From 4312d8c9583be524578a14fe6295c3370b9a9307 Mon Sep 17 00:00:00 2001 
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Wed, 4 Jan 2023 09:30:07 -0500 Subject: [PATCH] [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) * initial commit * addressing flake errors * added apm to _get_packagted_integrations logic * addressed flake errors * adjusted integration schema and updated rules to be a list * updated several rules and removed a unit test * updated rules with logs-* only index patterns * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson * addressed flake errors * integration is none is windows, endpoint or apm * adding rules with accepted incoming changes from main * fixed tag and tactic alignment errors from unit testing * adjusted unit testing logic for integration tags; added more exclusion rules * adjusted test_integration logic to be rule resistant and skip if -8.3 * adjusted comments for unit test skip * fixed merge conflicts from main * changing test_integration_tag to remove logic for rule version comparisons * added integration tag to new rule * adjusted rules updated_date value * ignore guided onboarding rule in unit tests * added integration tag to new rule Co-authored-by: Mika Ayenson --- .../etc/integration-manifests.json.gz | Bin 3314 -> 4144 bytes detection_rules/rule.py | 10 +- pyproject.toml | 5 + rules/apm/apm_403_response_to_a_post.toml | 3 +- .../apm_405_response_method_not_allowed.toml | 3 +- rules/apm/apm_sqlmap_user_agent.toml | 3 +- ...and_and_control_non_standard_ssh_port.toml | 16 +-- ...s_cookies_chromium_browsers_debugging.toml | 3 +- ...e_evasion_deleting_websvr_access_logs.toml | 3 +- ...deletion_of_bash_command_line_history.toml | 3 +- ...sion_elastic_agent_service_terminated.toml | 5 +- ...ion_masquerading_space_after_filename.toml | 9 +- .../defense_evasion_timestomp_touch.toml | 3 +- .../discovery_security_software_grep.toml | 3 +- ...y_virtual_machine_fingerprinting_grep.toml | 3 +- 
...on_pentest_eggshell_remote_admin_tool.toml | 10 +- .../execution_python_script_in_cmdline.toml | 3 +- .../execution_revershell_via_shell_cmd.toml | 3 +- ...xecution_suspicious_jar_child_process.toml | 5 +- ...tion_suspicious_java_netcon_childproc.toml | 19 ++- .../guided_onboarding_sample_rule.toml | 17 +-- .../impact_hosts_file_modified.toml | 10 +- ...l_access_modify_auth_module_or_config.toml | 3 +- ...ersistence_shell_profile_modification.toml | 3 +- ...ence_ssh_authorized_keys_modification.toml | 3 +- ...lege_escalation_echo_nopasswd_sudoers.toml | 3 +- ...ation_setuid_setgid_bit_set_via_chmod.toml | 4 +- ...ilege_escalation_sudo_buffer_overflow.toml | 3 +- ...privilege_escalation_sudoers_file_mod.toml | 3 +- ...collection_cloudtrail_logging_created.toml | 4 +- ...ccess_aws_iam_assume_role_brute_force.toml | 14 +- ...ial_access_iam_user_addition_to_group.toml | 16 ++- ...cess_root_console_failure_brute_force.toml | 4 +- ..._access_secretsmanager_getsecretvalue.toml | 15 +- ...se_evasion_cloudtrail_logging_deleted.toml | 8 +- ..._evasion_cloudtrail_logging_suspended.toml | 4 +- ...nse_evasion_cloudwatch_alarm_deletion.toml | 8 +- ..._evasion_config_service_rule_deletion.toml | 4 +- ...vasion_configuration_recorder_stopped.toml | 4 +- ...defense_evasion_ec2_flow_log_deletion.toml | 8 +- ...ense_evasion_ec2_network_acl_deletion.toml | 8 +- ...n_elasticache_security_group_creation.toml | 28 ++-- ...he_security_group_modified_or_deleted.toml | 24 ++-- ...e_evasion_guardduty_detector_deletion.toml | 8 +- ...sion_s3_bucket_configuration_deletion.toml | 4 +- .../aws/defense_evasion_waf_acl_deletion.toml | 8 +- ...asion_waf_rule_or_rule_group_deletion.toml | 5 +- ..._full_network_packet_capture_detected.toml | 23 ++-- ...ltration_ec2_snapshot_change_activity.toml | 15 +- .../exfiltration_ec2_vm_export_failure.toml | 16 ++- .../aws/exfiltration_rds_snapshot_export.toml | 6 +- .../exfiltration_rds_snapshot_restored.toml | 21 +-- 
..._eventbridge_rule_disabled_or_deleted.toml | 17 ++- .../impact_cloudtrail_logging_updated.toml | 4 +- .../impact_cloudwatch_log_group_deletion.toml | 4 +- ...impact_cloudwatch_log_stream_deletion.toml | 15 +- .../impact_ec2_disable_ebs_encryption.toml | 4 +- ...mpact_efs_filesystem_or_mount_deleted.toml | 11 +- .../aws/impact_iam_deactivate_mfa_device.toml | 5 +- .../aws/impact_iam_group_deletion.toml | 8 +- ...mk_disabled_or_scheduled_for_deletion.toml | 13 +- .../aws/impact_rds_group_deletion.toml | 5 +- .../impact_rds_instance_cluster_deletion.toml | 17 ++- .../impact_rds_instance_cluster_stoppage.toml | 4 +- .../initial_access_console_login_root.toml | 14 +- .../aws/initial_access_password_recovery.toml | 4 +- .../initial_access_via_system_manager.toml | 15 +- .../ml_cloudtrail_error_message_spike.toml | 2 +- .../aws/ml_cloudtrail_rare_error_code.toml | 2 +- .../ml_cloudtrail_rare_method_by_city.toml | 2 +- .../ml_cloudtrail_rare_method_by_country.toml | 2 +- .../ml_cloudtrail_rare_method_by_user.toml | 2 +- .../persistence_ec2_network_acl_creation.toml | 8 +- ..._group_configuration_change_detection.toml | 26 ++-- .../aws/persistence_iam_group_creation.toml | 4 +- .../aws/persistence_rds_cluster_creation.toml | 8 +- .../aws/persistence_rds_group_creation.toml | 8 +- .../persistence_rds_instance_creation.toml | 4 +- ...ersistence_redshift_instance_creation.toml | 10 +- ...oute_53_domain_transfer_lock_disabled.toml | 4 +- ...domain_transferred_to_another_account.toml | 10 +- ..._53_hosted_zone_associated_with_a_vpc.toml | 13 +- .../aws/persistence_route_table_created.toml | 17 +-- ...tence_route_table_modified_or_deleted.toml | 18 +-- ...calation_aws_suspicious_saml_activity.toml | 14 +- ...ege_escalation_root_login_without_mfa.toml | 14 +- ...ilege_escalation_sts_assumerole_usage.toml | 14 +- ..._escalation_sts_getsessiontoken_abuse.toml | 16 +-- ...ege_escalation_updateassumerolepolicy.toml | 14 +- ...collection_update_event_hub_auth_rule.toml | 4 +- 
..._full_network_packet_capture_detected.toml | 24 ++-- .../credential_access_key_vault_modified.toml | 6 +- ...ccess_storage_account_key_regenerated.toml | 4 +- ...e_application_credential_modification.toml | 4 +- ...sion_azure_automation_runbook_deleted.toml | 10 +- ...asion_azure_blob_permissions_modified.toml | 15 +- ...on_azure_diagnostic_settings_deletion.toml | 4 +- ...sion_azure_service_principal_addition.toml | 14 +- .../defense_evasion_event_hub_deletion.toml | 8 +- ...ense_evasion_firewall_policy_deletion.toml | 8 +- ...on_frontdoor_firewall_policy_deletion.toml | 17 ++- ...nse_evasion_kubernetes_events_deleted.toml | 13 +- ...ense_evasion_network_watcher_deletion.toml | 8 +- ...ense_evasion_suppression_rule_created.toml | 14 +- .../discovery_blob_container_access_mod.toml | 4 +- .../execution_command_virtual_machine.toml | 4 +- ...e_service_principal_credentials_added.toml | 4 +- .../azure/impact_kubernetes_pod_deleted.toml | 11 +- .../azure/impact_resource_group_deletion.toml | 4 +- ...mpact_virtual_network_device_modified.toml | 18 +-- ...ure_active_directory_high_risk_signin.toml | 14 +- ..._high_risk_signin_atrisk_or_confirmed.toml | 15 +- ...re_active_directory_powershell_signin.toml | 14 +- ...tack_via_azure_registered_application.toml | 14 +- ...ial_access_external_guest_user_invite.toml | 4 +- ...ence_azure_automation_account_created.toml | 4 +- ...utomation_runbook_created_or_modified.toml | 4 +- ...ence_azure_automation_webhook_created.toml | 4 +- ...re_conditional_access_policy_modified.toml | 4 +- ...re_global_administrator_role_assigned.toml | 27 ++-- ...nce_azure_pim_user_added_global_admin.toml | 4 +- ...ged_identity_management_role_modified.toml | 14 +- ...rsistence_mfa_disabled_for_azure_user.toml | 14 +- ..._added_as_owner_for_azure_application.toml | 4 +- ..._as_owner_for_azure_service_principal.toml | 4 +- ..._azure_kubernetes_rolebinding_created.toml | 12 +- ...berarkpas_error_audit_event_promotion.toml | 16 +-- 
...commended_events_to_monitor_promotion.toml | 11 +- .../endpoint/elastic_endpoint_security.toml | 12 +- ...ion_gcp_pub_sub_subscription_creation.toml | 4 +- ...collection_gcp_pub_sub_topic_creation.toml | 4 +- ...nse_evasion_gcp_firewall_rule_created.toml | 4 +- ...nse_evasion_gcp_firewall_rule_deleted.toml | 4 +- ...se_evasion_gcp_firewall_rule_modified.toml | 4 +- ...e_evasion_gcp_logging_bucket_deletion.toml | 8 +- ...nse_evasion_gcp_logging_sink_deletion.toml | 4 +- ...ion_gcp_pub_sub_subscription_deletion.toml | 4 +- ...se_evasion_gcp_pub_sub_topic_deletion.toml | 8 +- ...storage_bucket_configuration_modified.toml | 4 +- ...p_storage_bucket_permissions_modified.toml | 4 +- ...virtual_private_cloud_network_deleted.toml | 4 +- ...p_virtual_private_cloud_route_created.toml | 4 +- ...p_virtual_private_cloud_route_deleted.toml | 4 +- ...tration_gcp_logging_sink_modification.toml | 4 +- .../gcp/impact_gcp_iam_role_deletion.toml | 8 +- .../impact_gcp_service_account_deleted.toml | 4 +- .../impact_gcp_service_account_disabled.toml | 4 +- .../impact_gcp_storage_bucket_deleted.toml | 4 +- ...l_access_gcp_iam_custom_role_creation.toml | 4 +- ..._gcp_iam_service_account_key_deletion.toml | 4 +- ...e_gcp_key_created_for_service_account.toml | 4 +- ...rsistence_gcp_service_account_created.toml | 4 +- ...ship_transferred_via_google_workspace.toml | 4 +- ...ustom_gmail_route_created_or_modified.toml | 4 +- ...ed_from_blocklist_in_google_workspace.toml | 4 +- ...d_to_google_workspace_trusted_domains.toml | 25 ++-- ..._workspace_bitlocker_setting_disabled.toml | 4 +- ..._marketplace_changed_to_allow_any_app.toml | 4 +- ..._google_workspace_admin_role_deletion.toml | 17 ++- ...le_workspace_mfa_enforcement_disabled.toml | 18 ++- ...tion_added_to_google_workspace_domain.toml | 18 ++- ..._google_workspace_2sv_policy_disabled.toml | 4 +- ...workspace_admin_role_assigned_to_user.toml | 4 +- ...a_domain_wide_delegation_of_authority.toml | 4 +- 
...e_workspace_custom_admin_role_created.toml | 4 +- ...ence_google_workspace_policy_modified.toml | 17 ++- ...stence_google_workspace_role_modified.toml | 4 +- ...ess_modified_to_allow_external_access.toml | 4 +- ...pace_user_organizational_unit_changed.toml | 4 +- ...led_for_google_workspace_organization.toml | 16 ++- ...covery_denied_service_account_request.toml | 10 +- ...covery_suspicious_self_subject_review.toml | 8 +- .../execution_user_exec_to_pod.toml | 10 +- ...l_access_anonymous_request_authorized.toml | 8 +- ...ed_service_created_with_type_nodeport.toml | 12 +- ...ted_with_excessive_linux_capabilities.toml | 30 ++-- ...e_escalation_pod_created_with_hostipc.toml | 13 +- ...calation_pod_created_with_hostnetwork.toml | 13 +- ...e_escalation_pod_created_with_hostpid.toml | 13 +- ...reated_with_sensitive_hostpath_volume.toml | 37 +++-- ...ege_escalation_privileged_pod_created.toml | 11 +- ...ignment_of_controller_service_account.toml | 8 +- ...llection_microsoft_365_new_inbox_rule.toml | 14 +- ..._365_brute_force_user_account_attempt.toml | 5 +- ...65_potential_password_spraying_attack.toml | 6 +- ...ccess_user_excessive_sso_logon_errors.toml | 6 +- ...osoft_365_exchange_dlp_policy_removed.toml | 4 +- ...change_malware_filter_policy_deletion.toml | 4 +- ..._365_exchange_malware_filter_rule_mod.toml | 4 +- ...65_exchange_safe_attach_rule_disabled.toml | 4 +- ...oft_365_mailboxauditbypassassociation.toml | 18 ++- ..._365_exchange_transport_rule_creation.toml | 4 +- ...osoft_365_exchange_transport_rule_mod.toml | 4 +- ...ft_365_mass_download_by_a_single_user.toml | 12 +- ...oft_365_potential_ransomware_activity.toml | 14 +- ...t_365_unusual_volume_of_file_deletion.toml | 15 +- ...5_exchange_anti_phish_policy_deletion.toml | 4 +- ...soft_365_exchange_anti_phish_rule_mod.toml | 4 +- ...osoft_365_exchange_safelinks_disabled.toml | 4 +- ...rosoft_365_impossible_travel_activity.toml | 9 +- ...65_user_restricted_from_sending_email.toml | 13 +- 
...cess_o365_user_reported_phish_malware.toml | 21 +-- ...al_movement_malware_uploaded_onedrive.toml | 6 +- ..._movement_malware_uploaded_sharepoint.toml | 18 +-- ...e_suspicious_mailbox_right_delegation.toml | 18 +-- ...exchange_dkim_signing_config_disabled.toml | 9 +- ...5_exchange_management_role_assignment.toml | 4 +- ..._365_global_administrator_role_assign.toml | 27 ++-- ..._teams_custom_app_interaction_allowed.toml | 17 ++- ...oft_365_teams_external_access_enabled.toml | 4 +- ...rosoft_365_teams_guest_access_enabled.toml | 4 +- ...ion_new_or_modified_federation_domain.toml | 30 ++-- ...l_access_attempted_bypass_of_okta_mfa.toml | 6 +- ...mpts_to_brute_force_okta_user_account.toml | 6 +- ...redential_access_mfa_push_brute_force.toml | 11 +- ...okta_brute_force_or_password_spraying.toml | 6 +- ...tial_access_user_impersonation_access.toml | 17 ++- ...tempt_to_deactivate_okta_network_zone.toml | 19 +-- ...n_attempt_to_delete_okta_network_zone.toml | 18 +-- ...kta_attempt_to_deactivate_okta_policy.toml | 19 +-- ...ttempt_to_deactivate_okta_policy_rule.toml | 27 ++-- ...on_okta_attempt_to_delete_okta_policy.toml | 18 +-- ...ta_attempt_to_delete_okta_policy_rule.toml | 18 +-- ...a_attempt_to_modify_okta_network_zone.toml | 19 +-- ...on_okta_attempt_to_modify_okta_policy.toml | 19 +-- ...ta_attempt_to_modify_okta_policy_rule.toml | 27 ++-- ...ser_password_reset_or_unlock_attempts.toml | 7 +- ...pact_attempt_to_revoke_okta_api_token.toml | 6 +- ...ttempt_to_deactivate_okta_application.toml | 13 +- ...ta_attempt_to_delete_okta_application.toml | 13 +- ...ta_attempt_to_modify_okta_application.toml | 11 +- .../okta/impact_possible_okta_dos_attack.toml | 6 +- ...ta_user_attempted_unauthorized_access.toml | 17 +-- ...icious_activity_reported_by_okta_user.toml | 6 +- ...threat_detected_by_okta_threatinsight.toml | 6 +- ...tor_privileges_assigned_to_okta_group.toml | 6 +- ...inistrator_role_assigned_to_okta_user.toml | 6 +- ...ence_attempt_to_create_okta_api_token.toml | 6 
+- ..._deactivate_mfa_for_okta_user_account.toml | 6 +- ...set_mfa_factors_for_okta_user_account.toml | 6 +- ..._or_delete_application_sign_on_policy.toml | 11 +- ...ction_attempt_by_non_ssh_root_session.toml | 3 +- ...and_and_control_linux_iodine_activity.toml | 7 +- ...d_and_control_tunneling_via_earthworm.toml | 3 +- ...ial_access_collection_sensitive_files.toml | 3 +- .../credential_access_ssh_backdoor_log.toml | 3 +- ...ion_attempt_to_disable_syslog_service.toml | 3 +- ..._base32_encoding_or_decoding_activity.toml | 13 +- ...defense_evasion_chattr_immutable_file.toml | 10 +- ...fense_evasion_disable_selinux_attempt.toml | 3 +- ...fense_evasion_file_deletion_via_shred.toml | 3 +- ...defense_evasion_file_mod_writable_dir.toml | 3 +- .../defense_evasion_hidden_file_dir_tmp.toml | 3 +- .../defense_evasion_hidden_shared_object.toml | 9 +- ...defense_evasion_kernel_module_removal.toml | 3 +- .../defense_evasion_log_files_deleted.toml | 3 +- .../discovery_kernel_module_enumeration.toml | 3 +- .../linux/discovery_linux_hping_activity.toml | 3 +- .../linux/discovery_linux_nping_activity.toml | 7 +- ...covery_virtual_machine_fingerprinting.toml | 3 +- ...tion_abnormal_process_id_file_created.toml | 5 +- ...er_or_listener_established_via_netcat.toml | 3 +- rules/linux/execution_perl_tty_shell.toml | 4 +- ..._process_started_from_process_id_file.toml | 5 +- ...ss_started_in_shared_memory_directory.toml | 5 +- rules/linux/execution_python_tty_shell.toml | 4 +- ...xecution_reverse_shell_via_named_pipe.toml | 3 +- .../execution_shell_evasion_linux_binary.toml | 5 +- rules/linux/execution_tc_bpf_filter.toml | 5 +- .../linux/impact_process_kill_threshold.toml | 8 +- ...ment_telnet_network_activity_external.toml | 3 +- ...ment_telnet_network_activity_internal.toml | 3 +- .../persistence_chkconfig_service_add.toml | 5 +- ...credential_access_modify_ssh_binaries.toml | 3 +- .../persistence_dynamic_linker_backup.toml | 5 +- .../linux/persistence_etc_file_creation.toml | 5 +- 
...persistence_insmod_kernel_module_load.toml | 5 +- ...ersistence_kde_autostart_modification.toml | 3 +- ...sistence_shell_activity_by_web_server.toml | 8 +- ...lation_ld_preload_shared_object_modif.toml | 3 +- ...vilege_escalation_pkexec_envar_hijack.toml | 13 +- ...privilege_escalation_shadow_file_read.toml | 49 +++---- ...lation_unshare_namesapce_manipulation.toml | 7 +- ...ccess_to_browser_credentials_procargs.toml | 3 +- ...edential_access_credentials_keychains.toml | 3 +- ...dential_access_dumping_hashes_bi_cmds.toml | 3 +- ...tial_access_dumping_keychain_security.toml | 3 +- .../credential_access_kerberosdump_kcc.toml | 12 +- ...s_keychain_pwd_retrieval_security_cmd.toml | 3 +- ...ential_access_mitm_localhost_webproxy.toml | 3 +- ...access_potential_macos_ssh_bruteforce.toml | 3 +- ...al_access_promt_for_pwd_via_osascript.toml | 3 +- .../credential_access_systemkey_dumping.toml | 4 +- ...vasion_apple_softupdates_modification.toml | 3 +- ...evasion_attempt_del_quarantine_attrib.toml | 3 +- ...evasion_attempt_to_disable_gatekeeper.toml | 3 +- ...ense_evasion_install_root_certificate.toml | 3 +- ..._evasion_modify_environment_launchctl.toml | 3 +- ...cy_controls_tcc_database_modification.toml | 3 +- ...tion_privacy_pref_sshd_fulldiskaccess.toml | 3 +- .../defense_evasion_safari_config_change.toml | 3 +- ...dboxed_office_app_suspicious_zip_file.toml | 4 +- ...vasion_tcc_bypass_mounted_apfs_access.toml | 3 +- ..._evasion_unload_endpointsecurity_kext.toml | 3 +- ...covery_users_domain_built_in_commands.toml | 7 +- ...vasion_electron_app_childproc_node_js.toml | 3 +- ...l_access_suspicious_browser_childproc.toml | 3 +- ...staller_package_spawned_network_event.toml | 14 +- ...cution_script_via_automator_workflows.toml | 3 +- ...ing_osascript_exec_followed_by_netcon.toml | 3 +- ...n_shell_execution_via_apple_scripting.toml | 3 +- ...uspicious_mac_ms_office_child_process.toml | 4 +- ...ential_access_kerberos_bifrostconsole.toml | 11 +- 
.../lateral_movement_mounting_smb_share.toml | 3 +- ...ral_movement_remote_ssh_login_enabled.toml | 3 +- ...teral_movement_vpn_connection_attempt.toml | 7 +- ...stence_account_creation_hide_at_logon.toml | 3 +- ...ce_creation_change_launch_agents_file.toml | 3 +- ..._creation_hidden_login_item_osascript.toml | 35 ++--- ...creation_modif_launch_deamon_sequence.toml | 3 +- ..._access_authorization_plugin_creation.toml | 3 +- rules/macos/persistence_crontab_creation.toml | 3 +- ...launch_agent_deamon_logonitem_process.toml | 3 +- ...rectory_services_plugins_modification.toml | 9 +- ...e_docker_shortcuts_plist_modification.toml | 7 +- ...persistence_emond_rules_file_creation.toml | 9 +- ...istence_emond_rules_process_execution.toml | 3 +- .../persistence_enable_root_account.toml | 3 +- ...n_hidden_launch_agent_deamon_creation.toml | 3 +- ...sistence_finder_sync_plugin_pluginkit.toml | 7 +- ...istence_folder_action_scripts_runtime.toml | 9 +- ...rsistence_login_logout_hooks_defaults.toml | 3 +- ...stence_loginwindow_plist_modification.toml | 23 ++-- ...fication_sublime_app_plugin_or_script.toml | 3 +- ...ersistence_periodic_tasks_file_mdofiy.toml | 3 +- ...saver_engine_unexpected_child_process.toml | 3 +- ...e_screensaver_plist_file_modification.toml | 3 +- ...ence_suspicious_calendar_modification.toml | 3 +- ...tence_via_atom_init_file_modification.toml | 7 +- ...calation_applescript_with_admin_privs.toml | 3 +- ...calation_explicit_creds_via_scripting.toml | 3 +- ...alation_exploit_adobe_acrobat_updater.toml | 14 +- ..._escalation_local_user_added_to_admin.toml | 3 +- ...ilege_escalation_root_crontab_filemod.toml | 3 +- ...cepted_default_telnet_port_connection.toml | 3 +- ...mand_and_control_cobalt_strike_beacon.toml | 14 +- ...cobalt_strike_default_teamserver_cert.toml | 6 +- ...download_rar_powershell_from_internet.toml | 14 +- .../command_and_control_fin7_c2_behavior.toml | 12 +- .../command_and_control_halfbaked_beacon.toml | 12 +- 
...d_control_nat_traversal_port_activity.toml | 6 +- .../command_and_control_port_26_activity.toml | 10 +- ...te_desktop_protocol_from_the_internet.toml | 4 +- ...l_network_computing_from_the_internet.toml | 12 +- ...ual_network_computing_to_the_internet.toml | 8 +- ...mote_procedure_call_from_the_internet.toml | 8 +- ...remote_procedure_call_to_the_internet.toml | 8 +- ...file_sharing_activity_to_the_internet.toml | 12 +- ...al_access_unsecure_elasticsearch_node.toml | 12 +- ...ion_email_powershell_exchange_mailbox.toml | 3 +- .../collection_posh_audio_capture.toml | 25 ++-- rules/windows/collection_posh_keylogger.toml | 29 ++-- .../collection_posh_screen_grabber.toml | 21 ++- .../windows/collection_winrar_encryption.toml | 4 +- ...d_control_certutil_network_connection.toml | 7 +- ...ommand_and_control_common_webservices.toml | 34 ++--- ...nd_and_control_dns_tunneling_nslookup.toml | 21 ++- ...control_encrypted_channel_freesslcert.toml | 3 +- .../command_and_control_iexplore_via_com.toml | 13 +- ...ontrol_port_forwarding_added_registry.toml | 13 +- .../command_and_control_rdp_tunnel_plink.toml | 13 +- ...ol_remote_file_copy_desktopimgdownldr.toml | 17 ++- ...and_control_remote_file_copy_mpcmdrun.toml | 17 ++- ...d_control_remote_file_copy_powershell.toml | 7 +- ..._and_control_remote_file_copy_scripts.toml | 7 +- ...control_sunburst_c2_activity_detected.toml | 10 +- ...d_control_teamviewer_remote_file_copy.toml | 17 ++- ...ntial_access_bruteforce_admin_account.toml | 1 + ...ple_logon_failure_followed_by_success.toml | 1 + ...rce_multiple_logon_failure_same_srcip.toml | 3 +- .../credential_access_cmdline_dump_tool.toml | 13 +- ...ess_copy_ntds_sam_volshadowcp_cmdline.toml | 5 +- ...ial_access_credential_dumping_msbuild.toml | 11 +- ...tial_access_dcsync_replication_rights.toml | 24 ++-- ...ntial_access_disable_kerberos_preauth.toml | 18 +-- ...cess_domain_backup_dpapi_private_keys.toml | 3 +- ...credential_access_dump_registry_hives.toml | 15 +- 
.../credential_access_generic_localdumps.toml | 18 ++- ...ntial_access_iis_apppoolsa_pwd_appcmd.toml | 3 +- ..._access_iis_connectionstrings_dumping.toml | 3 +- ..._access_kerberoasting_unusual_process.toml | 5 +- .../credential_access_ldap_attributes.toml | 25 ++-- ...l_access_lsass_handle_via_malseclogon.toml | 7 +- ...edential_access_lsass_loaded_susp_dll.toml | 31 +++-- ...ial_access_lsass_memdump_file_created.toml | 3 +- ...al_access_lsass_memdump_handle_access.toml | 26 ++-- ...l_access_mimikatz_memssp_default_logs.toml | 17 ++- ...ial_access_mimikatz_powershell_module.toml | 9 +- ..._access_mod_wdigest_security_provider.toml | 15 +- ...l_access_moving_registry_hive_via_smb.toml | 17 ++- ...e_network_logon_provider_modification.toml | 4 +- .../credential_access_posh_minidump.toml | 33 +++-- ...credential_access_posh_request_ticket.toml | 26 ++-- ..._potential_lsa_memdump_via_mirrordump.toml | 3 +- ...cess_relay_ntlm_auth_via_http_spoolss.toml | 3 +- ...dential_access_remote_sam_secretsdump.toml | 16 ++- ...ntial_access_saved_creds_vault_winlog.toml | 6 +- ...redential_access_saved_creds_vaultcmd.toml | 5 +- ...edelegationprivilege_assigned_to_user.toml | 16 ++- .../credential_access_shadow_credentials.toml | 5 +- ...dential_access_spn_attribute_modified.toml | 11 +- ...l_access_suspicious_comsvcs_imageload.toml | 10 +- ...ccess_suspicious_lsass_access_memdump.toml | 5 +- ..._suspicious_lsass_access_via_snapshot.toml | 18 +-- ...cious_winreg_access_via_sebackup_priv.toml | 3 +- ..._symbolic_link_to_shadow_copy_created.toml | 13 +- ...ess_via_snapshot_lsass_clone_creation.toml | 16 +-- ...dential_access_wireless_creds_dumping.toml | 10 +- ...den_file_attribute_with_via_attribexe.toml | 3 +- .../defense_evasion_amsienable_key_mod.toml | 13 +- ...sion_clearing_windows_console_history.toml | 3 +- ...e_evasion_clearing_windows_event_logs.toml | 3 +- ...vasion_clearing_windows_security_logs.toml | 1 + ...e_evasion_create_mod_root_certificate.toml | 13 +- 
.../defense_evasion_cve_2020_0601.toml | 3 +- ...vasion_defender_disabled_via_registry.toml | 13 +- ...ion_defender_exclusion_via_powershell.toml | 17 ++- ...delete_volume_usn_journal_with_fsutil.toml | 3 +- ...asion_disable_posh_scriptblocklogging.toml | 13 +- ...ble_windows_firewall_rules_with_netsh.toml | 13 +- ...disabling_windows_defender_powershell.toml | 13 +- ...efense_evasion_disabling_windows_logs.toml | 3 +- ...efense_evasion_dns_over_https_enabled.toml | 3 +- ...vasion_dotnet_compiler_parent_process.toml | 3 +- ...evasion_enable_inbound_rdp_with_netsh.toml | 13 +- ...n_enable_network_discovery_with_netsh.toml | 13 +- ...ecution_control_panel_suspicious_args.toml | 3 +- ...ense_evasion_execution_lolbas_wuauclt.toml | 3 +- ...ecution_msbuild_started_by_office_app.toml | 13 +- ...n_execution_msbuild_started_by_script.toml | 3 +- ...ion_msbuild_started_by_system_process.toml | 3 +- ...ion_execution_msbuild_started_renamed.toml | 3 +- ...cution_msbuild_started_unusal_process.toml | 3 +- ...execution_suspicious_explorer_winword.toml | 3 +- ...sion_execution_windefend_unusual_path.toml | 3 +- ..._evasion_file_creation_mult_extension.toml | 3 +- ...efense_evasion_from_unusual_directory.toml | 14 +- ...sion_hide_encoded_executable_registry.toml | 13 +- ...ense_evasion_iis_httplogging_disabled.toml | 3 +- .../defense_evasion_injection_msbuild.toml | 3 +- .../defense_evasion_installutil_beacon.toml | 3 +- ...querading_as_elastic_endpoint_process.toml | 3 +- ...e_evasion_masquerading_renamed_autoit.toml | 3 +- ...erading_suspicious_werfault_childproc.toml | 3 +- ...vasion_masquerading_trusted_directory.toml | 3 +- ...defense_evasion_masquerading_werfault.toml | 3 +- ..._evasion_microsoft_defender_tampering.toml | 3 +- ...isc_lolbin_connecting_to_the_internet.toml | 3 +- ...e_evasion_ms_office_suspicious_regmod.toml | 13 +- ...fense_evasion_msbuild_beacon_sequence.toml | 11 +- ...on_msbuild_making_network_connections.toml | 11 +- 
.../windows/defense_evasion_mshta_beacon.toml | 4 +- .../windows/defense_evasion_msxsl_beacon.toml | 3 +- .../defense_evasion_msxsl_network.toml | 3 +- ...etwork_connection_from_windows_binary.toml | 3 +- ...e_evasion_parent_process_pid_spoofing.toml | 8 +- ...persistence_account_tokenfilterpolicy.toml | 3 +- .../defense_evasion_posh_assembly_load.toml | 41 +++--- .../defense_evasion_posh_compressed.toml | 32 ++--- ...efense_evasion_posh_process_injection.toml | 27 ++-- ...evasion_potential_processherpaderping.toml | 3 +- ..._powershell_windows_firewall_disabled.toml | 13 +- ...cess_termination_followed_by_deletion.toml | 3 +- ...ense_evasion_proxy_execution_via_msdt.toml | 9 +- ...defense_evasion_rundll32_no_arguments.toml | 3 +- ...ion_scheduledjobs_at_protocol_enabled.toml | 3 +- ..._evasion_sdelete_like_filename_rename.toml | 3 +- .../defense_evasion_sip_provider_mod.toml | 3 +- ...ackdoor_service_disabled_via_registry.toml | 3 +- ..._evasion_suspicious_certutil_commands.toml | 3 +- ...picious_execution_from_mounted_device.toml | 3 +- ...n_suspicious_managedcode_host_process.toml | 7 +- ...picious_process_access_direct_syscall.toml | 7 +- ...suspicious_process_creation_calltrace.toml | 7 +- ...efense_evasion_suspicious_scrobj_load.toml | 5 +- ...evasion_suspicious_short_program_name.toml | 16 ++- ...defense_evasion_suspicious_wmi_script.toml | 3 +- ...evasion_suspicious_zoom_child_process.toml | 3 +- ..._critical_proc_abnormal_file_activity.toml | 17 ++- ...nse_evasion_unusual_ads_file_creation.toml | 7 +- .../defense_evasion_unusual_dir_ads.toml | 3 +- ...nusual_network_connection_via_dllhost.toml | 7 +- ...usual_network_connection_via_rundll32.toml | 7 +- ...on_unusual_process_network_connection.toml | 3 +- ...asion_unusual_system_vp_child_program.toml | 3 +- .../defense_evasion_via_filter_manager.toml | 3 +- ...evasion_workfolders_control_execution.toml | 15 +- .../discovery_adfind_command_activity.toml | 3 +- rules/windows/discovery_admin_recon.toml | 3 +- 
.../discovery_command_system_account.toml | 3 +- ..._enumerating_domain_trusts_via_nltest.toml | 3 +- ...iscovery_files_dir_systeminfo_via_cmd.toml | 20 +-- rules/windows/discovery_net_view.toml | 3 +- .../windows/discovery_peripheral_device.toml | 3 +- .../discovery_posh_invoke_sharefinder.toml | 27 ++-- ...scovery_posh_suspicious_api_functions.toml | 25 ++-- ..._post_exploitation_external_ip_lookup.toml | 29 ++-- ...very_privileged_localgroup_membership.toml | 11 +- ...ote_system_discovery_commands_windows.toml | 3 +- .../discovery_security_software_wmic.toml | 3 +- .../discovery_whoami_command_activity.toml | 7 +- ...arwinds_backdoor_child_cmd_powershell.toml | 3 +- ...inds_backdoor_unusual_child_processes.toml | 3 +- .../windows/execution_com_object_xwizard.toml | 3 +- ...and_prompt_connecting_to_the_internet.toml | 3 +- ...tion_command_shell_started_by_svchost.toml | 9 +- ...mand_shell_started_by_unusual_process.toml | 3 +- .../execution_command_shell_via_rundll32.toml | 3 +- .../execution_downloaded_shortcut_files.toml | 11 +- .../execution_downloaded_url_file.toml | 3 +- .../execution_enumeration_via_wmiprvse.toml | 3 +- .../execution_from_unusual_path_cmdline.toml | 31 +++-- ...le_program_connecting_to_the_internet.toml | 21 ++- .../execution_ms_office_written_file.toml | 3 +- rules/windows/execution_pdf_written_file.toml | 3 +- .../execution_posh_portable_executable.toml | 19 +-- rules/windows/execution_posh_psreflect.toml | 31 +++-- ...ution_psexec_lateral_movement_command.toml | 3 +- ...er_program_connecting_to_the_internet.toml | 4 +- ...tion_scheduled_task_powershell_source.toml | 11 +- ...xecution_shared_modules_local_sxs_dll.toml | 3 +- .../windows/execution_suspicious_cmd_wmi.toml | 3 +- ...n_suspicious_image_load_wmi_ms_office.toml | 3 +- .../execution_suspicious_pdf_reader.toml | 3 +- ...ecution_suspicious_powershell_imgload.toml | 3 +- .../execution_suspicious_psexesvc.toml | 3 +- .../execution_via_compiled_html_file.toml | 3 +- 
.../execution_via_hidden_shell_conhost.toml | 3 +- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 3 +- .../windows/impact_backup_file_deletion.toml | 3 +- ...deleting_backup_catalogs_with_wbadmin.toml | 3 +- .../impact_modification_of_boot_config.toml | 3 +- ...impact_stop_process_service_threshold.toml | 7 +- ...copy_deletion_or_resized_via_vssadmin.toml | 3 +- ...e_shadow_copy_deletion_via_powershell.toml | 3 +- ..._volume_shadow_copy_deletion_via_wmic.toml | 3 +- ..._evasion_suspicious_htm_file_creation.toml | 5 +- ...al_access_script_executing_powershell.toml | 3 +- ...ccess_scripts_process_started_via_wmi.toml | 3 +- ...l_access_suspicious_ms_exchange_files.toml | 3 +- ...access_suspicious_ms_exchange_process.toml | 3 +- ...ious_ms_exchange_worker_child_process.toml | 3 +- ...ss_suspicious_ms_office_child_process.toml | 7 +- ...s_suspicious_ms_outlook_child_process.toml | 3 +- ...l_access_unusual_dns_service_children.toml | 5 +- ...ccess_unusual_dns_service_file_writes.toml | 5 +- ...explorer_suspicious_child_parent_args.toml | 3 +- .../windows/lateral_movement_cmd_service.toml | 3 +- rules/windows/lateral_movement_dcom_hta.toml | 14 +- .../windows/lateral_movement_dcom_mmc20.toml | 11 +- ...t_dcom_shellwindow_shellbrowserwindow.toml | 11 +- ...n_lanman_nullsessionpipe_modification.toml | 8 +- ...vement_direct_outbound_smb_connection.toml | 17 +-- ...ateral_movement_evasion_rdp_shadowing.toml | 3 +- ...movement_executable_tool_transfer_smb.toml | 21 +-- ..._movement_execution_from_tsclient_mup.toml | 3 +- ...nt_execution_via_file_shares_sequence.toml | 7 +- ...vement_incoming_winrm_shell_execution.toml | 3 +- .../lateral_movement_incoming_wmi.toml | 9 +- ...ment_mount_hidden_or_webdav_share_net.toml | 3 +- ...l_movement_powershell_remoting_target.toml | 7 +- ...lateral_movement_rdp_enabled_registry.toml | 3 +- .../lateral_movement_rdp_sharprdp_target.toml | 11 +- ...ovement_remote_file_copy_hidden_share.toml | 3 +- 
...ement_remote_service_installed_winlog.toml | 1 + .../lateral_movement_remote_services.toml | 13 +- ..._movement_remote_task_creation_winlog.toml | 1 + ...ateral_movement_scheduled_task_target.toml | 11 +- ...nt_service_control_spawned_script_int.toml | 1 + ...ement_suspicious_rdp_client_imageload.toml | 3 +- ...l_movement_via_startup_folder_rdp_smb.toml | 3 +- .../windows/persistence_ad_adminsdholder.toml | 3 +- .../persistence_adobe_hijack_persistence.toml | 11 +- .../windows/persistence_app_compat_shim.toml | 3 +- .../persistence_appcertdlls_registry.toml | 3 +- .../persistence_appinitdlls_registry.toml | 3 +- .../persistence_dontexpirepasswd_account.toml | 13 +- .../persistence_driver_newterm_imphash.toml | 9 +- ...evasion_hidden_local_account_creation.toml | 3 +- ...tence_evasion_registry_ifeo_injection.toml | 3 +- ...egistry_startup_shell_folder_modified.toml | 8 +- ...sistence_gpo_schtask_service_creation.toml | 3 +- ...sistence_local_scheduled_job_creation.toml | 3 +- ...istence_local_scheduled_task_creation.toml | 10 +- ...stence_local_scheduled_task_scripting.toml | 11 +- .../persistence_ms_office_addins_file.toml | 3 +- .../persistence_ms_outlook_vba_template.toml | 3 +- ...istence_msds_alloweddelegateto_krbtgt.toml | 12 +- ...ll_exch_mailbox_activesync_add_device.toml | 3 +- .../persistence_powersshell_profiles.toml | 5 +- ...escalation_via_accessibility_features.toml | 7 +- .../persistence_registry_uncommon.toml | 16 +-- .../persistence_remote_password_reset.toml | 7 +- ...persistence_run_key_and_startup_broad.toml | 9 +- ...ce_runtime_run_key_startup_susp_procs.toml | 3 +- ...stence_scheduled_task_creation_winlog.toml | 1 + .../persistence_scheduled_task_updated.toml | 1 + ...istence_sdprop_exclusion_dsheuristics.toml | 11 +- ...stence_service_windows_service_winlog.toml | 1 + .../persistence_services_registry.toml | 3 +- ...er_file_written_by_suspicious_process.toml | 11 +- ...lder_file_written_by_unsigned_process.toml | 7 +- 
.../persistence_startup_folder_scripts.toml | 7 +- ...stence_suspicious_com_hijack_registry.toml | 4 +- ...s_image_load_scheduled_task_ms_office.toml | 3 +- ...nce_suspicious_scheduled_task_runtime.toml | 3 +- ...e_suspicious_service_created_registry.toml | 3 +- ...ersistence_system_shells_via_services.toml | 3 +- .../persistence_temp_scheduled_task.toml | 17 +-- .../persistence_time_provider_mod.toml | 3 +- ..._account_added_to_privileged_group_ad.toml | 1 + .../persistence_user_account_creation.toml | 3 +- ...ence_user_account_creation_event_logs.toml | 17 +-- .../persistence_via_application_shimming.toml | 7 +- ...rsistence_via_bits_job_notify_command.toml | 3 +- ...sistence_via_hidden_run_key_valuename.toml | 3 +- ...sa_security_support_provider_registry.toml | 3 +- ...emetrycontroller_scheduledtask_hijack.toml | 3 +- ...ia_update_orchestrator_service_hijack.toml | 7 +- ...nt_instrumentation_event_subscription.toml | 7 +- ...tence_via_wmi_stdregprov_run_services.toml | 27 ++-- .../persistence_webshell_detection.toml | 5 +- ...tion_create_process_as_different_user.toml | 3 +- ...privilege_escalation_credroaming_ldap.toml | 12 +- ...ilege_escalation_disable_uac_registry.toml | 3 +- ...ege_escalation_group_policy_iniscript.toml | 42 +++--- ...lation_group_policy_privileged_groups.toml | 28 ++-- ...scalation_group_policy_scheduled_task.toml | 41 ++++-- ...rivilege_escalation_installertakeover.toml | 7 +- ...scalation_krbrelayup_service_creation.toml | 1 + ...privilege_escalation_lsa_auth_package.toml | 3 +- ...e_escalation_named_pipe_impersonation.toml | 3 +- ...ge_escalation_persistence_phantom_dll.toml | 11 +- ...ion_port_monitor_print_pocessor_abuse.toml | 3 +- ...e_escalation_posh_token_impersonation.toml | 43 +++--- ...ation_printspooler_registry_copyfiles.toml | 3 +- ..._printspooler_service_suspicious_file.toml | 15 +- ...printspooler_suspicious_file_deletion.toml | 7 +- ...tion_printspooler_suspicious_spl_file.toml | 31 +++-- 
...calation_rogue_windir_environment_var.toml | 3 +- ...lation_samaccountname_spoofing_attack.toml | 1 + ...alation_suspicious_dnshostname_update.toml | 8 +- ...lation_tokenmanip_sedebugpriv_enabled.toml | 4 +- ...lege_escalation_uac_bypass_com_clipup.toml | 3 +- ...ge_escalation_uac_bypass_com_ieinstal.toml | 3 +- ...n_uac_bypass_com_interface_icmluautil.toml | 3 +- ...alation_uac_bypass_diskcleanup_hijack.toml | 3 +- ...escalation_uac_bypass_dll_sideloading.toml | 8 +- ...ge_escalation_uac_bypass_event_viewer.toml | 7 +- ...ege_escalation_uac_bypass_mock_windir.toml | 7 +- ...scalation_uac_bypass_winfw_mmc_hijack.toml | 7 +- .../privilege_escalation_uac_sdclt.toml | 3 +- ...tion_unusual_parentchild_relationship.toml | 7 +- ...ion_unusual_printspooler_childprocess.toml | 7 +- ...n_unusual_svchost_childproc_childless.toml | 3 +- ...rivilege_escalation_via_ppid_spoofing.toml | 4 +- ...ilege_escalation_via_rogue_named_pipe.toml | 9 +- .../privilege_escalation_via_token_theft.toml | 4 +- ...on_windows_service_via_unusual_client.toml | 9 +- ...rivilege_escalation_wpad_exploitation.toml | 3 +- tests/test_all_rules.py | 129 +++++++++++------- 671 files changed, 3359 insertions(+), 2291 deletions(-) 
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 2ed1e6bb0c408815e8025328efa543344cfe3b42..aab5ce6c9f1555ab1882269e239bee308a246d93 100644 GIT binary patch literal 4144 zcmV-05YO))iwFpJ;F)6r|7mV?WoL3>bZKvHEp1_LX=Y_}baO6hb8l_{?VW3HqevQs z{|d^d8EKrQs<@byW~8XK8nsrVj?|;=538LP#uWzzgBNhp*_r)G>hLK!_4@{A~<6s6eCEYhzEIQM9CyG9@1oL>~Oog|Cn777!f5+TX_m` z4gmYG;8KU>ML<|Hy_<*!zP%i!iN9pyh@7AeHp5%1>uB7T@|<3vfol$;p+Iv84Fj4( zXe^-Fk7kH$_z)ToX!fHK4Qik{goXgkp#(+RYg!#^Dfn}7A0y?nB+U;%$`qm0UUyYN z$@uFpLwL#T6E6y04R|s5t06A}UX6GmJvQUTz^ef-3;9oo)mWpqGUeKQ$LK>zrFZ*@L2pdeih%Jj7P<5J}L)#ctFb^ zQTfNnpN_`!=qY$JT|60Ps3m-?A_G=pSbD^9~qx{`WzP0{&4r@^N+{GJSbhE$+lV}p8L!3 zJ|U9}nUt4_*42`VPs*6AARfQTIP_*DgW_=>l5~13rlwO7Iv$&7J<;9*`JY)OPj!f_d@8`V8u8tiA>H zHCEq-`r4}B@?^dsg9*A|0s<4j1QaIF-2@(rgB=ry*H2;0voO=q4=5SnhfP1AkboaH z{lMS{_+i5j7W@D|Z1};3AK-@#KRECM{IKB%7k+>r*4rkU=zoyohhe!axtk^+FhQLO zimzI35mivv!xI#qfF~-RVDJPyvEvDJSi=)lPoUGf9Z#?hdjcKT@I=)U=)8s}wmo5? zjtNifcmj1yc%teF)G^_SswYs#geR(=KphjFsCojEB;bjvCooY0p4j$;jkYK}vEvD} zMd696C(ss!C#s%6TNIwy_JoW2L<3KVU&A&%br2ZjutBVAZd=;28JaHt>eh)*wmRn~UR}Aap4w$2^>toD2O4%> zLk~w__E6g53V${&Z)Vn?Gb}F4#Dnov&hhRa;|b4l@9W9;YtvAD#y50+oQ6_t4Q zqvzGr7Q$lJ4~z9PEUO1$tfBW>IkoaSC9nnfup zHJHN%^Ce;#qygzoJVd@Wq4&;3zHuUyIw5pQnCED=-&Lv81q~-HhwA_ z8spHP#7V}DAQ9ipzZw2)CZ42hB^aUt_K>7gKMuGNX4#x)xAF;C^3}AuMu2KgK(vqt zvy?xF{AEBK+q0?Xn$inJyAx2>4TN1R9-|hsfMo{@b1f5Cwy-!R@t8fdfn^&D@obaX z$XhB{sO1bP^MIv-#U&0II>1uJ!b}TU?hY2ubv@<+%QhB9sAoBFOBIXbQED>nu{aeh zu4~hw^a9%HI2Maqb_A1jB!Qu=F z^H361v3M47Ok}wgEH3p-XJ`UT1&eJF*MeKBSUk}xa)!XNjb&&Pn-LpWDp(woBFn8} zaZT!3CIJ?=>K0;}w)9%A+jT5MN{RfEsOwlfI;5s)0!sx8GnwNuVA;uXDRtqNDi&+# zSnd#5Dp)+rC8nn{mg1V^DfgG_C}`az>GHahLHzQwdrS6%_#|#*e0*E)aV)0QD&7JA zmh&|Bqrt(&BIPrlu&#pX5vHX_n6?gKGI?q94|SugUHRNRN_t?0#+BnF^{WJ$$9ZT* z0FYk$KG>baL%uhvy zq6~epW^*0Bad-dmoW+^)un=I`hlK*mJ}eAacCirTE&H(`Z`q4QUfy#2q)W9~P>Ct0 z`z#1pEH_fqyte8g=iEyLm9l+lgq?>(vF~Tbi_c_#<3d-YsRFJRi 
z+o2FCXqSo$Dto95L8a;bkUCN+E_n&#aq^O_w^yvG^sg>$LdiRT=F8$zf_h#2Yzw& zpx7~TAfk(TBSMz+)X+ad1cYh{+3?U&Lh#TrLKKAR2vO;P&Y##&3#_fe+-{@Z*5MjX zaTSlpvqXHhyz8(Y(fV2$`+MD|NwMh3cunT1@t9=!0#A9&j`5PDPf_BJmn8DXl>50+ ztke=H#0^$UrplM)swvKA#;T{Y-22*i4zq9+M&kF=yGWCGl=$g5j3)ze*Fh9M@ZdFw z_+UE8x1g?39M~b)ki27&?YjIAKfgJx?0jR0Cx zXjHz_91WlmKx+<-0$NjO@;j-B+k0r1^q~+_17-xw8Zxutv&Mr$6wDekW73&1Ee9m! zmkXAz99x-iz%(7%m0$Mi=}WsMUt0S4vbb;(%*rn-dRA(hZpCF%I#sr&0hUw$eoc}| z#ElOn(0lQf#m3$(ukS6wIctN`#vI&c6C+h5LZt$+`v8Oj$jKcTdIBK;a&pf@V<65g z>pl<)ASd^;=m`W#rm~?EfSkT-k&ZQ04?r61U#lk&3LtMlX#LC`e=ax_pL_^Y{^Cbb z@%nidJVeP$@p2SKQ5a8dN@mm9Jm;&6vph+;lzu_w2@*93mUeWOcI+<9clmJ~XQx0F zzZ9KzBR}%vV0mHjjz1~in>>|2iq5%Nngqq`*?g3VaJ5r|KnS7{l)84aW5LVagvaVq@JDt^ zm$o(4iHCKT`NFfGhRHlL>VT~dv1~nSD6V*#kHlyB0?MDo!4GwFI5w`9aTL@)*S9bKXoPX&*BJdZZs7wGb|ND%2@DxggkZJ~n-5-9*zq z27ENb>s!E2_PnQjh2mL?sjT`q|#UDp3NW5{Vueq(-MmyPYB%=Y!LJso-=|1qKzauY%iw#324s z&K*2YlqTEn7w7LCQ{$YeeeY90kdjmviJC}B>Wf5rEfVXCNCYCOFA{}Fs*6N>o!wb|5s5$~ z)kR`RNnH>LDM@*eETkm$MY181`XV_HNqv#rUW;V+MI-`|R2ON8l+*>0kdite5`{>r zi{v4@>w-wg?m8e6vOCp9vO18EnyAv%sgQQxrq6eOcB%tORFkC7ojSb`Xb6E+7l=S0 zl?C#Uf|M1gxX}OKJmt$xW^1=(UR)?+N1D6hPErmjP`7^kqQX0Npa^;+ljx z3(&>f!Kykt(KHX3t zfvi!;OCZBr(y{o>`ri6x@t0@29df{@hleoWWv~tAe7!Hoy{9xXy~4Hh3fI;vTt}yH zncPxK`Dm#&(H@!Xc2v4*5t4|!vAAs!OT;yNC?b*~Kq`!swGBR=6{<1PqzmKmRy0k+f- z+zjR55--vU46BbZKvHEp1_LX=Y_}baO6hb8l_{?VW3D<478X z|BA?`85nzAy4hZsfzT|?uq@rs!}f<|6UuVg5s@XYBqyEe>Hoe}@+FETCAw6sl5`lD zc5L0==bXBis=i+_f4L1@Kfe0A_Wf!$w#Jj>Q^-6H6ytzv{?ySIl{GJT}^_(Q8rOa15hfd7iqW@CFi873cO}R@|WJ6*L+C+G8*&JC)xadtr9KS)of19Y)Fl#>iX@!;X)(BgJwy9MgXlU zG<|qZvn4-IpDIL)tcW$KpWB;^T z>S;A6@I0P_Mw%C_BW)E18}0h|1n(2ET`l4yuNOBLx#3bgWpXG#U=@U$nTL!NslrAYGCk(l05V%lGSX?g9K3$mM)&aM?gS2cMxhhzcL>yXM1Mdc}*bLwl0Gk1v0bmn=dRxVB=K=DsR&K~1 zsps9kB#Kf+Hch<#f_N#a^`6b#UkRr0lkH`1&=jFDfTjqI2{id=X2^z%(9D6RxXxE`Y;ngQR14WQ2;%}q zQU7Xxde#1_Zcr-fv68?`2d@ge4EU=eF9Kebcp*Jj<7I$X1zslduS&eEzVUjGs;Skt zO#VF}*>KXUkdhleEm%my`z_tyIrlB6f`v&xh;y&Qd+l@RKDZuRv!!Q~Xj?_h6WkVC2lTm9S*(5nT6(=nY1N%GgDe;Q<`rY)= 
z$MazYTs_07zWOmwb1QLA%A35ZH0Ds$@-bcNLI3Ms$DlFBOBJy5}b3hk>r9_{m&r2S(M0UTD5fTzD`cpn&}sWipR4r1-eVKYuIp864IriUnk6&JdnOWr zNUDo8M@s5~NJvSli=gnjs~1K_sN44v3^fB*jHCRZ2*; z*SMZ^e)g79Eun!=-m1A4JS2H{Nv4oQ?c!txfm9cWKp>R`nj-}%E0BnSKAzTGoMe}- zer<nR*86X$h0NOWhi^0JStC&`5oaCQ`|$maCvD}txdLrf z)K<<6aA>QNw#Vn^()jU7X+xz{d>VPLy~F?%FQGVr;)7D$L>eEQ;uaJinBr3?J}|{+ zP<&8|+bG8er??5l2d20U#RsMM6uJ696c<0RWpwAR((0o(X2|O6P=CPc8&H41>Z5Ky zWcATQJ6!c=sPjuvfB%X{XH9^rKTLoY08B7PaWGsHh&K*hpGB_h<@Mo*{`dif1pJWp z13Hf2hqNEil>|Se{eaFT_#y2FOe%mM(tf~XQTRdjPGM^JVV1lZ3=>o~0f7mIYXWgA z=IlZ@eiBN^-L46q=#wW5cmkftc!Iza@Wh!X^d5P_fG4DQ!hk2>i8D`_@B}>Z!V_k% z>X`6^98VB<0-iYY1nQXZ#JML>$Al-&J%KtVJaO&`3!Z={&OBkm6Y#_fPgrP+!V?)! zpe+hdoO=RoQF!9q6KIRV6E8h6?NxokgeMw!g8%9I(U!{`geij%7z73>G>F-o%^6hP z^+vi2q;B1gZ8h4}5L=^kT|*lhc3#6d^3on|KPBQ140}H^L&mkL!ili|a-A@Uf>o^X ztJRV8SPL7mZ!rsf>Wvz0@K+>q5^Rym$&UxW*IF{HuPES(6AB$D8Wae9MS%oz+EATT z+;jZXYQ?JoN&FRdQI-|=Z@*5(wyE{QHHHxm;}IySZGZ;BwAI z9KUw9hmk5$yCeQ%5Uf3>eGmh8+Gl>7RS<64W|NtmBO)yVB7Qrz0VlP4;g#etE%r!B zB6`1oSQ3Ef0Fnk`z#->A2!N!4nEe7`kB!DabO1>MvHF#V$N+*Q^8$zsATNQ;P*Z&g zWDX$bKnQ@m1fm1TGZ1~;r`B%H`<<^*pgVre^QpqA8NTTm%E4y4i`nsDF@KmH36j2L zI`+X*t-zdsW(k_h{e<5&__)4L{#nwPZo|Myo@Td*j&J&M zHQ;Tv)F4npB{h&Z)RJSgU@=7^QBoBhswk+60aX-K#e^yfs$xME1y!-3ib|@W@}-m< zsCB6%2h>nW4b**AQUi5fmDE68S0y!2$5lyOP3`~SlMhg>KsG