From af99186992ddfafe2a6c49af043f6c1206c98f74 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 12 Sep 2023 21:28:01 -0300 Subject: [PATCH 1/9] [New Rule] New BBR Rules - Part 3 (#3034) * [New Rule] New BBR Rules - Part 3 * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --- detection_rules/etc/non-ecs-schema.json | 1 + .../persistence_startup_folder_scripts.toml | 5 ++ .../credential_access_kirbi_file.toml | 70 +++++++++++++++++++ ...nse_evasion_unusual_process_path_wbem.toml | 54 ++++++++++++++ .../execution_downloaded_url_file.toml | 32 ++++----- .../execution_wmi_wbemtest.toml | 45 ++++++++++++ .../lateral_movement_wmic_remote.toml | 61 ++++++++++++++++ 7 files changed, 251 insertions(+), 17 deletions(-) create mode 100644 rules_building_block/credential_access_kirbi_file.toml create mode 100644 rules_building_block/defense_evasion_unusual_process_path_wbem.toml rename {rules/windows => rules_building_block}/execution_downloaded_url_file.toml (60%) create mode 100644 rules_building_block/execution_wmi_wbemtest.toml create mode 100644 rules_building_block/lateral_movement_wmic_remote.toml
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 22153ef2a..ba80df95a 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -71,6 +71,7 @@
 "process.Ext.effective_parent.name": "keyword",
 "file.Ext.header_bytes": "keyword",
 "file.Ext.entropy": "long",
+ "file.Ext.windows.zone_identifier": "long",
 "file.size": "long",
 "file.Ext.original.name": "keyword",
 "dll.Ext.device.product_id": "keyword",
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index b7e0207ac..1ba5001ae 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -137,6 +137,11 @@ id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" +[[rule.threat.technique.subtechnique]] +id = "T1547.009" +name = "Shortcut Modification" +reference = "https://attack.mitre.org/techniques/T1547/009/" + [rule.threat.tactic]
diff --git a/rules_building_block/credential_access_kirbi_file.toml b/rules_building_block/credential_access_kirbi_file.toml
new file mode 100644
index 000000000..f8dbf8449
--- /dev/null
+++ b/rules_building_block/credential_access_kirbi_file.toml
@@ -0,0 +1,70 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running
+Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the
+attacker to impersonate users using Kerberos tickets.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Kirbi File Creation"
+risk_score = 21
+rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique]]
+id = "T1558"
+name = "Steal or Forge Kerberos Tickets"
+reference = "https://attack.mitre.org/techniques/T1558/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
new file mode 100644
index 000000000..bf630f783
--- /dev/null
+++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual Process Execution on WBEM Path"
+risk_score = 21
+rule_id = "1f460f12-a3cf-4105-9ebb-f788cc63f365"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.executable : ("?:\\Windows\\System32\\wbem\\*", "?:\\Windows\\SysWow64\\wbem\\*") and
+ not process.name : (
+ "mofcomp.exe",
+ "scrcons.exe",
+ "unsecapp.exe",
+ "wbemtest.exe",
+ "winmgmt.exe",
+ "wmiadap.exe",
+ "wmiapsrv.exe",
+ "wmic.exe",
+ "wmiprvse.exe"
+ )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
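Review bot: The second `[[rule.threat]]` block maps this rule to T1059 / T1059.001 (PowerShell) under the Execution tactic, but the query is only `file.extension : "kirbi"` with no interpreter, process or command-line condition, so that mapping is not supported by what the rule actually matches and will mislabel its alerts in ATT&CK coverage views. Either drop the Execution block or explain in the description why ticket-dump output is being attributed to PowerShell. Because the detection rests on the file extension alone, the description should also set expectations for analysts, e.g. `This rule keys on the .kirbi extension and is intended as a low-confidence building block for correlation rather than a standalone alert.`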
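Review bot: The allowlist at `not process.name : (...)` trusts the file name alone, so any binary in the wbem directory that carries one of the nine listed names is excluded regardless of who signed it, which is the masquerading case the rule is meant to surface. Tying the exclusion to a valid signature keeps the genuine WMI components quiet while still flagging a look-alike: `not (process.name : ("mofcomp.exe", ... , "wmiprvse.exe") and process.code_signature.trusted == true)`. `process.code_signature.trusted` is an ECS boolean, and this rule set already filters on `process.code_signature.subject_name` elsewhere, so the field should be available on the same events.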
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules_building_block/execution_downloaded_url_file.toml
similarity index 60%
rename from rules/windows/execution_downloaded_url_file.toml
rename to rules_building_block/execution_downloaded_url_file.toml
index 603baeac0..71f3ee33e 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules_building_block/execution_downloaded_url_file.toml
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2020/09/02"
-integration = ["endpoint", "windows"]
-maturity = "development"
-query_schema_validation = false
-updated_date = "2023/06/22"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
 
 [rule]
 author = ["Elastic"]
@@ -11,26 +12,23 @@ description = """
 Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in
 phishing campaigns.
 """
-from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Downloaded URL Files"
-risk_score = 47
+risk_score = 21
 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
-severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
 type = "eql"
 
 query = '''
-/* leaving in development pending `file.Ext.windows.zone_identifier` landing in ECS then endpoint */
-
-sequence by process.entity_id with maxspan=2s
- [file where host.os.type == "windows" and event.type == "creation" and file.extension == "url" and
- not process.name == "explorer.exe"]
- [file where host.os.type == "windows" and event.type == "creation" and file.extension == "url:Zone.Identifier" and
- /* non-ECS field - may disqualify conversion */
- file.Ext.windows.zone_identifier > 1 and not process.name == "explorer.exe"]
+file where host.os.type == "windows" and event.type == "creation" and file.extension == "url"
+ and file.Ext.windows.zone_identifier > 1 and not process.name : "explorer.exe"
 '''
 
 
diff --git a/r
ules_building_block/execution_wmi_wbemtest.toml b/rules_building_block/execution_wmi_wbemtest.toml
new file mode 100644
index 000000000..d4771fec3
--- /dev/null
+++ b/rules_building_block/execution_wmi_wbemtest.toml
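Review bot: `file.extension == "url"` on the first new query line is a case-sensitive equality, while the `process.name` comparison on the second line was switched to the case-insensitive `:` operator in the same edit; if the endpoint reports the extension as `URL` or `Url` the rule misses the event. Use `file.extension : "url"` for consistency with the rest of the query. The same `==` comparison is kept for `file.extension == "lnk"` in rules_building_block/execution_downloaded_shortcut_files.toml (Part 2 of this series) and should be changed there too.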
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against
+local or remote endpoints.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "WMI WBEMTEST Utility Execution"
+risk_score = 21
+rule_id = "d3551433-782f-4e22-bbea-c816af2d41c6"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.name : "wbemtest.exe"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml
new file mode 100644
index 000000000..fcdef0622
--- /dev/null
+++ b/rules_building_block/lateral_movement_wmic_remote.toml
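Review bot: The query matches on `process.name : "wbemtest.exe"` only, so a copy of the utility started under a different file name is not seen; checking the PE metadata as well closes that gap, e.g. `(process.name : "wbemtest.exe" or process.pe.original_file_name : "wbemtest.exe")`. `process.pe.original_file_name` is an ECS field populated by Elastic Defend process events. The same name-only match is used for `process.name : "WMIC.exe"` in rules_building_block/lateral_movement_wmic_remote.toml, where `process.pe.original_file_name : "wmic.exe"` would serve the same purpose.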
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2023/08/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately,
+attackers can abuse this built-in utility to achieve lateral movement.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "WMIC Remote Command"
+risk_score = 21
+rule_id = "f59668de-caa0-4b84-94c1-3a1549e1e798"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "WMIC.exe" and
+ process.args : "*node:*" and
+ process.args : ("call", "set", "get")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
From ddb1f75352ea19870b5c275b7d152ee2d99cb100 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 12 Sep 2023 21:49:22 -0300 Subject: [PATCH 2/9] [New Rule] New BBR Rules - Part 2 (#3029) * [New Rule] New BBR Rules - Part 2 * Update discovery_generic_account_groups.toml * Update discovery_generic_account_groups.toml * Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/execution_downloaded_shortcut_files.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules_building_block/defense_evasion_unusual_process_extension.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update defense_evasion_unusual_process_extension.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --- .../persistence_registry_uncommon.toml | 9 ++- ...ense_evasion_cmd_copy_binary_contents.toml | 48 ++++++++++++++ ...nse_evasion_unusual_process_extension.toml | 60 +++++++++++++++++ .../execution_downloaded_shortcut_files.toml | 31 ++++----- rules_building_block/execution_mofcomp.toml | 65 +++++++++++++++++++ ...persistence_msoffice_startup_registry.toml | 52 +++++++++++++++ 6 files changed, 247 insertions(+), 18 deletions(-) create mode 100644 rules_building_block/defense_evasion_cmd_copy_binary_contents.toml create mode 100644 rules_building_block/defense_evasion_unusual_process_extension.toml rename {rules/windows => rules_building_block}/execution_downloaded_shortcut_files.toml (59%) create mode 100644 rules_building_block/execution_mofcomp.toml create mode 100644 rules_building_block/persistence_msoffice_startup_registry.toml 
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 1f981bea1..aaed54042 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -102,7 +102,14 @@ id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.002" +name = "Screensaver" +reference = "https://attack.mitre.org/techniques/T1546/002/" [rule.threat.tactic] id = "TA0003"
diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
new file mode 100644
index 000000000..d7f1350a8
--- /dev/null
+++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Binary Content Copy via Cmd.exe"
+risk_score = 21
+rule_id = "53dedd83-1be7-430f-8026-363256395c8b"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "cmd.exe" and (
+ (process.args : "type" and process.args : (">", ">>")) or
+ (process.args : "copy" and process.args : "/b"))
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/defense_evasion_unusual_process_extension.toml b/rules_building_block/defense_evasion_unusual_process_extension.toml
new file mode 100644
index 000000000..74f784b76
--- /dev/null
+++ b/rules_building_block/defense_evasion_unusual_process_extension.toml
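Review bot: The `type` branch, `(process.args : "type" and process.args : (">", ">>"))`, fires on any redirected `type` invocation and not only on binary reassembly, so the description's "reassemble binary fragments" overstates what is matched and the rule will also see ordinary text or log concatenation in administrative and build scripts. For a low-risk building block that breadth is acceptable, but it should be stated so analysts reading an alert know the `type` path is weaker evidence than `copy /b`. Add a `false_positives` entry such as `false_positives = ["Administrative or build scripts that concatenate files through redirected type output or copy /b."]`, or widen the description to say that both redirected `type` output and `copy /b` are matched.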
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies processes running with unusual extensions that are not typically valid for Windows executables.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual Process Extension"
+risk_score = 21
+rule_id = "800e01be-a7a4-46d0-8de9-69f3c9582b44"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.executable : "?*" and
+ not process.name : ("*.exe", "*.com", "*.scr", "*.tmp", "*.dat") and
+ not process.executable :
+ (
+ "MemCompression",
+ "Registry",
+ "vmmem",
+ "vmmemWSL",
+ "?:\\Program Files\\Dell\\SupportAssistAgent\\*.p5x",
+ "?:\\Program Files\\Docker\\Docker\\com.docker.service",
+ "?:\\Users\\*\\AppData\\Local\\Intel\\AGS\\Libs\\AGSRunner.bin"
+ ) and
+ not (
+ (process.name : "C9632CF058AE4321B6B0B5EA39B710FE" and process.code_signature.subject_name == "Dell Inc") or
+ (process.name : "*.upd" and process.code_signature.subject_name == "Bloomberg LP") or
+ (process.name: "FD552E21-686E-413C-931D-3B82A9D29F3B" and process.code_signature.subject_name: "Adobe Inc.") or
+ (process.name: "3B91051C-AE82-43C9-BCEF-0309CD2DD9EB" and process.code_signature.subject_name: "McAfee, LLC")
+ )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules_building_block/execution_downloaded_shortcut_files.toml
similarity index 59%
rename from rules/windows/execution_downloaded_shortcut_files.toml
rename to rules_building_block/execution_downloaded_shortcut_files.toml
index 87e2411f5..259534f12 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules_building_block/execution_downloaded_shortcut_files.toml
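Review bot: The four vendor exclusions inside the final `not ( ... )` accept a process on the strength of `process.code_signature.subject_name` alone, without requiring `process.code_signature.trusted == true`, so a binary whose signature does not chain to a trusted root but names one of these subjects is excluded as well; the subject string by itself is not verification. Each clause should carry the trust check, e.g. `(process.name : "*.upd" and process.code_signature.trusted == true and process.code_signature.subject_name : "Bloomberg LP")`. The clauses also mix operators for the same field (`== "Dell Inc"` and `== "Bloomberg LP"` against `: "Adobe Inc."` and `: "McAfee, LLC"`); using `:` throughout matches the rest of the query and avoids a case-sensitive miss on the two `==` comparisons.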
@@ -1,37 +1,34 @@ [metadata] creation_date = "2020/09/02" -integration = ["endpoint", "windows"] -maturity = "development" -query_schema_validation = false -updated_date = "2023/06/22" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/23" [rule] author = ["Elastic"] description = """ Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns. + """ -from = "now-9m" -index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] +from = "now-119m" +interval = "60m" +index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Downloaded Shortcut Files" risk_score = 21 -rule_id = "6b1fd8e8-cefe-444c-bc4d-feaa2c497347" +rule_id = "39157d52-4035-44a8-9d1a-6f8c5f580a07" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"] +timestamp_override = "event.ingested" type = "eql" +building_block_type = "default" query = ''' -/* leaving in development pending `file.Ext.windows.zone_identifier` landing in ECS then endpoint */ - -sequence by process.entity_id with maxspan=2s - /* file.extension added to endpoint fields for 7.10 */ - [file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk"] - /* not sure yet how the update will capture ADS */ - [file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk:Zone.Identifier" and - /* non-ECS field - may disqualify conversion */ - file.Ext.windows.zone_identifier > 1] +file where host.os.type == "windows" and event.type == "creation" and file.extension == "lnk" and 
file.Ext.windows.zone_identifier > 1 '''
diff --git a/rules_building_block/execution_mofcomp.toml b/rules_building_block/execution_mofcomp.toml
new file mode 100644
index 000000000..7876fc1de
--- /dev/null
+++ b/rules_building_block/execution_mofcomp.toml
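Review bot: The description string gains a trailing empty line in this hunk (the added `+` line just before the closing `"""` after `phishing campaigns.`), which ends up as a dangling blank in the rendered description and differs from the otherwise identical .url sibling rule; drop that added line so the string ends at `phishing campaigns.`. The rename also replaces `rule_id` with a new UUID while the .url rule in the previous commit kept its id; since the old rule was `maturity = "development"` this is presumably harmless, but the reason belongs in the commit message.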
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF
+files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or
+establish persistence using WMI Event Subscription.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Mofcomp Activity"
+risk_score = 21
+rule_id = "210d4430-b371-470e-b879-80b7182aa75e"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : "mofcomp.exe" and process.args : "*.mof" and
+ not user.id : "S-1-5-18"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.003"
+name = "Windows Management Instrumentation Event Subscription"
+reference = "https://attack.mitre.org/techniques/T1546/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules_building_block/persistence_msoffice_startup_registry.toml b/rules_building_block/persistence_msoffice_startup_registry.toml
new file mode 100644
index 000000000..456d3ffdf
--- /dev/null
+++ b/rules_building_block/persistence_msoffice_startup_registry.toml
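Review bot: The exclusion `not user.id : "S-1-5-18"` removes every SYSTEM-context compile from view without recording why, and it also covers mofcomp runs launched from a service or scheduled task that an intruder already controls as SYSTEM, so the trade-off deserves to be visible in the query itself. Add an inline comment giving the rationale, e.g. `/* SYSTEM (S-1-5-18) excluded, presumably to suppress OS-initiated MOF compilation; this also hides SYSTEM-context abuse */`, adjusting the wording to the actual noise source. If that source is a small set of known parents, a parent-process condition would be a narrower exclusion than the account-wide one.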
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/08/22"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to
+specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain
+persistence on a compromised host.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Office Test Registry Persistence"
+references = [
+ "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
+]
+risk_score = 21
+rule_id = "14dab405-5dd9-450c-8106-72951af2391f"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+registry where host.os.type == "windows" and event.action != "deletion" and
+ registry.path : "*\\Software\\Microsoft\\Office Test\\Special\\Perf\\*"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1137"
+name = "Office Application Startup"
+reference = "https://attack.mitre.org/techniques/T1137/"
+[[rule.threat.technique.subtechnique]]
+id = "T1137.002"
+name = "Office Test"
+reference = "https://attack.mitre.org/techniques/T1137/002/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
From 4034436f06b5fbc18f5735e77171c8287c1aab26 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Wed, 13 Sep 2023 08:07:01 -0300 Subject: [PATCH 3/9] [Security Content] Add missing osquery transforms (#3088) * [Security Content] Add missing osquery transforms * Revertable unit test * . * Revert "Revertable unit test" This reverts commit 8c909fc2712b16e062890a63f31a6c080b81244a. --------- Co-authored-by: Mika Ayenson --- .../threat_intel_indicator_match_address.toml | 28 +++++++++++++++++++ .../threat_intel_indicator_match_hash.toml | 25 +++++++++++++++++ ...threat_intel_indicator_match_registry.toml | 25 +++++++++++++++++ .../threat_intel_indicator_match_url.toml | 28 +++++++++++++++++++ 4 files changed, 106 insertions(+)
diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/cross-platform/threat_intel_indicator_match_address.toml
index 645fd1b45..33b1f3a77 100644
--- a/rules/cross-platform/threat_intel_indicator_match_address.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_address.toml
@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -30,6 +55,9 @@ Matches are based on threat intelligence data that's been ingested during the la This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
 #### Possible investigation steps
 
 - Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.
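Review bot: In the `Osquery - Retrieve Services Running on User Accounts` transform, `user_account == null` can never be true: osquery evaluates SQLite, where a comparison with `NULL` yields `NULL`, and a `NULL` term inside the `OR` makes the whole `NOT (...)` predicate `NULL` for every row whose account is not one of the three listed built-ins, so the query returns no rows at all rather than the user-account services it is meant to list. Replace it with `user_account IS NULL`. The identical query text is added to threat_intel_indicator_match_hash.toml, threat_intel_indicator_match_registry.toml and threat_intel_indicator_match_url.toml in this commit and needs the same fix; since the block is copied verbatim four times, a shared snippet would keep future corrections in one place.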
diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml
index 9dc5fe673..bc87591b0 100644
--- a/rules/cross-platform/threat_intel_indicator_match_hash.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml
@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """
diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/cross-platform/threat_intel_indicator_match_registry.toml
index 61873d86b..0544553c9 100644
--- a/rules/cross-platform/threat_intel_indicator_match_registry.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_registry.toml
@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """
diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml
index 847c5ba85..548dcb99a 100644
--- a/rules/cross-platform/threat_intel_indicator_match_url.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_url.toml
@@ -8,6 +8,31 @@ general rules.
 """
 min_stack_version = "8.5.0"
 
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -30,6 +55,9 @@ Matches are based on threat intelligence data that's been ingested during the la
 This rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.
 
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
 #### Possible investigation steps
 
 - Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:
From ccfc931fbd047606f6651d6739d62288309b97b8 Mon Sep 17 00:00:00 2001 From: Hilton Date: Thu, 14 Sep 2023 02:51:07 +1000 Subject: [PATCH 4/9] Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity (#3091) * Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server" as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour. * simplified detection logic by utilising process.parent.args --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --- .../execution_command_shell_started_by_unusual_process.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index fd0b008d3..f5c6bef24 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -51,7 +51,8 @@ process where host.os.type == "windows" and event.type == "start" and
 "WerFault.exe",
 "WUDFHost.exe",
 "unsecapp.exe",
- "wlanext.exe" )
+ "wlanext.exe" ) and
+ not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}")
 '''
 
 
From 904e37b732c4a79dbe30af0985ed788792103a8c Mon Sep 17 00:00:00 2001
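Review bot: The new exclusion on the last added line keys only on `process.parent.name : "dllhost.exe"` plus the CLSID argument, so any parent process that happens to carry that name and argument is exempted regardless of where its binary lives; anchoring it on the path instead, e.g. `not (process.parent.executable : "?:\\Windows\\System32\\dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}")`, keeps the exception limited to the system COM surrogate. The reason for the exemption (the OOBE Elevated Object Server created during Windows Autopilot provisioning) is only recorded in the commit message; if the rule's `note` or false-positives text does not already say so, add a sentence there so the next tuning pass knows why this CLSID is excluded. The `query` block this hunk modifies begins outside the hunk.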
From: Isai <59296946+imays11@users.noreply.github.com> Date: Thu, 14 Sep 2023 17:16:51 -0400 Subject: [PATCH 5/9] [New Rule] GitHub Protected Branch Settings Changed (#3054) * new rule file * testing query change * query changed back * Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml updates based on review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * updated integration manifests with github schema * Update defense_evasion_github_protected_branch_settings_changed.toml added event.dataset to query * added timestamp_override * changed timestamp_override to @timestamp * changed timestamp_override --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --- .../etc/integration-manifests.json.gz | Bin 7391 -> 7676 bytes .../etc/integration-schemas.json.gz | Bin 2616031 -> 2622294 bytes ...hub_protected_branch_settings_changed.toml | 51 ++++++++++++++++++ 3 files changed, 51 insertions(+) create mode 100644 rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml 
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 123ebf9175c10e6befab5d5df4cdca64c6c13c67..5303e11f2b397ba4045a1f4f18580e7e841fc010 100644 GIT binary patch literal 7676 zcmZX3byO2>*ft`Fr1a>}(FlUD0Rqwj(jXloHF9)!I%+gZGmtJx8718@r4f)W0qKTs z`2OB=-gCZlwq5u2T-ROCpU)Vh9zQmB+Be6%vvzQ`uyQtawT3!8w>NdLwzP0@b>Xpb zfjVI9X4<>V)u)Bu;jv|>eeR>cXx(e574xaDnX|S`nDL($9v&ktcYOL*1ZXj3f3%p& zo4^etRX+6Mmh8A;{%WVr+q{R*^f>st3ACg4csM{epoIk7nQnRkpsKt}8fFunDXA>c(iHAgWm2WbO}bX?t=v z)NuJ6Stl;nFD)9WvD0+c=I3kBe0J?b$+8xqvixW8u>L#{LQ|k8dg;IO@&|bFFa~gB zE$V%lA$t~O{Ykca>b4EsaNtTa%G#YCQ*g8<^tQtjd9lkkBxf>^={ay_Bi{O);Z4Ju zzw9%;+fOM08R2IQD^;EX_%#Z*r|>1s0|R~@u*$oOyRyr*#WnbKo~3nj%K<+joBF|T zQ$A$+2xDnP4fu|8fjv#mR6jT~Df{J!hrh^^-fojtIA#Bt@c!~*j?(h_sHgf~k1r^e z>k)QA<$=8r{$Rut^@Ixki}@xJ_pF5mC^nnZv$%X#1w5OCPTHBL1B|7sB3Ngi3e9iw z@cO)8!z^cpExJ4bY!{tdwG73V8J0)D(cL2f{qDJ!YuCMIo;v;=zMo}dx3he*3^sme zrstlVEl%$H>rp_-Av$Tffev`b99M71#s?s`ugQr=UgZe|!y1u}^-T@)f-iR^Mb@A}KsLjhYl zfGtT!bCGs#kao(_-U}DARC_Umd=>Hp>8b>P59lnOR4N7{mdi+WZ$6c_E)Ox_!8s8Z zgGf__HfcK>EEK5230qB+kxbx9mN`%euK8q}+_j#FHNQ2*iEA*0gzn7@vkSIUWbXre z!Dql;aviK}F479a1}?io(Fd`TfHlS2b6e4Xi2a4n zI(sM{=G!PNGH_QdbQlh_2>`$Zgv8R%I|vj7L*n=afZ#!CP-x5#*{$X^a@)4sQQ1@ z<|TEAbM(7j=8}*g;hvI}gmEWFXNM9IqJ!06?fs37+m8_s|vYhJh&ZOB7`7HBCE6<=-U^uquWXE8V*z zfE1P`fm(va-b1G9zgikuC`NAY&m|KEWR=c*9|9bv!5W!Btx)O%=7$UTErD-)L@((|1T*TpN?7m$i`+~@<05Hv$pm%^@9}$0A1-3)b6?5#Lpq*jn^eg|4P1m4O3 z>EB`$b;@Dtc=y*}pVVQi{OWrCYEis3OrNGW`Hqxl`2?`VtuJBQZ0pMAD>{f!Ak}{L zH_}p&>tuk&ZMfk`dCTkD$RxeiDKP~uX95U82&3r#n`}e+(cKM!i-3?KBx^wk1q1}| zU%-KYfMh}-_A)gvgfKB7qK;&kIdWY};Nzs6Kq`A04vI;i7A1;+i2pMk!4TO0Ofjwj zVb2{cFwlNw;z|PfkB?BZA6a1tj(@?VnKEmDj)37#D5PA5Oa|pxPKKx>RZftpaoP<1 z*DFGWHbUj&q>6wfIpKYvD6pMN))~sA&xIma7a$-DMkm%NAcTdeUue{R$lg!fYZdNt z!Nl3X`dgj|4c??xA^dFsSOlWL8O+}scv?9SP$Bg|sF8187VrC7uBZ{b1Q+LbCq*KEg7KXsy-lV3_4HoQvRZc@&fZ1vWIjZ+!%7UBY{a zZcV$37ZPzVhCmq({tFYKwOj<^+u-}2*}83}UhMzoSWnLzt!~$4*_LR{gnlp8hE?C* z&Rw@v&X*yTCIPa-A`EZo_MqAq~+@z2XVXn 
z;nwrMiChYDS-UPzvi$0RT++6W0cAQ(QCBbH&Fudem+WIBXzYy%a|Y`LnF}gw$0ZP| zSqdtHm{MjiEVSp$6)d!g)Gbexw27=OwDEwY*41L(*b@%bMKNy5+Qf;;^4dSmSvd4y zv${XceF&s#JrZT@%WSKIlggw%PYCGAa@XM9m$9~(l)LBYx|a0!MTq$H0R1*;Wp9-x zrK{6e=gcn6tiXD;Ij;8;bSHZlC7!@6D0LQ2lvDIAQBZWnge2}Bt<5w$iLw~J0;xrF zY(Bm59wh7Ak{AlPK}cHJHlM!bmGOfx6hD%ctFM1qsMNL^;ZyzLl^&fHdenr3ZV0te zVzQsjN~XCw?M_-56KmA0?v%N89bb>+R$AH9$sVfbdA8Lc;eQD!?it-e>_&-hA1x?X z&|^)qutqtlAz61w68{xC>F-Bif3dBur6m8KvAAofG;^WV`TV7eTV;}D2PZ;i^I3y~ z;ul4@J58#L0hjHU%mW<_?77dS8BViG>lLY=v7@&oPVAo0MbFh`?qu<1%A7)2uQn7t zu3ExG<<(+NO4Uy@n)6PwU&xOKzI;eKKJSm}sgVN#mHh0<^sA!aaxB{^c!AUPy+&5jH36JJzjAWxPiMr5|`yMap`;4(q1l-<8ay z0`Xqj#wR%*f<3Kb@+M|A_XkpA@*t+=I{0-xrj+_moM;w%eqNt}233=J>4vNtj$Tl2 z6bgr28{zys=b;gcDe#(2{PT?|y~PeN;C(b45)`nawx@bxOQ_`t?Vtbht8#UU(hvJ= z@)vek6VBq5(>`Bt&)gExqK`9xd{5kWzjwayc<8c@mFru>DuWuOCND!?)>glf8s%5U z1YdBl6K?TQf8um>xy}U2o*%_`NZFRz5QUrSNjO1^= zaSe1ti600-UU>ZY!7F|+4G}nNjpCqK+~&(#%hs?r+3z)YZ7}+~VVinqV>(X zafYbRX6HmT*0}!WXnlnstv9U<_vZ4eZw1vV2^^tA2bE%B1J1=|UYFa=GgbH#b$r;7 zR3E_+Zq_?4k+A2T9z{pK7qZZnaq7W`(k7GyNIjN~Lsmm0a)v=2tKaJ&Kx%W?<8us|5Bc!rb zM%PjsIBcfJgq2efKcVvaev=s&Q{1Bb8kN2!Du+|oqeeZO_Tew(0?gI<@e4!TKMug5 zy@k`Y*ZUL>Ffpm6wb(72)BJ%-6CEgmgiUg7TqD)3oois?snU-kOihX|Lb{!si0rGR zdQE9s=cFdV*QQTjxA&^1^{E~nXtEw^8eWIOPO^WO-u)lgYz5X$x4^!CmzrC_jE5lo zx``pdSjwLvX;0HE(;pABO1UV7uE*u#lI5bd1*T+v${!u3R03F~$bgV6Sb>+!PhYa! 
z3mHfdYz&iM!1SqrMkXs^V-*t&K$(yJuEvSxOiMt<)u&lcAH_%Dr%%%YS)7KVVJ(t> zq)TD~<>)2tKR}7E)J&e`IKlr2V$z&R7(dG)>D^89tf#IrVkaVKR-vmROpJdNn-G8V zsGly=a30Gt(*Auke^oPQ{h`gWaLDj_7L4r)(K9hqCb4!oRT_DC>B7qcf=LUmM%JtW zZ@Xh9(ZZ9N&Ci|>M1CXv?D?}*3s4&$!f#zkVi6PNc2{P3w&^X7A@BQ-ve%-@7AJW{ zSf*wH4!xdt7Im+a!2YO|ky*x3tol(qquEvcs|e;CKe-*0Wx&yU`-l37x*|JxUa~+f z9t4hfCr}F-W01Ag9J>^XrkCCMNo4i_&1u!f24;@|5>0Yk&~SlTOth0irgp48$bM11 zZXeY2&LN%$>VdHkZhbq%in%#Y93-TGMM^>km&gKQhCPmblcPfN0I&T33%L7&3*|Q+ zs694@xY`ubSCEd{%Ugj^U_Xy_??rLy8Of^;k@fo@jxy6AM3_P}fi7tn zYK?SHB%1v(coe^*Fn(z!VG!^OF$8)<{&Y2Dc*PJH5Q*VPvg?V_zJsGiAi3jbOv7`u zZ_a}HkY)ZRLB7&5C+jKU_%l}=8X3Ln@+PItKK@AX6lVvXf5Y$c>1)>GL8@+psslN{ zAK_pVzhG?z+J#71L(F9pHZ;Bb*8MvgBR~>A+a;?h%zx11@F+RBz0@#C91L4Z+9}&F zC>`$86P+qZTut>%8v1!*WVu!;wB-lu2HSa=d}y`4FsVFgIkl9pe7^10oey#8$2ZF$ zU0u^rVwN>3lB1SZj90)llgC|Pv93r-QZ{aWLnW>Fw_@6*F288-_*+k$Gb~@!OrE6h zeK~KUb6x(&ql(EXxki1B2TuAXW+QRM`0qRm1V}~eVF%I0mA*aH{h=Iv=iG?}Oo^3( zE^~EH@u}FF$O@Qz>MrIg0o2y^`zgv*Ci{EK>RL}PF1(-u(tN;*T-H-out*1DPTyrz zT(I{O#3K zqNdFhX3V_2sL!Z^xf)J&jTRWrs1!@xPj&02S4`Gxgwome%bb$d%9}hajvVMB5@$rA zOEK#g6*2+3OCRF*^(U~~J|;AIIWvwN78qv~46?TfgV|)4%p3Su@PuZPX#1}9!Tl62 z388a|ta;sE>ssZac*wq83uW^5PDc2`@kH5LPPpz6&-YJho<|0V0rs8Up=vZVGPcu| zdftxCPeQ((d?xF*2D1&gnI$SsCn?l(faYvoCK-Z3?V-aU-1PZURmHk*Ic{syKr&Eo zK5}?#Vz*S^uodZSXBajvh?_nbJ`667yR@^y4N{oKl(Xvq+65D)3*e@kx4Xa3?S0#> zJz}KQd|{L!17C907xmYT-YYojU0$*m&FraB2;21kI)pgsu?DFkV*7l`FN@N&{jfGV zGh{0x$Bl~1X>>xGDc4u7yPuD3w2{X_JFSIi%R$^(xNK`KiIo$--kVbLBwQ4EHtQ}F zT=2M#*!2O@Bp_^f%8ucz#IrCdvgq90qD*eVk?Qac_v&e(x9Ku=g^|jK-QnXZ$uwpV zyxdH7fo?!r%$N#!+Att3#$6i1h{2oUE`hjTF|4xx6)8N!LHZauV zG%F_7KNY}@3h=!=o<`P_4=fb_)a)unfu6o{GY9eU3Y`n2Cka0?9!x@@Da`{o~mnlN|h6PF0?|{b*|=>B`B`Hwv~G*YUL}I za_Ho-BE9A{d5*;=u9amKgHAhA_sV)Ho~`Tk=p&r3bvY9suiyF9E3C*T|ADXu-IKbg zB-iMqZ?F=2Nb6e{9UqHWM&YRw0pYH%@->mAqf+oahkPMQYXHZtE>KO;ElP{{ZLv%~ zQkJtn-bU+S1o~4FX6|UBtf%iN$SSYzR_e-`&WcmaZfm?z*+8;diq&{)aJg@Nre^=4 zh)8OJS1W>!Gd7bZoKrp*$zFUJw*5n~Wb0v7)1kKAd>*LJ<0-TzzSnWHMZe6JoXCKj 
z2azMYR4u#29GTa9T2bt2S9~tN_JvYs%F(yp5i|7X7vW!mMS&dbC}+G0^vkI$*>_5L zTP>DP4zlOOtOvfI8DNJ^0k`K%9jC$}o7iA3&T_2mZW^I-qs5A*1Z{%{Ua*OIW{#D}SnGGs^dD^M|v>?iM9~^)Hs=4_jG&Hh@wt#b?-A>{O?Gz52Ni8w-C}4Dw{sTrx45*au-M)MGr z#s5tv4f@cLjB6$=DY=9f_BCHVw1Yfy6ANtK4r%ZwtZj}8Adn9?W7ml#_oKpZ zayS?6GDlVy2ZIi2m!>F8Q?vs3vCxyW(9=*sP4&PR*q#)s`W91}t$^wLvL6-xA+pOd z3M+=AK%TB%eyjvdEuyf7xeDY((R2h&t)hSuK+$-tWBJG%MzMK0g-^alp zF9IA6{#>n=o-p^DD&;8%)Gxs0)YJ4CbwNDR@)Qf#OZwcO7STd+Nm5- zJUb)KQbPT)EzK9Il1f#>W~{&J>oc(ywl|o#>lw(S44*hdYBuX6-1lD1=WSSjSt#B* z(N%&(WI+YQvgLVSq!~*TutgWJeLT)b9RuUD_|vkU{-}v5up-+Mmiy_#e!M!iYF0t# z{(3#q$h!mL9W1X(qpV80#gVtg@luqkZ8n?@>PFg3HH~EHl@Z4dNZK-c9e(M&{vsF8Vwl z+zi?ue;R%WUKTAa#I1iym4kQ18E2<|_1MJC+k)LTR7ZUPX(rAeagaS&tpt11MG-)b zlTbRqi8%Su%`7jLe*?(BA$0qZ<@JA`2*CE1M$uLt3c6yRCkI0%Z@?{W6Ta%+ZUWhK z*~&d^Lp^Nr=X5o@E+0=DEmvIn&qHU3a5Szsr}^+Lh=}$?x#VRIjv5=Y_b5 zDTsnMROc*Uzi}+o!xJy$W-ju(SGo&)E|$h>3S-_LDaMog2Nl+&>}tKI_-#(2p|_l+ z`}`ZB5jK+0l_I`^5DoTEjc{CPH%0s&t@PU?g-Qfb6hI`;FZ-Mw()kmKhM~wP7qp?&5d#hfAlS(Jg)(CMJWVzVfaA=C8cjc z`(i4j=9YvEC(P>dJKu#84)yZQ*?mI!Oa{*68j(uvt2{JF9iW_$erWKc8+4p5Sakwf z@cvs5d){wwEDx$Wv0gyDt`4%7u!s`L4Jyz1Dr;i?5dC@@mDTsCzJzUVnaknS)`z<8 znVCmkM8=>^(cbHoKW!-um0jg>x!$Q0@T{FLyS$d~qT7uwYA+KaFomg>Y_0;{xmWZi z7-InVL2d&2bURSd@G+;8zt*9YTE9!420#O2;sQU%g}Er>D9@P}E7`|iYauM>a0EWk zMyz#vp^gm*<`jCx>BW&rpi!t2j&B{Um?`prH~$@{+csuWX%zG9OHCTSrZ^%AVNsv8 z0A{P#iiIVMtpt{04uRUuIXtVrC}AJ)by&u8q!o@E^G4*tjHFTDXGG-#b|>nbt{KVx eK@7LOQWL*bLE literal 7391 zcmZWtbySprvqc(2atTFXsihGFmPYCBMiA+4kOrl@J7qz-mrkWtKw?3 z@4R=;`(yXcow+k}=R0S=Kb9sM8~dHXygBNFjibATm8*%njgupXgNdV!rG=Zj8>g+C zlOxJO?mM@&fwr)RDBJ4S+QE{Z`z?o{L4yhn-;&qbJdJL3c2)|Q&nqy|6p26PnBU(_ zKcRRlr?Y<(V{zRnhe^q`*NvdXXMawrZ5}hB@Ecsxwn& zmmyMDzrzsFedkVDqSNsMqEAfL4FwG&M6%4w_>4z2*bJ4b+L;yC@OF5ia*Sabi%dogxM(e1c?&Qf(vG(p6cNmhUI(WMx@{~2H4iLGEf zQ+z&j$B~Z!T6#7AaI+tS;@WF--I(QStBh)!cX8PB6+C-|Y z>4pQhHeYS8E}iqTQ*-p#r#&FTkL#{jGSgnEXd@n^&wB%h0#D-&icapMXKVzbqp&V3 z21oo5YNCc6i0(B4=`&^}#aig8TQTDMSo&(i)yO5B6(P25bj#10+;YwHJ~h0~P-#6% 
z{PV7&9~EcM>8gK9QMOXRWpzky$>q7-cX>k`2Ehad48FmW)IWrq@!GC0zKd?K=s#4V z)-R7iq(7bunRY}b->&+-kJs{7fm$SOUwBhHtQ};!-j7LoX$JJT=1Rv+jERmZ3wv$b z+TYzZpSK(9^b2FOrCKs`@nT%3++kvDq<%tuRrBrQW?O_jvy0F>%21+o^%u_YzPpyj z^Cb>)m(i{tRHi!-1y{DXd^uUDrd$!VAK^*p-Yi2A3kA3z86e6V%qPk2~e zqQ>|Dg##cT3~u0-q0CmL#G0oljO{Ined-VcAK0862nG*W_wwBs#Bn>CMS(SZX|cNv zZ%nqMKC#tIrLGl128AM_u%MzQp`g;Z5TW97`p7-zQnPZQs7m~5PKt^+V0kbb-at9M z$CP^b-f!06x;r#npVKHt0>-)X2sOMqLv`u|2L=I88 zH|vno^;Q~|TA^3%UN@uh35g>RVHE}XguEyG4{{PcqIbwt+i!U3>8Bl{YuV${zyA+6 zh;)*IWebPUjN%t1=|qPDGpc&cg^aA?uQhNWT6(%q zG^UD@%*)2zg0%R`(A8P-c*M)Iw2~M|r^7xYGk`ioZ#j3uUWir@GilZvIql@A`PHv(-?)(bB6$NA9SP)G%Qo zc~sNNho-UuwUx`M?eqYiPKWZL(8sw72}Q2zn&RbVWrn88n~>rlEswHNKGK0Qq?A=Y z1$SL5p&XP-rx5DG`fum|1hfjF{a&<4O*%8_#dsLfvj{{>tSCqerh$+uLzTlQi~EX; zw7RMD*hU{$YW7@L&O?G#JO!72?{Or9LMV|3vK9q~#7(__oRmLX(lb%>-$!5n+lv(a zJ52gO(ZE~2fY$;O3_(Ar4E-kZbOaVpTf zWT5k@K9;fWXH#7)q69N@?ZHFTg>>T56VeUbb#%|)Xey(^IaPSY0m>4*5!2GV@&IM= ze}Ob$B+QzyD%u*X&Wi;RZ{UOoO2G{yFyUi+C!p21tOnh4bD<| z+@3w_K5s2VYrqdjSLfyZr}|Y)G8qCiV1fhGd6h_ltaGKH@(@9R=Uf^MYZ*tx{wpun z1V0D6p!66*4n zTH(5+?ApEBBJuA9I3q>x-ky&1d%g0TJRV_;yKJL43UxB*!YOwu{SC}XbN=-LUzY-y z6X%??Ls`xBjh|`-0Ox0CKwEM5bBpL&#YOX*JQ-oU4r9YRR)+D%|BuKI;?&ZEf)o`R znH)QZKIyW#+9Imq@_I}*{7b5Lf9HR;;%9mnc2Mve>F~)2zm>oOrdfI^3Bq>elkNer z#p8?ESDiHWGHD>-L$8W~Gh=M-_wlfu41Q1(?JN+lYZn2E=rX~_M|w~u_V0c9^1qL7 z_j|k<4Cnue2twX0h`f3GDe`8Sth3DzZvc-fU|cwMO!zl`juq>5+SxEHWOdq%KkviC zb&%8@CekAb!%FQ9$>U`B9zVJ65SIVfMT>R~>JJyggnNWWPf+9Jxs98DiK!N5TXS=) zXyqWN;zFrAiVg?B8~H=zdi=wE*W5MOy&Y?cr@yVtVW)S=2RG|)3d=}24%a(uJBO(h@>7^=%qu>YT}P<%m*L~ry(7DE z61+0eBL4Lz8=(V=$HF4|6oA6XfkN$SYxc%ulvfBJ2fdUH9+cNkT z)U$iUcfn@aE;4D!$(8)x>-M60(1F)z>@x4wqFj`uyo{&dkp8)ryYXz@llQGWtk;TE zy|*&%M<)5einM?lW_gB7i9z{;jm6*%K$36427p6QwPd_8-!NBh51~?xne?6;vwpM= zYQB5U7REH1diLfkCfU9th2!MR&T9(KOj@?;1pnM>dVr5k-vqSM8r{HtzlMmwa z>ZfN^hMQw$*~f3j=k}VzgJ0Oz2c@uAcM$OD=j&OzZ2GqhY7DavJZ@uPj20x7R0ad5 z2QoCd7tJxa^?waWDyL~tvi(eZZe3pvv(LQq#Q<0itB@W1QA;Mh9*nv(hmYd( 
z>B}pSK`p|vD*tFw(lA8NdzB92n*KY3y$U=aQd)rY+Q|K{H#>)Yey#wdXlKPuU|TvU z)b~2tTTN1Vni2FLqz6UMy+(2-rfBM4YRO;Ezi^e9mOef+q`_XKA%&P{en4$NMEx;`f;B7w);UvNr7?gPg?v^KgKM@(uc>|JE*4g$gRHLg zJ2=Su#pOSG^*&&phvZTZf6IUWds;f?6?x$>Sz$OuxJI3ieZe)h2Xn!7Oo1u74Oanf zu^L*+uY!;l&MCi8^%^p&(*y@jp9NHPxBIqHABWpsGVi;zs#GpmWNCA!Gf_?VzD8)g z`~jN!1CH$ZX~4*sb4$m2sBC%9Lo4+YmefB!wYWK53Qi2%R6A5Xx1-W>KKilrb+Kk+ z2JDYn72D< zqz0~|N%rFpa>0?m*%)-3DT^{HasmYaHO4XRWYj?O4g?>WrQyN?8$qzO9!$7Y4-p|6OUz(NKJ0 z7D`(but;jLE}cJ%|KewE!+Er-J!S0HvM0~iwRfU@(YKoAGc&N0rm<DioyAX`jZZlT%#b%s4q~gr9Tre8z7QUY1A4{88JX#>UqXgn_b%Iq5PI6 z%BU}MUQpj6KM8OYrWE;_Xd|?!7BpoJIg)+Ph0B=h{_Hw^p zaHG8RkHR$*5^XkKE)n<^H|iY*$PLh(*sIuL?>0B-Rq8w~6B;x=Gv5CRUr@G+x&Hw% zCmNMqB21-OiB&zBI1L-zt~9Y*gZL0*aq0 z@s7}EZDnJRFiAXB3L#4E$!id<_S5-aR~964~I{lIs^wVtp-Zh{ju(PLZL2(@Y<9U7rVH4kYunlMRE^)J1w6bs)*di184h!@EbWv@EAVGxy^_kN<*wQ8m@u zsizL_W-oHJZyY`KHrXc5&!2qT=NieMlSb)$M@MKC`Iatd3wuMKPA%e#AgV_kwi19{2l)k4dLs35W`BOU|k3Omxhd9sG0w&}3OSnC@{aLtso z8{u0slu>Wgx0@3$KY87w7^Zw0Kv{H4K~Z{bjsHy;W+TKI&xiFppB}|f$_^ihR79~@ zcaACcdfew$G8k|qSJFoQH3jXlOh}3LIDZjOVO;1M4*ASp=;d}mSNYo$YdLDfsi!4I zy#s^N=@*lc*Vz=)POAHARfg9>X}9ok)7+jDR)_HMM{5#ZD&C}AVDh1Wvx#d-cH(uG zp(9?2p_MPck%RQ;S}SKTLw8@Yc_ydRYqmg`{*fYkmkI2K_$)o`VZX6^29CSisNBh! 
z0dU~(Hi^*;>bQ$yDJrF$Vm6awdCg*i$MU_Mail+~elYtI+e{8;naUUW)Ah)vo}tj- zOiZ!DV_74vJa^DQCS8`Mu9um~6b zm;jicw(2;xYneY;H}&iRn2$9D+-%a(9~>;zJ-yf;Q5K0*V0aTKob|bYg5*+-L^hg| zuXcRF?l4<*g#y2drl#E)ezNQatGM&zu=CaF3=$J@@eiCEsm5nZ>*BNpA5~+^sQC`~ z6XC61+6&WDe2;f>LLV8XB=1$NJxP{1U1#eak_*^t{kY8)M6+`LvO4hq#&gJRg8nAn z?(2iIhi=z&g)x9LuRQqHn>%{qr_aMGx!nt~PDP)4Ss9y@4dbtw;`do2ifx~N7#rUk z)xb8Fg0m4rG<|F$J7SkT5qH69HOF5VIc$zd_m)aBeA|OB?1DXm-&l5!Wwoq#(v#I3 zMaYxr-^~}Z*Q`Y_ZboeG54XSohOM4`d*@Ux@nsErzazB6>F+ICBcK+iqggWg%k93p zACHP%1m3ZqQ7@Zk(kT25C#}{&6lhBxS1`BggFIL1j`sR(+TtcE(zlA3bN;AU8lo^| zyP{CUuBFSKk#avG1tDGaXaJO zKF0i7C*Ck{*Y=f({E{o;T|S?Bj-wsK5DXp+QO-2aHicF-Neo(;ktogDC)dt(4issH zKQ$naQ+{pYrc}O=^S-yMymzzWDQrMn&M3LI)qd758MkcgV;W&b2*-y$kWvq5wpKp5 zR-VkB3GCy?F+0>49rY%Fgb6MwkWU_eq???LI4$tx;L!;X(L$?f zvR@r-qubX3iYy6hD_rH1P)qs-o>0rP&@CVmw~j-%=pOMjbc^;8PeQjI>sx1`WRG<+ z=TH#0{o<>J*HD|By%HwGKs@6>{8&Eq!g!j*oUo@)lo#K;jQMulPms(Ou-;8}+U$G4 zHrH!jJF9plLi$PSqgRLEj_7)ZJfN75UlJg{!dRY8tn13qG<41^NN8<6MwM_~auWeL zfwQU-q;4w?%$Tv!TylwN<-K~54;%;|I+I>cF1qqV^5^-gl_F?;Fbd<7^ryIkJ}2J6 za&IO+y=0m1{VuIwOV8*C*~82_npo_ApSdnO>LIEe2Pb=0xwZ#|7y44L%tMeWyJ&QU z-Elh7J`GkPB&Kf2VQHOk)=a8Ln!D?A=o>imf#eK4D#EnD%J>@U7agN3PV_&la9nTN z|Gsg%Q*$sa#h0LZUy3iN)sTyZr=1|-p{@~5UarViR;>DMdb4UaOx7V`hRz9^2y@>l zG*IHl4d=imS09Hs&q0m}rOg(qv!h^XQSn-NdoH_S>(EdV;LF^@T1T}fnre`B;_`gQ zb$9Y_)N*zjj2Va0UNoQ+*Icj^VyQdu_IR2V>>kCWE>syCKj6-ycD@pS~wOJ?7hzY)#yMsUC2l*HJv*>=`UNynvnOC{panS>1dk2=d1J$dw=cdvptS9Va zSK|`srO*VU1I{-;Ct@-_6MybWe6G!(fDGjo(M-6)Xl>3@B*^^qnGMLm^}mOEiY-=w zPrKM(8jx{5(yx}Z2^hv?K}n(EuHVx`W!cE7hcK+jid+S?|%uoFD1~0bVwUvfh znfOz?_pm#!=BFNR@FLQ)>+jink_c){R{Fz8>5FlZ z^@o(i*Mkq!m*XPpz;F`NSNQ@=@7vJW_NR5;0A_s@eOal4*iMC=dZz_0OJ2>g5rng9-y#>pf|H&R5{{(D*79E@`vK_2feLHx32e#Sb7YYWO$KTtwL(&;G%=7kPY%_Gq5njcx~7mpsjIT5 zVfFp?oom3`b>o;Tk(s%aw8$5 zYO$=KcD}Z#5hDyw)$vW&nJ^>+XSahFMa9#Hjj#^$C`w_Xyo6Qg}Z_P zA6I+VY&O`nL$yE=Q%o^a#NQ(LUxviI*I9XV6VTXVtK=P=!gtTa?fL#U|2VMlT+hC6 z2^x7gC(~|~yp$|6nJncqWbMFuPe;(isI7fIVG#&1S5{^<11$%4G!wiwjDtx1OZW5wyO2-)-T 
z9hSlxxpMBrJUIQCLc%Ui;clYAGmq&+@BMaFn!xMt*R(@D&ALW9Mlt04@_M3P7l@zb zFs{z-8GrTO7uI6JV%agO8L_Gf$AXp%+k^*hBLmw>Cpgd(96B)@u$X+$cBYY+sOjqY zPtFeNy5no4h~(gGq-l(4foWtw)>cR;A8Pc&VHAAQbZp|GHHz|+ahd!Of6w4h{}T%x z*8=Z{k2D|7&)LY-FKU&#{6>?Gw?KLJWc32nhGGFzIJK*+@0iqacph#M>-mX|-sz3r zx)}Toj_EcZM?ECL#)b5|g_5H8t=lpr%e#ztaZYTg+y0}Xj>5J^MriJryB94Xu2STO zP4KU+Y^#n>m#CZ50B7qT-AQ+v#YKWRr6@YFUt& zVQky~?D*6uUTy|!iL6a5(GjJM!yWClQG>06J4RwPIx?9gr~4?8E{HY>BWp==_|n{T zO(t;UMm?FuANhG1+!iFGTW~avr+YrjvFlE1g676!nf;7MX3T&~xIs~ZV#&s2UtBsTIcMz*Q;S*g7`Q$sB&Zxcndy$PF*JvZ@O WkIuRI&H4TV8br9AxaAo-%6|bz|7+s_ 
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 33669f653c22132f5c835a5293098079846f6edc..dc8f49bd620b71287d6258f9054d74e22f152967 100644 GIT binary patch delta 28186 zcmch<1zZ)+{{OEa9HddCOF&RSx?55Zq@<*~L%J7fq@=sMOS+`Hy9K1XrGMZ@z249L z-1EQx`~6&aKiJ26XJ%*LJ7;#zdF^v%XNTkOj(8;81>yU^!0=mbzX!R4?z)2@+(D4; zpnL8hD0dLFJLozQ#vOFu9R%wRf^!GKyMqwiL5S`kBzF+9I|#)c^uQhT&>e*84tnGc zLURY9yMr*?L746!EO!vLI|#=egzFB%a|hwOg9zL~kKI9p?jRy}5V1Sxi93j-1VkDY z20RxHntxeV_jK@-hU0ksFrsAKP@9IsUgZ7#F^eK_ExUlq3)TsHpUylf&@^ucy_j2r?v~}gD-dfc^-tuRq*Y7GZKZ9 z>h6Mq%DJgiG`U{cB3+I_fP|#j!^!OX)$SiY*aXY!8QO&xM>rZUTa8kO3Cc6TsL?Eb z6Tm!o<)PAue!|et$~`I-{?L9Qbv+ZQZY3=@nyFnZ%y5%>{`hI?d#kXJWT#`nNqLe{$uQk-~f;f7i~^yw2PHK;p!D}1RZpCdZ@6&2K+BDakZLxvT~{Xm;> zy-tzlFOx%;OmoSm!VB{=LG@V*oafyZ^IKLKi`_mmk46ttK-kk+Lm3pn0DY$rsm${o-DLkrjZd7E{%Gc zfNQ8N4)&5?22DrA^iq_ICTId@&sXN1a(U?(inD^m)SU<<`3-HS;VqzO{4qEF-707U zBx(e#Lj$HL9VSdnT6e9Ms3lu5&zO2d3&jfLlg9$@F`AE2lXWkYUsRQSUh&z8d{-5D zQK1oCT{rtx^>9bQlQwU&c(c|+9Zyh5&NeWW%1JA(ONSXz%D_%tn!44%&;x;m zQM#Wgn2cwl2+OCj`^gBf(wQ4JbnuRjM5;Kr3AO>=)BuJ}N?Lle2QqnPUt4o#A6j+R z9BOXH9ID+$%uHD^GEzv^TtV9_E>~KR9;88?{uZ%IQ*}dX*hGUmzPj~(9Q-fy9hRrY zr;ay?I>9L0r1fX^MKs2qVk|c@o%~Wd=TTButD=(z9Pq1O3`v`)p%_1wARjMe@_G^X zmHM7}Ve2=g%l_jCns>!qv^G>Jg#?vrU*?<~kw&`$$Ra?9_I1Fimib^`AC($>=jx!_ zCOt!GrOKym@eh;R`#I?6uh}D_yt=n#oJ#Xq%|ql89eYOBL%xqi^3`deVrQBw5a!}LBw53Lql=&wM`0CH z7ZsF(jtskxc9162#-0!1GDUN%g*J+B=hBH@lu5_eeKlSz_Irh(L^SyR`R+G#DjYcu?6oG{ z9*Q~|etFXP$|D?}3R9W3TGOU|Cur^ou&-S7ZW6C~HHE7+2If;0@VqawB>D+xJ_}i= z-?kJv1A^ma{ZEo3E>1FW!~DY>4Uye*p;*Yr(he#jDNpX~cSM$etuV68VwziAJf^#0_$CktiF zUGRRu1H32f!ZsnuD?ABsf(Q1Ne7R-IOvN+wiP3i_@3<({v;b0X7+#~f#lvu+I1!%n zee>RVSoeY}kkgxalWz@$mj*wz%egO%)}d@6E`8-Jjk5XMb380%9~sow0!=Bch4V2w zY**SxclumM)?)hn9>F1U8Xzz{fj_Y!I zpAc#=K5C6{nI8t~3{;el-az!1!;!d34tf+2U4O+1a=@bc8TJ})DRb$T(k@y)%6H#R z)sKH8T4QS|#6j-Mu+ok?swp4X2 zUjaFATYWA{40lbtQMy&EYy>E2H%qv1~0EDpp>TdSU=bUG)ZT2f4^kZd@+dl2#3cm@>Gi$!H>BszLG2+gs4d&XQ 
z7Y4ezqSw2}E$%nYn3CtTrQFc@2s%UT?2!$2v@HID(bBjj^?{v+Cd&}f*X;WrSJ09m z;tT7SSeSiHG3KZn)Z7}qqGRSH8j{c11I*+dP}j@=Lz-Q&x>`9l*8r_)6^PajEJc;) zi_{~e#jupc-2Arpx%8nJnh$JporDO6_|GFe&JQ|gZN+nkP|u34KE&HUSAUXlL<2aaQ4{P~>=qcY4~1RLA*2n_g|N&?)Sw|5-IT5gVU{ z(Y#g}aG%}?<`e-kPoEAsKK-rIf#+AQlvUw=w}!{i(+E2KBUi~*2AV0zeif{$U9WT% z3FR$#)og_n(rQVEBhbV@@yoyA;$X1UQ~bOsD#(3(*BYN#@%U6lN8Dd)O&&NJ~Nozq&21mO9s?@ z9-YD_!GR%z*taRe#Z9|X$?8yCH5n^A)7?8xBzw*qt6F}&QOa%i6a$Dq%i{*UL|+ZK z$J!6zK796V<|T30s_(jHW`~#vmBE{(g9hR`Ru0JJG<4|KqErUD`gY^0#cAQ9A97aR zUk46GAc<1FY3N#tVW~+8`pU3EG}y_iWM-FGan|u5nxBm2LuG%6U$55tG0awv0XW*F zlDk!yMRL7VoT!35@~H<}IZ)oniIGvL@DZqPSJNZlC-0q>n~mL9e67JTOJu|BnL6eW zn$_Fc9Oq@Nf;U%SBgA6-U~Ux_Bj`hRT{f|IyQe`gFnf2vbUkJVz^#wqJdTqlr~MEt|0{ zA1g9?@^XZCE{dC|skrMe88gnM;ZkPv=6)oW>TLdyxk?krL%)>rZg9U0Ze07xS!?T+ z{ds+!me0E2Q^&##KYk+$eGLh0p9%3(brt}-a~xPi2&xr~)jF1o`mh8-gzGO(U~#e& znK#7A%a9ht)qhE_a1!Y}In{P>#fIH$ru@yf#!)UT|mCDIP*m%2fuX*RW^22FBd84&pp;P%HWA*|8 zRKD0G5*T+s+9b_+PfRhHAlbj)>(ErMF&#X=-3mK4w-noG%LxwdQpCR z6IJdZHKN5n-g+{%Fe~i&QgkC6N?LYnqqDRAY?7M;-ZEk%PQpma2X>*-&sRDQ1knq+ z4N5y@j-ix3qb?EhFCOD;&KP8F8;qeVt>dm4a~@dBPPQXu;FMc3ZLBB*gQJj- zb|&fRS!WTl;eADDFvn?v<5$jNo83}{r;RLA5g<^W@ueUK^6EnWB1ia-C~ig zc&?pvYc#937;_qvkI3WSEe1>z>|Y{?)kLm_w#H+juu@P=oYal)!49i zjv;qUcxrWDQmfFF6i&l400?VA#HK<-Vzd{<9$=fRUvf&>NlLMJ&`sgCV4hP~2LRpw< zia*)V2(1*IlsFAM2O;U$n#`|!#1<1SWMkChdMP@oRdS9(``)+74%i{zT6a)GYh5E3 z0dnX(R*|eas9hIggWDG3URQPq9LB5Qo8wu_w#C#>Gtlao0-;?j4l=P6kvLf)-SX{~ zFf9_LL6Fgdd?ooSW%sJIDh`O~ca0CRwFt(M@A`D(7U4!Q6NffK!-qo7FnNmW?N{9m zWi5sj7cwVBJ}tD}2SA~WCZ`FKOWk-!#z|lJ4AE?)m#5h2CNr8VpAQSXAn#JXlo=Mb zF526)ISr87L}v+}r6qmfr}DAqHBFo38htC?e#-r6&)_N;GPeFs@qnW8^rxG!F8zEq z_lX*p+dhHp#z~ZnuO^5k7c9H>q)Xd3hI3BypRotAMjp|Zya9;mrzJh;3a4l9sZ(lQ zoipWRs*64{$dZ$4jv^a*Q<(OFLHf6(H8uq)ON%~)FRzc$UO&c5PNDSKyfB>Mfl{bx ze>Kb$Tv{BVbh2#4G)oas6lBw&?y=0&@dY0>DBLK_0mXu2yftQb;Bd%O<-j*nN0fG> zP!ljXOP`g9g?_uN;D0K;Y);)Zj@3`x+0R_5_+gmgW%Srt zetJxKguQkg-jo|fI%G=m+LFlCN_9d0`IZ_tHC#Q#y<+4p9_n>_1a0Z1^SoR&;gx 
z*5iikN!#^ut|g!dXus1E>=TM;U--xdS`E?t>U7>7RS;{QqSra{Dc{P&L@_r`ls}wO z(h}uyRcoFoUbGF{b2iYW$3XJxSO2CXH8&Dawt_xxoK~S@>9o6i*B0h|a;l<(23x;qbuSNB7=JDKM%kqch@u=+YI?3B^1 zStccVsZ+C_At~7!cm8sBzFf`L83JhApho1bX1s;eo&;;U9c{jnf6twrY8=LlCAcz5O)cjz+f4U&3TcrqPVUwExo zMeJ|%>XfA7jb5GGg~21RasG1G1*D?N)Y1YcHyvKc()=N&@vM^|#FrIb(}_e~B3zb_ z0=ba82?7P~#`%28Fp~eGvCs(t_U7+&=4r-b*L6KJJmZb+GUOvOm!j>$1x)s}+nRe>!sPC;r74i@`E9q4gg&i^dV> z{gt*s%2S>)A#$71GP)^(Md;q(JZ!1y~wRZoVU=uEiHQyA4XV~hz$;O}@Gail#w1*jjvH>lVcX?opHk##g2Ti(<5&)m zttFK?tEI6F4V^W=l$qafHmj4&qW1~=QXcBy>{{P)*S`2SHj912Xt*O0^V%+i-kR5f zYEsLaRIh&-bxxHwdI<>IhHVA+pe>=4mr3%^BA<(7clbuO*>vCzUf z3vBX4rXTmm7wRKeA^orbX@i`%t^pduSQ|HXdQoW532hD6>>J6+`p!?>4jQ|}D_ z-|Nx_q?L(JI$CrEgqM7L$Gbqj&oD|3x05Ke#GWAg9d%@0OJY+e>&0>Zw0im?4mRNe zr#?fij&(9+IIfdyM@fdmrQs)s;!;@dX=~LwTH+VtT_J&Z}({mS1y}A$@N*5bGdqw*lR)L?3HJkwqh^99`rbCGdgb#+%(t zfQ)e)!{At*Cpb{J`hAEtu2ooWQbEkJ(G*~^JI*CA!z=q{y=|Uou*3SPgmh)cBS?p} zET$qektv62_(MIu6`VwKw;mK$!5inLF9A&h8iip!j}6A0nw#gWyvwTac8$AX51 zMGL9U^1nqgl}^if4XzCI4%ZcP2~ATGLz;#PR9=zyeZ^^n`E2s~sUipPn>x-m(YT=4 zOqQ~d6|nMBEr$*NyqC#tDjog)8~gBD5*P8+V-J6Zxz+pdmDoK=xmSXl&%0kf#xiHR zhzRd1=PO$AXxIxX6>${HqIsU6>r<5BWT(G2Q10xmdjKyT5NzqdJ%n zKUlJ8u`GJCNSYSTKxS^I7GxS5_uhOE4l?~Zfu5nput0vWlZ1cdfG538ugfzHolH&J zyeCFkQfLqBAaGSHmXf8WZ^}_?P8)?{RZR%#m7Uzc*}yA1yRVsFpRNf2GJ*Aa@8twX z^7nwrWaCjwe9BNgsJaKXK_-Y z+cOO~+PcjEBT6T21BWVFP3*EXGsm=690pr2-W;6787eYmTR>)H^XyNShzlu+OdbBx z$(vb+|Dux>+gqk#vHoMF?A!09hHSzzr~weV>vqK!r!AWtw?-h)a&casesi5BB+A2o zH-&Q4p_&i>WAmk)Xd|ee60?m3`HX)9y-=me3H{>_#d@~zMuuda@WK5~fv1NBH7i3{ zF_SOlzh*C$ZALl-j304#p`-P!w+{E(Lzswa%Nz~XUq3oFBB6|pXaTkogZyxW%qKaj zVanc=Ghs40R(8xiX7_KZ2{b&Q^DG;$B`2`I=y5fIe{b0y#fUVm877Z^@Guj!ZjH7G zS~A!WCfCXqLy}_4bf)hXu-%+K-Iz%mZ*HO|SGi{qH=2pL9+yYUak##1(u$jDwaS-G zYQU8WqOz;$$U?KwIt5(A#+Dc+wX)A#C{HUk$X{K55Btps3oCZpLmFBjEu!o3GZCkxZELiLVPuwN!=a2YzX?|4 zz=mgpFl>)E+zK8xyuNV`dKzBC5jhxEsV~yy0q2F-nlp8CnM`ywd*7spcs$+t*{+zd zXAZ~vb`F-2U$L|pgqWuyp*B;#$fB^?(Nx>m=^q$VTWFrE*Us1DwIgL8o8rJ#=81is 
z6zSeqy=#=naUxbMB;?6Nq@*2tZ?(%RpMX0exS-4~JTEeDb8c_7d7PP91~u@a#}jTi z4uGJ5MMrcZCTgkh=Gq@`C9{k!P1e*qLBi|Vn`!EQ%oG=*Zf!W=^f9WmQ~!iW69Uuw z@Qdu!=t%>G|FCStrJN4@ApS;(8gwfgX<#cytVO8b8dn|X68l!(M;6yA1I?ZLV z-*Q;xX<6Ppi;l*%K=DmBd;((Bi8oN`Hv#Tjb(*aT>dsHEF?DbkJ%&JwX47P&f0x4M zgMdK>sy0DP99Xi3B(u~8B?K+KCOFX8UqT`?nmKrp+7->Q0hL>SflINI)l*@sT`J*Y zsgUJItrAglo|_fArMWn{dw`!lL1ji#r}df`tBxQxR{dk@ke)xslF-9SBvNZ^V=Evj zJP}XpotVVLqkGBTI~}?ny@7g22SuWlQ|5RHz#P6GNW;bXO7@mHUO^>)rB-|)P2&hsQ45e|bOwSXrIlUx`6YxI4r zvt~p2tnsdDJtJNu^8PLTi;_8%MpGdHtvyc^BHOkztt_G-I1yqqgcIZA+xn;I4V|7X ziA}}7Epwlw-rqXe2xo}{uyg4>4W#F4eH}$N6{M&4=1f|cR*ca-rrJ*O%F{?U8&_mf zIZZLeG~_X$Wh~NztuPPmL(WIBQJ{ars5H*cS4Q5zidO$YQMbu$MB$JB0a2GQ2$k;Z z<)nFNyvxGI`~->JtN*SB&P5(Z`!NvVu8QU&KWjjpO}lJevi1ZSB@g~9?B#?pt9p}& zA2j(sGh-LFghmKW6^A`kJK`snub8>>)uu*;M0d(0)F4$kH4CFpq^ml$7f>8)da!ah zKGW+Ce)xi6A$A^c;NkqQ^Wye9(F)iJsiL( zQq4aZW7%N}!4oC59;ihkqGyqtmR#SV@VQ2+lwImpy)SQ&D*kY&Ep7Z9vq)~_muwf7 zN{a=*w!+L0wUKX71bAgAmCGNEU^!L{2ki-)v}o#&94o%SsMAAG!~K$#HT?*2$bQDR z%YNq0hJ7Bv)b&5+HXu|vNlv%WX?@XV<5XO-=Cz~>zeJeyewW72G3(Sw_c)le2&V4w zxyKH6gUNTNMiVB3Ai>2M7J}@?*^7f9^FUB;K{@txMsWFIm&0QOHC9)(t4Waq;pS;^ zm21x_8lDsDKVdt9rfCbt@ld5a!l1JBuWbc2;SduI8tK*ZqvSWX>b3OT`Z|w45uFQ9uhM9w*@N=!)oVY zN6cucoHmx~I(VM;j7IJy9YQoqTmBod3jC6-IVu_#SoApSqY2;tw*6eNXv^bBmgib7 zo#51{JP9^}dp_E_kq&MX^~|hz>(g5Ys1+TLh+f9$7}z~$i2tO_X+!zTw(P%FxTrhM z!a!}MNl3}ww}by>=SKYtkuNEU*exR#A%Lh8W2rJB-^gG->gRc?aAl%jO3&G%WYOAY zG9}!Y+V2Hy*d@JbJeMr6)NU@;O+)Bk{u72J<7%UcL*m8Jl`DXxvPr9$YrfM&?Zw2J zjiG6*R!LN0Cb?VI%Y9lTM-a&5;~MciSdEd!t1~6Yj}6(Ge+ZaZ&E|i2MZ&^vDI8!S zF+`vY+b{=fYW(I|*dQVyRelS6L`2Kh1PAF^uh|z2m4xd<`D%|mGz4j~0*k29nu-T% ziZ`Lht5iEaJOmX4NIh>w%|OlSyL2onTb>tT5-r{PXg1!K-18|r4*928{jOTi3<~O? 
z@A3gRYV}68HXWmJTR8Ob4`W25R9_?;U@-ybKD{Zid17YY#E#EEObO57t#q!+hMLkA zQF>}?2y6w$?kWUq)FDiV+9GtM#~QhIpO(F43_Vq1v@%vrATy3TC9A%2WQ+_rQDu%N6_j% z*1nj+o0L&VWrXi`p=DdLlr#iHqAV>NOzR_dVhFw?F(ZT`Y~f}t;8o$Qg@%kh33ZQN zf6(nW)m#6zxG>BWZ!O)f7^C*wX$g=`QG2%v>9gE1g!|wEGkZk!_@~L0v}7@SW0uLS z&%3c%{Hjtz(=zd{h}GnWqcEvD1@%6YkT5mnj>Sf3Wn92`V0l&{JVFxe5Bos(=v^A& zx97ji2(7M!cmU4br1cw=GdGP9Oh(o_OWYOGU$)Hjl4}+F)8N#b0E`bOPqm=kN<-$V za7jNUZAYIjEjvhsl%eH5okDpoa(XQIp&K5}aE%CN|2%peMifaI0La2i&x#*5Vc=kY zw=+0X!|q^Lh2t)hlm!F$lxRcvkodR9zV_-AgW~3|KO4#{@(1M``f8_W*0x1-JA96C zkx;mz?2x>HxVrf8M zuz74o_G`L)NeS#O&xuR|Py+<1pDg6QNz|2k8cgjm*rz0=qD|v%qCmYd`rNDS_<B z96H;f-^fcK6~Q7zV~tlwZeC%O`pA4Vp$$D>txGWfn*X{UTlI*lXn3({j%c4u7zDiK zN5;>5VS+{F@Io#-O|3hWj^u-VeG@*)v-;-OkK(h`_x%g4s7UBBGn=qq>W!%BjFZ83 z+Rn6G9HYfwXnf_c;4kr~;H1rU@O&VhnypClIX%ygh`hC_yR}n1Uf`Ely>UF70GJ0v zhV|E?)y)$HPr&9|th*;Ju0wT≪0oz7p+yqUbVqp4zDLY^Q423|&Yl6q~0%Y(>S- zGe`s9i_B{+{^gtSTuB}!e|i%I_y=K}u$ z&rLb2gAnbZ@x61tUIM-1hc*=?akavduPY^%8W*#VFiRd|(CL;B)LO!4Rq^F^Moy_? ztF9Ltw?si`0cqQ>Kofh<`Cn_q^?NGp$50ou^zJ}zMhXXwCM<^tDttPQCA4h+M9(W@ z;Yy=bW`5yUG8~hvI&~k=7=_oU40?8fgBhR8gUqI2tE*Z1mMCIeAC#z*ZQHP{O>Qz; z96F!70aIKw=;{O7p$i0QicuLjTq{nJFLuOtd)7YkRlWp>`@FXzUe+HA5URb_Q6zmO z?WArepG=#MPI7;A6_c5%hT2r$PM%k4uoF7^TD3}Qic(p8h-m>FbnOx!XfrN%tv(4Q z&VPX)sXVe8Gzix{EsJK1Rv&~Hc2JPw`J{%bCM8`kPS`)mSo0BP44Rjv<|eGt3y%RN z)zNUDlF2oq^Az&xly%`@^!3lc{9W{MdZnI8lO0#x?5!vS9qUVhpeYxE=@NVg=)9>n zR+Le1+eT8}tdEHR5@nB`zwGYNOVxRfwM*iuHS_GP?N-a_R?M;)*826s*zFFrXN)ST zYx`z})y+R^hnky| zwtL1d6{e6|i-+>wQbDJ#Qy-<)%4!BcU_02Mj(xtKijh)N{wBC zla7RwYHds2C&|*&1L~4s*q4KbK*;D!Zts>+l#+-@@g6_-vTbZs;nphIpj6%ErPWlR ze)#K8c11^0b~{O<**W?zWYf5Gy^WNMl}anARv^--(Vvmkg}yshe&wjrSiACeTiklz zUASruFK06GY=!sB=iDka!Q-e}ybR~rw8Z`sV>vBV%@6H3K@DF?Pn~pV)PPJ$YXv1e zSMERX>JQEuL+J8Tt$vrS+Y}q0s2f^K$z?bfI`FGrEL~v7+0hM>2XHYETFA+L+6Ri~ zl;RN(!~n#?5RGa97THs7iH!#-9qJ%4v=&7C=YF`1$~bt2M^TI^)(x)R(}QzQhE|EA z{+yl;4Av*5DOc+0j&|Ck3ELRun=x6_wBQ-SEE)Z@F?SzWBgn-_)*5U9m>Tw zpM6d;o%dPF(wkQs+*@DnBt5%XtP^Mm0P8b&t$;UuB 
zB&TM_SgNjhIY;-^0LvEYi~84?+NRa!4{WD^K_S`kjLZFXjh=-q*hsqaDuE^Vt^6Ps z&)%%yC&9d-MHS;O(Ce8yWXx2}k1CEHU4*HYQG`3Wk<8>eCBqYA6RH+g@RssE6s#;B zb51n-e71y4X5_?_AgN<@hfHtl9uF6z$z{U8k|_S0j_UD7` zpe%I)X5W3hb2jVk>T8)=T(PTnSr>#ldkRZ@NxN_Z9zHab)*J^UR1Qrp3G%Sx@yFJ}9L zf!zS7ud(zRWcV(9n7f)Pzcs5~xI~>`J5Yn7wxeZSEaV`_cJvJ9A>^2gv1n>v6Y#3N zfs1`_uhwO>$#fQ3;e;^CHwXGe)Bo{6=*Jd)eP*=u%D@+F1-m(Dqg4cdh}CP^8gW`t~ara}mqo{ybNPu^>-@=S^^NgA&*md}M31V;280X|x1BLdnuUja( z{HcUeBSct_wac&#HOsI;yKyO1HMDfK4x<6S%S;N{{m(ZYELz>E<9V+7yri;5q@fWh&0 zG-cE?M;4v6%{|qs;{DQOBu7118HPd_S+_?A4m~1Rd zT1{WAjsZZ)mEXHh{Nbz#g`IonPQ5Fa@!!r^!68=Q78oly#0uO3V+Ds;fm>j#;1KI= zFjjDg6{!B-Ggfej6}aZC|7*qy4zU8az*xZ{R^S#GD>%do+yY|-hggAIV65N}D{u>p z6&zv(Zh^6aL#)7mH2L`d##q52R^S#GD>%do+{{M)A2U{Ph!wa6#`+hCHTWlDy&ix5 z=ZqB`Vg+u2v4TUaz%4LVaEKMS1;z>vu>!ZiSivDy;1(DwIK&Fv0%HY-Sb%do+yY|-hggAIV65N} zD{u>p6&zv(Zh^6aL#)6pFjjDg75L6s|Hq6K3}OXtfw6)^tiUZWR&a%do+yY|-hggAMQ-l9^j1?SW1#W?{fj#;1DZt3yc*UVg+u2v4TUaz~8iv6&zy)hggAMD_Q?<>sY}t zR&asY}tR&dK$fxl@TD>%jq4zU7%(>hjgj1?SW1^%XW ztl$_cIK&G4P3u^}F;;Mh75JOhv4Uf);1DbDH?3m@$5_E3R^V@1#|n9!xUT9OPC{g3)XmR+(kSje3S$|F#^vS)|Q_(YJDSAne5vu2JGzKVqbI%sI*e zaf^^|Fa{~jYk}7GcB{S z@3v`LHL2#Q`9FC|8mwCJxkC2HpcKlxGxK&fO6cB*k1m8Yb~GO2iod7I(3`Mp5bdRxZp zQ3s+Bv*PzwJ~y zwHkl>=wR6MaN2edrH=5kHfk{!J=@vt_~OEs>N;d@J*v52>9&JPYp-;~T^?#>>KUAt z&X`$VJcy=vOun6^<;?!>M*I$-ESfq=JWkr=o#db@OUi!sf=L?g3zjzVwF>_6)jqs~ zS()jN&Q`7t4iAj?Pcm1V+TO2_%|2e04?&`ufv#u1P?<9Z&?w=*`QE%?&MSyU=Fn~HVls&Yi_@oQwgsQz@KS617YiAQg{ z?bm8ExT5FzvdXYh40=6f{6ru9)RjeAE-cngD!JOpSfJIegE63Su}YNlN`+_{f(*Jp zj!xMVNi|12dm}$7S8PDKZ86X7dMd9xe~GZ6cAMQtlAa7iLG^h6*8|C{NrN>jV^ST+ zdquyN82q(GtH^~N5JA-n&-Q*f7950{gyJPYfc0+nl&#FR^-?)_<%KM#H70W*$I1-9 z?P%HfSSC{$NmP%mIbI{8;EWTt-Urm7*u{9a6R2+bzL8g0XaPq({3vQDcn>0d*a;gB z*j>Eec4>7RLBmM^frsY|6tw&~YTj0~{O!|NA<`qp)>xgOk&L0Ns#YvQYvWWA^cfcs z^e+&i=<^Vws9#-PJ?e+(BI|>Sr5J*;El?d^BJffg6$-T-xEo!CRMl#V*CSGaNEj(G z7>Zv`J#?;?%HcdnkUZx#9f6uVUHusaswZnv^g|YBtbb|&@P?e@o4~v?9Wh#244aAX zH$(hK)BUL2gVRSIqQ{fijQ#ISK6gQgY>B~sX|J_+U9y_dtG3|1o{KI!vZ}m*7}2!? 
zAGXUEuZYkvGu%n!JE~(vO$?_yQ>mOnrMhDd*@TCIAAPi9D;3ru_Q0>yD6#B$3TUUdg1;ys zx#tCibd#9Z6Q6SULd}?CaGjAI=$cw=qXOr z=ix+-WML9kV%}P2Ilawh9VXL-ivCAJj8t~;R}illR7Uu(aC+@g>=r~Azs(@q@va~w zGP%uQaG+E;_hIvxz|=fG@c1jo7u^^A&)LAA3ZnRN(?k5Z&~Ifd5G)Y>CHssVt_E=F z!>+v!<3~IKVtkYYe;vjjheIzwEx7k#1HV<4QIKvsADr<7k=8D%d< zxvwqZPlsfbaVgYXEG!_2n=~H(s;y&AYo`;U@GI@x7_i`{kO{K~p%oF8!mzg^I8SO2|r{@sQDDED7APMw$C znP5iQoc)i6xW0ak1HP{izcu>5Ms)q{q5Q9@|CA!&b@ws!Kc)O?`)lW>*H|F@%Q?>A zG5|1b^Vik=y-o9b``>h&{r|M%{OSh(w|)cse{`Jp|E}ZwO^pNm{xRKrK>zNps&lqG z+y2k)ssBGs1N?XQ6uP*{71wXw_`mMOz&{3?n-=|ZH?FI-J4^A*yne^!=EUm!ak(N# znJ1~%G#<#3X=qy9ns*w(l4%9!#(wSobdJMit*`Khrgv%*w>&Db*Nii&XzU2h?*4Y< zby47tI({C+gh7Qt^=s#^9ik>@WXQkH`W4T=WFO0lTVKIiGC7!JRQ-s@H_l6u8@RcG ze<}Slr3J194ovn<77PtR(;YBnSV646H`X7gx@gU=0$j?m^O%69X=H2ODTH@S0%G?l z3AQesnx{P(CdZ5Tys92=T}I6tXM9Q=@DRo(+uVMcT7%6pFkry=Vv9P6s#ANA{}`b- z(;rp$$c6sOC?_UbbbfY|JCgL6j#Lsa@2eX;d*D_N)=QzLhxcvknUC%`3%d$yAl*5- zql)y|x*Bxn)rnjO&?x8D-QG*Vr-iWPATQ41?pv(2qm@T>NKz2?GfOe-8UBzhdbElJdYK-<#ir!cL?A>`T&d_e5ts z;I=70`c2@{=jLTyW@0CWR{k$A-0%&Sfxwdejgt6ApA9*-)`^o*MK&g0B^s;d=jB>$ zAwuI8b|fu9Y++M{U;UpPTNixA!|x^(rP8qEG~nO_pg66&IqX9@?3FkSo^U9#1#r?- zyp5~jjH@GbGDSH5oOS%(a!dH=Mw1 zV~E9IK~`F1Bj)hgljxWvz(~I$pW5tgaKDSERBV6!`Zo2Rj+c5@*z(@pZGd`C>r&iM zP2?KryxFzu&7ZVqu2$oAPT^0FHa*UuMp+e8 zx=MJbKjH;U?=#r|-%34V&h!F8n*2v(#d~2Gt{HI#T2lops&S$9#kBiMnX#;N3{{Ul zTuYRl^|OAr^LxR;QKTsSfabE#gX0?G5dtg{d$eu~G1jsjYeAl3%_sC~m!@KGi#<{) zG5r`tu+t-VQw9&oJnSU}k{A0!sIa82-!9oLR%HqE`Y-|0)?|wN0%FF!Puc&d(IOsx zM7(%^*l8EEslnM%BxRx>GTPg{A}2P!^sd~YtbO^);Hx5cGr@#;3$VT;;r&QI^g{a6 zp-?4k#Z>6d8z$Q93>ok4PqIh@_mGC?c7&@NcLIHE5(FMuDp)ki10z>qwvVwo`h?6} zpUVeEbCJ*&bq>2>9`NPFBHsKc;r5!V<+n7}2)L*r>37XLzmP*8XSLWCu3DcoQZTTY*YXj@^w7o!^b$=A|a(o)?VcJ`4#eO*liD z1O*>I+UjUQ8)~7)lZkdzEkgrw8TqPM0}6b(WXV^ncm`fm6`{0BHgL2`&T#ZfUU2jh zAK@sa`QWItxzR0(#L>UjyGT>QJiU2c@gGBZ%BxcMeQe-i8MDHc>r0){BVqe?rn;=WSLl(RGSzjvkml0uHfdJBVQf|IP$@0oL2 z)geOk)+m!tF`|l6Ei(~DP zYPDTs7Q5vhnpxJHX2&LZ*C$` z`Zl{wdA^~P;#sz?fzD|)2Xrfa8*lxlvCql4{e5%&9OHN)S$@V(Yl`05!kfM@oXh(7 
z65mb~tB&*vNoBqJ=~C0oscY3L(nfr%zwPyqqr4Gu?Ev4m|90c{1Uc-pzwOWb>BBMo zfZU_&P1QQ!aL$H$&$K3yz}e*vEW}e7YCA&HyHIyg?};OGzqs>P&drzmpR$2J7bKu~ zUvTeFh3-Jrvxy_0b3KLmV#oWlYSo($`sTa|KLhx)b90ekvTw4u0XYb@`~OnN#X5oD z+uwe=OA)B|am6Koi|)OfCmK^_mpw+nOkv$9v0Yzi9sWAur0bSah_z$1U#y+Eg+fki zL1SRqtUweY)Q>>|o&LulG4cB#F?c;l=-&(ynAd~E$o@YDi6_?I2Z?FD?}J44)?W=0 zz`u+VC9WT@U-Teg5&I^R6t|$_tiT?Ad9EvDogfI4LFwc@9B((ijQ?RV1w1X5|Cpap z|3o(&j>MOow=*djYlEwDu&+u6Tuq1(nR(UUbyn=Rc=aAh^y7-&rJpu38MCOXQG1Ac z4BbWX`RirMow$uEfJxVQIkx2$6KW-rwN~sFgOyX~>W?QH^Yj8JE$eh_7(r0<+ww&! zy?S*;BkOfJUc~mR=jKBseYUQ7@AFVmFmR( zYx(;b>YvK|EDZcS>_*1?R>#l$pV>EAem9>Rm@)|l2?qa~ts=dA@z7%C`bOFR5zqC{ zVAH!lVg`N&{m&=7xl{f!-haeHg!Nwc9+)yWV*FpSk7b8!uTH-~{)z{hnfdS}Xz;iGF0}Q|f1F*mVY%l-^48R2g@W23k zFyI9kKmZ01f&oNe05KRq0tS$R0c2nRIT%0z22g?lFTnsRFn}5ipaBDbbpYD*6p*KK z!UE4shi(4a#@y8YzGf2xZ&T#!iZ!_dXRGN1nWQZ$t-BSI;Jm3MBsI-rzqYGRUO{IP zu{By(v3E?OS&P#sa|#ub!h36(#kEBui&i_LD5gJ2iu_HJ$}ZdoW)udaXV@9F^-AW3 zM}Jh%i)^^*TyxcF4w-ippxKzik%G3OSgfATK-E7fqsafe<208wsIl?ubnU_!VME;j z0lKq!Aa@8vO%IFp%*3u#29o$gq~UeTF2Qi_!3;$h{Ql`j?4N+XSN-$Uo3^B%_KSw! 
zww-*t)a+s%ugmsNytia`D8TBFwIjD}%OhLW+E(oZozzt44V`JxO(|l1c-CG_9{bUu zz8m*zk(V1QLI9C~77RJTHPc!h-p}Cx@7EVrmqgCz;u+gDG_PUoswYUwxxtKtcj;`% z+Dqyu-Xy(ChibzHxNSw{yU0M|9jz@+8y})!Sjo>hf*(ztBd+OgzOC2Gw2zjheRQw2 z=m40#0bO$MeAhyWjEiQu@4;auHyjm~bzOKryQed4nM!nl6BL3PQyB{;aAs2R%*_ol zeQU!g8;7!w`<=d2L${!ERFrYQ^knk#d#lXC85~U06#kGK1+aI@5i@e2%4|6@Jy-33 zX9kyA@R{2Pr+$z0Dn%9Nvxb~TST+Q`jU5w8Lr^~{>;+aOCBe(iz;UFCrDtQ#9B3TL z;MdCM)t@C*OlbwmjgkBla^pz)vglo=&Br3J;s^B(~+ZQIIUTDQ?V+ijk$E^`K3w$kptfMZ|x z2wC9JxL_(1$PxVXOtp@Lz$W;tXm5r;l~rU7H8IWBs3dDQf$5NIRe#^WmoqU|Es*?d4K$nQq6D}tGfOna1xBbdkBBPZ*Q@qB2 zGhW*p%v%wG+ub)0p|le&=y$>@_fUc1dKC4Sj0PiXU2dBEh8X(u>K_nk!kGg}Dq5 zo-PM?|4e(~qYwqF6Z5O3iOi@Tv*v~2_1Q1^NS(Gi!t!s#u;CLZ;^0H5k*LKf7`3a- zX_THKY;IXxUtf3&;`kFfgNANpXSm9Rc)6UiPYA8zM_eedG*9$nC}P*B`Y^^sT)JywzofaPvotGX`3cCJdCMS@3Bq5q*emt*-hf##o!$JJa*v<0&1UHHB(oDiM{1dsrGn4TX+If|RQKY1j&poQ`t zq696aq#mQ&zScy70tJ=V8#AQ&%ndnhWHFj&$QoQx^S(D2ljOaO zb(CXRJ;>tv@LBZn>yyWf+A9qBm?>}cpXYVXl(Uv$xdJ#TU)o;LQ3!t>hs3%}5U*A+ zk*L=6CdPnFat@dk6kDA(Dv zXPwZ;oi`Y9fO@k9;3ZMY_J@&nXH3NA`5(NdvX}x!0f}Yb`b->?wd$z7XmXMw)n6*S zrGs8zcx=KMAxk}#h7`tJ-CKWO;LR>UCWe_P2N_4>Dl^lfDtw@G%jtcKP5bL&4TFI8 z8!gr`AfC;FAYToUHmrW?w1qTQNNa`Hv#6i^bo@lWuGlpTi~ZKUl<&pdXvZqqGrzN2 zqfp}(?vV6}eGvg%ED)72E{Yr|9Cj#sY7yp!E-gHrxU42s$SVNfJU$gWn}GN|mh?0T zwL_Ar!e2q0`{>PJ;de1i3@M$gL!=t9iJhy10Pmll^oFKpwA%23lG4kH)BFNFm4!W? 
z*u11JB_CjyJSvVP2^J73=_c?gqwNwgCF+!saoFY*%YqM!S?d(=+z(8fxiA@f0_HOX zh^jPRk#&8KhtL)eP^G4ysu!z^;T~gxB)aT&%Kd3-Qa@HR6V!X4zI@e=(39jEuVGay z(VUbL|BQEueg|!V-T}!XiuesS&2uxQY)PcK)wU1k1(e}@{7ks}4P=H{@)Vgx@-9TI z0n)nky^3FxagH>v-^h!;d=(n?p;$!Y^Zj#$7M&4FYNAs_4otEi%<~(XpwLYr7tm%w zTWRi@j%EN78-O2em%DUCh1A%nEHnu8~J*-=F9O`jNC0tIPYF`yt8Ds())1=^6 zurf`9dcQso9V|J9_~gk=BnC?Nprs1daMP2j(mO?5UA++ElFwxQw_zne1W+}TAdPA; zxFx%%`hoM}sZqCf4x`=7JXfU^Vy6o!bGU# z_y%kbd}qZ={PK@z7=d>ekSua7PV@ADQj^-i3$o?u_>V7}y|%4pP{fFHXx(~(ONeOK z&NVYoajBmum34}NkFJs8-aUGCmrsRDM1(}eT_te+kWgbF12HACR|93gX}dR63$*GlW8qIvsy1>!rXUrWN4#!ZOmAC z9w)tH62S2OLNCf#C%qks(?bxWaVLM*eK`mk+l)PD9Qj%xz-)I5#-%#)Ru~-@-~vkT zvu0^!oP@$0XGT9(uawWGjNTK4-oi|zdA65L#QQDGW0zdt&xPMaFf&bWWlRNp#Pfft zzZ}T3W_QXW*vxcW?kpR+U{PV;dTh1m^zJPq+cEokxE=!Or*ae|sh+ZqtvARCE$9oN zDB`t7`BV*mZUWmLP5FnyFPRA1KOgi=5xgOxaa6a#F(1+_Kc6W>P>X?Npus8ks6eewY6%Y3QW>fG3? z>eJYviJm=OoJ^pax>|(%l6T_g%WPU&l+;>^jE2>3kSyoP447enMpW!^emTUZgF{FZ z&>y$mp~!eU{{X8+Ho;^pn76bqRpH%MT16d2)t*c7NKxYs%MhMdig2%>7|zPcUl5-x zTq(5=F!@v5gAp!H8gH!>f0QA$ReJ*ruu`3XDyqsB*C4fBnb^F>Lo(y!;awMLf_zmS zVWD2~pUu4A(1l+6WNl`kRLk~?%#LEpznHA`*#R12_y*IeV}yHaZ`$N@dC7+*Ocz8H zeN>W4x6W?Aa;CImg!5u&UmDVZaXJ^^wpf}}Ml2^ET6s^bet4mYIy&ESu_IlfV>JEF zSqbC;vjA$dZgMtb5<}2PjnYnDd0p#U@wu(yRM(@;yRhYEd`0;+2G2n-`z
nhv9 z&a258xa1Q9PpNIEuwzcB&G722(3GoThNtSukR5UA_ z3iI;cR1&-rY7_H5QXgJ)eN#cD3UF+B8A%xGbAU*kcJ1P`_q9=n3}mlKQdw#H;>o(F zMTD3rtAGG<=n5p&yH4k^^ym&f4a)nOlNX3*ijU&6ekb97mSwFq7|bilTBH0@c<~62 z2I)1fe+zq?L%xH5W00R`|FeN3@zN`ox zt@`Yt@$p>qPI`2ydPJf46!qI2Q78-d4vGH=4rcQhtv8lt{kMI!*yhFphC>wCAe>cE zGt2+S_EVy_3T;0Le!trf(BpUeX%PjQv*`S8Kluy}#nu1gxAH?ZCD_aT2B?y99rv@WI;Su{t18Eetgip4FPJ$pFEDChNT zE!CzrJgQsV+~%2cZZ}FNu4Q~K2<%G8OEz(B8fF^#>{^_v)hpM;Bhf6bhzaz;Asxa@ z>JBS7;dUu8n>baFCqi>cU!*D@sIaG@o^>E+{{TVvqNOIQHXU1Efj{BJ9m!7=#9k=C zN+)5um=X{fHh*wzL9I#c;l$Q9_Sm)Y3{~Aif8R5e6Iy|?wewAjD`y~|;ntc%`U5($ zM5_;DDc&u#rr;$nhqcT*9)JkNQXA>RDq&o;rjJTJ_k>*}wuD`tT?xY>U1!2juL}>l z3Sx3r1GW|^QC zANGz~lREn)GM;>4KwcP1b=NT8&;w;RA{ZTo7?+36@g%k%akuU+RvGkS;xp^ElCbBr zzaiK`PF>;o0iO9dtuR_V>lMLM(d$38#l?3a6KD#pEy!+ehs4=L0DF)F)T`Gw!@DSjytx8p@AP!+ba?t)vbr3U`;r9yg8x#aQl-mh9x`eKA z<cjsUUilN4&386!llBZCBJ?5}OS3gmCWwTPxH(IP-#f3`x+eXXNouK{21# zy&^tr?7aGZVM+zK_wC)ZoQDXF{-*+ z*X;nFL8-tqz7zIg<~JFPVCi5d6~S1V60KI!(LKvbqM6+0-pZ=C{Zc6FQ+Hy&I^A8; z!CZmJqVSP0MAT#-pU;4aiex&iQYwhz4J=16>FwDmbNbGS4*vTYnzfik)(L%1g<+Wd z+ahD;aMq5jn-z3=U5Q({wI&YF2q{pCmV?=K_YrsrwdI8uYsvR&d*%Q`?J}?tY74&C z!zsku07xp=H`=SkJUlL;2`)r=g_px1r8TOV#EA!9LFvE?V!YS>S$49(6yzYE_oVjI zE7}A;vOQG>*51CUS!JhSTs1pOLKGZ?@^B9WS%m&Jwuqe8I(x0v_qJviqGa?k82C0=6R<0x<-V!YD%O z41so_OUzdp@M~%57x|~%I$_DM=nmx{Tnn0CDBWVcB{JO5yi8-*^j4d1Gq>lMh~$lf z`EJ(cm>dR8?Rby=Z+V|meK2ebzsL9eTWAm1EB3B-V{;KP4!`A6*fUh$P7r`hHRX-c zc(P;>4ARO}BPiCJ%KPbl>q#I3J(}*C$pXk-C{37p6v`B3*sFYpsV<1Oj8;#9IXN)_ z;?zQ#K7}W0tJ&R>PqsoyAMV1SFX02}+r4Tng|y+SGS!Rh#Fh9J2{xovAJAJ^Mn+eQ zx~U%BEZ4EjQCPf98WzoGefEB>+F4$hTRB1V5%-sqE52$@BS{Q%py?HmkJ&;DSRh6P z8z69K7;DtJm)yc6Di zmQcUQIA(04FE&VK_3GgQG&MyN9t^hcl$>7QY(Bpb`~2aP##YZIac?w5F#3vZ6@DnhOi4$5^6pD*!#nZPhO_Z7Py-59bi=%utqZqc zz^H*QzYk-N;v69`ZZa_naFY22u6ju^a?G7I50>{Ovg`L?>I>}kc(G%&0aElJF6?*w zq3oIq4)>(j*f|_asJY$feu$$@FA!ClAehbD#@e$?*VW&?xU<&EsMv^X7}NEQ9DUd| zzWViNVqIhJ9X7uJrMCdEN29(ZWHRjz{yGBpX@paK8H9_QC$!An^(lDb>KHu`(iBWW zmULOVE2nLK4yyS~>?=&ZFk1s{!@OAHG8$c|I0>~cIZ8*j@qPqqI?Kl$&0{PFm+&S! 
zAryk0UrmNJr9pekZRiw}V%K%4bnfzH<w{CPegF}B(J9CyKMjx-&wI>;()lKj)yrX2yHNQTN9$R?H+s zO&^jab0PW}Kn&29?G#(#HOX~jZZ=WtYkb*9KMD4DGmdXiUlO zK!K5_L={6rFfEent3=@8((M7{OAwGz=@U)8|5x{=Zrxy%e6|;53?0dC=f;ZuChJu@ ze#dIw=U|15Ei%Vh7>f%^lpoz@vlF@b6#$0ShCSQbCA^a8FeUC)O8RKw>1$%-e26Fr zh!0Z1ivQCJsO@Ow1?A^=LqC7Sm-#vCC5_36csh&DalCRemEl$)^f*<>XKFUV^7u8} zJCKJ<W-n4 z3HPM`8ho`O`n5O##wFa?Iz!5@afwk$0dtG)>dGHdo>qRidb>MK2uE`FO6p3Gyj;^C zrINu=;Ai{@!8QYEvnG~%Pro5oL~$5&;`;rXfwo|=mZ9%RcRFZXY{9ec9*Z*sLev6$ zDO=$ZJJ-L2&OzMRB5e(K%{%D0S~73R?q2vxn^#Z_FFMzm8_-`fMyY*a@Mfuc@sTRn zr{P3~P>x5s)BJUTV+8QMhfNihBm^}RNC~oyIXX5C(Rn>umo_KM{N1UjALAVFXwya6 z$uutcc;GUtV4l_eD8))!J;o$%^gDq^k@)tkMP~4Lph(k#YfZ9ogx^%3u$G+;=1B(9 zlNDFbw%ih2uH$EjV7s=0b?bY*sv&)Jy*}i}^fgp2FHcnsMJtJG{~=dk{hh_jEp?qM z)+gHkvQ9wD2Dzj1^n^HXNXzlE`HMAn8A+p3m&8kKhPgfIM~%zmNiXchWRNrOqqT3+ z19fKHkBfU1$dWsdk(~rh$bhP-nj{A9QXL+`Q@%G~v7KJVcJ5zH`Y}IPRkEO1z3beY zX-&E3ry~0cH-CEw|7#!#u3$gn(qVTTG5?C@%mq9<+6BXT8pQ53kQY>9&!L2ViyTY& zMrL*ZmYXC>V`-<5d^SLvai&F%Loq=wVI;vag}Uakbg&d(f? zu+(&P*i$~95#m>`ao;Uvw!N_gP`vk*acHC?q4q-j!NXAcOi3J{|5gVH;jtWly~ zrN=5i14(u{3N$5N1rlWsc1fs~t=BL?ryebAQT#$wzos5R+Ppt4mw)gnF$?@GHhs@x zBu(Y#Se)Ym)aadyqv(xl=+@7!XwcVqwX57%^0gn72^014wb@UV;%1@Uh)=eTamFoAvmg&F zqg(gUDGi;r0jdzaU#*~PG-+C}_%wtcp1ZbgOx_Nz%DGi5qu=rBEA2GL&RXGmlVT3d(9Tz7RY$9l}~azCwHNG`Y%t zh|rtKY#d~qWkbtw{Z{czECG-p^b>UGWl@?F{G&a3nqE5(EEg0d$w{>c2*`FlDMTrokIS85ueVeN~R@7&QDUl4O2|312 z@*a8C55Sp)z%qX{i)BTftB%?63w_wE+E?u-hO158um5z7J1pPw99_y442h5yJNUg~ zFd3>az8}-?vawDcMK&hop0--l!;}IB5`mVBUiI=0NQ-;dx9xJCkBKxe*!dW9aZ4N6``ET z3smY;Ydg#uD-NDSXk$orUJQB0loS4`LR-06$XR|*%OCGtoweyxCOMyD z|C)=WruQGsw;jCC+U#U+m(akpk?OeoQuQBm5%gy7!K7du*~)FmnjTQlCa4xZXFZgq zr2orFXamSYdHsH%!-wk71NshwnoUGoke$pbiElc%F*8zR`EG9CY!I5!I;PHn2%8zt zi8Pf2hY=laA^N<@H(I>kdD+ww@l^xyR-QyqPxB_6f7;+p9DAQHBHiFa9K(SGSjVw4 z?eXX$#goX^@~y-<{zi}sZy-JY;thSPwoloK{;$5!0jQwaX1p2ShL zN7ov)k;vU#9LX>k44$8{3sgvLje&_}_zfM91s|XcNR;9s&t-ghJO4kX2(-1u#~HWy z+xKco4ccW4i&)Ijj{{VFJ6$=-f$(OTpq`lVi;c?`ce@r*{|Exq0sQyOBnEs}ygz0; 
z6LSr&Pk1>_q+tkwxxw!=_A`-H)i}_(U%-!;YZ!Cg4AJ$bCD3ENn;>V)vHcDTU(wRr z%T!lGm)g`U3!%6=E*DwA5>(1vsL6$24Yj7%Fwwcx_Str+FSg!0o#wt&D~*9I6d>25 zEGFN3aT4V3N!~rngCzd89?488BMh_HNg;Coi?Ka|qfTIvR&ksK;8iLN%Ja~AVNWje zf*heYWmK%Hnz6EM-0Pn;KL^t(KPtf@6lAv?C6AbU4b_{@eq)Z5y1_@&=$2MVo?;CkjKS0EU2fIQD|98vo@YJGAsfG1CNXW z+9GzyVXJKkl7I#p+GOAagf6ZTi`Buc^Oc28052V7MeBNz1rFs|F5p*kvQ5=(| zPIFgrOAN8_2LjOpZ->WXiwWH>ouCLGlHw1vfC+`%`U9_ETp*_bKns!a^%YaoytW(ATT2&99Vgp36OsX&?QWZqnwq28lwUrdf; zyU;nH;QIb&;?m39@-g?tcxc9J7!d{PMeT zMt|>0ypTETH3*X#5M55I>2r4(QqRS1aYV#VKJ06m<`A3b$29>O;#apH0SkmLcg@rB zF_yxHOEFHQ_PS0+i|Js0|O)^c*ESHTzLd<}SAPjx;mKmlQ=4gaM zQe#b*YDyvKF5*W6@L<=4+Wc})sy?T)&_N!et`bDpt~gp&%}-}-&R4k~#svtU#; zB=L8hF4nKG_YV~o(Ve$53yXEqfoHb>Va6^| zoIj$gwh>+rt*geogTu!^Tw8JUnX!>vpUkpg!Xt>Fd!ayH_%5c~*vRomOLA2gt%F6V zvQ7kG-FPxQTE&NLS(wyBqOAgUL;}Voz{FPdak7+w@Wgt@s$M=XVxcVu-t4`(ONaMv z`tCegd6w}<_RcDDY0HlDRfW0&(6f^6&!Oal(Qf5uIwE(vx#gaMdo{K901TVJ3U~J* zH*&mYu|i=1+BocT|; zSE){mOB6LBEe4i6uAsyb{PtpHe5wc{E6*A@%`Uz@?boJ4cO>T09W=Adpy5MN*hp_w zm!uF&4R|IV?;$VSH92p5Vs_2vK3N#q9_JA-pFi?HqnkDaNQm-`fz+CPk3zqVoReL> z`M&e`9N&j~+b|<7aLRls#r~enWYzfb`xGLg-c69pYZ@q--gS%-hY)$Z z7v4ffTG~!*LFYBt^(>S%LRr*E_CkQ^cza?3!O#Mdg2XKTJJkHYOPYD~{!7xF)G0~_ zWOYak!1EC1@Bi?}w}F&s0r4^Z6F=KQ#GS6HFZ%4B)%b@!hps?NNk0P$($TQ) zM|0`hlSdA^+(Z~SI}A>IPv7KUDUsTOk`VQGaQt3j^`LLtSZaa_MbZqo7rC$0s6(?e zJ`@n&-7$mPNZwRxeWW}`Q{8jn95vo~YyXc>gRWdbb0SZ?iTW=j4b6?@@!JgVE-4=< za2qpZK9%eL!=zD#AFFmwm8cgPiq4x#~ zf@Bpb1VnbK?W55|eeR%c%qZwSiuaq!46X2e!QEv|#yCD=OZ<}oT$P<~SYidMTqc%R zcX-+ZB)f&9LcFiG#<4OVROG3VX5wiP2nWY)cRHnW`fyx>sY-Mh4${VY2;v=!iF2V` zk!S}8px)r0F>e@rY53;`=A-Qf@!XGGfsdvsy)Bf@GmtWUAcN({tiMS!W9yawiN1S# z0)|nLg+KsVa}mfgt-NwWlwL7^%wa^-X(H}b>>tt$)&Ut9qZ=j(aKeJxzcah)%J3C) zn!UXjgGaD@CU~*AZooD1%Y>;=>?Lk8$$>1}L8Ik*mBTP1FKSyC_Jq0W?~|eN(+fJPdS3;S4uJv2vBLRV3|LaFZyxZ7*_h8^w_Jb(k*h zCY|Ws0ST!`lQGRt$zpEZ@Gc@Ls~UGOLhA2oyd$gr5MrXB2)fOfcc6A8fV@8nRSg3`1120%vDZmp5W{HOBWjr6j~FO#j$)=_DEVc7PpyI(UT-F zSj0@Cb3?K~A(i;@{CLwamCQU+&{Co*XrD5N2f3FMLSqD^gz1CG8UdMLjv*dKKn9tv 
zZ$0myi!4jD>xL)mL!!;i&r@V~ct={g*OjHDiErM>{f(u;5swo-bo|%IP_ln3h&^pp zlEeYAFv!}Gr0t-BY#2e4?bPf&Z^txa7w2EmY>z}^ZJ);3re65nb3xq{Vj$}-fcm+m7zhi5zj1D z#OU$_lU#OfS&sK)WHm6wh2e{F$GNGXB(;&!-5cLaMd$BB{LR%tsutrt+te__I`_r%jN8&E!1S5ufnsHaQ!=yxSimh z%3N7x6AaC6m+1-H7DjDC#p zd{?=V2i_uvMOV0{T8$njRB7y^T8~3E(mXJZ>Z&#I(r2(5XdgsKaaM_k}Tb6fN!yCdXRl~>bx4m5$E_WxNl2k?zu9_ z?x;CcIApjKiW0|(mR7o8E4Ds3aMr}?moBKskZ&!ejB$Lj&9ktpG)hz@VoT>)*#tOQrA^^c5w zOw30e{%&v^D2{$|d@ofdKfy#Yf4p$vt71sXwALV>g( ztclLvRJyFcf_r~S1Jw|vKXC6aX&^Z^Nll!`hfuajRO)ZS2S$IKn5Ag* zdaBxe*?h72p{StTFSf)LU0z`@q)h_tHZOwmtdDG6)KjH>AX+}^f!SqY5}qm2S%7kM zC5uld7sM4$&Zks781f*De9gsmq4>$Pi7hVfV}3u+HDmAd&&>}a{%t$nYh6iH{VRur zBn$aH7W1f)!UnDPts-M8nnyT)DFY`9hyA+JFkOL!B^srWFP=bh?b|wNDno}{I{e~z z;5R{BDDN!UJQB}6EI=KfD-PW^MJ!mpI|uL=5FA>{|4s_fl5coDnY zfPXk1qtG?gnW1!5J2_-E42WwXiZ7h`c7vlwBSMemQ`#|)XG@fLR^H17f=+zrmQaK9 zgiqmZ~!qkWw2jM-#Gf$1K(P z&yk7_hgbxF^C?CngZ3egwopG{OrvZ-SglA2=JesncC2reZRv26eX}}EmTg{3^&d6B zS9VZv=#gm7gzAqP@CrLJLG0cZS!w`aq#YB#3UGPaN$0|gIrtn1k&!XRh2$}C&W6NiV+7I$H)R|@)f$_v&yXNL0<=TaBbKL&IAQy~7D zd@j^rX2@AN-fDt4ghTxR@|XZB;sDJ8oRI_{Ua9M5+NN`jznLF+CJ4h=aa89ld)P%O;MmTPir-J z;Tv;Pz)ZxkhxMEJ)t&6Q43~sNsoTi>7@KKEcy2I^B--Q{2-kPyTy;+FtX#p$Ls%u)M`P5qGsk~#4z9|~+|plY{4EK9#BSwRKDCW0oAt9PWuvJeITfvY3#!;co#jjB z(VJ{Kmoj~=Mk;-RhgjKn6QR->w@BSWPvOM)*}H@L-kaaNKv&P%|G>t2*8>*_b|g@X zuH``H#c2GG}k&9lH{kbrZ-^E-LdPM0NdUC%Ogv_Wc4j~$9b4+}bpGyFtxgCQ>Py|;jtZO56fr2dh-u7OJun&EgK zQVSv}<5`-sD_irJuZL=8((u))W%V>gg}FW7QkrHHov2;EtI^Z$B;B|^AhJ^- zb2)hwbGb;iiSe&D7+ZtL}-9vAF!lMN-02{RuxMVr1N0u8i<6)IhK7rKUKhP*xk zhiHI~Xu^(~Ab32(ZKYh*i>PJslW7=DFBI5o1Z|oj!pW`A1AE)T{92B{TSp;b=P#@C zXchf_A1i+H7}l8zvBl0F$*CXkBhf7nQH;d%zv-CrrbMwhUJ?dz;2K{vf4h)Q{kh`X zDb1@4Ilp4O|1@9RV%;(2T06VV*bQQ|`WACe_0gQdN!4#L7bAI8%yGIJ{Vf7PX zhu>0jP{F@R%}_mS*~+YlXC-fIzjU@G{-_2^*1&si;xlmvqUcsr@o77xYG3ahDW`hu zI@PVG^v!cM9fXsG6G@uaU9I~|;fEc4=x&SDVfJlAXtid=c|jme%Q0BS`$wkAH^fVg z2IA0>V5iKeQnmU`J{6?qgQ&Y6YJ?1n&E~kRnF)ArYc#{vIfB!(@I?YY5jWbN@PP1< zZ6V_EhralZW%5vB%OJn|n^PCBsOV;qVK>>oiSch$V55-=8tq#wH(o#gB?$b^_eNr% 
zFF4|hyvG;|>zc6f=vc^o)vx-6N?8T!U|;a4V?Q9?*9#{evk#LYfy`iph025GuzeUM zDh`&qwBfBY-cD*v&I)TbPf*c2w?yb{rl2&uM4K!qAtPH`ms=#>Ma<-H9XnG-nA`Uz zbF_)fi?Y)f^1xxK5$VJ!0`v%$oN;R45Vd?$7~GrenNk71RIX7o@ox};P`d(|C~e;! z8rK*$u;G7tLq8&2GUQ^l*gErVdB%sSd0B93DIgo-<_g3GDf}!GAae5VW1yncQ1+2S zu~5Byka=TQgdNVzHU9}J4*z>r*N~z<{7Vt|oz-tm?FztHBK1aCz0u-AUZEp*yh4}O zi;S_N+ziikb!($QHLFHh=rO9G_f?vvBsqq3fu9(7Q2afsLXNfj5wl8TK)h2(71q*}^xfHN}>l8QG9IU_6=g^*ih^{&#H;%b)+vEe^ts ze;AEmoX&(TMS(mIqUP*x8Zx;#u!w2?epop6?TlRL!)4phAU$uHLY1I)9XZ#ymk~3l zSBXNB5ZJNS4k`Qy{g1J~U{UYp9STkN&hc}d56T<{KZ|+vqDkzNroTQ{Ls%~~_!@G0 z@H!IjA;q+Tso@EUVwt)16=H%iR^{v>{X+IzswF+gUN!z7fg)kwzLFy*d2K!Wr1_c@ z>0wsrNql#!2}6N%%zqYDKle^h_s8^y*G|?~ucAB+icfn2!2UNN0}WyV%gsBthwY-P zs1GexX~~-FFY;=*5smD}`L9xGDLk@Nk9ZaxKhI>7dAg};&Evt}1G_^V`^km(!=o6V0v+B(a?V$ zV*mbl4`86-=`pVS_9MLaX4XPXhaQ=g=v!K9 zKH&}xh=3)K(F_1L_Fb-+Np@YV4Y%uaOv&x(Y?C$P$bF{0Yytg`$?>9M&69i5D4$8T zNA(fu#Z3K%@CB~(tsBQdk}+kT^q#tWR~icw9P^T51C+=2RpQ<)Y#TD8ywlvm;%IPf zLjhZmeoLrdP@ImY5gOEO5%~%0s!9xfU`>-(U=P5PH9d66@|RlhE4`PBI&hS9pSS3r z69q~UAbr8RS9=e~PML2VDkk(E{aj{>1Z>`5Q$aBY6KRn-LBxUrc>58iF$RV4nMR!S z`$xQPt3@9vlM0+Sl(36{n3MUKpb6!0@%(C#Yq_0qy~h{i1F3;&R5MletbeHmzm?@` zs-jC1p4pFaK40FnZCT)SuBfqPs2t@5X35yPSB`7!|741~tT|*EF@HWLr|UcMIcxgw zt;*-^45_(_Iunt9ZB@GQP$QkLl~ro*?3aDl)bztSvahKE**r5_%g5|S?9|d~VI(QM zZbeSJZiSh>Mx$8tM~sWUrtUcu8|ghW66J_r`D?9`^(9d%0nVnzbcIHXiBNpw_AnhMGFQ>GQ-SEmO z<>~n=bt1*HF4&~nXD#jvMhCA`+3l)2Hl6&_gApc_X?t((aBTi8S;}+sS9Z{@W`>6c zA>%T=K*X+|oSNMV0?%e^HmulGym(L%N_Fr3*&-ZjvEbpO zSEx1~D3ne9fP3YR)UE9qKEf$f)bW+iKby8#exIx-_4-@#11k?#TS_Ob zQxfZMefclPAV?~+gzh`#b*S18XQGg1`#=8jAIIS5K+XVXyrH$v9@{X)$P3Dgz3p*N zl{qG;S~3f#XP3#CxU^dft@W`2M~$)hGc?EU`mqUYwl?h;MEBX9A}F78G0lg(5XN!w z5f3Ipyj00h5Z@w0gd3brlc{5I1EE8nU|)a#fQ{WXtbRPHmeH^sB4Ldu;ItwfeY zvP=OuP9tpY!kITnjW0iBXuaF4#+)S#2o7YRtCYR@n^-FC?G(N;v&h8OS0>>{L#>E-lcUvL>5rekD_aFk$6TVL zP384znDkwDj7bRD)e=AINnhM83Gx09Sn)4-jCGeA?_wDmyXWyn5BoTL$9M+v$__|R z?H%+>OJ@A-9n2qhISk$?h__C}EIZ}b~F z%?MWuN5g2&;IMGxU=DsSOG-s_RJ*paV7Y7ry@iDMKoN25KshtpB`Rz_Grdekw 
z`s4Z)k_4;sie*XPAuEK>9*T%DRyroccpHAi2{VHuW$i-8)S6r#Mgnb{%4d;)>mMQzYtH2h&41@=CKAw|}o$tc; zF=zp=#KH&ZKCMkP+jQe3DM@}sfT@{HdZFCTf#Q~LsSsv<0f?qcuLG@mYo#<7;A+CX z;@5JZhRtOuTyUkMPk<& Date: Thu, 14 Sep 2023 18:00:25 -0400 Subject: [PATCH 6/9] [New Rule] Github Repository Deleted (#3056) * new rule * Update rules/integrations/github/impact_github_repository_deleted.toml * Update rules/integrations/github/impact_github_repository_deleted.toml updates based on review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --- .../impact_github_repository_deleted.toml | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 rules/integrations/github/impact_github_repository_deleted.toml diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml new file mode 100644 index 000000000..a3193318c --- /dev/null +++ b/rules/integrations/github/impact_github_repository_deleted.toml 
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2023/08/29"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/29"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a GitHub repository is deleted within your organization.
+Repositories are a critical component used within an organization to manage work,
+collaborate with others and release products to the public. Any delete action against
+a repository should be investigated to determine it's validity. Unauthorized deletion
+of organization repositories could cause irreversible loss of intellectual property and
+indicate compromise within your organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub Repository Deleted"
+risk_score = 47
+rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
+severity = "medium"
+tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+configuration where event.module == "github" and event.action == "repo.destroy"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
From b291317ea6ef04b840ad07ac1c5a12f7773922bd Mon Sep 17 00:00:00 2001
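Review bot: The description line `a repository should be investigated to determine it's validity` has a typo; it should read `determine its validity`. The rule also ships without a `note` field, so an analyst paged on a `repo.destroy` audit event gets no triage guidance even though the description itself calls the impact irreversible; a short investigation note (identify who performed the deletion, confirm whether it was a planned cleanup, and check for other recent destructive actions by the same actor) would make the alert actionable.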
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 18 Sep 2023 09:51:20 +0200 Subject: [PATCH 7/9] [New Rule] Network Activity Detected via cat (#3069) * [New Rule] Network Activity via cat * Update command_and_control_cat_network_activity.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- ...mand_and_control_cat_network_activity.toml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 rules/linux/command_and_control_cat_network_activity.toml diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml new file mode 100644 index 000000000..39cb4ed43 --- /dev/null +++ b/rules/linux/command_and_control_cat_network_activity.toml 
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/09/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/09/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat
+is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel.
+This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools
+or files to another host in the network or exfiltrate data while attempting to evade detection in the process.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Network Activity Detected via cat"
+risk_score = 47
+rule_id = "afd04601-12fc-4149-9b78-9c3f8fe45d39"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1s
+ [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ process.name == "cat"]
+ [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and
+ process.name == "cat"]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = 
"https://attack.mitre.org/tactics/TA0010/" From de2b97a492e6e6b3f9b7ddd9430db247ff5374b9 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 11:14:42 -0400 Subject: [PATCH 8/9] Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 (#3108) * Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 * Update detection_rules/etc/version.lock.json --------- Co-authored-by: terrancedejesus Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --- detection_rules/etc/version.lock.json | 135 +++++++++++++++++++++++--- 1 file changed, 120 insertions(+), 15 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 64e084555..c18651999 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -190,6 +190,13 @@ "type": "eql", "version": 106 }, + "07639887-da3a-4fbf-9532-8ce748ff8c50": { + "min_stack_version": "8.3", + "rule_name": "GitHub Protected Branch Settings Changed", + "sha256": "b801d28bb5398fb531f21cecefae0f3c21b0d7b4c675fc8349ccf4448e7a2b7c", + "type": "eql", + "version": 1 + }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", @@ -340,9 +347,9 @@ "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "min_stack_version": "8.5", "rule_name": "Threat Intel IP Address Indicator Match", - "sha256": "88e3b7fed59fc79874b0d6375168a21a7623b3a38a74c838ea3c3698190a92d1", + "sha256": "421308bb2c832aaa4cdbefbde389b0ff645e12fc5d7ea78c9296139099772abb", "type": "threat_match", - "version": 2 + "version": 3 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.3", 
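Review bot: The `tags` line names only `Tactic: Command and Control`, while the `[[rule.threat]]` blocks declare three tactics (TA0011, TA0005 Defense Evasion, TA0010 Exfiltration); if tags are meant to mirror the threat section, as they appear to elsewhere in this patch set, `"Tactic: Defense Evasion"` and `"Tactic: Exfiltration"` should be added so the alert is filterable by all of them. The description also has a typo: `transfering` should be `transferring`. Since the network filter accepts both `connection_attempted` and `disconnect_received`, a sentence in the description stating that a failed or immediately closed connection still triggers the rule would save analysts from assuming a successful transfer took place.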
@@ -637,6 +644,13 @@ "type": "query", "version": 102 }, + "14dab405-5dd9-450c-8106-72951af2391f": { + "min_stack_version": "8.3", + "rule_name": "Office Test Registry Persistence", + "sha256": "2a26bc9292902c92d9bc73a14ff7e20ffa9c0904b209692b1e8e23bd32c88fb3", + "type": "eql", + "version": 1 + }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "min_stack_version": "8.4", "previous": { @@ -967,6 +981,13 @@ "type": "query", "version": 6 }, + "1f460f12-a3cf-4105-9ebb-f788cc63f365": { + "min_stack_version": "8.3", + "rule_name": "Unusual Process Execution on WBEM Path", + "sha256": "7d596dca903c48dde13a6b90746947628693b11dd9140e3eb89ca6eba10ae966", + "type": "eql", + "version": 1 + }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "min_stack_version": "8.3", "rule_name": "Unusual Linux User Calling the Metadata Service", @@ -1036,6 +1057,13 @@ "type": "query", "version": 100 }, + "210d4430-b371-470e-b879-80b7182aa75e": { + "min_stack_version": "8.3", + "rule_name": "Mofcomp Activity", + "sha256": "d42c6a1889b42bcd83cb46d9838038cfd4248b792d5fef1abc4cedc81b269d4a", + "type": "eql", + "version": 1 + }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "min_stack_version": "8.4", "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", @@ -1517,6 +1545,13 @@ "type": "eql", "version": 1 }, + "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { + "min_stack_version": "8.3", + "rule_name": "GitHub Repository Deleted", + "sha256": "82225047c1559d8bba7c15944953088395802e8a1ad8fd0552714eee65b22635", + "type": "eql", + "version": 1 + }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "min_stack_version": "8.3", "rule_name": "Accepted Default Telnet Port Connection", 
@@ -1655,6 +1690,13 @@ "type": "query", "version": 103 }, + "39157d52-4035-44a8-9d1a-6f8c5f580a07": { + "min_stack_version": "8.3", + "rule_name": "Downloaded Shortcut Files", + "sha256": "362ab87565072831948627491a1ba91889340030ce6f1438122322ffa57acb5d", + "type": "eql", + "version": 1 + }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Outlook VBA", @@ -1706,9 +1748,9 @@ "3b47900d-e793-49e8-968f-c90dc3526aa1": { "min_stack_version": "8.3", "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "a9acccb7d18adc13099ab88eb003c037bf57f2defa18fc91c8945299c38cba92", + "sha256": "97b3141cf72282ca02c73091a527edf31e31d10d22d241e91c6d173bc1abd792", "type": "eql", - "version": 106 + "version": 107 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "min_stack_version": "8.3", @@ -2334,12 +2376,19 @@ "type": "eql", "version": 106 }, + "53dedd83-1be7-430f-8026-363256395c8b": { + "min_stack_version": "8.3", + "rule_name": "Binary Content Copy via Cmd.exe", + "sha256": "3ab2b049abaa1462ebed7b019dcd5da6957b5328c2ce7d2eb86b87e74a4ec28d", + "type": "eql", + "version": 1 + }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.3", "rule_name": "Uncommon Registry Persistence Change", - "sha256": "950bfce6a55758ef6c60b1fd13ef84531915c61992e405c7217f3bcb40df0f3f", + "sha256": "470d8e6c5c1dfd3564bd5f3b59d7853db9137942de25c38e4281b2d16df70ede", "type": "eql", - "version": 104 + "version": 105 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.3", @@ -2586,6 +2635,13 @@ "type": "new_terms", "version": 6 }, + "5c895b4f-9133-4e68-9e23-59902175355c": { + "min_stack_version": "8.6", + "rule_name": "Potential Meterpreter Reverse Shell", + "sha256": "5941e6650b12bc02b03d289fa389b9f2347c53636e6368753bd5917b5a776cd5", + "type": "eql", + "version": 1 + }, "5c983105-4681-46c3-9890-0c66d05e776b": { "min_stack_version": "8.3", "rule_name": "Unusual Linux Process Discovery Activity", 
@@ -3537,6 +3593,13 @@ "type": "eql", "version": 3 }, + "800e01be-a7a4-46d0-8de9-69f3c9582b44": { + "min_stack_version": "8.3", + "rule_name": "Unusual Process Extension", + "sha256": "15e1dd225bae684eac522b61872faae250a8aac0c4cb71b4e6d68986665587ed", + "type": "eql", + "version": 1 + }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "min_stack_version": "8.3", "rule_name": "Unusual City For an AWS Command", @@ -4577,6 +4640,13 @@ "type": "eql", "version": 2 }, + "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { + "min_stack_version": "8.6", + "rule_name": "Potential Reverse Shell via UDP", + "sha256": "2bb373420b8f04de56b4e10442d426787ff255a9ed14d92c64f05a0c3334871f", + "type": "eql", + "version": 1 + }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "min_stack_version": "8.3", "rule_name": "Potential SSH Brute Force Detected on Privileged Account", @@ -4601,9 +4671,9 @@ "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "min_stack_version": "8.5", "rule_name": "Threat Intel Windows Registry Indicator Match", - "sha256": "1867577987b72a8cb67a4b74b89643d3df862354ae3eadfd616c9b51ec1000a0", + "sha256": "4c02e860e8200660cdd059bfaa155532f5b584f3325ac7ffbdafbebcefe5a234", "type": "threat_match", - "version": 2 + "version": 3 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.3", @@ -4714,9 +4784,9 @@ "aab184d3-72b3-4639-b242-6597c99d8bca": { "min_stack_version": "8.5", "rule_name": "Threat Intel Hash Indicator Match", - "sha256": "b84f93be7b12d9e7b6dc37e4b6f6f68f717bbb33d181321aaa4a2f77ed66a60d", + "sha256": "1532d5577abdf44288ebeb628cd80e676e02e99367876b31e9c46200d37d5e81", "type": "threat_match", - "version": 3 + "version": 4 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "min_stack_version": "8.3", 
@@ -4889,6 +4959,13 @@ "type": "eql", "version": 105 }, + "afd04601-12fc-4149-9b78-9c3f8fe45d39": { + "min_stack_version": "8.3", + "rule_name": "Network Activity Detected via cat", + "sha256": "842200b53b379cfcfe0e98cce8c0775e7120c7312edc3aecaa2cae7783559566", + "type": "eql", + "version": 1 + }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Container Misconfiguration", @@ -5091,6 +5168,13 @@ "type": "eql", "version": 104 }, + "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { + "min_stack_version": "8.3", + "rule_name": "Kirbi File Creation", + "sha256": "5cc88228ed8f2119aba7d21bef4e172fec1499a3b3b8168eb439cb581d94c2ac", + "type": "eql", + "version": 1 + }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", @@ -5745,6 +5829,13 @@ "type": "eql", "version": 105 }, + "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { + "min_stack_version": "8.3", + "rule_name": "Downloaded URL Files", + "sha256": "3b2b2822568470b436f1a1db2ca7db260343faeb5f156b1b3b697a4393137938", + "type": "eql", + "version": 1 + }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.3", "rule_name": "Attempt to Deactivate MFA for an Okta User Account", @@ -5886,6 +5977,13 @@ "type": "eql", "version": 6 }, + "d3551433-782f-4e22-bbea-c816af2d41c6": { + "min_stack_version": "8.3", + "rule_name": "WMI WBEMTEST Utility Execution", + "sha256": "687d0e851309a066fb0d13b00750846d62e6da9fca5b2a80f9f8b6864ada9b76", + "type": "eql", + "version": 1 + }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "min_stack_version": "8.3", "rule_name": "Shell Execution via Apple Scripting", 
@@ -6492,7 +6590,7 @@ "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a", "type": "eql", - "version": 2 + "version": 4 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "min_stack_version": "8.3", @@ -6886,9 +6984,9 @@ "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "min_stack_version": "8.5", "rule_name": "Threat Intel URL Indicator Match", - "sha256": "b03b79e60e32f4744d7db406946e56fc43bf99671ae3c7cd9af2dabdb17d171f", + "sha256": "f8210c3d8a13d1354dfe9c14053034eafc71b8bef3477f9e8e7279672ce95601", "type": "threat_match", - "version": 2 + "version": 3 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.3", @@ -6938,6 +7036,13 @@ "type": "query", "version": 1 }, + "f59668de-caa0-4b84-94c1-3a1549e1e798": { + "min_stack_version": "8.3", + "rule_name": "WMIC Remote Command", + "sha256": "dc6e94a20b8f1618cea407e2ac25227adc96daf497e2c1b5b034408f0e1aa3c9", + "type": "eql", + "version": 1 + }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "min_stack_version": "8.3", "rule_name": "Masquerading Space After Filename", @@ -7004,9 +7109,9 @@ "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "min_stack_version": "8.3", "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "b1b304251797d95d12cc192562063ef62b6569b453974d77fb9f017320ae1731", + "sha256": "afb59ffb04d13b21e0f2cff08ed6f27c27dde808d3cb5b84a5eb3ddb2d566665", "type": "eql", - "version": 107 + "version": 108 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.3", From f6b6bee5c287d2d6806000ed3ce2b7c605a2bb35 Mon Sep 17 00:00:00 2001 
From: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Date: Thu, 21 Sep 2023 12:22:39 -0700 Subject: [PATCH 9/9] update transform test to fail on missing transform (#3085) Co-authored-by: brokensound77 Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --- tests/test_all_rules.py | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 6e56a91c8..eaf7a86c7 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -1177,20 +1177,29 @@ class TestNoteMarkdownPlugins(BaseRuleTest): for rule in self.production_rules.rules: has_transform = rule.contents.get('transform') is not None has_note = rule.contents.data.get('note') is not None + note = rule.contents.data.note - if has_transform and not has_note: - self.fail(f'{self.rule_str(rule)} transformed defined with no note') - elif not has_transform: - continue + if has_transform: + if not has_note: + self.fail(f'{self.rule_str(rule)} transformed defined with no note') + else: + if not has_note: + continue + + note_template = PatchedTemplate(note) + identifiers = [i for i in note_template.get_identifiers() if '_' in i] + + if not has_transform: + if identifiers: + self.fail(f'{self.rule_str(rule)} note contains plugin placeholders with no transform entries') + else: + continue transform = rule.contents.transform transform_counts = {plugin: len(entries) for plugin, entries in transform.to_dict().items()} - note = rule.contents.data.note - self.assertIsNotNone(note) - note_template = PatchedTemplate(note) note_counts = defaultdict(int) - for identifier in note_template.get_identifiers(): + for identifier in identifiers: # "$" is used for other things, so this verifies the pattern of a trailing "_" followed by ints if '_' not in identifier: continue
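Review bot: The `if '_' not in identifier: continue` guard inside the `for identifier in identifiers:` loop at the end of the hunk can no longer fire, because `identifiers` is already built with `if '_' in i`; keeping both leaves two places that define what counts as a plugin placeholder, and the explanatory `# "$" is used for other things` comment now sits next to dead code. Either drop the three guard lines and move that comment up to the `identifiers = [...]` comprehension, or drop the filter from the comprehension and keep the guard. The enclosing test method starts before the hunk and its body continues after it.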