f47914cb2461305665a662383765ced6f843712564766956d", + "sha256:9aac6881454a750554ed4b280a839dcf9e2133a9d12ab4d417d673fb102289b7", + "sha256:9d359b0a962e052b713647ac1f13eabf2263167b149ed1e27d5c579f5c8c7d2c", + "sha256:9dbab2a7e9c073bc9538824a01f5ed689194db7f55f2b8102766873e906a6c1a", + "sha256:a27b029caa3b555a4f3da54bc1e718eb55fcf1a11fda8bf0132147b476cf4c08", + "sha256:a8b817d4ed68fd568ec5e45dd75ddf30cc72a47a6b41b74d5bb211374c296f5e", + "sha256:ad7d66422b9cc51125509229693d27e18c08f2dea3ac9de408d821932b1b3759", + "sha256:b46e79a9f4db53897d17bc64a39d1c7c2be3e3d4f8dba6d6730a2b13ddf0f986", + "sha256:baa96a3418e27d723064854143b2f414a422c84cc87285a71558722049bebc5a", + "sha256:beeca903e4270b4afcd114f371a9602240dc143f9e944edfea00f8d4ad56c40d", + "sha256:c2a1168e5aa7c72499fb03c850e0f03f624fa4a5c8d2e215c518d0a73872eb64", + "sha256:c5790cc603456b6dcf8a9a4765f666895a6afddc88b3d3ba7b53dea2b6e23116", + "sha256:cb4a08f0aaaa869f189ffea0e17b86ad0237b51116d494da15ef7991ee6ad2d7", + "sha256:cd5771e8ea325f85cbb361ddbdeb9ae424a68e5dfb6eea786afdcd22e68a7d5d", + "sha256:ce8e51774eb03844588d3c279adb94efcd0edeccd2f97516623292445bcc01f9", + "sha256:d09daf5c6ce7fc6ed444c9339bbde5ea84e2534d1ca1cd37b60f365c77f00dea", 
+ "sha256:d0e798b072cf2aab9daceb43d97c9c527a0c7593e67a7846ad4cc6051de1e303", + "sha256:d325d61cac602976a5d47b19eaa7d04e3daf4efce2164c630219885087234102", + "sha256:d408172519049e36fb6d29672f060dc8461fc7174eba9883c7026041ef9bfb38", + "sha256:d52442e7c951e4c9ee591d6047706e66923d248d83958bbf99b8b19515fffaef", + "sha256:dc4cfef5d899f5f1a15f3d2ac49f71107a01a5a2745b4dd53fa0cede1419385a", + "sha256:df7b4cee3ff31b3335aba602f8d70dbc641e5b7164b1e9565570c9d3c536a438", + "sha256:e068dfeadbce63072b2d8096486713d04db4946aad0a0f849bd4fc300799d0d3", + "sha256:e07c24018986fb00d6e7eafca8fcd6e05095649e17fcf0e33a592caaa62a78b9", + "sha256:e0bce9f7c30e7e3a9e683f670314c0144e8d34be6b7019e40604763bd278d84f", + "sha256:e1925f78a543b94c3d46274c66a366fee8a263747060220ed0188e5f3eeea1c0", + "sha256:e322c94596054352f5a02771eec71563c018b15699b961aba14d6dd943367022", + "sha256:e4a095e18847c12ec20e55326ab8782d9c2d599400a3a2f174fab4796875d0e2", + "sha256:e5a811aab1b4aea0b4be669363c19847a8c547510f0e18fb632956369fdbdf67", + "sha256:eddf604a3de2ace3d9a4e4d491be7562a1ac095a0a1c95a9ec5781ef0273ef11", + "sha256:ee9b1cae9a6c5d023e5a150f6f6b9dbb3c3bbc7887d6ee07d4c0ecb49a473734", + "sha256:f1650ea41c408755da5eed52ac6ccbc8938ccc3e698d81e6f6a1be02ff2a0945", + "sha256:f2c0957b3e8c66c10d27272709a5299ab3670a0f187c9428f3b90d267119aedb", + "sha256:f76109387e1ec8d8e2137c94c437b89fe002f29e0881aae8ae45529bdff92000", + "sha256:f8a728511c977df6f3d8af388fcb157e49f11db4a6637dd60131b8b6e40b0253", + "sha256:fb6c3dc3d65014d2c782f5acf0b3ba14e639c6c33d3ed8932ead76b9080b3544" ], - "markers": "python_version >= '3.6'", - "version": "==5.1.0" + "markers": "python_version >= '3.7'", + "version": "==6.0.3" }, "packaging": { "hashes": [ - "sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7", - "sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14" + "sha256:2198ec20bd4c017b8f9717e00f0c8714076fc2fd93816750ab48e2c41de2cfd3", + 
"sha256:957e2148ba0e1a3b282772e791ef1d8083648bc131c8ab0c1feba110ce1146c3" ], - "markers": "python_version >= '3.6'", - "version": "==21.0" + "markers": "python_version >= '3.7'", + "version": "==22.0" }, "pathspec": { "hashes": [ - "sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a", - "sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1" + "sha256:88c2606f2c1e818b978540f73ecc908e13999c6c3a383daf3705652ae79807a5", + "sha256:8f6bf73e5758fd365ef5d58ce09ac7c27d2833a8d7da51712eac6e27e35141b0" ], - "version": "==0.9.0" + "markers": "python_version >= '3.7'", + "version": "==0.10.2" }, "pluggy": { "hashes": [ @@ -485,19 +750,11 @@ }, "py": { "hashes": [ - "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", - "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" + "sha256:51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719", + "sha256:607c53218732647dff4acdfcd50cb62615cedf612e72d1724fb1a0cc6405b378" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.10.0" - }, - "pyparsing": { - "hashes": [ - "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", - "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.4.7" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.11.0" }, "pytest": { "hashes": [ @@ -509,10 +766,10 @@ }, "pytz": { "hashes": [ - "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", - "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" + "sha256:222439474e9c98fced559f1709d89e6c9cbf8d79c794ff3eb9f8800064291427", + "sha256:e89512406b793ca39f5971bc999cc538ce125c0e51c27941bef4568b460095e2" ], - "version": "==2021.1" + "version": "==2022.6" }, "pyyaml": { "hashes": [ 
@@ -557,49 +814,80 @@ "index": "pypi", "version": "==2.26.0" }, + "setuptools": { + "hashes": [ + "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", + "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" + ], + "markers": "python_version >= '3.7'", + "version": "==65.6.3" + }, "simplejson": { "hashes": [ - "sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7", - "sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085", - "sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb", - "sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476", - "sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473", - "sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e", - "sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c", - "sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732", - "sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b", - "sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34", - "sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586", - "sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da", - "sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34", - "sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564", - "sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e", - "sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926", - "sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e", - "sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08", - "sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e", - "sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c", - "sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999", - 
"sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e", - "sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314", - "sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95", - "sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277", - "sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda", - "sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61", - "sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640", - "sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e", - "sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee", - "sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86", - "sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98", - "sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616", - "sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b", - "sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c", - "sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc", - "sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858", - "sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec" + "sha256:002f069c7bb9a86826616a78f1214fea5b993435720990eecb0bf10955b9cd0e", + "sha256:00b673f0b3caf37a3d993bccf30a97290da6313b6ecc7d66937e9cd906d8f840", + "sha256:07e408222931b1a2aab71e60e5f169fa7c0d74cacd4e0a6a0199716cb18dad76", + "sha256:0de746c8f76355c79fd15eccd7ecde0b137cd911bdcdc463fc5c36ec3d8b98ea", + "sha256:0f33d16fa7b5e2ed6ea85d7b31bc84cf8c73c40cc2c9f87071e0fffcd52f5342", + "sha256:0f49858b5fc802081b71269f4a3aa5c5500ec6553637c9a0630f30a2a6541ea7", + "sha256:17dbc7f71fa5b7e4a2acef38cf0be30461ae6659456a978ce7eeebeb5bdf9e1a", + "sha256:17ec5e408fb6615250c1f18fb4eac3b2b99a85e8613bfc2dfa54827d0bf7f3e1", + "sha256:1b4085151e00ab7ca66f269aff7153f0ec18589cb22e7ceb8b365709c723fdd0", 
+ "sha256:1f169402069f8cf93e359f607725b1d920c4dbe5bda4c520025d5fad8d20c1b7", + "sha256:1fbacdbba3cf5a471c67a9ca6cd270bba9578d5bc22aef6028faebbdb98bbb15", + "sha256:252f7cc5524bb5507a08377a4a75aa7ff4645f3dfca814d38bdbcf0f3c34d1ce", + "sha256:2aeed35db00cdf5d49ff1e7d878afd38c86a5fead0f1d364d539ad4d7a869e0e", + "sha256:2cc76435569e6c19574a8e913cfccbed832249b2b3b360caee9a4caf8ff866bf", + "sha256:448ab14fa67b3ac235a8445d14ec6d56268c3dabbce78720f9efa6d698466710", + "sha256:4609feb2ae66c132c6dcbe01dbfd4f6431afb4ff17303e37ca128fb6297cebd2", + "sha256:46bafa7e794f0e91fde850d906b0dc29a624c726b27e75d23bc8c3e35a48f28b", + "sha256:4a6199d302ec7d889e1aa6b493aa8e40b4dfa4bd85708f8c8f0c64ce5b8e0986", + "sha256:4d8d016f70d241f82189bc9f6d1eb8558b3599861f2c501b3f32da7fdf4e92ac", + "sha256:503da91993cc671fe7ebbf120c3ce868278de8226f158336afde874f7b7aa871", + "sha256:54c63cc7857f16a20aa170ffda9ebce45a3b7ba764b67a5a95bfe7ae613a2710", + "sha256:58a429d2c2fa80834115b923ff689622de8f214cf0dc4afa9f59e824b444ab31", + "sha256:599e9c53d3203bc36ef68efec138ca76d201da7ac06a114fae78536a8c10e35b", + "sha256:5f3dd31309ae5cc9f2df51d2d5cac89722dac3c853042ebefcaf7ad06ca19387", + "sha256:6187cbea7fdede732fe0347ad08cd920ebd9faa30b6c48782cee494051ca97c6", + "sha256:622cf0e1f870f189a0757fdcad7998a0c1dd46b0e53aeac9960556c141319c83", + "sha256:638bdd2deaccd3b8e02b1783280bd82341df5e1faa59c4f0276f03f16eec13ea", + "sha256:6804ad50aaf581df5c982fc101b0d932638066fe191074ded783602eb1c8982a", + "sha256:7a4d9b266ae6db578719f1255c742e76ee4676593087f4f6b79a2bbae2b1dcc5", + "sha256:7a9476dcd72aeba7d55c4800b9cd2204201af3539894b8512d74597e35a3033a", + "sha256:7b95c5cf71c16e4fdaa724719aaf8ccbed533e2df57a20bcff825ceeead27688", + "sha256:8493d2c1a940471b07d7c9c356a3f4eee780df073da2917418d0fe8669b54f99", + "sha256:875cfb43b622672218045dc927a86fc7c4c8111264c1d303aca5de33d5df479e", + "sha256:8d762267c4af617e1798bd0151f626105d06a88f214e3874b77eb89106f899fe", + 
"sha256:94c17d01e4c65e63deec46c984bb810de5e3a1259eb6bacdca63f3efc9c4c673", + "sha256:96979ff7f0daf47422d5f95d2d006da3210e0490a166bce2529f59f55047fc67", + "sha256:97139bf5134d713710665a6edb9500d69b93642c4b6b44b20800232dbd0f5b39", + "sha256:989b31d586954e65170ad3ec597218a6790c401b82da6193e8a897a06aa7946e", + "sha256:98b4c824f15436f1b22fe6d73c42ffacb246f7efc4d9dbbee542dd72355ecc43", + "sha256:9aff3c24017a7819c76b2f177d4fe8334b3d4cb6f702a2d7c666b3d57c36ffb4", + "sha256:9db78e18624f94d7b5642bf487244f803dab844e771d92e83f85f22da21ffe2d", + "sha256:a0e6dd5a0b8c76fb7522470789f1af793d39d6edbd4e40853e7be550ad49c430", + "sha256:a2f70d8170c7e02166a4c91462581e6ae5f35e3351a6b6c5142adcb04c7153ac", + "sha256:a814227fa08cae435ac7a42dcd2a04a7ec4a3cee23b7f83f9544cd26f452dcc4", + "sha256:aa9ecdd1d7ecbc7d1066c37cfbe52f65adf64b11b22d481a98fe1d3675dfff4b", + "sha256:b2b19d7aa4e9a1e7bf8caaf5f478a790190c60136314f45bb7702cb5a9337266", + "sha256:b4997bd8332cef3923402a07351571788f552f55ea1394ffbfccd4d203a8a05f", + "sha256:b71fef8ee41d59509c7f4afac7f627ed143c9e6db9eb08cfbba85e4c4dc5e67b", + "sha256:bd67d6fad7f4cd7c9cb7fad32d78ce32862fdb574b898447987a5de22fd37d73", + "sha256:ca22993a1a00440392c6c76f39addab8d97c706d2a8bcc2c9b2b6cb2cd7f41df", + "sha256:ce1c0580372d3c9bfa151bd0721a9bd5647b9b2245d0588d813fdbd2eb5d6f22", + "sha256:d522f28f7b252454df86ac3db5a0e1fe5ae03c8fc0cd1592c912b07c9fad6c29", + "sha256:d5d25cc5dad31a10d7a8196125515cc3aa68187c8953459fcaf127c2c8410f51", + "sha256:d9f7a692c11de20cb8ec680584815315e03d1404a6e299d36489b0fb6447d98d", + "sha256:d9fa2ad4cabb5054faa8d4a44b84134b0ec9d1421f5e9264d057d6be4d13c7fa", + "sha256:db53a85f4db0dbd9e5f6277d9153bcaa2ccb87b0d672c6a35f19432b3f2301a3", + "sha256:db9d36c4c7997c2a2513a5d218fd90b53bfeaf7e727f94aaf3576973378b3bce", + "sha256:e80f02e68d25c222471fcc5d1933275b8eb396e5e40b7863e4e0a43b3c810059", + "sha256:e84bd1c29e83ec74a95de070473742eb52d08502f2428eff5751671081e0a0a6", + "sha256:f0e12bdafdf7e32c5ad4a073e325ea0d659d4277af8b3d8eccf3101c56879619", 
+ "sha256:fd56a9e0c63a1f9c37621fe298c77795aefd2a26dca80dcae27688586c40b4bb" ], "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==3.17.3" + "version": "==3.18.0" }, "six": { "hashes": [ @@ -618,10 +906,11 @@ }, "stix2-patterns": { "hashes": [ - "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4", - "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992" + "sha256:07750c5a5af2c758e9d2aa4dde9d8e04bcd162ac2a9b0b4c4de4481d443efa08", + "sha256:ca4d68b2db42ed99794a418388769d2676ca828e9cac0b8629e73cd3f68f6458" ], - "version": "==1.3.2" + "markers": "python_version >= '3.6'", + "version": "==2.0.0" }, "taxii2-client": { "hashes": [ @@ -630,14 +919,6 @@ ], "version": "==2.3.0" }, - "typing-extensions": { - "hashes": [ - "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", - "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", - "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" - ], - "version": "==3.10.0.0" - }, "urllib3": { "hashes": [ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", 
@@ -662,46 +943,83 @@ }, "yarl": { "hashes": [ - "sha256:00d7ad91b6583602eb9c1d085a2cf281ada267e9a197e8b7cae487dadbfa293e", - "sha256:0355a701b3998dcd832d0dc47cc5dedf3874f966ac7f870e0f3a6788d802d434", - "sha256:15263c3b0b47968c1d90daa89f21fcc889bb4b1aac5555580d74565de6836366", - "sha256:2ce4c621d21326a4a5500c25031e102af589edb50c09b321049e388b3934eec3", - "sha256:31ede6e8c4329fb81c86706ba8f6bf661a924b53ba191b27aa5fcee5714d18ec", - "sha256:324ba3d3c6fee56e2e0b0d09bf5c73824b9f08234339d2b788af65e60040c959", - "sha256:329412812ecfc94a57cd37c9d547579510a9e83c516bc069470db5f75684629e", - "sha256:4736eaee5626db8d9cda9eb5282028cc834e2aeb194e0d8b50217d707e98bb5c", - "sha256:4953fb0b4fdb7e08b2f3b3be80a00d28c5c8a2056bb066169de00e6501b986b6", - "sha256:4c5bcfc3ed226bf6419f7a33982fb4b8ec2e45785a0561eb99274ebbf09fdd6a", - "sha256:547f7665ad50fa8563150ed079f8e805e63dd85def6674c97efd78eed6c224a6", - "sha256:5b883e458058f8d6099e4420f0cc2567989032b5f34b271c0827de9f1079a424", - "sha256:63f90b20ca654b3ecc7a8d62c03ffa46999595f0167d6450fa8383bab252987e", - "sha256:68dc568889b1c13f1e4745c96b931cc94fdd0defe92a72c2b8ce01091b22e35f", - "sha256:69ee97c71fee1f63d04c945f56d5d726483c4762845400a6795a3b75d56b6c50", - "sha256:6d6283d8e0631b617edf0fd726353cb76630b83a089a40933043894e7f6721e2", - "sha256:72a660bdd24497e3e84f5519e57a9ee9220b6f3ac4d45056961bf22838ce20cc", - "sha256:73494d5b71099ae8cb8754f1df131c11d433b387efab7b51849e7e1e851f07a4", - "sha256:7356644cbed76119d0b6bd32ffba704d30d747e0c217109d7979a7bc36c4d970", - "sha256:8a9066529240171b68893d60dca86a763eae2139dd42f42106b03cf4b426bf10", - "sha256:8aa3decd5e0e852dc68335abf5478a518b41bf2ab2f330fe44916399efedfae0", - "sha256:97b5bdc450d63c3ba30a127d018b866ea94e65655efaf889ebeabc20f7d12406", - "sha256:9ede61b0854e267fd565e7527e2f2eb3ef8858b301319be0604177690e1a3896", - "sha256:b2e9a456c121e26d13c29251f8267541bd75e6a1ccf9e859179701c36a078643", - "sha256:b5dfc9a40c198334f4f3f55880ecf910adebdcb2a0b9a9c23c9345faa9185721", - 
"sha256:bafb450deef6861815ed579c7a6113a879a6ef58aed4c3a4be54400ae8871478", - "sha256:c49ff66d479d38ab863c50f7bb27dee97c6627c5fe60697de15529da9c3de724", - "sha256:ce3beb46a72d9f2190f9e1027886bfc513702d748047b548b05dab7dfb584d2e", - "sha256:d26608cf178efb8faa5ff0f2d2e77c208f471c5a3709e577a7b3fd0445703ac8", - "sha256:d597767fcd2c3dc49d6eea360c458b65643d1e4dbed91361cf5e36e53c1f8c96", - "sha256:d5c32c82990e4ac4d8150fd7652b972216b204de4e83a122546dce571c1bdf25", - "sha256:d8d07d102f17b68966e2de0e07bfd6e139c7c02ef06d3a0f8d2f0f055e13bb76", - "sha256:e46fba844f4895b36f4c398c5af062a9808d1f26b2999c58909517384d5deda2", - "sha256:e6b5460dc5ad42ad2b36cca524491dfcaffbfd9c8df50508bddc354e787b8dc2", - "sha256:f040bcc6725c821a4c0665f3aa96a4d0805a7aaf2caf266d256b8ed71b9f041c", - "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a", - "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71" + "sha256:009a028127e0a1755c38b03244c0bea9d5565630db9c4cf9572496e947137a87", + "sha256:0414fd91ce0b763d4eadb4456795b307a71524dbacd015c657bb2a39db2eab89", + "sha256:0978f29222e649c351b173da2b9b4665ad1feb8d1daa9d971eb90df08702668a", + "sha256:0ef8fb25e52663a1c85d608f6dd72e19bd390e2ecaf29c17fb08f730226e3a08", + "sha256:10b08293cda921157f1e7c2790999d903b3fd28cd5c208cf8826b3b508026996", + "sha256:1684a9bd9077e922300ecd48003ddae7a7474e0412bea38d4631443a91d61077", + "sha256:1b372aad2b5f81db66ee7ec085cbad72c4da660d994e8e590c997e9b01e44901", + "sha256:1e21fb44e1eff06dd6ef971d4bdc611807d6bd3691223d9c01a18cec3677939e", + "sha256:2305517e332a862ef75be8fad3606ea10108662bc6fe08509d5ca99503ac2aee", + "sha256:24ad1d10c9db1953291f56b5fe76203977f1ed05f82d09ec97acb623a7976574", + "sha256:272b4f1599f1b621bf2aabe4e5b54f39a933971f4e7c9aa311d6d7dc06965165", + "sha256:2a1fca9588f360036242f379bfea2b8b44cae2721859b1c56d033adfd5893634", + "sha256:2b4fa2606adf392051d990c3b3877d768771adc3faf2e117b9de7eb977741229", + "sha256:3150078118f62371375e1e69b13b48288e44f6691c1069340081c3fd12c94d5b", 
+ "sha256:326dd1d3caf910cd26a26ccbfb84c03b608ba32499b5d6eeb09252c920bcbe4f", + "sha256:34c09b43bd538bf6c4b891ecce94b6fa4f1f10663a8d4ca589a079a5018f6ed7", + "sha256:388a45dc77198b2460eac0aca1efd6a7c09e976ee768b0d5109173e521a19daf", + "sha256:3adeef150d528ded2a8e734ebf9ae2e658f4c49bf413f5f157a470e17a4a2e89", + "sha256:3edac5d74bb3209c418805bda77f973117836e1de7c000e9755e572c1f7850d0", + "sha256:3f6b4aca43b602ba0f1459de647af954769919c4714706be36af670a5f44c9c1", + "sha256:3fc056e35fa6fba63248d93ff6e672c096f95f7836938241ebc8260e062832fe", + "sha256:418857f837347e8aaef682679f41e36c24250097f9e2f315d39bae3a99a34cbf", + "sha256:42430ff511571940d51e75cf42f1e4dbdded477e71c1b7a17f4da76c1da8ea76", + "sha256:44ceac0450e648de86da8e42674f9b7077d763ea80c8ceb9d1c3e41f0f0a9951", + "sha256:47d49ac96156f0928f002e2424299b2c91d9db73e08c4cd6742923a086f1c863", + "sha256:48dd18adcf98ea9cd721a25313aef49d70d413a999d7d89df44f469edfb38a06", + "sha256:49d43402c6e3013ad0978602bf6bf5328535c48d192304b91b97a3c6790b1562", + "sha256:4d04acba75c72e6eb90745447d69f84e6c9056390f7a9724605ca9c56b4afcc6", + "sha256:57a7c87927a468e5a1dc60c17caf9597161d66457a34273ab1760219953f7f4c", + "sha256:58a3c13d1c3005dbbac5c9f0d3210b60220a65a999b1833aa46bd6677c69b08e", + "sha256:5df5e3d04101c1e5c3b1d69710b0574171cc02fddc4b23d1b2813e75f35a30b1", + "sha256:63243b21c6e28ec2375f932a10ce7eda65139b5b854c0f6b82ed945ba526bff3", + "sha256:64dd68a92cab699a233641f5929a40f02a4ede8c009068ca8aa1fe87b8c20ae3", + "sha256:6604711362f2dbf7160df21c416f81fac0de6dbcf0b5445a2ef25478ecc4c778", + "sha256:6c4fcfa71e2c6a3cb568cf81aadc12768b9995323186a10827beccf5fa23d4f8", + "sha256:6d88056a04860a98341a0cf53e950e3ac9f4e51d1b6f61a53b0609df342cc8b2", + "sha256:705227dccbe96ab02c7cb2c43e1228e2826e7ead880bb19ec94ef279e9555b5b", + "sha256:728be34f70a190566d20aa13dc1f01dc44b6aa74580e10a3fb159691bc76909d", + "sha256:74dece2bfc60f0f70907c34b857ee98f2c6dd0f75185db133770cd67300d505f", + 
"sha256:75c16b2a900b3536dfc7014905a128a2bea8fb01f9ee26d2d7d8db0a08e7cb2c", + "sha256:77e913b846a6b9c5f767b14dc1e759e5aff05502fe73079f6f4176359d832581", + "sha256:7a66c506ec67eb3159eea5096acd05f5e788ceec7b96087d30c7d2865a243918", + "sha256:8c46d3d89902c393a1d1e243ac847e0442d0196bbd81aecc94fcebbc2fd5857c", + "sha256:93202666046d9edadfe9f2e7bf5e0782ea0d497b6d63da322e541665d65a044e", + "sha256:97209cc91189b48e7cfe777237c04af8e7cc51eb369004e061809bcdf4e55220", + "sha256:a48f4f7fea9a51098b02209d90297ac324241bf37ff6be6d2b0149ab2bd51b37", + "sha256:a783cd344113cb88c5ff7ca32f1f16532a6f2142185147822187913eb989f739", + "sha256:ae0eec05ab49e91a78700761777f284c2df119376e391db42c38ab46fd662b77", + "sha256:ae4d7ff1049f36accde9e1ef7301912a751e5bae0a9d142459646114c70ecba6", + "sha256:b05df9ea7496df11b710081bd90ecc3a3db6adb4fee36f6a411e7bc91a18aa42", + "sha256:baf211dcad448a87a0d9047dc8282d7de59473ade7d7fdf22150b1d23859f946", + "sha256:bb81f753c815f6b8e2ddd2eef3c855cf7da193b82396ac013c661aaa6cc6b0a5", + "sha256:bcd7bb1e5c45274af9a1dd7494d3c52b2be5e6bd8d7e49c612705fd45420b12d", + "sha256:bf071f797aec5b96abfc735ab97da9fd8f8768b43ce2abd85356a3127909d146", + "sha256:c15163b6125db87c8f53c98baa5e785782078fbd2dbeaa04c6141935eb6dab7a", + "sha256:cb6d48d80a41f68de41212f3dfd1a9d9898d7841c8f7ce6696cf2fd9cb57ef83", + "sha256:ceff9722e0df2e0a9e8a79c610842004fa54e5b309fe6d218e47cd52f791d7ef", + "sha256:cfa2bbca929aa742b5084fd4663dd4b87c191c844326fcb21c3afd2d11497f80", + "sha256:d617c241c8c3ad5c4e78a08429fa49e4b04bedfc507b34b4d8dceb83b4af3588", + "sha256:d881d152ae0007809c2c02e22aa534e702f12071e6b285e90945aa3c376463c5", + "sha256:da65c3f263729e47351261351b8679c6429151ef9649bba08ef2528ff2c423b2", + "sha256:de986979bbd87272fe557e0a8fcb66fd40ae2ddfe28a8b1ce4eae22681728fef", + "sha256:df60a94d332158b444301c7f569659c926168e4d4aad2cfbf4bce0e8fb8be826", + "sha256:dfef7350ee369197106805e193d420b75467b6cceac646ea5ed3049fcc950a05", + "sha256:e59399dda559688461762800d7fb34d9e8a6a7444fd76ec33220a926c8be1516", 
+ "sha256:e6f3515aafe0209dd17fb9bdd3b4e892963370b3de781f53e1746a521fb39fc0", + "sha256:e7fd20d6576c10306dea2d6a5765f46f0ac5d6f53436217913e952d19237efc4", + "sha256:ebb78745273e51b9832ef90c0898501006670d6e059f2cdb0e999494eb1450c2", + "sha256:efff27bd8cbe1f9bd127e7894942ccc20c857aa8b5a0327874f30201e5ce83d0", + "sha256:f37db05c6051eff17bc832914fe46869f8849de5b92dc4a3466cd63095d23dfd", + "sha256:f8ca8ad414c85bbc50f49c0a106f951613dfa5f948ab69c10ce9b128d368baf8", + "sha256:fb742dcdd5eec9f26b61224c23baea46c9055cf16f62475e11b9b15dfd5c117b", + "sha256:fc77086ce244453e074e445104f0ecb27530d6fd3a46698e33f6c38951d5a0f1", + "sha256:ff205b58dc2929191f68162633d5e10e8044398d7a45265f90a0f1d51f85f72c" ], - "markers": "python_version >= '3.6'", - "version": "==1.6.3" + "markers": "python_version >= '3.7'", + "version": "==1.8.2" } } } From 868be248ddb7ac7cc36180d5cffc16c99151af0a Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Fri, 9 Dec 2022 11:27:28 +0500 Subject: [PATCH 37/81] Fix the filter --- .../proc_creation_win_susp_userinit_child.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml index a84f52be0..18301a4a1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1139811587760562176 author: Florian Roth (rule), Samir Bousseaden (idea) date: 2019/06/17 -modified: 2022/10/09 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1055 @@ -20,7 +20,7 @@ detection: CommandLine|contains: '\netlogon\' filter2: - Image|endswith: '\explorer.exe' - - ImageFileName: 'explorer.exe' + - OriginalFileName: 'explorer.exe' condition: selection and not 1 of filter* fields: - CommandLine 
From fb8e0894b0d4e68114c0edb042ae072b11e2dcf0 Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Fri, 9 Dec 2022 13:42:49 +0500
Subject: [PATCH 38/81] fix: condition
---
 .../proc_creation_win_susp_use_of_sqlps_bin.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
index 91cb6862a..f1f4d118b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/bryon_/status/975835709587075072
 author: 'Agro (@agro_sev) oscd.community'
 date: 2020/10/10
-modified: 2022/02/25
+modified: 2022/12/09
 tags:
 - attack.execution
 - attack.t1059.001
@@ -21,14 +21,13 @@ logsource:
 product: windows
 detection:
 selection_1:
- Image|endswith: '\sqlps.exe'
+ - Image|endswith: '\sqlps.exe'
+ - OriginalFileName: 'sqlps.exe'
 selection_2:
 ParentImage|endswith: '\sqlps.exe'
- selection_3:
- OriginalFileName: '\sqlps.exe'
 filter:
 ParentImage|endswith: '\sqlagent.exe'
- condition: 1 of selection_* and not filter
+ condition: (selection_1 and not filter) or selection_2
 falsepositives:
 - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
 level: medium
From a0e80197805563393e82bbb07d0c676c70430199 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 10:33:33 +0100
Subject: [PATCH 39/81] fix: issue raised by PR #3769
---
 tests/test_rules.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 6f797afe6..b58d0884a 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -935,7 +935,7 @@ class TestRules(unittest.TestCase):
 # add "OriginalFilename" after Aurora switched to SourceFilename
 # add "ProviderName" after special case powershell classic is resolved
 # typos is a list of tuples where each tuple contains ("The typo", "The correct version")
- typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")]
+ typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName"), ("ImageFileName", "OriginalFileName")]
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases
From 6f6cb9648dec2e0429c10fb9b8a9b2723bf9e441 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 10:33:52 +0100
Subject: [PATCH 40/81] fix: fp found in testing
---
 .../security/win_security_susp_scheduled_task_delete.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
index b19494759..3b3d77ad5 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
@@ -12,6 +12,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
 author: Nasreddine Bencherchali
 date: 2022/12/05
+modified: 2022/12/08
 tags:
 - attack.execution
 - attack.privilege_escalation
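Review bot: The new tuple `("ImageFileName", "OriginalFileName")` is not a typo pair like the others but a field-name normalisation, and the comment above the list (`# typos is a list of tuples where each tuple contains ("The typo", "The correct version")`) no longer describes it, so a rule author hitting the failure will look for a misspelling that does not exist. A comment next to the entry such as `# "ImageFileName" is not a recognised field; rules must use OriginalFileName (see PR #3769)` would make the intent clear. The test method continues outside the hunk, so whether the pairs are matched as whole field names or as substrings is not visible here.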
@@ -27,7 +28,7 @@ detection:
 - 4699 # Task Deleted Event
 - 4701 # Task Disabled Event
 TaskName|contains:
- # Add more important tasks>
+ # Add more important tasks
 - '\Windows\SystemRestore\SR'
 - '\Windows\Windows Defender\'
 - '\Windows\BitLocker'
@@ -35,7 +36,9 @@ detection:
 - '\Windows\WindowsUpdate\'
 - '\Windows\UpdateOrchestrator\'
 - '\Windows\ExploitGuard'
- condition: selection
+ filter_ac_power_download:
+ Task|contains: '\Windows\UpdateOrchestrator\AC Power Download'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: high
From 7cd15d0bc1e7c49a193b9c4cdf67769f85c7dc1b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 10:34:06 +0100
Subject: [PATCH 41/81] fix: update metadata
---
 .../proc_creation_win_false_sysinternalsuite.yml | 5 +++--
 .../proc_creation_win_impacket_lateralization.yml | 4 ++--
 .../process_creation/proc_creation_win_renamed_procdump.yml | 6 +++---
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml b/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
index ba28010ce..c1feb1bd7 100644
--- a/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
+++ b/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
@@ -1,11 +1,12 @@
-title: False Sysinternals Suite Tools
+title: Potential Binary Impersonating Sysinternals Tools
 id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
 status: experimental
-description: Rename as a legitimate Sysinternals Suite tool to evade detection
+description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
 author: frack113
 date: 2021/12/20
+modified: 2022/12/08
 tags:
 - attack.execution
 - attack.defense_evasion
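Review bot: The new `filter_ac_power_download` keys on `Task|contains`, while the selection directly above it keys on `TaskName|contains`; if events 4699/4701 only carry `TaskName`, as the selection assumes, the filter can never match and the false positive this commit targets is not suppressed. It should read `TaskName|contains: '\Windows\UpdateOrchestrator\AC Power Download'`. A later commit in this series (356ab98a) rewrites the same `condition: selection` line of this file from the same base blob b19494759, so one of the two will have to be rebased onto the other.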
diff --git a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
index fb8f65ecb..ba53f5896 100644
--- a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
 author: Ecco, oscd.community, Jonhnathan Ribeiro
 date: 2019/09/03
-modified: 2021/11/27
+modified: 2022/12/08
 tags:
 - attack.execution
 - attack.t1047
@@ -46,7 +46,7 @@ detection:
 - 'cmd.exe'
 - '/Q'
 - '/c'
- - '\\\\127.0.0.1\'
+ - '\\\\127.0.0.1\\'
 - '&1'
 selection_atexec:
 ParentCommandLine|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 9a09c3246..0e7a7715a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
@@ -1,4 +1,4 @@
-title: Renamed ProcDump
+title: Renamed ProcDump Execution
 id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
 related:
 - id: 03795938-1387-481b-9f4c-3f6241e604fe
@@ -9,7 +9,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth
 date: 2019/11/18
-modified: 2022/08/12
+modified: 2022/12/08
 tags:
 - attack.defense_evasion
 - attack.t1036.003
@@ -34,5 +34,5 @@ detection:
 condition: (selection_org or all of selection_args_*) and not filter
 falsepositives:
 - Procdump illegaly bundled with legitimate software
- - Weird admins who renamed binaries (and should be investigated)
+ - Administrators who rename binaries (should be investigated)
 level: high
From 0783d6df2265657a407127c3fd62d7ce3d752c13 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 12:22:50 +0100
Subject: [PATCH 42/81] feat: update Lsass-Shtinkering rules
---
 ...in_werfault_susp_lsass_credential_dump.yml | 26 +++++++++++++++++++
 .../proc_creation_lsass_shtinkering.yml | 6 ++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
diff --git a/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
new file mode 100644
index 000000000..d4ac076dd
--- /dev/null
+++ b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
@@ -0,0 +1,26 @@
+title: Potential Credential Dumping Via WER - Application
+id: a18e0862-127b-43ca-be12-1a542c75c7c5
+status: experimental
+description: Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
+author: Nasreddine Bencherchali
+date: 2022/12/07
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Provider_Name: 'Application Error'
+ EventID: 1000
+ AppName: 'lsass.exe'
+ ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
+ condition: selection
+falsepositives:
+ - Rare legitimate crashing of the lsass process
+level: high
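Review bot: `AppName` and `ExceptionCode` are used as named fields, but the `Application Error` event 1000 in the Application log carries its payload as positional data in many collection pipelines, so whether these names resolve depends entirely on the backend's field mapping for this event; a comment such as `# Field names assume the backend maps the positional EventData of event 1000 (AppName, ExceptionCode)` and a check against the target backend would save the next reader a silent no-match. The exception code is written as `'c0000001'` with no `0x` prefix and in lower case; if the backend renders it as `0xc0000001` or upper case the selection misses, so the expected rendering should be confirmed or the value matched with a `contains` modifier. The description's `to dump credential` reads as `to dump credentials`.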
diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
index a88adb413..cc021edaa 100644
--- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
+++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
@@ -1,4 +1,4 @@
-title: Potential Credential Dumping Via Windows Error Reporting
+title: Potential Credential Dumping Via WER
 id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
 status: experimental
 description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
@@ -7,6 +7,7 @@ references:
 - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 author: '@pbssubhash , Nasreddine Bencherchali'
 date: 2022/12/08
+modified: 2022/12/09
 tags:
 - attack.credential_access
 - attack.t1003.001
@@ -25,7 +26,10 @@ detection:
 - 'AUTHORI'
 - 'AUTORI'
 CommandLine|contains|all:
+ # Doc: WerFault.exe -u -p -ip -s
 # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
+ # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique
+ # Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity
 - ' -u -p '
 - ' -ip '
 - ' -s '
From 356ab98ada7cf220183c42519da6090155634c29 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 9 Dec 2022 12:55:41 +0100
Subject: [PATCH 43/81] fix: FPs with Important Scheduled Task Deleted
---
 .../security/win_security_susp_scheduled_task_delete.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
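Review bot: The two comments added under `CommandLine|contains|all` describe a condition the rule cannot evaluate — whether `-p` names the LSASS PID and `-ip` a different process — while the selection only checks that the ` -u -p `, ` -ip ` and ` -s ` tokens are present. Marking them as triage guidance avoids giving the impression that the PID comparison is part of the detection logic, e.g. `# Triage note: the rule cannot resolve PIDs; confirm manually that "-p" refers to lsass.exe and "-ip" to a different process`. The rest of the selection (the `AUTHORI`/`AUTORI` list and whatever precedes it) starts before this hunk, so the full set of constraints is not visible here.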
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
index b19494759..78b60d3fe 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
@@ -12,6 +12,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
 author: Nasreddine Bencherchali
 date: 2022/12/05
+modified: 2022/12/09
 tags:
 - attack.execution
 - attack.privilege_escalation
@@ -35,7 +36,9 @@ detection:
 - '\Windows\WindowsUpdate\'
 - '\Windows\UpdateOrchestrator\'
 - '\Windows\ExploitGuard'
- condition: selection
+ filter:
+ SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
From 1143ec85b4808d3215dc481ae948fff2e552bffc Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 16:38:32 +0100
Subject: [PATCH 44/81] feat: enhance pssnapin rule
---
 ...reation_win_powershell_snapins_hafnium.yml | 25 +++++++++++++------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
index f1143d516..bc5a795f5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
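Review bot: `SubjectUserName|endswith: '$'` exempts every machine-account subject, and in the Security log that typically also covers activity performed as local SYSTEM, so a deletion of the Defender, BitLocker or ExploitGuard tasks from a SYSTEM-level context would no longer alert; that is a wide exception for a `level: high` rule whose whole purpose is these tasks. If the false positive is specifically Defender's own upgrade, scoping the exception to that task keeps the rest of the coverage, e.g. `filter_defender_upgrade:` / `SubjectUserName|endswith: '$'` / `TaskName|contains: '\Windows\Windows Defender\'` with `condition: selection and not 1 of filter_*`. This commit and 6f6cb964 both replace the same `condition: selection` line from base blob b19494759, so the two will conflict when the series is applied.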
@@ -1,13 +1,14 @@
-title: Exchange PowerShell Snap-Ins Used by HAFNIUM
+title: Exchange PowerShell Snap-Ins Usage
 id: 25676e10-2121-446e-80a4-71ff8506af47
 status: experimental
-description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM
+description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
 references:
 - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
-author: FPT.EagleEye
+ - https://www.intrinsec.com/apt27-analysis/
+author: FPT.EagleEye, Nasreddine Bencherchali
 date: 2021/03/03
-modified: 2022/07/14
+modified: 2022/12/09
 tags:
 - attack.execution
 - attack.t1059.001
@@ -17,12 +18,20 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith:
+ selection_img:
+ - Image|endswith:
 - '\powershell.exe'
 - '\pwsh.exe'
- CommandLine|contains: 'add-pssnapin microsoft.exchange.powershell.snapin'
- condition: selection
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ selection_cli:
+ CommandLine|contains: 'Add-PSSnapin'
+ selection_module:
+ CommandLine|contains:
+ - 'Microsoft.Exchange.Powershell.Snapin'
+ - 'Microsoft.Exchange.Management.PowerShell.SnapIn'
+ condition: all of selection_*
 fields:
 - CommandLine
 - ParentCommandLine
From 9f346ce7d1b03aba4945caf5d281cc2ec7ea3d49 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 16:41:36 +0100
Subject: [PATCH 45/81] fix: typo in rule filename
---
 ...p_log_file.yml => file_event_win_mimikatz_memssp_log_file.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/file/file_event/{file_event_win_mimimaktz_memssp_log_file.yml => file_event_win_mimikatz_memssp_log_file.yml} (100%)
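Review bot: `selection_cli` requires the literal cmdlet name `Add-PSSnapin`, but Windows PowerShell also resolves its built-in alias `asnp`, so the coverage is narrower than the new title "Exchange PowerShell Snap-Ins Usage" suggests; either widen the list (`CommandLine|contains:` / `- 'Add-PSSnapin'` / `- 'asnp '`) or record the limitation in a comment next to the selection. The split into `selection_img`, `selection_cli` and `selection_module` joined by `all of selection_*` is clearer than the old single lower-cased string and the OR-ed list under `selection_img` reads as intended. The `fields:` list and the `falsepositives` block continue past the end of the hunk.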
diff --git a/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml b/rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml
similarity index 100%
rename from rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml
rename to rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml
From cde2bdfc22c08925d6f58282bdd265e9265a5856 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 17:11:03 +0100
Subject: [PATCH 46/81] fix: fix typo in fieldname and close #2101
---
 rules/windows/image_load/image_load_foggyweb_nobelium.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/image_load/image_load_foggyweb_nobelium.yml b/rules/windows/image_load/image_load_foggyweb_nobelium.yml
index eaf808b22..8c0ca56f2 100644
--- a/rules/windows/image_load/image_load_foggyweb_nobelium.yml
+++ b/rules/windows/image_load/image_load_foggyweb_nobelium.yml
@@ -1,12 +1,12 @@
 title: FoggyWeb Backdoor DLL Loading
 id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
 status: test
-description: Detects DLL image load activity as used by FoggyWeb backdoor loader
+description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
 references:
 - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
 author: Florian Roth
 date: 2021/09/27
-modified: 2022/10/09
+modified: 2022/12/09
 tags:
 - attack.resource_development
 - attack.t1587
@@ -15,7 +15,7 @@ logsource:
 product: windows
 detection:
 selection:
- Image: C:\Windows\ADFS\version.dll
+ ImageLoaded: 'C:\Windows\ADFS\version.dll'
 condition: selection
 falsepositives:
 - Unlikely
From 14d174e218b837d1d27b96a6f1f3f2e12161866b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 17:36:24 +0100
Subject: [PATCH 47/81] feat: update rules related to dll sideloading
---
 ...ile_event_win_create_non_existent_dlls.yml | 7 +++
 ...oad_side_load_from_non_system_location.yml | 9 +++-
 ...image_load_side_load_non_existent_dlls.yml | 43 +++++++++++++++++++
 .../image_load_susp_dbghelp_dbgcore_load.yml | 4 +-
 4 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 9c9c65693..522c8f4fd 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -1,10 +1,16 @@
 title: Creation Of Non-Existent DLLs In System Folders
 id: df6ecb8b-7822-4f4b-b412-08f524b4576c
+related:
+ - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
+ type: similar
 status: experimental
 description: Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking
 references:
 - https://decoded.avast.io/martinchlumecky/png-steganography/
 - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+ - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
+ - https://github.com/Wh04m1001/SysmonEoP
+ - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
 author: Nasreddine Bencherchali
 date: 2022/12/01
 tags:
@@ -22,6 +28,7 @@ detection:
 - 'C:\Windows\System32\WLBSCTRL.dll'
 - 'C:\Windows\System32\TSMSISrv.dll'
 - 'C:\Windows\System32\TSVIPSrv.dll'
+ - 'C:\Windows\System32\wow64log.dll'
 filter:
 Image|startswith: 'C:\Windows\System32\'
 condition: selection and not filter
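Review bot: The `filter` this hunk leaves in place, `Image|startswith: 'C:\Windows\System32\'`, exempts every writer that lives under System32, which includes the script hosts and service executables an operator would most plausibly use to drop the newly added `wow64log.dll`; the reference list added in the first hunk describes exactly such abuse, so the exception undercuts the new entry. If the exception exists for a specific installer or servicing process seen in testing, naming that image (or adding a `TargetFilename`/`Image` pairing) would keep the coverage; at minimum a comment such as `# Filter: servicing writes from System32 — verify it does not cover script hosts` would document the trade-off. The `description` typo `Usualy` is also carried into the new sibling rule.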
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 7df5528b4..342b35fc7 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
 author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)
 date: 2022/08/14
-modified: 2022/10/25
+modified: 2022/12/09
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -433,6 +433,13 @@ detection:
 - '\igd10iumd64.dll'
 - '\igd12umd64.dll'
 - '\igdusc64.dll'
+ # Other
+ - '\WLBSCTRL.dll'
+ - '\TSMSISrv.dll'
+ - '\TSVIPSrv.dll'
+ - '\wow64log.dll'
+ - '\WptsExtensions.dll'
+ - '\wbemcomn.dll'
 filter_generic:
 ImageLoaded|startswith:
 - 'C:\Windows\System32\'
diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
new file mode 100644
index 000000000..619f4fdf7
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
@@ -0,0 +1,43 @@
+title: Sideloading Of Non-Existent DLLs From System Folders
+id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
+related:
+ - id: df6ecb8b-7822-4f4b-b412-08f524b4576c
+ type: similar
+status: experimental
+description: Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation
+references:
+ - https://decoded.avast.io/martinchlumecky/png-steganography/
+ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+ - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
+ - https://github.com/Wh04m1001/SysmonEoP
+ - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+ - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
+author: Nasreddine Bencherchali
+date: 2022/12/09
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith:
+ # Add other DLLs
+ - 'C:\Windows\System32\WLBSCTRL.dll'
+ - 'C:\Windows\System32\TSMSISrv.dll'
+ - 'C:\Windows\System32\TSVIPSrv.dll'
+ - 'C:\Windows\System32\wow64log.dll'
+ - 'C:\Windows\System32\WptsExtensions.dll'
+ - 'C:\Windows\System32\wbem\wbemcomn.dll'
+ filter_ms_signed:
+ Signed: 'true'
+ # There could be other signatures (please add when found)
+ Signature: 'Microsoft Windows'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
index bc7467c9c..5d2a23294 100755
--- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
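Review bot: `ImageLoaded|endswith` is paired with absolute paths such as `'C:\Windows\System32\WLBSCTRL.dll'`, which behaves like an exact match except for an odd prefix, so a system installed on another drive letter is not covered; dropping the drive (`- '\Windows\System32\WLBSCTRL.dll'`) keeps the intent of the modifier, or a plain exact match would at least make the intent explicit. `filter_ms_signed` keys on `Signed: 'true'` and `Signature: 'Microsoft Windows'` but not on signature validity; if the backend's `Signed` field is set for any signed image regardless of verification (Sysmon reports the verification result in a separate `SignatureStatus` field), an image carrying an unverifiable signature that names Microsoft would be filtered out, so adding `SignatureStatus: 'Valid'` to the filter is worth considering. `Usualy` in the description should be `Usually`.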
@@ -11,7 +11,7 @@ references: - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 author: Perez Diego (@darkquassar), oscd.community, Ecco date: 2019/10/27 -modified: 2022/09/15 +modified: 2022/12/09 tags: - attack.credential_access - attack.t1003.001 @@ -50,7 +50,7 @@ detection: ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' - Signed: 'FALSE' + Signed: 'false' filter1: - Image|contains: 'Visual Studio' - CommandLine|contains: From 89e44d46cb66871a2bd4b9f532960c8ba6c34754 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 18:06:20 +0100 Subject: [PATCH 48/81] feat: update .net etw tamper rules --- .../win_security_etw_modification.yml | 20 +++++++++++++++---- ..._creation_win_etw_modification_cmdline.yml | 11 ++++++---- .../registry_set_etw_disabled.yml | 18 ++++++++++++++--- 3 files changed, 38 insertions(+), 11 deletions(-) diff --git a/rules/windows/builtin/security/win_security_etw_modification.yml b/rules/windows/builtin/security/win_security_etw_modification.yml index e05e6598e..e7225550f 100644 --- a/rules/windows/builtin/security/win_security_etw_modification.yml +++ b/rules/windows/builtin/security/win_security_etw_modification.yml @@ -1,5 +1,8 @@ -title: COMPlus_ETWEnabled Registry Modification +title: ETW Logging Disabled In .NET Processes - Registry id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc +related: + - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 + type: similar status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. references: 
@@ -12,22 +15,31 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -modified: 2022/10/05 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1112 + - attack.t1562 logsource: product: windows service: security detection: - selection: + selection_etw_enabled: EventID: 4657 ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework' ObjectValueName: 'ETWEnabled' NewValue: 0 - condition: selection + selection_complus: + EventID: 4657 + ObjectName|endswith: '\Environment\' + ObjectValueName: + - 'COMPlus_ETWEnabled' + - 'COMPlus_ETWFlags' + NewValue: 0 + condition: 1 of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml index 1d03d645c..cc7917676 100644 --- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml 
@@ -1,7 +1,7 @@ -title: COMPlus_ETWEnabled Command Line Arguments +title: ETW Logging Disabled In .NET Processes - CommandLine id: 41421f44-58f9-455d-838a-c398859841d4 status: test -description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. +description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. references: - https://twitter.com/_xpn_/status/1268712093928378368 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr @@ -12,9 +12,10 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1562 @@ -23,7 +24,9 @@ logsource: product: windows detection: selection: - CommandLine|contains: 'COMPlus_ETWEnabled=0' + CommandLine|contains: + - 'COMPlus_ETWEnabled' + - 'COMPlus_ETWFlags' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml index 93b500a35..4e888c2de 100644 --- a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml 
@@ -1,5 +1,8 @@ -title: COMPlus_ETWEnabled Registry Modification - Registry +title: ETW Logging Disabled In .NET Processes - Sysmon Registry id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 +related: + - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc + type: similar status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. references: @@ -12,20 +15,29 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -modified: 2022/11/26 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1112 + - attack.t1562 logsource: product: windows category: registry_set detection: - selection: + selection_etw_enabled: EventType: SetValue TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' Details: 'DWORD (0x00000000)' + selection_complus: + EventType: SetValue + TargetObject|endswith: + - '\COMPlus_ETWEnabled' + - '\COMPlus_ETWFlags' + Details: 0 condition: selection falsepositives: - Unknown From 7c7057d9d39c95987b69fb32230da87a5f5c0797 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 18:06:58 +0100 Subject: [PATCH 49/81] fix: rename .net etw tamper rules --- ...y_etw_modification.yml => win_security_dot_net_etw_tamper.yml} | 0 ...y_set_etw_disabled.yml => registry_set_dot_net_etw_tamper.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/builtin/security/{win_security_etw_modification.yml => win_security_dot_net_etw_tamper.yml} (100%) rename rules/windows/registry/registry_set/{registry_set_etw_disabled.yml => registry_set_dot_net_etw_tamper.yml} (100%) diff --git a/rules/windows/builtin/security/win_security_etw_modification.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml similarity index 100% rename from rules/windows/builtin/security/win_security_etw_modification.yml rename to rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml similarity index 100% rename from rules/windows/registry/registry_set/registry_set_etw_disabled.yml rename to rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml From fa1cbb314ab972561be714c98139420bdf4f39e9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:09:24 +0100 Subject: [PATCH 50/81] feat: more updates to etw tamper rules --- ...gistry_set_disable_autologger_sessions.yml | 5 ++-- .../registry_set_rpcrt4_etw_tamper.yml | 27 +++++++++++++++++++ .../registry_set_services_etw_tamper.yml | 24 +++++++++++++++++ 3 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml create mode 100644 rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml 
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml index 38c4c79fa..0254cdb81 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml @@ -5,9 +5,10 @@ description: Detects tampering of autologger trace sessions which is a technique references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Nasreddine Bencherchali date: 2022/08/01 -modified: 2022/09/18 +modified: 2022/12/09 tags: - attack.defense_evasion logsource: @@ -22,7 +23,7 @@ detection: - '\EventLog-' - '\Defender' TargetObject|endswith: - - '\Enabled' + - '\Enable' - '\Start' Details: DWORD (0x00000000) filter_legitimate: diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml new file mode 100644 index 000000000..c157026fb --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml 
@@ -0,0 +1,27 @@ +title: ETW Logging Disabled For rpcrt4.dll +id: 4f281b83-0200-4b34-bf35-d24687ea57c2 +status: experimental +description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll +references: + - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html +author: Nasreddine Bencherchali +date: 2022/12/09 +tags: + - attack.defense_evasion + - attack.t1112 + - attack.t1562 +logsource: + product: windows + category: registry_set +detection: + selection_etw_enabled: + EventType: SetValue + TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation' + Details: + # This is disabled by default for some reason + - 'DWORD (0x00000000)' # Off + - 'DWORD (0x00000002)' # Off with exceptions + condition: selection +falsepositives: + - Unknown +level: low diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml new file mode 100644 index 000000000..e45aa08c3 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml @@ -0,0 +1,24 @@ +title: ETW Logging Disabled For SCM +id: 4f281b83-0200-4b34-bf35-d24687ea57c2 +status: experimental +description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM) +references: + - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html +author: Nasreddine Bencherchali +date: 2022/12/09 +tags: + - attack.defense_evasion + - attack.t1112 + - attack.t1562 +logsource: + product: windows + category: registry_set +detection: + selection_etw_enabled: + EventType: SetValue + TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled' + Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1. + condition: selection +falsepositives: + - Unknown +level: low From a8472bf4df92c7b55fde896636d7fa230eeb7d00 Mon Sep 17 00:00:00 2001 
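Review bot: In both new rules on this line the inline comments state that the matched value is the default state (`# This is disabled by default for some reason` next to the ExtErrorInformation values, and `this value is by default 1` next to TracingDisabled), yet `falsepositives` is left as `Unknown`. A write that merely re-applies the default, for instance from an installer or a configuration baseline, will match these selections, so that expectation belongs under `falsepositives`, e.g. `- Legitimate software or configuration management re-applying the default value`. This applies equally to the `registry_set_services_etw_tamper.yml` hunk further along this line.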
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:13:59 +0100 Subject: [PATCH 51/81] fix: add missing selection --- .../registry/registry_set/registry_set_dot_net_etw_tamper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml index 4e888c2de..3a670b85e 100644 --- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml @@ -38,7 +38,7 @@ detection: - '\COMPlus_ETWEnabled' - '\COMPlus_ETWFlags' Details: 0 - condition: selection + condition: 1 of selection_* falsepositives: - Unknown level: high From fb988ab25e6436ed15656819086fecadb9379043 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:15:35 +0100 Subject: [PATCH 52/81] fix: typos and errors --- .../registry/registry_set/registry_set_rpcrt4_etw_tamper.yml | 4 ++-- .../registry_set/registry_set_services_etw_tamper.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml index c157026fb..3377d03c1 100644 --- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml @@ -1,5 +1,5 @@ title: ETW Logging Disabled For rpcrt4.dll -id: 4f281b83-0200-4b34-bf35-d24687ea57c2 +id: 90f342e1-1aaa-4e43-b092-39fda57ed11e status: experimental description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll references: 
@@ -14,7 +14,7 @@ logsource: product: windows category: registry_set detection: - selection_etw_enabled: + selection: EventType: SetValue TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation' Details: diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml index e45aa08c3..073cddb27 100644 --- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml @@ -14,7 +14,7 @@ logsource: product: windows category: registry_set detection: - selection_etw_enabled: + selection: EventType: SetValue TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled' Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1. From bacd8078c557929d350739f6547b6fca6d94bd6c Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:18:09 +0100 Subject: [PATCH 53/81] feat: update detection section --- .../proc_creation_win_susp_use_of_sqlps_bin.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml index f1f4d118b..6c8c49a0e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml 
@@ -20,14 +20,14 @@ logsource: category: process_creation product: windows detection: - selection_1: + selection_parent: + ParentImage|endswith: '\sqlps.exe' + selection_image: - Image|endswith: '\sqlps.exe' - OriginalFileName: 'sqlps.exe' - selection_2: - ParentImage|endswith: '\sqlps.exe' - filter: + filter_image: ParentImage|endswith: '\sqlagent.exe' - condition: (selection_1 and not filter) or selection_2 + condition: selection_parent or (selection_image and not filter_image) falsepositives: - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. level: medium From 26cd02cff4edf3247a6756fb1d30f8825bc8a427 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:24:44 +0100 Subject: [PATCH 54/81] fix: add modified date --- .../file/file_event/file_event_win_create_non_existent_dlls.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index 522c8f4fd..23c65c682 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -13,6 +13,7 @@ references: - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ author: Nasreddine Bencherchali date: 2022/12/01 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.persistence From 76fca5aa4b76e9b6cfa1a8eee1535c9b354d643a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:37:53 +0100 Subject: [PATCH 55/81] fix: update title to reflect logic --- .../proc_creation_win_etw_modification_cmdline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml index cc7917676..906bffd2f 100644 --- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml @@ -1,4 +1,4 @@ -title: ETW Logging Disabled In .NET Processes - CommandLine +title: ETW Logging Tamper In .NET Processes id: 41421f44-58f9-455d-838a-c398859841d4 status: test description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. From 1a9d7960e7141badae731238eb67651a13bc5318 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:44:44 +0100 Subject: [PATCH 56/81] fix: add dword version --- .../registry/registry_set/registry_set_dot_net_etw_tamper.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml index 3a670b85e..f32870645 100644 --- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml @@ -37,7 +37,9 @@ detection: TargetObject|endswith: - '\COMPlus_ETWEnabled' - '\COMPlus_ETWFlags' - Details: 0 + Details: + - 0 # For REG_SZ type + - 'DWORD (0x00000000)' condition: 1 of selection_* falsepositives: - Unknown From 96628974425b567c57c219ada11882f264c15409 Mon Sep 17 00:00:00 2001 From: Veramine Date: Fri, 9 Dec 2022 12:13:58 -0800 Subject: [PATCH 57/81] Update proc_creation_win_susp_conhost_option.yml (#3763) --- .../proc_creation_win_susp_conhost_option.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
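Review bot: In the `Details` list added to `registry_set_dot_net_etw_tamper.yml`, `- 0 # For REG_SZ type` is an unquoted YAML scalar and loads as the integer 0, while the comment says it is meant to match a string value and the sibling entry `'DWORD (0x00000000)'` is a string. Depending on the backend, an integer may be emitted as a numeric comparison against a text field and never match; quoting it as `- '0' # For REG_SZ type` keeps both entries as strings, consistent with how `Details` is written elsewhere in this series (`Details: 'DWORD (0x00000000)'`).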
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml index 31816d30e..970f2a353 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml @@ -1,12 +1,13 @@ -title: Suspicious Conhost Legacy Option +title: Suspicious High IntegrityLevel Conhost Legacy Option id: 3037d961-21e9-4732-b27a-637bcc7bf539 status: experimental -description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application +description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context. references: - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ + - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control author: frack113 -date: 2022/04/04 +date: 2022/12/09 tags: - attack.defense_evasion - attack.t1202 @@ -15,11 +16,12 @@ logsource: category: process_creation detection: selection: + IntegrityLevel: 'High' CommandLine|contains|all: - 'conhost.exe' - '0xffffffff' - '-ForceV1' condition: selection falsepositives: - - Unknown + - Very Likely, including launching cmd.exe via Run As Administrator level: informational From 646d8614718cbeadfca7a300a527c6aa7a705203 Mon Sep 17 00:00:00 2001 
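Review bot: The hunk rewrites `date: 2022/04/04` to `date: 2022/12/09`, but `date` records when the rule was created; every other update in this series keeps `date` and adds or bumps `modified` (for example the `-modified: 2022/09/15` / `+modified: 2022/12/09` hunk on `image_load_susp_dbghelp_dbgcore_load.yml`). Restore the creation date and add the modification stamp instead: `date: 2022/04/04` followed by `modified: 2022/12/09`. The added reference and the `IntegrityLevel: 'High'` field are fine as written.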
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:57:28 +0100 Subject: [PATCH 58/81] Redcannary --- .../proc_creation_create_link_osk_cmd.yml | 27 +++++++++++++++++++ .../proc_creation_wmic_tamper_defender.yml | 25 +++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml create mode 100644 rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml diff --git a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml new file mode 100644 index 000000000..fe8f3e2d9 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml @@ -0,0 +1,27 @@ +title: Create Symbolic Link From osk.exe to cmd.exe +id: e9b61244-893f-427c-b287-3e708f321c6b +status: experimental +description: Detects creation of a link from accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md +author: frack113 +date: 2022/12/11 +tags: + - attack.credential_access + - attack.t1546.008 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\cmd.exe' + - OriginalFileName: 'Cmd.exe' + selection_cli: + CommandLine|contains|all: + - 'mklink' + - '\System32\osk.exe' + - '\System32\cmd.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml new file mode 100644 index 000000000..2b2e08744 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml 
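Review bot: The tags of the new `proc_creation_create_link_osk_cmd.yml` do not match the technique it references: `attack.t1546.008` (Accessibility Features) belongs to the Privilege Escalation and Persistence tactics, not Credential Access, and the title and description themselves describe an elevated command prompt. Replace `- attack.credential_access` with `- attack.privilege_escalation` and `- attack.persistence`. Patch 65 later in this series rewords the title and description of this rule but leaves the tags untouched.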
@@ -0,0 +1,25 @@ +title: WMIC Tamper Windows Defender +id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a +status: experimental +description: Detects tampering Windows Defender with wmic +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: frack113 +date: 2022/12/11 +tags: + - attack.credential_access + - attack.t1546.008 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - OriginalFileName: 'wmic.exe' + - Image|endswith: '\WMIC.exe' + selection_cli: + CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender' + condition: all of selection_* +falsepositives: + - Unknown +level: high From fec7756b8b7ee8d4a18ad2660bd217fb7c42936f Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:00:05 -0500 Subject: [PATCH 59/81] Create proc_creation_win_lolbin_setres.yml --- .../proc_creation_win_lolbin_setres.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_setres.yml diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml new file mode 100644 index 000000000..c76c85b81 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml 
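Review bot: The tags `attack.credential_access` and `attack.t1546.008` in `proc_creation_wmic_tamper_defender.yml` appear to be copied from the osk rule in the same commit and do not describe this detection; the referenced atomic is T1562.001 (Impair Defenses: Disable or Modify Tools), so the tags should read `- attack.defense_evasion` and `- attack.t1562.001`. The description `Detects tampering Windows Defender with wmic` is also ungrammatical; patch 65 in this series rewords it, but does not correct the tags.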
@@ -0,0 +1,31 @@ +title: Use of Setres.exe +id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7 +status: experimental +description: Detects the use of Setres.exe to set the screen resolution and then to potentially launch a file named "choice" from the local path +references: + - https://lolbas-project.github.io/lolbas/Binaries/Setres/ + - https://twitter.com/0gtweet/status/1583356502340870144 + - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) +author: '@gott_cyber' +date: 2022/12/11 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.defense_evasion + - attack.t1202 +logsource: + category: process_creation + product: windows +detection: + selection_ldif: + - Image|endswith: '\setres.exe' + - OriginalFileName: 'setres.exe' + selection_cmd: + CommandLine|contains|all: + - '-w' + - '-h' + condition: all of selection_* +falsepositives: + - Legitimate usage of Setres +level: medium From ff14120ee52a08f018c0ae1370e596e56f978fbb Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:17:53 -0500 Subject: [PATCH 60/81] Update proc_creation_win_lolbin_setres.yml corrected duplicate tags --- .../windows/process_creation/proc_creation_win_lolbin_setres.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index c76c85b81..69b09f3c9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -12,7 +12,6 @@ date: 2022/12/11 tags: - attack.defense_evasion - attack.t1218 - - attack.defense_evasion - attack.t1202 logsource: category: process_creation From 89d2d00a5b2ca20a217c1b29dd6bae625cdb6cfb Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 11 Dec 2022 16:46:32 +0100 Subject: [PATCH 61/81] Redcannary --- .../registry_set_legalnotice_susp_message.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml diff --git a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml new file mode 100644 index 000000000..e1c330d6f --- /dev/null +++ b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml @@ -0,0 +1,28 @@ +title: Set Display Ransom Message +id: 8b9606c9-28be-4a38-b146-0e313cc232c1 +status: experimental +description: Detect modification of LegalNoticeCaption or LegalNoticeText to set a ransom message +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md +author: frack113 +date: 2022/12/11 +tags: + - attack.impact + - attack.t1491.001 +logsource: + product: windows + category: registry_set +detection: + selection: + EventType: SetValue + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText' + Details|contains: + - 'encrypted' + - 'Unlock-Password' + - 'paying' + condition: selection +falsepositives: + - Unknown +level: high From af0b1e61b4e76630e65f6edcebaeda06a4b80968 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:53:38 -0500 Subject: [PATCH 62/81] Create web_apache_solr_lfi_exploit.yml --- rules/web/web_apache_solr_lfi_exploit.yml | 30 +++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/web/web_apache_solr_lfi_exploit.yml 
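Review bot: The new file is created at `rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml`, but its logsource is `category: registry_set` and its name carries the `registry_set_` prefix; the other `registry_set` rules touched in this series live under `rules/windows/registry/registry_set/` (e.g. `registry_set_dot_net_etw_tamper.yml`). Move it to `rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml` so the directory matches the category. `TargetObject|contains` is also used with two complete value paths, where `TargetObject|endswith` would state the intent more tightly and, as far as I can tell, avoid matching anything nested beneath those names.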
diff --git a/rules/web/web_apache_solr_lfi_exploit.yml b/rules/web/web_apache_solr_lfi_exploit.yml new file mode 100644 index 000000000..2827ac4a8 --- /dev/null +++ b/rules/web/web_apache_solr_lfi_exploit.yml @@ -0,0 +1,30 @@ +title: Potential Apache Solr Local File Read Exploit +id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3 +status: experimental +description: | + All Apache Solr versions <= 8.8.1 are impacted by an arbitrary file read and server-side request forgery (SSRF) vulnerability. + Unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API. + After configured, remote attackers can can thereby read local files on the vulnerable devices through ContentStream. +references: + - https://twitter.com/Al1ex4/status/1382981479727128580 + - https://twitter.com/sec715/status/1373472323538362371 + - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ + - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186 +author: '@gott_cyber' +date: 2022/12/11 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection_request: + c-uri|contains|all: + - '/solr/' + - '/debug/dump?' + - 'param=ContentStream' + sc-status: '200' + condition: selection_request +falsepositives: + - Unknown +level: medium From 3a1fe165703526cfd6abc5259a7e993c0ba149ff Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 11:25:12 -0500 Subject: [PATCH 63/81] Update proc_creation_win_lolbin_setres.yml selection correction and detection logic correction --- .../proc_creation_win_lolbin_setres.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index 69b09f3c9..c004f58a8 100644 
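Review bot: The multi-line `description` of the new Solr rule contains errors that look like extraction damage: `requestDis patcher.requestParsers.enableRemoteStreaming` has a stray space inside the configuration property name, and `can can thereby read` doubles a word. Suggested wording for those two lines: `Unauthenticated attackers could turn on requestDispatcher.requestParsers.enableRemoteStreaming via the Config API.` and `Once configured, remote attackers can thereby read local files on the vulnerable devices through ContentStream.`. The `sc-status: '200'` constraint means failed attempts are not surfaced; that is a reasonable choice for a low-noise rule, but it is worth stating in the description so analysts know the rule signals likely success rather than attempts.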
--- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -17,14 +17,11 @@ logsource: category: process_creation product: windows detection: - selection_ldif: - - Image|endswith: '\setres.exe' - - OriginalFileName: 'setres.exe' - selection_cmd: - CommandLine|contains|all: - - '-w' - - '-h' - condition: all of selection_* + selection: + ParentImage|endswith: '\setres.exe' + Image|endswith: + - '\choice' + condition: all of selection* falsepositives: - Legitimate usage of Setres level: medium From 063aac1b4d6f075b85ca6a4a71c3d08f83868003 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 11:57:22 -0500 Subject: [PATCH 64/81] Update proc_creation_win_lolbin_setres.yml --- .../process_creation/proc_creation_win_lolbin_setres.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index c004f58a8..32ff6c23c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -19,8 +19,7 @@ logsource: detection: selection: ParentImage|endswith: '\setres.exe' - Image|endswith: - - '\choice' + Image|endswith: '\choice' condition: all of selection* falsepositives: - Legitimate usage of Setres From d797bf0eb112b6895fe8c13c89dd5a88907d96c2 Mon Sep 17 00:00:00 2001 
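Review bot: `Image|endswith: '\choice'` only matches an image path that ends in `\choice` with no file extension, so if the launched file carries one (e.g. `choice.exe` or `choice.cmd`) the selection never fires; the rule's own description says setres launches "a file named choice from the local path" without fixing an extension, so the exact name should be confirmed against the referenced LOLBAS entry. `Image|contains: '\choice'` or an explicit list of the extension variants would be more robust. `condition: all of selection*` on a single selection is equivalent to `condition: selection`, which is clearer. The title `Use of Setres.exe` and the description still describe use of the binary itself, while the detection now targets its child process; updating them to match would help triage.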
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 12 Dec 2022 13:23:59 +0100 Subject: [PATCH 65/81] Apply suggestions from code review Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_create_link_osk_cmd.yml | 9 +++++---- .../proc_creation_wmic_tamper_defender.yml | 2 +- .../registry_set_legalnotice_susp_message.yml | 4 ++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml index fe8f3e2d9..cef5457d6 100644 --- a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml +++ b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml @@ -1,9 +1,10 @@ -title: Create Symbolic Link From osk.exe to cmd.exe +title: Potential Privilege Escalation Using Symlink Between Osk and Cmd id: e9b61244-893f-427c-b287-3e708f321c6b status: experimental -description: Detects creation of a link from accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in. +description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in. references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md + - https://ss64.com/nt/mklink.html author: frack113 date: 2022/12/11 tags: @@ -19,8 +20,8 @@ detection: selection_cli: CommandLine|contains|all: - 'mklink' - - '\System32\osk.exe' - - '\System32\cmd.exe' + - '\osk.exe' + - '\cmd.exe' condition: all of selection_* falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml index 2b2e08744..84ed9bd12 100644 --- a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml +++ b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml @@ -1,7 +1,7 @@ title: WMIC Tamper Windows Defender id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a status: experimental -description: Detects tampering Windows Defender with wmic +description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ diff --git a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml index e1c330d6f..4780d88a6 100644 --- a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml +++ b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml @@ -1,7 +1,7 @@ -title: Set Display Ransom Message +title: Potential Ransomware Activity Using LegalNotice Message id: 8b9606c9-28be-4a38-b146-0e313cc232c1 status: experimental -description: Detect modification of LegalNoticeCaption or LegalNoticeText to set a ransom message +description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md author: frack113 From 5a46cd3efd4fedadb1f6d7517199847a98859c97 Mon Sep 17 00:00:00 2001 
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:54:46 +0530 Subject: [PATCH 66/81] Create Abuse Nslookup with DNS Records (#3773) Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- ...osh_pc_abuse_nslookup_with_dns_records.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml diff --git a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml new file mode 100644 index 000000000..e1e309369 --- /dev/null +++ b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml @@ -0,0 +1,30 @@ +title: Nslookup PowerShell Download Cradle +id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 +related: + - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 + type: similar +status: experimental +description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records +references: + - https://twitter.com/Alh4zr3d/status/1566489367232651264 +author: Sai Prashanth Pulisetti @pulisettis +date: 2022/12/10 +tags: + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: ps_classic_start + definition: fields have to be extract from event +detection: + selection: + HostApplication|contains|all: + - 'powershell' + - 'nslookup' + HostApplication|contains: + - '-q=txt' + - '-querytype=txt' + condition: selection +falsepositives: + - Unknown +level: high From da2d06fa37d2a8f00a26950efce7e80f21953d3b Mon Sep 17 00:00:00 2001 
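Review bot: The second `HostApplication|contains` list in this hunk only catches `-q=txt` and `-querytype=txt`, while Windows nslookup also accepts the `-type=txt` spelling, so the cradle described in the reference can be rewritten without either listed token; add `- '-type=txt'` to that list. The `logsource.definition` text also has a typo and should read `definition: fields have to be extracted from event`.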
From: Micah Babinski Date: Mon, 12 Dec 2022 07:28:57 -0800 Subject: [PATCH 67/81] Added suspicious rcedit rule. --- .../proc_creation_susp_rcedit_execution.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml new file mode 100644 index 000000000..772917603 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -0,0 +1,37 @@ +title: Suspicious Use of rcedit utility +id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 +status: experimental +description: Detects the suspicious child use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +references: + - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe + - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 + - https://github.com/electron/rcedit +author: Micah Babinski +date: 2022/12/11 +tags: + - attack.defense_evasion + - attack.t1036.003 + - attack.t1036 + - attack.t1027.005 + - attack.t1027 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: + - '\rcedit-x64.exe' + - '\rcedit-x86.exe' + CommandLine|contains: '--set-resource-string' + selection2: + CommandLine|contains: + - 'OriginalFileName' + - 'CompanyName' + - 'FileDescription' + - 'ProductName' + - 'ProductVersion' + - 'LegalCopyright' + condition: selection1 and selection2 +falsepositives: + - Unknown +level: high From e8a980161c7ff4cdb52f29b1853370914a5c565b Mon Sep 17 00:00:00 2001 
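Review bot: `selection1` pairs `CommandLine|contains: '--set-resource-string'` with the version-info keys listed in `selection2`, but in rcedit those keys (OriginalFilename, CompanyName, FileDescription, ProductName, ...) are written with `--set-version-string`; `--set-resource-string` edits string-table resources, so the usual tampering command line would not contain both tokens and the `selection1 and selection2` condition would not fire. Matching the flag more loosely, e.g. `CommandLine|contains: '--set-version-string'` or the `'--set-'` prefix that a later patch in this series adopts, removes the mismatch. Relying on `Image|endswith` for the two release names alone is also defeated by a simple rename, so an `OriginalFileName`/version-info alternative for the tool itself is worth adding alongside it.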
From: Micah Babinski Date: Mon, 12 Dec 2022 07:32:26 -0800 Subject: [PATCH 68/81] Fixed rule description and title. --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index 772917603..d4da0bf3d 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -1,7 +1,7 @@ -title: Suspicious Use of rcedit utility +title: Suspicious Use of Rcedit Utility to Alter Executable Metadata id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: experimental -description: Detects the suspicious child use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +description: Detects the suspicious use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. references: - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 From 52997da9b25d4ad1221d7625327fc509ab30555c Mon Sep 17 00:00:00 2001 From: Micah Babinski Date: Mon, 12 Dec 2022 07:33:47 -0800 Subject: [PATCH 69/81] Modified level (reduce severity) --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index d4da0bf3d..4b320ebac 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -34,4 +34,4 @@ detection: condition: selection1 and selection2 falsepositives: - Unknown -level: high +level: medium From 622fb687b7c062b00810a4ca31fe0b97faca96fe Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 21:58:17 +0100 Subject: [PATCH 70/81] fix: update logic and other information --- .../proc_creation_susp_rcedit_execution.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index 4b320ebac..1ad1b4900 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -1,7 +1,7 @@ -title: Suspicious Use of Rcedit Utility to Alter Executable Metadata +title: Potential Metadata Tamper Using Rcedit id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: experimental -description: Detects the suspicious use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. references: - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 
@@ -18,12 +18,16 @@ logsource: category: process_creation product: windows detection: - selection1: - Image|endswith: + selection_img: + - Image|endswith: - '\rcedit-x64.exe' - '\rcedit-x86.exe' - CommandLine|contains: '--set-resource-string' - selection2: + - Description: 'Edit resources of exe' + - Product: 'rcedit' + selection_flags: + CommandLine|contains: + - '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" + selection_attributes: CommandLine|contains: - 'OriginalFileName' - 'CompanyName' @@ -31,7 +35,7 @@ detection: - 'ProductName' - 'ProductVersion' - 'LegalCopyright' - condition: selection1 and selection2 + condition: all of selection_* falsepositives: - - Unknown + - Legitimate use of the tool by administrators or users to update metadata of a binary level: medium From 14a2bf3b596bbf0980346b31eb3fd10aeb23ed5c Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 22:16:38 +0100 Subject: [PATCH 71/81] fix: error in selection --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index 1ad1b4900..c9ca2c50d 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -25,8 +25,7 @@ detection: - Description: 'Edit resources of exe' - Product: 'rcedit' selection_flags: - CommandLine|contains: - - '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" + CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" selection_attributes: CommandLine|contains: - 'OriginalFileName' 
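Review bot: `selection_attributes` in the patch 70 hunk omits `InternalName`, a standard VERSIONINFO string that `--set-version-string` edits exactly like `OriginalFileName`, so a tamper that rewrites only that key is not caught; add `- 'InternalName'` to the list. The `- Description: 'Edit resources of exe'` and `- Product: 'rcedit'` alternatives in `selection_img` presumably come from rcedit's own version info, which this very tool can rewrite, so they widen the name match rather than replace it; a one-line comment would stop a reader assuming they cover a retagged copy, e.g. `# version-info fields of the rcedit binary itself; a retagged copy will not carry them`.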
From a7662a7350cbe6db9f574858442d5e852ddeb74e Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:07:05 -0500 Subject: [PATCH 72/81] Update rules/windows/process_creation/proc_creation_win_lolbin_setres.yml Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../process_creation/proc_creation_win_lolbin_setres.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index 32ff6c23c..da47af9ae 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -1,7 +1,7 @@ title: Use of Setres.exe id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7 status: experimental -description: Detects the use of Setres.exe to set the screen resolution and then to potentially launch a file named "choice" from the local path +description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path references: - https://lolbas-project.github.io/lolbas/Binaries/Setres/ - https://twitter.com/0gtweet/status/1583356502340870144 From 120bff21f878f634e64c855f13a55ea1e125432b Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:09:26 -0500 Subject: [PATCH 73/81] Update proc_creation_win_lolbin_setres.yml --- .../process_creation/proc_creation_win_lolbin_setres.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index da47af9ae..924eea112 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml 
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -18,8 +18,8 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\setres.exe' - Image|endswith: '\choice' + ParentImage|endswith: '\setres.exe' + Image|endswith: '\choice' condition: all of selection* falsepositives: - Legitimate usage of Setres From b9b88b13822293922989b3c1be2d7b598c63a212 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:16:03 -0500 Subject: [PATCH 74/81] Update web_apache_solr_lfi_exploit.yml --- rules/web/web_apache_solr_lfi_exploit.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/web/web_apache_solr_lfi_exploit.yml b/rules/web/web_apache_solr_lfi_exploit.yml index 2827ac4a8..31240079f 100644 --- a/rules/web/web_apache_solr_lfi_exploit.yml +++ b/rules/web/web_apache_solr_lfi_exploit.yml @@ -15,6 +15,7 @@ date: 2022/12/11 tags: - attack.initial_access - attack.t1190 + - cve.2021-27905 logsource: category: webserver detection: From c91c775f587bc7c7edb90d104e95d7032fe60e08 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:16:52 -0500 Subject: [PATCH 75/81] Rename web_apache_solr_lfi_exploit.yml to web_cve_2021-27905_apache_solr_lfi_exploit.yml --- ...exploit.yml => web_cve_2021-27905_apache_solr_lfi_exploit.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_apache_solr_lfi_exploit.yml => web_cve_2021-27905_apache_solr_lfi_exploit.yml} (100%) diff --git a/rules/web/web_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml similarity index 100% rename from rules/web/web_apache_solr_lfi_exploit.yml rename to rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml From 11351b78dd5b277556ac741078829306e6fc9f40 Mon Sep 17 00:00:00 2001 
From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:17:11 -0500 Subject: [PATCH 76/81] Rename web_cve_2021-27905_apache_solr_lfi_exploit.yml to web_cve_2021_27905_apache_solr_lfi_exploit.yml --- ...exploit.yml => web_cve_2021_27905_apache_solr_lfi_exploit.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_cve_2021-27905_apache_solr_lfi_exploit.yml => web_cve_2021_27905_apache_solr_lfi_exploit.yml} (100%) diff --git a/rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml similarity index 100% rename from rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml rename to rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml From 14ccb7b00ecf481d3877addc64d683f1752698df Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 23:26:19 +0100 Subject: [PATCH 77/81] fix: broken tag --- rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml index 31240079f..006c8f823 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml @@ -15,7 +15,7 @@ date: 2022/12/11 tags: - attack.initial_access - attack.t1190 - - cve.2021-27905 + - cve.2021.27905 logsource: category: webserver detection: From 796db1479fb73ddf66228935da3035ef55e39c21 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:31:32 -0500 Subject: [PATCH 78/81] Update web_cve_2021_27905_apache_solr_lfi_exploit.yml --- .../web_cve_2021_27905_apache_solr_lfi_exploit.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml index 006c8f823..c7fb08329 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml @@ -10,6 +10,7 @@ references: - https://twitter.com/sec715/status/1373472323538362371 - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186 + - https://github.com/murataydemir/CVE-2021-27905 author: '@gott_cyber' date: 2022/12/11 tags: @@ -19,13 +20,19 @@ tags: logsource: category: webserver detection: - selection_request: + selection_request1: c-uri|contains|all: - '/solr/' - '/debug/dump?' - 'param=ContentStream' sc-status: '200' - condition: selection_request + selection_request2: + cs-method: 'GET' + c-uri|contains|all: + - '/solr/' + - '?command=fetchindex&masterUrl=' + sc-status: '200' + condition: selection_request1 or selection_request2 falsepositives: - Unknown level: medium From aca5dccd7fdda232309cb4698cebecb8280f71b3 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 00:01:46 +0100 Subject: [PATCH 79/81] fix: change title --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index c9ca2c50d..776cd622a 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml 
@@ -1,4 +1,4 @@ -title: Potential Metadata Tamper Using Rcedit +title: Potential PE Metadata Tamper Using Rcedit id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: experimental description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. From 8011ef23a314d9f0650a1e44aa08a2498c9206bb Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 00:15:49 +0100 Subject: [PATCH 80/81] fix: enhance logic, description and title --- ...l => web_cve_2021_27905_apache_solr_exploit.yml} | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) rename rules/web/{web_cve_2021_27905_apache_solr_lfi_exploit.yml => web_cve_2021_27905_apache_solr_exploit.yml} (78%) diff --git a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml similarity index 78% rename from rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml rename to rules/web/web_cve_2021_27905_apache_solr_exploit.yml index c7fb08329..8652e3408 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml @@ -1,8 +1,8 @@ -title: Potential Apache Solr Local File Read Exploit +title: Potential CVE-2021-27905 Exploitation Attempt id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3 status: experimental description: | - All Apache Solr versions <= 8.8.1 are impacted by an arbitrary file read and server-side request forgery (SSRF) vulnerability. + Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. Unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API. After configured, remote attackers can can thereby read local files on the vulnerable devices through ContentStream. references: 
@@ -29,10 +29,11 @@ detection: selection_request2: cs-method: 'GET' c-uri|contains|all: - - '/solr/' - - '?command=fetchindex&masterUrl=' + - '/solr/' + - 'command=fetchindex' + - 'masterUrl=' sc-status: '200' - condition: selection_request1 or selection_request2 + condition: 1 of selection_* falsepositives: - - Unknown + - Vulnerability Scanners level: medium From 078fcaab28380eeb36b46599c82c94b7a2bf5ce8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 00:17:04 +0100 Subject: [PATCH 81/81] fix: update description --- rules/web/web_cve_2021_27905_apache_solr_exploit.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rules/web/web_cve_2021_27905_apache_solr_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml index 8652e3408..697558820 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml @@ -1,10 +1,7 @@ title: Potential CVE-2021-27905 Exploitation Attempt id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3 status: experimental -description: | - Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. - Unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API. - After configured, remote attackers can can thereby read local files on the vulnerable devices through ContentStream. +description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. references: - https://twitter.com/Al1ex4/status/1382981479727128580 - https://twitter.com/sec715/status/1373472323538362371
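Review bot: Both selections in the patch 80 detection hunk still require `sc-status: '200'`, so a rule now titled "Exploitation Attempt" only fires on requests the server answered successfully; failed or blocked attempts (4xx/5xx, or a scanner probing a patched instance) never match, which also sits oddly with the new `Vulnerability Scanners` false-positive entry. If attempts are the intent, drop the status clause, or keep it in a separate `selection_success` that a second rule or higher level can use. Note also that `c-uri|contains|all` with `command=fetchindex` and `masterUrl=` assumes the query string is part of `c-uri`; log formats that keep it in a separate field (IIS `cs-uri-query`, for instance) need the field mapping to concatenate it or these tokens never match.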
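Review bot: The one-line description in the patch 81 hunk drops the mechanism text (remote streaming enabled via the Config API, file read through ContentStream) that explained why the two selections look for `param=ContentStream` and `command=fetchindex`/`masterUrl=`; a responder reading the alert would benefit from one sentence of it. Suggested wording: `description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. Covers the ContentStream local file read via the debug/dump handler and replication fetchindex requests with a caller-supplied masterUrl (SSRF).`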