security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing

Browse Source
This commit is contained in:
Florian Roth
2022-12-15 13:57:59 +01:00
parent 0f9b2fff71 c98e9ec3cc
commit e2c8d8d6b5
159 changed files with 2293 additions and 653 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/sigma-test.yml
+3 -3
View File
@@ -22,13 +22,13 @@ jobs:
- uses: actions/checkout@v2
with:
submodules: true
- name: Set up Python 3.8
- name: Set up Python 3.11
uses: actions/setup-python@v1
with:
python-version: 3.8
python-version: 3.11
- name: Install dependencies
run: |
pip install sigma-cli~=0.3.2
pip install sigma-cli~=0.5.3
- name: Test Sigma Rule Syntax
run: |
sigma check rules
Pipfile.lock
Generated
+608 -290
View File
@@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68"
"sha256": "7353b17b3a357cace77fb11fbbc501c2b619c7644c676d360f67f70a7feeb9c8"
},
"pipfile-spec": 6,
"requires": {
@@ -18,42 +18,43 @@
"default": {
"attrs": {
"hashes": [
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
"sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6",
"sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
"markers": "python_version >= '3.5'",
"version": "==22.1.0"
},
"certifi": {
"hashes": [
"sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
"sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
"sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3",
"sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"
],
"version": "==2021.5.30"
"index": "pypi",
"version": "==2022.12.7"
},
"charset-normalizer": {
"hashes": [
"sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
"sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
"sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597",
"sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df"
],
"markers": "python_version >= '3'",
"version": "==2.0.4"
"version": "==2.0.12"
},
"deprecated": {
"hashes": [
"sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771",
"sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1"
"sha256:43ac5335da90c31c24ba028af536a91d41d53f9e6901ddb021bcc572ce44e38d",
"sha256:64756e3e14c8c5eea9795d93c524551432a0be75629f8f29e67ab8caf076c76d"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.2.12"
"version": "==1.2.13"
},
"idna": {
"hashes": [
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a",
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"
"sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
"sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
],
"markers": "python_version >= '3'",
"version": "==3.2"
"version": "==3.4"
},
"jsonschema": {
"hashes": [
@@ -80,30 +81,31 @@
},
"pyrsistent": {
"hashes": [
"sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2",
"sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7",
"sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea",
"sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426",
"sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710",
"sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1",
"sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396",
"sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2",
"sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680",
"sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35",
"sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427",
"sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b",
"sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b",
"sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f",
"sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef",
"sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c",
"sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4",
"sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d",
"sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78",
"sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b",
"sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72"
"sha256:055ab45d5911d7cae397dc418808d8802fb95262751872c841c170b0dbf51eed",
"sha256:111156137b2e71f3a9936baf27cb322e8024dac3dc54ec7fb9f0bcf3249e68bb",
"sha256:187d5730b0507d9285a96fca9716310d572e5464cadd19f22b63a6976254d77a",
"sha256:21455e2b16000440e896ab99e8304617151981ed40c29e9507ef1c2e4314ee95",
"sha256:2aede922a488861de0ad00c7630a6e2d57e8023e4be72d9d7147a9fcd2d30712",
"sha256:3ba4134a3ff0fc7ad225b6b457d1309f4698108fb6b35532d015dca8f5abed73",
"sha256:456cb30ca8bff00596519f2c53e42c245c09e1a4543945703acd4312949bfd41",
"sha256:71d332b0320642b3261e9fee47ab9e65872c2bd90260e5d225dabeed93cbd42b",
"sha256:879b4c2f4d41585c42df4d7654ddffff1239dc4065bc88b745f0341828b83e78",
"sha256:9cd3e9978d12b5d99cbdc727a3022da0430ad007dacf33d0bf554b96427f33ab",
"sha256:a178209e2df710e3f142cbd05313ba0c5ebed0a55d78d9945ac7a4e09d923308",
"sha256:b39725209e06759217d1ac5fcdb510e98670af9e37223985f330b611f62e7425",
"sha256:bfa0351be89c9fcbcb8c9879b826f4353be10f58f8a677efab0c017bf7137ec2",
"sha256:bfd880614c6237243ff53a0539f1cb26987a6dc8ac6e66e0c5a40617296a045e",
"sha256:c43bec251bbd10e3cb58ced80609c5c1eb238da9ca78b964aea410fb820d00d6",
"sha256:d690b18ac4b3e3cab73b0b7aa7dbe65978a172ff94970ff98d82f2031f8971c2",
"sha256:d6982b5a0237e1b7d876b60265564648a69b14017f3b5f908c5be2de3f9abb7a",
"sha256:dec3eac7549869365fe263831f576c8457f6c833937c68542d08fde73457d291",
"sha256:e371b844cec09d8dc424d940e54bba8f67a03ebea20ff7b7b0d56f526c71d584",
"sha256:e5d8f84d81e3729c3b506657dddfe46e8ba9c330bf1858ee33108f8bb2adb38a",
"sha256:ea6b79a02a28550c98b6ca9c35b9f492beaa54d7c5c9e9949555893c8a9234d0",
"sha256:f1258f4e6c42ad0b20f9cfcc3ada5bd6b83374516cd01c0960e3cb75fdca6770"
],
"markers": "python_version >= '3.6'",
"version": "==0.18.0"
"markers": "python_version >= '3.7'",
"version": "==0.19.2"
},
"python-dateutil": {
"hashes": [
@@ -115,10 +117,11 @@
},
"python-utils": {
"hashes": [
"sha256:18fbc1a1df9a9061e3059a48ebe5c8a66b654d688b0e3ecca8b339a7f168f208",
"sha256:352d5b1febeebf9b3cdb9f3c87a3b26ef22d3c9e274a8ec1e7048ecd2fac4349"
"sha256:22990259324eae88faa3389d302861a825dbdd217ab40e3ec701851b3337d592",
"sha256:7e329c427a6d23036cfcc4501638afb31b2ddc8896f25393562833874b8c6e0a"
],
"version": "==2.5.6"
"markers": "python_version >= '3.7'",
"version": "==3.4.5"
},
"pyyaml": {
"hashes": [
@@ -165,38 +168,59 @@
},
"ruamel.yaml": {
"hashes": [
"sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67",
"sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815"
"sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7",
"sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af"
],
"index": "pypi",
"version": "==0.17.10"
"version": "==0.17.21"
},
"ruamel.yaml.clib": {
"hashes": [
"sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd",
"sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0",
"sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277",
"sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104",
"sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd",
"sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78",
"sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99",
"sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527",
"sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84",
"sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7",
"sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468",
"sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b",
"sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94",
"sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233",
"sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb",
"sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5",
"sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe",
"sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751",
"sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502",
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed",
"sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c"
"sha256:045e0626baf1c52e5527bd5db361bc83180faaba2ff586e763d3d5982a876a9e",
"sha256:15910ef4f3e537eea7fe45f8a5d19997479940d9196f357152a09031c5be59f3",
"sha256:184faeaec61dbaa3cace407cffc5819f7b977e75360e8d5ca19461cd851a5fc5",
"sha256:1f08fd5a2bea9c4180db71678e850b995d2a5f4537be0e94557668cf0f5f9497",
"sha256:2aa261c29a5545adfef9296b7e33941f46aa5bbd21164228e833412af4c9c75f",
"sha256:3110a99e0f94a4a3470ff67fc20d3f96c25b13d24c6980ff841e82bafe827cac",
"sha256:3243f48ecd450eddadc2d11b5feb08aca941b5cd98c9b1db14b2fd128be8c697",
"sha256:370445fd795706fd291ab00c9df38a0caed0f17a6fb46b0f607668ecb16ce763",
"sha256:40d030e2329ce5286d6b231b8726959ebbe0404c92f0a578c0e2482182e38282",
"sha256:41d0f1fa4c6830176eef5b276af04c89320ea616655d01327d5ce65e50575c94",
"sha256:4a4d8d417868d68b979076a9be6a38c676eca060785abaa6709c7b31593c35d1",
"sha256:4b3a93bb9bc662fc1f99c5c3ea8e623d8b23ad22f861eb6fce9377ac07ad6072",
"sha256:5bc0667c1eb8f83a3752b71b9c4ba55ef7c7058ae57022dd9b29065186a113d9",
"sha256:721bc4ba4525f53f6a611ec0967bdcee61b31df5a56801281027a3a6d1c2daf5",
"sha256:763d65baa3b952479c4e972669f679fe490eee058d5aa85da483ebae2009d231",
"sha256:7bdb4c06b063f6fd55e472e201317a3bb6cdeeee5d5a38512ea5c01e1acbdd93",
"sha256:8831a2cedcd0f0927f788c5bdf6567d9dc9cc235646a434986a852af1cb54b4b",
"sha256:91a789b4aa0097b78c93e3dc4b40040ba55bef518f84a40d4442f713b4094acb",
"sha256:92460ce908546ab69770b2e576e4f99fbb4ce6ab4b245345a3869a0a0410488f",
"sha256:99e77daab5d13a48a4054803d052ff40780278240a902b880dd37a51ba01a307",
"sha256:a234a20ae07e8469da311e182e70ef6b199d0fbeb6c6cc2901204dd87fb867e8",
"sha256:a7b301ff08055d73223058b5c46c55638917f04d21577c95e00e0c4d79201a6b",
"sha256:be2a7ad8fd8f7442b24323d24ba0b56c51219513cfa45b9ada3b87b76c374d4b",
"sha256:bf9a6bc4a0221538b1a7de3ed7bca4c93c02346853f44e1cd764be0023cd3640",
"sha256:c3ca1fbba4ae962521e5eb66d72998b51f0f4d0f608d3c0347a48e1af262efa7",
"sha256:d000f258cf42fec2b1bbf2863c61d7b8918d31ffee905da62dede869254d3b8a",
"sha256:d5859983f26d8cd7bb5c287ef452e8aacc86501487634573d260968f753e1d71",
"sha256:d5e51e2901ec2366b79f16c2299a03e74ba4531ddcfacc1416639c557aef0ad8",
"sha256:debc87a9516b237d0466a711b18b6ebeb17ba9f391eb7f91c649c5c4ec5006c7",
"sha256:df5828871e6648db72d1c19b4bd24819b80a755c4541d3409f0f7acd0f335c80",
"sha256:ecdf1a604009bd35c674b9225a8fa609e0282d9b896c03dd441a91e5f53b534e",
"sha256:efa08d63ef03d079dcae1dfe334f6c8847ba8b645d08df286358b1f5293d24ab",
"sha256:f01da5790e95815eb5a8a138508c01c758e5f5bc0ce4286c4f7028b8dd7ac3d0",
"sha256:f34019dced51047d6f70cb9383b2ae2853b7fc4dce65129a5acd49f4f9256646"
],
"markers": "python_version < '3.10' and platform_python_implementation == 'CPython'",
"version": "==0.2.6"
"markers": "python_version < '3.11' and platform_python_implementation == 'CPython'",
"version": "==0.2.7"
},
"setuptools": {
"hashes": [
"sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54",
"sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75"
],
"markers": "python_version >= '3.7'",
"version": "==65.6.3"
},
"six": {
"hashes": [
@@ -206,6 +230,14 @@
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.16.0"
},
"termcolor": {
"hashes": [
"sha256:67cee2009adc6449c650f6bcf3bdeed00c8ba53a8cda5362733c53e0a39fb70b",
"sha256:fa852e957f97252205e105dd55bbc23b419a70fec0085708fc0515e399f304fd"
],
"index": "pypi",
"version": "==2.1.1"
},
"urllib3": {
"hashes": [
"sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
@@ -216,69 +248,191 @@
},
"wrapt": {
"hashes": [
"sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7"
"sha256:00b6d4ea20a906c0ca56d84f93065b398ab74b927a7a3dbd470f6fc503f95dc3",
"sha256:01c205616a89d09827986bc4e859bcabd64f5a0662a7fe95e0d359424e0e071b",
"sha256:02b41b633c6261feff8ddd8d11c711df6842aba629fdd3da10249a53211a72c4",
"sha256:07f7a7d0f388028b2df1d916e94bbb40624c59b48ecc6cbc232546706fac74c2",
"sha256:11871514607b15cfeb87c547a49bca19fde402f32e2b1c24a632506c0a756656",
"sha256:1b376b3f4896e7930f1f772ac4b064ac12598d1c38d04907e696cc4d794b43d3",
"sha256:21ac0156c4b089b330b7666db40feee30a5d52634cc4560e1905d6529a3897ff",
"sha256:257fd78c513e0fb5cdbe058c27a0624c9884e735bbd131935fd49e9fe719d310",
"sha256:2b39d38039a1fdad98c87279b48bc5dce2c0ca0d73483b12cb72aa9609278e8a",
"sha256:2cf71233a0ed05ccdabe209c606fe0bac7379fdcf687f39b944420d2a09fdb57",
"sha256:2fe803deacd09a233e4762a1adcea5db5d31e6be577a43352936179d14d90069",
"sha256:3232822c7d98d23895ccc443bbdf57c7412c5a65996c30442ebe6ed3df335383",
"sha256:34aa51c45f28ba7f12accd624225e2b1e5a3a45206aa191f6f9aac931d9d56fe",
"sha256:36f582d0c6bc99d5f39cd3ac2a9062e57f3cf606ade29a0a0d6b323462f4dd87",
"sha256:380a85cf89e0e69b7cfbe2ea9f765f004ff419f34194018a6827ac0e3edfed4d",
"sha256:40e7bc81c9e2b2734ea4bc1aceb8a8f0ceaac7c5299bc5d69e37c44d9081d43b",
"sha256:43ca3bbbe97af00f49efb06e352eae40434ca9d915906f77def219b88e85d907",
"sha256:4fcc4649dc762cddacd193e6b55bc02edca674067f5f98166d7713b193932b7f",
"sha256:5a0f54ce2c092aaf439813735584b9537cad479575a09892b8352fea5e988dc0",
"sha256:5a9a0d155deafd9448baff28c08e150d9b24ff010e899311ddd63c45c2445e28",
"sha256:5b02d65b9ccf0ef6c34cba6cf5bf2aab1bb2f49c6090bafeecc9cd81ad4ea1c1",
"sha256:60db23fa423575eeb65ea430cee741acb7c26a1365d103f7b0f6ec412b893853",
"sha256:642c2e7a804fcf18c222e1060df25fc210b9c58db7c91416fb055897fc27e8cc",
"sha256:6a9a25751acb379b466ff6be78a315e2b439d4c94c1e99cb7266d40a537995d3",
"sha256:6b1a564e6cb69922c7fe3a678b9f9a3c54e72b469875aa8018f18b4d1dd1adf3",
"sha256:6d323e1554b3d22cfc03cd3243b5bb815a51f5249fdcbb86fda4bf62bab9e164",
"sha256:6e743de5e9c3d1b7185870f480587b75b1cb604832e380d64f9504a0535912d1",
"sha256:709fe01086a55cf79d20f741f39325018f4df051ef39fe921b1ebe780a66184c",
"sha256:7b7c050ae976e286906dd3f26009e117eb000fb2cf3533398c5ad9ccc86867b1",
"sha256:7d2872609603cb35ca513d7404a94d6d608fc13211563571117046c9d2bcc3d7",
"sha256:7ef58fb89674095bfc57c4069e95d7a31cfdc0939e2a579882ac7d55aadfd2a1",
"sha256:80bb5c256f1415f747011dc3604b59bc1f91c6e7150bd7db03b19170ee06b320",
"sha256:81b19725065dcb43df02b37e03278c011a09e49757287dca60c5aecdd5a0b8ed",
"sha256:833b58d5d0b7e5b9832869f039203389ac7cbf01765639c7309fd50ef619e0b1",
"sha256:88bd7b6bd70a5b6803c1abf6bca012f7ed963e58c68d76ee20b9d751c74a3248",
"sha256:8ad85f7f4e20964db4daadcab70b47ab05c7c1cf2a7c1e51087bfaa83831854c",
"sha256:8c0ce1e99116d5ab21355d8ebe53d9460366704ea38ae4d9f6933188f327b456",
"sha256:8d649d616e5c6a678b26d15ece345354f7c2286acd6db868e65fcc5ff7c24a77",
"sha256:903500616422a40a98a5a3c4ff4ed9d0066f3b4c951fa286018ecdf0750194ef",
"sha256:9736af4641846491aedb3c3f56b9bc5568d92b0692303b5a305301a95dfd38b1",
"sha256:988635d122aaf2bdcef9e795435662bcd65b02f4f4c1ae37fbee7401c440b3a7",
"sha256:9cca3c2cdadb362116235fdbd411735de4328c61425b0aa9f872fd76d02c4e86",
"sha256:9e0fd32e0148dd5dea6af5fee42beb949098564cc23211a88d799e434255a1f4",
"sha256:9f3e6f9e05148ff90002b884fbc2a86bd303ae847e472f44ecc06c2cd2fcdb2d",
"sha256:a85d2b46be66a71bedde836d9e41859879cc54a2a04fad1191eb50c2066f6e9d",
"sha256:a9a52172be0b5aae932bef82a79ec0a0ce87288c7d132946d645eba03f0ad8a8",
"sha256:aa31fdcc33fef9eb2552cbcbfee7773d5a6792c137b359e82879c101e98584c5",
"sha256:b014c23646a467558be7da3d6b9fa409b2c567d2110599b7cf9a0c5992b3b471",
"sha256:b21bb4c09ffabfa0e85e3a6b623e19b80e7acd709b9f91452b8297ace2a8ab00",
"sha256:b5901a312f4d14c59918c221323068fad0540e34324925c8475263841dbdfe68",
"sha256:b9b7a708dd92306328117d8c4b62e2194d00c365f18eff11a9b53c6f923b01e3",
"sha256:d1967f46ea8f2db647c786e78d8cc7e4313dbd1b0aca360592d8027b8508e24d",
"sha256:d52a25136894c63de15a35bc0bdc5adb4b0e173b9c0d07a2be9d3ca64a332735",
"sha256:d77c85fedff92cf788face9bfa3ebaa364448ebb1d765302e9af11bf449ca36d",
"sha256:d79d7d5dc8a32b7093e81e97dad755127ff77bcc899e845f41bf71747af0c569",
"sha256:dbcda74c67263139358f4d188ae5faae95c30929281bc6866d00573783c422b7",
"sha256:ddaea91abf8b0d13443f6dac52e89051a5063c7d014710dcb4d4abb2ff811a59",
"sha256:dee0ce50c6a2dd9056c20db781e9c1cfd33e77d2d569f5d1d9321c641bb903d5",
"sha256:dee60e1de1898bde3b238f18340eec6148986da0455d8ba7848d50470a7a32fb",
"sha256:e2f83e18fe2f4c9e7db597e988f72712c0c3676d337d8b101f6758107c42425b",
"sha256:e3fb1677c720409d5f671e39bac6c9e0e422584e5f518bfd50aa4cbbea02433f",
"sha256:ee2b1b1769f6707a8a445162ea16dddf74285c3964f605877a20e38545c3c462",
"sha256:ee6acae74a2b91865910eef5e7de37dc6895ad96fa23603d1d27ea69df545015",
"sha256:ef3f72c9666bba2bab70d2a8b79f2c6d2c1a42a7f7e2b0ec83bb2f9e383950af"
],
"version": "==1.12.1"
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==1.14.1"
}
},
"develop": {
"aiohttp": {
"hashes": [
"sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe",
"sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe",
"sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5",
"sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8",
"sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd",
"sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb",
"sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c",
"sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87",
"sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0",
"sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290",
"sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5",
"sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287",
"sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde",
"sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf",
"sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8",
"sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16",
"sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf",
"sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809",
"sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213",
"sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f",
"sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013",
"sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b",
"sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9",
"sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5",
"sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb",
"sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df",
"sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4",
"sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439",
"sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f",
"sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22",
"sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f",
"sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5",
"sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970",
"sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009",
"sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc",
"sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a",
"sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95"
"sha256:02f9a2c72fc95d59b881cf38a4b2be9381b9527f9d328771e90f72ac76f31ad8",
"sha256:059a91e88f2c00fe40aed9031b3606c3f311414f86a90d696dd982e7aec48142",
"sha256:05a3c31c6d7cd08c149e50dc7aa2568317f5844acd745621983380597f027a18",
"sha256:08c78317e950e0762c2983f4dd58dc5e6c9ff75c8a0efeae299d363d439c8e34",
"sha256:09e28f572b21642128ef31f4e8372adb6888846f32fecb288c8b0457597ba61a",
"sha256:0d2c6d8c6872df4a6ec37d2ede71eff62395b9e337b4e18efd2177de883a5033",
"sha256:16c121ba0b1ec2b44b73e3a8a171c4f999b33929cd2397124a8c7fcfc8cd9e06",
"sha256:1d90043c1882067f1bd26196d5d2db9aa6d268def3293ed5fb317e13c9413ea4",
"sha256:1e56b9cafcd6531bab5d9b2e890bb4937f4165109fe98e2b98ef0dcfcb06ee9d",
"sha256:20acae4f268317bb975671e375493dbdbc67cddb5f6c71eebdb85b34444ac46b",
"sha256:21b30885a63c3f4ff5b77a5d6caf008b037cb521a5f33eab445dc566f6d092cc",
"sha256:21d69797eb951f155026651f7e9362877334508d39c2fc37bd04ff55b2007091",
"sha256:256deb4b29fe5e47893fa32e1de2d73c3afe7407738bd3c63829874661d4822d",
"sha256:25892c92bee6d9449ffac82c2fe257f3a6f297792cdb18ad784737d61e7a9a85",
"sha256:2ca9af5f8f5812d475c5259393f52d712f6d5f0d7fdad9acdb1107dd9e3cb7eb",
"sha256:2d252771fc85e0cf8da0b823157962d70639e63cb9b578b1dec9868dd1f4f937",
"sha256:2dea10edfa1a54098703cb7acaa665c07b4e7568472a47f4e64e6319d3821ccf",
"sha256:2df5f139233060578d8c2c975128fb231a89ca0a462b35d4b5fcf7c501ebdbe1",
"sha256:2feebbb6074cdbd1ac276dbd737b40e890a1361b3cc30b74ac2f5e24aab41f7b",
"sha256:309aa21c1d54b8ef0723181d430347d7452daaff93e8e2363db8e75c72c2fb2d",
"sha256:3828fb41b7203176b82fe5d699e0d845435f2374750a44b480ea6b930f6be269",
"sha256:398701865e7a9565d49189f6c90868efaca21be65c725fc87fc305906be915da",
"sha256:43046a319664a04b146f81b40e1545d4c8ac7b7dd04c47e40bf09f65f2437346",
"sha256:437399385f2abcd634865705bdc180c8314124b98299d54fe1d4c8990f2f9494",
"sha256:45d88b016c849d74ebc6f2b6e8bc17cabf26e7e40c0661ddd8fae4c00f015697",
"sha256:47841407cc89a4b80b0c52276f3cc8138bbbfba4b179ee3acbd7d77ae33f7ac4",
"sha256:4a4fbc769ea9b6bd97f4ad0b430a6807f92f0e5eb020f1e42ece59f3ecfc4585",
"sha256:4ab94426ddb1ecc6a0b601d832d5d9d421820989b8caa929114811369673235c",
"sha256:4b0f30372cef3fdc262f33d06e7b411cd59058ce9174ef159ad938c4a34a89da",
"sha256:4e3a23ec214e95c9fe85a58470b660efe6534b83e6cbe38b3ed52b053d7cb6ad",
"sha256:512bd5ab136b8dc0ffe3fdf2dfb0c4b4f49c8577f6cae55dca862cd37a4564e2",
"sha256:527b3b87b24844ea7865284aabfab08eb0faf599b385b03c2aa91fc6edd6e4b6",
"sha256:54d107c89a3ebcd13228278d68f1436d3f33f2dd2af5415e3feaeb1156e1a62c",
"sha256:5835f258ca9f7c455493a57ee707b76d2d9634d84d5d7f62e77be984ea80b849",
"sha256:598adde339d2cf7d67beaccda3f2ce7c57b3b412702f29c946708f69cf8222aa",
"sha256:599418aaaf88a6d02a8c515e656f6faf3d10618d3dd95866eb4436520096c84b",
"sha256:5bf651afd22d5f0c4be16cf39d0482ea494f5c88f03e75e5fef3a85177fecdeb",
"sha256:5c59fcd80b9049b49acd29bd3598cada4afc8d8d69bd4160cd613246912535d7",
"sha256:653acc3880459f82a65e27bd6526e47ddf19e643457d36a2250b85b41a564715",
"sha256:66bd5f950344fb2b3dbdd421aaa4e84f4411a1a13fca3aeb2bcbe667f80c9f76",
"sha256:6f3553510abdbec67c043ca85727396ceed1272eef029b050677046d3387be8d",
"sha256:7018ecc5fe97027214556afbc7c502fbd718d0740e87eb1217b17efd05b3d276",
"sha256:713d22cd9643ba9025d33c4af43943c7a1eb8547729228de18d3e02e278472b6",
"sha256:73a4131962e6d91109bca6536416aa067cf6c4efb871975df734f8d2fd821b37",
"sha256:75880ed07be39beff1881d81e4a907cafb802f306efd6d2d15f2b3c69935f6fb",
"sha256:75e14eac916f024305db517e00a9252714fce0abcb10ad327fb6dcdc0d060f1d",
"sha256:8135fa153a20d82ffb64f70a1b5c2738684afa197839b34cc3e3c72fa88d302c",
"sha256:84b14f36e85295fe69c6b9789b51a0903b774046d5f7df538176516c3e422446",
"sha256:86fc24e58ecb32aee09f864cb11bb91bc4c1086615001647dbfc4dc8c32f4008",
"sha256:87f44875f2804bc0511a69ce44a9595d5944837a62caecc8490bbdb0e18b1342",
"sha256:88c70ed9da9963d5496d38320160e8eb7e5f1886f9290475a881db12f351ab5d",
"sha256:88e5be56c231981428f4f506c68b6a46fa25c4123a2e86d156c58a8369d31ab7",
"sha256:89d2e02167fa95172c017732ed7725bc8523c598757f08d13c5acca308e1a061",
"sha256:8d6aaa4e7155afaf994d7924eb290abbe81a6905b303d8cb61310a2aba1c68ba",
"sha256:92a2964319d359f494f16011e23434f6f8ef0434acd3cf154a6b7bec511e2fb7",
"sha256:96372fc29471646b9b106ee918c8eeb4cca423fcbf9a34daa1b93767a88a2290",
"sha256:978b046ca728073070e9abc074b6299ebf3501e8dee5e26efacb13cec2b2dea0",
"sha256:9c7149272fb5834fc186328e2c1fa01dda3e1fa940ce18fded6d412e8f2cf76d",
"sha256:a0239da9fbafd9ff82fd67c16704a7d1bccf0d107a300e790587ad05547681c8",
"sha256:ad5383a67514e8e76906a06741febd9126fc7c7ff0f599d6fcce3e82b80d026f",
"sha256:ad61a9639792fd790523ba072c0555cd6be5a0baf03a49a5dd8cfcf20d56df48",
"sha256:b29bfd650ed8e148f9c515474a6ef0ba1090b7a8faeee26b74a8ff3b33617502",
"sha256:b97decbb3372d4b69e4d4c8117f44632551c692bb1361b356a02b97b69e18a62",
"sha256:ba71c9b4dcbb16212f334126cc3d8beb6af377f6703d9dc2d9fb3874fd667ee9",
"sha256:c37c5cce780349d4d51739ae682dec63573847a2a8dcb44381b174c3d9c8d403",
"sha256:c971bf3786b5fad82ce5ad570dc6ee420f5b12527157929e830f51c55dc8af77",
"sha256:d1fde0f44029e02d02d3993ad55ce93ead9bb9b15c6b7ccd580f90bd7e3de476",
"sha256:d24b8bb40d5c61ef2d9b6a8f4528c2f17f1c5d2d31fed62ec860f6006142e83e",
"sha256:d5ba88df9aa5e2f806650fcbeedbe4f6e8736e92fc0e73b0400538fd25a4dd96",
"sha256:d6f76310355e9fae637c3162936e9504b4767d5c52ca268331e2756e54fd4ca5",
"sha256:d737fc67b9a970f3234754974531dc9afeea11c70791dcb7db53b0cf81b79784",
"sha256:da22885266bbfb3f78218dc40205fed2671909fbd0720aedba39b4515c038091",
"sha256:da37dcfbf4b7f45d80ee386a5f81122501ec75672f475da34784196690762f4b",
"sha256:db19d60d846283ee275d0416e2a23493f4e6b6028825b51290ac05afc87a6f97",
"sha256:db4c979b0b3e0fa7e9e69ecd11b2b3174c6963cebadeecfb7ad24532ffcdd11a",
"sha256:e164e0a98e92d06da343d17d4e9c4da4654f4a4588a20d6c73548a29f176abe2",
"sha256:e168a7560b7c61342ae0412997b069753f27ac4862ec7867eff74f0fe4ea2ad9",
"sha256:e381581b37db1db7597b62a2e6b8b57c3deec95d93b6d6407c5b61ddc98aca6d",
"sha256:e65bc19919c910127c06759a63747ebe14f386cda573d95bcc62b427ca1afc73",
"sha256:e7b8813be97cab8cb52b1375f41f8e6804f6507fe4660152e8ca5c48f0436017",
"sha256:e8a78079d9a39ca9ca99a8b0ac2fdc0c4d25fc80c8a8a82e5c8211509c523363",
"sha256:ebf909ea0a3fc9596e40d55d8000702a85e27fd578ff41a5500f68f20fd32e6c",
"sha256:ec40170327d4a404b0d91855d41bfe1fe4b699222b2b93e3d833a27330a87a6d",
"sha256:f178d2aadf0166be4df834c4953da2d7eef24719e8aec9a65289483eeea9d618",
"sha256:f88df3a83cf9df566f171adba39d5bd52814ac0b94778d2448652fc77f9eb491",
"sha256:f973157ffeab5459eefe7b97a804987876dd0a55570b8fa56b4e1954bf11329b",
"sha256:ff25f48fc8e623d95eca0670b8cc1469a83783c924a602e0fbd47363bb54aaca"
],
"markers": "python_version >= '3.6'",
"version": "==3.7.4.post0"
"version": "==3.8.3"
},
"aiosignal": {
"hashes": [
"sha256:54cd96e15e1649b75d6c87526a6ff0b6c1b0dd3459f43d9ca11d48c339b68cfc",
"sha256:f8376fb07dd1e86a584e4fcdec80b36b7f81aac666ebc724e2c090300dd83b17"
],
"markers": "python_version >= '3.7'",
"version": "==1.3.1"
},
"antlr4-python3-runtime": {
"hashes": [
"sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33"
"sha256:f224469b4168294902bb1efa80a8bf7855f24c99aef99cbefc1bcd3cce77881b"
],
"markers": "python_version >= '3'",
"version": "==4.8"
"version": "==4.9.3"
},
"async-timeout": {
"hashes": [
"sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f",
"sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3"
"sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15",
"sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c"
],
"markers": "python_full_version >= '3.5.3'",
"version": "==3.0.1"
"markers": "python_version >= '3.6'",
"version": "==4.0.2"
},
"attackcti": {
"hashes": [
@@ -290,34 +444,27 @@
},
"attrs": {
"hashes": [
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
"sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6",
"sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
"markers": "python_version >= '3.5'",
"version": "==22.1.0"
},
"certifi": {
"hashes": [
"sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
"sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
"sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3",
"sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"
],
"version": "==2021.5.30"
},
"chardet": {
"hashes": [
"sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
"sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==4.0.0"
"index": "pypi",
"version": "==2022.12.7"
},
"charset-normalizer": {
"hashes": [
"sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
"sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
"sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597",
"sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df"
],
"markers": "python_version >= '3'",
"version": "==2.0.4"
"version": "==2.0.12"
},
"colorama": {
"hashes": [
@@ -401,79 +548,197 @@
"index": "pypi",
"version": "==6.2.0"
},
"frozenlist": {
"hashes": [
"sha256:008a054b75d77c995ea26629ab3a0c0d7281341f2fa7e1e85fa6153ae29ae99c",
"sha256:02c9ac843e3390826a265e331105efeab489ffaf4dd86384595ee8ce6d35ae7f",
"sha256:034a5c08d36649591be1cbb10e09da9f531034acfe29275fc5454a3b101ce41a",
"sha256:05cdb16d09a0832eedf770cb7bd1fe57d8cf4eaf5aced29c4e41e3f20b30a784",
"sha256:0693c609e9742c66ba4870bcee1ad5ff35462d5ffec18710b4ac89337ff16e27",
"sha256:0771aed7f596c7d73444c847a1c16288937ef988dc04fb9f7be4b2aa91db609d",
"sha256:0af2e7c87d35b38732e810befb9d797a99279cbb85374d42ea61c1e9d23094b3",
"sha256:14143ae966a6229350021384870458e4777d1eae4c28d1a7aa47f24d030e6678",
"sha256:180c00c66bde6146a860cbb81b54ee0df350d2daf13ca85b275123bbf85de18a",
"sha256:1841e200fdafc3d51f974d9d377c079a0694a8f06de2e67b48150328d66d5483",
"sha256:23d16d9f477bb55b6154654e0e74557040575d9d19fe78a161bd33d7d76808e8",
"sha256:2b07ae0c1edaa0a36339ec6cce700f51b14a3fc6545fdd32930d2c83917332cf",
"sha256:2c926450857408e42f0bbc295e84395722ce74bae69a3b2aa2a65fe22cb14b99",
"sha256:2e24900aa13212e75e5b366cb9065e78bbf3893d4baab6052d1aca10d46d944c",
"sha256:303e04d422e9b911a09ad499b0368dc551e8c3cd15293c99160c7f1f07b59a48",
"sha256:352bd4c8c72d508778cf05ab491f6ef36149f4d0cb3c56b1b4302852255d05d5",
"sha256:3843f84a6c465a36559161e6c59dce2f2ac10943040c2fd021cfb70d58c4ad56",
"sha256:394c9c242113bfb4b9aa36e2b80a05ffa163a30691c7b5a29eba82e937895d5e",
"sha256:3bbdf44855ed8f0fbcd102ef05ec3012d6a4fd7c7562403f76ce6a52aeffb2b1",
"sha256:40de71985e9042ca00b7953c4f41eabc3dc514a2d1ff534027f091bc74416401",
"sha256:41fe21dc74ad3a779c3d73a2786bdf622ea81234bdd4faf90b8b03cad0c2c0b4",
"sha256:47df36a9fe24054b950bbc2db630d508cca3aa27ed0566c0baf661225e52c18e",
"sha256:4ea42116ceb6bb16dbb7d526e242cb6747b08b7710d9782aa3d6732bd8d27649",
"sha256:58bcc55721e8a90b88332d6cd441261ebb22342e238296bb330968952fbb3a6a",
"sha256:5c11e43016b9024240212d2a65043b70ed8dfd3b52678a1271972702d990ac6d",
"sha256:5cf820485f1b4c91e0417ea0afd41ce5cf5965011b3c22c400f6d144296ccbc0",
"sha256:5d8860749e813a6f65bad8285a0520607c9500caa23fea6ee407e63debcdbef6",
"sha256:6327eb8e419f7d9c38f333cde41b9ae348bec26d840927332f17e887a8dcb70d",
"sha256:65a5e4d3aa679610ac6e3569e865425b23b372277f89b5ef06cf2cdaf1ebf22b",
"sha256:66080ec69883597e4d026f2f71a231a1ee9887835902dbe6b6467d5a89216cf6",
"sha256:783263a4eaad7c49983fe4b2e7b53fa9770c136c270d2d4bbb6d2192bf4d9caf",
"sha256:7f44e24fa70f6fbc74aeec3e971f60a14dde85da364aa87f15d1be94ae75aeef",
"sha256:7fdfc24dcfce5b48109867c13b4cb15e4660e7bd7661741a391f821f23dfdca7",
"sha256:810860bb4bdce7557bc0febb84bbd88198b9dbc2022d8eebe5b3590b2ad6c842",
"sha256:841ea19b43d438a80b4de62ac6ab21cfe6827bb8a9dc62b896acc88eaf9cecba",
"sha256:84610c1502b2461255b4c9b7d5e9c48052601a8957cd0aea6ec7a7a1e1fb9420",
"sha256:899c5e1928eec13fd6f6d8dc51be23f0d09c5281e40d9cf4273d188d9feeaf9b",
"sha256:8bae29d60768bfa8fb92244b74502b18fae55a80eac13c88eb0b496d4268fd2d",
"sha256:8df3de3a9ab8325f94f646609a66cbeeede263910c5c0de0101079ad541af332",
"sha256:8fa3c6e3305aa1146b59a09b32b2e04074945ffcfb2f0931836d103a2c38f936",
"sha256:924620eef691990dfb56dc4709f280f40baee568c794b5c1885800c3ecc69816",
"sha256:9309869032abb23d196cb4e4db574232abe8b8be1339026f489eeb34a4acfd91",
"sha256:9545a33965d0d377b0bc823dcabf26980e77f1b6a7caa368a365a9497fb09420",
"sha256:9ac5995f2b408017b0be26d4a1d7c61bce106ff3d9e3324374d66b5964325448",
"sha256:9bbbcedd75acdfecf2159663b87f1bb5cfc80e7cd99f7ddd9d66eb98b14a8411",
"sha256:a4ae8135b11652b08a8baf07631d3ebfe65a4c87909dbef5fa0cdde440444ee4",
"sha256:a6394d7dadd3cfe3f4b3b186e54d5d8504d44f2d58dcc89d693698e8b7132b32",
"sha256:a97b4fe50b5890d36300820abd305694cb865ddb7885049587a5678215782a6b",
"sha256:ae4dc05c465a08a866b7a1baf360747078b362e6a6dbeb0c57f234db0ef88ae0",
"sha256:b1c63e8d377d039ac769cd0926558bb7068a1f7abb0f003e3717ee003ad85530",
"sha256:b1e2c1185858d7e10ff045c496bbf90ae752c28b365fef2c09cf0fa309291669",
"sha256:b4395e2f8d83fbe0c627b2b696acce67868793d7d9750e90e39592b3626691b7",
"sha256:b756072364347cb6aa5b60f9bc18e94b2f79632de3b0190253ad770c5df17db1",
"sha256:ba64dc2b3b7b158c6660d49cdb1d872d1d0bf4e42043ad8d5006099479a194e5",
"sha256:bed331fe18f58d844d39ceb398b77d6ac0b010d571cba8267c2e7165806b00ce",
"sha256:c188512b43542b1e91cadc3c6c915a82a5eb95929134faf7fd109f14f9892ce4",
"sha256:c21b9aa40e08e4f63a2f92ff3748e6b6c84d717d033c7b3438dd3123ee18f70e",
"sha256:ca713d4af15bae6e5d79b15c10c8522859a9a89d3b361a50b817c98c2fb402a2",
"sha256:cd4210baef299717db0a600d7a3cac81d46ef0e007f88c9335db79f8979c0d3d",
"sha256:cfe33efc9cb900a4c46f91a5ceba26d6df370ffddd9ca386eb1d4f0ad97b9ea9",
"sha256:d5cd3ab21acbdb414bb6c31958d7b06b85eeb40f66463c264a9b343a4e238642",
"sha256:dfbac4c2dfcc082fcf8d942d1e49b6aa0766c19d3358bd86e2000bf0fa4a9cf0",
"sha256:e235688f42b36be2b6b06fc37ac2126a73b75fb8d6bc66dd632aa35286238703",
"sha256:eb82dbba47a8318e75f679690190c10a5e1f447fbf9df41cbc4c3afd726d88cb",
"sha256:ebb86518203e12e96af765ee89034a1dbb0c3c65052d1b0c19bbbd6af8a145e1",
"sha256:ee78feb9d293c323b59a6f2dd441b63339a30edf35abcb51187d2fc26e696d13",
"sha256:eedab4c310c0299961ac285591acd53dc6723a1ebd90a57207c71f6e0c2153ab",
"sha256:efa568b885bca461f7c7b9e032655c0c143d305bf01c30caf6db2854a4532b38",
"sha256:efce6ae830831ab6a22b9b4091d411698145cb9b8fc869e1397ccf4b4b6455cb",
"sha256:f163d2fd041c630fed01bc48d28c3ed4a3b003c00acd396900e11ee5316b56bb",
"sha256:f20380df709d91525e4bee04746ba612a4df0972c1b8f8e1e8af997e678c7b81",
"sha256:f30f1928162e189091cf4d9da2eac617bfe78ef907a761614ff577ef4edfb3c8",
"sha256:f470c92737afa7d4c3aacc001e335062d582053d4dbe73cda126f2d7031068dd",
"sha256:ff8bf625fe85e119553b5383ba0fb6aa3d0ec2ae980295aaefa552374926b3f4"
],
"markers": "python_version >= '3.7'",
"version": "==1.3.3"
},
"idna": {
"hashes": [
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a",
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"
"sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4",
"sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"
],
"markers": "python_version >= '3'",
"version": "==3.2"
"version": "==3.4"
},
"more-itertools": {
"hashes": [
"sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d",
"sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a"
"sha256:250e83d7e81d0c87ca6bd942e6aeab8cc9daa6096d12c5308f3f92fa5e5c1f41",
"sha256:5a6257e40878ef0520b1803990e3e22303a41b5714006c32a3fd8304b26ea1ab"
],
"markers": "python_version >= '3.5'",
"version": "==8.8.0"
"markers": "python_version >= '3.7'",
"version": "==9.0.0"
},
"multidict": {
"hashes": [
"sha256:018132dbd8688c7a69ad89c4a3f39ea2f9f33302ebe567a879da8f4ca73f0d0a",
"sha256:051012ccee979b2b06be928a6150d237aec75dd6bf2d1eeeb190baf2b05abc93",
"sha256:05c20b68e512166fddba59a918773ba002fdd77800cad9f55b59790030bab632",
"sha256:07b42215124aedecc6083f1ce6b7e5ec5b50047afa701f3442054373a6deb656",
"sha256:0e3c84e6c67eba89c2dbcee08504ba8644ab4284863452450520dad8f1e89b79",
"sha256:0e929169f9c090dae0646a011c8b058e5e5fb391466016b39d21745b48817fd7",
"sha256:1ab820665e67373de5802acae069a6a05567ae234ddb129f31d290fc3d1aa56d",
"sha256:25b4e5f22d3a37ddf3effc0710ba692cfc792c2b9edfb9c05aefe823256e84d5",
"sha256:2e68965192c4ea61fff1b81c14ff712fc7dc15d2bd120602e4a3494ea6584224",
"sha256:2f1a132f1c88724674271d636e6b7351477c27722f2ed789f719f9e3545a3d26",
"sha256:37e5438e1c78931df5d3c0c78ae049092877e5e9c02dd1ff5abb9cf27a5914ea",
"sha256:3a041b76d13706b7fff23b9fc83117c7b8fe8d5fe9e6be45eee72b9baa75f348",
"sha256:3a4f32116f8f72ecf2a29dabfb27b23ab7cdc0ba807e8459e59a93a9be9506f6",
"sha256:46c73e09ad374a6d876c599f2328161bcd95e280f84d2060cf57991dec5cfe76",
"sha256:46dd362c2f045095c920162e9307de5ffd0a1bfbba0a6e990b344366f55a30c1",
"sha256:4b186eb7d6ae7c06eb4392411189469e6a820da81447f46c0072a41c748ab73f",
"sha256:54fd1e83a184e19c598d5e70ba508196fd0bbdd676ce159feb412a4a6664f952",
"sha256:585fd452dd7782130d112f7ddf3473ffdd521414674c33876187e101b588738a",
"sha256:5cf3443199b83ed9e955f511b5b241fd3ae004e3cb81c58ec10f4fe47c7dce37",
"sha256:6a4d5ce640e37b0efcc8441caeea8f43a06addace2335bd11151bc02d2ee31f9",
"sha256:7df80d07818b385f3129180369079bd6934cf70469f99daaebfac89dca288359",
"sha256:806068d4f86cb06af37cd65821554f98240a19ce646d3cd24e1c33587f313eb8",
"sha256:830f57206cc96ed0ccf68304141fec9481a096c4d2e2831f311bde1c404401da",
"sha256:929006d3c2d923788ba153ad0de8ed2e5ed39fdbe8e7be21e2f22ed06c6783d3",
"sha256:9436dc58c123f07b230383083855593550c4d301d2532045a17ccf6eca505f6d",
"sha256:9dd6e9b1a913d096ac95d0399bd737e00f2af1e1594a787e00f7975778c8b2bf",
"sha256:ace010325c787c378afd7f7c1ac66b26313b3344628652eacd149bdd23c68841",
"sha256:b47a43177a5e65b771b80db71e7be76c0ba23cc8aa73eeeb089ed5219cdbe27d",
"sha256:b797515be8743b771aa868f83563f789bbd4b236659ba52243b735d80b29ed93",
"sha256:b7993704f1a4b204e71debe6095150d43b2ee6150fa4f44d6d966ec356a8d61f",
"sha256:d5c65bdf4484872c4af3150aeebe101ba560dcfb34488d9a8ff8dbcd21079647",
"sha256:d81eddcb12d608cc08081fa88d046c78afb1bf8107e6feab5d43503fea74a635",
"sha256:dc862056f76443a0db4509116c5cd480fe1b6a2d45512a653f9a855cc0517456",
"sha256:ecc771ab628ea281517e24fd2c52e8f31c41e66652d07599ad8818abaad38cda",
"sha256:f200755768dc19c6f4e2b672421e0ebb3dd54c38d5a4f262b872d8cfcc9e93b5",
"sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281",
"sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80"
"sha256:018c8e3be7f161a12b3e41741b6721f9baeb2210f4ab25a6359b7d76c1017dce",
"sha256:01b456046a05ff7cceefb0e1d2a9d32f05efcb1c7e0d152446304e11557639ce",
"sha256:114a4ab3e5cfbc56c4b6697686ecb92376c7e8c56893ef20547921552f8bdf57",
"sha256:12e0d396faa6dc55ff5379eee54d1df3b508243ff15bfc8295a6ec7a4483a335",
"sha256:190626ced82d4cc567a09e7346340d380154a493bac6905e0095d8158cdf1e38",
"sha256:1f5d5129a937af4e3c4a1d6c139f4051b7d17d43276cefdd8d442a7031f7eef2",
"sha256:21e1ce0b187c4e93112304dcde2aa18922fdbe8fb4f13d8aa72a5657bce0563a",
"sha256:24e8d513bfcaadc1f8b0ebece3ff50961951c54b07d5a775008a882966102418",
"sha256:2523a29006c034687eccd3ee70093a697129a3ffe8732535d3b2df6a4ecc279d",
"sha256:26fbbe17f8a7211b623502d2bf41022a51da3025142401417c765bf9a56fed4c",
"sha256:2b66d61966b12e6bba500e5cbb2c721a35e119c30ee02495c5629bd0e91eea30",
"sha256:2cf5d19e12eff855aa198259c0b02fd3f5d07e1291fbd20279c37b3b0e6c9852",
"sha256:2cfda34b7cb99eacada2072e0f69c0ad3285cb6f8e480b11f2b6d6c1c6f92718",
"sha256:3541882266247c7cd3dba78d6ef28dbe704774df60c9e4231edaa4493522e614",
"sha256:36df958b15639e40472adaa4f0c2c7828fe680f894a6b48c4ce229f59a6a798b",
"sha256:38d394814b39be1c36ac709006d39d50d72a884f9551acd9c8cc1ffae3fc8c4e",
"sha256:4159fc1ec9ede8ab93382e0d6ba9b1b3d23c72da39a834db7a116986605c7ab4",
"sha256:445c0851a1cbc1f2ec3b40bc22f9c4a235edb3c9a0906122a9df6ea8d51f886c",
"sha256:47defc0218682281a52fb1f6346ebb8b68b17538163a89ea24dfe4da37a8a9a3",
"sha256:4cc5c8cd205a9810d16a5cd428cd81bac554ad1477cb87f4ad722b10992e794d",
"sha256:4ccf55f28066b4f08666764a957c2b7c241c7547b0921d69c7ceab5f74fe1a45",
"sha256:4fb3fe591956d8841882c463f934c9f7485cfd5f763a08c0d467b513dc18ef89",
"sha256:526f8397fc124674b8f39748680a0ff673bd6a715fecb4866716d36e380f015f",
"sha256:578bfcb16f4b8675ef71b960c00f174b0426e0eeb796bab6737389d8288eb827",
"sha256:5b51969503709415a35754954c2763f536a70b8bf7360322b2edb0c0a44391f6",
"sha256:5e58ec0375803526d395f6f7e730ecc45d06e15f68f7b9cdbf644a2918324e51",
"sha256:62db44727d0befea68e8ad2881bb87a9cfb6b87d45dd78609009627167f37b69",
"sha256:67090b17a0a5be5704fd109f231ee73cefb1b3802d41288d6378b5df46ae89ba",
"sha256:6cd14e61f0da2a2cfb9fe05bfced2a1ed7063ce46a7a8cd473be4973de9a7f91",
"sha256:70740c2bc9ab1c99f7cdcb104f27d16c63860c56d51c5bf0ef82fc1d892a2131",
"sha256:73009ea04205966d47e16d98686ac5c438af23a1bb30b48a2c5da3423ec9ce37",
"sha256:791458a1f7d1b4ab3bd9e93e0dcd1d59ef7ee9aa051dcd1ea030e62e49b923fd",
"sha256:7f9511e48bde6b995825e8d35e434fc96296cf07a25f4aae24ff9162be7eaa46",
"sha256:81c3d597591b0940e04949e4e4f79359b2d2e542a686ba0da5e25de33fec13e0",
"sha256:8230a39bae6c2e8a09e4da6bace5064693b00590a4a213e38f9a9366da10e7dd",
"sha256:8b92a9f3ab904397a33b193000dc4de7318ea175c4c460a1e154c415f9008e3d",
"sha256:94cbe5535ef150546b8321aebea22862a3284da51e7b55f6f95b7d73e96d90ee",
"sha256:960ce1b790952916e682093788696ef7e33ac6a97482f9b983abdc293091b531",
"sha256:99341ca1f1db9e7f47914cb2461305665a662383765ced6f843712564766956d",
"sha256:9aac6881454a750554ed4b280a839dcf9e2133a9d12ab4d417d673fb102289b7",
"sha256:9d359b0a962e052b713647ac1f13eabf2263167b149ed1e27d5c579f5c8c7d2c",
"sha256:9dbab2a7e9c073bc9538824a01f5ed689194db7f55f2b8102766873e906a6c1a",
"sha256:a27b029caa3b555a4f3da54bc1e718eb55fcf1a11fda8bf0132147b476cf4c08",
"sha256:a8b817d4ed68fd568ec5e45dd75ddf30cc72a47a6b41b74d5bb211374c296f5e",
"sha256:ad7d66422b9cc51125509229693d27e18c08f2dea3ac9de408d821932b1b3759",
"sha256:b46e79a9f4db53897d17bc64a39d1c7c2be3e3d4f8dba6d6730a2b13ddf0f986",
"sha256:baa96a3418e27d723064854143b2f414a422c84cc87285a71558722049bebc5a",
"sha256:beeca903e4270b4afcd114f371a9602240dc143f9e944edfea00f8d4ad56c40d",
"sha256:c2a1168e5aa7c72499fb03c850e0f03f624fa4a5c8d2e215c518d0a73872eb64",
"sha256:c5790cc603456b6dcf8a9a4765f666895a6afddc88b3d3ba7b53dea2b6e23116",
"sha256:cb4a08f0aaaa869f189ffea0e17b86ad0237b51116d494da15ef7991ee6ad2d7",
"sha256:cd5771e8ea325f85cbb361ddbdeb9ae424a68e5dfb6eea786afdcd22e68a7d5d",
"sha256:ce8e51774eb03844588d3c279adb94efcd0edeccd2f97516623292445bcc01f9",
"sha256:d09daf5c6ce7fc6ed444c9339bbde5ea84e2534d1ca1cd37b60f365c77f00dea",
"sha256:d0e798b072cf2aab9daceb43d97c9c527a0c7593e67a7846ad4cc6051de1e303",
"sha256:d325d61cac602976a5d47b19eaa7d04e3daf4efce2164c630219885087234102",
"sha256:d408172519049e36fb6d29672f060dc8461fc7174eba9883c7026041ef9bfb38",
"sha256:d52442e7c951e4c9ee591d6047706e66923d248d83958bbf99b8b19515fffaef",
"sha256:dc4cfef5d899f5f1a15f3d2ac49f71107a01a5a2745b4dd53fa0cede1419385a",
"sha256:df7b4cee3ff31b3335aba602f8d70dbc641e5b7164b1e9565570c9d3c536a438",
"sha256:e068dfeadbce63072b2d8096486713d04db4946aad0a0f849bd4fc300799d0d3",
"sha256:e07c24018986fb00d6e7eafca8fcd6e05095649e17fcf0e33a592caaa62a78b9",
"sha256:e0bce9f7c30e7e3a9e683f670314c0144e8d34be6b7019e40604763bd278d84f",
"sha256:e1925f78a543b94c3d46274c66a366fee8a263747060220ed0188e5f3eeea1c0",
"sha256:e322c94596054352f5a02771eec71563c018b15699b961aba14d6dd943367022",
"sha256:e4a095e18847c12ec20e55326ab8782d9c2d599400a3a2f174fab4796875d0e2",
"sha256:e5a811aab1b4aea0b4be669363c19847a8c547510f0e18fb632956369fdbdf67",
"sha256:eddf604a3de2ace3d9a4e4d491be7562a1ac095a0a1c95a9ec5781ef0273ef11",
"sha256:ee9b1cae9a6c5d023e5a150f6f6b9dbb3c3bbc7887d6ee07d4c0ecb49a473734",
"sha256:f1650ea41c408755da5eed52ac6ccbc8938ccc3e698d81e6f6a1be02ff2a0945",
"sha256:f2c0957b3e8c66c10d27272709a5299ab3670a0f187c9428f3b90d267119aedb",
"sha256:f76109387e1ec8d8e2137c94c437b89fe002f29e0881aae8ae45529bdff92000",
"sha256:f8a728511c977df6f3d8af388fcb157e49f11db4a6637dd60131b8b6e40b0253",
"sha256:fb6c3dc3d65014d2c782f5acf0b3ba14e639c6c33d3ed8932ead76b9080b3544"
],
"markers": "python_version >= '3.6'",
"version": "==5.1.0"
"markers": "python_version >= '3.7'",
"version": "==6.0.3"
},
"packaging": {
"hashes": [
"sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7",
"sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14"
"sha256:2198ec20bd4c017b8f9717e00f0c8714076fc2fd93816750ab48e2c41de2cfd3",
"sha256:957e2148ba0e1a3b282772e791ef1d8083648bc131c8ab0c1feba110ce1146c3"
],
"markers": "python_version >= '3.6'",
"version": "==21.0"
"markers": "python_version >= '3.7'",
"version": "==22.0"
},
"pathspec": {
"hashes": [
"sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a",
"sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1"
"sha256:88c2606f2c1e818b978540f73ecc908e13999c6c3a383daf3705652ae79807a5",
"sha256:8f6bf73e5758fd365ef5d58ce09ac7c27d2833a8d7da51712eac6e27e35141b0"
],
"version": "==0.9.0"
"markers": "python_version >= '3.7'",
"version": "==0.10.2"
},
"pluggy": {
"hashes": [
@@ -485,19 +750,11 @@
},
"py": {
"hashes": [
"sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3",
"sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"
"sha256:51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719",
"sha256:607c53218732647dff4acdfcd50cb62615cedf612e72d1724fb1a0cc6405b378"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.10.0"
},
"pyparsing": {
"hashes": [
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.4.7"
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==1.11.0"
},
"pytest": {
"hashes": [
@@ -509,10 +766,10 @@
},
"pytz": {
"hashes": [
"sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da",
"sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798"
"sha256:222439474e9c98fced559f1709d89e6c9cbf8d79c794ff3eb9f8800064291427",
"sha256:e89512406b793ca39f5971bc999cc538ce125c0e51c27941bef4568b460095e2"
],
"version": "==2021.1"
"version": "==2022.6"
},
"pyyaml": {
"hashes": [
@@ -557,49 +814,80 @@
"index": "pypi",
"version": "==2.26.0"
},
"setuptools": {
"hashes": [
"sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54",
"sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75"
],
"markers": "python_version >= '3.7'",
"version": "==65.6.3"
},
"simplejson": {
"hashes": [
"sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7",
"sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085",
"sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb",
"sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476",
"sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473",
"sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e",
"sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c",
"sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732",
"sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b",
"sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34",
"sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586",
"sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da",
"sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34",
"sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564",
"sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e",
"sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926",
"sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e",
"sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08",
"sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e",
"sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c",
"sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999",
"sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e",
"sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314",
"sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95",
"sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277",
"sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda",
"sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61",
"sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640",
"sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e",
"sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee",
"sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86",
"sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98",
"sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616",
"sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b",
"sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c",
"sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc",
"sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858",
"sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec"
"sha256:002f069c7bb9a86826616a78f1214fea5b993435720990eecb0bf10955b9cd0e",
"sha256:00b673f0b3caf37a3d993bccf30a97290da6313b6ecc7d66937e9cd906d8f840",
"sha256:07e408222931b1a2aab71e60e5f169fa7c0d74cacd4e0a6a0199716cb18dad76",
"sha256:0de746c8f76355c79fd15eccd7ecde0b137cd911bdcdc463fc5c36ec3d8b98ea",
"sha256:0f33d16fa7b5e2ed6ea85d7b31bc84cf8c73c40cc2c9f87071e0fffcd52f5342",
"sha256:0f49858b5fc802081b71269f4a3aa5c5500ec6553637c9a0630f30a2a6541ea7",
"sha256:17dbc7f71fa5b7e4a2acef38cf0be30461ae6659456a978ce7eeebeb5bdf9e1a",
"sha256:17ec5e408fb6615250c1f18fb4eac3b2b99a85e8613bfc2dfa54827d0bf7f3e1",
"sha256:1b4085151e00ab7ca66f269aff7153f0ec18589cb22e7ceb8b365709c723fdd0",
"sha256:1f169402069f8cf93e359f607725b1d920c4dbe5bda4c520025d5fad8d20c1b7",
"sha256:1fbacdbba3cf5a471c67a9ca6cd270bba9578d5bc22aef6028faebbdb98bbb15",
"sha256:252f7cc5524bb5507a08377a4a75aa7ff4645f3dfca814d38bdbcf0f3c34d1ce",
"sha256:2aeed35db00cdf5d49ff1e7d878afd38c86a5fead0f1d364d539ad4d7a869e0e",
"sha256:2cc76435569e6c19574a8e913cfccbed832249b2b3b360caee9a4caf8ff866bf",
"sha256:448ab14fa67b3ac235a8445d14ec6d56268c3dabbce78720f9efa6d698466710",
"sha256:4609feb2ae66c132c6dcbe01dbfd4f6431afb4ff17303e37ca128fb6297cebd2",
"sha256:46bafa7e794f0e91fde850d906b0dc29a624c726b27e75d23bc8c3e35a48f28b",
"sha256:4a6199d302ec7d889e1aa6b493aa8e40b4dfa4bd85708f8c8f0c64ce5b8e0986",
"sha256:4d8d016f70d241f82189bc9f6d1eb8558b3599861f2c501b3f32da7fdf4e92ac",
"sha256:503da91993cc671fe7ebbf120c3ce868278de8226f158336afde874f7b7aa871",
"sha256:54c63cc7857f16a20aa170ffda9ebce45a3b7ba764b67a5a95bfe7ae613a2710",
"sha256:58a429d2c2fa80834115b923ff689622de8f214cf0dc4afa9f59e824b444ab31",
"sha256:599e9c53d3203bc36ef68efec138ca76d201da7ac06a114fae78536a8c10e35b",
"sha256:5f3dd31309ae5cc9f2df51d2d5cac89722dac3c853042ebefcaf7ad06ca19387",
"sha256:6187cbea7fdede732fe0347ad08cd920ebd9faa30b6c48782cee494051ca97c6",
"sha256:622cf0e1f870f189a0757fdcad7998a0c1dd46b0e53aeac9960556c141319c83",
"sha256:638bdd2deaccd3b8e02b1783280bd82341df5e1faa59c4f0276f03f16eec13ea",
"sha256:6804ad50aaf581df5c982fc101b0d932638066fe191074ded783602eb1c8982a",
"sha256:7a4d9b266ae6db578719f1255c742e76ee4676593087f4f6b79a2bbae2b1dcc5",
"sha256:7a9476dcd72aeba7d55c4800b9cd2204201af3539894b8512d74597e35a3033a",
"sha256:7b95c5cf71c16e4fdaa724719aaf8ccbed533e2df57a20bcff825ceeead27688",
"sha256:8493d2c1a940471b07d7c9c356a3f4eee780df073da2917418d0fe8669b54f99",
"sha256:875cfb43b622672218045dc927a86fc7c4c8111264c1d303aca5de33d5df479e",
"sha256:8d762267c4af617e1798bd0151f626105d06a88f214e3874b77eb89106f899fe",
"sha256:94c17d01e4c65e63deec46c984bb810de5e3a1259eb6bacdca63f3efc9c4c673",
"sha256:96979ff7f0daf47422d5f95d2d006da3210e0490a166bce2529f59f55047fc67",
"sha256:97139bf5134d713710665a6edb9500d69b93642c4b6b44b20800232dbd0f5b39",
"sha256:989b31d586954e65170ad3ec597218a6790c401b82da6193e8a897a06aa7946e",
"sha256:98b4c824f15436f1b22fe6d73c42ffacb246f7efc4d9dbbee542dd72355ecc43",
"sha256:9aff3c24017a7819c76b2f177d4fe8334b3d4cb6f702a2d7c666b3d57c36ffb4",
"sha256:9db78e18624f94d7b5642bf487244f803dab844e771d92e83f85f22da21ffe2d",
"sha256:a0e6dd5a0b8c76fb7522470789f1af793d39d6edbd4e40853e7be550ad49c430",
"sha256:a2f70d8170c7e02166a4c91462581e6ae5f35e3351a6b6c5142adcb04c7153ac",
"sha256:a814227fa08cae435ac7a42dcd2a04a7ec4a3cee23b7f83f9544cd26f452dcc4",
"sha256:aa9ecdd1d7ecbc7d1066c37cfbe52f65adf64b11b22d481a98fe1d3675dfff4b",
"sha256:b2b19d7aa4e9a1e7bf8caaf5f478a790190c60136314f45bb7702cb5a9337266",
"sha256:b4997bd8332cef3923402a07351571788f552f55ea1394ffbfccd4d203a8a05f",
"sha256:b71fef8ee41d59509c7f4afac7f627ed143c9e6db9eb08cfbba85e4c4dc5e67b",
"sha256:bd67d6fad7f4cd7c9cb7fad32d78ce32862fdb574b898447987a5de22fd37d73",
"sha256:ca22993a1a00440392c6c76f39addab8d97c706d2a8bcc2c9b2b6cb2cd7f41df",
"sha256:ce1c0580372d3c9bfa151bd0721a9bd5647b9b2245d0588d813fdbd2eb5d6f22",
"sha256:d522f28f7b252454df86ac3db5a0e1fe5ae03c8fc0cd1592c912b07c9fad6c29",
"sha256:d5d25cc5dad31a10d7a8196125515cc3aa68187c8953459fcaf127c2c8410f51",
"sha256:d9f7a692c11de20cb8ec680584815315e03d1404a6e299d36489b0fb6447d98d",
"sha256:d9fa2ad4cabb5054faa8d4a44b84134b0ec9d1421f5e9264d057d6be4d13c7fa",
"sha256:db53a85f4db0dbd9e5f6277d9153bcaa2ccb87b0d672c6a35f19432b3f2301a3",
"sha256:db9d36c4c7997c2a2513a5d218fd90b53bfeaf7e727f94aaf3576973378b3bce",
"sha256:e80f02e68d25c222471fcc5d1933275b8eb396e5e40b7863e4e0a43b3c810059",
"sha256:e84bd1c29e83ec74a95de070473742eb52d08502f2428eff5751671081e0a0a6",
"sha256:f0e12bdafdf7e32c5ad4a073e325ea0d659d4277af8b3d8eccf3101c56879619",
"sha256:fd56a9e0c63a1f9c37621fe298c77795aefd2a26dca80dcae27688586c40b4bb"
],
"markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==3.17.3"
"version": "==3.18.0"
},
"six": {
"hashes": [
@@ -618,10 +906,11 @@
},
"stix2-patterns": {
"hashes": [
"sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4",
"sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992"
"sha256:07750c5a5af2c758e9d2aa4dde9d8e04bcd162ac2a9b0b4c4de4481d443efa08",
"sha256:ca4d68b2db42ed99794a418388769d2676ca828e9cac0b8629e73cd3f68f6458"
],
"version": "==1.3.2"
"markers": "python_version >= '3.6'",
"version": "==2.0.0"
},
"taxii2-client": {
"hashes": [
@@ -630,14 +919,6 @@
],
"version": "==2.3.0"
},
"typing-extensions": {
"hashes": [
"sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
"sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
"sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
],
"version": "==3.10.0.0"
},
"urllib3": {
"hashes": [
"sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
@@ -662,46 +943,83 @@
},
"yarl": {
"hashes": [
"sha256:00d7ad91b6583602eb9c1d085a2cf281ada267e9a197e8b7cae487dadbfa293e",
"sha256:0355a701b3998dcd832d0dc47cc5dedf3874f966ac7f870e0f3a6788d802d434",
"sha256:15263c3b0b47968c1d90daa89f21fcc889bb4b1aac5555580d74565de6836366",
"sha256:2ce4c621d21326a4a5500c25031e102af589edb50c09b321049e388b3934eec3",
"sha256:31ede6e8c4329fb81c86706ba8f6bf661a924b53ba191b27aa5fcee5714d18ec",
"sha256:324ba3d3c6fee56e2e0b0d09bf5c73824b9f08234339d2b788af65e60040c959",
"sha256:329412812ecfc94a57cd37c9d547579510a9e83c516bc069470db5f75684629e",
"sha256:4736eaee5626db8d9cda9eb5282028cc834e2aeb194e0d8b50217d707e98bb5c",
"sha256:4953fb0b4fdb7e08b2f3b3be80a00d28c5c8a2056bb066169de00e6501b986b6",
"sha256:4c5bcfc3ed226bf6419f7a33982fb4b8ec2e45785a0561eb99274ebbf09fdd6a",
"sha256:547f7665ad50fa8563150ed079f8e805e63dd85def6674c97efd78eed6c224a6",
"sha256:5b883e458058f8d6099e4420f0cc2567989032b5f34b271c0827de9f1079a424",
"sha256:63f90b20ca654b3ecc7a8d62c03ffa46999595f0167d6450fa8383bab252987e",
"sha256:68dc568889b1c13f1e4745c96b931cc94fdd0defe92a72c2b8ce01091b22e35f",
"sha256:69ee97c71fee1f63d04c945f56d5d726483c4762845400a6795a3b75d56b6c50",
"sha256:6d6283d8e0631b617edf0fd726353cb76630b83a089a40933043894e7f6721e2",
"sha256:72a660bdd24497e3e84f5519e57a9ee9220b6f3ac4d45056961bf22838ce20cc",
"sha256:73494d5b71099ae8cb8754f1df131c11d433b387efab7b51849e7e1e851f07a4",
"sha256:7356644cbed76119d0b6bd32ffba704d30d747e0c217109d7979a7bc36c4d970",
"sha256:8a9066529240171b68893d60dca86a763eae2139dd42f42106b03cf4b426bf10",
"sha256:8aa3decd5e0e852dc68335abf5478a518b41bf2ab2f330fe44916399efedfae0",
"sha256:97b5bdc450d63c3ba30a127d018b866ea94e65655efaf889ebeabc20f7d12406",
"sha256:9ede61b0854e267fd565e7527e2f2eb3ef8858b301319be0604177690e1a3896",
"sha256:b2e9a456c121e26d13c29251f8267541bd75e6a1ccf9e859179701c36a078643",
"sha256:b5dfc9a40c198334f4f3f55880ecf910adebdcb2a0b9a9c23c9345faa9185721",
"sha256:bafb450deef6861815ed579c7a6113a879a6ef58aed4c3a4be54400ae8871478",
"sha256:c49ff66d479d38ab863c50f7bb27dee97c6627c5fe60697de15529da9c3de724",
"sha256:ce3beb46a72d9f2190f9e1027886bfc513702d748047b548b05dab7dfb584d2e",
"sha256:d26608cf178efb8faa5ff0f2d2e77c208f471c5a3709e577a7b3fd0445703ac8",
"sha256:d597767fcd2c3dc49d6eea360c458b65643d1e4dbed91361cf5e36e53c1f8c96",
"sha256:d5c32c82990e4ac4d8150fd7652b972216b204de4e83a122546dce571c1bdf25",
"sha256:d8d07d102f17b68966e2de0e07bfd6e139c7c02ef06d3a0f8d2f0f055e13bb76",
"sha256:e46fba844f4895b36f4c398c5af062a9808d1f26b2999c58909517384d5deda2",
"sha256:e6b5460dc5ad42ad2b36cca524491dfcaffbfd9c8df50508bddc354e787b8dc2",
"sha256:f040bcc6725c821a4c0665f3aa96a4d0805a7aaf2caf266d256b8ed71b9f041c",
"sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a",
"sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71"
"sha256:009a028127e0a1755c38b03244c0bea9d5565630db9c4cf9572496e947137a87",
"sha256:0414fd91ce0b763d4eadb4456795b307a71524dbacd015c657bb2a39db2eab89",
"sha256:0978f29222e649c351b173da2b9b4665ad1feb8d1daa9d971eb90df08702668a",
"sha256:0ef8fb25e52663a1c85d608f6dd72e19bd390e2ecaf29c17fb08f730226e3a08",
"sha256:10b08293cda921157f1e7c2790999d903b3fd28cd5c208cf8826b3b508026996",
"sha256:1684a9bd9077e922300ecd48003ddae7a7474e0412bea38d4631443a91d61077",
"sha256:1b372aad2b5f81db66ee7ec085cbad72c4da660d994e8e590c997e9b01e44901",
"sha256:1e21fb44e1eff06dd6ef971d4bdc611807d6bd3691223d9c01a18cec3677939e",
"sha256:2305517e332a862ef75be8fad3606ea10108662bc6fe08509d5ca99503ac2aee",
"sha256:24ad1d10c9db1953291f56b5fe76203977f1ed05f82d09ec97acb623a7976574",
"sha256:272b4f1599f1b621bf2aabe4e5b54f39a933971f4e7c9aa311d6d7dc06965165",
"sha256:2a1fca9588f360036242f379bfea2b8b44cae2721859b1c56d033adfd5893634",
"sha256:2b4fa2606adf392051d990c3b3877d768771adc3faf2e117b9de7eb977741229",
"sha256:3150078118f62371375e1e69b13b48288e44f6691c1069340081c3fd12c94d5b",
"sha256:326dd1d3caf910cd26a26ccbfb84c03b608ba32499b5d6eeb09252c920bcbe4f",
"sha256:34c09b43bd538bf6c4b891ecce94b6fa4f1f10663a8d4ca589a079a5018f6ed7",
"sha256:388a45dc77198b2460eac0aca1efd6a7c09e976ee768b0d5109173e521a19daf",
"sha256:3adeef150d528ded2a8e734ebf9ae2e658f4c49bf413f5f157a470e17a4a2e89",
"sha256:3edac5d74bb3209c418805bda77f973117836e1de7c000e9755e572c1f7850d0",
"sha256:3f6b4aca43b602ba0f1459de647af954769919c4714706be36af670a5f44c9c1",
"sha256:3fc056e35fa6fba63248d93ff6e672c096f95f7836938241ebc8260e062832fe",
"sha256:418857f837347e8aaef682679f41e36c24250097f9e2f315d39bae3a99a34cbf",
"sha256:42430ff511571940d51e75cf42f1e4dbdded477e71c1b7a17f4da76c1da8ea76",
"sha256:44ceac0450e648de86da8e42674f9b7077d763ea80c8ceb9d1c3e41f0f0a9951",
"sha256:47d49ac96156f0928f002e2424299b2c91d9db73e08c4cd6742923a086f1c863",
"sha256:48dd18adcf98ea9cd721a25313aef49d70d413a999d7d89df44f469edfb38a06",
"sha256:49d43402c6e3013ad0978602bf6bf5328535c48d192304b91b97a3c6790b1562",
"sha256:4d04acba75c72e6eb90745447d69f84e6c9056390f7a9724605ca9c56b4afcc6",
"sha256:57a7c87927a468e5a1dc60c17caf9597161d66457a34273ab1760219953f7f4c",
"sha256:58a3c13d1c3005dbbac5c9f0d3210b60220a65a999b1833aa46bd6677c69b08e",
"sha256:5df5e3d04101c1e5c3b1d69710b0574171cc02fddc4b23d1b2813e75f35a30b1",
"sha256:63243b21c6e28ec2375f932a10ce7eda65139b5b854c0f6b82ed945ba526bff3",
"sha256:64dd68a92cab699a233641f5929a40f02a4ede8c009068ca8aa1fe87b8c20ae3",
"sha256:6604711362f2dbf7160df21c416f81fac0de6dbcf0b5445a2ef25478ecc4c778",
"sha256:6c4fcfa71e2c6a3cb568cf81aadc12768b9995323186a10827beccf5fa23d4f8",
"sha256:6d88056a04860a98341a0cf53e950e3ac9f4e51d1b6f61a53b0609df342cc8b2",
"sha256:705227dccbe96ab02c7cb2c43e1228e2826e7ead880bb19ec94ef279e9555b5b",
"sha256:728be34f70a190566d20aa13dc1f01dc44b6aa74580e10a3fb159691bc76909d",
"sha256:74dece2bfc60f0f70907c34b857ee98f2c6dd0f75185db133770cd67300d505f",
"sha256:75c16b2a900b3536dfc7014905a128a2bea8fb01f9ee26d2d7d8db0a08e7cb2c",
"sha256:77e913b846a6b9c5f767b14dc1e759e5aff05502fe73079f6f4176359d832581",
"sha256:7a66c506ec67eb3159eea5096acd05f5e788ceec7b96087d30c7d2865a243918",
"sha256:8c46d3d89902c393a1d1e243ac847e0442d0196bbd81aecc94fcebbc2fd5857c",
"sha256:93202666046d9edadfe9f2e7bf5e0782ea0d497b6d63da322e541665d65a044e",
"sha256:97209cc91189b48e7cfe777237c04af8e7cc51eb369004e061809bcdf4e55220",
"sha256:a48f4f7fea9a51098b02209d90297ac324241bf37ff6be6d2b0149ab2bd51b37",
"sha256:a783cd344113cb88c5ff7ca32f1f16532a6f2142185147822187913eb989f739",
"sha256:ae0eec05ab49e91a78700761777f284c2df119376e391db42c38ab46fd662b77",
"sha256:ae4d7ff1049f36accde9e1ef7301912a751e5bae0a9d142459646114c70ecba6",
"sha256:b05df9ea7496df11b710081bd90ecc3a3db6adb4fee36f6a411e7bc91a18aa42",
"sha256:baf211dcad448a87a0d9047dc8282d7de59473ade7d7fdf22150b1d23859f946",
"sha256:bb81f753c815f6b8e2ddd2eef3c855cf7da193b82396ac013c661aaa6cc6b0a5",
"sha256:bcd7bb1e5c45274af9a1dd7494d3c52b2be5e6bd8d7e49c612705fd45420b12d",
"sha256:bf071f797aec5b96abfc735ab97da9fd8f8768b43ce2abd85356a3127909d146",
"sha256:c15163b6125db87c8f53c98baa5e785782078fbd2dbeaa04c6141935eb6dab7a",
"sha256:cb6d48d80a41f68de41212f3dfd1a9d9898d7841c8f7ce6696cf2fd9cb57ef83",
"sha256:ceff9722e0df2e0a9e8a79c610842004fa54e5b309fe6d218e47cd52f791d7ef",
"sha256:cfa2bbca929aa742b5084fd4663dd4b87c191c844326fcb21c3afd2d11497f80",
"sha256:d617c241c8c3ad5c4e78a08429fa49e4b04bedfc507b34b4d8dceb83b4af3588",
"sha256:d881d152ae0007809c2c02e22aa534e702f12071e6b285e90945aa3c376463c5",
"sha256:da65c3f263729e47351261351b8679c6429151ef9649bba08ef2528ff2c423b2",
"sha256:de986979bbd87272fe557e0a8fcb66fd40ae2ddfe28a8b1ce4eae22681728fef",
"sha256:df60a94d332158b444301c7f569659c926168e4d4aad2cfbf4bce0e8fb8be826",
"sha256:dfef7350ee369197106805e193d420b75467b6cceac646ea5ed3049fcc950a05",
"sha256:e59399dda559688461762800d7fb34d9e8a6a7444fd76ec33220a926c8be1516",
"sha256:e6f3515aafe0209dd17fb9bdd3b4e892963370b3de781f53e1746a521fb39fc0",
"sha256:e7fd20d6576c10306dea2d6a5765f46f0ac5d6f53436217913e952d19237efc4",
"sha256:ebb78745273e51b9832ef90c0898501006670d6e059f2cdb0e999494eb1450c2",
"sha256:efff27bd8cbe1f9bd127e7894942ccc20c857aa8b5a0327874f30201e5ce83d0",
"sha256:f37db05c6051eff17bc832914fe46869f8849de5b92dc4a3466cd63095d23dfd",
"sha256:f8ca8ad414c85bbc50f49c0a106f951613dfa5f948ab69c10ce9b128d368baf8",
"sha256:fb742dcdd5eec9f26b61224c23baea46c9055cf16f62475e11b9b15dfd5c117b",
"sha256:fc77086ce244453e074e445104f0ecb27530d6fd3a46698e33f6c38951d5a0f1",
"sha256:ff205b58dc2929191f68162633d5e10e8044398d7a45265f90a0f1d51f85f72c"
],
"markers": "python_version >= '3.6'",
"version": "==1.6.3"
"markers": "python_version >= '3.7'",
"version": "==1.8.2"
}
}
}
rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml → rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
+6 -2
View File
@@ -1,7 +1,11 @@
title: Excel Proxy Executing Regsvr32 With Payload
id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
status: experimental
description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
status: deprecated
description: |
Excel called wmic to finally proxy execute regsvr32 with the payload.
An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml → rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
+8 -4
View File
@@ -1,13 +1,17 @@
title: Excel Proxy Executing Regsvr32 With Payload
title: Excel Proxy Executing Regsvr32 With Payload Alternate
id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
status: experimental
description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
status: deprecated
description: |
Excel called wmic to finally proxy execute regsvr32 with the payload.
An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
date: 2021/08/23
modified: 2022/07/07
modified: 2022/12/02
tags:
- attack.t1204.002
- attack.t1047
rules/application/antivirus/av_hacktool.yml
+1 -2
View File
@@ -19,8 +19,7 @@ detection:
- 'HKTL'
- 'SecurityTool'
- 'ATK/' # Sophos
- Signature|contains:
- 'Hacktool'
- Signature|contains: 'Hacktool'
condition: selection
fields:
- FileName
rules/cloud/azure/azure_ad_azurehound_discovery.yml
+23
View File
@@ -0,0 +1,23 @@
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: experimental
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
- https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022/11/27
tags:
- attack.discovery
- attack.t1087.004
- attack.t1526
logsource:
product: azure
service: signinlogs
detection:
selection:
userAgent|contains: 'azurehound'
ResultType: 0
condition: selection
falsepositives:
- Unknown
level: high
rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
+4 -1
View File
@@ -1,7 +1,10 @@
title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: experimental
description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
- https://twitter.com/jhencinski/status/1102695118455349248
- https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth, Tim Shelton
date: 2019/03/07
modified: 2022/08/16
rules/web/web_cve_2021_27905_apache_solr_exploit.yml
+36
View File
@@ -0,0 +1,36 @@
title: Potential CVE-2021-27905 Exploitation Attempt
id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
status: experimental
description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
references:
- https://twitter.com/Al1ex4/status/1382981479727128580
- https://twitter.com/sec715/status/1373472323538362371
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
- https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
- https://github.com/murataydemir/CVE-2021-27905
author: '@gott_cyber'
date: 2022/12/11
tags:
- attack.initial_access
- attack.t1190
- cve.2021.27905
logsource:
category: webserver
detection:
selection_request1:
c-uri|contains|all:
- '/solr/'
- '/debug/dump?'
- 'param=ContentStream'
sc-status: '200'
selection_request2:
cs-method: 'GET'
c-uri|contains|all:
- '/solr/'
- 'command=fetchindex'
- 'masterUrl='
sc-status: '200'
condition: 1 of selection_*
falsepositives:
- Vulnerability Scanners
level: medium
rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
+26
View File
@@ -0,0 +1,26 @@
title: Potential Credential Dumping Via WER - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali
date: 2022/12/07
tags:
- attack.credential_access
- attack.t1003.001
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
AppName: 'lsass.exe'
ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
condition: selection
falsepositives:
- Rare legitimate crashing of the lsass process
level: high
rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
+4 -1
View File
@@ -8,7 +8,7 @@ references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth
date: 2022/06/28
modified: 2022/08/09
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.persistence
@@ -35,6 +35,9 @@ detection:
- 'anonfiles.com'
- 'send.exploit.in'
- 'transfer.sh'
- 'privatlab.net'
- 'privatlab.com'
- 'sendspace.com'
condition: selection
falsepositives:
- Unknown
rules/windows/builtin/security/win_security_disable_event_logging.yml
+2 -2
View File
@@ -7,7 +7,7 @@ description: |
Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
references:
- https://bit.ly/WinLogsZero2Hero
- https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
author: '@neu5ron'
date: 2017/11/19
modified: 2021/11/27
@@ -23,7 +23,7 @@ detection:
EventID: 4719
AuditPolicyChanges|contains:
- '%%8448' # This is "Success removed"
- '%%8450' # This is "Failure removed"
- '%%8450' # This is "Failure removed"
condition: selection
falsepositives:
- Unknown
rules/windows/builtin/security/win_security_etw_modification.yml → rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml
+16 -4
View File
@@ -1,5 +1,8 @@
title: COMPlus_ETWEnabled Registry Modification
title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
- id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
@@ -12,22 +15,31 @@ references:
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
modified: 2022/10/05
modified: 2022/12/09
tags:
- attack.defense_evasion
- attack.t1112
- attack.t1562
logsource:
product: windows
service: security
detection:
selection:
selection_etw_enabled:
EventID: 4657
ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
ObjectValueName: 'ETWEnabled'
NewValue: 0
condition: selection
selection_complus:
EventID: 4657
ObjectName|endswith: '\Environment\'
ObjectValueName:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
NewValue: 0
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
+3 -2
View File
@@ -10,6 +10,7 @@ references:
- https://twitter.com/SBousseaden/status/1490608838701166596
author: Tim Rauch
date: 2022/09/15
modified: 2022/12/04
tags:
- attack.privilege_escalation
- attack.t1543
@@ -21,8 +22,8 @@ detection:
selection:
EventID: 4697
selection_pid:
- ClientProcessId: '0'
- ParentProcessId: '0'
- ClientProcessId: 0
- ParentProcessId: 0
condition: all of selection*
falsepositives:
- Unknown
rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
+1 -1
View File
@@ -1,7 +1,7 @@
title: Failed Code Integrity Checks
id: 470ec5fa-7b4e-4071-b200-4c753100f49b
status: stable
description: Code integrity failures may indicate tampered executables.
description: Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
author: Thomas Patzke
date: 2019/12/03
modified: 2020/08/23
rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
+61
View File
@@ -0,0 +1,61 @@
title: Suspicious Scheduled Task Creation
id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
status: experimental
description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali
date: 2022/12/05
modified: 2022/12/07
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection_eid:
EventID: 4698
selection_paths:
TaskContent|contains:
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- 'C:\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
selection_commands:
TaskContent|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd.exe</Command>'
- 'cmd</Command>'
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- 'powershell'
- 'pwsh'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
+46
View File
@@ -0,0 +1,46 @@
title: Important Scheduled Task Deleted/Disabled
id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
related:
- id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
type: similar
- id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
type: similar
status: experimental
description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
author: Nasreddine Bencherchali
date: 2022/12/05
modified: 2022/12/09
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection:
EventID:
- 4699 # Task Deleted Event
- 4701 # Task Disabled Event
TaskName|contains:
# Add more important tasks
- '\Windows\SystemRestore\SR'
- '\Windows\Windows Defender\'
- '\Windows\BitLocker'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
- '\Windows\UpdateOrchestrator\'
- '\Windows\ExploitGuard'
filter_ac_power_download:
Task|contains: '\Windows\UpdateOrchestrator\AC Power Download'
filter_sys_username:
SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
+60
View File
@@ -0,0 +1,60 @@
title: Suspicious Scheduled Task Update
id: 614cf376-6651-47c4-9dcc-6b9527f749f4
status: experimental
description: Detects update to a scheduled task event that contain suspicious keywords.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali
date: 2022/12/05
tags:
- attack.execution
- attack.privilege_escalation
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection_eid:
EventID: 4702
selection_paths:
TaskContentNew|contains:
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- 'C:\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
selection_commands:
TaskContentNew|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd.exe</Command>'
- 'cmd</Command>'
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- 'powershell'
- 'pwsh'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
rules/windows/builtin/security/win_security_user_driver_loaded.yml
+11 -9
View File
@@ -13,7 +13,7 @@ references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
modified: 2021/11/30
modified: 2022/12/07
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -27,14 +27,16 @@ detection:
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
filter:
ProcessName|endswith:
- '\Windows\System32\Dism.exe'
- '\Windows\System32\rundll32.exe'
- '\Windows\System32\fltMC.exe'
- '\Windows\HelpPane.exe'
- '\Windows\System32\mmc.exe'
- '\Windows\System32\svchost.exe'
- '\Windows\System32\wimserv.exe'
- ProcessName:
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\rundll32.exe'
- 'C:\Windows\System32\fltMC.exe'
- 'C:\Windows\HelpPane.exe'
- 'C:\Windows\System32\mmc.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\wimserv.exe'
- 'C:\Windows\System32\RuntimeBroker.exe'
- ProcessName|endswith:
- '\procexp64.exe'
- '\procexp.exe'
- '\procmon64.exe'
rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
+2 -1
View File
@@ -6,6 +6,7 @@ references:
- https://github.com/antonioCoco/JuicyPotatoNG
author: Florian Roth
date: 2022/10/07
modified: 2022/12/04
tags:
- attack.execution
- attack.t1557.001
@@ -16,7 +17,7 @@ detection:
selection:
EventID: 10001
param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' # is the Binary starting/started
param2: '2147943140' # is ERROR id
param2: 2147943140 # is ERROR id
param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' # is DCOM Server
condition: selection
falsepositives:
rules/windows/builtin/system/win_system_service_install_hacktools.yml
+1 -2
View File
@@ -28,8 +28,7 @@ detection:
- 'pwdump'
- 'gsecdump'
- 'cachedump'
- ImagePath|contains:
- 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
- ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
condition: service and selection
falsepositives:
- Unknown
rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
+2 -1
View File
@@ -9,6 +9,7 @@ references:
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
author: Tim Rauch
date: 2022/09/15
modified: 2022/12/04
tags:
- attack.privilege_escalation
- attack.t1543
@@ -19,7 +20,7 @@ detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ProcessId: '0'
ProcessId: 0
condition: selection
falsepositives:
- Unknown
rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
+1
View File
@@ -12,6 +12,7 @@ tags:
logsource:
product: windows
service: taskscheduler
definition: the "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and should be enabled in order for this detection to work
detection:
selection:
EventID: 106
rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
+35
View File
@@ -0,0 +1,35 @@
title: Suspicious Scheduled Tasks Locations
id: 424273ea-7cf8-43a6-b712-375f925e481f
status: experimental
description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
author: Nasreddine Bencherchali
date: 2022/12/05
tags:
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: taskscheduler
definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
selection:
EventID: 129 # Created Task Process
Path|contains:
- 'C:\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Users\Public\'
- 'C:\Temp\'
# Add more suspicious LOLBINs below
- 'C:\Windows\System32\calc.exe'
- 'C:\Windows\System32\regsvr32.exe'
- 'C:\Windows\System32\rundll32.exe'
# If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it
#filter:
# TaskName: '\Exact\Task\Name'
# Path: 'Exact\Path'
condition: selection
falsepositives:
- Unknown
level: medium
rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
+3 -3
View File
@@ -6,7 +6,7 @@ references:
- https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
author: Bhabesh Raj
date: 2020/09/14
modified: 2021/10/13
modified: 2022/12/07
tags:
- attack.execution
- attack.t1059
@@ -15,8 +15,8 @@ logsource:
service: windefend
detection:
selection:
EventID: 1116
Source_Name: 'AMSI'
EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.
SourceName: 'AMSI'
condition: selection
falsepositives:
- Unlikely
rules/windows/builtin/windefend/win_defender_disabled.yml
+7 -7
View File
@@ -7,7 +7,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Ján Trenčanský, frack113
date: 2020/07/28
modified: 2022/05/06
modified: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -17,11 +17,11 @@ logsource:
detection:
selection:
EventID:
- 5001
- 5010
- 5012
- 5101
- 5001 # Real-time protection is disabled.
- 5010 # Scanning for malware and other potentially unwanted software is disabled.
- 5012 # Scanning for viruses is disabled.
- 5101 # The antimalware platform is expired.
condition: selection
falsepositives:
- Administrator actions
level: low
- Administrator actions (should be investigated)
level: high
rules/windows/builtin/windefend/win_defender_exclusions.yml
+4 -4
View File
@@ -6,7 +6,7 @@ references:
- https://twitter.com/_nullbind/status/1204923340810543109
author: Christian Burkard
date: 2021/07/06
modified: 2022/02/02
modified: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -14,10 +14,10 @@ logsource:
product: windows
service: windefend
detection:
selection1:
EventID: 5007
selection:
EventID: 5007 # The antimalware platform configuration changed.
NewValue|contains: '\Microsoft\Windows Defender\Exclusions'
condition: selection1
condition: selection
falsepositives:
- Administrator actions
level: medium
rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
+7 -6
View File
@@ -6,16 +6,17 @@ references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali
date: 2022/08/05
modified: 2022/12/06
tags:
- attack.execution
- attack.t1059
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: windefend
detection:
allowed_apps_key:
EventID: 5007
NewValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
EventID: 5007 # The antimalware platform configuration changed.
NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
allowed_apps_path:
NewValue|contains:
# Add more paths you don't allow in your org
@@ -25,9 +26,9 @@ detection:
- '\PerfLogs\'
- '\Windows\Temp\'
protected_folders:
EventID: 5007
EventID: 5007 # The antimalware platform configuration changed.
# This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
OldValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
condition: all of allowed_apps* or protected_folders
falsepositives:
- Unlikely
rules/windows/builtin/windefend/win_defender_history_delete.yml
+3 -4
View File
@@ -4,23 +4,22 @@ status: test
description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
- https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
author: Cian Heasley
date: 2020/08/13
modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1070.001
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 1013
EventType: 4
EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software.
condition: selection
fields:
- EventID
- EventType
falsepositives:
- Deletion of Defender malware detections history for legitimate reasons
level: high
level: low
rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
+21
View File
@@ -0,0 +1,21 @@
title: Win Defender Restored Quarantine File
id: bc92ca75-cd42-4d61-9a37-9d5aa259c88b
status: experimental
description: Detects the restoration of files from the defender quarantine
references:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
author: Nasreddine Bencherchali
date: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 1009 # The antimalware platform restored an item from quarantine.
condition: selection
falsepositives:
- Legitimate administrator activity restoring a file
level: high
rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
+38
View File
@@ -0,0 +1,38 @@
title: Windows Defender Suspicious Configuration Changes
id: 801bd44f-ceed-4eb6-887c-11544633c0aa
related:
- id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
type: similar
- id: a3ab73f1-bd46-4319-8f06-4b20d0617886
type: similar
status: stable
description: Detects suspicious changes to the windows defender configuration
references:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
author: Nasreddine Bencherchali
date: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 5007 # The antimalware platform configuration changed.
NewValue|contains:
# TODO: Add more suspicious values
- '\Windows Defender\DisableAntiSpyware '
#- '\Windows Defender\Features\TamperProtection ' # Might produce FP
- '\Windows Defender\Scan\DisableRemovableDriveScanning '
- '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
- '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
- '\Real-Time Protection\SpyNetReporting '
- '\Real-Time Protection\SubmitSamplesConsent '
# Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
# Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
condition: selection
falsepositives:
- Administrator activity (must be investigated)
level: high
rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+14 -6
View File
@@ -1,11 +1,13 @@
title: Microsoft Defender Tamper Protection Trigger
id: 49e5bc24-8b86-49f1-b743-535f332c2856
status: stable
description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
references:
- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
author: Bhabesh Raj
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
author: Bhabesh Raj, Nasreddine Bencherchali
date: 2021/07/05
modified: 2022/12/06
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -14,11 +16,17 @@ logsource:
service: windefend
detection:
selection:
EventID: 5013
EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
Value|endswith:
- '\Windows Defender\DisableAntiSpyware = 0x1()'
- '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
- '\Windows Defender\DisableAntiSpyware'
- '\Windows Defender\DisableAntiVirus'
- '\Windows Defender\Scan\DisableArchiveScanning'
- '\Windows Defender\Scan\DisableScanningNetworkFiles'
- '\Real-Time Protection\DisableRealtimeMonitoring'
- '\Real-Time Protection\DisableBehaviorMonitoring'
- '\Real-Time Protection\DisableIOAVProtection'
- '\Real-Time Protection\DisableScriptScanning'
condition: selection
falsepositives:
- Administrator actions
- Administrator might try to disable defender features during testing (must be investigated)
level: high
rules/windows/builtin/windefend/win_defender_threat.yml
+4 -4
View File
@@ -15,10 +15,10 @@ logsource:
detection:
selection:
EventID:
- 1006
- 1116
- 1015
- 1117
- 1006 # The antimalware engine found malware or other potentially unwanted software.
- 1116 # The antimalware platform detected malware or other potentially unwanted software.
- 1015 # The antimalware platform detected suspicious behavior.
- 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
condition: selection
falsepositives:
- Unlikely
rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml
+4 -1
View File
@@ -10,7 +10,7 @@ references:
- https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019/10/27
modified: 2022/08/26
modified: 2022/12/14
tags:
- attack.privilege_escalation
- attack.defense_evasion
@@ -95,6 +95,9 @@ detection:
- 'C:\Windows\System32\schtasks.exe'
- 'C:\Windows\SysWOW64\schtasks.exe'
TargetImage: 'C:\Windows\System32\conhost.exe'
filter_nvidia:
SourceImage: 'C:\Windows\explorer.exe'
TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
condition: selection and not 1 of filter*
fields:
- ComputerName
rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
+5
View File
@@ -4,8 +4,10 @@ status: experimental
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
author: Florian Roth
date: 2022/08/24
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.s0139
@@ -32,6 +34,9 @@ detection:
- 'storage.googleapis.com'
- 'anonfiles.com'
- 'send.exploit.in'
- 'privatlab.net'
- 'privatlab.com'
- 'sendspace.com'
selection_extension:
TargetFilename|contains:
- '.exe:Zone'
rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
+5
View File
@@ -4,8 +4,10 @@ status: experimental
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
author: Florian Roth
date: 2022/08/24
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.s0139
@@ -32,6 +34,9 @@ detection:
- 'storage.googleapis.com'
- 'anonfiles.com'
- 'send.exploit.in'
- 'privatlab.net'
- 'privatlab.com'
- 'sendspace.com'
selection_extension:
TargetFilename|contains:
- '.ps1:Zone'
rules/windows/file/file_event/file_event_lsass_shtinkering.yml
+24
View File
@@ -0,0 +1,24 @@
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: experimental
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022/12/08
tags:
- attack.credential_access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
TargetFilename|contains: 'lsass.exe.'
TargetFilename|endswith: '.dmp'
condition: selection
falsepositives:
- Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Unidentified Attacker November 2018
title: Unidentified Attacker November 2018 - File
id: 3a3f81ca-652c-482b-adeb-b1c804727f74
related:
- id: 7453575c-a747-40b9-839b-125a0aae324b
@@ -9,7 +9,7 @@ references:
- https://twitter.com/DrunkBinary/status/1063075530180886529
author: '@41thexplorer, Microsoft Defender ATP'
date: 2018/11/20
modified: 2021/09/19
modified: 2022/12/02
tags:
- attack.execution
- attack.t1218.011
rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+38
View File
@@ -0,0 +1,38 @@
title: Creation Of Non-Existent DLLs In System Folders
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
- id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
type: similar
status: experimental
description: Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking
references:
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://github.com/Wh04m1001/SysmonEoP
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
author: Nasreddine Bencherchali
date: 2022/12/01
modified: 2022/12/09
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename:
- 'C:\Windows\System32\WLBSCTRL.dll'
- 'C:\Windows\System32\TSMSISrv.dll'
- 'C:\Windows\System32\TSVIPSrv.dll'
- 'C:\Windows\System32\wow64log.dll'
filter:
Image|startswith: 'C:\Windows\System32\'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: WScript or CScript Dropper
title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
- id: cea72823-df4d-4567-950c-0b579eaf0846
@@ -9,7 +9,7 @@ references:
- WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022/01/10
modified: 2022/01/11
modified: 2022/12/02
logsource:
category: file_event
product: windows
rules/windows/file/file_event/file_event_win_hack_dumpert.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Dumpert Process Dumper
title: Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
@@ -10,7 +10,7 @@ references:
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth
date: 2020/02/04
modified: 2022/10/09
modified: 2022/12/02
tags:
- attack.credential_access
- attack.t1003.001
rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
+1 -2
View File
@@ -26,8 +26,7 @@ detection:
- '\SAM-2023-' # C++ version
- '\SAM-haxx' # Early C++ versions
- '\Sam.save' # PowerShell version
- TargetFilename:
- 'C:\windows\temp\sam' # C# version of HiveNightmare
- TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare
condition: selection
fields:
- CommandLine
rules/windows/file/file_event/file_event_win_mal_adwind.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Adwind RAT / JRAT
title: Adwind RAT / JRAT File Artifact
id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
related:
- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
@@ -10,7 +10,7 @@ references:
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
modified: 2022/10/09
modified: 2022/12/02
tags:
- attack.execution
- attack.t1059.005
rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml → rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml
View File
rules/windows/file/file_event/file_event_win_pingback_backdoor.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Pingback Backdoor
title: Pingback Backdoor - File
id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
@@ -7,7 +7,7 @@ references:
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
author: Bhabesh Raj
date: 2021/05/05
modified: 2022/10/09
modified: 2022/12/02
tags:
- attack.persistence
- attack.t1574.001
rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+10 -2
View File
@@ -15,9 +15,11 @@ references:
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
date: 2018/04/07
modified: 2022/10/28
modified: 2022/12/04
tags:
- attack.execution
- attack.t1059.001
@@ -145,12 +147,15 @@ detection:
- '\Invoke-Get-RBCD-Threaded.ps1'
- '\Invoke-Gopher.ps1'
- '\Invoke-Grouper2.ps1'
- '\Invoke-Grouper3.ps1'
- '\Invoke-HandleKatz.ps1'
- '\Invoke-Internalmonologue.ps1'
- '\Invoke-KrbRelay.ps1'
- '\Invoke-KrbRelayUp.ps1'
- '\Invoke-LdapSignCheck.ps1'
- '\Invoke-Lockless.ps1'
- '\Invoke-MITM6.ps1'
- '\Invoke-MalSCCM.ps1'
- '\Invoke-NanoDump.ps1'
- '\Invoke-OxidResolver.ps1'
- '\Invoke-P0wnedshell.ps1'
@@ -184,6 +189,7 @@ detection:
- '\Invoke-SharpPrintNightmare.ps1'
- '\Invoke-SharpPrinter.ps1'
- '\Invoke-SharpRDP.ps1'
- '\Invoke-SharpSCCM.ps1'
- '\Invoke-SharpSSDP.ps1'
- '\Invoke-SharpSecDump.ps1'
- '\Invoke-SharpSniper.ps1'
@@ -191,6 +197,7 @@ detection:
- '\Invoke-SharpSpray.ps1'
- '\Invoke-SharpStay.ps1'
- '\Invoke-SharpUp.ps1'
- '\Invoke-SharpWSUS.ps1'
- '\Invoke-SharpWatson.ps1'
- '\Invoke-Sharphound2.ps1'
- '\Invoke-Sharphound3.ps1'
@@ -205,6 +212,7 @@ detection:
- '\Invoke-StickyNotesExtract.ps1'
- '\Invoke-Thunderfox.ps1'
- '\Invoke-Tokenvator.ps1'
- '\Invoke-TotalExec.ps1'
- '\Invoke-UrbanBishop.ps1'
- '\Invoke-Whisker.ps1'
- '\Invoke-WireTap.ps1'
rules/windows/file/file_event/file_event_win_susp_dropper.yml
+7 -1
View File
@@ -6,7 +6,7 @@ references:
- Malware Sandbox
author: frack113
date: 2022/03/09
modified: 2022/11/08
modified: 2022/12/07
tags:
- attack.resource_development
- attack.t1587.001
@@ -76,9 +76,15 @@ detection:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
Image|endswith: '\mscorsvw.exe'
TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_'
filter_vscode:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\'
Image|endswith: '\Microsoft VS Code\Code.exe'
TargetFilename|contains: '\.vscode\extensions\'
condition: selection and not 1 of filter_*
falsepositives:
- Software installers
- Update utilities
- 32bit applications launching their 64bit versions
#Please contribute to FP to increase the level
level: low
rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Wmiprvse Wbemcomn DLL Hijack
title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
@@ -6,7 +6,7 @@ references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/12
modified: 2022/10/09
modified: 2022/12/02
tags:
- attack.execution
- attack.t1047
rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
+1 -2
View File
@@ -30,8 +30,7 @@ detection:
- '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
- '\msedgewebview2.exe'
- '\OneDrive.exe'
- Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image: null
condition: selection_dll and not filter_legit
falsepositives:
rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Alternate PowerShell Hosts
title: Alternate PowerShell Hosts - Image
id: fe6e002f-f244-4278-9263-20e4b593827f
status: experimental
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
@@ -6,7 +6,7 @@ references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019/09/12
modified: 2022/11/22
modified: 2022/12/02
tags:
- attack.execution
- attack.t1059.001
rules/windows/image_load/image_load_foggyweb_nobelium.yml
+3 -3
View File
@@ -1,12 +1,12 @@
title: FoggyWeb Backdoor DLL Loading
id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
status: test
description: Detects DLL image load activity as used by FoggyWeb backdoor loader
description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
references:
- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Florian Roth
date: 2021/09/27
modified: 2022/10/09
modified: 2022/12/09
tags:
- attack.resource_development
- attack.t1587
@@ -15,7 +15,7 @@ logsource:
product: windows
detection:
selection:
Image: C:\Windows\ADFS\version.dll
ImageLoaded: 'C:\Windows\ADFS\version.dll'
condition: selection
falsepositives:
- Unlikely
rules/windows/image_load/image_load_pingback_backdoor.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Pingback Backdoor
title: Pingback Backdoor - Image
id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
status: experimental
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
@@ -7,7 +7,7 @@ references:
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
author: Bhabesh Raj
date: 2021/05/05
modified: 2022/08/14
modified: 2022/12/02
tags:
- attack.persistence
- attack.t1574.001
rules/windows/image_load/image_load_side_load_classicexplorer32.yml
+27
View File
@@ -0,0 +1,27 @@
title: Potential DLL Sideloading Via ClassicExplorer32.dll
id: caa02837-f659-466f-bca6-48bde2826ab4
status: experimental
description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
references:
- https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
- https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
author: frack113
date: 2022/12/13
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection_classicexplorer:
ImageLoaded|endswith: '\ClassicExplorer32.dll'
filter_classicexplorer:
ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
condition: selection_classicexplorer and not filter_classicexplorer
falsepositives:
- Unknown
level: medium
rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+8 -1
View File
@@ -9,7 +9,7 @@ references:
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)
date: 2022/08/14
modified: 2022/10/25
modified: 2022/12/09
tags:
- attack.defense_evasion
- attack.persistence
@@ -433,6 +433,13 @@ detection:
- '\igd10iumd64.dll'
- '\igd12umd64.dll'
- '\igdusc64.dll'
# Other
- '\WLBSCTRL.dll'
- '\TSMSISrv.dll'
- '\TSVIPSrv.dll'
- '\wow64log.dll'
- '\WptsExtensions.dll'
- '\wbemcomn.dll'
filter_generic:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
+43
View File
@@ -0,0 +1,43 @@
title: Sideloading Of Non-Existent DLLs From System Folders
id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
- id: df6ecb8b-7822-4f4b-b412-08f524b4576c
type: similar
status: experimental
description: Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation
references:
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://github.com/Wh04m1001/SysmonEoP
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
author: Nasreddine Bencherchali
date: 2022/12/09
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
# Add other DLLs
- 'C:\Windows\System32\WLBSCTRL.dll'
- 'C:\Windows\System32\TSMSISrv.dll'
- 'C:\Windows\System32\TSVIPSrv.dll'
- 'C:\Windows\System32\wow64log.dll'
- 'C:\Windows\System32\WptsExtensions.dll'
- 'C:\Windows\System32\wbem\wbemcomn.dll'
filter_ms_signed:
Signed: 'true'
# There could be other signatures (please add when found)
Signature: 'Microsoft Windows'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
rules/windows/image_load/image_load_side_load_scm.yml
+29
View File
@@ -0,0 +1,29 @@
title: SCM DLL Sideload
id: bc3cc333-48b9-467a-9d1f-d44ee594ef48
status: experimental
description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
references:
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
author: Nasreddine Bencherchali
date: 2022/12/01
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded:
- 'C:\Windows\System32\WLBSCTRL.dll'
- 'C:\Windows\System32\TSMSISrv.dll'
- 'C:\Windows\System32\TSVIPSrv.dll'
Image: 'C:\Windows\System32\svchost.exe'
condition: selection
falsepositives:
- Unknown
level: medium
rules/windows/image_load/image_load_side_load_vmguestlib.yml
+29
View File
@@ -0,0 +1,29 @@
title: VMGuestLib DLL Sideload
id: 70e8e9b4-6a93-4cb7-8cde-da69502e7aff
status: experimental
description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
references:
- https://decoded.avast.io/martinchlumecky/png-steganography/
author: Nasreddine Bencherchali
date: 2022/12/01
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|contains|all:
- '\VMware\VMware Tools\vmStatsProvider\win32'
- '\vmGuestLib.dll'
Image|endswith: '\Windows\System32\wbem\WmiApSrv.exe'
filter:
Signed: 'true'
condition: selection and not filter
falsepositives:
- FP could occure if the legitimate version of vmGuestLib already exists on the system
level: medium
rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
+2 -2
View File
@@ -11,7 +11,7 @@ references:
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019/10/27
modified: 2022/09/15
modified: 2022/12/09
tags:
- attack.credential_access
- attack.t1003.001
@@ -50,7 +50,7 @@ detection:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Signed: 'FALSE'
Signed: 'false'
filter1:
- Image|contains: 'Visual Studio'
- CommandLine|contains:
rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+7 -1
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
author: Nasreddine Bencherchali
date: 2022/07/17
modified: 2022/10/12
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1070
@@ -28,6 +28,12 @@ detection:
- ImageLoaded|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- Image:
- 'C:\Windows\SysWOW64\rundll32.exe' # Typical for installers and updaters
- 'C:\Windows\System32\rundll32.exe' # Typical for installers and updaters
- CommandLine|contains|all:
- '\AppData\Local\Temp\' # Typical for installers and updaters
- '\setup.exe'
filter_cleanmgr:
# Example CLI that generates this event: C:\WINDOWS\system32\cleanmgr.exe /autocleanstoragesense /d C:
# Sometimes the DLL gets loaded from %temp%
rules/windows/image_load/image_load_susp_python_image_load.yml
+1 -2
View File
@@ -18,8 +18,7 @@ detection:
selection:
Description: 'Python Core'
filter_generic:
- Image|contains:
- 'Python' # FPs with python38.dll, python.exe etc.
- Image|contains: 'Python' # FPs with python38.dll, python.exe etc.
- Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
rules/windows/image_load/image_load_susp_vss_dll_load.yml
+8
View File
@@ -6,6 +6,7 @@ references:
- https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2022/10/31
modified: 2022/12/14
tags:
- attack.defense_evasion
- attack.impact
@@ -23,6 +24,13 @@ detection:
- 'C:\Windows\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
# The following filter is required because of many FPs cause by :
# C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe
# C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe
# C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe
# C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe
# etc.
- 'C:\ProgramData\Package Cache\'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
rules/windows/image_load/image_load_tttracer_mod_load.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Time Travel Debugging Utility Usage
title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
@@ -8,7 +8,7 @@ references:
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020/10/06
modified: 2022/10/09
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.credential_access
rules/windows/network_connection/net_connection_win_binary_susp_com.yml
+5 -1
View File
@@ -6,9 +6,10 @@ references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
author: Florian Roth
date: 2018/08/30
modified: 2022/08/09
modified: 2022/12/02
tags:
- attack.lateral_movement
- attack.t1105
@@ -33,6 +34,9 @@ detection:
- 'anonfiles.com'
- 'send.exploit.in'
- 'transfer.sh'
- 'privatlab.net'
- 'privatlab.com'
- 'sendspace.com'
Image|startswith:
- 'C:\Windows\'
- 'C:\Users\Public\'
rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
+2 -4
View File
@@ -22,10 +22,8 @@ detection:
Initiated: 'true'
SourcePort: 3389
selection2:
- DestinationIp|startswith:
- '127.'
- DestinationIp:
- '::1'
- DestinationIp|startswith: '127.'
- DestinationIp: '::1'
condition: selection and selection2
falsepositives:
- Unknown
rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+1 -2
View File
@@ -43,8 +43,7 @@ detection:
- '51.103.' # Microsoft range, caused some FPs
- '51.104.' # Microsoft range, caused some FPs
- '51.105.' # Microsoft range, caused some FPs
- CommandLine|contains:
- 'PcaSvc.dll,PcaPatchSdbTask'
- CommandLine|contains: 'PcaSvc.dll,PcaPatchSdbTask'
filter_update_processes:
ParentImage: 'C:\Windows\System32\svchost.exe'
RemoteAddress|endswith: ':443'
rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+2 -4
View File
@@ -27,10 +27,8 @@ detection:
- '\Windows\Fonts\'
- '\Windows\IME\'
- '\Windows\addins\'
- Image|endswith:
- '\$Recycle.bin'
- Image|startswith:
- 'C:\Perflogs\'
- Image|endswith: '\$Recycle.bin'
- Image|startswith: 'C:\Perflogs\'
false_positive1:
Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location
condition: selection and not 1 of false_positive*
rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml
+2 -2
View File
@@ -7,7 +7,7 @@ references:
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
author: Florian Roth
date: 2021/07/30
modified: 2022/10/09
modified: 2022/12/03
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -23,7 +23,7 @@ detection:
- PipeName|re: '\\\\ntsvcs[0-9a-f]{2}'
- PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}'
- PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}'
- PipeName|re: '\\\\mypipe\-(?:f|h)[0-9a-f]{2}'
- PipeName|re: '\\\\mypipe-(?:f|h)[0-9a-f]{2}'
- PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}'
- PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}'
- PipeName|re: '\\\\scerpc_?[0-9a-f]{2}'
rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
+30
View File
@@ -0,0 +1,30 @@
title: Nslookup PowerShell Download Cradle
id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
related:
- id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
type: similar
status: experimental
description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
references:
- https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Sai Prashanth Pulisetti @pulisettis
date: 2022/12/10
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_classic_start
definition: fields have to be extract from event
detection:
selection:
HostApplication|contains|all:
- 'powershell'
- 'nslookup'
HostApplication|contains:
- '-q=txt'
- '-querytype=txt'
condition: selection
falsepositives:
- Unknown
level: high
rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: PowerShell Downgrade Attack
title: PowerShell Downgrade Attack - PowerShell
id: 6331d09b-4785-4c13-980f-f96661356249
status: experimental
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
@@ -6,7 +6,7 @@ references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
date: 2017/03/22
modified: 2021/10/16
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.execution
rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
related:
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
@@ -10,7 +10,7 @@ references:
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113
date: 2021/07/13
modified: 2022/10/09
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1218
rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Zip A Folder With PowerShell For Staging In Temp
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell
id: 71ff406e-b633-4989-96ec-bc49d825a412
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
@@ -9,7 +9,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
author: frack113
date: 2021/07/20
modified: 2022/10/09
modified: 2022/12/02
tags:
- attack.collection
- attack.t1074.001
rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Suspicious XOR Encoded PowerShell Command Line
title: Suspicious XOR Encoded PowerShell Command Line - PowerShell
id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
status: experimental
description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
@@ -6,7 +6,7 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
author: Teymur Kheirkhabarov, Harish Segar (rule)
date: 2020/06/29
modified: 2022/07/07
modified: 2022/12/02
tags:
- attack.execution
- attack.t1059.001
rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Alternate PowerShell Hosts
title: Alternate PowerShell Hosts - PowerShell Module
id: 64e8e417-c19a-475a-8d19-98ea705394cc
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
@@ -6,7 +6,7 @@ references:
- https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
modified: 2022/10/10
modified: 2022/12/02
tags:
- attack.execution
- attack.t1059.001
rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Clear PowerShell History
title: Clear PowerShell History - PowerShell Module
id: f99276ad-d122-4989-a09a-d00904a5f9d2
related:
- id: dfba4ce1-e0ea-495f-986e-97140f31af2d
@@ -9,7 +9,7 @@ references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2019/10/25
modified: 2022/05/10
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1070.003
rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
+2 -2
View File
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
author: Jonathan Cheong, oscd.community
date: 2020/10/13
modified: 2022/11/27
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1027
@@ -21,7 +21,7 @@ logsource:
definition: PowerShell Module Logging must be enabled
detection:
selection_4103:
Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
condition: selection_4103
falsepositives:
- Unknown
rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+2 -2
View File
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/11/29
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1027
@@ -21,7 +21,7 @@ logsource:
definition: PowerShell Module Logging must be enabled
detection:
selection_4103:
Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
condition: selection_4103
falsepositives:
- Unknown
rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+2 -2
View File
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/11/29
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1027
@@ -21,7 +21,7 @@ logsource:
definition: PowerShell Module Logging must be enabled
detection:
selection_4103:
Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
condition: selection_4103
falsepositives:
- Unknown
rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
+2 -2
View File
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
modified: 2022/11/29
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1027
@@ -21,7 +21,7 @@ logsource:
definition: PowerShell Module Logging must be enabled
detection:
selection_4103:
Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
condition: selection_4103
falsepositives:
- Unknown
rules/windows/powershell/powershell_module/posh_pm_powercat.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Netcat The Powershell Version
title: Netcat The Powershell Version - PowerShell Module
id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
status: experimental
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
@@ -8,7 +8,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
author: frack113
date: 2021/07/21
modified: 2021/10/16
modified: 2022/12/02
tags:
- attack.command_and_control
- attack.t1095
rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
status: experimental
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
@@ -7,7 +7,7 @@ references:
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113
date: 2021/07/13
modified: 2021/10/16
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1218
rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Suspicious PowerShell Download
title: Suspicious PowerShell Download - PowerShell Module
id: de41232e-12e8-49fa-86bc-c05c7e722df9
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
@@ -7,7 +7,7 @@ status: experimental
description: Detects suspicious PowerShell download command
author: Florian Roth
date: 2017/03/05
modified: 2021/10/18
modified: 2022/12/02
tags:
- attack.execution
- attack.t1059.001
rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
+2 -1
View File
@@ -1,4 +1,4 @@
title: Use Get-NetTCPConnection
title: Use Get-NetTCPConnection - PowerShell Module
id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1
status: experimental
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
@@ -6,6 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021/12/10
modified: 2022/12/02
tags:
- attack.discovery
- attack.t1049
rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Suspicious PowerShell Invocations - Generic
title: Suspicious PowerShell Invocations - Generic - PowerShell Module
id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
related:
- id: 3d304fda-78aa-43ed-975c-d740798a49c1
@@ -7,7 +7,7 @@ status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (rule)
date: 2017/03/12
modified: 2021/12/02
modified: 2022/12/02
tags:
- attack.execution
- attack.t1059.001
rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Suspicious PowerShell Invocations - Specific
title: Suspicious PowerShell Invocations - Specific - PowerShell Module
id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
@@ -7,7 +7,7 @@ status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2022/02/21
modified: 2022/12/02
tags:
- attack.execution
- attack.t1059.001
rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
+2 -1
View File
@@ -1,4 +1,4 @@
title: Suspicious Get Information for SMB Share
title: Suspicious Get Information for SMB Share - PowerShell Module
id: 6942bd25-5970-40ab-af49-944247103358
status: experimental
description: |
@@ -9,6 +9,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021/12/15
modified: 2022/12/02
tags:
- attack.discovery
- attack.t1069.001
rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Zip A Folder With PowerShell For Staging In Temp
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
id: daf7eb81-35fd-410d-9d7a-657837e602bb
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
@@ -9,7 +9,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
author: frack113
date: 2021/07/20
modified: 2021/10/16
modified: 2022/12/02
tags:
- attack.collection
- attack.t1074.001
rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
title: SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
@@ -11,7 +11,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
date: 2020/10/05
modified: 2021/10/18
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1218
rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Clear PowerShell History
title: Clear PowerShell History - PowerShell
id: 26b692dc-1722-49b2-b496-a8258aa6371d
related:
- id: dfba4ce1-e0ea-495f-986e-97140f31af2d
@@ -9,7 +9,7 @@ references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2022/01/25
modified: 2022/05/10
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1070.003
rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+2 -2
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
author: Jonathan Cheong, oscd.community
date: 2020/10/13
modified: 2022/11/27
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1027
@@ -18,7 +18,7 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
condition: selection_4104
falsepositives:
- Unknown
rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+2 -2
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/11/29
modified: 2022/12/03
tags:
- attack.defense_evasion
- attack.t1027
@@ -18,7 +18,7 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$?\{?input\}?|noexit).+\"'
ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
condition: selection_4104
falsepositives:
- Unknown
rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+2 -2
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/11/29
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1027
@@ -18,7 +18,7 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
condition: selection_4104
falsepositives:
- Unknown
rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+2 -2
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
modified: 2022/11/29
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1027
@@ -18,7 +18,7 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_4104:
ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
condition: selection_4104
falsepositives:
- Unknown
rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+12 -7
View File
@@ -9,9 +9,11 @@ references:
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update)
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update)
date: 2017/03/05
modified: 2022/10/28
modified: 2022/12/04
tags:
- attack.execution
- attack.t1059.001
@@ -128,13 +130,14 @@ detection:
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper2'
- 'Invoke-Grouper' # cover Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-Internalmonologue'
- 'Invoke-KrbRelayUp'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MITM6'
- 'Invoke-MalSCCM'
- 'Invoke-NanoDump'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
@@ -144,6 +147,7 @@ detection:
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-Seatbelt'
- 'Invoke-ShadowSpray'
- 'Invoke-SharPersist'
- 'Invoke-SharpAllowedToAct'
- 'Invoke-SharpBlock'
@@ -157,7 +161,6 @@ detection:
- 'Invoke-SharpGPOAbuse'
- 'Invoke-SharpHandler'
- 'Invoke-SharpHide'
- 'Invoke-SharpHound4'
- 'Invoke-SharpImpersonation'
- 'Invoke-SharpImpersonationNoSpace'
- 'Invoke-SharpKatz'
@@ -167,6 +170,7 @@ detection:
- 'Invoke-SharpPrintNightmare'
- 'Invoke-SharpPrinter'
- 'Invoke-SharpRDP'
- 'Invoke-SharpSCCM'
- 'Invoke-SharpSSDP'
- 'Invoke-SharpSecDump'
- 'Invoke-SharpSniper'
@@ -174,9 +178,9 @@ detection:
- 'Invoke-SharpSpray'
- 'Invoke-SharpStay'
- 'Invoke-SharpUp'
- 'Invoke-SharpWSUS'
- 'Invoke-SharpWatson'
- 'Invoke-Sharphound2'
- 'Invoke-Sharphound3'
- 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
- 'Invoke-Sharplocker'
- 'Invoke-Sharpshares'
- 'Invoke-Sharpview'
@@ -185,6 +189,7 @@ detection:
- 'Invoke-Spoolsample'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-TotalExec'
- 'Invoke-Thunderfox'
- 'Invoke-Tokenvator'
- 'Invoke-UrbanBishop'
rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Root Certificate Installed
title: Root Certificate Installed - PowerShell
id: 42821614-9264-4761-acfc-5772c3286f76
status: experimental
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020/10/10
modified: 2021/12/04
modified: 2022/12/02
tags:
- attack.defense_evasion
- attack.t1553.004
rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+3 -4
View File
@@ -1,4 +1,4 @@
title: Change PowerShell Policies to an Insecure Level
title: Change PowerShell Policies to an Insecure Level - PowerShell
id: 61d0475c-173f-4844-86f7-f3eebae1c66b
status: experimental
description: Detects use of Set-ExecutionPolicy to set insecure policies
@@ -8,7 +8,7 @@ references:
- https://adsecurity.org/?p=2604
author: frack113
date: 2021/10/20
modified: 2022/09/10
modified: 2022/12/02
tags:
- attack.execution
- attack.t1059.001
@@ -25,8 +25,7 @@ detection:
- 'bypass'
- 'RemoteSigned'
filter:
- ParentImage:
- 'C:\ProgramData\chocolatey\choco.exe'
- ParentImage: 'C:\ProgramData\chocolatey\choco.exe'
- ScriptBlockText|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Detected Windows Software Discovery
title: Detected Windows Software Discovery - PowerShell
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
status: experimental
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
@@ -7,7 +7,7 @@ references:
- https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020/10/16
modified: 2021/11/12
modified: 2022/12/02
tags:
- attack.discovery
- attack.t1518
rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Suspicious PowerShell Download
title: Suspicious PowerShell Download - Powershell Script
id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
@@ -7,7 +7,7 @@ status: experimental
description: Detects suspicious PowerShell download command
author: Florian Roth
date: 2017/03/05
modified: 2021/10/18
modified: 2022/12/02
tags:
- attack.execution
- attack.t1059.001
rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
+2 -1
View File
@@ -1,4 +1,4 @@
title: Delete Volume Shadow Copies via WMI with PowerShell
title: Delete Volume Shadow Copies via WMI with PowerShell - PS Script
id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
status: test
description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
@@ -6,6 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
author: frack113
date: 2021/12/26
modified: 2022/12/02
tags:
- attack.impact
- attack.t1490
rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
+2 -1
View File
@@ -1,4 +1,4 @@
title: Deletion of Volume Shadow Copies via WMI with PowerShell
title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
id: c1337eb8-921a-4b59-855b-4ba188ddcc42
related:
- id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
@@ -12,6 +12,7 @@ references:
- https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch
date: 2022/09/20
modified: 2022/12/02
tags:
- attack.impact
- attack.t1490
rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+2 -2
View File
@@ -1,4 +1,4 @@
title: Zip A Folder With PowerShell For Staging In Temp
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
status: experimental
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
author: frack113
date: 2021/07/20
modified: 2021/10/16
modified: 2022/12/02
tags:
- attack.collection
- attack.t1074.001
rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml
+28
View File
@@ -0,0 +1,28 @@
title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
id: e9b61244-893f-427c-b287-3e708f321c6b
status: experimental
description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
- https://ss64.com/nt/mklink.html
author: frack113
date: 2022/12/11
tags:
- attack.credential_access
- attack.t1546.008
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.exe'
selection_cli:
CommandLine|contains|all:
- 'mklink'
- '\osk.exe'
- '\cmd.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high

Some files were not shown because too many files have changed in this diff Show More