From a0f2893d52a4731a2461d20645d13f33686550c1 Mon Sep 17 00:00:00 2001
From: Tony Phipps
Date: Mon, 26 Aug 2024 16:09:22 -0600
Subject: [PATCH] add output sample
---
Splunk/output/savedsearches.conf | 6682 ++++++++++++++++++++++++++++++
1 file changed, 6682 insertions(+)
create mode 100644 Splunk/output/savedsearches.conf
diff --git a/Splunk/output/savedsearches.conf b/Splunk/output/savedsearches.conf
new file mode 100644
index 0000000..81bb0d4
--- /dev/null
+++ b/Splunk/output/savedsearches.conf
@@ -0,0 +1,6682 @@
+[default]
+cron_schedule = */30 * * * *
+dispatch.earliest_time = 0
+dispatch.latest_time = now
+enableSched = 0
+schedule_window = auto
+[Potentially Suspicious File Download From ZIP TLD]
+description = Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=15 Contents="*.zip/*" TargetFilename IN ("*.bat:Zone*", "*.dat:Zone*", "*.dll:Zone*", "*.doc:Zone*", "*.docm:Zone*", "*.exe:Zone*", "*.hta:Zone*", "*.pptm:Zone*", "*.ps1:Zone*", "*.rar:Zone*", "*.rtf:Zone*", "*.sct:Zone*", "*.vbe:Zone*", "*.vbs:Zone*", "*.ws:Zone*", "*.wsf:Zone*", "*.xll:Zone*", "*.xls:Zone*", "*.xlsm:Zone*", "*.zip:Zone*") | fields - _raw | collect index=notable_events source="Potentially Suspicious File Download From ZIP TLD" marker="guid=0bb4bbeb-fe52-4044-b40c-430a04577ebe,tags=attack.defense-evasion,"
+[Creation Of a Suspicious ADS File Outside a Browser Download]
+description = Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=15 Contents="[ZoneTransfer] ZoneId=3*" TargetFilename="*:Zone.Identifier" TargetFilename IN ("*.exe*", "*.scr*", "*.bat*", "*.cmd*", "*.docx*", "*.hta*", "*.jse*", "*.lnk*", "*.pptx*", "*.ps*", "*.reg*", "*.sct*", "*.vb*", "*.wsc*", "*.wsf*", "*.xlsx*") NOT (Image="*\\brave.exe" OR Image IN ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") OR Image IN ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") OR Image IN ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe") OR Image="*\\maxthon.exe" OR Image="C:\\Program Files 
(x86)\\Microsoft\\EdgeWebView\\Application\\*" OR Image="*\\WindowsApps\\MicrosoftEdge.exe" OR Image IN ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe") OR (Image IN ("C:\\Program Files (x86)\\Microsoft\\EdgeCore\\*", "C:\\Program Files\\Microsoft\\EdgeCore\\*") Image IN ("*\\msedge.exe", "*\\msedgewebview2.exe")) OR Image="*\\opera.exe" OR Image="*\\safari.exe" OR Image="*\\seamonkey.exe" OR Image="*\\vivaldi.exe" OR Image="*\\whale.exe" OR (Image="C:\\Program Files\\WindowsApps\\Microsoft.ScreenSketch_*" Image="*\\SnippingTool\\SnippingTool.exe" TargetFilename="C:\\Users\\*" TargetFilename="*\\AppData\\Local\\Packages\\Microsoft.ScreenSketch_*" TargetFilename="*\\TempState\\Screenshot *" TargetFilename="*.png:Zone.Identifier")) | fields - _raw | collect index=notable_events source="Creation Of a Suspicious ADS File Outside a Browser Download" marker="guid=573df571-a223-43bc-846e-3f98da481eca,tags=attack.defense-evasion,"
+[Suspicious File Download From File Sharing Websites - File Stream]
+description = Detects the download of suspicious file type from a well-known file and paste sharing domain
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=15 Contents IN ("*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*") TargetFilename IN ("*.cpl:Zone*", "*.dll:Zone*", "*.exe:Zone*", "*.hta:Zone*", "*.lnk:Zone*", "*.one:Zone*", "*.vbe:Zone*", 
"*.vbs:Zone*", "*.xll:Zone*") | fields - _raw | collect index=notable_events source="Suspicious File Download From File Sharing Websites - File Stream" marker="guid=52182dfb-afb7-41db-b4bc-5336cb29b464,tags=attack.defense-evasion,tags=attack.s0139,tags=attack.t1564.004," +[Unusual File Download From File Sharing Websites - File Stream] +description = Detects the download of suspicious file type from a well-known file and paste sharing domain +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=15 Contents IN ("*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*") TargetFilename IN ("*.bat:Zone*", "*.cmd:Zone*", "*.ps1:Zone*") | fields - _raw | collect index=notable_events source="Unusual File Download From File Sharing Websites - File Stream" marker="guid=ae02ed70-11aa-4a22-b397-c0d0e8f6ea99,tags=attack.defense-evasion,tags=attack.s0139,tags=attack.t1564.004," +[Unusual File Download from Direct IP Address] +description = Detects the download of suspicious file type from URLs with IP +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=15 TargetFilename IN ("*.ps1:Zone*", "*.bat:Zone*", "*.exe:Zone*", "*.vbe:Zone*", "*.vbs:Zone*", "*.dll:Zone*", "*.one:Zone*", "*.cmd:Zone*", "*.hta:Zone*", "*.xll:Zone*", "*.lnk:Zone*")\ +| regex Contents="http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" | fields - _raw | collect index=notable_events source="Unusual File Download from 
Direct IP Address" marker="guid=025bd229-fd1f-4fdb-97ab-20006e1a5368,tags=attack.defense-evasion,tags=attack.t1564.004," +[Hidden Executable In NTFS Alternate Data Stream] +description = Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=15 Hash="*IMPHASH=*" NOT Hash="*IMPHASH=00000000000000000000000000000000*" | fields - _raw | collect index=notable_events source="Hidden Executable In NTFS Alternate Data Stream" marker="guid=b69888d4-380c-45ce-9cf9-d9ce46e67821,tags=attack.defense-evasion,tags=attack.s0139,tags=attack.t1564.004," +[Potential Suspicious Winget Package Installation] +description = Detects potential suspicious winget package installation from a suspicious source. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=15 Contents="[ZoneTransfer] ZoneId=3*" Contents IN ("*://1*", "*://2*", "*://3*", "*://4*", "*://5*", "*://6*", "*://7*", "*://8*", "*://9*") TargetFilename="*:Zone.Identifier" TargetFilename="*\\AppData\\Local\\Temp\\WinGet\\*" | fields - _raw | collect index=notable_events source="Potential Suspicious Winget Package Installation" marker="guid=a3f5c081-e75b-43a0-9f5b-51f26fe5dba2,tags=attack.defense-evasion,tags=attack.persistence," +[HackTool Named File Stream Created] +description = Detects the creation of a named file stream with the imphash of a well-known hack tool +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=15 Imphash IN ("bcca3c247b619dcd13c8cdff5f123932", "3a19059bd7688cb88e70005f18efc439", "bf6223a49e45d99094406777eb6004ba", "0c106686a31bfe2ba931ae1cf6e9dbc6", "0d1447d4b3259b3c2a1d4cfb7ece13c3", "1b0369a1e06271833f78ffa70ffb4eaf", "4c1b52a19748428e51b14c278d0f58e3", "4d927a711f77d62cebd4f322cb57ec6f", "66ee036df5fc1004d9ed5e9a94a1086a", "672b13f4a0b6f27d29065123fe882dfc", 
"6bbd59cea665c4afcc2814c1327ec91f", "725bb81dc24214f6ecacc0cfb36ad30d", "9528a0e91e28fbb88ad433feabca2456", "9da6d5d77be11712527dcab86df449a3", "a6e01bc1ab89f8d91d9eab72032aae88", "b24c5eddaea4fe50c6a96a2a133521e4", "d21bbc50dcc169d7b4d0f01962793154", "fcc251cceae90d22c392215cc9a2d5d6", "23867a89c2b8fc733be6cf5ef902f2d1", "a37ff327f8d48e8a4d2f757e1b6e70bc", "f9a28c458284584a93b14216308d31bd", "6118619783fc175bc7ebecff0769b46e", "959a83047e80ab68b368fdb3f4c6e4ea", "563233bfa169acc7892451f71ad5850a", "87575cb7a0e0700eb37f2e3668671a08", "13f08707f759af6003837a150a371ba1", "1781f06048a7e58b323f0b9259be798b", "233f85f2d4bc9d6521a6caae11a1e7f5", "24af2584cbf4d60bbe5c6d1b31b3be6d", "632969ddf6dbf4e0f53424b75e4b91f2", "713c29b396b907ed71a72482759ed757", "749a7bb1f0b4c4455949c0b2bf7f9e9f", "8628b2608957a6b0c6330ac3de28ce2e", "8b114550386e31895dfab371e741123d", "94cb940a1a6b65bed4d5a8f849ce9793", "9d68781980370e00e0bd939ee5e6c141", "b18a1401ff8f444056d29450fbc0a6ce", "cb567f9498452721d77a451374955f5f", "730073214094cd328547bf1f72289752", "17b461a082950fc6332228572138b80c", "dc25ee78e2ef4d36faa0badf1e7461c9", "819b19d53ca6736448f9325a85736792", "829da329ce140d873b4a8bde2cbfaa7e", "c547f2e66061a8dffb6f5a3ff63c0a74", "0588081ab0e63ba785938467e1b10cca", "0d9ec08bac6c07d9987dfd0f1506587c", "bc129092b71c89b4d4c8cdf8ea590b29", "4da924cf622d039d58bce71cdf05d242", "e7a3a5c377e2d29324093377d7db1c66", "9a9dbec5c62f0380b4fa5fd31deffedf", "af8a3976ad71e5d5fdfb67ddb8dadfce", "0c477898bbf137bbd6f2a54e3b805ff4", "0ca9f02b537bcea20d4ea5eb1a9fe338", "3ab3655e5a14d4eefc547f4781bf7f9e", "e6f9d5152da699934b30daab206471f6", "3ad59991ccf1d67339b319b15a41b35d", "ffdd59e0318b85a3e480874d9796d872", "0cf479628d7cc1ea25ec7998a92f5051", "07a2d4dcbd6cb2c6a45e6b101f0b6d51", "d6d0f80386e1380d05cb78e871bc72b1", "38d9e015591bbfd4929e0d0f47fa0055", "0e2216679ca6e1094d63322e3412d650", "ada161bf41b8e5e9132858cb54cab5fb", "2a1bc4913cd5ecb0434df07cb675b798", "11083e75553baae21dc89ce8f9a195e4", 
"a23d29c9e566f2fa8ffbb79267f5df80", "4a07f944a83e8a7c2525efa35dd30e2f", "767637c23bb42cd5d7397cf58b0be688", "14c4e4c72ba075e9069ee67f39188ad8", "3c782813d4afce07bbfc5a9772acdbdc", "7d010c6bb6a3726f327f7e239166d127", "89159ba4dd04e4ce5559f132a9964eb3", "6f33f4a5fc42b8cec7314947bd13f30f", "5834ed4291bdeb928270428ebbaf7604", "5a8a8a43f25485e7ee1b201edcbc7a38", "dc7d30b90b2d8abf664fbed2b1b59894", "41923ea1f824fe63ea5beb84db7a3e74", "3de09703c8e79ed2ca3f01074719906b", "a53a02b997935fd8eedcb5f7abab9b9f", "e96a73c7bf33a464c510ede582318bf2", "32089b8851bbf8bc2d014e9f37288c83", "09D278F9DE118EF09163C6140255C690", "03866661686829d806989e2fc5a72606", "e57401fbdadcd4571ff385ab82bd5d6d", "84B763C45C0E4A3E7CA5548C710DB4EE", "19584675d94829987952432e018d5056", "330768a4f172e10acb6287b87289d83b", "885c99ccfbe77d1cbfcb9c4e7c1a3313", "22a22bc9e4e0d2f189f1ea01748816ac", "7fa30e6bb7e8e8a69155636e50bf1b28", "96df3a3731912449521f6f8d183279b1", "7e6cf3ff4576581271ac8a313b2aab46", "51791678f351c03a0eb4e2a7b05c6e17", "25ce42b079282632708fc846129e98a5", "021bcca20ba3381b11bdde26b4e62f20", "59223b5f52d8799d38e0754855cbdf42", "81e75d8f1d276c156653d3d8813e4a43", "17244e8b6b8227e57fe709ccad421420", "5b76da3acdedc8a5cdf23a798b5936b4", "cb2b65bb77d995cc1c0e5df1c860133c", "40445337761d80cf465136fafb1f63e6", "8a790f401b29fa87bc1e56f7272b3aa6") OR Hash IN ("*IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932*", "*IMPHASH=3A19059BD7688CB88E70005F18EFC439*", "*IMPHASH=bf6223a49e45d99094406777eb6004ba*", "*IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6*", "*IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3*", "*IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF*", "*IMPHASH=4C1B52A19748428E51B14C278D0F58E3*", "*IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F*", "*IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A*", "*IMPHASH=672B13F4A0B6F27D29065123FE882DFC*", "*IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F*", "*IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D*", "*IMPHASH=9528A0E91E28FBB88AD433FEABCA2456*", "*IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3*", 
"*IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88*", "*IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4*", "*IMPHASH=D21BBC50DCC169D7B4D0F01962793154*", "*IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6*", "*IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1*", "*IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC*", "*IMPHASH=F9A28C458284584A93B14216308D31BD*", "*IMPHASH=6118619783FC175BC7EBECFF0769B46E*", "*IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA*", "*IMPHASH=563233BFA169ACC7892451F71AD5850A*", "*IMPHASH=87575CB7A0E0700EB37F2E3668671A08*", "*IMPHASH=13F08707F759AF6003837A150A371BA1*", "*IMPHASH=1781F06048A7E58B323F0B9259BE798B*", "*IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5*", "*IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D*", "*IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2*", "*IMPHASH=713C29B396B907ED71A72482759ED757*", "*IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F*", "*IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E*", "*IMPHASH=8B114550386E31895DFAB371E741123D*", "*IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793*", "*IMPHASH=9D68781980370E00E0BD939EE5E6C141*", "*IMPHASH=B18A1401FF8F444056D29450FBC0A6CE*", "*IMPHASH=CB567F9498452721D77A451374955F5F*", "*IMPHASH=730073214094CD328547BF1F72289752*", "*IMPHASH=17B461A082950FC6332228572138B80C*", "*IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9*", "*IMPHASH=819B19D53CA6736448F9325A85736792*", "*IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E*", "*IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74*", "*IMPHASH=0588081AB0E63BA785938467E1B10CCA*", "*IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C*", "*IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29*", "*IMPHASH=4DA924CF622D039D58BCE71CDF05D242*", "*IMPHASH=E7A3A5C377E2D29324093377D7DB1C66*", "*IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF*", "*IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE*", "*IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4*", "*IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338*", "*IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E*", "*IMPHASH=E6F9D5152DA699934B30DAAB206471F6*", "*IMPHASH=3AD59991CCF1D67339B319B15A41B35D*", "*IMPHASH=FFDD59E0318B85A3E480874D9796D872*", 
"*IMPHASH=0CF479628D7CC1EA25EC7998A92F5051*", "*IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51*", "*IMPHASH=D6D0F80386E1380D05CB78E871BC72B1*", "*IMPHASH=38D9E015591BBFD4929E0D0F47FA0055*", "*IMPHASH=0E2216679CA6E1094D63322E3412D650*", "*IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB*", "*IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798*", "*IMPHASH=11083E75553BAAE21DC89CE8F9A195E4*", "*IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80*", "*IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F*", "*IMPHASH=767637C23BB42CD5D7397CF58B0BE688*", "*IMPHASH=14C4E4C72BA075E9069EE67F39188AD8*", "*IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC*", "*IMPHASH=7D010C6BB6A3726F327F7E239166D127*", "*IMPHASH=89159BA4DD04E4CE5559F132A9964EB3*", "*IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F*", "*IMPHASH=5834ED4291BDEB928270428EBBAF7604*", "*IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38*", "*IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894*", "*IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74*", "*IMPHASH=3DE09703C8E79ED2CA3F01074719906B*", "*IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F*", "*IMPHASH=E96A73C7BF33A464C510EDE582318BF2*", "*IMPHASH=32089B8851BBF8BC2D014E9F37288C83*", "*IMPHASH=09D278F9DE118EF09163C6140255C690*", "*IMPHASH=03866661686829d806989e2fc5a72606*", "*IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d*", "*IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE*", "*IMPHASH=19584675D94829987952432E018D5056*", "*IMPHASH=330768A4F172E10ACB6287B87289D83B*", "*IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313*", "*IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC*", "*IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28*", "*IMPHASH=96DF3A3731912449521F6F8D183279B1*", "*IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46*", "*IMPHASH=51791678F351C03A0EB4E2A7B05C6E17*", "*IMPHASH=25CE42B079282632708FC846129E98A5*", "*IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20*", "*IMPHASH=59223B5F52D8799D38E0754855CBDF42*", "*IMPHASH=81E75D8F1D276C156653D3D8813E4A43*", "*IMPHASH=17244E8B6B8227E57FE709CCAD421420*", "*IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4*", "*IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C*", 
"*IMPHASH=40445337761D80CF465136FAFB1F63E6*", "*IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6*") | fields - _raw | collect index=notable_events source="HackTool Named File Stream Created" marker="guid=19b041f6-e583-40dc-b842-d6fa8011493f,tags=attack.defense-evasion,tags=attack.s0139,tags=attack.t1564.004," +[Exports Registry Key To an Alternate Data Stream] +description = Exports the target Registry key and hides it in the specified alternate data stream. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=15 Image="*\\regedit.exe" | table TargetFilename | fields - _raw | collect index=notable_events source="Exports Registry Key To an Alternate Data Stream" marker="guid=0d7a9363-af70-4e7b-a3b7-1a176b7fbe84,tags=attack.defense-evasion,tags=attack.t1564.004," +[Potentially Suspicious DLL Registered Via Odbcconf.EXE] +description = Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\odbcconf.exe" OR OriginalFileName="odbcconf.exe" CommandLine="*REGSVR *" NOT CommandLine="*.dll*" | fields - _raw | collect index=notable_events source="Potentially Suspicious DLL Registered Via Odbcconf.EXE" marker="guid=ba4cfc11-d0fa-4d94-bf20-7c332c412e76,tags=attack.defense-evasion,tags=attack.t1218.008,"
+[Suspicious Invoke-WebRequest Execution With DirectIP]
+description = Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*curl *", "*Invoke-WebRequest*", "*iwr *", "*wget *") CommandLine IN ("*://1*", "*://2*", "*://3*", "*://4*", "*://5*", "*://6*", "*://7*", "*://8*", "*://9*") | fields - _raw | collect index=notable_events source="Suspicious Invoke-WebRequest Execution With DirectIP" marker="guid=1edff897-9146-48d2-9066-52e8d8f80a2f,tags=attack.command-and-control,tags=attack.t1105,"
+[Windows Recall Feature Enabled Via Reg.EXE]
+description = Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine="*Microsoft\\Windows\\WindowsAI*" CommandLine="*DisableAIDataAnalysis*" CommandLine IN ("*add*", "*0*") OR CommandLine="*delete*" | fields - _raw | collect index=notable_events source="Windows Recall Feature Enabled Via Reg.EXE" marker="guid=817f252c-5143-4dae-b418-48c3e9f63728,tags=attack.collection,tags=attack.t1113,"
+[Suspicious X509Enrollment - Process Creation]
+description = Detect use of X509Enrollment
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*X509Enrollment.CBinaryConverter*", "*884e2002-217d-11da-b2a4-000e7bbb2b09*") | fields - _raw | collect index=notable_events source="Suspicious X509Enrollment - Process Creation" marker="guid=114de787-4eb2-48cc-abdb-c0b449f93ea4,tags=attack.defense-evasion,tags=attack.t1553.004,"
+[Use of Pcalua For Execution]
+description = Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\pcalua.exe" CommandLine="* -a*" | fields - _raw | collect index=notable_events source="Use of Pcalua For Execution" marker="guid=0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2,tags=attack.execution,tags=attack.t1059,"
+[Potential Application Whitelisting Bypass via Dnx.EXE]
+description = Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dnx.exe" | fields - _raw | collect index=notable_events source="Potential Application Whitelisting Bypass via Dnx.EXE" marker="guid=81ebd28b-9607-4478-bf06-974ed9d53ed7,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1027.004,"
+[Suspicious IIS URL GlobalRules Rewrite Via AppCmd]
+description = Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\appcmd.exe" OR OriginalFileName="appcmd.exe" CommandLine="*set*" CommandLine="*config*" CommandLine="*section:system.webServer/rewrite/globalRules*" CommandLine="*commit:*" | fields - _raw | collect index=notable_events source="Suspicious IIS URL GlobalRules Rewrite Via AppCmd" marker="guid=7c8af9b2-dcae-41a2-a9db-b28c288b5f08,tags=attack.defense-evasion,"
+[Firewall Configuration Discovery Via Netsh.EXE]
+description = Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" CommandLine="*netsh *" CommandLine="*show *" CommandLine="*firewall *" CommandLine IN ("*config *", "*state *", "*rule *", "*name=all*") | fields - _raw | collect index=notable_events source="Firewall Configuration Discovery Via Netsh.EXE" marker="guid=0e4164da-94bc-450d-a7be-a4b176179f1f,tags=attack.discovery,tags=attack.t1016,"
+[AgentExecutor PowerShell Execution]
+description = Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="\\AgentExecutor.exe" OR OriginalFileName="AgentExecutor.exe" CommandLine IN ("* -powershell*", "* -remediationScript*") NOT ParentImage="*\\Microsoft.Management.Services.IntuneWindowsAgent.exe" | fields - _raw | collect index=notable_events source="AgentExecutor PowerShell Execution" marker="guid=7efd2c8d-8b18-45b7-947d-adfe9ed04f61,tags=attack.defense-evasion,tags=attack.t1218,"
+[Use of TTDInject.exe]
+description = Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*ttdinject.exe" OR OriginalFileName="TTDInject.EXE" | fields - _raw | collect index=notable_events source="Use of TTDInject.exe" marker="guid=b27077d6-23e6-45d2-81a0-e2b356eea5fd,tags=attack.defense-evasion,tags=attack.t1127,"
+[Conhost.exe CommandLine Path Traversal]
+description = detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentCommandLine="*conhost*" CommandLine="*/../../*" | fields - _raw | collect index=notable_events source="Conhost.exe CommandLine Path Traversal" marker="guid=ee5e119b-1f75-4b34-add8-3be976961e39,tags=attack.execution,tags=attack.t1059.003,"
+[Logged-On User Password Change Via Ksetup.EXE]
+description = Detects password change for the logged-on user's via "ksetup.exe"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ksetup.exe" OR OriginalFileName="ksetup.exe" 
CommandLine="* /ChangePassword *" | fields - _raw | collect index=notable_events source="Logged-On User Password Change Via Ksetup.EXE" marker="guid=c9783e20-4793-4164-ba96-d9ee483992c4,tags=attack.execution," +[PUA - NirCmd Execution As LOCAL SYSTEM] +description = Detects the use of NirCmd tool for command execution as SYSTEM user +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* runassystem *" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="PUA - NirCmd Execution As LOCAL SYSTEM" marker="guid=d9047477-0359-48c9-b8c7-792cedcdc9c4,tags=attack.execution,tags=attack.t1569.002,tags=attack.s0029," +[Gzip Archive Decode Via PowerShell] +description = Detects attempts of decoding encoded Gzip archives via PowerShell. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*GZipStream*" CommandLine="*::Decompress*" | fields - _raw | collect index=notable_events source="Gzip Archive Decode Via PowerShell" marker="guid=98767d61-b2e8-4d71-b661-e36783ee24c1,tags=attack.command-and-control,tags=attack.t1132.001," +[HackTool - WinPwn Execution] +description = Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Offline_Winpwn*", "*WinPwn *", "*WinPwn.exe*", "*WinPwn.ps1*") | fields - _raw | collect index=notable_events source="HackTool - WinPwn Execution" marker="guid=d557dc06-62e8-4468-a8e8-7984124908ce,tags=attack.credential-access,tags=attack.defense-evasion,tags=attack.discovery,tags=attack.execution,tags=attack.privilege-escalation,tags=attack.t1046,tags=attack.t1082,tags=attack.t1106,tags=attack.t1518,tags=attack.t1548.002,tags=attack.t1552.001,tags=attack.t1555,tags=attack.t1555.003,"
+[Compressed File Extraction Via Tar.EXE]
+description = Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\tar.exe" OR OriginalFileName="bsdtar" CommandLine="*-x*" | fields - _raw | collect index=notable_events source="Compressed File Extraction Via Tar.EXE" marker="guid=bf361876-6620-407a-812f-bfe11e51e924,tags=attack.collection,tags=attack.exfiltration,tags=attack.t1560,tags=attack.t1560.001,"
+[Unmount Share Via Net.EXE]
+description = Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine="*share*" CommandLine="*/delete*" | fields - _raw | collect index=notable_events source="Unmount Share Via Net.EXE" marker="guid=cb7c4a03-2871-43c0-9bbb-18bbdb079896,tags=attack.defense-evasion,tags=attack.t1070.005,"
+[PUA - AdvancedRun Suspicious Execution]
+description = Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*/EXEFilename*", "*/CommandLine*") CommandLine IN ("* /RunAs 8 *", "* /RunAs 4 *", "* /RunAs 10 *", "* /RunAs 11 *") OR CommandLine IN ("*/RunAs 8", "*/RunAs 4", "*/RunAs 10", "*/RunAs 11") | fields - _raw | collect index=notable_events source="PUA - AdvancedRun Suspicious Execution" marker="guid=fa00b701-44c6-4679-994d-5a18afa8a707,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1134.002,"
+[Suspicious RDP Redirect Using TSCON]
+description = Detects a suspicious RDP session redirect using tscon.exe
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* /dest:rdp-tcp#*" | fields - _raw | collect index=notable_events source="Suspicious RDP Redirect Using TSCON" marker="guid=f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb,tags=attack.lateral-movement,tags=attack.t1563.002,tags=attack.t1021.001,tags=car.2013-07-002,"
+[New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE]
+description = Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
+search = 
index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dnscmd.exe" CommandLine="*/config*" CommandLine="*/serverlevelplugindll*" | fields - _raw | collect index=notable_events source="New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE" marker="guid=f63b56ee-3f79-4b8a-97fb-5c48007e8573,tags=attack.defense-evasion,tags=attack.t1574.002,tags=attack.t1112,"
+[Suspicious Schtasks From Env Var Folder]
+description = Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\schtasks.exe" CommandLine="* /create *" CommandLine IN ("*:\\Perflogs*", "*:\\Windows\\Temp*", "*\\AppData\\Local\\*", "*\\AppData\\Roaming\\*", "*\\Users\\Public*", "*%AppData%*", "*%Public%*")) OR (ParentCommandLine="*\\svchost.exe -k netsvcs -p -s Schedule" CommandLine IN ("*:\\Perflogs*", "*:\\Windows\\Temp*", "*\\Users\\Public*", "*%Public%*")) NOT (CommandLine IN ("*update_task.xml*", "*/Create /TN TVInstallRestore /TR*") OR ParentCommandLine="*unattended.ini*" OR (CommandLine="*/Create /Xml \"C:\\Users\\*" CommandLine="*\\AppData\\Local\\Temp\\.CR.*" CommandLine="*Avira_Security_Installation.xml*") OR (CommandLine="*/Create /F /TN*" CommandLine="*/Xml *" CommandLine="*\\AppData\\Local\\Temp\\is-*" CommandLine="*Avira_*" CommandLine IN ("*.tmp\\UpdateFallbackTask.xml*", "*.tmp\\WatchdogServiceControlManagerTimeout.xml*", "*.tmp\\SystrayAutostart.xml*", "*.tmp\\MaintenanceTask.xml*")) OR (CommandLine="*\\AppData\\Local\\Temp\\*" CommandLine="*/Create /TN \"klcp_update\" /XML *" CommandLine="*\\klcp_update_task.xml*")) | fields - _raw | collect index=notable_events source="Suspicious Schtasks From Env Var Folder" marker="guid=81325ce1-be01-4250-944f-b4789644556f,tags=attack.execution,tags=attack.t1053.005,"
+[Service Registry Key Deleted Via Reg.EXE]
+description = Detects execution of 
"reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*reg.exe" OR OriginalFileName="reg.exe" CommandLine="* delete *" CommandLine="*\\SYSTEM\\CurrentControlSet\\services\\*" | fields - _raw | collect index=notable_events source="Service Registry Key Deleted Via Reg.EXE" marker="guid=05b2aa93-1210-42c8-8d9a-2fcc13b284f5,tags=attack.defense-evasion,tags=attack.t1562.001," +[HackTool - Impacket Tools Execution] +description = Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\goldenPac*", "*\\karmaSMB*", "*\\kintercept*", "*\\ntlmrelayx*", "*\\rpcdump*", "*\\samrdump*", "*\\secretsdump*", "*\\smbexec*", "*\\smbrelayx*", "*\\wmiexec*", "*\\wmipersist*") OR Image IN ("*\\atexec_windows.exe", "*\\dcomexec_windows.exe", "*\\dpapi_windows.exe", "*\\findDelegation_windows.exe", "*\\GetADUsers_windows.exe", "*\\GetNPUsers_windows.exe", "*\\getPac_windows.exe", "*\\getST_windows.exe", "*\\getTGT_windows.exe", "*\\GetUserSPNs_windows.exe", "*\\ifmap_windows.exe", "*\\mimikatz_windows.exe", "*\\netview_windows.exe", "*\\nmapAnswerMachine_windows.exe", "*\\opdump_windows.exe", "*\\psexec_windows.exe", "*\\rdp_check_windows.exe", "*\\sambaPipe_windows.exe", "*\\smbclient_windows.exe", "*\\smbserver_windows.exe", "*\\sniff_windows.exe", "*\\sniffer_windows.exe", "*\\split_windows.exe", "*\\ticketer_windows.exe") | fields - _raw | collect index=notable_events source="HackTool - Impacket Tools Execution" marker="guid=4627c6ae-6899-46e2-aa0c-6ebcb1becd19,tags=attack.execution,tags=attack.t1557.001," +[Suspicious Child Process Of Manage Engine ServiceDesk] +description = Detects suspicious child 
processes of the "Manage Engine ServiceDesk Plus" Java web service
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\ManageEngine\\ServiceDesk\\*" ParentImage="*\\java.exe*" Image IN ("*\\AppVLP.exe", "*\\bash.exe", "*\\bitsadmin.exe", "*\\calc.exe", "*\\certutil.exe", "*\\cscript.exe", "*\\curl.exe", "*\\forfiles.exe", "*\\mftrace.exe", "*\\mshta.exe", "*\\net.exe", "*\\net1.exe", "*\\notepad.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\query.exe", "*\\reg.exe", "*\\schtasks.exe", "*\\scrcons.exe", "*\\sh.exe", "*\\systeminfo.exe", "*\\whoami.exe", "*\\wmic.exe", "*\\wscript.exe") NOT (Image IN ("*\\net.exe", "*\\net1.exe") CommandLine="* stop*") | fields - _raw | collect index=notable_events source="Suspicious Child Process Of Manage Engine ServiceDesk" marker="guid=cea2b7ea-792b-405f-95a1-b903ea06458f,tags=attack.command-and-control,tags=attack.t1102,"
+[Potential Manage-bde.wsf Abuse To Proxy Execution]
+description = Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\wscript.exe" OR OriginalFileName="wscript.exe" CommandLine="*manage-bde.wsf*") OR (ParentImage IN ("*\\cscript.exe", "*\\wscript.exe") ParentCommandLine="*manage-bde.wsf*" NOT Image="*\\cmd.exe") | fields - _raw | collect index=notable_events source="Potential Manage-bde.wsf Abuse To Proxy Execution" marker="guid=c363385c-f75d-4753-a108-c1a8e28bdbda,tags=attack.defense-evasion,tags=attack.t1216,"
+[Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION]
+description = Detects Obfuscated Powershell via VAR++ LAUNCHER
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*&&set*" CommandLine="*cmd*" CommandLine="*/c*" CommandLine="*-f*" CommandLine IN ("*{0}*", "*{1}*", "*{2}*", "*{3}*", "*{4}*", "*{5}*") | fields - _raw | collect 
index=notable_events source="Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" marker="guid=e9f55347-2928-4c06-88e5-1a7f8169942e,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001,"
+[PUA - Seatbelt Execution]
+description = Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Seatbelt.exe" OR OriginalFileName="Seatbelt.exe" OR Description="Seatbelt" OR CommandLine IN ("* DpapiMasterKeys*", "* InterestingProcesses*", "* InterestingFiles*", "* CertificateThumbprints*", "* ChromiumBookmarks*", "* ChromiumHistory*", "* ChromiumPresence*", "* CloudCredentials*", "* CredEnum*", "* CredGuard*", "* FirefoxHistory*", "* ProcessCreationEvents*") OR (CommandLine IN ("* -group=misc*", "* -group=remote*", "* -group=chromium*", "* -group=slack*", "* -group=system*", "* -group=user*", "* -group=all*") CommandLine="* -outputfile=*") | fields - _raw | collect index=notable_events source="PUA - Seatbelt Execution" marker="guid=38646daa-e78f-4ace-9de0-55547b2d30da,tags=attack.discovery,tags=attack.t1526,tags=attack.t1087,tags=attack.t1083,"
+[Suspicious Ping/Del Command Combination]
+description = Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* -n *" OR CommandLine="* /n *" OR CommandLine="* –n *" OR CommandLine="* —n *" OR CommandLine="* ―n *" CommandLine="*Nul*" CommandLine="* -f *" OR CommandLine="* /f *" OR CommandLine="* –f *" OR CommandLine="* —f *" OR CommandLine="* ―f *" OR CommandLine="* -q *" OR CommandLine="* /q *" OR CommandLine="* –q *" OR CommandLine="* —q *" OR CommandLine="* ―q *" CommandLine="*ping*" CommandLine="*del *" | fields - _raw | collect index=notable_events source="Suspicious Ping/Del Command Combination" marker="guid=54786ddc-5b8a-11ed-9b6a-0242ac120002,tags=attack.defense-evasion,tags=attack.t1070.004,"
+[Potential Suspicious Mofcomp Execution]
+description = Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. 
Attackers abuse this utility to install malicious MOF scripts
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\mofcomp.exe" OR OriginalFileName="mofcomp.exe" ParentImage IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wsl.exe", "*\\wscript.exe", "*\\cscript.exe") OR CommandLine IN ("*\\AppData\\Local\\Temp*", "*\\Users\\Public\\*", "*\\WINDOWS\\Temp\\*", "*%temp%*", "*%tmp%*", "*%appdata%*") NOT (ParentImage="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" CommandLine="*C:\\Windows\\TEMP\\*" CommandLine="*.mof") NOT (CommandLine="*C:\\Windows\\TEMP\\*" CommandLine="*.mof") | fields - _raw | collect index=notable_events source="Potential Suspicious Mofcomp Execution" marker="guid=1dd05363-104e-4b4a-b963-196a534b03a1,tags=attack.defense-evasion,tags=attack.t1218,"
+[HackTool - Hashcat Password Cracker Execution]
+description = Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\hashcat.exe" OR (CommandLine="*-a *" CommandLine="*-m 1000 *" CommandLine="*-r *") | fields - _raw | collect index=notable_events source="HackTool - Hashcat Password Cracker Execution" marker="guid=39b31e81-5f5f-4898-9c0e-2160cfc0f9bf,tags=attack.credential-access,tags=attack.t1110.002,"
+[Persistence Via TypedPaths - CommandLine]
+description = Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. 
Which might indicate persistence attempt
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths*" | fields - _raw | collect index=notable_events source="Persistence Via TypedPaths - CommandLine" marker="guid=ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba,tags=attack.persistence,"
+[ETW Logging Tamper In .NET Processes Via CommandLine]
+description = Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*COMPlus_ETWEnabled*", "*COMPlus_ETWFlags*") | fields - _raw | collect index=notable_events source="ETW Logging Tamper In .NET Processes Via CommandLine" marker="guid=41421f44-58f9-455d-838a-c398859841d4,tags=attack.defense-evasion,tags=attack.t1562,"
+[Powershell Defender Exclusion]
+description = Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Add-MpPreference *", "*Set-MpPreference *") CommandLine IN ("* -ExclusionPath *", "* -ExclusionExtension *", "* -ExclusionProcess *", "* -ExclusionIpAddress *") | fields - _raw | collect index=notable_events source="Powershell Defender Exclusion" marker="guid=17769c90-230e-488b-a463-e05c08e9d48f,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Arbitrary Shell Command Execution Via Settingcontent-Ms]
+description = The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*.SettingContent-ms*" NOT CommandLine="*immersivecontrolpanel*" | table ParentProcess,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Arbitrary Shell Command Execution Via Settingcontent-Ms" marker="guid=24de4f3b-804c-4165-b442-5a06a2302c7e,tags=attack.t1204,tags=attack.t1566.001,tags=attack.execution,tags=attack.initial-access,"
+[Whoami.EXE Execution Anomaly]
+description = Detects the execution of whoami.exe with suspicious parent processes.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\whoami.exe" OR OriginalFileName="whoami.exe" NOT (ParentImage IN ("*\\cmd.exe", "*\\powershell_ise.exe", "*\\powershell.exe", "*\\pwsh.exe") OR ParentImage!=* OR ParentImage="") NOT ParentImage="*:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe" | fields - _raw | collect index=notable_events source="Whoami.EXE Execution Anomaly" marker="guid=8de1cbe8-d6f5-496d-8237-5f44a721c7a0,tags=attack.discovery,tags=attack.t1033,tags=car.2016-03-001,"
+[DeviceCredentialDeployment Execution]
+description = Detects the execution of DeviceCredentialDeployment to hide a process from view
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\DeviceCredentialDeployment.exe" | fields - _raw | collect index=notable_events source="DeviceCredentialDeployment Execution" marker="guid=b8b1b304-a60f-4999-9a6e-c547bde03ffd,tags=attack.defense-evasion,tags=attack.t1218,"
+[HackTool - Jlaive In-Memory Assembly Execution]
+description = Detects the use of Jlaive to execute assemblies in a copied PowerShell
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\cmd.exe" ParentCommandLine="*.bat" (Image="*\\xcopy.exe" CommandLine="*powershell.exe*" 
CommandLine="*.bat.exe*") OR (Image="*\\xcopy.exe" CommandLine="*pwsh.exe*" CommandLine="*.bat.exe*") OR (Image="*\\attrib.exe" CommandLine="*+s*" CommandLine="*+h*" CommandLine="*.bat.exe*") | fields - _raw | collect index=notable_events source="HackTool - Jlaive In-Memory Assembly Execution" marker="guid=0a99eb3e-1617-41bd-b095-13dc767f3def,tags=attack.execution,tags=attack.t1059.003," +[File And SubFolder Enumeration Via Dir Command] +description = Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine="*dir*-s*" OR CommandLine="*dir*/s*" OR CommandLine="*dir*–s*" OR CommandLine="*dir*—s*" OR CommandLine="*dir*―s*" | fields - _raw | collect index=notable_events source="File And SubFolder Enumeration Via Dir Command" marker="guid=7c9340a9-e2ee-4e43-94c5-c54ebbea1006,tags=attack.discovery,tags=attack.t1217," +[Renamed NirCmd.EXE Execution] +description = Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="NirCmd.exe" NOT (Image IN ("*\\nircmd.exe", "*\\nircmdc.exe")) | fields - _raw | collect index=notable_events source="Renamed NirCmd.EXE Execution" marker="guid=264982dc-dbad-4dce-b707-1e0d3e0f73d9,tags=attack.execution,tags=attack.t1059,tags=attack.defense-evasion,tags=attack.t1202," +[Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS] +description = Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". 
Which can be used to gather information about the target machine
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*gatherNetworkInfo.vbs*" NOT (Image IN ("*\\cscript.exe", "*\\wscript.exe")) | fields - _raw | collect index=notable_events source="Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS" marker="guid=07aa184a-870d-413d-893a-157f317f6f58,tags=attack.discovery,tags=attack.execution,tags=attack.t1615,tags=attack.t1059.005,"
+[New ActiveScriptEventConsumer Created Via Wmic.EXE]
+description = Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*ActiveScriptEventConsumer*" CommandLine="* CREATE *" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="New ActiveScriptEventConsumer Created Via Wmic.EXE" marker="guid=ebef4391-1a81-4761-a40a-1db446c0e625,tags=attack.persistence,tags=attack.t1546.003,"
+[HackTool - Wmiexec Default Powershell Command]
+description = Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc*" | fields - _raw | collect index=notable_events source="HackTool - Wmiexec Default Powershell Command" marker="guid=022eaba8-f0bf-4dd9-9217-4604b0bb3bb0,tags=attack.defense-evasion,tags=attack.lateral-movement,"
+[Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE]
+description = Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certutil.exe" OR OriginalFileName="CertUtil.exe" CommandLine IN ("*urlcache *", "*verifyctl *") CommandLine IN ("*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*") | fields - _raw | collect index=notable_events source="Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE" marker="guid=42a5f1e7-9603-4f6d-97ae-3f37d130d794,tags=attack.defense-evasion,tags=attack.t1027,"
+[Local Groups Reconnaissance Via Wmic.EXE]
+description = Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wmic.exe" OR OriginalFileName="wmic.exe" CommandLine="* group*" | fields - _raw | collect index=notable_events source="Local Groups Reconnaissance Via Wmic.EXE" marker="guid=164eda96-11b2-430b-85ff-6a265c15bf32,tags=attack.discovery,tags=attack.t1069.001,"
+[Stop Windows Service Via PowerShell Stop-Service]
+description = Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") OR Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine="*Stop-Service *" | fields - _raw | collect index=notable_events source="Stop Windows Service Via PowerShell Stop-Service" marker="guid=c49c5062-0966-4170-9efd-9968c913a6cf,tags=attack.impact,tags=attack.t1489,"
+[Procdump Execution]
+description = Detects usage of the SysInternals Procdump utility
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\procdump.exe", "*\\procdump64.exe") | fields - _raw | collect index=notable_events source="Procdump Execution" marker="guid=2e65275c-8288-4ab4-aeb7-6274f58b6b20,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1003.001,"
+[AddinUtil.EXE Execution From Uncommon Directory]
+description = Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\addinutil.exe" OR OriginalFileName="AddInUtil.exe" NOT (Image IN ("*:\\Windows\\Microsoft.NET\\Framework\\*", "*:\\Windows\\Microsoft.NET\\Framework64\\*", "*:\\Windows\\WinSxS\\*")) | fields - _raw | collect index=notable_events source="AddinUtil.EXE Execution From Uncommon Directory" marker="guid=6120ac2a-a34b-42c0-a9bd-1fb9f459f348,tags=attack.defense-evasion,tags=attack.t1218,"
+[Suspicious Kernel Dump Using Dtrace]
+description = Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\dtrace.exe" CommandLine="*lkd(0)*") OR (CommandLine="*syscall:::return*" CommandLine="*lkd(*") | fields - _raw | collect index=notable_events source="Suspicious Kernel Dump Using Dtrace" marker="guid=7124aebe-4cd7-4ccb-8df0-6d6b93c96795,tags=attack.discovery,tags=attack.t1082,"
+[Stop Windows Service Via Sc.EXE]
+description = Detects the stopping of a Windows service via the "sc.exe" utility
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="sc.exe" OR Image="*\\sc.exe" CommandLine="* stop *" | fields - _raw | collect index=notable_events source="Stop Windows Service Via Sc.EXE" marker="guid=81bcb81b-5b1f-474b-b373-52c871aaa7b1,tags=attack.impact,tags=attack.t1489,"
+[HackTool - Quarks PwDump Execution]
+description = Detects usage of the Quarks PwDump tool via commandline arguments
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\QuarksPwDump.exe" OR CommandLine IN (" -dhl", " --dump-hash-local", " -dhdc", " --dump-hash-domain-cached", " --dump-bitlocker", " -dhd ", " --dump-hash-domain ", "--ntds-file") | fields - _raw | collect index=notable_events 
source="HackTool - Quarks PwDump Execution" marker="guid=0685b176-c816-4837-8e7b-1216f346636b,tags=attack.credential-access,tags=attack.t1003.002," +[Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location] +description = Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\Regsvcs.exe", "*\\Regasm.exe") OR OriginalFileName IN ("RegSvcs.exe", "RegAsm.exe") CommandLine IN ("*\\AppData\\Local\\Temp\\*", "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "*\\PerfLogs\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location" marker="guid=cc368ed0-2411-45dc-a222-510ace303cb2,tags=attack.defense-evasion,tags=attack.t1218.009," +[Suspicious Service DACL Modification Via Set-Service Cmdlet] +description = Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\pwsh.exe" OR OriginalFileName="pwsh.dll" CommandLine IN ("*-SecurityDescriptorSddl *", "*-sd *") CommandLine="*Set-Service *" CommandLine="*D;;*" CommandLine IN ("*;;;IU*", "*;;;SU*", "*;;;BA*", "*;;;SY*", "*;;;WD*") | fields - _raw | collect index=notable_events source="Suspicious Service DACL Modification Via Set-Service Cmdlet" marker="guid=a95b9b42-1308-4735-a1af-abb1c5e6f5ac,tags=attack.persistence,tags=attack.t1543.003," +[Potential RDP Tunneling Via Plink] +description = Execution of plink to perform data exfiltration and tunneling +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 
(Image="*\\plink.exe" CommandLine="*:127.0.0.1:3389*") OR (Image="*\\plink.exe" CommandLine="*:3389*" CommandLine IN ("* -P 443*", "* -P 22*")) | fields - _raw | collect index=notable_events source="Potential RDP Tunneling Via Plink" marker="guid=f38ce0b9-5e97-4b47-a211-7dc8d8b871da,tags=attack.command-and-control,tags=attack.t1572," +[Suspicious Splwow64 Without Params] +description = Detects suspicious Splwow64.exe process without any command line parameters +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\splwow64.exe" CommandLine="*splwow64.exe" | fields - _raw | collect index=notable_events source="Suspicious Splwow64 Without Params" marker="guid=1f1a8509-2cbb-44f5-8751-8e1571518ce2,tags=attack.defense-evasion,tags=attack.t1202," +[PUA - CsExec Execution] +description = Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\csexec.exe" OR Description="csexec" | fields - _raw | collect index=notable_events source="PUA - CsExec Execution" marker="guid=d08a2711-ee8b-4323-bdec-b7d85e892b31,tags=attack.resource-development,tags=attack.t1587.001,tags=attack.execution,tags=attack.t1569.002," +[SafeBoot Registry Key Deleted Via Reg.EXE] +description = Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*reg.exe" OR OriginalFileName="reg.exe" CommandLine="* delete *" CommandLine="*\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot*" | fields - _raw | collect index=notable_events source="SafeBoot Registry Key Deleted Via Reg.EXE" marker="guid=fc0e89b5-adb0-43c1-b749-c12a10ec37de,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Findstr GPP Passwords]
+description = Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\find.exe", "*\\findstr.exe") OR OriginalFileName IN ("FIND.EXE", "FINDSTR.EXE") CommandLine="*cpassword*" CommandLine="*\\sysvol\\*" CommandLine="*.xml*" | fields - _raw | collect index=notable_events source="Findstr GPP Passwords" marker="guid=91a2c315-9ee6-4052-a853-6f6a8238f90d,tags=attack.credential-access,tags=attack.t1552.006,"
+[DNS Exfiltration and Tunneling Tools Execution]
+description = Well-known DNS Exfiltration tools execution
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\iodine.exe", "*\\dnscat2*") | fields - _raw | collect index=notable_events source="DNS Exfiltration and Tunneling Tools Execution" marker="guid=98a96a5a-64a0-4c42-92c5-489da3866cb0,tags=attack.exfiltration,tags=attack.t1048.001,tags=attack.command-and-control,tags=attack.t1071.004,tags=attack.t1132.001,"
+[Perl Inline Command Execution]
+description = Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\perl.exe" OR OriginalFileName="perl.exe" CommandLine="* -e*" | fields - _raw | collect index=notable_events source="Perl Inline Command Execution" marker="guid=f426547a-e0f7-441a-b63e-854ac5bdf54d,tags=attack.execution,tags=attack.t1059,"
+[User Discovery And Export Via Get-ADUser Cmdlet]
+description = Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine="*Get-ADUser *" CommandLine="* -Filter \**" CommandLine IN ("* > *", "* | Select *", "*Out-File*", "*Set-Content*", "*Add-Content*") | fields - _raw | collect index=notable_events source="User Discovery And Export Via Get-ADUser Cmdlet" marker="guid=1114e048-b69c-4f41-bc20-657245ae6e3f,tags=attack.discovery,tags=attack.t1033,"
+[Uncommon One Time Only Scheduled Task At 00:00]
+description = Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe*" OR OriginalFileName="schtasks.exe" CommandLine IN ("*wscript*", "*vbscript*", "*cscript*", "*wmic *", "*wmic.exe*", "*regsvr32.exe*", "*powershell*", "*\\AppData\\*") CommandLine="*once*" CommandLine="*00:00*" | fields - _raw | collect index=notable_events source="Uncommon One Time Only Scheduled Task At 00:00" marker="guid=970823b7-273b-460a-8afc-3a6811998529,tags=attack.execution,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1053.005,"
+[Exchange PowerShell Snap-Ins Usage]
+description = Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine="*Add-PSSnapin*" CommandLine IN ("*Microsoft.Exchange.Powershell.Snapin*", "*Microsoft.Exchange.Management.PowerShell.SnapIn*") NOT (ParentImage="C:\\Windows\\System32\\msiexec.exe" CommandLine="*$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null*") | fields - _raw | collect index=notable_events source="Exchange PowerShell Snap-Ins Usage" marker="guid=25676e10-2121-446e-80a4-71ff8506af47,tags=attack.execution,tags=attack.t1059.001,tags=attack.collection,tags=attack.t1114,"
+[HackTool - EDRSilencer Execution]
+description = Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\EDRSilencer.exe" OR OriginalFileName="EDRSilencer.exe" OR Description="*EDRSilencer*" | fields - _raw | collect index=notable_events source="HackTool - EDRSilencer Execution" marker="guid=eb2d07d4-49cb-4523-801a-da002df36602,tags=attack.defense-evasion,tags=attack.t1562,"
+[HackTool - Stracciatella Execution]
+description = Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Stracciatella.exe" OR OriginalFileName="Stracciatella.exe" OR Description="Stracciatella" OR Hashes IN ("*SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956*", "*SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a*") OR sha256 IN ("9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956", "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a") | fields - _raw | collect index=notable_events source="HackTool - Stracciatella Execution" marker="guid=7a4d9232-92fc-404d-8ce1-4c92e7caf539,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1059,tags=attack.t1562.001,"
+[Disabled IE Security Features]
+description = Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="* -name IEHarden *" CommandLine="* -value 0 *") OR (CommandLine="* -name DEPOff *" CommandLine="* -value 1 *") OR (CommandLine="* -name DisableFirstRunCustomize *" CommandLine="* -value 2 *") | fields - _raw | collect index=notable_events source="Disabled IE Security Features" marker="guid=fb50eb7a-5ab1-43ae-bcc9-091818cb8424,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Suspicious Windows Service Tampering]
+description = Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. 
As seen being used in some ransomware scripts
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("net.exe", "net1.exe", "PowerShell.EXE", "psservice.exe", "pwsh.dll", "sc.exe") OR Image IN ("*\\net.exe", "*\\net1.exe", "*\\powershell.exe", "*\\PsService.exe", "*\\PsService64.exe", "*\\pwsh.exe", "*\\sc.exe") CommandLine IN ("* delete *", "* pause *", "* stop *", "*Stop-Service *", "*Remove-Service *") OR (CommandLine="*config*" CommandLine="*start=disabled*") CommandLine IN ("*143Svc*", "*Acronis VSS Provider*", "*AcronisAgent*", "*AcrSch2Svc*", "*AdobeARMservice*", "*AHS Service*", "*Antivirus*", "*Apache4*", "*ARSM*", "*aswBcc*", "*AteraAgent*", "*Avast Business Console Client Antivirus Service*", "*avast! Antivirus*", "*AVG Antivirus*", "*avgAdminClient*", "*AvgAdminServer*", "*AVP1*", "*BackupExec*", "*bedbg*", "*BITS*", "*BrokerInfrastructure*", "*CASLicenceServer*", "*CASWebServer*", "*Client Agent 7.60*", "*Core Browsing Protection*", "*Core Mail Protection*", "*Core Scanning Server*", "*DCAgent*", "*dwmrcs*", "*EhttpSr*", "*ekrn*", "*Enterprise Client Service*", "*epag*", "*EPIntegrationService*", "*EPProtectedService*", "*EPRedline*", "*EPSecurityService*", "*EPUpdateService*", "*EraserSvc11710*", "*EsgShKernel*", "*ESHASRV*", "*FA_Scheduler*", "*FirebirdGuardianDefaultInstance*", "*FirebirdServerDefaultInstance*", "*FontCache3.0.0.0*", "*HealthTLService*", "*hmpalertsvc*", "*HMS*", "*HostControllerService*", "*hvdsvc*", "*IAStorDataMgrSvc*", "*IBMHPS*", "*ibmspsvc*", "*IISAdmin*", "*IMANSVC*", "*IMAP4Svc*", "*instance2*", "*KAVFS*", "*KAVFSGT*", "*kavfsslp*", "*KeyIso*", "*klbackupdisk*", "*klbackupflt*", "*klflt*", "*klhk*", "*KLIF*", "*klim6*", "*klkbdflt*", "*klmouflt*", "*klnagent*", "*klpd*", "*kltap*", "*KSDE1.0.0*", "*LogProcessorService*", "*M8EndpointAgent*", "*macmnsvc*", "*masvc*", "*MBAMService*", "*MBCloudEA*", "*MBEndpointAgent*", "*McAfeeDLPAgentService*", 
"*McAfeeEngineService*", "*MCAFEEEVENTPARSERSRV*", "*McAfeeFramework*", "*MCAFEETOMCATSRV530*", "*McShield*", "*McTaskManager*", "*mfefire*", "*mfemms*", "*mfevto*", "*mfevtp*", "*mfewc*", "*MMS*", "*mozyprobackup*", "*MSComplianceAudit*", "*MSDTC*", "*MsDtsServer*", "*MSExchange*", "*msftesq1SPROO*", "*msftesql$PROD*", "*msftesql$SQLEXPRESS*", "*MSOLAP$SQL_2008*", "*MSOLAP$SYSTEM_BGC*", "*MSOLAP$TPS*", "*MSOLAP$TPSAMA*", "*MSOLAPSTPS*", "*MSOLAPSTPSAMA*", "*mssecflt*", "*MSSQ!I.SPROFXENGAGEMEHT*", "*MSSQ0SHAREPOINT*", "*MSSQ0SOPHOS*", "*MSSQL*", "*MSSQLFDLauncher$*", "*MySQL*", "*NanoServiceMain*", "*NetMsmqActivator*", "*NetPipeActivator*", "*netprofm*", "*NetTcpActivator*", "*NetTcpPortSharing*", "*ntrtscan*", "*nvspwmi*", "*ofcservice*", "*Online Protection System*", "*OracleClientCache80*", "*OracleDBConsole*", "*OracleMTSRecoveryService*", "*OracleOraDb11g_home1*", "*OracleService*", "*OracleVssWriter*", "*osppsvc*", "*PandaAetherAgent*", "*PccNTUpd*", "*PDVFSService*", "*POP3Svc*", "*postgresql-x64-9.4*", "*POVFSService*", "*PSUAService*", "*Quick Update Service*", "*RepairService*", "*ReportServer*", "*ReportServer$*", "*RESvc*", "*RpcEptMapper*", "*sacsvr*", "*SamSs*", "*SAVAdminService*", "*SAVService*", "*ScSecSvc*", "*SDRSVC*", "*SearchExchangeTracing*", "*sense*", "*SentinelAgent*", "*SentinelHelperService*", "*SepMasterService*", "*ShMonitor*", "*Smcinst*", "*SmcService*", "*SMTPSvc*", "*SNAC*", "*SntpService*", "*Sophos*", "*SQ1SafeOLRService*", "*SQL Backups*", "*SQL Server*", "*SQLAgent*", "*SQLANYs_Sage_FAS_Fixed_Assets*", "*SQLBrowser*", "*SQLsafe*", "*SQLSERVERAGENT*", "*SQLTELEMETRY*", "*SQLWriter*", "*SSISTELEMETRY130*", "*SstpSvc*", "*storflt*", "*svcGenericHost*", "*swc_service*", "*swi_filter*", "*swi_service*", "*swi_update*", "*Symantec*", "*TeamViewer*", "*Telemetryserver*", "*ThreatLockerService*", "*TMBMServer*", "*TmCCSF*", "*TmFilter*", "*TMiCRCScanService*", "*tmlisten*", "*TMLWCSService*", "*TmPfw*", "*TmPreFilter*", "*TmProxy*", 
"*TMSmartRelayService*", "*tmusa*", "*Tomcat*", "*Trend Micro Deep Security Manager*", "*TrueKey*", "*UFNet*", "*UI0Detect*", "*UniFi*", "*UTODetect*", "*vds*", "*Veeam*", "*VeeamDeploySvc*", "*Veritas System Recovery*", "*vmic*", "*VMTools*", "*vmvss*", "*VSApiNt*", "*VSS*", "*W3Svc*", "*wbengine*", "*WdNisSvc*", "*WeanClOudSve*", "*Weems JY*", "*WinDefend*", "*wmms*", "*wozyprobackup*", "*WPFFontCache_v0400*", "*WRSVC*", "*wsbexchange*", "*Zoolz 2 Service*") | fields - _raw | collect index=notable_events source="Suspicious Windows Service Tampering" marker="guid=ce72ef99-22f1-43d4-8695-419dcb5d9330,tags=attack.defense-evasion,tags=attack.t1489," +[Sdiagnhost Calling Suspicious Child Process] +description = Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\sdiagnhost.exe" Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\cmd.exe", "*\\mshta.exe", "*\\cscript.exe", "*\\wscript.exe", "*\\taskkill.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\calc.exe") | fields - _raw | collect index=notable_events source="Sdiagnhost Calling Suspicious Child Process" marker="guid=f3d39c45-de1a-4486-a687-ab126124f744,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1218," +[Suspicious MsiExec Embedding Parent] +description = Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\cmd.exe") ParentCommandLine="*MsiExec.exe*" ParentCommandLine="*-Embedding *" NOT ((Image="*:\\Windows\\System32\\cmd.exe" CommandLine="*C:\\Program Files\\SplunkUniversalForwarder\\bin\\*") OR CommandLine="*\\DismFoDInstall.cmd*" OR (ParentCommandLine="*\\MsiExec.exe -Embedding *" ParentCommandLine="*Global\\MSI0000*")) | fields - _raw | collect 
index=notable_events source="Suspicious MsiExec Embedding Parent" marker="guid=4a2a2c3e-209f-4d01-b513-4155a540b469,tags=attack.t1218.007,tags=attack.defense-evasion," +[Potential DLL Sideloading Via DeviceEnroller.EXE] +description = Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\deviceenroller.exe" OR OriginalFileName="deviceenroller.exe" CommandLine="*/PhoneDeepLink*" | fields - _raw | collect index=notable_events source="Potential DLL Sideloading Via DeviceEnroller.EXE" marker="guid=e173ad47-4388-4012-ae62-bd13f71c18a8,tags=attack.defense-evasion,tags=attack.t1574.002," +[Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE] +description = Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" (CommandLine="*firewall*" CommandLine="*add*" CommandLine="*allowedprogram*") OR (CommandLine="*advfirewall*" CommandLine="*firewall*" CommandLine="*add*" CommandLine="*rule*" CommandLine="*action=allow*" CommandLine="*program=*") CommandLine IN ("*:\\$Recycle.bin\\*", "*:\\RECYCLER.BIN\\*", "*:\\RECYCLERS.BIN\\*", "*:\\SystemVolumeInformation\\*", "*:\\Temp\\*", "*:\\Users\\Default\\*", "*:\\Users\\Desktop\\*", "*:\\Users\\Public\\*", "*:\\Windows\\addins\\*", "*:\\Windows\\cursors\\*", "*:\\Windows\\debug\\*", "*:\\Windows\\drivers\\*", "*:\\Windows\\fonts\\*", "*:\\Windows\\help\\*", "*:\\Windows\\system32\\tasks\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*\\Downloads\\*", "*\\Local Settings\\Temporary Internet 
Files\\*", "*\\Temporary Internet Files\\Content.Outlook\\*", "*%Public%\\*", "*%TEMP%*", "*%TMP%*") | fields - _raw | collect index=notable_events source="Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE" marker="guid=a35f5a72-f347-4e36-8895-9869b0d5fc6d,tags=attack.defense-evasion,tags=attack.t1562.004," +[Mshtml.DLL RunHTMLApplication Suspicious Usage] +description = Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\..\\*" CommandLine="*mshtml*" CommandLine IN ("*#135*", "*RunHTMLApplication*") | fields - _raw | collect index=notable_events source="Mshtml.DLL RunHTMLApplication Suspicious Usage" marker="guid=4782eb5a-a513-4523-a0ac-f3082b26ac5c,tags=attack.defense-evasion,tags=attack.execution," +[Pubprn.vbs Proxy Execution] +description = Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\pubprn.vbs*" CommandLine="*script:*" | fields - _raw | collect index=notable_events source="Pubprn.vbs Proxy Execution" marker="guid=1fb76ab8-fa60-4b01-bddd-71e89bf555da,tags=attack.defense-evasion,tags=attack.t1216.001," +[Discovery of a System Time] +description = Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image IN ("*\\net.exe", "*\\net1.exe") CommandLine="*time*") OR (Image="*\\w32tm.exe" CommandLine="*tz*") | fields - _raw | collect index=notable_events source="Discovery of a System Time" marker="guid=b243b280-65fe-48df-ba07-6ddea7646427,tags=attack.discovery,tags=attack.t1124," +[Finger.EXE Execution] +description = Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="finger.exe" OR Image="*\\finger.exe" | fields - _raw | collect index=notable_events source="Finger.EXE Execution" marker="guid=af491bca-e752-4b44-9c86-df5680533dbc,tags=attack.command-and-control,tags=attack.t1105," +[Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)] +description = Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ntdsutil.exe" | fields - _raw | collect index=notable_events source="Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" marker="guid=2afafd61-6aae-4df4-baed-139fa1f4c345,tags=attack.credential-access,tags=attack.t1003.003," +[Findstr Launching .lnk File] +description = Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack +search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\find.exe", "*\\findstr.exe") OR OriginalFileName IN ("FIND.EXE", "FINDSTR.EXE") CommandLine IN ("*.lnk", "*.lnk\"", "*.lnk'") | fields - _raw | collect index=notable_events source="Findstr Launching .lnk File" marker="guid=33339be3-148b-4e16-af56-ad16ec6c7e7b,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1202,tags=attack.t1027.003," +[Add SafeBoot Keys Via Reg Utility] +description = Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine="*\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot*" CommandLine IN ("* copy *", "* add *") | fields - _raw | collect index=notable_events source="Add SafeBoot Keys Via Reg Utility" marker="guid=d7662ff6-9e97-4596-a61d-9839e32dee8d,tags=attack.defense-evasion,tags=attack.t1562.001," +[Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension] +description = Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\Regsvcs.exe", "*\\Regasm.exe") OR OriginalFileName IN ("RegSvcs.exe", "RegAsm.exe") CommandLine IN ("*.dat*", "*.gif*", "*.jpeg*", "*.jpg*", "*.png*", "*.txt*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension" marker="guid=e9f8f8cc-07cc-4e81-b724-f387db9175e4,tags=attack.defense-evasion,tags=attack.t1218.009," +[SyncAppvPublishingServer Execute Arbitrary PowerShell Code] +description = Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SyncAppvPublishingServer.exe" OR OriginalFileName="syncappvpublishingserver.exe" CommandLine="*\"n; *" | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="SyncAppvPublishingServer Execute Arbitrary PowerShell Code" marker="guid=fbd7c32d-db2a-4418-b92c-566eb8911133,tags=attack.defense-evasion,tags=attack.t1218," +[Psexec Execution] +description = Detects user accept agreement execution in psexec commandline +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\psexec.exe" OR OriginalFileName="psexec.c" | fields - _raw | collect index=notable_events source="Psexec Execution" marker="guid=730fc21b-eaff-474b-ad23-90fd265d4988,tags=attack.execution,tags=attack.t1569,tags=attack.t1021," +[Suspicious Child Process of AspNetCompiler] +description = Detects potentially suspicious child processes of "aspnet_compiler.exe". 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\aspnet_compiler.exe" Image IN ("*\\calc.exe", "*\\notepad.exe") OR Image IN ("*\\Users\\Public\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Local\\Roaming\\*", "*:\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\Windows\\System32\\Tasks\\*", "*:\\Windows\\Tasks\\*") | fields - _raw | collect index=notable_events source="Suspicious Child Process of AspNetCompiler" marker="guid=9ccba514-7cb6-4c5c-b377-700758f2f120,tags=attack.defense-evasion,tags=attack.t1127," +[Windows Defender Definition Files Removed] +description = Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\MpCmdRun.exe" OR OriginalFileName="MpCmdRun.exe" CommandLine="* -RemoveDefinitions*" CommandLine="* -All*" | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Windows Defender Definition Files Removed" marker="guid=9719a8aa-401c-41af-8108-ced7ec9cd75c,tags=attack.defense-evasion,tags=attack.t1562.001," +[Renamed Microsoft Teams Execution] +description = Detects the execution of a renamed Microsoft Teams binary. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("msteams.exe", "teams.exe") NOT (Image IN ("*\\msteams.exe", "*\\teams.exe")) | fields - _raw | collect index=notable_events source="Renamed Microsoft Teams Execution" marker="guid=88f46b67-14d4-4f45-ac2c-d66984f22191,tags=attack.defense-evasion," +[Windows Firewall Disabled via PowerShell] +description = Detects attempts to disable the Windows Firewall using PowerShell +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\powershell_ise.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine="*Set-NetFirewallProfile *" CommandLine="* -Enabled *" CommandLine="* False*" CommandLine IN ("* -All *", "*Public*", "*Domain*", "*Private*") | fields - _raw | collect index=notable_events source="Windows Firewall Disabled via PowerShell" marker="guid=12f6b752-042d-483e-bf9c-915a6d06ad75,tags=attack.defense-evasion,tags=attack.t1562," +[Shell32 DLL Execution in Suspicious Directory] +description = Detects shell32.dll executing a DLL in a suspicious directory +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*shell32.dll*" CommandLine="*Control_RunDLL*" CommandLine IN ("*%AppData%*", "*%LocalAppData%*", "*%Temp%*", "*%tmp%*", "*\\AppData\\*", "*\\Temp\\*", "*\\Users\\Public\\*") | fields - _raw | collect index=notable_events source="Shell32 DLL Execution in Suspicious Directory" marker="guid=32b96012-7892-429e-b26c-ac2bf46066ff,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218.011," +[Potential Arbitrary File Download Via Cmdl32.EXE] +description = Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. 
Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmdl32.exe" OR OriginalFileName="CMDL32.EXE" CommandLine="*/vpn*" CommandLine="*/lan*" | fields - _raw | collect index=notable_events source="Potential Arbitrary File Download Via Cmdl32.EXE" marker="guid=f37aba28-a9e6-4045-882c-d5004043b337,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1202," +[Uncommon FileSystem Load Attempt By Format.com] +description = Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\format.com" CommandLine="*/fs:*" NOT (CommandLine IN ("*/fs:exFAT*", "*/fs:FAT*", "*/fs:NTFS*", "*/fs:ReFS*", "*/fs:UDF*")) | fields - _raw | collect index=notable_events source="Uncommon FileSystem Load Attempt By Format.com" marker="guid=9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60,tags=attack.defense-evasion," +[HackTool - Potential Impacket Lateral Movement Activity] +description = Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (ParentImage IN ("*\\wmiprvse.exe", "*\\mmc.exe", "*\\explorer.exe", "*\\services.exe") CommandLine="*cmd.exe*" CommandLine="*/Q*" CommandLine="*/c*" CommandLine="*\\\\127.0.0.1\\*" CommandLine="*&1*") OR (ParentCommandLine IN ("*svchost.exe -k netsvcs*", "*taskeng.exe*") CommandLine="*cmd.exe*" CommandLine="*/C*" CommandLine="*Windows\\Temp\\*" CommandLine="*&1*") | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="HackTool - Potential Impacket Lateral Movement Activity" 
marker="guid=10c14723-61c7-4c75-92ca-9af245723ad2,tags=attack.execution,tags=attack.t1047,tags=attack.lateral-movement,tags=attack.t1021.003," +[Audio Capture via PowerShell] +description = Detects audio capture via PowerShell Cmdlet. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*WindowsAudioDevice-Powershell-Cmdlet*", "*Toggle-AudioDevice*", "*Get-AudioDevice *", "*Set-AudioDevice *", "*Write-AudioDevice *") | fields - _raw | collect index=notable_events source="Audio Capture via PowerShell" marker="guid=932fb0d8-692b-4b0f-a26e-5643a50fe7d6,tags=attack.collection,tags=attack.t1123," +[Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE] +description = Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" CommandLine IN ("*SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths*", "*SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths*") CommandLine="*ADD *" CommandLine="*/t *" CommandLine="*REG_DWORD *" CommandLine="*/v *" CommandLine="*/d *" CommandLine="*0*" | fields - _raw | collect index=notable_events source="Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" marker="guid=48917adc-a28e-4f5d-b729-11e75da8941f,tags=attack.defense-evasion,tags=attack.t1562.001," +[Hacktool Execution - Imphash] +description = Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Imphash IN ("bcca3c247b619dcd13c8cdff5f123932", "3a19059bd7688cb88e70005f18efc439", "bf6223a49e45d99094406777eb6004ba", "23867a89c2b8fc733be6cf5ef902f2d1", "a37ff327f8d48e8a4d2f757e1b6e70bc", 
"f9a28c458284584a93b14216308d31bd", "6118619783fc175bc7ebecff0769b46e", "959a83047e80ab68b368fdb3f4c6e4ea", "563233bfa169acc7892451f71ad5850a", "87575cb7a0e0700eb37f2e3668671a08", "13f08707f759af6003837a150a371ba1", "1781f06048a7e58b323f0b9259be798b", "233f85f2d4bc9d6521a6caae11a1e7f5", "24af2584cbf4d60bbe5c6d1b31b3be6d", "632969ddf6dbf4e0f53424b75e4b91f2", "713c29b396b907ed71a72482759ed757", "749a7bb1f0b4c4455949c0b2bf7f9e9f", "8628b2608957a6b0c6330ac3de28ce2e", "8b114550386e31895dfab371e741123d", "94cb940a1a6b65bed4d5a8f849ce9793", "9d68781980370e00e0bd939ee5e6c141", "b18a1401ff8f444056d29450fbc0a6ce", "cb567f9498452721d77a451374955f5f", "730073214094cd328547bf1f72289752", "17b461a082950fc6332228572138b80c", "dc25ee78e2ef4d36faa0badf1e7461c9", "819b19d53ca6736448f9325a85736792", "829da329ce140d873b4a8bde2cbfaa7e", "c547f2e66061a8dffb6f5a3ff63c0a74", "0588081ab0e63ba785938467e1b10cca", "0d9ec08bac6c07d9987dfd0f1506587c", "bc129092b71c89b4d4c8cdf8ea590b29", "4da924cf622d039d58bce71cdf05d242", "e7a3a5c377e2d29324093377d7db1c66", "9a9dbec5c62f0380b4fa5fd31deffedf", "af8a3976ad71e5d5fdfb67ddb8dadfce", "0c477898bbf137bbd6f2a54e3b805ff4", "0ca9f02b537bcea20d4ea5eb1a9fe338", "3ab3655e5a14d4eefc547f4781bf7f9e", "e6f9d5152da699934b30daab206471f6", "3ad59991ccf1d67339b319b15a41b35d", "ffdd59e0318b85a3e480874d9796d872", "0cf479628d7cc1ea25ec7998a92f5051", "07a2d4dcbd6cb2c6a45e6b101f0b6d51", "d6d0f80386e1380d05cb78e871bc72b1", "38d9e015591bbfd4929e0d0f47fa0055", "0e2216679ca6e1094d63322e3412d650", "ada161bf41b8e5e9132858cb54cab5fb", "2a1bc4913cd5ecb0434df07cb675b798", "11083e75553baae21dc89ce8f9a195e4", "a23d29c9e566f2fa8ffbb79267f5df80", "4a07f944a83e8a7c2525efa35dd30e2f", "767637c23bb42cd5d7397cf58b0be688", "14c4e4c72ba075e9069ee67f39188ad8", "3c782813d4afce07bbfc5a9772acdbdc", "7d010c6bb6a3726f327f7e239166d127", "89159ba4dd04e4ce5559f132a9964eb3", "6f33f4a5fc42b8cec7314947bd13f30f", "5834ed4291bdeb928270428ebbaf7604", "5a8a8a43f25485e7ee1b201edcbc7a38", 
"dc7d30b90b2d8abf664fbed2b1b59894", "41923ea1f824fe63ea5beb84db7a3e74", "3de09703c8e79ed2ca3f01074719906b", "a53a02b997935fd8eedcb5f7abab9b9f", "e96a73c7bf33a464c510ede582318bf2", "32089b8851bbf8bc2d014e9f37288c83", "09D278F9DE118EF09163C6140255C690", "03866661686829d806989e2fc5a72606", "e57401fbdadcd4571ff385ab82bd5d6d", "84B763C45C0E4A3E7CA5548C710DB4EE", "19584675d94829987952432e018d5056", "330768a4f172e10acb6287b87289d83b", "885c99ccfbe77d1cbfcb9c4e7c1a3313", "22a22bc9e4e0d2f189f1ea01748816ac", "7fa30e6bb7e8e8a69155636e50bf1b28", "96df3a3731912449521f6f8d183279b1", "7e6cf3ff4576581271ac8a313b2aab46", "51791678f351c03a0eb4e2a7b05c6e17", "25ce42b079282632708fc846129e98a5", "021bcca20ba3381b11bdde26b4e62f20", "59223b5f52d8799d38e0754855cbdf42", "81e75d8f1d276c156653d3d8813e4a43", "17244e8b6b8227e57fe709ccad421420", "5b76da3acdedc8a5cdf23a798b5936b4", "cb2b65bb77d995cc1c0e5df1c860133c", "40445337761d80cf465136fafb1f63e6", "8a790f401b29fa87bc1e56f7272b3aa6", "b50199e952c875241b9ce06c971ce3c1") OR Hashes IN ("*IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932*", "*IMPHASH=3A19059BD7688CB88E70005F18EFC439*", "*IMPHASH=bf6223a49e45d99094406777eb6004ba*", "*IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1*", "*IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC*", "*IMPHASH=F9A28C458284584A93B14216308D31BD*", "*IMPHASH=6118619783FC175BC7EBECFF0769B46E*", "*IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA*", "*IMPHASH=563233BFA169ACC7892451F71AD5850A*", "*IMPHASH=87575CB7A0E0700EB37F2E3668671A08*", "*IMPHASH=13F08707F759AF6003837A150A371BA1*", "*IMPHASH=1781F06048A7E58B323F0B9259BE798B*", "*IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5*", "*IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D*", "*IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2*", "*IMPHASH=713C29B396B907ED71A72482759ED757*", "*IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F*", "*IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E*", "*IMPHASH=8B114550386E31895DFAB371E741123D*", "*IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793*", "*IMPHASH=9D68781980370E00E0BD939EE5E6C141*", 
"*IMPHASH=B18A1401FF8F444056D29450FBC0A6CE*", "*IMPHASH=CB567F9498452721D77A451374955F5F*", "*IMPHASH=730073214094CD328547BF1F72289752*", "*IMPHASH=17B461A082950FC6332228572138B80C*", "*IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9*", "*IMPHASH=819B19D53CA6736448F9325A85736792*", "*IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E*", "*IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74*", "*IMPHASH=0588081AB0E63BA785938467E1B10CCA*", "*IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C*", "*IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29*", "*IMPHASH=4DA924CF622D039D58BCE71CDF05D242*", "*IMPHASH=E7A3A5C377E2D29324093377D7DB1C66*", "*IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF*", "*IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE*", "*IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4*", "*IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338*", "*IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E*", "*IMPHASH=E6F9D5152DA699934B30DAAB206471F6*", "*IMPHASH=3AD59991CCF1D67339B319B15A41B35D*", "*IMPHASH=FFDD59E0318B85A3E480874D9796D872*", "*IMPHASH=0CF479628D7CC1EA25EC7998A92F5051*", "*IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51*", "*IMPHASH=D6D0F80386E1380D05CB78E871BC72B1*", "*IMPHASH=38D9E015591BBFD4929E0D0F47FA0055*", "*IMPHASH=0E2216679CA6E1094D63322E3412D650*", "*IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB*", "*IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798*", "*IMPHASH=11083E75553BAAE21DC89CE8F9A195E4*", "*IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80*", "*IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F*", "*IMPHASH=767637C23BB42CD5D7397CF58B0BE688*", "*IMPHASH=14C4E4C72BA075E9069EE67F39188AD8*", "*IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC*", "*IMPHASH=7D010C6BB6A3726F327F7E239166D127*", "*IMPHASH=89159BA4DD04E4CE5559F132A9964EB3*", "*IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F*", "*IMPHASH=5834ED4291BDEB928270428EBBAF7604*", "*IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38*", "*IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894*", "*IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74*", "*IMPHASH=3DE09703C8E79ED2CA3F01074719906B*", "*IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F*", 
"*IMPHASH=E96A73C7BF33A464C510EDE582318BF2*", "*IMPHASH=32089B8851BBF8BC2D014E9F37288C83*", "*IMPHASH=09D278F9DE118EF09163C6140255C690*", "*IMPHASH=03866661686829d806989e2fc5a72606*", "*IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d*", "*IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE*", "*IMPHASH=19584675D94829987952432E018D5056*", "*IMPHASH=330768A4F172E10ACB6287B87289D83B*", "*IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313*", "*IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC*", "*IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28*", "*IMPHASH=96DF3A3731912449521F6F8D183279B1*", "*IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46*", "*IMPHASH=51791678F351C03A0EB4E2A7B05C6E17*", "*IMPHASH=25CE42B079282632708FC846129E98A5*", "*IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20*", "*IMPHASH=59223B5F52D8799D38E0754855CBDF42*", "*IMPHASH=81E75D8F1D276C156653D3D8813E4A43*", "*IMPHASH=17244E8B6B8227E57FE709CCAD421420*", "*IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4*", "*IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C*", "*IMPHASH=40445337761D80CF465136FAFB1F63E6*", "*IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6*", "*IMPHASH=B50199E952C875241B9CE06C971CE3C1*") | fields - _raw | collect index=notable_events source="Hacktool Execution - Imphash" marker="guid=24e3e58a-646b-4b50-adef-02ef935b9fc8,tags=attack.credential-access,tags=attack.t1588.002,tags=attack.t1003," +[Suspicious Execution of Hostname] +description = Use of hostname to get information +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\HOSTNAME.EXE" | fields - _raw | collect index=notable_events source="Suspicious Execution of Hostname" marker="guid=7be5fb68-f9ef-476d-8b51-0256ebece19e,tags=attack.discovery,tags=attack.t1082," +[HackTool - Hydra Password Bruteforce Execution] +description = Detects command line parameters used by Hydra password guessing hack tool +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*-u *" CommandLine="*-p *" CommandLine IN 
("*^USER^*", "*^PASS^*") | fields - _raw | collect index=notable_events source="HackTool - Hydra Password Bruteforce Execution" marker="guid=aaafa146-074c-11eb-adc1-0242ac120002,tags=attack.credential-access,tags=attack.t1110,tags=attack.t1110.001," +[PowerShell Base64 Encoded WMI Classes] +description = Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ*", "*cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA*", "*XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A*", "*V2luMzJfU2hhZG93Y29we*", "*dpbjMyX1NoYWRvd2NvcH*", "*XaW4zMl9TaGFkb3djb3B5*") OR CommandLine IN ("*VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA*", "*cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA*", "*XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg*", "*V2luMzJfU2NoZWR1bGVkSm9i*", "*dpbjMyX1NjaGVkdWxlZEpvY*", "*XaW4zMl9TY2hlZHVsZWRKb2*") OR CommandLine IN ("*VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw*", "*cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA*", "*XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA*", "*V2luMzJfUHJvY2Vzc*", "*dpbjMyX1Byb2Nlc3*", "*XaW4zMl9Qcm9jZXNz*") OR CommandLine IN ("*VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A*", "*cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA*", "*XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA*", "*V2luMzJfVXNlckFjY291bn*", "*dpbjMyX1VzZXJBY2NvdW50*", "*XaW4zMl9Vc2VyQWNjb3Vud*") OR CommandLine IN ("*VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA*", "*cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA*", "*XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg*", "*V2luMzJfTG9nZ2VkT25Vc2Vy*", "*dpbjMyX0xvZ2dlZE9uVXNlc*", "*XaW4zMl9Mb2dnZWRPblVzZX*") | fields - _raw | collect index=notable_events source="PowerShell Base64 Encoded WMI Classes" 
marker="guid=1816994b-42e1-4fb1-afd2-134d88184f71,tags=attack.execution,tags=attack.t1059.001,tags=attack.defense-evasion,tags=attack.t1027," +[User Added To Highly Privileged Group] +description = Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember". +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*localgroup *" CommandLine="* /add*") OR (CommandLine="*Add-LocalGroupMember *" CommandLine="* -Group *") CommandLine IN ("*Group Policy Creator Owners*", "*Schema Admins*") | fields - _raw | collect index=notable_events source="User Added To Highly Privileged Group" marker="guid=10fb649c-3600-4d37-b1e6-56ea90bb7e09,tags=attack.persistence,tags=attack.t1098," +[Potential Tampering With RDP Related Registry Keys Via Reg.EXE] +description = Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine="* add *" CommandLine="*\\CurrentControlSet\\Control\\Terminal Server*" CommandLine="*REG_DWORD*" CommandLine="* /f*" (CommandLine="*Licensing Core*" CommandLine="*EnableConcurrentSessions*") OR CommandLine IN ("*WinStations\\RDP-Tcp*", "*MaxInstanceCount*", "*fEnableWinStation*", "*TSUserEnabled*", "*TSEnabled*", "*TSAppCompat*", "*IdleWinStationPoolCount*", "*TSAdvertise*", "*AllowTSConnections*", "*fSingleSessionPerUser*", "*fDenyTSConnections*") | fields - _raw | collect index=notable_events source="Potential Tampering With RDP Related Registry Keys Via Reg.EXE" marker="guid=0d5675be-bc88-4172-86d3-1e96a4476536,tags=attack.defense-evasion,tags=attack.lateral-movement,tags=attack.t1021.001,tags=attack.t1112," +[Lolbin Unregmp2.exe Use As Proxy] +description = Detect usage of the "unregmp2.exe" binary as a proxy to 
launch a custom version of "wmpnscfg.exe" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\unregmp2.exe" OR OriginalFileName="unregmp2.exe" CommandLine="* -HideWMP*" OR CommandLine="* /HideWMP*" OR CommandLine="* –HideWMP*" OR CommandLine="* —HideWMP*" OR CommandLine="* ―HideWMP*" | fields - _raw | collect index=notable_events source="Lolbin Unregmp2.exe Use As Proxy" marker="guid=727454c0-d851-48b0-8b89-385611ab0704,tags=attack.defense-evasion,tags=attack.t1218," +[Potential Meterpreter/CobaltStrike Activity] +description = Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\services.exe" (CommandLine="*/c*" CommandLine="*echo*" CommandLine="*\\pipe\\*" CommandLine IN ("*cmd*", "*%COMSPEC%*")) OR (CommandLine="*rundll32*" CommandLine="*.dll,a*" CommandLine="*/p:*") NOT CommandLine="*MpCmdRun*" | table ComputerName,User,CommandLine | fields - _raw | collect index=notable_events source="Potential Meterpreter/CobaltStrike Activity" marker="guid=15619216-e993-4721-b590-4c520615a67d,tags=attack.privilege-escalation,tags=attack.t1134.001,tags=attack.t1134.002," +[Suspicious Encoded PowerShell Command Line] +description = Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") (CommandLine="* -e*" CommandLine IN ("* JAB*", "* SUVYI*", "* SQBFAFgA*", "* aQBlAHgA*", "* aWV4I*", "* IAA*", "* IAB*", "* UwB*", "* cwB*")) OR CommandLine IN ("*.exe -ENCOD *", "* BA^J e-*") NOT CommandLine="* -ExecutionPolicy remotesigned *" | fields - _raw | collect index=notable_events source="Suspicious Encoded PowerShell Command Line" marker="guid=ca2092a1-c273-4878-9b4b-0d60115bf5ea,tags=attack.execution,tags=attack.t1059.001," +[Security Service Disabled Via Reg.EXE] +description = Detects execution of "reg.exe" to disable security services such as Windows Defender. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*reg*" CommandLine="*add*" CommandLine="*d 4*" CommandLine="*v Start*" CommandLine IN ("*\\AppIDSvc*", "*\\MsMpSvc*", "*\\NisSrv*", "*\\SecurityHealthService*", "*\\Sense*", "*\\UsoSvc*", "*\\WdBoot*", "*\\WdFilter*", "*\\WdNisDrv*", "*\\WdNisSvc*", "*\\WinDefend*", "*\\wscsvc*", "*\\wuauserv*") | fields - _raw | collect index=notable_events source="Security Service Disabled Via Reg.EXE" marker="guid=5e95028c-5229-4214-afae-d653d573d0ec,tags=attack.defense-evasion,tags=attack.t1562.001," +[Potential Process Execution Proxy Via CL_Invocation.ps1] +description = Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*SyncInvoke *" | fields - _raw | collect index=notable_events source="Potential Process Execution Proxy Via CL_Invocation.ps1" marker="guid=a0459f02-ac51-4c09-b511-b8c9203fc429,tags=attack.defense-evasion,tags=attack.t1216," +[Potential Arbitrary File Download Using Office 
Application] +description = Detects potential arbitrary file download using a Microsoft Office application +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\EXCEL.EXE", "*\\POWERPNT.EXE", "*\\WINWORD.exe") OR OriginalFileName IN ("Excel.exe", "POWERPNT.EXE", "WinWord.exe") CommandLine IN ("*http://*", "*https://*") | fields - _raw | collect index=notable_events source="Potential Arbitrary File Download Using Office Application" marker="guid=4ae3e30b-b03f-43aa-87e3-b622f4048eed,tags=attack.defense-evasion,tags=attack.t1202," +[Potentially Suspicious Ping/Copy Command Combination] +description = Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine="*ping*" CommandLine="*copy *" CommandLine="* -n *" OR CommandLine="* /n *" OR CommandLine="* –n *" OR CommandLine="* —n *" OR CommandLine="* ―n *" CommandLine="* -y *" OR CommandLine="* /y *" OR CommandLine="* –y *" OR CommandLine="* —y *" OR CommandLine="* ―y *" | fields - _raw | collect index=notable_events source="Potentially Suspicious Ping/Copy Command Combination" marker="guid=ded2b07a-d12f-4284-9b76-653e37b6c8b0,tags=attack.defense-evasion,tags=attack.t1070.004," +[Suspicious Process Masquerading As SvcHost.EXE] +description = Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\svchost.exe" NOT (Image IN ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe") OR OriginalFileName="svchost.exe") | fields - _raw | collect index=notable_events source="Suspicious Process Masquerading As SvcHost.EXE" marker="guid=be58d2e2-06c8-4f58-b666-b99f6dc3b6cd,tags=attack.defense-evasion,tags=attack.t1036.005," +[Execution of Suspicious File Type Extension] +description = Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 NOT (Image IN ("*.bin", "*.cgi", "*.com", "*.exe", "*.scr", "*.tmp")) NOT (Image IN ("System", "Registry", "MemCompression", "vmmem") OR Image="*:\\Windows\\Installer\\MSI*" OR Image="*:\\Windows\\System32\\DriverStore\\FileRepository\\*" OR (Image="*:\\Config.Msi\\*" Image IN ("*.rbf", "*.rbs")) OR ParentImage="*:\\Windows\\Temp\\*" OR Image="*:\\Windows\\Temp\\*" OR Image="*:\\$Extend\\$Deleted\\*" OR Image IN ("-", "") OR Image!=*) NOT (ParentImage="*:\\ProgramData\\Avira\\*" OR (Image="*NVIDIA\\NvBackend\\*" Image="*.dat") OR (Image IN ("*:\\Program Files (x86)\\WINPAKPRO\\*", "*:\\Program Files\\WINPAKPRO\\*") Image="*.ngn") OR Image IN ("*:\\Program Files (x86)\\MyQ\\Server\\pcltool.dll", "*:\\Program Files\\MyQ\\Server\\pcltool.dll") OR (Image="*\\AppData\\Local\\Packages\\*" Image="*\\LocalState\\rootfs\\*") OR Image="*\\LZMA_EXE" OR Image="*:\\Program Files\\Mozilla Firefox\\*" OR (ParentImage="C:\\Windows\\System32\\services.exe" Image="*com.docker.service")) | fields - _raw | collect index=notable_events source="Execution 
of Suspicious File Type Extension" marker="guid=c09dad97-1c78-4f71-b127-7edb2b8e491a,tags=attack.defense-evasion," +[Firewall Disabled via Netsh.EXE] +description = Detects netsh commands that turns off the Windows firewall +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" (CommandLine="*firewall*" CommandLine="*set*" CommandLine="*opmode*" CommandLine="*disable*") OR (CommandLine="*advfirewall*" CommandLine="*set*" CommandLine="*state*" CommandLine="*off*") | fields - _raw | collect index=notable_events source="Firewall Disabled via Netsh.EXE" marker="guid=57c4bf16-227f-4394-8ec7-1b745ee061c3,tags=attack.defense-evasion,tags=attack.t1562.004,tags=attack.s0108," +[Python Spawning Pretty TTY on Windows] +description = Detects python spawning a pretty tty +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*python.exe", "*python3.exe", "*python2.exe") (CommandLine="*import pty*" CommandLine="*.spawn(*") OR CommandLine="*from pty import spawn*" | fields - _raw | collect index=notable_events source="Python Spawning Pretty TTY on Windows" marker="guid=480e7e51-e797-47e3-8d72-ebfce65b6d8d,tags=attack.execution,tags=attack.t1059," +[Persistence Via Sticky Key Backdoor] +description = By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*copy *" CommandLine="*/y *" CommandLine="*C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe*" | fields - _raw | collect index=notable_events source="Persistence Via Sticky Key Backdoor" marker="guid=1070db9a-3e5d-412e-8e7b-7183b616e1b3,tags=attack.t1546.008,tags=attack.privilege-escalation," +[Arbitrary File Download Via GfxDownloadWrapper.EXE] +description = Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\GfxDownloadWrapper.exe" CommandLine IN ("*http://*", "*https://*") NOT CommandLine="*https://gameplayapi.intel.com/*" | fields - _raw | collect index=notable_events source="Arbitrary File Download Via GfxDownloadWrapper.EXE" marker="guid=eee00933-a761-4cd0-be70-c42fe91731e7,tags=attack.command-and-control,tags=attack.t1105," +[Windows Processes Suspicious Parent Directory] +description = Detect suspicious parent processes of well-known Windows processes +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\svchost.exe", "*\\taskhost.exe", "*\\lsm.exe", "*\\lsass.exe", "*\\services.exe", "*\\lsaiso.exe", "*\\csrss.exe", "*\\wininit.exe", "*\\winlogon.exe") NOT (ParentImage IN ("*\\SavService.exe", "*\\ngen.exe") OR ParentImage IN ("*\\System32\\*", "*\\SysWOW64\\*") OR (ParentImage IN ("*\\Windows Defender\\*", "*\\Microsoft Security Client\\*") ParentImage="*\\MsMpEng.exe") OR ParentImage!=* OR ParentImage="-") | fields - _raw | collect index=notable_events source="Windows Processes Suspicious Parent Directory" marker="guid=96036718-71cc-4027-a538-d1587e0006a7,tags=attack.defense-evasion,tags=attack.t1036.003,tags=attack.t1036.005," +[Changing Existing Service ImagePath Value Via Reg.EXE] +description = Adversaries may execute 
their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" CommandLine="*add *" CommandLine="*SYSTEM\\CurrentControlSet\\Services\\*" CommandLine="* ImagePath *" CommandLine="* -d *" OR CommandLine="* /d *" OR CommandLine="* –d *" OR CommandLine="* —d *" OR CommandLine="* ―d *" | fields - _raw | collect index=notable_events source="Changing Existing Service ImagePath Value Via Reg.EXE" marker="guid=9b0b7ac3-6223-47aa-a3fd-e8f211e637db,tags=attack.persistence,tags=attack.t1574.011," +[Potential Browser Data Stealing] +description = Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*copy-item*", "*copy *", "*cpi *", "* cp *", "*move *", "*move-item*", "* mi *", "* mv *") OR Image IN ("*\\xcopy.exe", "*\\robocopy.exe") OR OriginalFileName IN ("XCOPY.EXE", "robocopy.exe") CommandLine IN ("*\\Amigo\\User Data*", "*\\BraveSoftware\\Brave-Browser\\User Data*", "*\\CentBrowser\\User Data*", "*\\Chromium\\User Data*", "*\\CocCoc\\Browser\\User Data*", "*\\Comodo\\Dragon\\User Data*", "*\\Elements Browser\\User Data*", "*\\Epic Privacy Browser\\User Data*", "*\\Google\\Chrome Beta\\User Data*", "*\\Google\\Chrome SxS\\User Data*", "*\\Google\\Chrome\\User Data\\*", "*\\Kometa\\User Data*", "*\\Maxthon5\\Users*", "*\\Microsoft\\Edge\\User Data*", "*\\Mozilla\\Firefox\\Profiles*", "*\\Nichrome\\User Data*", "*\\Opera Software\\Opera GX Stable\\*", "*\\Opera Software\\Opera Neon\\User Data*", "*\\Opera Software\\Opera Stable\\*", "*\\Orbitum\\User Data*", "*\\QIP Surf\\User Data*", "*\\Sputnik\\User Data*", "*\\Torch\\User Data*", "*\\uCozMedia\\Uran\\User Data*", "*\\Vivaldi\\User Data*") | fields - _raw | collect index=notable_events source="Potential Browser Data Stealing" marker="guid=47147b5b-9e17-4d76-b8d2-7bac24c5ce1b,tags=attack.credential-access,tags=attack.t1555.003," +[PUA - AdFind Suspicious Execution] +description = Detects AdFind execution with common flags seen used during attacks +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*domainlist*", "*trustdmp*", "*dcmodes*", "*adinfo*", "* dclist *", "*computer_pwdnotreqd*", "*objectcategory=*", "*-subnets -f*", "*name=\"Domain Admins\"*", "*-sc u:*", "*domainncs*", "*dompol*", "* oudmp *", "*subnetdmp*", "*gpodmp*", "*fspdmp*", "*users_noexpire*", "*computers_active*", "*computers_pwdnotreqd*") | fields - _raw | collect index=notable_events source="PUA - AdFind Suspicious Execution" 
marker="guid=9a132afa-654e-11eb-ae93-0242ac130002,tags=attack.discovery,tags=attack.t1018,tags=attack.t1087.002,tags=attack.t1482,tags=attack.t1069.002,tags=stp.1u," +[Regsvr32 DLL Execution With Uncommon Extension] +description = Detects a "regsvr32" execution where the DLL doesn't contain a common file extension. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regsvr32.exe" OR OriginalFileName="REGSVR32.EXE" NOT (CommandLine IN ("*.ax*", "*.cpl*", "*.dll*", "*.ocx*") OR CommandLine!=* OR CommandLine="") NOT (CommandLine IN ("*.ppl*", "*.bav*")) | fields - _raw | collect index=notable_events source="Regsvr32 DLL Execution With Uncommon Extension" marker="guid=50919691-7302-437f-8e10-1fe088afa145,tags=attack.defense-evasion,tags=attack.t1574,tags=attack.execution," +[New Generic Credentials Added Via Cmdkey.EXE] +description = Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmdkey.exe" OR OriginalFileName="cmdkey.exe" CommandLine="* -g*" OR CommandLine="* /g*" OR CommandLine="* –g*" OR CommandLine="* —g*" OR CommandLine="* ―g*" CommandLine="* -u*" OR CommandLine="* /u*" OR CommandLine="* –u*" OR CommandLine="* —u*" OR CommandLine="* ―u*" CommandLine="* -p*" OR CommandLine="* /p*" OR CommandLine="* –p*" OR CommandLine="* —p*" OR CommandLine="* ―p*" | fields - _raw | collect index=notable_events source="New Generic Credentials Added Via Cmdkey.EXE" marker="guid=b1ec66c6-f4d1-4b5c-96dd-af28ccae7727,tags=attack.credential-access,tags=attack.t1003.005," +[Domain Trust Discovery Via Dsquery] +description = Detects execution of "dsquery.exe" for domain trust discovery +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dsquery.exe" OR OriginalFileName="dsquery.exe" CommandLine="*trustedDomain*" | fields - _raw | collect index=notable_events source="Domain Trust Discovery Via Dsquery" marker="guid=3bad990e-4848-4a78-9530-b427d854aac0,tags=attack.discovery,tags=attack.t1482," +[Remote Access Tool - ScreenConnect Execution] +description = An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="ScreenConnect Service" OR Product="ScreenConnect" OR Company="ScreenConnect Software" | fields - _raw | collect index=notable_events source="Remote Access Tool - ScreenConnect Execution" marker="guid=57bff678-25d1-4d6c-8211-8ca106d12053,tags=attack.command-and-control,tags=attack.t1219," +[Webshell Hacking Activity Patterns] +description = Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\caddy.exe", "*\\httpd.exe", "*\\nginx.exe", "*\\php-cgi.exe", "*\\w3wp.exe", "*\\ws_tomcatservice.exe") OR (ParentImage IN ("*\\java.exe", "*\\javaw.exe") ParentImage IN ("*-tomcat-*", "*\\tomcat*")) OR (ParentImage IN ("*\\java.exe", "*\\javaw.exe") CommandLine IN ("*catalina.jar*", "*CATALINA_HOME*")) (CommandLine="*rundll32*" CommandLine="*comsvcs*") OR (CommandLine="* -hp*" CommandLine="* a *" CommandLine="* -m*") OR (CommandLine="*net*" CommandLine="* user *" CommandLine="* /add*") OR (CommandLine="*net*" CommandLine="* localgroup *" CommandLine="* administrators *" CommandLine="*/add*") OR Image IN ("*\\ntdsutil.exe", "*\\ldifde.exe", "*\\adfind.exe", "*\\procdump.exe", "*\\Nanodump.exe", "*\\vssadmin.exe", "*\\fsutil.exe") OR CommandLine IN ("* -decode *", "* -NoP *", "* -W Hidden *", "* /decode *", "* /ticket:*", "* sekurlsa*", "*.dmp full*", "*.downloadfile(*", "*.downloadstring(*", "*FromBase64String*", "*process call create*", "*reg save *", "*whoami /priv*") | fields - _raw | collect index=notable_events source="Webshell Hacking Activity Patterns" 
marker="guid=4ebc877f-4612-45cb-b3a5-8e3834db36c9,tags=attack.persistence,tags=attack.t1505.003,tags=attack.t1018,tags=attack.t1033,tags=attack.t1087," +[Weak or Abused Passwords In CLI] +description = Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*123456789*", "*123123qwE*", "*Asd123.aaaa*", "*Decryptme*", "*P@ssw0rd!*", "*Pass8080*", "*password123*", "*test@202*") | fields - _raw | collect index=notable_events source="Weak or Abused Passwords In CLI" marker="guid=91edcfb1-2529-4ac2-9ecc-7617f895c7e4,tags=attack.defense-evasion,tags=attack.execution," +[HackTool - PPID Spoofing SelectMyParent Tool Execution] +description = Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SelectMyParent.exe" OR CommandLine IN ("*PPID-spoof*", "*ppid_spoof*", "*spoof-ppid*", "*spoof_ppid*", "*ppidspoof*", "*spoofppid*", "*spoofedppid*", "* -spawnto *") OR OriginalFileName IN ("*PPID-spoof*", "*ppid_spoof*", "*spoof-ppid*", "*spoof_ppid*", "*ppidspoof*", "*spoofppid*", "*spoofedppid*") OR Description="SelectMyParent" OR Imphash IN ("04d974875bd225f00902b4cad9af3fbc", "a782af154c9e743ddf3f3eb2b8f3d16e", "89059503d7fbf470e68f7e63313da3ad", "ca28337632625c8281ab8a130b3d6bad") OR Hashes IN ("*IMPHASH=04D974875BD225F00902B4CAD9AF3FBC*", "*IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E*", "*IMPHASH=89059503D7FBF470E68F7E63313DA3AD*", "*IMPHASH=CA28337632625C8281AB8A130B3D6BAD*") | fields - _raw | collect index=notable_events source="HackTool - PPID Spoofing SelectMyParent Tool Execution" 
marker="guid=52ff7941-8211-46f9-84f8-9903efb7077d,tags=attack.defense-evasion,tags=attack.t1134.004," +[Potential Defense Evasion Via Right-to-Left Override] +description = Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*‮*" | fields - _raw | collect index=notable_events source="Potential Defense Evasion Via Right-to-Left Override" marker="guid=ad691d92-15f2-4181-9aa4-723c74f9ddc3,tags=attack.defense-evasion,tags=attack.t1036.002," +[Potentially Suspicious Windows App Activity] +description = Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*C:\\Program Files\\WindowsApps\\*" Image IN ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR CommandLine IN ("*cmd /c*", "*Invoke-*", "*Base64*") NOT (ParentImage="*:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal*" ParentImage="*\\WindowsTerminal.exe" Image IN ("*\\powershell.exe", "*\\cmd.exe", "*\\pwsh.exe")) | fields - _raw | collect index=notable_events source="Potentially Suspicious Windows App Activity" marker="guid=f91ed517-a6ba-471d-9910-b3b4a398c0f3,tags=attack.defense-evasion," +[Veeam Backup Database Suspicious Query] +description = Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sqlcmd.exe" CommandLine="*VeeamBackup*" CommandLine="*From *" CommandLine IN ("*BackupRepositories*", "*Backups*", "*Credentials*", "*HostCreds*", "*SmbFileShares*", "*Ssh_creds*", "*VSphereInfo*") | fields - _raw | collect index=notable_events source="Veeam Backup Database Suspicious Query" marker="guid=696bfb54-227e-4602-ac5b-30d9d2053312,tags=attack.collection,tags=attack.t1005," +[Always Install Elevated MSI Spawned Cmd And Powershell] +description = Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll") ParentImage="*\\Windows\\Installer\\*" ParentImage="*msi*" ParentImage="*tmp" | table Image,ParentImage | fields - _raw | collect index=notable_events source="Always Install Elevated MSI Spawned Cmd And Powershell" marker="guid=1e53dd56-8d83-4eb4-a43e-b790a05510aa,tags=attack.privilege-escalation,tags=attack.t1548.002," +[Add New Download Source To Winget] +description = Detects usage of winget to add new additional download sources +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\winget.exe" OR OriginalFileName="winget.exe" CommandLine="*source *" CommandLine="*add *" | fields - _raw | collect index=notable_events source="Add New Download Source To Winget" marker="guid=05ebafc8-7aa2-4bcd-a269-2aec93f9e842,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1059," +[Files Added To An Archive Using Rar.EXE] +description = Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. 
sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rar.exe" CommandLine="* a *" | fields - _raw | collect index=notable_events source="Files Added To An Archive Using Rar.EXE" marker="guid=6f3e2987-db24-4c78-a860-b4f4095a7095,tags=attack.collection,tags=attack.t1560.001," +[Interactive AT Job] +description = Detects an interactive AT job, which may be used as a form of privilege escalation. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\at.exe" CommandLine="*interactive*" | fields - _raw | collect index=notable_events source="Interactive AT Job" marker="guid=60fc936d-2eb0-4543-8a13-911c750a1dfc,tags=attack.privilege-escalation,tags=attack.t1053.002," +[Suspicious Microsoft Office Child Process] +description = Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\EQNEDT32.EXE", "*\\EXCEL.EXE", "*\\MSACCESS.EXE", "*\\MSPUB.exe", "*\\ONENOTE.EXE", "*\\POWERPNT.exe", "*\\VISIO.exe", "*\\WINWORD.EXE", "*\\wordpad.exe", "*\\wordview.exe") OriginalFileName IN ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe") OR Image IN ("*\\AppVLP.exe", "*\\bash.exe", "*\\bitsadmin.exe", "*\\certoc.exe", "*\\certutil.exe", "*\\cmd.exe", "*\\cmstp.exe", "*\\control.exe", "*\\cscript.exe", "*\\curl.exe", "*\\forfiles.exe", "*\\hh.exe", "*\\ieexec.exe", "*\\installutil.exe", "*\\javaw.exe", "*\\mftrace.exe", "*\\Microsoft.Workflow.Compiler.exe", "*\\msbuild.exe", "*\\msdt.exe", "*\\mshta.exe", "*\\msidb.exe", "*\\msiexec.exe", "*\\msxsl.exe", "*\\odbcconf.exe", "*\\pcalua.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regasm.exe", "*\\regsvcs.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\schtasks.exe", "*\\scrcons.exe", "*\\scriptrunner.exe", "*\\sh.exe", "*\\svchost.exe", "*\\verclsid.exe", "*\\wmic.exe", "*\\workfolders.exe", "*\\wscript.exe") OR Image IN ("*\\AppData\\*", "*\\Users\\Public\\*", "*\\ProgramData\\*", "*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\System32\\Tasks\\*") | fields - _raw | collect index=notable_events source="Suspicious Microsoft Office Child Process" marker="guid=438025f9-5856-4663-83f7-52f878a70a50,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1047,tags=attack.t1204.002,tags=attack.t1218.010," +[PUA - PingCastle Execution From Potentially Suspicious Parent] +description = Detects the 
execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentCommandLine IN ("*.bat*", "*.chm*", "*.cmd*", "*.hta*", "*.htm*", "*.html*", "*.js*", "*.lnk*", "*.ps1*", "*.vbe*", "*.vbs*", "*.wsf*") OR ParentCommandLine IN ("*:\\Perflogs\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp*", "*\\AppData\\Roaming\\*", "*\\Temporary Internet*") OR (ParentCommandLine="*:\\Users\\*" ParentCommandLine="*\\Favorites\\*") OR (ParentCommandLine="*:\\Users\\*" ParentCommandLine="*\\Favourites\\*") OR (ParentCommandLine="*:\\Users\\*" ParentCommandLine="*\\Contacts\\*") ParentCommandLine IN ("*.bat*", "*.chm*", "*.cmd*", "*.hta*", "*.htm*", "*.html*", "*.js*", "*.lnk*", "*.ps1*", "*.vbe*", "*.vbs*", "*.wsf*") Image="*\\PingCastle.exe" OR OriginalFileName="PingCastle.exe" OR Product="Ping Castle" OR CommandLine IN ("*--scanner aclcheck*", "*--scanner antivirus*", "*--scanner computerversion*", "*--scanner foreignusers*", "*--scanner laps_bitlocker*", "*--scanner localadmin*", "*--scanner nullsession*", "*--scanner nullsession-trust*", "*--scanner oxidbindings*", "*--scanner remote*", "*--scanner share*", "*--scanner smb*", "*--scanner smb3querynetwork*", "*--scanner spooler*", "*--scanner startup*", "*--scanner zerologon*") OR CommandLine="*--no-enum-limit*" OR (CommandLine="*--healthcheck*" CommandLine="*--level Full*") OR (CommandLine="*--healthcheck*" CommandLine="*--server *") | fields - _raw | collect index=notable_events source="PUA - PingCastle Execution From Potentially Suspicious Parent" marker="guid=b37998de-a70b-4f33-b219-ec36bf433dc0,tags=attack.reconnaissance,tags=attack.t1595," +[Suspicious File Characteristics Due to Missing Fields] +description = Detects Executables in the Downloads folder without 
FileVersion,Description,Product,Company likely created with py2exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Description="?" FileVersion="?") OR (Description="?" Product="?") OR (Description="?" Company="?") Image="*\\Downloads\\*" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious File Characteristics Due to Missing Fields" marker="guid=9637e8a5-7131-4f7f-bdc7-2b05d8670c43,tags=attack.execution,tags=attack.t1059.006," +[Renamed ProcDump Execution] +description = Detects the execution of a renamed ProcDump executable. This often done by attackers or malware in order to evade defensive mechanisms. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="procdump" OR (CommandLine="* -ma *" OR CommandLine="* /ma *" OR CommandLine="* –ma *" OR CommandLine="* —ma *" OR CommandLine="* ―ma *" OR CommandLine="* -mp *" OR CommandLine="* /mp *" OR CommandLine="* –mp *" OR CommandLine="* —mp *" OR CommandLine="* ―mp *" CommandLine="* -accepteula*" OR CommandLine="* /accepteula*" OR CommandLine="* –accepteula*" OR CommandLine="* —accepteula*" OR CommandLine="* ―accepteula*") NOT (Image IN ("*\\procdump.exe", "*\\procdump64.exe")) | fields - _raw | collect index=notable_events source="Renamed ProcDump Execution" marker="guid=4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67,tags=attack.defense-evasion,tags=attack.t1036.003," +[Gpresult Display Group Policy Information] +description = Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\gpresult.exe" CommandLine IN ("*/z*", "*/v*") | fields - _raw | collect index=notable_events source="Gpresult Display Group Policy Information" 
marker="guid=e56d3073-83ff-4021-90fe-c658e0709e72,tags=attack.discovery,tags=attack.t1615," +[PUA - CleanWipe Execution] +description = Detects the use of CleanWipe a tool usually used to delete Symantec antivirus. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SepRemovalToolNative_x64.exe" OR (Image="*\\CATClean.exe" CommandLine="*--uninstall*") OR (Image="*\\NetInstaller.exe" CommandLine="*-r*") OR (Image="*\\WFPUnins.exe" CommandLine="*/uninstall*" CommandLine="*/enterprise*") | fields - _raw | collect index=notable_events source="PUA - CleanWipe Execution" marker="guid=f44800ac-38ec-471f-936e-3fa7d9c53100,tags=attack.defense-evasion,tags=attack.t1562.001," +[Potential Regsvr32 Commandline Flag Anomaly] +description = Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regsvr32.exe" CommandLine="* -i:*" OR CommandLine="* /i:*" OR CommandLine="* –i:*" OR CommandLine="* —i:*" OR CommandLine="* ―i:*" NOT CommandLine="* -n *" OR CommandLine="* /n *" OR CommandLine="* –n *" OR CommandLine="* —n *" OR CommandLine="* ―n *" | fields - _raw | collect index=notable_events source="Potential Regsvr32 Commandline Flag Anomaly" marker="guid=b236190c-1c61-41e9-84b3-3fe03f6d76b0,tags=attack.defense-evasion,tags=attack.t1218.010," +[Suspicious Download From File-Sharing Website Via Bitsadmin] +description = Detects usage of bitsadmin downloading a file from a suspicious domain +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\bitsadmin.exe" OR OriginalFileName="bitsadmin.exe" CommandLine IN ("* /transfer *", "* /create *", "* /addfile *") CommandLine IN ("*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", 
"*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*") | fields - _raw | collect index=notable_events source="Suspicious Download From File-Sharing Website Via Bitsadmin" marker="guid=8518ed3d-f7c9-4601-a26c-f361a4256a0c,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,tags=attack.s0190,tags=attack.t1036.003," +[Port Forwarding Activity Via SSH.EXE] +description = Detects port forwarding activity via SSH.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ssh.exe" CommandLine="* -R *" OR CommandLine="* /R *" OR CommandLine="* –R *" OR CommandLine="* —R *" OR CommandLine="* ―R *" | fields - _raw | collect index=notable_events source="Port Forwarding Activity Via SSH.EXE" marker="guid=327f48c1-a6db-4eb8-875a-f6981f1b0183,tags=attack.command-and-control,tags=attack.lateral-movement,tags=attack.t1572,tags=attack.t1021.001,tags=attack.t1021.004," +[Outlook EnableUnsafeClientMailRules Setting Enabled] +description = Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\Outlook\\Security\\EnableUnsafeClientMailRules*" | fields - _raw | collect index=notable_events source="Outlook EnableUnsafeClientMailRules Setting Enabled" marker="guid=55f0a3a1-846e-40eb-8273-677371b8d912,tags=attack.execution,tags=attack.t1059,tags=attack.t1202," +[Suspicious GrpConv Execution] 
+description = Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*grpconv.exe -o*", "*grpconv -o*") | fields - _raw | collect index=notable_events source="Suspicious GrpConv Execution" marker="guid=f14e169e-9978-4c69-acb3-1cff8200bc36,tags=attack.persistence,tags=attack.t1547," +[Operator Bloopers Cobalt Strike Commands] +description = Detects use of Cobalt Strike commands accidentally entered in the CMD shell +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="Cmd.Exe" OR Image="*\\cmd.exe" CommandLine IN ("cmd *", "cmd.exe*", "c:\\windows\\system32\\cmd.exe*") CommandLine IN ("*psinject*", "*spawnas*", "*make_token*", "*remote-exec*", "*rev2self*", "*dcsync*", "*logonpasswords*", "*execute-assembly*", "*getsystem*") | fields - _raw | collect index=notable_events source="Operator Bloopers Cobalt Strike Commands" marker="guid=647c7b9e-d784-4fda-b9a0-45c565a7b729,tags=attack.execution,tags=attack.t1059.003,tags=stp.1u," +[Operator Bloopers Cobalt Strike Modules] +description = Detects Cobalt Strike module/commands accidentally entered in CMD shell +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="Cmd.Exe" OR Image="*\\cmd.exe" CommandLine IN ("*Invoke-UserHunter*", "*Invoke-ShareFinder*", "*Invoke-Kerberoast*", "*Invoke-SMBAutoBrute*", "*Invoke-Nightmare*", "*zerologon*", "*av_query*") | fields - _raw | collect index=notable_events source="Operator Bloopers Cobalt Strike Modules" marker="guid=4f154fb6-27d1-4813-a759-78b93e0b9c48,tags=attack.execution,tags=attack.t1059.003," +[Firewall Rule Deleted Via Netsh.EXE] +description = Detects the removal of a port or application rule in the Windows Firewall configuration using netsh 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" CommandLine="*firewall*" CommandLine="*delete *" NOT (ParentImage="*\\Dropbox.exe" CommandLine="*name=Dropbox*") | fields - _raw | collect index=notable_events source="Firewall Rule Deleted Via Netsh.EXE" marker="guid=1a5fefe6-734f-452e-a07d-fc1c35bce4b2,tags=attack.defense-evasion,tags=attack.t1562.004," +[Uncommon Child Processes Of SndVol.exe] +description = Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\SndVol.exe" NOT (Image="*\\rundll32.exe" CommandLine="* shell32.dll,Control_RunDLL *") | fields - _raw | collect index=notable_events source="Uncommon Child Processes Of SndVol.exe" marker="guid=ba42babc-0666-4393-a4f7-ceaf5a69191e,tags=attack.execution," +[Kernel Memory Dump Via LiveKD] +description = Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\livekd.exe", "*\\livekd64.exe") OR OriginalFileName="livekd.exe" CommandLine="* -m*" OR CommandLine="* /m*" OR CommandLine="* –m*" OR CommandLine="* —m*" OR CommandLine="* ―m*" | fields - _raw | collect index=notable_events source="Kernel Memory Dump Via LiveKD" marker="guid=c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2,tags=attack.defense-evasion," +[Potential PowerShell Execution Via DLL] +description = Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\InstallUtil.exe", "*\\RegAsm.exe", "*\\RegSvcs.exe", "*\\regsvr32.exe", "*\\rundll32.exe") OR OriginalFileName IN ("InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.EXE", "RUNDLL32.EXE") CommandLine IN ("*Default.GetString*", "*DownloadString*", "*FromBase64String*", "*ICM *", "*IEX *", "*Invoke-Command*", "*Invoke-Expression*") | fields - _raw | collect index=notable_events source="Potential PowerShell Execution Via DLL" marker="guid=6812a10b-60ea-420c-832f-dfcc33b646ba,tags=attack.defense-evasion,tags=attack.t1218.011," +[Disabled Volume Snapshots] +description = Detects commands that temporarily turn off Volume Snapshots +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\Services\\VSS\\Diag*" CommandLine="*/d Disabled*" | fields - _raw | collect index=notable_events source="Disabled Volume Snapshots" marker="guid=dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a,tags=attack.defense-evasion,tags=attack.t1562.001," +[JScript Compiler Execution] +description = Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\jsc.exe" OR OriginalFileName="jsc.exe" | fields - _raw | collect index=notable_events source="JScript Compiler Execution" marker="guid=52788a70-f1da-40dd-8fbd-73b5865d6568,tags=attack.defense-evasion,tags=attack.t1127," +[Potentially Suspicious Child Process Of WinRAR.EXE] +description = Detects potentially suspicious child processes of WinRAR.exe. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\WinRAR.exe" Image IN ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR OriginalFileName IN ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe") | fields - _raw | collect index=notable_events source="Potentially Suspicious Child Process Of WinRAR.EXE" marker="guid=146aace8-9bd6-42ba-be7a-0070d8027b76,tags=attack.execution,tags=attack.t1203," +[Whoami Utility Execution] +description = Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\whoami.exe" OR OriginalFileName="whoami.exe" | fields - _raw | collect index=notable_events source="Whoami Utility Execution" marker="guid=e28a5a99-da44-436d-b7a0-2afc20a5f413,tags=attack.discovery,tags=attack.t1033,tags=car.2016-03-001," +[C# IL Code Compilation Via Ilasm.EXE] +description = Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ilasm.exe" OR OriginalFileName="ilasm.exe" CommandLine IN ("* /dll*", "* /exe*") | fields - _raw | collect index=notable_events source="C# IL Code Compilation Via Ilasm.EXE" marker="guid=850d55f9-6eeb-4492-ad69-a72338f65ba4,tags=attack.defense-evasion,tags=attack.t1127," +[HackTool - GMER Rootkit Detector and Remover Execution] +description = Detects the execution GMER tool based on image and hash fields. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\gmer.exe" OR Hashes IN ("*MD5=E9DC058440D321AA17D0600B3CA0AB04*", "*SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57*", "*SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173*") OR md5="e9dc058440d321aa17d0600b3ca0ab04" OR sha1="539c228b6b332f5aa523e5ce358c16647d8bbe57" OR sha256="e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173" | fields - _raw | collect index=notable_events source="HackTool - GMER Rootkit Detector and Remover Execution" marker="guid=9082ff1f-88ab-4678-a3cc-5bcff99fc74d,tags=attack.defense-evasion," +[Console CodePage Lookup Via CHCP] +description = Detects use of chcp to look up the system locale value as part of host discovery +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\cmd.exe" ParentCommandLine="* -c *" OR ParentCommandLine="* /c *" OR ParentCommandLine="* –c *" OR ParentCommandLine="* —c *" OR ParentCommandLine="* ―c *" OR ParentCommandLine="* -r *" OR ParentCommandLine="* /r *" OR ParentCommandLine="* –r *" OR ParentCommandLine="* —r *" OR ParentCommandLine="* ―r *" OR ParentCommandLine="* -k *" OR ParentCommandLine="* /k *" OR ParentCommandLine="* –k *" OR ParentCommandLine="* —k *" OR ParentCommandLine="* ―k *" Image="*\\chcp.com" CommandLine IN ("*chcp", "*chcp ", "*chcp ") | fields - _raw | collect index=notable_events source="Console CodePage Lookup Via CHCP" marker="guid=7090adee-82e2-4269-bd59-80691e7c6338,tags=attack.discovery,tags=attack.t1614.001," +[Potential Persistence Via Netsh Helper DLL] +description = Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="netsh.exe" OR Image="*\\netsh.exe" CommandLine="*add*" CommandLine="*helper*" | fields - _raw | collect index=notable_events source="Potential Persistence Via Netsh Helper DLL" marker="guid=56321594-9087-49d9-bf10-524fe8479452,tags=attack.privilege-escalation,tags=attack.persistence,tags=attack.t1546.007,tags=attack.s0108," +[Uncommon Child Process Of Setres.EXE] +description = Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\setres.exe" Image="*\\choice*" NOT (Image IN ("*C:\\Windows\\System32\\choice.exe", "*C:\\Windows\\SysWOW64\\choice.exe")) | fields - _raw | collect index=notable_events source="Uncommon Child Process Of Setres.EXE" marker="guid=835e75bf-4bfd-47a4-b8a6-b766cac8bcb7,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1202," +[Potential LSASS Process Dump Via Procdump] +description = Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* -ma *" OR CommandLine="* /ma *" OR CommandLine="* –ma *" OR CommandLine="* —ma *" OR CommandLine="* ―ma *" CommandLine="* ls*" | fields - _raw | collect index=notable_events source="Potential LSASS Process Dump Via Procdump" marker="guid=5afee48e-67dd-4e03-a783-f74259dcf998,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.credential-access,tags=attack.t1003.001,tags=car.2013-05-009," +[Potential Binary Proxy Execution Via VSDiagnostics.EXE] +description = Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\VSDiagnostics.exe" OR OriginalFileName="VSDiagnostics.exe" CommandLine="*start*" CommandLine IN ("* /launch:*", "* -launch:*") | fields - _raw | collect index=notable_events source="Potential Binary Proxy Execution Via VSDiagnostics.EXE" marker="guid=ac1c92b4-ac81-405a-9978-4604d78cc47e,tags=attack.defense-evasion,tags=attack.t1218," +[Deny Service Access Using Security Descriptor Tampering Via Sc.EXE] +description = Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sc.exe" OR OriginalFileName="sc.exe" CommandLine="*sdset*" CommandLine="*D;*" CommandLine IN ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*") | fields - _raw | collect index=notable_events source="Deny Service Access Using Security Descriptor Tampering Via Sc.EXE" marker="guid=99cf1e02-00fb-4c0d-8375-563f978dfd37,tags=attack.persistence,tags=attack.t1543.003," +[MpiExec Lolbin] +description = Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\mpiexec.exe" OR Imphash="d8b52ef6aaa3a81501bdfff9dbb96217" OR Hashes="*IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217*" CommandLine IN ("* /n 1 *", "* -n 1 *") | fields - _raw | collect index=notable_events source="MpiExec Lolbin" marker="guid=729ce0ea-5d8f-4769-9762-e35de441586d,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218," +[Uninstall Sysinternals Sysmon] +description = Detects the removal of Sysmon, which could be a potential attempt at defense evasion +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\Sysmon64.exe", "*\\Sysmon.exe") OR Description="System activity monitor" CommandLine="*-u*" OR CommandLine="*/u*" OR CommandLine="*–u*" OR CommandLine="*—u*" OR CommandLine="*―u*" | fields - _raw | collect index=notable_events source="Uninstall Sysinternals Sysmon" marker="guid=6a5f68d1-c4b5-46b9-94ee-5324892ea939,tags=attack.defense-evasion,tags=attack.t1562.001," +[Suspicious Driver Install by pnputil.exe] +description = Detects when a possible suspicious driver is being installed via pnputil.exe lolbin +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*-i*", "*/install*", "*-a*", 
"*/add-driver*", "*.inf*") Image="*\\pnputil.exe" | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Driver Install by pnputil.exe" marker="guid=a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1,tags=attack.persistence,tags=attack.t1547," +[HackTool - CrackMapExec Process Patterns] +description = Detects suspicious process patterns found in logs when CrackMapExec is used +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*tasklist /fi *" CommandLine="*Imagename eq lsass.exe*" CommandLine IN ("*cmd.exe /c *", "*cmd.exe /r *", "*cmd.exe /k *", "*cmd /c *", "*cmd /r *", "*cmd /k *") User IN ("*AUTHORI*", "*AUTORI*")) OR (CommandLine="*do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump*" CommandLine="*\\Windows\\Temp\\*" CommandLine="* full*" CommandLine="*%%B*") OR (CommandLine="*tasklist /v /fo csv*" CommandLine="*findstr /i \"lsass\"*") | fields - _raw | collect index=notable_events source="HackTool - CrackMapExec Process Patterns" marker="guid=f26307d8-14cd-47e3-a26b-4b4769f24af6,tags=attack.credential-access,tags=attack.t1003.001," +[AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl] +description = Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*winrm*" CommandLine IN ("*format:pretty*", "*format:\"pretty\"*", "*format:\"text\"*", "*format:text*") NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*")) | fields - _raw | collect index=notable_events source="AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" marker="guid=074e0ded-6ced-4ebd-8b4d-53f55908119d,tags=attack.defense-evasion,tags=attack.t1216," +[Windows Shell/Scripting Processes Spawning Suspicious Programs] +description = Detects suspicious child 
processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\rundll32.exe", "*\\cscript.exe", "*\\wscript.exe", "*\\wmiprvse.exe", "*\\regsvr32.exe") Image IN ("*\\schtasks.exe", "*\\nslookup.exe", "*\\certutil.exe", "*\\bitsadmin.exe", "*\\mshta.exe") NOT (CurrentDirectory="*\\ccmcache\\*" OR ParentCommandLine IN ("*\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\setup-scheduledtask.ps1*", "*\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\set-selfhealing.ps1*", "*\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\check-workspacehealth.ps1*", "*\\nessus_*") OR CommandLine="*\\nessus_*" OR (ParentImage="*\\mshta.exe" Image="*\\mshta.exe" ParentCommandLine="*C:\\MEM_Configmgr_*" ParentCommandLine="*\\splash.hta*" ParentCommandLine="*{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}*" CommandLine="*C:\\MEM_Configmgr_*" CommandLine="*\\SMSSETUP\\BIN\\*" CommandLine="*\\autorun.hta*" CommandLine="*{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}*")) | table CommandLine,ParentCommandLine,CurrentDirectory,Image,ParentImage | fields - _raw | collect index=notable_events source="Windows Shell/Scripting Processes Spawning Suspicious Programs" marker="guid=3a6586ad-127a-4d3b-a677-1e6eacdf8fde,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1059.005,tags=attack.t1059.001,tags=attack.t1218," +[TrustedPath UAC Bypass Pattern] +description = Detects indicators of a UAC bypass method by mocking directories +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*C:\\Windows \\System32\\*" | fields - _raw | collect index=notable_events source="TrustedPath UAC Bypass Pattern" marker="guid=4ac47ed3-44c2-4b1f-9d51-bf46e8914126,tags=attack.defense-evasion,tags=attack.t1548.002," +[File Encryption/Decryption Via Gpg4win 
From Suspicious Locations] +description = Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\gpg.exe", "*\\gpg2.exe") OR Product="GNU Privacy Guard (GnuPG)" OR Description="GnuPG’s OpenPGP tool" CommandLine="*-passphrase*" CommandLine IN ("*:\\PerfLogs\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*") | fields - _raw | collect index=notable_events source="File Encryption/Decryption Via Gpg4win From Suspicious Locations" marker="guid=e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d,tags=attack.execution," +[Potential Mftrace.EXE Abuse] +description = Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\mftrace.exe" | fields - _raw | collect index=notable_events source="Potential Mftrace.EXE Abuse" marker="guid=3d48c9d3-1aa6-418d-98d3-8fd3c01a564e,tags=attack.defense-evasion,tags=attack.t1127," +[Visual Studio NodejsTools PressAnyKey Renamed Execution] +description = Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="Microsoft.NodejsTools.PressAnyKey.exe" NOT Image="*\\Microsoft.NodejsTools.PressAnyKey.exe" | fields - _raw | collect index=notable_events source="Visual Studio NodejsTools PressAnyKey Renamed Execution" marker="guid=65c3ca2c-525f-4ced-968e-246a713d164f,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218," +[Imports Registry Key From a File] +description = Detects the import of the specified file to the registry with 
regedit.exe. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regedit.exe" OR OriginalFileName="REGEDIT.EXE" CommandLine IN ("* /i *", "* /s *", "*.reg*") NOT (CommandLine="* -e *" OR CommandLine="* /e *" OR CommandLine="* –e *" OR CommandLine="* —e *" OR CommandLine="* ―e *" OR CommandLine="* -a *" OR CommandLine="* /a *" OR CommandLine="* –a *" OR CommandLine="* —a *" OR CommandLine="* ―a *" OR CommandLine="* -c *" OR CommandLine="* /c *" OR CommandLine="* –c *" OR CommandLine="* —c *" OR CommandLine="* ―c *")\ +| regex CommandLine=":[^ \\\\]" | table ParentImage,CommandLine | fields - _raw | collect index=notable_events source="Imports Registry Key From a File" marker="guid=73bba97f-a82d-42ce-b315-9182e76c57b1,tags=attack.t1112,tags=attack.defense-evasion," +[Potential Configuration And Service Reconnaissance Via Reg.EXE] +description = Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine="*query*" CommandLine IN ("*currentVersion\\windows*", "*winlogon\\*", "*currentVersion\\shellServiceObjectDelayLoad*", "*currentVersion\\run*", "*currentVersion\\policies\\explorer\\run*", "*currentcontrolset\\services*") | fields - _raw | collect index=notable_events source="Potential Configuration And Service Reconnaissance Via Reg.EXE" marker="guid=970007b7-ce32-49d0-a4a4-fbef016950bd,tags=attack.discovery,tags=attack.t1012,tags=attack.t1007," +[Remote Access Tool - LogMeIn Execution] +description = An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="LMIGuardianSvc" OR Product="LMIGuardianSvc" OR Company="LogMeIn, Inc." 
| fields - _raw | collect index=notable_events source="Remote Access Tool - LogMeIn Execution" marker="guid=d85873ef-a0f8-4c48-a53a-6b621f11729d,tags=attack.command-and-control,tags=attack.t1219," +[Base64 Encoded PowerShell Command Detected] +description = Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*::FromBase64String(*" | fields - _raw | collect index=notable_events source="Base64 Encoded PowerShell Command Detected" marker="guid=e32d4572-9826-4738-b651-95fa63747e8a,tags=attack.t1027,tags=attack.defense-evasion,tags=attack.t1140,tags=attack.t1059.001," +[Potentially Suspicious Usage Of Qemu] +description = Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*-m 1M*", "*-m 2M*", "*-m 3M*") CommandLine="*restrict=off*" CommandLine="*-netdev *" CommandLine="*connect=*" CommandLine="*-nographic*" NOT (CommandLine IN ("* -cdrom *", "* type=virt *", "* -blockdev *")) | fields - _raw | collect index=notable_events source="Potentially Suspicious Usage Of Qemu" marker="guid=5fc297ae-25b6-488a-8f25-cc12ac29b744,tags=attack.command-and-control,tags=attack.t1090,tags=attack.t1572," +[Renamed Visual Studio Code Tunnel Execution] +description = Detects renamed Visual Studio Code tunnel execution. 
Attackers can abuse this functionality to establish a C2 channel +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ((OriginalFileName!=* CommandLine="*.exe tunnel") OR (CommandLine="*.exe tunnel*" CommandLine="*--name *" CommandLine="*--accept-server-license-terms*") OR (CommandLine="*tunnel *" CommandLine="*service*" CommandLine="*internal-run*" CommandLine="*tunnel-service.log*") NOT (Image IN ("*\\code-tunnel.exe", "*\\code.exe"))) OR (ParentCommandLine="* tunnel" Image="*\\cmd.exe" CommandLine="*/d /c *" CommandLine="*\\servers\\Stable-*" CommandLine="*code-server.cmd*" NOT (ParentImage IN ("*\\code-tunnel.exe", "*\\code.exe"))) | fields - _raw | collect index=notable_events source="Renamed Visual Studio Code Tunnel Execution" marker="guid=2cf29f11-e356-4f61-98c0-1bdb9393d6da,tags=attack.command-and-control,tags=attack.t1071.001," +[Execute MSDT Via Answer File] +description = Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msdt.exe" CommandLine="*\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml*" CommandLine IN ("* -af *", "* /af *") NOT ParentImage="*\\pcwrun.exe" | fields - _raw | collect index=notable_events source="Execute MSDT Via Answer File" marker="guid=9c8c7000-3065-44a8-a555-79bcba5d9955,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.execution," +[Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location] +description = Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\iexpress.exe" OR OriginalFileName="IEXPRESS.exe" CommandLine="* -n *" OR CommandLine="* /n *" OR CommandLine="* –n *" OR CommandLine="* —n *" OR CommandLine="* ―n *" CommandLine IN ("*:\\ProgramData\\*", "*:\\Temp\\*", "*:\\Windows\\System32\\Tasks\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*") | fields - _raw | collect index=notable_events source="Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location" marker="guid=b2b048b0-7857-4380-b0fb-d3f0ab820b71,tags=attack.defense-evasion,tags=attack.t1218," +[Whoami.EXE Execution With Output Option] +description = Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\whoami.exe" OR OriginalFileName="whoami.exe" CommandLine IN ("* /FO CSV*", "* -FO CSV*")) OR CommandLine="*whoami*>*" | fields - _raw | collect index=notable_events source="Whoami.EXE Execution With Output Option" marker="guid=c30fb093-1109-4dc8-88a8-b30d11c95a5d,tags=attack.discovery,tags=attack.t1033,tags=car.2016-03-001," +[Uncommon Child Process Spawned By Odbcconf.EXE] +description = Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\odbcconf.exe" | fields - _raw | collect index=notable_events source="Uncommon Child Process Spawned By Odbcconf.EXE" marker="guid=8e3c7994-131e-4ba5-b6ea-804d49113a26,tags=attack.defense-evasion,tags=attack.t1218.008," +[Imports Registry Key From an ADS] +description = Detects the import of a alternate datastream to the registry with regedit.exe. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regedit.exe" OR OriginalFileName="REGEDIT.EXE" CommandLine IN ("* /i *", "*.reg*") NOT (CommandLine="* -e *" OR CommandLine="* /e *" OR CommandLine="* –e *" OR CommandLine="* —e *" OR CommandLine="* ―e *" OR CommandLine="* -a *" OR CommandLine="* /a *" OR CommandLine="* –a *" OR CommandLine="* —a *" OR CommandLine="* ―a *" OR CommandLine="* -c *" OR CommandLine="* /c *" OR CommandLine="* –c *" OR CommandLine="* —c *" OR CommandLine="* ―c *")\ +| regex CommandLine=":[^ \\\\]" | table ParentImage,CommandLine | fields - _raw | collect index=notable_events source="Imports Registry Key From an ADS" marker="guid=0b80ade5-6997-4b1d-99a1-71701778ea61,tags=attack.t1112,tags=attack.defense-evasion," +[Potential Commandline Obfuscation Using Unicode Characters] +description = Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*ˣ*", "*˪*", "*ˢ*") OR CommandLine IN ("*∕*", "*⁄*") OR CommandLine IN ("*―*", "*—*") OR CommandLine IN ("*¯*", "*®*", "*¶*") | fields - _raw | collect index=notable_events source="Potential Commandline Obfuscation Using Unicode Characters" marker="guid=e0552b19-5a83-4222-b141-b36184bb8d79,tags=attack.defense-evasion,tags=attack.t1027," +[Potentially Suspicious Electron Application CommandLine] +description = Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\chrome.exe", "*\\code.exe", "*\\discord.exe", "*\\GitHubDesktop.exe", "*\\keybase.exe", "*\\msedge_proxy.exe", "*\\msedge.exe", "*\\msedgewebview2.exe", "*\\msteams.exe", "*\\slack.exe", "*\\Teams.exe") OR OriginalFileName IN ("chrome.exe", "code.exe", "discord.exe", "GitHubDesktop.exe", "keybase.exe", "msedge_proxy.exe", "msedge.exe", "msedgewebview2.exe", "msteams.exe", "slack.exe", "Teams.exe") CommandLine IN ("*--browser-subprocess-path*", "*--gpu-launcher*", "*--renderer-cmd-prefix*", "*--utility-cmd-prefix*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Electron Application CommandLine" marker="guid=378a05d8-963c-46c9-bcce-13c7657eac99,tags=attack.execution," +[Cloudflared Tunnel Connections Cleanup] +description = Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* tunnel *" CommandLine="*cleanup *" CommandLine IN ("*-config *", "*-connector-id *") | fields - _raw | collect index=notable_events source="Cloudflared Tunnel Connections Cleanup" marker="guid=7050bba1-1aed-454e-8f73-3f46f09ce56a,tags=attack.command-and-control,tags=attack.t1102,tags=attack.t1090,tags=attack.t1572," +[CMSTP Execution Process Creation] +description = Detects various indicators of Microsoft Connection Manager Profile Installer execution +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\cmstp.exe" | table CommandLine,ParentCommandLine,Details | fields - _raw | collect index=notable_events source="CMSTP Execution Process Creation" marker="guid=7d4cdc5a-0076-40ca-aac8-f7e714570e47,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218.003,tags=attack.g0069,tags=car.2019-04-001," +[Rundll32 
Execution Without CommandLine Parameters]
+description = Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*\\rundll32.exe", "*\\rundll32.exe\"", "*\\rundll32") NOT (ParentImage IN ("*\\AppData\\Local\\*", "*\\Microsoft\\Edge\\*")) | fields - _raw | collect index=notable_events source="Rundll32 Execution Without CommandLine Parameters" marker="guid=1775e15e-b61b-4d14-a1a3-80981298085a,tags=attack.defense-evasion,tags=attack.t1202,"
+[Remote Access Tool - Anydesk Execution From Suspicious Folder]
+description = An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\AnyDesk.exe" OR Description="AnyDesk" OR Product="AnyDesk" OR Company="AnyDesk Software GmbH" NOT (Image IN ("*\\AppData\\*", "*Program Files (x86)\\AnyDesk*", "*Program Files\\AnyDesk*")) | fields - _raw | collect index=notable_events source="Remote Access Tool - Anydesk Execution From Suspicious Folder" marker="guid=065b00ca-5d5c-4557-ac95-64a6d0b64d86,tags=attack.command-and-control,tags=attack.t1219,"
+[PowerShell Base64 Encoded IEX Cmdlet]
+description = Detects usage of a base64 encoded "IEX" cmdlet in a process command line
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*SUVYIChb*" OR CommandLine="*lFWCAoW*" OR CommandLine="*JRVggKF*" OR CommandLine="*aWV4IChb*" OR CommandLine="*lleCAoW*" OR CommandLine="*pZXggKF*" OR CommandLine="*aWV4IChOZX*" OR CommandLine="*lleCAoTmV3*" OR CommandLine="*pZXggKE5ld*" OR CommandLine="*SUVYIChOZX*" OR CommandLine="*lFWCAoTmV3*" OR CommandLine="*JRVggKE5ld*" OR CommandLine="*SUVYKF*" OR CommandLine="*lFWChb*" OR CommandLine="*JRVgoW*" OR CommandLine="*aWV4KF*" OR CommandLine="*lleChb*" OR CommandLine="*pZXgoW*" OR CommandLine="*aWV4KE5ld*" OR CommandLine="*lleChOZX*" OR CommandLine="*pZXgoTmV3*" OR CommandLine="*SUVYKE5ld*" OR CommandLine="*lFWChOZX*" OR CommandLine="*JRVgoTmV3*" OR CommandLine="*SUVYKCgn*" OR CommandLine="*lFWCgoJ*" OR CommandLine="*JRVgoKC*" OR CommandLine="*aWV4KCgn*" OR CommandLine="*lleCgoJ*" OR CommandLine="*pZXgoKC*" OR CommandLine IN ("*SQBFAFgAIAAoAFsA*", "*kARQBYACAAKABbA*", "*JAEUAWAAgACgAWw*", "*aQBlAHgAIAAoAFsA*", "*kAZQB4ACAAKABbA*", "*pAGUAeAAgACgAWw*", "*aQBlAHgAIAAoAE4AZQB3A*", "*kAZQB4ACAAKABOAGUAdw*", "*pAGUAeAAgACgATgBlAHcA*", "*SQBFAFgAIAAoAE4AZQB3A*", "*kARQBYACAAKABOAGUAdw*", "*JAEUAWAAgACgATgBlAHcA*") | fields - _raw | collect index=notable_events source="PowerShell 
Base64 Encoded IEX Cmdlet" marker="guid=88f680b8-070e-402c-ae11-d2914f2257f1,tags=attack.execution,tags=attack.t1059.001,"
+[Potential Mpclient.DLL Sideloading Via Defender Binaries]
+description = Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\MpCmdRun.exe", "*\\NisSrv.exe") NOT (Image IN ("C:\\Program Files (x86)\\Windows Defender\\*", "C:\\Program Files\\Microsoft Security Client\\*", "C:\\Program Files\\Windows Defender\\*", "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*", "C:\\Windows\\WinSxS\\*")) | fields - _raw | collect index=notable_events source="Potential Mpclient.DLL Sideloading Via Defender Binaries" marker="guid=7002aa10-b8d4-47ae-b5ba-51ab07e228b9,tags=attack.defense-evasion,tags=attack.t1574.002,"
+[PUA - DefenderCheck Execution]
+description = Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\DefenderCheck.exe" OR Description="DefenderCheck" | fields - _raw | collect index=notable_events source="PUA - DefenderCheck Execution" marker="guid=f0ca6c24-3225-47d5-b1f5-352bf07ecfa7,tags=attack.defense-evasion,tags=attack.t1027.005,"
+[Suspicious File Downloaded From Direct IP Via Certutil.EXE]
+description = Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certutil.exe" OR OriginalFileName="CertUtil.exe" CommandLine IN ("*urlcache *", "*verifyctl *") CommandLine IN ("*://1*", "*://2*", "*://3*", "*://4*", "*://5*", "*://6*", "*://7*", "*://8*", "*://9*") NOT CommandLine="*://7-*" | fields - _raw | collect index=notable_events source="Suspicious File Downloaded From Direct IP Via Certutil.EXE" marker="guid=13e6fe51-d478-4c7e-b0f2-6da9b400a829,tags=attack.defense-evasion,tags=attack.t1027,"
+[ETW Trace Evasion Activity]
+description = Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*cl*" CommandLine="*/Trace*") OR (CommandLine="*clear-log*" CommandLine="*/Trace*") OR (CommandLine="*sl*" CommandLine="*/e:false*") OR (CommandLine="*set-log*" CommandLine="*/e:false*") OR (CommandLine="*logman*" CommandLine="*update*" CommandLine="*trace*" CommandLine="*--p*" CommandLine="*-ets*") OR CommandLine="*Remove-EtwTraceProvider*" OR (CommandLine="*Set-EtwTraceProvider*" CommandLine="*0x11*") | fields - _raw | collect index=notable_events source="ETW Trace Evasion Activity" marker="guid=a238b5d0-ce2d-4414-a676-7a531b3d13d6,tags=attack.defense-evasion,tags=attack.t1070,tags=attack.t1562.006,tags=car.2016-04-002,"
+[Process Memory Dump via RdrLeakDiag.EXE]
+description = Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine IN ("*fullmemdmp*", "*/memdmp*", "*-memdmp*") CommandLine IN ("* -o *", "* /o *") CommandLine IN ("* -p *", "* /p *")) OR (Image="*\\rdrleakdiag.exe" OR OriginalFileName="RdrLeakDiag.exe" CommandLine IN ("*fullmemdmp*", "*/memdmp*", "*-memdmp*")) | 
fields - _raw | collect index=notable_events source="Process Memory Dump via RdrLeakDiag.EXE" marker="guid=edadb1e5-5919-4e4c-8462-a9e643b02c4b,tags=attack.credential-access,tags=attack.t1003.001,"
+[Visual Studio Code Tunnel Execution]
+description = Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (OriginalFileName!=* CommandLine="*.exe tunnel") OR (CommandLine="*.exe tunnel*" CommandLine="*--name *" CommandLine="*--accept-server-license-terms*") OR (ParentCommandLine="* tunnel" Image="*\\cmd.exe" CommandLine="*/d /c *" CommandLine="*\\servers\\Stable-*" CommandLine="*code-server.cmd*") | fields - _raw | collect index=notable_events source="Visual Studio Code Tunnel Execution" marker="guid=90d6bd71-dffb-4989-8d86-a827fedd6624,tags=attack.command-and-control,tags=attack.t1071.001,"
+[Potential Process Injection Via Msra.EXE]
+description = Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. 
It has been a target used by many threat actors and used for discovery and persistence tactics
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\msra.exe" ParentCommandLine="*msra.exe" Image IN ("*\\arp.exe", "*\\cmd.exe", "*\\net.exe", "*\\netstat.exe", "*\\nslookup.exe", "*\\route.exe", "*\\schtasks.exe", "*\\whoami.exe") | fields - _raw | collect index=notable_events source="Potential Process Injection Via Msra.EXE" marker="guid=744a188b-0415-4792-896f-11ddb0588dbc,tags=attack.defense-evasion,tags=attack.t1055,"
+[Compress Data and Lock With Password for Exfiltration With WINZIP]
+description = An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*winzip.exe*", "*winzip64.exe*") CommandLine="*-s\"*" CommandLine IN ("* -min *", "* -a *") | fields - _raw | collect index=notable_events source="Compress Data and Lock With Password for Exfiltration With WINZIP" marker="guid=e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d,tags=attack.collection,tags=attack.t1560.001,"
+[Audit Policy Tampering Via NT Resource Kit Auditpol]
+description = Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*/logon:none*", "*/system:none*", "*/sam:none*", "*/privilege:none*", "*/object:none*", "*/process:none*", "*/policy:none*") | fields - _raw | collect index=notable_events source="Audit Policy Tampering Via NT Resource Kit Auditpol" marker="guid=c6c56ada-612b-42d1-9a29-adad3c5c2c1e,tags=attack.defense-evasion,tags=attack.t1562.002,"
+[Assembly Loading Via CL_LoadAssembly.ps1]
+description = Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*LoadAssemblyFromPath *", "*LoadAssemblyFromNS *") | fields - _raw | collect index=notable_events source="Assembly Loading Via CL_LoadAssembly.ps1" marker="guid=c57872c7-614f-4d7f-a40d-b78c8df2d30d,tags=attack.defense-evasion,tags=attack.t1216,"
+[Delete All Scheduled Tasks]
+description = Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" CommandLine="* /delete *" CommandLine="*/tn \**" CommandLine="* /f*" | fields - _raw | collect index=notable_events source="Delete All Scheduled Tasks" marker="guid=220457c1-1c9f-4c2e-afe6-9598926222c1,tags=attack.impact,tags=attack.t1489,"
+[PUA - NPS Tunneling Tool Execution]
+description = Detects the use of NPS, a port forwarding and intranet penetration proxy server
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\npc.exe" OR (CommandLine="* -server=*" CommandLine="* -vkey=*" CommandLine="* -password=*") OR CommandLine="* -config=npc*" OR Hashes IN ("*MD5=AE8ACF66BFE3A44148964048B826D005*", "*SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181*", "*SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856*") OR md5="ae8acf66bfe3a44148964048b826d005" OR sha1="cea49e9b9b67f3a13ad0be1c2655293ea3c18181" OR sha256="5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856" | fields - _raw | collect index=notable_events source="PUA - NPS Tunneling Tool Execution" marker="guid=68d37776-61db-42f5-bf54-27e87072d17e,tags=attack.command-and-control,tags=attack.t1090,"
+[UAC Bypass Using ChangePK and SLUI]
+description = Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\changepk.exe" ParentImage="*\\slui.exe" IntegrityLevel IN ("High", "System") | fields - _raw | collect index=notable_events source="UAC Bypass Using ChangePK and SLUI" marker="guid=503d581c-7df0-4bbe-b9be-5840c0ecc1fc,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,"
+[Import PowerShell Modules From Suspicious Directories - ProcCreation]
+description = Detects powershell scripts that import modules from suspicious directories
+search = index=evtx 
_index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Import-Module \"$Env:Temp\\*", "*Import-Module '$Env:Temp\\*", "*Import-Module $Env:Temp\\*", "*Import-Module \"$Env:Appdata\\*", "*Import-Module '$Env:Appdata\\*", "*Import-Module $Env:Appdata\\*", "*Import-Module C:\\Users\\Public\\*", "*ipmo \"$Env:Temp\\*", "*ipmo '$Env:Temp\\*", "*ipmo $Env:Temp\\*", "*ipmo \"$Env:Appdata\\*", "*ipmo '$Env:Appdata\\*", "*ipmo $Env:Appdata\\*", "*ipmo C:\\Users\\Public\\*") | fields - _raw | collect index=notable_events source="Import PowerShell Modules From Suspicious Directories - ProcCreation" marker="guid=c31364f7-8be6-4b77-8483-dd2b5a7b69a3,tags=attack.execution,tags=attack.t1059.001,"
+[Suspicious Microsoft OneNote Child Process]
+description = Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\onenote.exe" OriginalFileName IN ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe") OR Image IN ("*\\AppVLP.exe", "*\\bash.exe", "*\\bitsadmin.exe", "*\\certoc.exe", "*\\certutil.exe", "*\\cmd.exe", "*\\cmstp.exe", "*\\control.exe", "*\\cscript.exe", "*\\curl.exe", "*\\forfiles.exe", "*\\hh.exe", "*\\ieexec.exe", "*\\installutil.exe", "*\\javaw.exe", "*\\mftrace.exe", "*\\Microsoft.Workflow.Compiler.exe", "*\\msbuild.exe", "*\\msdt.exe", "*\\mshta.exe", "*\\msidb.exe", "*\\msiexec.exe", "*\\msxsl.exe", "*\\odbcconf.exe", "*\\pcalua.exe", 
"*\\powershell.exe", "*\\pwsh.exe", "*\\regasm.exe", "*\\regsvcs.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\schtasks.exe", "*\\scrcons.exe", "*\\scriptrunner.exe", "*\\sh.exe", "*\\svchost.exe", "*\\verclsid.exe", "*\\wmic.exe", "*\\workfolders.exe", "*\\wscript.exe") OR (Image="*\\explorer.exe" CommandLine IN ("*.hta*", "*.vb*", "*.wsh*", "*.js*", "*.ps*", "*.scr*", "*.pif*", "*.bat*", "*.cmd*")) OR Image IN ("*\\AppData\\*", "*\\Users\\Public\\*", "*\\ProgramData\\*", "*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\System32\\Tasks\\*") NOT ((Image="*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe" CommandLine="*-Embedding") OR (Image="*\\AppData\\Local\\Microsoft\\OneDrive\\*" Image="*\\FileCoAuth.exe" CommandLine="*-Embedding")) | fields - _raw | collect index=notable_events source="Suspicious Microsoft OneNote Child Process" marker="guid=c27515df-97a9-4162-8a60-dc0eeb51b775,tags=attack.t1566,tags=attack.t1566.001,tags=attack.initial-access,"
+[Process Memory Dump Via Dotnet-Dump]
+description = Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dotnet-dump.exe" OR OriginalFileName="dotnet-dump.dll" CommandLine="*collect*" | fields - _raw | collect index=notable_events source="Process Memory Dump Via Dotnet-Dump" marker="guid=53d8d3e1-ca33-4012-adf3-e05a4d652e34,tags=attack.defense-evasion,tags=attack.t1218,"
+[Remote Access Tool - ScreenConnect Installation Execution]
+description = Detects ScreenConnect program starts that establish a remote access to a system. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*e=Access&*" CommandLine="*y=Guest&*" CommandLine="*&p=*" CommandLine="*&c=*" CommandLine="*&k=*" | fields - _raw | collect index=notable_events source="Remote Access Tool - ScreenConnect Installation Execution" marker="guid=75bfe6e6-cd8e-429e-91d3-03921e1d7962,tags=attack.initial-access,tags=attack.t1133,"
+[RDP Connection Allowed Via Netsh.EXE]
+description = Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" CommandLine="*firewall *" CommandLine="*add *" CommandLine="*tcp *" CommandLine="*3389*" CommandLine IN ("*portopening*", "*allow*") | fields - _raw | collect index=notable_events source="RDP Connection Allowed Via Netsh.EXE" marker="guid=01aeb693-138d-49d2-9403-c4f52d7d3d62,tags=attack.defense-evasion,tags=attack.t1562.004,"
+[Potential COM Objects Download Cradles Usage - Process Creation]
+description = Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*[Type]::GetTypeFromCLSID(*" CommandLine IN ("*0002DF01-0000-0000-C000-000000000046*", "*F6D90F16-9C73-11D3-B32E-00C04F990BB4*", "*F5078F35-C551-11D3-89B9-0000F81FE221*", "*88d96a0a-f192-11d4-a65f-0040963251e5*", "*AFBA6B42-5692-48EA-8141-DC517DCF0EF1*", "*AFB40FFD-B609-40A3-9828-F88BBE11E4E3*", "*88d96a0b-f192-11d4-a65f-0040963251e5*", "*2087c2f4-2cef-4953-a8ab-66779b670495*", "*000209FF-0000-0000-C000-000000000046*", "*00024500-0000-0000-C000-000000000046*") | fields - _raw | collect index=notable_events source="Potential COM Objects Download Cradles Usage - Process Creation" 
marker="guid=02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf,tags=attack.command-and-control,tags=attack.t1105,"
+[Suspicious Parent Double Extension File Execution]
+description = Detect execution of suspicious double extension files in ParentCommandLine
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*.doc.lnk", "*.docx.lnk", "*.xls.lnk", "*.xlsx.lnk", "*.ppt.lnk", "*.pptx.lnk", "*.rtf.lnk", "*.pdf.lnk", "*.txt.lnk", "*.doc.js", "*.docx.js", "*.xls.js", "*.xlsx.js", "*.ppt.js", "*.pptx.js", "*.rtf.js", "*.pdf.js", "*.txt.js") OR ParentCommandLine IN ("*.doc.lnk*", "*.docx.lnk*", "*.xls.lnk*", "*.xlsx.lnk*", "*.ppt.lnk*", "*.pptx.lnk*", "*.rtf.lnk*", "*.pdf.lnk*", "*.txt.lnk*", "*.doc.js*", "*.docx.js*", "*.xls.js*", "*.xlsx.js*", "*.ppt.js*", "*.pptx.js*", "*.rtf.js*", "*.pdf.js*", "*.txt.js*") | fields - _raw | collect index=notable_events source="Suspicious Parent Double Extension File Execution" marker="guid=5e6a80c8-2d45-4633-9ef4-fa2671a39c5c,tags=attack.defense-evasion,tags=attack.t1036.007,"
+[Change Default File Association To Executable Via Assoc]
+description = Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine="*assoc *" CommandLine="*exefile*" NOT CommandLine="*.exe=exefile*" | fields - _raw | collect index=notable_events source="Change Default File Association To Executable Via Assoc" marker="guid=ae6f14e6-14de-45b0-9f44-c0986f50dc89,tags=attack.persistence,tags=attack.t1546.001,"
+[HackTool - LocalPotato Execution]
+description = Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\LocalPotato.exe" OR (CommandLine="*.exe -i C:\\*" CommandLine="*-o Windows\\*") OR Hashes IN ("*IMPHASH=E1742EE971D6549E8D4D81115F88F1FC*", "*IMPHASH=DD82066EFBA94D7556EF582F247C8BB5*") OR Imphash IN ("E1742EE971D6549E8D4D81115F88F1FC", "DD82066EFBA94D7556EF582F247C8BB5") | fields - _raw | collect index=notable_events source="HackTool - LocalPotato Execution" marker="guid=6bd75993-9888-4f91-9404-e1e4e4e34b77,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=cve.2023-21746,"
+[DumpStack.log Defender Evasion]
+description = Detects the use of the filename DumpStack.log to evade Microsoft Defender
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\DumpStack.log" OR CommandLine="* -o DumpStack.log*" | fields - _raw | collect index=notable_events source="DumpStack.log Defender Evasion" marker="guid=4f647cfa-b598-4e12-ad69-c68dd16caef8,tags=attack.defense-evasion,"
+[Malicious Base64 Encoded PowerShell Keywords in Command Lines]
+description = Detects base64 encoded strings used in hidden malicious PowerShell command lines
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN 
("PowerShell.EXE", "pwsh.dll") CommandLine="* hidden *" CommandLine IN ("*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*", "*aXRzYWRtaW4gL3RyYW5zZmVy*", "*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*", "*JpdHNhZG1pbiAvdHJhbnNmZX*", "*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*", "*Yml0c2FkbWluIC90cmFuc2Zlc*", "*AGMAaAB1AG4AawBfAHMAaQB6AGUA*", "*JABjAGgAdQBuAGsAXwBzAGkAegBlA*", "*JGNodW5rX3Npem*", "*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*", "*RjaHVua19zaXpl*", "*Y2h1bmtfc2l6Z*", "*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*", "*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*", "*lPLkNvbXByZXNzaW9u*", "*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*", "*SU8uQ29tcHJlc3Npb2*", "*Ty5Db21wcmVzc2lvb*", "*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*", "*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*", "*lPLk1lbW9yeVN0cmVhb*", "*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*", "*SU8uTWVtb3J5U3RyZWFt*", "*Ty5NZW1vcnlTdHJlYW*", "*4ARwBlAHQAQwBoAHUAbgBrA*", "*5HZXRDaHVua*", "*AEcAZQB0AEMAaAB1AG4Aaw*", "*LgBHAGUAdABDAGgAdQBuAGsA*", "*LkdldENodW5r*", "*R2V0Q2h1bm*", "*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*", "*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*", "*RIUkVBRF9JTkZPNj*", "*SFJFQURfSU5GTzY0*", "*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*", "*VEhSRUFEX0lORk82N*", "*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*", "*cmVhdGVSZW1vdGVUaHJlYW*", "*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*", "*NyZWF0ZVJlbW90ZVRocmVhZ*", "*Q3JlYXRlUmVtb3RlVGhyZWFk*", "*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*", "*0AZQBtAG0AbwB2AGUA*", "*1lbW1vdm*", "*AGUAbQBtAG8AdgBlA*", "*bQBlAG0AbQBvAHYAZQ*", "*bWVtbW92Z*", "*ZW1tb3Zl*") | fields - _raw | collect index=notable_events source="Malicious Base64 Encoded PowerShell Keywords in Command Lines" marker="guid=f26c6093-6f14-4b12-800f-0fcb46f5ffd0,tags=attack.execution,tags=attack.t1059.001,"
+[BitLockerTogo.EXE Execution]
+description = Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. 
This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\BitLockerToGo.exe" | fields - _raw | collect index=notable_events source="BitLockerTogo.EXE Execution" marker="guid=7f2376f9-42ee-4dfc-9360-fecff9a88fc8,tags=attack.defense-evasion,tags=attack.t1218,"
+[PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE]
+description = Detects active directory enumeration activity using known AdFind CLI flags
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*lockoutduration*", "*lockoutthreshold*", "*lockoutobservationwindow*", "*maxpwdage*", "*minpwdage*", "*minpwdlength*", "*pwdhistorylength*", "*pwdproperties*") OR CommandLine="*-sc admincountdmp*" OR CommandLine="*-sc exchaddresses*" | fields - _raw | collect index=notable_events source="PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" marker="guid=455b9d50-15a1-4b99-853f-8d37655a4c1b,tags=attack.discovery,tags=attack.t1087.002,"
+[SQLite Firefox Profile Data DB Access]
+description = Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="SQLite" OR Image IN ("*\\sqlite.exe", "*\\sqlite3.exe") CommandLine IN ("*cookies.sqlite*", "*places.sqlite*") | fields - _raw | collect index=notable_events source="SQLite Firefox Profile Data DB Access" marker="guid=4833155a-4053-4c9c-a997-777fcea0baa7,tags=attack.credential-access,tags=attack.t1539,tags=attack.collection,tags=attack.t1005,"
+[Response File Execution Via Odbcconf.EXE]
+description = Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\odbcconf.exe" OR OriginalFileName="odbcconf.exe" CommandLine="* -f *" OR CommandLine="* /f *" OR CommandLine="* –f *" OR CommandLine="* —f *" OR CommandLine="* ―f *" CommandLine="*.rsp*" | fields - _raw | collect index=notable_events source="Response File Execution Via Odbcconf.EXE" marker="guid=5f03babb-12db-4eec-8c82-7b4cb5580868,tags=attack.defense-evasion,tags=attack.t1218.008,"
+[New Port Forwarding Rule Added Via Netsh.EXE]
+description = Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" (CommandLine="*interface*" CommandLine="*portproxy*" CommandLine="*add*" CommandLine="*v4tov4*") OR (CommandLine="*i *" CommandLine="*p *" CommandLine="*a *" CommandLine="*v *") OR (CommandLine="*connectp*" CommandLine="*listena*" CommandLine="*c=*") | fields - _raw | collect index=notable_events source="New Port Forwarding Rule Added Via Netsh.EXE" marker="guid=322ed9ec-fcab-4f67-9a34-e7c6aef43614,tags=attack.lateral-movement,tags=attack.defense-evasion,tags=attack.command-and-control,tags=attack.t1090,"
+[New Process Created Via Taskmgr.EXE] 
+description = Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\taskmgr.exe" NOT (Image IN ("*:\\Windows\\System32\\mmc.exe", "*:\\Windows\\System32\\resmon.exe", "*:\\Windows\\System32\\Taskmgr.exe")) | fields - _raw | collect index=notable_events source="New Process Created Via Taskmgr.EXE" marker="guid=3d7679bd-0c00-440c-97b0-3f204273e6c7,tags=attack.defense-evasion,tags=attack.t1036,"
+[Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call]
+description = Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ*", "*oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA*", "*6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA*", "*OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ*", "*oAOgAoACIATABvACIAKwAiAGEAZAAiACkA*", "*6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA*", "*OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ*", "*oAOgAoACIATABvAGEAIgArACIAZAAiACkA*", "*6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA*", "*OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ*", "*oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA*", "*6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA*", "*OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ*", "*oAOgAoACcATABvACcAKwAnAGEAZAAnACkA*", "*6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA*", "*OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ*", "*oAOgAoACcATABvAGEAJwArACcAZAAnACkA*", "*6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA*") | table CommandLine | fields - _raw | collect index=notable_events source="Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call" marker="guid=9c0295ce-d60d-40bd-bd74-84673b7592b1,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1059.001,tags=attack.t1027,"
+[Driver/DLL Installation Via Odbcconf.EXE]
+description = Detects execution of "odbcconf" with "INSTALLDRIVER" which 
installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\odbcconf.exe" OR OriginalFileName="odbcconf.exe" CommandLine="*INSTALLDRIVER *" CommandLine="*.dll*" | fields - _raw | collect index=notable_events source="Driver/DLL Installation Via Odbcconf.EXE" marker="guid=3f5491e2-8db8-496b-9e95-1029fce852d4,tags=attack.defense-evasion,tags=attack.t1218.008,"
+[Suspicious Powercfg Execution To Change Lock Screen Timeout]
+description = Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\powercfg.exe" OR OriginalFileName="PowerCfg.exe" (CommandLine="*/setacvalueindex *" CommandLine="*SCHEME_CURRENT*" CommandLine="*SUB_VIDEO*" CommandLine="*VIDEOCONLOCK*") OR (CommandLine="*-change *" CommandLine="*-standby-timeout-*") | fields - _raw | collect index=notable_events source="Suspicious Powercfg Execution To Change Lock Screen Timeout" marker="guid=f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b,tags=attack.defense-evasion,"
+[Potential UAC Bypass Via Sdclt.EXE]
+description = A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*sdclt.exe" IntegrityLevel="High" | fields - _raw | collect index=notable_events source="Potential UAC Bypass Via Sdclt.EXE" marker="guid=40f9af16-589d-4984-b78d-8c2aec023197,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1548.002,"
+[PowerShell Download and Execution Cradles]
+description = Detects PowerShell download and execution cradles. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*.DownloadString(*", "*.DownloadFile(*", "*Invoke-WebRequest *", "*iwr *") CommandLine IN ("*;iex $*", "*| IEX*", "*|IEX *", "*I`E`X*", "*I`EX*", "*IE`X*", "*iex *", "*IEX (*", "*IEX(*", "*Invoke-Expression*") | fields - _raw | collect index=notable_events source="PowerShell Download and Execution Cradles" marker="guid=85b0b087-eddf-4a2b-b033-d771fa2b9775,tags=attack.execution,tags=attack.t1059,"
+[Use of Wfc.exe]
+description = The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wfc.exe" OR OriginalFileName="wfc.exe" | fields - _raw | collect index=notable_events source="Use of Wfc.exe" marker="guid=49be8799-7b4d-4fda-ad23-cafbefdebbc5,tags=attack.defense-evasion,tags=attack.t1127,"
+[Potentially Suspicious Execution From Parent Process In Public Folder]
+description = Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*:\\Users\\Public\\*" Image IN ("*\\bitsadmin.exe", "*\\certutil.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR CommandLine IN ("*bitsadmin*", "*certutil*", "*cscript*", "*mshta*", "*powershell*", "*regsvr32*", "*rundll32*", "*wscript*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Execution From Parent Process In Public Folder" marker="guid=69bd9b97-2be2-41b6-9816-fb08757a4d1a,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1564,tags=attack.t1059,"
+[Code Execution via Pcwutl.dll]
+description = Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*pcwutl*" CommandLine="*LaunchApplication*" | fields - _raw | collect index=notable_events source="Code Execution via Pcwutl.dll" marker="guid=9386d78a-7207-4048-9c9f-a93a7c2d1c05,tags=attack.defense-evasion,tags=attack.t1218.011,"
+[Potential Binary Proxy Execution Via Cdb.EXE]
+description = Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cdb.exe" OR OriginalFileName="CDB.Exe" CommandLine IN ("* -c *", "* -cf *") | fields - _raw | collect index=notable_events source="Potential Binary Proxy Execution Via Cdb.EXE" marker="guid=b5c7395f-e501-4a08-94d4-57fe7a9da9d2,tags=attack.execution,tags=attack.t1106,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1127,"
+[Uncommon Child Process Of Defaultpack.EXE]
+description = Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy
to launch other programs
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\DefaultPack.exe" | fields - _raw | collect index=notable_events source="Uncommon Child Process Of Defaultpack.EXE" marker="guid=b2309017-4235-44fe-b5af-b15363011957,tags=attack.t1218,tags=attack.defense-evasion,tags=attack.execution,"
+[Add Potential Suspicious New Download Source To Winget]
+description = Detects usage of winget to add new potentially suspicious download sources
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\winget.exe" OR OriginalFileName="winget.exe" CommandLine="*source *" CommandLine="*add *"\
+| regex CommandLine="://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" | fields - _raw | collect index=notable_events source="Add Potential Suspicious New Download Source To Winget" marker="guid=c15a46a0-07d4-4c87-b4b6-89207835a83b,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1059,"
+[Uncommon Assistive Technology Applications Execution Via AtBroker.EXE]
+description = Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\AtBroker.exe" OR OriginalFileName="AtBroker.exe" CommandLine="*start*" NOT (CommandLine IN ("*animations*", "*audiodescription*", "*caretbrowsing*", "*caretwidth*", "*colorfiltering*", "*cursorindicator*", "*cursorscheme*", "*filterkeys*", "*focusborderheight*", "*focusborderwidth*", "*highcontrast*", "*keyboardcues*", "*keyboardpref*", "*livecaptions*", "*magnifierpane*", "*messageduration*", "*minimumhitradius*", "*mousekeys*", "*Narrator*", "*osk*", "*overlappedcontent*", "*showsounds*", "*soundsentry*", "*speechreco*", "*stickykeys*", "*togglekeys*", "*voiceaccess*", "*windowarranging*", "*windowtracking*", "*windowtrackingtimeout*", "*windowtrackingzorder*")) NOT CommandLine="*Oracle_JavaAccessBridge*" | fields - _raw | collect index=notable_events source="Uncommon Assistive Technology Applications Execution Via AtBroker.EXE" marker="guid=f24bcaea-0cd1-11eb-adc1-0242ac120002,tags=attack.defense-evasion,tags=attack.t1218,"
+[Suspicious Use of PsLogList]
+description = Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="psloglist.exe" OR Image IN ("*\\psloglist.exe", "*\\psloglist64.exe") CommandLine IN ("* security*", "* application*", "* system*") CommandLine="* -d*" OR CommandLine="* /d*" OR CommandLine="* –d*" OR CommandLine="* —d*" OR CommandLine="* ―d*" OR CommandLine="* -x*" OR CommandLine="* /x*" OR CommandLine="* –x*" OR CommandLine="* —x*" OR CommandLine="* ―x*" OR CommandLine="* -s*" OR CommandLine="* /s*" OR CommandLine="* –s*" OR CommandLine="* —s*" OR CommandLine="* ―s*" OR CommandLine="* -c*" OR CommandLine="* /c*" OR CommandLine="* –c*" OR CommandLine="* —c*" OR CommandLine="* ―c*" OR CommandLine="* -g*" OR CommandLine="* /g*" OR
CommandLine="* –g*" OR CommandLine="* —g*" OR CommandLine="* ―g*" | fields - _raw | collect index=notable_events source="Suspicious Use of PsLogList" marker="guid=aae1243f-d8af-40d8-ab20-33fc6d0c55bc,tags=attack.discovery,tags=attack.t1087,tags=attack.t1087.001,tags=attack.t1087.002,"
+[File Download via CertOC.EXE]
+description = Detects when a user downloads a file by using CertOC.exe
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certoc.exe" OR OriginalFileName="CertOC.exe" CommandLine="*-GetCACAPS*" CommandLine="*http*" | fields - _raw | collect index=notable_events source="File Download via CertOC.EXE" marker="guid=70ad0861-d1fe-491c-a45f-fa48148a300d,tags=attack.command-and-control,tags=attack.t1105,"
+[Execution of Powershell Script in Public Folder]
+description = This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("*-f C:\\Users\\Public*", "*-f \"C:\\Users\\Public*", "*-f %Public%*", "*-fi C:\\Users\\Public*", "*-fi \"C:\\Users\\Public*", "*-fi %Public%*", "*-fil C:\\Users\\Public*", "*-fil \"C:\\Users\\Public*", "*-fil %Public%*", "*-file C:\\Users\\Public*", "*-file \"C:\\Users\\Public*", "*-file %Public%*") | table CommandLine | fields - _raw | collect index=notable_events source="Execution of Powershell Script in Public Folder" marker="guid=fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4,tags=attack.execution,tags=attack.t1059.001,"
+[Suspicious IIS Module Registration]
+description = Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\w3wp.exe" CommandLine="*appcmd.exe add module*" OR (CommandLine="*
system.enterpriseservices.internal.publish*" Image="*\\powershell.exe") OR (CommandLine="*gacutil*" CommandLine="* /I*") | fields - _raw | collect index=notable_events source="Suspicious IIS Module Registration" marker="guid=043c4b8b-3a54-4780-9682-081cb6b8185c,tags=attack.persistence,tags=attack.t1505.004,"
+[Base64 MZ Header In CommandLine]
+description = Detects encoded base64 MZ header in the commandline
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*TVqQAAMAAAAEAAAA*", "*TVpQAAIAAAAEAA8A*", "*TVqAAAEAAAAEABAA*", "*TVoAAAAAAAAAAAAA*", "*TVpTAQEAAAAEAAAA*") | fields - _raw | collect index=notable_events source="Base64 MZ Header In CommandLine" marker="guid=22e58743-4ac8-4a9f-bf19-00a0428d8c5f,tags=attack.execution,"
+[Active Directory Structure Export Via Ldifde.EXE]
+description = Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ldifde.exe" OR OriginalFileName="ldifde.exe" CommandLine="*-f*" NOT CommandLine="* -i*" | fields - _raw | collect index=notable_events source="Active Directory Structure Export Via Ldifde.EXE" marker="guid=4f7a6757-ff79-46db-9687-66501a02d9ec,tags=attack.exfiltration,"
+[Sdclt Child Processes]
+description = A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\sdclt.exe" | fields - _raw | collect index=notable_events source="Sdclt Child Processes" marker="guid=da2738f2-fadb-4394-afa7-0a0674885afa,tags=attack.privilege-escalation,tags=attack.t1548.002,"
+[HackTool - SharpUp PrivEsc Tool Execution]
+description = Detects the use of SharpUp, a tool for local privilege escalation
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SharpUp.exe" OR Description="SharpUp" OR CommandLine IN ("*HijackablePaths*", "*UnquotedServicePath*", "*ProcessDLLHijack*", "*ModifiableServiceBinaries*", "*ModifiableScheduledTask*", "*DomainGPPPassword*", "*CachedGPPPassword*") | fields - _raw | collect index=notable_events source="HackTool - SharpUp PrivEsc Tool Execution" marker="guid=c484e533-ee16-4a93-b6ac-f0ea4868b2f1,tags=attack.privilege-escalation,tags=attack.t1615,tags=attack.t1569.002,tags=attack.t1574.005,"
+[Suspicious Process Execution From Fake Recycle.Bin Folder]
+description = Detects process execution from a fake recycle bin folder, often used to avoid security solution.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*RECYCLERS.BIN\\*", "*RECYCLER.BIN\\*") | fields - _raw | collect index=notable_events source="Suspicious Process Execution From Fake Recycle.Bin Folder" marker="guid=5ce0f04e-3efc-42af-839d-5b3a543b76c0,tags=attack.persistence,tags=attack.defense-evasion,"
+[Cscript/Wscript Potentially Suspicious Child Process]
+description = Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\wscript.exe", "*\\cscript.exe") Image="*\\rundll32.exe" OR (Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe") (CommandLine="*mshta*" CommandLine="*http*") OR CommandLine IN ("*rundll32*", "*regsvr32*", "*msiexec*")) NOT (Image="*\\rundll32.exe" CommandLine IN ("*UpdatePerUserSystemParameters*", "*PrintUIEntry*", "*ClearMyTracksByProcess*")) | fields - _raw | collect index=notable_events source="Cscript/Wscript Potentially Suspicious Child Process" marker="guid=b6676963-0353-4f88-90f5-36c20d443c6a,tags=attack.execution,"
+[Potentially Suspicious WebDAV LNK Execution]
+description = Detects possible execution via LNK file accessed on a WebDAV server.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\explorer.exe" Image IN ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe") CommandLine="*\\DavWWWRoot\\*" | fields - _raw | collect index=notable_events source="Potentially Suspicious WebDAV LNK Execution" marker="guid=1412aa78-a24c-4abd-83df-767dfb2c5bbe,tags=attack.execution,tags=attack.t1059.001,tags=attack.t1204,"
+[PUA- IOX Tunneling Tool Execution]
+description = Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\iox.exe" OR CommandLine IN ("*.exe fwd -l *", "*.exe fwd -r *", "*.exe proxy -l *", "*.exe proxy -r *") OR Hashes IN ("*MD5=9DB2D314DD3F704A02051EF5EA210993*", "*SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD*", "*SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731*") OR md5="9db2d314dd3f704a02051ef5ea210993" OR sha1="039130337e28a6623ecf9a0a3da7d92c5964d8dd" OR sha256="c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731" | fields - _raw | collect
index=notable_events source="PUA- IOX Tunneling Tool Execution" marker="guid=d7654f02-e04b-4934-9838-65c46f187ebc,tags=attack.command-and-control,tags=attack.t1090,"
+[Proxy Execution Via Wuauclt.EXE]
+description = Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wuauclt.exe" OR OriginalFileName="wuauclt.exe" CommandLine="*UpdateDeploymentProvider*" CommandLine="*RunHandlerComServer*" NOT (CommandLine="* /UpdateDeploymentProvider UpdateDeploymentProvider.dll *" OR CommandLine="* wuaueng.dll *" OR CommandLine IN ("*:\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId*", "*:\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId*") OR (CommandLine="*:\\Windows\\WinSxS\\*" CommandLine="*\\UpdateDeploy.dll /ClassId *")) | fields - _raw | collect index=notable_events source="Proxy Execution Via Wuauclt.EXE" marker="guid=af77cf95-c469-471c-b6a0-946c685c4798,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.execution,"
+[Renamed Jusched.EXE Execution]
+description = Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description IN ("Java Update Scheduler", "Java(TM) Update Scheduler") NOT Image="*\\jusched.exe" | fields - _raw | collect index=notable_events source="Renamed Jusched.EXE Execution" marker="guid=edd8a48c-1b9f-4ba1-83aa-490338cd1ccb,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1036.003,"
+[Curl Web Request With Potential Custom User-Agent]
+description = Detects execution of "curl.exe" with a potential custom "User-Agent".
Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\curl.exe" OR OriginalFileName="curl.exe" CommandLine="*User-Agent:*"\
+| regex CommandLine="\\s-H\\s" | fields - _raw | collect index=notable_events source="Curl Web Request With Potential Custom User-Agent" marker="guid=85de1f22-d189-44e4-8239-dc276b45379b,tags=attack.execution,"
+[Use of W32tm as Timer]
+description = When configured with suitable command line arguments, w32tm can act as a delay mechanism
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\w32tm.exe" OR OriginalFileName="w32time.dll" CommandLine="*/stripchart*" CommandLine="*/computer:*" CommandLine="*/period:*" CommandLine="*/dataonly*" CommandLine="*/samples:*" | fields - _raw | collect index=notable_events source="Use of W32tm as Timer" marker="guid=6da2c9f5-7c53-401b-aacb-92c040ce1215,tags=attack.discovery,tags=attack.t1124,"
+[User Added to Remote Desktop Users Group]
+description = Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*localgroup *" CommandLine="* /add*") OR (CommandLine="*Add-LocalGroupMember *" CommandLine="* -Group *") CommandLine IN ("*Remote Desktop Users*", "*Utilisateurs du Bureau à distance*", "*Usuarios de escritorio remoto*") | fields - _raw | collect index=notable_events source="User Added to Remote Desktop Users Group" marker="guid=ffa28e60-bdb1-46e0-9f82-05f7a61cc06e,tags=attack.persistence,tags=attack.lateral-movement,tags=attack.t1133,tags=attack.t1136.001,tags=attack.t1021.001,"
+[Diskshadow Script Mode - Uncommon Script Extension Execution]
+description = Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="diskshadow.exe" OR Image="*\\diskshadow.exe" CommandLine="*-s *" OR CommandLine="*/s *" OR CommandLine="*–s *" OR CommandLine="*—s *" OR CommandLine="*―s *" NOT CommandLine="*.txt*" | fields - _raw | collect index=notable_events source="Diskshadow Script Mode - Uncommon Script Extension Execution" marker="guid=1dde5376-a648-492e-9e54-4241dd9b0c7f,tags=attack.defense-evasion,tags=attack.t1218,"
+[Suspicious Schtasks Execution AppData Folder]
+description = Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" CommandLine="*/Create*" CommandLine="*/RU*" CommandLine="*/TR*" CommandLine="*C:\\Users\\*" CommandLine="*\\AppData\\Local\\*" CommandLine IN ("*NT AUT*", "* SYSTEM *") NOT (ParentImage="*\\AppData\\Local\\Temp\\*" ParentImage="*TeamViewer_.exe*" Image="*\\schtasks.exe" CommandLine="*/TN TVInstallRestore*") | fields - _raw | collect index=notable_events
source="Suspicious Schtasks Execution AppData Folder" marker="guid=c5c00f49-b3f9-45a6-997e-cfdecc6e1967,tags=attack.execution,tags=attack.persistence,tags=attack.t1053.005,tags=attack.t1059.001,"
+[SQLite Chromium Profile Data DB Access]
+description = Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="SQLite" OR Image IN ("*\\sqlite.exe", "*\\sqlite3.exe") CommandLine IN ("*\\User Data\\*", "*\\Opera Software\\*", "*\\ChromiumViewer\\*") CommandLine IN ("*Login Data*", "*Cookies*", "*Web Data*", "*History*", "*Bookmarks*") | fields - _raw | collect index=notable_events source="SQLite Chromium Profile Data DB Access" marker="guid=24c77512-782b-448a-8950-eddb0785fc71,tags=attack.credential-access,tags=attack.t1539,tags=attack.t1555.003,tags=attack.collection,tags=attack.t1005,"
+[Suspicious Network Command]
+description = Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*ipconfig /all*", "*netsh interface show interface*", "*arp -a*", "*nbtstat -n*", "*net config*", "*route print*") | fields - _raw | collect index=notable_events source="Suspicious Network Command" marker="guid=a29c1813-ab1f-4dde-b489-330b952e91ae,tags=attack.discovery,tags=attack.t1016,"
+[Permission Misconfiguration Reconnaissance Via Findstr.EXE]
+description = Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image IN ("*\\find.exe", "*\\findstr.exe") OR OriginalFileName IN ("FIND.EXE", "FINDSTR.EXE") CommandLine IN ("*\"Everyone\"*", "*'Everyone'*", "*\"BUILTIN\\\"*", "*'BUILTIN\\'*")) OR (CommandLine="*icacls *" CommandLine="*findstr *" CommandLine="*Everyone*") | fields - _raw | collect index=notable_events source="Permission Misconfiguration Reconnaissance Via Findstr.EXE" marker="guid=47e4bab7-c626-47dc-967b-255608c9a920,tags=attack.credential-access,tags=attack.t1552.006,"
+[Suspicious Provlaunch.EXE Child Process]
+description = Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\provlaunch.exe" Image IN ("*\\calc.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\notepad.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR Image IN ("*:\\PerfLogs\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*\\AppData\\Temp\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*") | fields - _raw | collect index=notable_events source="Suspicious Provlaunch.EXE Child Process" marker="guid=f9999590-1f94-4a34-a91e-951e47bedefd,tags=attack.defense-evasion,tags=attack.t1218,"
+[File Download Via Bitsadmin To A Suspicious Target Folder]
+description = Detects usage of bitsadmin downloading a file to a suspicious target folder
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\bitsadmin.exe" OR OriginalFileName="bitsadmin.exe" CommandLine IN ("* /transfer *", "* /create *", "* /addfile *") CommandLine IN ("*:\\Perflogs*", "*:\\ProgramData\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Desktop\\*",
"*%ProgramData%*", "*%public%*") | fields - _raw | collect index=notable_events source="File Download Via Bitsadmin To A Suspicious Target Folder" marker="guid=2ddef153-167b-4e89-86b6-757a9e65dcac,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,tags=attack.s0190,tags=attack.t1036.003,"
+[Hidden Powershell in Link File Pattern]
+description = Detects events that appear when a user click on a link file with a powershell command in it
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="*powershell*" CommandLine="*.lnk*" | fields - _raw | collect index=notable_events source="Hidden Powershell in Link File Pattern" marker="guid=30e92f50-bb5a-4884-98b5-d20aa80f3d7a,tags=attack.execution,tags=attack.t1059.001,"
+[DllUnregisterServer Function Call Via Msiexec.EXE]
+description = Detects MsiExec loading a DLL and calling its DllUnregisterServer function
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msiexec.exe" OR OriginalFileName="\\msiexec.exe" CommandLine="* -z *" OR CommandLine="* /z *" OR CommandLine="* –z *" OR CommandLine="* —z *" OR CommandLine="* ―z *" CommandLine="*.dll*" | fields - _raw | collect index=notable_events source="DllUnregisterServer Function Call Via Msiexec.EXE" marker="guid=84f52741-8834-4a8c-a413-2eb2269aa6c8,tags=attack.defense-evasion,tags=attack.t1218.007,"
+[Insensitive Subfolder Search Via Findstr.EXE]
+description = Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*findstr*" OR Image="*findstr.exe" OR OriginalFileName="FINDSTR.EXE" CommandLine="* -s *" OR CommandLine="* /s *" OR CommandLine="* –s *" OR CommandLine="* —s *" OR CommandLine="* ―s *" CommandLine="* -i *" OR CommandLine="* /i *" OR CommandLine="* –i *" OR CommandLine="* —i *" OR CommandLine="* ―i *" | fields - _raw | collect index=notable_events source="Insensitive Subfolder Search Via Findstr.EXE" marker="guid=04936b66-3915-43ad-a8e5-809eadfd1141,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1564.004,tags=attack.t1552.001,tags=attack.t1105,"
+[PowerShell SAM Copy]
+description = Detects suspicious PowerShell scripts accessing SAM hives
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\HarddiskVolumeShadowCopy*" CommandLine="*System32\\config\\sam*" CommandLine IN ("*Copy-Item*", "*cp $_.*", "*cpi $_.*", "*copy $_.*", "*.File]::Copy(*") | fields - _raw | collect index=notable_events source="PowerShell SAM Copy" marker="guid=1af57a4b-460a-4738-9034-db68b880c665,tags=attack.credential-access,tags=attack.t1003.002,"
+[Process Execution From A Potentially Suspicious Folder]
+description = Detects a potentially suspicious execution from an uncommon folder.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*:\\Perflogs\\*", "*:\\Users\\All Users\\*", "*:\\Users\\Default\\*", "*:\\Users\\NetworkService\\*", "*:\\Windows\\addins\\*", "*:\\Windows\\debug\\*", "*:\\Windows\\Fonts\\*", "*:\\Windows\\Help\\*", "*:\\Windows\\IME\\*", "*:\\Windows\\Media\\*", "*:\\Windows\\repair\\*", "*:\\Windows\\security\\*", "*:\\Windows\\System32\\Tasks\\*", "*:\\Windows\\Tasks\\*", "*$Recycle.bin*", "*\\config\\systemprofile\\*", "*\\Intel\\Logs\\*", "*\\RSA\\MachineKeys\\*") NOT (Image="C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\*" OR (Image="C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\*" Image="*\\CitrixReceiverUpdater.exe")) | fields - _raw | collect index=notable_events source="Process Execution From A Potentially Suspicious Folder" marker="guid=3dfd06d2-eaf4-4532-9555-68aca59f57c4,tags=attack.defense-evasion,tags=attack.t1036,"
+[Potentially Suspicious Child Process Of DiskShadow.EXE]
+description = Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\diskshadow.exe" Image IN ("*\\certutil.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") | fields - _raw | collect index=notable_events source="Potentially Suspicious Child Process Of DiskShadow.EXE" marker="guid=9f546b25-5f12-4c8d-8532-5893dcb1e4b8,tags=attack.defense-evasion,tags=attack.t1218,"
+[File Download Via Bitsadmin]
+description = Detects usage of bitsadmin downloading a file
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\bitsadmin.exe" OR OriginalFileName="bitsadmin.exe" CommandLine="* /transfer *" OR (CommandLine IN ("* /create *", "* /addfile *") CommandLine="*http*") | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="File Download Via Bitsadmin" marker="guid=d059842b-6b9d-4ed1-b5c3-5b89143c6ede,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,tags=attack.s0190,tags=attack.t1036.003,"
+[Suspicious Schtasks Schedule Type With High Privileges]
+description = Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" OR OriginalFileName="schtasks.exe" CommandLine IN ("* ONLOGON *", "* ONSTART *", "* ONCE *", "* ONIDLE *") CommandLine IN ("*NT AUT*", "* SYSTEM*", "*HIGHEST*") | fields - _raw | collect index=notable_events source="Suspicious Schtasks Schedule Type With High Privileges" marker="guid=7a02e22e-b885-4404-b38b-1ddc7e65258a,tags=attack.execution,tags=attack.t1053.005,"
+[Suspicious Execution of InstallUtil Without Log]
+description = Uses the .NET InstallUtil.exe application in order to execute image without log
+search = index=evtx _index_earliest=-1h@h
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\InstallUtil.exe" Image="*Microsoft.NET\\Framework*" CommandLine="*/logfile= *" CommandLine="*/LogToConsole=false*" | fields - _raw | collect index=notable_events source="Suspicious Execution of InstallUtil Without Log" marker="guid=d042284c-a296-4988-9be5-f424fadcc28c,tags=attack.defense-evasion,"
+[HackTool - SharpLDAPmonitor Execution]
+description = Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SharpLDAPmonitor.exe" OR OriginalFileName="SharpLDAPmonitor.exe" OR (CommandLine="*/user:*" CommandLine="*/pass:*" CommandLine="*/dcip:*") | fields - _raw | collect index=notable_events source="HackTool - SharpLDAPmonitor Execution" marker="guid=9f8fc146-1d1a-4dbf-b8fd-dfae15e08541,tags=attack.discovery,"
+[Suspicious File Download From IP Via Curl.EXE]
+description = Detects potentially suspicious file downloads directly from IP addresses using curl.exe
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\curl.exe" OR OriginalFileName="curl.exe" CommandLine="*http*" CommandLine IN ("* -O*", "*--remote-name*", "*--output*") CommandLine IN ("*.bat", "*.bat\"", "*.dat", "*.dat\"", "*.dll", "*.dll\"", "*.exe", "*.exe\"", "*.gif", "*.gif\"", "*.hta", "*.hta\"", "*.jpeg", "*.jpeg\"", "*.log", "*.log\"", "*.msi", "*.msi\"", "*.png", "*.png\"", "*.ps1", "*.ps1\"", "*.psm1", "*.psm1\"", "*.vbe", "*.vbe\"", "*.vbs", "*.vbs\"", "*.bat'", "*.dat'", "*.dll'", "*.exe'", "*.gif'", "*.hta'", "*.jpeg'", "*.log'", "*.msi'", "*.png'", "*.ps1'", "*.psm1'", "*.vbe'", "*.vbs'")\
+| regex CommandLine="://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" | fields - _raw | collect index=notable_events source="Suspicious File Download From IP Via Curl.EXE"
marker="guid=5cb299fc-5fb1-4d07-b989-0644c68b6043,tags=attack.execution,"
+[Use NTFS Short Name in Command Line]
+description = Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*~1.exe*", "*~1.bat*", "*~1.msi*", "*~1.vbe*", "*~1.vbs*", "*~1.dll*", "*~1.ps1*", "*~1.js*", "*~1.hta*", "*~2.exe*", "*~2.bat*", "*~2.msi*", "*~2.vbe*", "*~2.vbs*", "*~2.dll*", "*~2.ps1*", "*~2.js*", "*~2.hta*") NOT (ParentImage IN ("*\\WebEx\\WebexHost.exe", "*\\thor\\thor64.exe") OR CommandLine="*C:\\xampp\\vcredist\\VCREDI~1.EXE*") | fields - _raw | collect index=notable_events source="Use NTFS Short Name in Command Line" marker="guid=dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795,tags=attack.defense-evasion,tags=attack.t1564.004,"
+[Suspicious Use of CSharp Interactive Console]
+description = Detects the execution of CSharp interactive console by PowerShell
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\csi.exe" ParentImage IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\powershell_ise.exe") OriginalFileName="csi.exe" | fields - _raw | collect index=notable_events source="Suspicious Use of CSharp Interactive Console" marker="guid=a9e416a8-e613-4f8b-88b8-a7d1d1af2f61,tags=attack.execution,tags=attack.t1127,"
+[Suspicious JavaScript Execution Via Mshta.EXE]
+description = Detects execution of javascript code using "mshta.exe".
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\mshta.exe" OR OriginalFileName="MSHTA.EXE" CommandLine="*javascript*" | fields - _raw | collect index=notable_events source="Suspicious JavaScript Execution Via Mshta.EXE" marker="guid=67f113fa-e23d-4271-befa-30113b3e08b1,tags=attack.defense-evasion,tags=attack.t1218.005,"
+[Bad Opsec Defaults Sacrificial Processes With Improper Arguments]
+description = Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\WerFault.exe" CommandLine="*WerFault.exe") OR (Image="*\\rundll32.exe" CommandLine="*rundll32.exe") OR (Image="*\\regsvcs.exe" CommandLine="*regsvcs.exe") OR (Image="*\\regasm.exe" CommandLine="*regasm.exe") OR (Image="*\\regsvr32.exe" CommandLine="*regsvr32.exe") NOT (ParentImage="*:\\Users\\*" ParentImage="*\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{*") NOT (ParentImage="*:\\Users\\*" ParentImage="*\\AppData\\Local\\Google\\Chrome\\Application\\*" ParentImage="*\\Installer\\setup.exe" ParentCommandLine="*--uninstall --channel=stable*" Image="*\\rundll32.exe" CommandLine="*rundll32.exe") | fields - _raw | collect index=notable_events source="Bad Opsec Defaults Sacrificial Processes With Improper Arguments" marker="guid=a7c3d773-caef-227e-a7e7-c2f13c622329,tags=attack.defense-evasion,tags=attack.t1218.011,"
+[Suspicious Curl.EXE Download]
+description = Detects a suspicious curl process start on Windows and outputs the requested document to a local file
+search = index=evtx
_index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\curl.exe" OR Product="The curl executable" CommandLine IN ("*%AppData%*", "*%Public%*", "*%Temp%*", "*%tmp%*", "*\\AppData\\*", "*\\Desktop\\*", "*\\Temp\\*", "*\\Users\\Public\\*", "*C:\\PerfLogs\\*", "*C:\\ProgramData\\*", "*C:\\Windows\\Temp\\*") OR CommandLine IN ("*.dll", "*.gif", "*.jpeg", "*.jpg", "*.png", "*.temp", "*.tmp", "*.txt", "*.vbe", "*.vbs") NOT (ParentImage="C:\\Program Files\\Git\\usr\\bin\\sh.exe" Image="C:\\Program Files\\Git\\mingw64\\bin\\curl.exe" CommandLine="*--silent --show-error --output *" CommandLine="*gfw-httpget-*" CommandLine="*AppData*") | fields - _raw | collect index=notable_events source="Suspicious Curl.EXE Download" marker="guid=e218595b-bbe7-4ee5-8a96-f32a24ad3468,tags=attack.command-and-control,tags=attack.t1105," +[Potentially Suspicious Child Process of KeyScrambler.exe] +description = Detects potentially suspicious child processes of KeyScrambler.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\KeyScrambler.exe" Image IN ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR OriginalFileName IN ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe") | fields - _raw | collect index=notable_events source="Potentially Suspicious Child Process of KeyScrambler.exe" marker="guid=ca5583e9-8f80-46ac-ab91-7f314d13b984,tags=attack.execution,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1203,tags=attack.t1574.002," +[Uncommon Child Process Of Appvlp.EXE] +description = Detects uncommon child processes of Appvlp.EXE Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. 
Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\appvlp.exe" NOT (Image IN ("*:\\Windows\\SysWOW64\\rundll32.exe", "*:\\Windows\\System32\\rundll32.exe")) NOT ((Image="*:\\Program Files\\Microsoft Office*" Image="*\\msoasb.exe") OR (Image="*:\\Program Files\\Microsoft Office*" Image="*\\SkypeSrv\\*" Image="*\\SKYPESERVER.EXE") OR (Image="*:\\Program Files\\Microsoft Office*" Image="*\\MSOUC.EXE")) | fields - _raw | collect index=notable_events source="Uncommon Child Process Of Appvlp.EXE" marker="guid=9c7e131a-0f2c-4ae0-9d43-b04f4e266d43,tags=attack.t1218,tags=attack.defense-evasion,tags=attack.execution," +[Suspicious CodePage Switch Via CHCP] +description = Detects a code page switch in command line or batch scripts to a rare language +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\chcp.com" CommandLine IN ("* 936", "* 1258") | table ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious CodePage Switch Via CHCP" marker="guid=c7942406-33dd-4377-a564-0f62db0593a3,tags=attack.t1036,tags=attack.defense-evasion," +[Recon Command Output Piped To Findstr.EXE] +description = Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*ipconfig*|*find*", "*net*|*find*", "*netstat*|*find*", "*ping*|*find*", "*systeminfo*|*find*", "*tasklist*|*find*", "*whoami*|*find*") | fields - _raw | collect index=notable_events source="Recon Command Output Piped To Findstr.EXE" marker="guid=ccb5742c-c248-4982-8c5c-5571b9275ad3,tags=attack.discovery,tags=attack.t1057,"
+[Chopper Webshell Process Pattern]
+description = Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\w3wp.exe" OR ParentImage="*\\w3wp.exe" CommandLine IN ("*&ipconfig&echo*", "*&quser&echo*", "*&whoami&echo*", "*&c:&echo*", "*&cd&echo*", "*&dir&echo*", "*&echo [E]*", "*&echo [S]*") | fields - _raw | collect index=notable_events source="Chopper Webshell Process Pattern" marker="guid=fa3c117a-bc0d-416e-a31b-0c0e80653efb,tags=attack.persistence,tags=attack.t1505.003,tags=attack.t1018,tags=attack.t1033,tags=attack.t1087,"
+[Filter Driver Unloaded Via Fltmc.EXE]
+description = Detect filter driver unloading activity via fltmc.exe
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\fltMC.exe" OR OriginalFileName="fltMC.exe" CommandLine="*unload*" NOT ((ParentImage="C:\\Users\\*" ParentImage="*\\AppData\\Local\\Temp\\*" ParentImage="*\\endpoint-protection-installer-x64.tmp" CommandLine="*unload rtp_filesystem_filter") OR (ParentImage="C:\\Program Files (x86)\\ManageEngine\\uems_agent\\bin\\dcfaservice64.exe" CommandLine="*unload DFMFilter")) | fields - _raw | collect index=notable_events source="Filter Driver Unloaded Via Fltmc.EXE" marker="guid=4931188c-178e-4ee7-a348-39e8a7a56821,tags=attack.defense-evasion,tags=attack.t1070,tags=attack.t1562,tags=attack.t1562.002,"
+[Potential AMSI Bypass Using NULL Bits]
+description = Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*if(0){{{0}}}' -f $(0 -as [char]) +*", "*#*") | fields - _raw | collect index=notable_events source="Potential AMSI Bypass Using NULL Bits" marker="guid=92a974db-ab84-457f-9ec0-55db83d7a825,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Suspicious Response File Execution Via Odbcconf.EXE]
+description = Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\odbcconf.exe" OR OriginalFileName="odbcconf.exe" CommandLine="* -f *" OR CommandLine="* /f *" OR CommandLine="* –f *" OR CommandLine="* —f *" OR CommandLine="* ―f *" NOT (CommandLine="*.rsp*" OR (ParentImage="C:\\Windows\\System32\\runonce.exe" Image="C:\\Windows\\System32\\odbcconf.exe" CommandLine="*.exe /E /F \"C:\\WINDOWS\\system32\\odbcconf.tmp\"*")) | fields - _raw | collect index=notable_events source="Suspicious Response File Execution Via Odbcconf.EXE" marker="guid=2d32dd6f-3196-4093-b9eb-1ad8ab088ca5,tags=attack.defense-evasion,tags=attack.t1218.008,"
+[Xwizard.EXE Execution From Non-Default Location]
+description = Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\xwizard.exe" OR OriginalFileName="xwizard.exe" NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*")) | fields - _raw | collect index=notable_events source="Xwizard.EXE Execution From Non-Default Location" marker="guid=193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1,tags=attack.defense-evasion,tags=attack.t1574.002,"
+[Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution]
+description = Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\Microsoft.NodejsTools.PressAnyKey.exe" | fields - _raw | collect index=notable_events source="Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution" marker="guid=a20391f8-76fb-437b-abc0-dba2df1952c6,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218,"
+[PUA - Wsudo Suspicious Execution]
+description = Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wsudo.exe" OR OriginalFileName="wsudo.exe" OR Description="Windows sudo utility" OR ParentImage="*\\wsudo-bridge.exe" OR CommandLine IN ("*-u System*", "*-uSystem*", "*-u TrustedInstaller*", "*-uTrustedInstaller*", "* --ti *") | fields - _raw | collect index=notable_events source="PUA - Wsudo Suspicious Execution" marker="guid=bdeeabc9-ff2a-4a51-be59-bb253aac7891,tags=attack.execution,tags=attack.privilege-escalation,tags=attack.t1059,"
+[Suspicious MSHTA Child Process]
+description = Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\mshta.exe" Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\reg.exe", "*\\regsvr32.exe", "*\\bitsadmin.exe") OR OriginalFileName IN ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe", "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe") | fields - _raw | collect index=notable_events source="Suspicious MSHTA Child Process" marker="guid=03cc0c25-389f-4bf8-b48d-11878079f1ca,tags=attack.defense-evasion,tags=attack.t1218.005,tags=car.2013-02-003,tags=car.2013-03-001,tags=car.2014-04-003,"
+[Always Install Elevated Windows Installer]
+description = Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\Windows\\Installer\\*" Image="*msi*" Image="*tmp") OR (Image="*\\msiexec.exe" IntegrityLevel="System") User IN ("*AUTHORI*", "*AUTORI*") NOT (ParentImage="C:\\Windows\\System32\\services.exe" OR CommandLine="*\\system32\\msiexec.exe /V" OR ParentCommandLine="*\\system32\\msiexec.exe /V" OR ParentImage="C:\\ProgramData\\Sophos\\*" OR ParentImage="C:\\ProgramData\\Avira\\*" OR ParentImage IN ("C:\\Program Files\\Avast Software\\*", "C:\\Program Files (x86)\\Avast Software\\*") OR ParentImage IN ("C:\\Program Files\\Google\\Update\\*", "C:\\Program Files (x86)\\Google\\Update\\*")) | fields - _raw | collect index=notable_events source="Always Install Elevated Windows Installer" marker="guid=cd951fdc-4b2f-47f5-ba99-a33bf61e3770,tags=attack.privilege-escalation,tags=attack.t1548.002,"
+[Process Launched Without Image Name]
+description = Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\.exe" | fields - _raw | collect index=notable_events source="Process Launched Without Image Name" marker="guid=f208d6d8-d83a-4c2c-960d-877c37da84e5,tags=attack.defense-evasion,"
+[PUA - NirCmd Execution]
+description = Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\NirCmd.exe" OR OriginalFileName="NirCmd.exe" OR CommandLine IN ("* execmd *", "*.exe script *", "*.exe shexec *", "* runinteractive *") OR (CommandLine IN ("* exec *", "* exec2 *") CommandLine IN ("* show *", "* hide *")) | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="PUA - NirCmd Execution" marker="guid=4e2ed651-1906-4a59-a78a-18220fca1b22,tags=attack.execution,tags=attack.t1569.002,tags=attack.s0029,"
+[Suspicious Invoke-WebRequest Execution]
+description = Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*curl *", "*Invoke-WebRequest*", "*iwr *", "*wget *") CommandLine IN ("* -ur*", "* -o*") CommandLine IN ("*\\AppData\\*", "*\\Desktop\\*", "*\\Temp\\*", "*\\Users\\Public\\*", "*%AppData%*", "*%Public%*", "*%Temp%*", "*%tmp%*", "*:\\Windows\\*") | fields - _raw | collect index=notable_events source="Suspicious Invoke-WebRequest Execution" marker="guid=5e3cc4d8-3e68-43db-8656-eaaeefdec9cc,tags=attack.command-and-control,tags=attack.t1105,"
+[MSHTA Suspicious Execution 01]
+description = Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\mshta.exe" CommandLine IN ("*vbscript*", "*.jpg*", "*.png*", "*.lnk*", "*.xls*", "*.doc*", "*.zip*", "*.dll*") | fields - _raw | collect index=notable_events source="MSHTA Suspicious Execution 01" marker="guid=cc7abbd0-762b-41e3-8a26-57ad50d2eea3,tags=attack.defense-evasion,tags=attack.t1140,tags=attack.t1218.005,tags=attack.execution,tags=attack.t1059.007,tags=cve.2020-1599,"
+[Renamed NetSupport RAT Execution]
+description = Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="*NetSupport Remote Control*" OR OriginalFileName="*client32.exe*" OR Imphash="a9d50692e95b79723f3e76fcf70d023e" OR Hashes="*IMPHASH=A9D50692E95B79723F3E76FCF70D023E*" NOT Image="*\\client32.exe" | fields - _raw | collect index=notable_events source="Renamed NetSupport RAT Execution" marker="guid=0afbd410-de03-4078-8491-f132303cb67d,tags=attack.defense-evasion,"
+[Potentially Suspicious CMD Shell Output Redirect]
+description = Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine IN ("*>*%APPDATA%\\*", "*>*%TEMP%\\*", "*>*%TMP%\\*", "*>*%USERPROFILE%\\*", "*>*C:\\ProgramData\\*", "*>*C:\\Temp\\*", "*>*C:\\Users\\Public\\*", "*>*C:\\Windows\\Temp\\*") OR (CommandLine IN ("* >*", "*\">*", "*'>*") CommandLine="*C:\\Users\\*" CommandLine="*\\AppData\\Local\\*") | fields - _raw | collect index=notable_events source="Potentially Suspicious CMD Shell Output Redirect" marker="guid=8e0bb260-d4b2-4fff-bb8d-3f82118e6892,tags=attack.defense-evasion,tags=attack.t1218,"
+[Disable Windows IIS HTTP Logging]
+description = Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\appcmd.exe" OR OriginalFileName="appcmd.exe" CommandLine="*set*" CommandLine="*config*" CommandLine="*section:httplogging*" CommandLine="*dontLog:true*" | fields - _raw | collect index=notable_events source="Disable Windows IIS HTTP Logging" marker="guid=e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e,tags=attack.defense-evasion,tags=attack.t1562.002,"
+[Suspicious SYSTEM User Process Creation]
+description = Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 IntegrityLevel="System" User IN ("*AUTHORI*", "*AUTORI*") Image IN ("*\\calc.exe", "*\\cscript.exe", "*\\forfiles.exe", "*\\hh.exe", "*\\mshta.exe", "*\\ping.exe", "*\\wscript.exe") OR CommandLine IN ("* -NoP *", "* -W Hidden *", "* -decode *", "* /decode *", "* /urlcache *", "* -urlcache *", "* -e* JAB*", "* -e* SUVYI*", "* -e* SQBFAFgA*", "* -e* aWV4I*", "* -e* IAB*", "* -e* PAA*", "* -e* aQBlAHgA*", "*vssadmin delete shadows*", "*reg SAVE HKLM*", "* -ma *", "*Microsoft\\Windows\\CurrentVersion\\Run*", "*.downloadstring(*", "*.downloadfile(*", "* /ticket:*", "*dpapi::*", "*event::clear*", "*event::drop*", "*id::modify*", "*kerberos::*", "*lsadump::*", "*misc::*", "*privilege::*", "*rpc::*", "*sekurlsa::*", "*sid::*", "*token::*", "*vault::cred*", "*vault::list*", "* p::d *", "*;iex(*", "*MiniDump*", "*net user *") NOT (CommandLine="*ping 127.0.0.1 -n*" OR (Image="*\\PING.EXE" ParentCommandLine="*\\DismFoDInstall.cmd*") OR ParentImage="*:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\*" OR (ParentImage IN ("*:\\Program Files (x86)\\Java\\*", "*:\\Program Files\\Java\\*") ParentImage="*\\bin\\javaws.exe" Image IN ("*:\\Program Files (x86)\\Java\\*", "*:\\Program Files\\Java\\*") Image="*\\bin\\jp2launcher.exe" CommandLine="* -ma *")) | fields - _raw | collect index=notable_events source="Suspicious SYSTEM User Process Creation" marker="guid=2617e7ed-adb7-40ba-b0f3-8f9945fe6c09,tags=attack.credential-access,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1134,tags=attack.t1003,tags=attack.t1027,"
+[Write Protect For Storage Disabled]
+description = Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\System\\CurrentControlSet\\Control*" CommandLine="*Write Protection*" CommandLine="*0*" CommandLine="*storage*" | fields - _raw | collect index=notable_events source="Write Protect For Storage Disabled" marker="guid=75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13,tags=attack.defense-evasion,tags=attack.t1562,"
+[New Firewall Rule Added Via Netsh.EXE]
+description = Detects the addition of a new rule to the Windows firewall via netsh
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" CommandLine="* firewall *" CommandLine="* add *" NOT (CommandLine IN ("*advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=*:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any*", "*advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=*:\\Program Files\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any*")) | fields - _raw | collect index=notable_events source="New Firewall Rule Added Via Netsh.EXE" marker="guid=cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c,tags=attack.defense-evasion,tags=attack.t1562.004,tags=attack.s0246,"
+[Potentially Suspicious Execution Of PDQDeployRunner]
+description = Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\PDQDeployRunner-*" Image IN ("*\\bash.exe", "*\\certutil.exe", "*\\cmd.exe", "*\\csc.exe", "*\\cscript.exe", "*\\dllhost.exe", "*\\mshta.exe", "*\\msiexec.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\scriptrunner.exe", "*\\wmic.exe", "*\\wscript.exe", "*\\wsl.exe") OR Image IN ("*:\\ProgramData\\*", "*:\\Users\\Public\\*", "*:\\Windows\\TEMP\\*", "*\\AppData\\Local\\Temp*") OR CommandLine IN ("* -decode *", "* -enc *", "* -encodedcommand *", "* -w hidden*", "*DownloadString*", "*FromBase64String*", "*http*", "*iex *", "*Invoke-*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Execution Of PDQDeployRunner" marker="guid=12b8e9f5-96b2-41e1-9a42-8c6779a5c184,tags=attack.execution,"
+[Wusa Extracting Cab Files]
+description = Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument which is not longer supported. This could indicate an attacker using an old technique
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wusa.exe" CommandLine="*/extract:*" | fields - _raw | collect index=notable_events source="Wusa Extracting Cab Files" marker="guid=59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9,tags=attack.execution,"
+[Visual Studio Code Tunnel Service Installation]
+description = Detects the installation of VsCode tunnel (code-tunnel) as a service.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*tunnel *" CommandLine="*service*" CommandLine="*internal-run*" CommandLine="*tunnel-service.log*" | fields - _raw | collect index=notable_events source="Visual Studio Code Tunnel Service Installation" marker="guid=30bf1789-379d-4fdc-900f-55cd0a90a801,tags=attack.command-and-control,tags=attack.t1071.001,"
+[Certificate Exported Via PowerShell]
+description = Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Export-PfxCertificate *", "*Export-Certificate *") | fields - _raw | collect index=notable_events source="Certificate Exported Via PowerShell" marker="guid=9e716b33-63b2-46da-86a4-bd3c3b9b5dfb,tags=attack.credential-access,tags=attack.execution,tags=attack.t1552.004,tags=attack.t1059.001,"
+[Indirect Command Execution From Script File Via Bash.EXE]
+description = Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*:\\Windows\\System32\\bash.exe", "*:\\Windows\\SysWOW64\\bash.exe") OR OriginalFileName="Bash.exe" NOT (CommandLine IN ("*bash.exe -*", "*bash -*") OR CommandLine!=* OR CommandLine="" OR CommandLine IN ("bash.exe", "bash")) | fields - _raw | collect index=notable_events source="Indirect Command Execution From Script File Via Bash.EXE" marker="guid=2d22a514-e024-4428-9dba-41505bd63a5b,tags=attack.defense-evasion,tags=attack.t1202,"
+[Potential Arbitrary Code Execution Via Node.EXE]
+description = Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\node.exe" CommandLine IN ("* -e *", "* --eval *") CommandLine="*.exec(*" CommandLine="*net.socket*" CommandLine="*.connect*" CommandLine="*child_process*" | fields - _raw | collect index=notable_events source="Potential Arbitrary Code Execution Via Node.EXE" marker="guid=6640f31c-01ad-49b5-beb5-83498a5cd8bd,tags=attack.defense-evasion,tags=attack.t1127,"
+[Suspicious DLL Loaded via CertOC.EXE]
+description = Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certoc.exe" OR OriginalFileName="CertOC.exe" CommandLine="* -LoadDLL *" OR CommandLine="* /LoadDLL *" OR CommandLine="* –LoadDLL *" OR CommandLine="* —LoadDLL *" OR CommandLine="* ―LoadDLL *" CommandLine IN ("*\\Appdata\\Local\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Users\\Public\\*", "*C:\\Windows\\Tasks\\*", "*C:\\Windows\\Temp\\*") | fields - _raw | collect index=notable_events source="Suspicious DLL Loaded via CertOC.EXE" marker="guid=84232095-ecca-4015-b0d7-7726507ee793,tags=attack.defense-evasion,tags=attack.t1218,"
+[HackTool - PowerTool Execution]
+description = Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\PowerTool.exe", "*\\PowerTool64.exe") OR OriginalFileName="PowerTool.exe" | fields - _raw | collect index=notable_events source="HackTool - PowerTool Execution" marker="guid=a34f79a3-8e5f-4cc3-b765-de00695452c2,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[HackTool - Inveigh Execution]
+description = Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Inveigh.exe" OR OriginalFileName IN ("\\Inveigh.exe", "\\Inveigh.dll") OR Description="Inveigh" OR CommandLine IN ("* -SpooferIP*", "* -ReplyToIPs *", "* -ReplyToDomains *", "* -ReplyToMACs *", "* -SnifferIP*") | fields - _raw | collect index=notable_events source="HackTool - Inveigh Execution" marker="guid=b99a1518-1ad5-4f65-bc95-1ffff97a8fd0,tags=attack.credential-access,tags=attack.t1003.001,"
+[Potential Crypto Mining Activity]
+description = Detects command line parameters or strings often used by crypto miners
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("* --cpu-priority=*", "*--donate-level=0*", "* -o pool.*", "* --nicehash*", "* --algo=rx/0 *", "*stratum+tcp://*", "*stratum+udp://*", "*LS1kb25hdGUtbGV2ZWw9*", "*0tZG9uYXRlLWxldmVsP*", "*tLWRvbmF0ZS1sZXZlbD*", "*c3RyYXR1bSt0Y3A6Ly*", "*N0cmF0dW0rdGNwOi8v*", "*zdHJhdHVtK3RjcDovL*", "*c3RyYXR1bSt1ZHA6Ly*", "*N0cmF0dW0rdWRwOi8v*", "*zdHJhdHVtK3VkcDovL*") NOT (CommandLine IN ("* pool.c *", "* pool.o *", "*gcc -*")) | fields - _raw | collect index=notable_events source="Potential Crypto Mining Activity" marker="guid=66c3b204-9f88-4d0a-a7f7-8a57d521ca55,tags=attack.impact,tags=attack.t1496,"
+[Suspicious Plink Port Forwarding]
+description = Detects suspicious Plink tunnel port forwarding to a local port
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="Command-line SSH, Telnet, and Rlogin client" CommandLine="* -R *" | fields - _raw | collect index=notable_events source="Suspicious Plink Port Forwarding" marker="guid=48a61b29-389f-4032-b317-b30de6b95314,tags=attack.command-and-control,tags=attack.t1572,tags=attack.lateral-movement,tags=attack.t1021.001,"
+[PowerShell DownloadFile]
+description = Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*powershell*" CommandLine="*.DownloadFile*" CommandLine="*System.Net.WebClient*" | fields - _raw | collect index=notable_events source="PowerShell DownloadFile" marker="guid=8f70ac5f-1f6f-4f8e-b454-db19561216c5,tags=attack.execution,tags=attack.t1059.001,tags=attack.command-and-control,tags=attack.t1104,tags=attack.t1105,"
+[File Download Using ProtocolHandler.exe]
+description = Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\protocolhandler.exe" OR OriginalFileName="ProtocolHandler.exe" CommandLine IN ("*ftp://*", "*http://*", "*https://*") | fields - _raw | collect index=notable_events source="File Download Using ProtocolHandler.exe" marker="guid=104cdb48-a7a8-4ca7-a453-32942c6e5dcb,tags=attack.defense-evasion,tags=attack.t1218,"
+[HackTool - RemoteKrbRelay Execution]
+description = Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\RemoteKrbRelay.exe" OR OriginalFileName="RemoteKrbRelay.exe" OR (CommandLine="* -clsid *" CommandLine="* -target *" CommandLine="* -victim *") OR (CommandLine="*-rbcd *" CommandLine IN ("*-cn *", "*--computername *")) OR (CommandLine="*-chp *" CommandLine="*-chpPass *" CommandLine="*-chpUser *") OR (CommandLine="*-addgroupmember *" CommandLine="*-group *" CommandLine="*-groupuser *") OR (CommandLine="*-smb *" CommandLine="*--smbkeyword *" CommandLine IN ("*interactive*", "*secrets*", "*service-add*")) | fields - _raw | collect index=notable_events source="HackTool - RemoteKrbRelay Execution" marker="guid=a7664b14-75fb-4a50-a223-cb9bc0afbacf,tags=attack.credential-access,tags=attack.t1558.003,"
+[Use of FSharp Interpreters]
+description = Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\fsi.exe", "*\\fsianycpu.exe") OR OriginalFileName IN ("fsi.exe", "fsianycpu.exe") | fields - _raw | collect index=notable_events source="Use of FSharp Interpreters" marker="guid=b96b2031-7c17-4473-afe7-a30ce714db29,tags=attack.execution,tags=attack.t1059,"
+[Dllhost.EXE Execution Anomaly]
+description = Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dllhost.exe" CommandLine IN ("dllhost.exe", "dllhost") NOT CommandLine!=* | fields - _raw | collect index=notable_events source="Dllhost.EXE Execution Anomaly" marker="guid=e7888eb1-13b0-4616-bd99-4bc0c2b054b9,tags=attack.defense-evasion,tags=attack.t1055,"
+[Renamed Whoami Execution]
+description = Detects the execution of whoami that has been renamed to a different name to avoid detection
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="whoami.exe" NOT Image="*\\whoami.exe" | fields - _raw | collect index=notable_events source="Renamed Whoami Execution" marker="guid=f1086bf7-a0c4-4a37-9102-01e573caf4a0,tags=attack.discovery,tags=attack.t1033,tags=car.2016-03-001,"
+[Execute Code with Pester.bat as Parent]
+description = Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\powershell.exe", "*\\pwsh.exe") ParentCommandLine="*\\WindowsPowerShell\\Modules\\Pester\\*" ParentCommandLine IN ("*{ Invoke-Pester -EnableExit ;*", "*{ Get-Help \"*") | fields - _raw | collect index=notable_events source="Execute Code with Pester.bat as Parent" marker="guid=18988e1b-9087-4f8a-82fe-0414dce49878,tags=attack.execution,tags=attack.t1059.001,tags=attack.defense-evasion,tags=attack.t1216,"
+[Suspicious Service Path Modification]
+description = Detects service path modification via the "sc" binary to a suspicious command or path
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sc.exe" CommandLine="*config*" CommandLine="*binPath*" CommandLine IN ("*powershell*", "*cmd *", "*mshta*", "*wscript*", "*cscript*", "*rundll32*", "*svchost*", "*dllhost*", "*cmd.exe /c*", "*cmd.exe /k*", "*cmd.exe /r*", "*cmd /c*", "*cmd /k*", "*cmd /r*", "*C:\\Users\\Public*", "*\\Downloads\\*", "*\\Desktop\\*", "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "*C:\\Windows\\TEMP\\*", "*\\AppData\\Local\\Temp*") | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Service Path Modification" marker="guid=138d3531-8793-4f50-a2cd-f291b2863d78,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1543.003,"
+[DLL Sideloading by VMware Xfer Utility]
+description = Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\VMwareXferlogs.exe" NOT Image="C:\\Program Files\\VMware\\*" | fields - _raw | collect index=notable_events source="DLL Sideloading by VMware Xfer Utility" marker="guid=ebea773c-a8f1-42ad-a856-00cb221966e8,tags=attack.defense-evasion,tags=attack.t1574.002,"
+[Sensitive File Recovery From Backup Via Wbadmin.EXE]
+description = Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wbadmin.exe" OR OriginalFileName="WBADMIN.EXE" CommandLine="* recovery*" CommandLine="*recoveryTarget*" CommandLine="*itemtype:File*" CommandLine IN ("*\\config\\SAM*", "*\\config\\SECURITY*", "*\\config\\SYSTEM*", "*\\Windows\\NTDS\\NTDS.dit*") | fields - _raw | collect index=notable_events source="Sensitive File Recovery From Backup Via Wbadmin.EXE" marker="guid=84972c80-251c-4c3a-9079-4f00aad93938,tags=attack.credential-access,tags=attack.t1003.003," +[Service Reconnaissance Via Wmic.EXE] +description = An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\WMIC.exe" OR OriginalFileName="wmic.exe" CommandLine="*service*" | fields - _raw | collect index=notable_events source="Service Reconnaissance Via Wmic.EXE" marker="guid=76f55eaa-d27f-4213-9d45-7b0e4b60bbae,tags=attack.execution,tags=attack.t1047," +[Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate] +description = Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\AnyDesk.exe" OR Description="AnyDesk" OR Product="AnyDesk" OR Company="AnyDesk Software GmbH" FileVersion IN ("7.0.*", "7.1.*", "8.0.1*", "8.0.2*", "8.0.3*", "8.0.4*", "8.0.5*", "8.0.6*", "8.0.7*") NOT (CommandLine IN ("* --remove*", "* --uninstall*")) | fields - _raw | collect index=notable_events source="Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate" marker="guid=41f407b5-3096-44ea-a74f-96d04fbc41be,tags=attack.execution,tags=attack.initial-access," +[Process Memory Dump Via Comsvcs.DLL] +description = Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" OR CommandLine="*rundll32*" CommandLine="*comsvcs*" CommandLine="*full*" CommandLine IN ("*#-*", "*#+*", "*#24*", "*24 *", "*MiniDump*")) OR (CommandLine="*24*" CommandLine="*comsvcs*" CommandLine="*full*" CommandLine IN ("* #*", "*,#*", "*, #*")) | fields - _raw | collect index=notable_events source="Process Memory Dump Via Comsvcs.DLL" marker="guid=646ea171-dded-4578-8a4d-65e9822892e3,tags=attack.defense-evasion,tags=attack.credential-access,tags=attack.t1036,tags=attack.t1003.001,tags=car.2013-05-009," +[Conhost Spawned By Uncommon Parent Process] +description = Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\conhost.exe" ParentImage IN ("*\\explorer.exe", "*\\lsass.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\services.exe", "*\\smss.exe", "*\\spoolsv.exe", "*\\svchost.exe", "*\\userinit.exe", "*\\wininit.exe", "*\\winlogon.exe") NOT (ParentCommandLine IN ("*-k apphost -s AppHostSvc*", "*-k imgsvc*", "*-k localService -p -s RemoteRegistry*", "*-k LocalSystemNetworkRestricted -p -s NgcSvc*", "*-k NetSvcs -p -s NcaSvc*", "*-k netsvcs -p -s NetSetupSvc*", "*-k netsvcs -p -s wlidsvc*", "*-k NetworkService -p -s DoSvc*", "*-k wsappx -p -s AppXSvc*", "*-k wsappx -p -s ClipSVC*")) NOT (ParentCommandLine IN ("*C:\\Program Files (x86)\\Dropbox\\Client\\*", "*C:\\Program Files\\Dropbox\\Client\\*")) | fields - _raw | collect index=notable_events source="Conhost Spawned By Uncommon Parent Process" marker="guid=cbb9e3d1-2386-4e59-912e-62f1484f7a89,tags=attack.execution,tags=attack.t1059," +[Bypass UAC via CMSTP] +description = Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmstp.exe" OR OriginalFileName="CMSTP.EXE" CommandLine IN ("*/s*", "*-s*", "*/au*", "*-au*", "*/ni*", "*-ni*") | table ComputerName,User,CommandLine | fields - _raw | collect index=notable_events source="Bypass UAC via CMSTP" marker="guid=e66779cc-383e-4224-a3a4-267eeb585c40,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1548.002,tags=attack.t1218.003," +[Suspicious Greedy Compression Using Rar.EXE] +description = Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 
Image="*\\rar.exe" OR Description="Command line RAR" OR CommandLine IN ("*.exe a *", "* a -m*") CommandLine="* -hp*" CommandLine="* -r *" CommandLine IN ("* *:\\\*.*", "* *:\\\\\*.*", "* *:\\$Recycle.bin\\*", "* *:\\PerfLogs\\*", "* *:\\Temp*", "* *:\\Users\\Public\\*", "* *:\\Windows\\*", "* %public%*") | fields - _raw | collect index=notable_events source="Suspicious Greedy Compression Using Rar.EXE" marker="guid=afe52666-401e-4a02-b4ff-5d128990b8cb,tags=attack.execution,tags=attack.t1059," +[Disable Important Scheduled Task] +description = Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" CommandLine="*/Change*" CommandLine="*/TN*" CommandLine="*/disable*" CommandLine IN ("*\\Windows\\BitLocker*", "*\\Windows\\ExploitGuard*", "*\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh*", "*\\Windows\\SystemRestore\\SR*", "*\\Windows\\UpdateOrchestrator\\*", "*\\Windows\\Windows Defender\\*", "*\\Windows\\WindowsBackup\\*", "*\\Windows\\WindowsUpdate\\*") | fields - _raw | collect index=notable_events source="Disable Important Scheduled Task" marker="guid=9ac94dc8-9042-493c-ba45-3b5e7c86b980,tags=attack.impact,tags=attack.t1489," +[Suspicious HH.EXE Execution] +description = Detects a suspicious execution of a Microsoft HTML Help (HH.exe) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="HH.exe" OR Image="*\\hh.exe" CommandLine IN ("*.application*", "*\\AppData\\Local\\Temp\\*", "*\\Content.Outlook\\*", "*\\Downloads\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*") | fields - _raw | collect index=notable_events source="Suspicious HH.EXE Execution" 
marker="guid=e8a95b5e-c891-46e2-b33a-93937d3abc31,tags=attack.defense-evasion,tags=attack.execution,tags=attack.initial-access,tags=attack.t1047,tags=attack.t1059.001,tags=attack.t1059.003,tags=attack.t1059.005,tags=attack.t1059.007,tags=attack.t1218,tags=attack.t1218.001,tags=attack.t1218.010,tags=attack.t1218.011,tags=attack.t1566,tags=attack.t1566.001," +[Dumping Process via Sqldumper.exe] +description = Detects process dump via legitimate sqldumper.exe binary +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sqldumper.exe" CommandLine IN ("*0x0110*", "*0x01100:40*") | fields - _raw | collect index=notable_events source="Dumping Process via Sqldumper.exe" marker="guid=23ceaf5c-b6f1-4a32-8559-f2ff734be516,tags=attack.credential-access,tags=attack.t1003.001," +[Potentially Suspicious Child Process Of VsCode] +description = Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\code.exe" Image IN ("*\\calc.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\cscript.exe", "*\\wscript.exe") OR (Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\cmd.exe") CommandLine IN ("*Invoke-Expressions*", "*IEX*", "*Invoke-Command*", "*ICM*", "*DownloadString*", "*rundll32*", "*regsvr32*", "*wscript*", "*cscript*")) OR Image IN ("*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*:\\Temp\\*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Child Process Of VsCode" marker="guid=5a3164f2-b373-4152-93cf-090b13c12d27,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1202," +[HackTool - SharpEvtMute Execution] +description = Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SharpEvtMute.exe" OR Description="SharpEvtMute" OR CommandLine IN ("*--Filter \"rule *", "*--Encoded --Filter \\\"*") | fields - _raw | collect index=notable_events source="HackTool - SharpEvtMute Execution" marker="guid=bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c,tags=attack.defense-evasion,tags=attack.t1562.002," +[Windows Credential Manager Access via VaultCmd] +description = List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\VaultCmd.exe" OR OriginalFileName="VAULTCMD.EXE" CommandLine="*/listcreds:*" | fields - _raw | collect index=notable_events source="Windows Credential Manager Access via VaultCmd" marker="guid=58f50261-c53b-4c88-bd12-1d71f12eda4c,tags=attack.credential-access,tags=attack.t1555.004," +[PUA - System Informer Execution] +description = Detects the execution of System Informer, a task manager tool to view 
and manipulate processes, kernel options and other low level operations +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SystemInformer.exe" OR OriginalFileName="SystemInformer.exe" OR Description="System Informer" OR Product="System Informer" OR Hashes IN ("*MD5=19426363A37C03C3ED6FEDF57B6696EC*", "*SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC*", "*SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287*", "*IMPHASH=B68908ADAEB5D662F87F2528AF318F12*") OR md5="19426363A37C03C3ED6FEDF57B6696EC" OR sha1="8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC" OR sha256="8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287" OR Imphash="B68908ADAEB5D662F87F2528AF318F12" | fields - _raw | collect index=notable_events source="PUA - System Informer Execution" marker="guid=5722dff1-4bdd-4949-86ab-fbaf707e767a,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.discovery,tags=attack.defense-evasion,tags=attack.t1082,tags=attack.t1564,tags=attack.t1543," +[File Download Via Bitsadmin To An Uncommon Target Folder] +description = Detects usage of bitsadmin downloading a file to uncommon target folder +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\bitsadmin.exe" OR OriginalFileName="bitsadmin.exe" CommandLine IN ("* /transfer *", "* /create *", "* /addfile *") CommandLine IN ("*%AppData%*", "*%temp%*", "*%tmp%*", "*\\AppData\\Local\\*", "*C:\\Windows\\Temp\\*") | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="File Download Via Bitsadmin To An Uncommon Target Folder" marker="guid=6e30c82f-a9f8-4aab-b79c-7c12bce6f248,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,tags=attack.s0190,tags=attack.t1036.003," +[Start Windows Service Via Net.EXE] +description = Detects the usage of the "net.exe" command to start a service using the "start" flag +search = index=evtx 
_index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine="* start *" | fields - _raw | collect index=notable_events source="Start Windows Service Via Net.EXE" marker="guid=2a072a96-a086-49fa-bcb5-15cc5a619093,tags=attack.execution,tags=attack.t1569.002," +[Esentutl Steals Browser Information] +description = One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\esentutl.exe" OR OriginalFileName="esentutl.exe" CommandLine="*-r*" OR CommandLine="*/r*" OR CommandLine="*–r*" OR CommandLine="*—r*" OR CommandLine="*―r*" CommandLine="*\\Windows\\WebCache*" | fields - _raw | collect index=notable_events source="Esentutl Steals Browser Information" marker="guid=6a69f62d-ce75-4b57-8dce-6351eb55b362,tags=attack.collection,tags=attack.t1005," +[Potential Script Proxy Execution Via CL_Mutexverifiers.ps1] +description = Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\powershell.exe", "*\\pwsh.exe") Image="*\\powershell.exe" CommandLine="* -nologo -windowstyle minimized -file *" CommandLine IN ("*\\AppData\\Local\\Temp\\*", "*\\Windows\\Temp\\*") | fields - _raw | collect index=notable_events source="Potential Script Proxy Execution Via CL_Mutexverifiers.ps1" marker="guid=1e0e1a81-e79b-44bc-935b-ddb9c8006b3d,tags=attack.defense-evasion,tags=attack.t1216," +[Suspicious Regsvr32 Execution From Remote Share] +description = Detects REGSVR32.exe to execute DLL hosted on remote shares +search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regsvr32.exe" OR OriginalFileName="\\REGSVR32.EXE" CommandLine="* \\\\*" | fields - _raw | collect index=notable_events source="Suspicious Regsvr32 Execution From Remote Share" marker="guid=88a87a10-384b-4ad7-8871-2f9bf9259ce5,tags=attack.defense-evasion,tags=attack.t1218.010," +[Suspicious Service Binary Directory] +description = Detects a service binary running in a suspicious directory +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\Users\\Public\\*", "*\\$Recycle.bin*", "*\\Users\\All Users\\*", "*\\Users\\Default\\*", "*\\Users\\Contacts\\*", "*\\Users\\Searches\\*", "*C:\\Perflogs\\*", "*\\config\\systemprofile\\*", "*\\Windows\\Fonts\\*", "*\\Windows\\IME\\*", "*\\Windows\\addins\\*") ParentImage IN ("*\\services.exe", "*\\svchost.exe") | fields - _raw | collect index=notable_events source="Suspicious Service Binary Directory" marker="guid=883faa95-175a-4e22-8181-e5761aeb373c,tags=attack.defense-evasion,tags=attack.t1202," +[HackTool - F-Secure C3 Load by Rundll32] +description = F-Secure C3 produces DLLs with a default exported StartNodeRelay function. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*rundll32.exe*" CommandLine="*.dll*" CommandLine="*StartNodeRelay*" | fields - _raw | collect index=notable_events source="HackTool - F-Secure C3 Load by Rundll32" marker="guid=b18c9d4c-fac9-4708-bd06-dd5bfacf200f,tags=attack.defense-evasion,tags=attack.t1218.011," +[Renamed AdFind Execution] +description = Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*domainlist*", "*trustdmp*", "*dcmodes*", "*adinfo*", "* dclist *", "*computer_pwdnotreqd*", "*objectcategory=*", "*-subnets -f*", "*name=\"Domain Admins\"*", "*-sc u:*", "*domainncs*", "*dompol*", "* oudmp *", "*subnetdmp*", "*gpodmp*", "*fspdmp*", "*users_noexpire*", "*computers_active*", "*computers_pwdnotreqd*") OR Imphash IN ("bca5675746d13a1f246e2da3c2217492", "53e117a96057eaf19c41380d0e87f1c2") OR Hashes IN ("*IMPHASH=BCA5675746D13A1F246E2DA3C2217492*", "*IMPHASH=53E117A96057EAF19C41380D0E87F1C2*") OR OriginalFileName="AdFind.exe" NOT Image="*\\AdFind.exe" | fields - _raw | collect index=notable_events source="Renamed AdFind Execution" marker="guid=df55196f-f105-44d3-a675-e9dfb6cc2f2b,tags=attack.discovery,tags=attack.t1018,tags=attack.t1087.002,tags=attack.t1482,tags=attack.t1069.002," +[Potential Persistence Via Powershell Search Order Hijacking - Task] +description = Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. 
This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="C:\\WINDOWS\\System32\\svchost.exe" ParentCommandLine="*-k netsvcs*" ParentCommandLine="*-s Schedule*" CommandLine IN ("* -windowstyle hidden", "* -w hidden", "* -ep bypass", "* -noni") | fields - _raw | collect index=notable_events source="Potential Persistence Via Powershell Search Order Hijacking - Task" marker="guid=b66474aa-bd92-4333-a16c-298155b120df,tags=attack.execution,tags=attack.persistence,tags=attack.t1053.005,tags=attack.t1059.001," +[Potentially Suspicious Child Process Of ClickOnce Application] +description = Detects potentially suspicious child processes of a ClickOnce deployment application +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\AppData\\Local\\Apps\\2.0\\*" Image IN ("*\\calc.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\explorer.exe", "*\\mshta.exe", "*\\net.exe", "*\\net1.exe", "*\\nltest.exe", "*\\notepad.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\reg.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\schtasks.exe", "*\\werfault.exe", "*\\wscript.exe") | fields - _raw | collect index=notable_events source="Potentially Suspicious Child Process Of ClickOnce Application" marker="guid=67bc0e75-c0a9-4cfc-8754-84a505b63c04,tags=attack.execution,tags=attack.defense-evasion," +[Rebuild Performance Counter Values Via Lodctr.EXE] +description = Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\lodctr.exe" OriginalFileName="LODCTR.EXE" CommandLine="* -r*" OR CommandLine="* /r*" OR CommandLine="* –r*" OR CommandLine="* —r*" OR CommandLine="* ―r*" | fields - _raw | collect index=notable_events source="Rebuild Performance Counter Values Via Lodctr.EXE" marker="guid=cc9d3712-6310-4320-b2df-7cb408274d53,tags=attack.execution," +[HackTool - Windows Credential Editor (WCE) Execution] +description = Detects the use of Windows Credential Editor (WCE) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Imphash IN ("a53a02b997935fd8eedcb5f7abab9b9f", "e96a73c7bf33a464c510ede582318bf2") OR Hashes IN ("*IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f*", "*IMPHASH=e96a73c7bf33a464c510ede582318bf2*") OR (CommandLine="*.exe -S" ParentImage="*\\services.exe") NOT Image="*\\clussvc.exe" | fields - _raw | collect index=notable_events source="HackTool - Windows Credential Editor (WCE) Execution" marker="guid=7aa7009a-28b9-4344-8c1f-159489a390df,tags=attack.credential-access,tags=attack.t1003.001,tags=attack.s0005," +[Suspicious RASdial Activity] +description = Detects suspicious process related to rasdial.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*rasdial.exe" | fields - _raw | collect index=notable_events source="Suspicious RASdial Activity" marker="guid=6bba49bf-7f8c-47d6-a1bb-6b4dece4640e,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1059," +[Suspicious Scheduled Task Name As GUID] +description = Detects creation of a scheduled task with a GUID like name +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" CommandLine="*/Create *" CommandLine IN ("*/TN \"{*", "*/TN '{*", "*/TN {*") CommandLine IN ("*}\"*", "*}'*", "*} *") | fields - _raw | collect index=notable_events 
source="Suspicious Scheduled Task Name As GUID" marker="guid=ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b,tags=attack.execution,tags=attack.t1053.005," +[Potential Commandline Obfuscation Using Escape Characters] +description = Detects potential commandline obfuscation using known escape characters +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*h^t^t^p*", "*h\"t\"t\"p*") | fields - _raw | collect index=notable_events source="Potential Commandline Obfuscation Using Escape Characters" marker="guid=f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd,tags=attack.defense-evasion,tags=attack.t1140," +[Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE] +description = Detects usage of cmdkey to look for cached credentials on the system +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmdkey.exe" OR OriginalFileName="cmdkey.exe" CommandLine="* -l*" OR CommandLine="* /l*" OR CommandLine="* –l*" OR CommandLine="* —l*" OR CommandLine="* ―l*" | table CommandLine,ParentCommandLine,User | fields - _raw | collect index=notable_events source="Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE" marker="guid=07f8bdc2-c9b3-472a-9817-5a670b872f53,tags=attack.credential-access,tags=attack.t1003.005," +[Detection of PowerShell Execution via Sqlps.exe] +description = This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\sqlps.exe" OR (Image="*\\sqlps.exe" OR OriginalFileName="sqlps.exe" NOT ParentImage="*\\sqlagent.exe") | fields - _raw | collect index=notable_events source="Detection of PowerShell Execution via Sqlps.exe" marker="guid=0152550d-3a26-4efd-9f0e-54a0b28ae2f3,tags=attack.execution,tags=attack.t1059.001,tags=attack.defense-evasion,tags=attack.t1127," +[File Download with Headless Browser] +description = Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\brave.exe", "*\\chrome.exe", "*\\msedge.exe", "*\\opera.exe", "*\\vivaldi.exe") CommandLine="*--headless*" CommandLine="*dump-dom*" CommandLine="*http*" | fields - _raw | collect index=notable_events source="File Download with Headless Browser" marker="guid=0e8cfe08-02c9-4815-a2f8-0d157b7ed33e,tags=attack.command-and-control,tags=attack.t1105," +[PowerShell Base64 Encoded FromBase64String Cmdlet] +description = Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*OjpGcm9tQmFzZTY0U3RyaW5n*" OR CommandLine="*o6RnJvbUJhc2U2NFN0cmluZ*" OR CommandLine="*6OkZyb21CYXNlNjRTdHJpbm*" OR CommandLine IN ("*OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA*", "*oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA*", "*6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw*") | fields - _raw | collect index=notable_events source="PowerShell Base64 Encoded FromBase64String Cmdlet" marker="guid=fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c,tags=attack.defense-evasion,tags=attack.t1140,tags=attack.execution,tags=attack.t1059.001," +[PUA - Potential PE Metadata Tamper Using Rcedit] +description = Detects the use of rcedit to 
potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\rcedit-x64.exe", "*\\rcedit-x86.exe") OR Description="Edit resources of exe" OR Product="rcedit" CommandLine="*--set-*" CommandLine IN ("*OriginalFileName*", "*CompanyName*", "*FileDescription*", "*ProductName*", "*ProductVersion*", "*LegalCopyright*") | fields - _raw | collect index=notable_events source="PUA - Potential PE Metadata Tamper Using Rcedit" marker="guid=0c92f2e6-f08f-4b73-9216-ecb0ca634689,tags=attack.defense-evasion,tags=attack.t1036.003,tags=attack.t1036,tags=attack.t1027.005,tags=attack.t1027," +[Arbitrary File Download Via MSEDGE_PROXY.EXE] +description = Detects usage of "msedge_proxy.exe" to download arbitrary files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msedge_proxy.exe" OR OriginalFileName="msedge_proxy.exe" CommandLine IN ("*http://*", "*https://*") | fields - _raw | collect index=notable_events source="Arbitrary File Download Via MSEDGE_PROXY.EXE" marker="guid=e84d89c4-f544-41ca-a6af-4b92fd38b023,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218," +[Remote Access Tool - Simple Help Execution] +description = An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\JWrapper-Remote Access\\*", "*\\JWrapper-Remote Support\\*") Image="*\\SimpleService.exe" | fields - _raw | collect index=notable_events source="Remote Access Tool - Simple Help Execution" marker="guid=95e60a2b-4705-444b-b7da-ba0ea81a3ee2,tags=attack.command-and-control,tags=attack.t1219," +[PowerShell Set-Acl On Windows Folder] +description = Detects PowerShell scripts to set the ACL to a file in the Windows folder +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") OR Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine="*Set-Acl *" CommandLine="*-AclObject *" CommandLine IN ("*-Path \"C:\\Windows*", "*-Path 'C:\\Windows*", "*-Path %windir%*", "*-Path $env:windir*") CommandLine IN ("*FullControl*", "*Allow*") | fields - _raw | collect index=notable_events source="PowerShell Set-Acl On Windows Folder" marker="guid=0944e002-e3f6-4eb5-bf69-3a3067b53d73,tags=attack.defense-evasion," +[File With Suspicious Extension Downloaded Via Bitsadmin] +description = Detects usage of bitsadmin downloading a file with a suspicious extension +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\bitsadmin.exe" OR OriginalFileName="bitsadmin.exe" CommandLine IN ("* /transfer *", "* /create *", "* /addfile *") CommandLine IN ("*.7z*", "*.asax*", "*.ashx*", "*.asmx*", "*.asp*", "*.aspx*", "*.bat*", "*.cfm*", "*.cgi*", "*.chm*", "*.cmd*", "*.dll*", "*.gif*", "*.jpeg*", "*.jpg*", "*.jsp*", "*.jspx*", "*.log*", "*.png*", "*.ps1*", "*.psm1*", "*.rar*", "*.scf*", "*.sct*", "*.txt*", "*.vbe*", "*.vbs*", "*.war*", "*.wsf*", "*.wsh*", "*.xll*", "*.zip*") | fields - _raw | collect index=notable_events source="File With Suspicious Extension Downloaded Via Bitsadmin" 
marker="guid=5b80a791-ad9b-4b75-bcc1-ad4e1e89c200,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,tags=attack.s0190,tags=attack.t1036.003," +[Renamed CreateDump Utility Execution] +description = Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="FX_VER_INTERNALNAME_STR" OR (CommandLine="* -u *" CommandLine="* -f *" CommandLine="*.dmp*") OR (CommandLine="* --full *" CommandLine="* --name *" CommandLine="*.dmp*") NOT Image="*\\createdump.exe" | fields - _raw | collect index=notable_events source="Renamed CreateDump Utility Execution" marker="guid=1a1ed54a-2ba4-4221-94d5-01dee560d71e,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1003.001," +[Sysinternals PsService Execution] +description = Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="psservice.exe" OR Image IN ("*\\PsService.exe", "*\\PsService64.exe") | fields - _raw | collect index=notable_events source="Sysinternals PsService Execution" marker="guid=3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f,tags=attack.discovery,tags=attack.persistence,tags=attack.t1543.003," +[RestrictedAdminMode Registry Value Tampering - ProcCreation] +description = Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. 
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\System\\CurrentControlSet\\Control\\Lsa\\*" CommandLine="*DisableRestrictedAdmin*" | fields - _raw | collect index=notable_events source="RestrictedAdminMode Registry Value Tampering - ProcCreation" marker="guid=28ac00d6-22d9-4a3c-927f-bbd770104573,tags=attack.defense-evasion,tags=attack.t1112," +[Visual Basic Command Line Compiler Usage] +description = Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\vbc.exe" Image="*\\cvtres.exe" | fields - _raw | collect index=notable_events source="Visual Basic Command Line Compiler Usage" marker="guid=7b10f171-7f04-47c7-9fa2-5be43c76e535,tags=attack.defense-evasion,tags=attack.t1027.004," +[Service Security Descriptor Tampering Via Sc.EXE] +description = Detection of sc.exe utility adding a new service with special permission which hides that service. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sc.exe" OR OriginalFileName="sc.exe" CommandLine="*sdset*" | fields - _raw | collect index=notable_events source="Service Security Descriptor Tampering Via Sc.EXE" marker="guid=98c5aeef-32d5-492f-b174-64a691896d25,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1574.011," +[Detect Virtualbox Driver Installation OR Starting Of VMs] +description = Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*VBoxRT.dll,RTR3Init*", "*VBoxC.dll*", "*VBoxDrv.sys*") OR CommandLine IN ("*startvm*", "*controlvm*") | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Detect Virtualbox Driver Installation OR Starting Of VMs" marker="guid=bab049ca-7471-4828-9024-38279a4c04da,tags=attack.defense-evasion,tags=attack.t1564.006,tags=attack.t1564," +[Disable Windows Defender AV Security Monitoring] +description = Detects attackers attempting to disable Windows Defender using Powershell +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*-DisableBehaviorMonitoring $true*", "*-DisableRuntimeMonitoring $true*")) OR (Image="*\\sc.exe" OR OriginalFileName="sc.exe" (CommandLine="*stop*" CommandLine="*WinDefend*") OR (CommandLine="*delete*" CommandLine="*WinDefend*") OR (CommandLine="*config*" CommandLine="*WinDefend*" CommandLine="*start=disabled*")) | fields - _raw | collect index=notable_events source="Disable Windows Defender AV Security Monitoring" marker="guid=a7ee1722-c3c5-aeff-3212-c777e4733217,tags=attack.defense-evasion,tags=attack.t1562.001," +[Run PowerShell Script from ADS] +description = Detects PowerShell script execution from Alternate Data Stream (ADS) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\powershell.exe", "*\\pwsh.exe") Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine="*Get-Content*" CommandLine="*-Stream*" | fields - _raw | collect index=notable_events source="Run PowerShell Script from ADS" marker="guid=45a594aa-1fbd-4972-a809-ff5a99dd81b8,tags=attack.defense-evasion,tags=attack.t1564.004," +[Arbitrary DLL or Csproj Code Execution Via 
Dotnet.EXE] +description = Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dotnet.exe" OR OriginalFileName=".NET Host" CommandLine IN ("*.csproj", "*.csproj\"", "*.dll", "*.dll\"", "*.csproj'", "*.dll'") | fields - _raw | collect index=notable_events source="Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE" marker="guid=d80d5c81-04ba-45b4-84e4-92eba40e0ad3,tags=attack.defense-evasion,tags=attack.t1218," +[Launch-VsDevShell.PS1 Proxy Execution] +description = Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*Launch-VsDevShell.ps1*" CommandLine IN ("*VsWherePath *", "*VsInstallationPath *") | fields - _raw | collect index=notable_events source="Launch-VsDevShell.PS1 Proxy Execution" marker="guid=45d3a03d-f441-458c-8883-df101a3bb146,tags=attack.defense-evasion,tags=attack.t1216.001," +[Reg Add Suspicious Paths] +description = Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine IN ("*\\AppDataLow\\Software\\Microsoft\\*", "*\\Policies\\Microsoft\\Windows\\OOBE*", "*\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*", "*\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon*", "*\\CurrentControlSet\\Control\\SecurityProviders\\WDigest*", "*\\Microsoft\\Windows Defender\\*") | fields - _raw | collect index=notable_events source="Reg Add Suspicious Paths" marker="guid=b7e2a8d4-74bb-4b78-adc9-3f92af2d4829,tags=attack.defense-evasion,tags=attack.t1112,tags=attack.t1562.001," +[Nltest.EXE Execution] +description = Detects nltest commands that can be used for 
information discovery +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\nltest.exe" OR OriginalFileName="nltestrk.exe" | fields - _raw | collect index=notable_events source="Nltest.EXE Execution" marker="guid=903076ff-f442-475a-b667-4f246bcc203b,tags=attack.discovery,tags=attack.t1016,tags=attack.t1018,tags=attack.t1482," +[Potential DLL Injection Or Execution Using Tracker.exe] +description = Detects potential DLL injection and execution using "Tracker.exe" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\tracker.exe" OR Description="Tracker" CommandLine IN ("* /d *", "* /c *") NOT (CommandLine="* /ERRORREPORT:PROMPT *" OR ParentImage IN ("*\\Msbuild\\Current\\Bin\\MSBuild.exe", "*\\Msbuild\\Current\\Bin\\amd64\\MSBuild.exe")) | fields - _raw | collect index=notable_events source="Potential DLL Injection Or Execution Using Tracker.exe" marker="guid=148431ce-4b70-403d-8525-fcc2993f29ea,tags=attack.defense-evasion,tags=attack.t1055.001," +[Suspicious Scheduled Task Creation Involving Temp Folder] +description = Detects the creation of scheduled tasks that involves a temporary folder and runs only once +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" CommandLine="* /create *" CommandLine="* /sc once *" CommandLine="*\\Temp\\*" | fields - _raw | collect index=notable_events source="Suspicious Scheduled Task Creation Involving Temp Folder" marker="guid=39019a4e-317f-4ce3-ae63-309a8c6b53c5,tags=attack.execution,tags=attack.persistence,tags=attack.t1053.005," +[Potential Privilege Escalation To LOCAL SYSTEM] +description = Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* -s cmd*" 
OR CommandLine="* /s cmd*" OR CommandLine="* –s cmd*" OR CommandLine="* —s cmd*" OR CommandLine="* ―s cmd*" OR CommandLine="* -s -i cmd*" OR CommandLine="* -s /i cmd*" OR CommandLine="* -s –i cmd*" OR CommandLine="* -s —i cmd*" OR CommandLine="* -s ―i cmd*" OR CommandLine="* /s -i cmd*" OR CommandLine="* /s /i cmd*" OR CommandLine="* /s –i cmd*" OR CommandLine="* /s —i cmd*" OR CommandLine="* /s ―i cmd*" OR CommandLine="* –s -i cmd*" OR CommandLine="* –s /i cmd*" OR CommandLine="* –s –i cmd*" OR CommandLine="* –s —i cmd*" OR CommandLine="* –s ―i cmd*" OR CommandLine="* —s -i cmd*" OR CommandLine="* —s /i cmd*" OR CommandLine="* —s –i cmd*" OR CommandLine="* —s —i cmd*" OR CommandLine="* —s ―i cmd*" OR CommandLine="* ―s -i cmd*" OR CommandLine="* ―s /i cmd*" OR CommandLine="* ―s –i cmd*" OR CommandLine="* ―s —i cmd*" OR CommandLine="* ―s ―i cmd*" OR CommandLine="* -i -s cmd*" OR CommandLine="* -i /s cmd*" OR CommandLine="* -i –s cmd*" OR CommandLine="* -i —s cmd*" OR CommandLine="* -i ―s cmd*" OR CommandLine="* /i -s cmd*" OR CommandLine="* /i /s cmd*" OR CommandLine="* /i –s cmd*" OR CommandLine="* /i —s cmd*" OR CommandLine="* /i ―s cmd*" OR CommandLine="* –i -s cmd*" OR CommandLine="* –i /s cmd*" OR CommandLine="* –i –s cmd*" OR CommandLine="* –i —s cmd*" OR CommandLine="* –i ―s cmd*" OR CommandLine="* —i -s cmd*" OR CommandLine="* —i /s cmd*" OR CommandLine="* —i –s cmd*" OR CommandLine="* —i —s cmd*" OR CommandLine="* —i ―s cmd*" OR CommandLine="* ―i -s cmd*" OR CommandLine="* ―i /s cmd*" OR CommandLine="* ―i –s cmd*" OR CommandLine="* ―i —s cmd*" OR CommandLine="* ―i ―s cmd*" OR CommandLine="* -s pwsh*" OR CommandLine="* /s pwsh*" OR CommandLine="* –s pwsh*" OR CommandLine="* —s pwsh*" OR CommandLine="* ―s pwsh*" OR CommandLine="* -s -i pwsh*" OR CommandLine="* -s /i pwsh*" OR CommandLine="* -s –i pwsh*" OR CommandLine="* -s —i pwsh*" OR CommandLine="* -s ―i pwsh*" OR CommandLine="* /s -i pwsh*" OR CommandLine="* /s /i pwsh*" OR CommandLine="* /s –i pwsh*" OR 
CommandLine="* /s —i pwsh*" OR CommandLine="* /s ―i pwsh*" OR CommandLine="* –s -i pwsh*" OR CommandLine="* –s /i pwsh*" OR CommandLine="* –s –i pwsh*" OR CommandLine="* –s —i pwsh*" OR CommandLine="* –s ―i pwsh*" OR CommandLine="* —s -i pwsh*" OR CommandLine="* —s /i pwsh*" OR CommandLine="* —s –i pwsh*" OR CommandLine="* —s —i pwsh*" OR CommandLine="* —s ―i pwsh*" OR CommandLine="* ―s -i pwsh*" OR CommandLine="* ―s /i pwsh*" OR CommandLine="* ―s –i pwsh*" OR CommandLine="* ―s —i pwsh*" OR CommandLine="* ―s ―i pwsh*" OR CommandLine="* -i -s pwsh*" OR CommandLine="* -i /s pwsh*" OR CommandLine="* -i –s pwsh*" OR CommandLine="* -i —s pwsh*" OR CommandLine="* -i ―s pwsh*" OR CommandLine="* /i -s pwsh*" OR CommandLine="* /i /s pwsh*" OR CommandLine="* /i –s pwsh*" OR CommandLine="* /i —s pwsh*" OR CommandLine="* /i ―s pwsh*" OR CommandLine="* –i -s pwsh*" OR CommandLine="* –i /s pwsh*" OR CommandLine="* –i –s pwsh*" OR CommandLine="* –i —s pwsh*" OR CommandLine="* –i ―s pwsh*" OR CommandLine="* —i -s pwsh*" OR CommandLine="* —i /s pwsh*" OR CommandLine="* —i –s pwsh*" OR CommandLine="* —i —s pwsh*" OR CommandLine="* —i ―s pwsh*" OR CommandLine="* ―i -s pwsh*" OR CommandLine="* ―i /s pwsh*" OR CommandLine="* ―i –s pwsh*" OR CommandLine="* ―i —s pwsh*" OR CommandLine="* ―i ―s pwsh*" OR CommandLine="* -s powershell*" OR CommandLine="* /s powershell*" OR CommandLine="* –s powershell*" OR CommandLine="* —s powershell*" OR CommandLine="* ―s powershell*" OR CommandLine="* -s -i powershell*" OR CommandLine="* -s /i powershell*" OR CommandLine="* -s –i powershell*" OR CommandLine="* -s —i powershell*" OR CommandLine="* -s ―i powershell*" OR CommandLine="* /s -i powershell*" OR CommandLine="* /s /i powershell*" OR CommandLine="* /s –i powershell*" OR CommandLine="* /s —i powershell*" OR CommandLine="* /s ―i powershell*" OR CommandLine="* –s -i powershell*" OR CommandLine="* –s /i powershell*" OR CommandLine="* –s –i powershell*" OR CommandLine="* –s —i powershell*" OR 
CommandLine="* –s ―i powershell*" OR CommandLine="* —s -i powershell*" OR CommandLine="* —s /i powershell*" OR CommandLine="* —s –i powershell*" OR CommandLine="* —s —i powershell*" OR CommandLine="* —s ―i powershell*" OR CommandLine="* ―s -i powershell*" OR CommandLine="* ―s /i powershell*" OR CommandLine="* ―s –i powershell*" OR CommandLine="* ―s —i powershell*" OR CommandLine="* ―s ―i powershell*" OR CommandLine="* -i -s powershell*" OR CommandLine="* -i /s powershell*" OR CommandLine="* -i –s powershell*" OR CommandLine="* -i —s powershell*" OR CommandLine="* -i ―s powershell*" OR CommandLine="* /i -s powershell*" OR CommandLine="* /i /s powershell*" OR CommandLine="* /i –s powershell*" OR CommandLine="* /i —s powershell*" OR CommandLine="* /i ―s powershell*" OR CommandLine="* –i -s powershell*" OR CommandLine="* –i /s powershell*" OR CommandLine="* –i –s powershell*" OR CommandLine="* –i —s powershell*" OR CommandLine="* –i ―s powershell*" OR CommandLine="* —i -s powershell*" OR CommandLine="* —i /s powershell*" OR CommandLine="* —i –s powershell*" OR CommandLine="* —i —s powershell*" OR CommandLine="* —i ―s powershell*" OR CommandLine="* ―i -s powershell*" OR CommandLine="* ―i /s powershell*" OR CommandLine="* ―i –s powershell*" OR CommandLine="* ―i —s powershell*" OR CommandLine="* ―i ―s powershell*" NOT (CommandLine IN ("*paexec*", "*PsExec*", "*accepteula*")) | fields - _raw | collect index=notable_events source="Potential Privilege Escalation To LOCAL SYSTEM" marker="guid=207b0396-3689-42d9-8399-4222658efc99,tags=attack.resource-development,tags=attack.t1587.001," +[File In Suspicious Location Encoded To Base64 Via Certutil.EXE] +description = Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certutil.exe" OR OriginalFileName="CertUtil.exe" 
CommandLine="*-encode*" OR CommandLine="*/encode*" OR CommandLine="*–encode*" OR CommandLine="*—encode*" OR CommandLine="*―encode*" CommandLine IN ("*\\AppData\\Roaming\\*", "*\\Desktop\\*", "*\\Local\\Temp\\*", "*\\PerfLogs\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*", "*$Recycle.Bin*") | fields - _raw | collect index=notable_events source="File In Suspicious Location Encoded To Base64 Via Certutil.EXE" marker="guid=82a6714f-4899-4f16-9c1e-9a333544d4c3,tags=attack.defense-evasion,tags=attack.t1027," +[Suspicious WebDav Client Execution Via Rundll32.EXE] +description = Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\svchost.exe" ParentCommandLine="*-s WebClient*" Image="*\\rundll32.exe" CommandLine="*C:\\windows\\system32\\davclnt.dll,DavSetCookie*" NOT (CommandLine IN ("*://10.*", "*://192.168.*", "*://172.16.*", "*://172.17.*", "*://172.18.*", "*://172.19.*", "*://172.20.*", "*://172.21.*", "*://172.22.*", "*://172.23.*", "*://172.24.*", "*://172.25.*", "*://172.26.*", "*://172.27.*", "*://172.28.*", "*://172.29.*", "*://172.30.*", "*://172.31.*", "*://127.*", "*://169.254.*"))\ +| regex CommandLine="://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" | fields - _raw | collect index=notable_events source="Suspicious WebDav Client Execution Via Rundll32.EXE" marker="guid=982e9f2d-1a85-4d5b-aea4-31f5e97c6555,tags=attack.exfiltration,tags=attack.t1048.003,tags=cve.2023-23397," +[Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)] +description = Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ntdsutil.exe" OR OriginalFileName="ntdsutil.exe" (CommandLine="*snapshot*" CommandLine="*mount *") OR (CommandLine="*ac*" CommandLine="* i*" CommandLine="* ntds*") | fields - _raw | collect index=notable_events source="Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" marker="guid=a58353df-af43-4753-bad0-cd83ef35eef5,tags=attack.credential-access,tags=attack.t1003.003," +[Potential CommandLine Path Traversal Via Cmd.EXE] +description = Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\cmd.exe" OR Image="*\\cmd.exe" OR OriginalFileName="cmd.exe" ParentCommandLine IN ("*/c*", "*/k*", "*/r*") OR CommandLine IN ("*/c*", "*/k*", "*/r*") ParentCommandLine="/../../" OR CommandLine="*/../../*" NOT CommandLine="*\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java*" | fields - _raw | collect index=notable_events source="Potential CommandLine Path Traversal Via Cmd.EXE" marker="guid=087790e3-3287-436c-bccf-cbd0184a7db1,tags=attack.execution,tags=attack.t1059.003," +[Suspicious Vsls-Agent Command With AgentExtensionPath Load] +description = Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\vsls-agent.exe" CommandLine="*--agentExtensionPath*" NOT CommandLine="*Microsoft.VisualStudio.LiveShare.Agent.*" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Vsls-Agent Command With AgentExtensionPath Load" marker="guid=43103702-5886-11ed-9b6a-0242ac120002,tags=attack.defense-evasion,tags=attack.t1218," +[Possible Privilege Escalation via 
Weak Service Permissions] +description = Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sc.exe" IntegrityLevel="Medium" (CommandLine="*config*" CommandLine="*binPath*") OR (CommandLine="*failure*" CommandLine="*command*") | fields - _raw | collect index=notable_events source="Possible Privilege Escalation via Weak Service Permissions" marker="guid=d937b75f-a665-4480-88a5-2f20e9f9b22a,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1574.011," +[Potentially Suspicious Desktop Background Change Using Reg.EXE] +description = Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine="*add*" CommandLine IN ("*Control Panel\\Desktop*", "*CurrentVersion\\Policies\\ActiveDesktop*", "*CurrentVersion\\Policies\\System*") (CommandLine="*/v NoChangingWallpaper*" CommandLine="*/d 1*") OR (CommandLine="*/v Wallpaper*" CommandLine="*/t REG_SZ*") OR (CommandLine="*/v WallpaperStyle*" CommandLine="*/d 2*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Desktop Background Change Using Reg.EXE" marker="guid=8cbc9475-8d05-4e27-9c32-df960716c701,tags=attack.defense-evasion,tags=attack.impact,tags=attack.t1112,tags=attack.t1491.001," +[Regsvr32 Execution From Potential Suspicious Location] +description = Detects execution of regsvr32 where the DLL is located in a potentially suspicious location. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regsvr32.exe" OR OriginalFileName="REGSVR32.EXE" CommandLine IN ("*:\\ProgramData\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*") | fields - _raw | collect index=notable_events source="Regsvr32 Execution From Potential Suspicious Location" marker="guid=9525dc73-0327-438c-8c04-13c0e037e9da,tags=attack.defense-evasion,tags=attack.t1218.010," +[Potentially Suspicious ASP.NET Compilation Via AspNetCompiler] +description = Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*C:\\Windows\\Microsoft.NET\\Framework\\*", "*C:\\Windows\\Microsoft.NET\\Framework64\\*") Image="*\\aspnet_compiler.exe" CommandLine IN ("*\\Users\\Public\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Local\\Roaming\\*", "*:\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\Windows\\System32\\Tasks\\*", "*:\\Windows\\Tasks\\*") | fields - _raw | collect index=notable_events source="Potentially Suspicious ASP.NET Compilation Via AspNetCompiler" marker="guid=9f50fe98-fe5c-4a2d-86c7-fad7f63ed622,tags=attack.defense-evasion,tags=attack.t1127," +[Unusual Parent Process For Cmd.EXE] +description = Detects suspicious parent process for cmd.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" ParentImage IN ("*\\csrss.exe", "*\\ctfmon.exe", "*\\dllhost.exe", "*\\epad.exe", "*\\FlashPlayerUpdateService.exe", "*\\GoogleUpdate.exe", "*\\jucheck.exe", "*\\jusched.exe", "*\\LogonUI.exe", "*\\lsass.exe", "*\\regsvr32.exe", "*\\SearchIndexer.exe", "*\\SearchProtocolHost.exe", "*\\SIHClient.exe", "*\\sihost.exe", "*\\slui.exe", "*\\spoolsv.exe", "*\\sppsvc.exe", "*\\taskhostw.exe", "*\\unsecapp.exe", "*\\WerFault.exe", 
"*\\wermgr.exe", "*\\wlanext.exe", "*\\WUDFHost.exe") | fields - _raw | collect index=notable_events source="Unusual Parent Process For Cmd.EXE" marker="guid=4b991083-3d0e-44ce-8fc4-b254025d8d4b,tags=attack.execution,tags=attack.t1059," +[Suspicious ZipExec Execution] +description = ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*/generic:Microsoft_Windows_Shell_ZipFolder:filename=*" CommandLine="*.zip*" CommandLine="*/pass:*" CommandLine="*/user:*") OR (CommandLine="*/delete*" CommandLine="*Microsoft_Windows_Shell_ZipFolder:filename=*" CommandLine="*.zip*") | fields - _raw | collect index=notable_events source="Suspicious ZipExec Execution" marker="guid=90dcf730-1b71-4ae7-9ffc-6fcf62bd0132,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1202," +[Potential Encoded PowerShell Patterns In CommandLine] +description = Detects specific combinations of encoding methods in PowerShell via the commandline +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") (CommandLine IN ("*ToInt*", "*ToDecimal*", "*ToByte*", "*ToUint*", "*ToSingle*", "*ToSByte*") CommandLine IN ("*ToChar*", "*ToString*", "*String*")) OR (CommandLine="*char*" CommandLine="*join*") OR (CommandLine="*split*" CommandLine="*join*") | fields - _raw | collect index=notable_events source="Potential Encoded PowerShell Patterns In CommandLine" marker="guid=cdf05894-89e7-4ead-b2b0-0a5f97a90f2f,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[PowerShell Script Change Permission Via Set-Acl] +description = Detects PowerShell execution to set the ACL of a file or a folder +search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") OR Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine="*Set-Acl *" CommandLine="*-AclObject *" CommandLine="*-Path *" | fields - _raw | collect index=notable_events source="PowerShell Script Change Permission Via Set-Acl" marker="guid=bdeb2cff-af74-4094-8426-724dc937f20a,tags=attack.defense-evasion," +[UAC Bypass WSReset] +description = Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wsreset.exe" IntegrityLevel IN ("High", "System") | fields - _raw | collect index=notable_events source="UAC Bypass WSReset" marker="guid=89a9a0e0-f61a-42e5-8957-b1479565a658,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[Suspicious Child Process Of BgInfo.EXE] +description = Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\bginfo.exe", "*\\bginfo64.exe") Image IN ("*\\calc.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\notepad.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe") OR Image IN ("*\\AppData\\Local\\*", "*\\AppData\\Roaming\\*", "*:\\Users\\Public\\*", "*:\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\PerfLogs\\*") | fields - _raw | collect index=notable_events source="Suspicious Child Process Of BgInfo.EXE" marker="guid=811f459f-9231-45d4-959a-0266c6311987,tags=attack.execution,tags=attack.t1059.005,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1202," +[Windows Share Mount Via Net.EXE] +description = Detects when a share is mounted using the "net.exe" utility +search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine IN ("* use *", "* \\\\*") | fields - _raw | collect index=notable_events source="Windows Share Mount Via Net.EXE" marker="guid=f117933c-980c-4f78-b384-e3d838111165,tags=attack.lateral-movement,tags=attack.t1021.002," +[Suspicious Debugger Registration Cmdline] +description = Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\CurrentVersion\\Image File Execution Options\\*" CommandLine IN ("*sethc.exe*", "*utilman.exe*", "*osk.exe*", "*magnify.exe*", "*narrator.exe*", "*displayswitch.exe*", "*atbroker.exe*", "*HelpPane.exe*") | fields - _raw | collect index=notable_events source="Suspicious Debugger Registration Cmdline" marker="guid=ae215552-081e-44c7-805f-be16f975c8a2,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1546.008," +[MMC Spawning Windows Shell] +description = Detects a Windows command line executable started from MMC +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\mmc.exe" Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\reg.exe", "*\\regsvr32.exe") OR Image="*\\BITSADMIN*" | table CommandLine,Image,ParentCommandLine | fields - _raw | collect index=notable_events source="MMC Spawning Windows Shell" marker="guid=05a2ab7e-ce11-4b63-86db-ab32e763e11d,tags=attack.lateral-movement,tags=attack.t1021.003," +[Enumeration for 3rd Party Creds From CLI] +description = Detects processes that query known 3rd party registry keys that holds credentials via commandline +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 
CommandLine IN ("*\\Software\\SimonTatham\\PuTTY\\Sessions*", "*\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\*", "*\\Software\\Mobatek\\MobaXterm\\*", "*\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin*", "*\\Software\\Aerofox\\FoxmailPreview*", "*\\Software\\Aerofox\\Foxmail\\V3.1*", "*\\Software\\IncrediMail\\Identities*", "*\\Software\\Qualcomm\\Eudora\\CommandLine*", "*\\Software\\RimArts\\B2\\Settings*", "*\\Software\\OpenVPN-GUI\\configs*", "*\\Software\\Martin Prikryl\\WinSCP 2\\Sessions*", "*\\Software\\FTPWare\\COREFTP\\Sites*", "*\\Software\\DownloadManager\\Passwords*", "*\\Software\\OpenSSH\\Agent\\Keys*", "*\\Software\\TightVNC\\Server*", "*\\Software\\ORL\\WinVNC3\\Password*", "*\\Software\\RealVNC\\WinVNC4*") | fields - _raw | collect index=notable_events source="Enumeration for 3rd Party Creds From CLI" marker="guid=87a476dc-0079-4583-a985-dee7a20a03de,tags=attack.credential-access,tags=attack.t1552.002," +[DLL Loaded via CertOC.EXE] +description = Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certoc.exe" OR OriginalFileName="CertOC.exe" CommandLine="* -LoadDLL *" OR CommandLine="* /LoadDLL *" OR CommandLine="* –LoadDLL *" OR CommandLine="* —LoadDLL *" OR CommandLine="* ―LoadDLL *" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="DLL Loaded via CertOC.EXE" marker="guid=242301bc-f92f-4476-8718-78004a6efd9f,tags=attack.defense-evasion,tags=attack.t1218," +[UAC Bypass Using Consent and Comctl32 - Process] +description = Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\consent.exe" Image="*\\werfault.exe" IntegrityLevel IN ("High", "System") | fields - _raw | collect index=notable_events source="UAC Bypass Using Consent and Comctl32 - Process" marker="guid=1ca6bd18-0ba0-44ca-851c-92ed89a61085,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[PowerShell Get-Process LSASS] +description = Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Get-Process lsas*", "*ps lsas*", "*gps lsas*") | fields - _raw | collect index=notable_events source="PowerShell Get-Process LSASS" marker="guid=b2815d0d-7481-4bf0-9b6c-a4c48a94b349,tags=attack.credential-access,tags=attack.t1552.004," +[Suspicious Manipulation Of Default Accounts Via Net.EXE] +description = Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. 
For example 'enable' or 'disable' accounts or change the password...etc +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine="* user *" CommandLine IN ("* Järjestelmänvalvoja *", "* Rendszergazda *", "* Администратор *", "* Administrateur *", "* Administrador *", "* Administratör *", "* Administrator *", "* guest *", "* DefaultAccount *", "* \"Järjestelmänvalvoja\" *", "* \"Rendszergazda\" *", "* \"Администратор\" *", "* \"Administrateur\" *", "* \"Administrador\" *", "* \"Administratör\" *", "* \"Administrator\" *", "* \"guest\" *", "* \"DefaultAccount\" *", "* 'Järjestelmänvalvoja' *", "* 'Rendszergazda' *", "* 'Администратор' *", "* 'Administrateur' *", "* 'Administrador' *", "* 'Administratör' *", "* 'Administrator' *", "* 'guest' *", "* 'DefaultAccount' *") NOT (CommandLine="*guest*" CommandLine="*/active no*") | fields - _raw | collect index=notable_events source="Suspicious Manipulation Of Default Accounts Via Net.EXE" marker="guid=5b768e71-86f2-4879-b448-81061cbae951,tags=attack.collection,tags=attack.t1560.001," +[Potential SPN Enumeration Via Setspn.EXE] +description = Detects service principal name (SPN) enumeration used for Kerberoasting +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\setspn.exe" OR OriginalFileName="setspn.exe" OR (Description="*Query or reset the computer*" Description="*SPN attribute*") CommandLine IN ("* -q *", "* /q *") | fields - _raw | collect index=notable_events source="Potential SPN Enumeration Via Setspn.EXE" marker="guid=1eeed653-dbc8-4187-ad0c-eeebb20e6599,tags=attack.credential-access,tags=attack.t1558.003," +[Stop Windows Service Via Net.EXE] +description = Detects the stopping of a Windows service via the "net" utility. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("net.exe", "net1.exe") OR Image IN ("*\\net.exe", "*\\net1.exe") CommandLine="* stop *" | fields - _raw | collect index=notable_events source="Stop Windows Service Via Net.EXE" marker="guid=88872991-7445-4a22-90b2-a3adadb0e827,tags=attack.impact,tags=attack.t1489," +[Potential Persistence Attempt Via Run Keys Using Reg.EXE] +description = Detects suspicious command line reg.exe tool adding key to RUN key in Registry +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*reg*" CommandLine="* ADD *" CommandLine="*Software\\Microsoft\\Windows\\CurrentVersion\\Run*" | fields - _raw | collect index=notable_events source="Potential Persistence Attempt Via Run Keys Using Reg.EXE" marker="guid=de587dce-915e-4218-aac4-835ca6af6f70,tags=attack.persistence,tags=attack.t1547.001," +[Sysinternals PsSuspend Execution] +description = Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="pssuspend.exe" OR Image IN ("*\\pssuspend.exe", "*\\pssuspend64.exe") | fields - _raw | collect index=notable_events source="Sysinternals PsSuspend Execution" marker="guid=48bbc537-b652-4b4e-bd1d-281172df448f,tags=attack.discovery,tags=attack.persistence,tags=attack.t1543.003," +[Suspicious UltraVNC Execution] +description = Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*-autoreconnect *" CommandLine="*-connect *" CommandLine="*-id:*" | fields - _raw | collect index=notable_events source="Suspicious UltraVNC Execution" marker="guid=871b9555-69ca-4993-99d3-35a59f9f3599,tags=attack.lateral-movement,tags=attack.g0047,tags=attack.t1021.005,"
+[HackTool - Htran/NATBypass Execution]
+description = Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\htran.exe", "*\\lcx.exe") OR CommandLine IN ("*.exe -tran *", "*.exe -slave *") | fields - _raw | collect index=notable_events source="HackTool - Htran/NATBypass Execution" marker="guid=f5e3b62f-e577-4e59-931e-0a15b2b94e1e,tags=attack.command-and-control,tags=attack.t1090,tags=attack.s0040,"
+[MsiExec Web Install]
+description = Detects suspicious msiexec process starts with web addresses as parameter
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* msiexec*" CommandLine="*://*" | fields - _raw | collect index=notable_events source="MsiExec Web Install" marker="guid=f7b5f842-a6af-4da5-9e95-e32478f3cd2f,tags=attack.defense-evasion,tags=attack.t1218.007,tags=attack.command-and-control,tags=attack.t1105,"
+[HackTool - KrbRelayUp Execution]
+description = Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\KrbRelayUp.exe" OR OriginalFileName="KrbRelayUp.exe" OR (CommandLine="* relay *" CommandLine="* -Domain *" CommandLine="* -ComputerName *") OR (CommandLine="* krbscm *" CommandLine="* -sc *") OR (CommandLine="* spawn *"
CommandLine="* -d *" CommandLine="* -cn *" CommandLine="* -cp *") | fields - _raw | collect index=notable_events source="HackTool - KrbRelayUp Execution" marker="guid=12827a56-61a4-476a-a9cb-f3068f191073,tags=attack.credential-access,tags=attack.t1558.003,tags=attack.lateral-movement,tags=attack.t1550.003,"
+[Renamed PsExec Service Execution]
+description = Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="psexesvc.exe" NOT Image="C:\\Windows\\PSEXESVC.exe" | fields - _raw | collect index=notable_events source="Renamed PsExec Service Execution" marker="guid=51ae86a2-e2e1-4097-ad85-c46cb6851de4,tags=attack.execution,"
+[Potential Suspicious Browser Launch From Document Reader Process]
+description = Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*Acrobat Reader*", "*Microsoft Office*", "*PDF Reader*") Image IN ("*\\brave.exe", "*\\chrome.exe", "*\\firefox.exe", "*\\msedge.exe", "*\\opera.exe", "*\\maxthon.exe", "*\\seamonkey.exe", "*\\vivaldi.exe", "*") CommandLine="*http*" | fields - _raw | collect index=notable_events source="Potential Suspicious Browser Launch From Document Reader Process" marker="guid=1193d960-2369-499f-a158-7b50a31df682,tags=attack.execution,tags=attack.t1204.002,"
+[Potential Adplus.EXE Abuse]
+description = Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\adplus.exe" OR OriginalFileName="Adplus.exe" CommandLine IN ("* -hang *", "* -pn *", "* -pmn *", "* -p *", "* -po *", "* -c *", "* -sc *") | fields - _raw | collect index=notable_events source="Potential Adplus.EXE Abuse" marker="guid=2f869d59-7f6a-4931-992c-cce556ff2d53,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1003.001,"
+[Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell]
+description = Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\WmiPrvSE.exe" Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") | fields - _raw | collect index=notable_events source="Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell" marker="guid=692f0bec-83ba-4d04-af7e-e884a96059b6,tags=attack.execution,tags=attack.t1047,tags=attack.t1059.001,"
+[Abusing Print Executable]
+description = Attackers can use print.exe for remote file copy
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\print.exe" CommandLine="print*" CommandLine="*/D*" CommandLine="*.exe*" NOT CommandLine="*print.exe*" | fields - _raw | collect index=notable_events source="Abusing Print Executable" marker="guid=bafac3d6-7de9-4dd9-8874-4a1194b493ed,tags=attack.defense-evasion,tags=attack.t1218,"
+[Potential Recon Activity Using DriverQuery.EXE]
+description = Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*driverquery.exe" OR OriginalFileName="drvqry.exe" ParentImage IN ("*\\cscript.exe", "*\\mshta.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe")
OR ParentImage IN ("*\\AppData\\Local\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*") | fields - _raw | collect index=notable_events source="Potential Recon Activity Using DriverQuery.EXE" marker="guid=9fc3072c-dc8f-4bf7-b231-18950000fadd,tags=attack.discovery,"
+[Suspicious Execution Location Of Wermgr.EXE]
+description = Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wermgr.exe" NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\WinSxS\\*")) | fields - _raw | collect index=notable_events source="Suspicious Execution Location Of Wermgr.EXE" marker="guid=5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5,tags=attack.execution,"
+[DriverQuery.EXE Execution]
+description = Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*driverquery.exe" OR OriginalFileName="drvqry.exe" NOT (ParentImage IN ("*\\cscript.exe", "*\\mshta.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR ParentImage IN ("*\\AppData\\Local\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*")) | fields - _raw | collect index=notable_events source="DriverQuery.EXE Execution" marker="guid=a20def93-0709-4eae-9bd2-31206e21e6b2,tags=attack.discovery,"
+[OpenWith.exe Executes Specified Binary]
+description = The OpenWith.exe executes other binary
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\OpenWith.exe" CommandLine="*/c*" | fields - _raw | collect index=notable_events source="OpenWith.exe Executes Specified Binary" marker="guid=cec8e918-30f7-4e2d-9bfa-a59cc97ae60f,tags=attack.defense-evasion,tags=attack.t1218,"
+[Remote Access Tool - GoToAssist Execution]
+description = An adversary may use legitimate
desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="GoTo Opener" OR Product="GoTo Opener" OR Company="LogMeIn, Inc." | fields - _raw | collect index=notable_events source="Remote Access Tool - GoToAssist Execution" marker="guid=b6d98a4f-cef0-4abf-bbf6-24132854a83d,tags=attack.command-and-control,tags=attack.t1219,"
+[Tap Installer Execution]
+description = Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\tapinstall.exe" NOT (Image IN ("*:\\Program Files\\Avast Software\\SecureLine VPN\\*", "*:\\Program Files (x86)\\Avast Software\\SecureLine VPN\\*") OR Image="*:\\Program Files\\OpenVPN Connect\\drivers\\tap\\*" OR Image="*:\\Program Files (x86)\\Proton Technologies\\ProtonVPNTap\\installer\\*") | fields - _raw | collect index=notable_events source="Tap Installer Execution" marker="guid=99793437-3e16-439b-be0f-078782cf953d,tags=attack.exfiltration,tags=attack.t1048,"
+[PUA - Radmin Viewer Utility Execution]
+description = Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="Radmin Viewer" OR Product="Radmin Viewer" OR OriginalFileName="Radmin.exe" | fields -
_raw | collect index=notable_events source="PUA - Radmin Viewer Utility Execution" marker="guid=5817e76f-4804-41e6-8f1d-5fa0b3ecae2d,tags=attack.execution,tags=attack.lateral-movement,tags=attack.t1072,"
+[Raccine Uninstall]
+description = Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*taskkill *" CommandLine="*RaccineSettings.exe*") OR (CommandLine="*reg.exe*" CommandLine="*delete*" CommandLine="*Raccine Tray*") OR (CommandLine="*schtasks*" CommandLine="*/DELETE*" CommandLine="*Raccine Rules Updater*") | fields - _raw | collect index=notable_events source="Raccine Uninstall" marker="guid=a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE]
+description = Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*") CommandLine IN ("*.DownloadString(*", "*.DownloadFile(*", "*Invoke-WebRequest *", "*iwr *", "*wget *") | fields - _raw | collect index=notable_events source="Potentially Suspicious File
Download From File Sharing Domain Via PowerShell.EXE" marker="guid=b6e04788-29e1-4557-bb14-77f761848ab8,tags=attack.execution,"
+[Recon Information for Export with Command Prompt]
+description = Once established within a system or network, an adversary may use automated techniques for collecting internal data.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\tree.com", "*\\WMIC.exe", "*\\doskey.exe", "*\\sc.exe") OR OriginalFileName IN ("wmic.exe", "DOSKEY.EXE", "sc.exe") ParentCommandLine IN ("* > %TEMP%\\*", "* > %TMP%\\*") | fields - _raw | collect index=notable_events source="Recon Information for Export with Command Prompt" marker="guid=aa2efee7-34dd-446e-8a37-40790a66efd7,tags=attack.collection,tags=attack.t1119,"
+[PUA - Ngrok Execution]
+description = Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("* tcp 139*", "* tcp 445*", "* tcp 3389*", "* tcp 5985*", "* tcp 5986*") OR (CommandLine="* start *" CommandLine="*--all*" CommandLine="*--config*" CommandLine="*.yml*") OR (Image="*ngrok.exe" CommandLine IN ("* tcp *", "* http *", "* authtoken *")) OR CommandLine IN ("*.exe authtoken *", "*.exe start --all*") | fields - _raw | collect index=notable_events source="PUA - Ngrok Execution" marker="guid=ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31,tags=attack.command-and-control,tags=attack.t1572,"
+[UAC Bypass Using IEInstal - Process]
+description = Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 IntegrityLevel IN ("High", "System") ParentImage="*\\ieinstal.exe" Image="*\\AppData\\Local\\Temp\\*" Image="*consent.exe" | fields - _raw | collect index=notable_events source="UAC Bypass Using IEInstal - Process" marker="guid=80fc36aa-945e-4181-89f2-2f907ab6775d,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,"
+[Potentially Over Permissive Permissions Granted Using Dsacls.EXE]
+description = Detects usage of Dsacls to grant over permissive permissions
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dsacls.exe" OR OriginalFileName="DSACLS.EXE" CommandLine="* /G *" CommandLine IN ("*GR*", "*GE*", "*GW*", "*GA*", "*WP*", "*WD*") | fields - _raw | collect index=notable_events source="Potentially Over Permissive Permissions Granted Using Dsacls.EXE" marker="guid=01c42d3c-242d-4655-85b2-34f1739632f7,tags=attack.defense-evasion,tags=attack.t1218,"
+[PsExec Service Execution]
+description = Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
+search = index=evtx _index_earliest=-1h@h
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="C:\\Windows\\PSEXESVC.exe" OR OriginalFileName="psexesvc.exe" | fields - _raw | collect index=notable_events source="PsExec Service Execution" marker="guid=fdfcbd78-48f1-4a4b-90ac-d82241e368c5,tags=attack.execution,"
+[New User Created Via Net.EXE]
+description = Identifies the creation of local users via the net.exe command.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine="*user*" CommandLine="*add*" | fields - _raw | collect index=notable_events source="New User Created Via Net.EXE" marker="guid=cd219ff3-fa99-45d4-8380-a7d15116c6dc,tags=attack.persistence,tags=attack.t1136.001,"
+[Suspicious Script Execution From Temp Folder]
+description = Detects a suspicious script executions from temporary folder
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\mshta.exe", "*\\wscript.exe", "*\\cscript.exe") CommandLine IN ("*\\Windows\\Temp*", "*\\Temporary Internet*", "*\\AppData\\Local\\Temp*", "*\\AppData\\Roaming\\Temp*", "*%TEMP%*", "*%TMP%*", "*%LocalAppData%\\Temp*") NOT (CommandLine IN ("* >*", "*Out-File*", "*ConvertTo-Json*", "*-WindowStyle hidden -Verb runAs*", "*\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\Amazon\\EC2-Windows\\*")) | fields - _raw | collect index=notable_events source="Suspicious Script Execution From Temp Folder" marker="guid=a6a39bdb-935c-4f0a-ab77-35f4bbf44d33,tags=attack.execution,tags=attack.t1059,"
+[Suspicious New Service Creation]
+description = Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\sc.exe" CommandLine="*create*"
CommandLine="*binPath=*") OR (CommandLine="*New-Service*" CommandLine="*-BinaryPathName*") CommandLine IN ("*powershell*", "*mshta*", "*wscript*", "*cscript*", "*svchost*", "*dllhost*", "*cmd *", "*cmd.exe /c*", "*cmd.exe /k*", "*cmd.exe /r*", "*rundll32*", "*C:\\Users\\Public*", "*\\Downloads\\*", "*\\Desktop\\*", "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "*C:\\Windows\\TEMP\\*", "*\\AppData\\Local\\Temp*") | fields - _raw | collect index=notable_events source="Suspicious New Service Creation" marker="guid=17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1543.003,"
+[Potential Data Exfiltration Activity Via CommandLine Tools]
+description = Detects the use of various CLI utilities exfiltrating data via web requests
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\cmd.exe") CommandLine IN ("*Invoke-WebRequest*", "*iwr *", "*wget *", "*curl *") CommandLine="* -ur*" CommandLine="* -me*" CommandLine="* -b*" CommandLine="* POST *") OR (Image="*\\curl.exe" CommandLine="*--ur*" CommandLine IN ("* -d *", "* --data *")) OR (Image="*\\wget.exe" CommandLine IN ("*--post-data*", "*--post-file*")) CommandLine IN ("*Get-Content*", "*GetBytes*", "*hostname*", "*ifconfig*", "*ipconfig*", "*net view*", "*netstat*", "*nltest*", "*qprocess*", "*sc query*", "*systeminfo*", "*tasklist*", "*ToBase64String*", "*whoami*") OR (CommandLine="*type *" CommandLine="* > *" CommandLine="* C:\\*") | fields - _raw | collect index=notable_events source="Potential Data Exfiltration Activity Via CommandLine Tools" marker="guid=7d1aaf3d-4304-425c-b7c3-162055e0b3ab,tags=attack.execution,tags=attack.t1059.001,"
+[Potential Persistence Attempt Via Existing Service Tampering]
+description = Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential
method for persistence.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*sc *" CommandLine="*config *" CommandLine="*binpath=*") OR (CommandLine="*sc *" CommandLine="*failure*" CommandLine="*command=*") OR ((CommandLine="*reg *" CommandLine="*add *" CommandLine="*FailureCommand*") OR (CommandLine="*reg *" CommandLine="*add *" CommandLine="*ImagePath*") CommandLine IN ("*.sh*", "*.exe*", "*.dll*", "*.bin$*", "*.bat*", "*.cmd*", "*.js*", "*.msh$*", "*.reg$*", "*.scr*", "*.ps*", "*.vb*", "*.jar*", "*.pl*")) | fields - _raw | collect index=notable_events source="Potential Persistence Attempt Via Existing Service Tampering" marker="guid=38879043-7e1e-47a9-8d46-6bec88e201df,tags=attack.persistence,tags=attack.t1543.003,tags=attack.t1574.011,"
+[Suspicious Usage Of ShellExec_RunDLL]
+description = Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*ShellExec_RunDLL*" CommandLine IN ("*regsvr32*", "*msiexec*", "*\\Users\\Public\\*", "*odbcconf*", "*\\Desktop\\*", "*\\Temp\\*", "*Invoke-*", "*iex*", "*comspec*") | fields - _raw | collect index=notable_events source="Suspicious Usage Of ShellExec_RunDLL" marker="guid=d87bd452-6da1-456e-8155-7dc988157b7d,tags=attack.defense-evasion,"
+[Suspicious Command Patterns In Scheduled Task Creation]
+description = Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" CommandLine="*/Create *" (CommandLine IN ("*/sc minute *", "*/ru system *") CommandLine IN ("*cmd /c*", "*cmd /k*", "*cmd /r*", "*cmd.exe /c *", "*cmd.exe /k *", "*cmd.exe /r *")) OR CommandLine IN ("* -decode *", "* -enc *", "* -w hidden *", "*
bypass *", "* IEX*", "*.DownloadData*", "*.DownloadFile*", "*.DownloadString*", "*/c start /min *", "*FromBase64String*", "*mshta http*", "*mshta.exe http*") OR (CommandLine IN ("*:\\ProgramData\\*", "*:\\Temp\\*", "*:\\Tmp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\*", "*%AppData%*", "*%Temp%*", "*%tmp%*") CommandLine IN ("*cscript*", "*curl*", "*wscript*")) | fields - _raw | collect index=notable_events source="Suspicious Command Patterns In Scheduled Task Creation" marker="guid=f2c64357-b1d2-41b7-849f-34d2682c0fad,tags=attack.execution,tags=attack.t1053.005,"
+[Mavinject Inject DLL Into Running Process]
+description = Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* /INJECTRUNNING *" NOT ParentImage="C:\\Windows\\System32\\AppVClient.exe" | fields - _raw | collect index=notable_events source="Mavinject Inject DLL Into Running Process" marker="guid=4f73421b-5a0b-4bbf-a892-5a7fb99bea66,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1055.001,tags=attack.t1218.013,"
+[Potentially Suspicious Call To Win32_NTEventlogFile Class]
+description = Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.)
from a PowerShell script
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*Win32_NTEventlogFile*" CommandLine IN ("*.BackupEventlog(*", "*.ChangeSecurityPermissions(*", "*.ChangeSecurityPermissionsEx(*", "*.ClearEventLog(*", "*.Delete(*", "*.DeleteEx(*", "*.Rename(*", "*.TakeOwnerShip(*", "*.TakeOwnerShipEx(*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Call To Win32_NTEventlogFile Class" marker="guid=caf201a9-c2ce-4a26-9c3a-2b9525413711,tags=attack.defense-evasion,"
+[Arbitrary Command Execution Using WSL]
+description = Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wsl.exe" OR OriginalFileName="wsl.exe" CommandLine IN ("* -e *", "* --exec*", "* --system*", "* --shell-type *", "* /mnt/c*", "* --user root*", "* -u root*", "*--debug-shell*") NOT (ParentImage="*\\cmd.exe" CommandLine="* -d *" CommandLine="* -e kill *") | fields - _raw | collect index=notable_events source="Arbitrary Command Execution Using WSL" marker="guid=dec44ca7-61ad-493c-bfd7-8819c5faa09b,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1202,"
+[Change PowerShell Policies to an Insecure Level]
+description = Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") OR Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("*-executionpolicy *", "* -ep *", "* -exec *") CommandLine IN ("*Bypass*", "*Unrestricted*") | fields - _raw | collect index=notable_events source="Change PowerShell Policies to an Insecure Level" marker="guid=87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180,tags=attack.execution,tags=attack.t1059.001,"
+[Suspicious Electron Application Child Processes]
+description = Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\chrome.exe", "*\\discord.exe", "*\\GitHubDesktop.exe", "*\\keybase.exe", "*\\msedge.exe", "*\\msedgewebview2.exe", "*\\msteams.exe", "*\\slack.exe", "*\\teams.exe") Image IN ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\whoami.exe", "*\\wscript.exe") OR Image IN ("*:\\ProgramData\\*", "*:\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*") NOT (ParentImage="*\\Discord.exe" Image="*\\cmd.exe" CommandLine="*\\NVSMI\\nvidia-smi.exe*") | fields - _raw | collect index=notable_events source="Suspicious Electron Application Child Processes" marker="guid=f26eb764-fd89-464b-85e2-dc4a8e6e77b8,tags=attack.execution,"
+[Suspicious Process Patterns NTDS.DIT Exfil]
+description = Detects suspicious process patterns used in NTDS.DIT exfiltration
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\NTDSDump.exe", "*\\NTDSDumpEx.exe") OR (CommandLine="*ntds.dit*"
CommandLine="*system.hiv*") OR CommandLine="*NTDSgrab.ps1*" OR (CommandLine="*ac i ntds*" CommandLine="*create full*") OR (CommandLine="*/c copy *" CommandLine="*\\windows\\ntds\\ntds.dit*") OR (CommandLine="*activate instance ntds*" CommandLine="*create full*") OR (CommandLine="*powershell*" CommandLine="*ntds.dit*") OR (CommandLine="*ntds.dit*" ParentImage IN ("*\\apache*", "*\\tomcat*", "*\\AppData\\*", "*\\Temp\\*", "*\\Public\\*", "*\\PerfLogs\\*") OR Image IN ("*\\apache*", "*\\tomcat*", "*\\AppData\\*", "*\\Temp\\*", "*\\Public\\*", "*\\PerfLogs\\*")) | fields - _raw | collect index=notable_events source="Suspicious Process Patterns NTDS.DIT Exfil" marker="guid=8bc64091-6875-4881-aaf9-7bd25b5dda08,tags=attack.credential-access,tags=attack.t1003.003,"
+[Remote XSL Execution Via Msxsl.EXE]
+description = Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msxsl.exe" CommandLine="*http*" | fields - _raw | collect index=notable_events source="Remote XSL Execution Via Msxsl.EXE" marker="guid=75d0a94e-6252-448d-a7be-d953dff527bb,tags=attack.defense-evasion,tags=attack.t1220,"
+[Suspicious CustomShellHost Execution]
+description = Detects the execution of CustomShellHost binary where the child isn't located in 'C:\Windows\explorer.exe'
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\CustomShellHost.exe" NOT Image="C:\\Windows\\explorer.exe" | fields - _raw | collect index=notable_events source="Suspicious CustomShellHost Execution" marker="guid=84b14121-9d14-416e-800b-f3b829c5a14d,tags=attack.defense-evasion,tags=attack.t1216,"
+[Indirect Inline Command Execution Via Bash.EXE]
+description = Detects execution of Microsoft bash launcher with the "-c" flag.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*:\\Windows\\System32\\bash.exe", "*:\\Windows\\SysWOW64\\bash.exe") OR OriginalFileName="Bash.exe" CommandLine="* -c *" | fields - _raw | collect index=notable_events source="Indirect Inline Command Execution Via Bash.EXE" marker="guid=5edc2273-c26f-406c-83f3-f4d948e740dd,tags=attack.defense-evasion,tags=attack.t1202,"
+[Potential WinAPI Calls Via CommandLine]
+description = Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*AddSecurityPackage*", "*AdjustTokenPrivileges*", "*Advapi32*", "*CloseHandle*", "*CreateProcessWithToken*", "*CreatePseudoConsole*", "*CreateRemoteThread*", "*CreateThread*", "*CreateUserThread*", "*DangerousGetHandle*", "*DuplicateTokenEx*", "*EnumerateSecurityPackages*", "*FreeHGlobal*", "*FreeLibrary*", "*GetDelegateForFunctionPointer*", "*GetLogonSessionData*", "*GetModuleHandle*", "*GetProcAddress*", "*GetProcessHandle*", "*GetTokenInformation*", "*ImpersonateLoggedOnUser*", "*kernel32*", "*LoadLibrary*", "*memcpy*", "*MiniDumpWriteDump*", "*ntdll*", "*OpenDesktop*", "*OpenProcess*", "*OpenProcessToken*", "*OpenThreadToken*", "*OpenWindowStation*", "*PtrToString*", "*QueueUserApc*", "*ReadProcessMemory*", "*RevertToSelf*", "*RtlCreateUserThread*", "*secur32*", "*SetThreadToken*", "*VirtualAlloc*", "*VirtualFree*", "*VirtualProtect*", "*WaitForSingleObject*", "*WriteInt32*", "*WriteProcessMemory*", "*ZeroFreeGlobalAllocUnicode*") NOT (Image="*\\MpCmdRun.exe" CommandLine="*GetLoadLibraryWAddress32*") | fields - _raw | collect index=notable_events source="Potential WinAPI Calls Via CommandLine"
marker="guid=ba3f5c1b-6272-4119-9dbd-0bc8d21c2702,tags=attack.execution,tags=attack.t1106,"
+[PowerShell Script Run in AppData]
+description = Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*powershell.exe*", "*\\powershell*", "*\\pwsh*", "*pwsh.exe*") CommandLine="*/c *" CommandLine="*\\AppData\\*" CommandLine IN ("*Local\\*", "*Roaming\\*") | fields - _raw | collect index=notable_events source="PowerShell Script Run in AppData" marker="guid=ac175779-025a-4f12-98b0-acdaeb77ea85,tags=attack.execution,tags=attack.t1059.001,"
+[Computer System Reconnaissance Via Wmic.EXE]
+description = Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wmic.exe" OR OriginalFileName="wmic.exe" CommandLine="*computersystem*" | fields - _raw | collect index=notable_events source="Computer System Reconnaissance Via Wmic.EXE" marker="guid=9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f,tags=attack.discovery,tags=attack.execution,tags=attack.t1047,"
+[New Network Trace Capture Started Via Netsh.EXE]
+description = Detects the execution of netsh with the "trace" flag in order to start a network capture
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" CommandLine="*trace*" CommandLine="*start*" | fields - _raw | collect index=notable_events source="New Network Trace Capture Started Via Netsh.EXE" marker="guid=d3c3861d-c504-4c77-ba55-224ba82d0118,tags=attack.discovery,tags=attack.credential-access,tags=attack.t1040,"
+[Powershell Executed From Headless ConHost Process]
+description = Detects the use of powershell
commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\conhost.exe" OR OriginalFileName="CONHOST.EXE" CommandLine="*--headless*" CommandLine="*powershell*" | fields - _raw | collect index=notable_events source="Powershell Executed From Headless ConHost Process" marker="guid=056c7317-9a09-4bd4-9067-d051312752ea,tags=attack.defense-evasion,tags=attack.t1059.001,tags=attack.t1059.003,"
+[Suspicious Rundll32 Execution With Image Extension]
+description = Detects the execution of Rundll32.exe with DLL files masquerading as image files
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.exe" CommandLine IN ("*.bmp*", "*.cr2*", "*.eps*", "*.gif*", "*.ico*", "*.jpeg*", "*.jpg*", "*.nef*", "*.orf*", "*.png*", "*.raw*", "*.sr2*", "*.tif*", "*.tiff*") | fields - _raw | collect index=notable_events source="Suspicious Rundll32 Execution With Image Extension" marker="guid=4aa6040b-3f28-44e3-a769-9208e5feb5ec,tags=attack.defense-evasion,tags=attack.t1218.011,"
+[Visual Studio Code Tunnel Shell Execution]
+description = Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\servers\\Stable-*" ParentImage="*\\server\\node.exe" ParentCommandLine="*.vscode-server*" (Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine="*\\terminal\\browser\\media\\shellIntegration.ps1*") OR Image IN ("*\\wsl.exe", "*\\bash.exe") | fields - _raw | collect index=notable_events source="Visual Studio Code Tunnel Shell Execution" marker="guid=f4a623c2-4ef5-4c33-b811-0642f702c9f1,tags=attack.command-and-control,tags=attack.t1071.001," +[Use of Scriptrunner.exe] +description = The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ScriptRunner.exe" OR OriginalFileName="ScriptRunner.exe" CommandLine="* -appvscript *" | fields - _raw | collect index=notable_events source="Use of Scriptrunner.exe" marker="guid=64760eef-87f7-4ed3-93fd-655668ea9420,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218," +[Using SettingSyncHost.exe as LOLBin] +description = Detects using SettingSyncHost.exe to run hijacked binary +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*")) ParentCommandLine="*cmd.exe /c*" ParentCommandLine="*RoamDiag.cmd*" ParentCommandLine="*-outputpath*" | table TargetFilename,Image | fields - _raw | collect index=notable_events source="Using SettingSyncHost.exe as LOLBin" marker="guid=b2ddd389-f676-4ac4-845a-e00781a48e5f,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1574.008," +[CodePage Modification Via MODE.COM To Russian Language] +description = Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\mode.com" OR OriginalFileName="MODE.COM" CommandLine="* con *" CommandLine="* cp *" CommandLine="* select=*" CommandLine IN ("*=1251", "*=866") | fields - _raw | collect index=notable_events source="CodePage Modification Via MODE.COM To Russian Language" marker="guid=12fbff88-16b5-4b42-9754-cd001a789fb3,tags=attack.defense-evasion,tags=attack.t1036," +[Suspect Svchost Activity] +description = It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*svchost.exe" Image="*\\svchost.exe" NOT (ParentImage IN ("*\\rpcnet.exe", "*\\rpcnetp.exe") OR CommandLine!=*) | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspect Svchost Activity" marker="guid=16c37b52-b141-42a5-a3ea-bbe098444397,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1055," +[Potentially Suspicious Child Process Of Regsvr32] +description = Detects potentially suspicious child processes of "regsvr32.exe". 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\regsvr32.exe" Image IN ("*\\calc.exe", "*\\cscript.exe", "*\\explorer.exe", "*\\mshta.exe", "*\\net.exe", "*\\net1.exe", "*\\nltest.exe", "*\\notepad.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\reg.exe", "*\\schtasks.exe", "*\\werfault.exe", "*\\wscript.exe") NOT (Image="*\\werfault.exe" CommandLine="* -u -p *") | fields - _raw | collect index=notable_events source="Potentially Suspicious Child Process Of Regsvr32" marker="guid=6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca,tags=attack.defense-evasion,tags=attack.t1218.010," +[Msxsl.EXE Execution] +description = Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msxsl.exe" | fields - _raw | collect index=notable_events source="Msxsl.EXE Execution" marker="guid=9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0,tags=attack.defense-evasion,tags=attack.t1220," +[Potential Tampering With Security Products Via WMIC] +description = Detects uninstallation or termination of security products using the WMIC utility +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*wmic*" CommandLine="*product where *" CommandLine="*call*" CommandLine="*uninstall*" CommandLine="*/nointeractive*") OR (CommandLine="*wmic*" CommandLine="*caption like *" CommandLine IN ("*call delete*", "*call terminate*")) OR (CommandLine="*process *" CommandLine="*where *" CommandLine="*delete*") CommandLine IN ("*%carbon%*", "*%cylance%*", "*%endpoint%*", "*%eset%*", "*%malware%*", "*%Sophos%*", "*%symantec%*", "*Antivirus*", "*AVG *", "*Carbon Black*", "*CarbonBlack*", "*Cb Defense Sensor 64-bit*", "*Crowdstrike Sensor*", "*Cylance *", "*Dell Threat Defense*", "*DLP Endpoint*", "*Endpoint Detection*", "*Endpoint Protection*", "*Endpoint Security*", "*Endpoint Sensor*", "*ESET File Security*", "*LogRhythm System Monitor Service*", "*Malwarebytes*", "*McAfee Agent*", "*Microsoft Security Client*", "*Sophos Anti-Virus*", "*Sophos AutoUpdate*", "*Sophos Credential Store*", "*Sophos Management Console*", "*Sophos Management Database*", "*Sophos Management Server*", "*Sophos Remote Management System*", "*Sophos Update Manager*", "*Threat Protection*", "*VirusScan*", "*Webroot SecureAnywhere*", "*Windows Defender*") | fields - _raw | collect index=notable_events source="Potential Tampering With Security Products Via WMIC" marker="guid=847d5ff3-8a31-4737-a970-aeae8fe21765,tags=attack.defense-evasion,tags=attack.t1562.001," +[Uncommon Child Process Of Conhost.EXE] +description = Detects uncommon "conhost" child 
processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\conhost.exe" NOT (Image="*:\\Windows\\System32\\conhost.exe" OR Image!=* OR Image="") NOT etw_provider="SystemTraceProvider-Process" | fields - _raw | collect index=notable_events source="Uncommon Child Process Of Conhost.EXE" marker="guid=7dc2dedd-7603-461a-bc13-15803d132355,tags=attack.defense-evasion,tags=attack.t1202," +[Run Once Task Execution as Configured in Registry] +description = This rule detects the execution of Run Once task as configured in the registry +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\runonce.exe" OR Description="Run Once Wrapper" CommandLine IN ("*/AlternateShellStartup*", "*/r") | fields - _raw | collect index=notable_events source="Run Once Task Execution as Configured in Registry" marker="guid=198effb6-6c98-4d0c-9ea3-451fa143c45c,tags=attack.defense-evasion,tags=attack.t1112," +[Suspicious XOR Encoded PowerShell Command] +description = Detects presence of a potentially xor encoded powershell command +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") OR Description="Windows PowerShell" OR Product="PowerShell Core 6" CommandLine="*bxor*" CommandLine IN ("*ForEach*", "*for(*", "*for *", "*-join *", "*-join'*", "*-join\"*", "*-join`*", "*::Join*", "*[char]*") | fields - _raw | collect index=notable_events source="Suspicious XOR Encoded PowerShell Command" marker="guid=bb780e0c-16cf-4383-8383-1e5471db6cf9,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1059.001,tags=attack.t1140,tags=attack.t1027," +[Execution via stordiag.exe] +description = Detects the use of stordiag.exe to execute schtasks.exe 
systeminfo.exe and fltmc.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\stordiag.exe" Image IN ("*\\schtasks.exe", "*\\systeminfo.exe", "*\\fltmc.exe") NOT (ParentImage IN ("c:\\windows\\system32\\*", "c:\\windows\\syswow64\\*")) | fields - _raw | collect index=notable_events source="Execution via stordiag.exe" marker="guid=961e0abb-1b1e-4c84-a453-aafe56ad0d34,tags=attack.defense-evasion,tags=attack.t1218," +[Remote Access Tool - AnyDesk Silent Installation] +description = Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*--install*" CommandLine="*--start-with-win*" CommandLine="*--silent*" | table CommandLine,ParentCommandLine,CurrentDirectory | fields - _raw | collect index=notable_events source="Remote Access Tool - AnyDesk Silent Installation" marker="guid=114e7f1c-f137-48c8-8f54-3088c24ce4b9,tags=attack.command-and-control,tags=attack.t1219," +[Indirect Command Execution By Program Compatibility Wizard] +description = Detect indirect command execution via Program Compatibility Assistant pcwrun.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\pcwrun.exe" | table ComputerName,User,ParentCommandLine,CommandLine | fields - _raw | collect index=notable_events source="Indirect Command Execution By Program Compatibility Wizard" marker="guid=b97cd4b1-30b8-4a9d-bd72-6293928d52bc,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.execution," +[VMToolsd Suspicious Child Process] +description = Detects suspicious child process creations of VMware Tools process which may indicate persistence setup +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\vmtoolsd.exe" Image IN ("*\\cmd.exe", 
"*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR OriginalFileName IN ("Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe") NOT ((Image="*\\cmd.exe" CommandLine IN ("*\\VMware\\VMware Tools\\poweron-vm-default.bat*", "*\\VMware\\VMware Tools\\poweroff-vm-default.bat*", "*\\VMware\\VMware Tools\\resume-vm-default.bat*", "*\\VMware\\VMware Tools\\suspend-vm-default.bat*")) OR (Image="*\\cmd.exe" CommandLine="") OR (Image="*\\cmd.exe" CommandLine!=*)) | fields - _raw | collect index=notable_events source="VMToolsd Suspicious Child Process" marker="guid=5687f942-867b-4578-ade7-1e341c46e99a,tags=attack.execution,tags=attack.persistence,tags=attack.t1059," +[Remote File Download Via Desktopimgdownldr Utility] +description = Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\desktopimgdownldr.exe" ParentImage="*\\desktopimgdownldr.exe" CommandLine="*/lockscreenurl:http*" | fields - _raw | collect index=notable_events source="Remote File Download Via Desktopimgdownldr Utility" marker="guid=214641c2-c579-4ecb-8427-0cf19df6842e,tags=attack.command-and-control,tags=attack.t1105," +[Powershell Inline Execution From A File] +description = Detects inline execution of PowerShell code from a file +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*iex *", "*Invoke-Expression *", "*Invoke-Command *", "*icm *") CommandLine IN ("*cat *", "*get-content *", "*type *") CommandLine="* -raw*" | fields - _raw | collect index=notable_events source="Powershell Inline Execution From A File" marker="guid=ee218c12-627a-4d27-9e30-d6fb2fe22ed2,tags=attack.execution,tags=attack.t1059.001," +[Arbitrary Binary Execution Using GUP Utility] +description = Detects execution of the Notepad++ updater (gup) to launch other commands or executables +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\gup.exe" Image="*\\explorer.exe" NOT ((Image="*\\explorer.exe" CommandLine="*\\Notepad++\\notepad++.exe*") OR ParentImage="*\\Notepad++\\updater\\*" OR CommandLine!=*) | fields - _raw | collect index=notable_events source="Arbitrary Binary Execution Using GUP Utility" marker="guid=d65aee4d-2292-4cea-b832-83accd6cfa43,tags=attack.execution," +[Hiding Files with Attrib.exe] +description = Detects usage of attrib.exe to hide files from users. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\attrib.exe" OR OriginalFileName="ATTRIB.EXE" CommandLine="* +h *" NOT CommandLine="*\\desktop.ini *" NOT (ParentImage="*\\cmd.exe" CommandLine="+R +H +S +A \\\*.cui" ParentCommandLine="C:\\WINDOWS\\system32\\\*.bat") | fields - _raw | collect index=notable_events source="Hiding Files with Attrib.exe" marker="guid=4281cb20-2994-4580-aa63-c8b86d019934,tags=attack.defense-evasion,tags=attack.t1564.001," +[Potential Amazon SSM Agent Hijacking] +description = Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\amazon-ssm-agent.exe" CommandLine="*-register *" CommandLine="*-code *" CommandLine="*-id *" CommandLine="*-region *" | fields - _raw | collect index=notable_events source="Potential Amazon SSM Agent Hijacking" marker="guid=d20ee2f4-822c-4827-9e15-41500b1fff10,tags=attack.command-and-control,tags=attack.persistence,tags=attack.t1219," +[Renamed Remote Utilities RAT (RURAT) Execution] +description = Detects execution of renamed Remote Utilities (RURAT) via Product PE header field +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="Remote Utilities" NOT (Image IN ("*\\rutserv.exe", "*\\rfusclient.exe")) | fields - _raw | collect index=notable_events source="Renamed Remote Utilities RAT (RURAT) Execution" marker="guid=9ef27c24-4903-4192-881a-3adde7ff92a5,tags=attack.defense-evasion,tags=attack.collection,tags=attack.command-and-control,tags=attack.discovery,tags=attack.s0592," +[Malicious PowerShell Commandlets - ProcessCreation] +description = Detects Commandlet names from well-known PowerShell exploitation frameworks +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Add-Exfiltration*", 
"*Add-Persistence*", "*Add-RegBackdoor*", "*Add-RemoteRegBackdoor*", "*Add-ScrnSaveBackdoor*", "*Check-VM*", "*ConvertTo-Rc4ByteStream*", "*Decrypt-Hash*", "*Disable-ADIDNSNode*", "*Disable-MachineAccount*", "*Do-Exfiltration*", "*Enable-ADIDNSNode*", "*Enable-MachineAccount*", "*Enabled-DuplicateToken*", "*Exploit-Jboss*", "*Export-ADR*", "*Export-ADRCSV*", "*Export-ADRExcel*", "*Export-ADRHTML*", "*Export-ADRJSON*", "*Export-ADRXML*", "*Find-Fruit*", "*Find-GPOLocation*", "*Find-TrustedDocuments*", "*Get-ADIDNS*", "*Get-ApplicationHost*", "*Get-ChromeDump*", "*Get-ClipboardContents*", "*Get-FoxDump*", "*Get-GPPPassword*", "*Get-IndexedItem*", "*Get-KerberosAESKey*", "*Get-Keystrokes*", "*Get-LSASecret*", "*Get-MachineAccountAttribute*", "*Get-MachineAccountCreator*", "*Get-PassHashes*", "*Get-RegAlwaysInstallElevated*", "*Get-RegAutoLogon*", "*Get-RemoteBootKey*", "*Get-RemoteCachedCredential*", "*Get-RemoteLocalAccountHash*", "*Get-RemoteLSAKey*", "*Get-RemoteMachineAccountHash*", "*Get-RemoteNLKMKey*", "*Get-RickAstley*", "*Get-Screenshot*", "*Get-SecurityPackages*", "*Get-ServiceFilePermission*", "*Get-ServicePermission*", "*Get-ServiceUnquoted*", "*Get-SiteListPassword*", "*Get-System*", "*Get-TimedScreenshot*", "*Get-UnattendedInstallFile*", "*Get-Unconstrained*", "*Get-USBKeystrokes*", "*Get-VaultCredential*", "*Get-VulnAutoRun*", "*Get-VulnSchTask*", "*Grant-ADIDNSPermission*", "*Gupt-Backdoor*", "*HTTP-Login*", "*Install-ServiceBinary*", "*Install-SSP*", "*Invoke-ACLScanner*", "*Invoke-ADRecon*", "*Invoke-ADSBackdoor*", "*Invoke-AgentSmith*", "*Invoke-AllChecks*", "*Invoke-ARPScan*", "*Invoke-AzureHound*", "*Invoke-BackdoorLNK*", "*Invoke-BadPotato*", "*Invoke-BetterSafetyKatz*", "*Invoke-BypassUAC*", "*Invoke-Carbuncle*", "*Invoke-Certify*", "*Invoke-ConPtyShell*", "*Invoke-CredentialInjection*", "*Invoke-DAFT*", "*Invoke-DCSync*", "*Invoke-DinvokeKatz*", "*Invoke-DllInjection*", "*Invoke-DNSUpdate*", "*Invoke-DomainPasswordSpray*", 
"*Invoke-DowngradeAccount*", "*Invoke-EgressCheck*", "*Invoke-Eyewitness*", "*Invoke-FakeLogonScreen*", "*Invoke-Farmer*", "*Invoke-Get-RBCD-Threaded*", "*Invoke-Gopher*", "*Invoke-Grouper*", "*Invoke-HandleKatz*", "*Invoke-ImpersonatedProcess*", "*Invoke-ImpersonateSystem*", "*Invoke-InteractiveSystemPowerShell*", "*Invoke-Internalmonologue*", "*Invoke-Inveigh*", "*Invoke-InveighRelay*", "*Invoke-KrbRelay*", "*Invoke-LdapSignCheck*", "*Invoke-Lockless*", "*Invoke-MalSCCM*", "*Invoke-Mimikatz*", "*Invoke-Mimikittenz*", "*Invoke-MITM6*", "*Invoke-NanoDump*", "*Invoke-NetRipper*", "*Invoke-Nightmare*", "*Invoke-NinjaCopy*", "*Invoke-OfficeScrape*", "*Invoke-OxidResolver*", "*Invoke-P0wnedshell*", "*Invoke-Paranoia*", "*Invoke-PortScan*", "*Invoke-PoshRatHttp*", "*Invoke-PostExfil*", "*Invoke-PowerDump*", "*Invoke-PowerShellTCP*", "*Invoke-PowerShellWMI*", "*Invoke-PPLDump*", "*Invoke-PsExec*", "*Invoke-PSInject*", "*Invoke-PsUaCme*", "*Invoke-ReflectivePEInjection*", "*Invoke-ReverseDNSLookup*", "*Invoke-Rubeus*", "*Invoke-RunAs*", "*Invoke-SafetyKatz*", "*Invoke-SauronEye*", "*Invoke-SCShell*", "*Invoke-Seatbelt*", "*Invoke-ServiceAbuse*", "*Invoke-ShadowSpray*", "*Invoke-Sharp*", "*Invoke-Shellcode*", "*Invoke-SMBScanner*", "*Invoke-Snaffler*", "*Invoke-Spoolsample*", "*Invoke-SpraySinglePassword*", "*Invoke-SSHCommand*", "*Invoke-StandIn*", "*Invoke-StickyNotesExtract*", "*Invoke-SystemCommand*", "*Invoke-Tasksbackdoor*", "*Invoke-Tater*", "*Invoke-Thunderfox*", "*Invoke-ThunderStruck*", "*Invoke-TokenManipulation*", "*Invoke-Tokenvator*", "*Invoke-TotalExec*", "*Invoke-UrbanBishop*", "*Invoke-UserHunter*", "*Invoke-VoiceTroll*", "*Invoke-Whisker*", "*Invoke-WinEnum*", "*Invoke-winPEAS*", "*Invoke-WireTap*", "*Invoke-WmiCommand*", "*Invoke-WMIExec*", "*Invoke-WScriptBypassUAC*", "*Invoke-Zerologon*", "*MailRaider*", "*New-ADIDNSNode*", "*New-DNSRecordArray*", "*New-HoneyHash*", "*New-InMemoryModule*", "*New-MachineAccount*", "*New-SOASerialNumberArray*", 
"*Out-Minidump*", "*Port-Scan*", "*PowerBreach*", "*powercat *", "*PowerUp*", "*PowerView*", "*Remove-ADIDNSNode*", "*Remove-MachineAccount*", "*Remove-Update*", "*Rename-ADIDNSNode*", "*Revoke-ADIDNSPermission*", "*Set-ADIDNSNode*", "*Set-MacAttribute*", "*Set-MachineAccountAttribute*", "*Set-Wallpaper*", "*Show-TargetScreen*", "*Start-CaptureServer*", "*Start-Dnscat2*", "*Start-WebcamRecorder*", "*VolumeShadowCopyTools*") | fields - _raw | collect index=notable_events source="Malicious PowerShell Commandlets - ProcessCreation" marker="guid=02030f2f-6199-49ec-b258-ea71b07e03dc,tags=attack.execution,tags=attack.discovery,tags=attack.t1482,tags=attack.t1087,tags=attack.t1087.001,tags=attack.t1087.002,tags=attack.t1069.001,tags=attack.t1069.002,tags=attack.t1069,tags=attack.t1059.001," +[System File Execution Location Anomaly] +description = Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\atbroker.exe", "*\\audiodg.exe", "*\\bcdedit.exe", "*\\bitsadmin.exe", "*\\certreq.exe", "*\\certutil.exe", "*\\cmstp.exe", "*\\conhost.exe", "*\\consent.exe", "*\\cscript.exe", "*\\csrss.exe", "*\\dashost.exe", "*\\defrag.exe", "*\\dfrgui.exe", "*\\dism.exe", "*\\dllhost.exe", "*\\dllhst3g.exe", "*\\dwm.exe", "*\\eventvwr.exe", "*\\logonui.exe", "*\\LsaIso.exe", "*\\lsass.exe", "*\\lsm.exe", "*\\msiexec.exe", "*\\ntoskrnl.exe", "*\\powershell_ise.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\runonce.exe", "*\\RuntimeBroker.exe", "*\\schtasks.exe", "*\\services.exe", "*\\sihost.exe", "*\\smartscreen.exe", "*\\smss.exe", "*\\spoolsv.exe", "*\\svchost.exe", "*\\taskhost.exe", "*\\Taskmgr.exe", "*\\userinit.exe", "*\\wininit.exe", "*\\winlogon.exe", "*\\winver.exe", "*\\wlanext.exe", "*\\wscript.exe", "*\\wsl.exe", "*\\wsmprovhost.exe") NOT (Image IN 
("C:\\$WINDOWS.~BT\\*", "C:\\$WinREAgent\\*", "C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\System32\\*", "C:\\Windows\\SystemTemp\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\uus\\*", "C:\\Windows\\WinSxS\\*") OR Image IN ("C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe") OR (Image="C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux*" Image="*\\wsl.exe")) NOT Image="*\\SystemRoot\\System32\\*" | fields - _raw | collect index=notable_events source="System File Execution Location Anomaly" marker="guid=e4a6b256-3e47-40fc-89d2-7a477edd6915,tags=attack.defense-evasion,tags=attack.t1036," +[UAC Bypass Using Event Viewer RecentViews] +description = Detects the pattern of UAC Bypass using Event Viewer RecentViews +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*\\Event Viewer\\RecentViews*", "*\\EventV~1\\RecentViews*") CommandLine="*>*" | fields - _raw | collect index=notable_events source="UAC Bypass Using Event Viewer RecentViews" marker="guid=30fc8de7-d833-40c4-96b6-28319fbc4f6c,tags=attack.defense-evasion,tags=attack.privilege-escalation," +[Potential PowerShell Obfuscation Via WCHAR] +description = Detects suspicious encoded character syntax often used for defense evasion +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*(WCHAR)0x*" | fields - _raw | collect index=notable_events source="Potential PowerShell Obfuscation Via WCHAR" marker="guid=e312efd0-35a1-407f-8439-b8d434b438a6,tags=attack.execution,tags=attack.t1059.001,tags=attack.defense-evasion,tags=attack.t1027," +[Winrar Compressing Dump Files] +description = Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\rar.exe", "*\\winrar.exe") OR Description="Command line RAR" CommandLine IN ("*.dmp*", "*.dump*", "*.hdmp*") | fields - _raw | collect index=notable_events source="Winrar Compressing Dump Files" marker="guid=1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc,tags=attack.collection,tags=attack.t1560.001," +[HackTool - Certipy Execution] +description = Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Certipy.exe" OR OriginalFileName="Certipy.exe" OR Description="*Certipy*" OR (CommandLine IN ("* auth *", "* find *", "* forge *", "* relay *", "* req *", "* shadow *") CommandLine IN ("* -bloodhound*", "* -ca-pfx *", "* -dc-ip *", "* -kirbi*", "* -old-bloodhound*", "* -pfx *", "* -target*", "* -username *", "* -vulnerable*", "*auth -pfx*", "*shadow auto*", "*shadow list*")) | fields - _raw | collect index=notable_events source="HackTool - Certipy Execution" marker="guid=6938366d-8954-4ddc-baff-c830b3ba8fcd,tags=attack.discovery,tags=attack.credential-access,tags=attack.t1649," +[Potentially Suspicious GoogleUpdate Child Process] +description = Detects potentially suspicious child processes of "GoogleUpdate.exe" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\GoogleUpdate.exe" NOT (Image="*\\Google*" OR Image IN ("*\\setup.exe", "*chrome_updater.exe", "*chrome_installer.exe") OR Image!=*) | fields - _raw | collect index=notable_events source="Potentially Suspicious GoogleUpdate Child Process" marker="guid=84b1ecf9-6eff-4004-bafb-bae5c0e251b2,tags=attack.defense-evasion," +[HackTool - XORDump Execution] +description = Detects suspicious use of XORDump process memory dumping utility +search = 
index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\xordump.exe" OR CommandLine IN ("* -process lsass.exe *", "* -m comsvcs *", "* -m dbghelp *", "* -m dbgcore *") | fields - _raw | collect index=notable_events source="HackTool - XORDump Execution" marker="guid=66e563f9-1cbd-4a22-a957-d8b7c0f44372,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1003.001," +[Control Panel Items] +description = Detects the malicious use of a control panel item +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine="*add*" CommandLine="*CurrentVersion\\Control Panel\\CPLs*") OR (CommandLine="*.cpl" NOT (CommandLine IN ("*\\System32\\*", "*%System%*", "*|C:\\Windows\\system32|*") OR (CommandLine="*regsvr32 *" CommandLine="* /s *" CommandLine="*igfxCPL.cpl*"))) | fields - _raw | collect index=notable_events source="Control Panel Items" marker="guid=0ba863e6-def5-4e50-9cea-4dd8c7dc46a4,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218.002,tags=attack.persistence,tags=attack.t1546," +[Invoke-Obfuscation STDIN+ Launcher] +description = Detects Obfuscated use of stdin to execute PowerShell +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1\ +| regex CommandLine="cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\\"" | fields - _raw | collect index=notable_events source="Invoke-Obfuscation STDIN+ Launcher" marker="guid=6c96fc76-0eb1-11eb-adc1-0242ac120002,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Execution Of Non-Existing File] +description = Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" 
EventID=1 NOT Image="*\\*" NOT (Image!=* OR Image IN ("-", "") OR Image IN ("System", "Registry", "MemCompression", "vmmem") OR CommandLine IN ("Registry", "MemCompression", "vmmem")) | fields - _raw | collect index=notable_events source="Execution Of Non-Existing File" marker="guid=71158e3f-df67-472b-930e-7d287acaa3e1,tags=attack.defense-evasion," +[UAC Bypass Using NTFS Reparse Point - Process] +description = Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="\"C:\\Windows\\system32\\wusa.exe\" /quiet C:\\Users\\*" CommandLine="*\\AppData\\Local\\Temp\\update.msu" IntegrityLevel IN ("High", "System")) OR (ParentCommandLine="\"C:\\Windows\\system32\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\Windows\\system32\\pe386\" /ignorecheck" IntegrityLevel IN ("High", "System") CommandLine="*C:\\Users\\*" CommandLine="*\\AppData\\Local\\Temp\\*" CommandLine="*\\dismhost.exe {*" Image="*\\DismHost.exe") | fields - _raw | collect index=notable_events source="UAC Bypass Using NTFS Reparse Point - Process" marker="guid=39ed3c80-e6a1-431b-9df3-911ac53d08a7,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[PrintBrm ZIP Creation of Extraction] +description = Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\PrintBrm.exe" CommandLine="* -f*" CommandLine="*.zip*" | fields - _raw | collect index=notable_events source="PrintBrm ZIP Creation of Extraction" marker="guid=cafeeba3-01da-4ab4-b6c4-a31b1d9730c7,tags=attack.command-and-control,tags=attack.t1105,tags=attack.defense-evasion,tags=attack.t1564.004," +[Ie4uinit Lolbin Use From Invalid Path] +description = Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ie4uinit.exe" OR OriginalFileName="IE4UINIT.EXE" NOT (CurrentDirectory IN ("c:\\windows\\system32\\", "c:\\windows\\sysWOW64\\") OR CurrentDirectory!=*) | fields - _raw | collect index=notable_events source="Ie4uinit Lolbin Use From Invalid Path" marker="guid=d3bf399f-b0cf-4250-8bb4-dfc192ab81dc,tags=attack.defense-evasion,tags=attack.t1218," +[Suspicious Msiexec Quiet Install From Remote Location] +description = Detects usage of Msiexec.exe to install packages hosted remotely quietly +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msiexec.exe" OR OriginalFileName="msiexec.exe" CommandLine="*-i*" OR CommandLine="*/i*" OR CommandLine="*–i*" OR CommandLine="*—i*" OR CommandLine="*―i*" OR CommandLine="*-package*" OR CommandLine="*/package*" OR CommandLine="*–package*" OR CommandLine="*—package*" OR CommandLine="*―package*" OR CommandLine="*-a*" OR CommandLine="*/a*" OR CommandLine="*–a*" OR CommandLine="*—a*" OR CommandLine="*―a*" OR CommandLine="*-j*" OR CommandLine="*/j*" OR CommandLine="*–j*" OR CommandLine="*—j*" OR CommandLine="*―j*" CommandLine="*-q*" OR CommandLine="*/q*" OR CommandLine="*–q*" OR CommandLine="*—q*" OR CommandLine="*―q*" CommandLine IN ("*http*", "*\\\\*") | fields - _raw | collect 
index=notable_events source="Suspicious Msiexec Quiet Install From Remote Location" marker="guid=8150732a-0c9d-4a99-82b9-9efb9b90c40c,tags=attack.defense-evasion,tags=attack.t1218.007," +[Potentially Suspicious Regsvr32 HTTP IP Pattern] +description = Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regsvr32.exe" OR OriginalFileName="REGSVR32.EXE" CommandLine IN ("* /i:http://1*", "* /i:http://2*", "* /i:http://3*", "* /i:http://4*", "* /i:http://5*", "* /i:http://6*", "* /i:http://7*", "* /i:http://8*", "* /i:http://9*", "* /i:https://1*", "* /i:https://2*", "* /i:https://3*", "* /i:https://4*", "* /i:https://5*", "* /i:https://6*", "* /i:https://7*", "* /i:https://8*", "* /i:https://9*", "* -i:http://1*", "* -i:http://2*", "* -i:http://3*", "* -i:http://4*", "* -i:http://5*", "* -i:http://6*", "* -i:http://7*", "* -i:http://8*", "* -i:http://9*", "* -i:https://1*", "* -i:https://2*", "* -i:https://3*", "* -i:https://4*", "* -i:https://5*", "* -i:https://6*", "* -i:https://7*", "* -i:https://8*", "* -i:https://9*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Regsvr32 HTTP IP Pattern" marker="guid=2dd2c217-bf68-437a-b57c-fe9fd01d5de8,tags=attack.defense-evasion,tags=attack.t1218.010," +[Potentially Suspicious Event Viewer Child Process] +description = Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\eventvwr.exe" NOT (Image IN ("*:\\Windows\\System32\\mmc.exe", "*:\\Windows\\System32\\WerFault.exe", "*:\\Windows\\SysWOW64\\WerFault.exe")) | fields - _raw | collect index=notable_events source="Potentially Suspicious Event Viewer Child Process" 
marker="guid=be344333-921d-4c4d-8bb8-e584cf584780,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,tags=car.2019-04-001," +[Suspicious Modification Of Scheduled Tasks] +description = Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" CommandLine="* /Change *" CommandLine="* /TN *" CommandLine IN ("*\\AppData\\Local\\Temp*", "*\\AppData\\Roaming\\*", "*\\Users\\Public\\*", "*\\WINDOWS\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Temporary Internet*", "*C:\\ProgramData\\*", "*C:\\Perflogs\\*", "*%ProgramData%*", "*%appdata%*", "*%comspec%*", "*%localappdata%*") CommandLine IN ("*regsvr32*", "*rundll32*", "*cmd /c *", "*cmd /k *", "*cmd /r *", "*cmd.exe /c *", "*cmd.exe /k *", "*cmd.exe /r *", "*powershell*", "*mshta*", "*wscript*", "*cscript*", "*certutil*", "*bitsadmin*", "*bash.exe*", "*bash *", "*scrcons*", "*wmic *", "*wmic.exe*", "*forfiles*", "*scriptrunner*", "*hh.exe*", "*hh *") | fields - _raw | collect index=notable_events source="Suspicious Modification Of Scheduled Tasks" marker="guid=1c0e41cd-21bb-4433-9acc-4a2cd6367b9b,tags=attack.execution,tags=attack.t1053.005," +[SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code] +description = Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\SyncAppvPublishingServer.vbs*" CommandLine="*;*" | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="SyncAppvPublishingServer VBS Execute Arbitrary PowerShell 
Code" marker="guid=36475a7d-0f6d-4dce-9b01-6aeb473bbaf1,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1216," +[HackTool - SecurityXploded Execution] +description = Detects the execution of SecurityXploded Tools +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Company="SecurityXploded" OR Image="*PasswordDump.exe" OR OriginalFileName="*PasswordDump.exe" | fields - _raw | collect index=notable_events source="HackTool - SecurityXploded Execution" marker="guid=7679d464-4f74-45e2-9e01-ac66c5eb041a,tags=attack.credential-access,tags=attack.t1555," +[WMIC Remote Command Execution] +description = Detects the execution of WMIC to query information on a remote system +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\WMIC.exe" OR OriginalFileName="wmic.exe" CommandLine="*/node:*" NOT (CommandLine IN ("*/node:127.0.0.1 *", "*/node:localhost *")) | fields - _raw | collect index=notable_events source="WMIC Remote Command Execution" marker="guid=7773b877-5abb-4a3e-b9c9-fd0369b59b00,tags=attack.execution,tags=attack.t1047," +[PUA - AdvancedRun Execution] +description = Detects the execution of AdvancedRun utility +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="AdvancedRun.exe" OR (CommandLine="* /EXEFilename *" CommandLine="* /Run*") OR (CommandLine="* /WindowState 0*" CommandLine="* /RunAs *" CommandLine="* /CommandLine *") | fields - _raw | collect index=notable_events source="PUA - AdvancedRun Execution" marker="guid=d2b749ee-4225-417e-b20e-a8d2193cbb84,tags=attack.execution,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1564.003,tags=attack.t1134.002,tags=attack.t1059.003," +[Suspicious Diantz Alternate Data Stream Execution] +description = Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*diantz.exe*" CommandLine="*.cab*"\ +| regex CommandLine=":[^\\\\]" | fields - _raw | collect index=notable_events source="Suspicious Diantz Alternate Data Stream Execution" marker="guid=6b369ced-4b1d-48f1-b427-fdc0de0790bd,tags=attack.defense-evasion,tags=attack.t1564.004," +[Renamed AutoIt Execution] +description = Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("* /AutoIt3ExecuteScript*", "* /ErrorStdOut*") OR Imphash IN ("fdc554b3a8683918d731685855683ddf", "cd30a61b60b3d60cecdb034c8c83c290", "f8a00c72f2d667d2edbb234d0c0ae000") OR Hashes IN ("*IMPHASH=FDC554B3A8683918D731685855683DDF*", "*IMPHASH=CD30A61B60B3D60CECDB034C8C83C290*", "*IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000*") OR OriginalFileName IN ("AutoIt3.exe", "AutoIt2.exe", "AutoIt.exe") NOT (Image IN ("*\\AutoIt.exe", "*\\AutoIt2.exe", "*\\AutoIt3_x64.exe", "*\\AutoIt3.exe")) | fields - _raw | collect index=notable_events source="Renamed AutoIt Execution" marker="guid=f4264e47-f522-4c38-a420-04525d5b880f,tags=attack.defense-evasion,tags=attack.t1027," +[Regedit as Trusted Installer] +description = Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regedit.exe" ParentImage IN ("*\\TrustedInstaller.exe", "*\\ProcessHacker.exe") | fields - _raw | collect index=notable_events source="Regedit as Trusted 
Installer" marker="guid=883835a7-df45-43e4-bf1d-4268768afda4,tags=attack.privilege-escalation,tags=attack.t1548," +[Microsoft IIS Connection Strings Decryption] +description = Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\aspnet_regiis.exe" OR OriginalFileName="aspnet_regiis.exe" CommandLine="*connectionStrings*" CommandLine="* -pdf*" | fields - _raw | collect index=notable_events source="Microsoft IIS Connection Strings Decryption" marker="guid=97dbf6e2-e436-44d8-abee-4261b24d3e41,tags=attack.credential-access,tags=attack.t1003," +[Suspicious Reg Add BitLocker] +description = Detects suspicious addition to BitLocker related registry keys via the reg.exe utility +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*REG*" CommandLine="*ADD*" CommandLine="*\\SOFTWARE\\Policies\\Microsoft\\FVE*" CommandLine="*/v*" CommandLine="*/f*" CommandLine IN ("*EnableBDEWithNoTPM*", "*UseAdvancedStartup*", "*UseTPM*", "*UseTPMKey*", "*UseTPMKeyPIN*", "*RecoveryKeyMessageSource*", "*UseTPMPIN*", "*RecoveryKeyMessage*") | fields - _raw | collect index=notable_events source="Suspicious Reg Add BitLocker" marker="guid=0e0255bf-2548-47b8-9582-c0955c9283f5,tags=attack.impact,tags=attack.t1486," +[File Download Via InstallUtil.EXE] +description = Detects use of .NET InstallUtil.exe in order to download arbitrary files. 
The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\InstallUtil.exe" OR OriginalFileName="InstallUtil.exe" CommandLine IN ("*ftp://*", "*http://*", "*https://*") | fields - _raw | collect index=notable_events source="File Download Via InstallUtil.EXE" marker="guid=75edd216-1939-4c73-8d61-7f3a0d85b5cc,tags=attack.defense-evasion,tags=attack.t1218," +[Active Directory Structure Export Via Csvde.EXE] +description = Detects the execution of "csvde.exe" in order to export organizational Active Directory structure. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\csvde.exe" OR OriginalFileName="csvde.exe" CommandLine="* -f*" NOT CommandLine="* -i*" | fields - _raw | collect index=notable_events source="Active Directory Structure Export Via Csvde.EXE" marker="guid=e5d36acd-acb4-4c6f-a13f-9eb203d50099,tags=attack.exfiltration,tags=attack.discovery,tags=attack.t1087.002," +[File Download From IP Based URL Via CertOC.EXE] +description = Detects when a user downloads a file from an IP based URL using CertOC.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certoc.exe" OR OriginalFileName="CertOC.exe" CommandLine="*-GetCACAPS*"\ +| regex CommandLine="://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" | fields - _raw | collect index=notable_events source="File Download From IP Based URL Via CertOC.EXE" marker="guid=b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a,tags=attack.command-and-control,tags=attack.execution,tags=attack.t1105," +[Suspicious Windows Update Agent Empty Cmdline] +description = Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 
Image="*\\Wuauclt.exe" OR OriginalFileName="Wuauclt.exe" CommandLine IN ("*Wuauclt", "*Wuauclt.exe") | fields - _raw | collect index=notable_events source="Suspicious Windows Update Agent Empty Cmdline" marker="guid=52d097e2-063e-4c9c-8fbb-855c8948d135,tags=attack.defense-evasion,tags=attack.t1036," +[Elevated System Shell Spawned From Uncommon Parent Location] +description = Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\cmd.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll", "Cmd.Exe") User IN ("*AUTHORI*", "*AUTORI*") LogonId="0x3e7" NOT (ParentImage IN ("*:\\Program Files (x86)\\*", "*:\\Program Files\\*", "*:\\ProgramData\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\Temp\\*", "*:\\Windows\\WinSxS\\*") OR ParentImage!=* OR ParentImage="") NOT ((ParentImage="*:\\ManageEngine\\ADManager Plus\\pgsql\\bin\\postgres.exe" Image="*\\cmd.exe") OR (CommandLine="*:\\WINDOWS\\system32\\cmd.exe /c \"*" CurrentDirectory="*:\\WINDOWS\\Temp\\asgard2-agent\\*") OR (ParentImage="*:\\IBM\\SpectrumProtect\\webserver\\scripts\\*" CommandLine="*:\\IBM\\SpectrumProtect\\webserver\\scripts\\*")) | fields - _raw | collect index=notable_events source="Elevated System Shell Spawned From Uncommon Parent Location" marker="guid=178e615d-e666-498b-9630-9ed363038101,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1059," +[Suspicious PowerShell Invocation From Script Engines] +description = Detects suspicious powershell invocations from interpreters or unusual programs +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\wscript.exe", "*\\cscript.exe") Image IN ("*\\powershell.exe", "*\\pwsh.exe") 
NOT CurrentDirectory="*\\Health Service State\\*" | fields - _raw | collect index=notable_events source="Suspicious PowerShell Invocation From Script Engines" marker="guid=95eadcb2-92e4-4ed1-9031-92547773a6db,tags=attack.execution,tags=attack.t1059.001," +[Invoke-Obfuscation VAR+ Launcher] +description = Detects Obfuscated use of Environment Variables to execute PowerShell +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1\ +| regex CommandLine="cmd.{0,5}(?:/c|/r)(?:\\s|)\\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\\"" | fields - _raw | collect index=notable_events source="Invoke-Obfuscation VAR+ Launcher" marker="guid=27aec9c9-dbb0-4939-8422-1742242471d0,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Renamed PingCastle Binary Execution] +description = Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe") OR CommandLine IN ("*--scanner aclcheck*", "*--scanner antivirus*", "*--scanner computerversion*", "*--scanner foreignusers*", "*--scanner laps_bitlocker*", "*--scanner localadmin*", "*--scanner nullsession*", "*--scanner nullsession-trust*", "*--scanner oxidbindings*", "*--scanner remote*", "*--scanner share*", "*--scanner smb*", "*--scanner smb3querynetwork*", "*--scanner spooler*", "*--scanner startup*", "*--scanner zerologon*") OR CommandLine="*--no-enum-limit*" OR (CommandLine="*--healthcheck*" CommandLine="*--level Full*") OR (CommandLine="*--healthcheck*" CommandLine="*--server *") NOT (Image IN ("*\\PingCastleReporting.exe", "*\\PingCastleCloud.exe", "*\\PingCastle.exe")) | fields - _raw | collect index=notable_events source="Renamed PingCastle Binary Execution" 
marker="guid=2433a154-bb3d-42e4-86c3-a26bdac91c45,tags=attack.execution,tags=attack.t1059,tags=attack.defense-evasion,tags=attack.t1202," +[Suspicious NTLM Authentication on the Printer Spooler Service] +description = Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*C:\\windows\\system32\\davclnt.dll,DavSetCookie*" CommandLine="*http*" CommandLine IN ("*spoolss*", "*srvsvc*", "*/print/pipe/*") | fields - _raw | collect index=notable_events source="Suspicious NTLM Authentication on the Printer Spooler Service" marker="guid=bb76d96b-821c-47cf-944b-7ce377864492,tags=attack.privilege-escalation,tags=attack.credential-access,tags=attack.t1212," +[Potential Homoglyph Attack Using Lookalike Characters] +description = Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*А*", "*В*", "*Е*", "*К*", "*М*", "*Н*", "*О*", "*Р*", "*С*", "*Т*", "*Х*", "*Ѕ*", "*І*", "*Ј*", "*Ү*", "*Ӏ*", "*Ԍ*", "*Ԛ*", "*Ԝ*", "*Α*", "*Β*", "*Ε*", "*Ζ*", "*Η*", "*Ι*", "*Κ*", "*Μ*", "*Ν*", "*Ο*", "*Ρ*", "*Τ*", "*Υ*", "*Χ*") OR CommandLine IN ("*а*", "*е*", "*о*", "*р*", "*с*", "*х*", "*ѕ*", "*і*", "*ӏ*", "*ј*", "*һ*", "*ԁ*", "*ԛ*", "*ԝ*", "*ο*") | fields - _raw | collect index=notable_events source="Potential Homoglyph Attack Using Lookalike Characters" marker="guid=32e280f1-8ad4-46ef-9e80-910657611fbc,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1036.003," +[System Network Connections Discovery Via Net.EXE] +description = Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine IN ("* use", "* sessions") OR CommandLine IN ("* use *", "* sessions *") | fields - _raw | collect index=notable_events source="System Network Connections Discovery Via Net.EXE" marker="guid=1c67a717-32ba-409b-a45d-0fb704a73a81,tags=attack.discovery,tags=attack.t1049," +[HH.EXE Execution] +description = Detects the execution of "hh.exe" to open ".chm" files. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="HH.exe" OR Image="*\\hh.exe" CommandLine="*.chm*" | fields - _raw | collect index=notable_events source="HH.EXE Execution" marker="guid=68c8acb4-1b60-4890-8e82-3ddf7a6dba84,tags=attack.defense-evasion,tags=attack.t1218.001," +[Security Tools Keyword Lookup Via Findstr.EXE] +description = Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\find.exe", "*\\findstr.exe") OR OriginalFileName IN ("FIND.EXE", "FINDSTR.EXE") CommandLine IN ("* avira", "* avira\"", "* cb", "* cb\"", "* cylance", "* cylance\"", "* defender", "* defender\"", "* kaspersky", "* kaspersky\"", "* kes", "* kes\"", "* mc", "* mc\"", "* sec", "* sec\"", "* sentinel", "* sentinel\"", "* symantec", "* symantec\"", "* virus", "* virus\"") | fields - _raw | collect index=notable_events source="Security Tools Keyword Lookup Via Findstr.EXE" marker="guid=4fe074b4-b833-4081-8f24-7dcfeca72b42,tags=attack.discovery,tags=attack.t1518.001," +[Arbitrary File Download Via MSPUB.EXE] +description = Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\MSPUB.exe" OR OriginalFileName="MSPUB.exe" CommandLine IN ("*ftp://*", "*http://*", "*https://*") | fields - _raw | collect index=notable_events source="Arbitrary File Download Via MSPUB.EXE" marker="guid=3b3c7f55-f771-4dd6-8a6e-08d057a17caf,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218," +[PUA - Netcat Suspicious Execution] +description = Detects execution 
of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\nc.exe", "*\\ncat.exe", "*\\netcat.exe") OR CommandLine IN ("* -lvp *", "* -lvnp*", "* -l -v -p *", "* -lv -p *", "* -l --proxy-type http *", "* -vnl --exec *", "* -vnl -e *", "* --lua-exec *", "* --sh-exec *") | fields - _raw | collect index=notable_events source="PUA - Netcat Suspicious Execution" marker="guid=e31033fc-33f0-4020-9a16-faf9b31cbf08,tags=attack.command-and-control,tags=attack.t1095," +[Rar Usage with Password and Compression Level] +description = Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* -hp*" CommandLine IN ("* -m*", "* a *") | fields - _raw | collect index=notable_events source="Rar Usage with Password and Compression Level" marker="guid=faa48cae-6b25-4f00-a094-08947fef582f,tags=attack.collection,tags=attack.t1560.001," +[Shadow Copies Creation Using Operating Systems Utilities] +description = Shadow Copies creation using operating systems utilities, possible credential access +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\wmic.exe", "*\\vssadmin.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE") CommandLine="*shadow*" CommandLine="*create*" | fields - _raw | collect index=notable_events source="Shadow Copies Creation Using Operating Systems Utilities" marker="guid=b17ea6f7-6e90-447e-a799-e6c0a493d6ce,tags=attack.credential-access,tags=attack.t1003,tags=attack.t1003.002,tags=attack.t1003.003," +[DLL 
Execution via Rasautou.exe] +description = Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rasautou.exe" OR OriginalFileName="rasdlui.exe" CommandLine="* -d *" CommandLine="* -p *" | fields - _raw | collect index=notable_events source="DLL Execution via Rasautou.exe" marker="guid=cd3d1298-eb3b-476c-ac67-12847de55813,tags=attack.defense-evasion,tags=attack.t1218," +[Remote Code Execute via Winrm.vbs] +description = Detects an attempt to execute code or create service on remote host via winrm.vbs. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cscript.exe" OR OriginalFileName="cscript.exe" CommandLine="*winrm*" CommandLine="*invoke Create wmicimv2/Win32_*" CommandLine="*-r:http*" | fields - _raw | collect index=notable_events source="Remote Code Execute via Winrm.vbs" marker="guid=9df0dd3a-1a5c-47e3-a2bc-30ed177646a0,tags=attack.defense-evasion,tags=attack.t1216," +[PDQ Deploy Remote Adminstartion Tool Execution] +description = Detect use of PDQ Deploy remote admin tool +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="PDQ Deploy Console" OR Product="PDQ Deploy" OR Company="PDQ.com" OR OriginalFileName="PDQDeployConsole.exe" | fields - _raw | collect index=notable_events source="PDQ Deploy Remote Adminstartion Tool Execution" marker="guid=d679950c-abb7-43a6-80fb-2a480c4fc450,tags=attack.execution,tags=attack.lateral-movement,tags=attack.t1072," +[Potential SquiblyTwo Technique Execution] +description = Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wmic.exe" OR OriginalFileName="wmic.exe" OR 
Imphash IN ("1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C", "9D87C9D67CE724033C0B40CC4CA1B206") OR Hashes IN ("*IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E*", "*IMPHASH=37777A96245A3C74EB217308F3546F4C*", "*IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206*") CommandLine="*format:*" CommandLine="*http*" | fields - _raw | collect index=notable_events source="Potential SquiblyTwo Technique Execution" marker="guid=8d63dadf-b91b-4187-87b6-34a1114577ea,tags=attack.defense-evasion,tags=attack.t1047,tags=attack.t1220,tags=attack.execution,tags=attack.t1059.005,tags=attack.t1059.007," +[New Virtual Smart Card Created Via TpmVscMgr.EXE] +description = Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\tpmvscmgr.exe" OriginalFileName="TpmVscMgr.exe" CommandLine="*create*" | fields - _raw | collect index=notable_events source="New Virtual Smart Card Created Via TpmVscMgr.EXE" marker="guid=c633622e-cab9-4eaa-bb13-66a1d68b3e47,tags=attack.execution," +[Potential SMB Relay Attack Tool Execution] +description = Detects different hacktools used for relay attacks on Windows for privilege escalation +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*PetitPotam*", "*RottenPotato*", "*HotPotato*", "*JuicyPotato*", "*\\just_dce_*", "*Juicy Potato*", "*\\temp\\rot.exe*", "*\\Potato.exe*", "*\\SpoolSample.exe*", "*\\Responder.exe*", "*\\smbrelayx*", "*\\ntlmrelayx*", "*\\LocalPotato*") OR CommandLine IN ("*Invoke-Tater*", "* smbrelay*", "* ntlmrelay*", "*cme smb *", "* /ntlm:NTLMhash *", "*Invoke-PetitPotam*", "*.exe -t * -p *") OR (CommandLine="*.exe -c \"{*" CommandLine="*}\" -z") NOT (Image IN ("*HotPotatoes6*", "*HotPotatoes7*", "*HotPotatoes *")) | fields - _raw | collect index=notable_events source="Potential SMB Relay Attack Tool Execution" 
marker="guid=5589ab4f-a767-433c-961d-c91f3f704db1,tags=attack.execution,tags=attack.t1557.001," +[Suspicious Child Process Of SQL Server] +description = Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\sqlservr.exe" Image IN ("*\\bash.exe", "*\\bitsadmin.exe", "*\\cmd.exe", "*\\netstat.exe", "*\\nltest.exe", "*\\ping.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\sh.exe", "*\\systeminfo.exe", "*\\tasklist.exe", "*\\wsl.exe") NOT (ParentImage="C:\\Program Files\\Microsoft SQL Server\\*" ParentImage="*DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="\"C:\\Windows\\system32\\cmd.exe\" *") | fields - _raw | collect index=notable_events source="Suspicious Child Process Of SQL Server" marker="guid=869b9ca7-9ea2-4a5a-8325-e80e62f75445,tags=attack.t1505.003,tags=attack.t1190,tags=attack.initial-access,tags=attack.persistence,tags=attack.privilege-escalation," +[Suspicious Scheduled Task Creation via Masqueraded XML File] +description = Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. 
This behavior could be indicative of potential defense evasion attempt during persistence +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" OR OriginalFileName="schtasks.exe" CommandLine IN ("*/create*", "*-create*") CommandLine IN ("*/xml*", "*-xml*") NOT (CommandLine="*.xml*" OR IntegrityLevel="System" OR (ParentImage="*\\rundll32.exe" ParentCommandLine="*:\\WINDOWS\\Installer\\MSI*" ParentCommandLine="*.tmp,zzzzInvokeManagedCustomActionOutOfProc*")) NOT (ParentImage IN ("*:\\ProgramData\\OEM\\UpgradeTool\\CareCenter_*\\BUnzip\\Setup_msi.exe", "*:\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe", "*:\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe", "*:\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe", "*:\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe")) | fields - _raw | collect index=notable_events source="Suspicious Scheduled Task Creation via Masqueraded XML File" marker="guid=dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1036.005,tags=attack.t1053.005," +[Terminal Service Process Spawn] +description = Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentCommandLine="*\\svchost.exe*" ParentCommandLine="*termsvcs*" NOT (Image IN ("*\\rdpclip.exe", "*:\\Windows\\System32\\csrss.exe", "*:\\Windows\\System32\\wininit.exe", "*:\\Windows\\System32\\winlogon.exe") OR Image!=*) | fields - _raw | collect index=notable_events source="Terminal Service Process Spawn" marker="guid=1012f107-b8f1-4271-af30-5aed2de89b39,tags=attack.initial-access,tags=attack.t1190,tags=attack.lateral-movement,tags=attack.t1210,tags=car.2013-07-002," +[Suspicious Runscripthelper.exe] +description = Detects 
execution of powershell scripts via Runscripthelper.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Runscripthelper.exe" CommandLine="*surfacecheck*" | table CommandLine | fields - _raw | collect index=notable_events source="Suspicious Runscripthelper.exe" marker="guid=eca49c87-8a75-4f13-9c73-a5a29e845f03,tags=attack.execution,tags=attack.t1059,tags=attack.defense-evasion,tags=attack.t1202," +[Process Access via TrolleyExpress Exclusion] +description = Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*\\TrolleyExpress 7*", "*\\TrolleyExpress 8*", "*\\TrolleyExpress 9*", "*\\TrolleyExpress.exe 7*", "*\\TrolleyExpress.exe 8*", "*\\TrolleyExpress.exe 9*", "*\\TrolleyExpress.exe -ma *") OR (Image="*\\TrolleyExpress.exe" NOT (OriginalFileName="*CtxInstall*" OR OriginalFileName!=*)) | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Process Access via TrolleyExpress Exclusion" marker="guid=4c0aaedc-154c-4427-ada0-d80ef9c9deb6,tags=attack.defense-evasion,tags=attack.t1218.011,tags=attack.credential-access,tags=attack.t1003.001," +[Renamed Sysinternals Sdelete Execution] +description = Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="sdelete.exe" NOT (Image IN ("*\\sdelete.exe", "*\\sdelete64.exe")) | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Renamed Sysinternals Sdelete Execution" marker="guid=c1d867fe-8d95-4487-aab4-e53f2d339f90,tags=attack.impact,tags=attack.t1485," +[File Decoded From Base64/Hex Via 
Certutil.EXE] +description = Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certutil.exe" OR OriginalFileName="CertUtil.exe" CommandLine="*-decode *" OR CommandLine="*/decode *" OR CommandLine="*–decode *" OR CommandLine="*—decode *" OR CommandLine="*―decode *" OR CommandLine="*-decodehex *" OR CommandLine="*/decodehex *" OR CommandLine="*–decodehex *" OR CommandLine="*—decodehex *" OR CommandLine="*―decodehex *" | fields - _raw | collect index=notable_events source="File Decoded From Base64/Hex Via Certutil.EXE" marker="guid=cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7,tags=attack.defense-evasion,tags=attack.t1027," +[PUA - PingCastle Execution] +description = Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Hashes IN ("*MD5=f741f25ac909ee434e50812d436c73ff*", "*MD5=d40acbfc29ee24388262e3d8be16f622*", "*MD5=01bb2c16fadb992fa66228cd02d45c60*", "*MD5=9e1b18e62e42b5444fc55b51e640355b*", "*MD5=b7f8fe33ac471b074ca9e630ba0c7e79*", "*MD5=324579d717c9b9b8e71d0269d13f811f*", "*MD5=63257a1ddaf83cfa43fe24a3bc06c207*", "*MD5=049e85963826b059c9bac273bb9c82ab*", "*MD5=ecb98b7b4d4427eb8221381154ff4cb2*", "*MD5=faf87749ac790ec3a10dd069d10f9d63*", "*MD5=f296dba5d21ad18e6990b1992aea8f83*", "*MD5=93ba94355e794b6c6f98204cf39f7a11*", "*MD5=a258ef593ac63155523a461ecc73bdba*", "*MD5=97000eb5d1653f1140ee3f47186463c4*", "*MD5=95eb317fbbe14a82bd9fdf31c48b8d93*", "*MD5=32fe9f0d2630ac40ea29023920f20f49*", "*MD5=a05930dde939cfd02677fc18bb2b7df5*", "*MD5=124283924e86933ff9054a549d3a268b*", "*MD5=ceda6909b8573fdeb0351c6920225686*", "*MD5=60ce120040f2cd311c810ae6f6bbc182*", "*MD5=2f10cdc5b09100a260703a28eadd0ceb*", "*MD5=011d967028e797a4c16d547f7ba1463f*", "*MD5=2da9152c0970500c697c1c9b4a9e0360*", "*MD5=b5ba72034b8f44d431f55275bace9f8b*", "*MD5=d6ed9101df0f24e27ff92ddab42dacca*", "*MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d*", "*MD5=5e083cd0143ae95a6cb79b68c07ca573*", "*MD5=28caff93748cb84be70486e79f04c2df*", "*MD5=9d4f12c30f9b500f896efd1800e4dd11*", "*MD5=4586f7dd14271ad65a5fb696b393f4c0*", "*MD5=86ba9dddbdf49215145b5bcd081d4011*", "*MD5=9dce0a481343874ef9a36c9a825ef991*", "*MD5=85890f62e231ad964b1fda7a674747ec*", "*MD5=599be548da6441d7fe3e9a1bb8cb0833*", "*MD5=9b0c7fd5763f66e9b8c7b457fce53f96*", "*MD5=32d45718164205aec3e98e0223717d1d*", "*MD5=6ff5f373ee7f794cd17db50704d00ddb*", "*MD5=88efbdf41f0650f8f58a3053b0ca0459*", "*MD5=ef915f61f861d1fb7cbde9afd2e7bd93*", "*MD5=781fa16511a595757154b4304d2dd350*", "*MD5=5018ec39be0e296f4fc8c8575bfa8486*", "*MD5=f4a84d6f1caf0875b50135423d04139f*", "*SHA1=9c1431801fa6342ed68f047842b9a11778fc669b*", "*SHA1=c36c862f40dad78cb065197aad15fef690c262f2*", 
"*SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d*", "*SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f*", "*SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa*", "*SHA1=f14c9633040897d375e3069fddc71e859f283778*", "*SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc*", "*SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937*", "*SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36*", "*SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b*", "*SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc*", "*SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11*", "*SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995*", "*SHA1=607e1fa810c799735221a609af3bfc405728c02d*", "*SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3*", "*SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a*", "*SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491*", "*SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178*", "*SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4*", "*SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84*", "*SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea*", "*SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17*", "*SHA1=81d67b3d70c4e855cb11a453cc32997517708362*", "*SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad*", "*SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2*", "*SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92*", "*SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1*", "*SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a*", "*SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db*", "*SHA1=3150f14508ee4cae19cf09083499d1cda8426540*", "*SHA1=036ad9876fa552b1298c040e233d620ea44689c6*", "*SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5*", "*SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c*", "*SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d*", "*SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4*", "*SHA1=c82152cddf9e5df49094686531872ecd545976db*", "*SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61*", "*SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836*", "*SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719*", "*SHA1=34c0c5839af1c92bce7562b91418443a2044c90d*", "*SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08*", 
"*SHA1=3a515551814775df0ccbe09f219bc972eae45a10*", "*SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b*", "*SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85*", "*SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03*", "*SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795*", "*SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f*", "*SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a*", "*SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275*", "*SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b*", "*SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2*", "*SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae*", "*SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6*", "*SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a*", "*SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1*", "*SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559*", "*SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2*", "*SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef*", "*SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d*", "*SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524*", "*SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b*", "*SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b*", "*SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629*", "*SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358*", "*SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca*", "*SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea*", "*SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172*", 
"*SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4*", "*SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2*", "*SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66*", "*SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27*", "*SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41*", "*SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1*", "*SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0*", "*SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8*", "*SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d*", "*SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726*", "*SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90*", "*SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5*", "*SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140*", "*SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87*", "*SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892*", "*SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054*", "*SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd*") OR Image="*\\PingCastle.exe" OR OriginalFileName="PingCastle.exe" OR Product="Ping Castle" OR CommandLine IN ("*--scanner aclcheck*", "*--scanner antivirus*", "*--scanner computerversion*", "*--scanner foreignusers*", "*--scanner laps_bitlocker*", "*--scanner localadmin*", "*--scanner nullsession*", "*--scanner nullsession-trust*", "*--scanner oxidbindings*", "*--scanner remote*", "*--scanner share*", "*--scanner smb*", "*--scanner smb3querynetwork*", "*--scanner spooler*", "*--scanner startup*", "*--scanner zerologon*") OR CommandLine="*--no-enum-limit*" OR (CommandLine="*--healthcheck*" CommandLine="*--level Full*") OR (CommandLine="*--healthcheck*" CommandLine="*--server *") | 
fields - _raw | collect index=notable_events source="PUA - PingCastle Execution" marker="guid=b1cb4ab6-ac31-43f4-adf1-d9d08957419c,tags=attack.reconnaissance,tags=attack.t1595,"
+[Use Short Name Path in Image]
+description = Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*~1\\*", "*~2\\*") NOT (ParentImage IN ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe") OR ParentImage IN ("*\\WebEx\\WebexHost.exe", "*\\thor\\thor64.exe") OR Product="InstallShield (R)" OR Description="InstallShield (R) Setup Engine" OR Company="InstallShield Software Corporation" OR (Image="*\\AppData\\*" Image="*\\Temp\\*") OR Image IN ("*~1\\unzip.exe", "*~1\\7zG.exe")) | fields - _raw | collect index=notable_events source="Use Short Name Path in Image" marker="guid=a96970af-f126-420d-90e1-d37bf25e50e1,tags=attack.defense-evasion,tags=attack.t1564.004,"
+[Suspicious PowerShell Encoded Command Patterns]
+description = Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.Exe", "pwsh.dll") CommandLine IN ("* -e *", "* -en *", "* -enc *", "* -enco*") CommandLine IN ("* JAB*", "* SUVYI*", "* SQBFAFgA*", "* aWV4I*", "* IAB*", "* PAA*", "* aQBlAHgA*") NOT (ParentImage IN ("*C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\*", "*\\gc_worker.exe*")) | fields - _raw | collect index=notable_events source="Suspicious PowerShell Encoded Command Patterns" marker="guid=b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c,tags=attack.execution,tags=attack.t1059.001,"
+[Phishing Pattern ISO in Archive]
+description = Detects cases in which an ISO files is opend
within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\Winrar.exe", "*\\7zFM.exe", "*\\peazip.exe") Image IN ("*\\isoburn.exe", "*\\PowerISO.exe", "*\\ImgBurn.exe") | fields - _raw | collect index=notable_events source="Phishing Pattern ISO in Archive" marker="guid=fcdf69e5-a3d3-452a-9724-26f2308bf2b1,tags=attack.initial-access,tags=attack.t1566,"
+[Writing Of Malicious Files To The Fonts Folder]
+description = Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*echo*", "*copy*", "*type*", "*file createnew*", "*cacls*") CommandLine="*C:\\Windows\\Fonts\\*" CommandLine IN ("*.sh*", "*.exe*", "*.dll*", "*.bin*", "*.bat*", "*.cmd*", "*.js*", "*.msh*", "*.reg*", "*.scr*", "*.ps*", "*.vb*", "*.jar*", "*.pl*", "*.inf*", "*.cpl*", "*.hta*", "*.msi*", "*.vbs*") | fields - _raw | collect index=notable_events source="Writing Of Malicious Files To The Fonts Folder" marker="guid=ae9b0bd7-8888-4606-b444-0ed7410cb728,tags=attack.t1211,tags=attack.t1059,tags=attack.defense-evasion,tags=attack.persistence,"
+[HackTool - PurpleSharp Execution]
+description = Detects the execution of the PurpleSharp adversary simulation tool
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\purplesharp*" OR OriginalFileName="PurpleSharp.exe" OR CommandLine IN ("*xyz123456.exe*", "*PurpleSharp*") | fields - _raw | collect index=notable_events source="HackTool - PurpleSharp Execution"
marker="guid=ff23ffbc-3378-435e-992f-0624dcf93ab4,tags=attack.t1587,tags=attack.resource-development,"
+[HackTool - CoercedPotato Execution]
+description = Detects the use of CoercedPotato, a tool for privilege escalation
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\CoercedPotato.exe" OR CommandLine="* --exploitId *" OR Imphash IN ("a75d7669db6b2e107a44c4057ff7f7d6", "f91624350e2c678c5dcbe5e1f24e22c9", "14c81850a079a87e83d50ca41c709a15") OR Hashes IN ("*IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6*", "*IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9*", "*IMPHASH=14C81850A079A87E83D50CA41C709A15*") | fields - _raw | collect index=notable_events source="HackTool - CoercedPotato Execution" marker="guid=e8d34729-86a4-4140-adfd-0a29c2106307,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1055,"
+[REGISTER_APP.VBS Proxy Execution]
+description = Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\register_app.vbs*" CommandLine="*-register*" | fields - _raw | collect index=notable_events source="REGISTER_APP.VBS Proxy Execution" marker="guid=1c8774a0-44d4-4db0-91f8-e792359c70bd,tags=attack.defense-evasion,tags=attack.t1218,"
+[Suspicious Extexport Execution]
+description = Extexport.exe loads dll and is execute from other folder the original path
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*Extexport.exe*" OR Image="*\\Extexport.exe" OR OriginalFileName="extexport.exe" | fields - _raw | collect index=notable_events source="Suspicious Extexport Execution" marker="guid=fb0b815b-f5f6-4f50-970f-ffe21f253f7a,tags=attack.defense-evasion,tags=attack.t1218,"
+[Arbitrary File Download Via ConfigSecurityPolicy.EXE]
+description = Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*ConfigSecurityPolicy.exe*" OR Image="*\\ConfigSecurityPolicy.exe" OR OriginalFileName="ConfigSecurityPolicy.exe" CommandLine IN ("*ftp://*", "*http://*", "*https://*") | fields - _raw | collect index=notable_events source="Arbitrary File Download Via ConfigSecurityPolicy.EXE" marker="guid=1f0f6176-6482-4027-b151-00071af39d7e,tags=attack.exfiltration,tags=attack.t1567,"
+[HackTool - SILENTTRINITY Stager Execution]
+description = Detects SILENTTRINITY stager use via PE metadata
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="*st2stager*" | fields - _raw | collect index=notable_events source="HackTool - SILENTTRINITY Stager Execution" marker="guid=03552375-cc2c-4883-bbe4-7958d5a980be,tags=attack.command-and-control,tags=attack.t1071,"
+[HackTool - Dumpert Process Dumper Execution]
+description = Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Hashes="*09D278F9DE118EF09163C6140255C690*" OR CommandLine="*Dumpert.dll*" | fields - _raw | collect index=notable_events source="HackTool - Dumpert Process Dumper Execution" marker="guid=2704ab9e-afe2-4854-a3b1-0c0706d03578,tags=attack.credential-access,tags=attack.t1003.001,"
+[New Service Creation Using PowerShell]
+description = Detects the creation of a new service using powershell.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*New-Service*" CommandLine="*-BinaryPathName*" | fields - _raw | collect index=notable_events source="New Service Creation Using PowerShell" marker="guid=c02e96b7-c63a-4c47-bd83-4a9f74afcfb2,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1543.003,"
+[IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI]
+description = Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults*" CommandLine="*http*" CommandLine="* 0*" | fields - _raw | collect index=notable_events source="IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI" marker="guid=10344bb3-7f65-46c2-b915-2d00d47be5b0,tags=attack.execution,tags=attack.defense-evasion,"
+[PUA - Mouse Lock Execution]
+description = In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="*Mouse Lock*" OR Company="*Misc314*" OR CommandLine="*Mouse Lock_*" | table Product,Company,CommandLine | fields - _raw | collect index=notable_events source="PUA - Mouse Lock Execution" marker="guid=c9192ad9-75e5-43eb-8647-82a0a5b493e3,tags=attack.credential-access,tags=attack.collection,tags=attack.t1056.002,"
+[New Kernel Driver Via SC.EXE]
+description = Detects creation of a new service (kernel driver) with the type "kernel"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sc.exe" CommandLine IN ("*create*", "*config*") CommandLine="*binPath*" CommandLine="*type*" CommandLine="*kernel*" | fields - _raw | collect index=notable_events source="New Kernel Driver Via SC.EXE" marker="guid=431a1fdb-4799-4f3b-91c3-a683b003fc49,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1543.003,"
+[LOL-Binary Copied From System Directory]
+description = Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\cmd.exe" CommandLine="*copy *") OR (Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("*copy-item*", "* copy *", "*cpi *", "* cp *")) OR Image IN ("*\\robocopy.exe", "*\\xcopy.exe") OR OriginalFileName IN ("robocopy.exe", "XCOPY.EXE") CommandLine IN ("*\\System32*", "*\\SysWOW64*", "*\\WinSxS*") CommandLine IN ("*\\bitsadmin.exe*", "*\\calc.exe*", "*\\certutil.exe*", "*\\cmdl32.exe*", "*\\cscript.exe*", "*\\mshta.exe*", "*\\rundll32.exe*", "*\\wscript.exe*") | fields - _raw | collect index=notable_events source="LOL-Binary Copied From System Directory" marker="guid=f5d19838-41b5-476c-98d8-ba8af4929ee2,tags=attack.defense-evasion,tags=attack.t1036.003,"
+[Suspicious Double Extension File Execution]
+description = Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*.doc.exe", "*.docx.exe", "*.xls.exe", "*.xlsx.exe", "*.ppt.exe", "*.pptx.exe", "*.rtf.exe", "*.pdf.exe", "*.txt.exe", "* .exe", "*______.exe", "*.doc.js", "*.docx.js", "*.xls.js", "*.xlsx.js", "*.ppt.js", "*.pptx.js", "*.rtf.js", "*.pdf.js", "*.txt.js") CommandLine IN ("*.doc.exe*", "*.docx.exe*", "*.xls.exe*", "*.xlsx.exe*", "*.ppt.exe*", "*.pptx.exe*", "*.rtf.exe*", "*.pdf.exe*", "*.txt.exe*", "* .exe*", "*______.exe*", "*.doc.js*", "*.docx.js*", "*.xls.js*", "*.xlsx.js*", "*.ppt.js*", "*.pptx.js*", "*.rtf.js*", "*.pdf.js*", "*.txt.js*") | fields - _raw | collect index=notable_events source="Suspicious Double Extension File Execution" marker="guid=1cdd9a09-06c9-4769-99ff-626e2b3991b8,tags=attack.initial-access,tags=attack.t1566.001,"
+[Suspicious Child Process Created as System]
+description = Detection of child processes spawned with SYSTEM
privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentUser IN ("*AUTHORI*", "*AUTORI*") ParentUser IN ("*\\NETWORK SERVICE", "*\\LOCAL SERVICE") User IN ("*AUTHORI*", "*AUTORI*") User IN ("*\\SYSTEM", "*\\Système", "*\\СИСТЕМА") IntegrityLevel="System" NOT (Image="*\\rundll32.exe" CommandLine="*DavSetCookie*") | fields - _raw | collect index=notable_events source="Suspicious Child Process Created as System" marker="guid=590a5f4c-6c8c-4f10-8307-89afe9453a9d,tags=attack.privilege-escalation,tags=attack.t1134.002,"
+[PowerShell Download Pattern]
+description = Detects a Powershell process that contains download commands in its command line string
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine="*new-object*" CommandLine="*net.webclient).*" CommandLine="*download*" CommandLine IN ("*string(*", "*file(*") | fields - _raw | collect index=notable_events source="PowerShell Download Pattern" marker="guid=3b6ab547-8ec2-4991-b9d2-2b06702a48d7,tags=attack.execution,tags=attack.t1059.001,"
+[Monitoring For Persistence Via BITS]
+description = BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\bitsadmin.exe" OR OriginalFileName="bitsadmin.exe" (CommandLine="*/SetNotifyCmdLine*" CommandLine IN ("*%COMSPEC%*", "*cmd.exe*", "*regsvr32.exe*")) OR (CommandLine="*/Addfile*" CommandLine IN ("*http:*", "*https:*", "*ftp:*", "*ftps:*")) | fields - _raw | collect index=notable_events source="Monitoring For Persistence Via BITS" marker="guid=b9cbbc17-d00d-4e3d-a827-b06d03d2380d,tags=attack.defense-evasion,tags=attack.t1197,"
+[File Recovery From Backup Via Wbadmin.EXE]
+description = Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wbadmin.exe" OR OriginalFileName="WBADMIN.EXE" CommandLine="* recovery*" CommandLine="*recoveryTarget*" CommandLine="*itemtype:File*" | fields - _raw | collect index=notable_events source="File Recovery From Backup Via Wbadmin.EXE" marker="guid=6fe4aa1e-0531-4510-8be2-782154b73b48,tags=attack.impact,tags=attack.t1490,"
+[ImagingDevices Unusual Parent/Child Processes]
+description = Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (ParentImage IN ("*\\WmiPrvSE.exe", "*\\svchost.exe", "*\\dllhost.exe") Image="*\\ImagingDevices.exe") OR ParentImage="*\\ImagingDevices.exe" | fields - _raw | collect index=notable_events source="ImagingDevices Unusual Parent/Child Processes" marker="guid=f11f2808-adb4-46c0-802a-8660db50fa99,tags=attack.defense-evasion,tags=attack.execution,"
+[Unusual Child Process of dns.exe]
+description = Detects an unexpected process spawning from dns.exe which may indicate activity
related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\dns.exe" NOT Image="*\\conhost.exe" | fields - _raw | collect index=notable_events source="Unusual Child Process of dns.exe" marker="guid=a4e3d776-f12e-42c2-8510-9e6ed1f43ec3,tags=attack.initial-access,tags=attack.t1133,"
+[CobaltStrike Load by Rundll32]
+description = Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" OR CommandLine IN ("*rundll32.exe*", "*rundll32 *") CommandLine="*.dll*" CommandLine IN ("* StartW", "*,StartW") | fields - _raw | collect index=notable_events source="CobaltStrike Load by Rundll32" marker="guid=ae9c6a7c-9521-42a6-915e-5aaa8689d529,tags=attack.defense-evasion,tags=attack.t1218.011,"
+[Fsutil Behavior Set SymlinkEvaluation]
+description = A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\fsutil.exe" OR OriginalFileName="fsutil.exe" CommandLine="*behavior *" CommandLine="*set *" CommandLine="*SymlinkEvaluation*" | fields - _raw | collect index=notable_events source="Fsutil Behavior Set SymlinkEvaluation" marker="guid=c0b2768a-dd06-4671-8339-b16ca8d1f27f,tags=attack.execution,tags=attack.t1059,"
+[WSL Child Process Anomaly]
+description = Detects uncommon or suspicious child processes spawning from a WSL process.
This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\wsl.exe", "*\\wslhost.exe") Image IN ("*\\calc.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR Image IN ("*\\AppData\\Local\\Temp\\*", "*C:\\Users\\Public\\*", "*C:\\Windows\\Temp\\*", "*C:\\Temp\\*", "*\\Downloads\\*", "*\\Desktop\\*") | fields - _raw | collect index=notable_events source="WSL Child Process Anomaly" marker="guid=2267fe65-0681-42ad-9a6d-46553d3f3480,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1202,"
+[Renamed SysInternals DebugView Execution]
+description = Detects suspicious renamed SysInternals DebugView execution
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="Sysinternals DebugView" NOT (OriginalFileName="Dbgview.exe" Image="*\\Dbgview.exe") | fields - _raw | collect index=notable_events source="Renamed SysInternals DebugView Execution" marker="guid=cd764533-2e07-40d6-a718-cfeec7f2da7f,tags=attack.resource-development,tags=attack.t1588.002,"
+[Use of OpenConsole]
+description = Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="OpenConsole.exe" OR Image="*\\OpenConsole.exe" NOT Image="C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal*" | fields - _raw | collect index=notable_events source="Use of OpenConsole" marker="guid=814c95cc-8192-4378-a70a-f1aafd877af1,tags=attack.execution,tags=attack.t1059,"
+[WMI Backdoor Exchange Transport Agent]
+description = Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
+search
= index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\EdgeTransport.exe" NOT (Image="C:\\Windows\\System32\\conhost.exe" OR (Image="C:\\Program Files\\Microsoft\\Exchange Server\\*" Image="*\\Bin\\OleConverter.exe")) | fields - _raw | collect index=notable_events source="WMI Backdoor Exchange Transport Agent" marker="guid=797011dc-44f4-4e6f-9f10-a8ceefbe566b,tags=attack.persistence,tags=attack.t1546.003,"
+[Arbitrary File Download Via MSOHTMED.EXE]
+description = Detects usage of "MSOHTMED" to download arbitrary files
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\MSOHTMED.exe" OR OriginalFileName="MsoHtmEd.exe" CommandLine IN ("*ftp://*", "*http://*", "*https://*") | fields - _raw | collect index=notable_events source="Arbitrary File Download Via MSOHTMED.EXE" marker="guid=459f2f98-397b-4a4a-9f47-6a5ec2f1c69d,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218,"
+[Potential Product Reconnaissance Via Wmic.EXE]
+description = Detects the execution of WMIC in order to get a list of firewall and antivirus products
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wmic.exe" OR OriginalFileName="wmic.exe" CommandLine="*Product*" | fields - _raw | collect index=notable_events source="Potential Product Reconnaissance Via Wmic.EXE" marker="guid=15434e33-5027-4914-88d5-3d4145ec25a9,tags=attack.execution,tags=attack.t1047,"
+[7Zip Compressing Dump Files]
+description = Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="*7-Zip*" OR Image IN ("*\\7z.exe", "*\\7zr.exe", "*\\7za.exe") OR OriginalFileName IN ("7z.exe", "7za.exe") CommandLine IN ("*.dmp*", "*.dump*", "*.hdmp*") | fields - _raw | collect index=notable_events source="7Zip Compressing Dump Files" marker="guid=ec570e53-4c76-45a9-804d-dc3f355ff7a7,tags=attack.collection,tags=attack.t1560.001,"
+[Potential Dropper Script Execution Via WScript/CScript]
+description = Detects wscript/cscript executions of scripts located in user directories
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\wscript.exe", "*\\cscript.exe") CommandLine IN ("*:\\Temp\\*", "*:\\Tmp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*") CommandLine IN ("*.js*", "*.jse*", "*.vba*", "*.vbe*", "*.vbs*", "*.wsf*") | fields - _raw | collect index=notable_events source="Potential Dropper Script Execution Via WScript/CScript" marker="guid=cea72823-df4d-4567-950c-0b579eaf0846,tags=attack.execution,tags=attack.t1059.005,tags=attack.t1059.007,"
+[Audit Policy Tampering Via Auditpol]
+description = Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\auditpol.exe" OR OriginalFileName="AUDITPOL.EXE" CommandLine IN ("*disable*", "*clear*", "*remove*", "*restore*") | fields - _raw | collect index=notable_events source="Audit Policy Tampering Via Auditpol" marker="guid=0a13e132-651d-11eb-ae93-0242ac130002,tags=attack.defense-evasion,tags=attack.t1562.002,"
+[Execute From Alternate Data Streams]
+description = Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*txt:*" (CommandLine="*type *" CommandLine="* > *") OR (CommandLine="*makecab *" CommandLine="*.cab*") OR (CommandLine="*reg *" CommandLine="* export *") OR (CommandLine="*regedit *" CommandLine="* /E *") OR (CommandLine="*esentutl *" CommandLine="* /y *" CommandLine="* /d *" CommandLine="* /o *") | fields - _raw | collect index=notable_events source="Execute From Alternate Data Streams" marker="guid=7f43c430-5001-4f8b-aaa9-c3b88f18fa5c,tags=attack.defense-evasion,tags=attack.t1564.004,"
+[Potential Memory Dumping Activity Via LiveKD]
+description = Detects execution of LiveKD based on PE metadata or image name
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\livekd.exe", "*\\livekd64.exe") OR OriginalFileName="livekd.exe" | fields - _raw | collect index=notable_events source="Potential Memory Dumping Activity Via LiveKD" marker="guid=a85f7765-698a-4088-afa0-ecfbf8d01fa4,tags=attack.defense-evasion,"
+[File Download Via Windows Defender MpCmpRun.EXE]
+description = Detects the use of Windows Defender MpCmdRun.EXE to download files
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="MpCmdRun.exe" OR
Image="*\\MpCmdRun.exe" OR CommandLine="*MpCmdRun.exe*" OR Description="Microsoft Malware Protection Command Line Utility" CommandLine="*DownloadFile*" CommandLine="*url*" | fields - _raw | collect index=notable_events source="File Download Via Windows Defender MpCmpRun.EXE" marker="guid=46123129-1024-423e-9fae-43af4a0fa9a5,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.command-and-control,tags=attack.t1105,"
+[WebDav Client Execution Via Rundll32.EXE]
+description = Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\svchost.exe" Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*C:\\windows\\system32\\davclnt.dll,DavSetCookie*" | fields - _raw | collect index=notable_events source="WebDav Client Execution Via Rundll32.EXE" marker="guid=2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5,tags=attack.exfiltration,tags=attack.t1048.003,"
+[Potential PowerShell Execution Policy Tampering - ProcCreation]
+description = Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy*", "*\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy*") CommandLine IN ("*Bypass*", "*RemoteSigned*", "*Unrestricted*") | fields - _raw | collect index=notable_events source="Potential PowerShell Execution Policy Tampering - ProcCreation" marker="guid=cf2e938e-9a3e-4fe8-a347-411642b28a9f,tags=attack.defense-evasion,"
+[HackTool - winPEAS Execution]
+description = WinPEAS is a script that search for possible paths to escalate
privileges on Windows hosts. The checks are explained on book.hacktricks.xyz +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="winPEAS.exe" OR Image IN ("*\\winPEASany_ofs.exe", "*\\winPEASany.exe", "*\\winPEASx64_ofs.exe", "*\\winPEASx64.exe", "*\\winPEASx86_ofs.exe", "*\\winPEASx86.exe") OR CommandLine IN ("* applicationsinfo*", "* browserinfo*", "* eventsinfo*", "* fileanalysis*", "* filesinfo*", "* processinfo*", "* servicesinfo*", "* windowscreds*") OR CommandLine="*https://github.com/carlospolop/PEASS-ng/releases/latest/download/*" OR ParentCommandLine="* -linpeas" OR CommandLine="* -linpeas" | fields - _raw | collect index=notable_events source="HackTool - winPEAS Execution" marker="guid=98b53e78-ebaf-46f8-be06-421aafd176d9,tags=attack.privilege-escalation,tags=attack.t1082,tags=attack.t1087,tags=attack.t1046," +[File Deletion Via Del] +description = Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine IN ("*del *", "*erase *") CommandLine="* -f*" OR CommandLine="* /f*" OR CommandLine="* –f*" OR CommandLine="* —f*" OR CommandLine="* ―f*" OR CommandLine="* -s*" OR CommandLine="* /s*" OR CommandLine="* –s*" OR CommandLine="* —s*" OR CommandLine="* ―s*" OR CommandLine="* -q*" OR CommandLine="* /q*" OR CommandLine="* –q*" OR CommandLine="* —q*" OR CommandLine="* ―q*" | fields - _raw | collect index=notable_events source="File Deletion Via Del" marker="guid=379fa130-190e-4c3f-b7bc-6c8e834485f3,tags=attack.defense-evasion,tags=attack.t1070.004,"
+[Rundll32 UNC Path Execution]
+description = Detects rundll32 execution where the DLL is located on a remote location (share)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" OR CommandLine="*rundll32*" CommandLine="* \\\\*" | fields - _raw | collect index=notable_events source="Rundll32 UNC Path Execution" marker="guid=5cdb711b-5740-4fb2-ba88-f7945027afac,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1021.002,tags=attack.t1218.011,"
+[Suspicious PowerShell Mailbox Export to Share]
+description = Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*New-MailboxExportRequest*" CommandLine="* -Mailbox *" CommandLine="* -FilePath \\\\*" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious PowerShell Mailbox Export to Share" marker="guid=889719ef-dd62-43df-86c3-768fb08dc7c0,tags=attack.exfiltration,"
+[Php Inline Command Execution]
+description = Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\php.exe" OR OriginalFileName="php.exe" CommandLine="* -r*" | fields - _raw | collect index=notable_events source="Php Inline Command Execution" marker="guid=d81871ef-5738-47ab-9797-7a9c90cd4bfb,tags=attack.execution,tags=attack.t1059,"
+[Suspicious Group And Account Reconnaissance Activity Using Net.EXE]
+description = Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") (CommandLine IN ("* group *", "* localgroup *") CommandLine IN ("*domain admins*", "* administrator*", "* administrateur*", "*enterprise admins*", "*Exchange Trusted Subsystem*", "*Remote Desktop Users*", "*Utilisateurs du Bureau à distance*", "*Usuarios de escritorio remoto*", "* /do*") NOT CommandLine="* /add*") OR (CommandLine="* accounts *" CommandLine="* /do*") | fields - _raw | collect index=notable_events source="Suspicious Group And Account Reconnaissance Activity Using Net.EXE" marker="guid=d95de845-b83c-4a9a-8a6a-4fc802ebf6c0,tags=attack.discovery,tags=attack.t1087.001,tags=attack.t1087.002,"
+[UAC Bypass Using IDiagnostic Profile]
+description = Detects the "IDiagnosticProfileUAC" UAC bypass technique
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\DllHost.exe" ParentCommandLine="* /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}*" IntegrityLevel IN ("High", "System") | fields - _raw | collect index=notable_events source="UAC Bypass Using IDiagnostic Profile" marker="guid=4cbef972-f347-4170-b62a-8253f6168e6d,tags=attack.execution,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,"
+[Scheduled Task Executing Payload from Registry]
+description = Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" OR OriginalFileName="schtasks.exe" CommandLine="*/Create*" CommandLine IN ("*Get-ItemProperty*", "* gp *") CommandLine IN ("*HKCU:*", "*HKLM:*", "*registry::*", "*HKEY_*") NOT (CommandLine IN ("*FromBase64String*", "*encodedcommand*")) | fields - _raw | collect index=notable_events source="Scheduled Task Executing Payload from Registry" marker="guid=86588b36-c6d3-465f-9cee-8f9093e07798,tags=attack.execution,tags=attack.persistence,tags=attack.t1053.005,tags=attack.t1059.001,"
+[Taskkill Symantec Endpoint Protection]
+description = Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*taskkill*" CommandLine="* /F *" CommandLine="* /IM *" CommandLine="*ccSvcHst.exe*" | fields - _raw | collect index=notable_events source="Taskkill Symantec Endpoint Protection" marker="guid=4a6713f6-3331-11ed-a261-0242ac120002,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[New User Created Via Net.EXE With Never Expire Option]
+description = Detects creation of local users via the net.exe command with the option "never expire"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine="*user*" CommandLine="*add*" CommandLine="*expires:never*" | fields - _raw | collect index=notable_events source="New User Created Via Net.EXE With Never Expire Option" marker="guid=b9f0e6f5-09b4-4358-bae4-08408705bd5c,tags=attack.persistence,tags=attack.t1136.001,"
+[ShimCache Flush]
+description = Detects actions that clear the local ShimCache and remove forensic evidence
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*rundll32*" CommandLine="*apphelp.dll*" CommandLine IN ("*ShimFlushCache*", "*#250*")) OR (CommandLine="*rundll32*" CommandLine="*kernel32.dll*" CommandLine IN ("*BaseFlushAppcompatCache*", "*#46*")) | table Image,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="ShimCache Flush" marker="guid=b0524451-19af-4efa-a46f-562a977f792e,tags=attack.defense-evasion,tags=attack.t1112,"
+[Suspicious Key Manager Access]
+description = Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*keymgr*" CommandLine="*KRShowKeyMgr*" | fields - _raw | collect index=notable_events source="Suspicious Key Manager Access" marker="guid=a4694263-59a8-4608-a3a0-6f8d3a51664c,tags=attack.credential-access,tags=attack.t1555.004,"
+[Microsoft Workflow Compiler Execution]
+description = Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Microsoft.Workflow.Compiler.exe" OR OriginalFileName="Microsoft.Workflow.Compiler.exe" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Microsoft Workflow Compiler Execution" marker="guid=419dbf2b-8a9b-4bea-bf99-7544b050ec8d,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1127,tags=attack.t1218,"
+[Add Insecure Download Source To Winget]
+description = Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\winget.exe" OR OriginalFileName="winget.exe" CommandLine="*source *" CommandLine="*add *" CommandLine="*http://*" | fields - _raw | collect index=notable_events source="Add Insecure Download Source To Winget" marker="guid=81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1059,"
+[Remote File Download Via Findstr.EXE]
+description = Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*findstr*" OR Image="*findstr.exe" OR OriginalFileName="FINDSTR.EXE" CommandLine="* -v *" OR CommandLine="* /v *" OR CommandLine="* –v *" OR CommandLine="* —v *" OR CommandLine="* ―v *" CommandLine="* -l *" OR CommandLine="* /l *" OR CommandLine="* –l *" OR CommandLine="* —l *" OR CommandLine="* ―l *" CommandLine="*\\\\*" | fields - _raw | collect index=notable_events source="Remote File Download Via Findstr.EXE" marker="guid=587254ee-a24b-4335-b3cd-065c0f1f4baa,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1564.004,tags=attack.t1552.001,tags=attack.t1105,"
+[Lolbin Ssh.exe Use As Proxy]
+description = Detect usage of the "ssh.exe" binary as a proxy to launch other programs
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="C:\\Windows\\System32\\OpenSSH\\sshd.exe" OR (Image="*\\ssh.exe" CommandLine="*ProxyCommand=*" OR (CommandLine="*PermitLocalCommand*" CommandLine="*LocalCommand*")) | fields - _raw | collect index=notable_events source="Lolbin Ssh.exe Use As Proxy" marker="guid=7d6d30b8-5b91-4b90-a891-46cccaf29598,tags=attack.defense-evasion,tags=attack.t1202,"
+[UAC Bypass Using DismHost]
+description = Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*C:\\Users\\*" ParentImage="*\\AppData\\Local\\Temp\\*" ParentImage="*\\DismHost.exe*" IntegrityLevel IN ("High", "System") | fields - _raw | collect index=notable_events source="UAC Bypass Using DismHost" marker="guid=853e74f9-9392-4935-ad3b-2e8c040dae86,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,"
+[Renamed CURL.EXE Execution]
+description = Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="curl.exe" OR Description="The curl executable" NOT Image="*\\curl*" | fields - _raw | collect index=notable_events source="Renamed CURL.EXE Execution" marker="guid=7530cd3d-7671-43e3-b209-976966f6ea48,tags=attack.execution,tags=attack.t1059,tags=attack.defense-evasion,tags=attack.t1202,"
+[Query Usage To Exfil Data]
+description = Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*:\\Windows\\System32\\query.exe" CommandLine IN ("*session >*", "*process >*") | fields - _raw | collect index=notable_events source="Query Usage To Exfil Data" marker="guid=53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2,tags=attack.execution,"
+[Suspicious Chromium Browser Instance Executed With Custom Extension]
+description = Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") Image IN ("*\\brave.exe", "*\\chrome.exe", "*\\msedge.exe", "*\\opera.exe", "*\\vivaldi.exe") CommandLine="*--load-extension=*" | fields - _raw | collect index=notable_events source="Suspicious Chromium Browser Instance Executed With Custom Extension" marker="guid=27ba3207-dd30-4812-abbf-5d20c57d474e,tags=attack.persistence,tags=attack.t1176,"
+[Remote Access Tool - RURAT Execution From Unusual Location]
+description = Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\rutserv.exe", "*\\rfusclient.exe") OR Product="Remote Utilities" NOT (Image IN ("C:\\Program Files\\Remote Utilities*", "C:\\Program Files (x86)\\Remote Utilities*")) | fields - _raw | collect index=notable_events source="Remote Access Tool - RURAT Execution From Unusual Location" marker="guid=e01fa958-6893-41d4-ae03-182477c5e77d,tags=attack.defense-evasion,"
+[Sensitive File Dump Via Wbadmin.EXE]
+description = Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wbadmin.exe" OR OriginalFileName="WBADMIN.EXE" CommandLine IN ("*start*", "*backup*") CommandLine IN ("*\\config\\SAM*", "*\\config\\SECURITY*", "*\\config\\SYSTEM*", "*\\Windows\\NTDS\\NTDS.dit*") | fields - _raw | collect index=notable_events source="Sensitive File Dump Via Wbadmin.EXE" marker="guid=8b93a509-1cb8-42e1-97aa-ee24224cdc15,tags=attack.credential-access,tags=attack.t1003.003,"
+[Suspicious Eventlog Clearing or Configuration Change Activity]
+description = Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\wevtutil.exe" CommandLine IN ("*clear-log *", "* cl *", "*set-log *", "* sl *", "*lfn:*")) OR (Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("*Clear-EventLog *", "*Remove-EventLog *", "*Limit-EventLog *", "*Clear-WinEvent *")) OR (Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\wmic.exe") CommandLine="*ClearEventLog*") NOT (ParentImage IN ("C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe") CommandLine="* sl *") | fields - _raw | collect index=notable_events source="Suspicious Eventlog Clearing or Configuration Change Activity" marker="guid=cc36992a-4671-4f21-a91d-6c2b72a2edf5,tags=attack.defense-evasion,tags=attack.t1070.001,tags=attack.t1562.002,tags=car.2016-04-002,"
+[Service StartupType Change Via Sc.EXE]
+description = Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sc.exe" OR OriginalFileName="sc.exe" CommandLine="* config *" CommandLine="*start*" CommandLine IN ("*disabled*", "*demand*") | fields - _raw | collect index=notable_events source="Service StartupType Change Via Sc.EXE" marker="guid=85c312b7-f44d-4a51-a024-d671c40b49fc,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Suspicious Process By Web Server Process]
+description = Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\caddy.exe", "*\\httpd.exe", "*\\nginx.exe", "*\\php-cgi.exe", "*\\php.exe", "*\\tomcat.exe", "*\\UMWorkerProcess.exe", "*\\w3wp.exe", "*\\ws_TomcatService.exe") OR (ParentImage IN ("*\\java.exe", "*\\javaw.exe") ParentImage IN ("*-tomcat-*", "*\\tomcat*")) OR (ParentImage IN ("*\\java.exe", "*\\javaw.exe") ParentCommandLine IN ("*CATALINA_HOME*", "*catalina.home*", "*catalina.jar*")) Image IN ("*\\arp.exe", "*\\at.exe", "*\\bash.exe", "*\\bitsadmin.exe", "*\\certutil.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\dsget.exe", "*\\hostname.exe", "*\\nbtstat.exe", "*\\net.exe", "*\\net1.exe", "*\\netdom.exe", "*\\netsh.exe", "*\\nltest.exe", "*\\ntdutil.exe", "*\\powershell_ise.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\qprocess.exe", "*\\query.exe", "*\\qwinsta.exe", "*\\reg.exe", "*\\rundll32.exe", "*\\sc.exe", "*\\sh.exe", "*\\wmic.exe", "*\\wscript.exe", "*\\wusa.exe") NOT ((ParentImage="*\\java.exe" CommandLine="*Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt") OR (ParentImage="*\\java.exe" CommandLine="*sc query*" CommandLine="*ADManager Plus*")) | fields - _raw | collect index=notable_events source="Suspicious Process By Web Server Process" marker="guid=8202070f-edeb-4d31-a010-a26c72ac5600,tags=attack.persistence,tags=attack.t1505.003,tags=attack.t1190,"
+[Command Line Execution with Suspicious URL and AppData Strings]
+description = Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" CommandLine="*http*" CommandLine="*://*" CommandLine="*%AppData%*" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Command Line Execution with Suspicious URL and AppData Strings" marker="guid=1ac8666b-046f-4201-8aba-1951aaec03a3,tags=attack.execution,tags=attack.command-and-control,tags=attack.t1059.003,tags=attack.t1059.001,tags=attack.t1105,"
+[Potential Fake Instance Of Hxtsr.EXE Executed]
+description = HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\hxtsr.exe" NOT (Image="*:\\program files\\windowsapps\\microsoft.windowscommunicationsapps_*" Image="*\\hxtsr.exe") | fields - _raw | collect index=notable_events source="Potential Fake Instance Of Hxtsr.EXE Executed" marker="guid=4e762605-34a8-406d-b72e-c1a089313320,tags=attack.defense-evasion,tags=attack.t1036,"
+[Execute Pcwrun.EXE To Leverage Follina]
+description = Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\pcwrun.exe" CommandLine="*../*" | fields - _raw | collect index=notable_events source="Execute Pcwrun.EXE To Leverage Follina" marker="guid=6004abd0-afa4-4557-ba90-49d172e0a299,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.execution,"
+[Suspicious Execution From Outlook Temporary Folder]
+description = Detects a suspicious program execution in Outlook temp folder
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Temporary Internet Files\\Content.Outlook\\*" | fields - _raw | collect index=notable_events source="Suspicious Execution From Outlook Temporary Folder" marker="guid=a018fdc3-46a3-44e5-9afb-2cd4af1d4b39,tags=attack.initial-access,tags=attack.t1566.001,"
+[Suspicious Control Panel DLL Load]
+description = Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\System32\\control.exe" Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" NOT CommandLine="*Shell32.dll*" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Control Panel DLL Load" marker="guid=d7eb979b-c2b5-4a6f-a3a7-c87ce6763819,tags=attack.defense-evasion,tags=attack.t1218.011,"
+[Suspicious Rundll32 Invoking Inline VBScript]
+description = Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*rundll32.exe*" CommandLine="*Execute*" CommandLine="*RegRead*" CommandLine="*window.close*" | fields - _raw | collect index=notable_events source="Suspicious Rundll32 Invoking Inline VBScript" marker="guid=1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd,tags=attack.defense-evasion,tags=attack.t1055,"
+[PUA - SoftPerfect Netscan Execution]
+description = Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netscan.exe" OR Product="Network Scanner" OR Description="Application for scanning networks" | fields - _raw | collect index=notable_events source="PUA - SoftPerfect Netscan Execution" marker="guid=ca387a8e-1c84-4da3-9993-028b45342d30,tags=attack.discovery,tags=attack.t1046,"
+[Audio Capture via SoundRecorder]
+description = Detect attacker collecting audio via SoundRecorder application.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SoundRecorder.exe" CommandLine="*/FILE*" | fields - _raw | collect index=notable_events source="Audio Capture via SoundRecorder" marker="guid=83865853-59aa-449e-9600-74b9d89a6d6e,tags=attack.collection,tags=attack.t1123,"
+[Suspicious Msiexec Execute Arbitrary DLL]
+description = Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msiexec.exe" CommandLine="* -y*" OR CommandLine="* /y*" OR CommandLine="* –y*" OR CommandLine="* —y*" OR CommandLine="* ―y*" NOT (CommandLine IN ("*\\MsiExec.exe\" /Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll*", "*\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll*", "*\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll*", "*\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll*", "*\\MsiExec.exe\" /Y \"C:\\Windows\\CCM\\*", "*\\MsiExec.exe\" /Y C:\\Windows\\CCM\\*", "*\\MsiExec.exe\" -Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll*", "*\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll*", "*\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll*", "*\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll*", "*\\MsiExec.exe\" -Y \"C:\\Windows\\CCM\\*", "*\\MsiExec.exe\" -Y C:\\Windows\\CCM\\*")) | fields - _raw | collect index=notable_events source="Suspicious Msiexec Execute Arbitrary DLL" marker="guid=6f4191bb-912b-48a8-9ce7-682769541e6d,tags=attack.defense-evasion,tags=attack.t1218.007,"
+[UAC Bypass via Windows Firewall Snap-In Hijack]
+description = Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\mmc.exe" ParentCommandLine="*WF.msc*" NOT Image="*\\WerFault.exe" | fields - _raw | collect index=notable_events source="UAC Bypass via Windows Firewall Snap-In Hijack" marker="guid=e52cb31c-10ed-4aea-bcb7-593c9f4a315b,tags=attack.privilege-escalation,tags=attack.t1548,"
+[Suspicious Binary In User Directory Spawned From Office Application]
+description = Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\POWERPNT.exe", "*\\MSPUB.exe", "*\\VISIO.exe", "*\\MSACCESS.exe", "*\\EQNEDT32.exe") Image="C:\\users\\*" Image="*.exe" NOT Image="*\\Teams.exe" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Binary In User Directory Spawned From Office Application" marker="guid=aa3a6f94-890e-4e22-b634-ffdfd54792cc,tags=attack.execution,tags=attack.t1204.002,tags=attack.g0046,tags=car.2013-05-002,"
+[Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE]
+description = Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine="*copy *" CommandLine="* \\\\*" CommandLine IN ("*.dmp*", "*.dump*", "*.hdmp*") | fields - _raw | collect index=notable_events source="Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE" marker="guid=044ba588-dff4-4918-9808-3f95e8160606,tags=attack.credential-access,"
+[Potential File Overwrite Via Sysinternals SDelete]
+description = Detects the use of SDelete to erase a file not the free space
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="sdelete.exe" NOT (CommandLine IN ("* -h*", "* -c*", "* -z*", "* /?*")) | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Potential File Overwrite Via Sysinternals SDelete" marker="guid=a4824fca-976f-4964-b334-0621379e84c4,tags=attack.impact,tags=attack.t1485,"
+[Forfiles Command Execution]
+description = Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\forfiles.exe" OR OriginalFileName="forfiles.exe" CommandLine="* -c *" OR CommandLine="* /c *" OR CommandLine="* –c *" OR CommandLine="* —c *" OR CommandLine="* ―c *" | fields - _raw | collect index=notable_events source="Forfiles Command Execution" marker="guid=9aa5106d-bce3-4b13-86df-3a20f1d5cf0b,tags=attack.execution,tags=attack.t1059,"
+[Suspicious Certreq Command to Download]
+description = Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certreq.exe" OR OriginalFileName="CertReq.exe" CommandLine="* -Post *" CommandLine="* -config *" CommandLine="* http*" CommandLine="* C:\\windows\\win.ini *" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Certreq Command to Download" marker="guid=4480827a-9799-4232-b2c4-ccc6c4e9e12b,tags=attack.command-and-control,tags=attack.t1105,"
+[Scheduled Task Executing Encoded Payload from Registry]
+description = Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" OR OriginalFileName="schtasks.exe" CommandLine="*/Create*" CommandLine IN ("*FromBase64String*", "*encodedcommand*") CommandLine IN ("*Get-ItemProperty*", "* gp *") CommandLine IN ("*HKCU:*", "*HKLM:*", "*registry::*", "*HKEY_*") | fields - _raw | collect index=notable_events source="Scheduled Task Executing Encoded Payload from Registry" marker="guid=c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78,tags=attack.execution,tags=attack.persistence,tags=attack.t1053.005,tags=attack.t1059.001,"
+[Suspicious Calculator Usage]
+description = Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\calc.exe *" OR (Image="*\\calc.exe" NOT (Image IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\WinSxS\\*"))) | fields - _raw | collect index=notable_events source="Suspicious Calculator Usage" marker="guid=737e618a-a410-49b5-bec3-9e55ff7fbc15,tags=attack.defense-evasion,tags=attack.t1036,"
+[Suspicious Child Process Of Wermgr.EXE]
+description = Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\wermgr.exe" Image IN ("*\\cmd.exe", "*\\cscript.exe", "*\\ipconfig.exe", "*\\mshta.exe", "*\\net.exe", "*\\net1.exe", "*\\netstat.exe", "*\\nslookup.exe", "*\\powershell_ise.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\systeminfo.exe", "*\\whoami.exe", "*\\wscript.exe") NOT (Image="*\\rundll32.exe" CommandLine="*C:\\Windows\\system32\\WerConCpl.dll*" CommandLine="*LaunchErcApp -queuereporting*") | fields - _raw | collect index=notable_events source="Suspicious Child Process Of Wermgr.EXE" marker="guid=396f6630-f3ac-44e3-bfc8-1b161bc00c4e,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1055,tags=attack.t1036,"
+[Potential Privilege Escalation Using Symlink Between Osk and Cmd]
+description = Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine="*mklink*" CommandLine="*\\osk.exe*" CommandLine="*\\cmd.exe*" | fields - _raw | collect index=notable_events source="Potential Privilege Escalation Using Symlink Between Osk and Cmd" marker="guid=e9b61244-893f-427c-b287-3e708f321c6b,tags=attack.privilege-escalation,tags=attack.persistence,tags=attack.t1546.008,"
+[Suspicious Active Directory Database Snapshot Via ADExplorer]
+description = Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ADExplorer.exe" OR OriginalFileName="AdExp" CommandLine="*snapshot*" CommandLine IN ("*\\Downloads\\*", "*\\Users\\Public\\*", "*\\AppData\\*", "*\\Windows\\Temp\\*") | fields - _raw | collect index=notable_events source="Suspicious Active Directory Database Snapshot Via ADExplorer" marker="guid=ef61af62-bc74-4f58-b49b-626448227652,tags=attack.credential-access,tags=attack.t1552.001,tags=attack.t1003.003," +[WMI Persistence - Script Event Consumer] +description = Detects WMI script event consumers +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="C:\\WINDOWS\\system32\\wbem\\scrcons.exe" ParentImage="C:\\Windows\\System32\\svchost.exe" | fields - _raw | collect index=notable_events source="WMI Persistence - Script Event Consumer" marker="guid=ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1546.003," +[HackTool - SysmonEOP Execution] +description = Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120 +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SysmonEOP.exe" OR Hashes IN ("*IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5*", "*IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC*") OR Imphash IN ("22f4089eb8aba31e1bb162c6d9bf72e5", "5123fa4c4384d431cd0d893eeb49bbec") | fields - _raw | collect index=notable_events source="HackTool - SysmonEOP Execution" marker="guid=8a7e90c5-fe6e-45dc-889e-057fe4378bd9,tags=cve.2022-41120,tags=attack.t1068,tags=attack.privilege-escalation," +[Potential RDP Session Hijacking Activity] +description = Detects potential RDP Session Hijacking activity on Windows systems +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\tscon.exe" OR OriginalFileName="tscon.exe" 
IntegrityLevel="SYSTEM" | fields - _raw | collect index=notable_events source="Potential RDP Session Hijacking Activity" marker="guid=224f140f-3553-4cd1-af78-13d81bf9f7cc,tags=attack.execution," +[PUA - Advanced IP Scanner Execution] +description = Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\advanced_ip_scanner*" OR OriginalFileName="*advanced_ip_scanner*" OR Description="*Advanced IP Scanner*" OR (CommandLine="*/portable*" CommandLine="*/lng*") | fields - _raw | collect index=notable_events source="PUA - Advanced IP Scanner Execution" marker="guid=bef37fa2-f205-4a7b-b484-0759bfd5f86f,tags=attack.discovery,tags=attack.t1046,tags=attack.t1135," +[New Service Creation Using Sc.EXE] +description = Detects the creation of a new service using the "sc.exe" utility. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sc.exe" CommandLine="*create*" CommandLine="*binPath*" | fields - _raw | collect index=notable_events source="New Service Creation Using Sc.EXE" marker="guid=85ff530b-261d-48c6-a441-facaa2e81e48,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1543.003," +[Suspicious Execution of Powershell with Base64] +description = Commandline to launch powershell with a base64 payload +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("* -e *", "* -en *", "* -enc *", "* -enco*", "* -ec *") NOT (CommandLine="* -Encoding *" OR ParentImage IN ("*C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\*", "*\\gc_worker.exe*")) | fields - _raw | collect index=notable_events source="Suspicious Execution of Powershell with Base64" 
marker="guid=fb843269-508c-4b76-8b8d-88679db22ce7,tags=attack.execution,tags=attack.t1059.001," +[Suspicious PowerShell Invocations - Specific - ProcessCreation] +description = Detects suspicious PowerShell invocation command parameters +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*-nop*" CommandLine="* -w *" CommandLine="*hidden*" CommandLine="* -c *" CommandLine="*[Convert]::FromBase64String*") OR (CommandLine="* -w *" CommandLine="*hidden*" CommandLine="*-noni*" CommandLine="*-nop*" CommandLine="* -c *" CommandLine="*iex*" CommandLine="*New-Object*") OR (CommandLine="* -w *" CommandLine="*hidden*" CommandLine="*-ep*" CommandLine="*bypass*" CommandLine="*-Enc*") OR (CommandLine="*powershell*" CommandLine="*reg*" CommandLine="*add*" CommandLine="*\\software\\*") OR (CommandLine="*bypass*" CommandLine="*-noprofile*" CommandLine="*-windowstyle*" CommandLine="*hidden*" CommandLine="*new-object*" CommandLine="*system.net.webclient*" CommandLine="*.download*") OR (CommandLine="*iex*" CommandLine="*New-Object*" CommandLine="*Net.WebClient*" CommandLine="*.Download*") NOT (CommandLine IN ("*(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1*", "*Write-ChocolateyWarning*")) | fields - _raw | collect index=notable_events source="Suspicious PowerShell Invocations - Specific - ProcessCreation" marker="guid=536e2947-3729-478c-9903-745aaffe60d2,tags=attack.defense-evasion," +[Deletion of Volume Shadow Copies via WMI with PowerShell] +description = Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") CommandLine="*Win32_ShadowCopy*" CommandLine IN ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*") | fields - _raw | collect index=notable_events source="Deletion of Volume Shadow Copies via WMI with PowerShell" marker="guid=21ff4ca9-f13a-41ad-b828-0077b2af2e40,tags=attack.impact,tags=attack.t1490," +[Renamed Msdt.EXE Execution] +description = Detects the execution of a renamed "Msdt.exe" binary +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="msdt.exe" NOT Image="*\\msdt.exe" | fields - _raw | collect index=notable_events source="Renamed Msdt.EXE Execution" marker="guid=bd1c6866-65fc-44b2-be51-5588fcff82b9,tags=attack.defense-evasion,tags=attack.t1036.003," +[WhoAmI as Parameter] +description = Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*.exe whoami*" | fields - _raw | collect index=notable_events source="WhoAmI as Parameter" marker="guid=e9142d84-fbe0-401d-ac50-3e519fb00c89,tags=attack.discovery,tags=attack.t1033,tags=car.2016-03-001," +[Potential Unquoted Service Path Reconnaissance Via Wmic.EXE] +description = Detects known WMI recon method to look for unquoted service paths using wmic. 
Often used by pentester and attacker enumeration scripts +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="wmic.exe" OR Image="*\\WMIC.exe" CommandLine="* service get *" CommandLine="*name,displayname,pathname,startmode*" | fields - _raw | collect index=notable_events source="Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" marker="guid=68bcd73b-37ef-49cb-95fc-edc809730be6,tags=attack.execution,tags=attack.t1047," +[Invoke-Obfuscation CLIP+ Launcher] +description = Detects Obfuscated use of Clip.exe to execute PowerShell +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*cmd*" CommandLine="*&&*" CommandLine="*clipboard]::*" CommandLine="*-f*" CommandLine IN ("*/c*", "*/r*") | fields - _raw | collect index=notable_events source="Invoke-Obfuscation CLIP+ Launcher" marker="guid=b222df08-0e07-11eb-adc1-0242ac120002,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Potential AMSI Bypass Via .NET Reflection] +description = Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*System.Management.Automation.AmsiUtils*", "*amsiInitFailed*") OR (CommandLine="*[Ref].Assembly.GetType*" CommandLine="*SetValue($null,$true)*" CommandLine="*NonPublic,Static*") | fields - _raw | collect index=notable_events source="Potential AMSI Bypass Via .NET Reflection" marker="guid=30edb182-aa75-42c0-b0a9-e998bb29067c,tags=attack.defense-evasion,tags=attack.t1562.001," +[UtilityFunctions.ps1 Proxy Dll] +description = Detects the use of a Microsoft signed script executing a managed DLL with PowerShell. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*UtilityFunctions.ps1*", "*RegSnapin *") | fields - _raw | collect index=notable_events source="UtilityFunctions.ps1 Proxy Dll" marker="guid=0403d67d-6227-4ea8-8145-4e72db7da120,tags=attack.defense-evasion,tags=attack.t1216," +[Nslookup PowerShell Download Cradle - ProcessCreation] +description = Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\nslookup.exe*" OR OriginalFileName="\\nslookup.exe" ParentImage IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("* -q=txt *", "* -querytype=txt *") | fields - _raw | collect index=notable_events source="Nslookup PowerShell Download Cradle - ProcessCreation" marker="guid=1b3b01c7-84e9-4072-86e5-fc285a41ff23,tags=attack.defense-evasion," +[Suspicious DumpMinitool Execution] +description = Detects suspicious ways to use the "DumpMinitool.exe" binary +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\DumpMinitool.exe", "*\\DumpMinitool.x86.exe", "*\\DumpMinitool.arm64.exe") OR OriginalFileName IN ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe") NOT (Image IN ("*\\Microsoft Visual Studio\\*", "*\\Extensions\\*")) OR CommandLine="*.txt*" OR (CommandLine IN ("* Full*", "* Mini*", "* WithHeap*") NOT CommandLine="*--dumpType*") | fields - _raw | collect index=notable_events source="Suspicious DumpMinitool Execution" marker="guid=eb1c4225-1c23-4241-8dd4-051389fde4ce,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1003.001," +[HackTool - Impersonate Execution] +description = Detects execution of the Impersonate tool. 
Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*impersonate.exe*" CommandLine IN ("* list *", "* exec *", "* adduser *")) OR Hashes IN ("*MD5=9520714AB576B0ED01D1513691377D01*", "*SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A*", "*IMPHASH=0A358FFC1697B7A07D0E817AC740DF62*") OR md5="9520714AB576B0ED01D1513691377D01" OR sha256="E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A" OR Imphash="0A358FFC1697B7A07D0E817AC740DF62" | fields - _raw | collect index=notable_events source="HackTool - Impersonate Execution" marker="guid=cf0c254b-22f1-4b2b-8221-e137b3c0af94,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1134.001,tags=attack.t1134.003," +[File Download From IP URL Via Curl.EXE] +description = Detects file downloads directly from IP address URL using curl.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\curl.exe" OR OriginalFileName="curl.exe" CommandLine="*http*" CommandLine IN ("* -O*", "*--remote-name*", "*--output*") NOT (CommandLine IN ("*.bat", "*.bat\"", "*.dat", "*.dat\"", "*.dll", "*.dll\"", "*.exe", "*.exe\"", "*.gif", "*.gif\"", "*.hta", "*.hta\"", "*.jpeg", "*.jpeg\"", "*.log", "*.log\"", "*.msi", "*.msi\"", "*.png", "*.png\"", "*.ps1", "*.ps1\"", "*.psm1", "*.psm1\"", "*.vbe", "*.vbe\"", "*.vbs", "*.vbs\"", "*.bat'", "*.dat'", "*.dll'", "*.exe'", "*.gif'", "*.hta'", "*.jpeg'", "*.log'", "*.msi'", "*.png'", "*.ps1'", "*.psm1'", "*.vbe'", "*.vbs'"))\ +| regex CommandLine="://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" | fields - _raw | collect index=notable_events source="File Download From IP URL Via Curl.EXE" marker="guid=9cc85849-3b02-4cb5-b371-3a1ff54f2218,tags=attack.execution," +[PUA - Adidnsdump Execution] +description = This tool enables 
enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\python.exe" CommandLine="*adidnsdump*" | fields - _raw | collect index=notable_events source="PUA - Adidnsdump Execution" marker="guid=26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160,tags=attack.discovery,tags=attack.t1018," +[Firewall Rule Update Via Netsh.EXE] +description = Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" CommandLine="* firewall *" CommandLine="* set *" | fields - _raw | collect index=notable_events source="Firewall Rule Update Via Netsh.EXE" marker="guid=a70dcb37-3bee-453a-99df-d0c683151be6,tags=attack.defense-evasion," +[Suspicious Copy From or To System Directory] +description = Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\cmd.exe" CommandLine="*copy *") OR (Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("*copy-item*", "* copy *", "*cpi *", "* cp *")) OR Image IN ("*\\robocopy.exe", "*\\xcopy.exe") OR OriginalFileName IN ("robocopy.exe", "XCOPY.EXE") CommandLine IN ("*\\System32*", "*\\SysWOW64*", "*\\WinSxS*") | fields - _raw | collect index=notable_events source="Suspicious Copy From or To System Directory" marker="guid=fff9d2b7-e11c-4a69-93d3-40ef66189767,tags=attack.defense-evasion,tags=attack.t1036.003," +[Mstsc.EXE Execution With Local RDP File] +description = Detects potential RDP connection via Mstsc using a local ".rdp" file +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\mstsc.exe" OR OriginalFileName="mstsc.exe" CommandLine IN ("*.rdp", "*.rdp\"") NOT (ParentImage="C:\\Windows\\System32\\lxss\\wslhost.exe" CommandLine="*C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp*") | fields - _raw | collect index=notable_events source="Mstsc.EXE Execution With Local RDP File" marker="guid=5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af,tags=attack.command-and-control,tags=attack.t1219," +[Service Started/Stopped Via Wmic.EXE] +description = Detects usage of wmic to start or stop a service +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="wmic.exe" OR Image="*\\WMIC.exe" CommandLine="* service *" CommandLine="* call *" CommandLine IN ("*stopservice*", "*startservice*") | fields - _raw | collect index=notable_events source="Service Started/Stopped Via Wmic.EXE" marker="guid=0b7163dc-7eee-4960-af17-c0cd517f92da,tags=attack.execution,tags=attack.t1047," +[Screen Capture Activity Via Psr.EXE] +description = Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Psr.exe" CommandLine IN ("*/start*", "*-start*") | fields - _raw | collect index=notable_events source="Screen Capture Activity Via Psr.EXE" marker="guid=2158f96f-43c2-43cb-952a-ab4580f32382,tags=attack.collection,tags=attack.t1113," +[Powershell Defender Disable Scan Feature] +description = Detects requests to disable Microsoft Defender features using PowerShell commands +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine IN ("*Add-MpPreference *", "*Set-MpPreference *") CommandLine IN ("*DisableArchiveScanning *", "*DisableRealtimeMonitoring *", "*DisableIOAVProtection *", "*DisableBehaviorMonitoring *", "*DisableBlockAtFirstSeen *", "*DisableCatchupFullScan *", "*DisableCatchupQuickScan *") CommandLine IN ("*$true*", "* 1 *")) OR CommandLine="*ZGlzYWJsZWFyY2hpdmVzY2FubmluZy*" OR CommandLine="*Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg*" OR CommandLine="*kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI*" OR CommandLine="*RGlzYWJsZUFyY2hpdmVTY2FubmluZy*" OR CommandLine="*Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg*" OR CommandLine="*EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI*" OR CommandLine="*ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy*" OR CommandLine="*Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg*" OR CommandLine="*kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI*" OR CommandLine="*RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy*" OR CommandLine="*Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg*" OR CommandLine="*EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI*" OR CommandLine="*ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g*" OR CommandLine="*Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI*" OR CommandLine="*kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi*" OR CommandLine="*RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g*" OR CommandLine="*Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI*" OR CommandLine="*EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi*" OR CommandLine="*ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi*" OR CommandLine="*Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g*" OR CommandLine="*kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI*" OR 
CommandLine="*RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi*" OR CommandLine="*Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g*" OR CommandLine="*EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI*" OR CommandLine="*ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g*" OR CommandLine="*Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI*" OR CommandLine="*kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi*" OR CommandLine="*RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g*" OR CommandLine="*Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI*" OR CommandLine="*EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi*" OR CommandLine="*ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI*" OR CommandLine="*Rpc2FibGVpb2F2cHJvdGVjdGlvbi*" OR CommandLine="*kaXNhYmxlaW9hdnByb3RlY3Rpb24g*" OR CommandLine="*RGlzYWJsZUlPQVZQcm90ZWN0aW9uI*" OR CommandLine="*Rpc2FibGVJT0FWUHJvdGVjdGlvbi*" OR CommandLine="*EaXNhYmxlSU9BVlByb3RlY3Rpb24g*" OR CommandLine="*ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy*" OR CommandLine="*Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg*" OR CommandLine="*kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI*" OR CommandLine="*RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy*" OR CommandLine="*Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg*" OR CommandLine="*EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI*" OR CommandLine IN ("*RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA*", "*QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA*", "*EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA*", "*RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA*", "*QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA*", "*EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA*", "*RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA*", "*QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA*", "*EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA*", "*RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA*", "*QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA*", "*EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA*", 
"*ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA*", "*QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA*", "*kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA*", "*ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA*", "*QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA*", "*kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA*", "*ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA*", "*QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA*", "*kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA*", "*ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA*", "*QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA*", "*kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA*", "*RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA*", "*RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA*", "*RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA*") | fields - _raw | collect index=notable_events source="Powershell Defender Disable Scan Feature" marker="guid=1ec65a5f-9473-4f12-97da-622044d6df21,tags=attack.defense-evasion,tags=attack.t1562.001," +[Potential MsiExec Masquerading] +description = Detects the execution of msiexec.exe from an uncommon directory +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msiexec.exe" OR OriginalFileName="\\msiexec.exe" NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\WinSxS\\*")) | fields - _raw | collect index=notable_events source="Potential MsiExec Masquerading" marker="guid=e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144,tags=attack.defense-evasion,tags=attack.t1036.005," +[Potential Download/Upload Activity Using Type Command] +description = Detects usage of the "type" command to download/upload data from WebDAV server +search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*type *" CommandLine="* > \\\\*") OR (CommandLine="*type \\\\*" CommandLine="* > *") | fields - _raw | collect index=notable_events source="Potential Download/Upload Activity Using Type Command" marker="guid=aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f,tags=attack.command-and-control,tags=attack.t1105," +[Devtoolslauncher.exe Executes Specified Binary] +description = The Devtoolslauncher.exe executes other binary +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\devtoolslauncher.exe" CommandLine="*LaunchForDeploy*" | fields - _raw | collect index=notable_events source="Devtoolslauncher.exe Executes Specified Binary" marker="guid=cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6,tags=attack.defense-evasion,tags=attack.t1218," +[All Backups Deleted Via Wbadmin.EXE] +description = Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wbadmin.exe" OR OriginalFileName="WBADMIN.EXE" CommandLine="*delete*" CommandLine="*backup*" CommandLine="*keepVersions:0*" | fields - _raw | collect index=notable_events source="All Backups Deleted Via Wbadmin.EXE" marker="guid=639c9081-f482-47d3-a0bd-ddee3d4ecd76,tags=attack.impact,tags=attack.t1490," +[LSASS Dump Keyword In CommandLine] +description = Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*lsass.dmp*", "*lsass.zip*", "*lsass.rar*", "*Andrew.dmp*", "*Coredump.dmp*", "*NotLSASS.zip*", "*lsass_2*", "*lsassdump*", "*lsassdmp*") OR (CommandLine="*lsass*" CommandLine="*.dmp*") OR (CommandLine="*SQLDmpr*" CommandLine="*.mdmp*") OR (CommandLine="*nanodump*" CommandLine="*.dmp*") | fields - _raw | collect index=notable_events source="LSASS Dump Keyword In CommandLine" marker="guid=ffa6861c-4461-4f59-8a41-578c39f3f23e,tags=attack.credential-access,tags=attack.t1003.001," +[Suspicious Mshta.EXE Execution Patterns] +description = Detects suspicious mshta process execution patterns +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\mshta.exe" OR OriginalFileName="MSHTA.EXE" ParentImage IN ("*\\cmd.exe", "*\\cscript.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") CommandLine IN ("*\\AppData\\Local\\*", "*C:\\ProgramData\\*", "*C:\\Users\\Public\\*", "*C:\\Windows\\Temp\\*")) OR (Image="*\\mshta.exe" OR OriginalFileName="MSHTA.EXE" NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*") OR CommandLine IN ("*.htm*", "*.hta*") OR CommandLine IN ("*mshta.exe", "*mshta"))) | fields - _raw | collect index=notable_events source="Suspicious Mshta.EXE Execution Patterns" marker="guid=e32f92d1-523e-49c3-9374-bdb13b46a3ba,tags=attack.execution,tags=attack.t1106," +[System Disk And Volume Reconnaissance Via Wmic.EXE] +description = An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the `wmic` command-line utility and has been observed being used by threat actors such as Volt Typhoon. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\WMIC.exe" OR OriginalFileName="wmic.exe" CommandLine IN ("*volume*", "*path win32_logicaldisk*") | fields - _raw | collect index=notable_events source="System Disk And Volume Reconnaissance Via Wmic.EXE" marker="guid=c79da740-5030-45ec-a2e0-479e824a562c,tags=attack.execution,tags=attack.discovery,tags=attack.t1047,tags=attack.t1082," +[Potential Persistence Via Microsoft Compatibility Appraiser] +description = Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" OR OriginalFileName="schtasks.exe" CommandLine="*run *" CommandLine="*\\Application Experience\\Microsoft Compatibility Appraiser*" | fields - _raw | collect index=notable_events source="Potential Persistence Via Microsoft Compatibility Appraiser" marker="guid=f548a603-c9f2-4c89-b511-b089f7e94549,tags=attack.persistence,tags=attack.t1053.005," +[Suspicious WmiPrvSE Child Process] +description = Detects suspicious and uncommon child processes of WmiPrvSE +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\wbem\\WmiPrvSE.exe" Image IN ("*\\certutil.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\msiexec.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\verclsid.exe", "*\\wscript.exe") OR (Image="*\\cmd.exe" CommandLine IN ("*cscript*", "*mshta*", "*powershell*", "*pwsh*", "*regsvr32*", "*rundll32*", "*wscript*")) NOT (Image="*\\WerFault.exe" OR Image="*\\WmiPrvSE.exe" OR (Image="*\\msiexec.exe" CommandLine="*/i *")) | fields - _raw | collect index=notable_events source="Suspicious WmiPrvSE Child Process" 
marker="guid=8a582fe2-0882-4b89-a82a-da6b2dc32937,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1047,tags=attack.t1204.002,tags=attack.t1218.010," +[Potential Suspicious Windows Feature Enabled - ProcCreation] +description = Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*Enable-WindowsOptionalFeature*" CommandLine="*-Online*" CommandLine="*-FeatureName*" CommandLine IN ("*TelnetServer*", "*Internet-Explorer-Optional-amd64*", "*TFTP*", "*SMB1Protocol*", "*Client-ProjFS*", "*Microsoft-Windows-Subsystem-Linux*") | fields - _raw | collect index=notable_events source="Potential Suspicious Windows Feature Enabled - ProcCreation" marker="guid=c740d4cf-a1e9-41de-bb16-8a46a4f57918,tags=attack.defense-evasion," +[Potentially Suspicious EventLog Recon Activity Using Log Query Utilities] +description = Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Microsoft-Windows-PowerShell*", "*Microsoft-Windows-Security-Auditing*", "*Microsoft-Windows-TerminalServices-LocalSessionManager*", "*Microsoft-Windows-TerminalServices-RemoteConnectionManager*", "*Microsoft-Windows-Windows Defender*", "*PowerShellCore*", "*Security*", "*Windows PowerShell*") OR CommandLine IN ("*-InstanceId 4624*", "*System[EventID=4624]*", "*EventCode=*4624**", "*EventIdentifier=*4624**", "*-InstanceId 4778*", "*System[EventID=4778]*", "*EventCode=*4778**", "*EventIdentifier=*4778**", "*-InstanceId 25*", "*System[EventID=25]*", "*EventCode=*25**", "*EventIdentifier=*25**") (CommandLine="*Select*" CommandLine="*Win32_NTLogEvent*") OR (Image="*\\wevtutil.exe" OR OriginalFileName="wevtutil.exe" CommandLine IN ("* qe *", "* query-events *")) OR (Image="*\\wmic.exe" OR OriginalFileName="wmic.exe" CommandLine="* ntevent*") OR CommandLine IN ("*Get-WinEvent *", "*get-eventlog *") | fields - _raw | collect index=notable_events source="Potentially Suspicious EventLog Recon Activity Using Log Query Utilities" marker="guid=beaa66d6-aa1b-4e3c-80f5-e0145369bfaf,tags=attack.credential-access,tags=attack.discovery,tags=attack.t1552," +[Suspicious Where Execution] +description = Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\where.exe" OR OriginalFileName="where.exe" CommandLine IN ("*places.sqlite*", "*cookies.sqlite*", "*formhistory.sqlite*", "*logins.json*", "*key4.db*", "*key3.db*", "*sessionstore.jsonlz4*", "*History*", "*Bookmarks*", "*Cookies*", "*Login Data*") | fields - _raw | collect index=notable_events source="Suspicious Where Execution" marker="guid=725a9768-0f5e-4cb3-aec2-bc5719c6831a,tags=attack.discovery,tags=attack.t1217," +[DLL Execution Via Register-cimprovider.exe] +description = Detects using register-cimprovider.exe to execute arbitrary dll file. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\register-cimprovider.exe" CommandLine="*-path*" CommandLine="*dll*" | table CommandLine | fields - _raw | collect index=notable_events source="DLL Execution Via Register-cimprovider.exe" marker="guid=a2910908-e86f-4687-aeba-76a5f996e652,tags=attack.defense-evasion,tags=attack.t1574," +[Dropping Of Password Filter DLL] +description = Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa*" CommandLine="*scecli\\0*" CommandLine="*reg add*" | fields - _raw | collect index=notable_events source="Dropping Of Password Filter DLL" marker="guid=b7966f4a-b333-455b-8370-8ca53c229762,tags=attack.credential-access,tags=attack.t1556.002," +[Potential Renamed Rundll32 Execution] +description = Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*DllRegisterServer*" NOT Image="*\\rundll32.exe" | fields - _raw | collect index=notable_events source="Potential Renamed Rundll32 Execution" marker="guid=2569ed8c-1147-498a-9b8c-2ad3656b10ed,tags=attack.execution," +[PsExec/PAExec Escalation to LOCAL SYSTEM] +description = Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* -s cmd*" OR CommandLine="* /s cmd*" OR CommandLine="* –s cmd*" OR CommandLine="* —s cmd*" OR CommandLine="* ―s cmd*" OR CommandLine="* -s -i cmd*" OR CommandLine="* -s /i cmd*" OR CommandLine="* -s –i cmd*" OR CommandLine="* -s —i cmd*" OR CommandLine="* -s ―i cmd*" OR CommandLine="* /s -i cmd*" OR CommandLine="* /s /i cmd*" OR CommandLine="* /s –i cmd*" OR CommandLine="* /s —i cmd*" OR CommandLine="* /s ―i cmd*" OR CommandLine="* –s -i cmd*" OR CommandLine="* –s /i cmd*" OR CommandLine="* –s –i cmd*" OR CommandLine="* –s —i cmd*" OR CommandLine="* –s ―i cmd*" OR CommandLine="* —s -i cmd*" OR CommandLine="* —s /i cmd*" OR CommandLine="* —s –i cmd*" OR CommandLine="* —s —i cmd*" OR CommandLine="* —s ―i cmd*" OR CommandLine="* ―s -i cmd*" OR CommandLine="* ―s /i cmd*" OR CommandLine="* ―s –i cmd*" OR CommandLine="* ―s —i cmd*" OR CommandLine="* ―s ―i cmd*" OR CommandLine="* -i -s cmd*" OR CommandLine="* -i /s cmd*" OR CommandLine="* -i –s cmd*" OR CommandLine="* -i —s cmd*" OR CommandLine="* -i ―s cmd*" OR CommandLine="* /i -s cmd*" OR CommandLine="* /i /s cmd*" OR CommandLine="* /i –s cmd*" OR CommandLine="* /i —s cmd*" OR CommandLine="* /i ―s cmd*" OR CommandLine="* –i -s cmd*" OR CommandLine="* –i /s cmd*" OR CommandLine="* –i –s cmd*" OR CommandLine="* –i —s cmd*" OR 
CommandLine="* –i ―s cmd*" OR CommandLine="* —i -s cmd*" OR CommandLine="* —i /s cmd*" OR CommandLine="* —i –s cmd*" OR CommandLine="* —i —s cmd*" OR CommandLine="* —i ―s cmd*" OR CommandLine="* ―i -s cmd*" OR CommandLine="* ―i /s cmd*" OR CommandLine="* ―i –s cmd*" OR CommandLine="* ―i —s cmd*" OR CommandLine="* ―i ―s cmd*" OR CommandLine="* -s pwsh*" OR CommandLine="* /s pwsh*" OR CommandLine="* –s pwsh*" OR CommandLine="* —s pwsh*" OR CommandLine="* ―s pwsh*" OR CommandLine="* -s -i pwsh*" OR CommandLine="* -s /i pwsh*" OR CommandLine="* -s –i pwsh*" OR CommandLine="* -s —i pwsh*" OR CommandLine="* -s ―i pwsh*" OR CommandLine="* /s -i pwsh*" OR CommandLine="* /s /i pwsh*" OR CommandLine="* /s –i pwsh*" OR CommandLine="* /s —i pwsh*" OR CommandLine="* /s ―i pwsh*" OR CommandLine="* –s -i pwsh*" OR CommandLine="* –s /i pwsh*" OR CommandLine="* –s –i pwsh*" OR CommandLine="* –s —i pwsh*" OR CommandLine="* –s ―i pwsh*" OR CommandLine="* —s -i pwsh*" OR CommandLine="* —s /i pwsh*" OR CommandLine="* —s –i pwsh*" OR CommandLine="* —s —i pwsh*" OR CommandLine="* —s ―i pwsh*" OR CommandLine="* ―s -i pwsh*" OR CommandLine="* ―s /i pwsh*" OR CommandLine="* ―s –i pwsh*" OR CommandLine="* ―s —i pwsh*" OR CommandLine="* ―s ―i pwsh*" OR CommandLine="* -i -s pwsh*" OR CommandLine="* -i /s pwsh*" OR CommandLine="* -i –s pwsh*" OR CommandLine="* -i —s pwsh*" OR CommandLine="* -i ―s pwsh*" OR CommandLine="* /i -s pwsh*" OR CommandLine="* /i /s pwsh*" OR CommandLine="* /i –s pwsh*" OR CommandLine="* /i —s pwsh*" OR CommandLine="* /i ―s pwsh*" OR CommandLine="* –i -s pwsh*" OR CommandLine="* –i /s pwsh*" OR CommandLine="* –i –s pwsh*" OR CommandLine="* –i —s pwsh*" OR CommandLine="* –i ―s pwsh*" OR CommandLine="* —i -s pwsh*" OR CommandLine="* —i /s pwsh*" OR CommandLine="* —i –s pwsh*" OR CommandLine="* —i —s pwsh*" OR CommandLine="* —i ―s pwsh*" OR CommandLine="* ―i -s pwsh*" OR CommandLine="* ―i /s pwsh*" OR CommandLine="* ―i –s pwsh*" OR CommandLine="* ―i —s pwsh*" OR 
CommandLine="* ―i ―s pwsh*" OR CommandLine="* -s powershell*" OR CommandLine="* /s powershell*" OR CommandLine="* –s powershell*" OR CommandLine="* —s powershell*" OR CommandLine="* ―s powershell*" OR CommandLine="* -s -i powershell*" OR CommandLine="* -s /i powershell*" OR CommandLine="* -s –i powershell*" OR CommandLine="* -s —i powershell*" OR CommandLine="* -s ―i powershell*" OR CommandLine="* /s -i powershell*" OR CommandLine="* /s /i powershell*" OR CommandLine="* /s –i powershell*" OR CommandLine="* /s —i powershell*" OR CommandLine="* /s ―i powershell*" OR CommandLine="* –s -i powershell*" OR CommandLine="* –s /i powershell*" OR CommandLine="* –s –i powershell*" OR CommandLine="* –s —i powershell*" OR CommandLine="* –s ―i powershell*" OR CommandLine="* —s -i powershell*" OR CommandLine="* —s /i powershell*" OR CommandLine="* —s –i powershell*" OR CommandLine="* —s —i powershell*" OR CommandLine="* —s ―i powershell*" OR CommandLine="* ―s -i powershell*" OR CommandLine="* ―s /i powershell*" OR CommandLine="* ―s –i powershell*" OR CommandLine="* ―s —i powershell*" OR CommandLine="* ―s ―i powershell*" OR CommandLine="* -i -s powershell*" OR CommandLine="* -i /s powershell*" OR CommandLine="* -i –s powershell*" OR CommandLine="* -i —s powershell*" OR CommandLine="* -i ―s powershell*" OR CommandLine="* /i -s powershell*" OR CommandLine="* /i /s powershell*" OR CommandLine="* /i –s powershell*" OR CommandLine="* /i —s powershell*" OR CommandLine="* /i ―s powershell*" OR CommandLine="* –i -s powershell*" OR CommandLine="* –i /s powershell*" OR CommandLine="* –i –s powershell*" OR CommandLine="* –i —s powershell*" OR CommandLine="* –i ―s powershell*" OR CommandLine="* —i -s powershell*" OR CommandLine="* —i /s powershell*" OR CommandLine="* —i –s powershell*" OR CommandLine="* —i —s powershell*" OR CommandLine="* —i ―s powershell*" OR CommandLine="* ―i -s powershell*" OR CommandLine="* ―i /s powershell*" OR CommandLine="* ―i –s powershell*" OR CommandLine="* ―i —s 
powershell*" OR CommandLine="* ―i ―s powershell*" CommandLine IN ("*psexec*", "*paexec*", "*accepteula*") | fields - _raw | collect index=notable_events source="PsExec/PAExec Escalation to LOCAL SYSTEM" marker="guid=8834e2f7-6b4b-4f09-8906-d2276470ee23,tags=attack.resource-development,tags=attack.t1587.001," +[Suspicious PowerShell IEX Execution Patterns] +description = Detects suspicious ways to run Invoke-Execution using IEX alias +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("* | iex;*", "* | iex *", "* | iex}*", "* | IEX ;*", "* | IEX -Error*", "* | IEX (new*", "*);IEX *") CommandLine IN ("*::FromBase64String*", "*.GetString([System.Convert]::*")) OR CommandLine IN ("*)|iex;$*", "*);iex($*", "*);iex $*", "* | IEX | *", "* | iex\\\"*") | fields - _raw | collect index=notable_events source="Suspicious PowerShell IEX Execution Patterns" marker="guid=09576804-7a05-458e-a817-eb718ca91f54,tags=attack.execution,tags=attack.t1059.001," +[Wusa.EXE Extracting Cab Files From Suspicious Paths] +description = Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument from suspicious paths +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wusa.exe" CommandLine="*/extract:*" CommandLine IN ("*:\\PerfLogs\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\Appdata\\Local\\Temp\\*") | fields - _raw | collect index=notable_events source="Wusa.EXE Extracting Cab Files From Suspicious Paths" marker="guid=c74c0390-3e20-41fd-a69a-128f0275a5ea,tags=attack.execution," +[Renamed AutoHotkey.EXE Execution] +description = Detects execution of a renamed autohotkey.exe binary based on PE metadata fields +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="*AutoHotkey*" OR 
Description="*AutoHotkey*" OR OriginalFileName IN ("AutoHotkey.exe", "AutoHotkey.rc") NOT (Image IN ("*\\AutoHotkey.exe", "*\\AutoHotkey32.exe", "*\\AutoHotkey32_UIA.exe", "*\\AutoHotkey64.exe", "*\\AutoHotkey64_UIA.exe", "*\\AutoHotkeyA32.exe", "*\\AutoHotkeyA32_UIA.exe", "*\\AutoHotkeyU32.exe", "*\\AutoHotkeyU32_UIA.exe", "*\\AutoHotkeyU64.exe", "*\\AutoHotkeyU64_UIA.exe") OR Image="*\\AutoHotkey*") | fields - _raw | collect index=notable_events source="Renamed AutoHotkey.EXE Execution" marker="guid=0f16d9cf-0616-45c8-8fad-becc11b5a41c,tags=attack.defense-evasion," +[Potentially Suspicious Rundll32.EXE Execution of UDL File] +description = Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\explorer.exe" Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*oledb32.dll*" CommandLine="*,OpenDSLFile *" CommandLine="*\\Users\\*\\Downloads\\*" CommandLine="*.udl" | fields - _raw | collect index=notable_events source="Potentially Suspicious Rundll32.EXE Execution of UDL File" marker="guid=0ea52357-cd59-4340-9981-c46c7e900428,tags=attack.execution,tags=attack.t1218.011,tags=attack.t1071," +[Esentutl Gather Credentials] +description = Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*esentutl*" CommandLine="* /p*" | table User,CommandLine,ParentCommandLine,CurrentDirectory | fields - _raw | collect index=notable_events source="Esentutl Gather Credentials" marker="guid=7df1713a-1a5b-4a4b-a071-dc83b144a101,tags=attack.credential-access,tags=attack.t1003,tags=attack.t1003.003," +[HackTool - Pypykatz Credentials Dumping Activity] +description = Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\pypykatz.exe", "*\\python.exe") CommandLine="*live*" CommandLine="*registry*" | fields - _raw | collect index=notable_events source="HackTool - Pypykatz Credentials Dumping Activity" marker="guid=a29808fd-ef50-49ff-9c7a-59a9b040b404,tags=attack.credential-access,tags=attack.t1003.002," +[CreateDump Process Dump] +description = Detects uses of the createdump.exe LOLOBIN utility to dump process memory +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\createdump.exe" OR OriginalFileName="FX_VER_INTERNALNAME_STR" CommandLine IN ("* -u *", "* --full *", "* -f *", "* --name *", "*.dmp *") | fields - _raw | collect index=notable_events source="CreateDump Process Dump" marker="guid=515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1003.001," +[Use NTFS Short Name in Image] +description = Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*~1.bat*", "*~1.dll*", "*~1.exe*", "*~1.hta*", "*~1.js*", "*~1.msi*", "*~1.ps1*", "*~1.tmp*", "*~1.vbe*", "*~1.vbs*", "*~2.bat*", "*~2.dll*", "*~2.exe*", "*~2.hta*", "*~2.js*", "*~2.msi*", "*~2.ps1*", "*~2.tmp*", "*~2.vbe*", "*~2.vbs*") NOT ParentImage="C:\\Windows\\explorer.exe" NOT (ParentImage="*\\WebEx\\WebexHost.exe" OR ParentImage="*\\thor\\thor64.exe" OR Image="C:\\PROGRA~1\\WinZip\\WZPREL~1.EXE" OR Image="*\\VCREDI~1.EXE") | fields - _raw | collect index=notable_events source="Use NTFS Short Name in Image" marker="guid=3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b,tags=attack.defense-evasion,tags=attack.t1564.004," +[Certificate Exported Via Certutil.EXE] +description = Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certutil.exe" OR OriginalFileName="CertUtil.exe" CommandLine="*-exportPFX *" OR CommandLine="*/exportPFX *" OR CommandLine="*–exportPFX *" OR CommandLine="*—exportPFX *" OR CommandLine="*―exportPFX *" | fields - _raw | collect index=notable_events source="Certificate Exported Via Certutil.EXE" marker="guid=3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5,tags=attack.defense-evasion,tags=attack.t1027," +[Enable LM Hash Storage - ProcCreation] +description = Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\System\\CurrentControlSet\\Control\\Lsa*" CommandLine="*NoLMHash*" CommandLine="* 0*" | fields - _raw | collect index=notable_events source="Enable LM Hash Storage - ProcCreation" marker="guid=98dedfdd-8333-49d4-9f23-d7018cccae53,tags=attack.defense-evasion,tags=attack.t1112," +[Remote Access Tool - AnyDesk Execution] +description = An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\AnyDesk.exe" OR Description="AnyDesk" OR Product="AnyDesk" OR Company="AnyDesk Software GmbH" | fields - _raw | collect index=notable_events source="Remote Access Tool - AnyDesk Execution" marker="guid=b52e84a3-029e-4529-b09b-71d19dd27e94,tags=attack.command-and-control,tags=attack.t1219," +[Schtasks Creation Or Modification With SYSTEM Privileges] +description = Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" CommandLine IN ("* /change *", "* /create *") CommandLine="*/ru *" CommandLine IN ("*NT AUT*", "* SYSTEM *") NOT ((Image="*\\schtasks.exe" CommandLine="*/TN TVInstallRestore*" CommandLine="*\\TeamViewer_.exe*") OR CommandLine IN ("*/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify 
/TR *", "*:\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira_speedup_setup.exe*", "*/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST*")) | fields - _raw | collect index=notable_events source="Schtasks Creation Or Modification With SYSTEM Privileges" marker="guid=89ca78fd-b37c-4310-b3d3-81a023f83936,tags=attack.execution,tags=attack.persistence,tags=attack.t1053.005," +[Start of NT Virtual DOS Machine] +description = Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\ntvdm.exe", "*\\csrstub.exe") | fields - _raw | collect index=notable_events source="Start of NT Virtual DOS Machine" marker="guid=16905e21-66ee-42fe-b256-1318ada2d770,tags=attack.defense-evasion," +[Invoke-Obfuscation Via Use Clip] +description = Detects Obfuscated Powershell via use Clip.exe in Scripts +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1\ +| regex CommandLine="(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)" | fields - _raw | collect index=notable_events source="Invoke-Obfuscation Via Use Clip" marker="guid=e1561947-b4e3-4a74-9bdd-83baed21bdb5,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Abused Debug Privilege by Arbitrary Parent Processes] +description = Detection of unusual child processes by different system processes +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\winlogon.exe", "*\\services.exe", "*\\lsass.exe", "*\\csrss.exe", "*\\smss.exe", "*\\wininit.exe", "*\\spoolsv.exe", "*\\searchindexer.exe") User IN ("*AUTHORI*", "*AUTORI*") Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\cmd.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll", "Cmd.Exe") NOT 
(CommandLine="* route *" CommandLine="* ADD *") | table ParentImage,Image,User,CommandLine | fields - _raw | collect index=notable_events source="Abused Debug Privilege by Arbitrary Parent Processes" marker="guid=d522eca2-2973-4391-a3e0-ef0374321dae,tags=attack.privilege-escalation,tags=attack.t1548," +[Suspicious MSDT Parent Process] +description = Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\schtasks.exe", "*\\wmic.exe", "*\\wscript.exe", "*\\wsl.exe") Image="*\\msdt.exe" OR OriginalFileName="msdt.exe" | fields - _raw | collect index=notable_events source="Suspicious MSDT Parent Process" marker="guid=7a74da6b-ea76-47db-92cc-874ad90df734,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1218," +[Scheduled Task Creation Via Schtasks.EXE] +description = Detects the creation of scheduled tasks by user accounts via the "schtasks" utility. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" CommandLine="* /create *" NOT (User IN ("*AUTHORI*", "*AUTORI*")) | fields - _raw | collect index=notable_events source="Scheduled Task Creation Via Schtasks.EXE" marker="guid=92626ddd-662c-49e3-ac59-f6535f12d189,tags=attack.execution,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1053.005,tags=attack.s0111,tags=car.2013-08-001,tags=stp.1u," +[Potential Arbitrary Command Execution Using Msdt.EXE] +description = Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msdt.exe" OR OriginalFileName="msdt.exe" CommandLine="*IT_BrowseForFile=*" OR (CommandLine="* PCWDiagnostic*" CommandLine="* -af *" OR CommandLine="* /af *" OR CommandLine="* –af *" OR CommandLine="* —af *" OR CommandLine="* ―af *") | fields - _raw | collect index=notable_events source="Potential Arbitrary Command Execution Using Msdt.EXE" marker="guid=258fc8ce-8352-443a-9120-8a11e4857fa5,tags=attack.defense-evasion,tags=attack.t1202," +[Loaded Module Enumeration Via Tasklist.EXE] +description = Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\tasklist.exe" OR OriginalFileName="tasklist.exe" CommandLine="*-m*" OR CommandLine="*/m*" OR CommandLine="*–m*" OR CommandLine="*—m*" OR CommandLine="*―m*" CommandLine="*rdpcorets.dll*" | fields - _raw | collect index=notable_events source="Loaded Module Enumeration Via Tasklist.EXE" marker="guid=34275eb8-fa19-436b-b959-3d9ecd53fa1f,tags=attack.t1003," +[Wscript Shell Run In CommandLine] +description = Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*Wscript.*" CommandLine="*.Shell*" CommandLine="*.Run*" | fields - _raw | collect index=notable_events source="Wscript Shell Run In CommandLine" marker="guid=2c28c248-7f50-417a-9186-a85b223010ee,tags=attack.execution,tags=attack.t1059," +[Tamper Windows Defender Remove-MpPreference] +description = Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*Remove-MpPreference*" CommandLine IN ("*-ControlledFolderAccessProtectedFolders *", "*-AttackSurfaceReductionRules_Ids *", "*-AttackSurfaceReductionRules_Actions *", "*-CheckForSignaturesBeforeRunningScan *") | fields - _raw | collect index=notable_events source="Tamper Windows Defender Remove-MpPreference" marker="guid=07e3cb2c-0608-410d-be4b-1511cb1a0448,tags=attack.defense-evasion,tags=attack.t1562.001," +[RDP Port Forwarding Rule Added Via Netsh.EXE] +description = Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" CommandLine="* i*" 
CommandLine="* p*" CommandLine="*=3389*" CommandLine="* c*" | fields - _raw | collect index=notable_events source="RDP Port Forwarding Rule Added Via Netsh.EXE" marker="guid=782d6f3e-4c5d-4b8c-92a3-1d05fed72e63,tags=attack.lateral-movement,tags=attack.defense-evasion,tags=attack.command-and-control,tags=attack.t1090," +[Use Of The SFTP.EXE Binary As A LOLBIN] +description = Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sftp.exe" CommandLine IN ("* -D ..*", "* -D C:\\*") | fields - _raw | collect index=notable_events source="Use Of The SFTP.EXE Binary As A LOLBIN" marker="guid=a85ffc3a-e8fd-4040-93bf-78aff284d801,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218," +[Scripting/CommandLine Process Spawned Regsvr32] +description = Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell_ise.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe") Image="*\\regsvr32.exe" NOT (ParentImage="C:\\Windows\\System32\\cmd.exe" CommandLine="* /s C:\\Windows\\System32\\RpcProxy\\RpcProxy.dll") | fields - _raw | collect index=notable_events source="Scripting/CommandLine Process Spawned Regsvr32" marker="guid=ab37a6ec-6068-432b-a64e-2c7bf95b1d22,tags=attack.defense-evasion,tags=attack.t1218.010," +[XBAP Execution From Uncommon Locations Via PresentationHost.EXE] +description = Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. 
These files can be abused to run malicious ".xbap" files any bypass AWL +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\presentationhost.exe" OR OriginalFileName="PresentationHost.exe" CommandLine="*.xbap*" NOT (CommandLine IN ("* C:\\Windows\\*", "* C:\\Program Files*")) | fields - _raw | collect index=notable_events source="XBAP Execution From Uncommon Locations Via PresentationHost.EXE" marker="guid=d22e2925-cfd8-463f-96f6-89cec9d9bc5f,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218," +[Ping Hex IP] +description = Detects a ping command that uses a hex encoded IP address +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ping.exe" CommandLine="*0x*" | table ParentCommandLine | fields - _raw | collect index=notable_events source="Ping Hex IP" marker="guid=1a0d4aba-7668-4365-9ce4-6d79ab088dfd,tags=attack.defense-evasion,tags=attack.t1140,tags=attack.t1027," +[Potential ReflectDebugger Content Execution Via WerFault.EXE] +description = Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\WerFault.exe" OR OriginalFileName="WerFault.exe" CommandLine="* -pr *" | fields - _raw | collect index=notable_events source="Potential ReflectDebugger Content Execution Via WerFault.EXE" marker="guid=fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1036," +[Potential Provisioning Registry Key Abuse For Binary Proxy Execution] +description = Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*SOFTWARE\\Microsoft\\Provisioning\\Commands\\*" | fields - _raw | collect index=notable_events source="Potential Provisioning Registry Key Abuse For Binary Proxy Execution" marker="guid=2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25,tags=attack.defense-evasion,tags=attack.t1218," +[Add Windows Capability Via PowerShell Cmdlet] +description = Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine="*Add-WindowsCapability*" CommandLine="*OpenSSH.*" | fields - _raw | collect index=notable_events source="Add Windows Capability Via PowerShell Cmdlet" marker="guid=b36d01a3-ddaf-4804-be18-18a6247adfcd,tags=attack.execution," +[Microsoft IIS Service Account Password Dumped] +description = Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\appcmd.exe" OR OriginalFileName="appcmd.exe" CommandLine="*list *" CommandLine IN ("* /config*", "* /xml*", "* -config*", "* -xml*") OR (CommandLine IN ("* /@t*", "* /text*", "* /show*", "* -@t*", "* -text*", "* -show*") CommandLine IN ("*:\**", "*password*")) | fields - _raw | collect index=notable_events source="Microsoft IIS Service Account Password Dumped" marker="guid=2d3cdeec-c0db-45b4-aa86-082f7eb75701,tags=attack.credential-access,tags=attack.t1003," +[HackTool - Mimikatz Execution] +description = Detection well-known mimikatz command line arguments +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*DumpCreds*", 
"*mimikatz*") OR CommandLine IN ("*::aadcookie*", "*::detours*", "*::memssp*", "*::mflt*", "*::ncroutemon*", "*::ngcsign*", "*::printnightmare*", "*::skeleton*", "*::preshutdown*", "*::mstsc*", "*::multirdp*") OR CommandLine IN ("*rpc::*", "*token::*", "*crypto::*", "*dpapi::*", "*sekurlsa::*", "*kerberos::*", "*lsadump::*", "*privilege::*", "*process::*", "*vault::*") | fields - _raw | collect index=notable_events source="HackTool - Mimikatz Execution" marker="guid=a642964e-bead-4bed-8910-1bb4d63e3b4d,tags=attack.credential-access,tags=attack.t1003.001,tags=attack.t1003.002,tags=attack.t1003.004,tags=attack.t1003.005,tags=attack.t1003.006," +[Renamed BOINC Client Execution] +description = Detects the execution of a renamed BOINC binary. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="BOINC.exe" NOT Image="*\\BOINC.exe" | fields - _raw | collect index=notable_events source="Renamed BOINC Client Execution" marker="guid=30d07da2-83ab-45d8-ae75-ec7c0edcaffc,tags=attack.defense-evasion,tags=attack.t1553," +[Potential Register_App.Vbs LOLScript Abuse] +description = Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\cscript.exe", "*\\wscript.exe") OR OriginalFileName IN ("cscript.exe", "wscript.exe") CommandLine="*.vbs -register *" | fields - _raw | collect index=notable_events source="Potential Register_App.Vbs LOLScript Abuse" marker="guid=28c8f68b-098d-45af-8d43-8089f3e35403,tags=attack.defense-evasion,tags=attack.t1218," +[Browser Execution In Headless Mode] +description = Detects execution of Chromium based browser in headless mode +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\brave.exe", "*\\chrome.exe", "*\\msedge.exe", "*\\opera.exe", "*\\vivaldi.exe") CommandLine="*--headless*" | fields - _raw | collect index=notable_events source="Browser Execution In Headless Mode" marker="guid=ef9dcfed-690c-4c5d-a9d1-482cd422225c,tags=attack.command-and-control,tags=attack.t1105," +[Non-privileged Usage of Reg or Powershell] +description = Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*reg *" CommandLine="*add*") OR CommandLine IN ("*powershell*", "*set-itemproperty*", "* sp *", "*new-itemproperty*") IntegrityLevel="Medium" CommandLine="*ControlSet*" CommandLine="*Services*" CommandLine IN ("*ImagePath*", "*FailureCommand*", "*ServiceDLL*") | table EventID,IntegrityLevel,CommandLine | fields - _raw | collect index=notable_events source="Non-privileged Usage of Reg or Powershell" marker="guid=8f02c935-effe-45b3-8fc9-ef8696a9e41d,tags=attack.defense-evasion,tags=attack.t1112," +[Potential Privilege Escalation via Service Permissions Weakness] +description = Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level +search = index=evtx 
_index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 IntegrityLevel="Medium" CommandLine="*ControlSet*" CommandLine="*services*" CommandLine IN ("*\\ImagePath*", "*\\FailureCommand*", "*\\ServiceDll*") | fields - _raw | collect index=notable_events source="Potential Privilege Escalation via Service Permissions Weakness" marker="guid=0f9c21f1-6a73-4b0e-9809-cb562cb8d981,tags=attack.privilege-escalation,tags=attack.t1574.011," +[Suspicious Child Process Of Veeam Dabatase] +description = Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\sqlservr.exe" ParentCommandLine="*VEEAMSQL*" (Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wsl.exe", "*\\wt.exe") CommandLine IN ("*-ex *", "*bypass*", "*cscript*", "*DownloadString*", "*http://*", "*https://*", "*mshta*", "*regsvr32*", "*rundll32*", "*wscript*", "*copy *")) OR Image IN ("*\\net.exe", "*\\net1.exe", "*\\netstat.exe", "*\\nltest.exe", "*\\ping.exe", "*\\tasklist.exe", "*\\whoami.exe") | fields - _raw | collect index=notable_events source="Suspicious Child Process Of Veeam Dabatase" marker="guid=d55b793d-f847-4eea-b59a-5ab09908ac90,tags=attack.initial-access,tags=attack.persistence,tags=attack.privilege-escalation," +[Potential Shim Database Persistence via Sdbinst.EXE] +description = Detects installation of a new shim using sdbinst.exe. 
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sdbinst.exe" OR OriginalFileName="sdbinst.exe" CommandLine="*.sdb*" NOT (ParentImage="*\\msiexec.exe" CommandLine IN ("*:\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb*", "*:\\Program Files\\IIS Express\\iisexpressshim.sdb*")) | fields - _raw | collect index=notable_events source="Potential Shim Database Persistence via Sdbinst.EXE" marker="guid=517490a7-115a-48c6-8862-1a481504d5a8,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1546.011," +[HackTool - DInjector PowerShell Cradle Execution] +description = Detects the use of the Dinject PowerShell cradle based on the specific flags +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* /am51*" CommandLine="* /password*" | fields - _raw | collect index=notable_events source="HackTool - DInjector PowerShell Cradle Execution" marker="guid=d78b5d61-187d-44b6-bf02-93486a80de5a,tags=attack.defense-evasion,tags=attack.t1055," +[Potential ShellDispatch.DLL Functionality Abuse] +description = Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*RunDll_ShellExecuteW*" | fields - _raw | collect index=notable_events source="Potential ShellDispatch.DLL Functionality Abuse" marker="guid=82343930-652f-43f5-ab70-2ee9fdd6d5e9,tags=attack.execution,tags=attack.defense-evasion," +[Potential Windows Defender Tampering Via Wmic.EXE] +description = Detects potential tampering with Windows Defender settings such as adding exclusion using wmic +search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="wmic.exe" OR Image="*\\WMIC.exe" CommandLine="*/Namespace:\\\\root\\Microsoft\\Windows\\Defender*" | fields - _raw | collect index=notable_events source="Potential Windows Defender Tampering Via Wmic.EXE" marker="guid=51cbac1e-eee3-4a90-b1b7-358efb81fa0a,tags=attack.credential-access,tags=attack.t1546.008," +[PowerShell Base64 Encoded Invoke Keyword] +description = Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine="* -e*" CommandLine IN ("*SQBuAHYAbwBrAGUALQ*", "*kAbgB2AG8AawBlAC0A*", "*JAG4AdgBvAGsAZQAtA*", "*SW52b2tlL*", "*ludm9rZS*", "*JbnZva2Ut*") | fields - _raw | collect index=notable_events source="PowerShell Base64 Encoded Invoke Keyword" marker="guid=6385697e-9f1b-40bd-8817-f4a91f40508e,tags=attack.execution,tags=attack.t1059.001,tags=attack.defense-evasion,tags=attack.t1027," +[Renamed Office Binary Execution] +description = Detects the execution of a renamed office binary +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe") OR Description IN ("Microsoft Access", "Microsoft Excel", "Microsoft OneNote", "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher", "Microsoft Word", "Sent to OneNote Tool") NOT (Image IN ("*\\EXCEL.exe", "*\\excelcnv.exe", "*\\MSACCESS.exe", "*\\MSPUB.EXE", "*\\ONENOTE.EXE", "*\\ONENOTEM.EXE", "*\\OUTLOOK.EXE", "*\\POWERPNT.EXE", "*\\WINWORD.exe")) | fields - _raw | collect index=notable_events source="Renamed Office Binary Execution" marker="guid=0b0cd537-fc77-4e6e-a973-e53495c1083d,tags=attack.defense-evasion," +[Suspicious Redirection 
to Local Admin Share] +description = Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*>*" CommandLine IN ("*\\\\127.0.0.1\\admin$\\*", "*\\\\localhost\\admin$\\*") | fields - _raw | collect index=notable_events source="Suspicious Redirection to Local Admin Share" marker="guid=ab9e3b40-0c85-4ba1-aede-455d226fd124,tags=attack.exfiltration,tags=attack.t1048," +[Uninstall Crowdstrike Falcon Sensor] +description = Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\WindowsSensor.exe*" CommandLine="* /uninstall*" CommandLine="* /quiet*" | fields - _raw | collect index=notable_events source="Uninstall Crowdstrike Falcon Sensor" marker="guid=f0f7be61-9cf5-43be-9836-99d6ef448a18,tags=attack.defense-evasion,tags=attack.t1562.001," +[Rundll32 Execution Without Parameters] +description = Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("rundll32.exe", "rundll32") | table ComputerName,SubjectUserName,CommandLine,Image,ParentImage | fields - _raw | collect index=notable_events source="Rundll32 Execution Without Parameters" marker="guid=5bb68627-3198-40ca-b458-49f973db8752,tags=attack.lateral-movement,tags=attack.t1021.002,tags=attack.t1570,tags=attack.execution,tags=attack.t1569.002," +[Cloudflared Portable Execution] +description = Detects the execution of the "cloudflared" binary from a non standard location. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cloudflared.exe" NOT (Image IN ("*:\\Program Files (x86)\\cloudflared\\*", "*:\\Program Files\\cloudflared\\*")) | fields - _raw | collect index=notable_events source="Cloudflared Portable Execution" marker="guid=fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd,tags=attack.command-and-control,tags=attack.t1090.001," +[Binary Proxy Execution Via Dotnet-Trace.EXE] +description = Detects commandline arguments for executing a child process via dotnet-trace.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dotnet-trace.exe" OR OriginalFileName="dotnet-trace.dll" CommandLine="*-- *" CommandLine="*collect*" | fields - _raw | collect index=notable_events source="Binary Proxy Execution Via Dotnet-Trace.EXE" marker="guid=9257c05b-4a4a-48e5-a670-b7b073cf401b,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218," +[SQL Client Tools PowerShell Session Detection] +description = This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sqltoolsps.exe" OR ParentImage="*\\sqltoolsps.exe" OR OriginalFileName="\\sqltoolsps.exe" NOT ParentImage="*\\smss.exe" | fields - _raw | collect index=notable_events source="SQL Client Tools PowerShell Session Detection" marker="guid=a746c9b8-a2fb-4ee5-a428-92bee9e99060,tags=attack.execution,tags=attack.t1059.001,tags=attack.defense-evasion,tags=attack.t1127," +[UAC Bypass Using MSConfig Token Modification - Process] +description = Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 IntegrityLevel IN ("High", "System") ParentImage="*\\AppData\\Local\\Temp\\pkgmgr.exe" CommandLine="\"C:\\Windows\\system32\\msconfig.exe\" -5" | fields - _raw | collect index=notable_events source="UAC Bypass Using MSConfig Token Modification - Process" marker="guid=ad92e3f9-7eb6-460e-96b1-582b0ccbb980,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[Set Suspicious Files as System Files Using Attrib.EXE] +description = Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. 
The rule limits the search to specific extensions and directories to avoid FPs +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\attrib.exe" OR OriginalFileName="ATTRIB.EXE" CommandLine="* +s*" CommandLine IN ("* %*", "*\\Users\\Public\\*", "*\\AppData\\Local\\*", "*\\ProgramData\\*", "*\\Downloads\\*", "*\\Windows\\Temp\\*") CommandLine IN ("*.bat*", "*.dll*", "*.exe*", "*.hta*", "*.ps1*", "*.vbe*", "*.vbs*") NOT (CommandLine="*\\Windows\\TEMP\\*" CommandLine="*.exe*") | fields - _raw | collect index=notable_events source="Set Suspicious Files as System Files Using Attrib.EXE" marker="guid=efec536f-72e8-4656-8960-5e85d091345b,tags=attack.defense-evasion,tags=attack.t1564.001," +[Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script] +description = Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\VMwareToolBoxCmd.exe" OR OriginalFileName="toolbox-cmd.exe" CommandLine="* script *" CommandLine="* set *" | fields - _raw | collect index=notable_events source="Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" marker="guid=7aa4e81a-a65c-4e10-9f81-b200eb229d7d,tags=attack.execution,tags=attack.persistence,tags=attack.t1059," +[Data Copied To Clipboard Via Clip.EXE] +description = Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\clip.exe" OR OriginalFileName="clip.exe" | fields - _raw | collect index=notable_events source="Data Copied To Clipboard Via Clip.EXE" marker="guid=ddeff553-5233-4ae9-bbab-d64d2bd634be,tags=attack.collection,tags=attack.t1115," +[Suspicious High IntegrityLevel Conhost Legacy Option] +description = ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 IntegrityLevel="High" CommandLine="*conhost.exe*" CommandLine="*0xffffffff*" CommandLine="*-ForceV1*" | fields - _raw | collect index=notable_events source="Suspicious High IntegrityLevel Conhost Legacy Option" marker="guid=3037d961-21e9-4732-b27a-637bcc7bf539,tags=attack.defense-evasion,tags=attack.t1202," +[Email Exifiltration Via Powershell] +description = Detects email exfiltration via powershell cmdlets +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine="*Add-PSSnapin*" CommandLine="*Get-Recipient*" CommandLine="*-ExpandProperty*" CommandLine="*EmailAddresses*" CommandLine="*SmtpAddress*" CommandLine="*-hidetableheaders*" | fields - _raw | collect index=notable_events source="Email Exifiltration Via Powershell" marker="guid=312d0384-401c-4b8b-abdf-685ffba9a332,tags=attack.exfiltration," +[XSL Script Execution Via WMIC.EXE] +description = Detects the execution of WMIC with the "format" flag to potentially load XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. 
Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wmic.exe" CommandLine="*-format*" OR CommandLine="*/format*" OR CommandLine="*–format*" OR CommandLine="*—format*" OR CommandLine="*―format*" NOT (CommandLine IN ("*Format:List*", "*Format:htable*", "*Format:hform*", "*Format:table*", "*Format:mof*", "*Format:value*", "*Format:rawxml*", "*Format:xml*", "*Format:csv*")) | fields - _raw | collect index=notable_events source="XSL Script Execution Via WMIC.EXE" marker="guid=05c36dd6-79d6-4a9a-97da-3db20298ab2d,tags=attack.defense-evasion,tags=attack.t1220," +[New DLL Registered Via Odbcconf.EXE] +description = Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\odbcconf.exe" OR OriginalFileName="odbcconf.exe" CommandLine="*REGSVR *" CommandLine="*.dll*" | fields - _raw | collect index=notable_events source="New DLL Registered Via Odbcconf.EXE" marker="guid=9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70,tags=attack.defense-evasion,tags=attack.t1218.008," +[Msiexec Quiet Installation] +description = Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. 
Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msiexec.exe" OR OriginalFileName="msiexec.exe" CommandLine="*-i*" OR CommandLine="*/i*" OR CommandLine="*–i*" OR CommandLine="*—i*" OR CommandLine="*―i*" OR CommandLine="*-package*" OR CommandLine="*/package*" OR CommandLine="*–package*" OR CommandLine="*—package*" OR CommandLine="*―package*" OR CommandLine="*-a*" OR CommandLine="*/a*" OR CommandLine="*–a*" OR CommandLine="*—a*" OR CommandLine="*―a*" OR CommandLine="*-j*" OR CommandLine="*/j*" OR CommandLine="*–j*" OR CommandLine="*—j*" OR CommandLine="*―j*" CommandLine="*-q*" OR CommandLine="*/q*" OR CommandLine="*–q*" OR CommandLine="*—q*" OR CommandLine="*―q*" NOT ((ParentImage="C:\\Users\\*" ParentImage="*\\AppData\\Local\\Temp\\*") OR ParentImage="C:\\Windows\\Temp\\*" OR (ParentImage="C:\\Windows\\CCM\\Ccm32BitLauncher.exe" IntegrityLevel="System")) | fields - _raw | collect index=notable_events source="Msiexec Quiet Installation" marker="guid=79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5,tags=attack.defense-evasion,tags=attack.t1218.007," +[Taskmgr as LOCAL_SYSTEM] +description = Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 User IN ("*AUTHORI*", "*AUTORI*") Image="*\\taskmgr.exe" | fields - _raw | collect index=notable_events source="Taskmgr as LOCAL_SYSTEM" marker="guid=9fff585c-c33e-4a86-b3cd-39312079a65f,tags=attack.defense-evasion,tags=attack.t1036," +[Suspicious Extrac32 Alternate Data Stream Execution] +description = Extract data from cab file and hide it in an alternate data stream +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*extrac32.exe*" CommandLine="*.cab*"\ +| regex 
CommandLine=":[^\\\\]" | fields - _raw | collect index=notable_events source="Suspicious Extrac32 Alternate Data Stream Execution" marker="guid=4b13db67-0c45-40f1-aba8-66a1a7198a1e,tags=attack.defense-evasion,tags=attack.t1564.004," +[Use of Remote.exe] +description = Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\remote.exe" OR OriginalFileName="remote.exe" | fields - _raw | collect index=notable_events source="Use of Remote.exe" marker="guid=4eddc365-79b4-43ff-a9d7-99422dc34b93,tags=attack.defense-evasion,tags=attack.t1127," +[PUA - RunXCmd Execution] +description = Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("* /account=system *", "* /account=ti *") CommandLine="*/exec=*" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="PUA - RunXCmd Execution" marker="guid=93199800-b52a-4dec-b762-75212c196542,tags=attack.execution,tags=attack.t1569.002,tags=attack.s0029," +[Permission Check Via Accesschk.EXE] +description = Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="*AccessChk" OR Description="*Reports effective permissions*" OR Image IN ("*\\accesschk.exe", "*\\accesschk64.exe") OR OriginalFileName="accesschk.exe" CommandLine IN ("*uwcqv *", "*kwsu *", "*qwsu *", "*uwdqs *") | table IntegrityLevel,Product,Description,CommandLine | fields - _raw | collect index=notable_events source="Permission Check Via Accesschk.EXE" 
marker="guid=c625d754-6a3d-4f65-9c9a-536aea960d37,tags=attack.discovery,tags=attack.t1069.001," +[Uncommon System Information Discovery Via Wmic.EXE] +description = Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="WMI Commandline Utility" OR OriginalFileName="wmic.exe" OR Image="*\\WMIC.exe" CommandLine IN ("*LOGICALDISK get Name,Size,FreeSpace*", "*os get Caption,OSArchitecture,Version*") | fields - _raw | collect index=notable_events source="Uncommon System Information Discovery Via Wmic.EXE" marker="guid=9d5a1274-922a-49d0-87f3-8c653483b909,tags=attack.discovery,tags=attack.t1082," +[Potential RDP Tunneling Via SSH] +description = Execution of ssh.exe to perform data exfiltration and tunneling through RDP +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ssh.exe" CommandLine="*:3389*" | fields - _raw | collect index=notable_events source="Potential RDP Tunneling Via SSH" marker="guid=f7d7ebd5-a016-46e2-9c54-f9932f2d386d,tags=attack.command-and-control,tags=attack.t1572," +[New Process Created Via Wmic.EXE] +description = Detects new process creation using WMIC via the "process call create" flag +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wmic.exe" OR OriginalFileName="wmic.exe" CommandLine="*process*" CommandLine="*call*" CommandLine="*create*" | fields - _raw | collect index=notable_events source="New Process Created Via Wmic.EXE" marker="guid=526be59f-a573-4eea-b5f7-f0973207634d,tags=attack.execution,tags=attack.t1047,tags=car.2016-03-002," +[Use of 
VisualUiaVerifyNative.exe] +description = VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\VisualUiaVerifyNative.exe" OR OriginalFileName="VisualUiaVerifyNative.exe" | fields - _raw | collect index=notable_events source="Use of VisualUiaVerifyNative.exe" marker="guid=b30a8bc5-e21b-4ca2-9420-0a94019ac56a,tags=attack.defense-evasion,tags=attack.t1218," +[Gpscript Execution] +description = Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\gpscript.exe" OR OriginalFileName="GPSCRIPT.EXE" CommandLine IN ("* /logon*", "* /startup*") NOT ParentCommandLine="C:\\windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc" | fields - _raw | collect index=notable_events source="Gpscript Execution" marker="guid=1e59c230-6670-45bf-83b0-98903780607e,tags=attack.defense-evasion,tags=attack.t1218," +[Potential LethalHTA Technique Execution] +description = Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\svchost.exe" Image="*\\mshta.exe" | fields - _raw | collect index=notable_events source="Potential LethalHTA Technique Execution" marker="guid=ed5d72a6-f8f4-479d-ba79-02f6a80d7471,tags=attack.defense-evasion,tags=attack.t1218.005," +[Potential Suspicious Registry File Imported Via Reg.EXE] +description = Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine="* import *" 
CommandLine IN ("*C:\\Users\\*", "*%temp%*", "*%tmp%*", "*%appdata%*", "*\\AppData\\Local\\Temp\\*", "*C:\\Windows\\Temp\\*", "*C:\\ProgramData\\*") | fields - _raw | collect index=notable_events source="Potential Suspicious Registry File Imported Via Reg.EXE" marker="guid=62e0298b-e994-4189-bc87-bc699aa62d97,tags=attack.t1112,tags=attack.defense-evasion," +[Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution] +description = Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\OfflineScannerShell.exe" OR OriginalFileName="OfflineScannerShell.exe" NOT (CurrentDirectory="C:\\Program Files\\Windows Defender\\Offline\\" OR CurrentDirectory="" OR CurrentDirectory!=*) | fields - _raw | collect index=notable_events source="Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution" marker="guid=02b18447-ea83-4b1b-8805-714a8a34546a,tags=attack.defense-evasion,tags=attack.t1218," +[Hardware Model Reconnaissance Via Wmic.EXE] +description = Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wmic.exe" OR OriginalFileName="wmic.exe" CommandLine="*csproduct*" | fields - _raw | collect index=notable_events source="Hardware Model Reconnaissance Via Wmic.EXE" marker="guid=3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d,tags=attack.execution,tags=attack.t1047,tags=car.2016-03-002," +[Read Contents From Stdin Via Cmd.EXE] +description = Detect the use of "<" to read and potentially execute a file via cmd.exe +search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="Cmd.Exe" OR Image="*\\cmd.exe" CommandLine="*<*" | fields - _raw | collect index=notable_events source="Read Contents From Stdin Via Cmd.EXE" marker="guid=241e802a-b65e-484f-88cd-c2dc10f9206d,tags=attack.execution,tags=attack.t1059.003," +[Registry Modification Via Regini.EXE] +description = Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regini.exe" OR OriginalFileName="REGINI.EXE"\ +| regex CommandLine!=":[^ \\\\]" | table ParentImage,CommandLine | fields - _raw | collect index=notable_events source="Registry Modification Via Regini.EXE" marker="guid=5f60740a-f57b-4e76-82a1-15b6ff2cb134,tags=attack.t1112,tags=attack.defense-evasion," +[RunDLL32 Spawning Explorer] +description = Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\rundll32.exe" Image="*\\explorer.exe" NOT ParentCommandLine="*\\shell32.dll,Control_RunDLL*" | fields - _raw | collect index=notable_events source="RunDLL32 Spawning Explorer" marker="guid=caa06de8-fdef-4c91-826a-7f9e163eef4b,tags=attack.defense-evasion,tags=attack.t1218.011," +[Shell Process Spawned by Java.EXE] +description = Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\java.exe" Image IN ("*\\bash.exe", "*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe") NOT (ParentImage="*build*" CommandLine="*build*") | fields - _raw | collect index=notable_events source="Shell Process Spawned by Java.EXE" marker="guid=dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0,tags=attack.initial-access,tags=attack.persistence,tags=attack.privilege-escalation," +[Uncommon Extension Shim Database Installation Via Sdbinst.EXE] +description = Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sdbinst.exe" OR OriginalFileName="sdbinst.exe" NOT (CommandLine="*.sdb*" OR CommandLine IN ("* -c", "* -f", "* -mm", "* -t") OR CommandLine="* -m -bg*" OR CommandLine!=* OR CommandLine="") | fields - _raw | collect index=notable_events source="Uncommon Extension Shim Database Installation Via Sdbinst.EXE" marker="guid=18ee686c-38a3-4f65-9f44-48a077141f42,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1546.011," +[Suspicious WindowsTerminal Child Processes] +description = Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\WindowsTerminal.exe", "*\\wt.exe") Image IN ("*\\rundll32.exe", "*\\regsvr32.exe", "*\\certutil.exe", "*\\cscript.exe", "*\\wscript.exe", "*\\csc.exe") OR Image IN ("*C:\\Users\\Public\\*", "*\\Downloads\\*", "*\\Desktop\\*", "*\\AppData\\Local\\Temp\\*", "*\\Windows\\TEMP\\*") OR CommandLine IN ("* iex *", 
"* icm*", "*Invoke-*", "*Import-Module *", "*ipmo *", "*DownloadString(*", "* /c *", "* /k *", "* /r *") NOT ((CommandLine="*Import-Module*" CommandLine="*Microsoft.VisualStudio.DevShell.dll*" CommandLine="*Enter-VsDevShell*") OR (CommandLine="*\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_*" CommandLine="*\\LocalState\\settings.json*") OR (CommandLine="*C:\\Program Files\\Microsoft Visual Studio\\*" CommandLine="*\\Common7\\Tools\\VsDevCmd.bat*")) | fields - _raw | collect index=notable_events source="Suspicious WindowsTerminal Child Processes" marker="guid=8de89e52-f6e1-4b5b-afd1-41ecfa300d48,tags=attack.execution,tags=attack.persistence," +[Sensitive File Access Via Volume Shadow Copy Backup] +description = Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*" CommandLine IN ("*\\NTDS.dit*", "*\\SYSTEM*", "*\\SECURITY*") | fields - _raw | collect index=notable_events source="Sensitive File Access Via Volume Shadow Copy Backup" marker="guid=f57f8d16-1f39-4dcb-a604-6c73d9b54b3d,tags=attack.impact,tags=attack.t1490," +[Renamed Gpg.EXE Execution] +description = Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="gpg.exe" NOT (Image IN ("*\\gpg.exe", "*\\gpg2.exe")) | fields - _raw | collect index=notable_events source="Renamed Gpg.EXE Execution" marker="guid=ec0722a3-eb5c-4a56-8ab2-bf6f20708592,tags=attack.impact,tags=attack.t1486," +[Active Directory Database Snapshot Via ADExplorer] +description = Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ADExplorer.exe" OR OriginalFileName="AdExp" CommandLine="*snapshot*" | fields - _raw | collect index=notable_events source="Active Directory Database Snapshot Via ADExplorer" marker="guid=9212f354-7775-4e28-9c9f-8f0a4544e664,tags=attack.credential-access,tags=attack.t1552.001,tags=attack.t1003.003," +[Schtasks From Suspicious Folders] +description = Detects scheduled task creations that have suspicious action command and folder combinations +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" OR OriginalFileName="schtasks.exe" CommandLine="* /create *" CommandLine IN ("*powershell*", "*pwsh*", "*cmd /c *", "*cmd /k *", "*cmd /r *", "*cmd.exe /c *", "*cmd.exe /k *", "*cmd.exe /r *") CommandLine IN ("*C:\\ProgramData\\*", "*%ProgramData%*") | fields - _raw | collect index=notable_events source="Schtasks From Suspicious Folders" marker="guid=8a8379b8-780b-4dbf-b1e9-31c8d112fefb,tags=attack.execution,tags=attack.t1053.005," +[Unsigned AppX Installation Attempt Using Add-AppxPackage] +description = Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR 
OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*Add-AppPackage *", "*Add-AppxPackage *") CommandLine="* -AllowUnsigned*" | fields - _raw | collect index=notable_events source="Unsigned AppX Installation Attempt Using Add-AppxPackage" marker="guid=37651c2a-42cd-4a69-ae0d-22a4349aa04a,tags=attack.persistence,tags=attack.defense-evasion," +[Sysinternals PsSuspend Suspicious Execution] +description = Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="pssuspend.exe" OR Image IN ("*\\pssuspend.exe", "*\\pssuspend64.exe") CommandLine="*msmpeng.exe*" | fields - _raw | collect index=notable_events source="Sysinternals PsSuspend Suspicious Execution" marker="guid=4beb6ae0-f85b-41e2-8f18-8668abc8af78,tags=attack.defense-evasion,tags=attack.t1562.001," +[HackTool - CreateMiniDump Execution] +description = Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\CreateMiniDump.exe" OR Imphash="4a07f944a83e8a7c2525efa35dd30e2f" OR Hashes="*IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f*" | fields - _raw | collect index=notable_events source="HackTool - CreateMiniDump Execution" marker="guid=36d88494-1d43-4dc0-b3fa-35c8fea0ca9d,tags=attack.credential-access,tags=attack.t1003.001," +[PsExec Service Child Process Execution as LOCAL SYSTEM] +description = Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. 
the administrator account) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="C:\\Windows\\PSEXESVC.exe" User IN ("*AUTHORI*", "*AUTORI*") | fields - _raw | collect index=notable_events source="PsExec Service Child Process Execution as LOCAL SYSTEM" marker="guid=7c0dcd3d-acf8-4f71-9570-f448b0034f94,tags=attack.execution," +[UAC Bypass Using Disk Cleanup] +description = Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\"\\system32\\cleanmgr.exe /autoclean /d C:" ParentCommandLine="C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" IntegrityLevel IN ("High", "System") | fields - _raw | collect index=notable_events source="UAC Bypass Using Disk Cleanup" marker="guid=b697e69c-746f-4a86-9f59-7bfff8eab881,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[Potential Active Directory Enumeration Using AD Module - ProcCreation] +description = Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*Import-Module *", "*ipmo *") CommandLine="*Microsoft.ActiveDirectory.Management.dll*" | fields - _raw | collect index=notable_events source="Potential Active Directory Enumeration Using AD Module - ProcCreation" marker="guid=70bc5215-526f-4477-963c-a47a5c9ebd12,tags=attack.reconnaissance,tags=attack.discovery,tags=attack.impact," +[Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet] +description = Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*Get-LocalGroupMember *" CommandLine IN ("*domain admins*", "* administrator*", "* administrateur*", "*enterprise admins*", "*Exchange Trusted Subsystem*", "*Remote Desktop Users*", "*Utilisateurs du Bureau à distance*", "*Usuarios de escritorio remoto*") | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" marker="guid=c8a180d6-47a3-4345-a609-53f9c3d834fc,tags=attack.discovery,tags=attack.t1087.001," +[Modify Group Policy Settings] +description = Detect malicious GPO modifications can be used to implement many other malicious behaviors. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System*" CommandLine IN ("*GroupPolicyRefreshTimeDC*", "*GroupPolicyRefreshTimeOffsetDC*", "*GroupPolicyRefreshTime*", "*GroupPolicyRefreshTimeOffset*", "*EnableSmartScreen*", "*ShellSmartScreenLevel*") | fields - _raw | collect index=notable_events source="Modify Group Policy Settings" marker="guid=ada4b0c4-758b-46ac-9033-9004613a150d,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1484.001," +[HackTool - WinRM Access Via Evil-WinRM] +description = Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ruby.exe" CommandLine="*-i *" CommandLine="*-u *" CommandLine="*-p *" | fields - _raw | collect index=notable_events source="HackTool - WinRM Access Via Evil-WinRM" marker="guid=a197e378-d31b-41c0-9635-cfdf1c1bb423,tags=attack.lateral-movement,tags=attack.t1021.006," +[Process Reconnaissance Via Wmic.EXE] +description = Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\WMIC.exe" OR OriginalFileName="wmic.exe" CommandLine="*process*" NOT (CommandLine="*call*" CommandLine="*create*") | fields - _raw | collect index=notable_events source="Process Reconnaissance Via Wmic.EXE" marker="guid=221b251a-357a-49a9-920a-271802777cc0,tags=attack.execution,tags=attack.t1047," +[HTML Help HH.EXE Suspicious Child Process] +description = Detects a suspicious child process of a Microsoft HTML Help (HH.exe) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\hh.exe" Image IN ("*\\CertReq.exe", "*\\CertUtil.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\installutil.exe", "*\\MSbuild.exe", "*\\MSHTA.EXE", "*\\msiexec.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\schtasks.exe", "*\\wmic.exe", "*\\wscript.exe") | fields - _raw | collect index=notable_events source="HTML Help HH.EXE Suspicious Child Process" marker="guid=52cad028-0ff0-4854-8f67-d25dfcbc78b4,tags=attack.defense-evasion,tags=attack.execution,tags=attack.initial-access,tags=attack.t1047,tags=attack.t1059.001,tags=attack.t1059.003,tags=attack.t1059.005,tags=attack.t1059.007,tags=attack.t1218,tags=attack.t1218.001,tags=attack.t1218.010,tags=attack.t1218.011,tags=attack.t1566,tags=attack.t1566.001," +[MSExchange Transport Agent Installation] +description = Detects the Installation of a Exchange Transport Agent +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*Install-TransportAgent*" | table AssemblyPath | fields - _raw | collect index=notable_events source="MSExchange Transport Agent Installation" marker="guid=83809e84-4475-4b69-bc3e-4aad8568612f,tags=attack.persistence,tags=attack.t1505.002," +[Wlrmdr.EXE Uncommon Argument Or Child Process] +description = Detects the execution of "Wlrmdr.exe" with the "-u" command line flag 
which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\wlrmdr.exe" OR (Image="*\\wlrmdr.exe" OR OriginalFileName="WLRMNDR.EXE" CommandLine="*-s *" OR CommandLine="*/s *" OR CommandLine="*–s *" OR CommandLine="*—s *" OR CommandLine="*―s *" CommandLine="*-f *" OR CommandLine="*/f *" OR CommandLine="*–f *" OR CommandLine="*—f *" OR CommandLine="*―f *" CommandLine="*-t *" OR CommandLine="*/t *" OR CommandLine="*–t *" OR CommandLine="*—t *" OR CommandLine="*―t *" CommandLine="*-m *" OR CommandLine="*/m *" OR CommandLine="*–m *" OR CommandLine="*—m *" OR CommandLine="*―m *" CommandLine="*-a *" OR CommandLine="*/a *" OR CommandLine="*–a *" OR CommandLine="*—a *" OR CommandLine="*―a *" CommandLine="*-u *" OR CommandLine="*/u *" OR CommandLine="*–u *" OR CommandLine="*—u *" OR CommandLine="*―u *" NOT (ParentImage="C:\\Windows\\System32\\winlogon.exe" OR ParentImage IN ("", "-") OR ParentImage!=*)) | fields - _raw | collect index=notable_events source="Wlrmdr.EXE Uncommon Argument Or Child Process" marker="guid=9cfc00b6-bfb7-49ce-9781-ef78503154bb,tags=attack.defense-evasion,tags=attack.t1218," +[WmiPrvSE Spawned A Process] +description = Detects WmiPrvSE spawning a process +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\WmiPrvSe.exe" NOT (LogonId IN ("0x3e7", "null") OR User IN ("*AUTHORI*", "*AUTORI*") OR Image="*\\WmiPrvSE.exe" OR Image="*\\WerFault.exe" OR LogonId!=*) | fields - _raw | collect index=notable_events source="WmiPrvSE Spawned A Process" marker="guid=d21374ff-f574-44a7-9998-4a8c8bf33d7d,tags=attack.execution,tags=attack.t1047," +[Sysmon Driver 
Unloaded Via Fltmc.EXE] +description = Detects possible Sysmon filter driver unloaded via fltmc.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\fltMC.exe" OR OriginalFileName="fltMC.exe" CommandLine="*unload*" CommandLine="*sysmon*" | fields - _raw | collect index=notable_events source="Sysmon Driver Unloaded Via Fltmc.EXE" marker="guid=4d7cda18-1b12-4e52-b45c-d28653210df8,tags=attack.defense-evasion,tags=attack.t1070,tags=attack.t1562,tags=attack.t1562.002," +[Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE] +description = Detects potential malicious and unauthorized usage of bcdedit.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\bcdedit.exe" OR OriginalFileName="bcdedit.exe" CommandLine IN ("*delete*", "*deletevalue*", "*import*", "*safeboot*", "*network*") | fields - _raw | collect index=notable_events source="Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE" marker="guid=c9fbe8e9-119d-40a6-9b59-dd58a5d84429,tags=attack.defense-evasion,tags=attack.t1070,tags=attack.persistence,tags=attack.t1542.003," +[Explorer Process Tree Break] +description = Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}*" OR (CommandLine="*explorer.exe*" CommandLine="* -root,*" OR CommandLine="* /root,*" OR CommandLine="* –root,*" OR CommandLine="* —root,*" OR CommandLine="* ―root,*") | fields - _raw | collect index=notable_events source="Explorer Process Tree Break" marker="guid=949f1ffb-6e85-4f00-ae1e-c3c5b190d605,tags=attack.defense-evasion,tags=attack.t1036," +[Suspicious File 
Download From File Sharing Domain Via Curl.EXE] +description = Detects potentially suspicious file download from file sharing domains using curl.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\curl.exe" OR OriginalFileName="curl.exe" CommandLine IN ("*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*") CommandLine="*http*" CommandLine IN ("* -O*", "*--remote-name*", "*--output*") CommandLine IN ("*.ps1", "*.ps1'", "*.ps1\"", "*.dat", "*.dat'", "*.dat\"", "*.msi", "*.msi'", "*.msi\"", "*.bat", "*.bat'", "*.bat\"", "*.exe", "*.exe'", "*.exe\"", "*.vbs", "*.vbs'", "*.vbs\"", "*.vbe", "*.vbe'", "*.vbe\"", "*.hta", "*.hta'", "*.hta\"", "*.dll", "*.dll'", "*.dll\"", "*.psm1", "*.psm1'", "*.psm1\"") | fields - _raw | collect index=notable_events source="Suspicious File Download From File Sharing Domain Via Curl.EXE" marker="guid=56454143-524f-49fb-b1c6-3fb8b1ad41fb,tags=attack.execution," +[Windows Admin Share Mount Via Net.EXE] +description = Detects when an admin share is mounted using net.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine="* use *" CommandLine="* \\\\*\\*$*" | fields - _raw | collect index=notable_events source="Windows Admin Share Mount Via Net.EXE" 
marker="guid=3abd6094-7027-475f-9630-8ab9be7b9725,tags=attack.lateral-movement,tags=attack.t1021.002," +[Privilege Escalation via Named Pipe Impersonation] +description = Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\cmd.exe", "*\\powershell.exe") OR OriginalFileName IN ("Cmd.Exe", "PowerShell.EXE") CommandLine="*echo*" CommandLine="*>*" CommandLine="*\\\\.\\pipe\\*" | fields - _raw | collect index=notable_events source="Privilege Escalation via Named Pipe Impersonation" marker="guid=9bd04a79-dabe-4f1f-a5ff-92430265c96b,tags=attack.lateral-movement,tags=attack.t1021," +[Suspicious PowerShell Parameter Substring] +description = Detects suspicious PowerShell invocation with a parameter substring +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("* -windowstyle h *", "* -windowstyl h*", "* -windowsty h*", "* -windowst h*", "* -windows h*", "* -windo h*", "* -wind h*", "* -win h*", "* -wi h*", "* -win h *", "* -win hi *", "* -win hid *", "* -win hidd *", "* -win hidde *", "* -NoPr *", "* -NoPro *", "* -NoProf *", "* -NoProfi *", "* -NoProfil *", "* -nonin *", "* -nonint *", "* -noninte *", "* -noninter *", "* -nonintera *", "* -noninterac *", "* -noninteract *", "* -noninteracti *", "* -noninteractiv *", "* -ec *", "* -encodedComman *", "* -encodedComma *", "* -encodedComm *", "* -encodedCom *", "* -encodedCo *", "* -encodedC *", "* -encoded *", "* -encode *", "* -encod *", "* -enco *", "* -en *", "* -executionpolic *", "* -executionpoli *", "* -executionpol *", "* -executionpo *", "* -executionp *", "* -execution bypass*", "* -executio bypass*", "* -executi bypass*", "* -execut bypass*", "* -execu bypass*", "* -exec bypass*", "* -exe bypass*", "* -ex bypass*", "* -ep 
bypass*", "* /windowstyle h *", "* /windowstyl h*", "* /windowsty h*", "* /windowst h*", "* /windows h*", "* /windo h*", "* /wind h*", "* /win h*", "* /wi h*", "* /win h *", "* /win hi *", "* /win hid *", "* /win hidd *", "* /win hidde *", "* /NoPr *", "* /NoPro *", "* /NoProf *", "* /NoProfi *", "* /NoProfil *", "* /nonin *", "* /nonint *", "* /noninte *", "* /noninter *", "* /nonintera *", "* /noninterac *", "* /noninteract *", "* /noninteracti *", "* /noninteractiv *", "* /ec *", "* /encodedComman *", "* /encodedComma *", "* /encodedComm *", "* /encodedCom *", "* /encodedCo *", "* /encodedC *", "* /encoded *", "* /encode *", "* /encod *", "* /enco *", "* /en *", "* /executionpolic *", "* /executionpoli *", "* /executionpol *", "* /executionpo *", "* /executionp *", "* /execution bypass*", "* /executio bypass*", "* /executi bypass*", "* /execut bypass*", "* /execu bypass*", "* /exec bypass*", "* /exe bypass*", "* /ex bypass*", "* /ep bypass*") | fields - _raw | collect index=notable_events source="Suspicious PowerShell Parameter Substring" marker="guid=36210e0d-5b19-485d-a087-c096088885f0,tags=attack.execution,tags=attack.t1059.001," +[Execution via WorkFolders.exe] +description = Detects using WorkFolders.exe to execute an arbitrary control.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\control.exe" ParentImage="*\\WorkFolders.exe" NOT Image="C:\\Windows\\System32\\control.exe" | fields - _raw | collect index=notable_events source="Execution via WorkFolders.exe" marker="guid=0bbc6369-43e3-453d-9944-cae58821c173,tags=attack.defense-evasion,tags=attack.t1218," +[PUA - WebBrowserPassView Execution] +description = Detects the execution of WebBrowserPassView.exe. 
A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="Web Browser Password Viewer" OR Image="*\\WebBrowserPassView.exe" | fields - _raw | collect index=notable_events source="PUA - WebBrowserPassView Execution" marker="guid=d0dae994-26c6-4d2d-83b5-b3c8b79ae513,tags=attack.credential-access,tags=attack.t1555.003," +[Change Default File Association Via Assoc] +description = Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine="*assoc*" | table Image,CommandLine,User,LogonGuid,Hashes,ParentProcessGuid,ParentCommandLine | fields - _raw | collect index=notable_events source="Change Default File Association Via Assoc" marker="guid=3d3aa6cd-6272-44d6-8afc-7e88dfef7061,tags=attack.persistence,tags=attack.t1546.001," +[Tor Client/Browser Execution] +description = Detects the use of Tor or Tor-Browser to connect to onion routing networks +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\tor.exe", "*\\Tor Browser\\Browser\\firefox.exe") | fields - _raw | collect index=notable_events source="Tor Client/Browser Execution" marker="guid=62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c,tags=attack.command-and-control,tags=attack.t1090.003," +[Node Process Executions] +description = Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Adobe Creative Cloud Experience\\libs\\node.exe" NOT CommandLine="*Adobe Creative Cloud Experience\\js*" | table Image,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Node Process Executions" marker="guid=df1f26d3-bea7-4700-9ea2-ad3e990cf90e,tags=attack.defense-evasion,tags=attack.t1127,tags=attack.t1059.007," +[DirLister Execution] +description = Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="DirLister.exe" OR Image="*\\dirlister.exe" | fields - _raw | collect index=notable_events source="DirLister Execution" marker="guid=b4dc61f5-6cce-468e-a608-b48b469feaa2,tags=attack.discovery,tags=attack.t1083," +[Suspicious Msbuild Execution By Uncommon Parent Process] +description = Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\MSBuild.exe" OR OriginalFileName="MSBuild.exe" NOT (ParentImage IN ("*\\devenv.exe", "*\\cmd.exe", "*\\msbuild.exe", "*\\python.exe", "*\\explorer.exe", "*\\nuget.exe")) | fields - _raw | collect index=notable_events source="Suspicious Msbuild Execution By Uncommon Parent Process" marker="guid=33be4333-2c6b-44f4-ae28-102cdbde0a31,tags=attack.defense-evasion," +[Enumerate All Information With Whoami.EXE] +description = Detects the execution of "whoami.exe" with the "/all" flag +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\whoami.exe" OR OriginalFileName="whoami.exe" CommandLine="* -all*" OR CommandLine="* /all*" OR CommandLine="* –all*" OR CommandLine="* —all*" OR CommandLine="* ―all*" | fields - _raw | collect index=notable_events source="Enumerate All Information With Whoami.EXE" marker="guid=c248c896-e412-4279-8c15-1c558067b6fa,tags=attack.discovery,tags=attack.t1033,tags=car.2016-03-001," +[Data Export From MSSQL Table Via BCP.EXE] +description = Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\bcp.exe" OR OriginalFileName="BCP.exe" CommandLine IN ("* out *", "* queryout *") | fields - _raw | collect index=notable_events source="Data Export From MSSQL Table Via BCP.EXE" marker="guid=c615d676-f655-46b9-b913-78729021e5d7,tags=attack.execution,tags=attack.t1048," +[PUA - Process Hacker Execution] +description = Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ProcessHacker_*" OR Image="*\\ProcessHacker.exe" OR OriginalFileName IN ("ProcessHacker.exe", "Process Hacker") OR Description="Process Hacker" OR Product="Process Hacker" OR Hashes IN ("*MD5=68F9B52895F4D34E74112F3129B3B00D*", "*MD5=B365AF317AE730A67C936F21432B9C71*", "*SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D*", "*SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E*", "*SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F*", "*SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4*", "*IMPHASH=3695333C60DEDECDCAFF1590409AA462*", "*IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF*") OR md5 IN ("68f9b52895f4d34e74112f3129b3b00d", "b365af317ae730a67c936f21432b9c71") OR sha1 IN ("c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e", "a0bdfac3ce1880b32ff9b696458327ce352e3b1d") OR sha256 IN ("d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f", "bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4") OR Imphash IN ("04de0ad9c37eb7bd52043d2ecac958df", "3695333c60dedecdcaff1590409aa462") | fields - _raw | collect index=notable_events source="PUA - Process Hacker Execution" 
marker="guid=811e0002-b13b-4a15-9d00-a613fce66e42,tags=attack.defense-evasion,tags=attack.discovery,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1622,tags=attack.t1564,tags=attack.t1543," +[Regsvr32 DLL Execution With Suspicious File Extension] +description = Detects the execution of REGSVR32.exe with DLL files masquerading as other files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regsvr32.exe" OR OriginalFileName="REGSVR32.EXE" CommandLine IN ("*.bin", "*.bmp", "*.cr2", "*.dat", "*.eps", "*.gif", "*.ico", "*.jpeg", "*.jpg", "*.nef", "*.orf", "*.png", "*.raw", "*.sr2", "*.temp", "*.tif", "*.tiff", "*.tmp", "*.rtf", "*.txt") | fields - _raw | collect index=notable_events source="Regsvr32 DLL Execution With Suspicious File Extension" marker="guid=089fc3d2-71e8-4763-a8a5-c97fbb0a403e,tags=attack.defense-evasion,tags=attack.t1218.010," +[Windows Internet Hosted WebDav Share Mount Via Net.EXE] +description = Detects when an internet hosted webdav share is mounted using the "net.exe" utility +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine="* use *" CommandLine="* http*" | fields - _raw | collect index=notable_events source="Windows Internet Hosted WebDav Share Mount Via Net.EXE" marker="guid=7e6237fe-3ddb-438f-9381-9bf9de5af8d0,tags=attack.lateral-movement,tags=attack.t1021.002," +[Java Running with Remote Debugging] +description = Detects a JAVA process running with remote debugging allowing more than just localhost to connect +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*transport=dt_socket,address=*" CommandLine IN ("*jre1.*", "*jdk1.*") NOT (CommandLine IN ("*address=127.0.0.1*", "*address=localhost*")) | table CommandLine,ParentCommandLine | fields - _raw | 
collect index=notable_events source="Java Running with Remote Debugging" marker="guid=8f88e3f6-2a49-48f5-a5c4-2f7eedf78710,tags=attack.t1203,tags=attack.execution," +[Suspicious FromBase64String Usage On Gzip Archive - Process Creation] +description = Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*FromBase64String*" CommandLine="*MemoryStream*" CommandLine="*H4sI*" | fields - _raw | collect index=notable_events source="Suspicious FromBase64String Usage On Gzip Archive - Process Creation" marker="guid=d75d6b6b-adb9-48f7-824b-ac2e786efe1f,tags=attack.command-and-control,tags=attack.t1132.001," +[Suspicious Csi.exe Usage] +description = Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe' +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\csi.exe", "*\\rcsi.exe") OR OriginalFileName IN ("csi.exe", "rcsi.exe") Company="Microsoft Corporation" | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Csi.exe Usage" marker="guid=40b95d31-1afc-469e-8d34-9a3a667d058e,tags=attack.execution,tags=attack.t1072,tags=attack.defense-evasion,tags=attack.t1218," +[Odbcconf.EXE Suspicious DLL Location] +description = Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\odbcconf.exe" OR OriginalFileName="odbcconf.exe" CommandLine IN ("*:\\PerfLogs\\*", "*:\\ProgramData\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Registration\\CRMLog*", "*:\\Windows\\System32\\com\\dmp\\*", "*:\\Windows\\System32\\FxsTmp\\*", "*:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*:\\Windows\\System32\\spool\\drivers\\color\\*", "*:\\Windows\\System32\\spool\\PRINTERS\\*", "*:\\Windows\\System32\\spool\\SERVERS\\*", "*:\\Windows\\System32\\Tasks_Migrated\\*", "*:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\*", "*:\\Windows\\SysWOW64\\com\\dmp\\*", "*:\\Windows\\SysWOW64\\FxsTmp\\*", "*:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*", "*:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*:\\Windows\\Tracing\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*") | fields - _raw | collect index=notable_events source="Odbcconf.EXE Suspicious DLL Location" marker="guid=6b65c28e-11f3-46cb-902a-68f2cafaf474,tags=attack.defense-evasion,tags=attack.t1218.008," +[HackTool - SafetyKatz Execution] +description = Detects the execution of the hacktool SafetyKatz via PE information and default Image name +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SafetyKatz.exe" OR OriginalFileName="SafetyKatz.exe" OR Description="SafetyKatz" | fields - _raw | collect index=notable_events source="HackTool - SafetyKatz Execution" marker="guid=b1876533-4ed5-4a83-90f3-b8645840a413,tags=attack.credential-access,tags=attack.t1003.001," +[HackTool - Empire PowerShell UAC Bypass] +description = Detects some Empire PowerShell UAC bypass methods +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("* -NoP -NonI -w Hidden -c 
$x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*", "* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*") | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="HackTool - Empire PowerShell UAC Bypass" marker="guid=3268b746-88d8-4cd3-bffc-30077d02c787,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,tags=car.2019-04-001," +[Remotely Hosted HTA File Executed Via Mshta.EXE] +description = Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\mshta.exe" OR OriginalFileName="MSHTA.EXE" CommandLine IN ("*http://*", "*https://*", "*ftp://*") | fields - _raw | collect index=notable_events source="Remotely Hosted HTA File Executed Via Mshta.EXE" marker="guid=b98d0db6-511d-45de-ad02-e82a98729620,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218.005," +[Uncommon AddinUtil.EXE CommandLine Execution] +description = Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\addinutil.exe" OR OriginalFileName="AddInUtil.exe" CommandLine IN ("*-AddInRoot:*", "*-PipelineRoot:*") NOT (CommandLine IN ("*-AddInRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA*", "*-AddInRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA*", "*-PipelineRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA*", "*-PipelineRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA*")) | fields - _raw | collect index=notable_events source="Uncommon AddinUtil.EXE CommandLine Execution" marker="guid=4f2cd9b6-4a17-440f-bb2a-687abb65993a,tags=attack.defense-evasion,tags=attack.t1218," +[Script Event Consumer Spawning Process] +description = Detects a suspicious child process of Script Event Consumer (scrcons.exe). +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\scrcons.exe" Image IN ("*\\svchost.exe", "*\\dllhost.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\schtasks.exe", "*\\regsvr32.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\msiexec.exe", "*\\msbuild.exe") | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Script Event Consumer Spawning Process" marker="guid=f6d1dd2f-b8ce-40ca-bc23-062efb686b34,tags=attack.execution,tags=attack.t1047," +[Tasks Folder Evasion] +description = The Tasks folder in system32 and syswow64 are globally writable paths. 
Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*echo *", "*copy *", "*type *", "*file createnew*") CommandLine IN ("* C:\\Windows\\System32\\Tasks\\*", "* C:\\Windows\\SysWow64\\Tasks\\*") | table CommandLine,ParentProcess | fields - _raw | collect index=notable_events source="Tasks Folder Evasion" marker="guid=cc4e02ba-9c06-48e2-b09e-2500cace9ae0,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.execution,tags=attack.t1574.002," +[Uncommon Userinit Child Process] +description = Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\userinit.exe" NOT Image="*:\\WINDOWS\\explorer.exe" NOT (CommandLine IN ("*netlogon.bat*", "*UsrLogon.cmd*") OR CommandLine="PowerShell.exe" OR Image IN ("*:\\Windows\\System32\\proquota.exe", "*:\\Windows\\SysWOW64\\proquota.exe") OR Image IN ("*:\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe", "*:\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe", "*:\\Program Files (x86)\\Citrix\\System32\\icast.exe", "*:\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe", "*:\\Program Files\\Citrix\\HDX\\bin\\icast.exe", "*:\\Program Files\\Citrix\\System32\\icast.exe") OR Image!=*) | fields - _raw | collect index=notable_events source="Uncommon Userinit Child Process" marker="guid=0a98a10c-685d-4ab0-bddc-b6bdd1d48458,tags=attack.t1037.001,tags=attack.persistence," +[Windows Backup Deleted Via Wbadmin.EXE] +description = Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. 
This may only be successful on server platforms that have Windows Backup enabled. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wbadmin.exe" OR OriginalFileName="WBADMIN.EXE" CommandLine="*delete *" CommandLine="*backup*" NOT CommandLine="*keepVersions:0*" | fields - _raw | collect index=notable_events source="Windows Backup Deleted Via Wbadmin.EXE" marker="guid=89f75308-5b1b-4390-b2d8-d6b2340efaf8,tags=attack.impact,tags=attack.t1490," +[Powershell Base64 Encoded MpPreference Cmdlet] +description = Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*QWRkLU1wUHJlZmVyZW5jZS*" OR CommandLine="*FkZC1NcFByZWZlcmVuY2Ug*" OR CommandLine="*BZGQtTXBQcmVmZXJlbmNlI*" OR CommandLine="*U2V0LU1wUHJlZmVyZW5jZS*" OR CommandLine="*NldC1NcFByZWZlcmVuY2Ug*" OR CommandLine="*TZXQtTXBQcmVmZXJlbmNlI*" OR CommandLine="*YWRkLW1wcHJlZmVyZW5jZS*" OR CommandLine="*FkZC1tcHByZWZlcmVuY2Ug*" OR CommandLine="*hZGQtbXBwcmVmZXJlbmNlI*" OR CommandLine="*c2V0LW1wcHJlZmVyZW5jZS*" OR CommandLine="*NldC1tcHByZWZlcmVuY2Ug*" OR CommandLine="*zZXQtbXBwcmVmZXJlbmNlI*" OR CommandLine IN ("*QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA*", "*EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA*", "*BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA*", "*UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA*", "*MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA*", "*TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA*", "*YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA*", "*EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA*", "*hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA*", "*cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA*", "*MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA*", "*zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA*") | fields - _raw | collect index=notable_events source="Powershell Base64 Encoded 
MpPreference Cmdlet" marker="guid=c6fb44c6-71f5-49e6-9462-1425d328aee3,tags=attack.defense-evasion,tags=attack.t1562.001," +[Compressed File Creation Via Tar.EXE] +description = Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\tar.exe" OR OriginalFileName="bsdtar" CommandLine IN ("*-c*", "*-r*", "*-u*") | fields - _raw | collect index=notable_events source="Compressed File Creation Via Tar.EXE" marker="guid=418a3163-3247-4b7b-9933-dcfcb7c52ea9,tags=attack.collection,tags=attack.exfiltration,tags=attack.t1560,tags=attack.t1560.001," +[Arbitrary File Download Via Squirrel.EXE] +description = Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\squirrel.exe", "*\\update.exe") CommandLine IN ("* --download *", "* --update *", "* --updateRollback=*") CommandLine="*http*" | fields - _raw | collect index=notable_events source="Arbitrary File Download Via Squirrel.EXE" marker="guid=1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218," +[HackTool - CrackMapExec PowerShell Obfuscation] +description = The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*join*split*", "*( $ShellId[1]+$ShellId[13]+'x')*", "*( $PSHome[*]+$PSHOME[*]+*", "*( $env:Public[13]+$env:Public[5]+'x')*", "*( $env:ComSpec[4,*,25]-Join'')*", "*[1,3]+'x'-Join'')*") | table ComputerName,User,CommandLine | fields - _raw | collect index=notable_events source="HackTool - CrackMapExec PowerShell Obfuscation" marker="guid=6f8b3439-a203-45dc-a88b-abf57ea15ccf,tags=attack.execution,tags=attack.t1059.001,tags=attack.defense-evasion,tags=attack.t1027.005," +[Suspicious Advpack Call Via Rundll32.EXE] +description = Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" OR CommandLine="*rundll32*" CommandLine="*advpack*" (CommandLine="*#+*" CommandLine="*12*") OR CommandLine="*#-*" | fields - _raw | collect index=notable_events source="Suspicious Advpack Call Via Rundll32.EXE" marker="guid=a1473adb-5338-4a20-b4c3-126763e2d3d3,tags=attack.defense-evasion," +[Bypass UAC via Fodhelper.exe] +description = Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\fodhelper.exe" | table ComputerName,User,CommandLine | fields - _raw | collect index=notable_events source="Bypass UAC via Fodhelper.exe" marker="guid=7f741dcf-fc22-4759-87b4-9ae8376676a2,tags=attack.privilege-escalation,tags=attack.t1548.002," +[HackTool - Rubeus Execution] +description = Detects the execution of the hacktool Rubeus via PE information of command line parameters +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Rubeus.exe" OR OriginalFileName="Rubeus.exe" OR Description="Rubeus" OR CommandLine IN ("*asreproast *", "*dump /service:krbtgt *", "*dump /luid:0x*", "*kerberoast *", "*createnetonly /program:*", "*ptt /ticket:*", "*/impersonateuser:*", "*renew /ticket:*", "*asktgt /user:*", "*harvest /interval:*", "*s4u /user:*", "*s4u /ticket:*", "*hash /password:*", "*golden /aes256:*", "*silver /user:*") | fields - _raw | collect index=notable_events source="HackTool - Rubeus Execution" marker="guid=7ec2c172-dceb-4c10-92c9-87c1881b7e18,tags=attack.credential-access,tags=attack.t1003,tags=attack.t1558.003,tags=attack.lateral-movement,tags=attack.t1550.003," +[Suspicious Remote Child Process From Outlook] +description = Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares). +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\outlook.exe" Image="\\\\*" | fields - _raw | collect index=notable_events source="Suspicious Remote Child Process From Outlook" marker="guid=e212d415-0e93-435f-9e1a-f29005bb4723,tags=attack.execution,tags=attack.t1059,tags=attack.t1202," +[AspNetCompiler Execution] +description = Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*C:\\Windows\\Microsoft.NET\\Framework\\*", "*C:\\Windows\\Microsoft.NET\\Framework64\\*") Image="*\\aspnet_compiler.exe" | fields - _raw | collect index=notable_events source="AspNetCompiler Execution" marker="guid=a01b8329-5953-4f73-ae2d-aa01e1f35f00,tags=attack.defense-evasion,tags=attack.t1127," +[Browser Started with Remote Debugging] +description = Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* --remote-debugging-*" OR (Image="*\\firefox.exe" CommandLine="* -start-debugger-server*") | fields - _raw | collect index=notable_events source="Browser Started with Remote Debugging" marker="guid=b3d34dc5-2efd-4ae3-845f-8ec14921f449,tags=attack.credential-access,tags=attack.t1185," +[Python Inline Command Execution] +description = Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="python.exe" OR Image IN ("*python.exe", "*python3.exe", "*python2.exe") CommandLine="* -c*" NOT ((ParentImage="C:\\Program Files\\Python*" ParentImage="*\\python.exe" ParentCommandLine="*-E -s -m ensurepip -U --default-pip*") OR ParentImage="*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe") | fields - _raw | collect index=notable_events source="Python Inline Command Execution" marker="guid=899133d5-4d7c-4a7f-94ee-27355c879d90,tags=attack.execution,tags=attack.t1059," +[UAC Bypass Using Windows Media Player - Process] +description = Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="C:\\Program Files\\Windows Media Player\\osk.exe" IntegrityLevel IN ("High", "System")) OR (Image="C:\\Windows\\System32\\cmd.exe" ParentCommandLine="\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s" IntegrityLevel IN ("High", "System")) | fields - _raw | collect index=notable_events source="UAC Bypass Using Windows Media Player - Process" marker="guid=0058b9e5-bcd7-40d4-9205-95ca5a16d7b2,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[Remote Access Tool - Team Viewer Session Started On Windows Host] +description = Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="TeamViewer_Desktop.exe" ParentImage="TeamViewer_Service.exe" CommandLine="*TeamViewer_Desktop.exe --IPCport 5939 --Module 1" | fields - _raw | collect index=notable_events source="Remote Access Tool - Team Viewer Session Started On Windows Host" marker="guid=ab70c354-d9ac-4e11-bbb6-ec8e3b153357,tags=attack.initial-access,tags=attack.t1133," +[Chromium Browser Headless Execution To Mockbin Like Site] +description = Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data). +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\brave.exe", "*\\chrome.exe", "*\\msedge.exe", "*\\opera.exe", "*\\vivaldi.exe") CommandLine="*--headless*" CommandLine IN ("*://run.mocky*", "*://mockbin*") | fields - _raw | collect index=notable_events source="Chromium Browser Headless Execution To Mockbin Like Site" marker="guid=1c526788-0abe-4713-862f-b520da5e5316,tags=attack.execution," +[Suspicious Diantz Download and Compress Into a CAB File] +description = Download and compress a remote file and store it in a cab file on local machine. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*diantz.exe*" CommandLine="* \\\\*" CommandLine="*.cab*" | fields - _raw | collect index=notable_events source="Suspicious Diantz Download and Compress Into a CAB File" marker="guid=185d7418-f250-42d0-b72e-0c8b70661e93,tags=attack.command-and-control,tags=attack.t1105," +[HackTool - Bloodhound/Sharphound Execution] +description = Detects command line parameters used by Bloodhound and Sharphound hack tools +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="*SharpHound*" OR Description="*SharpHound*" OR Company IN ("*SpecterOps*", "*evil corp*") OR Image IN ("*\\Bloodhound.exe*", "*\\SharpHound.exe*") OR CommandLine IN ("* -CollectionMethod All *", "* --CollectionMethods Session *", "* --Loop --Loopduration *", "* --PortScanTimeout *", "*.exe -c All -d *", "*Invoke-Bloodhound*", "*Get-BloodHoundData*") OR (CommandLine="* -JsonFolder *" CommandLine="* -ZipFileName *") OR (CommandLine="* DCOnly *" CommandLine="* --NoSaveCache *") | fields - _raw | collect index=notable_events source="HackTool - Bloodhound/Sharphound Execution" marker="guid=f376c8a7-a2d0-4ddc-aa0c-16c17236d962,tags=attack.discovery,tags=attack.t1087.001,tags=attack.t1087.002,tags=attack.t1482,tags=attack.t1069.001,tags=attack.t1069.002,tags=attack.execution,tags=attack.t1059.001," +[Potential DLL File Download Via PowerShell Invoke-WebRequest] +description = Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Invoke-WebRequest *", "*IWR *") CommandLine="*http*" CommandLine="*OutFile*" CommandLine="*.dll*" | fields - _raw | collect index=notable_events source="Potential DLL File Download Via PowerShell Invoke-WebRequest" 
marker="guid=0f0450f3-8b47-441e-a31b-15a91dc243e2,tags=attack.command-and-control,tags=attack.execution,tags=attack.t1059.001,tags=attack.t1105," +[Renamed MegaSync Execution] +description = Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="megasync.exe" NOT Image="*\\megasync.exe" | fields - _raw | collect index=notable_events source="Renamed MegaSync Execution" marker="guid=643bdcac-8b82-49f4-9fd9-25a90b929f3b,tags=attack.defense-evasion,tags=attack.t1218," +[HackTool - UACMe Akagi Execution] +description = Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="UACMe" OR Company IN ("REvol Corp", "APT 92", "UG North", "Hazardous Environments", "CD Project Rekt") OR Description IN ("UACMe main module", "Pentesting utility") OR OriginalFileName IN ("Akagi.exe", "Akagi64.exe") OR Image IN ("*\\Akagi64.exe", "*\\Akagi.exe") OR Hashes IN ("*IMPHASH=767637C23BB42CD5D7397CF58B0BE688*", "*IMPHASH=14C4E4C72BA075E9069EE67F39188AD8*", "*IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC*", "*IMPHASH=7D010C6BB6A3726F327F7E239166D127*", "*IMPHASH=89159BA4DD04E4CE5559F132A9964EB3*", "*IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F*", "*IMPHASH=5834ED4291BDEB928270428EBBAF7604*", "*IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38*", "*IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894*", "*IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74*", "*IMPHASH=3DE09703C8E79ED2CA3F01074719906B*") OR Imphash IN ("767637c23bb42cd5d7397cf58b0be688", "14c4e4c72ba075e9069ee67f39188ad8", "3c782813d4afce07bbfc5a9772acdbdc", "7d010c6bb6a3726f327f7e239166d127", "89159ba4dd04e4ce5559f132a9964eb3", "6f33f4a5fc42b8cec7314947bd13f30f", "5834ed4291bdeb928270428ebbaf7604", "5a8a8a43f25485e7ee1b201edcbc7a38", 
"dc7d30b90b2d8abf664fbed2b1b59894", "41923ea1f824fe63ea5beb84db7a3e74", "3de09703c8e79ed2ca3f01074719906b") | fields - _raw | collect index=notable_events source="HackTool - UACMe Akagi Execution" marker="guid=d38d2fa4-98e6-4a24-aff1-410b0c9ad177,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[Suspicious Rundll32 Setupapi.dll Activity] +description = setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\runonce.exe" ParentImage="*\\rundll32.exe" ParentCommandLine="*setupapi.dll*" ParentCommandLine="*InstallHinfSection*" | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Rundll32 Setupapi.dll Activity" marker="guid=285b85b1-a555-4095-8652-a8a4106af63f,tags=attack.defense-evasion,tags=attack.t1218.011," +[LSA PPL Protection Disabled Via Reg.EXE] +description = Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine="*SYSTEM\\CurrentControlSet\\Control\\Lsa*" CommandLine="* add *" CommandLine="* /d 0*" CommandLine="* /v RunAsPPL *" | fields - _raw | collect index=notable_events source="LSA PPL Protection Disabled Via Reg.EXE" marker="guid=8c0eca51-0f88-4db2-9183-fdfb10c703f9,tags=attack.defense-evasion,tags=attack.t1562.010," +[Folder Compress To 
Potentially Suspicious Output Via Compress-Archive Cmdlet] +description = Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Compress-Archive -Path*-DestinationPath $env:TEMP*", "*Compress-Archive -Path*-DestinationPath*\\AppData\\Local\\Temp\\*", "*Compress-Archive -Path*-DestinationPath*:\\Windows\\Temp\\*") | fields - _raw | collect index=notable_events source="Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet" marker="guid=85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98,tags=attack.collection,tags=attack.t1074.001," +[Remote CHM File Download/Execution Via HH.EXE] +description = Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="HH.exe" OR Image="*\\hh.exe" CommandLine IN ("*http://*", "*https://*", "*\\\\*") | fields - _raw | collect index=notable_events source="Remote CHM File Download/Execution Via HH.EXE" marker="guid=f57c58b3-ee69-4ef5-9041-455bf39aaa89,tags=attack.defense-evasion,tags=attack.t1218.001," +[Webshell Detection With Command Line Keywords] +description = Detects certain command line parameters often used during reconnaissance activity via web shells +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\w3wp.exe", "*\\php-cgi.exe", "*\\nginx.exe", "*\\httpd.exe", "*\\caddy.exe", "*\\ws_tomcatservice.exe") OR (ParentImage IN ("*\\java.exe", "*\\javaw.exe") ParentImage IN ("*-tomcat-*", "*\\tomcat*")) OR (ParentImage IN ("*\\java.exe", "*\\javaw.exe") CommandLine IN ("*catalina.jar*", "*CATALINA_HOME*")) (OriginalFileName IN ("net.exe", "net1.exe") CommandLine IN ("* user *", "* use *", "* group *")) OR (OriginalFileName="ping.exe" CommandLine="* -n *") OR CommandLine IN ("*&cd&echo*", "*cd /d *") OR (OriginalFileName="wmic.exe" CommandLine="* /node:*") OR Image IN ("*\\dsquery.exe", "*\\find.exe", "*\\findstr.exe", "*\\ipconfig.exe", "*\\netstat.exe", "*\\nslookup.exe", "*\\pathping.exe", "*\\quser.exe", "*\\schtasks.exe", "*\\systeminfo.exe", "*\\tasklist.exe", "*\\tracert.exe", "*\\ver.exe", "*\\wevtutil.exe", "*\\whoami.exe") OR OriginalFileName IN ("dsquery.exe", "find.exe", "findstr.exe", "ipconfig.exe", "netstat.exe", "nslookup.exe", "pathping.exe", "quser.exe", "schtasks.exe", "sysinfo.exe", "tasklist.exe", "tracert.exe", "ver.exe", "VSSADMIN.EXE", "wevtutil.exe", "whoami.exe") OR CommandLine IN ("* Test-NetConnection *", "*dir \\*") | fields - _raw | collect index=notable_events source="Webshell Detection With Command Line Keywords" 
marker="guid=bed2a484-9348-4143-8a8a-b801c979301c,tags=attack.persistence,tags=attack.t1505.003,tags=attack.t1018,tags=attack.t1033,tags=attack.t1087," +[Use of UltraVNC Remote Access Software] +description = An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="VNCViewer" OR Product="UltraVNC VNCViewer" OR Company="UltraVNC" OR OriginalFileName="VNCViewer.exe" | fields - _raw | collect index=notable_events source="Use of UltraVNC Remote Access Software" marker="guid=145322e4-0fd3-486b-81ca-9addc75736d8,tags=attack.command-and-control,tags=attack.t1219," +[Suspicious Spool Service Child Process] +description = Detects suspicious print spool service (spoolsv.exe) child processes. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\spoolsv.exe" IntegrityLevel="System" Image IN ("*\\gpupdate.exe", "*\\whoami.exe", "*\\nltest.exe", "*\\taskkill.exe", "*\\wmic.exe", "*\\taskmgr.exe", "*\\sc.exe", "*\\findstr.exe", "*\\curl.exe", "*\\wget.exe", "*\\certutil.exe", "*\\bitsadmin.exe", "*\\accesschk.exe", "*\\wevtutil.exe", "*\\bcdedit.exe", "*\\fsutil.exe", "*\\cipher.exe", "*\\schtasks.exe", "*\\write.exe", "*\\wuauclt.exe", "*\\systeminfo.exe", "*\\reg.exe", "*\\query.exe") OR (Image IN ("*\\net.exe", "*\\net1.exe") NOT CommandLine="*start*") OR (Image="*\\cmd.exe" NOT (CommandLine IN ("*.spl*", "*route add*", "*program files*"))) OR (Image="*\\netsh.exe" NOT (CommandLine IN ("*add portopening*", "*rule name*"))) OR (Image IN ("*\\powershell.exe", "*\\pwsh.exe") NOT CommandLine="*.spl*") OR (Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*rundll32.exe") | table Image,CommandLine | fields - _raw | collect index=notable_events source="Suspicious Spool Service Child 
Process" marker="guid=dcdbc940-0bff-46b2-95f3-2d73f848e33b,tags=attack.execution,tags=attack.t1203,tags=attack.privilege-escalation,tags=attack.t1068," +[Suspicious File Encoded To Base64 Via Certutil.EXE] +description = Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certutil.exe" OR OriginalFileName="CertUtil.exe" CommandLine="*-encode*" OR CommandLine="*/encode*" OR CommandLine="*–encode*" OR CommandLine="*—encode*" OR CommandLine="*―encode*" CommandLine IN ("*.acl*", "*.bat*", "*.doc*", "*.gif*", "*.jpeg*", "*.jpg*", "*.mp3*", "*.pdf*", "*.png*", "*.ppt*", "*.tmp*", "*.xls*", "*.xml*") | fields - _raw | collect index=notable_events source="Suspicious File Encoded To Base64 Via Certutil.EXE" marker="guid=ea0cdc3e-2239-4f26-a947-4e8f8224e464,tags=attack.defense-evasion,tags=attack.t1027," +[Suspicious TSCON Start as SYSTEM] +description = Detects a tscon.exe start as LOCAL SYSTEM +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 User IN ("*AUTHORI*", "*AUTORI*") Image="*\\tscon.exe" | fields - _raw | collect index=notable_events source="Suspicious TSCON Start as SYSTEM" marker="guid=9847f263-4a81-424f-970c-875dab15b79b,tags=attack.command-and-control,tags=attack.t1219," +[UAC Bypass Using PkgMgr and DISM] +description = Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\pkgmgr.exe" Image="*\\dism.exe" IntegrityLevel IN ("High", "System") | fields - _raw | collect index=notable_events source="UAC Bypass Using PkgMgr and DISM" marker="guid=a743ceba-c771-4d75-97eb-8a90f7f4844c,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[Potential Discovery Activity 
Via Dnscmd.EXE] +description = Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dnscmd.exe" CommandLine IN ("*/enumrecords*", "*/enumzones*", "*/ZonePrint*", "*/info*") | fields - _raw | collect index=notable_events source="Potential Discovery Activity Via Dnscmd.EXE" marker="guid=b6457d63-d2a2-4e29-859d-4e7affc153d1,tags=attack.discovery,tags=attack.execution,tags=attack.t1543.003," +[New Root Certificate Installed Via CertMgr.EXE] +description = Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\CertMgr.exe" OR OriginalFileName="CERTMGT.EXE" CommandLine="*/add*" CommandLine="*root*" | fields - _raw | collect index=notable_events source="New Root Certificate Installed Via CertMgr.EXE" marker="guid=ff992eac-6449-4c60-8c1d-91c9722a1d48,tags=attack.defense-evasion,tags=attack.t1553.004," +[Renamed Mavinject.EXE Execution] +description = Detects the execution of a renamed version of the "Mavinject" process. 
Which can be abused to perform process injection using the "/INJECTRUNNING" flag +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("mavinject32.exe", "mavinject64.exe") NOT (Image IN ("*\\mavinject32.exe", "*\\mavinject64.exe")) | fields - _raw | collect index=notable_events source="Renamed Mavinject.EXE Execution" marker="guid=e6474a1b-5390-49cd-ab41-8d88655f7394,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1055.001,tags=attack.t1218.013," +[Potential Dosfuscation Activity] +description = Detects possible payload obfuscation via the commandline +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*^^*", "*^|^*", "*,;,*", "*;;;;*", "*;; ;;*", "*(,(,*", "*%COMSPEC:~*", "* c^m^d*", "*^c^m^d*", "* c^md*", "* cm^d*", "*^cm^d*", "* s^et *", "* s^e^t *", "* se^t *") | fields - _raw | collect index=notable_events source="Potential Dosfuscation Activity" marker="guid=a77c1610-fc73-4019-8e29-0f51efc04a51,tags=attack.execution,tags=attack.t1059," +[Computer Discovery And Export Via Get-ADComputer Cmdlet] +description = Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine="*Get-ADComputer *" CommandLine="* -Filter \**" CommandLine IN ("* > *", "* | Select *", "*Out-File*", "*Set-Content*", "*Add-Content*") | fields - _raw | collect index=notable_events source="Computer Discovery And Export Via Get-ADComputer Cmdlet" marker="guid=435e10e4-992a-4281-96f3-38b11106adde,tags=attack.discovery,tags=attack.t1033," +[Suspicious HWP Sub Processes] +description = Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation +search = 
index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\Hwp.exe" Image="*\\gbb.exe" | fields - _raw | collect index=notable_events source="Suspicious HWP Sub Processes" marker="guid=023394c4-29d5-46ab-92b8-6a534c6f447b,tags=attack.initial-access,tags=attack.t1566.001,tags=attack.execution,tags=attack.t1203,tags=attack.t1059.003,tags=attack.g0032," +[Suspicious Query of MachineGUID] +description = Use of reg to get MachineGuid information +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" CommandLine="*SOFTWARE\\Microsoft\\Cryptography*" CommandLine="*/v *" CommandLine="*MachineGuid*" | fields - _raw | collect index=notable_events source="Suspicious Query of MachineGUID" marker="guid=f5240972-3938-4e56-8e4b-e33893176c1f,tags=attack.discovery,tags=attack.t1082," +[Enumeration for Credentials in Registry] +description = Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. 
Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" CommandLine="* query *" CommandLine="*/t *" CommandLine="*REG_SZ*" CommandLine="*/s*" (CommandLine="*/f *" CommandLine="*HKLM*") OR (CommandLine="*/f *" CommandLine="*HKCU*") OR CommandLine="*HKCU\\Software\\SimonTatham\\PuTTY\\Sessions*" | fields - _raw | collect index=notable_events source="Enumeration for Credentials in Registry" marker="guid=e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1,tags=attack.credential-access,tags=attack.t1552.002," +[PowerShell Execution With Potential Decryption Capabilities] +description = Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*Get-ChildItem *", "*dir *", "*gci *", "*ls *") CommandLine IN ("*Get-Content *", "*gc *", "*cat *", "*type *", "*ReadAllBytes*") (CommandLine="* ^| *" CommandLine="*\*.lnk*" CommandLine="*-Recurse*" CommandLine="*-Skip *") OR (CommandLine="* -ExpandProperty *" CommandLine="*\*.lnk*" CommandLine="*WriteAllBytes*" CommandLine="* .length *") | fields - _raw | collect index=notable_events source="PowerShell Execution With Potential Decryption Capabilities" marker="guid=434c08ba-8406-4d15-8b24-782cb071a691,tags=attack.execution," +[Wab Execution From Non Default Location] +description = Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\wab.exe", "*\\wabmig.exe") NOT (Image IN 
("C:\\Windows\\WinSxS\\*", "C:\\Program Files\\Windows Mail\\*", "C:\\Program Files (x86)\\Windows Mail\\*")) | fields - _raw | collect index=notable_events source="Wab Execution From Non Default Location" marker="guid=395907ee-96e5-4666-af2e-2ca91688e151,tags=attack.defense-evasion,tags=attack.execution," +[Uncommon Svchost Parent Process] +description = Detects an uncommon svchost parent process +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\svchost.exe" NOT (ParentImage IN ("*\\Mrt.exe", "*\\MsMpEng.exe", "*\\ngen.exe", "*\\rpcnet.exe", "*\\services.exe", "*\\TiWorker.exe") OR ParentImage!=* OR ParentImage IN ("-", "")) | fields - _raw | collect index=notable_events source="Uncommon Svchost Parent Process" marker="guid=01d2e2a1-5f09-44f7-9fc1-24faa7479b6d,tags=attack.defense-evasion,tags=attack.t1036.005," +[Cloudflared Quick Tunnel Execution] +description = Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image IN ("*\\cloudflared.exe", "*\\cloudflared-windows-386.exe", "*\\cloudflared-windows-amd64.exe") OR Hashes IN ("*SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29*", "*SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8*", "*SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039*", "*SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28*", "*SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7*", "*SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373*", "*SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670*", "*SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a*", "*SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0*", "*SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1*", "*SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2*", "*SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac*", "*SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f*", "*SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d*", "*SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499*", "*SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b*", "*SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f*", "*SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032*", "*SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234*", "*SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f*", "*SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058*", "*SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c*", "*SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f*", 
"*SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5*", "*SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3*", "*SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4*", "*SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c*", "*SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4*", "*SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f*", "*SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad*", "*SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7*", "*SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75*", "*SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6*", "*SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688*", "*SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f*", "*SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663*", "*SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77*", "*SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078*") (CommandLine="*-url*" CommandLine="*tunnel*") OR CommandLine IN ("*.exe -url*", "*.exe --url*")) OR (CommandLine="*-url*" CommandLine="*-no-autoupdate*") | fields - _raw | collect index=notable_events source="Cloudflared Quick Tunnel Execution" marker="guid=222129f7-f4dc-4568-b0d2-22440a9639ba,tags=attack.command-and-control,tags=attack.t1090.001," +[HackTool - SharpMove Tool Execution] +description = Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SharpMove.exe" OR OriginalFileName="SharpMove.exe" OR (CommandLine="*computername=*" CommandLine IN ("*action=create*", "*action=dcom*", "*action=executevbs*", "*action=hijackdcom*", "*action=modschtask*", "*action=modsvc*", "*action=query*", "*action=scm*", "*action=startservice*", "*action=taskscheduler*")) | fields - _raw | collect index=notable_events source="HackTool - SharpMove Tool Execution" marker="guid=055fb54c-a8f4-4aee-bd44-f74cf30a0d9d,tags=attack.lateral-movement,tags=attack.t1021.002," +[Arbitrary File Download Via IMEWDBLD.EXE] +description = Detects usage of "IMEWDBLD.exe" to download arbitrary files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\IMEWDBLD.exe" OR OriginalFileName="imewdbld.exe" CommandLine IN ("*http://*", "*https://*") | fields - _raw | collect index=notable_events source="Arbitrary File Download Via IMEWDBLD.EXE" marker="guid=863218bd-c7d0-4c52-80cd-0a96c09f54af,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218," +[HackTool - KrbRelay Execution] +description = Detects the use of KrbRelay, a Kerberos relaying tool +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\KrbRelay.exe" OR OriginalFileName="KrbRelay.exe" OR (CommandLine="* -spn *" CommandLine="* -clsid *" CommandLine="* -rbcd *") OR (CommandLine="*shadowcred*" CommandLine="*clsid*" CommandLine="*spn*") OR (CommandLine="*spn *" CommandLine="*session *" CommandLine="*clsid *") | fields - _raw | collect index=notable_events source="HackTool - KrbRelay Execution" marker="guid=e96253b8-6b3b-4f90-9e59-3b24b99cf9b4,tags=attack.credential-access,tags=attack.t1558.003," +[Execute Code with Pester.bat] +description = Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) +search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine="*Pester*" CommandLine="*Get-Help*") OR (Image="*\\cmd.exe" CommandLine="*pester*" CommandLine="*;*" CommandLine IN ("*help*", "*?*")) | fields - _raw | collect index=notable_events source="Execute Code with Pester.bat" marker="guid=59e938ff-0d6d-4dc3-b13f-36cc28734d4e,tags=attack.execution,tags=attack.t1059.001,tags=attack.defense-evasion,tags=attack.t1216," +[Suspicious PowerShell Parent Process] +description = Detects a suspicious or uncommon parent processes of PowerShell +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*tomcat*" OR ParentImage IN ("*\\amigo.exe", "*\\browser.exe", "*\\chrome.exe", "*\\firefox.exe", "*\\httpd.exe", "*\\iexplore.exe", "*\\jbosssvc.exe", "*\\microsoftedge.exe", "*\\microsoftedgecp.exe", "*\\MicrosoftEdgeSH.exe", "*\\mshta.exe", "*\\nginx.exe", "*\\outlook.exe", "*\\php-cgi.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\safari.exe", "*\\services.exe", "*\\sqlagent.exe", "*\\sqlserver.exe", "*\\sqlservr.exe", "*\\vivaldi.exe", "*\\w3wp.exe") Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR CommandLine IN ("*/c powershell*", "*/c pwsh*") OR Description="Windows PowerShell" OR Product="PowerShell Core 6" OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") | fields - _raw | collect index=notable_events source="Suspicious PowerShell Parent Process" marker="guid=754ed792-634f-40ae-b3bc-e0448d33f695,tags=attack.execution,tags=attack.t1059.001," +[Private Keys Reconnaissance Via CommandLine Tools] +description = Adversaries may search for private key certificate files on compromised systems for insecurely stored credential +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*.key*", "*.pgp*", "*.gpg*", "*.ppk*", "*.p12*", "*.pem*", "*.pfx*", "*.cer*", "*.p7b*", "*.asc*") (Image="*\\cmd.exe" OR 
OriginalFileName="Cmd.Exe" CommandLine="*dir *") OR (Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine="*Get-ChildItem *") OR Image="*\\findstr.exe" OR OriginalFileName="FINDSTR.EXE" | fields - _raw | collect index=notable_events source="Private Keys Reconnaissance Via CommandLine Tools" marker="guid=213d6a77-3d55-4ce8-ba74-fcfef741974e,tags=attack.credential-access,tags=attack.t1552.004," +[Netsh Allow Group Policy on Microsoft Defender Firewall] +description = Adversaries may modify system firewalls in order to bypass controls limiting network usage +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" CommandLine="*advfirewall*" CommandLine="*firewall*" CommandLine="*set*" CommandLine="*rule*" CommandLine="*group=*" CommandLine="*new*" CommandLine="*enable=Yes*" | fields - _raw | collect index=notable_events source="Netsh Allow Group Policy on Microsoft Defender Firewall" marker="guid=347906f3-e207-4d18-ae5b-a9403d6bcdef,tags=attack.defense-evasion,tags=attack.t1562.004," +[Malicious Windows Script Components File Execution by TAEF Detection] +description = Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\te.exe" OR ParentImage="*\\te.exe" OR OriginalFileName="\\te.exe" | fields - _raw | collect index=notable_events source="Malicious Windows Script Components File Execution by TAEF Detection" marker="guid=634b00d5-ccc3-4a06-ae3b-0ec8444dd51b,tags=attack.defense-evasion,tags=attack.t1218," +[Potentially Suspicious Regsvr32 HTTP/FTP Pattern] 
+description = Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regsvr32.exe" OR OriginalFileName="REGSVR32.EXE" CommandLine IN ("* /i*", "* -i*") CommandLine IN ("*ftp*", "*http*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Regsvr32 HTTP/FTP Pattern" marker="guid=867356ee-9352-41c9-a8f2-1be690d78216,tags=attack.defense-evasion,tags=attack.t1218.010," +[PUA - Crassus Execution] +description = Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Crassus.exe" OR OriginalFileName="Crassus.exe" OR Description="*Crassus*" | fields - _raw | collect index=notable_events source="PUA - Crassus Execution" marker="guid=2c32b543-1058-4808-91c6-5b31b8bed6c5,tags=attack.discovery,tags=attack.t1590.001," +[Potential Arbitrary DLL Load Using Winword] +description = Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\WINWORD.exe" OR OriginalFileName="WinWord.exe" CommandLine="*/l *" CommandLine="*.dll*" | fields - _raw | collect index=notable_events source="Potential Arbitrary DLL Load Using Winword" marker="guid=f7375e28-5c14-432f-b8d1-1db26c832df3,tags=attack.defense-evasion,tags=attack.t1202," +[Suspicious Office Token Search Via CLI] +description = Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*eyJ0eXAiOi*", "* eyJ0eX*", "* \"eyJ0eX\"*", "* 'eyJ0eX'*") | fields - _raw | collect index=notable_events source="Suspicious Office Token Search Via CLI" marker="guid=6d3a3952-6530-44a3-8554-cf17c116c615,tags=attack.credential-access,tags=attack.t1528," +[Run PowerShell Script from Redirected Input Stream] +description = Detects PowerShell script execution via input stream redirect +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe")\ +| regex CommandLine="\\s-\\s*<" | fields - _raw | collect index=notable_events source="Run PowerShell Script from Redirected Input Stream" marker="guid=c83bf4b5-cdf0-437c-90fa-43d734f7c476,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1059," +[HackTool - Default PowerSploit/Empire Scheduled Task Creation] +description = Detects the creation of a schtask via PowerSploit or Empire Default Configuration. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\powershell.exe", "*\\pwsh.exe") Image="*\\schtasks.exe" CommandLine="*/Create*" CommandLine="*powershell.exe -NonI*" CommandLine="*/TN Updater /TR*" CommandLine IN ("*/SC ONLOGON*", "*/SC DAILY /ST*", "*/SC ONIDLE*", "*/SC HOURLY*") | fields - _raw | collect index=notable_events source="HackTool - Default PowerSploit/Empire Scheduled Task Creation" marker="guid=56c217c3-2de2-479b-990f-5c109ba8458f,tags=attack.execution,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.s0111,tags=attack.g0022,tags=attack.g0060,tags=car.2013-08-001,tags=attack.t1053.005,tags=attack.t1059.001," +[New Remote Desktop Connection Initiated Via Mstsc.EXE] +description = Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. 
Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\mstsc.exe" OR OriginalFileName="mstsc.exe" CommandLine="* -v:*" OR CommandLine="* /v:*" OR CommandLine="* –v:*" OR CommandLine="* —v:*" OR CommandLine="* ―v:*" NOT (ParentImage="C:\\Windows\\System32\\lxss\\wslhost.exe" CommandLine="*C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp*") | fields - _raw | collect index=notable_events source="New Remote Desktop Connection Initiated Via Mstsc.EXE" marker="guid=954f0af7-62dd-418f-b3df-a84bc2c7a774,tags=attack.lateral-movement,tags=attack.t1021.001," +[Wab/Wabmig Unusual Parent Or Child Processes] +description = Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (ParentImage IN ("*\\WmiPrvSE.exe", "*\\svchost.exe", "*\\dllhost.exe") Image IN ("*\\wab.exe", "*\\wabmig.exe")) OR ParentImage IN ("*\\wab.exe", "*\\wabmig.exe") | fields - _raw | collect index=notable_events source="Wab/Wabmig Unusual Parent Or Child Processes" marker="guid=63d1ccc0-2a43-4f4b-9289-361b308991ff,tags=attack.defense-evasion,tags=attack.execution," +[PktMon.EXE Execution] +description = Detects execution of PktMon, a tool that captures network packets. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\pktmon.exe" OR OriginalFileName="PktMon.exe" | fields - _raw | collect index=notable_events source="PktMon.EXE Execution" marker="guid=f956c7c1-0f60-4bc5-b7d7-b39ab3c08908,tags=attack.credential-access,tags=attack.t1040," +[Cscript/Wscript Uncommon Script Extension Execution] +description = Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("wscript.exe", "cscript.exe") OR Image IN ("*\\wscript.exe", "*\\cscript.exe") CommandLine IN ("*.csv*", "*.dat*", "*.doc*", "*.gif*", "*.jpeg*", "*.jpg*", "*.png*", "*.ppt*", "*.txt*", "*.xls*", "*.xml*") | fields - _raw | collect index=notable_events source="Cscript/Wscript Uncommon Script Extension Execution" marker="guid=99b7460d-c9f1-40d7-a316-1f36f61d52ee,tags=attack.execution,tags=attack.t1059.005,tags=attack.t1059.007," +[PUA - Nimgrab Execution] +description = Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\nimgrab.exe" OR Hashes IN ("*MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B*", "*SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559*", "*IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45*") OR md5="2DD44C3C29D667F5C0EF5F9D7C7FFB8B" OR sha256="F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559" OR Imphash="C07FDDD21D123EA9B3A08EEF44AAAC45" | fields - _raw | collect index=notable_events source="PUA - Nimgrab Execution" marker="guid=74a12f18-505c-4114-8d0b-8448dd5485c6,tags=attack.command-and-control,tags=attack.t1105," +[Boot Configuration Tampering Via Bcdedit.EXE] +description = Detects the use of the bcdedit command to tamper with the boot configuration data. 
This technique is often times used by malware or attackers as a destructive way before launching ransomware. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\bcdedit.exe" OR OriginalFileName="bcdedit.exe" CommandLine="*set*" (CommandLine="*bootstatuspolicy*" CommandLine="*ignoreallfailures*") OR (CommandLine="*recoveryenabled*" CommandLine="*no*") | table ComputerName,User,CommandLine | fields - _raw | collect index=notable_events source="Boot Configuration Tampering Via Bcdedit.EXE" marker="guid=1444443e-6757-43e4-9ea4-c8fc705f79a2,tags=attack.impact,tags=attack.t1490," +[Diskshadow Script Mode - Execution From Potential Suspicious Location] +description = Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="diskshadow.exe" OR Image="*\\diskshadow.exe" CommandLine="*-s *" OR CommandLine="*/s *" OR CommandLine="*–s *" OR CommandLine="*—s *" OR CommandLine="*―s *" CommandLine IN ("*:\\Temp\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\*", "*\\AppData\\Roaming\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*") | fields - _raw | collect index=notable_events source="Diskshadow Script Mode - Execution From Potential Suspicious Location" marker="guid=fa1a7e52-3d02-435b-81b8-00da14dd66c1,tags=attack.defense-evasion,tags=attack.t1218," +[Suspicious SysAidServer Child] +description = Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\java.exe", "*\\javaw.exe") ParentCommandLine="*SysAidServer*" | fields - _raw | collect index=notable_events source="Suspicious SysAidServer Child" 
marker="guid=60bfeac3-0d35-4302-8efb-1dd16f715bc6,tags=attack.lateral-movement,tags=attack.t1210," +[Suspicious Processes Spawned by WinRM] +description = Detects suspicious processes including shells spawnd from WinRM host process +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\wsmprovhost.exe" Image IN ("*\\cmd.exe", "*\\sh.exe", "*\\bash.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wsl.exe", "*\\schtasks.exe", "*\\certutil.exe", "*\\whoami.exe", "*\\bitsadmin.exe") | fields - _raw | collect index=notable_events source="Suspicious Processes Spawned by WinRM" marker="guid=5cc2cda8-f261-4d88-a2de-e9e193c86716,tags=attack.t1190,tags=attack.initial-access,tags=attack.persistence,tags=attack.privilege-escalation," +[Potential PowerShell Downgrade Attack] +description = Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\powershell.exe" CommandLine IN ("* -version 2 *", "* -versio 2 *", "* -versi 2 *", "* -vers 2 *", "* -ver 2 *", "* -ve 2 *", "* -v 2 *") | fields - _raw | collect index=notable_events source="Potential PowerShell Downgrade Attack" marker="guid=b3512211-c67e-4707-bedc-66efc7848863,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1059.001," +[Verclsid.exe Runs COM Object] +description = Detects when verclsid.exe is used to run COM object via GUID +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\verclsid.exe" OR OriginalFileName="verclsid.exe" CommandLine="*/S*" CommandLine="*/C*" | table CommandLine | fields - _raw | collect index=notable_events source="Verclsid.exe Runs COM Object" marker="guid=d06be4b9-8045-428b-a567-740a26d9db25,tags=attack.defense-evasion,tags=attack.t1218," +[Fsutil Drive Enumeration] +description = Attackers may leverage 
fsutil to enumerated connected drives. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\fsutil.exe" OR OriginalFileName="fsutil.exe" CommandLine="*drives*" | fields - _raw | collect index=notable_events source="Fsutil Drive Enumeration" marker="guid=63de06b9-a385-40b5-8b32-73f2b9ef84b6,tags=attack.discovery,tags=attack.t1120," +[Remote Access Tool - NetSupport Execution] +description = An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="NetSupport Client Configurator" OR Product="NetSupport Remote Control" OR Company="NetSupport Ltd" OR OriginalFileName="PCICFGUI.EXE" | fields - _raw | collect index=notable_events source="Remote Access Tool - NetSupport Execution" marker="guid=758ff488-18d5-4cbe-8ec4-02b6285a434f,tags=attack.command-and-control,tags=attack.t1219," +[Invoke-Obfuscation Via Use MSHTA] +description = Detects Obfuscated Powershell via use MSHTA in Scripts +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*set*" CommandLine="*&&*" CommandLine="*mshta*" CommandLine="*vbscript:createobject*" CommandLine="*.run*" CommandLine="*(window.close)*" | fields - _raw | collect index=notable_events source="Invoke-Obfuscation Via Use MSHTA" 
marker="guid=ac20ae82-8758-4f38-958e-b44a3140ca88,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Renamed Cloudflared.EXE Execution] +description = Detects the execution of a renamed "cloudflared" binary. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="* tunnel *" CommandLine="*cleanup *" CommandLine IN ("*-config *", "*-connector-id *")) OR (CommandLine="* tunnel *" CommandLine="* run *" CommandLine IN ("*-config *", "*-credentials-contents *", "*-credentials-file *", "*-token *")) OR (CommandLine="*-url*" CommandLine="*tunnel*") OR Hashes IN ("*SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29*", "*SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8*", "*SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039*", "*SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28*", "*SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7*", "*SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373*", "*SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670*", "*SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a*", "*SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0*", "*SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1*", "*SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2*", "*SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac*", "*SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f*", "*SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d*", "*SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499*", "*SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b*", "*SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f*", 
"*SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032*", "*SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234*", "*SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f*", "*SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058*", "*SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c*", "*SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f*", "*SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5*", "*SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3*", "*SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4*", "*SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c*", "*SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4*", "*SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f*", "*SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad*", "*SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7*", "*SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75*", "*SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6*", "*SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688*", "*SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f*", "*SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663*", "*SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77*", "*SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078*") NOT (Image IN ("*\\cloudflared.exe", "*\\cloudflared-windows-386.exe", "*\\cloudflared-windows-amd64.exe")) | fields - _raw | collect index=notable_events source="Renamed Cloudflared.EXE Execution" marker="guid=e0c69ebd-b54f-4aed-8ae3-e3467843f3f0,tags=attack.command-and-control,tags=attack.t1090.001," +[UEFI Persistence Via Wpbbin - ProcessCreation] +description = Detects 
execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="C:\\Windows\\System32\\wpbbin.exe" | fields - _raw | collect index=notable_events source="UEFI Persistence Via Wpbbin - ProcessCreation" marker="guid=4abc0ec4-db5a-412f-9632-26659cddf145,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.t1542.001," +[Potentially Suspicious Cabinet File Expansion] +description = Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\expand.exe" CommandLine="*-F:*" OR CommandLine="*/F:*" OR CommandLine="*–F:*" OR CommandLine="*—F:*" OR CommandLine="*―F:*" CommandLine IN ("*:\\Perflogs\\*", "*:\\Users\\Public\\*", "*\\Temporary Internet*", "*:\\ProgramData*", "*\\AppData\\Local\\Temp*", "*\\AppData\\Roaming\\Temp*", "*:\\Windows\\Temp*") OR (CommandLine="*:\\Users\\*" CommandLine="*\\Favorites\\*") OR (CommandLine="*:\\Users\\*" CommandLine="*\\Favourites\\*") OR (CommandLine="*:\\Users\\*" CommandLine="*\\Contacts\\*") NOT (ParentImage="C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe" CommandLine="*C:\\ProgramData\\Dell\\UpdateService\\Temp\\*") | fields - _raw | collect index=notable_events source="Potentially Suspicious Cabinet File Expansion" marker="guid=9f107a84-532c-41af-b005-8d12a607639f,tags=attack.defense-evasion,tags=attack.t1218," +[Potential Credential Dumping Via WER] +description = Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Werfault.exe" OR 
OriginalFileName="WerFault.exe" ParentUser IN ("*AUTHORI*", "*AUTORI*") User IN ("*AUTHORI*", "*AUTORI*") CommandLine="* -u -p *" CommandLine="* -ip *" CommandLine="* -s *" NOT ParentImage="C:\\Windows\\System32\\lsass.exe" | fields - _raw | collect index=notable_events source="Potential Credential Dumping Via WER" marker="guid=9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3,tags=attack.credential-access,tags=attack.t1003.001," +[Uncommon Child Process Of AddinUtil.EXE] +description = Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\addinutil.exe" NOT (Image IN ("*:\\Windows\\System32\\conhost.exe", "*:\\Windows\\System32\\werfault.exe", "*:\\Windows\\SysWOW64\\werfault.exe")) | fields - _raw | collect index=notable_events source="Uncommon Child Process Of AddinUtil.EXE" marker="guid=b5746143-59d6-4603-8d06-acbd60e166ee,tags=attack.defense-evasion,tags=attack.t1218," +[Local File Read Using Curl.EXE] +description = Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\curl.exe" OR OriginalFileName="curl.exe" CommandLine="*file:///*" | fields - _raw | collect index=notable_events source="Local File Read Using Curl.EXE" marker="guid=aa6f6ea6-0676-40dd-b510-6e46f02d8867,tags=attack.execution," +[Potential Command Line Path Traversal Evasion Attempt] +description = Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\Windows\\*" CommandLine IN ("*\\..\\Windows\\*", "*\\..\\System32\\*", "*\\..\\..\\*")) OR CommandLine="*.exe\\..\\*" NOT (CommandLine IN ("*\\Google\\Drive\\googledrivesync.exe\\..\\*", "*\\Citrix\\Virtual Smart Card\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\..\\*")) | fields - _raw | collect index=notable_events source="Potential Command Line Path Traversal Evasion Attempt" marker="guid=1327381e-6ab0-4f38-b583-4c1b8346a56b,tags=attack.defense-evasion,tags=attack.t1036," +[Potential Reconnaissance Activity Via GatherNetworkInfo.VBS] +description = Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". 
Which can be used to gather information about the target machine +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\cscript.exe", "*\\wscript.exe") OR OriginalFileName IN ("cscript.exe", "wscript.exe") CommandLine="*gatherNetworkInfo.vbs*" | fields - _raw | collect index=notable_events source="Potential Reconnaissance Activity Via GatherNetworkInfo.VBS" marker="guid=575dce0c-8139-4e30-9295-1ee75969f7fe,tags=attack.discovery,tags=attack.execution,tags=attack.t1615,tags=attack.t1059.005," +[Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp] +description = Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\excel.exe" OriginalFileName IN ("foxprow.exe", "schdplus.exe", "winproj.exe") OR Image IN ("*\\foxprow.exe", "*\\schdplus.exe", "*\\winproj.exe") | fields - _raw | collect index=notable_events source="Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp" marker="guid=551d9c1f-816c-445b-a7a6-7a3864720d60,tags=attack.t1021.003,tags=attack.lateral-movement," +[Chromium Browser Instance Executed With Custom Extension] +description = Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\brave.exe", "*\\chrome.exe", "*\\msedge.exe", "*\\opera.exe", "*\\vivaldi.exe") CommandLine="*--load-extension=*" | fields - _raw | collect index=notable_events source="Chromium Browser Instance Executed With Custom Extension" marker="guid=88d6e60c-759d-4ac1-a447-c0f1466c2d21,tags=attack.persistence,tags=attack.t1176," +[Fsutil Suspicious Invocation] +description = Detects suspicious parameters of fsutil (deleting 
USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others). +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\fsutil.exe" OR OriginalFileName="fsutil.exe" CommandLine IN ("*deletejournal*", "*createjournal*", "*setZeroData*") | fields - _raw | collect index=notable_events source="Fsutil Suspicious Invocation" marker="guid=add64136-62e5-48ea-807e-88638d02df1e,tags=attack.defense-evasion,tags=attack.impact,tags=attack.t1070,tags=attack.t1485," +[Suspicious GUP Usage] +description = Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\GUP.exe" NOT (Image IN ("*\\Program Files\\Notepad++\\updater\\GUP.exe", "*\\Program Files (x86)\\Notepad++\\updater\\GUP.exe") OR (Image="*\\Users\\*" Image IN ("*\\AppData\\Local\\Notepad++\\updater\\GUP.exe", "*\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe"))) | fields - _raw | collect index=notable_events source="Suspicious GUP Usage" marker="guid=0a4f6091-223b-41f6-8743-f322ec84930b,tags=attack.defense-evasion,tags=attack.t1574.002," +[PUA - Nmap/Zenmap Execution] +description = Detects usage of namp/zenmap. 
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\nmap.exe", "*\\zennmap.exe") OR OriginalFileName IN ("nmap.exe", "zennmap.exe") | fields - _raw | collect index=notable_events source="PUA - Nmap/Zenmap Execution" marker="guid=f6ecd1cf-19b8-4488-97f6-00f0924991a3,tags=attack.discovery,tags=attack.t1046," +[LOLBAS Data Exfiltration by DataSvcUtil.exe] +description = Detects when a user performs data exfiltration by using DataSvcUtil.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*/in:*", "*/out:*", "*/uri:*") Image="*\\DataSvcUtil.exe" OR OriginalFileName="DataSvcUtil.exe" | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="LOLBAS Data Exfiltration by DataSvcUtil.exe" marker="guid=e290b10b-1023-4452-a4a9-eb31a9013b3a,tags=attack.exfiltration,tags=attack.t1567," +[Use Icacls to Hide File to Everyone] +description = Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="iCACLS.EXE" OR Image="*\\icacls.exe" CommandLine="*/deny*" CommandLine="*S-1-1-0:*" | fields - _raw | collect index=notable_events source="Use Icacls to Hide File to Everyone" marker="guid=4ae81040-fc1c-4249-bfa3-938d260214d9,tags=attack.defense-evasion,tags=attack.t1564.001," +[HackTool - TruffleSnout Execution] +description = Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="TruffleSnout.exe" OR Image="*\\TruffleSnout.exe" | fields - _raw | collect index=notable_events source="HackTool - TruffleSnout Execution" marker="guid=69ca006d-b9a9-47f5-80ff-ecd4d25d481a,tags=attack.discovery,tags=attack.t1482," +[Kavremover Dropped Binary LOLBIN Usage] +description = Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* run run-cmd *" NOT (ParentImage IN ("*\\cleanapi.exe", "*\\kavremover.exe")) | fields - _raw | collect index=notable_events source="Kavremover Dropped Binary LOLBIN Usage" marker="guid=d047726b-c71c-4048-a99b-2e2f50dc107d,tags=attack.defense-evasion,tags=attack.t1127," +[Windows Kernel Debugger Execution] +description = Detects execution of the Windows Kernel Debugger "kd.exe". +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\kd.exe" OR OriginalFileName="kd.exe" | fields - _raw | collect index=notable_events source="Windows Kernel Debugger Execution" marker="guid=27ee9438-90dc-4bef-904b-d3ef927f5e7e,tags=attack.defense-evasion,tags=attack.privilege-escalation," +[NtdllPipe Like Activity Execution] +description = Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*type %windir%\\system32\\ntdll.dll*", "*type %systemroot%\\system32\\ntdll.dll*", "*type c:\\windows\\system32\\ntdll.dll*", "*\\ntdll.dll > \\\\.\\pipe\\*") | fields - _raw | collect index=notable_events source="NtdllPipe Like Activity Execution" marker="guid=bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2,tags=attack.defense-evasion," +[Net WebClient Casing Anomalies] +description = Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*TgBlAFQALgB3AEUAQg*", "*4AZQBUAC4AdwBFAEIA*", "*OAGUAVAAuAHcARQBCA*", "*bgBFAHQALgB3AGUAYg*", "*4ARQB0AC4AdwBlAGIA*", "*uAEUAdAAuAHcAZQBiA*", "*TgBFAHQALgB3AGUAYg*", "*OAEUAdAAuAHcAZQBiA*", "*bgBlAFQALgB3AGUAYg*", "*4AZQBUAC4AdwBlAGIA*", "*uAGUAVAAuAHcAZQBiA*", "*TgBlAFQALgB3AGUAYg*", "*OAGUAVAAuAHcAZQBiA*", "*bgBFAFQALgB3AGUAYg*", "*4ARQBUAC4AdwBlAGIA*", "*uAEUAVAAuAHcAZQBiA*", "*bgBlAHQALgBXAGUAYg*", "*4AZQB0AC4AVwBlAGIA*", "*uAGUAdAAuAFcAZQBiA*", "*bgBFAHQALgBXAGUAYg*", "*4ARQB0AC4AVwBlAGIA*", "*uAEUAdAAuAFcAZQBiA*", "*TgBFAHQALgBXAGUAYg*", "*OAEUAdAAuAFcAZQBiA*", "*bgBlAFQALgBXAGUAYg*", "*4AZQBUAC4AVwBlAGIA*", "*uAGUAVAAuAFcAZQBiA*", "*TgBlAFQALgBXAGUAYg*", "*OAGUAVAAuAFcAZQBiA*", "*bgBFAFQALgBXAGUAYg*", "*4ARQBUAC4AVwBlAGIA*", "*uAEUAVAAuAFcAZQBiA*", "*bgBlAHQALgB3AEUAYg*", "*4AZQB0AC4AdwBFAGIA*", "*uAGUAdAAuAHcARQBiA*", "*TgBlAHQALgB3AEUAYg*", "*OAGUAdAAuAHcARQBiA*", "*bgBFAHQALgB3AEUAYg*", "*4ARQB0AC4AdwBFAGIA*", "*uAEUAdAAuAHcARQBiA*", "*TgBFAHQALgB3AEUAYg*", "*OAEUAdAAuAHcARQBiA*", "*bgBlAFQALgB3AEUAYg*", "*4AZQBUAC4AdwBFAGIA*", "*uAGUAVAAuAHcARQBiA*", 
"*TgBlAFQALgB3AEUAYg*", "*OAGUAVAAuAHcARQBiA*", "*bgBFAFQALgB3AEUAYg*", "*4ARQBUAC4AdwBFAGIA*", "*uAEUAVAAuAHcARQBiA*", "*TgBFAFQALgB3AEUAYg*", "*OAEUAVAAuAHcARQBiA*", "*bgBlAHQALgBXAEUAYg*", "*4AZQB0AC4AVwBFAGIA*", "*uAGUAdAAuAFcARQBiA*", "*TgBlAHQALgBXAEUAYg*", "*OAGUAdAAuAFcARQBiA*", "*bgBFAHQALgBXAEUAYg*", "*4ARQB0AC4AVwBFAGIA*", "*uAEUAdAAuAFcARQBiA*", "*TgBFAHQALgBXAEUAYg*", "*OAEUAdAAuAFcARQBiA*", "*bgBlAFQALgBXAEUAYg*", "*4AZQBUAC4AVwBFAGIA*", "*uAGUAVAAuAFcARQBiA*", "*TgBlAFQALgBXAEUAYg*", "*OAGUAVAAuAFcARQBiA*", "*bgBFAFQALgBXAEUAYg*", "*4ARQBUAC4AVwBFAGIA*", "*uAEUAVAAuAFcARQBiA*", "*TgBFAFQALgBXAEUAYg*", "*OAEUAVAAuAFcARQBiA*", "*bgBlAHQALgB3AGUAQg*", "*4AZQB0AC4AdwBlAEIA*", "*uAGUAdAAuAHcAZQBCA*", "*TgBlAHQALgB3AGUAQg*", "*OAGUAdAAuAHcAZQBCA*", "*bgBFAHQALgB3AGUAQg*", "*4ARQB0AC4AdwBlAEIA*", "*uAEUAdAAuAHcAZQBCA*", "*TgBFAHQALgB3AGUAQg*", "*OAEUAdAAuAHcAZQBCA*", "*bgBlAFQALgB3AGUAQg*", "*4AZQBUAC4AdwBlAEIA*", "*uAGUAVAAuAHcAZQBCA*", "*TgBlAFQALgB3AGUAQg*", "*OAGUAVAAuAHcAZQBCA*", "*bgBFAFQALgB3AGUAQg*", "*4ARQBUAC4AdwBlAEIA*", "*uAEUAVAAuAHcAZQBCA*", "*TgBFAFQALgB3AGUAQg*", "*OAEUAVAAuAHcAZQBCA*", "*bgBlAHQALgBXAGUAQg*", "*4AZQB0AC4AVwBlAEIA*", "*uAGUAdAAuAFcAZQBCA*", "*TgBlAHQALgBXAGUAQg*", "*OAGUAdAAuAFcAZQBCA*", "*bgBFAHQALgBXAGUAQg*", "*4ARQB0AC4AVwBlAEIA*", "*uAEUAdAAuAFcAZQBCA*", "*TgBFAHQALgBXAGUAQg*", "*OAEUAdAAuAFcAZQBCA*", "*bgBlAFQALgBXAGUAQg*", "*4AZQBUAC4AVwBlAEIA*", "*uAGUAVAAuAFcAZQBCA*", "*TgBlAFQALgBXAGUAQg*", "*OAGUAVAAuAFcAZQBCA*", "*bgBFAFQALgBXAGUAQg*", "*4ARQBUAC4AVwBlAEIA*", "*uAEUAVAAuAFcAZQBCA*", "*TgBFAFQALgBXAGUAQg*", "*OAEUAVAAuAFcAZQBCA*", "*bgBlAHQALgB3AEUAQg*", "*4AZQB0AC4AdwBFAEIA*", "*uAGUAdAAuAHcARQBCA*", "*TgBlAHQALgB3AEUAQg*", "*OAGUAdAAuAHcARQBCA*", "*bgBFAHQALgB3AEUAQg*", "*4ARQB0AC4AdwBFAEIA*", "*uAEUAdAAuAHcARQBCA*", "*TgBFAHQALgB3AEUAQg*", "*OAEUAdAAuAHcARQBCA*", "*bgBlAFQALgB3AEUAQg*", "*uAGUAVAAuAHcARQBCA*", "*bgBFAFQALgB3AEUAQg*", "*4ARQBUAC4AdwBFAEIA*", "*uAEUAVAAuAHcARQBCA*", "*TgBFAFQALgB3AEUAQg*", 
"*OAEUAVAAuAHcARQBCA*", "*TgBlAHQALgBXAEUAQg*", "*4AZQB0AC4AVwBFAEIA*", "*OAGUAdAAuAFcARQBCA*", "*bgBFAHQALgBXAEUAQg*", "*4ARQB0AC4AVwBFAEIA*", "*uAEUAdAAuAFcARQBCA*", "*TgBFAHQALgBXAEUAQg*", "*OAEUAdAAuAFcARQBCA*", "*bgBlAFQALgBXAEUAQg*", "*4AZQBUAC4AVwBFAEIA*", "*uAGUAVAAuAFcARQBCA*", "*TgBlAFQALgBXAEUAQg*", "*OAGUAVAAuAFcARQBCA*", "*bgBFAFQALgBXAEUAQg*", "*4ARQBUAC4AVwBFAEIA*", "*uAEUAVAAuAFcARQBCA*") | fields - _raw | collect index=notable_events source="Net WebClient Casing Anomalies" marker="guid=c86133ad-4725-4bd0-8170-210788e0a7ba,tags=attack.execution,tags=attack.t1059.001," +[Automated Collection Command Prompt] +description = Once established within a system or network, an adversary may use automated techniques for collecting internal data. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*.doc*", "*.docx*", "*.xls*", "*.xlsx*", "*.ppt*", "*.pptx*", "*.rtf*", "*.pdf*", "*.txt*") (CommandLine="*dir *" CommandLine="* /b *" CommandLine="* /s *") OR (OriginalFileName="FINDSTR.EXE" CommandLine IN ("* /e *", "* /si *")) | fields - _raw | collect index=notable_events source="Automated Collection Command Prompt" marker="guid=f576a613-2392-4067-9d1a-9345fb58d8d1,tags=attack.collection,tags=attack.t1119,tags=attack.credential-access,tags=attack.t1552.001," +[PUA - Chisel Tunneling Tool Execution] +description = Detects usage of the Chisel tunneling tool via the commandline arguments +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\chisel.exe" OR (CommandLine IN ("*exe client *", "*exe server *") CommandLine IN ("*-socks5*", "*-reverse*", "* r:*", "*:127.0.0.1:*", "*-tls-skip-verify *", "*:socks*")) | fields - _raw | collect index=notable_events source="PUA - Chisel Tunneling Tool Execution" marker="guid=8b0e12da-d3c3-49db-bb4f-256703f380e5,tags=attack.command-and-control,tags=attack.t1090.001," +[Direct Autorun Keys Modification] 
+description = Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" CommandLine="*add*" CommandLine IN ("*\\software\\Microsoft\\Windows\\CurrentVersion\\Run*", "*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit*", "*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell*", "*\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows*", "*\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*", "*\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell*") | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Direct Autorun Keys Modification" marker="guid=24357373-078f-44ed-9ac4-6d334a668a11,tags=attack.persistence,tags=attack.t1547.001," +[IIS Native-Code Module Command Line Installation] +description = Detects suspicious IIS native-code module installations via command line +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\appcmd.exe" OR OriginalFileName="appcmd.exe" CommandLine="*install*" CommandLine="*module*" CommandLine="*-name:*" OR CommandLine="*/name:*" OR CommandLine="*–name:*" OR CommandLine="*—name:*" OR CommandLine="*―name:*" NOT ParentImage="C:\\Windows\\System32\\inetsrv\\iissetup.exe" | fields - _raw | collect index=notable_events source="IIS Native-Code Module Command Line Installation" marker="guid=9465ddf4-f9e4-4ebd-8d98-702df3a93239,tags=attack.persistence,tags=attack.t1505.003," +[Potential Persistence Via Logon Scripts - CommandLine] +description = Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*UserInitMprLogonScript*" | fields - _raw | collect 
index=notable_events source="Potential Persistence Via Logon Scripts - CommandLine" marker="guid=21d856f9-9281-4ded-9377-51a1a6e2a432,tags=attack.persistence,tags=attack.t1037.001," +[HackTool - CrackMapExec Execution Patterns] +description = Detects various execution patterns of the CrackMapExec pentesting framework +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1*", "*cmd.exe /C * > \\\\*\\*\\* 2>&1*", "*cmd.exe /C * > *\\Temp\\* 2>&1*", "*powershell.exe -exec bypass -noni -nop -w 1 -C \"*", "*powershell.exe -noni -nop -w 1 -enc *") | fields - _raw | collect index=notable_events source="HackTool - CrackMapExec Execution Patterns" marker="guid=058f4380-962d-40a5-afce-50207d36d7e2,tags=attack.execution,tags=attack.t1047,tags=attack.t1053,tags=attack.t1059.003,tags=attack.t1059.001,tags=attack.s0106," +[Copying Sensitive Files with Credential Data] +description = Files with well-known filenames (sensitive files with credential data) copying +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\esentutl.exe" OR OriginalFileName="\\esentutl.exe" CommandLine="*vss*" OR CommandLine="* -m *" OR CommandLine="* /m *" OR CommandLine="* –m *" OR CommandLine="* —m *" OR CommandLine="* ―m *" OR CommandLine="* -y *" OR CommandLine="* /y *" OR CommandLine="* –y *" OR CommandLine="* —y *" OR CommandLine="* ―y *") OR CommandLine IN ("*\\config\\RegBack\\sam*", "*\\config\\RegBack\\security*", "*\\config\\RegBack\\system*", "*\\config\\sam*", "*\\config\\security*", "*\\config\\system *", "*\\repair\\sam*", "*\\repair\\security*", "*\\repair\\system*", "*\\windows\\ntds\\ntds.dit*") | fields - _raw | collect index=notable_events source="Copying Sensitive Files with Credential Data" 
marker="guid=e7be6119-fc37-43f0-ad4f-1f3f99be2f9f,tags=attack.credential-access,tags=attack.t1003.002,tags=attack.t1003.003,tags=car.2013-07-001,tags=attack.s0404," +[HackTool - Sliver C2 Implant Activity Pattern] +description = Detects process activity patterns as seen being used by Sliver C2 framework implants +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*" | fields - _raw | collect index=notable_events source="HackTool - Sliver C2 Implant Activity Pattern" marker="guid=42333b2c-b425-441c-b70e-99404a17170f,tags=attack.execution,tags=attack.t1059," +[Ruby Inline Command Execution] +description = Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ruby.exe" OR OriginalFileName="ruby.exe" CommandLine="* -e*" | fields - _raw | collect index=notable_events source="Ruby Inline Command Execution" marker="guid=20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8,tags=attack.execution,tags=attack.t1059," +[Suspicious Windows Trace ETW Session Tamper Via Logman.EXE] +description = Detects the execution of "logman" utility in order to disable or delete Windows trace sessions +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\logman.exe" OR OriginalFileName="Logman.exe" CommandLine IN ("*stop *", "*delete *") CommandLine IN ("*Circular Kernel Context Logger*", "*EventLog-*", "*SYSMON TRACE*", "*SysmonDnsEtwSession*") | fields - _raw | collect index=notable_events source="Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" marker="guid=cd1f961e-0b96-436b-b7c6-38da4583ec00,tags=attack.defense-evasion,tags=attack.t1562.001,tags=attack.t1070.001," +[Suspicious Obfuscated PowerShell Code] +description = 
Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*IAAtAGIAeABvAHIAIAAwAHgA*", "*AALQBiAHgAbwByACAAMAB4A*", "*gAC0AYgB4AG8AcgAgADAAeA*", "*AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg*", "*AuAEkAbgB2AG8AawBlACgAKQAgAHwAI*", "*ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC*", "*AHsAMQB9AHsAMAB9ACIAIAAtAGYAI*", "*B7ADEAfQB7ADAAfQAiACAALQBmAC*", "*AewAxAH0AewAwAH0AIgAgAC0AZgAg*", "*AHsAMAB9AHsAMwB9ACIAIAAtAGYAI*", "*B7ADAAfQB7ADMAfQAiACAALQBmAC*", "*AewAwAH0AewAzAH0AIgAgAC0AZgAg*", "*AHsAMgB9AHsAMAB9ACIAIAAtAGYAI*", "*B7ADIAfQB7ADAAfQAiACAALQBmAC*", "*AewAyAH0AewAwAH0AIgAgAC0AZgAg*", "*AHsAMQB9AHsAMAB9ACcAIAAtAGYAI*", "*B7ADEAfQB7ADAAfQAnACAALQBmAC*", "*AewAxAH0AewAwAH0AJwAgAC0AZgAg*", "*AHsAMAB9AHsAMwB9ACcAIAAtAGYAI*", "*B7ADAAfQB7ADMAfQAnACAALQBmAC*", "*AewAwAH0AewAzAH0AJwAgAC0AZgAg*", "*AHsAMgB9AHsAMAB9ACcAIAAtAGYAI*", "*B7ADIAfQB7ADAAfQAnACAALQBmAC*", "*AewAyAH0AewAwAH0AJwAgAC0AZgAg*") | fields - _raw | collect index=notable_events source="Suspicious Obfuscated PowerShell Code" marker="guid=8d01b53f-456f-48ee-90f6-bc28e67d4e35,tags=attack.defense-evasion," +[Usage Of Web Request Commands And Cmdlets] +description = Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*[System.Net.WebRequest]::create*", "*curl *", "*Invoke-RestMethod*", "*Invoke-WebRequest*", "*iwr *", "*Net.WebClient*", "*Resume-BitsTransfer*", "*Start-BitsTransfer*", "*wget *", "*WinHttp.WinHttpRequest*") | fields - _raw | collect index=notable_events source="Usage Of Web Request Commands And Cmdlets" marker="guid=9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d,tags=attack.execution,tags=attack.t1059.001," +[Detected Windows Software Discovery] +description = 
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" CommandLine="*query*" CommandLine="*\\software\\*" CommandLine="*/v*" CommandLine="*svcversion*" | fields - _raw | collect index=notable_events source="Detected Windows Software Discovery" marker="guid=e13f668e-7f95-443d-98d2-1816a7648a7b,tags=attack.discovery,tags=attack.t1518," +[Exports Registry Key To a File] +description = Detects the export of the target Registry key to a file. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regedit.exe" OR OriginalFileName="REGEDIT.EXE" CommandLine="* -E *" OR CommandLine="* /E *" OR CommandLine="* –E *" OR CommandLine="* —E *" OR CommandLine="* ―E *" NOT (CommandLine IN ("*hklm*", "*hkey_local_machine*") CommandLine IN ("*\\system", "*\\sam", "*\\security")) | table ParentImage,CommandLine | fields - _raw | collect index=notable_events source="Exports Registry Key To a File" marker="guid=f0e53e89-8d22-46ea-9db5-9d4796ee2f8a,tags=attack.exfiltration,tags=attack.t1012," +[Renamed Vmnat.exe Execution] +description = Detects renamed vmnat.exe or portable version that can be used for DLL side-loading +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="vmnat.exe" NOT Image="*vmnat.exe" | fields - _raw | collect index=notable_events source="Renamed Vmnat.exe Execution" marker="guid=7b4f794b-590a-4ad4-ba18-7964a2832205,tags=attack.defense-evasion,tags=attack.t1574.002," +[Rundll32 Execution With Uncommon DLL Extension] +description = Detects the execution of rundll32 with a command line that doesn't contain a common extension +search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" NOT (CommandLine!=* OR CommandLine="" OR CommandLine IN ("*.cpl *", "*.cpl,*", "*.cpl\"*", "*.cpl'*", "*.dll *", "*.dll,*", "*.dll\"*", "*.dll'*", "*.inf *", "*.inf,*", "*.inf\"*", "*.inf'*") OR CommandLine IN ("*.cpl", "*.dll", "*.inf") OR CommandLine="* -localserver *" OR (ParentImage="*\\msiexec.exe" CommandLine="*:\\Windows\\Installer\\*" CommandLine="*.tmp*" CommandLine="*zzzzInvokeManagedCustomActionOutOfProc*")) NOT (ParentCommandLine="*:\\Users\\*" ParentCommandLine="*\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{*" ParentCommandLine="*\\EDGEMITMP_*" ParentCommandLine="*.tmp\\setup.exe*" ParentCommandLine="*--install-archive=*" ParentCommandLine="*--previous-version=*" ParentCommandLine="*--msedgewebview --verbose-logging --do-not-launch-msedge --user-level*") | fields - _raw | collect index=notable_events source="Rundll32 Execution With Uncommon DLL Extension" marker="guid=c3a99af4-35a9-4668-879e-c09aeb4f2bdf,tags=attack.defense-evasion,tags=attack.t1218.011," +[Replace.exe Usage] +description = Detects the use of Replace.exe which can be used to replace file with another file +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\replace.exe" CommandLine="*-a*" OR CommandLine="*/a*" OR CommandLine="*–a*" OR CommandLine="*—a*" OR CommandLine="*―a*" | fields - _raw | collect index=notable_events source="Replace.exe Usage" marker="guid=9292293b-8496-4715-9db6-37028dcda4b3,tags=attack.command-and-control,tags=attack.t1105," +[File Download And Execution Via IEExec.EXE] +description = Detects execution of the IEExec utility to download and execute files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\IEExec.exe" OR OriginalFileName="IEExec.exe" CommandLine IN ("*http://*", "*https://*") | fields - _raw | collect 
index=notable_events source="File Download And Execution Via IEExec.EXE" marker="guid=9801abb8-e297-4dbf-9fbd-57dde0e830ad,tags=attack.command-and-control,tags=attack.t1105," +[Regsvr32 Execution From Highly Suspicious Location] +description = Detects execution of regsvr32 where the DLL is located in a highly suspicious locations +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regsvr32.exe" OR OriginalFileName="REGSVR32.EXE" CommandLine IN ("*:\\PerfLogs\\*", "*:\\Temp\\*", "*\\Windows\\Registration\\CRMLog*", "*\\Windows\\System32\\com\\dmp\\*", "*\\Windows\\System32\\FxsTmp\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\Tasks_Migrated\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\*", "*\\Windows\\SysWOW64\\com\\dmp\\*", "*\\Windows\\SysWOW64\\FxsTmp\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\*", "*\\Windows\\Tasks\\*", "*\\Windows\\Tracing\\*") OR (CommandLine IN ("* \"C:\\*", "* C:\\*", "* 'C:\\*", "*D:\\*") NOT (CommandLine IN ("*C:\\Program Files (x86)\\*", "*C:\\Program Files\\*", "*C:\\ProgramData\\*", "*C:\\Users\\*", "* C:\\Windows\\*", "* \"C:\\Windows\\*", "* 'C:\\Windows\\*"))) NOT (CommandLine="" OR CommandLine!=*) | fields - _raw | collect index=notable_events source="Regsvr32 Execution From Highly Suspicious Location" marker="guid=327ff235-94eb-4f06-b9de-aaee571324be,tags=attack.defense-evasion,tags=attack.t1218.010," +[UAC Bypass via ICMLuaUtil] +description = Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\dllhost.exe" ParentCommandLine IN 
("*/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*", "*/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}*") NOT (Image="*\\WerFault.exe" OR OriginalFileName="WerFault.exe") | fields - _raw | collect index=notable_events source="UAC Bypass via ICMLuaUtil" marker="guid=49f2f17b-b4c8-4172-a68b-d5bf95d05130,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[Suspicious ScreenSave Change by Reg.exe] +description = Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" CommandLine IN ("*HKEY_CURRENT_USER\\Control Panel\\Desktop*", "*HKCU\\Control Panel\\Desktop*") (CommandLine="*/v ScreenSaveActive*" CommandLine="*/t REG_SZ*" CommandLine="*/d 1*" CommandLine="*/f*") OR (CommandLine="*/v ScreenSaveTimeout*" CommandLine="*/t REG_SZ*" CommandLine="*/d *" CommandLine="*/f*") OR (CommandLine="*/v ScreenSaverIsSecure*" CommandLine="*/t REG_SZ*" CommandLine="*/d 0*" CommandLine="*/f*") OR (CommandLine="*/v SCRNSAVE.EXE*" CommandLine="*/t REG_SZ*" CommandLine="*/d *" CommandLine="*.scr*" CommandLine="*/f*") | fields - _raw | collect index=notable_events source="Suspicious ScreenSave Change by Reg.exe" marker="guid=0fc35fc3-efe6-4898-8a37-0b233339524f,tags=attack.privilege-escalation,tags=attack.t1546.002," +[Potential Powershell ReverseShell Connection] +description = Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") OR Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine="* Net.Sockets.TCPClient*" CommandLine="*.GetStream(*" CommandLine="*.Write(*" | fields - _raw | collect index=notable_events source="Potential Powershell ReverseShell Connection" marker="guid=edc2f8ae-2412-4dfd-b9d5-0c57727e70be,tags=attack.execution,tags=attack.t1059.001," +[Potential Rundll32 Execution With DLL Stored In ADS] +description = Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS). +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE"\ +| regex CommandLine="[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:" | fields - _raw | collect index=notable_events source="Potential Rundll32 Execution With DLL Stored In ADS" marker="guid=9248c7e1-2bf3-4661-a22c-600a8040b446,tags=attack.defense-evasion,tags=attack.t1564.004," +[Bypass UAC via WSReset.exe] +description = Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\wsreset.exe" NOT (Image="*\\conhost.exe" OR OriginalFileName="CONHOST.EXE") | fields - _raw | collect index=notable_events source="Bypass UAC via WSReset.exe" marker="guid=d797268e-28a9-49a7-b9a8-2f5039011c5c,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1548.002," +[Suspicious Mstsc.EXE Execution With Local RDP File] +description = Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\mstsc.exe" OR OriginalFileName="mstsc.exe" CommandLine IN ("*.rdp", "*.rdp\"") CommandLine IN ("*:\\Users\\Public\\*", "*:\\Windows\\System32\\spool\\drivers\\color*", "*:\\Windows\\System32\\Tasks_Migrated *", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*:\\Windows\\Tracing\\*", "*\\AppData\\Local\\Temp\\*", "*\\Downloads\\*") | fields - _raw | collect index=notable_events source="Suspicious Mstsc.EXE Execution With Local RDP File" marker="guid=6e22722b-dfb1-4508-a911-49ac840b40f8,tags=attack.command-and-control,tags=attack.t1219," +[LSASS Process Reconnaissance Via Findstr.EXE] +description = Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image IN ("*\\find.exe", "*\\findstr.exe") OR OriginalFileName IN ("FIND.EXE", "FINDSTR.EXE") CommandLine="*lsass*") OR CommandLine="* -i \"lsass*" OR CommandLine="* /i \"lsass*" OR CommandLine="* –i \"lsass*" OR CommandLine="* —i \"lsass*" OR CommandLine="* ―i \"lsass*" OR CommandLine="* -i lsass.exe*" OR CommandLine="* /i lsass.exe*" OR CommandLine="* –i lsass.exe*" OR CommandLine="* —i lsass.exe*" OR CommandLine="* ―i lsass.exe*" OR CommandLine="*findstr \"lsass*" OR CommandLine="*findstr lsass*" OR CommandLine="*findstr.exe \"lsass*" OR CommandLine="*findstr.exe lsass*" | fields - _raw | collect index=notable_events source="LSASS Process Reconnaissance Via Findstr.EXE" marker="guid=fe63010f-8823-4864-a96b-a7b4a0f7b929,tags=attack.credential-access,tags=attack.t1552.006," +[Abuse of Service Permissions to Hide Services Via Set-Service] +description = Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. 
(Works only in powershell 7) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\pwsh.exe" OR OriginalFileName="pwsh.dll" CommandLine="*Set-Service *" CommandLine="*DCLCWPDTSD*" CommandLine IN ("*-SecurityDescriptorSddl *", "*-sd *") | fields - _raw | collect index=notable_events source="Abuse of Service Permissions to Hide Services Via Set-Service" marker="guid=514e4c3a-c77d-4cde-a00f-046425e2301e,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1574.011," +[Suspicious Execution of Shutdown] +description = Use of the commandline to shutdown or reboot windows +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\shutdown.exe" CommandLine IN ("*/r *", "*/s *") | fields - _raw | collect index=notable_events source="Suspicious Execution of Shutdown" marker="guid=34ebb878-1b15-4895-b352-ca2eeb99b274,tags=attack.impact,tags=attack.t1529," +[Suspicious Serv-U Process Pattern] +description = Detects a suspicious process pattern which could be a sign of an exploited Serv-U service +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\Serv-U.exe" Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\schtasks.exe", "*\\regsvr32.exe", "*\\wmic.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\msiexec.exe", "*\\forfiles.exe", "*\\scriptrunner.exe") | fields - _raw | collect index=notable_events source="Suspicious Serv-U Process Pattern" marker="guid=58f4ea09-0fc2-4520-ba18-b85c540b0eaf,tags=attack.credential-access,tags=attack.t1555,tags=cve.2021-35211," +[Potential Network Sniffing Activity Using Network Tools] +description = Detects potential network sniffing via use of network tools such as "tshark", "windump". 
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\tshark.exe" CommandLine="*-i*") OR Image="*\\windump.exe" | fields - _raw | collect index=notable_events source="Potential Network Sniffing Activity Using Network Tools" marker="guid=ba1f7802-adc7-48b4-9ecb-81e227fddfd5,tags=attack.credential-access,tags=attack.discovery,tags=attack.t1040," +[Arbitrary File Download Via PresentationHost.EXE] +description = Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\presentationhost.exe" OR OriginalFileName="PresentationHost.exe" CommandLine IN ("*http://*", "*https://*", "*ftp://*") | fields - _raw | collect index=notable_events source="Arbitrary File Download Via PresentationHost.EXE" marker="guid=b124ddf4-778d-418e-907f-6dd3fc0d31cd,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218," +[Insecure Proxy/DOH Transfer Via Curl.EXE] +description = Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\curl.exe" OR OriginalFileName="curl.exe" CommandLine IN ("*--doh-insecure*", "*--proxy-insecure*") | fields - _raw | collect index=notable_events source="Insecure Proxy/DOH Transfer Via Curl.EXE" marker="guid=2c1486f5-02e8-4f86-9099-b97f2da4ed77,tags=attack.execution," +[Greedy File Deletion Using Del] +description = Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine IN ("*del *", "*erase *") CommandLine IN ("*\\\*.au3*", "*\\\*.dll*", "*\\\*.exe*", "*\\\*.js*") | fields - _raw | collect index=notable_events source="Greedy File Deletion Using Del" marker="guid=204b17ae-4007-471b-917b-b917b315c5db,tags=attack.defense-evasion,tags=attack.t1070.004," +[VeeamBackup Database Credentials Dump Via Sqlcmd.EXE] +description = Detects dump of credentials in VeeamBackup dbo +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sqlcmd.exe" CommandLine="*SELECT*" CommandLine="*TOP*" CommandLine="*[VeeamBackup].[dbo].[Credentials]*" | fields - _raw | collect index=notable_events source="VeeamBackup Database Credentials Dump Via Sqlcmd.EXE" marker="guid=b57ba453-b384-4ab9-9f40-1038086b4e53,tags=attack.collection,tags=attack.t1005," +[Suspicious Download from Office Domain] +description = Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\curl.exe", "*\\wget.exe") OR CommandLine IN 
("*Invoke-WebRequest*", "*iwr *", "*curl *", "*wget *", "*Start-BitsTransfer*", "*.DownloadFile(*", "*.DownloadString(*") CommandLine IN ("*https://attachment.outlook.live.net/owa/*", "*https://onenoteonlinesync.onenote.com/onenoteonlinesync/*") | fields - _raw | collect index=notable_events source="Suspicious Download from Office Domain" marker="guid=00d49ed5-4491-4271-a8db-650a4ef6f8c1,tags=attack.command-and-control,tags=attack.t1105,tags=attack.t1608," +[Security Privileges Enumeration Via Whoami.EXE] +description = Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\whoami.exe" OR OriginalFileName="whoami.exe" CommandLine IN ("* /priv*", "* -priv*") | fields - _raw | collect index=notable_events source="Security Privileges Enumeration Via Whoami.EXE" marker="guid=97a80ec7-0e2f-4d05-9ef4-65760e634f6b,tags=attack.privilege-escalation,tags=attack.discovery,tags=attack.t1033," +[Potential Binary Impersonating Sysinternals Tools] +description = Detects binaries that use the same name as legitimate sysinternals tools to evade detection +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\accesschk.exe", "*\\accesschk64.exe", "*\\AccessEnum.exe", "*\\ADExplorer.exe", "*\\ADExplorer64.exe", "*\\ADInsight.exe", "*\\ADInsight64.exe", "*\\adrestore.exe", "*\\adrestore64.exe", "*\\Autologon.exe", "*\\Autologon64.exe", "*\\Autoruns.exe", "*\\Autoruns64.exe", "*\\autorunsc.exe", "*\\autorunsc64.exe", "*\\Bginfo.exe", "*\\Bginfo64.exe", "*\\Cacheset.exe", "*\\Cacheset64.exe", "*\\Clockres.exe", "*\\Clockres64.exe", "*\\Contig.exe", "*\\Contig64.exe", "*\\Coreinfo.exe", "*\\Coreinfo64.exe", "*\\CPUSTRES.EXE", "*\\CPUSTRES64.EXE", "*\\ctrl2cap.exe", "*\\Dbgview.exe", 
"*\\dbgview64.exe", "*\\Desktops.exe", "*\\Desktops64.exe", "*\\disk2vhd.exe", "*\\disk2vhd64.exe", "*\\diskext.exe", "*\\diskext64.exe", "*\\Diskmon.exe", "*\\Diskmon64.exe", "*\\DiskView.exe", "*\\DiskView64.exe", "*\\du.exe", "*\\du64.exe", "*\\efsdump.exe", "*\\FindLinks.exe", "*\\FindLinks64.exe", "*\\handle.exe", "*\\handle64.exe", "*\\hex2dec.exe", "*\\hex2dec64.exe", "*\\junction.exe", "*\\junction64.exe", "*\\ldmdump.exe", "*\\listdlls.exe", "*\\listdlls64.exe", "*\\livekd.exe", "*\\livekd64.exe", "*\\loadOrd.exe", "*\\loadOrd64.exe", "*\\loadOrdC.exe", "*\\loadOrdC64.exe", "*\\logonsessions.exe", "*\\logonsessions64.exe", "*\\movefile.exe", "*\\movefile64.exe", "*\\notmyfault.exe", "*\\notmyfault64.exe", "*\\notmyfaultc.exe", "*\\notmyfaultc64.exe", "*\\ntfsinfo.exe", "*\\ntfsinfo64.exe", "*\\pendmoves.exe", "*\\pendmoves64.exe", "*\\pipelist.exe", "*\\pipelist64.exe", "*\\portmon.exe", "*\\procdump.exe", "*\\procdump64.exe", "*\\procexp.exe", "*\\procexp64.exe", "*\\Procmon.exe", "*\\Procmon64.exe", "*\\psExec.exe", "*\\psExec64.exe", "*\\psfile.exe", "*\\psfile64.exe", "*\\psGetsid.exe", "*\\psGetsid64.exe", "*\\psInfo.exe", "*\\psInfo64.exe", "*\\pskill.exe", "*\\pskill64.exe", "*\\pslist.exe", "*\\pslist64.exe", "*\\psLoggedon.exe", "*\\psLoggedon64.exe", "*\\psloglist.exe", "*\\psloglist64.exe", "*\\pspasswd.exe", "*\\pspasswd64.exe", "*\\psping.exe", "*\\psping64.exe", "*\\psService.exe", "*\\psService64.exe", "*\\psshutdown.exe", "*\\psshutdown64.exe", "*\\pssuspend.exe", "*\\pssuspend64.exe", "*\\RAMMap.exe", "*\\RDCMan.exe", "*\\RegDelNull.exe", "*\\RegDelNull64.exe", "*\\regjump.exe", "*\\ru.exe", "*\\ru64.exe", "*\\sdelete.exe", "*\\sdelete64.exe", "*\\ShareEnum.exe", "*\\ShareEnum64.exe", "*\\shellRunas.exe", "*\\sigcheck.exe", "*\\sigcheck64.exe", "*\\streams.exe", "*\\streams64.exe", "*\\strings.exe", "*\\strings64.exe", "*\\sync.exe", "*\\sync64.exe", "*\\Sysmon.exe", "*\\Sysmon64.exe", "*\\tcpvcon.exe", "*\\tcpvcon64.exe", 
"*\\tcpview.exe", "*\\tcpview64.exe", "*\\Testlimit.exe", "*\\Testlimit64.exe", "*\\vmmap.exe", "*\\vmmap64.exe", "*\\Volumeid.exe", "*\\Volumeid64.exe", "*\\whois.exe", "*\\whois64.exe", "*\\Winobj.exe", "*\\Winobj64.exe", "*\\ZoomIt.exe", "*\\ZoomIt64.exe") NOT (Company IN ("Sysinternals - www.sysinternals.com", "Sysinternals") OR Company!=*) | fields - _raw | collect index=notable_events source="Potential Binary Impersonating Sysinternals Tools" marker="guid=7cce6fc8-a07f-4d84-a53e-96e1879843c9,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1202," +[PUA - Advanced Port Scanner Execution] +description = Detects the use of Advanced Port Scanner. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\advanced_port_scanner*" OR OriginalFileName="*advanced_port_scanner*" OR Description="*Advanced Port Scanner*" OR (CommandLine="*/portable*" CommandLine="*/lng*") | fields - _raw | collect index=notable_events source="PUA - Advanced Port Scanner Execution" marker="guid=54773c5f-f1cc-4703-9126-2f797d96a69d,tags=attack.discovery,tags=attack.t1046,tags=attack.t1135," +[Arbitrary MSI Download Via Devinit.EXE] +description = Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* -t msi-install *" CommandLine="* -i http*" | fields - _raw | collect index=notable_events source="Arbitrary MSI Download Via Devinit.EXE" marker="guid=90d50722-0483-4065-8e35-57efaadd354d,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1218," +[Application Whitelisting Bypass via Dxcap.exe] +description = Detects execution of of Dxcap.exe +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\DXCap.exe" OR 
OriginalFileName="DXCap.exe" CommandLine="* -c *" | fields - _raw | collect index=notable_events source="Application Whitelisting Bypass via Dxcap.exe" marker="guid=60f16a96-db70-42eb-8f76-16763e333590,tags=attack.defense-evasion,tags=attack.t1218," +[Suspicious Shells Spawn by Java Utility Keytool] +description = Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\keytool.exe" Image IN ("*\\cmd.exe", "*\\sh.exe", "*\\bash.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\schtasks.exe", "*\\certutil.exe", "*\\whoami.exe", "*\\bitsadmin.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\scrcons.exe", "*\\regsvr32.exe", "*\\hh.exe", "*\\wmic.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\forfiles.exe", "*\\scriptrunner.exe", "*\\mftrace.exe", "*\\AppVLP.exe", "*\\systeminfo.exe", "*\\reg.exe", "*\\query.exe") | fields - _raw | collect index=notable_events source="Suspicious Shells Spawn by Java Utility Keytool" marker="guid=90fb5e62-ca1f-4e22-b42e-cc521874c938,tags=attack.initial-access,tags=attack.persistence,tags=attack.privilege-escalation," +[Potentially Suspicious Command Targeting Teams Sensitive Files] +description = Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*\\Microsoft\\Teams\\Cookies*", "*\\Microsoft\\Teams\\Local Storage\\leveldb*") NOT Image="*\\Microsoft\\Teams\\current\\Teams.exe" | fields - _raw | collect index=notable_events source="Potentially Suspicious Command Targeting Teams Sensitive Files" marker="guid=d2eb17db-1d39-41dc-b57f-301f6512fa75,tags=attack.credential-access,tags=attack.t1528," +[Suspicious Download From Direct IP Via Bitsadmin] +description = Detects usage of bitsadmin downloading a file using an URL that contains an IP +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\bitsadmin.exe" OR OriginalFileName="bitsadmin.exe" CommandLine IN ("* /transfer *", "* /create *", "* /addfile *") CommandLine IN ("*://1*", "*://2*", "*://3*", "*://4*", "*://5*", "*://6*", "*://7*", "*://8*", "*://9*") NOT CommandLine="*://7-*" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Download From Direct IP Via Bitsadmin" marker="guid=99c840f2-2012-46fd-9141-c761987550ef,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,tags=attack.s0190,tags=attack.t1036.003," +[ManageEngine Endpoint Central Dctask64.EXE Potential Abuse] +description = Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dctask64.exe" OR Hashes IN ("*6834B1B94E49701D77CCB3C0895E1AFD*", "*1BB6F93B129F398C7C4A76BB97450BBA*", "*FAA2AC19875FADE461C8D89DCF2710A3*", "*F1039CED4B91572AB7847D26032E6BBF*") CommandLine IN ("* executecmd64 *", "* invokeexe *", "* injectDll *") | fields - _raw | collect index=notable_events source="ManageEngine Endpoint Central Dctask64.EXE Potential Abuse" marker="guid=6345b048-8441-43a7-9bed-541133633d7a,tags=attack.defense-evasion,tags=attack.t1055.001," +[Rundll32 InstallScreenSaver Execution] +description = An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*InstallScreenSaver*" | fields - _raw | collect index=notable_events source="Rundll32 InstallScreenSaver Execution" marker="guid=15bd98ea-55f4-4d37-b09a-e7caa0fa2221,tags=attack.t1218.011,tags=attack.defense-evasion," +[Invoke-Obfuscation Via Stdin] +description = Detects Obfuscated Powershell via Stdin in Scripts +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1\ +| regex CommandLine="(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"" | fields - _raw | collect index=notable_events source="Invoke-Obfuscation Via Stdin" marker="guid=9c14c9fa-1a63-4a64-8e57-d19280559490,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[CMSTP UAC Bypass via COM Object Access] +description = Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. 
UACMe ID of 41, 43, 58 or 65) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\DllHost.exe" ParentCommandLine IN ("* /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*", "* /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}*", "* /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}*", "* /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}*", "* /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}*") IntegrityLevel IN ("High", "System") | fields - _raw | collect index=notable_events source="CMSTP UAC Bypass via COM Object Access" marker="guid=4b60e6f2-bf39-47b4-b4ea-398e33cfe253,tags=attack.execution,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,tags=attack.t1218.003,tags=attack.g0069,tags=car.2019-04-001," +[Potential NTLM Coercion Via Certutil.EXE] +description = Detects possible NTLM coercion via certutil using the 'syncwithWU' flag +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certutil.exe" OR OriginalFileName="CertUtil.exe" CommandLine="* -syncwithWU *" CommandLine="* \\\\*" | fields - _raw | collect index=notable_events source="Potential NTLM Coercion Via Certutil.EXE" marker="guid=6c6d9280-e6d0-4b9d-80ac-254701b64916,tags=attack.defense-evasion,tags=attack.t1218," +[Suspicious Rundll32 Activity Invoking Sys File] +description = Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*rundll32.exe*" CommandLine IN ("*.sys,*", "*.sys *") | fields - _raw | collect index=notable_events source="Suspicious Rundll32 Activity Invoking Sys File" marker="guid=731231b9-0b5d-4219-94dd-abb6959aa7ea,tags=attack.defense-evasion,tags=attack.t1218.011," +[HackTool - Empire PowerShell Launch Parameters] +description = Detects suspicious 
powershell command line parameters used in Empire +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("* -NoP -sta -NonI -W Hidden -Enc *", "* -noP -sta -w 1 -enc *", "* -NoP -NonI -W Hidden -enc *", "* -noP -sta -w 1 -enc*", "* -enc SQB*", "* -nop -exec bypass -EncodedCommand *") | fields - _raw | collect index=notable_events source="HackTool - Empire PowerShell Launch Parameters" marker="guid=79f4ede3-402e-41c8-bc3e-ebbf5f162581,tags=attack.execution,tags=attack.t1059.001," +[DSInternals Suspicious PowerShell Cmdlets] +description = Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Add-ADDBSidHistory*", "*Add-ADNgcKey*", "*Add-ADReplNgcKey*", "*ConvertFrom-ADManagedPasswordBlob*", "*ConvertFrom-GPPrefPassword*", "*ConvertFrom-ManagedPasswordBlob*", "*ConvertFrom-UnattendXmlPassword*", "*ConvertFrom-UnicodePassword*", "*ConvertTo-AADHash*", "*ConvertTo-GPPrefPassword*", "*ConvertTo-KerberosKey*", "*ConvertTo-LMHash*", "*ConvertTo-MsoPasswordHash*", "*ConvertTo-NTHash*", "*ConvertTo-OrgIdHash*", "*ConvertTo-UnicodePassword*", "*Disable-ADDBAccount*", "*Enable-ADDBAccount*", "*Get-ADDBAccount*", "*Get-ADDBBackupKey*", "*Get-ADDBDomainController*", "*Get-ADDBGroupManagedServiceAccount*", "*Get-ADDBKdsRootKey*", "*Get-ADDBSchemaAttribute*", "*Get-ADDBServiceAccount*", "*Get-ADDefaultPasswordPolicy*", "*Get-ADKeyCredential*", "*Get-ADPasswordPolicy*", "*Get-ADReplAccount*", "*Get-ADReplBackupKey*", "*Get-ADReplicationAccount*", "*Get-ADSIAccount*", "*Get-AzureADUserEx*", "*Get-BootKey*", "*Get-KeyCredential*", "*Get-LsaBackupKey*", "*Get-LsaPolicy*", "*Get-SamPasswordPolicy*", "*Get-SysKey*", "*Get-SystemKey*", "*New-ADDBRestoreFromMediaScript*", "*New-ADKeyCredential*", "*New-ADNgcKey*", "*New-NTHashSet*", "*Remove-ADDBObject*", "*Save-DPAPIBlob*", "*Set-ADAccountPasswordHash*", "*Set-ADDBAccountPassword*", "*Set-ADDBBootKey*", "*Set-ADDBDomainController*", "*Set-ADDBPrimaryGroup*", "*Set-ADDBSysKey*", "*Set-AzureADUserEx*", "*Set-LsaPolicy*", "*Set-SamAccountPasswordHash*", "*Set-WinUserPasswordHash*", "*Test-ADDBPasswordQuality*", "*Test-ADPasswordQuality*", "*Test-ADReplPasswordQuality*", "*Test-PasswordQuality*", "*Unlock-ADDBAccount*", "*Write-ADNgcKey*", "*Write-ADReplNgcKey*") | fields - _raw | collect index=notable_events source="DSInternals Suspicious PowerShell Cmdlets" marker="guid=43d91656-a9b2-4541-b7e2-6a9bd3a13f4e,tags=attack.execution,tags=attack.t1059.001," +[Remote Access Tool - ScreenConnect Server Web Shell 
Execution] +description = Detects potential web shell execution from the ScreenConnect server process. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\ScreenConnect.Service.exe" Image IN ("*\\cmd.exe", "*\\csc.exe") | fields - _raw | collect index=notable_events source="Remote Access Tool - ScreenConnect Server Web Shell Execution" marker="guid=b19146a3-25d4-41b4-928b-1e2a92641b1b,tags=attack.initial-access,tags=attack.t1190," +[HackTool - CrackMapExec Execution] +description = This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\crackmapexec.exe" OR CommandLine="* -M pe_inject *" OR (CommandLine="* --local-auth*" CommandLine="* -u *" CommandLine="* -x *") OR (CommandLine="* --local-auth*" CommandLine="* -u *" CommandLine="* -p *" CommandLine="* -H 'NTHASH'*") OR (CommandLine="* mssql *" CommandLine="* -u *" CommandLine="* -p *" CommandLine="* -M *" CommandLine="* -d *") OR (CommandLine="* smb *" CommandLine="* -u *" CommandLine="* -H *" CommandLine="* -M *" CommandLine="* -o *") OR (CommandLine="* smb *" CommandLine="* -u *" CommandLine="* -p *" CommandLine="* --local-auth*") OR (CommandLine="* --local-auth*" CommandLine="* -u *" CommandLine="* -p *" CommandLine="* 10.*" CommandLine="* 192.168.*" CommandLine="*/24 *") | table ComputerName,User,CommandLine | fields - _raw | collect index=notable_events source="HackTool - CrackMapExec Execution" marker="guid=42a993dd-bb3e-48c8-b372-4d6684c4106c,tags=attack.execution,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.credential-access,tags=attack.discovery,tags=attack.t1047,tags=attack.t1053,tags=attack.t1059.003,tags=attack.t1059.001,tags=attack.t1110,tags=attack.t1201," +[HackTool - SharpDPAPI Execution] +description = Detects the execution of the 
SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SharpDPAPI.exe" OR OriginalFileName="SharpDPAPI.exe" OR (CommandLine IN ("* backupkey *", "* blob *", "* certificates *", "* credentials *", "* keepass *", "* masterkeys *", "* rdg *", "* vaults *") (CommandLine="* {*" CommandLine="*}:*") OR CommandLine IN ("* /file:*", "* /machine*", "* /mkfile:*", "* /password:*", "* /pvk:*", "* /server:*", "* /target:*", "* /unprotect*")) | fields - _raw | collect index=notable_events source="HackTool - SharpDPAPI Execution" marker="guid=c7d33b50-f690-4b51-8cfb-0fb912a31e57,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1134.001,tags=attack.t1134.003," +[Capture Credentials with Rpcping.exe] +description = Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rpcping.exe" CommandLine="*-s*" OR CommandLine="*/s*" OR CommandLine="*–s*" OR CommandLine="*—s*" OR CommandLine="*―s*" (CommandLine="*-u*" OR CommandLine="*/u*" OR CommandLine="*–u*" OR CommandLine="*—u*" OR CommandLine="*―u*" CommandLine="*NTLM*") OR (CommandLine="*-t*" OR CommandLine="*/t*" OR CommandLine="*–t*" OR CommandLine="*—t*" OR CommandLine="*―t*" CommandLine="*ncacn_np*") | fields - _raw | collect index=notable_events source="Capture Credentials with Rpcping.exe" marker="guid=93671f99-04eb-4ab4-a161-70d446a84003,tags=attack.credential-access,tags=attack.t1003," +[Potentially Suspicious Rundll32 Activity] +description = Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*javascript:*" CommandLine="*.RegisterXLL*") OR (CommandLine="*url.dll*" CommandLine="*OpenURL*") OR (CommandLine="*url.dll*" CommandLine="*OpenURLA*") OR (CommandLine="*url.dll*" CommandLine="*FileProtocolHandler*") OR (CommandLine="*zipfldr.dll*" CommandLine="*RouteTheCall*") OR (CommandLine="*shell32.dll*" CommandLine="*Control_RunDLL*") OR (CommandLine="*shell32.dll*" CommandLine="*ShellExec_RunDLL*") OR (CommandLine="*mshtml.dll*" CommandLine="*PrintHTML*") OR (CommandLine="*advpack.dll*" CommandLine="*LaunchINFSection*") OR (CommandLine="*advpack.dll*" CommandLine="*RegisterOCX*") OR (CommandLine="*ieadvpack.dll*" CommandLine="*LaunchINFSection*") OR (CommandLine="*ieadvpack.dll*" CommandLine="*RegisterOCX*") OR (CommandLine="*ieframe.dll*" CommandLine="*OpenURL*") OR (CommandLine="*shdocvw.dll*" CommandLine="*OpenURL*") OR (CommandLine="*syssetup.dll*" CommandLine="*SetupInfObjectInstallAction*") OR (CommandLine="*setupapi.dll*" CommandLine="*InstallHinfSection*") OR (CommandLine="*pcwutl.dll*" 
CommandLine="*LaunchApplication*") OR (CommandLine="*dfshim.dll*" CommandLine="*ShOpenVerbApplication*") OR (CommandLine="*dfshim.dll*" CommandLine="*ShOpenVerbShortcut*") OR (CommandLine="*scrobj.dll*" CommandLine="*GenerateTypeLib*" CommandLine="*http*") OR (CommandLine="*shimgvw.dll*" CommandLine="*ImageView_Fullscreen*" CommandLine="*http*") OR (CommandLine="*comsvcs.dll*" CommandLine="*MiniDump*") NOT (CommandLine="*shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver*" OR (ParentImage="C:\\Windows\\System32\\control.exe" ParentCommandLine="*.cpl*" CommandLine="*Shell32.dll*" CommandLine="*Control_RunDLL*" CommandLine="*.cpl*") OR (ParentImage="C:\\Windows\\System32\\control.exe" CommandLine="\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Windows\\System32\\*" CommandLine="*.cpl\",")) | fields - _raw | collect index=notable_events source="Potentially Suspicious Rundll32 Activity" marker="guid=e593cf51-88db-4ee1-b920-37e89012a3c9,tags=attack.defense-evasion,tags=attack.t1218.011," +[Potential Provlaunch.EXE Binary Proxy Execution Abuse] +description = Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\provlaunch.exe" NOT (Image IN ("*\\calc.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\notepad.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR Image IN ("*:\\PerfLogs\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*\\AppData\\Temp\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*")) | fields - _raw | collect index=notable_events source="Potential Provlaunch.EXE Binary Proxy Execution Abuse" marker="guid=7f5d1c9a-3e83-48df-95a7-2b98aae6c13c,tags=attack.defense-evasion,tags=attack.t1218," +[PUA - Fast Reverse Proxy (FRP) Execution] +description = Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\frpc.exe", "*\\frps.exe") OR CommandLine="*\\frpc.ini*" OR Hashes IN ("*MD5=7D9C233B8C9E3F0EA290D2B84593C842*", "*SHA1=06DDC9280E1F1810677935A2477012960905942F*", "*SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C*") OR md5="7d9c233b8c9e3f0ea290d2b84593c842" OR sha1="06ddc9280e1f1810677935a2477012960905942f" OR sha256="57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c" | fields - _raw | collect index=notable_events source="PUA - Fast Reverse Proxy (FRP) Execution" marker="guid=32410e29-5f94-4568-b6a3-d91a8adad863,tags=attack.command-and-control,tags=attack.t1090," +[Potential SysInternals ProcDump Evasion] +description = Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*copy procdump*", "*move procdump*") OR 
(CommandLine="*copy *" CommandLine="*.dmp *" CommandLine IN ("*2.dmp*", "*lsass*", "*out.dmp*")) OR CommandLine IN ("*copy lsass.exe_*", "*move lsass.exe_*") | fields - _raw | collect index=notable_events source="Potential SysInternals ProcDump Evasion" marker="guid=79b06761-465f-4f88-9ef2-150e24d3d737,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1003.001," +[DumpMinitool Execution] +description = Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\DumpMinitool.exe", "*\\DumpMinitool.x86.exe", "*\\DumpMinitool.arm64.exe") OR OriginalFileName IN ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe") CommandLine IN ("* Full*", "* Mini*", "* WithHeap*") | fields - _raw | collect index=notable_events source="DumpMinitool Execution" marker="guid=dee0a7a3-f200-4112-a99b-952196d81e42,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1003.001," +[File Encryption Using Gpg4win] +description = Detects usage of Gpg4win to encrypt files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\gpg.exe", "*\\gpg2.exe") OR Description="GnuPG’s OpenPGP tool" CommandLine="* -c *" CommandLine="*passphrase*" | fields - _raw | collect index=notable_events source="File Encryption Using Gpg4win" marker="guid=550bbb84-ce5d-4e61-84ad-e590f0024dcd,tags=attack.execution," +[Delete Important Scheduled Task] +description = Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" CommandLine="*/delete*" CommandLine="*/tn*" CommandLine IN ("*\\Windows\\BitLocker*", "*\\Windows\\ExploitGuard*", 
"*\\Windows\\SystemRestore\\SR*", "*\\Windows\\UpdateOrchestrator\\*", "*\\Windows\\Windows Defender\\*", "*\\Windows\\WindowsBackup\\*", "*\\Windows\\WindowsUpdate\\*") | fields - _raw | collect index=notable_events source="Delete Important Scheduled Task" marker="guid=dbc1f800-0fe0-4bc0-9c66-292c2abe3f78,tags=attack.impact,tags=attack.t1489," +[HackTool - SharpView Execution] +description = Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="SharpView.exe" OR Image="*\\SharpView.exe" OR CommandLine IN ("*Add-RemoteConnection*", "*Convert-ADName*", "*ConvertFrom-SID*", "*ConvertFrom-UACValue*", "*Convert-SidToName*", "*Export-PowerViewCSV*", "*Find-DomainObjectPropertyOutlier*", "*Find-DomainProcess*", "*Find-DomainShare*", "*Find-DomainUserEvent*", "*Find-DomainUserLocation*", "*Find-ForeignGroup*", "*Find-ForeignUser*", "*Find-GPOComputerAdmin*", "*Find-GPOLocation*", "*Find-Interesting*", "*Find-LocalAdminAccess*", "*Find-ManagedSecurityGroups*", "*Get-CachedRDPConnection*", "*Get-DFSshare*", "*Get-DomainComputer*", "*Get-DomainController*", "*Get-DomainDFSShare*", "*Get-DomainDNSRecord*", "*Get-DomainFileServer*", "*Get-DomainForeign*", "*Get-DomainGPO*", "*Get-DomainGroup*", "*Get-DomainGUIDMap*", "*Get-DomainManagedSecurityGroup*", "*Get-DomainObject*", "*Get-DomainOU*", "*Get-DomainPolicy*", "*Get-DomainSID*", "*Get-DomainSite*", "*Get-DomainSPNTicket*", "*Get-DomainSubnet*", "*Get-DomainTrust*", "*Get-DomainUserEvent*", "*Get-ForestDomain*", "*Get-ForestGlobalCatalog*", "*Get-ForestTrust*", "*Get-GptTmpl*", "*Get-GroupsXML*", "*Get-LastLoggedOn*", "*Get-LoggedOnLocal*", "*Get-NetComputer*", "*Get-NetDomain*", "*Get-NetFileServer*", "*Get-NetForest*", "*Get-NetGPO*", "*Get-NetGroupMember*", "*Get-NetLocalGroup*", "*Get-NetLoggedon*", 
"*Get-NetOU*", "*Get-NetProcess*", "*Get-NetRDPSession*", "*Get-NetSession*", "*Get-NetShare*", "*Get-NetSite*", "*Get-NetSubnet*", "*Get-NetUser*", "*Get-PathAcl*", "*Get-PrincipalContext*", "*Get-RegistryMountedDrive*", "*Get-RegLoggedOn*", "*Get-WMIRegCachedRDPConnection*", "*Get-WMIRegLastLoggedOn*", "*Get-WMIRegMountedDrive*", "*Get-WMIRegProxy*", "*Invoke-ACLScanner*", "*Invoke-CheckLocalAdminAccess*", "*Invoke-Kerberoast*", "*Invoke-MapDomainTrust*", "*Invoke-RevertToSelf*", "*Invoke-Sharefinder*", "*Invoke-UserImpersonation*", "*Remove-DomainObjectAcl*", "*Remove-RemoteConnection*", "*Request-SPNTicket*", "*Set-DomainObject*", "*Test-AdminAccess*") | fields - _raw | collect index=notable_events source="HackTool - SharpView Execution" marker="guid=b2317cfa-4a47-4ead-b3ff-297438c0bc2d,tags=attack.discovery,tags=attack.t1049,tags=attack.t1069.002,tags=attack.t1482,tags=attack.t1135,tags=attack.t1033," +[Install New Package Via Winget Local Manifest] +description = Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\winget.exe" OR OriginalFileName="winget.exe" CommandLine IN ("*install*", "* add *") CommandLine IN ("*-m *", "*--manifest*") | fields - _raw | collect index=notable_events source="Install New Package Via Winget Local Manifest" marker="guid=313d6012-51a0-4d93-8dfc-de8553239e25,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1059,"
+[Computer Password Change Via Ksetup.EXE]
+description = Detects password change for the computer's domain account or host principal via "ksetup.exe"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ksetup.exe" OR OriginalFileName="ksetup.exe" CommandLine="* /setcomputerpassword *" | fields - _raw | collect index=notable_events source="Computer Password Change Via Ksetup.EXE" marker="guid=de16d92c-c446-4d53-8938-10aeef41c8b6,tags=attack.execution,"
+[Remote Access Tool - ScreenConnect Remote Command Execution]
+description = Detects the execution of a system command via the ScreenConnect RMM service.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\ScreenConnect.ClientService.exe" Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine="*\\TEMP\\ScreenConnect\\*" | fields - _raw | collect index=notable_events source="Remote Access Tool - ScreenConnect Remote Command Execution" marker="guid=b1f73849-6329-4069-bc8f-78a604bb8b23,tags=attack.execution,tags=attack.t1059.003,"
+[Rundll32 Spawned Via Explorer.EXE]
+description = Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\explorer.exe" Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" NOT (CommandLine IN ("* C:\\Windows\\System32\\*", "* -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617")) | fields - _raw | collect index=notable_events source="Rundll32 Spawned Via Explorer.EXE" marker="guid=1723e720-616d-4ddc-ab02-f7e3685a4713,tags=attack.defense-evasion,"
+[Potential Product Class Reconnaissance Via Wmic.EXE]
+description = Detects the execution of WMIC in order to get a list of firewall and antivirus products
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wmic.exe" OR OriginalFileName="wmic.exe" CommandLine IN ("*AntiVirusProduct*", "*FirewallProduct*") | fields - _raw | collect index=notable_events source="Potential Product Class Reconnaissance Via Wmic.EXE" marker="guid=e568650b-5dcd-4658-8f34-ded0b1e13992,tags=attack.execution,tags=attack.t1047,tags=car.2016-03-002,"
+[Suspicious Workstation Locking via Rundll32]
+description = Detects a suspicious call to the user32.dll function that locks the user workstation
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" ParentImage="*\\cmd.exe" CommandLine="*user32.dll,*" CommandLine="*LockWorkStation*" | table Image,ParentImage | fields - _raw | collect index=notable_events source="Suspicious Workstation Locking via Rundll32" marker="guid=3b5b0213-0460-4e3f-8937-3abf98ff7dcc,tags=attack.defense-evasion,"
+[Suspicious Userinit Child Process]
+description = Detects a suspicious child process of userinit
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\userinit.exe" NOT (CommandLine="*\\netlogon\\*" OR Image="*\\explorer.exe" OR OriginalFileName="explorer.exe") | table 
CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Userinit Child Process" marker="guid=b655a06a-31c0-477a-95c2-3726b83d649d,tags=attack.defense-evasion,tags=attack.t1055,"
+[Uncommon Link.EXE Parent Process]
+description = Detects an uncommon parent process of "LINK.EXE". Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location. By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\link.exe" CommandLine="*LINK /*" NOT (ParentImage IN ("C:\\Program Files\\Microsoft Visual Studio\\*", "C:\\Program Files (x86)\\Microsoft Visual Studio\\*") ParentImage IN ("*\\VC\\bin\\*", "*\\VC\\Tools\\*")) | fields - _raw | collect index=notable_events source="Uncommon Link.EXE Parent Process" marker="guid=6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6,tags=attack.defense-evasion,tags=attack.t1218,"
+[Suspicious Windows Defender Registry Key Tampering Via Reg.EXE]
+description = Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine IN ("*SOFTWARE\\Microsoft\\Windows Defender\\*", "*SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center*", "*SOFTWARE\\Policies\\Microsoft\\Windows Defender\\*") (CommandLine="* add *" 
CommandLine="*d 0*" CommandLine IN ("*DisallowExploitProtectionOverride*", "*EnableControlledFolderAccess*", "*MpEnablePus*", "*PUAProtection*", "*SpynetReporting*", "*SubmitSamplesConsent*", "*TamperProtection*")) OR (CommandLine="* add *" CommandLine="*d 1*" CommandLine IN ("*DisableAntiSpyware*", "*DisableAntiSpywareRealtimeProtection*", "*DisableAntiVirus*", "*DisableArchiveScanning*", "*DisableBehaviorMonitoring*", "*DisableBlockAtFirstSeen*", "*DisableConfig*", "*DisableEnhancedNotifications*", "*DisableIntrusionPreventionSystem*", "*DisableIOAVProtection*", "*DisableOnAccessProtection*", "*DisablePrivacyMode*", "*DisableRealtimeMonitoring*", "*DisableRoutinelyTakingAction*", "*DisableScanOnRealtimeEnable*", "*DisableScriptScanning*", "*Notification_Suppress*", "*SignatureDisableUpdateOnStartupWithoutEngine*")) | fields - _raw | collect index=notable_events source="Suspicious Windows Defender Registry Key Tampering Via Reg.EXE" marker="guid=452bce90-6fb0-43cc-97a5-affc283139b3,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Suspicious Outlook Child Process]
+description = Detects a suspicious process spawning from an Outlook process. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\OUTLOOK.EXE" Image IN ("*\\AppVLP.exe", "*\\bash.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\forfiles.exe", "*\\hh.exe", "*\\mftrace.exe", "*\\msbuild.exe", "*\\msdt.exe", "*\\mshta.exe", "*\\msiexec.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\schtasks.exe", "*\\scrcons.exe", "*\\scriptrunner.exe", "*\\sh.exe", "*\\svchost.exe", "*\\wmic.exe", "*\\wscript.exe") | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Outlook Child Process" marker="guid=208748f7-881d-47ac-a29c-07ea84bf691d,tags=attack.execution,tags=attack.t1204.002,"
+[File Encoded To Base64 Via Certutil.EXE]
+description = Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certutil.exe" OR OriginalFileName="CertUtil.exe" CommandLine="*-encode*" OR CommandLine="*/encode*" OR CommandLine="*–encode*" OR CommandLine="*—encode*" OR CommandLine="*―encode*" | fields - _raw | collect index=notable_events source="File Encoded To Base64 Via Certutil.EXE" marker="guid=e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a,tags=attack.defense-evasion,tags=attack.t1027,"
+[Harvesting Of Wifi Credentials Via Netsh.EXE]
+description = Detect the harvesting of wifi credentials using netsh.exe
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" CommandLine="*wlan*" CommandLine="* s*" CommandLine="* p*" CommandLine="* k*" CommandLine="*=clear*" | fields - _raw | collect index=notable_events source="Harvesting Of Wifi Credentials Via Netsh.EXE" 
marker="guid=42b1a5b8-353f-4f10-b256-39de4467faff,tags=attack.discovery,tags=attack.credential-access,tags=attack.t1040,"
+[PUA - DIT Snapshot Viewer]
+description = Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ditsnap.exe" OR CommandLine="*ditsnap.exe*" | fields - _raw | collect index=notable_events source="PUA - DIT Snapshot Viewer" marker="guid=d3b70aad-097e-409c-9df2-450f80dc476b,tags=attack.credential-access,tags=attack.t1003.003,"
+[Suspicious RunAs-Like Flag Combination]
+description = Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("* -u system *", "* --user system *", "* -u NT*", "* -u \"NT*", "* -u 'NT*", "* --system *", "* -u administrator *") CommandLine IN ("* -c cmd*", "* -c \"cmd*", "* -c powershell*", "* -c \"powershell*", "* --command cmd*", "* --command powershell*", "* -c whoami*", "* -c wscript*", "* -c cscript*") | fields - _raw | collect index=notable_events source="Suspicious RunAs-Like Flag Combination" marker="guid=50d66fb0-03f8-4da0-8add-84e77d12a020,tags=attack.privilege-escalation,"
+[Interesting Service Enumeration Via Sc.EXE]
+description = Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sc.exe" OR OriginalFileName="sc.exe" CommandLine="*query*" CommandLine="*termservice*" | fields - _raw | collect index=notable_events source="Interesting Service Enumeration Via Sc.EXE" marker="guid=e83e8899-c9b2-483b-b355-5decc942b959,tags=attack.t1003,"
+[File Download Using Notepad++ GUP Utility]
+description = Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\GUP.exe" OR OriginalFileName="gup.exe" CommandLine="* -unzipTo *" CommandLine="*http*" NOT ParentImage="*\\notepad++.exe" | fields - _raw | collect index=notable_events source="File Download Using Notepad++ GUP Utility" marker="guid=44143844-0631-49ab-97a0-96387d6b2d7c,tags=attack.command-and-control,tags=attack.t1105,"
+[Execute Files with Msdeploy.exe]
+description = Detects file execution using the msdeploy.exe lolbin
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*verb:sync*" CommandLine="*-source:RunCommand*" CommandLine="*-dest:runCommand*" Image="*\\msdeploy.exe" | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Execute Files with Msdeploy.exe" marker="guid=646bc99f-6682-4b47-a73a-17b1b64c9d34,tags=attack.defense-evasion,tags=attack.t1218,"
+[Suspicious Sigverif Execution]
+description = Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\sigverif.exe" | fields - _raw | collect index=notable_events source="Suspicious Sigverif Execution" 
marker="guid=7d4aaec2-08ed-4430-8b96-28420e030e04,tags=attack.defense-evasion,tags=attack.t1216,"
+[Service DACL Abuse To Hide Services Via Sc.EXE]
+description = Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sc.exe" OR OriginalFileName="sc.exe" CommandLine="*sdset*" CommandLine="*DCLCWPDTSD*" | fields - _raw | collect index=notable_events source="Service DACL Abuse To Hide Services Via Sc.EXE" marker="guid=a537cfc3-4297-4789-92b5-345bfd845ad0,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1574.011,"
+[Compress Data and Lock With Password for Exfiltration With 7-ZIP]
+description = An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="*7-Zip*" OR Image IN ("*\\7z.exe", "*\\7zr.exe", "*\\7za.exe") OR OriginalFileName IN ("7z.exe", "7za.exe") CommandLine="* -p*" CommandLine IN ("* a *", "* u *") | fields - _raw | collect index=notable_events source="Compress Data and Lock With Password for Exfiltration With 7-ZIP" marker="guid=9fbf5927-5261-4284-a71d-f681029ea574,tags=attack.collection,tags=attack.t1560.001,"
+[Suspicious Extrac32 Execution]
+description = Download or Copy file with Extrac32
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*extrac32.exe*" OR Image="*\\extrac32.exe" OR OriginalFileName="extrac32.exe" CommandLine="*.cab*" CommandLine IN ("*/C*", "*/Y*", "* \\\\*") | fields - _raw | collect index=notable_events source="Suspicious Extrac32 Execution" marker="guid=aa8e035d-7be4-48d3-a944-102aec04400d,tags=attack.command-and-control,tags=attack.t1105,"
+[PUA - 
NSudo Execution]
+description = Detects the use of NSudo tool for command execution
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\NSudo.exe", "*\\NSudoLC.exe", "*\\NSudoLG.exe") OR OriginalFileName IN ("NSudo.exe", "NSudoLC.exe", "NSudoLG.exe") CommandLine IN ("*-U:S *", "*-U:T *", "*-U:E *", "*-P:E *", "*-M:S *", "*-M:H *", "*-U=S *", "*-U=T *", "*-U=E *", "*-P=E *", "*-M=S *", "*-M=H *", "*-ShowWindowMode:Hide*") | fields - _raw | collect index=notable_events source="PUA - NSudo Execution" marker="guid=771d1eb5-9587-4568-95fb-9ec44153a012,tags=attack.execution,tags=attack.t1569.002,tags=attack.s0029,"
+[New Root Certificate Installed Via Certutil.EXE]
+description = Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certutil.exe" OR OriginalFileName="CertUtil.exe" CommandLine="*-addstore*" OR CommandLine="*/addstore*" OR CommandLine="*–addstore*" OR CommandLine="*—addstore*" OR CommandLine="*―addstore*" CommandLine="*root*" | fields - _raw | collect index=notable_events source="New Root Certificate Installed Via Certutil.EXE" marker="guid=d2125259-ddea-4c1c-9c22-977eb5b29cf0,tags=attack.defense-evasion,tags=attack.t1553.004,"
+[Non Interactive PowerShell Process Spawned]
+description = Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") NOT (ParentImage IN ("*:\\Windows\\explorer.exe", "*:\\Windows\\System32\\CompatTelRunner.exe", "*:\\Windows\\SysWOW64\\explorer.exe") OR ParentImage=":\\$WINDOWS.~BT\\Sources\\SetupHost.exe") NOT ((ParentImage="*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" ParentCommandLine="* --ms-enable-electron-run-as-node *") OR (ParentImage="*:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_*" ParentImage="*\\WindowsTerminal.exe")) | fields - _raw | collect index=notable_events source="Non Interactive PowerShell Process Spawned" marker="guid=f4bbd493-b796-416e-bbf2-121235348529,tags=attack.execution,tags=attack.t1059.001,"
+[Process Creation Using Sysnative Folder]
+description = Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*:\\Windows\\Sysnative\\*" OR Image="*:\\Windows\\Sysnative\\*" | fields - _raw | collect index=notable_events source="Process Creation Using Sysnative Folder" marker="guid=3c1b5fb0-c72f-45ba-abd1-4d4c353144ab,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1055,"
+[Potential Arbitrary Command Execution Via FTP.EXE]
+description = Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe". 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\ftp.exe" OR (Image="*\\ftp.exe" OR OriginalFileName="ftp.exe" CommandLine="*-s:*" OR CommandLine="*/s:*" OR CommandLine="*–s:*" OR CommandLine="*—s:*" OR CommandLine="*―s:*") | fields - _raw | collect index=notable_events source="Potential Arbitrary Command Execution Via FTP.EXE" marker="guid=06b401f4-107c-4ff9-947f-9ec1e7649f1e,tags=attack.execution,tags=attack.t1059,tags=attack.defense-evasion,tags=attack.t1202,"
+[LOLBIN Execution From Abnormal Drive]
+description = Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\calc.exe", "*\\certutil.exe", "*\\cmstp.exe", "*\\cscript.exe", "*\\installutil.exe", "*\\mshta.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR OriginalFileName IN ("CALC.EXE", "CertUtil.exe", "CMSTP.EXE", "cscript.exe", "installutil.exe", "MSHTA.EXE", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe") NOT (CurrentDirectory="*C:\\*" OR CurrentDirectory="" OR CurrentDirectory!=*) | fields - _raw | collect index=notable_events source="LOLBIN Execution From Abnormal Drive" marker="guid=d4ca7c59-e9e4-42d8-bf57-91a776efcb87,tags=attack.defense-evasion,"
+[Lolbin Runexehelper Use As Proxy]
+description = Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\runexehelper.exe" | fields - _raw | collect index=notable_events source="Lolbin Runexehelper Use As Proxy" marker="guid=cd71385d-fd9b-4691-9b98-2b1f7e508714,tags=attack.defense-evasion,tags=attack.t1218,"
+[Hacktool Execution - PE Metadata]
+description = Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) 
even if the files have been renamed
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Company="Cube0x0" | fields - _raw | collect index=notable_events source="Hacktool Execution - PE Metadata" marker="guid=37c1333a-a0db-48be-b64b-7393b2386e3b,tags=attack.credential-access,tags=attack.t1588.002,tags=attack.t1003,"
+[Suspicious Desktopimgdownldr Command]
+description = Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="* /lockscreenurl:*" NOT (CommandLine IN ("*.jpg*", "*.jpeg*", "*.png*"))) OR (CommandLine="*reg delete*" CommandLine="*\\PersonalizationCSP*") | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Desktopimgdownldr Command" marker="guid=bb58aa4a-b80b-415a-a2c0-2f65a4c81009,tags=attack.command-and-control,tags=attack.t1105,"
+[Suspicious Process Start Locations]
+description = Detects suspicious process run from unusual locations
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*:\\RECYCLER\\*", "*:\\SystemVolumeInformation\\*") OR Image IN ("C:\\Windows\\Tasks\\*", "C:\\Windows\\debug\\*", "C:\\Windows\\fonts\\*", "C:\\Windows\\help\\*", "C:\\Windows\\drivers\\*", "C:\\Windows\\addins\\*", "C:\\Windows\\cursors\\*", "C:\\Windows\\system32\\tasks\\*") | fields - _raw | collect index=notable_events source="Suspicious Process Start Locations" marker="guid=15b75071-74cc-47e0-b4c6-b43744a62a2b,tags=attack.defense-evasion,tags=attack.t1036,tags=car.2013-05-002,"
+[Windows Binary Executed From WSL]
+description = Detects the execution of Windows binaries from within a WSL instance. 
This could be used to masquerade parent-child relationships
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CurrentDirectory="*\\\\wsl.localhost*"\
+| regex Image="[a-zA-Z]:\\\\" | fields - _raw | collect index=notable_events source="Windows Binary Executed From WSL" marker="guid=ed825c86-c009-4014-b413-b76003e33d35,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1202,"
+[Renamed Plink Execution]
+description = Detects the execution of a renamed version of the Plink binary
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="Plink" OR (CommandLine="* -l forward*" CommandLine="* -P *" CommandLine="* -R *") NOT Image="*\\plink.exe" | fields - _raw | collect index=notable_events source="Renamed Plink Execution" marker="guid=1c12727d-02bf-45ff-a9f3-d49806a3cf43,tags=attack.defense-evasion,tags=attack.t1036,"
+[HackTool - Covenant PowerShell Launcher]
+description = Detects suspicious command lines used in Covenant luanchers
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*-Sta*" CommandLine="*-Nop*" CommandLine="*-Window*" CommandLine="*Hidden*" CommandLine IN ("*-Command*", "*-EncodedCommand*")) OR CommandLine IN ("*sv o (New-Object IO.MemorySteam);sv d *", "*mshta file.hta*", "*GruntHTTP*", "*-EncodedCommand cwB2ACAAbwAgA*") | fields - _raw | collect index=notable_events source="HackTool - Covenant PowerShell Launcher" marker="guid=c260b6db-48ba-4b4a-a76f-2f67644e99d2,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1059.001,tags=attack.t1564.003,"
+[Use Short Name Path in Command Line]
+description = Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid command-line detection
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*~1\\*", "*~2\\*") NOT (ParentImage IN ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe", "C:\\Program Files\\GPSoftware\\Directory Opus\\dopus.exe") OR ParentImage IN ("*\\WebEx\\WebexHost.exe", "*\\thor\\thor64.exe", "*\\veam.backup.shell.exe", "*\\winget.exe", "*\\Everything\\Everything.exe") OR ParentImage="*\\AppData\\Local\\Temp\\WinGet\\*" OR CommandLine IN ("*\\appdata\\local\\webex\\webex64\\meetings\\wbxreport.exe*", "*C:\\Program Files\\Git\\post-install.bat*", "*C:\\Program Files\\Git\\cmd\\scalar.exe*")) | fields - _raw | collect index=notable_events source="Use Short Name Path in Command Line" marker="guid=349d891d-fef0-4fe4-bc53-eee623a15969,tags=attack.defense-evasion,tags=attack.t1564.004,"
+[Mstsc.EXE Execution From Uncommon Parent]
+description = Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\brave.exe", "*\\CCleanerBrowser.exe", "*\\chrome.exe", "*\\chromium.exe", "*\\firefox.exe", "*\\iexplore.exe", "*\\microsoftedge.exe", "*\\msedge.exe", "*\\opera.exe", "*\\vivaldi.exe", "*\\whale.exe", "*\\outlook.exe") Image="*\\mstsc.exe" OR OriginalFileName="mstsc.exe" | fields - _raw | collect index=notable_events source="Mstsc.EXE Execution From Uncommon Parent" marker="guid=ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6,tags=attack.lateral-movement,"
+[Potential Execution of Sysinternals Tools]
+description = Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* -accepteula*" OR CommandLine="* /accepteula*" OR CommandLine="* –accepteula*" OR CommandLine="* —accepteula*" OR CommandLine="* ―accepteula*" | fields - _raw | collect index=notable_events source="Potential Execution of Sysinternals Tools" marker="guid=7cccd811-7ae9-4ebe-9afd-cb5c406b824b,tags=attack.resource-development,tags=attack.t1588.002,"
+[Suspicious Recursive Takeown]
+description = Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\takeown.exe" CommandLine="*/f *" CommandLine="*/r*" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious Recursive Takeown" marker="guid=554601fb-9b71-4bcc-abf4-21a611be4fde,tags=attack.defense-evasion,tags=attack.t1222.001,"
+[Renamed BrowserCore.EXE Execution]
+description = Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
+search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="BrowserCore.exe" NOT Image="*\\BrowserCore.exe" | fields - _raw | collect index=notable_events source="Renamed BrowserCore.EXE Execution" marker="guid=8a4519e8-e64a-40b6-ae85-ba8ad2177559,tags=attack.t1528,tags=attack.t1036.003,"
+[Copy From Or To Admin Share Or Sysvol Folder]
+description = Detects a copy command or a copy utility execution to or from an Admin share or remote
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*\\\\*$*", "*\\Sysvol\\*") Image IN ("*\\robocopy.exe", "*\\xcopy.exe") OR OriginalFileName IN ("robocopy.exe", "XCOPY.EXE") OR (Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine="*copy*") OR (Image IN ("*\\powershell.exe*", "*\\pwsh.exe*") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*copy-item*", "*copy *", "*cpi *", "* cp *", "*move *", "*move-item*", "* mi *", "* mv *")) | fields - _raw | collect index=notable_events source="Copy From Or To Admin Share Or Sysvol Folder" marker="guid=855bc8b5-2ae8-402e-a9ed-b889e6df1900,tags=attack.lateral-movement,tags=attack.collection,tags=attack.exfiltration,tags=attack.t1039,tags=attack.t1048,tags=attack.t1021.002,"
+[UAC Bypass Abusing Winsat Path Parsing - Process]
+description = Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 IntegrityLevel IN ("High", "System") ParentImage="*\\AppData\\Local\\Temp\\system32\\winsat.exe" ParentCommandLine="*C:\\Windows \\system32\\winsat.exe*" | fields - _raw | collect index=notable_events source="UAC Bypass Abusing Winsat Path Parsing - Process" marker="guid=7a01183d-71a2-46ad-ad5c-acd989ac1793,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,"
+[Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE] 
+description = Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\find.exe", "*\\findstr.exe") OR OriginalFileName IN ("FIND.EXE", "FINDSTR.EXE") CommandLine="* 385201*" | fields - _raw | collect index=notable_events source="Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE" marker="guid=37db85d1-b089-490a-a59a-c7b6f984f480,tags=attack.discovery,tags=attack.t1518.001,"
+[Use of VSIISExeLauncher.exe]
+description = The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\VSIISExeLauncher.exe" OR OriginalFileName="VSIISExeLauncher.exe" CommandLine IN ("* -p *", "* -a *") | fields - _raw | collect index=notable_events source="Use of VSIISExeLauncher.exe" marker="guid=18749301-f1c5-4efc-a4c3-276ff1f5b6f8,tags=attack.defense-evasion,tags=attack.t1127,"
+[Whoami.EXE Execution From Privileged Process]
+description = Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="whoami.exe" OR Image="*\\whoami.exe" User IN ("*AUTHORI*", "*AUTORI*", "*TrustedInstaller*") | fields - _raw | collect index=notable_events source="Whoami.EXE Execution From Privileged Process" marker="guid=79ce34ca-af29-4d0e-b832-fc1b377020db,tags=attack.privilege-escalation,tags=attack.discovery,tags=attack.t1033,"
+[Sysmon Configuration Update]
+description = Detects updates to Sysmon's configuration. 
Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\Sysmon64.exe", "*\\Sysmon.exe") OR Description="System activity monitor" CommandLine="*-c*" OR CommandLine="*/c*" OR CommandLine="*–c*" OR CommandLine="*—c*" OR CommandLine="*―c*" | fields - _raw | collect index=notable_events source="Sysmon Configuration Update" marker="guid=87911521-7098-470b-a459-9a57fc80bdfd,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses]
+description = Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*Invoke-ATHRemoteFXvGPUDisablementCommand*", "*Invoke-ATHRemoteFXvGPUDisableme*") | fields - _raw | collect index=notable_events source="RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses" marker="guid=a6fc3c46-23b8-4996-9ea2-573f4c4d88c5,tags=attack.defense-evasion,tags=attack.t1218,"
+[Malicious PE Execution by Microsoft Visual Studio Debugger]
+description = There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\vsjitdebugger.exe" NOT (Image IN ("*\\vsimmersiveactivatehelper*.exe", "*\\devenv.exe")) | fields - _raw | collect index=notable_events source="Malicious PE Execution by Microsoft Visual Studio Debugger" marker="guid=15c7904e-6ad1-4a45-9b46-5fb25df37fd2,tags=attack.t1218,tags=attack.defense-evasion,"
+[Suspicious AgentExecutor PowerShell Execution]
+description = Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\AgentExecutor.exe" OR OriginalFileName="AgentExecutor.exe" CommandLine IN ("* -powershell*", "* -remediationScript*") NOT (CommandLine IN ("*C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\*", "*C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\*") OR ParentImage="*\\Microsoft.Management.Services.IntuneWindowsAgent.exe") | fields - _raw | collect index=notable_events source="Suspicious AgentExecutor PowerShell Execution" marker="guid=c0b40568-b1e9-4b03-8d6c-b096da6da9ab,tags=attack.defense-evasion,tags=attack.t1218,"
+[HackTool - LaZagne Execution]
+description = Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\lazagne.exe" OR (Image IN ("*:\\PerfLogs\\*", "*:\\ProgramData\\*", "*:\\Temp\\*", "*:\\Tmp\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*", "*\\Users\\Public\\*") CommandLine IN ("*.exe all", "*.exe browsers", "*.exe chats", "*.exe databases", "*.exe games", "*.exe git", "*.exe mails", "*.exe maven", "*.exe memory", "*.exe multimedia", "*.exe sysadmin", "*.exe unused", "*.exe wifi", "*.exe windows")) OR (CommandLine IN ("*all *", "*browsers *", "*chats *", "*databases *", "*games *", "*git *", "*mails *", "*maven *", "*memory *", "*multimedia *", "*php *", "*svn *", "*sysadmin *", "*unused *", "*wifi *", "*windows *") CommandLine IN ("*-oA*", "*-oJ*", "*-oN*", "*-output*", "*-password*", "*-1Password*", "*-apachedirectorystudio*", "*-autologon*", "*-ChromiumBased*", "*-composer*", "*-coreftp*", "*-credfiles*", "*-credman*", "*-cyberduck*", "*-dbvis*", "*-EyeCon*", "*-filezilla*", "*-filezillaserver*", "*-ftpnavigator*", "*-galconfusion*", "*-gitforwindows*", "*-hashdump*", "*-iisapppool*", "*-IISCentralCertP*", "*-kalypsomedia*", "*-keepass*", "*-keepassconfig*", "*-lsa_secrets*", "*-mavenrepositories*", "*-memory_dump*", "*-Mozilla*", "*-mRemoteNG*", "*-mscache*", "*-opensshforwindows*", "*-openvpn*", "*-outlook*", "*-pidgin*", "*-postgresql*", "*-psi-im*", "*-puttycm*", "*-pypykatz*", "*-Rclone*", "*-rdpmanager*", "*-robomongo*", "*-roguestale*", "*-skype*", "*-SQLDeveloper*", "*-squirrel*", "*-tortoise*", "*-turba*", "*-UCBrowser*", "*-unattended*", "*-vault*", "*-vaultfiles*", "*-vnc*", "*-windows*", "*-winscp*", "*-wsl*")) | fields - _raw | collect index=notable_events source="HackTool - LaZagne Execution" marker="guid=c2b86e67-b880-4eec-b045-50bc98ef4844,tags=attack.credential-access,"
+[Exports Critical Registry Keys To a File]
+description = Detects the export of a crital Registry key to a file.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regedit.exe" OR OriginalFileName="REGEDIT.EXE" CommandLine="* -E *" OR CommandLine="* /E *" OR CommandLine="* –E *" OR CommandLine="* —E *" OR CommandLine="* ―E *" CommandLine IN ("*hklm*", "*hkey_local_machine*") CommandLine IN ("*\\system", "*\\sam", "*\\security") | table ParentImage,CommandLine | fields - _raw | collect index=notable_events source="Exports Critical Registry Keys To a File" marker="guid=82880171-b475-4201-b811-e9c826cd5eaa,tags=attack.exfiltration,tags=attack.t1012,"
+[Suspicious Registry Modification From ADS Via Regini.EXE]
+description = Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\regini.exe" OR OriginalFileName="REGINI.EXE"\
+| regex CommandLine=":[^ \\\\]" | table ParentImage,CommandLine | fields - _raw | collect index=notable_events source="Suspicious Registry Modification From ADS Via Regini.EXE" marker="guid=77946e79-97f1-45a2-84b4-f37b5c0d8682,tags=attack.t1112,tags=attack.defense-evasion,"
+[HackTool - HandleKatz LSASS Dumper Execution]
+description = Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\loader.exe" CommandLine="*--pid:*") OR Imphash IN ("38d9e015591bbfd4929e0d0f47fa0055", "0e2216679ca6e1094d63322e3412d650") OR Hashes IN ("*IMPHASH=38D9E015591BBFD4929E0D0F47FA0055*", "*IMPHASH=0E2216679CA6E1094D63322E3412D650*") OR (CommandLine="*--pid:*" CommandLine="*--outfile:*" CommandLine IN ("*.dmp*", "*lsass*", "*.obf*", "*dump*")) | fields - _raw | collect index=notable_events source="HackTool - HandleKatz LSASS Dumper Execution" marker="guid=ca621ba5-54ab-4035-9942-d378e6fcde3c,tags=attack.credential-access,tags=attack.t1003.001,"
+[Dumping of Sensitive Hives Via Reg.EXE]
+description = Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine IN ("* save *", "* export *", "* ˢave *", "* eˣport *") CommandLine IN ("*hklm*", "*hk˪m*", "*hkey_local_machine*", "*hkey_˪ocal_machine*", "*hkey_loca˪_machine*", "*hkey_˪oca˪_machine*") CommandLine IN ("*\\system*", "*\\sam*", "*\\security*", "*\\ˢystem*", "*\\syˢtem*", "*\\ˢyˢtem*", "*\\ˢam*", "*\\ˢecurity*") | fields - _raw | collect index=notable_events source="Dumping of Sensitive Hives Via Reg.EXE" marker="guid=fd877b94-9bb5-4191-bb25-d79cbd93c167,tags=attack.credential-access,tags=attack.t1003.002,tags=attack.t1003.004,tags=attack.t1003.005,tags=car.2013-07-001,"
+[Allow Service Access Using Security Descriptor Tampering Via Sc.EXE]
+description = Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sc.exe" OR OriginalFileName="sc.exe" CommandLine="*sdset*" CommandLine="*A;*" CommandLine IN ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*") | fields - _raw | collect index=notable_events source="Allow Service Access Using Security Descriptor Tampering Via Sc.EXE" marker="guid=6c8fbee5-dee8-49bc-851d-c3142d02aa47,tags=attack.persistence,tags=attack.t1543.003,"
+[Cloudflared Tunnel Execution]
+description = Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* tunnel *" CommandLine="* run *" CommandLine IN ("*-config *", "*-credentials-contents *", "*-credentials-file *", "*-token *") | fields - _raw | collect index=notable_events source="Cloudflared Tunnel Execution" marker="guid=9a019ffc-3580-4c9d-8d87-079f7e8d3fd4,tags=attack.command-and-control,tags=attack.t1102,tags=attack.t1090,tags=attack.t1572,"
+[Service StartupType Change Via PowerShell Set-Service]
+description = Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\powershell.exe" OR OriginalFileName="PowerShell.EXE" CommandLine="*Set-Service*" CommandLine="*-StartupType*" CommandLine IN ("*Disabled*", "*Manual*") | fields - _raw | collect index=notable_events source="Service StartupType Change Via PowerShell Set-Service" marker="guid=62b20d44-1546-4e61-afce-8e175eb9473c,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Potential Remote Desktop Tunneling]
+description = Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*:3389*" CommandLine IN ("* -L *", "* -P *", "* -R *", "* -pw *", "* -ssh *") | fields - _raw | collect index=notable_events source="Potential Remote Desktop Tunneling" marker="guid=8a3038e8-9c9d-46f8-b184-66234a160f6f,tags=attack.lateral-movement,tags=attack.t1021,"
+[Suspicious Execution of Shutdown to Log Out]
+description = Detects the rare use of the command line tool shutdown to logoff a user
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\shutdown.exe" CommandLine="*/l*" | fields - _raw | collect index=notable_events source="Suspicious Execution of Shutdown to Log Out" marker="guid=ec290c06-9b6b-4338-8b6b-095c0f284f10,tags=attack.impact,tags=attack.t1529,"
+[Potential Defense Evasion Via Rename Of Highly Relevant Binaries]
+description = Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="Execute processes remotely" OR Product="Sysinternals PsExec" OR Description IN ("Windows PowerShell*", "pwsh*") OR OriginalFileName IN ("certutil.exe", "cmstp.exe", "cscript.exe", "mshta.exe", "msiexec.exe", "powershell_ise.exe", "powershell.exe", "psexec.c", "psexec.exe", "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe", "rundll32.exe", "WerMgr", "wmic.exe", "wscript.exe") NOT (Image IN ("*\\certutil.exe", "*\\cmstp.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\msiexec.exe", "*\\powershell_ise.exe", "*\\powershell.exe", "*\\psexec.exe", "*\\psexec64.exe", "*\\PSEXESVC.exe", "*\\pwsh.exe", "*\\reg.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wermgr.exe", "*\\wmic.exe", "*\\wscript.exe")) | fields - _raw | collect index=notable_events source="Potential Defense Evasion Via Rename Of Highly Relevant Binaries" marker="guid=0ba1da6d-b6ce-4366-828c-18826c9de23e,tags=attack.defense-evasion,tags=attack.t1036.003,tags=car.2013-05-009,"
+[Potential Recon Activity Via Nltest.EXE]
+description = Detects nltest commands that can be used for information discovery
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\nltest.exe" OR OriginalFileName="nltestrk.exe" (CommandLine="*server*" CommandLine="*query*") OR CommandLine IN ("*/user*", "*all_trusts*", "*dclist:*", "*dnsgetdc:*", "*domain_trusts*", "*dsgetdc:*", "*parentdomain*", "*trusted_domains*") | fields - _raw | collect index=notable_events source="Potential Recon Activity Via Nltest.EXE" marker="guid=5cc90652-4cbd-4241-aa3b-4b462fa5a248,tags=attack.discovery,tags=attack.t1016,tags=attack.t1482,"
+[HackTool - PCHunter Execution]
+description = Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\PCHunter64.exe", "*\\PCHunter32.exe") OR OriginalFileName="PCHunter.exe" OR Description="Epoolsoft Windows Information View Tools" OR Hashes IN ("*SHA1=5F1CBC3D99558307BC1250D084FA968521482025*", "*MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7*", "*SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32*", "*IMPHASH=444D210CEA1FF8112F256A4997EED7FF*", "*SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB*", "*MD5=228DD0C2E6287547E26FFBD973A40F14*", "*SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C*", "*IMPHASH=0479F44DF47CFA2EF1CCC4416A538663*") OR md5 IN ("228dd0c2e6287547e26ffbd973a40f14", "987b65cd9b9f4e9a1afd8f8b48cf64a7") OR sha1 IN ("5f1cbc3d99558307bc1250d084fa968521482025", "3fb89787cb97d902780da080545584d97fb1c2eb") OR sha256 IN ("2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32", "55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c") OR Imphash IN ("444d210cea1ff8112f256a4997eed7ff", "0479f44df47cfa2ef1ccc4416a538663") | fields - _raw | collect index=notable_events source="HackTool - PCHunter Execution" marker="guid=fca949cc-79ca-446e-8064-01aa7e52ece5,tags=attack.execution,tags=attack.discovery,tags=attack.t1082,tags=attack.t1057,tags=attack.t1012,tags=attack.t1083,tags=attack.t1007,"
+[UAC Bypass Tools Using ComputerDefaults]
+description = Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 IntegrityLevel IN ("High", "System") Image="C:\\Windows\\System32\\ComputerDefaults.exe" NOT (ParentImage IN ("*:\\Windows\\System32*", "*:\\Program Files*")) | fields - _raw | collect index=notable_events source="UAC Bypass Tools Using ComputerDefaults" marker="guid=3c05e90d-7eba-4324-9972-5d7f711a60a8,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,"
+[Winrar Execution in Non-Standard Folder]
+description = Detects a suspicious winrar execution in a folder which is not the default installation folder
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\rar.exe", "*\\winrar.exe") OR Description="Command line RAR" NOT (Image="*\\UnRAR.exe" OR Image IN ("*:\\Program Files (x86)\\WinRAR\\*", "*:\\Program Files\\WinRAR\\*")) NOT Image="*:\\Windows\\Temp\\*" | fields - _raw | collect index=notable_events source="Winrar Execution in Non-Standard Folder" marker="guid=4ede543c-e098-43d9-a28f-dd784a13132f,tags=attack.collection,tags=attack.t1560.001,"
+[Portable Gpg.EXE Execution]
+description = Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\gpg.exe", "*\\gpg2.exe") OR OriginalFileName="gpg.exe" OR Description="GnuPG’s OpenPGP tool" NOT (Image IN ("*:\\Program Files (x86)\\GNU\\GnuPG\\bin\\*", "*:\\Program Files (x86)\\GnuPG VS-Desktop\\*", "*:\\Program Files (x86)\\GnuPG\\bin\\*", "*:\\Program Files (x86)\\Gpg4win\\bin\\*")) | fields - _raw | collect index=notable_events source="Portable Gpg.EXE Execution" marker="guid=77df53a5-1d78-4f32-bc5a-0e7465bd8f41,tags=attack.impact,tags=attack.t1486,"
+[Curl Download And Execute Combination]
+description = Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* -c *" OR CommandLine="* /c *" OR CommandLine="* –c *" OR CommandLine="* —c *" OR CommandLine="* ―c *" CommandLine="*curl *" CommandLine="*http*" CommandLine="*-o*" CommandLine="*&*" | fields - _raw | collect index=notable_events source="Curl Download And Execute Combination" marker="guid=21dd6d38-2b18-4453-9404-a0fe4a0cc288,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.command-and-control,tags=attack.t1105,"
+[Forfiles.EXE Child Process Masquerading]
+description = Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentCommandLine IN ("*.exe", "*.exe\"") Image="*\\cmd.exe" CommandLine="/c echo \"*" NOT (ParentImage IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*") ParentImage="*\\forfiles.exe" Image IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*") Image="*\\cmd.exe") | fields - _raw | collect index=notable_events source="Forfiles.EXE Child Process Masquerading" marker="guid=f53714ec-5077-420e-ad20-907ff9bb2958,tags=attack.defense-evasion,tags=attack.t1036,"
+[InfDefaultInstall.exe .inf Execution]
+description = Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*InfDefaultInstall.exe *" CommandLine="*.inf*" | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="InfDefaultInstall.exe .inf Execution" marker="guid=ce7cf472-6fcc-490a-9481-3786840b5d9b,tags=attack.defense-evasion,tags=attack.t1218,"
+[Share And Session Enumeration Using Net.EXE]
+description = Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine="*view*" NOT CommandLine="*\\\\*" | table ComputerName,User,CommandLine | fields - _raw | collect index=notable_events source="Share And Session Enumeration Using Net.EXE" marker="guid=62510e69-616b-4078-b371-847da438cc03,tags=attack.discovery,tags=attack.t1018,"
+[Explorer NOUACCHECK Flag]
+description = Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\explorer.exe" CommandLine="*/NOUACCHECK*" NOT (ParentCommandLine="C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" OR ParentImage="C:\\Windows\\System32\\svchost.exe") | fields - _raw | collect index=notable_events source="Explorer NOUACCHECK Flag" marker="guid=534f2ef7-e8a2-4433-816d-c91bccde289b,tags=attack.defense-evasion,tags=attack.t1548.002,"
+[Potential Password Spraying Attempt Using Dsacls.EXE]
+description = Detects possible password spraying attempts using Dsacls
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\dsacls.exe" OR OriginalFileName="DSACLS.EXE" CommandLine="*/user:*" CommandLine="*/passwd:*" | fields - _raw | collect index=notable_events source="Potential Password Spraying Attempt Using Dsacls.EXE" marker="guid=bac9fb54-2da7-44e9-988f-11e9a5edbc0c,tags=attack.defense-evasion,tags=attack.t1218,"
+[AADInternals PowerShell Cmdlets Execution - ProccessCreation]
+description = Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.Exe", "pwsh.dll") CommandLine IN ("*Add-AADInt*", "*ConvertTo-AADInt*", "*Disable-AADInt*", "*Enable-AADInt*", "*Export-AADInt*", "*Get-AADInt*", "*Grant-AADInt*", "*Install-AADInt*", "*Invoke-AADInt*", "*Join-AADInt*", "*New-AADInt*", "*Open-AADInt*", "*Read-AADInt*", "*Register-AADInt*", "*Remove-AADInt*", "*Restore-AADInt*", "*Search-AADInt*", "*Send-AADInt*", "*Set-AADInt*", "*Start-AADInt*", "*Update-AADInt*") | fields - _raw | collect index=notable_events source="AADInternals PowerShell Cmdlets Execution - ProccessCreation" marker="guid=c86500e9-a645-4680-98d7-f882c70c1ea3,tags=attack.execution,tags=attack.reconnaissance,tags=attack.discovery,tags=attack.credential-access,tags=attack.impact,"
+[HackTool - SharpLdapWhoami Execution]
+description = Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SharpLdapWhoami.exe" OR OriginalFileName="*SharpLdapWhoami*" OR Product="SharpLdapWhoami" OR CommandLine IN ("* /method:ntlm", "* /method:kerb", "* /method:nego", "* /m:nego", "* /m:ntlm", "* /m:kerb") | fields - _raw | collect index=notable_events source="HackTool - SharpLdapWhoami Execution" marker="guid=d9367cbb-c2e0-47ce-bdc0-128cb6da898d,tags=attack.discovery,tags=attack.t1033,tags=car.2016-03-001,"
+[Suspicious Reg Add Open Command]
+description = Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*reg*" CommandLine="*add*" CommandLine="*hkcu\\software\\classes\\ms-settings\\shell\\open\\command*" CommandLine="*/ve *" CommandLine="*/d*") OR (CommandLine="*reg*" CommandLine="*add*" CommandLine="*hkcu\\software\\classes\\ms-settings\\shell\\open\\command*" CommandLine="*/v*" CommandLine="*DelegateExecute*") OR (CommandLine="*reg*" CommandLine="*delete*" CommandLine="*hkcu\\software\\classes\\ms-settings*") | fields - _raw | collect index=notable_events source="Suspicious Reg Add Open Command" marker="guid=dd3ee8cc-f751-41c9-ba53-5a32ed47e563,tags=attack.credential-access,tags=attack.t1003,"
+[Suspicious Process Created Via Wmic.EXE]
+description = Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*process *" CommandLine="*call *" CommandLine="*create *" CommandLine IN ("*rundll32*", "*bitsadmin*", "*regsvr32*", "*cmd.exe /c *", "*cmd.exe /k *", "*cmd.exe /r *", "*cmd /c *", "*cmd /k *", "*cmd /r *", "*powershell*", "*pwsh*", "*certutil*", "*cscript*", "*wscript*", "*mshta*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*", "*\\AppData\\Local\\*", "*%temp%*", "*%tmp%*", "*%ProgramData%*", "*%appdata%*", "*%comspec%*", "*%localappdata%*") | fields - _raw | collect index=notable_events source="Suspicious Process Created Via Wmic.EXE" marker="guid=3c89a1e8-0fba-449e-8f1b-8409d6267ec8,tags=attack.execution,tags=attack.t1047,"
+[Script Interpreter Execution From Suspicious Folder]
+description = Detects a suspicious script execution in temporary folders or folders accessible by environment variables
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\cscript.exe", "*\\mshta.exe", "*\\wscript.exe") OR CommandLine IN ("* -ep bypass *", "* -ExecutionPolicy bypass *", "* -w hidden *", "*/e:javascript *", "*/e:Jscript *", "*/e:vbscript *") OR OriginalFileName IN ("cscript.exe", "mshta.exe", "wscript.exe") CommandLine IN ("*:\\Perflogs\\*", "*:\\Users\\Public\\*", "*\\AppData\\Local\\Temp*", "*\\AppData\\Roaming\\Temp*", "*\\Temporary Internet*", "*\\Windows\\Temp*") OR (CommandLine="*:\\Users\\*" CommandLine="*\\Favorites\\*") OR (CommandLine="*:\\Users\\*" CommandLine="*\\Favourites\\*") OR (CommandLine="*:\\Users\\*" CommandLine="*\\Contacts\\*") | fields - _raw | collect index=notable_events source="Script Interpreter Execution From Suspicious Folder" marker="guid=1228c958-e64e-4e71-92ad-7d429f4138ba,tags=attack.execution,tags=attack.t1059,"
+[Invoke-Obfuscation COMPRESS OBFUSCATION]
+description = Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*new-object*" CommandLine="*text.encoding]::ascii*" CommandLine IN ("*system.io.compression.deflatestream*", "*system.io.streamreader*", "*readtoend(*") | fields - _raw | collect index=notable_events source="Invoke-Obfuscation COMPRESS OBFUSCATION" marker="guid=7eedcc9d-9fdb-4d94-9c54-474e8affc0c7,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001,"
+[HackTool - Certify Execution]
+description = Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\Certify.exe" OR OriginalFileName="Certify.exe" OR Description="*Certify*" OR (CommandLine IN ("*.exe cas *", "*.exe find *", "*.exe pkiobjects *", "*.exe request *", "*.exe download *") CommandLine IN ("* /vulnerable*", "* /template:*", "* /altname:*", "* /domain:*", "* /path:*", "* /ca:*")) | fields - _raw | collect index=notable_events source="HackTool - Certify Execution" marker="guid=762f2482-ff21-4970-8939-0aa317a886bb,tags=attack.discovery,tags=attack.credential-access,tags=attack.t1649,"
+[PUA - Rclone Execution]
+description = Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*--config *" CommandLine="*--no-check-certificate *" CommandLine="* copy *") OR (Image="*\\rclone.exe" OR Description="Rsync for cloud storage" CommandLine IN ("*pass*", "*user*", "*copy*", "*sync*", "*config*", "*lsd*", "*remote*", "*ls*", "*mega*", "*pcloud*", "*ftp*", "*ignore-existing*", "*auto-confirm*", "*transfers*", "*multi-thread-streams*", "*no-check-certificate *")) | table CommandLine,ParentCommandLine,Details | fields - _raw | collect index=notable_events source="PUA - Rclone Execution" marker="guid=e37db05d-d1f9-49c8-b464-cee1a4b11638,tags=attack.exfiltration,tags=attack.t1567.002,"
+[HackTool - SharpImpersonation Execution]
+description = Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SharpImpersonation.exe" OR OriginalFileName="SharpImpersonation.exe" OR (CommandLine="* user:*" CommandLine="* binary:*") OR (CommandLine="* user:*" CommandLine="* shellcode:*") OR CommandLine IN ("* technique:CreateProcessAsUserW*", "* technique:ImpersonateLoggedOnuser*") | fields - _raw | collect index=notable_events source="HackTool - SharpImpersonation Execution" marker="guid=f89b08d0-77ad-4728-817b-9b16c5a69c7a,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1134.001,tags=attack.t1134.003,"
+[Suspicious Process Parents]
+description = Detects suspicious parent processes that should not have any children or should only have a single possible child program
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\minesweeper.exe", "*\\winver.exe", "*\\bitsadmin.exe") OR (ParentImage IN ("*\\csrss.exe", "*\\certutil.exe", "*\\eventvwr.exe", "*\\calc.exe", "*\\notepad.exe") NOT (Image IN ("*\\WerFault.exe", "*\\wermgr.exe", "*\\conhost.exe", "*\\mmc.exe", "*\\win32calc.exe", "*\\notepad.exe") OR Image!=*)) | fields - _raw | collect index=notable_events source="Suspicious Process Parents" marker="guid=cbec226f-63d9-4eca-9f52-dfb6652f24df,tags=attack.defense-evasion,tags=attack.t1036,"
+[Remote Access Tool - NetSupport Execution From Unusual Location]
+description = Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\client32.exe" OR Product="*NetSupport Remote Control*" OR OriginalFileName="*client32.exe*" OR Imphash="a9d50692e95b79723f3e76fcf70d023e" OR Hashes="*IMPHASH=a9d50692e95b79723f3e76fcf70d023e*" NOT (Image IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*")) | fields - _raw | collect index=notable_events source="Remote Access Tool - NetSupport Execution From Unusual Location" marker="guid=37e8d358-6408-4853-82f4-98333fca7014,tags=attack.defense-evasion,"
+[Potentially Suspicious Office Document Executed From Trusted Location]
+description = Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\explorer.exe", "*\\dopus.exe") Image IN ("*\\EXCEL.EXE", "*\\POWERPNT.EXE", "*\\WINWORD.exe") OR OriginalFileName IN ("Excel.exe", "POWERPNT.EXE", "WinWord.exe") CommandLine IN ("*\\AppData\\Roaming\\Microsoft\\Templates*", "*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*", "*\\Microsoft Office\\root\\Templates\\*", "*\\Microsoft Office\\Templates\\*") NOT (CommandLine IN ("*.dotx", "*.xltx", "*.potx")) | fields - _raw | collect index=notable_events source="Potentially Suspicious Office Document Executed From Trusted Location" marker="guid=f99abdf0-6283-4e71-bd2b-b5c048a94743,tags=attack.defense-evasion,tags=attack.t1202,"
+[Application Removed Via Wmic.EXE]
+description = Detects the removal or uninstallation of an application via "Wmic.EXE".
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\WMIC.exe" OR OriginalFileName="wmic.exe" CommandLine="*call*" CommandLine="*uninstall*" | fields - _raw | collect index=notable_events source="Application Removed Via Wmic.EXE" marker="guid=b53317a0-8acf-4fd1-8de8-a5401e776b96,tags=attack.execution,tags=attack.t1047," +[Copy From VolumeShadowCopy Via Cmd.EXE] +description = Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*copy *" CommandLine="*\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*" | fields - _raw | collect index=notable_events source="Copy From VolumeShadowCopy Via Cmd.EXE" marker="guid=c73124a7-3e89-44a3-bdc1-25fe4df754b1,tags=attack.impact,tags=attack.t1490," +[Suspicious Program Names] +description = Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\CVE-202*", "*\\CVE202*") OR Image IN ("*\\poc.exe", "*\\artifact.exe", "*\\artifact64.exe", "*\\artifact_protected.exe", "*\\artifact32.exe", "*\\artifact32big.exe", "*obfuscated.exe", "*obfusc.exe", "*\\meterpreter") OR CommandLine IN ("*inject.ps1*", "*Invoke-CVE*", "*pupy.ps1*", "*payload.ps1*", "*beacon.ps1*", "*PowerView.ps1*", "*bypass.ps1*", "*obfuscated.ps1*", "*obfusc.ps1*", "*obfus.ps1*", "*obfs.ps1*", "*evil.ps1*", "*MiniDogz.ps1*", "*_enc.ps1*", "*\\shell.ps1*", "*\\rshell.ps1*", "*revshell.ps1*", "*\\av.ps1*", "*\\av_test.ps1*", "*adrecon.ps1*", "*mimikatz.ps1*", "*\\PowerUp_*", "*powerup.ps1*", "*\\Temp\\a.ps1*", "*\\Temp\\p.ps1*", "*\\Temp\\1.ps1*", "*Hound.ps1*", "*encode.ps1*", "*powercat.ps1*") | table CommandLine,ParentCommandLine,CurrentDirectory | fields 
- _raw | collect index=notable_events source="Suspicious Program Names" marker="guid=efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6,tags=attack.execution,tags=attack.t1059," +[Time Travel Debugging Utility Usage] +description = Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\tttracer.exe" | fields - _raw | collect index=notable_events source="Time Travel Debugging Utility Usage" marker="guid=0b4ae027-2a2d-4b93-8c7e-962caaba5b2a,tags=attack.defense-evasion,tags=attack.credential-access,tags=attack.t1218,tags=attack.t1003.001," +[Suspicious File Execution From Internet Hosted WebDav Share] +description = Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe*" OR OriginalFileName="Cmd.EXE" CommandLine="* net use http*" CommandLine="*& start /b *" CommandLine="*\\DavWWWRoot\\*" CommandLine IN ("*.exe *", "*.dll *", "*.bat *", "*.vbs *", "*.ps1 *") | fields - _raw | collect index=notable_events source="Suspicious File Execution From Internet Hosted WebDav Share" marker="guid=f0507c0f-a3a2-40f5-acc6-7f543c334993,tags=attack.execution,tags=attack.t1059.001," +[HackTool - SharPersist Execution] +description = Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SharPersist.exe" OR Product="SharPersist" OR CommandLine IN ("* -t schtask -c *", "* -t startupfolder -c *") OR (CommandLine="* -t reg -c *" CommandLine="* -m add*") OR (CommandLine="* -t service -c *" CommandLine="* -m 
add*") OR (CommandLine="* -t schtask -c *" CommandLine="* -m add*") | fields - _raw | collect index=notable_events source="HackTool - SharPersist Execution" marker="guid=26488ad0-f9fd-4536-876f-52fea846a2e4,tags=attack.persistence,tags=attack.t1053,"
+[Suspicious SYSVOL Domain Group Policy Access]
+description = Detects Access to Domain Group Policies stored in SYSVOL
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\SYSVOL\\*" CommandLine="*\\policies\\*" | fields - _raw | collect index=notable_events source="Suspicious SYSVOL Domain Group Policy Access" marker="guid=05f3c945-dcc8-4393-9f3d-af65077a8f86,tags=attack.credential-access,tags=attack.t1552.006,"
+[Potential Credential Dumping Via LSASS Process Clone]
+description = Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\Windows\\System32\\lsass.exe" Image="*\\Windows\\System32\\lsass.exe" | fields - _raw | collect index=notable_events source="Potential Credential Dumping Via LSASS Process Clone" marker="guid=c8da0dfd-4ed0-4b68-962d-13c9c884384e,tags=attack.credential-access,tags=attack.t1003,tags=attack.t1003.001,"
+[Potential Obfuscated Ordinal Call Via Rundll32]
+description = Detects execution of "rundll32" with potential obfuscated ordinal calls
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" OR CommandLine="*rundll32*" CommandLine IN ("*#+*", "*#-*") | fields - _raw | collect index=notable_events source="Potential Obfuscated Ordinal Call Via Rundll32" marker="guid=43fa5350-db63-4b8f-9a01-789a427074e1,tags=attack.defense-evasion,"
+[Webshell Tool Reconnaissance Activity]
+description = Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) 
that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\caddy.exe", "*\\httpd.exe", "*\\nginx.exe", "*\\php-cgi.exe", "*\\w3wp.exe", "*\\ws_tomcatservice.exe") OR (ParentImage IN ("*\\java.exe", "*\\javaw.exe") ParentImage IN ("*-tomcat-*", "*\\tomcat*")) OR (ParentImage IN ("*\\java.exe", "*\\javaw.exe") CommandLine IN ("*CATALINA_HOME*", "*catalina.jar*")) CommandLine IN ("*perl --help*", "*perl -h*", "*python --help*", "*python -h*", "*python3 --help*", "*python3 -h*", "*wget --help*") | fields - _raw | collect index=notable_events source="Webshell Tool Reconnaissance Activity" marker="guid=f64e5c19-879c-4bae-b471-6d84c8339677,tags=attack.persistence,tags=attack.t1505.003,"
+[Deleted Data Overwritten Via Cipher.EXE]
+description = Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="CIPHER.EXE" OR Image="*\\cipher.exe" CommandLine="* /w:*" | fields - _raw | collect index=notable_events source="Deleted Data Overwritten Via Cipher.EXE" marker="guid=4b046706-5789-4673-b111-66f25fe99534,tags=attack.impact,tags=attack.t1485,"
+[Windows Hotfix Updates Reconnaissance Via Wmic.EXE]
+description = Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. 
This is often used by pentester and attacker enumeration scripts
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="wmic.exe" OR Image="*\\WMIC.exe" CommandLine="* qfe*" | fields - _raw | collect index=notable_events source="Windows Hotfix Updates Reconnaissance Via Wmic.EXE" marker="guid=dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45,tags=attack.execution,tags=attack.t1047,"
+[Suspicious Git Clone]
+description = Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\git.exe", "*\\git-remote-https.exe") OR OriginalFileName="git.exe" CommandLine IN ("* clone *", "*git-remote-https *") CommandLine IN ("*exploit*", "*Vulns*", "*vulnerability*", "*RemoteCodeExecution*", "*Invoke-*", "*CVE-*", "*poc-*", "*ProofOfConcept*", "*proxyshell*", "*log4shell*", "*eternalblue*", "*eternal-blue*", "*MS17-*") | fields - _raw | collect index=notable_events source="Suspicious Git Clone" marker="guid=aef9d1f1-7396-4e92-a927-4567c7a495c1,tags=attack.reconnaissance,tags=attack.t1593.003,"
+[Password Provided In Command Line Of Net.EXE]
+description = Detects a when net.exe is called with a password in the command line
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine="* use *" CommandLine="*:*\\*" CommandLine="*/USER:* *" NOT CommandLine="* " | fields - _raw | collect index=notable_events source="Password Provided In Command Line Of Net.EXE" marker="guid=d4498716-1d52-438f-8084-4a603157d131,tags=attack.defense-evasion,tags=attack.initial-access,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.lateral-movement,tags=attack.t1021.002,tags=attack.t1078,"
+[File Download From Browser 
Process Via Inline URL]
+description = Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\brave.exe", "*\\chrome.exe", "*\\msedge.exe", "*\\opera.exe", "*\\vivaldi.exe") CommandLine="*http*" CommandLine IN ("*.7z", "*.dat", "*.dll", "*.exe", "*.hta", "*.ps1", "*.psm1", "*.txt", "*.vbe", "*.vbs", "*.zip") | fields - _raw | collect index=notable_events source="File Download From Browser Process Via Inline URL" marker="guid=94771a71-ba41-4b6e-a757-b531372eaab6,tags=attack.command-and-control,tags=attack.t1105,"
+[Uncommon Child Process Of BgInfo.EXE]
+description = Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\bginfo.exe", "*\\bginfo64.exe") | fields - _raw | collect index=notable_events source="Uncommon Child Process Of BgInfo.EXE" marker="guid=aaf46cdc-934e-4284-b329-34aa701e3771,tags=attack.execution,tags=attack.t1059.005,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1202,"
+[User Added to Local Administrators Group]
+description = Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember". 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*localgroup *" CommandLine="* /add*") OR (CommandLine="*Add-LocalGroupMember *" CommandLine="* -Group *") CommandLine IN ("* administrators *", "* administrateur*") | fields - _raw | collect index=notable_events source="User Added to Local Administrators Group" marker="guid=ad720b90-25ad-43ff-9b5e-5c841facc8e5,tags=attack.persistence,tags=attack.t1098,"
+[Sysprep on AppData Folder]
+description = Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\sysprep.exe" CommandLine="*\\AppData\\*" | fields - _raw | collect index=notable_events source="Sysprep on AppData Folder" marker="guid=d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e,tags=attack.execution,tags=attack.t1059,"
+[Suspicious Schtasks Schedule Types]
+description = Detects scheduled task creations or modification on a suspicious schedule type
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\schtasks.exe" OR OriginalFileName="schtasks.exe" CommandLine IN ("* ONLOGON *", "* ONSTART *", "* ONCE *", "* ONIDLE *") NOT (CommandLine IN ("*NT AUT*", "* SYSTEM*", "*HIGHEST*")) | fields - _raw | collect index=notable_events source="Suspicious Schtasks Schedule Types" marker="guid=24c8392b-aa3c-46b7-a545-43f71657fe98,tags=attack.execution,tags=attack.t1053.005,"
+[Suspicious PowerShell Download and Execute Pattern]
+description = Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*IEX ((New-Object Net.WebClient).DownloadString*", 
"*IEX (New-Object Net.WebClient).DownloadString*", "*IEX((New-Object Net.WebClient).DownloadString*", "*IEX(New-Object Net.WebClient).DownloadString*", "* -command (New-Object System.Net.WebClient).DownloadFile(*", "* -c (New-Object System.Net.WebClient).DownloadFile(*") | fields - _raw | collect index=notable_events source="Suspicious PowerShell Download and Execute Pattern" marker="guid=e6c54d94-498c-4562-a37c-b469d8e9a275,tags=attack.execution,tags=attack.t1059.001,"
+[HackTool - ADCSPwn Execution]
+description = Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="* --adcs *" CommandLine="* --port *" | fields - _raw | collect index=notable_events source="HackTool - ADCSPwn Execution" marker="guid=cd8c163e-a19b-402e-bdd5-419ff5859f12,tags=attack.credential-access,tags=attack.t1557.001,"
+[Potential MSTSC Shadowing Activity]
+description = Detects RDP session hijacking by using MSTSC shadowing
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*noconsentprompt*" CommandLine="*shadow:*" | fields - _raw | collect index=notable_events source="Potential MSTSC Shadowing Activity" marker="guid=6ba5a05f-b095-4f0a-8654-b825f4f16334,tags=attack.lateral-movement,tags=attack.t1563.002,"
+[Potential Data Stealing Via Chromium Headless Debugging]
+description = Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*--remote-debugging-*" CommandLine="*--user-data-dir*" CommandLine="*--headless*" | fields - _raw | collect index=notable_events source="Potential Data Stealing Via Chromium Headless Debugging" marker="guid=3e8207c5-fcd2-4ea6-9418-15d45b4890e4,tags=attack.credential-access,tags=attack.t1185,"
+[Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script]
+description = Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\VMwareToolBoxCmd.exe" OR OriginalFileName="toolbox-cmd.exe" CommandLine="* script *" CommandLine="* set *" CommandLine IN ("*:\\PerfLogs\\*", "*:\\Temp\\*", "*:\\Windows\\System32\\Tasks\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp*") | fields - _raw | collect index=notable_events source="Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" marker="guid=236d8e89-ed95-4789-a982-36f4643738ba,tags=attack.execution,tags=attack.persistence,tags=attack.t1059,"
+[Suspicious Scan Loop Network]
+description = Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*for *", "*foreach *") CommandLine IN ("*nslookup*", "*ping*") | fields - _raw | collect index=notable_events source="Suspicious Scan Loop Network" marker="guid=f8ad2e2c-40b6-4117-84d7-20b89896ab23,tags=attack.execution,tags=attack.t1059,tags=attack.discovery,tags=attack.t1018," 
+[Potential PsExec Remote Execution]
+description = Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*accepteula*" CommandLine="* -u *" CommandLine="* -p *" CommandLine="* \\\\*" | fields - _raw | collect index=notable_events source="Potential PsExec Remote Execution" marker="guid=ea011323-7045-460b-b2d7-0f7442ea6b38,tags=attack.resource-development,tags=attack.t1587.001,"
+[HackTool - Koadic Execution]
+description = Detects command line parameters used by Koadic hack tool
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine="*/q*" CommandLine="*/c*" CommandLine="*chcp*" | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="HackTool - Koadic Execution" marker="guid=5cddf373-ef00-4112-ad72-960ac29bac34,tags=attack.execution,tags=attack.t1059.003,tags=attack.t1059.005,tags=attack.t1059.007,"
+[Suspicious Execution of Systeminfo]
+description = Detects usage of the "systeminfo" command to retrieve information
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\systeminfo.exe" OR OriginalFileName="sysinfo.exe" | fields - _raw | collect index=notable_events source="Suspicious Execution of Systeminfo" marker="guid=0ef56343-059e-4cb6-adc1-4c3c967c5e46,tags=attack.discovery,tags=attack.t1082,"
+[Suspicious Driver/DLL Installation Via Odbcconf.EXE]
+description = Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\odbcconf.exe" OR OriginalFileName="odbcconf.exe" CommandLine="*INSTALLDRIVER *" NOT CommandLine="*.dll*" | fields - _raw | collect index=notable_events source="Suspicious Driver/DLL Installation Via Odbcconf.EXE" marker="guid=cb0fe7c5-f3a3-484d-aa25-d350a7912729,tags=attack.defense-evasion,tags=attack.t1218.008,"
+[Suspicious LOLBIN AccCheckConsole]
+description = Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\AccCheckConsole.exe" OR OriginalFileName="AccCheckConsole.exe" CommandLine="* -window *" CommandLine="*.dll*" | fields - _raw | collect index=notable_events source="Suspicious LOLBIN AccCheckConsole" marker="guid=0f6da907-5854-4be6-859a-e9958747b0aa,tags=attack.execution,"
+[Dism Remove Online Package]
+description = Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\DismHost.exe" ParentCommandLine="*/Online*" ParentCommandLine="*/Disable-Feature*") OR (Image="*\\Dism.exe" CommandLine="*/Online*" CommandLine="*/Disable-Feature*") | fields - _raw | collect index=notable_events source="Dism Remove Online Package" marker="guid=43e32da2-fdd0-4156-90de-50dfd62636f9,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Renamed ZOHO Dctask64 Execution]
+description = Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Hashes IN ("*6834B1B94E49701D77CCB3C0895E1AFD*", "*1BB6F93B129F398C7C4A76BB97450BBA*", "*FAA2AC19875FADE461C8D89DCF2710A3*", "*F1039CED4B91572AB7847D26032E6BBF*") NOT Image="*\\dctask64.exe" | fields - _raw | collect index=notable_events source="Renamed ZOHO Dctask64 Execution" marker="guid=340a090b-c4e9-412e-bb36-b4b16fe96f9b,tags=attack.defense-evasion,tags=attack.t1036,tags=attack.t1055.001,tags=attack.t1202,tags=attack.t1218,"
+[Process Proxy Execution Via Squirrel.EXE]
+description = Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\squirrel.exe", "*\\update.exe") CommandLine IN ("*--processStart*", "*--processStartAndWait*", "*--createShortcut*") NOT ((CommandLine="*:\\Users\\*" CommandLine="*\\AppData\\Local\\Discord\\Update.exe*" CommandLine="* --processStart*" CommandLine="*Discord.exe*") OR (CommandLine="*:\\Users\\*" CommandLine="*\\AppData\\Local\\GitHubDesktop\\Update.exe*" CommandLine="*GitHubDesktop.exe*" CommandLine IN ("*--createShortcut*", "*--processStartAndWait*")) OR (CommandLine="*:\\Users\\*" CommandLine="*\\AppData\\Local\\Microsoft\\Teams\\Update.exe*" CommandLine="*Teams.exe*" CommandLine IN ("*--processStart*", "*--createShortcut*")) OR (CommandLine="*:\\Users\\*" CommandLine="*\\AppData\\Local\\yammerdesktop\\Update.exe*" CommandLine="*Yammer.exe*" CommandLine IN ("*--processStart*", "*--createShortcut*"))) | fields - _raw | collect index=notable_events source="Process Proxy Execution Via Squirrel.EXE" marker="guid=45239e6a-b035-4aaf-b339-8ad379fcb67e,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218,"
+[PUA - 3Proxy Execution]
+description = Detects the use of 3proxy, a tiny free 
proxy server
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\3proxy.exe" OR Description="3proxy - tiny proxy server" OR CommandLine="*.exe -i127.0.0.1 -p*" | fields - _raw | collect index=notable_events source="PUA - 3Proxy Execution" marker="guid=f38a82d2-fba3-4781-b549-525efbec8506,tags=attack.command-and-control,tags=attack.t1572,"
+[PowerShell Get-Clipboard Cmdlet Via CLI]
+description = Detects usage of the 'Get-Clipboard' cmdlet via CLI
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*Get-Clipboard*" | fields - _raw | collect index=notable_events source="PowerShell Get-Clipboard Cmdlet Via CLI" marker="guid=b9aeac14-2ffd-4ad3-b967-1354a4e628c3,tags=attack.collection,tags=attack.t1115,"
+[Suspicious WMIC Execution Via Office Process]
+description = Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin). 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage IN ("*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\POWERPNT.exe", "*\\MSPUB.exe", "*\\VISIO.exe", "*\\MSACCESS.EXE", "*\\EQNEDT32.EXE", "*\\ONENOTE.EXE", "*\\wordpad.exe", "*\\wordview.exe") Image="*\\wbem\\WMIC.exe" OR OriginalFileName="wmic.exe" CommandLine="*process*" CommandLine="*create*" CommandLine="*call*" CommandLine IN ("*regsvr32*", "*rundll32*", "*msiexec*", "*mshta*", "*verclsid*", "*wscript*", "*cscript*") | fields - _raw | collect index=notable_events source="Suspicious WMIC Execution Via Office Process" marker="guid=e1693bc8-7168-4eab-8718-cdcaa68a1738,tags=attack.t1204.002,tags=attack.t1047,tags=attack.t1218.010,tags=attack.execution,tags=attack.defense-evasion,"
+[Sticky Key Like Backdoor Execution]
+description = Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\winlogon.exe" Image IN ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe", "*\\wt.exe") CommandLine IN ("*sethc.exe*", "*utilman.exe*", "*osk.exe*", "*Magnify.exe*", "*Narrator.exe*", "*DisplaySwitch.exe*") | fields - _raw | collect index=notable_events source="Sticky Key Like Backdoor Execution" marker="guid=2fdefcb3-dbda-401e-ae23-f0db027628bc,tags=attack.privilege-escalation,tags=attack.persistence,tags=attack.t1546.008,tags=car.2014-11-003,tags=car.2014-11-008,"
+[HackTool - SharpChisel Execution]
+description = Detects usage of the Sharp Chisel via the commandline arguments
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SharpChisel.exe" OR Product="SharpChisel" | fields - _raw | collect index=notable_events 
source="HackTool - SharpChisel Execution" marker="guid=cf93e05e-d798-4d9e-b522-b0248dc61eaf,tags=attack.command-and-control,tags=attack.t1090.001,"
+[Cmd.EXE Missing Space Characters Execution Anomaly]
+description = Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer).
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*cmd.exe/c*", "*\\cmd/c*", "*\"cmd/c*", "*cmd.exe/k*", "*\\cmd/k*", "*\"cmd/k*", "*cmd.exe/r*", "*\\cmd/r*", "*\"cmd/r*") OR CommandLine IN ("*/cwhoami*", "*/cpowershell*", "*/cschtasks*", "*/cbitsadmin*", "*/ccertutil*", "*/kwhoami*", "*/kpowershell*", "*/kschtasks*", "*/kbitsadmin*", "*/kcertutil*") OR CommandLine IN ("*cmd.exe /c*", "*cmd /c*", "*cmd.exe /k*", "*cmd /k*", "*cmd.exe /r*", "*cmd /r*") NOT (CommandLine IN ("*cmd.exe /c *", "*cmd /c *", "*cmd.exe /k *", "*cmd /k *", "*cmd.exe /r *", "*cmd /r *") OR CommandLine IN ("*AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules*", "*cmd.exe/c .", "cmd.exe /c")) | fields - _raw | collect index=notable_events source="Cmd.EXE Missing Space Characters Execution Anomaly" marker="guid=a16980c2-0c56-4de0-9a79-17971979efdd,tags=attack.execution,tags=attack.t1059.001,"
+[ConvertTo-SecureString Cmdlet Usage Via CommandLine]
+description = Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. 
Which is fairly uncommon and could indicate potential suspicious activity
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine="*ConvertTo-SecureString*" | fields - _raw | collect index=notable_events source="ConvertTo-SecureString Cmdlet Usage Via CommandLine" marker="guid=74403157-20f5-415d-89a7-c505779585cf,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001,"
+[Suspicious Cabinet File Execution Via Msdt.EXE]
+description = Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\msdt.exe" OR OriginalFileName="msdt.exe" CommandLine="* -cab *" OR CommandLine="* /cab *" OR CommandLine="* –cab *" OR CommandLine="* —cab *" OR CommandLine="* ―cab *" | fields - _raw | collect index=notable_events source="Suspicious Cabinet File Execution Via Msdt.EXE" marker="guid=dc4576d4-7467-424f-9eee-fd2b02855fe0,tags=attack.defense-evasion,tags=attack.t1202,"
+[Shadow Copies Deletion Using Operating Systems Utilities]
+description = Shadow Copies deletion using operating systems utilities
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\wmic.exe", "*\\vssadmin.exe", "*\\diskshadow.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe") CommandLine="*shadow*" CommandLine="*delete*") OR (Image="*\\wbadmin.exe" OR OriginalFileName="WBADMIN.EXE" CommandLine="*delete*" CommandLine="*catalog*" CommandLine="*quiet*") OR (Image="*\\vssadmin.exe" OR OriginalFileName="VSSADMIN.EXE" CommandLine="*resize*" CommandLine="*shadowstorage*" CommandLine 
IN ("*unbounded*", "*/MaxSize=*")) | table CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Shadow Copies Deletion Using Operating Systems Utilities" marker="guid=c947b146-0abc-4c87-9c64-b17e9d7274a2,tags=attack.defense-evasion,tags=attack.impact,tags=attack.t1070,tags=attack.t1490,"
+[Rundll32 Registered COM Objects]
+description = load malicious registered COM objects
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine IN ("*-sta *", "*-localserver *") CommandLine="*{*" CommandLine="*}*" | fields - _raw | collect index=notable_events source="Rundll32 Registered COM Objects" marker="guid=f1edd233-30b5-4823-9e6a-c4171b24d316,tags=attack.privilege-escalation,tags=attack.persistence,tags=attack.t1546.015,"
+[Potential File Download Via MS-AppInstaller Protocol Handler]
+description = Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*ms-appinstaller://*source=*" CommandLine="*http*" | fields - _raw | collect index=notable_events source="Potential File Download Via MS-AppInstaller Protocol Handler" marker="guid=180c7c5c-d64b-4a63-86e9-68910451bc8b,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218,"
+[Group Membership Reconnaissance Via Whoami.EXE]
+description = Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\whoami.exe" OR OriginalFileName="whoami.exe" CommandLine IN ("* /groups*", "* -groups*") | fields - _raw | collect index=notable_events source="Group Membership Reconnaissance Via Whoami.EXE" marker="guid=bd8b828d-0dca-48e1-8a63-8a58ecf2644f,tags=attack.discovery,tags=attack.t1033," +[PowerShell Base64 Encoded Reflective Assembly Load] +description = Detects base64 encoded .NET reflective loading of Assembly +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA*", "*sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA*", "*bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA*", "*AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC*", "*BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp*", "*AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK*", "*WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ*", "*sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA*", "*bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA*", "*WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA*", "*sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA*", "*bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA*") | table CommandLine | fields - _raw | collect index=notable_events source="PowerShell Base64 Encoded Reflective Assembly Load" marker="guid=62b7ccc9-23b4-471e-aa15-6da3663c4d59,tags=attack.execution,tags=attack.t1059.001,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.t1620," +[File Decryption Using Gpg4win] +description = Detects usage of 
Gpg4win to decrypt files
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\gpg.exe", "*\\gpg2.exe") OR Description="GnuPG’s OpenPGP tool" CommandLine="* -d *" CommandLine="*passphrase*" | fields - _raw | collect index=notable_events source="File Decryption Using Gpg4win" marker="guid=037dcd71-33a8-4392-bb01-293c94663e5a,tags=attack.execution,"
+[MMC20 Lateral Movement]
+description = Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\svchost.exe" Image="*\\mmc.exe" CommandLine="*-Embedding*" | fields - _raw | collect index=notable_events source="MMC20 Lateral Movement" marker="guid=f1f3bf22-deb2-418d-8cce-e1a45e46a5bd,tags=attack.execution,tags=attack.t1021.003,"
+[Wusa.EXE Executed By Parent Process Located In Suspicious Location]
+description = Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wusa.exe" ParentImage IN ("*:\\Perflogs\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\Appdata\\Local\\Temp\\*", "*\\Temporary Internet*") OR (ParentImage="*:\\Users\\*" ParentImage="*\\Favorites\\*") OR (ParentImage="*:\\Users\\*" ParentImage="*\\Favourites\\*") OR (ParentImage="*:\\Users\\*" ParentImage="*\\Contacts\\*") OR (ParentImage="*:\\Users\\*" ParentImage="*\\Pictures\\*") | fields - _raw | collect index=notable_events source="Wusa.EXE Executed By Parent Process Located In Suspicious Location" marker="guid=ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99,tags=attack.execution,"
+[VolumeShadowCopy Symlink Creation Via Mklink]
+description = Shadow Copies storage symbolic link creation using operating systems utilities
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*mklink*" CommandLine="*HarddiskVolumeShadowCopy*" | fields - _raw | collect index=notable_events source="VolumeShadowCopy Symlink Creation Via Mklink" marker="guid=40b19fa6-d835-400c-b301-41f3a2baacaf,tags=attack.credential-access,tags=attack.t1003.002,tags=attack.t1003.003,"
+[Suspicious VBoxDrvInst.exe Parameters]
+description = Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. 
For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\VBoxDrvInst.exe" CommandLine="*driver*" CommandLine="*executeinf*" | table ComputerName,User,CommandLine,ParentCommandLine | fields - _raw | collect index=notable_events source="Suspicious VBoxDrvInst.exe Parameters" marker="guid=b7b19cb6-9b32-4fc4-a108-73f19acfe262,tags=attack.defense-evasion,tags=attack.t1112,"
+[Local Accounts Discovery]
+description = Local accounts, System Owner/User discovery using operating systems utilities
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (Image="*\\cmd.exe" CommandLine="* /c*" CommandLine="*dir *" CommandLine="*\\Users\\*" NOT CommandLine="* rmdir *") OR (Image IN ("*\\net.exe", "*\\net1.exe") CommandLine="*user*" NOT (CommandLine IN ("*/domain*", "*/add*", "*/delete*", "*/active*", "*/expires*", "*/passwordreq*", "*/scriptpath*", "*/times*", "*/workstations*"))) OR Image IN ("*\\whoami.exe", "*\\quser.exe", "*\\qwinsta.exe") OR (Image="*\\wmic.exe" CommandLine="*useraccount*" CommandLine="*get*") OR (Image="*\\cmdkey.exe" CommandLine="* /l*") | fields - _raw | collect index=notable_events source="Local Accounts Discovery" marker="guid=502b42de-4306-40b4-9596-6f590c81f073,tags=attack.discovery,tags=attack.t1033,tags=attack.t1087.001,"
+[Directory Removal Via Rmdir]
+description = Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\cmd.exe" OR OriginalFileName="Cmd.Exe" CommandLine="*rmdir*" CommandLine IN ("*/s*", "*/q*") | fields - _raw | collect index=notable_events source="Directory Removal Via Rmdir" marker="guid=41ca393d-538c-408a-ac27-cf1e038be80c,tags=attack.defense-evasion,tags=attack.t1070.004,"
+[Remote Access Tool - AnyDesk Piped Password Via CLI]
+description = Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*/c *" CommandLine="*echo *" CommandLine="*.exe --set-password*" | fields - _raw | collect index=notable_events source="Remote Access Tool - AnyDesk Piped Password Via CLI" marker="guid=b1377339-fda6-477a-b455-ac0923f9ec2c,tags=attack.command-and-control,tags=attack.t1219,"
+[Potential Suspicious Activity Using SeCEdit]
+description = Detects potential suspicious behaviour using secedit.exe.
Such as exporting or modifying the security policy
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\secedit.exe" OR OriginalFileName="SeCEdit" (CommandLine="*/export*" CommandLine="*/cfg*") OR (CommandLine="*/configure*" CommandLine="*/db*") | fields - _raw | collect index=notable_events source="Potential Suspicious Activity Using SeCEdit" marker="guid=c2c76b77-32be-4d1f-82c9-7e544bdfe0eb,tags=attack.discovery,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.credential-access,tags=attack.privilege-escalation,tags=attack.t1562.002,tags=attack.t1547.001,tags=attack.t1505.005,tags=attack.t1556.002,tags=attack.t1562,tags=attack.t1574.007,tags=attack.t1564.002,tags=attack.t1546.008,tags=attack.t1546.007,tags=attack.t1547.014,tags=attack.t1547.010,tags=attack.t1547.002,tags=attack.t1557,tags=attack.t1082,"
+[Suspicious Download Via Certutil.EXE]
+description = Detects the execution of certutil with certain flags that allow the utility to download files.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\certutil.exe" OR OriginalFileName="CertUtil.exe" CommandLine IN ("*urlcache *", "*verifyctl *") CommandLine="*http*" | fields - _raw | collect index=notable_events source="Suspicious Download Via Certutil.EXE" marker="guid=19b08b1c-861d-4e75-a1ef-ea0c1baf202b,tags=attack.defense-evasion,tags=attack.t1027,"
+[Remote Access Tool - UltraViewer Execution]
+description = An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Product="UltraViewer" OR Company="DucFabulous Co,ltd" OR OriginalFileName="UltraViewer_Desktop.exe" | fields - _raw | collect index=notable_events source="Remote Access Tool - UltraViewer Execution" marker="guid=88656cec-6c3b-487c-82c0-f73ebb805503,tags=attack.command-and-control,tags=attack.t1219,"
+[Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI]
+description = Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*::$index_allocation*" | fields - _raw | collect index=notable_events source="Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI" marker="guid=0900463c-b33b-49a8-be1d-552a3b553dae,tags=attack.defense-evasion,tags=attack.t1564.004,"
+[Import LDAP Data Interchange Format File Via Ldifde.EXE]
+description = Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\ldifde.exe" OR OriginalFileName="ldifde.exe" CommandLine="*-i*" CommandLine="*-f*" | fields - _raw | collect index=notable_events source="Import LDAP Data Interchange Format File Via Ldifde.EXE" marker="guid=6f535e01-ca1f-40be-ab8d-45b19c0c8b7f,tags=attack.command-and-control,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1105,"
+[Potential PowerShell Obfuscation Via Reversed Commands]
+description = Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll") CommandLine IN ("*hctac*", "*kaerb*", "*dnammoc*", "*ekovn*", "*eliFd*", "*rahc*", "*etirw*", "*golon*", "*tninon*", "*eddih*", "*tpircS*", "*ssecorp*", "*llehsrewop*", "*esnopser*", "*daolnwod*", "*tneilCbeW*", "*tneilc*", "*ptth*", "*elifotevas*", "*46esab*", "*htaPpmeTteG*", "*tcejbO*", "*maerts*", "*hcaerof*", "*retupmoc*") NOT (CommandLine IN ("* -EncodedCommand *", "* -enc *")) | fields - _raw | collect index=notable_events source="Potential PowerShell Obfuscation Via Reversed Commands" marker="guid=b6b49cd1-34d6-4ead-b1bf-176e9edba9a4,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001,"
+[Remote PowerShell Session Host Process (WinRM)]
+description = Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\wsmprovhost.exe" OR ParentImage="*\\wsmprovhost.exe" | table ComputerName,User,CommandLine | fields - _raw | collect index=notable_events source="Remote PowerShell Session Host Process (WinRM)" marker="guid=734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8,tags=attack.execution,tags=attack.t1059.001,tags=attack.t1021.006,"
+[Potential CobaltStrike Process Patterns]
+description = Detects potential process patterns related to Cobalt Strike beacon activity
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 (CommandLine="*cmd.exe /C whoami" ParentImage="C:\\Temp\\*") OR (ParentImage IN ("*\\runonce.exe", "*\\dllhost.exe") CommandLine="*cmd.exe /c echo*" CommandLine="*> \\\\.\\pipe*") OR (ParentCommandLine="*cmd.exe /C echo*" ParentCommandLine="* > \\\\.\\pipe*" CommandLine="*conhost.exe 0xffffffff -ForceV1") OR (ParentCommandLine="*/C whoami" CommandLine="*conhost.exe 0xffffffff -ForceV1") | fields - _raw | collect index=notable_events source="Potential CobaltStrike Process Patterns" marker="guid=f35c5d71-b489-4e22-a115-f003df287317,tags=attack.execution,tags=attack.t1059,"
+[Root Certificate Installed From Susp Locations]
+description = Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*Import-Certificate*" CommandLine="* -FilePath *" CommandLine="*Cert:\\LocalMachine\\Root*" CommandLine IN ("*\\AppData\\Local\\Temp\\*", "*:\\Windows\\TEMP\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Perflogs\\*", "*:\\Users\\Public\\*") | fields - _raw | collect index=notable_events source="Root Certificate Installed From Susp Locations" marker="guid=5f6a601c-2ecb-498b-9c33-660362323afa,tags=attack.defense-evasion,tags=attack.t1553.004,"
+[Potential Signing Bypass Via Windows Developer Features]
+description = Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\SystemSettingsAdminFlows.exe" OR OriginalFileName="SystemSettingsAdminFlows.EXE" CommandLine="*TurnOnDeveloperFeatures*" CommandLine IN ("*DeveloperUnlock*", "*EnableSideloading*") | fields - _raw | collect index=notable_events source="Potential Signing Bypass Via Windows Developer Features" marker="guid=a383dec4-deec-4e6e-913b-ed9249670848,tags=attack.defense-evasion,"
+[Renamed FTP.EXE Execution]
+description = Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName="ftp.exe" NOT Image="*\\ftp.exe" | table CommandLine,ParentImage | fields - _raw | collect index=notable_events source="Renamed FTP.EXE Execution" marker="guid=277a4393-446c-449a-b0ed-7fdc7795244c,tags=attack.execution,tags=attack.t1059,tags=attack.defense-evasion,tags=attack.t1202,"
+[Suspicious Processes Spawned by Java.EXE]
+description = Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g.
log4j)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentImage="*\\java.exe" Image IN ("*\\AppVLP.exe", "*\\bitsadmin.exe", "*\\certutil.exe", "*\\cscript.exe", "*\\curl.exe", "*\\forfiles.exe", "*\\hh.exe", "*\\mftrace.exe", "*\\mshta.exe", "*\\net.exe", "*\\net1.exe", "*\\query.exe", "*\\reg.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\schtasks.exe", "*\\scrcons.exe", "*\\scriptrunner.exe", "*\\sh.exe", "*\\systeminfo.exe", "*\\whoami.exe", "*\\wmic.exe", "*\\wscript.exe") | fields - _raw | collect index=notable_events source="Suspicious Processes Spawned by Java.EXE" marker="guid=0d34ed8b-1c12-4ff2-828c-16fc860b766d,tags=attack.initial-access,tags=attack.persistence,tags=attack.privilege-escalation,"
+[Potential Windows Defender AV Bypass Via Dump64.EXE Rename]
+description = Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image=":\\Program Files*" Image="*\\Microsoft Visual Studio\\*" Image="*\\dump64.exe" OriginalFileName="procdump" OR CommandLine IN ("* -ma *", "* -mp *") | fields - _raw | collect index=notable_events source="Potential Windows Defender AV Bypass Via Dump64.EXE Rename" marker="guid=129966c9-de17-4334-a123-8b58172e664d,tags=attack.credential-access,tags=attack.t1003.001,"
+[PowerShell Web Download]
+description = Detects suspicious ways to download files or content using PowerShell
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine IN ("*.DownloadString(*", "*.DownloadFile(*", "*Invoke-WebRequest *", "*iwr *") | fields - _raw | collect index=notable_events source="PowerShell Web Download" marker="guid=6e897651-f157-4d8f-aaeb-df8151488385,tags=attack.command-and-control,tags=attack.execution,tags=attack.t1059.001,tags=attack.t1105,"
+[Potential Credential Dumping Attempt Using New NetworkProvider - CLI]
+description = Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*\\System\\CurrentControlSet\\Services\\*" CommandLine="*\\NetworkProvider*" | fields - _raw | collect index=notable_events source="Potential Credential Dumping Attempt Using New NetworkProvider - CLI" marker="guid=baef1ec6-2ca9-47a3-97cc-4cf2bda10b77,tags=attack.credential-access,tags=attack.t1003,"
+[Network Reconnaissance Activity]
+description = Detects a set of suspicious network related commands often used in recon stages
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 CommandLine="*nslookup*" CommandLine="*_ldap._tcp.dc._msdcs.*" | fields - _raw | collect index=notable_events
source="Network Reconnaissance Activity" marker="guid=e6313acd-208c-44fc-a0ff-db85d572e90e,tags=attack.discovery,tags=attack.t1087,tags=attack.t1082,tags=car.2016-03-001,"
+[Suspicious AddinUtil.EXE CommandLine Execution]
+description = Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\addinutil.exe" OR OriginalFileName="AddInUtil.exe" (CommandLine IN ("*-AddInRoot:*", "*-PipelineRoot:*") CommandLine IN ("*\\AppData\\Local\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*")) OR (CommandLine IN ("*-AddInRoot:.*", "*-AddInRoot:\".\"*", "*-PipelineRoot:.*", "*-PipelineRoot:\".\"*") CurrentDirectory IN ("*\\AppData\\Local\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*")) | fields - _raw | collect index=notable_events source="Suspicious AddinUtil.EXE CommandLine Execution" marker="guid=631b22a4-70f4-4e2f-9ea8-42f84d9df6d8,tags=attack.defense-evasion,tags=attack.t1218,"
+[Potential Defense Evasion Via Binary Rename]
+description = Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 OriginalFileName IN ("Cmd.Exe", "CONHOST.EXE", "7z.exe", "WinRAR.exe", "wevtutil.exe", "net.exe", "net1.exe", "netsh.exe", "InstallUtil.exe") NOT (Image IN ("*\\cmd.exe", "*\\conhost.exe", "*\\7z.exe", "*\\WinRAR.exe", "*\\wevtutil.exe", "*\\net.exe", "*\\net1.exe", "*\\netsh.exe", "*\\InstallUtil.exe")) | fields - _raw | collect index=notable_events source="Potential Defense Evasion Via Binary Rename" marker="guid=36480ae1-a1cb-4eaa-a0d6-29801d7e9142,tags=attack.defense-evasion,tags=attack.t1036.003,"
+[Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution]
+description = Detects potentially suspicious child processes launched via the ScreenConnect client service.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 ParentCommandLine="*:\\Windows\\TEMP\\ScreenConnect\\*" ParentCommandLine="*run.cmd*" Image IN ("*\\bitsadmin.exe", "*\\cmd.exe", "*\\curl.exe", "*\\dllhost.exe", "*\\net.exe", "*\\nltest.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\rundll32.exe", "*\\wevtutil.exe") | fields - _raw | collect index=notable_events source="Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution" marker="guid=7b582f1a-b318-4c6a-bf4e-66fe49bf55a5,tags=attack.command-and-control,tags=attack.t1219,"
+[HackTool - RedMimicry Winnti Playbook Execution]
+description = Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image IN ("*\\rundll32.exe", "*\\cmd.exe") CommandLine IN ("*gthread-3.6.dll*", "*\\Windows\\Temp\\tmp.bat*", "*sigcmm-2.4.dll*") | fields - _raw | collect index=notable_events source="HackTool - RedMimicry Winnti Playbook Execution"
marker="guid=95022b85-ff2a-49fa-939a-d7b8f56eeb9b,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1106,tags=attack.t1059.003,tags=attack.t1218.011,"
+[Application Terminated Via Wmic.EXE]
+description = Detects calls to the "terminate" function via wmic in order to kill an application
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Image="*\\WMIC.exe" OR OriginalFileName="wmic.exe" CommandLine="*call*" CommandLine="*terminate*" | fields - _raw | collect index=notable_events source="Application Terminated Via Wmic.EXE" marker="guid=49d9671b-0a0a-4c09-8280-d215bfd30662,tags=attack.execution,tags=attack.t1047,"
+[Renamed PAExec Execution]
+description = Detects execution of renamed version of PAExec. Often used by attackers
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=1 Description="PAExec Application" OR OriginalFileName="PAExec.exe" OR Product="*PAExec*" OR Imphash IN ("11D40A7B7876288F919AB819CC2D9802", "6444f8a34e99b8f7d9647de66aabe516", "dfd6aa3f7b2b1035b76b718f1ddc689f", "1a6cca4d5460b1710a12dea39e4a592c") OR Hashes IN ("*IMPHASH=11D40A7B7876288F919AB819CC2D9802*", "*IMPHASH=6444f8a34e99b8f7d9647de66aabe516*", "*IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f*", "*IMPHASH=1a6cca4d5460b1710a12dea39e4a592c*") NOT (Image IN ("*\\paexec.exe", "C:\\Windows\\PAExec-*")) | fields - _raw | collect index=notable_events source="Renamed PAExec Execution" marker="guid=c4e49831-1496-40cf-8ce1-b53f942b02f9,tags=attack.defense-evasion,tags=attack.t1202,"
+[Remote Thread Created In Shell Application]
+description = Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 TargetImage IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe") | fields - _raw | collect index=notable_events source="Remote Thread Created In Shell Application" marker="guid=a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f,tags=attack.defense-evasion,tags=attack.t1055,"
+[Potential Credential Dumping Attempt Via PowerShell Remote Thread]
+description = Detects remote thread creation by PowerShell processes into "lsass.exe"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 SourceImage IN ("*\\powershell.exe", "*\\pwsh.exe") TargetImage="*\\lsass.exe" | fields - _raw | collect index=notable_events source="Potential Credential Dumping Attempt Via PowerShell Remote Thread" marker="guid=fb656378-f909-47c1-8747-278bf09f4f4f,tags=attack.credential-access,tags=attack.t1003.001,"
+[Remote Thread Creation By Uncommon Source Image]
+description = Detects uncommon processes creating remote threads.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 SourceImage IN ("*\\explorer.exe", "*\\iexplore.exe", "*\\msiexec.exe", "*\\powerpnt.exe", "*\\schtasks.exe", "*\\winlogon.exe") NOT ((SourceImage="C:\\Windows\\System32\\winlogon.exe" TargetImage IN ("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\wininit.exe", "C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\System32\\LogonUI.exe")) OR (SourceImage="C:\\Windows\\System32\\winlogon.exe" TargetParentProcessId=4) OR (SourceImage IN ("C:\\Windows\\System32\\schtasks.exe", "C:\\Windows\\SysWOW64\\schtasks.exe") TargetImage="C:\\Windows\\System32\\conhost.exe") OR (SourceImage="C:\\Windows\\explorer.exe" TargetImage IN ("C:\\Program Files (x86)\\*", "C:\\Program Files\\*", "C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*")) OR TargetImage="System" OR (SourceImage="*\\msiexec.exe" TargetImage IN ("*\\AppData\\Local\\*", "*C:\\Program Files (x86)\\*", "*C:\\Program Files\\*")) OR TargetImage!=* OR TargetImage="") NOT ((SourceImage="C:\\Program Files\\internet explorer\\iexplore.exe" SourceCommandLine="*https://*" SourceCommandLine="*.checkpoint.com/documents/*" SourceCommandLine="*SmartConsole_OLH/*" SourceCommandLine="*default.htm#cshid=*") OR (SourceImage="C:\\Program Files\\internet explorer\\iexplore.exe" SourceParentImage IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*") SourceParentImage="*\\CheckPoint\\SmartConsole\\*" SourceParentImage="*\\SmartConsole.exe*") OR (SourceImage="*\\Microsoft Office\\*" SourceImage="*\\POWERPNT.EXE" TargetImage="C:\\Windows\\System32\\csrss.exe")) | fields - _raw | collect index=notable_events source="Remote Thread Creation By Uncommon Source Image" marker="guid=66d31e5f-52d6-40a4-9615-002d3789a119,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1055,"
+[HackTool - Potential CobaltStrike Process Injection]
+description = Detects a potential remote threat creation with certain
characteristics which are typical for Cobalt Strike beacons
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 StartAddress IN ("*0B80", "*0C7C", "*0C88") | fields - _raw | collect index=notable_events source="HackTool - Potential CobaltStrike Process Injection" marker="guid=6309645e-122d-4c5b-bb2b-22e4f9c2fa42,tags=attack.defense-evasion,tags=attack.t1055.001,"
+[Remote Thread Creation In Uncommon Target Image]
+description = Detects uncommon target processes for remote thread creation
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 TargetImage IN ("*\\calc.exe", "*\\calculator.exe", "*\\mspaint.exe", "*\\notepad.exe", "*\\ping.exe", "*\\sethc.exe", "*\\spoolsv.exe", "*\\wordpad.exe", "*\\write.exe") NOT SourceImage="C:\\Windows\\System32\\csrss.exe" NOT (StartFunction="EtwpNotificationThread" OR SourceImage="*unknown process*" OR (SourceImage="C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" StartFunction="GetCommandLineW" TargetImage IN ("C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\System32\\spoolsv.exe")) OR (SourceImage="C:\\Program Files\\Xerox\\XeroxPrintExperience\\CommonFiles\\XeroxPrintJobEventManagerService.exe" StartFunction="LoadLibraryW" TargetImage="C:\\Windows\\System32\\spoolsv.exe")) | fields - _raw | collect index=notable_events source="Remote Thread Creation In Uncommon Target Image" marker="guid=a1a144b7-5c9b-4853-a559-2172be8d4a03,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1055.003,"
+[Remote Thread Creation Ttdinject.exe Proxy]
+description = Detects a remote thread creation of Ttdinject.exe used as proxy
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 SourceImage="*\\ttdinject.exe" | fields - _raw | collect index=notable_events source="Remote Thread Creation Ttdinject.exe Proxy"
marker="guid=c15e99a3-c474-48ab-b9a7-84549a7a9d16,tags=attack.defense-evasion,tags=attack.t1127,"
+[Remote Thread Creation In Mstsc.Exe From Suspicious Location]
+description = Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 TargetImage="*\\mstsc.exe" SourceImage IN ("*:\\Temp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\PerfLogs\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*") | fields - _raw | collect index=notable_events source="Remote Thread Creation In Mstsc.Exe From Suspicious Location" marker="guid=c0aac16a-b1e7-4330-bab0-3c27bb4987c7,tags=attack.credential-access,"
+[Remote Thread Creation Via PowerShell In Uncommon Target]
+description = Detects the creation of a remote thread from a Powershell process in an uncommon target process
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 SourceImage IN ("*\\powershell.exe", "*\\pwsh.exe") TargetImage IN ("*\\rundll32.exe", "*\\regsvr32.exe") | fields - _raw | collect index=notable_events source="Remote Thread Creation Via PowerShell In Uncommon Target" marker="guid=99b97608-3e21-4bfe-8217-2a127c396a0e,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218.011,tags=attack.t1059.001,"
+[Remote Thread Created In KeePass.EXE]
+description = Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 TargetImage="*\\KeePass.exe" | fields - _raw | collect index=notable_events source="Remote Thread Created In KeePass.EXE"
marker="guid=77564cc2-7382-438b-a7f6-395c2ae53b9a,tags=attack.credential-access,tags=attack.t1555.005,"
+[HackTool - CACTUSTORCH Remote Thread Creation]
+description = Detects remote thread creation from CACTUSTORCH as described in references.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 SourceImage IN ("*\\System32\\cscript.exe", "*\\System32\\wscript.exe", "*\\System32\\mshta.exe", "*\\winword.exe", "*\\excel.exe") TargetImage="*\\SysWOW64\\*" StartModule!=* | fields - _raw | collect index=notable_events source="HackTool - CACTUSTORCH Remote Thread Creation" marker="guid=2e4e488a-6164-4811-9ea1-f960c7359c40,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1055.012,tags=attack.t1059.005,tags=attack.t1059.007,tags=attack.t1218.005,"
+[Password Dumper Remote Thread in LSASS]
+description = Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 TargetImage="*\\lsass.exe" StartModule="" | fields - _raw | collect index=notable_events source="Password Dumper Remote Thread in LSASS" marker="guid=f239b326-2f41-4d6b-9dfa-c846a60ef505,tags=attack.credential-access,tags=attack.s0005,tags=attack.t1003.001,"
+[Rare Remote Thread Creation By Uncommon Source Image]
+description = Detects uncommon processes creating remote threads.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=8 SourceImage IN ("*\\bash.exe", "*\\cscript.exe", "*\\cvtres.exe", "*\\defrag.exe", "*\\dialer.exe", "*\\dnx.exe", "*\\esentutl.exe", "*\\excel.exe", "*\\expand.exe", "*\\find.exe", "*\\findstr.exe", "*\\forfiles.exe", "*\\gpupdate.exe", "*\\hh.exe", "*\\installutil.exe", "*\\lync.exe", "*\\makecab.exe", "*\\mDNSResponder.exe", "*\\monitoringhost.exe", "*\\msbuild.exe", "*\\mshta.exe", "*\\mspaint.exe", "*\\outlook.exe", "*\\ping.exe", "*\\provtool.exe", "*\\python.exe", "*\\regsvr32.exe", "*\\robocopy.exe", "*\\runonce.exe", "*\\sapcimc.exe", "*\\smartscreen.exe", "*\\spoolsv.exe", "*\\tstheme.exe", "*\\userinit.exe", "*\\vssadmin.exe", "*\\vssvc.exe", "*\\w3wp.exe", "*\\winscp.exe", "*\\winword.exe", "*\\wmic.exe", "*\\wscript.exe") | fields - _raw | collect index=notable_events source="Rare Remote Thread Creation By Uncommon Source Image" marker="guid=02d1d718-dd13-41af-989d-ea85c7fab93f,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1055,"
+[Potential Defense Evasion Via Raw Disk Access By Uncommon Tools]
+description = Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=9 NOT (Device="*floppy*" OR Image IN ("*:\\$WINDOWS.~BT\\*", "*:\\Program Files (x86)\\*", "*:\\Program Files\\*", "*:\\Windows\\CCM\\*", "*:\\Windows\\explorer.exe*", "*:\\Windows\\servicing\\*", "*:\\Windows\\SoftwareDistribution\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\SystemApps\\*", "*:\\Windows\\uus\\*", "*:\\Windows\\WinSxS\\*") OR Image IN ("Registry", "System") OR (Image="*:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*" Image="*\\MsMpEng.exe") OR (Image="*:\\Users\\*" Image="*\\AppData\\*" Image="*\\Microsoft\\*") OR
(Image="*:\\Windows\\Temp\\*" Image IN ("*\\Executables\\SSDUpdate.exe", "*\\HostMetadata\\NVMEHostmetadata.exe")) OR Image!=* OR Image="*:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe") NOT ((Image="*\\AppData\\Local\\GitHubDesktop\\app-*" Image="*\\resources\\app\\git\\mingw64\\bin\\git.exe") OR (Image="*:\\Windows\\Temp\\asgard2-agent\\*" Image="*\\thor.exe") OR Image="*\\AppData\\Local\\Keybase\\upd.exe*") | fields - _raw | collect index=notable_events source="Potential Defense Evasion Via Raw Disk Access By Uncommon Tools" marker="guid=db809f10-56ce-4420-8c86-d6a7d793c79c,tags=attack.defense-evasion,tags=attack.t1006,"
+[Vulnerable HackSys Extreme Vulnerable Driver Load]
+description = Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=6 ImageLoaded="*\\HEVD.sys" OR Hashes IN ("*IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5*", "*IMPHASH=c46ea2e651fd5f7f716c8867c6d13594*") OR Imphash IN ("f26d0b110873a1c7d8c4f08fbeab89c5", "c46ea2e651fd5f7f716c8867c6d13594") | fields - _raw | collect index=notable_events source="Vulnerable HackSys Extreme Vulnerable Driver Load" marker="guid=295c9289-acee-4503-a571-8eacaef36b28,tags=attack.privilege-escalation,tags=attack.t1543.003,"
+[PUA - System Informer Driver Load]
+description = Detects driver load of the System Informer tool
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=6 ImageLoaded="*\\SystemInformer.sys" OR Hashes IN ("*SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24*", "*SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454*", "*SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D*",
"*SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B*", "*SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D*", "*SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34*", "*SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89*", "*SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB*", "*SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B*", "*SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97*", "*SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656*", "*SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4*", "*SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138*") OR sha256 IN ("8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24", "a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454", "38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d", "a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b", "4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d", "3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34", "047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89", "18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb", "b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b", "640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97", "251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656", "e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4", "3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138") | fields - _raw | collect index=notable_events source="PUA - System Informer Driver Load" marker="guid=10cb6535-b31d-4512-9962-513dcbc42cc1,tags=attack.privilege-escalation,tags=attack.t1543,"
+[Driver Load From A Temporary Directory]
+description = Detects a driver load from a temporary directory
+search = index=evtx
_index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=6 ImageLoaded="*\\Temp\\*" | fields - _raw | collect index=notable_events source="Driver Load From A Temporary Directory" marker="guid=2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1543.003,"
+[Malicious Driver Load]
+description = Detects loading of known malicious drivers via their hash.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=6 Hashes IN ("*MD5=5be61a24f50eb4c94d98b8a82ef58dcf*", "*MD5=d70a80fc73dd43469934a7b1cc623c76*", "*MD5=3b71eab204a5f7ed77811e41fed73105*", "*MD5=528ce5ce19eb34f401ef024de7ddf222*", "*MD5=ae548418b491cd3f31618eb9e5730973*", "*MD5=72f53f55898548767e0276c472be41e8*", "*MD5=508faa4647f305a97ed7167abc4d1330*", "*MD5=ed2b653d55c03f0bffa250372d682b75*", "*MD5=0d2ba47286f1c68e87622b3a16bf9d92*", "*MD5=3164bd6c12dd0fe1bdf3b833d56323b9*", "*MD5=70fd7209ce5c013a1f9e699b5cc86cdc*", "*MD5=c71be7b112059d2dc84c0f952e04e6cc*", "*MD5=acac842a46f3501fe407b1db1b247a0b*", "*MD5=01c2e4d8234258451083d6ce4e8910b7*", "*MD5=c8541a9cef64589593e999968a0385b9*", "*MD5=e172a38ade3aa0a2bc1bf9604a54a3b5*", "*MD5=6fcf56f6ca3210ec397e55f727353c4a*", "*MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16*", "*MD5=07056573d464b0f5284f7e3acedd4a3f*", "*MD5=c7b7f1edb9bbef174e6506885561d85d*", "*MD5=d5918d735a23f746f0e83f724c4f26e5*", "*MD5=84763d8ca9fe5c3bff9667b2adf667de*", "*MD5=fb593b1f1f80d20fc7f4b818065c64b6*", "*MD5=909f3fc221acbe999483c87d9ead024a*", "*MD5=e29f6311ae87542b3d693c1f38e4e3ad*", "*MD5=aeb0801f22d71c7494e884d914446751*", "*MD5=3f11a94f1ac5efdd19767c6976da9ba4*", "*MD5=be6318413160e589080df02bb3ca6e6a*", "*MD5=0b311af53d2f4f77d30f1aed709db257*", "*MD5=d075d56dfce6b9b13484152b1ef40f93*", "*MD5=27384ec4c634701012a2962c30badad2*", "*MD5=5eb2c576597dd21a6b44557c237cf896*", "*MD5=f56db4eba3829c0918413b5c0b42f00f*", "*MD5=e27b2486aa5c256b662812b465b6036c*", 
"*MD5=db86dfd7aefbb5be6728a63461b0f5f3*", "*MD5=04a88f5974caa621cee18f34300fc08a*", "*MD5=5129d8fd53d6a4aba81657ab2aa5d243*", "*MD5=cd2c641788d5d125c316ed739c69bb59*", "*MD5=7073cd0085fcba1cd7d3568f9e6d652c*", "*MD5=24f0f2b4b3cdae11de1b81c537df41c7*", "*MD5=88bea56ae9257b40063785cf47546024*", "*MD5=63060b756377fce2ce4ab9d079ca732f*", "*MD5=50b39072d0ee9af5ef4824eca34be6e3*", "*MD5=57c18a8f5d1ba6d015e4d5bc698e3624*", "*MD5=7d26985a5048bad57d9c223362f3d55c*", "*MD5=ba54a0dbe2685e66e21d41b4529b3528*", "*MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11*", "*MD5=b52f51bbe6b49d0b475d943c29c4d4cb*", "*MD5=a837302307dace2a00d07202b661bce2*", "*MD5=78a122d926ccc371d60c861600c310f3*", "*MD5=bdb305aa0806f8b38b7ce43c927fe919*", "*MD5=27053e964667318e1b370150cbca9138*", "*MD5=6a4fbcfb44717eae2145c761c1c99b6a*", "*MD5=d13c1b76b4a1ca3ff5ab63678b51df6d*", "*MD5=6a066d2be83cf83f343d0550b0b8f206*", "*MD5=7108b0d4021af4c41de2c223319cd4c1*", "*MD5=1cd158a64f3d886357535382a6fdad75*", "*MD5=e939448b28a4edc81f1f974cebf6e7d2*", "*MD5=4198d3db44d7c4b3ba9072d258a4fc2d*", "*MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20*", "*MD5=30ca3cc19f001a8f12c619daa8c6b6e3*", "*MD5=fe9004353b25640f6a879e57f07122d7*", "*MD5=06c7fcf3523235cf52b3eee083ec07b2*", "*MD5=364605ad21b9275681cffef607fac273*", "*MD5=968ddb06af90ef83c5f20fbdd4eee62e*", "*MD5=ba50bd645d7c81416bb26a9d39998296*", "*MD5=29e03f4811b64969e48a99300978f58c*", "*MD5=b0770094c3c64250167b55e4db850c04*", "*MD5=40b968ecdbe9e967d92c5da51c390eee*", "*MD5=b6b530dd25c5eb66499968ec82e8791e*", "*MD5=f209cb0e468ca0b76d879859d5c8c54e*", "*MD5=76f8607fc4fb9e828d613a7214436b66*", "*MD5=4b058945c9f2b8d8ebc485add1101ba5*", "*MD5=faae7f5f69fde12303dd1c0c816b72b7*", "*MD5=89d294ef7fefcdf1a6ca0ab96a856f57*", "*MD5=ef0e1725aaf0c6c972593f860531a2ea*", "*MD5=bbdbffebfc753b11897de2da7c9912a5*", "*MD5=5ebfc0af031130ba9de1d5d3275734b3*", "*MD5=22949977ce5cd96ba674b403a9c81285*", "*MD5=77cfd3943cc34d9f5279c330cd8940bc*", "*MD5=311de109df18e485d4a626b5dbe19bc6*", 
"*MD5=2730cc25ad385acc7213a1261b21c12d*", "*MD5=87dc81ebe85f20c1a7970e495a778e60*", "*MD5=154b45f072fe844676e6970612fd39c7*", "*MD5=5a4fe297c7d42539303137b6d75b150d*", "*MD5=d6a1dd7b2c06f058b408b3613c13d413*", "*MD5=a6e9d6505f6d2326a8a9214667c61c67*", "*MD5=7fad9f2ef803496f482ce4728578a57a*", "*MD5=5076fba3d90e346fd17f78db0a4aa12c*", "*MD5=79df0eabbf2895e4e2dae15a4772868c*", "*MD5=14580bd59c55185115fd3abe73b016a2*", "*MD5=1f2888e57fdd6aee466962c25ba7d62d*", "*MD5=5e9231e85cecfc6141e3644fda12a734*", "*MD5=dc564bac7258e16627b9de0ce39fae25*", "*MD5=4e4c068c06331130334f23957fca9e3c*", "*MD5=1ee9f6326649cd23381eb9d7dfdeddf7*", "*MD5=4e1f656001af3677856f664e96282a6f*", "*MD5=36f44643178c505ea0384e0fb241e904*", "*MD5=6b480fac7caca2f85be9a0cfe79aedfc*", "*MD5=c1ab425977d467b64f437a6c5ad82b44*", "*MD5=fe508caa54ffeb2285d9f00df547fe4a*", "*MD5=d3af70287de8757cebc6f8d45bb21a20*", "*MD5=990b949894b7dc82a8cf1131b063cb1a*", "*MD5=c62209b8a5daf3f32ad876ad6cefda1b*", "*MD5=c159fb0f345a8771e56aab8e16927361*", "*MD5=19b15eeccab0752c6793f782ca665a45*", "*MD5=1d51029dfbd616bf121b40a0d1efeb10*", "*MD5=157a22689629ec876337f5f9409918d5*", "*MD5=3dd829fb27353622eff34be1eabb8f18*", "*MD5=8636fe3724f2bcba9399daffd6ef3c7e*", "*MD5=3d0b3e19262099ade884b75ba86ca7e8*", "*MD5=97539c78d6e2b5356ce79e40bcd4d570*", "*MD5=0308b6888e0f197db6704ca20203eee4*", "*MD5=091a6bd4880048514c5dd3bede15eba5*", "*MD5=7e92f98b809430622b04e88441b2eb04*", "*MD5=bb5bda8889d8d27ef984dbd6ad82c946*", "*MD5=b76aee508f68b5b6dccd6e1f66f4cf8b*", "*MD5=a822b9e6eedf69211013e192967bf523*", "*MD5=df52f8a85eb64bc69039243d9680d8e4*", "*MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a*", "*MD5=44857ca402a15ab51dc5afe47abdfa44*", "*MD5=f9844524fb0009e5b784c21c7bad4220*", "*MD5=d34b218c386bfe8b1f9c941e374418d7*", "*MD5=0ca010a32a9b0aeae1e46d666b83b659*", "*MD5=93496a436c5546156a69deb255a9fed0*", "*MD5=1cd5e231064e03c596e819b6ff48daf9*", "*MD5=70a71fe86df717ac59dbf856d7ac5789*", "*MD5=a33089d4e50f7d2ea8b52ca95d26ebf3*", 
"*MD5=e0cc9b415d884f85c45be145872892b8*", "*MD5=a42249a046182aaaf3a7a7db98bfa69d*", "*MD5=c5ae6ca044bd03c3506c132b033be1dc*", "*MD5=7ebe606acd81abf1f8cb0767c974164b*", "*MD5=b5dcc869a91efcc6e8ea0c3c07605d63*", "*MD5=62c18d61ed324088f963510bae43b831*", "*MD5=093a2a635c3a27aac50efd6463f4efa1*", "*MD5=28102acca39ad0199f262ba9958be3f4*", "*MD5=650ef9dd70cb192027e536754d6e0f63*", "*MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44*", "*MD5=6771b13a53b9c7449d4891e427735ea2*", "*MD5=072ba2309b825ce1dba37d8d924ea8ed*", "*MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb*", "*MD5=1325ec39e98225e487b40043faee8052*", "*MD5=4484f4007de2c3ee4581a2cff77ca3b4*", "*MD5=a236e7d654cd932b7d11cb604629a2d0*", "*MD5=17509f0a98dc5c5d52c3f9ac1428a21b*", "*MD5=840a5edf2534dd23a082cf7b28cbfc4d*", "*MD5=77a7ed4798d02ef6636cd0fd07fc382a*", "*MD5=a9df5964635ef8bd567ae487c3d214c4*", "*MD5=8b75047199825c8e62fdcc1c915db8bd*", "*MD5=d416494232c4197cb36a914df2e17677*", "*MD5=4cf14a96485a1270fed97bb8000e4f86*", "*MD5=35e512f9bedc89dca5ce81f35820714c*", "*MD5=40f35792e7565aa047796758a3ce1b77*", "*MD5=f7f31bccc9b7b2964ac85106831022b1*", "*MD5=26aedc10d4215ba997495d3a68355f4a*", "*MD5=10f3679384a03cb487bda9621ceb5f90*", "*MD5=80219fb6b5954c33e16bac5ecdac651b*", "*MD5=cee36b5c6362993fa921435979bfbe4a*", "*MD5=e37a08f516b8a7ca64163f5d9e68fe5a*", "*MD5=49518f7375a5f995ebe9423d8f19cfe4*", "*MD5=920df6e42cf91bbe19707f5a86e3c5c5*", "*MD5=2ec877e425bd7eddb663627216e3491e*", "*MD5=550b7991d93534bc510bc4f237155a7a*", "*MD5=98d53f6b3bec0a3417a04fbb9e17fa06*", "*MD5=13a57a4ef721440c7c9208b51f7c05de*", "*MD5=c5fc3605194e033bdf3781ff2adaeb61*", "*MD5=6e625ec04c20a9dbd48c7060efbf5e92*", "*MD5=0b9b78d1281c7d4ab50497cf6ea7452a*", "*MD5=4e906fcb13e2793c98f47291fd69391b*", "*MD5=2bb353891d65c9e267eb98a3a2b694c3*", "*MD5=7d86cdda7f49f91fdb69901a002b34e7*", "*MD5=f69b06ca7c34d16f26ea1c6861edf62a*", "*MD5=ee6b1a79cb6641aa44c762ee90786fe0*", "*MD5=1fc7aeeff3ab19004d2e53eae8160ab1*", "*MD5=24d3ea54f25e32832ac20335a1ce1062*", 
"*MD5=c94f405c5929cfcccc8ad00b42c95083*", "*MD5=b164daf106566f444dfb280d743bc2f7*", "*MD5=93130909e562925597110a617f05e2a9*", "*MD5=f589d4bf547c140b6ec8a511ea47c658*", "*MD5=bf445ac375977ecf551bc2a912c58e8a*", "*MD5=629ee55e4b5a225d048fbcd5f0a1d18b*", "*MD5=0023ca0ca16a62d93ef51f3df98b2f94*", "*MD5=a3d69c7e24300389b56782aa63b0e357*", "*MD5=cbd8d370462503508e44dba023bdf9bc*", "*MD5=67daa04716803a15fc11c9e353d77c2f*", "*MD5=c9d4214c850e0cedf033dc8f0cd3aace*", "*MD5=bd5b0514f3b40f139d8079138d01b5f6*", "*MD5=19bdd9b799e3c2c54c0d7fff68b31c20*", "*MD5=f242cffd9926c0ccf94af3bf16b6e527*", "*MD5=5aeab9427d85951def146b4c0a44fc63*", "*MD5=40170485cca576adb5266cf5b0d3b0bd*", "*MD5=c277c4386a78fae1b7e17eaecf4f472b*", "*MD5=58c37866cbc3d1338e4fc58ada924ffe*", "*MD5=0f16a43f7989034641fd2de3eb268bf1*", "*MD5=0ae30291c6cbfa7be39320badd6e8de0*", "*MD5=05dd59bd4f175304480affd8f1305c37*", "*MD5=f838f4eb36f1e7036238776c7a70f0b0*", "*MD5=85093bb9f027027c2c61aee50796de30*", "*MD5=ae338d91d1b05a72559b7f6ed717362d*", "*MD5=bd91787b5dcb2189b856804e85dfa1d9*", "*MD5=6b3c1511e12f4d27a4ea3b18020d7b84*", "*MD5=97264fd62d4907bdac917917a07b3b7a*", "*MD5=6ececf26ff8b03ed7ffbddadec9a9dab*", "*MD5=47e6ac52431ca47da17248d80bf71389*", "*MD5=eb57f03b7603f0b235af62e8cd5be8c2*", "*MD5=e1a9aa4c14669b1fb1f67a7266f87e82*", "*MD5=29047f0b7790e524b09a06852d31a117*", "*MD5=4dd6250eb2d368f500949952eb013964*", "*MD5=fb7c61ef427f9b2fdff3574ee6b1819b*", "*MD5=844af8c877f5da723c1b82cf6e213fc1*", "*MD5=e39152eadd76751b1d7485231b280948*", "*MD5=ac6e29f535b2c42999c50d2fc32f2c9c*", "*MD5=2406ea37152d2154be3fef6d69ada2c6*", "*MD5=0ea8389589c603a8b05146bd06020597*", "*MD5=754e21482baf18b8b0ed0f4be462ba03*", "*MD5=c4a517a02ba9f6eac5cf06e3629cc076*", "*MD5=32282e07db321e8d7849f2287bb6a14f*", "*MD5=32b67a6cd6dd998b9f563ed13d54a8bc*", "*MD5=3359e1d4244a7d724949c63e89689ef8*", "*MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0*", "*MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6*", "*MD5=a90236e4962620949b720f647a91f101*", 
"*MD5=ccde8c94439f9fc9c42761e4b9a23d97*", "*MD5=68caf620ef8deaf06819cf8c80d3367b*", "*MD5=5fec28e8f4f76e5ede24beb32a32b9d7*", "*MD5=e8eac6642b882a6196555539149c73f2*", "*MD5=aa98b95f5cbae8260122de06a215ee10*", "*MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80*", "*MD5=abc168fdca7169bf9dc40cec9761018d*", "*MD5=7f9309f5e4defec132b622fadbcad511*", "*MD5=4748696211bd56c2d93c21cab91e82a5*", "*MD5=48394dce30bb8da5ae089cb8f41b86dc*", "*MD5=65f800e1112864bf41eb815649f428d5*", "*MD5=bd25be845c151370ff177509d95d5add*", "*MD5=a37ed7663073319d02f2513575a22995*", "*MD5=2c39f6172fbc967844cac12d7ab2fa55*", "*MD5=491aec2249ad8e2020f9f9b559ab68a8*", "*MD5=1e0eb80347e723fa31fce2abb0301d44*", "*MD5=a26363e7b02b13f2b8d697abb90cd5c3*", "*MD5=4118b86e490aed091b1a219dba45f332*", "*MD5=6d131a7462e568213b44ef69156f10a5*", "*MD5=10c2ea775c9e76e7774ab89e38f38287*", "*SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79*", "*SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23*", "*SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe*", "*SHA1=af42afda54d150810a60baa7987f9f09d49d1317*", "*SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7*", "*SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462*", "*SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7*", "*SHA1=e730eb971ecb493b69de2308b6412836303f733a*", "*SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca*", "*SHA1=5fef884a901e81ac173d63ade3f5c51694decf74*", "*SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc*", "*SHA1=6451522b1fb428e549976d0742df5034f8124b17*", "*SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a*", "*SHA1=cc65bf60600b64feece5575f21ab89e03a728332*", "*SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166*", "*SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a*", "*SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3*", "*SHA1=c42178977bd7bbefe084da0129ed808cb7266204*", "*SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333*", "*SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee*", "*SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837*", "*SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf*", 
"*SHA1=7638c048af5beae44352764390deea597cc3e7b1*", "*SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5*", "*SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2*", "*SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87*", "*SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e*", "*SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d*", "*SHA1=505546d82aab56889a923004654b9afdec54efe6*", "*SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a*", "*SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383*", "*SHA1=844d7bcd1a928d340255ff42971cca6244a459bf*", "*SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f*", "*SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684*", "*SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e*", "*SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84*", "*SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285*", "*SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6*", "*SHA1=607387cc90b93d58d6c9a432340261fde846b1d9*", "*SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07*", "*SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6*", "*SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6*", "*SHA1=b8b123a413b7bccfa8433deba4f88669c969b543*", "*SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509*", "*SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22*", "*SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d*", "*SHA1=a111dc6ae5575977feba71ee69b790e056846a02*", "*SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3*", "*SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2*", "*SHA1=0de86ec7d7f16a3680df89256548301eed970393*", "*SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2*", "*SHA1=0883a9c54e8442a551994989db6fc694f1086d41*", "*SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16*", "*SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10*", "*SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09*", "*SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c*", "*SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39*", "*SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c*", "*SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f*", "*SHA1=994dc79255aeb662a672a1814280de73d405617a*", "*SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1*", 
"*SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5*", "*SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b*", "*SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61*", "*SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9*", "*SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7*", "*SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b*", "*SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd*", "*SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2*", "*SHA1=17fa047c1f979b180644906fe9265f21af5b0509*", "*SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3*", "*SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a*", "*SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048*", "*SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f*", "*SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b*", "*SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527*", "*SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130*", "*SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d*", "*SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1*", "*SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a*", "*SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08*", "*SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec*", "*SHA1=73bac306292b4e9107147db94d0d836fdb071e33*", "*SHA1=9382981b05b1fb950245313992444bfa0db5f881*", "*SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3*", "*SHA1=9c36600c2640007d3410dea8017573a113374873*", "*SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb*", "*SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7*", "*SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab*", "*SHA1=cb25a5125fb353496b59b910263209f273f3552d*", "*SHA1=a5f1b56615bdaabf803219613f43671233f2001c*", "*SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38*", "*SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7*", "*SHA1=632c80a3c95cf589b03812539dea59594eaefae0*", "*SHA1=e6966e360038be3b9d8c9b2582eba4e263796084*", "*SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab*", "*SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51*", "*SHA1=80e4808a7fe752cac444676dbbee174367fa2083*", "*SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0*", "*SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2*", 
"*SHA1=3825ebb0b0664b5f0789371240f65231693be37d*", "*SHA1=de9469a5d01fb84afd41d176f363a66e410d46da*", "*SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b*", "*SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff*", "*SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5*", "*SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358*", "*SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405*", "*SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8*", "*SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2*", "*SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed*", "*SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe*", "*SHA1=9481cd590c69544c197b4ee055056302978a7191*", "*SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da*", "*SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b*", "*SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5*", "*SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4*", "*SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25*", "*SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc*", "*SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457*", "*SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d*", "*SHA1=f6793243ad20359d8be40d3accac168a15a327fb*", "*SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1*", "*SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8*", "*SHA1=10115219e3595b93204c70eec6db3e68a93f3144*", "*SHA1=161bae224cf184ed6c09c77fae866d42412c6d25*", "*SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82*", "*SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d*", "*SHA1=745335bcdf02fb42df7d890a24858e16094f48fd*", "*SHA1=2a202830db58d5e942e4f6609228b14095ed2cab*", "*SHA1=0167259abd9231c29bec32e6106ca93a13999f90*", "*SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167*", "*SHA1=613a9df389ad612a5187632d679da11d60f6046a*", "*SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514*", "*SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86*", "*SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d*", "*SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb*", "*SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812*", "*SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528*", "*SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3*", 
"*SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d*", "*SHA1=552730553a1dea0290710465fb8189bdd0eaad42*", "*SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35*", "*SHA1=07f282db28771838d0e75d6618f70d76acfe6082*", "*SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e*", "*SHA1=22c9da04847c26188226c3a345e2126ef00aa19e*", "*SHA1=43501832ce50ccaba2706be852813d51de5a900f*", "*SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542*", "*SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde*", "*SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc*", "*SHA1=928b5971a0f7525209d599e2ef15c31717047022*", "*SHA1=b5696e2183d9387776820ef3afa388200f08f5a6*", "*SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2*", "*SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3*", "*SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774*", "*SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945*", "*SHA1=064de88dbbea67c149e779aac05228e5405985c7*", "*SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7*", "*SHA1=98130128685c8640a8a8391cb4718e98dd8fe542*", "*SHA1=a5914161f8a885702427cf75443fb08d28d904f0*", "*SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad*", "*SHA1=fff4f28287677caabc60c8ab36786c370226588d*", "*SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5*", "*SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2*", "*SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda*", "*SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4*", "*SHA1=87e20486e804bfff393cc9ad9659858e130402a2*", "*SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c*", "*SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9*", "*SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a*", "*SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0*", "*SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b*", "*SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6*", "*SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b*", "*SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c*", "*SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a*", "*SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed*", "*SHA1=76568d987f8603339b8d1958f76de2b957811f66*", "*SHA1=e841c8494b715b27b33be6f800ca290628507aba*", 
"*SHA1=b555aad38df7605985462f3899572931ee126259*", "*SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1*", "*SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327*", "*SHA1=bb6ef5518df35d9508673d5011138add8c30fc27*", "*SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b*", "*SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307*", "*SHA1=34b677fba9dcab9a9016332b3332ce57f5796860*", "*SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d*", "*SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e*", "*SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2*", "*SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72*", "*SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5*", "*SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a*", "*SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef*", "*SHA1=18693de1487c55e374b46a7728b5bf43300d4f69*", "*SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98*", "*SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c*", "*SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5*", "*SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8*", "*SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c*", "*SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196*", "*SHA1=e42bd2f585c00a1d6557df405246081f89542d15*", "*SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9*", "*SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd*", "*SHA1=948368fe309652e8d88088d23e1df39e9c2b6649*", "*SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d*", "*SHA1=1f25f54e9b289f76604e81e98483309612c5a471*", "*SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d*", "*SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d*", "*SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09*", "*SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f*", "*SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652*", "*SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad*", "*SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c*", "*SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a*", "*SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b*", "*SHA1=d02403f85be6f243054395a873b41ef8a17ea279*", "*SHA1=4da007dd298723f920e194501bb49bab769dfb14*", "*SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a*", 
"*SHA1=221717a48ee8e2d19470579c987674f661869e17*", "*SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa*", "*SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56*", "*SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375*", "*SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3*", "*SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe*", "*SHA1=6d09d826581baa1817be6fbd44426db9b05f1909*", "*SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e*", "*SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631*", "*SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997*", "*SHA1=0320534df24a37a245a0b09679a5adb27018fb5f*", "*SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0*", "*SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef*", "*SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202*", "*SHA1=062457182ab08594c631a3f897aeb03c6097eb77*", "*SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25*", "*SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670*", "*SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e*", "*SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5*", "*SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b*", "*SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739*", "*SHA1=020580278d74d0fe741b0f786d8dca7554359997*", "*SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677*", "*SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4*", "*SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7*", "*SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d*", "*SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f*", "*SHA1=c257aa4094539719a3c7b7950598ef872dbf9518*", "*SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49*", "*SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e*", "*SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c*", "*SHA1=86f34eaea117f629297218a4d196b5729e72d7b9*", "*SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0*", "*SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7*", "*SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8*", "*SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb*", "*SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a*", 
"*SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb*", "*SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d*", "*SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2*", "*SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a*", "*SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212*", "*SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b*", "*SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac*", "*SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1*", "*SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76*", "*SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421*", "*SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316*", "*SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47*", "*SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03*", "*SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c*", "*SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553*", "*SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87*", "*SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330*", "*SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852*", "*SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304*", "*SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931*", "*SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d*", "*SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c*", "*SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736*", "*SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830*", "*SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104*", 
"*SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a*", "*SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a*", "*SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a*", "*SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0*", "*SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392*", "*SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd*", "*SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee*", "*SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01*", "*SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254*", "*SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231*", "*SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39*", "*SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d*", "*SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1*", "*SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae*", "*SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4*", "*SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50*", "*SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9*", "*SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212*", "*SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25*", "*SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09*", "*SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1*", "*SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99*", "*SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae*", "*SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475*", "*SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2*", 
"*SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c*", "*SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb*", "*SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db*", "*SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2*", "*SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c*", "*SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b*", "*SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c*", "*SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217*", "*SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597*", "*SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37*", "*SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4*", "*SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376*", "*SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a*", "*SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e*", "*SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a*", "*SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25*", "*SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be*", "*SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7*", "*SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a*", "*SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c*", "*SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987*", "*SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f*", "*SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad*", "*SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e*", "*SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5*", 
"*SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b*", "*SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa*", "*SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972*", "*SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a*", "*SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46*", "*SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f*", "*SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4*", "*SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8*", "*SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6*", "*SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21*", "*SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894*", "*SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd*", "*SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62*", "*SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e*", "*SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff*", "*SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b*", "*SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870*", "*SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640*", "*SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530*", "*SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd*", "*SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550*", "*SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9*", "*SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b*", "*SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c*", "*SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988*", 
"*SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875*", "*SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263*", "*SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4*", "*SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280*", "*SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9*", "*SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12*", "*SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe*", "*SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b*", "*SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f*", "*SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a*", "*SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719*", "*SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908*", "*SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de*", "*SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc*", "*SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a*", "*SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427*", "*SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653*", "*SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919*", "*SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad*", "*SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920*", "*SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77*", "*SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e*", "*SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105*", "*SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2*", "*SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa*", 
"*SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112*", "*SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4*", "*SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff*", "*SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3*", "*SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925*", "*SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6*", "*SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878*", "*SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59*", "*SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66*", "*SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280*", "*SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7*", "*SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167*", "*SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a*", "*SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7*", "*SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec*", "*SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620*", "*SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f*", "*SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905*", "*SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3*", "*SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b*", "*SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab*", "*SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc*", "*SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968*", "*SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28*", "*SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0*", 
"*SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93*", "*SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12*", "*SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8*", "*SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895*", "*SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3*", "*SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f*", "*SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be*", "*SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8*", "*SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f*", "*SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe*", "*SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4*", "*SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5*", "*SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af*", "*SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40*", "*SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6*", "*SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d*", "*SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a*", "*SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96*", "*SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497*", "*SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2*", "*SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce*", "*SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96*", "*SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576*", "*SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80*", "*SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266*", 
"*SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724*", "*SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee*", "*SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b*", "*SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f*", "*SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e*", "*SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1*", "*SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952*", "*SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da*", "*SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e*", "*SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463*", "*SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7*", "*SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0*", "*SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1*", "*SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9*", "*SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a*", "*SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85*", "*SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac*", "*SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873*", "*SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7*", "*SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38*", "*SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c*", "*SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c*", "*SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524*", "*SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51*", "*SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df*", 
"*SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601*", "*SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7*", "*SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3*", "*SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19*", "*SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55*", "*SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe*", "*SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85*", "*SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1*", "*SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06*", "*SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c*", "*SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3*", "*SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55*", "*SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778*", "*SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6*", "*SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6*", "*SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43*", "*SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3*", "*SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7*", "*SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715*", "*SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434*", "*SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0*", "*SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f*", "*SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327*", "*SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d*", "*SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021*", 
"*SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4*", "*SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15*", "*SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f*", "*SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2*", "*SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677*", "*SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d*", "*SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d*", "*SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f*", "*SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57*", "*SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc*", "*SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c*", "*SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35*", "*SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440*", "*IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7*", "*IMPHASH=7641a0c227f0a3a45b80bb8af43cd152*", "*IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c*", "*IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d*", "*IMPHASH=beceab354c66949088c9e5ed1f1ff2a4*", "*IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626*", "*IMPHASH=420625b024fba72a24025defdf95b303*", "*IMPHASH=65ccc2c578a984c31880b6c5e65257d3*", "*IMPHASH=e717abe060bc5c34925fe3120ac22f45*", "*IMPHASH=41113a3a832353963112b94f4635a383*", "*IMPHASH=3866dd9fe63de457bdbf893bf7050ddf*", "*IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4*", "*IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca*", "*IMPHASH=c9a6e83d931286d1604d1add8403e1e5*", "*IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372*", "*IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f*", "*IMPHASH=8e35c9460537092672b3c7c14bccc7e0*", "*IMPHASH=7bf14377888c429897eb10a85f70266c*", "*IMPHASH=b351627263648b1d220bb488e7ec7202*", "*IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a*", "*IMPHASH=a7bd820fa5b895fab06f20739c9f24b8*", 
"*IMPHASH=be0dd8b8e045356d600ee55a64d9d197*", "*IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8*", "*IMPHASH=6c8d5c79a850eecc2fb0291cebda618d*", "*IMPHASH=c32d9a9af7f702814e1368c689877f3a*", "*IMPHASH=6b387c029257f024a43a73f38afb2629*", "*IMPHASH=df43355c636583e56e92142dcc69cc58*", "*IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd*", "*IMPHASH=c214aac08575c139e48d04f5aee21585*", "*IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7*", "*IMPHASH=059c6bd84285f4960e767f032b33f19b*", "*IMPHASH=a09170ef09c55cdca9472c02cb1f2647*", "*IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a*", "*IMPHASH=0262d4147f21d681f8519ab2af79283f*", "*IMPHASH=832219eb71b8bdb771f1d29d27b0acf4*", "*IMPHASH=514298d18002920ee5a917fc34426417*", "*IMPHASH=26ceec6572c630bdad60c984e51b7da4*", "*IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90*", "*IMPHASH=4b47f6031c558106eee17655f8f8a32f*", "*IMPHASH=a6c4a7369500900fc172f9557cff22cf*", "*IMPHASH=3b49942ec6cef1898e97f741b2b5df8a*", "*IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511*", "*IMPHASH=27f6dc8a247a22308dd1beba5086b302*", "*IMPHASH=7d017945bf90936a6c40f73f91ed02c2*", "*IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97*", "*IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e*", "*IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9*", "*IMPHASH=87fd2b54ed568e2294300e164b8c46f7*", "*IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a*", "*IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff*", "*IMPHASH=2a008187d4a73284ddcc43f1b727b513*", "*IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127*", "*IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4*", "*IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4*", "*IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771*") | fields - _raw | collect index=notable_events source="Malicious Driver Load" marker="guid=05296024-fe8a-4baf-8f3d-9a5f5624ceb2,tags=attack.privilege-escalation,tags=attack.t1543.003,tags=attack.t1068,"
+[Vulnerable Driver Load]
+description = Detects loading of known vulnerable drivers via their hash. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=6 Hashes IN ("*MD5=c996d7971c49252c582171d9380360f2*", "*MD5=da7e98b23b49b7293ee06713032c74f6*", "*MD5=9496585198d726000ea505abc39dbfe9*", "*MD5=649ff59b8e571c1fc6535b31662407aa*", "*MD5=4429f85e2415742c7cf8c9f54905c4b9*", "*MD5=a610cd4c762b5af8575285dafb9baa8f*", "*MD5=d5e76d125d624f8025d534f49e3c4162*", "*MD5=9c8fffef24fc480917236f9a20b80a47*", "*MD5=65b979bcab915c3922578fe77953d789*", "*MD5=598f8fb2317350e5f90b7bd16baf5738*", "*MD5=6691e873354f1914692df104718eebad*", "*MD5=4814205270caa80d35569eee8081838e*", "*MD5=7f9128654c3def08c28e0e13efff0fee*", "*MD5=ce952204558ea66ec1a9632dcbdde8bd*", "*MD5=0c0195c48b6b8582fa6f6373032118da*", "*MD5=370a4ca29a7cf1d6bc0744afc12b236c*", "*MD5=67e03f83c503c3f11843942df32efe5a*", "*MD5=8a70921638ff82bb924456deadcd20e6*", "*MD5=8a212a246b3c41f3ddce5888aaaaacd6*", "*MD5=a346417e9ae2c17a8fbf73302eeb611d*", "*MD5=d4f7c14e92b36c341c41ae93159407dd*", "*MD5=748cf64b95ca83abc35762ad2c25458f*", "*MD5=79ab228766c76cfdf42a64722821711e*", "*MD5=ce67e51b8c0370d1bfe421b79fa8b656*", "*MD5=25190f667f31318dd9a2e36383d5709f*", "*MD5=1f263a57c5ef46c8577744ecb32c9548*", "*MD5=c6cfa2d6e4c443e673c2c12417ea3001*", "*MD5=cceb3a7e3bd0203c807168b393a65a74*", "*MD5=56b54823a79a53747cbe11f8c4db7b1e*", "*MD5=988dabdcf990b134b0ac1e00512c30c4*", "*MD5=09e77d71d626574e6142894caca6e6dd*", "*MD5=c832a4313ff082258240b61b88efa025*", "*MD5=44499d3cab387aa78a4a6eca2ac181fb*", "*MD5=6ff59faea912903af0ba8e80e58612bc*", "*MD5=7461f0f9b931044a9d5f1d44eb4e8e09*", "*MD5=08bac71557df8a9b1381c8c165f64520*", "*MD5=fea9319d67177ed6f36438d2bd9392fb*", "*MD5=6dd82d91f981893be57ff90101a7f7f1*", "*MD5=d4119a5cb07ce945c6549eae74e39731*", "*MD5=cf1113723e3c1c71af80d228f040c198*", "*MD5=0e625b7a7c3f75524e307b160f8db337*", "*MD5=6e1faeee0ebfcb384208772410fe1e86*", "*MD5=58a92520dda53166e322118ee0503364*", "*MD5=916ba55fc004b85939ee0cc86a5191c5*", 
"*MD5=f16b44cca74d3c3645e4c0a6bb5c0cb9*", "*MD5=db2fc89098ac722dabe3c37ed23de340*", "*MD5=6f5cf7feb9bb8108b68f169b8e625ffe*", "*MD5=d2588631d8aae2a3e54410eaf54f0679*", "*MD5=72acbdd8fac58b71b301980eab3ebfc8*", "*MD5=9cc757a18b86408efc1ce3ed20cbcdac*", "*MD5=230fd3749904ca045ea5ec0aa14006e9*", "*MD5=79329e2917623181888605bc5b302711*", "*MD5=3e4a1384a27013ab7b767a88b8a1bd34*", "*MD5=bafd6bad121e42f940a0b8abc587eadf*", "*MD5=02a1d77ef13bd41cad04abcce896d0b9*", "*MD5=de331f863627dc489f547725d7292bbd*", "*MD5=29122f970a9e766ef01a73e0616d68b3*", "*MD5=2b8814cff6351c2b775387770053bdec*", "*MD5=332db70d2c5c332768ab063ba6ac8433*", "*MD5=40f39a98fb513411dacdfc5b2d972206*", "*MD5=644d687c9f96c82ea2974ccacd8cd549*", "*MD5=825703c494e0d270f797f1ecf070f698*", "*MD5=afae2a21e36158f5cf4f76f896649c75*", "*MD5=dd050e79c515e4a6d1ae36cac5545025*", "*MD5=6133e1008f8c6fc32d4b1a60941bab85*", "*MD5=0e2fc7e7f85c980eb698b9e468c20366*", "*MD5=94c80490b02cc655d2d80597c3aef08f*", "*MD5=4d487f77be4471900d6ccbc47242cc25*", "*MD5=2e3dbb01b282a526bdc3031e0663c41c*", "*MD5=93a23503e26773c27ed1da06bb79e7a4*", "*MD5=ffd0c87d9bf894af26823fbde94c71b6*", "*MD5=a86150f2e29b35369afa2cafd7aa9764*", "*MD5=6126065af2fc2639473d12ee3c0c198e*", "*MD5=c1d3a6bb423739a5e781f7eee04c9cfd*", "*MD5=f0db5af13c457a299a64cf524c64b042*", "*MD5=e5e8ecb20bc5630414707295327d755e*", "*MD5=659a59d7e26b7730361244e12201378e*", "*MD5=8f47af49c330c9fcf3451ad2252b9e04*", "*MD5=dd9596c18818288845423c68f3f39800*", "*MD5=a7d3ebfb3843ee28d9ca18b496bd0eb2*", "*MD5=20125794b807116617d43f02b616e092*", "*MD5=46cae59443ae41f4dbb42e050a9b501a*", "*MD5=21e13f2cb269defeae5e1d09887d47bb*", "*MD5=5bab40019419a2713298a5c9173e5d30*", "*MD5=7314c2bc19c6608d511ef36e17a12c98*", "*MD5=24061b0958874c1cb2a5a8e9d25482d4*", "*MD5=31a4631d77b2357ac9618e2a60021f11*", "*MD5=130c5aec46bdec8d534df7222d160fdb*", "*MD5=592065b29131af32aa18a9e546be9617*", "*MD5=2d64d681d79e0d26650928259530c075*", "*MD5=1ce19950e23c975f677b80ff59d04fae*", 
"*MD5=318e309e11199ec69d8928c46a4d901b*", "*MD5=d78a29306f42d42cd48ad6bc6c6a7602*", "*MD5=6a094d8e4b00dd1d93eb494099e98478*", "*MD5=0be80db5d9368fdb29fe9d9bfdd02e7c*", "*MD5=ba23266992ad964eff6d358d946b76bd*", "*MD5=560069dc51d3cc7f9cf1f4e940f93cae*", "*MD5=a785b3bc4309d2eb111911c1b55e793f*", "*MD5=ac591a3b4df82a589edbb236263ec70a*", "*MD5=a664904f69756834049e9e272abb6fea*", "*MD5=19f32bf24b725f103f49dc3fa2f4f0bd*", "*MD5=2509a71a02296aa65a3428ddfac22180*", "*MD5=9988fc825675d4d3e2298537fc78e303*", "*MD5=dab9142dc12480bb39f25c9911df6c6c*", "*MD5=2c47725db0c5eb5c2ecc32ff208bceb6*", "*MD5=bdfe1f0346c066971e1f3d96f7fdaa2c*", "*MD5=7644bed8b74dc294ac77bf406df8ad77*", "*MD5=9ade14e58996a6abbfe2409d6cddba6a*", "*MD5=5212e0957468d3f94d90fa7a0f06b58f*", "*MD5=96e10a2904fff9491762a4fb549ad580*", "*MD5=0c55128c301921ce71991a6d546756ad*", "*MD5=97e90c869b5b0f493b833710931c39ed*", "*MD5=f36b8094c2fbf57f99870bfaeeacb25c*", "*MD5=b3d6378185356326fd8ee4329b0b7698*", "*MD5=9321a61a25c7961d9f36852ecaa86f55*", "*MD5=f758e7d53184faab5bc51f751937fa36*", "*MD5=1f7b2a00fe0c55d17d1b04c5e0507970*", "*MD5=239224202ccdea1f09813a70be8413ee*", "*MD5=996ded363410dfd38af50c76bd5b4fbc*", "*MD5=0fc2653b1c45f08ca0abd1eb7772e3c0*", "*MD5=79b8119b012352d255961e76605567d6*", "*MD5=2e1f8a2a80221deb93496a861693c565*", "*MD5=697bbd86ee1d386ae1e99759b1e38919*", "*MD5=ddc2ffe0ab3fcd48db898ab13c38d88d*", "*MD5=2971d4ee95f640d2818e38d8877c8984*", "*MD5=962a33a191dbe56915fd196e3a868cf0*", "*MD5=7575b35fee4ec8dbd0a61dbca3b972e3*", "*MD5=2d7f1c02b94d6f0f3e10107e5ea8e141*", "*MD5=057ec65bac5e786affeb97c0a0d1db15*", "*MD5=483abeee17e4e30a760ec8c0d6d31d6d*", "*MD5=f23b2adcfab58e33872e5c2d0041ad88*", "*MD5=2601cf769ad6ffee727997679693f774*", "*MD5=b4598c05d5440250633e25933fff42b0*", "*MD5=2e5f016ff9378be41fe98fa62f99b12d*", "*MD5=75d6c3469347de1cdfa3b1b9f1544208*", "*MD5=828bb9cb1dd449cd65a29b18ec46055f*", "*MD5=1bd38ac06ef8709ad23af666622609c9*", "*MD5=e747f164fc89566f934f9ec5627cd8c3*", 
"*MD5=a01c412699b6f21645b2885c2bae4454*", "*MD5=a216803d691d92acc44ac77d981aa767*", "*MD5=112b4a6d8c205c1287c66ad0009c3226*", "*MD5=68dde686d6999ad2e5d182b20403240b*", "*MD5=2d854c6772f0daa8d1fde4168d26c36b*", "*MD5=9a9dbf5107848c254381be67a4c1b1dd*", "*MD5=3ecd3ca61ffc54b0d93f8b19161b83da*", "*MD5=1ad400766530669d14a077514599e7f3*", "*MD5=4f27c09cc8680e06b04d6a9c34ca1e08*", "*MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d*", "*MD5=043d5a1fc66662a3f91b8a9c027f9be9*", "*MD5=a0e2223868b6133c5712ba5ed20c3e8a*", "*MD5=2b3e0db4f00d4b3d0b4d178234b02e72*", "*MD5=1610342659cb8eb4a0361dbc047a2221*", "*MD5=c842827d4704a5ef53a809463254e1cc*", "*MD5=bf2a954160cb155df0df433929e9102b*", "*MD5=81b72492d45982cd7a4a138676329fd6*", "*MD5=2a2867e1f323320fdeef40c1da578a9a*", "*MD5=b3f132ce34207b7be899f4978276b66d*", "*MD5=3247014ba35d406475311a2eab0c4657*", "*MD5=88d5fc86f0dd3a8b42463f8d5503a570*", "*MD5=0be5c6476dd58072c93af4fca62ee4b3*", "*MD5=3cf7a55ec897cc938aebb8161cb8e74f*", "*MD5=931d4f01b5a88027ef86437f1b862000*", "*MD5=d253c19194a18030296ae62a10821640*", "*MD5=c5f5d109f11aadebae94c77b27cb026f*", "*MD5=15dd3ef7df34f9b464e9b38c2deb0793*", "*MD5=e913a51f66e380837ffe8da6707d4cc4*", "*MD5=c552dae8eaadd708a38704e8d62cf64d*", "*MD5=1f8a9619ab644728ce4cf86f3ad879ea*", "*MD5=f7edd110de10f9a50c2922f1450819aa*", "*MD5=be17a598e0f5314748ade0871ad343e7*", "*MD5=aa1ed3917928f04d97d8a217fe9b5cb1*", "*MD5=880686bceaf66bfde3c80569eb1ebfa7*", "*MD5=bc1eeb4993a601e6f7776233028ac095*", "*MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3*", "*MD5=3a1ba5cd653a9ddce30c58e7c8ae28ae*", "*MD5=5054083cf29649a76c94658ba7ff5bce*", "*MD5=dedd07993780d973c22c93e77ab69fa3*", "*MD5=3aacaa62758fa6d178043d78ba89bebc*", "*MD5=f1a203406a680cc7e4017844b129dcbf*", "*MD5=2399e6f7f868d05623be03a616b4811e*", "*MD5=0d5774527af6e30905317839686b449d*", "*MD5=5bbe4e52bd33f1cdd4cf38c7c65f80ae*", "*MD5=047c06d4d38ea443c9af23a501c4480d*", "*MD5=a72e10ecea2fdeb8b9d4f45d0294086b*", "*MD5=c9c25778efe890baa4087e32937016a0*", 
"*MD5=0ba6afe0ea182236f98365bd977adfdf*", "*MD5=e626956c883c7ff3aeb0414570135a58*", "*MD5=3e796eb95aca7e620d6a0c2118d6871b*", "*MD5=f3f5c518bc3715492cb0b7c59e94c357*", "*MD5=4e92f1c677e08fd09b57032c5b47ca46*", "*MD5=f22740ba54a400fd2be7690bb204aa08*", "*MD5=3467b0d996251dc56a72fc51a536dd6b*", "*MD5=198b723e13a270bb664dcb9fb6ed42e6*", "*MD5=bdc3b6b83dde7111d5d6b9a2aadf233f*", "*MD5=3651a6990fe38711ebb285143f867a43*", "*MD5=7db75077d53a63531ef2742d98ca6acc*", "*MD5=55c36d43dd930069148008902f431ea5*", "*MD5=f026460a7a720d0b8394f28a1f9203dc*", "*MD5=cb22776d06f1e81cc87faeb0245acde8*", "*MD5=b994110f069d197222508a724d8afdac*", "*MD5=e6eaee1b3e41f404c289e22df66ef66b*", "*MD5=29872c7376c42e2a64fa838dad98aa11*", "*MD5=d21fba3d09e5b060bd08796916166218*", "*MD5=880611326b768c4922e9da8a8effc582*", "*MD5=9c3c250646e11052b1e38500ee0e467b*", "*MD5=178cc9403816c082d22a1d47fa1f9c85*", "*MD5=2c1045bb133b7c9f5115e7f2b20c267a*", "*MD5=707ab1170389eba44ffd4cfad01b5969*", "*MD5=ddf2655068467d981242ea96e3b88614*", "*MD5=7907e14f9bcf3a4689c9a74a1a873cb6*", "*MD5=b3424a229d845a88340045c29327c529*", "*MD5=0b0447072ada1636a14087574a512c82*", "*MD5=0be4a11bc261f3cd8b4dbfebee88c209*", "*MD5=7dd538bcaa98d6c063ead8606066333f*", "*MD5=8a108158431e9a7d08e330fd7a46d175*", "*MD5=e6ea0e8d2edcc6cad3c414a889d17ac4*", "*MD5=288471f132c7249f598032d03575f083*", "*MD5=11fb599312cb1cf43ca5e879ed6fb71e*", "*MD5=2348508499406dec3b508f349949cb51*", "*MD5=fe820a5f99b092c3660762c6fc6c64e0*", "*MD5=c508d28487121828c3a1c2b57acb05be*", "*MD5=91755cc5c3ccf97313dc2bece813b4d9*", "*MD5=2f8653034a35526df88ea0c62b035a42*", "*MD5=3dbf69f935ea48571ea6b0f5a2878896*", "*MD5=7e3a6f880486a4782b896e6dbd9cc26f*", "*MD5=2850608430dd089f24386f3336c84729*", "*MD5=a711e6ab17802fabf2e69e0cd57c54cd*", "*MD5=2eec12c17d6b8deeeac485f47131d150*", "*MD5=e7ab83a655b0cd934a19d94ac81e4eec*", "*MD5=a91a1bc393971a662a3210dac8c17dfd*", "*MD5=2fed983ec44d1e7cffb0d516407746f2*", "*MD5=18439fe2aaeddfd355ef88091cb6c15f*", 
"*MD5=592756f68ab8ae590662b0c4212a3bb9*", "*MD5=d63c9c1a427a134461258b7b8742858f*", "*MD5=6e25148bb384469f3d5386dc5217548a*", "*MD5=700d6a0331befd4ed9cfbb3234b335e7*", "*MD5=e68972cd9f28f0be0f9df7207aba9d1d*", "*MD5=b2a9ac0600b12ec9819e049d7a6a0b75*", "*MD5=c796a92a66ec725b7b7febbdc13dc69b*", "*MD5=5b6c21e8366220f7511e6904ffeeced9*", "*MD5=8741e6df191c805028b92cec44b1ba88*", "*MD5=b47dee29b5e6e1939567a926c7a3e6a4*", "*MD5=dff6c75c9754a6be61a47a273364cdf7*", "*MD5=d86269ba823c9ecf49a145540cd0b3df*", "*MD5=3c55092900343d3d28564e2d34e7be2c*", "*MD5=fef9dd9ea587f8886ade43c1befbdafe*", "*MD5=96c5900331bd17344f338d006888bae5*", "*MD5=7e7e3f5532b6af24dcc252ac4b240311*", "*MD5=c6f8983dd3d75640c072a8459b8fa55a*", "*MD5=1caf5070493459ba029d988dbb2c7422*", "*MD5=2b653950483196f0d175ba6bc35f1125*", "*MD5=15814b675e9d08953f2c64e4e5ccb4f4*", "*MD5=de4001f89ed139d1ed6ae5586d48997a*", "*MD5=dc943bf367ae77016ae399df8e71d38a*", "*MD5=524cd77f4c100cf20af4004f740b0268*", "*MD5=e5f8fcdfb52155ed4dffd8a205b3d091*", "*MD5=925ee3f3227c3b63e141ba16bd83f024*", "*MD5=fbf729350ca08a7673b115ce9c9eb7e5*", "*MD5=eb0a8eeb444033ebf9b4b304f114f2c8*", "*MD5=c7a57cd4bea07dadba2e2fb914379910*", "*MD5=384370c812acb7181f972d57dc77c324*", "*MD5=d43dcba796b40234267ad2862fa52600*", "*MD5=b0954711c133d284a171dd560c8f492a*", "*MD5=262969a3fab32b9e17e63e2d17a57744*", "*MD5=05a6f843c43d75fbce8e885bb8656aa4*", "*MD5=992ded5b623be3c228f32edb4ca3f2d2*", "*MD5=13a0d3f9d5f39adaca0a8d3bb327eb31*", "*MD5=f5051c756035ef5de9c4c48bacb0612b*", "*MD5=1276f735d22cf04676a719edc6b0df18*", "*MD5=d4a299c595d35264b5cfd12490a138dc*", "*MD5=f4e1997192d5a95a38965c9e15c687fc*", "*MD5=05369fa594a033e48b7921018b3263fb*", "*MD5=ed07f1a8038596574184e09211dfc30f*", "*MD5=e1ebc6c5257a277115a7e61ee3e5e42f*", "*MD5=821adf5ba68fd8cc7f4f1bc915fe47de*", "*MD5=b12d1630fd50b2a21fd91e45d522ba3a*", "*MD5=729dd4df669dc96e74f4180c6ee2a64b*", "*MD5=c6b5a3ae07b165a6e5fff7e31ff91016*", "*MD5=e36f6f7401ae11e11f69d744703914db*", 
"*MD5=9ba7c30177d2897bb3f7b3dc2f95ae0a*", "*MD5=b5326548762bfaae7a42d5b0898dfeac*", "*MD5=f2f728d2f69765f5dfda913d407783d2*", "*MD5=637cf50b06bc53deae846b252d56bbdc*", "*MD5=c37b575c3a96b9788c26cefcf43f3542*", "*MD5=e4266262a77fffdea2584283f6c4f51d*", "*MD5=054299e09cea38df2b84e6b29348b418*", "*MD5=4cc3ddd5ae268d9a154a426af2c23ef9*", "*MD5=d717f8de642b65f029829c34fbd13a45*", "*MD5=e79c91c27df3eaf82fb7bd1280172517*", "*MD5=fd7de498a72b2daf89f321d23948c3c4*", "*MD5=6682176866d6bd6b4ea3c8e398bd3aae*", "*MD5=eb525d99a31eb4fff09814e83593a494*", "*MD5=e323413de3caec7f7730b43c551f26a0*", "*MD5=353e5d424668d785f13c904fde3bac84*", "*MD5=3b9698a9ee85f0b4edf150deef790ccd*", "*MD5=3f8cdaf7413000d34d6a1a1d5341a11b*", "*MD5=dcd966874b4c8c952662d2d16ddb4d7c*", "*MD5=3fda3d414c31ad73efd8ccceeaa3bdc2*", "*MD5=ca6931fcbc1492d7283aa9dc0149032e*", "*MD5=084bd27e151fef55b5d80025c3114d35*", "*MD5=7c887f2b1a56b84d86828529604957db*", "*MD5=c24800c382b38707e556af957e9e94fd*", "*MD5=f84da507b3067f019c340b737cd68d32*", "*MD5=d3026938514218766cb6d3b36ccfa322*", "*MD5=6917ef5d483ed30be14f8085eaef521b*", "*MD5=945ef111161bae49075107e5bc11a23f*", "*MD5=44a3b9cc0a8e89c11544932b295ea113*", "*MD5=6cc3c3be2de12310a35a6ab2aed141d6*", "*MD5=085d3423f3c12a17119920f1a293ab4d*", "*MD5=547971da89a47b6ad6459cd7d7854e12*", "*MD5=aa5dd4beca6f67733e04d9d050ecd523*", "*MD5=903c149851e9929ec45daefc544fcd99*", "*MD5=ba5f0f6347780c2ed911bbf888e75bef*", "*MD5=1873a2ce2df273d409c47094bc269285*", "*MD5=97e3a44ec4ae58c8cc38eefc613e950e*", "*MD5=1cb26adeca26aefb5a61065e990402da*", "*MD5=17fe96af33f1fe475957689aeb5f816e*", "*MD5=c5b8e612360277ac70aa328432a99fd6*", "*MD5=62f8d7f884366df6100c7e892e3d70bf*", "*MD5=a5deee418b7b580ca89db8a871dc1645*", "*MD5=5f44a01ccc530b34051b9d0ccb5bb842*", "*MD5=25ede0fd525a30d31998ea62876961ec*", "*MD5=1c61eb82f1269d8d6be8de2411133811*", "*MD5=338a98e1c27bc76f09331fcd7ae413a5*", "*MD5=f66b96aa7ae430b56289409241645099*", "*MD5=8ea94766cd7890483449dc193d267993*", 
"*MD5=75fa19142531cbf490770c2988a7db64*", "*MD5=ee3b74cdfed959782dff84153e3d5a6e*", "*MD5=fdf975524d4cdb4f127d79aac571ae9e*", "*MD5=688a10e87af9bcf0e40277d927923a00*", "*MD5=62792c30836ae7861c3ca2409cd35c02*", "*MD5=b62e2371158a082e239f5883bd6000d1*", "*MD5=1f01257d9730f805b2a1d69099ef891d*", "*MD5=b934322c68c30dceca96c0274a51f7b0*", "*MD5=76355d5eafdfa3e9b7580b9153de1f30*", "*MD5=9fdcd543574a712a80d62da8bfd8331c*", "*MD5=1440c0da81c700bd61142bc569477d81*", "*MD5=4c76554d9a72653c6156ca0024d21a8e*", "*MD5=148bd10da8c8d64928a213c7bf1f2fca*", "*MD5=95e4c7b0384da89dce8ea6f31c3613d9*", "*MD5=e6cb1728c50bd020e531d19a14904e1c*", "*MD5=62f02339fe267dc7438f603bfb5431a1*", "*MD5=0a4e6bd5cc2e9172e461408be47c3149*", "*MD5=28cb0b64134ad62c2acf77db8501a619*", "*MD5=4ecfb46fcdce95623f994bd29bbe59cb*", "*MD5=7ee0c884e7d282958c5b3a9e47f23e13*", "*MD5=dbc415304403be25ac83047c170b0ec2*", "*MD5=0c7f66cd219817eaab41f36d4bc0d4cd*", "*MD5=3c9c537167923723429c86ab38743e7d*", "*MD5=a57b47489febc552515778dd0fd1e51c*", "*MD5=680dcb5c39c1ec40ac3897bb3e9f27b9*", "*MD5=5f9785e7535f8f602cb294a54962c9e7*", "*MD5=e4ea7ebfa142d20a92fbe468a77eafa6*", "*MD5=32365e3e64d28cc94756ac9a09b67f06*", "*MD5=be9eeea2a8cac5f6cd92c97f234e2fe1*", "*MD5=5bd30b502168013c9ea03a5c2f1c9776*", "*MD5=ba21bfa3d05661ba216873a9ef66a6e2*", "*MD5=dad8f40626ed4702e0e8502562d93d7c*", "*MD5=8fbb1ffc6f13f9d5ee8480b36baffc52*", "*MD5=bedc99bbcedaf89e2ee1aa574c5a2fa4*", "*MD5=9dd414590e695ea208139c23db8a5aa3*", "*MD5=270052c61f4de95ebfbf3a49fb39235f*", "*MD5=19c0c18384d6a6d65462be891692df9c*", "*MD5=a26e600652c33dd054731b4693bf5b01*", "*MD5=8b779fe1d71839ad361226f66f1b3fe5*", "*MD5=8ad9dfc971df71cd43788ade6acf8e7d*", "*MD5=2dbc09c853c4bf2e058d29aaa21fa803*", "*MD5=13ee349c15ee5d6cf640b3d0111ffc0e*", "*MD5=fef60a37301e1f5a3020fa3487fb2cd7*", "*MD5=4353b713487a2945b823423bbbf709bd*", "*MD5=875c44411674b75feb07592aeffa09c1*", "*MD5=b971b79bdca77e8755e615909a1c7a9f*", "*MD5=ad03f225247b58a57584b40a4d1746d3*", 
"*MD5=2229d5a9a92b62df4df9cf51f48436f7*", "*MD5=5bb840db439eb281927588dbce5f5418*", "*MD5=fd80c3d38669b302de4b4b736941c0d1*", "*MD5=d1440503d1528c55fdc569678a663667*", "*MD5=d1e57c74bafa56e8e2641290d153f4d2*", "*MD5=c9b046a6961957cc6c93a5192d3e61e3*", "*MD5=ff795e4f387c3e22291083b7d6b92ffb*", "*MD5=782f165b1d2db23f78e82fee0127cc14*", "*MD5=002a58b90a589913a07012253662c98c*", "*MD5=0211ab46b73a2623b86c1cfcb30579ab*", "*MD5=d0a5b98788e480c12afc65ad3e6d4478*", "*MD5=d6cc5709aca6a6b868962a6506d48abc*", "*MD5=08001b0cdb0946433366032827d7a187*", "*MD5=8fc6cafd4e63a3271edf6a1897a892ae*", "*MD5=0e207ef80361b3d047a2358d0e2206b4*", "*MD5=b10b210c5944965d0dc85e70a0b19a42*", "*MD5=006d9d615cdcc105f642ab599b66f94e*", "*MD5=b32497762d916dba6c827e31205b67dd*", "*MD5=f766a9bb7cd46ba8c871484058f908f0*", "*MD5=546db985012d988e4482acfae4a935a8*", "*MD5=700e9902b0a28979724582f116288bad*", "*MD5=0395b4e0eb21693590ad1cfdf7044b8b*", "*MD5=d95c9a241e52b4f967fa4cdb7b99fc80*", "*MD5=ee91da973bebe6442527b3d1abcc3c80*", "*MD5=1a234f4643f5658bab07bfa611282267*", "*MD5=1898ceda3247213c084f43637ef163b3*", "*MD5=1b5c3c458e31bede55145d0644e88d75*", "*MD5=42132c7a755064f94314b01afb80e73c*", "*MD5=1b76363059fef4f7da752eb0dfb0c1e1*", "*MD5=cc8855fe30a9cdef895177a4cf1a3dad*", "*MD5=6d4159694e1754f262e326b52a3b305a*", "*MD5=b7ca4c32c844df9b61634052ae276387*", "*MD5=361a598d8bb92c13b18abb7cac850b01*", "*MD5=27bcbeec8a466178a6057b64bef66512*", "*MD5=f310b453ac562f2c53d30aa6e35506bb*", "*MD5=14add4f16d80595e6e816abf038141e5*", "*MD5=ab53d07f18a9697139ddc825b466f696*", "*MD5=278761b706276f9b49e1e2fd21b9cb07*", "*MD5=60e84516c6ec6dfdae7b422d1f7cab06*", "*MD5=20afd54ca260e2bf6589fac72935fecf*", "*MD5=3ad7b36a584504b3c70b5f552ba33015*", "*MD5=9f3b5de6fe46429bed794813c6ae8421*", "*MD5=7b9717c608a5f5a1c816128a609e9575*", "*MD5=798de15f187c1f013095bbbeb6fb6197*", "*MD5=66066d9852bc65988fb4777f0ff3fbb4*", "*MD5=13dda15ef67eb265869fc371c72d6ef0*", "*MD5=63e333d64a8716e1ae59f914cb686ae8*", 
"*MD5=3411fdf098aa20193eee5ffa36ba43b2*", "*MD5=ad6d5177656dfc5b43def5d13d32f9f6*", "*MD5=97221e16e7a99a00592ca278c49ffbfc*", "*MD5=010c0e5ac584e3ab97a2daf84cf436f5*", "*MD5=29b1ddc69e89b160cc3722e5e0738fd8*", "*MD5=aad4fb47cb39a9ab4159662a29e1ee88*", "*MD5=4e093256b034925ecd6b29473ff16858*", "*MD5=51c233297c3aa16c4222e35ded1139b6*", "*MD5=9945823e9846724c70d2f8d66a403300*", "*MD5=aa2ef08d48b66bd814280976614468a7*", "*MD5=33fc573c0e8bedfe3614e17219273429*", "*MD5=c08063f052308b6f5882482615387f30*", "*MD5=c8c6fadcb7cb85f197ab77e6a7b67aa9*", "*MD5=3f29f651a3c4ff5ce16d61deccf46618*", "*MD5=08c1bce6627764c9f8c79439555c5636*", "*MD5=1da1cfe6aa15325c9ecf8f8c9b2cd12d*", "*MD5=c1d063c9422a19944cdaa6714623f2ec*", "*MD5=b0809d8adc254c52f9d06362489ce474*", "*MD5=a22626febc924eb219a953f1ee2b9600*", "*MD5=5a615f4641287e5e88968f5455627d45*", "*MD5=de2aac9468158c73880e31509924d7e0*", "*MD5=dd38cc344d2a0da1c03e92eb4b89a193*", "*MD5=c1fce7aac4e9dd7a730997e2979fa1e2*", "*MD5=0634299fc837b47b531e4762d946b2ae*", "*MD5=e4ff4edce076f21f5f8d082a62c9db8b*", "*MD5=43ed1d08c19626688db34f63e55114fb*", "*MD5=6c28461e78f8d908ca9a66bad2e212f7*", "*MD5=8aa9d47ec9a0713c56b6dec3d601d105*", "*MD5=c9390a8f3ca511c1306a039ca5d80997*", "*MD5=c60a4bc4fec820d88113afb1da6e4db3*", "*MD5=6b3abe55c4d39e305a11b4d1091dfaac*", "*MD5=f4a31e08f89e5f002ef3cf7b1224af5f*", "*MD5=d7cf689e6c63d37bc071499f687300dd*", "*MD5=7c0b186d1912686cfcb8cd9cdebabe58*", "*MD5=8cb2ffb8bb0bbf8cd0dd685611854637*", "*MD5=9b359b722ac80c4e0a5235264e1e0156*", "*MD5=09927915aba84c8acd91efdaac674b86*", "*MD5=e4b50e44d1f12a47e18259b41074f126*", "*MD5=0ec361f2fba49c73260af351c39ff9cb*", "*MD5=65ad6a7c43f8d566afd5676f9447b6c1*", "*MD5=ddb7da975d90b2a9c9c58e1af55f0285*", "*MD5=8291dcbcbccc2ce28195d04ac616a1b5*", "*MD5=2da269863ed99be7b6b8ec2adc710648*", "*MD5=2ab9f5a66d75adb01171bb04ab4380f2*", "*MD5=3a7c69293fcd5688cc398691093ec06a*", "*MD5=13a2b915f6d93e52505656773d53096f*", "*MD5=7bd840ff7f15df79a9a71fec7db1243e*", 
"*MD5=0a6a1c9a7f80a2a5dcced5c4c0473765*", "*MD5=a1547e8b2ca0516d0d9191a55b8536c0*", "*MD5=e04ff937f6fd273b774f23aed5dd8c13*", "*MD5=fac8eb49e2fd541b81fcbdeb98a199cb*", "*MD5=cb31f1b637056a3d374e22865c41e6d9*", "*MD5=c69c292e0b76b25a5fa0e16136770e11*", "*MD5=cebf532d1e3c109418687cb9207516ad*", "*MD5=eeb8e039f6d942538eb4b0252117899a*", "*MD5=4d99d02f49e027332a0a9c31c674e13b*", "*MD5=e9a30edef1105b8a64218f892b2e56ed*", "*MD5=dd04cd3de0c19bede84e9c95a86b3ca8*", "*MD5=70196d88c03f2ea557281b24dad85de5*", "*MD5=708ac9f7b12b6ca4553fd8d0c7299296*", "*MD5=cafbf85b902f189ba35f3d7823aad195*", "*MD5=d48f681f70e19d2fa521df63bc72ab9e*", "*MD5=6ae9d25e02b54367a4e93c2492b8b02e*", "*MD5=f14359ceb3705d77353b244bb795b552*", "*MD5=0d992b69029d1f23a872ff5a3352fb5b*", "*MD5=9993a2a45c745bb0139bf3e8decd626c*", "*MD5=6d67da13cf84f15f6797ed929dd8cf5d*", "*MD5=c2eb4539a4f6ab6edd01bdc191619975*", "*MD5=349fa788a4a7b57e37e426aca9b736d5*", "*MD5=4c016fd76ed5c05e84ca8cab77993961*", "*MD5=ea14899d1bfba397bc731770765768d1*", "*MD5=4ec08e0bcdf3e880e7f5a7d78a73440c*", "*MD5=e65fa439efa9e5ad1d2c9aee40c7238e*", "*MD5=0898af0888d8f7a9544ef56e5e16354e*", "*MD5=10e681ce84afdd642e59ddfdb28284e9*", "*MD5=b5f96dd5cc7d14a9860ab99d161bf171*", "*MD5=37c3a9fef349d13685ec9c2acaaeafce*", "*MD5=027e10a5048b135862d638b9085d1402*", "*MD5=b0baac4d6cbac384a633c71858b35a2e*", "*MD5=d0a5f9ace1f0c459cef714156db1de02*", "*MD5=b34361d151c793415ef92ee5d368c053*", "*MD5=f0fdfdf3303e2f7c141aa3a24d523af1*", "*MD5=d424f369f7e010249619f0ecbe5f3805*", "*MD5=639252292bb40b3f10f8a6842aee3cd4*", "*MD5=7e6e2ed880c7ab115fca68136051f9ce*", "*MD5=f8dce1eb0f9fcaf07f68fe290aa629e4*", "*MD5=fa222bed731713904320723b9c085b11*", "*MD5=aa69b4255e786d968adbd75ba5cf3e93*", "*MD5=06ffbb2cbf5ac9ef95773b4f5c4c896a*", "*MD5=00685003005b0b437af929f0499545e4*", "*MD5=85e606523ce390f7fcd8370d5f4b812a*", "*MD5=23cf3da010497eb2bf39a5c5a57e437c*", "*MD5=dc9be271f403e2278071d6ece408ff28*", "*MD5=6b16512bffe88146a7915f749bd81641*", 
"*MD5=c2585e2696e21e25c05122e37e75a947*", "*MD5=165178829b5587a628977bfca6fd6900*", "*MD5=24156523b923fd9dcfdd0ac684dcdb20*", "*MD5=750d1f07ea9d10b38a33636036c30cca*", "*MD5=fc90bcc43daa48882be359a17b71abf7*", "*MD5=09672532194b4bff5e0f7a7d782c7bf2*", "*MD5=212bfd1ef00e199a365aeb74a8182609*", "*MD5=e3d290406de40c32095bd76dc88179fb*", "*MD5=715572dfe6fb10b16f980bfa242f3fa5*", "*MD5=c8f88ca47b393da6acf87fa190e81333*", "*MD5=d0c2caa17c7b6d2200e1b5aa9d07135e*", "*MD5=16a8e8437b94d6207af2f25fd4801b6d*", "*MD5=7bdf418a65ec33ec8ff47e7de705a4e1*", "*MD5=31f34de4374a6ed0e70a022a0efa2570*", "*MD5=cfad9185ffcf5850b5810c28b24d5fc8*", "*MD5=6ba221afb17342a3c81245a4958516a2*", "*MD5=f44f6ec546850ceb796a2cb528928a91*", "*MD5=34a7fab63a4ed5a0b61eb204828e08e5*", "*MD5=a92bf3c219a5fa82087b6c31bdf36ff3*", "*MD5=fa0d1fca7c5b44ce3b799389434fcaa5*", "*MD5=affe4764d880e78b2afb2643b15b8d41*", "*MD5=f80ceb0dbb889663f0bee058b109ce0e*", "*MD5=25ebe6f757129adbe78ec312a5f1800b*", "*MD5=7f7b8cde26c4943c9465e412adbb790f*", "*MD5=bfe96411cf67edb3cee2b9894b910cd5*", "*MD5=6e2178dc5f9e37e6b4b6cbdaef1b12b1*", "*MD5=0420fa6704fd0590c5ce7176fdada650*", "*MD5=7ed6030f14e66e743241f2c1fa783e69*", "*MD5=61e8367fb57297a949c9a80c2e0e5a38*", "*MD5=7951fa3096c99295d681acb0742506bf*", "*MD5=bcd60bf152fdec05cd40562b466be252*", "*MD5=376b1e8957227a3639ec1482900d9b97*", "*MD5=7331720a5522d5cd972623326cf87a3f*", "*MD5=8e78ab9b9709bafb11695a0a6eddeff9*", "*MD5=8abbb12e61045984eda19e2dc77b235e*", "*MD5=0199a59af05d9986842ecbdee3884f0c*", "*MD5=729afa54490443da66c2685bd77cb1f0*", "*MD5=95c88d25e211a4d52a82c53e5d93e634*", "*MD5=aa55dd14064cb808613d09195e3ba749*", "*MD5=ef1afb3a5ddad6795721f824690b4a69*", "*MD5=db46c56849bbce9a55a03283efc8c280*", "*MD5=991230087394738976dbd44f92516cae*", "*MD5=3af19d325f9dcdf360276ae5e7c136ea*", "*MD5=98763a3dee3cf03de334f00f95fc071a*", "*MD5=4b194021d6bd6650cbd1aed9370b2329*", "*MD5=517d484bdbad4637188ec7a908335b86*", "*MD5=2ddd3c0e23bc0fd63702910c597298b4*", 
"*MD5=120b5bbb9d2eb35ff4f62d79507ea63a*", "*MD5=6bada94085b6709694f8327c211d12e1*", "*MD5=5c5f1c2dc6c2479bafec7c010c41c6ec*", "*MD5=ab81264493c218a0e875a0d50104ac9f*", "*MD5=ea2ff60fcce3b9ffe0bd77658b88512d*", "*MD5=76d1d4d285f74059f32b8ad19a146d0c*", "*MD5=b9cf3294c13cdea624ab95ca3e2e483f*", "*MD5=0cd0fe9d16b62415b116686a2f414f8c*", "*MD5=2503c4cf31588f0b011eb992ca3ee7ff*", "*MD5=f0470f82ba58bc4309f83a0f2aefa4d5*", "*MD5=db72def618cbc3c5f9aa82f091b54250*", "*MD5=2ff629de3667fcd606a0693951f1c1a9*", "*MD5=119f0656ab4bb872f79ee5d421e2b9f9*", "*MD5=55a7c51dc2aa959c41e391db8f6b8b4f*", "*MD5=009876ab9cf3a3d4e3fc3afe13ae839e*", "*MD5=f8a13d4413a93dd005fad116cbd6b6f7*", "*MD5=5093f38d597532d59d4df9018056f0d1*", "*MD5=00f887e74faad40e6e97d9d0e9c71370*", "*MD5=0215d0681979987fe908fb19dab83399*", "*MD5=7962d91b1f53ce55c7338788bd4eb378*", "*MD5=1bca427ab8e67a9db833eb8f0ff92196*", "*MD5=a730b97ab977aa444fa261902822a905*", "*MD5=a453083b8f4ca7cb60cac327e97edbe2*", "*MD5=afc2448b4080f695e76e059a96958cab*", "*MD5=4f963d716a60737e5b59299f00daf285*", "*MD5=ee59b64ae296a87bf7a6aee38ad09617*", "*MD5=1c9d2a993e99054050b596d88b307d95*", "*MD5=5cd0ec261c8c2a39d9105fbbcad4e5b9*", "*MD5=4c6d311e0b13c4f469f717db4ab4d0e7*", "*MD5=84fb76ee319073e77fb364bbbbff5461*", "*MD5=d660fc7255646d5014d45c3bca9c6e20*", "*MD5=ecccbf1e7c727f923c9d709707800e6c*", "*MD5=94ccef76fda12ab0b8270f9b2980552b*", "*MD5=f853abe0dc162601e66e4a346faed854*", "*MD5=154fd286c96665946d55a7d49923ad7e*", "*MD5=a5afd20e34bcd634ebd25b3ab2ff3403*", "*MD5=c9c7113f5e15f70fcc576e835c859d56*", "*MD5=ad22a7b010de6f9c6f39c350a471a440*", "*MD5=7a6a6d6921cd1a4e1d61f9672a4560d6*", "*MD5=9af5ae780b6a9ea485fa15f28ddb20a7*", "*MD5=1f15a513abc039533ca996552ba27e51*", "*MD5=d1bac75205c389d6d5d6418f0457c29b*", "*MD5=36527fdb70ed6f74b70a98129f82ad62*", "*MD5=3d5164e85d740bce0391e2b81d49d308*", "*MD5=30550db8f400b1e11593dffd644abb67*", "*MD5=b17fb1ad5e880467cf7e61b1ee8e3448*", "*MD5=6f5d54ab483659ac78672440422ae3f1*", 
"*MD5=f042e8318cf20957c2339d96690c3186*", "*MD5=5158f786afa19945d19bee9179065e4d*", "*MD5=328a2cb2da464b0c2beb898ff9ae9f3a*", "*MD5=e7273e17ac85dc4272c4c4400091a19e*", "*MD5=d74d202646e5a6d0d2c4207e1f949826*", "*MD5=9ce1b0e5cfa8223cec3be1c7616e9f63*", "*MD5=55cd6b46ac25bbe01245f2270a0d6cb8*", "*MD5=b8b6686324f7aa77f570bc019ec214e6*", "*MD5=d104621c93213942b7b43d65b5d8d33e*", "*MD5=8cc5a4045a80a822cbc1e9eadff8e533*", "*MD5=ef18d594c862d6d3704b777fa3445ac2*", "*MD5=b941c8364308990ee4cc6eadf7214e0f*", "*MD5=2ca1044a04cb2f0ce5bd0a5832981e04*", "*MD5=f8fe655b7d63dbdc53b0983a0d143028*", "*MD5=cd9f0fcecf1664facb3671c0130dc8bb*", "*MD5=3e9ee8418f22a8ae0e2bf6ff293988fa*", "*MD5=3bf217f8ef018ca5ea20947bfdfc0a4d*", "*MD5=778b7feea3c750d44745d3bf294bd4ce*", "*MD5=4514a0e8bcab7de4cff55999cdf00cd1*", "*MD5=5228b7a738dc90a06ae4f4a7412cb1e9*", "*MD5=159f89d9870e208abd8b912c3d1d3ae9*", "*MD5=e425c66663c96d5a9f030b0ad4d219a8*", "*MD5=85b756463ab0c000f816260d49923cde*", "*MD5=acd221ff7cf10b6117fd609929cde395*", "*MD5=a87689b1067edacc48fddf90020dee23*", "*MD5=0d123be07e2dfd2b2ade49ad2a905a5b*", "*MD5=3ae11bde32cdbd8637124ada866a5a7e*", "*MD5=cc35379f0421b907004a9099611ee2cd*", "*MD5=23b807c09b9b6ea85ed5c508aab200b7*", "*MD5=26d973d6d9a0d133dfda7d8c1adc04b7*", "*MD5=eba6b88bc7bca21658bda9533f0bbff8*", "*MD5=9eb524c5f92e5b80374b8261292fdeb5*", "*MD5=4a23e0f2c6f926a41b28d574cbc6ac30*", "*MD5=c61876aaca6ce822be18adb9d9bd4260*", "*MD5=aae268c4b593156bdae25af5a2a4af21*", "*MD5=de711decdd763a73098372f752bf5a1c*", "*MD5=1b32c54b95121ab1683c7b83b2db4b96*", "*MD5=9aa7ed7809eec0d8bc6c545a1d18107a*", "*MD5=07493c774aa406478005e8fe52c788b2*", "*MD5=9b9d367cb53df0a2e0850760c840d016*", "*MD5=70c2c29643ee1edd3bbcd2ef1ffc9a73*", "*MD5=766f9ea38918827df59a6aed204d2b09*", "*MD5=f670d1570c75ab1d8e870c1c6e3baba1*", "*MD5=34edf3464c3f5605c1ca3a071f12e28c*", "*MD5=bae1f127c4ff21d8fe45e2bbfc59c180*", "*MD5=31469f1313871690e8dc2e8ee4799b22*", "*MD5=79483cb29a0c428e1362ec8642109eee*", 
"*MD5=c607c37af638fa4eac751976a6afbaa6*", "*MD5=fb7637cfe8562095937f4d6cff420784*", "*MD5=d98d2f80b94f70780b46d1f079a38d93*", "*MD5=35fbc4c04c31c1a40e666be6529c6321*", "*MD5=969f1d19449dc5c2535dd5786093f651*", "*MD5=986f083e5fd01eea4ec3b2575a110a95*", "*MD5=ccf523b951afaa0147f22e2a7aae4976*", "*MD5=978cd6d9666627842340ef774fd9e2ac*", "*MD5=9d8cb58b9a9e177ddd599791a58a654d*", "*MD5=e3fda6120dfa016a76d975fdab7954f6*", "*MD5=e99e86480d4206beb898dda82b71ca44*", "*MD5=a2be99e4904264baa5649c4d4cd13a17*", "*MD5=563b33cfc3c815feff659caaa94edc33*", "*MD5=18b4bbeae6b07d2e21729b8698bbd25a*", "*MD5=f51065667fb127cf6de984daea2f6b24*", "*MD5=35c8fdf881909fa28c92b1c2741ac60b*", "*MD5=477e02a8e31cde2e76a8fb020df095c2*", "*MD5=6b6dfb6d952a2e36efd4a387fdb94637*", "*MD5=f7d963c14a691a022301afa31de9ecef*", "*MD5=9638f265b1ddd5da6ecdf5c0619dcbe6*", "*MD5=2e48c3b8042fdcef0ed435562407bd21*", "*MD5=ada5f19423f91795c0372ff39d745acf*", "*MD5=702d5606cf2199e0edea6f0e0d27cd10*", "*MD5=0809f48fd30845d983d569b847fa83cf*", "*MD5=743c403d20a89db5ed84c874768b7119*", "*MD5=ed6348707f177629739df73b97ba1b6e*", "*MD5=f33c3f08536f988aac84d72d83b139a6*", "*MD5=34686a4b10f239d781772e9e94486c1a*", "*MD5=d77fb9fb256b0c2ec0258c39b80dc513*", "*MD5=b2e4e588ce7b993cc31c18a0721d904d*", "*MD5=eda6e97b453388bb51ce84b8a11d9d13*", "*MD5=d90cdd8f2826e5ea3faf8e258f20dc40*", "*MD5=736c4b85ce346ddf3b49b1e3abb4e72a*", "*MD5=b5ada7fd226d20ec6634fc24768f9e22*", "*MD5=843e39865b29bb3df825bd273f195a98*", "*MD5=7671bbf15b7a8c8f59a0c42a1765136a*", "*MD5=6c5e50ef2069896f408cdaaddd307893*", "*MD5=67b5b8607234bf63ce1e6a52b4a05f87*", "*MD5=24589081b827989b52d954dcd88035d0*", "*MD5=8fcf90cb5f9cb7205c075c662720f762*", "*MD5=812e960977116bf6d6c1ccf8b5dd351f*", "*MD5=a4fda97f452b8f8705695a729f5969f7*", "*MD5=6f7125540e5e90957ba5f8d755a8d570*", "*MD5=5a1ee9e6a177f305765f09b0ae6ac1c5*", "*MD5=4b42a7a6327827a8dbdecf367832c0cd*", "*MD5=663f2fb92608073824ee3106886120f3*", "*MD5=d6c4baecff632d6ad63c45fc39e04b2f*", 
"*MD5=4ae55080ec8aed49343e40d08370195c*", "*MD5=21be10f66bb65c1d406407faa0b9ba95*", "*MD5=e9ccb6bac8715918a2ac35d8f0b4e1e6*", "*MD5=a223f8584bcb978c003dd451b1439f8d*", "*MD5=f30db62d02a69c36ccb01ac9d41dc085*", "*MD5=d396332f9d7b71c10b3b83da030690f0*", "*MD5=715ac0756234a203cb7ce8524b6ddc0d*", "*MD5=b94ffce20e36b2930eb3ac72f72c00d6*", "*MD5=efb4ed2040b9b3d408aab8dc15df5a06*", "*MD5=8f1255efd2ed0d3b03a02c6b236c06d6*", "*MD5=530feb1e37831302f58b7c219be6b844*", "*MD5=2e219df70fccb79351f0452cba86623e*", "*MD5=99c131567c10c25589e741e69a8f8aa3*", "*MD5=6fb3d42a4f07d8115d59eb2ea6504de5*", "*MD5=839cbbc86453960e9eb6db814b776a40*", "*MD5=3c1f92a1386fa6cf1ba51bae5e9a98dd*", "*MD5=46edb648c1b5c3abd76bd5e912dac026*", "*MD5=bd067efb8cafd971142bc964b4f85df1*", "*MD5=3db2afc15e7cc78bd11f4c726060db5c*", "*MD5=01f092be2a36a5574005e25368426ad2*", "*MD5=65c069af3875494ec686afbb0c3da399*", "*MD5=ce65b7adcf954eb36df62ea3d4a628c7*", "*MD5=ae5eb2759305402821aeddc52ba9a6d6*", "*MD5=048549f7e9978aff602a24dea98ee48a*", "*MD5=da8437200af5f3f790e301b9958993d2*", "*MD5=590875a0b2eeb171403fc7d0f5110cb2*", "*MD5=bc71da7c055e3172226090ba5d8e2248*", "*MD5=d76b56b79b1c95e8dcd7ee88cb0d25ab*", "*MD5=14eead4d42728e9340ec8399a225c124*", "*MD5=1b2e3b7f2966f2f6e6a1bb89f97228e5*", "*MD5=5e9d5c59ba1f1060f53909c129df3355*", "*MD5=0ac31915ec9a6b7d4d4bba8fe6d60ff7*", "*MD5=6909b5e86e00b4033fedfca1775b0e33*", "*MD5=2b4e66fac6503494a2c6f32bb6ab3826*", "*MD5=a125390293d50091b643cfa096c2148c*", "*MD5=79bfbeb4e8cfdd0cb1d73612360bd811*", "*MD5=389823db299b350f2ee830d47376eeac*", "*MD5=a17c403c4b74d4fa920c3887066daeb2*", "*MD5=1793e1d4247b29313325d1462dec81e2*", "*MD5=c31610f4c383204a1fc105c54b7403c9*", "*MD5=0ec31f45e2e698a83131b4443f9a6dd7*", "*MD5=4885e1bf1971c8fa9e7686fd5199f500*", "*MD5=f83c61adbb154d46dd8f77923aa7e9c3*", "*MD5=5cc5c26fc99175997d84fe95c61ab2c2*", "*MD5=49832b4f726cdff825257bee33ad8451*", "*MD5=1493d342e7a36553c56b2adea150949e*", "*MD5=df9953fa93e1793456a8d428ba7e5700*", 
"*MD5=40bc58b7615d00eb55ad9ba700c340c1*", "*MD5=ba2c0fa201c74621cddd8638497b3c70*", "*MD5=3c9f9c1b802f66cf03cbe82dec2bd454*", "*MD5=7d84a4ed0fcca3d098881a3f3283724b*", "*MD5=0e14b69dcf67c20343f85f9fdb5b9300*", "*MD5=17b97fbe2e8834d7ad30211635e1b271*", "*MD5=7fbd3b4488a12eab56c54e7bb91516f3*", "*MD5=9007c94c9d91ccff8d7f5d4cdddcc403*", "*MD5=260eef181a9bf2849bfec54c1736613b*", "*MD5=dbde0572d702d0a05c0d509d5624a4d7*", "*MD5=5c5973d2caf86e96311f6399513ab8df*", "*MD5=0703c1e07186cb98837a2ae76f50d42e*", "*MD5=5970e8de1b337ca665114511b9d10806*", "*MD5=2580fb4131353ec417b0df59811f705c*", "*MD5=fa63a634189bd4d6570964e2161426b0*", "*MD5=ee57cbe6ec6a703678eaa6c59542ff57*", "*MD5=e140cb81bd27434fc4fd9080b7551922*", "*MD5=49fe3d1f3d5c2e50a0df0f6e8436d778*", "*MD5=a3af4a4fa6cba27284f8289436c2f074*", "*MD5=192519661fe6d132f233d0355c3f4a6d*", "*MD5=394e290aff9d4e78e504cedfb2d99350*", "*MD5=2e7d824a49d731da9fc96262a29c85ce*", "*MD5=f7cbbb5eb263ec9a35a1042f52e82ca4*", "*MD5=2d8e4f38b36c334d0a32a7324832501d*", "*MD5=443689645455987cb347154b391f734d*", "*MD5=9258e3cb20e24a93d4afdee9f5a0299c*", "*MD5=0067c788e1cb174f008c325ebde56c22*", "*MD5=79f7e6f98a5d3ab6601622be4471027f*", "*MD5=1c31d4e9ad2d2b5600ae9d0c0969fe59*", "*MD5=2f1ebc14bd8a29b89896737ca4076002*", "*MD5=43830326cd5fae66f5508e27cbec39a0*", "*MD5=df5f8e118a97d1b38833fcdf7127ab29*", "*MD5=8de7dcade65a1f51605a076c1d2b3456*", "*MD5=fadf9c1365981066c39489397840f848*", "*MD5=2c957aa79231fad8e221e035db6d0d81*", "*MD5=fd81af62964f5dd5eb4a828543a33dcf*", "*MD5=045ef7a39288ba1f4b8d6eca43def44f*", "*MD5=90f8c1b76f786814d03ef4c51d4abb6d*", "*MD5=17719a7f571d4cd08223f0b30f71b8b8*", "*MD5=bdd8dc8880dfbc19d729ca51071de288*", "*MD5=d79b8b7bed8d30387c22663b24e8c191*", "*MD5=57cd52ed992b634e74d2ddf9853a73b3*", "*MD5=1c294146fc77565030603878fd0106f9*", "*MD5=b7946feaeae34d51f045c4f986fa62ce*", "*MD5=86fd54c56dcafe2de918c36f8dfda67e*", "*MD5=adc1e141b57505fd011bc1efb1ae6967*", "*MD5=6822566b28be75b2a76446a57064369f*", 
"*MD5=d9ce18960c23f38706ae9c6584d9ac90*", "*MD5=935a7df222f19ac532e831e6bf9e8e45*", "*MD5=664ad9cf500916c94fc2c0020660ac4e*", "*MD5=356bda2bf0f6899a2c08b2da3ec69f13*", "*MD5=dacb62578b3ea191ea37486d15f4f83c*", "*MD5=89c7bd12495e29413038224cb61db02e*", "*MD5=f60a9b88c6ff07d4990d8653d0025683*", "*MD5=710b290a00598fbb1bcc49b30174b2c9*", "*MD5=5c9f240e0b83df758993837d18859cbe*", "*MD5=cb0c5d3639fcd810cde94b7b990aa51c*", "*MD5=4d17b32be70ef39eae5d5edeb5e89877*", "*MD5=0d4306983e694c1f34920bae12d887e6*", "*MD5=2751c7fd7f09479fa2b15168695adebc*", "*MD5=84ba7af6ada1b3ea5efb9871a0613fc6*", "*MD5=0a653d9d0594b152ca835d0b2593269f*", "*MD5=02198692732722681f246c1b33f7a9d9*", "*MD5=9d884ecd3b6c3f2509851ea15ffefbef*", "*MD5=3473faea65fba5d4fbe54c0898a3c044*", "*MD5=013719e840e955c2e4cd9d18c94a2625*", "*MD5=5e71c0814287763d529822d0a022e693*", "*MD5=9f94028cbcf6789103cb5bb6fcef355d*", "*MD5=0d8daf471d871deb90225d2953c0eb95*", "*MD5=ad612a7eb913b5f7d25703cd44953c35*", "*MD5=fe3fb6719e86481a3514ab9e00a55bcf*", "*MD5=3e87e3346441539d3a90278a120766df*", "*MD5=fa173832dca1b1faeba095e5c82a1559*", "*MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5*", "*MD5=803a371a78d528a44ef8777f67443b16*", "*MD5=257483d5d8b268d0d679956c7acdf02d*", "*MD5=02fc655279b8ea3ef37237c488b675cc*", "*MD5=94999245e9580c6228b22ac44c66044c*", "*MD5=88aada8325a3659736b3a7201c825664*", "*MD5=92927c47d6ff139c9b19674c9d0088f6*", "*MD5=05bf59560656c8a9a3191812b0e1235b*", "*MD5=c098f8aeb67eeb2262dbf681690a9306*", "*MD5=eb61616a7bc58e3f5b8cf855d04808c3*", "*MD5=e3aaa0c1c3a5e99eb9970ebe4b5a3183*", "*MD5=5efbbfcc6adac121c8e2fe76641ed329*", "*MD5=4eb4069c230a5dc40cd5d60d2cb3e0d0*", "*MD5=e0528f756bbb2ab83c60f9fd6f541e42*", "*MD5=eb4de413782193e824773723d790cfc4*", "*MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a*", "*MD5=97580157f65612f765f39af594b86697*", "*MD5=21e72a43aedefcd70ca8999cc353b51b*", "*MD5=d6b259b2dfe80bdf4d026063accd752c*", "*MD5=ca7b41ce335051bf9dd7fa4a55581296*", "*MD5=084a13f18856d610d44d3109a9d2acde*", 
"*MD5=a5f637d61719d37a5b4868c385e363c0*", "*MD5=1392b92179b07b672720763d9b1028a5*", "*MD5=1a5a95d6bedbe29e5acf5eb6a727c634*", "*MD5=a71020c6d6d42c5000e9993425247e06*", "*MD5=a9f220b1507a3c9a327a99995ff99c82*", "*MD5=7c40ec9ed020cc9404de8fe3a5361a09*", "*MD5=fe937e1ed4c8f1d4eac12b065093ae63*", "*MD5=4ca0dba9e224473d664c25e411f5a3bd*", "*MD5=2a8662e91a51d8e04a94fa580c7d3828*", "*MD5=942c6a8332d5dd06d8f4b2a9cb386ff4*", "*MD5=0283b43c6bc965175a1c92b255d39556*", "*MD5=2d91d45cd09dfc3f8e89da1c261fd1ac*", "*MD5=187ddca26d119573223cf0a32ba55a61*", "*MD5=1549e6cbce408acaddeb4d24796f2eaf*", "*MD5=6beb1d8146f5a4aaa2f7b8c0c9bced30*", "*MD5=6cce5bb9c8c2a8293df2d3b1897941a2*", "*MD5=e0fb44aba5e7798f2dc637c6d1f6ca84*", "*MD5=de1cc5c266140bff9d964fab87a29421*", "*MD5=66e0db8a5b0425459d0430547ecbb3db*", "*MD5=03ca3b1cff154ab8855043abadd07956*", "*MD5=2a5fb925125af951bd76c00579d61666*", "*MD5=a2c5f994e9b4a74b2f5b51c7a44c4401*", "*MD5=5c55fcfe39336de769bfa258ab4c901d*", "*MD5=aa12c1cb47c443c6108bfe7fc1a34d98*", "*MD5=8407ddfab85ae664e507c30314090385*", "*MD5=be54aabf09c3fa4671b6efacafa389e3*", "*MD5=296bde4d0ed32c6069eb90c502187d0d*", "*MD5=1d768959aaa194d60e4524ce47708377*", "*MD5=dca1c62c793f84bb2d8e41ca50efbff1*", "*MD5=2a5ccd95292f03f0dd4899d18b55b428*", "*MD5=1f950cfd5ed8dd9de3de004f5416fe20*", "*MD5=35493772986f610753be29121cd68234*", "*MD5=6212832f13b296ddbc85b24e22edb5ec*", "*MD5=9b157f1261a8a42e4ef5ec23dd4cda9e*", "*MD5=b89b097b8b8aecb8341d05136f334ebb*", "*MD5=8942e9fa2459b1e179a6535ca16a2fb4*", "*MD5=64efbffaa153b0d53dc1bccda4279299*", "*MD5=70dcd07d38017b43f710061f37cb4a91*", "*MD5=537e2c3020b1d48b125da593e66508ec*", "*MD5=05b4463677e2566414ad53434ad9e7e5*", "*MD5=7be3a7a743f2013c3e90355219626c2c*", "*MD5=7f258c0161e9edca8e7f85ac0dd68e46*", "*MD5=81df475ab8d37343f0ad2a55b1397a8f*", "*MD5=f0aeb731d83f7ab6008c92c97faf6233*", "*MD5=507a649eb585d8d0447eab0532ef0c73*", "*MD5=5c5e3c7ca39d9472099ea81c329b7d75*", "*MD5=a31246180e61140ad7ff9dd7edf1f6a1*", 
"*MD5=9226339848e359f5e4cd519bef7dcd39*", "*MD5=f544f9925cab71786e57241c10e08633*", "*MD5=88d2143ae62878dada3aa0a6d8f7cea8*", "*MD5=c06dda757b92e79540551efd00b99d4b*", "*MD5=41ce6b172542a9a227e34a45881e1d2a*", "*MD5=9bcb97a1697a70f59405786759af63b8*", "*MD5=17c7bcae7ebabb95af2f7c91b19c361c*", "*MD5=aaa8999a169e39fb8b48ae49cd6ac30a*", "*MD5=9a5a35112c4f8016abcc6363b44d3385*", "*MD5=6b2df08bacf640cc2ac6f20c76af07ee*", "*MD5=ab4656d1ec4d4cc83c76f639a5340e84*", "*MD5=697f698b59f32f66cd8166e43a5c49c7*", "*MD5=4e90cd77509738d30d3181a4d0880bfa*", "*MD5=e3bdb307b32b13b8f7e621e8d5cc8cd3*", "*MD5=16472fca75ab4b5647c99de608949cde*", "*MD5=24fe18891c173a7c76426d08d2b0630e*", "*MD5=2faa725dd9bb22b2100e3010f8a72182*", "*MD5=251e1ce4e8e9b9418830ed3dc8edd5e3*", "*MD5=1f3522c5db7b9dcdd7729148f105018e*", "*MD5=d5a642329cce4df94b8dc1ba9660ae34*", "*MD5=b2600502a5b962b8cdfac2ead24b17b4*", "*MD5=c9cb486b4f652c9cfb8411803f8ed5f0*", "*MD5=73c98438ac64a68e88b7b0afd11ba140*", "*MD5=ab7b28b532beba6a6c0217bc406b80ee*", "*MD5=75dbd5db9892d7451d0429bec1aabe1a*", "*MD5=d4a10447fdaff7a001715191c1f914b6*", "*MD5=31eca8c0b32135850d5a50aee11fec87*", "*MD5=2cc65e805757cfc4f87889cdceb546cd*", "*MD5=96b463b6fa426ae42c414177af550ba2*", "*MD5=ef5ba21690c2f4ba7e62bf022b2df1f7*", "*MD5=f406c5536bcf9bacbeb7ce8a3c383bfa*", "*MD5=1ed043249c21ab201edccb37f1d40af9*", "*MD5=86635fdc8e28957e6c01fc483fe7b020*", "*MD5=520c18f50d3cb2ce162767c4c1998b86*", "*MD5=569676d3d45b0964ac6dd0815be8ff8c*", "*MD5=3f39f013168428c8e505a7b9e6cba8a2*", "*MD5=68726474c69b738eac3a62e06b33addc*", "*MD5=c04a5cdcb446dc708d9302be4e91e46d*", "*MD5=a179c4093d05a3e1ee73f6ff07f994aa*", "*MD5=1a22a85489a94db6ff68cd624ef43bad*", "*MD5=4ad30223df1361726ff64417f8515272*", "*MD5=4cee9945f9a3e8f2433f5aa8c58671fb*", "*MD5=f56f30ac68c35dd4680054cdfd8f3f00*", "*MD5=31a331a88c6280555859455518a95c35*", "*MD5=650f6531db6fb0ed25d7fc70be35a4da*", "*MD5=82854a57630059d1ce2870159dc2f86b*", "*MD5=d556cb79967e92b5cc69686d16c1d846*", 
"*MD5=5b1e1a9dade81f1e80fdc0a2d3f9006e*", "*MD5=d9e7e5bcc5b01915dbcef7762a7fc329*", "*MD5=a60c9173563b940203cf4ad38ccf2082*", "*MD5=95a95e28cf5ee4ece6ffbaf169358192*", "*MD5=397580c24c544d477688fcfca9c9b542*", "*MD5=c5d1f8ed329ebb86ddd01e414a6a1718*", "*MD5=ab4ee84e09b09012ac86d3a875af9d43*", "*MD5=c9a293762319d73c8ee84bcaaf81b7b3*", "*MD5=a641e3dccba765a10718c9cb0da7879e*", "*MD5=dd39a86852b498b891672ffbcd071c03*", "*MD5=715f8efab1d1c660e4188055c4b28eed*", "*MD5=c046ca4da48db1524ddf3a49a8d02b65*", "*MD5=f5e6ef0dcbb3d4a608e9e0bba4d80d0a*", "*MD5=bf581e9eb91bace0b02a2c5a54bf1419*", "*MD5=d6c2e061b21c32c585aca5f38335c21c*", "*MD5=7aa34cd9ea5649c24a814e292b270b6f*", "*MD5=5eabc87416f59e894adfde065d0405fa*", "*MD5=7ffdd78d63ca7307a96843cfe806799e*", "*MD5=bbbc9a6cc488cfb0f6c6934b193891eb*", "*MD5=113056ec5c679b6f74c9556339ebf962*", "*MD5=f7745b42882dec947f6629ab9b7c39b7*", "*MD5=4b60ef388071e0baf299496e3d6590ae*", "*MD5=c006d1844f20b91d0ea52bf32d611f30*", "*MD5=a0074303fe697a36d9397c0122e04973*", "*MD5=ff7b31fa6e9ab923bce8af31d1be5bb2*", "*MD5=2e887e52e45bba3c47ccd0e75fc5266f*", "*MD5=7eeb4c0cb786a409b94066986addf315*", "*MD5=e28ce623e3e5fa1d2fe16c721efad4c2*", "*MD5=0eb3dfeffb49d32310d96f3aa3e8ca61*", "*MD5=a15235fcec1c9b65d736661d4bec0d38*", "*MD5=0ad87bba19f0b71ccb2d32239abd49ec*", "*MD5=1c9001dcd34b4db414f0c54242fedf49*", "*MD5=490b1f404c4f31f4538b36736c990136*", "*MD5=1dc94a6a82697c62a04e461d7a94d0b0*", "*MD5=555446a3ca8d9237403471d4744e39f4*", "*MD5=100fe0bc0c183d16e1f08d1a2ad624a8*", "*MD5=37086ae5244442ba552803984a11d6cb*", "*MD5=5d4df0bac74e9ac62af6bc99440b050b*", "*MD5=94cdf2cf363be5a8749670bea4db65cd*", "*MD5=3a48f0e4297947663fbb11702aa1d728*", "*MD5=98583b2f2efe12d2a167217a3838c498*", "*MD5=7437d4070b5c018e05354c179f1d5e2a*", "*MD5=7d46d0ddaf8c7e1776a70c220bf47524*", "*MD5=3c4154866f3d483fdc9f4f64ef868888*", "*MD5=91203acddac81511d17a68a030d063a8*", "*MD5=7d87a9c54e49943bf18574c6f02788ee*", "*MD5=8d63e1a9ff4cafee1af179c0c544365c*", 
"*MD5=34069a15ae3aa0e879cd0d81708e4bcc*", "*MD5=e4788e5b3e5f0a0bbb318a9c426c2812*", "*MD5=1c591efa8660d4d36a75db9b82474174*", "*MD5=e9e786bdba458b8b4f9e93d034f73d00*", "*MD5=d5db81974ffda566fa821400419f59be*", "*MD5=a926b64be7c27ccb96e687a3924de298*", "*MD5=1c4acf27317a2b5eaedff3ce6094794d*", "*MD5=cd1c8a66e885b7a8b464094395566a46*", "*MD5=edfa69e9132a56778d6363cd41843893*", "*MD5=1ed08a6264c5c92099d6d1dae5e8f530*", "*MD5=f690bfc0799e51a626ba3931960c3173*", "*MD5=7c983b4e66c4697ad3ce7efc9166b505*", "*MD5=4a06bcd96ef0b90a1753a805b4235f28*", "*MD5=c28b4a60ebd4b8c12861829cc13aa6ff*", "*MD5=e700a820f117f65e813b216fccbf78c9*", "*MD5=515c75d77c64909690c18c08ef3fc310*", "*MD5=7056549baa6da18910151b08121e2c94*", "*MD5=61b068b10abfa0776f3b96a208d75bf9*", "*MD5=c901887f28bbb55a10eb934755b47227*", "*MD5=0761c357aed5f591142edaefdf0c89c8*", "*MD5=f141db170bb4c6e088f30ddc58404ad3*", "*MD5=6d97ee5b3300d0f7fa359f2712834c40*", "*MD5=53f103e490bc11624ef6a51a6d3bdc05*", "*MD5=3482acba11c71e45026747dbe366a7d9*", "*MD5=7475bfea6ea1cd54029208ed59b96c6b*", "*MD5=d011d5fecdc94754bf02014cb229d6bc*", "*MD5=42f7cc4be348c3efd98b0f1233cf2d69*", "*MD5=45c2d133d41d2732f3653ed615a745c8*", "*MD5=71fffc05cff351a6f26f78441cfebe26*", "*MD5=da6f7407c4656a2dbaf16a407aff1a38*", "*MD5=5dd25029499cd5656927e9c559955b07*", "*MD5=a82c01606dc27d05d9d3bfb6bb807e32*", "*MD5=8a973be665923e9708974e72228f9805*", "*MD5=312e31851e0fc2072dbf9a128557d6ef*", "*MD5=4ff880566f22919ed94ffae215d39da5*", "*MD5=fcc5de75c1837b631ed77ea4638704b9*", "*MD5=279f3b94c2b9ab5911515bc3e0ecf175*", "*MD5=61d6b1c71ad94f8485e966bebc36d092*", "*MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85*", "*MD5=4a829b8cf1f8fdb69e1d58ae04e6106e*", "*MD5=e4d4a22cbf94e6b0a92fc36d46741f56*", "*MD5=e4a0bba88605d4c07b58a2cc3fac0fe9*", "*MD5=272446de15c63095940a3dad0b426f21*", "*MD5=f160ecce1500a5a5877c123584e86b17*", "*MD5=0a2ec9e3e236698185978a5fc76e74e6*", "*MD5=21ca6a013a75fcf6f930d4b08803973a*", "*MD5=e432956d19714c65723f9c407ffea0c5*", 
"*MD5=4e4b9bdcc6b8d97828ae1972d750a08d*", "*MD5=67e3b720cee8184c714585a85f8058a0*", "*MD5=03c9d5f24fd65ad57de2d8a2c7960a70*", "*MD5=f65e545771fd922693f0ec68b2141012*", "*MD5=7a16fca3d56c6038c692ec75b2bfee15*", "*MD5=5adebdb94abb4c76dad2b7ecb1384a9d*", "*MD5=003dc41d148ec3286dc7df404ba3f2aa*", "*MD5=0490f5961e0980792f5cb5aedf081dd7*", "*MD5=d3e40644a91327da2b1a7241606fe559*", "*MD5=49938383844ceec33dba794fb751c9a5*", "*MD5=f7393fb917aed182e4cbef25ce8af950*", "*MD5=549e5148be5e7be17f9d416d8a0e333e*", "*MD5=9a237fa07ce3ed06ea924a9bed4a6b99*", "*MD5=96fb2101f85fa81871256107bdd25169*", "*MD5=aa9adcf64008e13d7e68b56fdd307ead*", "*MD5=62eed4173c566a248531fb6f20a5900d*", "*MD5=87982977500b93330df08bf372435641*", "*MD5=9e0af1fe4d6dd2ca4721810ed1c930d6*", "*MD5=9b5533c4af38759d167d5399e83b475f*", "*MD5=bd5d4d07ae09e9f418d6b4ac6d9f2ed5*", "*MD5=22ca5fe8fb0e5e22e6fb0848108c03f4*", "*MD5=7b43dfd84de5e81162ebcfafb764b769*", "*MD5=ccb09eb78e047c931708149992c2e435*", "*MD5=8c1d181480796d7d3366a9381fd7782d*", "*MD5=b5192270857c1f17f7290acbaadf097d*", "*MD5=fe71c99a5830f94d77a8792741d6e6c7*", "*MD5=238769fd8379ec476c1114bd2bd28ca6*", "*MD5=cf7aeedd674417b648fc334d179c94ae*", "*MD5=52b7cd123f6d1b9ed76b08f2ee7d9433*", "*MD5=8d14b013fc2b555e404b1c3301150c34*", "*MD5=2e492f14a1087374368562d01cd609aa*", "*MD5=65e6718a547495c692e090d7887d247b*", "*MD5=51e7b58f6e9b776568ffbd4dd9972a60*", "*MD5=84c4d8ae023ca9bb60694fa467141247*", "*MD5=69ac6165912cb263a656497cc70155e6*", "*MD5=30efb7d485fc9c28fe82a97deac29626*", "*MD5=f4b2580cf0477493908b7ed81e4482f8*", "*MD5=fc6dadb97bd3b7a61d06f20d0d2e1bac*", "*MD5=595363661db3e50acc4de05b0215cc6f*", "*MD5=cec257dcac9e708cefb17f8984dd0a70*", "*MD5=0e51d96a3b878b396708535f49a6d7cb*", "*MD5=f34489c0f0d0a16b4db8a17281b57eba*", "*MD5=80b4041695810f98e1c71ff0cf420b6d*", "*MD5=7978d858168fadd05c17779da5f4695a*", "*MD5=557fd33ee99db6fe263cfcb82b7866b3*", "*MD5=7b9e1e5e8ff4f18f84108bb9f7b5d108*", "*MD5=9b91a44a488e4d539f2e55476b216024*", 
"*MD5=3b23808de1403961205352e94b8f2f9b*", "*MD5=13bd61916343d94ebefc9a7911d7bf88*", "*MD5=936729b8dc2282037bc1504c2680e3ad*", "*MD5=9f70cd5edcc4efc48ae21e04fb03be9d*", "*MD5=75e50ae2e0f783e0caf912f45e15248a*", "*MD5=444f538daa9f7b340cfd43974ed43690*", "*MD5=8b47c5580b130dd3f580af09323bc949*", "*MD5=daf11013cf4c879a54ed6a86a05bee3c*", "*MD5=eff3a9cc3e99ef3ddae57df72807f0c7*", "*MD5=9982da703f13140997e137b1e745a2e3*", "*MD5=f778489c7105a63e9e789a02412aaa5f*", "*MD5=723381977ce7df57ec623db52b84f426*", "*MD5=1db988eb9ac5f99756c33b91830a9cf6*", "*MD5=c02f70960fa934b8defa16a03d7f6556*", "*MD5=5e35c049bc8076406910da36edf9212d*", "*MD5=241a095631570a9cef4f126c87605c60*", "*MD5=bbe4f5f8b0c0f32f384a83ae31f49a00*", "*MD5=b418293e25632c5f377bf034bb450e57*", "*MD5=4f191abc652d8f7442ca2636725e1ed6*", "*MD5=34e55ccceec34a8567c8b95d662ba886*", "*MD5=4f5ca81806098204c4dea0927a8fec66*", "*MD5=8b287636041792f640f92e77e560725e*", "*MD5=56a515173b211832e20fbc64e5a0447c*", "*MD5=2315a8919cfb167e718d8c788ed3ceca*", "*MD5=2d465b4487dc81effaa84f122b71c24f*", "*MD5=29ccff428e5eb70ae429c3da8968e1ec*", "*MD5=28d6b138adc174a86c0f6248d8a88275*", "*MD5=9beecfb3146f19400880da61476ef940*", "*MD5=d5556c54c474cf0bff25804bfbe788d3*", "*MD5=f7a09ac4a91a6390f8d00bf09f53ae37*", "*MD5=0d6fef14f8e1ce5753424bd22c46b1ce*", "*MD5=06897b431c07886454e0681723dd53e6*", "*MD5=c533d6d64b474ffc3169a0e0fc0a701a*", "*MD5=c52dce2bee8ec88748411e470ff531f6*", "*MD5=71858fa117e6f3309606d5cdb57e6e09*", "*MD5=259381daae0357fbfefe1d92188c496a*", "*MD5=ceac1347acae9ad9496d4b0593256522*", "*MD5=4124de3cb72f5dfd7288389862b03f2a*", "*MD5=edbf206c27c3aa7d1890899dffcc03ec*", "*MD5=a5ff71e189b462d2b1f0e9e8c4668d79*", "*MD5=c49a1956a6a25ffc25ad97d6762b0989*", "*MD5=c475c7d0f2d934f150b6c32c01479134*", "*MD5=eb7f6d01c97783013115ad1a2833401a*", "*MD5=e98f4cc2cbf9ec23fd84da30c0625884*", "*MD5=bf74d0706f5ab9c34067192260f4efb0*", "*MD5=0752f113d983030939b4ab98b0812cf0*", "*MD5=7c22b7686c75a2bb7409b3c392cc791a*", 
"*MD5=07efb8259b42975d502a058db8a3fd21*", "*MD5=def0da6c95d14f7020e533028224250e*", "*MD5=d4a9f80ecb448da510e5bf82c4a699ee*", "*MD5=c5e7e8ca0d76a13a568901b6b304c3ba*", "*MD5=59f6320772a2e6b0b3587536be4cc022*", "*MD5=0cd2504a2e0a8ad81d9a3a6a1fad7306*", "*MD5=0ccc4e9396e0be9c4639faec53715831*", "*MD5=c15eb30e806ad5e771b23423fd2040b0*", "*MD5=f3d14fcdb86db8d75416ce173c6061af*", "*MD5=637f2708da54e792c27f1141d5bb09cd*", "*MD5=779af226b7b72ff9d78ce1f03d4a3389*", "*MD5=a17c58c0582ee560c72f60764ed63224*", "*MD5=c2c1b8c00b99e913d992a870ed478a24*", "*MD5=2b6a17ec50d3a21e030ed78f7acbd2af*", "*MD5=76bb1a4332666222a8e3e1339e267179*", "*MD5=0ef05030abd55ba6b02faa2c0970f67f*", "*MD5=56a9e9b5334f8698a0ede27c64140982*", "*MD5=9e0659d443a2b9d1afc75a160f500605*", "*MD5=bc6ff00fb3a14437c94b37ac9a2101d4*", "*MD5=2da209dde8188076a9579bd256dc90d0*", "*MD5=11dc5523bb559f8d2ce637f6a2b70dea*", "*MD5=12908c285b9d68ee1f39186110df0f1e*", "*MD5=73a40e29f61e5d142c8f42b28a351190*", "*MD5=0797bb21d7a0210fedf4f3533ee82494*", "*MD5=6846c2035b4c56b488d2ce2c69a57261*", "*MD5=dbf11f3fad1db3eb08e2ee24b5ebfb95*", "*MD5=41339c852c6e8e4c94323f500c87a79c*", "*MD5=ce57844fb185d0cdd9d3ce9e5b6a891d*", "*MD5=3ab94fba7196e84a97e83b15f7bcb270*", "*MD5=0291ced808eafe406d3d9b56d2fc0c26*", "*MD5=3836e2db9034543f63943cdbb52a691a*", "*MD5=0dff47f3b14fb1c1bad47cc517f0581a*", "*MD5=e8ebba56ea799e1e62748c59e1a4c586*", "*MD5=2c54859a67306e20bfdc8887b537de72*", "*MD5=4e67277648c63b79563360dac22b5492*", "*MD5=26ce59f9fc8639fd7fed53ce3b785015*", "*MD5=2927eac51c46944ab69ba81462fb9045*", "*MD5=1a6e12c2d11e208bdf72a8962120fae7*", "*MD5=daf800da15b33bf1a84ee7afc59f0656*", "*MD5=9cbdb5fb6dc63cb13f10b6333407cbb9*", "*MD5=9650db2ef0a44984845841ab24972ced*", "*MD5=96a8b535b5e14b582ca5679a3e2a5946*", "*MD5=33b3842172f21ba22982bfb6bffbda27*", "*MD5=2391fb461b061d0e5fccb050d4af7941*", "*MD5=8bf290b5eda99fc2697373a87f4e1927*", "*MD5=5fade7137c14a94b323f3b7886fba2a9*", "*MD5=a89ca92145fc330adced0dd005421183*", 
"*MD5=96421b56dbda73e9b965f027a3bda7ba*", "*MD5=d6e9f6c67d9b3d790d592557a7d57c3c*", "*MD5=6fa271b6816affaef640808fc51ac8af*", "*MD5=94d45bb36b13f4e936badb382fc133fe*", "*MD5=e027daa2f81961d09aef88093e107d93*", "*MD5=b1b8e6b85dd03c7f1290b1a071fc79c1*", "*MD5=07fc1e043654fdde56da98d93523635c*", "*MD5=118f3fdba730094d17aa1b259586aef6*", "*MD5=2714c93eb240375a2893ed7f8818004f*", "*MD5=641243746597fbd650e5000d95811ea3*", "*MD5=449bb1c656fa30de7702f17e35b11cd3*", "*MD5=96c850e53caca0469e1c4604e6c1aad1*", "*MD5=12cecc3c14160f32b21279c1a36b8338*", "*MD5=949ef0df929a71d6cc77494dfcb1ddeb*", "*MD5=8065a7659562005127673ac52898675f*", "*MD5=1033f0849180aac4b101a914bc8c53b4*", "*MD5=8f73c1c48ffddfca7d1a98faf83d18ff*", "*MD5=648adec580746afbbf59904c1e150c73*", "*MD5=e84605c8e290de6b92ce81d2f6a175d2*", "*MD5=300d6ac47a146eb8eb159f51bc13f7cf*", "*MD5=392d7180653b0ca77a78bdf15953d865*", "*MD5=f0e21ababe63668fb3fbd02e90cd1fa9*", "*MD5=e0bfbdf3793ea2742c03f5a82cb305a5*", "*MD5=00143c457c8885fd935fc5d5a6ba07a4*", "*MD5=c8d3784a3ab7a04ad34ea0aba32289ca*", "*MD5=9532893c1d358188d66b0d7b0784bb6b*", "*MD5=564d84a799db39b381a582a0b2f738c4*", "*MD5=fd3b7234419fafc9bdd533f48896ed73*", "*MD5=be5f46fd1056f02a7a241e052fa5888f*", "*MD5=2128e6c044ee86f822d952a261af0b48*", "*MD5=4b817d0e7714b9d43db43ae4a22a161e*", "*MD5=eaec88a63db9cf9cee53471263afe6fb*", "*MD5=ecdc79141b7002b246770d01606504f2*", "*MD5=ad866d83b4f0391aecceb4e507011831*", "*MD5=88a6d84f4f1cc188741271ac1999a4e9*", "*MD5=8580165a2803591e007380db9097bbcc*", "*MD5=5c4df33951d20253a98aa7b5e78e571a*", "*MD5=27d21eeff199ed555a29ca0ea4453cfb*", "*MD5=43bfc857406191963f4f3d9f1b76a7bf*", "*MD5=0fbf893691a376b168d8cdf427b89945*", "*MD5=1762105b28eb90d19e9ab3acde16ead6*", "*MD5=b41dcdb2e710dffba2d8ea1defb0f087*", "*MD5=c42caa9cdcc50c01cb2fed985a03fe23*", "*MD5=c516acb873c7f8c24a0431df8287756e*", "*MD5=343ada10d948db29251f2d9c809af204*", "*MD5=790ccca8341919bb8bb49262a21fca0e*", "*MD5=51207adb8dab983332d6b22c29fe8129*", 
"*MD5=f1e054333cc40f79cfa78e5fbf3b54c2*", "*MD5=7c4e513702a0322b0e3bce29dea9e3e9*", "*MD5=8ac6d458abbe4f5280996eb90235377c*", "*MD5=6a1ff4806c1a6e897208f48a1f5b062f*", "*MD5=a4531040276080441974d9e00d8d4cfa*", "*MD5=d1f9ffe5569642c8f8c10ed7ee5d9391*", "*MD5=09b3d078ffa3b4ed0ad2e477a2ee341f*", "*MD5=83601bbe5563d92c1fdb4e960d84dc77*", "*MD5=1414629b1ee93d2652ff49b2eb829940*", "*MD5=84b17daba8715089542641990c1ea3c2*", "*MD5=6ae4dec687ac6d1b635a4e351dddf73e*", "*MD5=9dfd73dadb2f1c7e9c9d2542981aaa63*", "*MD5=1e1a3d43bd598b231207ff3e70f78454*", "*MD5=07f83829e7429e60298440cd1e601a6a*", "*MD5=7c72a7e1d42b0790773efd8700e24952*", "*MD5=f41eea88057d3dd1a56027c4174eed22*", "*MD5=f53fa44c7b591a2be105344790543369*", "*MD5=08e06b839499cb4b752347399db41b57*", "*MD5=c3fea895fe95ea7a57d9f4d7abed5e71*", "*MD5=785045f8b25cd2e937ddc6b09debe01a*", "*MD5=53bb10742e10991af4ad280fcb134151*", "*MD5=76c643ab29d497317085e5db8c799960*", "*MD5=bce7f34912ff59a3926216b206deb09f*", "*MD5=c4f5619ce04d4bee38024d08513c77fd*", "*MD5=2a3ce41bb2a7894d939fbd1b20dae5a0*", "*MD5=86bec99cd121b0386a5acc1c368a9d49*", "*MD5=e076dadf37dd43a6b36aeed957abee9e*", "*MD5=4a85754636c694572ca9f440d254f5ce*", "*MD5=f4b7b84a6828d2f9205b55cf8cfc7742*", "*MD5=8f5b84350bfc4fe3a65d921b4bd0e737*", "*MD5=f9d04e99e4cab90973226a4555bc6d57*", "*MD5=bc5366760098dc14ec00ae36c359f42b*", "*MD5=b79475c4783efdd8122694c6b5669a79*", "*MD5=5f4a232d92480a1bebbe025ef64dc760*", "*MD5=1cff7b947f8c3dea1d34dc791fc78cdc*", "*MD5=69ba501a268f09f694ff0e8e208aa20e*", "*MD5=030c8432981e4d41b191624b3e07afe2*", "*MD5=c56a9ed0192c5a2b39691e54f2132a2f*", "*SHA1=38a863bcd37c9c56d53274753d5b0e614ba6c8bb*", "*SHA1=87d2b638e5dfab1e37961d27ca734b83ece02804*", "*SHA1=1a56614ea7d335c844b7fc6edd5feb59b8df7b55*", "*SHA1=f02af84393e9627ba808d4159841854a6601cf80*", "*SHA1=75649b228a22ce1e2a306844e0d48f714fb03f28*", "*SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6*", "*SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001*", 
"*SHA1=388068adc9ec46a0bbc8173bcb0d5f9cf8af6ea5*", "*SHA1=fce3a95b222c810c56e7ed5a3d7fb059eb693682*", "*SHA1=f4728f490d741b04b611164a7d997e34458e3a5e*", "*SHA1=4d516b1c9b7a81de2836ab24ba6b880c11807255*", "*SHA1=bda26e533ef971d501095950010081b772920afc*", "*SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b*", "*SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0*", "*SHA1=b82c034e41d463f4e68b0a7d334f2d7611049bcb*", "*SHA1=8795df6494b724d9f279f007db33c24c27a91d08*", "*SHA1=b8d19cd28788ce4570623a5433b091a5fbd4c26d*", "*SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4*", "*SHA1=72f16e6a18ba87248dd72f52445c916ad2e4edc2*", "*SHA1=c0568bcdf57db1fa43cdee5a2a12b768a0064622*", "*SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad*", "*SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f*", "*SHA1=0edf51a0fac3b90f6961c2b20bbaeb4ccfc1ea84*", "*SHA1=6102b73489e1d319c0db7b84cb2c426c5f680120*", "*SHA1=c16d7b2fbe69a28ccbcf87348903277f22805bf3*", "*SHA1=c21510569fd84a5fe04508aa28e3cf9c8cc45b7a*", "*SHA1=2207cdee7deaba1492ae2349392864f19eb4dfaf*", "*SHA1=2f86a4828ba86034f0c043db3e3db33aa2cf5da5*", "*SHA1=569f4605c65c2a217b28aefeb8570f9ea663e4b7*", "*SHA1=cd828ee0725f6185861fd0a9d3bd78f1d96e55bf*", "*SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b*", "*SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124*", "*SHA1=7877bd7da617ec92a5c47f0da1f0abcf6484d905*", "*SHA1=3adea4a3a91504dc2e3c5e9247c6427cd5c73bab*", "*SHA1=55015f64783ddd148674a74d8137bcd6ccd6231d*", "*SHA1=f8d7369527cc6976283cc73cd761f93bd1cec49d*", "*SHA1=8fb149fc476cf5bf18dc575334edad7caf210996*", "*SHA1=091df975fa983e4ad44435ca092dbf84911f28a5*", "*SHA1=928d26cce64ad458e1f602cc2aea848e0b04eaaf*", "*SHA1=a7baff6666fc2d259c22f986b8a153c7b1d1d8be*", "*SHA1=90d73db752eac6ffc53555281fc5aa92297285ec*", "*SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1*", "*SHA1=a0bf00e4ef2b1a79ccf2361c6b303688641ed94c*", "*SHA1=4a2bb97d395634b67194856d79a1ee5209aa06a7*", "*SHA1=e0ee5ea6693c26f21b143ef9b133f53efe443b1e*", "*SHA1=c70989ed7a6ad9d7cd40ae970e90f3c3f2f84860*", 
"*SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f*", "*SHA1=c05df2e56e05b97e3ca8c6a61865cae722ed3066*", "*SHA1=dbf6e72c08824fe49c29b7660c9965c37d983e93*", "*SHA1=bed323603a33fa8b2fc7568149345184690f0390*", "*SHA1=2365a66c1eddfcf8385d9ff38ba8bd5f6f2e4fc2*", "*SHA1=59b0b8e3478f3d21213a8afda84181c4ed0a79a7*", "*SHA1=297fdf58e60d54bcddf2694c21ceb9da9ec17915*", "*SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b*", "*SHA1=adf9328e60c714ff0b98083bcf2f4ee2d58b960b*", "*SHA1=78834ff75e2ff8b7456e85114802e58bc9fda457*", "*SHA1=0a5ef5b72e621a639860c03f1cac499567082f39*", "*SHA1=aadaec4c31d661c249e4cf455ec752fffa3e5cfc*", "*SHA1=492a47426b04f00c0d5b711ad8c872aad3aa3a1d*", "*SHA1=064847af77afca8a879a9bf34cb87b64b5e69165*", "*SHA1=468cc011807704c04892ed209cf81d7896a12a0c*", "*SHA1=1013d5a0fd6074a8c40dbf3a88e3e06fbf3bcf41*", "*SHA1=fc62b746e0e726537bf848b48212f46db585af6d*", "*SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f*", "*SHA1=eceb51233f013e04406da11482324d45e70281c7*", "*SHA1=ff9887cfd695916a06319b3a96f7ab2e6343a20e*", "*SHA1=67e87ca093da64a23cf0fc0be2b35e03d1bf1543*", "*SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82*", "*SHA1=62244c704b0f227444d3a515ea0dc1003418a028*", "*SHA1=4d6e532830058fadd861ff9eac16de8cfc6974ce*", "*SHA1=ebced350ea447df8e10ebb080e3a3e5b32aca348*", "*SHA1=6de3d5c2e33d91eef975a30bc07b0e53a68e77b8*", "*SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86*", "*SHA1=0be77bb3720283c9a970a97dab25d2a312e86110*", "*SHA1=213ba055863d4226da26a759e8a254062ea77814*", "*SHA1=9099482b26e9ba8e1d303418afc9111a3bffd6b3*", "*SHA1=623cd2abef6c92255f79cbbd3309cb59176771da*", "*SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8*", "*SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e*", "*SHA1=461882bd59887617cadc1c7b2b22d0a45458c070*", "*SHA1=f6d826d73bf819dbc9a058f2b55c88d6d4b634e3*", "*SHA1=8278db134d3b505c735306393fdf104d014fb3bf*", "*SHA1=22c909898f5babe37cc421b4f5ed0522196f8127*", "*SHA1=e8311ba74bc6b35b1171b81056d0148913b1d61c*", "*SHA1=3eea0f5fb180c6f865fc83ac75ef3ad5b1376775*", 
"*SHA1=8e2511ae90643584ceb0d98f0f780cd6b7290604*", "*SHA1=8a922499f7a1b978555b46c30f90de1339760c74*", "*SHA1=2540205480ea3d59e4031de3c6632e3ce2596459*", "*SHA1=8edcd4b35f5ae88d14e83252390659c6fc79eae3*", "*SHA1=aaffdc89befa42e375f822366bbded8c245baf94*", "*SHA1=1d9fd846e12104ae31fd6f6040b93fc689abf047*", "*SHA1=3d3b42d7b0af68da01019274e341b03d7c54f752*", "*SHA1=88811e1a542f33431b9f8b74cb8bf27209b27f17*", "*SHA1=67b45c1e204d44824cd7858455e1acedbd7ffbb3*", "*SHA1=fff7ee0febb8c93539220ca49d4206616e15c666*", "*SHA1=205c69f078a563f54f4c0da2d02a25e284370251*", "*SHA1=d302ae7f016299af323a3542d840004888ab91ff*", "*SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370*", "*SHA1=228b1ff5cd519faa15d9c2f8cfefd7e683bc3f2b*", "*SHA1=63cf021c8662fa23ce3e4075a4f849431e473058*", "*SHA1=ca4d2bd6022f71e1a48b08728c0ac83c68e91281*", "*SHA1=d43b2ac1221f2eaf2c170788280255cfef3edd72*", "*SHA1=db3ce886a47027c09bb668c7049362ab86c82ceb*", "*SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1*", "*SHA1=745bad097052134548fe159f158c04be5616afc2*", "*SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978*", "*SHA1=0e47bd9b67500a67ce18c24328d6d0db8ae2c493*", "*SHA1=ef95f500b60c49f40ed6ce3014ffdb294b301e95*", "*SHA1=2ee7b3f6bcc9e95a9ae60bcb9bbc483b0400077d*", "*SHA1=b3f5185d7824ea2c2d931c292f4d8f77903a4d2a*", "*SHA1=029c678674f482ababe8bbfdb93152392457109d*", "*SHA1=aadebbcbde0e7edd35e29d98871289a75e744aad*", "*SHA1=a88546fb61a2fa7dab978a9cb678469e8f0ed475*", "*SHA1=90abd7670c84c47e6ffc45c67d676db8c12b1939*", "*SHA1=4fe873544c34243826489997a5ff14ed39dd090d*", "*SHA1=d06d119579156b1ec732c50f0f64358762eb631a*", "*SHA1=27eab595ec403580236e04101172247c4f5d5426*", "*SHA1=d1670bd08cfd376fc2b70c6193f3099078f1d72f*", "*SHA1=7ee675f0106e36d9159c5507b96c3237fb9348cd*", "*SHA1=fde6ab389a6e0a9b2ef1713df9d43cca5f1f3da8*", "*SHA1=d61acd857242185a56e101642d15b9b5f0558c26*", "*SHA1=9d44260558807daff61a0cc0c6a8719c3adacd2d*", "*SHA1=3f17ff83dc8a5f875fb1b3a5d3b9fcbe407a99f0*", "*SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c*", 
"*SHA1=a951953e3c1bb08653ed7b0daec38be7b0169c27*", "*SHA1=35f803d483af51762bee3ec130de6a03362ce920*", "*SHA1=ed3f11383a47710fa840e13a7a9286227fa1474c*", "*SHA1=004d9353f334e42c79a12c3a31785a96f330bbef*", "*SHA1=0b77242d4e920f2fcb2b506502cfe3985381defc*", "*SHA1=8146ed4a9c9a2f7e7aeae0a0539610c3c1cd3563*", "*SHA1=2261198385d62d2117f50f631652eded0ecc71db*", "*SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e*", "*SHA1=ef0504dd90eb451f51d2c4f987fb7833c91c755b*", "*SHA1=34b2986f1ff5146f7145433f1ef5dfe6210131d0*", "*SHA1=472cc191937349a712aabcbc4d118c1c982ab7c9*", "*SHA1=7c43d43d95232e37aa09c5e2bcd3a7699d6b7479*", "*SHA1=de2c073c8b4db6ffd11a99784d307f880444e5d3*", "*SHA1=e88259de797573fa515603ad3354aed0bce572f1*", "*SHA1=f70eb454c0e9ea67a18c625faf7a666665801035*", "*SHA1=4a2e034d2702aba6bca5d9405ba533ed1274ff0c*", "*SHA1=8788f4b39cbf037270904bdb8118c8b037ee6562*", "*SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2*", "*SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451*", "*SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1*", "*SHA1=5b866f522bcdf80e6a9fda71b385f917317f6551*", "*SHA1=4a7d66874a0472a47087fabaa033a85d47413379*", "*SHA1=517504aaf8afc9748d6aec657d46a6f7bbc60c09*", "*SHA1=f0d6b0bcd5f47b41d3c3192e244314d99d1df409*", "*SHA1=3f43412c563889a5f5350f415f7040a71cc25221*", "*SHA1=8031ecbff95f299b53113ccd105582defad38d7b*", "*SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e*", "*SHA1=55c64235d223baeb8577a2445fdaa6bedcde23db*", "*SHA1=12154f58b68902a40a7165035d37974128deb902*", "*SHA1=fa60a89980aad30db3a358fb1c1536a4d31dff6c*", "*SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63*", "*SHA1=9310239b75394b75a963336fbd154038fc13c4e3*", "*SHA1=7673cebd15488cbbb4ca65209f92faab3f933205*", "*SHA1=3a3342f4ca8cc45c6b86f64b1a7d7659020b429f*", "*SHA1=190c20e130a9156442eebcf913746c69b9485eec*", "*SHA1=3c9c86c0b215ecbab0eeb4479c204dba65258b8e*", "*SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89*", "*SHA1=c00ad2a252b53cf2d0dc74b53d1af987982e1ad1*", "*SHA1=3f223581409492172a1e875f130f3485b90fbe5f*", 
"*SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344*", "*SHA1=7cd4aea9c1f82111bf7f9d4934be95e9bb6f8ae0*", "*SHA1=d32408c3b79b1f007331d2a3c78b1a7e96f37f79*", "*SHA1=a6a71fb4f91080aff2a3a42811b4bd86fb22168d*", "*SHA1=a0c7c913d7b5724a46581b6e00dd72c26c37794d*", "*SHA1=6f8b0e1c7d7bd7beed853e0d51ca03f143e5b703*", "*SHA1=91ee32b464f6385fc8c44b867ca3dec665cbe886*", "*SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd*", "*SHA1=75dd52e28c40cd22e38ae2a74b52eb0cddfcb2c4*", "*SHA1=14bf0eaa90e012169745b3e30c281a327751e316*", "*SHA1=f9cced7ccdc1f149ad8ad13a264c4425aee89b8e*", "*SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417*", "*SHA1=e4e40032376279e29487afc18527804dce792883*", "*SHA1=bebf97411946749b9050989d9c40352dbe8269ea*", "*SHA1=cfcecf6207d16aeb0af29aac8a4a2f104483018e*", "*SHA1=b21cba198d721737aabd882ada6c91295a5975ed*", "*SHA1=8f540936f2484d020e270e41529624407b7e107e*", "*SHA1=32888d789edc91095da2e0a5d6c564c2aebcee68*", "*SHA1=10fc6933deb7de9813e07d864ce03334a4f489d9*", "*SHA1=09d3ff3c57f5154735e676f2c0a10b5e51336bb3*", "*SHA1=d022f5e3c1bba43871af254a16ab0e378ea66184*", "*SHA1=6c445ceb38d5b1212ce2e7498888dd9562a57875*", "*SHA1=cf9b4d606467108e4b845ecb8ede2f5865bd6c33*", "*SHA1=c4ce0bb8a939c4f4cff955d9b3cdd9eb52746cc9*", "*SHA1=8325e8d7fd2edc126dcf1089dee8da64e79fb12e*", "*SHA1=2bb68b195f66f53f90f17b364928929d5b2883b5*", "*SHA1=d3a6f86245212e1ef9e0e906818027ec14a239cb*", "*SHA1=5672e2212c3b427c1aef83fcd725b587a3d3f979*", "*SHA1=7cee31d3aaee8771c872626feedeeb5d09db008c*", "*SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2*", "*SHA1=4f0d9122f57f4f8df41f3c3950359eb1284b9ab5*", "*SHA1=59c4960851af9240dded4173c4f823727af19512*", "*SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d*", "*SHA1=9393698058ce1187eb87e8c148cfe4804761142d*", "*SHA1=ed219d966a6e74275895cc0b975b79397760ea9f*", "*SHA1=4dba2ac32ed58ead57dd36b18d1cb30cc1c7b9aa*", "*SHA1=d2be76e79741454b4611675b58446e10fc3d0c6c*", "*SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f*", "*SHA1=6b54b8f7edca5fb25a8ef1a1d31e14b9738db579*", 
"*SHA1=52d9bbe41eea0b60507c469f7810d80343c03c2b*", "*SHA1=f7330a6a4d9df2f35ab93a28c8ee1eb14a74be6e*", "*SHA1=589a7d4df869395601ba7538a65afae8c4616385*", "*SHA1=61d44c9a1ef992bc29502f725d1672d551b9bc3f*", "*SHA1=da689e8e0e3fc4c7114b44d185eef4c768e15946*", "*SHA1=170a50139f95ad1ec94d51fdd94c1966dbed0e47*", "*SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d*", "*SHA1=bfff0073c936b9a7e2ad6848deb6f9bf03205488*", "*SHA1=1586f121d38cc42e5d04fe2f56091e91c6cdd8fa*", "*SHA1=96ec8c16f6a54b48e9a7f0d0416a529f4bf9ac11*", "*SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436*", "*SHA1=4d4535c111c7b568cb8a3bece27a97d738512a6b*", "*SHA1=258f1cdc79bd20c2e6630a0865abfe60473b98d5*", "*SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8*", "*SHA1=2c2fc258871499b206963c0f933583cedcdf9ea2*", "*SHA1=6a2912c8e2aa4373852585bc1134b83c637bc9fd*", "*SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f*", "*SHA1=1951ae94c6ee63fa801208771b5784f021c70c60*", "*SHA1=8b53284fb23d34ca144544b19f8fba63700830d8*", "*SHA1=6bfeac43be3ebd8d95a5eba963e18d97d76d2b05*", "*SHA1=2ae1456bb0fa5a016954b03967878fb6db4d81eb*", "*SHA1=63f9ee1e7aefd961cf36eeffd455977f1b940f6c*", "*SHA1=ac13941f436139b909d105ad55637e1308f49d9a*", "*SHA1=baa94f0f816d7a41a63e7f1aa9dd3d64a9450ed0*", "*SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65*", "*SHA1=bff4c3696d81002c56f473a8ab353ef0e45854c0*", "*SHA1=64df813dc0774ef57d21141dcb38d08059fd8660*", "*SHA1=bdfb1a2b08d823009c912808425b357d22480ecc*", "*SHA1=470633a3a1e1b1f13c3f6c5192ce881efd206d7c*", "*SHA1=65f6a4a23846277914d90ba6c12742eecf1be22d*", "*SHA1=ed40c1f7da98634869b415530e250f4a665a8c48*", "*SHA1=1ab702c495cb7832d4cc1ff896277fa56ed8f30d*", "*SHA1=684786de4b3b3f53816eae9df5f943a22c89601f*", "*SHA1=b3b523504af5228c49060ec8dea9f8adce05e117*", "*SHA1=108575d8f0b98fed29514a54052f7bf5a8cb3ff0*", "*SHA1=8fafd70bae94bbc22786c9328ee9126fed54dbae*", "*SHA1=d3b23a0b70d6d279abd8db109f08a8b0721ce327*", "*SHA1=190ec384e6eb1dafca80df05055ead620b2502ba*", "*SHA1=6b25acbcb41a593aca6314885572fc22d16582a2*", 
"*SHA1=341225961c15a969c62de38b4ec1938f65fda178*", "*SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326*", "*SHA1=5812387783d61c6ab5702213bb968590a18065e3*", "*SHA1=e700fcfae0582275dbaee740f4f44b081703d20d*", "*SHA1=a2167b723dfb24bf8565cbe2de0ecce77307fb9e*", "*SHA1=7cf7644e38746c9be4537b395285888d5572ae1b*", "*SHA1=3b8ddf860861cc4040dea2d2d09f80582547d105*", "*SHA1=1a17cc64e47d3db7085a4dc365049a2d4552dc8a*", "*SHA1=9b3f57693f0f69d3729762d59a10439e738b9031*", "*SHA1=63bb17160115f16b3fca1f028b13033af4e468c6*", "*SHA1=631fdd1ef2d6f2d98e36f8fc7adbf90fbfb0a1e8*", "*SHA1=06ec56736c2fc070066079bb628c17b089b58f6c*", "*SHA1=d1ba4c95697a25ec265a3908acbff269e29e760c*", "*SHA1=e40182c106f6f09fd79494686329b95477d6beb5*", "*SHA1=c74f6293be68533995e4b95469e6dddedd1c3905*", "*SHA1=ec457a53ea03287cbbd1edcd5f27835a518ef144*", "*SHA1=1a01f3bdbfae4f8111674068a001aaf3363f21ea*", "*SHA1=ce1d0ebaeaa4fe3ecb49242f1e80bc7a4e43fd8c*", "*SHA1=f77413ec3bd9ed3f31fc53a4c755dc4123e0068f*", "*SHA1=17614fdee3b89272e99758983b99111cbb1b312c*", "*SHA1=8b63eb0f5dbb844ee5f6682f0badef872ae569bf*", "*SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60*", "*SHA1=c8674fe95460a37819e06d9df304254931033ca7*", "*SHA1=273634ac170d1a6abd32e0db597376a6f62eb59e*", "*SHA1=dd4cd182192b43d4105786ba87f55a036ec45ef2*", "*SHA1=f9eb4c942a89b4ba39d2bdbfd23716937ccb9925*", "*SHA1=94144619920bd086028bb5647b1649a35438028c*", "*SHA1=2871a631f36cd1ea2fd268036087d28070ef2c52*", "*SHA1=57cf65b024d9e2831729def42db2362d7c90dcfa*", "*SHA1=d3daa971580b9f94002f7257de44fcef13bb1673*", "*SHA1=8ac5703e67c3e6e0585cb8dbb86d196c5362f9bb*", "*SHA1=756fd2b82bf92538786b1bd283c6ef2f9794761e*", "*SHA1=c775ca665ed4858acc3f7e75e025cbbda1f8c687*", "*SHA1=a8be6203c5a87ecc3ae1c452b7b6dbdf3a9f82ae*", "*SHA1=085c0ea6980cb93a3afa076764b7866467ac987c*", "*SHA1=09f117d83f2f206ee37f1eb19eea576a0ac9bdcc*", "*SHA1=c41ff2067634a1cce6b8ec657cdfd87e7f6974e3*", "*SHA1=ddec18909571a9d5992f93636628756b7aa9b9a2*", "*SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2*", 
"*SHA1=06ec62c590ca0f1f2575300c151c84640d2523c0*", "*SHA1=f95b59cab63408343ecbdb0e71db34e83f75b503*", "*SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a*", "*SHA1=9360774a37906e3b3c9fab39721cb9400dd31c46*", "*SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131*", "*SHA1=dc393d30453daa1f853f47797e48c142ac77a37b*", "*SHA1=b70321d078f2e9c9826303bdc87ba9b7be290807*", "*SHA1=4cd5bf02edf6883a08dfed7702267612e21ed56e*", "*SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1*", "*SHA1=296757d5663290f172e99e60b9059f989cba4c4e*", "*SHA1=0caf4e86b14aaab7e10815389fcd635988bc6637*", "*SHA1=449ff4f5ce2fdddac05a6c82e45a7e802b1c1305*", "*SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce*", "*SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab*", "*SHA1=4818d7517054d5cba38b679bdf7f8495fd152729*", "*SHA1=47df454cb030c1f4f7002d46b1308a32b03148e7*", "*SHA1=28fa0e9429af24197134306b6c7189263e939136*", "*SHA1=186b6523e8e2fa121d6d3b8cb106e9a5b918af4f*", "*SHA1=9dbd255ee29be0e552f7f5f30d6ffb97e6cd0b0d*", "*SHA1=76a756cc61653abcadd63db4a74c48d92607a861*", "*SHA1=15df139494d2c40a645fb010908551185c27f3c5*", "*SHA1=64879accdb4dbbaac55d91185c82f2b193f0c869*", "*SHA1=55777e18eb95b6c9c3e6df903f0ac36056fa83da*", "*SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5*", "*SHA1=135b261eb03e830c57b1729e3a4653f9c27c7522*", "*SHA1=deaf7d0c934cc428981ffa5bf528ca920bc692dc*", "*SHA1=309a799f1a00868ab05cdbb851b3297db34d9b0d*", "*SHA1=d5beca70469e0dcb099ba35979155e7c91876fd2*", "*SHA1=376d59d0b19905ebb9b89913a5bdfacde1bd5a1e*", "*SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2*", "*SHA1=dfd801b6c2715f5525f8ffb38e3396a5ad9b831d*", "*SHA1=92befb8b3d17bd3f510d09d464ec0131f8a43b8f*", "*SHA1=b671677079bf7c660579bee08b8875a48ff61896*", "*SHA1=0d6fb0cb9566b4e4ca4586f26fe0631ffa847f2c*", "*SHA1=bca4bbe4388ebeb834688e97fac281c09b0f3ac1*", "*SHA1=0b3836d5d98bc8862a380aae19caa3e77a2d93ef*", "*SHA1=b394f84e093cb144568e18aaf5b857dff77091fa*", "*SHA1=7329bb4a7ca98556fa6b05bd4f9b236186e845d1*", "*SHA1=0307d76750dd98d707c699aee3b626643afb6936*", 
"*SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a*", "*SHA1=2740cd167a9ccb81c8e8719ce0d2ae31babc631c*", "*SHA1=77a011b5d5d5aaf421a543fcee22cb7979807c60*", "*SHA1=a197a02025946aca96d6e74746f84774df31249e*", "*SHA1=82ba5513c33e056c3f54152c8555abf555f3e745*", "*SHA1=c71597c89bd8e937886e3390bc8ac4f17cdeae7c*", "*SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2*", "*SHA1=e71caa502d0fe3a7383ce26285a6022e63acda97*", "*SHA1=446130c61555e5c9224197963d32e108cd899ea0*", "*SHA1=218e4bbdd5ce810c48b938307d01501c442b75f4*", "*SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de*", "*SHA1=0cb14c1049c0e81c8655ab7ee7d698c11758ea06*", "*SHA1=f3c20ce4282587c920e9ff5da2150fac7858172e*", "*SHA1=dd49a71f158c879fb8d607cc558b507c7c8bc5b9*", "*SHA1=7d34bb240cb5dec51ffcc7bf062c8d613819ac30*", "*SHA1=0b01c4c1f18d72eb622be2553114f32edfe7b7aa*", "*SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b*", "*SHA1=4186ac693003f92fdf1efbd27fb8f6473a7cc53e*", "*SHA1=01b95ae502aa09aabc69a0482fcc8198f7765950*", "*SHA1=4c18754dca481f107f0923fb8ef5e149d128525d*", "*SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda*", "*SHA1=c614ab686e844c7a7d2b20bc7061ab15290e2cfd*", "*SHA1=2cf75df00c69d907cfe683cb25077015d05be65d*", "*SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6*", "*SHA1=a528cdeed550844ca7d31c9e231a700b4185d0da*", "*SHA1=8ec28d7da81cf202f03761842738d740c0bb2fed*", "*SHA1=e606282505af817698206672db632332e8c3d3ff*", "*SHA1=47830d6d3ee2d2a643abf46a72738d77f14114bc*", "*SHA1=57ea07ab767f11c81c6468b1f8a3d5f4618b800b*", "*SHA1=34b0f1b2038a1572ee6381022a24333357b033c4*", "*SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697*", "*SHA1=a14d96b65d3968181d57b57ee60c533cb621b707*", "*SHA1=cd248648eafca6ef77c1b76237a6482f449f13be*", "*SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08*", "*SHA1=64ff172bafc33f14ca5f2e35f9753d41e239a5e4*", "*SHA1=74bf2ec32cb881424a79e99709071870148d242d*", "*SHA1=943593e880b4d340f2548548e6e673ef6f61eed3*", "*SHA1=3c81cdfd99d91c7c9de7921607be12233ed0dfd8*", "*SHA1=c1a5aacf05c00080e04d692a99c46ab445bf8b6e*", 
"*SHA1=1768fb2b4796f624fa52b95dfdfbfb922ac21019*", "*SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d*", "*SHA1=6df6d5b30d04b9adb9d2c99de18ed108b011d52b*", "*SHA1=8589a284f1a087ad5b548fb1a933289781b4cedc*", "*SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c*", "*SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0*", "*SHA1=f5bafebfbfb67a022452870289ac7849e9ee1f61*", "*SHA1=5965ca5462cd9f24c67a1a1c4ef277fab8ea81d3*", "*SHA1=804013a12f2f6ba2e55c4542cbdc50ca01761905*", "*SHA1=30c6e1da8745c3d53df696af407ef095a8398273*", "*SHA1=2fed7eddd63f10ed4649d9425b94f86140f91385*", "*SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d*", "*SHA1=5ce273aa80ed3b0394e593a999059096682736ae*", "*SHA1=36397c6879978223ba52acd97da99e8067ab7f05*", "*SHA1=8a23735d9a143ad526bf73c6553e36e8a8d2e561*", "*SHA1=2f991435a6f58e25c103a657d24ed892b99690b8*", "*SHA1=f2ce790bf47b01a7e1ef5291d8fa341d5f66883a*", "*SHA1=f52c2d897fa00910d5566503dd5a297970f13dc6*", "*SHA1=256d285347acd715ed8920e41e5ec928ae9201a8*", "*SHA1=58fe23f1bb9d4bcc1b07b102222a7d776cc90f6c*", "*SHA1=55d84fd3e5db4bdbd3fb6c56a84b6b8a320c7c58*", "*SHA1=a71c17bfeefd76a9f89e74a52a2b6fdd3efbabe2*", "*SHA1=83b5e60943a92050fccb8acef7aa464c8f81d38e*", "*SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67*", "*SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5*", "*SHA1=9db1585c0fab6a9feb411c39267ac4ad29171696*", "*SHA1=2eddb10eecef740ec2f9158fa39410ec32262fc3*", "*SHA1=ad60e40a148accec0950d8d13bf7182c2bd5dfef*", "*SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347*", "*SHA1=5a7bcb1864d1e8ecde0b58d21b98518ca4b2f1f2*", "*SHA1=d6de8983dbd9c4c83f514f4edf1ac7be7f68632f*", "*SHA1=07f60b2b0e56cb15aad3ca8a96d9fe3a91491329*", "*SHA1=6b90a6eeef66bb9302665081e30bf9802ca956cc*", "*SHA1=634b1e9d0aafac1ec4373291cefb52c121e8d265*", "*SHA1=af50109b112995f8c82be8ef3a88be404510cdde*", "*SHA1=ec04d8c814f6884c009a7b51c452e73895794e64*", "*SHA1=fdf4a0af89f0c8276ad6d540c75beece380703ab*", "*SHA1=76046978d8e4409e53d8126a8dcfc3bf8602c37f*", "*SHA1=13df48ab4cd412651b2604829ce9b61d39a791bb*", 
"*SHA1=cb25d537f4e2872e5fcbd893da8ce3807137df80*", "*SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256*", "*SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3*", "*SHA1=c1fe7870e202733123715cacae9b02c29494d94d*", "*SHA1=9c256edd10823ca76c0443a330e523027b70522d*", "*SHA1=079627e0f5b1ad1fb3fe64038a09bc6e8b8d289d*", "*SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b*", "*SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb*", "*SHA1=3f338ab65bac9550b8749bb1208edb0f7d7bcb81*", "*SHA1=723fd9dd0957403ed131c72340e1996648f77a48*", "*SHA1=e0d83953a9efef81ba0fa9de1e3446b6f0a23cc6*", "*SHA1=1d5d2c5853619c25518ba0c55fd7477050e708fb*", "*SHA1=838823f25436cadc9a145ddac076dce3e0b84d96*", "*SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4*", "*SHA1=363068731e87bcee19ad5cb802e14f9248465d31*", "*SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4*", "*SHA1=0d8a832b9383fcdc23e83487b188ddd30963ca82*", "*SHA1=db6170ee2ee0a3292deceb2fc88ef26d938ebf2d*", "*SHA1=a9ea84ee976c66977bb7497aa374bba4f0dd2b27*", "*SHA1=7859e75580570e23a1ef7208b9a76f81738043d5*", "*SHA1=e067024ec42b556fb1e89ca52ef6719aa09cdf89*", "*SHA1=0ed0c4d6c3b6b478cbfd7fb0bd1e1b5457a757cc*", "*SHA1=54a4772212da2025bd8fb2dc913e1c4490e7a0cd*", "*SHA1=68ca9c27131aa35c7f433dc914da74f4b3d8793f*", "*SHA1=468e2e5505a3d924b14fedee4ddf240d09393776*", "*SHA1=cc3e5e45aca5b670035dfb008f0a88cecfd91cf7*", "*SHA1=8d676504c2680cf71c0c91afb18af40ea83b6c22*", "*SHA1=ba5b4eaa7cab012b71a8a973899eeee47a12becc*", "*SHA1=1901467b6f04a93b35d3ca0727c8a14f3ce3ed52*", "*SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c*", "*SHA1=116679c4b2cca6ec69453309d9d85d3793cbe05f*", "*SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e*", "*SHA1=e702221d059b86d49ed11395adffa82ef32a1bce*", "*SHA1=dd085542683898a680311a0d1095ea2dffe865e2*", "*SHA1=69849d68d1857c83b09e1956a46fe879260d2aab*", "*SHA1=a23a0627297a71a4414193e12a8c074e7bbb8a2e*", "*SHA1=91530e1e1fb25a26f3e0d6587200ddbaecb45c74*", "*SHA1=247065af09fc6fd56b07d3f5c26f555a5ccbfda4*", "*SHA1=e840904ce12cc2f94eb1ec16b0b89e2822c24805*", 
"*SHA1=e5bfb18f63fcfb7dc09b0292602112ea7837ef7a*", "*SHA1=dc6e62dbde5869a6adc92253fff6326b6af5c8d4*", "*SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb*", "*SHA1=40dba13a059679401fcaf7d4dbe80db03c9d265c*", "*SHA1=acb5d7e182a108ee02c5cb879fc94e0d6db7dd68*", "*SHA1=543933cce83f2e75d1b6a8abdb41199ddef8406c*", "*SHA1=0f2fdfb249c260c892334e62ab77ac88fcb8b5e4*", "*SHA1=81a319685d0b6112edee4bc25d14d6236f4e12da*", "*SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26*", "*SHA1=488b20ed53c2060c41b9a0cac1efb39a888df7c5*", "*SHA1=e1069365cb580e3525090f2fa28efd4127223588*", "*SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7*", "*SHA1=67dfd415c729705396ce54166bd70faf09ac7f10*", "*SHA1=c8ec23066a50800d42913d5e439700c5cd6a2287*", "*SHA1=07f62d9b6321bed0008e106e9ce4240cb3f76da2*", "*SHA1=a57eefa0c653b49bd60b6f46d7c441a78063b682*", "*SHA1=a4ae87b7802c82dfb6a4d26ab52788410af98532*", "*SHA1=bc949bc040333fdc9140b897b0066ef125343ef6*", "*SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75*", "*SHA1=6bb68e1894bfbc1ac86bcdc048f7fe7743de2f92*", "*SHA1=a54ae1793e9d77e61416e0d9fb81269a4bc8f8a2*", "*SHA1=51b60eaa228458dee605430aae1bc26f3fc62325*", "*SHA1=054a50293c7b4eea064c91ef59cf120d8100f237*", "*SHA1=844d2345bde50bf8ee7e86117cf7b8c6e6f00be4*", "*SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3*", "*SHA1=d0452363b41385f6a6778f970f3744dde4701d8f*", "*SHA1=d72de7e8f0118153dd5cf784f724e725865fc523*", "*SHA1=340ce5d8859f923222bea5917f40c4259cce1bbc*", "*SHA1=e1bf5dd17f84bce3b2891dffa855d81a21914418*", "*SHA1=e4cbb48aa1aff6cf4ea94ef3b7afb6c245ac47e8*", "*SHA1=0e1df95042081fa2408782f14ce483f0db19d5ab*", "*SHA1=d2fb46277c36498e87d0f47415b7980440d40e3d*", "*SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463*", "*SHA1=4a887ae6b773000864f9228800aab75e6ff34240*", "*SHA1=283c7dc5b029dbc41027df16716ec12761a53df8*", "*SHA1=dcdc9b2bc8e79d44846086d0d482cb7c589f09b8*", "*SHA1=ec8c0b2f49756b8784b3523e70cd8821b05b95eb*", "*SHA1=16c6bcef489f190a48e9d3b1f35972db89516479*", "*SHA1=ffabdf33635bdc1ed1714bc8bbfd7b73ef78a37c*", 
"*SHA1=7c625de858710d3673f6cb0cd8d0643d5422c688*", "*SHA1=faa61346430aedc952d820f7b16b973c9bf133c3*", "*SHA1=1e959d6ae22c4d9fa5613c3a9d3b6e1b472be05d*", "*SHA1=f18e669127c041431cde8f2d03b15cfc20696056*", "*SHA1=1de9f25d189faa294468517b15947a523538ce9d*", "*SHA1=d8e8dcc8531b8d07f8dabc9e79c19aac6eeca793*", "*SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a*", "*SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2*", "*SHA1=4786253daac6c60ffc0d2871fdd68023ec93dfb3*", "*SHA1=ea58d72db03df85b04d1412a9b90d88ba68ab43d*", "*SHA1=48a09ca5fdbc214e675083c2259e051b0629457b*", "*SHA1=ea63567ea8d168cb6e9aae705b80a09f927b2f77*", "*SHA1=8347487b32b993da87275e3d44ff3683c8130d33*", "*SHA1=4471935df0e68fe149425703b66f1efca3d82168*", "*SHA1=eaddeefe13bca118369faf95eee85b0a2a553221*", "*SHA1=98600e919b8579d89e232a253d7277355b652750*", "*SHA1=444a2b778e2fc26067c49dde0aff0dcfb85f2b64*", "*SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741*", "*SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0*", "*SHA1=6210dabb908cc750379cc7563beb884b3895e046*", "*SHA1=22c08d67bf687bf7ddd57056e274cbbbdb647561*", "*SHA1=1a8b737dff81aa9e338b1fce0dc96ee7ee467bd5*", "*SHA1=a9b8d7afa2e4685280aebbeb162600cfce4e48c8*", "*SHA1=8800a33a37c640922ce6a2996cd822ed4603b8bb*", "*SHA1=4f94789cffb23c301f93d6913b594748684abf6a*", "*SHA1=511b06898770337609ee065547dbf14ce3de5a95*", "*SHA1=c32e6cddc7731408c747fd47af3d62861719fd7b*", "*SHA1=a93197c8c1897a95c4fb0367d7451019ae9f3054*", "*SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb*", "*SHA1=a59006308c4b5d33bb8f34ac6fb16701814fb8dc*", "*SHA1=3e917f0986802d47c0ffe4d6f5944998987c4160*", "*SHA1=b406920634361f4b7d7c1ec3b11bb40872d85105*", "*SHA1=9ec6f54c74bcc48e355226c26513a7240fd9462d*", "*SHA1=79f1a6f5486523e6d8dcfef696bc949fc767613d*", "*SHA1=dce4322406004fc884d91ed9a88a36daca7ae19a*", "*SHA1=dbe26c67a4cabba16d339a1b256ca008effcf6c8*", "*SHA1=9f5453c36aa03760d935e062ac9e1f548d14e894*", "*SHA1=da361c56c18ea98e1c442aac7c322ff20f64486b*", "*SHA1=14c9cd9e2cf2b0aae56c46ff9ad1c89a8a980050*", 
"*SHA1=21e6c104fe9731c874fab5c9560c929b2857b918*", "*SHA1=ef80da613442047697bec35ea228cde477c09a3d*", "*SHA1=c834c4931b074665d56ccab437dfcc326649d612*", "*SHA1=aa2ea973bb248b18973e57339307cfb8d309f687*", "*SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614*", "*SHA1=977fd907b6a2509019d8ef4f6213039f2523f2b5*", "*SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f*", "*SHA1=a45687965357036df17b8ff380e3a43a8fbb2ca9*", "*SHA1=59aead65b240a163ad47b2d1cf33cdb330608317*", "*SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f*", "*SHA1=ddd36f96f5a509855f55eed9eb4cba9758d6339a*", "*SHA1=a838303cda908530ef124f8d6f7fb69938b613bc*", "*SHA1=84d44e166072bccf1f8e1e9eb51880ffa065a274*", "*SHA1=88d00eff21221f95a0307da229bc9fe1afb6861b*", "*SHA1=9ca90642cff9ca71c7022c0f9dfd87da2b6a0bff*", "*SHA1=a98734cd388f5b4b3caca5ce61cb03b05a8ad570*", "*SHA1=bad84fca57ab0ef0af9230a93e0cc3d149f9ccd0*", "*SHA1=ce5681896e7631b6e83cccb7aa056a33e72a1bbe*", "*SHA1=0634878c3f6048a38ec82869d7c6df2f69f3e210*", "*SHA1=eacfc73f5f45f229867ee8b2eb1f9649b5dd422e*", "*SHA1=dc8fa4648c674e3a7148dd8e8c35f668a3701a52*", "*SHA1=02316decf9e5165b431c599643f6856e86b95e7c*", "*SHA1=cc3186debacb98e0b0fb40ad82816bea10741099*", "*SHA1=87f313fc30ec8759b391e9d6c08f79b02f3ecebd*", "*SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e*", "*SHA1=62fdb0b43c56530a6a0ba434037d131f236d1266*", "*SHA1=5088c71a740ef7c4156dcaa31e543052fe226e1c*", "*SHA1=64d0447cbb0d6a45010b94eb9d5b0b90296edcbf*", "*SHA1=0aecdc0b8208b81b0c37eef3b0eaea8d8ebef42e*", "*SHA1=2fe874274bac6842819c1e9fe9477e6d5240944d*", "*SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd*", "*SHA1=ba0938512d7abab23a72279b914d0ea0fb46e498*", "*SHA1=3d8cc9123be74b31c597b0014c2a72090f0c44ef*", "*SHA1=1f1ce28c10453acbc9d3844b4604c59c0ab0ad46*", "*SHA1=724dde837df2ff92b3ea7026fe8a0c4e5773898f*", "*SHA1=8ab7e9ba3c26bcd5d6d0646c6d2b2693e22aac1c*", "*SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332*", "*SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9*", "*SHA1=bea745b598dd957924d3465ebc04c5b830d5724f*", 
"*SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3*", "*SHA1=99bd8c1f5eeedd9f6a9252df5dbd0e42ef5999a4*", "*SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d*", "*SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8*", "*SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2*", "*SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809*", "*SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299*", "*SHA1=43f53a739eda1e58f470e8e9ff9aa1437e5d9546*", "*SHA1=879e92a7427bdbcc051a18bbb3727ac68154e825*", "*SHA1=be270d94744b62b0d36bef905ef6296165ffcee9*", "*SHA1=108439a4c4508e8dca659905128a4633d8851fd9*", "*SHA1=fe0afc6dd03a9bd7f6e673cc6b4af2266737e3d1*", "*SHA1=343ec3073fc84968e40a145dc9260a403966bcb4*", "*SHA1=0d9c77aca860a43cca87a0c00f69e2ab07ab0b67*", "*SHA1=c60cf6dea446e4a52c6b1cfc2a76e9aadd954dab*", "*SHA1=bd3e1d5aacac6406a7bcea3b471bbfa863efbc3d*", "*SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe*", "*SHA1=53a194e1a30ed9b2d3acd87c2752cfa6645eea76*", "*SHA1=06ecf73790f0277b8e27c8138e2c9ad0fc876438*", "*SHA1=a22c111045b4358f8279190e50851c443534fc24*", "*SHA1=d2c7aa9b424015f970fe7506ae5d1c69a8ac11f6*", "*SHA1=2eeab9786dac3f5f69e642f6e29f4e4819038551*", "*SHA1=8ea50d7d13ff2d1306fed30a2d136dd6245eb3bc*", "*SHA1=490109fa6739f114651f4199196c5121d1c6bdf2*", "*SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef*", "*SHA1=66e95daee3d1244a029d7f3d91915f1f233d1916*", "*SHA1=175fb76c7cd8f0aeb916f4acb3b03f8b2d51846a*", "*SHA1=0536c9f15094ca8ddeef6dec75d93dc35366d8a9*", "*SHA1=65886384708d5a6c86f3c4c16a7e7cdbf68de92a*", "*SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4*", "*SHA1=25d812a5ece19ea375178ef9d60415841087726e*", "*SHA1=24b47ba7179755e3b12a59d55ae6b2c3d2bd1505*", "*SHA1=a547c5b1543a4c3a4f91208d377a2b513088f4a4*", "*SHA1=604870e76e55078dfb8055d49ae8565ed6177f7c*", "*SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc*", "*SHA1=962e2ac84c28ed5e373d4d4ccb434eceee011974*", "*SHA1=94b014123412fbe8709b58ec72594f8053037ae9*", "*SHA1=c969f1f73922fd95db1992a5b552fbc488366a40*", "*SHA1=6dac7a8fa9589caae0db9d6775361d26011c80b2*", 
"*SHA1=cd7b0c6b6ef809e7fb1f68ba36150eceabe500f7*", "*SHA1=1d2ab091d5c0b6e5977f7fa5c4a7bfb8ea302dc7*", "*SHA1=729a8675665c61824f22f06c7b954be4d14b52c4*", "*SHA1=814200191551faec65b21f5f6819b46c8fc227a3*", "*SHA1=59c0fa0d61576d9eb839c9c7e15d57047ee7fe29*", "*SHA1=48be0ec2e8cb90cac2be49ef71e44390a0f648ce*", "*SHA1=0e030cf5e5996f0778452567e144f75936dc278f*", "*SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee*", "*SHA1=6cc28df318a9420b49a252d6e8aaeda0330dc67d*", "*SHA1=59e6effdb23644ca03e60618095dc172a28f846e*", "*SHA1=df177a0c8c1113449f008f8e833105344b419834*", "*SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4*", "*SHA1=c0a8e45e57bb6d82524417d6fb7e955ab95621c0*", "*SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8*", "*SHA1=363b907c3b4f37968e9c8e1b7eeca5a5c5d530f8*", "*SHA1=53f7a84a8cebe0e3f84894c6b9119466d1a8ddaf*", "*SHA1=7ee65bedaf7967c752831c83e26540e65358175e*", "*SHA1=e525f54b762c10703c975132e8fc21b6cd88d39b*", "*SHA1=3a1f19b7a269723e244756dac1fc27c793276fe7*", "*SHA1=d6b61c685cfaa36c85f1672ac95844f8293c70d0*", "*SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946*", "*SHA1=96523f72e4283f9816d3da8f2270690dd1dd263e*", "*SHA1=5db61d00a001fd493591dc919f69b14713889fc5*", "*SHA1=b3c111d7192cfa8824e5c9b7c0660c37978025d6*", "*SHA1=49b1e6a922a8d2cb2101c48155dfc08c17d09341*", "*SHA1=282fca60f0c37eb6d76400bca24567945e43c6d8*", "*SHA1=2a06006e54c62a2e8bdf14313f90f0ab5d2f8de8*", "*SHA1=4692730f6b56eeb0399460c72ade8a15ddd43a62*", "*SHA1=fe10018af723986db50701c8532df5ed98b17c39*", "*SHA1=b34fc245d561905c06a8058753d25244aaecbb61*", "*SHA1=2ade3347df84d6707f39d9b821890440bcfdb5e9*", "*SHA1=5e9538d76b75f87f94ca5409ae3ddc363e8aba7f*", "*SHA1=5a69d921926ef0abf03757edf22c0d8d30c15d4b*", "*SHA1=986c1fdfe7c9731f4de15680a475a72cf2245121*", "*SHA1=42eb220fdfb76c6e0649a3e36acccbdf36e287f1*", "*SHA1=7192e22e0f8343058ec29fb7b8065e09ce389a5b*", "*SHA1=b2b01c728e0e8ef7b2e9040d6db9828bd4a5b48d*", "*SHA1=b99a5396094b6b20cea72fbf0c0083030155f74e*", "*SHA1=628e63caf72c29042e162f5f7570105d2108e3c2*", 
"*SHA1=1fb12c5db2acad8849677e97d7ce860d2bb2329e*", "*SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13*", "*SHA1=46be4e6cd8117ac13531bff30edcf564f39bcc52*", "*SHA1=377f7e7382908690189aede31fcdd532baa186b5*", "*SHA1=5b4619596c89ed17ccbe92fd5c0a823033f2f1e1*", "*SHA1=bda102afbc60f3f3c5bcbd5390ffbbbb89170b9c*", "*SHA1=ca33c88cd74e00ece898dca32a24bdfcacc3f756*", "*SHA1=7d1ff4096a75f9fcc67c7c9c810d99874c096b6b*", "*SHA1=1a83c8b63d675c940aaec10f70c0c7698e9b0165*", "*SHA1=f8e88630dae53e0b54edefdefa36d96c3dcbd776*", "*SHA1=e33eac9d3b9b5c0db3db096332f059bf315a2343*", "*SHA1=5635bb2478929010693bc3b23f8b7fe5fdbc3aed*", "*SHA1=3fd7fda9c7dfdb2a845c39971572bd090bee3b1d*", "*SHA1=3e790c4e893513566916c76a677b0f98bd7334dd*", "*SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939*", "*SHA1=5ca6a52230507b1dffab7acd501540bc10f1ab81*", "*SHA1=820d339fd3dbb632a790d6506ddf6aee925fcffe*", "*SHA1=0ac0c21ca05161eaa6a042f347391a2a2fc78c96*", "*SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe*", "*SHA1=4f077a95908b154ea12faa95de711cb44359c162*", "*SHA1=29a190727140f40cea9514a6420f5a195e36386b*", "*SHA1=dbf3abdc85d6a0801c4af4cd1b77c44d5f57b03e*", "*SHA1=de0c16e3812924212f04e15caa09763ae4770403*", "*SHA1=3b1f1e96fc8a7eb93b14b1213f797f164a313cee*", "*SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d*", "*SHA1=4c021c4a5592c07d4d415ab11b23a70ba419174b*", "*SHA1=9d191bee98f0af4969a26113098e3ea85483ae2d*", "*SHA1=ac31d15851c0af14d60cfce23f00c4b7887d3cb7*", "*SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac*", "*SHA1=5f8ae70b25b664433c6942d5963acadf2042cfe8*", "*SHA1=a37616f0575a683bd81a0f49fadbbc87e1525eba*", "*SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53*", "*SHA1=c22c28a32a5e43a76514faf4fac14d135e0d4ffd*", "*SHA1=7c996d9ef7e47a3b197ff69798333dc29a04cc8a*", "*SHA1=cb0bc86d437ab78c1fbefdaf1af965522ebdd65d*", "*SHA1=4a1a499857accc04b4d586df3f0e0c2b3546e825*", "*SHA1=c3a893680cd33706546a7a3e8fbcc4bd063ce07e*", "*SHA1=df58f9b193c6916aaec7606c0de5eba70c8ec665*", "*SHA1=fc69138b9365fa60e21243369940c8dcfcca5db1*", 
"*SHA1=3fbe337b6ed1a1a63ae8b4240c01bd68ed531674*", "*SHA1=07c244739803f60a75d60347c17edc02d5d10b5d*", "*SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1*", "*SHA1=6e191d72b980c8f08a0f60efa01f0b5bf3b34afb*", "*SHA1=d697a3f4993e7cb15efdeda3b1a798ae25a2d0e9*", "*SHA1=5cfec6aa4842e5bafff23937f5efca71f21cf7ca*", "*SHA1=def86c7dee1f788c717ac1917f1b5bbfada25a95*", "*SHA1=c22dc62e10378191840285814838fe9ed1af55d7*", "*SHA1=58b31fb2b623bd2c5d5c8c49b657a14a674664a4*", "*SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77*", "*SHA1=b62c5bae9c6541620379115a7ba0036ecfa19537*", "*SHA1=585df373a9c56072ab6074afee8f1ec3778d70f8*", "*SHA1=64ab599d34c26f53afe076a84c54db7ba1a53def*", "*SHA1=f130e82524d8f5af403c3b0e0ffa4b64fedeec92*", "*SHA1=bd87aecc0ac1d1c2ab72be1090d39fab657f7cc6*", "*SHA1=5499f1bca93a3613428e8c18ac93a93b9a7249fb*", "*SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181*", "*SHA1=2f9b0cd96d961e49d5d3b416028fd3a0e43d6a28*", "*SHA1=1da0c712ff42bd9112ac6afadb7c4d3ae2f20fb7*", "*SHA1=ef8de780cfe839ecf6dc0dc161ae645bff9b853c*", "*SHA1=feb8e6e7419713a2993c48b9758c039bd322b699*", "*SHA1=d9b05c5ffc5eddf65186ba802bb1ece0249cab05*", "*SHA1=08596732304351b311970ff96b21f451f23b1e25*", "*SHA1=687b8962febbbea4cf6b3c11181fd76acb7dfd5a*", "*SHA1=9d0b824892fbfb0b943911326f95cd0264c60f7d*", "*SHA1=2ed4b51429b0a3303a645effc84022512f829836*", "*SHA1=1a40773dc430d7cb102710812b8c61fc51dfb79b*", "*SHA1=4f7a8e26a97980544be634b26899afbefb0a833c*", "*SHA1=983a8d4b1cb68140740a7680f929d493463e32e3*", "*SHA1=c4b6e2351a72311a6e8f71186b218951a27fb97f*", "*SHA1=6b090c558b877b6abb0d1051610cadbc6335ecbb*", "*SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2*", "*SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705*", "*SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e*", "*SHA1=27aa3f1b4baccd70d95ea75a0a3e54e735728aa2*", "*SHA1=005ac9213a8a4a6c421787a7b25c0bc7b9f3b309*", "*SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162*", "*SHA1=c1777fcb7005b707f8c86b2370f3278a8ccd729f*", "*SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b*", 
"*SHA1=cfa85a19d9a2f7f687b0decdc4a5480b6e30cb8c*", "*SHA1=0e60414750c48676d7aa9c9ec81c0a3b3a4d53d0*", "*SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c*", "*SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb*", "*SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a*", "*SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af*", "*SHA1=19bf65bdd9d77f54f1e8ccf189dc114e752344b0*", "*SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15*", "*SHA1=9f22ebcd2915471e7526f30aa53c24b557a689f5*", "*SHA1=562368c390b0dadf2356b8b3c747357ecef2dfc8*", "*SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d*", "*SHA1=03a56369b8b143049a6ec9f6cc4ef91ac2775863*", "*SHA1=82034032b30bbb78d634d6f52c7d7770a73b1b3c*", "*SHA1=3059bc49e027a79ff61f0147edbc5cd56ad5fc2d*", "*SHA1=af5f642b105d86f82ba6d5e7a55d6404bfb50875*", "*SHA1=f86ae53eb61d3c7c316effe86395a4c0376b06db*", "*SHA1=3fd55927d5997d33f5449e9a355eb5c0452e0de3*", "*SHA1=d942dac4033dcd681161181d50ce3661d1e12b96*", "*SHA1=dd55015f5406f0051853fd7cca3ab0406b5a2d52*", "*SHA1=336ed563ef96c40eece92a4d13de9f9b69991c8a*", "*SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a*", "*SHA1=ada23b709cb2bef8bedd612dc345db2e2fdbfaca*", "*SHA1=bd421ffdcc074ecca954d9b2c2fbce9301e9a36c*", "*SHA1=42f6bfcf558ef6da9254ed263a89abf4e909b5d5*", "*SHA1=9eef72e0c4d5055f6ae5fe49f7f812de29afbf37*", "*SHA1=007b2c7d72a5a89b424095dbb7f67ff2aeddb277*", "*SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35*", "*SHA1=35a817d949b2eab012506bed0a3b4628dd884471*", "*SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c*", "*SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03*", "*SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6*", "*SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260*", "*SHA1=34ec04159d2c653a583a73285e6e2ac3c7b416dd*", "*SHA1=4f30f64b5dfcdc889f4a5e25b039c93dd8551c71*", "*SHA1=13572d36428ef32cfed3af7a8bb011ee756302b0*", "*SHA1=17d28a90ef4d3dbb083371f99943ff938f3b39f6*", "*SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77*", "*SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea*", "*SHA1=c8a4a64b412fd8ef079661db4a4a7cd7394514ca*", 
"*SHA1=24343ec4dfec11796a8800a3059b630e8be89070*", "*SHA1=a55b709cec2288384b12eafa8be4930e7c075ec9*", "*SHA1=5853e44ea0b6b4e9844651aa57d631193c1ed0f0*", "*SHA1=e3266b046d278194ade4d8f677772d0cb4ecfaf1*", "*SHA1=717669a1e2380cb61cc4e34618e118cc9cabbcd0*", "*SHA1=0adc1320421f02f2324e764aa344018758514436*", "*SHA1=7e900b0370a1d3cb8a3ea5394d7d094f95ec5dc0*", "*SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59*", "*SHA1=68b97bfaf61294743ba15ef36357cdb8e963b56e*", "*SHA1=e0d12e44db3f57ee7ea723683a6fd346dacf2e3e*", "*SHA1=31529d0e73f7fbfbe8c28367466c404c0e3e1d5a*", "*SHA1=04967bfd248d30183992c6c9fd2d9e07ae8d68ad*", "*SHA1=4d14d25b540bf8623d09c06107b8ca7bb7625c30*", "*SHA1=01779ee53f999464465ed690d823d160f73f10e7*", "*SHA1=e83fc2331ae1ea792b6cff7e970f607fee7346be*", "*SHA1=c8864c0c66ea45011c1c4e79328a3a1acf7e84a9*", "*SHA1=a92207062fb72e6e173b2ffdb12c76834455f5d3*", "*SHA1=6e58421e37c022410455b1c7b01f1e3c949df1cd*", "*SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b*", "*SHA1=4885cd221fa1ea330b9e4c1702be955d68bd3f6a*", "*SHA1=f7413250e7e8ad83c350092d78f0f75fcca9f474*", "*SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8*", "*SHA1=970af806aa5e9a57d42298ab5ffa6e0d0e46deda*", "*SHA1=fe02ae340dc7fe08e4ad26dab9de418924e21603*", "*SHA1=85941b94524da181be8aad290127aa18fc71895c*", "*SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d*", "*SHA1=9cc694dcb532e94554a2a1ef7c6ced3e2f86ef5a*", "*SHA1=398e8209e5c5fdcb6c287c5f9561e91887caca7d*", "*SHA1=4e56e0b1d12664c05615c69697a2f5c5d893058a*", "*SHA1=ee877b496777763e853dd81fefd0924509bc5be0*", "*SHA1=3f347117d21cd8229dd99fa03d6c92601067c604*", "*SHA1=61f5904e9ff0d7e83ad89f0e7a3741e7f2fbf799*", "*SHA1=7ce978092fadbef44441a5f8dcb434df2464f193*", "*SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748*", "*SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b*", "*SHA1=91d026cd98de124d281fd6a8e7c54ddf6b913804*", "*SHA1=db006fa522142a197686c01116a6cf60e0001ef7*", "*SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57*", "*SHA1=089411e052ea17d66033155f77ae683c50147018*", 
"*SHA1=263181bc8c2c6af06b9a06d994e4b651c3ab1849*", "*SHA1=30e7258a5816a6db19cdda2b2603a8c3276f05c2*", "*SHA1=96047b280e0d6ddde9df1c79ca5f561219a0370d*", "*SHA1=c6bd965300f07012d1b651a9b8776028c45b149a*", "*SHA1=4c6ec22bc10947d089167b19d83a26bdd69f0dd1*", "*SHA1=ccd547ef957189eddb6ee213e5e0136e980186f9*", "*SHA1=8d3be83cf3bb36dbce974654b5330adb38792c2d*", "*SHA1=d0216ebc81618c22d9d51f2f702c739625f40037*", "*SHA1=18f34a0005e82a9a1556ba40b997b0eae554d5fd*", "*SHA1=3784d1b09a515c8824e05e9ea422c935e693080c*", "*SHA1=5c94c8894799f02f19e45fcab44ee33e653a4d17*", "*SHA1=88839168e50a4739dd4193f2d8f93a30cd1f14d8*", "*SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c*", "*SHA1=5742ad3d30bd34c0c26c466ac6475a2b832ad59e*", "*SHA1=d452fc8541ed5e97a6cbc93d08892c82991cdaad*", "*SHA1=eac1b9e1848dc455ed780292f20cd6a0c38a3406*", "*SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c*", "*SHA1=d48757b74eff02255f74614f35aa27abbe3f72c7*", "*SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9*", "*SHA1=08efd5e24b5ebfef63b5e488144dc9fb6524eaf1*", "*SHA1=cb212a826324909fdedd2b572a59a5be877f1d7d*", "*SHA1=b0aede5a66e13469c46acbc3b01ccf038acf222c*", "*SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e*", "*SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430*", "*SHA1=75d0b9bdfa79e5d43ec8b4c0996f559075723de7*", "*SHA1=1bd4ae9a406bf010e34cdd38e823f732972b18e3*", "*SHA1=b74338c91c6effabc02ae0ced180428ab1024c7d*", "*SHA1=6679cb0907ade366cf577d55be07eabc9fb83861*", "*SHA1=6ce0094a9aacdc050ff568935014607b8f23ff00*", "*SHA1=f7b3457a6fd008656e7216b1f09db2ff062f1ca4*", "*SHA1=89656051126c3e97477a9985d363fbdde0bc159e*", "*SHA1=1ecb7b9658eb819a80b8ebdaa2e69f0d84162622*", "*SHA1=aaaf565fa30834aba3f29a97fc58d15e372500b5*", "*SHA1=b49ac8fefc6d1274d84fef44c1e5183cc7accba1*", "*SHA1=9f2b550c58c71d407898594b110a9320d5b15793*", "*SHA1=3f6a997b04d2299ba0e9f505803e8d60d0755f44*", "*SHA1=ec0c3c61a293a90f36db5f8ed91cbf33c2b14a19*", "*SHA1=d73dabcb3f55935b701542fd26875006217ebbbe*", "*SHA1=dda8c7e852fe07d67c110dab163354a2a85f44a5*", 
"*SHA1=643383938d5e0d4fd30d302af3e9293a4798e392*", "*SHA1=9e8a87401dc7cc56b3a628b554ba395b1868520f*", "*SHA1=35b28b15835aa0775b57f460d8a03e53dc1fb30f*", "*SHA1=09c567b8dd7c7f93884c2e6b71a7149fc0a7a1b5*", "*SHA1=9f6883e59fd6c136cfc556b7b388a4c363dc0516*", "*SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312*", "*SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676*", "*SHA1=5abffd08f4939a0dee81a5d95cf1c02e2e14218c*", "*SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410*", "*SHA1=5eb693c9cc49c7d6a03f7960ddcfd8f468e5656b*", "*SHA1=4518758452af35d593e0cae80d9841a86af6d3de*", "*SHA1=da42cefde56d673850f5ef69e7934d39a6de3025*", "*SHA1=c32dfdb0ee859de618484f3ab7a43ee1d9a25d1c*", "*SHA1=471ca4b5bb5fe68543264dd52acb99fddd7b3c6d*", "*SHA1=290d6376658cf0f8182de0fae40b503098fa09fd*", "*SHA1=2bc9047f08a664ade481d0bbf554d3a0b49424ca*", "*SHA1=1f84d89dd0ae5008c827ce274848d551aff3fc33*", "*SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb*", "*SHA1=cb5229acdf87493e45d54886e6371fc59fc09ee5*", "*SHA1=2db49bdf8029fdcda0a2f722219ae744eae918b0*", "*SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec*", "*SHA1=24f6e827984cca5d9aa3e4c6f3c0c5603977795a*", "*SHA1=db3debacd5f6152abd7a457d7910a0ec4457c0d7*", "*SHA1=96323381a98790b8ffac1654cb65e12dbbe6aff1*", "*SHA1=7241b25c3a3ee9f36b52de3db2fc27db7065af37*", "*SHA1=3c956b524e73586195d704b874e36d49fe42cb6a*", "*SHA1=fb25e6886d98fe044d0eb7bd42d24a93286266e0*", "*SHA1=caa0cb48368542a54949be18475d45b342fb76e5*", "*SHA1=4c16dcc7e6d7dd29a5f6600e50fc01a272c940e1*", "*SHA1=1f3a9265963b660392c4053329eb9436deeed339*", "*SHA1=b0c7ec472abf544c5524b644a7114cba0505951e*", "*SHA1=622e7bffda8c80997e149ac11492625572e386e0*", "*SHA1=4ffa89f8dbdade28813e12db035cf9bd8665ef72*", "*SHA1=5fece994f2409810a0ad050b3ca9b633c93919e4*", "*SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79*", "*SHA1=2fa92d3739735bc9ac4dc38f42d909d97cc5c2a8*", "*SHA1=fece30b9b862bf99ae6a41e49f524fe6f32e215e*", "*SHA1=ae344c123ef6d206235f2a8448d07f86433db5a6*", "*SHA1=ad1616ea6dc17c91d983e829aa8a6706e81a3d27*", 
"*SHA1=c127c4d0917f54cee13a61c6c0029c95ae0746cf*", "*SHA1=84341ed15d645c4daedcdd39863998761e4cb0e3*", "*SHA1=fb4ce6de14f2be00a137e8dde2c68bb5b137ab9c*", "*SHA1=22c905fcdd7964726b4be5e8b5a9781322687a45*", "*SHA1=4927d843577bada119a17b249ff4e7f5e9983a92*", "*SHA1=d083e69055556a36df7c6e02115cbbf90726f35c*", "*SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf*", "*SHA1=86e59b17272a3e7d9976c980ded939bf8bf75069*", "*SHA1=eb0021e29488c97a0e42a084a4fe5a0695eccb7b*", "*SHA1=388819a7048179848425441c60b3a8390ad04a69*", "*SHA1=611411538b2bc9045d29bbd07e6845e918343e3c*", "*SHA1=43011eb72be4775fec37aa436753c4d6827395d1*", "*SHA1=18938e0d924ee7c0febdbf2676a099e828182c1c*", "*SHA1=1743b073cccf44368dc83ed3659057eb5f644b06*", "*SHA1=fb1570b4865083dfce1fcff2bd72e9e1b03cead5*", "*SHA1=96c2e1d7c9a8ad242f8f478e871f645895d3e451*", "*SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0*", "*SHA1=70258117b5efe65476f85143fd14fa0b7f148adb*", "*SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891*", "*SHA1=24b3f962587b0062ac9a1ec71bcc3836b12306d2*", "*SHA1=663803d7ab5aff28be37c2e7e8c7b98b91c5733e*", "*SHA1=2739c2cfa8306e6f78c335c55639566b3d450644*", "*SHA1=2027e5e8f2cfdfbd9081f99b65af4921626d77f9*", "*SHA1=eb44a05f8bba3d15e38454bd92999a856e6574eb*", "*SHA1=d7597d27eeb2658a7c7362193f4e5c813c5013e5*", "*SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd*", "*SHA1=1e6c2763f97e4275bba581de880124d64666a2fe*", "*SHA1=19977d45e98b48c901596fb0a49a7623cee4c782*", "*SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f*", "*SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843*", "*SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba*", "*SHA1=8d0f33d073720597164f7321603578cd13346d1f*", "*SHA1=229716e61f74db821d5065bac533469efb54867b*", "*SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526*", "*SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308*", "*SHA1=469c04cb7841eedd43227facaf60a6d55cf21fd7*", "*SHA1=722aa0fa468b63c5d7ea308d77230ae3169d5f83*", "*SHA1=bfd8568f19d4273a1288726342d7620cc9070ae5*", "*SHA1=17b3163aecd1f512f1603548ef6eb4947fbec95e*", 
"*SHA1=ce549714a11bd43b52be709581c6e144957136ec*", "*SHA1=a3224815aedc14bb46f09535e9b8ca7eaa4963bf*", "*SHA1=ba0d6c596b78a1fc166747d7523ca6316ef87e9f*", "*SHA1=f85f5e5d747433b274e53c8377bf24fbc08758b6*", "*SHA1=2e9466d5a814c20403be7c7a5811039ca833bd5d*", "*SHA1=3bb1dddb4157b6b8175fc6e1e7c33bef7870c500*", "*SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816*", "*SHA1=a958734d25865cbc6bcbc11090ab9d6b72799143*", "*SHA1=11fcaeda49848474cee9989a00d8f29cb727acb7*", "*SHA1=45328110873640d8fed9fc72f7d2eadd3d17ceae*", "*SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc*", "*SHA1=3fd5cd30085450a509eaa6367af26f6c4b9741b6*", "*SHA1=f1b3bdc3beb2dca19940d53eb5a0aed85b807e30*", "*SHA1=948fa3149742f73bf3089893407df1b20f78a563*", "*SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c*", "*SHA1=5eed0ce6487d0b8d0a6989044c4fcab1bd845d9e*", "*SHA1=ce31292b05c0ae1dc639a6ee95bb3bc7350f2aaf*", "*SHA1=1a53902327bac3ab323ee63ed215234b735c64da*", "*SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123*", "*SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13*", "*SHA1=f052dc35b74a1a6246842fbb35eb481577537826*", "*SHA1=ba3faca988ff56f4850dede2587d5a3eff7c6677*", "*SHA1=8f266edf9f536c7fc5bb3797a1cf9039fde8e97c*", "*SHA1=d57c732050d7160161e096a8b238cb05d89d1bb2*", "*SHA1=7480c7f7346ce1f86a7429d9728235f03a11f227*", "*SHA1=40abf7edb4c76fb3f22418f03198151c5363f1cb*", "*SHA1=43b61039f415d14189d578012b6cb1bd2303d304*", "*SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27*", "*SHA1=a809831166a70700b59076e0dbc8975f57b14398*", "*SHA1=22c9cd0f5986e91b733fbd5eda377720fd76c86d*", "*SHA1=d7b20ac695002334f804ffc67705ce6ac5732f91*", "*SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0*", "*SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c*", "*SHA1=72a5ac213ec1681d173bee4f1807c70a77b41bf6*", "*SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1*", "*SHA1=891c8d482e23222498022845a6b349fe1a186bcc*", "*SHA1=6a60c5dc7d881ddb5d6fe954f10b8aa10d214e72*", "*SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f*", "*SHA1=e40ea8d498328b90c4afbb0bb0e8b91b826f688e*", 
"*SHA1=356172a2e12fd3d54e758aaa4ff0759074259144*", "*SHA1=7115929de6fc6b9f09142a878d1a1bf358af5f24*", "*SHA1=1b84abffd814b9f4595296b3e5ede0c44e630967*", "*SHA1=40d29aa7b3fafd27c8b27c7ca7a3089ccb88d69b*", "*SHA1=1c3f2579310ddd7ae09ce9ca1cc537a771b83c9f*", "*SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4*", "*SHA1=879fcc6795cebe67718388228e715c470de87dca*", "*SHA1=b33b99ae2653b4e675beb7d9eb2c925a1f105bd4*", "*SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7*", "*SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa*", "*SHA1=c31049605f028a56ce939cd2f97c2e56c12d99f8*", "*SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962*", "*SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07*", "*SHA1=3048f3422b2b31b74eace0dab3f5c4440bdc7bb2*", "*SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2*", "*SHA1=0ff2ad8941fbb80cbccb6db7db1990c01c2869b1*", "*SHA1=6d3c760251d6e6ea7ff4f4fcac14876fac829cf9*", "*SHA1=20cf02c95e329cf2fd4563cddcbd434aad81ccb4*", "*SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c*", "*SHA1=e835776e0dc68c994dd18e8628454520156c93e3*", "*SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8*", "*SHA1=97bc298a1d12a493bf14e6523e4ff48d64832954*", "*SHA1=fb349c3cde212ef33a11a9d58a622dc58dff3f74*", "*SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c*", "*SHA1=b0a684474eb746876faa617a28824bee93ba24f0*", "*SHA1=a01c42a5be7950adbc7228a9612255ac3a06b904*", "*SHA1=a22dead5cdf05bd2f79a4d0066ffcf01c7d303ec*", "*SHA1=f7ce71891738a976cd8d4b516c8d7a8e2f6b0ad6*", "*SHA1=441f87633ee6fbea5dee1268d1b9b936a596464d*", "*SHA1=da9cea92f996f938f699902482ac5313d5e8b28e*", "*SHA1=32f27451c377c8b5ea66be5475c2f2733cffe306*", "*SHA1=58ebfb7de214ee09f6bf71c8cc9c139dd4c8b016*", "*SHA1=f5293ac70d75cdfe580ff6a9edcc83236012eaf1*", "*SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7*", "*SHA1=0b63e76fad88ac48dbfc7cf227890332fcd994a5*", "*SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f*", "*SHA1=160a237295a9e5cbb64ca686a84e47553a14f71d*", "*SHA1=f5d58452620b55c2931cba75eb701f4cde90a9e4*", "*SHA1=a24840e32071e0f64e1dff8ca540604896811587*", 
"*SHA1=fad8e308f6d2e6a9cfaf9e6189335126a3c69acb*", "*SHA1=6da2dd8a0b4c0e09a04613bbabfc07c0b848ec77*", "*SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e*", "*SHA1=f049e68720a5f377a5c529ca82d1147fe21b4c33*", "*SHA1=c4454a3a4a95e6772acb8a3d998b78a329259566*", "*SHA1=5291b17205accf847433388fe17553e96ad434ec*", "*SHA1=8b037d7a7cb612eabd8e20a9ce93afd92a6db2c2*", "*SHA1=0cca79962d9af574169f5dec12b1f4ca8e5e1868*", "*SHA1=87d47340d1940eaeb788523606804855818569e3*", "*SHA1=272ffcda920a8e2440eb0d31dcd05485e0d597ad*", "*SHA1=e28b754d4d332ea57349110c019d841cf4d27356*", "*SHA1=d1c38145addfed1bcd1b400334ff5a5e2ef9a5c6*", "*SHA1=c201d5d0ab945095c3b1a356b3b228af1aa652fc*", "*SHA1=39e57a0bb3b349c70ad5f11592f9282860bbcc0a*", "*SHA1=5622caf22032e5cbef52f48077cfbcbbbe85e961*", "*SHA1=d8498707f295082f6a95fd9d32c9782951f5a082*", "*SHA1=da03799bb0025a476e3e15cc5f426e5412aeef02*", "*SHA1=b5dfa3396136236cc9a5c91f06514fa717508ef5*", "*SHA1=ba63502aaf8c5a7c2464e83295948447e938a844*", "*SHA1=21ce232de0f306a162d6407fe1826aff435b2a04*", "*SHA1=36a6f75f05ac348af357fdecbabe1a184fe8d315*", "*SHA1=03257294ee74f69881002c4bf764b9cb83b759d6*", "*SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1*", "*SHA1=1045c63eccb54c8aee9fd83ffe48306dc7fe272c*", "*SHA1=8f4b79b8026da7f966d38a8ba494c113c5e3894b*", "*SHA1=f736ccbb44c4de97cf9e9022e1379a4f58f5a5b8*", "*SHA1=d612165251d5f1dcfb1f1a762c88d956f49ce344*", "*SHA1=fac870d438bf62ecd5d5c8c58cc9bfda6f246b8b*", "*SHA1=86b1186a4e282341daf2088204ab9ff2d0402d28*", "*SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0*", "*SHA1=0cac0dbaa7adb7bba6e92c7cd2d514be7e86a914*", "*SHA1=1b25fbab2dbee5504dc94fbcc298cd8669c097a8*", "*SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a*", "*SHA1=8d6d6745a2adc9e5aa025c38875554ae6440d1ad*", "*SHA1=f42aa04b69a2e2241958b972ef24b65f91c3af12*", "*SHA1=44a3a00394a6d233a27189482852babf070ffebe*", "*SHA1=3e406325a717d7163ca31e81beae822d03cbe3d8*", "*SHA1=fc154983af4a5be15ae1e4b54e2050530b8bc057*", "*SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0*", 
"*SHA1=f9c916d163b85057414300ca214ebdf751172ecf*", "*SHA1=195b91a1a43de8bfb52a4869fbf53d7a226a6559*", "*SHA1=d62fa51e520022483bdc5847141658de689c0c29*", "*SHA1=9329a0ce2749a3a6bea2028ce7562d74c417db64*", "*SHA1=cfdb2085eaf729c7967f5d4efe16da3d50d07a23*", "*SHA1=184729ec2ffd0928a408255a23b3f532ffb3db3d*", "*SHA1=45a9f95a7a018925148152b888d09d478d56bbf5*", "*SHA1=a5f9aef55c64722ff2db96039af3b9c7dd8163e3*", "*SHA1=483e58ed495e4067a7c42ca48e8a5f600b14e018*", "*SHA1=b9b72a5be3871ddc0446bae35548ea176c4ea613*", "*SHA1=18f09ec53f0b7d2b1ab64949157e0e84628d0f0a*", "*SHA1=de2b56ef7a30a4697e9c4cdcae0fc215d45d061d*", "*SHA1=e2e7a2b2550b889235aafd9ffd1966ccd20badfe*", "*SHA1=016aa643fbd8e10484741436bcacc0d9eee483c8*", "*SHA1=5c88d9fcc491c7f1078c224e1d6c9f5bda8f3d8a*", "*SHA1=86e893e59352fcb220768fb758fcc5bbd91dd39e*", "*SHA1=1568117f691b41f989f10562f354ee574a6abc2d*", "*SHA1=5c2262f9e160047b9f4dee53bbfd958ec27ec22e*", "*SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1*", "*SHA1=8db4376a86bd2164513c178a578a0bf8d90e7292*", "*SHA1=4a04596acf79115f15add3921ce30a96f594d7ce*", "*SHA1=16a091bfd1fd616d4607cac367782b1d2ab07491*", "*SHA1=cf664e30f8bd548444458eef6d56d5c2e2713e2a*", "*SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3*", "*SHA1=f544f25104fe997ec873f5cec64c7aa722263fb4*", "*SHA1=be797c91768ac854bd3b82a093e55db83da0cb11*", "*SHA1=cea540a2864ece0a868d841ab27680ff841fcbe6*", "*SHA1=b4f1877156bf3157bff1170ba878848b2f22d2d5*", "*SHA1=55cffb0ef56e52686b0c407b94bbea3701d6eccd*", "*SHA1=b6543d006cb2579fb768205c479524e432c04204*", "*SHA1=879b32fcf78044cbc74b57717ab3ae18e77bc2fb*", "*SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4*", "*SHA1=4a7324ca485973d514fd087699f6d759ff32743b*", "*SHA1=e41808b022656befb7dc42bbeceaf867e2fec6b2*", "*SHA1=1e09f3dd6ba9386fa9126f0116e49c2371401e01*", "*SHA1=5bdd44eb321557c5d3ab056959397f0048ac90e6*", "*SHA1=42bb38b0b93d83b62fe2604b154ada9314c98df7*", "*SHA1=c47b890dda9882f9f37eccc27d58d6a774a2901f*", "*SHA1=2cc70b772b42e0208f345c7c70d78f7536812f99*", 
"*SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd*", "*SHA1=b7a2f2760f9819cb242b2e4f5b7bab0a65944c81*", "*SHA1=7a1689cde189378e7db84456212b0e438f9bf90a*", "*SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95*", "*SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0*", "*SHA1=0a6e0f9f3d7179a99345d40e409895c12919195b*", "*SHA1=2dd916cb8a9973b5890829361c1f9c0d532ba5d6*", "*SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe*", "*SHA1=dcfeca5e883a084e89ecd734c4528b922a1099b9*", "*SHA1=f56fec3f2012cd7fc4528626debc590909ed74b6*", "*SHA1=d126c6974a21e9c5fdd7ff1ca60bcc37c9353b47*", "*SHA1=a6aa7926aa46beaf9882a93053536b75ef2c7536*", "*SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6*", "*SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be*", "*SHA1=7ba4607763c6fef1b2562b72044a20ca2a0303e2*", "*SHA1=bec66e0a4842048c25732f7ea2bbe989ea400abf*", "*SHA1=fd87b70f94674b02d62bb01ae6e62d75c618f5c8*", "*SHA1=d17656f11b899d58dca7b6c3dd6eef3d65ae88e2*", "*SHA1=c1c869deee6293eee3d0d84b6706d90fab8f8558*", "*SHA1=f56186b6a7aa3dd7832c9d821f9d2d93bc2a9360*", "*SHA1=e9d7d7d42fd534abf52da23c0d6ec238cefde071*", "*SHA1=8d0ae69fbe0c6575b6f8caf3983dd3ddc65aadb5*", "*SHA1=b67945815e40b1cd90708c57c57dab12ed29da83*", "*SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471*", "*SHA1=a4e2e227f984f344d48f4bf088ca9d020c63db4e*", "*SHA1=a34adabde63514e1916713a588905c4019f83efb*", "*SHA1=3270720a066492b046d7180ca6e60602c764cac7*", "*SHA1=2bcb81f1b643071180e8ed8f7e42f49606669976*", "*SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a*", "*SHA1=bb1f9cc94e83c59c90b055fe13bb4604b2c624df*", "*SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d*", "*SHA1=d702d88b12233be9413446c445f22fda4a92a1d9*", "*SHA1=6ecfc7ccc4843812bfccfb7e91594c018f0a0ff9*", "*SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b*", "*SHA1=c520a368c472869c3dc356a7bcfa88046352e4d9*", "*SHA1=254dce914e13b90003b0ae72d8705d92fe7c8dd0*", "*SHA1=e9f576137181c261dc3b23871d1d822731d54a12*", "*SHA1=ec1eafb87340b18c7ef3bc349fed1ddd5d3678f6*", "*SHA1=1c537fd17836283364349475c6138e6667cf1164*", 
"*SHA1=cfdf9c9125755f4e81fa7cc5410d7740fdfea4ed*", "*SHA1=252157ab2e33eed7aa112d1c93c720cadcee31ae*", "*SHA1=97f668aa01ebbbf2f5f93419d146e6608d203efd*", "*SHA1=9feacc95d30107ce3e1e9a491e2c12d73eef2979*", "*SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab*", "*SHA1=0f78974194b604122b1cd4e82768155f946f6d24*", "*SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c*", "*SHA1=d363011d6991219d7f152609164aba63c266b740*", "*SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1*", "*SHA1=db3538f324f9e52defaba7be1ab991008e43d012*", "*SHA1=008a292f71f49be1fb538f876de6556ce7b5603a*", "*SHA1=e35969966769e7760094cbcffb294d0d04a09db6*", "*SHA1=5236728c7562b047a9371403137a6e169e2026a6*", "*SHA1=862387e84baaf506c10080620cc46df2bda03eea*", "*SHA1=c0100f8a8697a240604b3ea88848dd94947c7fd3*", "*SHA1=ad05bff5fe45df9e08252717fc2bc2af57bf026f*", "*SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de*", "*SHA1=637d0de7fa2a06e462dad40a575cb0fa4a38d377*", "*SHA1=0904b8fa4654197eefd6380c81bbb2149ffe0634*", "*SHA1=928b9b180ff5deb9f9dd3a38c4758bcf09298c47*", "*SHA1=432fa24e0ce4b3673113c90b34d6e52dc7bac471*", "*SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825*", "*SHA1=444f96d8943aec21d26f665203f3fb80b9a2a260*", "*SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467*", "*SHA1=eba5483bb47ec6ff51d91a9bdf1eee3b6344493d*", "*SHA1=e3048cd05573dc1d30b1088859bc728ef67aaad0*", "*SHA1=537923c633d8fc94d9ae45ad9d89e5346f581f17*", "*SHA1=022f7aa4d0f04d594588ae9fa65c90bcc4bda833*", "*SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2*", "*SHA1=7a107291a9fad0d298a606eb34798d423c4a5683*", "*SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a*", "*SHA1=0fd700fee341148661616ecd8af8eca5e9fa60e3*", "*SHA1=3aba6dd15260875eb290e9d67992066141aa0bb0*", "*SHA1=a5596d4d329add26b9ca9fa7005302148dfacfd8*", "*SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0*", "*SHA1=22fc833e07dd163315095d32ebcd3b3e377c33a4*", "*SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1*", "*SHA1=c9522cf7f6d6637aaff096b4b16b0d81f6ee1c37*", "*SHA1=d11659145d6627f3d93975528d92fb6814171f91*", 
"*SHA1=d3d2fe8080f0b18465520785f3a955e1a24ae462*", "*SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387*", "*SHA1=ea37a4241fa4d92c168d052c4e095ccd22a83080*", "*SHA1=72966ca845759d239d09da0de7eebe3abe86fee3*", "*SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9*", "*SHA1=dc69a6cdf048e2c4a370d4b5cafd717d236374ea*", "*SHA1=24daa825adedcbbb1d098cbe9d68c40389901b64*", "*SHA1=2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1*", "*SHA1=dc55217b6043d819eadebd423ff07704ee103231*", "*SHA1=2ba0db7465cf4ffb272f803a9d77292b79c1e6df*", "*SHA1=52ea274e399df8706067fdc5ac52af0480461887*", "*SHA1=d8adf4f02513367c2b273abb0bc02f7eb3a5ef19*", "*SHA1=6887668eb41637bbbab285d41a36093c6b17a8fa*", "*SHA1=d6b1b3311263bfb170f2091d22f373c2215051b7*", "*SHA1=fad014ec98529644b5db5388d96bc4f9b77dcdc3*", "*SHA1=a714a2a045fa8f46d0165b78fe3eecf129c1de3a*", "*SHA1=a09334489fb18443c8793cb0395860518193cc3c*", "*SHA1=49d58f7565bacf10539bc63f1d2fe342b3c3d85a*", "*SHA1=e4fcb363cfe9de0e32096fa5be94a41577a89bb0*", "*SHA1=6a60f5fa0dfc6c1fa55b24a29df7464ee01a9717*", "*SHA1=8b86c99328e4eb542663164685c6926e7e54ac20*", "*SHA1=431550db5c160b56e801f220ceeb515dc16e68d2*", "*SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586*", "*SHA1=dd893cd3520b2015790f7f48023d833f8fe81374*", "*SHA1=7626036baf98ddcb492a8ec34e58c022ebd70a80*", "*SHA1=0b8b83f245d94107cb802a285e6529161d9a834d*", "*SHA1=c01caaa74439af49ca81cb5b200a167e7d32343c*", "*SHA1=26a8ab6ea80ab64d5736b9b72a39d90121156e76*", "*SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f*", "*SHA1=f6f7b5776001149496092a95fb10218dea5d6a6b*", "*SHA1=166759fd511613414d3213942fe2575b926a6226*", "*SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e*", "*SHA1=0a89a6f6f40213356487bfcfb0b129e4f6375180*", "*SHA1=f640c94e71921479cc48d06b59aba41ffa50a769*", "*SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7*", "*SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754*", "*SHA1=3ca51b23f8562485820883e894b448413891183a*", "*SHA1=8275977e4b586e485e9025222d0a582fcb9e1e8f*", "*SHA1=30846313e3387298f1f81c694102133568d6d48d*", 
"*SHA1=b52886433e608926a0b6e623217009e4071b107e*", "*SHA1=d19d1d3aa30391922989f4c6e3f7dc4937dcefbf*", "*SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c*", "*SHA1=091a039f5f2ae1bb0fa0f83660f4c178fd3a5a10*", "*SHA1=6293ff11805cd33bccbcca9f0132bff3ae2e2534*", "*SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc*", "*SHA1=7667b72471689151e176baeba4e1cd9cd006a09a*", "*SHA1=1479717fab67d98bbc3665f6b12adddfca74e0ef*", "*SHA1=fc8fbd92f6e64682360885c188d1bdfbc14ca579*", "*SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643*", "*SHA1=6df42ea7c0e6ee02062bf9ca2aa4aa5cd3775274*", "*SHA1=c40ff3ebf6b5579108165be63250634823db32ec*", "*SHA1=cef5a329f7a36c76a546d9528e57245127f37246*", "*SHA1=7c46ecc5ce8e5f6e236a3b169fb46bb357ac3546*", "*SHA1=a32232a426c552667f710d2dcbd2fb9f9c50331d*", "*SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327*", "*SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab*", "*SHA1=d496a8d3e71eaacd873ccef1d1f6801e54959713*", "*SHA1=437b56dc106d2e649d2c243c86729b6e6461d535*", "*SHA1=f10ec1b88c3a383c2a0c03362d31960836e3fb5f*", "*SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6*", "*SHA1=7503a1ed7f6fbd068f8c900dd5ddb291417e3464*", "*SHA1=24aafe3c727c6a3bd1942db78327ada8fcb8c084*", "*SHA1=8453fc3198349cf0561c87efc329c81e7240c3da*", "*SHA1=51b9867c391be3ce56ba7e1c3cba8c76777245b2*", "*SHA1=a7bd05de737f8ea57857f1e0845a25677df01872*", "*SHA1=eb2496304073727564b513efd6387a77ce395443*", "*SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e*", "*SHA1=736531c76b8d9c56e26561bf430e10ecabff0186*", "*SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02*", "*SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca*", "*SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57*", "*SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346*", "*SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3*", "*SHA1=c948ae14761095e4d76b55d9de86412258be7afd*", "*SHA1=80ea425e193bd0e05161e8e1dc34fb0eae5f9017*", "*SHA1=2e546d86d3b1e4eaa92b6ec4768de79f70eb922f*", "*SHA1=b91c34bb846fd5b2f13f627b7da16c78e3ee7b0f*", "*SHA1=a6816949cd469b6e5c35858d19273936fab1bef6*", 
"*SHA1=c02cb8256dfb37f690f2698473fe5428d17bc178*", "*SHA1=c2d18ce26ce2435845f534146d7f353b662ad2b9*", "*SHA1=05eff2001f595f9e2894c6b5eee756ae72379a6d*", "*SHA1=0a19a9c4c9185b80188da529ec9c9f45cbe73186*", "*SHA1=e7d8fc86b90f75864b7e2415235e17df4d85ee31*", "*SHA1=8e64c32bcfd70361956674f45964a8b0c8aa6388*", "*SHA1=97941faf575e43e59fe8ee167de457c2cf75c9eb*", "*SHA1=7e8efd93a1dad02385ec56c8f3b1cfd23aa47977*", "*SHA1=850d7df29256b4f537eddafe95cfea59fb118fe2*", "*SHA1=e2f40590b404a24e775f781525d8ed01f1b1156d*", "*SHA1=ff9048c451644c9c5ff2ba1408b194a0970b49e6*", "*SHA1=53f7fc4feb66af748f2ab295394bf4de62ae9fcc*", "*SHA1=3def50587309440e3b9e595bdbe4dde8d69a64e7*", "*SHA1=c6d349823bbb1f5b44bae91357895dba653c5861*", "*SHA1=f3029dba668285aac04117273599ac12a94a3564*", "*SHA1=adab368ed3c17b8f2dc0b2173076668b6153e03a*", "*SHA1=c45d03076fa6e66c1b8b74b020ad84712755e3df*", "*SHA1=0d27a3166575ec5983ec58de2591552cfa90ef92*", "*SHA1=d28b604b9bb608979cc0eab1e9e93e11c721aa3d*", "*SHA1=70bb3b831880e058524735b14f2a0f1a72916a4c*", "*SHA1=5a55c227ca13e9373b87f1ef6534533c7ce1f4fb*", "*SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba*", "*SHA1=4075de7d7d2169d650c5ccede8251463913511e6*", "*SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7*", "*SHA1=619413b5a6d6aeb4d58c409d54fe4a981dd7e4d9*", "*SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de*", "*SHA1=d9c1913a6c76b883568910094dfa1d67aad80c84*", "*SHA1=49174d56cce618c77ae4013fe28861c80bf5ba97*", "*SHA1=e11f48631c6e0277e21a8bdf9be513651305f0d5*", "*SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775*", "*SHA1=d5326fea00bcde2ef7155acf3285c245c9fb4ece*", "*SHA1=e8234c44f3b7e4c510ef868e8c080e00e2832b07*", "*SHA1=9449f211c3c47821b638513d239e5f2c778dc523*", "*SHA1=456a1acacaa02664517c2f2fb854216e8e967f9d*", "*SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8*", "*SHA1=b314742af197a786218c6dd704b438469445eefa*", "*SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371*", "*SHA1=fbfabf309680fbf7c0f6f14c5a0e4840c894e393*", "*SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef*", 
"*SHA1=6ed5c2313eecd97b78aa5dcdb442dd47345c9e43*", "*SHA1=1f26424eaf046dbf800ae2ac52d9bb38494d061a*", "*SHA1=b7fa8278ab7bc485727d075e761a72042c4595f7*", "*SHA1=10b9ae9286837b3bf6a00771c7e81adbdea3cbfe*", "*SHA1=850f15fd67d9177a50f3efef07a805b9613f50d6*", "*SHA1=696d68bdbe1d684029aaad2861c49af56694473a*", "*SHA1=164c899638bc83099c0379ea76485194564c956c*", "*SHA1=15f16fe63105b8f9cc0ef2bc8f97cfa5deb40662*", "*SHA1=b304cb10c88ddd8461bad429ebfd2fd1b809ac2b*", "*SHA1=a95a126b539989e29e68969bfab16df291e7fa8a*", "*SHA1=4f02fb7387ca0bc598c3bcb66c5065d08dbb3f73*", "*SHA1=1e8bccbd74f194db6411011017716c8c6b730d03*", "*SHA1=0cc60a56e245e70f664906b7b67dfe1b4a08a5b7*", "*SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a*", "*SHA1=19bd488fe54b011f387e8c5d202a70019a204adf*", "*SHA1=879e327292616c56bd4aafc279fbda6cc393b74d*", "*SHA1=45e8f87afa41143e0c5850f9e054d18ec9c8a6c0*", "*SHA1=b53c360b35174bd89f97f681bf7c17f40e519eb6*", "*SHA1=c3be2bbd9b3f696bc9d51d5973cc00ca059fb172*", "*SHA1=5bb2d46ba666c03c56c326f0bbc85cc48a87dfa3*", "*SHA1=9b8c7eda28bfad07ffe5f84a892299bc7e118442*", "*SHA1=762a5b4c7beb2af675617dca6dcd6afd36ce0afd*", "*SHA1=6d9e22a275a5477ea446e6c56ee45671fbcbb5f6*", "*SHA1=1292c7dd60214d96a71e7705e519006b9de7968f*", "*SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13*", "*SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646*", "*SHA1=f61e56359c663a769073782a0a3ffd3679c2694a*", "*SHA1=dd2b90c9796237036ac7136a172d96274dea14c8*", "*SHA1=af5b7556706e09ee9e74ee2e87eab5c0a49d2d35*", "*SHA1=57cc324326ab6c4239f8c10d2d1ce8862b2ce4d5*", "*SHA1=bed5bad7f405aa828a146c7f71d09c31d0c32051*", "*SHA1=34a07ae39b232cc3dbbe657b34660e692ff2043a*", "*SHA1=3f67a43ae174a715795e49f72bc350302de83323*", "*SHA1=a3d612a5ea3439ba72157bd96e390070bdddbbf3*", "*SHA1=655a9487d7a935322e19bb92d2465849055d029d*", "*SHA1=f70989f8b17971f13d45ee537e4ce98e93acbbaf*", "*SHA1=4044e5da1f16441fe7eb27cff7a76887a1aa7fec*", "*SHA1=7b4c922415e13deaf54bb2771f2ae30814ee1d14*", "*SHA1=8c11430372889bae1f91e8d068e2b2ad56dfc6bf*", 
"*SHA1=4f376b1d1439477a426ef3c52e8c1c69c2cb5305*", "*SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f*", "*SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403*", "*SHA1=7fb52290883a6b69a96d480f2867643396727e83*", "*SHA1=82dbac75b73ff4b92bdcbf6977a6683e1dcfe995*", "*SHA1=5b83c61178afb87ef7d58fd786808effcaaae861*", "*SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed*", "*SHA1=ebafebe5e94fdf12bd2159ed66d73268576bc7d9*", "*SHA1=5e4b93591f905854fb870011464291c3508aff44*", "*SHA1=a38aac44ee232fb50a6abf145e8dd921ca3e7d78*", "*SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b*", "*SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22*", "*SHA256=66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796*", "*SHA256=e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994*", "*SHA256=5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea*", "*SHA256=b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a*", "*SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4*", "*SHA256=c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547*", "*SHA256=506f56996fbcd34ff8a27e6948a2e2e21e6dbf42dab6e3a6438402000b969fd1*", "*SHA256=4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61*", "*SHA256=9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504*", "*SHA256=5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa*", "*SHA256=a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f*", "*SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675*", "*SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf*", "*SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb*", "*SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c*", "*SHA256=247aadaf17ed894fcacf3fc4e109b005540e3659fd0249190eb33725d3d3082f*", "*SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8*", 
"*SHA256=dfe57c6a4ef4d2491be325d67428698a61d9c5d2a24dbada10043d313be2c8cc*", "*SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc*", "*SHA256=46cf46e1073b7c99142964b7c4bef1e5285fabcf2c6dbe5be99000a393d9f474*", "*SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a*", "*SHA256=4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba*", "*SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395*", "*SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2*", "*SHA256=a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00*", "*SHA256=e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16*", "*SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712*", "*SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f*", "*SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50*", "*SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763*", "*SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26*", "*SHA256=5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879*", "*SHA256=68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248*", "*SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75*", "*SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d*", "*SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d*", "*SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812*", "*SHA256=b50b11e2203942695380869c6072e15479290bc57da2ec5df3481a36b8a8561e*", "*SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1*", "*SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439*", "*SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de*", "*SHA256=d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee*", 
"*SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a*", "*SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339*", "*SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46*", "*SHA256=a6f8aa3de5b4aea58eddd45807d722c864d4bc4a38ad573174af864e21f0d526*", "*SHA256=0c018eaa293c03febe2aef1e868fca782a06b49d7d2f9f388ae5fb57604c5250*", "*SHA256=223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1*", "*SHA256=18047c2d45758a43d6b7e56bcd4aa90354c899795baf944f037850c48d8e892a*", "*SHA256=442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243*", "*SHA256=7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8*", "*SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47*", "*SHA256=0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2*", "*SHA256=9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c*", "*SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3*", "*SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6*", "*SHA256=a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce*", "*SHA256=d3b5fd13a53eee5c468c8bfde4bfa7b968c761f9b781bb80ccd5637ee052ee7d*", "*SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59*", "*SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1*", "*SHA256=16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c*", "*SHA256=0bd164da36bd637bb76ca66602d732af912bd9299cb3d520d26db528cb54826d*", "*SHA256=c3d479d7efd0f6b502d6829b893711bdd51aac07d66326b41ef5451bafdfcb29*", "*SHA256=4eb1b9f3fe3c79f20c9cdeba92f6d6eb9b9ed15b546851e1f5338c0b7d36364b*", "*SHA256=fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70*", "*SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8*", "*SHA256=7149fbd191d7e4941a32a3118ab017426b551d5d369f20c94c4f36ae4ef54f26*", 
"*SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f*", "*SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa*", "*SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed*", "*SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492*", "*SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36*", "*SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293*", "*SHA256=cbd4f66ae09797fcd1dc943261a526710acc8dd4b24e6f67ed4a1fce8b0ae31c*", "*SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566*", "*SHA256=b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1*", "*SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be*", "*SHA256=a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e*", "*SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889*", "*SHA256=4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158*", "*SHA256=d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8*", "*SHA256=f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672*", "*SHA256=f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2*", "*SHA256=3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284*", "*SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0*", "*SHA256=1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd*", "*SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b*", "*SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0*", "*SHA256=bac7e75745d0cb8819de738b73edded02a07111587c4531383dccd4562922b65*", "*SHA256=8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750*", "*SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162*", "*SHA256=03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d*", 
"*SHA256=af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1*", "*SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173*", "*SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5*", "*SHA256=38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8*", "*SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a*", "*SHA256=ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156*", "*SHA256=a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f*", "*SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6*", "*SHA256=d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6*", "*SHA256=f9bc6b2d5822c5b3a7b1023adceb25b47b41e664347860be4603ee81b644590e*", "*SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677*", "*SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3*", "*SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4*", "*SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea*", "*SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3*", "*SHA256=45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271*", "*SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91*", "*SHA256=ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498*", "*SHA256=3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486*", "*SHA256=e6a2b1937fa277526a1e0ca9f9b32f85ab9cb7cb1a32250dd9c607e93fc2924f*", "*SHA256=f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229*", "*SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8*", "*SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469*", "*SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf*", "*SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190*", 
"*SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb*", "*SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135*", "*SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d*", "*SHA256=ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9*", "*SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f*", "*SHA256=eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd*", "*SHA256=a10b4ed33a13c08804da8b46fd1b7bd653a6f2bb65668e82086de1940c5bb5d1*", "*SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e*", "*SHA256=9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340*", "*SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775*", "*SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba*", "*SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf*", "*SHA256=7c933f5d07ccb4bd715666cd6eb35a774b266ddd8d212849535a54192a44f667*", "*SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb*", "*SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184*", "*SHA256=c0ae3349ebaac9a99c47ec55d5f7de00dc03bd7c5cd15799bc00646d642aa8de*", "*SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a*", "*SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25*", "*SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa*", "*SHA256=c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad*", "*SHA256=e8b51ab681714e491ab1a59a7c9419db39db04b0dd7be11293f3a0951afe740e*", "*SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef*", "*SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980*", "*SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748*", "*SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8*", 
"*SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3*", "*SHA256=42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180*", "*SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c*", "*SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52*", "*SHA256=67e9d1f6f7ed58d86b025d3578cb7a3f3c389b9dd425b7f46bb1056e83bffc78*", "*SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb*", "*SHA256=0aca4447ee54d635f76b941f6100b829dc8b2e0df27bdf584acb90f15f12fbda*", "*SHA256=49ae47b6b4d5e1b791b89e0395659d42a29a79c3e6ec52cbfcb9f9cef857a9dd*", "*SHA256=0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c*", "*SHA256=e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21*", "*SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd*", "*SHA256=41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f*", "*SHA256=d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c*", "*SHA256=b617a072c578cea38c460e2851f3d122ba1b7cfa1f5ee3e9f5927663ac37af61*", "*SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f*", "*SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb*", "*SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d*", "*SHA256=c9c60f560440ff16ad3c767ff5b7658d5bda61ea1166efe9b7f450447557136e*", "*SHA256=7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5*", "*SHA256=680ddece32fe99f056e770cb08641f5b585550798dfdf723441a11364637c7e6*", "*SHA256=1c425793a8ce87be916969d6d7e9dd0687b181565c3b483ce53ad1ec6fb72a17*", "*SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad*", "*SHA256=4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb*", "*SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433*", "*SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970*", 
"*SHA256=0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec*", "*SHA256=5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00*", "*SHA256=3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928*", "*SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f*", "*SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833*", "*SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c*", "*SHA256=38e6d7c2787b6289629c72b1ec87655392267044b4e4b830c0232243657ee8f9*", "*SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0*", "*SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa*", "*SHA256=0b8887921e4a22e24fd058ba5ac40061b4bb569ac7207b9548168af9d6995e7c*", "*SHA256=8a982eed9cbc724d50a9ddf4f74ecbcd67b4fdcd9c2bb1795bc88c2d9caf7506*", "*SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293*", "*SHA256=e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce*", "*SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219*", "*SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039*", "*SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683*", "*SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418*", "*SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5*", "*SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b*", "*SHA256=33bc9a17a0909e32a3ae7e6f089b7f050591dd6f3f7a8172575606bec01889ef*", "*SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f*", "*SHA256=53b9e423baf946983d03ce309ec5e006ba18c9956dcd97c68a8b714d18c8ffcf*", "*SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670*", "*SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e*", "*SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe*", 
"*SHA256=76940e313c27c7ff692051fbf1fbdec19c8c31a6723a9de7e15c3c1bec8186f6*", "*SHA256=eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed*", "*SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf*", "*SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2*", "*SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af*", "*SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004*", "*SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9*", "*SHA256=67cd6166d791bdf74453e19c015b2cb1e85e41892c04580034b65f9f03fe2e79*", "*SHA256=71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713*", "*SHA256=8ae383546761069b26826dfbf2ac0233169d155bca6a94160488092b4e70b222*", "*SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7*", "*SHA256=a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641*", "*SHA256=29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36*", "*SHA256=7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3*", "*SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7*", "*SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b*", "*SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838*", "*SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456*", "*SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8*", "*SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1*", "*SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10*", "*SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60*", "*SHA256=4737750788c72d2fc9cf95681c622357263075d65b23e54c4dc3f31446cad37b*", "*SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c*", "*SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c*", 
"*SHA256=3b2ad08123e8ed2516548240cfcdf5eefd89293f31070a6cd3949ee1b66fed14*", "*SHA256=edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5*", "*SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b*", "*SHA256=39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d*", "*SHA256=0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502*", "*SHA256=5da0ffe33987f8d5fb9c151f0eff29b99f42233b27efcad596add27bdc5c88ff*", "*SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9*", "*SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1*", "*SHA256=bceaf970b60b4457eca3c181f649a1c67f4602778171e53d9bdc9b97a09603ca*", "*SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b*", "*SHA256=db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7*", "*SHA256=32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e*", "*SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c*", "*SHA256=bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042*", "*SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653*", "*SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145*", "*SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478*", "*SHA256=b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5*", "*SHA256=edfc38f91b5e198f3bf80ef6dcaebb5e86963936bcd2e5280088ca90d6998b8c*", "*SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48*", "*SHA256=0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7*", "*SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f*", "*SHA256=b3a191ccd1df19cdf17fe6637d48266ac84c4310b013ad6973d8cb336b06ff69*", "*SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53*", "*SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4*", 
"*SHA256=c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778*", "*SHA256=0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75*", "*SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c*", "*SHA256=bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c*", "*SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57*", "*SHA256=00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c*", "*SHA256=7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca*", "*SHA256=3b19a7207a55d752db1b366b1dea2fd2c7620a825a3f0dcffca10af76611118c*", "*SHA256=fe2fb5d6cfcd64aeb62e6bf5b71fd2b2a87886eb97ab59e5353ba740da9f5db5*", "*SHA256=7fd90500b57f9ac959c87f713fe9ca59e669e6e1512f77fccb6a75cdc0dfee8e*", "*SHA256=0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901*", "*SHA256=e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc*", "*SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c*", "*SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1*", "*SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88*", "*SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b*", "*SHA256=65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d*", "*SHA256=0e10d3c73596e359462dc6bfcb886768486ff59e158f0f872d23c5e9a2f7c168*", "*SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508*", "*SHA256=060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f*", "*SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a*", "*SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486*", "*SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a*", "*SHA256=642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54*", "*SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9*", 
"*SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c*", "*SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac*", "*SHA256=6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d*", "*SHA256=1ce9e4600859293c59d884ea721e9b20b2410f6ef80699f8a78a6b9fad505dfc*", "*SHA256=33d7046a5d41f4010ad5df632577154ed223dac2ab0ca2da57dbf1724db45a57*", "*SHA256=653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d*", "*SHA256=20dd9542d30174585f2623642c7fbbda84e2347e4365e804e3f3d81f530c4ece*", "*SHA256=3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2*", "*SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd*", "*SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512*", "*SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743*", "*SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57*", "*SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92*", "*SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5*", "*SHA256=613d6cc154586c21b330018142a89eac4504e185f0be7f86af975e5b6c046c55*", "*SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298*", "*SHA256=b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c*", "*SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab*", "*SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd*", "*SHA256=854bc946b557ed78c7d40547eb39e293e83942a693c94d0e798d1c4fbde7efa9*", "*SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc*", "*SHA256=aa0c52cebd64a0115c0e7faf4316a52208f738f66a54b4871bd4162eb83dc41a*", "*SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade*", "*SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009*", "*SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d*", 
"*SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9*", "*SHA256=69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce*", "*SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761*", "*SHA256=16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23*", "*SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0*", "*SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c*", "*SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2*", "*SHA256=f2ed6c1906663016123559d9f3407bc67f64e0d235fa6f10810a3fa7bb322967*", "*SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1*", "*SHA256=c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a*", "*SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48*", "*SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8*", "*SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f*", "*SHA256=d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd*", "*SHA256=636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220*", "*SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22*", "*SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f*", "*SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e*", "*SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408*", "*SHA256=4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f*", "*SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2*", "*SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a*", "*SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5*", "*SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a*", "*SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6*", 
"*SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a*", "*SHA256=9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01*", "*SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258*", "*SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558*", "*SHA256=d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b*", "*SHA256=c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65*", "*SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3*", "*SHA256=f583cfb8aab7d084dc052dbd0b9d56693308cbb26bd1b607c2aedf8ee2b25e44*", "*SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2*", "*SHA256=bac1cd96ba242cdf29f8feac501110739f1524f0db1c8fcad59409e77b8928ba*", "*SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482*", "*SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc*", "*SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165*", "*SHA256=73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061*", "*SHA256=ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1*", "*SHA256=c181ce9a57e8d763db89ba7c45702a8cf66ef1bb58e3f21874cf0265711f886b*", "*SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02*", "*SHA256=51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb*", "*SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6*", "*SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a*", "*SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b*", "*SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0*", "*SHA256=83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc*", "*SHA256=8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250*", "*SHA256=61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874*", 
"*SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129*", "*SHA256=a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af*", "*SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff*", "*SHA256=6297556f66cd6619057f3a5b216b314f8a27eebb5fa575ee07a1944aca71ae80*", "*SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184*", "*SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af*", "*SHA256=3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1*", "*SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e*", "*SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587*", "*SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8*", "*SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89*", "*SHA256=72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35*", "*SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b*", "*SHA256=b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027*", "*SHA256=0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d*", "*SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924*", "*SHA256=5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c*", "*SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1*", "*SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4*", "*SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e*", "*SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131*", "*SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f*", "*SHA256=8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881*", "*SHA256=9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3*", "*SHA256=dd2c1aa4e14c825f3715891bfa2b6264650a794f366d5f73ed1ef1d79ff0dbf9*", 
"*SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24*", "*SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7*", "*SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2*", "*SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960*", "*SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357*", "*SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0*", "*SHA256=1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3*", "*SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0*", "*SHA256=87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b*", "*SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92*", "*SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc*", "*SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6*", "*SHA256=837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2*", "*SHA256=db73b0fa032be22405fa0b52fbfe3b30e56ac4787e620e4854c32668ae43bc33*", "*SHA256=773999db2f07c50aad70e50c1983fa95804369d25a5b4f10bd610f864c27f2fc*", "*SHA256=f64a78b1294e6837f12f171a663d8831f232b1012fd8bae3c2c6368fbf71219b*", "*SHA256=733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e*", "*SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21*", "*SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194*", "*SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48*", "*SHA256=747a4dc50915053649c499a508853a42d9e325a5eec22e586571e338c6d32465*", "*SHA256=903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b*", "*SHA256=6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259*", "*SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0*", "*SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5*", 
"*SHA256=55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03*", "*SHA256=f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686*", "*SHA256=4ba224af60a50cad10d0091c89134c72fc021da8d34a6f25c4827184dc6ca5c7*", "*SHA256=40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554*", "*SHA256=1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b*", "*SHA256=53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b*", "*SHA256=7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6*", "*SHA256=6e76764d750ebd835aa4bb055830d278df530303585614c1dc743f8d5adf97d7*", "*SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004*", "*SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89*", "*SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b*", "*SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20*", "*SHA256=00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03*", "*SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4*", "*SHA256=d9e8be11a19699903016f39f95c9c5bf1a39774ecea73670f2c3ed5385ebfe4c*", "*SHA256=6ef0b34649186fb98a7431b606e77ee35e755894b038755ba98e577bd51b2c72*", "*SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98*", "*SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa*", "*SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d*", "*SHA256=3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb*", "*SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f*", "*SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e*", "*SHA256=760be95d4c04b10df89a78414facf91c0961020e80561eee6e2cb94b43b76510*", "*SHA256=b749566057dee0439f54b0d38935e5939b5cb011c46d7022530f748ebc63efe5*", "*SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94*", 
"*SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf*", "*SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9*", "*SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa*", "*SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248*", "*SHA256=ac26150bc98ee0419a8b23e4cda3566e0eba94718ba8059346a9696401e9793d*", "*SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0*", "*SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa*", "*SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b*", "*SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c*", "*SHA256=0a9b608461d55815e99700607a52fbdb7d598f968126d38e10cc4293ac4b1ad8*", "*SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3*", "*SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e*", "*SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5*", "*SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a*", "*SHA256=2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f*", "*SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1*", "*SHA256=8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c*", "*SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8*", "*SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3*", "*SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1*", "*SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1*", "*SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775*", "*SHA256=ad0309c2d225d8540a47250e3773876e05ce6a47a7767511e2f68645562c0686*", "*SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0*", "*SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa*", 
"*SHA256=3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9*", "*SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073*", "*SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c*", "*SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219*", "*SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4*", "*SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2*", "*SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9*", "*SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5*", "*SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c*", "*SHA256=c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa*", "*SHA256=11208bbba148736309a8d2a4ab9ab6b8f22f2297547b100d8bdfd7d413fe98b2*", "*SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504*", "*SHA256=d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b*", "*SHA256=c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b*", "*SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126*", "*SHA256=81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05*", "*SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9*", "*SHA256=828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2*", "*SHA256=182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714*", "*SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57*", "*SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d*", "*SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185*", "*SHA256=f1fbec90c60ee4daba1b35932db9f3556633b2777b1039163841a91cf997938e*", "*SHA256=9917144b7240b1ce0cadb1210fd26182744fbbdf145943037c4b93e44aced207*", "*SHA256=c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1*", 
"*SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1*", "*SHA256=ad215185dc833c54d523350ef3dbc10b3357a88fc4dde00281d9af81ea0764d5*", "*SHA256=e2d6cdc3d8960a50d9f292bb337b3235956a61e4e8b16cf158cb979b777f42aa*", "*SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d*", "*SHA256=dbebf6d463c2dbf61836b3eba09b643e1d79a02652a32482ca58894703b9addb*", "*SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb*", "*SHA256=e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5*", "*SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685*", "*SHA256=70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7*", "*SHA256=909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77*", "*SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918*", "*SHA256=90574d2c406b9738aae8fc629c3983c5e47a6282a43b052f38b5dd313380c30a*", "*SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba*", "*SHA256=5daa8fa3b5db2e6225a2effea41af95fe7ffc579550c4081c8028ed33bc023b8*", "*SHA256=115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406*", "*SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4*", "*SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63*", "*SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25*", "*SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501*", "*SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c*", "*SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f*", "*SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b*", "*SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26*", "*SHA256=b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c*", "*SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe*", 
"*SHA256=f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2*", "*SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e*", "*SHA256=4c807bacfcf5c30686e26812ec8d5581a824b82fee7434260c27c33eee2dfbe2*", "*SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b*", "*SHA256=700b9839fde53e91f0847053b4d2eb8d9bd3aca098844510f1fa3bab6a37eb24*", "*SHA256=d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e*", "*SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80*", "*SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74*", "*SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d*", "*SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85*", "*SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512*", "*SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df*", "*SHA256=ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8*", "*SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc*", "*SHA256=5d7bfe05792189eaf7193bee85f0c792c33315cfcb40b2e62cc7baef6cafbc5c*", "*SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062*", "*SHA256=4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0*", "*SHA256=7ef8949637cb947f1a4e1d4e68d31d1385a600d1b1054b53e7417767461fafa7*", "*SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0*", "*SHA256=4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4*", "*SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f*", "*SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d*", "*SHA256=da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb*", "*SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90*", "*SHA256=cf66fcbcb8b2ea7fb4398f398b7480c50f6a451b51367718c36330182c1bb496*", 
"*SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463*", "*SHA256=1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d*", "*SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467*", "*SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca*", "*SHA256=b78eb7f12ba718183313cf336655996756411b7dcc8648157aaa4c891ca9dbee*", "*SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5*", "*SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd*", "*SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8*", "*SHA256=5ab48bf8c099611b217cc9f78af2f92e9aaeedf1cea4c95d5dd562f51e9f0d09*", "*SHA256=274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab*", "*SHA256=89bc3cb4522f9b0bf467a93a4123ef623c28244e25a9c34d4aae11f705d187e7*", "*SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd*", "*SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d*", "*SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3*", "*SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5*", "*SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb*", "*SHA256=afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3*", "*SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2*", "*SHA256=9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91*", "*SHA256=97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c*", "*SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850*", "*SHA256=065a34b786b0ccf6f88c136408943c3d2bd3da14357ee1e55e81e05d67a4c9bc*", "*SHA256=3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d*", "*SHA256=c188b36f258f38193ace21a7d254f0aec36b59ad7e3f9bcb9c2958108effebad*", "*SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c*", 
"*SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c*", "*SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88*", "*SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8*", "*SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c*", "*SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6*", "*SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526*", "*SHA256=a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e*", "*SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b*", "*SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882*", "*SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae*", "*SHA256=5be106b92424b12865338b3f541b3c244dce9693fe15f763316f0c6d6fc073ee*", "*SHA256=b84dc9b885193ced6a1b6842a365a4f18d1683951bb11a5c780ab737ffa06684*", "*SHA256=dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d*", "*SHA256=3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb*", "*SHA256=f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1*", "*SHA256=8bf01cd6d55502838853851703eb297ec71361fa9a0b088a30c2434f4d2bf9c6*", "*SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3*", "*SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8*", "*SHA256=1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43*", "*SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad*", "*SHA256=a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c*", "*SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed*", "*SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b*", "*SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a*", "*SHA256=70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505*", 
"*SHA256=76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb*", "*SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c*", "*SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee*", "*SHA256=1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a*", "*SHA256=ef438a754fd940d145cc5d658ddac666a06871d71652b258946c21efe4b7e517*", "*SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05*", "*SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee*", "*SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5*", "*SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b*", "*SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285*", "*SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb*", "*SHA256=d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e*", "*SHA256=b531f0a11ca481d5125c93c977325e135a04058019f939169ce3cdedaddd422d*", "*SHA256=fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a*", "*SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc*", "*SHA256=5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3*", "*SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a*", "*SHA256=b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f*", "*SHA256=786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc*", "*SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca*", "*SHA256=212c05b487cd4e64de2a1077b789e47e9ac3361efa24d9aab3cc6ad4bd3bd76a*", "*SHA256=5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab*", "*SHA256=79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd*", "*SHA256=9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95*", "*SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada*", 
"*SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26*", "*SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036*", "*SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7*", "*SHA256=ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc*", "*SHA256=b2bc7514201727d773c09a1cfcfae793fcdbad98024251ccb510df0c269b04e6*", "*SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965*", "*SHA256=eef68fdc5df91660410fb9bed005ed08c258c44d66349192faf5bb5f09f5fa90*", "*SHA256=582b62ffbcbcdd62c0fc624cdf106545af71078f1edfe1129401d64f3eefaa3a*", "*SHA256=326b53365f8486c78608139cac84619eff90be361f7ade9db70f9867dd94dcc9*", "*SHA256=9bd8b0289955a6eb791f45c3203f08a64cbd457fd1b9d598a6fbbca5d0372e36*", "*SHA256=655110646bff890c448c0951e11132dc3592bda6e080696341b930d090224723*", "*SHA256=8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f*", "*SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6*", "*SHA256=f2a4ddc38e68efd2eac27b2562529926f5ade93575a82e8d3e0abb2b37347257*", "*SHA256=e89afd283d5789b8064d5487e04b97e2cd3fc0c711a8cec230543ebdf9ffc534*", "*SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f*", "*SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572*", "*SHA256=81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d*", "*SHA256=2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9*", "*SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7*", "*SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a*", "*SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289*", "*SHA256=71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5*", "*SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8*", "*SHA256=848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891*", 
"*SHA256=14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c*", "*SHA256=49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94*", "*SHA256=a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53*", "*SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200*", "*SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf*", "*SHA256=c8ff7c9f510f7a2ed88d9b336d8c9339698d5e1ee14bfb91aa89703ec06dce42*", "*SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917*", "*SHA256=348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1*", "*SHA256=f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad*", "*SHA256=5fbfd7c4ea3db1197ad38d5a945acf6f2f42cb350380cf8ae276bc80b0dedb77*", "*SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c*", "*SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa*", "*SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a*", "*SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d*", "*SHA256=7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc*", "*SHA256=7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f*", "*SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e*", "*SHA256=39f137083e6c0200543e1f8d3c074f857d141bdb8c8f09338d48520537b881aa*", "*SHA256=0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182*", "*SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b*", "*SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c*", "*SHA256=a0dd3d43ab891777b11d4fdcb3b7f246b80bc66d12f7810cf268a5f6f4f8eb7b*", "*SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5*", "*SHA256=e9919d1546c7dfef62ff01b87f739812de0a57463611c12012013ae689023ce1*", "*SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5*", 
"*SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f*", "*SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28*", "*SHA256=b9ed73af3aef69dc1fb91731d6d0a649e93f83d0f07ddb9729d71c2d00ed0801*", "*SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c*", "*SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148*", "*SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6*", "*SHA256=5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4*", "*SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612*", "*SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e*", "*SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d*", "*SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9*", "*SHA256=648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f*", "*SHA256=6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440*", "*SHA256=b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25*", "*SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b*", "*SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6*", "*SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6*", "*SHA256=22e125c284a55eb730f03ec27b87ab84cf897f9d046b91c76bea2b5809fd51c5*", "*SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289*", "*SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f*", "*SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8*", "*SHA256=b7bba82777c9912e6a728c3e873c5a8fd3546982e0d5fa88e64b3e2122f9bc3b*", "*SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399*", "*SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085*", "*SHA256=f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585*", 
"*SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135*", "*SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396*", "*SHA256=d21aba58222930cb75946a0fb72b4adc96de583d3f7d8dc13829b804eb877257*", "*SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354*", "*SHA256=2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266*", "*SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82*", "*SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100*", "*SHA256=0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57*", "*SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae*", "*SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c*", "*SHA256=cb59a641adb623a65a9b5af1db2ffd921fd1ca1bc046a6df85d5f2e00fd0b5a5*", "*SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8*", "*SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0*", "*SHA256=51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292*", "*SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30*", "*SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4*", "*SHA256=83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c*", "*SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449*", "*SHA256=51f002ee44e46889cf5b99a724dd10cc2bd3e22545e2a2cb3bd6b1dd3af5ba11*", "*SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd*", "*SHA256=e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717*", "*SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a*", "*SHA256=b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890*", "*SHA256=bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091*", "*SHA256=6575ea9b319beb3845d43ce2c70ea55f0414da2055fa82eec324c4cebdefe893*", 
"*SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8*", "*SHA256=63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e*", "*SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2*", "*SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d*", "*SHA256=26d69e677d30bb53c7ac7f3fce76291fe2c44720ef17ee386f95f08ec5175288*", "*SHA256=b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71*", "*SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305*", "*SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4*", "*SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69*", "*SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1*", "*SHA256=d7a61c671eab1dfaa62fe1088a85f6d52fb11f2f32a53822a49521ca2c16585e*", "*SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4*", "*SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4*", "*SHA256=478bcb750017cb6541f3dd0d08a47370f3c92eec998bc3825b5d8e08ee831b70*", "*SHA256=1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7*", "*SHA256=e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21*", "*SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f*", "*SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e*", "*SHA256=4ace6dded819e87f3686af2006cb415ed75554881a28c54de606975c41975112*", "*SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a*", "*SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f*", "*SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7*", "*SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524*", "*SHA256=202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213*", "*SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005*", 
"*SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd*", "*SHA256=00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922*", "*SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102*", "*SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5*", "*SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8*", "*SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867*", "*SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca*", "*SHA256=c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b*", "*SHA256=c2562e0101cb39906c73b96fc15a6e6e3edd710b19858f6bbd0c90f1561b6038*", "*SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21*", "*SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3*", "*SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3*", "*SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14*", "*SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793*", "*SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79*", "*SHA256=405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1*", "*SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229*", "*SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1*", "*SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659*", "*SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687*", "*SHA256=ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d*", "*SHA256=b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c*", "*SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533*", "*SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9*", "*SHA256=11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f*", 
"*SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c*", "*SHA256=2a11b4f125d8537e69af7b684494e49ef2a30a219634988e278177fa36c934eb*", "*SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f*", "*SHA256=37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20*", "*SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b*", "*SHA256=c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0*", "*SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc*", "*SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2*", "*SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb*", "*SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba*", "*SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e*", "*SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de*", "*SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b*", "*SHA256=ffd03584246730397e231eb8d16c1449aef2c3bc79bf9da3ebf8400a21b20ae7*", "*SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646*", "*SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7*", "*SHA256=c640930c29ea3610a3a5cebee573235ec70267ed223b79b9fa45a80081e686a4*", "*SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc*", "*SHA256=16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1*", "*SHA256=24e70c87d58fa5771f02b9ddf0d8870cba6b26e35c6455a2c77f482e2080d3e9*", "*SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a*", "*SHA256=8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c*", "*SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4*", "*SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03*", "*SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64*", 
"*SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf*", "*SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530*", "*SHA256=d9a2bf0f5ba185170441f003dc46fbb570e1c9fdf2132ab7de28b87ba7ad1a0c*", "*SHA256=0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180*", "*SHA256=b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763*", "*SHA256=bfc121e93fcbf9bd42736cfe7675ae2cc805be9a58f1a0d8cc3aa5b42e49a13f*", "*SHA256=b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b*", "*SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2*", "*SHA256=5bdba1561ec5b23b1d56ea8cee411147d1526595f03a9281166a563b3641fa2a*", "*SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b*", "*SHA256=66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e*", "*SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba*", "*SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961*", "*SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a*", "*SHA256=9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be*", "*SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29*", "*SHA256=fc3e8554602c476e2edfa92ba4f6fb2e5ba0db433b9fbd7d8be1036e454d2584*", "*SHA256=bef87650c29faf421e7ad666bf47d7a78a45f291b438c8d1c4b6a66e5b54c6fc*", "*SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e*", "*SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c*", "*SHA256=4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d*", "*SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879*", "*SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb*", "*SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a*", "*SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347*", 
"*SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3*", "*SHA256=f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de*", "*SHA256=567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270*", "*SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba*", "*SHA256=b074caef2fbf7e1dc8870edccb65254858d95836f466b4e9e6ca398bf7a27aa3*", "*SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9*", "*SHA256=8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409*", "*SHA256=f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d*", "*SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813*", "*SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa*", "*SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa*", "*SHA256=9e2622d8e7a0ec136ba1fff639833f05137f8a1ff03e7a93b9a4aea25e7abb8d*", "*SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe*", "*SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7*", "*SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2*", "*SHA256=3ac8e54be2804f5fa60d0d23a11ba323fba078a942c96279425aabad935b8236*", "*SHA256=468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5*", "*SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b*", "*SHA256=ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4*", "*SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441*", "*SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989*", "*SHA256=0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7*", "*SHA256=daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5*", "*SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa*", "*SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa*", 
"*SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608*", "*SHA256=7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0*", "*SHA256=f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6*", "*SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d*", "*SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf*", "*SHA256=0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664*", "*SHA256=dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53*", "*SHA256=f48f31bf9c6abbd44124b66bce2ab1200176e31ef1e901733761f2b5ceb60fb2*", "*SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7*", "*SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a*", "*SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91*", "*SHA256=3678ba63d62efd3b706d1b661d631ded801485c08b5eb9a3ef38380c6cff319a*", "*SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd*", "*SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd*", "*SHA256=3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5*", "*SHA256=f13f6a4bf7711216c9e911f18dfa2735222551fb1f8c1a645a8674c1983ccea6*", "*SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0*", "*SHA256=898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289*", "*SHA256=834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78*", "*SHA256=d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4*", "*SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c*", "*SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7*", "*SHA256=8001d7161d662a6f4afb4d17823144e042fd24696d8904380d48065209f28258*", "*SHA256=4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51*", "*SHA256=1336469ec0711736e742b730d356af23f8139da6038979cfe4de282de1365d3b*", 
"*SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75*", "*SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9*", "*SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d*", "*SHA256=85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3*", "*SHA256=31e2e5c3290989e8624820cf5af886fd778ee8187fed593f33a6178f65103f37*", "*SHA256=1deae340bf619319adce00701de887f7434deab4d5547a1742aeedb5634d23c6*", "*SHA256=442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c*", "*SHA256=ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1*", "*SHA256=53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6*", "*SHA256=f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65*", "*SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028*", "*SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65*", "*SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094*", "*SHA256=87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5*", "*SHA256=c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633*", "*SHA256=78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663*", "*SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7*", "*SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc*", "*SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e*", "*SHA256=be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0*", "*SHA256=7108613244f16c2279c3c917aa49cef8acf0b92fdaa9ace19bf5cf634360d727*", "*SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f*", "*SHA256=20e52e0d7f579dc6884cc6e80266fddceda69ea5fdd0b095c0874b0d877e48a2*", "*SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a*", "*SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566*", 
"*SHA256=b3e645e8817696fa5d5e2255f9328f3b6a2e5fce91737f4d654ff155dc9851e5*", "*SHA256=3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458*", "*SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44*", "*SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351*", "*SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192*", "*SHA256=d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7*", "*SHA256=e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb*", "*SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356*", "*SHA256=d330ab003206ce5e9828607562790aa8dd0453f6b7452f5c6053e3c6b6761d25*", "*SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058*", "*SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c*", "*SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c*", "*SHA256=5fe5a6f88fbbc85be9efe81204eee11dff1a683b426019d330b1276a3b5424f4*", "*SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6*", "*SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d*", "*SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d*", "*SHA256=af298d940b186f922464d2ef19ccfc129c77126a4f337ecf357b4fe5162a477c*", "*SHA256=6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097*", "*SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01*", "*SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63*", "*SHA256=be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7*", "*SHA256=2288c418ddadd5a1db4e58c118d8455b01fd33728664408ce23b9346ae0ca057*", "*SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00*", "*SHA256=64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5*", "*SHA256=7de1ce434f957df7bbdf6578dd0bf06ed1269f3cc182802d5c499f5570a85b3a*", 
"*SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2*", "*SHA256=ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9*", "*SHA256=f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114*", "*SHA256=8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047*", "*SHA256=0584520b4b3bdad1d177329bd9952c0589b2a99eb9676cb324d1fce46dad0b9a*", "*SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa*", "*SHA256=4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4*", "*SHA256=a0e583bd88eb198558442f69a8bbfc96f4c5c297befea295138cfd2070f745c5*", "*SHA256=9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91*", "*SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7*", "*SHA256=d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e*", "*SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a*", "*SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c*", "*SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41*", "*SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0*", "*SHA256=1e9ec6b3e83055ae90f3664a083c46885c506d33de5e2a49f5f1189e89fa9f0a*", "*SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df*", "*SHA256=2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958*", "*SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0*", "*SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc*", "*SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229*", "*SHA256=d44848d3e845f8293974e8b621b72a61ec00c8d3cf95fcf41698bbbd4bdf5565*", "*SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1*", "*SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad*", "*SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9*", 
"*SHA256=a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67*", "*SHA256=d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2*", "*SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc*", "*SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c*", "*SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2*", "*SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a*", "*SHA256=d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4*", "*SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a*", "*SHA256=c35f3a9da8e81e75642af20103240618b641d39724f9df438bf0f361122876b0*", "*SHA256=ae5cc99f3c61c86c7624b064fd188262e0160645c1676d231516bf4e716a22d3*", "*SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc*", "*SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b*", "*SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853*", "*SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38*", "*SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9*", "*SHA256=3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f*", "*SHA256=7fc01f25c4c18a6c539cda38fdbf34b2ff02a15ffd1d93a7215e1f48f76fb3be*", "*SHA256=6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7*", "*SHA256=18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7*", "*SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1*", "*SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7*", "*SHA256=88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3*", "*SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba*", "*SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961*", "*SHA256=46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28*", 
"*SHA256=73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a*", "*SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc*", "*SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63*", "*SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d*", "*SHA256=922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832*", "*SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a*", "*SHA256=bb0742036c82709e02f25f98a9ff37c36a8c228bcaa98e40629fac8cde95b421*", "*SHA256=7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96*", "*SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8*", "*SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810*", "*SHA256=1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718*", "*SHA256=11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768*", "*SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf*", "*SHA256=5449e4dd1b75a7d52922c30baeca0ca8e32fe2210d1e72af2a2f314a5c2268fb*", "*SHA256=54488a8c7da53222f25b6ed74b0dedc55d00f5fa80f4eaf6daac28f7c3528876*", "*SHA256=98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e*", "*SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3*", "*SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960*", "*SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c*", "*SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414*", "*SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7*", "*SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33*", "*SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a*", "*SHA256=1cedd5815bb6e20d3697103cfc0275f5015f469e6007e8cac16892c97731c695*", "*SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece*", 
"*SHA256=b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f*", "*SHA256=7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25*", "*SHA256=6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0*", "*SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496*", "*SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b*", "*SHA256=0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3*", "*SHA256=ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7*", "*SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6*", "*SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae*", "*SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704*", "*SHA256=63af3fdb1e85949c8adccb43f09ca4556ae258b363a99ae599e1e834d34c8670*", "*SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8*", "*SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134*", "*SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6*", "*SHA256=e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef*", "*SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9*", "*SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf*", "*SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605*", "*SHA256=ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d*", "*SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22*", "*SHA256=0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02*", "*SHA256=c8926e31be2d1355e542793af8ff9ccc4d1d60cae40c9564b2400dd4e1090bda*", "*SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de*", "*SHA256=0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c*", "*SHA256=dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233*", 
"*SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0*", "*SHA256=423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18*", "*SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13*", "*SHA256=ae71f40f06edda422efcd16f3a48f5b795b34dd6d9bb19c9c8f2e083f0850eb7*", "*SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4*", "*SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc*", "*SHA256=a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6*", "*SHA256=d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757*", "*SHA256=11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359*", "*SHA256=1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67*", "*SHA256=2695390a8a7448390fe383beb1eee06d582202683f0273d6e72ef39a8cf709e1*", "*SHA256=ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18*", "*SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22*", "*SHA256=b9e0c2a569ab02742fa3a37846310a1d4e46ba2bfd4f80e16f00865fc62690cb*", "*SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758*", "*SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5*", "*SHA256=a188760f1bf36584a2720014ca982252c6bcd824e7619a98580e28be6090dccc*", "*SHA256=442f12adebf7cb166b19e8aead2b0440450fd1f33f5db384a39776bb2656474a*", "*SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495*", "*SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0*", "*SHA256=0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0*", "*SHA256=94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915*", "*SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347*", "*SHA256=47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d*", "*SHA256=a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e*", 
"*SHA256=c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413*", "*SHA256=082d4d4d4ba1bda5e1599bd24e930ae9f000e7d12b00f7021cca90a4600ea470*", "*SHA256=84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451*", "*SHA256=64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66*", "*SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3*", "*SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8*", "*SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955*", "*SHA256=9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727*", "*SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d*", "*SHA256=96df0b01eeba3e6e50759d400df380db27f0d0e34812d0374d22ac1758230452*", "*SHA256=df4c02beb039d15ff0c691bbc3595c9edfc1d24e783c8538a859bc5ea537188d*", "*SHA256=3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50*", "*SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280*", "*SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c*", "*SHA256=0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5*", "*SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986*", "*SHA256=41765151df57125286b398cc107ff8007972f4653527f876d133dac1548865d6*", "*SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54*", "*SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3*", "*SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233*", "*SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230*", "*SHA256=39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0*", "*SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c*", "*SHA256=6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d*", "*SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be*", 
"*SHA256=05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686*", "*SHA256=a6c05b10a5c090b743a61fa225b09e390e2dd2bd6cb4fd96b987f1e0d3f2124a*", "*SHA256=ce231637422709d927fb6fa0c4f2215b9c0e3ebbd951fb2fa97b8e64da479b96*", "*SHA256=26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd*", "*SHA256=ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613*", "*SHA256=fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17*", "*SHA256=37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60*", "*SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1*", "*SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668*", "*SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4*", "*SHA256=b1e4455499c6a90ba9a861120a015a6b6f17e64479462b869ad0f05edf6552de*", "*SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f*", "*SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb*", "*SHA256=50aa2b3a762abb1306fa003c60de3c78e89ea5d29aab8a9c6479792d2be3c2d7*", "*SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c*", "*SHA256=6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943*", "*SHA256=61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629*", "*SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e*", "*SHA256=d998ea6d0051e17c1387c9f295b1c79bacb2f61c23809903445f60313d36c7fd*", "*SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f*", "*SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d*", "*SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8*", "*SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6*", "*SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06*", "*SHA256=ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91*", 
"*SHA256=0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0*", "*SHA256=b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe*", "*SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7*", "*SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee*", "*SHA256=48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548*", "*SHA256=87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b*", "*SHA256=54bf602a6f1baaec5809a630a5c33f76f1c3147e4b05cecf17b96a93b1d41dca*", "*SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc*", "*SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602*", "*SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15*", "*SHA256=fded693528f7e6ac1af253e0bd2726607308fdaa904f1e7242ed44e1c0b29ae8*", "*SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef*", "*SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7*", "*SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3*", "*SHA256=8edab185e765f9806fa57153db1ede00e68270d2351443ee1de30674eca8d9b6*", "*SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15*", "*SHA256=8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7*", "*SHA256=c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746*", "*SHA256=77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f*", "*SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57*", "*SHA256=3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8*", "*SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9*", "*SHA256=5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9*", "*SHA256=c7079033659ac9459b3b7ab2510805832db2e2a70fe9beb1a6e13c1f51890d88*", "*SHA256=bbbeb5020b58e6942ec7dec0d1d518e95fc12ddae43f54ef0829d3393c6afd63*", 
"*SHA256=38535a0e9fc0684308eb5d6aa6284669bc9743f11cb605b79883b8c13ef906ad*", "*SHA256=65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377*", "*SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35*", "*SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24*", "*SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008*", "*SHA256=bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e*", "*SHA256=df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858*", "*SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8*", "*SHA256=159dcf37dc723d6db2bad46ed6a1b0e31d72390ec298a5413c7be318aef4a241*", "*SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476*", "*SHA256=cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183*", "*SHA256=2b188ae51ec3be082e4d08f7483777ec5e66d30e393a4e9b5b9dc9af93d1f09b*", "*SHA256=033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7*", "*SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff*", "*SHA256=1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a*", "*SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d*", "*SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471*", "*SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109*", "*SHA256=368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1*", "*SHA256=070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103*", "*SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10*", "*SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6*", "*SHA256=f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e*", "*SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097*", "*SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457*", 
"*SHA256=5bf3985644308662ebfa2fbcc11fb4d3e2a0c817ad3da1a791020f8c8589ebc8*", "*SHA256=a19fc837ca342d2db43ee8ad7290df48a1b8b85996c58a19ca3530101862a804*", "*SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35*", "*SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272*", "*SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39*", "*SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd*", "*SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e*", "*SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94*", "*SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db*", "*SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797*", "*SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71*", "*SHA256=6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402*", "*SHA256=2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e*", "*SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf*", "*SHA256=767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b*", "*SHA256=dba8db472e51edd59f0bbaf4e09df71613d4dd26fd05f14a9bc7e3fc217a78aa*", "*SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573*", "*SHA256=797c1f883d90d25e7fd553624bb16bfd5db24c2658aa0c3c51c715d5833c10fd*", "*SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52*", "*SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b*", "*SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*", "*SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00*", "*SHA256=d9a3dc47699949c8ec0c704346fb2ee86ff9010daa0dbac953cfa5f76b52fcd1*", "*SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9*", "*SHA256=572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4*", 
"*SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9*", "*SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a*", "*SHA256=91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4*", "*SHA256=5de78cf5f0b1b09e7145db84e91a2223c3ed4d83cceb3ef073c068cf88b9d444*", "*SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b*", "*SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47*", "*SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303*", "*SHA256=40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59*", "*SHA256=7277130afa0b1506998d7bc58567b0d83f52a27175f4c7c4a7186347095fceed*", "*SHA256=6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388*", "*SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015*", "*SHA256=775000c4083c8e4dcfc879d83fcd27b40b46820c9834ae4662861386a4d81fe9*", "*SHA256=125e4475a5437634cab529da9ea2ef0f4f65f89fb25a06349d731f283c27d9fe*", "*SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c*", "*SHA256=08828990218ebb4415c1bb33fa2b0a009efd0784b18b3f7ecd3bc078343f7208*", "*SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0*", "*SHA256=e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc*", "*SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43*", "*SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578*", "*SHA256=1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441*", "*SHA256=dd0bd7b8fae8e8835ba09118a02a06a51e111fccbe16916414844aab91cfeed4*", "*SHA256=17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d*", "*SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099*", "*SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2*", "*SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880*", 
"*SHA256=db0d425708ba908aedf5f8762d6fdca7636ae3a537372889446176c0237a2836*", "*SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282*", "*SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e*", "*SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab*", "*SHA256=7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0*", "*SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec*", "*SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0*", "*SHA256=3d8cfc9abea6d83dfea6da03260ff81be3b7b304321274f696ff0fdb9920c645*", "*SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59*", "*SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf*", "*SHA256=07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88*", "*SHA256=423d58265b22504f512a84faf787c1af17c44445ae68f7adcaa68b6f970e7bd5*", "*SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b*", "*SHA256=ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33*", "*SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a*", "*SHA256=270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc*", "*SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab*", "*SHA256=fa21e3d2bfb9fafddec0488852377fbb2dbdd6c066ca05bb5c4b6aa840fb7879*", "*SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe*", "*SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427*", "*SHA256=7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f*", "*SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9*", "*SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c*", "*SHA256=d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8*", "*SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4*", 
"*SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3*", "*SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69*", "*SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097*", "*SHA256=4ec7af309a9359c332d300861655faeceb68bb1cd836dd66d10dd4fac9c01a28*", "*SHA256=1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590*", "*SHA256=defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd*", "*SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b*", "*SHA256=d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb*", "*SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374*", "*SHA256=e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe*", "*SHA256=a6c11d3bec2a94c40933ec1d3604cfe87617ba828b14f4cded6cfe85656debc0*", "*SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84*", "*SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd*", "*SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7*", "*SHA256=bd3cf8b9af255b5d4735782d3653be38578ff5be18846b13d05867a6159aaa53*", "*SHA256=84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51*", "*SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993*", "*SHA256=e34afe0a8c5459d13e7a11f20d62c7762b2a55613aaf6dbeb887e014b5f19295*", "*SHA256=d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e*", "*SHA256=0e9072759433abf3304667b332354e0c635964ff930de034294bf13d40da2a6f*", "*SHA256=0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49*", "*SHA256=13ae4d9dcacba8133d8189e59d9352272e15629e6bca580c32aff9810bd96e44*", "*SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8*", "*SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805*", "*SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a*", 
"*SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c*", "*SHA256=c6db7f2750e7438196ec906cc9eba540ef49ceca6dbd981038cef1dc50662a73*", "*SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38*", "*SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0*", "*SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506*", "*SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3*", "*SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3*", "*SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921*", "*SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e*", "*SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a*", "*SHA256=e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65*", "*SHA256=8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65*", "*SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9*", "*SHA256=eba14a2b4cefd74edaf38d963775352dc3618977e30261aab52be682a76b536f*", "*SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2*", "*SHA256=bae4372a9284db52dedc1c1100cefa758b3ec8d9d4f0e5588a8db34ded5edb1f*", "*SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2*", "*SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499*", "*SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445*", "*SHA256=31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5*", "*SHA256=e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f*", "*SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3*", "*SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8*", "*SHA256=66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea*", "*SHA256=d3eaf041ce5f3fd59885ead2cb4ce5c61ac9d83d41f626512942a50e3da7b75a*", 
"*SHA256=a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec*", "*SHA256=8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040*", "*SHA256=748ccadb6bf6cdf4c5a5a1bb9950ee167d8b27c5817da71d38e2bc922ffce73d*", "*SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56*", "*SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e*", "*SHA256=1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f*", "*SHA256=d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4*", "*SHA256=019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f*", "*SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782*", "*SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56*", "*SHA256=cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461*", "*SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb*", "*SHA256=07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8*", "*SHA256=43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee*", "*SHA256=dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b*", "*SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280*", "*SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d*", "*SHA256=a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1*", "*SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e*", "*SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461*", "*SHA256=13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9*", "*SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57*", "*SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c*", "*SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5*", "*SHA256=9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a*", 
"*SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247*", "*SHA256=d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3*", "*SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1*", "*SHA256=1076504a145810dfe331324007569b95d0310ac1e08951077ac3baf668b2a486*", "*SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4*", "*SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f*", "*SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1*", "*SHA256=386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8*", "*SHA256=163912dfa4ad141e689e1625e994ab7c1f335410ebff0ade86bda3b7cdf6e065*", "*SHA256=e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822*", "*SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06*", "*SHA256=003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4*", "*SHA256=d2e843d9729da9b19d6085edf69b90b057c890a74142f5202707057ee9c0b568*", "*SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40*", "*SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890*", "*SHA256=d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23*", "*SHA256=3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76*", "*SHA256=e26a21e1b79ecaee7033e05edb0bd72aca463c23bd6fdf5835916ce2dfdf1a63*", "*SHA256=00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd*", "*SHA256=707b4b5f5c4585156d8a4d8c39cf26729f5ad05d7f77b17f48e670e808e3e6a0*", "*SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4*", "*SHA256=b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44*", "*SHA256=b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d*", "*SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3*", "*SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def*", 
"*SHA256=793a26c5c4c154a40f84c3d3165deb807062b26796acaae94b72f453e95230d5*", "*SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250*", "*SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40*", "*SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe*", "*SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b*", "*SHA256=7c830ed39c9de8fe711632bf44846615f84b10db383f47b7d7c9db29a2bd829a*", "*SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4*", "*SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036*", "*SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5*", "*IMPHASH=88e21ed9e717781eaf87209acbdbb567*", "*IMPHASH=481d7bb63a8e5eaba756137e6ef22e54*", "*IMPHASH=cef6a450f196b28e634aa3c0655d8eda*", "*IMPHASH=0e0722c16a5ded199f64b26fccd2115a*", "*IMPHASH=f0cd7cce1d03cf9df1b8266701f92b46*", "*IMPHASH=cc88330f6dca52a40e258f689d3e2db4*", "*IMPHASH=835e364e2175338d970c2aaee365f3dc*", "*IMPHASH=82e75304c5b7ed87121b8b89c82f2389*", "*IMPHASH=9470f56376e665fb981a35b303436041*", "*IMPHASH=37b1eada43ad08093dfa4de7a411d15f*", "*IMPHASH=a2d936fa82b7340d28a697fb344046d8*", "*IMPHASH=16b23f4c6ea47d01340a2cce4bf613f7*", "*IMPHASH=32b632f6379bfaac9f4f3a030a694f55*", "*IMPHASH=052280a42374b8d779c10cd0d8118691*", "*IMPHASH=540992ba6f31301ba27604515a78ad79*", "*IMPHASH=a5fd3b0143c8db98017ec1b2b2528360*", "*IMPHASH=1e13511288689b63b2e1348bf5eb567b*", "*IMPHASH=dd406d43857d7f5ad1b0aec04fdb7e5f*", "*IMPHASH=cf1a39b9408348cddaa4a2827283534c*", "*IMPHASH=0dcd262801389f839ce909cb173448e2*", "*IMPHASH=9e15ce38f071c916bea830247f1241bb*", "*IMPHASH=5716c52252afe18d09f6c1bc6e5ef3ef*", "*IMPHASH=ecf8495ba751a7e38d6be4c5c80f2bef*", "*IMPHASH=f475387e3959dbea86854d61602db136*", "*IMPHASH=98dc1b41bda471f7eabdce8a5d16c09d*", "*IMPHASH=8b7e7c20da6ca9ac4bdb3927fe2b266a*", "*IMPHASH=14075e605bff546182d682f41afefea2*", "*IMPHASH=b8302791cd2edfe6dd562c4854ea495f*", 
"*IMPHASH=a1d29a3af6402793ec9d23883512938a*", "*IMPHASH=aa01c534155ce919d797860feb531eae*", "*IMPHASH=ebb99842fa08915eb8b7f67d8dc7a13a*", "*IMPHASH=89f3f52b23bdf03bd2bb7eb3cfab8817*", "*IMPHASH=8605f70bcc472025c2e78082388ed00b*", "*IMPHASH=27365d8741d23e179699f1f11a619c7d*", "*IMPHASH=dc0a0f2d424a59b4d17033f58f01b027*", "*IMPHASH=48e2ef3c2d32ecca62510d90e12b6632*", "*IMPHASH=a793af44219650b4dd07d8a19ede33f1*", "*IMPHASH=5f4063ab963abff76d0d83d239697e36*", "*IMPHASH=7716b766e630388f64de1961719be3d4*", "*IMPHASH=8ed3fbdefcc1982cd7decc40ace9d2e7*", "*IMPHASH=6e796fd10b55f58fd0ec9f122a14e918*", "*IMPHASH=2d7766896629499b1484227afaf43dd7*", "*IMPHASH=0579e15c488a56c544e8fac130d826ba*", "*IMPHASH=e1d88d0526dfa369c3661355dbd8773d*", "*IMPHASH=8ec78cf864273fd81203678b61c41f04*", "*IMPHASH=ff605557fd515d7ab30ff41dbd8bd24a*", "*IMPHASH=234f0978e7f2aa0beb9501ff53d94e5b*", "*IMPHASH=77d6a7153b3015318622b793227fb394*", "*IMPHASH=6c42ea981bc29a7e2ed56d297e0b56dc*", "*IMPHASH=23eb5ffc060c6c52546d38e2b63019bd*", "*IMPHASH=ee9cc2f584c2f06fbff67d484adcf426*", "*IMPHASH=d6dc99d60798b2647006ddba21671160*", "*IMPHASH=1427c5f0f4fb100e26a3911f8209504b*", "*IMPHASH=a095f31019d7a32d0a0507879a1822b1*", "*IMPHASH=b8a35d469bc164d86ac7c64e93b0037b*", "*IMPHASH=0e9dfd08346bbe128159bff440d13389*", "*IMPHASH=bd607d71fdc1444aa96dc431591c5c44*", "*IMPHASH=f4b8d579fbdb32eabd01954394f5bf3a*", "*IMPHASH=edc2197e927392567cf09f7de410b5bb*", "*IMPHASH=7fb9382c0d754d5aac897d7a3e72b10c*", "*IMPHASH=1422b8d354b95d9cd880c8726df45dfc*", "*IMPHASH=0c959096cf4b3180530cc7865ef29157*", "*IMPHASH=aca7bbc6be02770c50b07eb6f94d1d78*", "*IMPHASH=3f4c9025125027e307b7e52dd577303b*", "*IMPHASH=68062e8b9d3c1e6cc62a9cae16a12b81*", "*IMPHASH=228bac53e82887d1ed92f51a667a8231*", "*IMPHASH=8919b7bae28d98c4a9e5967c9c55ce70*", "*IMPHASH=7e798c3abcbd0f1cfa8b2b9688e01936*", "*IMPHASH=8add42784f4693f421d85a2bcbadc620*", "*IMPHASH=fbcdb079e9c13a82f98b79bb6ce86175*", "*IMPHASH=a94892b77a6474429b9f692d9952a9d5*", 
"*IMPHASH=aa03d5a319bc221875846e19e01276f7*", "*IMPHASH=26150d69f50aa9247c3f3f17521d18a2*", "*IMPHASH=beb40a1e9d5c89308d1c56958ddac27d*", "*IMPHASH=59b3f3fa2775e407721c2491ddb2890b*", "*IMPHASH=c314c92b5c25c6f4323e3efaf8bde47a*", "*IMPHASH=d8752c1d5954bea175ac00df5acebb09*", "*IMPHASH=54e54063abbf1edaa9cf9ed8a18916d6*", "*IMPHASH=4aaef0105216f062a5f3ee071a72770c*", "*IMPHASH=67f975f0734a5b0598223fbe00b3367e*", "*IMPHASH=175c5711f3c49a0d929e9e2314b21c6b*", "*IMPHASH=12befc0a82dcb0585359d335ed47af19*", "*IMPHASH=24b344cd341f8b20003ac85be08df979*", "*IMPHASH=08c7f29f5cb29ba70e49879da2e8ddce*", "*IMPHASH=fc9c0ba924e7f104eda5254aaeacc5e8*", "*IMPHASH=5192bc7311bdeb1f3977bdc0d2e943e4*", "*IMPHASH=7363079b9aae7d58bd33c691a613c83c*", "*IMPHASH=e2c63196ed5368f03dabed73b1ff3409*", "*IMPHASH=8211bd4f00a3d9928a11a6ac3329fc46*", "*IMPHASH=2699b7ae36fcadd71425ebafd231d0d1*", "*IMPHASH=8d2a933d039e8b8134ef41236d5ea843*", "*IMPHASH=cc335217d6f7ab7a53dcfa55cbda5fb0*", "*IMPHASH=f9141c3df8f7ec7b3f2d46265a3b5528*", "*IMPHASH=e0813a780309a0af84b605d95bd194e4*", "*IMPHASH=e5fd4339e7b94543b16624a27ba1c872*", "*IMPHASH=fffbca93e6322995552b841c7d65b033*", "*IMPHASH=105b74485670215ab231a942c9101ccf*", "*IMPHASH=74081c86ad3e9771011f162c107927de*", "*IMPHASH=2df11474daf362b1b2fa3d3a89b6acbe*", "*IMPHASH=22a9d7a42282b48c566b4423363d3a3e*", "*IMPHASH=4fbdc03e4487f98fb59360ea5b3e640d*", "*IMPHASH=b262e8d078ede007ebd0aa71b9152863*", "*IMPHASH=abbab73b191d90dc642cbbc1f31d750d*", "*IMPHASH=a5b3ea8c2012c517c472ad6befd37134*", "*IMPHASH=9d7183c1d8107495354c4fad9dae3452*", "*IMPHASH=7d004bbe0f546a91c93562d324307fa7*", "*IMPHASH=b84820037d6a51ba108e0e81ce01db0b*", "*IMPHASH=68b717fa2ab9431cd176776363359d48*", "*IMPHASH=b0356152212dc6e33752847235064fb0*", "*IMPHASH=baa420e9d4e3baf0d65d4fc2bf497708*", "*IMPHASH=85fd19df117fbc21efbcb1d587063e12*", "*IMPHASH=8122311437457ccae22578e301c6a17d*", "*IMPHASH=f939ef0b7f792672866386600f82aa04*", "*IMPHASH=d7de998e454f947f62d4a6b66490563b*", 
"*IMPHASH=17a9b50297a2334d8e9dfc3411bbe8ab*", "*IMPHASH=6816dabcee7b7d027bfbb93a16297afa*", "*IMPHASH=6723b1d5bd0f1fc13216cb44541e619e*", "*IMPHASH=71e84092e69114f0792419cb8b2b0fd1*", "*IMPHASH=9c8c681f74950997cd571fd838a847b8*", "*IMPHASH=95fe5e937e5acf9bea948fe0256e46ae*", "*IMPHASH=fc789f89340a45f1ab6c49e61b1f6b40*", "*IMPHASH=b8d0a36d2b14d79dfa08fb2e121f0920*", "*IMPHASH=6ce93eab57a73915ecd5c202a339f6ce*", "*IMPHASH=59b168c8ba0db46cb70d1d5a103e6c41*", "*IMPHASH=3edc60bda68569cac7ad7604728ff40d*", "*IMPHASH=3e8e7e5e779c7064e6bab177167e9e7a*", "*IMPHASH=b05ee5c816a30bc52378c759486af0b9*", "*IMPHASH=f7d07bcaa23837d219dcb64e76290252*", "*IMPHASH=d658b06ec1ce39670b02a2dd83e29d03*", "*IMPHASH=11bfcbdb0787ef461d442f973c392cf6*", "*IMPHASH=f531646e31cc12dfaac5b8352653c384*", "*IMPHASH=9b3ad85a76080f989d24cd89da90175a*", "*IMPHASH=5f6fd4ffba177389f414dd1a6ded24b4*", "*IMPHASH=4b0b017b23567cf8b9e1268957acd032*", "*IMPHASH=b4a71a1265f5f82cf383af17e229acb5*", "*IMPHASH=0ebf1214948a636eba076b14cd8f72d5*", "*IMPHASH=c05e71aad32edcbe71ae0ef1621f8693*", "*IMPHASH=427cd9c70cca88ca1db61a5ddc3b8450*", "*IMPHASH=236bc37dff7a92a4d25d807cf038e674*", "*IMPHASH=e38cca61999fb8a0308c0eb798b07989*", "*IMPHASH=3815f9107b799b863cd905178e6e07d0*", "*IMPHASH=3c91d549b68e320924bcde3856993e87*", "*IMPHASH=bb56f25a810b329868a0ff8e94080bad*", "*IMPHASH=f5030145594c486434040aa2636a5dde*", "*IMPHASH=d8101af81fd826b492ced1994ebd3268*", "*IMPHASH=b5967a61e1a4e1d57b3d8ffefc5721ed*", "*IMPHASH=799c9c020c6fcfd11a4172bc861f74af*", "*IMPHASH=2b9471e7bb8c05dc55d0a2ff0591ea98*", "*IMPHASH=6a47c957830ccce7ef43ed96aacf7c2c*", "*IMPHASH=b1e749ba779687a5127817da3d47af2c*", "*IMPHASH=202a0f2f992ec379e2876776ae9de661*", "*IMPHASH=f5df2479285c7b593b3630b8357032e3*", "*IMPHASH=32204eaf2afa5b348ab17de07362885c*", "*IMPHASH=1de2e6e58f6b19c4ec9ad6ca9fce5c14*", "*IMPHASH=64d934652c680b7759f6e75d05ee3072*", "*IMPHASH=176d8e75a27a45e2c6f5d4cceca4d869*", "*IMPHASH=f0820e8f674e44e5c2a3f899ec561c1d*", 
"*IMPHASH=f4fa225abfb5a5263241a01a2c3f2b8f*", "*IMPHASH=a18b467c3b43f334ca455c495a3ef70d*", "*IMPHASH=a8633e68c2ad9f3dc83775d8d5b21c5b*", "*IMPHASH=9d5a58052468c8e07ff3d5bd730e5d00*", "*IMPHASH=69260cce3156aa2dc0540fb78f5fe826*", "*IMPHASH=b1336b0cb67918ed39f1f88c354910d0*", "*IMPHASH=f119bff607049d431d0968fbaf6532f3*", "*IMPHASH=c91146dfe120f6e8fbed2150d9e020ca*", "*IMPHASH=1e6875beefe8571686d3e8530f8c4bfb*", "*IMPHASH=acdf419d1d03923be256205b9c33eec8*", "*IMPHASH=756adaea6a3f9f0cdaff73d1a49ca201*", "*IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511*", "*IMPHASH=6e7cd05c0da9f82449a8b3795418ee00*", "*IMPHASH=8c3af6c25ab40c4daefb4f836d12e1c8*", "*IMPHASH=4792bcb395d06f9efb72e8020c4af5e6*", "*IMPHASH=d5bc15465b63888cc8b98ecc63a81517*", "*IMPHASH=7f53340c91c108efedb5b8678c5207b3*", "*IMPHASH=3f4a90b2976641ad2c0164792b24d322*", "*IMPHASH=d221afaadf43ceedb581e665435c56c7*", "*IMPHASH=f212bbc758bb52fc661839b1d194b76e*", "*IMPHASH=e938b727f5a033818337f7ba0584500f*", "*IMPHASH=3ac083b0ee2b752436a8a1532179f032*", "*IMPHASH=2e9ef79ea88178e29516dfa435a58900*", "*IMPHASH=24c3d3be20e794c17844d030be03fd2f*", "*IMPHASH=700a9350ac8b218ab9fc62cf25337ad3*", "*IMPHASH=e586fd1c5af87b43696b9d29b09bf1b1*", "*IMPHASH=2233472cee6457ad207017803048aaff*", "*IMPHASH=f046e37fa7914491dc25a6f7718da341*", "*IMPHASH=683bc425e3d8c21f9473a238a0645a4e*", "*IMPHASH=f08e2ac6ca73cd2a924ed25dc6813638*", "*IMPHASH=e2306e26abfd90a5ce4dad0e266b3905*", "*IMPHASH=10917aa77669c6ae714f074d89be9ab8*", "*IMPHASH=db62897eb9d2098e988f830159c04c82*", "*IMPHASH=51780bba04121d6be13f69de08721445*", "*IMPHASH=29a2e15ac1622a3daf7da5a78f0cef08*", "*IMPHASH=5988ec9f159fefbdf89d893aa634dd92*", "*IMPHASH=05d3de62beab8e88de1dafd3b24a16f6*", "*IMPHASH=88380fdfc880da4da407c38f34fe8a3c*", "*IMPHASH=8a424cd36ae3eab0d11332ce3b982a02*", "*IMPHASH=60a2fba979aaa0d0ccd09c12ca3d9e57*", "*IMPHASH=85f86c7c8ce81a78e84efa545d7edc65*", "*IMPHASH=9523103b30fb194643b97ccc3ab7abb0*", "*IMPHASH=0c2219c9c5eab786fa876f74356eea20*", 
"*IMPHASH=7abb0911ca4cc4697ee1e9897932d3ac*", "*IMPHASH=c6a0f65ba653ee78255cc9e314abc442*", "*IMPHASH=44e6f2f64092b48f8eb926c36ebd1d56*", "*IMPHASH=13300d56528646611f26704266713952*", "*IMPHASH=095c0cdb9c0421da216371c1f4e8790e*", "*IMPHASH=45f8f347e3fb919f3164a4a3278f1c71*", "*IMPHASH=0e4f5481813eeec4e5dd96e36020135f*", "*IMPHASH=1d05fb30a58133da2e9dbdfcf51b80fd*", "*IMPHASH=2561727ac42d399030b3c46477c428f4*", "*IMPHASH=be69e763a6a858c3e7e1ea6e3af12691*", "*IMPHASH=7fba20994f76fb31b9f5a2b3f0c00055*", "*IMPHASH=1d9cdf46ff335712634c292180c06755*", "*IMPHASH=ad4586d21c9469bf636b5e8660e9d702*", "*IMPHASH=958dd67f866ae27cf716e30a025b266f*", "*IMPHASH=1dd3b83f2b007f862a1d8de4a1d3303f*", "*IMPHASH=b4c562c2c654abd2cc71658646314976*", "*IMPHASH=679eba16ab2d51543b7007708838ef7c*", "*IMPHASH=a1603fe7f02448c6b33687ddb9304c7f*", "*IMPHASH=9e2cf28fe320bbf74972509536569c8e*", "*IMPHASH=f233a65b937c69b447824889fb7425ff*", "*IMPHASH=b3204707f6e489cd5a2484881eaf78ca*", "*IMPHASH=c61a46ffe79d3f7d6307c0d2ae5f391e*", "*IMPHASH=28c5045218461018dbde27212ab0f227*", "*IMPHASH=af34db96db910a3fa7a56f2fac8ed5e1*", "*IMPHASH=e80eeed7225a880bbde0d038a5fe1af4*", "*IMPHASH=62473b41d695f075ad96abc4a408de5b*", "*IMPHASH=56307b5227183c002e4231320a72b961*", "*IMPHASH=dd7c5c0c762169d40ee01280e4ac74fc*", "*IMPHASH=9915439d37f385dbffc72bf835f3ee02*", "*IMPHASH=4199ed50502e00f57d9b66e9305450f5*", "*IMPHASH=71c580daf556775f690f0af3db12506f*", "*IMPHASH=c1ab6741cd29de98a138f2bd639f620a*", "*IMPHASH=32247962aa01af8ad5dca696260a05ab*", "*IMPHASH=1d774a94ad511efe5ebfe70acc6f8c85*", "*IMPHASH=690a0fb27a0c47c785d6bbbfc2e56501*", "*IMPHASH=78727a5fac8bd281903014ee00dcd553*", "*IMPHASH=f5ebade1d3a6d3bde264b0c7f9f639e7*", "*IMPHASH=4343c9c0b78ee21e895f10d929c240d4*", "*IMPHASH=f510a429c6ce5c8d414550518b3823d2*", "*IMPHASH=45acfe4a83f61d872fb904a1f08ef991*", "*IMPHASH=cbf26c6e8cf7e294bda273e7026a2789*", "*IMPHASH=84d83741445d9f5a6717b874fed3d8f3*", "*IMPHASH=0b40636205c64cacfd2e4f407518ad58*", 
"*IMPHASH=b4627789883457d50964a248104cb4c2*", "*IMPHASH=a7ff164c1ee5113a0a09e66b2cd03544*", "*IMPHASH=a0a13575e37906924a0b79043b4005c6*", "*IMPHASH=955e7b12a8fa06444c68e54026c45de1*", "*IMPHASH=8f52e36711c80bb9d7e30995e0092e83*", "*IMPHASH=05fbe4619edf747787879d9323951439*", "*IMPHASH=865c945f842a3f5f5453fb90d12f6765*", "*IMPHASH=89f925b54b95944513671d79eba5fe07*", "*IMPHASH=f4c5b0399665885a7dd34f7cdbbc586f*", "*IMPHASH=2ece23bdef16ee294bd905c7ba1be589*", "*IMPHASH=e800cd3299d4cda0d9e02255acc3b7dd*", "*IMPHASH=a86fb9a41955bda815ab902fb58baa27*", "*IMPHASH=2f7ea575cf15da16c8f117eee37046d8*", "*IMPHASH=223a76f59831e1a59980b603f81c271d*", "*IMPHASH=c17c0bd619c1e188ffe27bd328dd7d08*", "*IMPHASH=1429d5c551f71d3ce6a7cc54c9348e95*", "*IMPHASH=3552d8a0022e7f3136b667e6d1e402f2*", "*IMPHASH=67d92a28cd2923a923adf7fd958905d8*", "*IMPHASH=3c9af2347198d96c8ab5b189b4e3db37*", "*IMPHASH=f43aa654b4bfb882a0af098ad3f899e9*", "*IMPHASH=518e77c070ae21af7c558962cd1854a3*", "*IMPHASH=8e96d1a56746c6f6f30f1a0963ce2f26*", "*IMPHASH=b19743993dc7f1d48b2a86fe9b9c91e3*", "*IMPHASH=acd1b0130287133223d26c91f27f6899*", "*IMPHASH=82942c060f79cefd3bf1acdf5c207561*", "*IMPHASH=bc5c06a7fa9555f3f34043d828d9b123*", "*IMPHASH=ccdeab2a83fbf2fef2e418cccd133ec1*", "*IMPHASH=2424cf613f90884493009dd6bee95693*", "*IMPHASH=5c77661ac2951da388949d9a834eb694*", "*IMPHASH=2a20cc9578bb34a4bb10b87b49b24982*", "*IMPHASH=3ee1cb6085fbe05e46e2b88493426848*", "*IMPHASH=cb876abd8c6ca8a47d50aec4a520a020*", "*IMPHASH=80ae2342fd6c7f5e1c642918e33dafb1*", "*IMPHASH=aa274f6b4b15691fd725d7044f98bf36*", "*IMPHASH=5e4c9e685f9b7d77c90ff710972bb7dd*", "*IMPHASH=4fb06df8cb54846e42943f0d3ae96e2f*", "*IMPHASH=74cc5d779ee7dbc9f389bab9dcccac50*", "*IMPHASH=0707fe3c02c8d2a4d6219bd0596d76f3*", "*IMPHASH=7863a0f25a0647ed7d52641222bd709a*", "*IMPHASH=75018719e85e67b75e73c57d682dbcbf*", "*IMPHASH=e08b2d7c450761f01ec9ed4ef0ca56a4*", "*IMPHASH=2263350df91a5a4f5e10e68b3b822029*", "*IMPHASH=6f0b9814da4da038669c47e77c2f268f*", 
"*IMPHASH=9fb64527ca6d4541cc256b1abd1e4101*", "*IMPHASH=27db67ffa112f866f1d34c32226e09cf*", "*IMPHASH=5bb79a6caa12076a6d140085cb53892e*", "*IMPHASH=d169b0949781ca2a6efea5a106266a02*", "*IMPHASH=5a50a9a44f5d36af5df1bde995d22e42*", "*IMPHASH=626c8ecbc636968157d73f18ac315926*", "*IMPHASH=f12ae9073d95c22ed89247253d59f500*", "*IMPHASH=44cbd2ee295f1a35795eb4cd7cdd0864*", "*IMPHASH=840e656bdb2987fa422092ec9d588895*", "*IMPHASH=d57ef6278dcd7049063e8fb6ade9effc*", "*IMPHASH=392aa6863da8d7c14ad7386026e93b58*", "*IMPHASH=5662b51943d85b7ca47a99cac81af985*", "*IMPHASH=8418ac0d7aaa9015794e55ea54733342*", "*IMPHASH=163436e69f8e582bdc1c1e6f735de23b*", "*IMPHASH=24e4c876bb5db0b0e0a4e92f0a3d3a48*", "*IMPHASH=3198fc43051f03c6c71587dbf232f75c*", "*IMPHASH=9321f9c47129fbc728ead2710e22f1a5*", "*IMPHASH=1a0d0d460994cfde55ee908d62330ee0*", "*IMPHASH=82f5b92ccd99d13f4dd6ed6aaf0441bc*", "*IMPHASH=634f3c43b014dc8845b086c9328a678c*", "*IMPHASH=81acb4bb89ef49c4e7f30513b4750e53*", "*IMPHASH=d61d30746681d0fda9bfd9e8af061b2a*", "*IMPHASH=7453e39bd87c63550451ba2fa354dd8e*", "*IMPHASH=bb437241f56020db0fcbf8f8629bdb07*", "*IMPHASH=1e8ee6407390a2d52051bec21c771fdb*", "*IMPHASH=7c24141cdcfc23f5eb0e2b6792d80740*", "*IMPHASH=a7f2c2e8e9d6c90e28819d1a3ab84bc8*", "*IMPHASH=1b0788bb68804273159b8ace9cba7ea3*", "*IMPHASH=9521d8684357766840dbcac2b4cee67d*", "*IMPHASH=b4c2607b2af5376910bf80b561e9a18a*", "*IMPHASH=f138fdbc6c7fbf73e135717c7d7eac27*", "*IMPHASH=82525a4a571f0f8d4e4f42ec6bb3900e*", "*IMPHASH=8bbc742eaed888736a715757f0584fb6*", "*IMPHASH=be527e5f470fbc661f914c81bfc9af38*", "*IMPHASH=ad374977f06fefefbb9c77155f7a0733*", "*IMPHASH=111e6d92e02f02f737654c5b1cfe9f6f*", "*IMPHASH=31907ffcac211e27136b14bb2f442070*", "*IMPHASH=60e068470635cf20cc19b7f8e8cbfc5f*", "*IMPHASH=8a5edbe5251fe141ea0262d5d572178b*", "*IMPHASH=0265c50548889ffd5c2d3a2539885efe*", "*IMPHASH=9376f1c4ab79240cc948b77bf9e8814b*", "*IMPHASH=82b2288ac7f842e42de15c5bc96f1772*", "*IMPHASH=317f02ddc9809d608a9bf63ce24e9550*", 
"*IMPHASH=65abf5c92cc2239f2dc9d589458569c9*", "*IMPHASH=12fef92a55cb5e1533b89d8e6a5892b2*", "*IMPHASH=fd133033a24971502ff0b2f189215c56*", "*IMPHASH=050d389675730da0d9d75367659cd53b*", "*IMPHASH=c590cbf2d6cbf206a2e47e8ed91dd944*", "*IMPHASH=505e0a016962137ca6169bce64ba2f53*", "*IMPHASH=02a27dc9a48b694b7df4b821eb65178c*", "*IMPHASH=bfe13c695e41d3eee414d3929b1bd523*", "*IMPHASH=5095ddaed3abc22c1510a141d72735cc*", "*IMPHASH=8f96c3ef5dda3fe697d4a4d6326dbe37*", "*IMPHASH=e1ecbd956bd016618b07e7dddcaf6e60*", "*IMPHASH=07a42e80559d960b176c0fc8fd309bfe*", "*IMPHASH=f86759bb4de4320918615dc06e998a39*", "*IMPHASH=c9f08d92efe88afb2545eb82a8870233*", "*IMPHASH=6b867dee14a77d0ada8ccad99b16291e*", "*IMPHASH=744af2b62301859b4ccdffba53551b15*", "*IMPHASH=ec5ee9a38e54ed3d4a6e6545672cb651*", "*IMPHASH=c3c9e6c0c33bad17eb055ec795fc113e*", "*IMPHASH=31a3c2c72c9a565dc4ba75ef26677569*", "*IMPHASH=7bc998aaa9fe4b4fd5e133554f42d913*", "*IMPHASH=bb981f82c2bfc3c22471df92d9d0fb89*", "*IMPHASH=ad34ea17f90a34f6f84a399a96383ada*", "*IMPHASH=30c0ed518c03fa46fa0bfe76f2db0e42*", "*IMPHASH=587191d77c08023e6e95463153e45463*", "*IMPHASH=c83f076c00d2b0a6ba9dc82f56a97631*", "*IMPHASH=cb8db41ab8c06472574e58b9466f4070*", "*IMPHASH=391ffad95759bc4bac2b737d0d0eaa84*", "*IMPHASH=c52384bc825d2414de3195672971339e*", "*IMPHASH=b0e74761cced2dde5173ae05ec562085*", "*IMPHASH=4bd0bd7710a7f71d38f056241c8ce0a7*", "*IMPHASH=ad0cdf3bab32983050527655bce40f96*", "*IMPHASH=e1a5435877b427be967867a25b1d263e*", "*IMPHASH=61b719638eacc2c5ca299805d4819e69*", "*IMPHASH=7687d0eba49315582228ef660f61b471*", "*IMPHASH=e7cbb1ce75bfc69f53855066a936042d*", "*IMPHASH=bc44fdc145156a15d0a803d18877b218*", "*IMPHASH=d5e7fc56a905088dbc79b8e27b98faea*", "*IMPHASH=3702511999371bac8982d01820dd70f2*", "*IMPHASH=d14ea0e632fc8485d77e7eba3c4d4537*", "*IMPHASH=2e7d3b001306473cbff3d0dc11a6fcbc*", "*IMPHASH=e717a2158439123c6fca79b6b2c0ba49*", "*IMPHASH=6736c04d5ff512e5e2eb608414276513*", "*IMPHASH=225e24ee3c4081a16ef32831b70bf8ef*", 
"*IMPHASH=48028b3b694466c1c0eb1d91ef5c02cb*", "*IMPHASH=37f7c6238c9ce110408e01ae1bc45635*", "*IMPHASH=b95bc1a99081d695b1c0b37b90a4a0be*", "*IMPHASH=78eaf4d62617f6b614d318cc70c6548a*", "*IMPHASH=55db306bc2be3ff71a6b91fd9db051b8*", "*IMPHASH=021fd02a8adad420116496b6f2759960*", "*IMPHASH=b3e26c5e0de2d01597dca208ef27cc38*", "*IMPHASH=67affe6126c1d4a774b2504061c96a2e*", "*IMPHASH=656ad5c2eac95f75d3fe6d5ca59e0d8d*", "*IMPHASH=5ea78a193212fe61ac722f45f0b0eab9*", "*IMPHASH=77ec8b2c372741f12098f084a13a56a8*", "*IMPHASH=f27327907e57c0c2c9fddc68eab2eb7b*", "*IMPHASH=b679ac08daf4b4ce8a58d85a8e0904ac*", "*IMPHASH=f2c2ee1ff03c54f384f4eee8c2533107*", "*IMPHASH=c12f7aec6ebe84a8390c82720adfc237*", "*IMPHASH=0a8eeabf5981efb2116244785cb03900*", "*IMPHASH=7f8c74638fcf297f8216aa5b184f61d6*", "*IMPHASH=d41fa95d4642dc981f10de36f4dc8cd7*", "*IMPHASH=8d616e68080def2200312de80392efa7*", "*IMPHASH=cde9174249f04dad0f79890c976c0792*", "*IMPHASH=858ceae385cdcfcbc7814644564c23e6*", "*IMPHASH=d232ae5bad7ce02f4eece90ef370c7a0*", "*IMPHASH=c7f08aed5725fe6a53a62ebe354ff135*", "*IMPHASH=cc81a908891587ccac8059435eda4c66*", "*IMPHASH=bd4f9a93da2bb4b5f6e90d4f9381661c*", "*IMPHASH=01aa65221a48929f0a34a27c4e3011b1*", "*IMPHASH=409d2ab916237fb129c57aacbb7cb4fe*", "*IMPHASH=65181bc89a1c2b5854548236269846c1*", "*IMPHASH=787e32b3fd816479fb93f9af0b6d0da3*", "*IMPHASH=8e89024d2c0ef0451c12b956a2b55b91*", "*IMPHASH=0cba56fa162378bc4ee09e94a4e2fe33*", "*IMPHASH=b7a0100fe60d7a8263da64820f7d0120*", "*IMPHASH=d16f507665603095c26147a7adcb93b8*", "*IMPHASH=0b663530751cc11f34273fee7921c431*", "*IMPHASH=604b5bd94f1892fd9e9025ef7a2bbe54*", "*IMPHASH=cb8397a3262c80b558aff93ab75b6a7b*", "*IMPHASH=d6c920c10d4d0f92f0ac14c3fefed233*", "*IMPHASH=9fd359d308a1e93106189b4ebd945855*", "*IMPHASH=c94e5ad0f33374535392364a5a193253*", "*IMPHASH=751c6b5c201f8c52f5512350cad88ddc*", "*IMPHASH=eac62dd0c27ed557fa4b641fa4050d04*", "*IMPHASH=506a31d768aec26b297c45b50026c820*", "*IMPHASH=60805da513b95c3d18a93b988bdfb58f*", 
"*IMPHASH=3aa0ceb8fcd07cf2514d1cb0b9bccf4b*", "*IMPHASH=c1579e4266fbdc47a5abc493a2d9d597*", "*IMPHASH=adfd4c0b031598afecb6f3f585f5f581*", "*IMPHASH=7a286ef4179598007a8afe9e5af95a48*", "*IMPHASH=c7912c850407aa93c979d95c4f593507*", "*IMPHASH=bec5dc89f030df7a96d19483fad4cc0a*", "*IMPHASH=b91054cdc4c8b3169cfe6c157f6d9f07*", "*IMPHASH=d67b7c7501e5261df5e66b3219fa52ee*", "*IMPHASH=b142d772a67c40535c8d8fabb6861748*", "*IMPHASH=1957e33acbc826c69f452ae1d1b89ac9*", "*IMPHASH=7a4a0df0bde1f8da6547a580d5bee7c3*", "*IMPHASH=085a78615099ffefa2df0a31da3058d8*", "*IMPHASH=e804d4ee2c20f3eb1d3c955e38a2fe11*", "*IMPHASH=6f2d756d22c285a46206de3bfde6c79d*", "*IMPHASH=071356ee9d8c7f91cbe8fa3c448286a2*", "*IMPHASH=ebf30b4cd57a4f4548a03eab0f6c418c*", "*IMPHASH=08ab07a2bc35aea02cd6d1efbb954cb3*", "*IMPHASH=cb15f8046e159c17b0510738fa18f758*", "*IMPHASH=07a513d1599c93bd34f01323b1ef7430*", "*IMPHASH=2430f988dcdc3828f6079e1e2cc71dc8*", "*IMPHASH=8b41eacbfbe5f5348579e27d30767e74*", "*IMPHASH=afee876e89b51e2cc7c91353fb588fe6*", "*IMPHASH=e11e41c95c1872ac3ebbd7768b16cf9e*", "*IMPHASH=e9077c03c44a511c2c8eaf5bad9ab90b*", "*IMPHASH=d6d76f43ccc3872b879b0df583364c78*", "*IMPHASH=62dbb90b4be9282d52aff9ae1a101d6b*", "*IMPHASH=3ec1e7e215efad2711248558465da9ad*", "*IMPHASH=96f270be3f73ec3fc2f2237fe84efca0*", "*IMPHASH=9ad5f7496f8c918d6c0536751d3accae*", "*IMPHASH=b1ed268dfdf4f39960971eb5822a4755*", "*IMPHASH=4c0161f638d5acafe23fcee3c5e86f15*", "*IMPHASH=9928d53dbe860aba1b7c891831680629*", "*IMPHASH=d122c1eaa50839be14c31876d0d4e0be*", "*IMPHASH=8f4588156ea7d9af8e4c162ce4c3ff23*", "*IMPHASH=abdaca21ab5c831000b0aa4b8f357716*", "*IMPHASH=0555907292d07d9f78205416eb1924d3*", "*IMPHASH=832f0fb3579a07b1c4bec82b4478306b*", "*IMPHASH=340e874a1ca966e45fc2a314ef228cce*", "*IMPHASH=b35d1d3faa6c97b106b343823d5df867*", "*IMPHASH=7e1327419d10a7eeece5579526f75d9f*", "*IMPHASH=084b99aebda8a13e4f774a2ced272e85*", "*IMPHASH=81ba5280406320ce6f03a9817d7d6035*", "*IMPHASH=e4f1a9234e4ea105321909d4c0e597ae*", 
"*IMPHASH=68a12eb3f32f7e193bd0d722ea6be4ab*", "*IMPHASH=c3fd2e688276a184b2528ee590054e5a*", "*IMPHASH=531d2392dbdd314fb1d9318fe9e5c4d2*", "*IMPHASH=29a1da8841f5363423dcba1a9773809a*", "*IMPHASH=9fc4a96d982ebfd6b9d87c0f3ebef681*", "*IMPHASH=304c4fcf70cfc8299a3b6eed8e7bbb31*", "*IMPHASH=3415f704b3149ea9a3d3a54036b208dd*", "*IMPHASH=7cf815757705e26b809574488ed56d0e*", "*IMPHASH=28d780857f0f6616f938aca3a38b5072*", "*IMPHASH=235102691b04f562ae8aa7ece38d8bc9*", "*IMPHASH=262d8fbbf1f514399bb3f230cddc12af*", "*IMPHASH=0f3ddbe229201f6fa9a3dbbaf842a556*", "*IMPHASH=bd093a7d5ba5632ee52f3466a688ee55*", "*IMPHASH=a9e22f5e8f4965960716d94ba7639c9f*", "*IMPHASH=528ac7a1e034801d1f20238971c6ec19*", "*IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4*", "*IMPHASH=7c8c655791b5c853e45aa174e5cc1333*", "*IMPHASH=a53b095a8d7366075d445892070cde51*", "*IMPHASH=f079f8637a1d4fe2fb93af2a267b68ef*", "*IMPHASH=0ebd5902a82ddfef8ed96678c1573a7b*", "*IMPHASH=9a970527986cd03e5a25d18b372624a1*", "*IMPHASH=87fde0c3f8e7dff7ab0d718d6b1252c8*", "*IMPHASH=959dce366573a7aae10b74a08931722a*", "*IMPHASH=fce118020e70919e5c8c629687f89e56*", "*IMPHASH=86682585c620fa85096a7bedaf990cd1*", "*IMPHASH=5f9cf5b0511f3c1129b467d273b921f2*", "*IMPHASH=543f80399f79401471523d335ea61642*", "*IMPHASH=3ca448454c33a5c72ad5e774de47930a*", "*IMPHASH=51ecd9b363fde1f003f4b4f20c874b1b*", "*IMPHASH=1f2627fc453dc35031a9502372bd3549*", "*IMPHASH=2cf48a541dc193e91bb2a831adcf278e*", "*IMPHASH=805e4a267f9495e7c0c430d92b78f8bd*", "*IMPHASH=92caaf6ebb43bbe61f3da8526172f776*", "*IMPHASH=421730c2b3fa3a7d78c2eda3da1be6a8*", "*IMPHASH=aa54fa0523f677e56d6d8199e5e18732*", "*IMPHASH=8ee2435c62b02fe0372cde028be489cb*", "*IMPHASH=50b6a9c4df6d0c9f517c804ad1307d7c*", "*IMPHASH=037b9d19995faadf69a2ce134473e346*", "*IMPHASH=2c19472843b56c67efb80d8c447f3cfe*", "*IMPHASH=a74f61fdcea718cb9579907b2caf54ab*", "*IMPHASH=84d45ee8df6f63b5af419d89003a97bc*", "*IMPHASH=69dbb4c8bbe4d8c2e1493f82170b93c4*", "*IMPHASH=6903b92e7760c5d7f7c181b64eb13176*", 
"*IMPHASH=d6f977640d4810a784d152e4d3c63a6b*", "*IMPHASH=473c3773ca11aa7371dbf350919c5724*", "*IMPHASH=87842ffa59724bda8389394bcaeb5d73*", "*IMPHASH=18502b56d9ea5dea7f9d31ef85db31d5*", "*IMPHASH=b6f67458e30912358144df4adf5264fd*", "*IMPHASH=a49a51d7f2ae972483961eb64d17888e*", "*IMPHASH=81e2eb25e24938b90806de865630a2b2*", "*IMPHASH=96861132665e8d66c0a91e6c02cc6639*", "*IMPHASH=69163e5596280d3319375c9bcd4b5da1*", "*IMPHASH=4946030efb34ab167180563899d5eb27*", "*IMPHASH=4c304943af1b07b15a5efa80f17d9b89*", "*IMPHASH=821d74031d3f625bcbd0df08b70f1e77*", "*IMPHASH=1bef18e9dda6f1e7bbf7eb76e9ccf16b*", "*IMPHASH=21f58b1f2de6ad0e9c019da7a4e7317b*", "*IMPHASH=91387ac37086b9b519f945b58095f38d*", "*IMPHASH=dcd41632f0ad9683e5c9c7cc083f78f7*", "*IMPHASH=ced7ea67fdf3d89a48849e0062278f7d*", "*IMPHASH=5713a0c2b363c49706fa0e60151511a8*", "*IMPHASH=089e8a8f2bb007852c63b64e66430293*", "*IMPHASH=383be1d728b0be96be1b810a131705ee*", "*IMPHASH=3d42ff70269b824dd9d4a8cb905669f9*", "*IMPHASH=363922cc73591e60f2af113182414230*", "*IMPHASH=fa084cdc36f03f1aeddaa3450e2781b1*", "*IMPHASH=3c61f9a38aaa7650fcd33b46e794d1bb*", "*IMPHASH=42e3f2ffa29901e572f2df03cb872159*", "*IMPHASH=4c5fc4519f1417f0630c3343aab7c9d2*", "*IMPHASH=d5d40497d82daf7e44255ede810ce7a6*", "*IMPHASH=91ee149529956a79a91eeb8c48f00b3d*", "*IMPHASH=a387f215b4964a3ca2e3c92f235a6d1b*", "*IMPHASH=ca6e77f472ebd5b2ade876e7c773bb57*", "*IMPHASH=67bace81ce26ddf73732dd75cbd0c0f2*", "*IMPHASH=18b8de84bd7aa83fec79d2c6aaf0a4f5*", "*IMPHASH=519cf5394541bf5e2869edeec81521e1*", "*IMPHASH=cae90f82e91b9a60af9a0e36c1f73be4*", "*IMPHASH=643f4d79f35dddc9bb5cc04a0f0c18d3*", "*IMPHASH=6b7d4c6283b9b951b7b2f47a0c5be8c7*", "*IMPHASH=b4c857bd3a7b1d8125c0f62aec45401e*", "*IMPHASH=49a12b06131d938e9dc40c693b88ba7f*", "*IMPHASH=f74aa24adc713dbb957ccb18f3c16a71*", "*IMPHASH=6faad89adbfc9d5448bb1bd12e7714cd*", "*IMPHASH=5759d90322a7311eaccf4f0ab2c2a7c4*", "*IMPHASH=8b6c1a09e11200591663b880a94a8d18*", "*IMPHASH=eade2a2576f329e4971bf5044ab24ac7*", 
"*IMPHASH=8b47d6faba90b5c89e27f7119c987e1a*", "*IMPHASH=4433528b0f664177546dd3e229f0daa5*", "*IMPHASH=c0f234205c50cc713673353c9653eea1*", "*IMPHASH=b4b90c1b054ebe273bff4b2fd6927990*", "*IMPHASH=f2dc136141066311fddef65f7f417c44*", "*IMPHASH=12a08688ec92616a8b639d85cc13a3ed*", "*IMPHASH=296afaa5ea70bbd17135afcd04758148*", "*IMPHASH=8232d2f79ce126e84cc044543ad82790*", "*IMPHASH=e10e743d152cf62f219a7e9192fb533d*", "*IMPHASH=e5af2438da6df2aa9750aa632c80cfa4*", "*IMPHASH=3a4e0bc46866ca54459753f62c879b62*", "*IMPHASH=10cb3185e13390f8931a50a131448cdf*", "*IMPHASH=4fb27d2712ef4afdb67e0921d64a5f1e*", "*IMPHASH=a96a02cf5f7896a9a9f045d1986bd83c*", "*IMPHASH=fd894d394a8ca9abd74f7210ed931682*", "*IMPHASH=ca07de87d444c1d2d10e16e9dcc2dc19*", "*IMPHASH=1aa10b05dee9268d7ce87f5f56ea9ded*", "*IMPHASH=485f7e86663d49c68c8b5f705d310f50*", "*IMPHASH=5899e93373114ca9e458e906675132b7*", "*IMPHASH=be2d638c3933fc3f5a96e539f9910c5f*", "*IMPHASH=fbfa302bf7eb5d615d0968541ee49ce4*", "*IMPHASH=f9b9487f25a2c1e08c02f391387c5323*", "*IMPHASH=ef102e058f6b88af0d66d26236257706*", "*IMPHASH=0f371a913e9fa3ba3a923718e489debb*") | fields - _raw | collect index=notable_events source="Vulnerable Driver Load" marker="guid=7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8,tags=attack.privilege-escalation,tags=attack.t1543.003,tags=attack.t1068," +[WinDivert Driver Load] +description = Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=6 ImageLoaded IN ("*\\WinDivert.sys*", "*\\WinDivert64.sys*", "*\\NordDivert.sys*", "*\\lingtiwfp.sys*", "*\\eswfp.sys*") OR Hashes IN ("*IMPHASH=0604bb7cb4bb851e2168d5c7d9399087*", "*IMPHASH=2e5f0e649d97f32b03c09e4686d0574f*", "*IMPHASH=52f8aa269f69f0edad9e8fcdaedce276*", "*IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76*", "*IMPHASH=58623490691babe8330adc81cd04a663*", "*IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b*", 
"*IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96*", "*IMPHASH=a1b2e245acd47e4a348e1a552a02859a*", "*IMPHASH=2a5f85fe4609461c6339637594fa9b0a*", "*IMPHASH=6b2c6f95233c2914d1d488ee27531acc*", "*IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342*", "*IMPHASH=d8a719865c448b1bd2ec241e46ac1c88*", "*IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38*", "*IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6*", "*IMPHASH=a74929edfc3289895e3f2885278947ae*", "*IMPHASH=a66b476c2d06c370f0a53b5537f2f11e*", "*IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4*", "*IMPHASH=c28cd6ccd83179e79dac132a553693d9*") OR Imphash IN ("0604bb7cb4bb851e2168d5c7d9399087", "2e5f0e649d97f32b03c09e4686d0574f", "52f8aa269f69f0edad9e8fcdaedce276", "c0e5d314da39dbf65a2dbff409cc2c76", "58623490691babe8330adc81cd04a663", "8ee39b48656e4d6b8459d7ba7da7438b", "45ee545ae77e8d43fc70ede9efcd4c96", "a1b2e245acd47e4a348e1a552a02859a", "2a5f85fe4609461c6339637594fa9b0a", "6b2c6f95233c2914d1d488ee27531acc", "9f2fdd3f9ab922bbb0560a7df46f4342", "d8a719865c448b1bd2ec241e46ac1c88", "0ea54f8c9af4a2fe8367fa457f48ed38", "9d519ae0a0864d6d6ae3f8b6c9c70af6", "a74929edfc3289895e3f2885278947ae", "a66b476c2d06c370f0a53b5537f2f11e", "bdcd836a46bc2415773f6b5ea77a46e4", "c28cd6ccd83179e79dac132a553693d9") | fields - _raw | collect index=notable_events source="WinDivert Driver Load" marker="guid=679085d5-f427-4484-9f58-1dc30a7c426d,tags=attack.collection,tags=attack.defense-evasion,tags=attack.t1599.001,tags=attack.t1557.001," +[PUA - Process Hacker Driver Load] +description = Detects driver load of the Process Hacker tool +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=6 ImageLoaded="*\\kprocesshacker.sys" OR Hashes IN ("*IMPHASH=821D74031D3F625BCBD0DF08B70F1E77*", "*IMPHASH=F86759BB4DE4320918615DC06E998A39*", "*IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18*", "*IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0*") OR Imphash IN ("821D74031D3F625BCBD0DF08B70F1E77", "F86759BB4DE4320918615DC06E998A39", "0A64EEB85419257D0CE32BD5D55C3A18", 
"6E7B34DFC017700B1517B230DF6FF0D0") | fields - _raw | collect index=notable_events source="PUA - Process Hacker Driver Load" marker="guid=67add051-9ee7-4ad3-93ba-42935615ae8d,tags=attack.privilege-escalation,tags=cve.2021-21551,tags=attack.t1543," +[Malicious Driver Load By Name] +description = Detects loading of known malicious drivers via the file name of the drivers. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=6 ImageLoaded IN ("*\\wfshbr64.sys", "*\\ktmutil7odm.sys", "*\\ktes.sys", "*\\a26363e7b02b13f2b8d697abb90cd5c3.sys", "*\\kt2.sys", "*\\4748696211bd56c2d93c21cab91e82a5.sys", "*\\malicious.sys", "*\\a236e7d654cd932b7d11cb604629a2d0.sys", "*\\spwizimgvt.sys", "*\\c94f405c5929cfcccc8ad00b42c95083.sys", "*\\fur.sys", "*\\wantd.sys", "*\\windbg.sys", "*\\4118b86e490aed091b1a219dba45f332.sys", "*\\gmer64.sys", "*\\1fc7aeeff3ab19004d2e53eae8160ab1.sys", "*\\poortry2.sys", "*\\wintapix.sys", "*\\daxin_blank6.sys", "*\\6771b13a53b9c7449d4891e427735ea2.sys", "*\\blacklotus_driver.sys", "*\\air_system10.sys", "*\\dkrtk.sys", "*\\7.sys", "*\\sense5ext.sys", "*\\ktgn.sys", "*\\ndislan.sys", "*\\nlslexicons0024uvn.sys", "*\\be6318413160e589080df02bb3ca6e6a.sys", "*\\4.sys", "*\\wantd_2.sys", "*\\e29f6311ae87542b3d693c1f38e4e3ad.sys", "*\\daxin_blank3.sys", "*\\gftkyj64.sys", "*\\daxin_blank2.sys", "*\\wantd_4.sys", "*\\reddriver.sys", "*\\834761775.sys", "*\\mlgbbiicaihflrnh.sys", "*\\mjj0ge.sys", "*\\daxin_blank.sys", "*\\daxin_blank5.sys", "*\\poortry1.sys", "*\\msqpq.sys", "*\\mimidrv.sys", "*\\e939448b28a4edc81f1f974cebf6e7d2.sys", "*\\prokiller64.sys", "*\\nodedriver.sys", "*\\wantd_3.sys", "*\\lctka.sys", "*\\kapchelper_x64.sys", "*\\daxin_blank4.sys", "*\\a9df5964635ef8bd567ae487c3d214c4.sys", "*\\wantd_6.sys", "*\\ntbios.sys", "*\\wantd_5.sys", "*\\pciecubed.sys", "*\\mimikatz.sys", "*\\nqrmq.sys", "*\\2.sys", "*\\poortry.sys", "*\\ntbios_2.sys", "*\\fgme.sys", "*\\telephonuafy.sys", "*\\typelibde.sys", 
"*\\daxin_blank1.sys", "*\\ef0e1725aaf0c6c972593f860531a2ea.sys", "*\\5a4fe297c7d42539303137b6d75b150d.sys") | fields - _raw | collect index=notable_events source="Malicious Driver Load By Name" marker="guid=39b64854-5497-4b57-a448-40977b8c9679,tags=attack.privilege-escalation,tags=attack.t1543.003,tags=attack.t1068," +[Vulnerable WinRing0 Driver Load] +description = Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=6 ImageLoaded IN ("*\\WinRing0x64.sys", "*\\WinRing0.sys", "*\\WinRing0.dll", "*\\WinRing0x64.dll", "*\\winring00x64.sys") OR Hashes="*IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7*" OR Imphash="d41fa95d4642dc981f10de36f4dc8cd7" | fields - _raw | collect index=notable_events source="Vulnerable WinRing0 Driver Load" marker="guid=1a42dfa6-6cb2-4df9-9b48-295be477e835,tags=attack.privilege-escalation,tags=attack.t1543.003," +[Vulnerable Driver Load By Name] +description = Detects the load of known vulnerable drivers via the file name of the drivers. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=6 ImageLoaded IN ("*\\panmonfltx64.sys", "*\\dbutil.sys", "*\\fairplaykd.sys", "*\\nvaudio.sys", "*\\superbmc.sys", "*\\bsmi.sys", "*\\smarteio64.sys", "*\\bwrsh.sys", "*\\agent64.sys", "*\\asmmap64.sys", "*\\dellbios.sys", "*\\chaos-rootkit.sys", "*\\wcpu.sys", "*\\dh_kernel.sys", "*\\sbiosio64.sys", "*\\bw.sys", "*\\asrdrv102.sys", "*\\nt6.sys", "*\\mhyprot3.sys", "*\\winio64c.sys", "*\\asupio64.sys", "*\\blackbonedrv10.sys", "*\\d.sys", "*\\driver7-x86.sys", "*\\sfdrvx32.sys", "*\\enetechio64.sys", "*\\gdrv.sys", "*\\sysinfodetectorx64.sys", "*\\fh-ethercat_dio.sys", "*\\asromgdrv.sys", "*\\my.sys", "*\\dcprotect.sys", "*\\irec.sys", "*\\gedevdrv.sys", "*\\winio32a.sys", "*\\gvcidrv64.sys", "*\\winio32.sys", "*\\bs_hwmio64.sys", "*\\nstr.sys", "*\\inpoutx64.sys", "*\\hw.sys", "*\\winio64.sys", "*\\hpportiox64.sys", "*\\iobitunlocker.sys", "*\\b1.sys", "*\\aoddriver.sys", "*\\elbycdio.sys", "*\\protects.sys", "*\\kprocesshacker.sys", "*\\speedfan.sys", "*\\radhwmgr.sys", "*\\iscflashx64.sys", "*\\black.sys", "*\\b4.sys", "*\\hwos2ec10x64.sys", "*\\winflash64.sys", "*\\corsairllaccess64.sys", "*\\bs_i2cio.sys", "*\\d3.sys", "*\\windows-xp-64.sys", "*\\aswvmm.sys", "*\\bs_i2c64.sys", "*\\1.sys", "*\\nchgbios2x64.sys", "*\\cpuz141.sys", "*\\segwindrvx64.sys", "*\\tdeio64.sys", "*\\ntiolib.sys", "*\\gtckmdfbs.sys", "*\\iomap64.sys", "*\\avalueio.sys", "*\\semav6msr.sys", "*\\lgdcatcher.sys", "*\\b.sys", "*\\hwdetectng.sys", "*\\nt4.sys", "*\\tgsafe.sys", "*\\mydrivers.sys", "*\\eneio64.sys", "*\\procexp.sys", "*\\viragt64.sys", "*\\fpcie2com.sys", "*\\lenovodiagnosticsdriver.sys", "*\\cp2x72c.sys", "*\\kerneld.amd64", "*\\bs_def64.sys", "*\\piddrv.sys", "*\\amifldrv64.sys", "*\\cpuz_x64.sys", "*\\proxy32.sys", "*\\wsdkd.sys", "*\\t8.sys", "*\\ucorew64.sys", "*\\atszio.sys", "*\\lmiinfo.sys", "*\\80.sys", "*\\nt3.sys", "*\\ngiodriver.sys", "*\\lv561av.sys", 
"*\\gpcidrv64.sys", "*\\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys", "*\\rtport.sys", "*\\full.sys", "*\\viragt.sys", "*\\fiddrv64.sys", "*\\cupfixerx64.sys", "*\\cpupress.sys", "*\\hwos2ec7x64.sys", "*\\driver7-x86-withoutdbg.sys", "*\\asrdrv10.sys", "*\\nvflsh64.sys", "*\\asrrapidstartdrv.sys", "*\\tmcomm.sys", "*\\wiseunlo.sys", "*\\rwdrv.sys", "*\\asio64.sys", "*\\nvoclock.sys", "*\\panio.sys", "*\\mtcbsv64.sys", "*\\amigendrv64.sys", "*\\capcom.sys", "*\\netflt.sys", "*\\phlashnt.sys", "*\\dbutil_2_3.sys", "*\\ni.sys", "*\\ntiolib_x64.sys", "*\\atszio64.sys", "*\\lgcoretemp.sys", "*\\lha.sys", "*\\phymem64.sys", "*\\dbutildrv2.sys", "*\\asrdrv103.sys", "*\\rtcore64.sys", "*\\bs_hwmio64_w10.sys", "*\\ene.sys", "*\\winio64b.sys", "*\\piddrv64.sys", "*\\directio32.sys", "*\\monitor_win10_x64.sys", "*\\nt5.sys", "*\\asrsmartconnectdrv.sys", "*\\rtif.sys", "*\\atillk64.sys", "*\\directio.sys", "*\\asribdrv.sys", "*\\kfeco11x64.sys", "*\\citmdrv_ia64.sys", "*\\sysdrv3s.sys", "*\\amp.sys", "*\\vboxdrv.sys", "*\\adv64drv.sys", "*\\hostnt.sys", "*\\phymem_ext64.sys", "*\\echo_driver.sys", "*\\winiodrv.sys", "*\\pdfwkrnl.sys", "*\\glckio2.sys", "*\\asrdrv106.sys", "*\\nscm.sys", "*\\bs_rcio64.sys", "*\\ncpl.sys", "*\\sandra.sys", "*\\fiddrv.sys", "*\\hwrwdrv.sys", "*\\mhyprot.sys", "*\\asrsetupdrv103.sys", "*\\iqvw64.sys", "*\\b3.sys", "*\\ssport.sys", "*\\bs_def.sys", "*\\computerz.sys", "*\\windows8-10-32.sys", "*\\nstrwsk.sys", "*\\lurker.sys", "*\\bsmemx64.sys", "*\\wyproxy64.sys", "*\\asio.sys", "*\\t3.sys", "*\\cpuz.sys", "*\\rtkio.sys", "*\\driver7-x64.sys", "*\\netfilterdrv.sys", "*\\ioaccess.sys", "*\\testbone.sys", "*\\gameink.sys", "*\\kevp64.sys", "*\\mhyprot2.sys", "*\\se64a.sys", "*\\vboxusb.sys", "*\\windows7-32.sys", "*\\vproeventmonitor.sys", "*\\winio64a.sys", "*\\asrdrv101.sys", "*\\netproxydriver.sys", "*\\elrawdsk.sys", "*\\zam64.sys", "*\\cg6kwin2k.sys", "*\\asupio.sys", "*\\stdcdrvws64.sys", "*\\81.sys", "*\\citmdrv_amd64.sys", 
"*\\amdryzenmasterdriver.sys", "*\\vmdrv.sys", "*\\sysinfo.sys", "*\\alsysio64.sys", "*\\directio64.sys", "*\\rzpnk.sys", "*\\amdpowerprofiler.sys", "*\\truesight.sys", "*\\wirwadrv.sys", "*\\phymemx64.sys", "*\\msio64.sys", "*\\sepdrv3_1.sys", "*\\gametersafe.sys", "*\\bs_rcio.sys", "*\\d4.sys", "*\\t.sys", "*\\eio.sys", "*\\nt2.sys", "*\\winring0.sys", "*\\physmem.sys", "*\\libnicm.sys", "*\\msio32.sys", "*\\asrautochkupddrv.sys", "*\\asio32.sys", "*\\etdsupp.sys", "*\\smep_namco.sys", "*\\bandai.sys", "*\\d2.sys", "*\\magdrvamd64.sys", "*\\nvflash.sys", "*\\goad.sys", "*\\proxy64.sys", "*\\amsdk.sys", "*\\kbdcap64.sys", "*\\vdbsv64.sys", "*\\pchunter.sys", "*\\sysconp.sys", "*\\dh_kernel_10.sys", "*\\msrhook.sys", "*\\bedaisy.sys", "*\\dcr.sys", "*\\panmonflt.sys", "*\\bsmixp64.sys", "*\\otipcibus.sys", "*\\fidpcidrv.sys", "*\\kfeco10x64.sys", "*\\asrdrv104.sys", "*\\c.sys", "*\\tdklib64.sys", "*\\bsmix64.sys", "*\\bs_flash64.sys", "*\\stdcdrv64.sys", "*\\naldrv.sys", "*\\ctiio64.sys", "*\\bwrs.sys", "*\\nicm.sys", "*\\winio32b.sys", "*\\paniox64.sys", "*\\ecsiodriverx64.sys", "*\\iomem64.sys", "*\\fidpcidrv64.sys", "*\\aswarpot.sys", "*\\bs_rciow1064.sys", "*\\asmio64.sys", "*\\openlibsys.sys", "*\\viraglt64.sys", "*\\dbk64.sys", "*\\t7.sys", "*\\atlaccess.sys", "*\\nbiolib_x64.sys", "*\\smep_capcom.sys", "*\\iqvw64e.sys") | fields - _raw | collect index=notable_events source="Vulnerable Driver Load By Name" marker="guid=72cd00d6-490c-4650-86ff-1d11f491daa1,tags=attack.privilege-escalation,tags=attack.t1543.003,tags=attack.t1068," +[Potential COM Object Hijacking Via TreatAs Subkey - Registry] +description = Detects COM object hijacking via TreatAs subkey +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="CreateKey" TargetObject="*HKU\\*" TargetObject="*Classes\\CLSID\\*" TargetObject="*\\TreatAs*" NOT Image="C:\\WINDOWS\\system32\\svchost.exe" | fields - _raw | collect index=notable_events 
source="Potential COM Object Hijacking Via TreatAs Subkey - Registry" marker="guid=9b0f8a61-91b2-464f-aceb-0527e0a45020,tags=attack.persistence,tags=attack.t1546.015," +[PUA - Sysinternal Tool Execution - Registry] +description = Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="CreateKey" TargetObject="*\\EulaAccepted" | fields - _raw | collect index=notable_events source="PUA - Sysinternal Tool Execution - Registry" marker="guid=25ffa65d-76d8-4da5-a832-3f2b0136e133,tags=attack.resource-development,tags=attack.t1588.002," +[Potential Persistence Via Logon Scripts - Registry] +description = Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="CreateKey" TargetObject="*UserInitMprLogonScript*" | fields - _raw | collect index=notable_events source="Potential Persistence Via Logon Scripts - Registry" marker="guid=9ace0707-b560-49b8-b6ca-5148b42f39fb,tags=attack.t1037.001,tags=attack.persistence,tags=attack.lateral-movement," +[Suspicious Execution Of Renamed Sysinternals Tools - Registry] +description = Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. 
a renamed Sysinternals tool) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="CreateKey" TargetObject IN ("*\\Active Directory Explorer*", "*\\Handle*", "*\\LiveKd*", "*\\ProcDump*", "*\\Process Explorer*", "*\\PsExec*", "*\\PsLoggedon*", "*\\PsLoglist*", "*\\PsPasswd*", "*\\PsPing*", "*\\PsService*", "*\\SDelete*") TargetObject="*\\EulaAccepted" NOT (Image IN ("*\\ADExplorer.exe", "*\\ADExplorer64.exe", "*\\handle.exe", "*\\handle64.exe", "*\\livekd.exe", "*\\livekd64.exe", "*\\procdump.exe", "*\\procdump64.exe", "*\\procexp.exe", "*\\procexp64.exe", "*\\PsExec.exe", "*\\PsExec64.exe", "*\\PsLoggedon.exe", "*\\PsLoggedon64.exe", "*\\psloglist.exe", "*\\psloglist64.exe", "*\\pspasswd.exe", "*\\pspasswd64.exe", "*\\PsPing.exe", "*\\PsPing64.exe", "*\\PsService.exe", "*\\PsService64.exe", "*\\sdelete.exe")) | fields - _raw | collect index=notable_events source="Suspicious Execution Of Renamed Sysinternals Tools - Registry" marker="guid=f50f3c09-557d-492d-81db-9064a8d4e211,tags=attack.resource-development,tags=attack.t1588.002," +[PUA - Sysinternals Tools Execution - Registry] +description = Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="CreateKey" TargetObject IN ("*\\Active Directory Explorer*", "*\\Handle*", "*\\LiveKd*", "*\\Process Explorer*", "*\\ProcDump*", "*\\PsExec*", "*\\PsLoglist*", "*\\PsPasswd*", "*\\SDelete*", "*\\Sysinternals*") TargetObject="*\\EulaAccepted" | fields - _raw | collect index=notable_events source="PUA - Sysinternals Tools Execution - Registry" marker="guid=c7da8edc-49ae-45a2-9e61-9fd860e4e73d,tags=attack.resource-development,tags=attack.t1588.002," +[Potential Persistence Via Disk Cleanup Handler - Registry] +description = Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="CreateKey" TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\*" NOT (TargetObject IN ("*\\Active Setup Temp Folders", "*\\BranchCache", "*\\Content Indexer Cleaner", "*\\D3D Shader Cache", "*\\Delivery Optimization Files", "*\\Device Driver Packages", "*\\Diagnostic Data Viewer database files", "*\\Downloaded Program Files", "*\\DownloadsFolder", "*\\Feedback Hub Archive log files", "*\\Internet Cache Files", "*\\Language Pack", "*\\Microsoft Office Temp Files", "*\\Offline Pages Files", "*\\Old ChkDsk Files", "*\\Previous Installations", "*\\Recycle Bin", "*\\RetailDemo Offline Content", "*\\Setup Log Files", "*\\System error memory dump files", "*\\System error minidump files", "*\\Temporary Files", "*\\Temporary Setup Files", "*\\Temporary Sync Files", "*\\Thumbnail Cache", "*\\Update Cleanup", "*\\Upgrade Discarded Files", "*\\User file versions", "*\\Windows Defender", "*\\Windows Error Reporting Files", "*\\Windows ESD installation files", "*\\Windows Upgrade Log Files")) | fields - _raw | collect index=notable_events source="Potential Persistence Via Disk Cleanup Handler - Registry" marker="guid=d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a,tags=attack.persistence," +[Potential NetWire RAT Activity - Registry] +description = Detects registry keys related to NetWire RAT +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="CreateKey" TargetObject="*\\software\\NetWire*" | fields - _raw | collect index=notable_events source="Potential NetWire RAT Activity - Registry" marker="guid=1d218616-71b0-4c40-855b-9dbe75510f7f,tags=attack.defense-evasion,tags=attack.t1112," +[Potential Persistence Via New AMSI Providers - Registry] +description = Detects when an attacker registers a new AMSI provider in order to achieve persistence +search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="CreateKey" TargetObject IN ("*\\SOFTWARE\\Microsoft\\AMSI\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\*") NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*")) | fields - _raw | collect index=notable_events source="Potential Persistence Via New AMSI Providers - Registry" marker="guid=33efc23c-6ea2-4503-8cfe-bdf82ce8f705,tags=attack.persistence," +[Removal of Potential COM Hijacking Registry Keys] +description = Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="DeleteKey" TargetObject="*\\shell\\open\\command" NOT (Image="C:\\Windows\\system32\\svchost.exe" OR (Image IN ("C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*", "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\*") Image="*\\OfficeClickToRun.exe") OR Image="C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe" OR (Image="*\\Dropbox.exe" TargetObject="*\\Dropbox.*") OR (Image="*\\AppData\\Local\\Temp\\Wireshark_uninstaller.exe" TargetObject="*\\wireshark-capture-file\\*") OR (Image IN ("C:\\Program Files\\Opera\\*", "C:\\Program Files (x86)\\Opera\\*") Image="*\\installer.exe") OR (Image="*peazip*" TargetObject="*\\PeaZip.*") OR (Image="*\\Everything.exe" TargetObject="*\\Everything.*") OR Image="C:\\Windows\\Installer\\MSI*" OR (Image="C:\\Program Files (x86)\\Java\\*" Image="*\\installer.exe" TargetObject="*\\Classes\\WOW6432Node\\CLSID\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}*")) | fields - _raw | collect index=notable_events source="Removal of Potential COM Hijacking Registry Keys" 
marker="guid=96f697b0-b499-4e5d-9908-a67bec11cdb6,tags=attack.defense-evasion,tags=attack.t1112," +[Terminal Server Client Connection History Cleared - Registry] +description = Detects the deletion of registry keys containing the MSTSC connection history +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 (EventType="DeleteValue" TargetObject="*\\Microsoft\\Terminal Server Client\\Default\\MRU*") OR (EventType="DeleteKey" TargetObject="*\\Microsoft\\Terminal Server Client\\Servers\\*") | fields - _raw | collect index=notable_events source="Terminal Server Client Connection History Cleared - Registry" marker="guid=07bdd2f5-9c58-4f38-aec8-e101bb79ef8d,tags=attack.defense-evasion,tags=attack.t1070,tags=attack.t1112," +[Removal Of SD Value to Hide Schedule Task - Registry] +description = Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="DeleteKey" TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\*" TargetObject="*SD*" | fields - _raw | collect index=notable_events source="Removal Of SD Value to Hide Schedule Task - Registry" marker="guid=acd74772-5f88-45c7-956b-6a7b36c294d2,tags=attack.defense-evasion,tags=attack.t1562," +[Removal Of AMSI Provider Registry Keys] +description = Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="DeleteKey" TargetObject IN ("*{2781761E-28E0-4109-99FE-B9D127C57AFE}", "*{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}") | fields - _raw | collect index=notable_events source="Removal Of AMSI Provider Registry Keys" marker="guid=41d1058a-aea7-4952-9293-29eaaf516465,tags=attack.defense-evasion,tags=attack.t1562.001," +[Removal Of Index Value to Hide Schedule Task - Registry] +description = Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="DeleteKey" TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\*" TargetObject="*Index*" | fields - _raw | collect index=notable_events source="Removal Of Index Value to Hide Schedule Task - Registry" marker="guid=526cc8bc-1cdc-48ad-8b26-f19bff969cec,tags=attack.defense-evasion,tags=attack.t1562," +[Folder Removed From Exploit Guard ProtectedFolders List - Registry] +description = Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. 
This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="DeleteValue" TargetObject="*SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders*" | fields - _raw | collect index=notable_events source="Folder Removed From Exploit Guard ProtectedFolders List - Registry" marker="guid=272e55a4-9e6b-4211-acb6-78f51f0b1b40,tags=attack.defense-evasion,tags=attack.t1562.001," +[Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted] +description = Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=12 EventType="DeleteValue" TargetObject="*\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis" | fields - _raw | collect index=notable_events source="Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted" marker="guid=5dfc1465-8f65-4fde-8eb5-6194380c6a62,tags=attack.collection,tags=attack.t1113," +[Atbroker Registry Change] +description = Detects creation/modification of Assistive Technology applications and persistence with usage of 'at' +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject IN ("*Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs*", "*Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration*") NOT ((Image="C:\\Windows\\system32\\atbroker.exe" TargetObject="*\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration*" Details="(Empty)") OR (Image="C:\\Windows\\Installer\\MSI*" TargetObject="*Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs*")) | fields - _raw | collect index=notable_events source="Atbroker Registry Change" marker="guid=9577edbb-851f-4243-8c91-1d5b50c1a39b,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.persistence,tags=attack.t1547," +[Suspicious Camera and Microphone Access] +description = Detects Processes accessing the camera and microphone from suspicious folder +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\*" TargetObject="*\\NonPackaged*" TargetObject IN ("*microphone*", "*webcam*") TargetObject IN ("*:#Windows#Temp#*", "*:#$Recycle.bin#*", "*:#Temp#*", "*:#Users#Public#*", "*:#Users#Default#*", "*:#Users#Desktop#*") | fields - _raw | collect index=notable_events source="Suspicious Camera and Microphone 
Access" marker="guid=62120148-6b7a-42be-8b91-271c04e281a3,tags=attack.collection,tags=attack.t1125,tags=attack.t1123," +[Run Once Task Configuration in Registry] +description = Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\Microsoft\\Active Setup\\Installed Components*" TargetObject="*\\StubPath" NOT ((Details="*C:\\Program Files\\Google\\Chrome\\Application\\*" Details="*\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level*") OR (Details IN ("*C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\*", "*C:\\Program Files\\Microsoft\\Edge\\Application\\*") Details="*\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable")) | fields - _raw | collect index=notable_events source="Run Once Task Configuration in Registry" marker="guid=c74d7efc-8826-45d9-b8bb-f04fac9e4eff,tags=attack.defense-evasion,tags=attack.t1112," +[Wdigest CredGuard Registry Modification] +description = Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\IsCredGuardEnabled" | fields - _raw | collect index=notable_events source="Wdigest CredGuard Registry Modification" marker="guid=1a2d6c47-75b0-45bd-b133-2c0be75349fd,tags=attack.defense-evasion,tags=attack.t1112," +[Narrator's Feedback-Hub Persistence] +description = Detects abusing Windows 10 Narrator's Feedback-Hub +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) (EventType="DeleteValue" TargetObject="*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute") OR TargetObject="*\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)" | fields - _raw | collect index=notable_events source="Narrator's Feedback-Hub Persistence" marker="guid=f663a6d9-9d1b-49b8-b2b1-0637914d199a,tags=attack.persistence,tags=attack.t1547.001," +[HybridConnectionManager Service Installation - Registry] +description = Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\Services\\HybridConnectionManager*" OR (EventType="SetValue" Details="*Microsoft.HybridConnectionManager.Listener.exe*") | fields - _raw | collect index=notable_events source="HybridConnectionManager Service Installation - Registry" marker="guid=ac8866c7-ce44-46fd-8c17-b24acff96ca8,tags=attack.resource-development,tags=attack.t1608," +[UAC Bypass Via Wsreset] +description = Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command" | table ComputerName,Image,EventType,TargetObject | fields - _raw | collect index=notable_events source="UAC Bypass Via Wsreset" marker="guid=6ea3bf32-9680-422d-9f50-e90716b12a66,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[Registry Entries For Azorult Malware] +description = Detects the presence of a registry key created during Azorult execution +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) EventID IN (12, 13) TargetObject="*SYSTEM\\*" TargetObject="*\\services\\localNETService" | table Image,TargetObject,TargetDetails | fields - _raw | collect index=notable_events source="Registry Entries For Azorult Malware" marker="guid=f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7,tags=attack.execution,tags=attack.t1112," +[Esentutl Volume Shadow Copy Service Keys] +description = Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*System\\CurrentControlSet\\Services\\VSS*" Image="*esentutl.exe" NOT TargetObject="*System\\CurrentControlSet\\Services\\VSS\\Start*" | fields - _raw | collect index=notable_events source="Esentutl Volume Shadow Copy Service Keys" marker="guid=5aad0995-46ab-41bd-a9ff-724f41114971,tags=attack.credential-access,tags=attack.t1003.002," +[Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback] +description = Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\WBEM\\CIMOM\\AllowAnonymousCallback*" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback" marker="guid=4d431012-2ab5-4db7-a84e-b29809da2172,tags=attack.defense-evasion,tags=attack.t1562.001," +[Registry Persistence Mechanisms in Recycle Bin] +description = Detects persistence registry keys for Recycle Bin +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) (EventType="RenameKey" NewName="*\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open*") OR (EventType="SetValue" TargetObject="*\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command\\(Default)*") | fields - _raw | collect index=notable_events source="Registry Persistence Mechanisms in Recycle Bin" marker="guid=277efb8f-60be-4f10-b4d3-037802f37167,tags=attack.persistence,tags=attack.t1547," +[New PortProxy Registry Entry Added] +description = Detects the modification of the PortProxy registry key which is used for port forwarding. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\Services\\PortProxy\\v4tov4\\tcp\\*" | fields - _raw | collect index=notable_events source="New PortProxy Registry Entry Added" marker="guid=a54f842a-3713-4b45-8c84-5f136fdebd3c,tags=attack.lateral-movement,tags=attack.defense-evasion,tags=attack.command-and-control,tags=attack.t1090," +[Pandemic Registry Key] +description = Detects Pandemic Windows Implant +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*" | fields - _raw | collect index=notable_events source="Pandemic Registry Key" marker="guid=47e0852a-cf81-4494-a8e6-31864f8c86ed,tags=attack.command-and-control,tags=attack.t1105," +[Office Application Startup - Office Test] +description = Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\Software\\Microsoft\\Office test\\Special\\Perf*" | fields - _raw | collect index=notable_events source="Office Application Startup - Office Test" marker="guid=3d27f6dd-1c74-4687-b4fa-ca849d128d1c,tags=attack.persistence,tags=attack.t1137.002," +[Path To Screensaver Binary Modified] +description = Detects value modification of registry key containing path to binary used as screensaver. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\Control Panel\\Desktop\\SCRNSAVE.EXE" NOT (Image IN ("*\\rundll32.exe", "*\\explorer.exe")) | fields - _raw | collect index=notable_events source="Path To Screensaver Binary Modified" marker="guid=67a6c006-3fbe-46a7-9074-2ba3b82c3000,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1546.002," +[WINEKEY Registry Modification] +description = Detects potential malicious modification of run keys by winekey or team9 backdoor +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr" | table ComputerName,Image,EventType,TargetObject | fields - _raw | collect index=notable_events source="WINEKEY Registry Modification" marker="guid=b98968aa-dbc0-4a9c-ac35-108363cbf8d5,tags=attack.persistence,tags=attack.t1547," +[RedMimicry Winnti Playbook Registry Manipulation] +description = Detects actions caused by the RedMimicry Winnti playbook +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data*" | fields - _raw | collect index=notable_events source="RedMimicry Winnti Playbook Registry Manipulation" marker="guid=5b175490-b652-4b02-b1de-5b5b4083c5f8,tags=attack.defense-evasion,tags=attack.t1112," +[Potential Credential Dumping Via LSASS SilentProcessExit Technique] +description = Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe*" | fields - _raw | collect index=notable_events source="Potential Credential Dumping Via LSASS SilentProcessExit 
Technique" marker="guid=55e29995-75e7-451a-bef0-6225e2f13597,tags=attack.credential-access,tags=attack.t1003.001," +[Suspicious Run Key from Download] +description = Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) Image IN ("*\\Downloads\\*", "*\\Temporary Internet Files\\Content.Outlook\\*", "*\\Local Settings\\Temporary Internet Files\\*") TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*" | fields - _raw | collect index=notable_events source="Suspicious Run Key from Download" marker="guid=9c5037d1-c568-49b3-88c7-9846a5bdc2be,tags=attack.persistence,tags=attack.t1547.001," +[Disable Security Events Logging Adding Reg Key MiniNt] +description = Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) (TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" EventType="CreateKey") OR NewName="HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" | table EventID,Image,TargetObject,NewName | fields - _raw | collect index=notable_events source="Disable Security Events Logging Adding Reg Key MiniNt" marker="guid=919f2ef0-be2d-4a7a-b635-eb2b41fde044,tags=attack.defense-evasion,tags=attack.t1562.001,tags=attack.t1112," +[New DLL Added to AppInit_DLLs Registry Key] +description = DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject IN ("*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", 
"*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls") OR NewName IN ("*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", "*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls") NOT Details="(Empty)" | fields - _raw | collect index=notable_events source="New DLL Added to AppInit_DLLs Registry Key" marker="guid=4f84b697-c9ed-4420-8ab5-e09af5b2345d,tags=attack.persistence,tags=attack.t1546.010," +[DLL Load via LSASS] +description = Detects a method to load DLL via LSASS process using an undocumented Registry key +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject IN ("*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*", "*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*") NOT (Image="C:\\Windows\\system32\\lsass.exe" Details IN ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll")) | fields - _raw | collect index=notable_events source="DLL Load via LSASS" marker="guid=b3503044-60ce-4bf4-bbcb-e3db98788823,tags=attack.execution,tags=attack.persistence,tags=attack.t1547.008," +[PrinterNightmare Mimikatz Driver Name] +description = Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527 +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject IN ("*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\*", "*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz*") OR (TargetObject="*legitprinter*" TargetObject="*\\Control\\Print\\Environments\\Windows*") OR (TargetObject IN ("*\\Control\\Print\\Environments*", "*\\CurrentVersion\\Print\\Printers*") TargetObject IN ("*Gentil Kiwi*", "*mimikatz printer*", "*Kiwi Legit Printer*")) | fields - _raw | collect index=notable_events source="PrinterNightmare Mimikatz Driver 
Name" marker="guid=ba6b9e43-1d45-4d3c-a504-1043a64c8469,tags=attack.execution,tags=attack.t1204,tags=cve.2021-1675,tags=cve.2021-34527," +[NetNTLM Downgrade Attack - Registry] +description = Detects NetNTLM downgrade attack +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*SYSTEM\\*" TargetObject="*ControlSet*" TargetObject="*\\Control\\Lsa*" TargetObject IN ("*\\lmcompatibilitylevel", "*\\NtlmMinClientSec", "*\\RestrictSendingNTLMTraffic") | fields - _raw | collect index=notable_events source="NetNTLM Downgrade Attack - Registry" marker="guid=d67572a0-e2ec-45d6-b8db-c100d14b8ef2,tags=attack.defense-evasion,tags=attack.t1562.001,tags=attack.t1112," +[Windows Registry Trust Record Modification] +description = Alerts on trust record modification within the registry, indicating usage of macros +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\Security\\Trusted Documents\\TrustRecords*" | fields - _raw | collect index=notable_events source="Windows Registry Trust Record Modification" marker="guid=295a59c1-7b79-4b47-a930-df12c15fc9c2,tags=attack.initial-access,tags=attack.t1566.001," +[Windows Credential Editor Registry] +description = Detects the use of Windows Credential Editor (WCE) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*Services\\WCESERVICE\\Start*" | fields - _raw | collect index=notable_events source="Windows Credential Editor Registry" marker="guid=a6b33c02-8305-488f-8585-03cb2a7763f2,tags=attack.credential-access,tags=attack.t1003.001,tags=attack.s0005," +[Potential Qakbot Registry Activity] +description = Detects a registry key used by IceID in a campaign that distributes malicious OneNote files +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) 
TargetObject="*\\Software\\firm\\soft\\Name" | fields - _raw | collect index=notable_events source="Potential Qakbot Registry Activity" marker="guid=1c8e96cd-2bed-487d-9de0-b46c90cade56,tags=attack.defense-evasion,tags=attack.t1112," +[Security Support Provider (SSP) Added to LSA Configuration] +description = Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject IN ("*\\Control\\Lsa\\Security Packages", "*\\Control\\Lsa\\OSConfig\\Security Packages") NOT (Image IN ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\syswow64\\MsiExec.exe")) | fields - _raw | collect index=notable_events source="Security Support Provider (SSP) Added to LSA Configuration" marker="guid=eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc,tags=attack.persistence,tags=attack.t1547.005," +[Sticky Key Like Backdoor Usage - Registry] +description = Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject IN ("*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger", 
"*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger") | fields - _raw | collect index=notable_events source="Sticky Key Like Backdoor Usage - Registry" marker="guid=baca5663-583c-45f9-b5dc-ea96a22ce542,tags=attack.privilege-escalation,tags=attack.persistence,tags=attack.t1546.008,tags=car.2014-11-003,tags=car.2014-11-008," +[CMSTP Execution Registry Event] +description = Detects various indicators of Microsoft Connection Manager Profile Installer execution +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\cmmgr32.exe*" | table CommandLine,ParentCommandLine,Details | fields - _raw | collect index=notable_events source="CMSTP Execution Registry Event" marker="guid=b6d235fc-1d38-4b12-adbe-325f06728f37,tags=attack.defense-evasion,tags=attack.execution,tags=attack.t1218.003,tags=attack.g0069,tags=car.2019-04-001," +[New DLL Added to AppCertDlls Registry Key] +description = Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" OR NewName="HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls" | table EventID,Image,TargetObject,NewName | fields - _raw | collect index=notable_events source="New DLL Added to AppCertDlls Registry Key" marker="guid=6aa1d992-5925-4e9f-a49b-845e51d1de01,tags=attack.persistence,tags=attack.t1546.009," +[Shell Open Registry Keys Manipulation] +description = Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) (EventType="SetValue" TargetObject="*Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue" Details="*\\Software\\Classes\\{*") OR TargetObject="*Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" OR (EventType="SetValue" TargetObject IN ("*Classes\\ms-settings\\shell\\open\\command\\(Default)", "*Classes\\exefile\\shell\\open\\command\\(Default)") NOT Details="(Empty)") | fields - _raw | collect index=notable_events source="Shell Open Registry Keys Manipulation" marker="guid=152f3630-77c1-4284-bcc0-4cc68ab2f6e7,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,tags=attack.t1546.001," +[Creation of a Local Hidden User Account by Registry] +description = Sysmon registry detection of a local hidden user account. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID IN (12, 13) TargetObject="*\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*" TargetObject="*$" Image="*\\lsass.exe" | fields - _raw | collect index=notable_events source="Creation of a Local Hidden User Account by Registry" marker="guid=460479f3-80b7-42da-9c43-2cc1d54dbccd,tags=attack.persistence,tags=attack.t1136.001," +[UAC Notification Disabled] +description = Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Security Center\\UACDisableNotify*" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="UAC Notification Disabled" marker="guid=c5f6a85d-b647-40f7-bbad-c10b66bab038,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1548.002," +[Disable Macro Runtime Scan Scope] +description = Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\*" TargetObject="*\\Microsoft\\Office\\*" TargetObject="*\\Common\\Security*" TargetObject="*\\MacroRuntimeScanScope" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Disable Macro Runtime Scan Scope" marker="guid=ab871450-37dc-4a3a-997f-6662aa8ae0f1,tags=attack.defense-evasion," +[RDP Sensitive Settings Changed to Zero] 
+description = Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\fDenyTSConnections", "*\\fSingleSessionPerUser", "*\\UserAuthentication") Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="RDP Sensitive Settings Changed to Zero" marker="guid=a2863fbc-d5cb-48d5-83fb-d976d4b1743b,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1112," +[Persistence Via New SIP Provider] +description = Detects when an attacker register a new SIP provider for persistence and defense evasion +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType*") TargetObject IN ("*\\Dll*", "*\\$DLL*") NOT (Details IN ("WINTRUST.DLL", "mso.dll") OR (Image="C:\\Windows\\System32\\poqexec.exe" TargetObject="*\\CryptSIPDll*" Details="C:\\Windows\\System32\\PsfSip.dll")) | fields - _raw | collect index=notable_events source="Persistence Via New SIP Provider" marker="guid=5a2b21ee-6aaa-4234-ac9d-59a59edf90a1,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.t1553.003," +[Potential Persistence Via CHM Helper DLL] +description = Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Software\\Microsoft\\HtmlHelp Author\\Location*", "*\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author\\Location*") | fields - _raw | 
collect index=notable_events source="Potential Persistence Via CHM Helper DLL" marker="guid=976dd1f2-a484-45ec-aa1d-0e87e882262b,tags=attack.persistence," +[Change the Fax Dll] +description = Detect possible persistence using Fax DLL load when service restart +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Microsoft\\Fax\\Device Providers\\*" TargetObject="*\\ImageName*" NOT Details="%systemroot%\\system32\\fxst30.dll" | fields - _raw | collect index=notable_events source="Change the Fax Dll" marker="guid=9e3357ba-09d4-4fbd-a7c5-ad6386314513,tags=attack.defense-evasion,tags=attack.t1112," +[New Netsh Helper DLL Registered From A Suspicious Location] +description = Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\NetSh*" Details IN ("*:\\Perflogs\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\Temporary Internet*") OR (Details="*:\\Users\\*" Details="*\\Favorites\\*") OR (Details="*:\\Users\\*" Details="*\\Favourites\\*") OR (Details="*:\\Users\\*" Details="*\\Contacts\\*") OR (Details="*:\\Users\\*" Details="*\\Pictures\\*") | fields - _raw | collect index=notable_events source="New Netsh Helper DLL Registered From A Suspicious Location" marker="guid=e7b18879-676e-4a0e-ae18-27039185a8e7,tags=attack.persistence,tags=attack.t1546.007," +[Enable LM Hash Storage] +description = Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*System\\CurrentControlSet\\Control\\Lsa\\NoLMHash" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Enable LM Hash Storage" marker="guid=c420410f-c2d8-4010-856b-dffe21866437,tags=attack.defense-evasion,tags=attack.t1112," +[Registry Hide Function from User] +description = Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject IN ("*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCANetwork", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAPower", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAVolume") Details="DWORD (0x00000001)") OR (TargetObject IN ("*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor") Details="DWORD (0x00000000)") | fields - _raw | collect index=notable_events source="Registry Hide Function from User" marker="guid=5a93eb65-dffa-4543-b761-94aa60098fb6,tags=attack.defense-evasion,tags=attack.t1112," +[Disabled Windows Defender Eventlog] +description = Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled*" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events 
source="Disabled Windows Defender Eventlog" marker="guid=fcddca7c-b9c0-4ddf-98da-e1e2d18b0157,tags=attack.defense-evasion,tags=attack.t1562.001," +[Disable PUA Protection on Windows Defender] +description = Detects disabling Windows Defender PUA protection +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Policies\\Microsoft\\Windows Defender\\PUAProtection*" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Disable PUA Protection on Windows Defender" marker="guid=8ffc5407-52e3-478f-9596-0a7371eafe13,tags=attack.defense-evasion,tags=attack.t1562.001," +[Windows Defender Service Disabled - Registry] +description = Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Services\\WinDefend\\Start" Details="DWORD (0x00000004)" | fields - _raw | collect index=notable_events source="Windows Defender Service Disabled - Registry" marker="guid=e1aa95de-610a-427d-b9e7-9b46cfafbe6a,tags=attack.defense-evasion,tags=attack.t1562.001," +[Register New IFiltre For Persistence] +description = Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject="*\\SOFTWARE\\Classes\\.*" TargetObject="*\\PersistentHandler*") OR (TargetObject="*\\SOFTWARE\\Classes\\CLSID*" TargetObject="*\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}*") NOT (TargetObject IN ("*\\CLSID\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\*", "*\\CLSID\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\*", "*\\CLSID\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\*", "*\\CLSID\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\*", "*\\CLSID\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\*", "*\\CLSID\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\*", "*\\CLSID\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\*", "*\\CLSID\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\*", "*\\CLSID\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\*", "*\\CLSID\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\*", "*\\CLSID\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\*", "*\\CLSID\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\*", "*\\CLSID\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\*", "*\\CLSID\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\*", "*\\CLSID\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\*", "*\\CLSID\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\*", "*\\CLSID\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\*", "*\\CLSID\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\*", "*\\CLSID\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\*", "*\\CLSID\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\*", "*\\CLSID\\{B4132098-7A03-423D-9463-163CB07C151F}\\*", "*\\CLSID\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\*", "*\\CLSID\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\*", "*\\CLSID\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\*", "*\\CLSID\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\*", "*\\CLSID\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\*", "*\\CLSID\\{eec97550-47a9-11cf-b952-00aa0051fe20}*", "*\\CLSID\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\*") OR Image IN ("C:\\Windows\\System32\\*", "C:\\Program Files (x86)\\*", "C:\\Program Files\\*")) | fields - _raw | collect 
index=notable_events source="Register New IFiltre For Persistence" marker="guid=b23818c7-e575-4d13-8012-332075ec0a2b,tags=attack.persistence," +[Persistence Via Disk Cleanup Handler - Autorun] +description = Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\*" (TargetObject="*\\Autorun*" Details="DWORD (0x00000001)") OR (TargetObject IN ("*\\CleanupString*", "*\\PreCleanupString*") Details IN ("*cmd*", "*powershell*", "*rundll32*", "*mshta*", "*cscript*", "*wscript*", "*wsl*", "*\\Users\\Public\\*", "*\\Windows\\TEMP\\*", "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*")) | fields - _raw | collect index=notable_events source="Persistence Via Disk Cleanup Handler - Autorun" marker="guid=d4e2745c-f0c6-4bde-a3ab-b553b3f693cc,tags=attack.persistence," +[Potential Registry Persistence Attempt Via DbgManagedDebugger] +description = Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. 
Which will get invoked when an application crashes +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\.NETFramework\\DbgManagedDebugger" NOT Details="\"C:\\Windows\\system32\\vsjitdebugger.exe\" PID %d APPDOM %d EXTEXT \"%s\" EVTHDL %d" | fields - _raw | collect index=notable_events source="Potential Registry Persistence Attempt Via DbgManagedDebugger" marker="guid=9827ae57-3802-418f-994b-d5ecf5cd974b,tags=attack.persistence,tags=attack.t1574," +[Potential Persistence Via Shim Database Modification] +description = Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\*", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*") NOT Details="" | fields - _raw | collect index=notable_events source="Potential Persistence Via Shim Database Modification" marker="guid=dfb5b4e8-91d0-4291-b40a-e3b0d3942c45,tags=attack.persistence,tags=attack.t1546.011," +[ScreenSaver Registry Key Set] +description = Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 Image="*\\rundll32.exe" TargetObject="*\\Control Panel\\Desktop\\SCRNSAVE.EXE*" Details="*.scr" NOT (Details IN ("*C:\\Windows\\System32\\*", "*C:\\Windows\\SysWOW64\\*")) | fields - _raw | collect index=notable_events source="ScreenSaver Registry Key Set" 
marker="guid=40b6e656-4e11-4c0c-8772-c1cc6dae34ce,tags=attack.defense-evasion,tags=attack.t1218.011," +[Registry Modification to Hidden File Extension] +description = Hides the file extension through modification of the registry +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Details="DWORD (0x00000001)") OR (TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" Details="DWORD (0x00000002)") | fields - _raw | collect index=notable_events source="Registry Modification to Hidden File Extension" marker="guid=5df86130-4e95-4a54-90f7-26541b40aec2,tags=attack.persistence,tags=attack.t1137," +[Enable Microsoft Dynamic Data Exchange] +description = Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject="*\\Word\\Security\\AllowDDE" Details IN ("DWORD (0x00000001)", "DWORD (0x00000002)")) OR (TargetObject IN ("*\\Excel\\Security\\DisableDDEServerLaunch", "*\\Excel\\Security\\DisableDDEServerLookup") Details="DWORD (0x00000000)") | fields - _raw | collect index=notable_events source="Enable Microsoft Dynamic Data Exchange" marker="guid=63647769-326d-4dde-a419-b925cc0caf42,tags=attack.execution,tags=attack.t1559.002," +[Displaying Hidden Files Feature Disabled] +description = Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden") Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Displaying Hidden Files Feature Disabled" marker="guid=5a5152f1-463f-436b-b2f5-8eceb3964b42,tags=attack.defense-evasion,tags=attack.t1564.001," +[Potential Persistence Via Event Viewer Events.asp] +description = Detects potential registry persistence technique using the Event Viewer "Events.asp" technique +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram*", "*\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionURL*") NOT ((Image="*C:\\WINDOWS\\system32\\svchost.exe" TargetObject="*\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram" Details="%%SystemRoot%%\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe") OR (Image="*C:\\WINDOWS\\system32\\svchost.exe" TargetObject="*\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgramCommandLineParameters" Details="-url hcp://services/centers/support*topic=%%s") OR Details="http://go.microsoft.com/fwlink/events.asp" OR Details="(Empty)") | fields - _raw | collect index=notable_events source="Potential Persistence Via Event Viewer Events.asp" marker="guid=a1e11042-a74a-46e6-b07c-c4ce8ecc239b,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.t1112," +[Trust Access Disable For VBApplications] +description = Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Security\\AccessVBOM" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Trust Access Disable For VBApplications" marker="guid=1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf,tags=attack.defense-evasion,tags=attack.t1112," +[Internet Explorer DisableFirstRunCustomize Enabled] +description = Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize" Details IN ("DWORD (0x00000001)", "DWORD (0x00000002)") NOT (Image IN ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\ie4uinit.exe")) | fields - _raw | collect index=notable_events source="Internet Explorer DisableFirstRunCustomize Enabled" marker="guid=ab567429-1dfb-4674-b6d2-979fd2f9d125,tags=attack.defense-evasion," +[UAC Bypass via Event Viewer] +description = Detects UAC bypass method using Windows event viewer +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\mscfile\\shell\\open\\command" | fields - _raw | collect index=notable_events source="UAC Bypass via Event Viewer" marker="guid=7c81fec3-1c1d-43b0-996a-46753041b1b6,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,tags=car.2019-04-001," +[System Scripts Autorun Keys Modification] +description = Detects modification of autostart extensibility point (ASEP) in registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts*" TargetObject IN ("*\\Startup*", "*\\Shutdown*", "*\\Logon*", "*\\Logoff*") NOT Details="(Empty)" | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="System Scripts Autorun Keys Modification" marker="guid=e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1,tags=attack.persistence,tags=attack.t1547.001," +[DHCP Callout DLL Installation] +description = Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Services\\DHCPServer\\Parameters\\CalloutDlls", "*\\Services\\DHCPServer\\Parameters\\CalloutEnabled") | fields - _raw | collect index=notable_events source="DHCP Callout DLL Installation" marker="guid=9d3436ef-9476-4c43-acca-90ce06bdf33a,tags=attack.defense-evasion,tags=attack.t1574.002,tags=attack.t1112," +[Directory Service Restore Mode(DSRM) Registry Value Tampering] +description = Detects changes to "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. 
If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Control\\Lsa\\DsrmAdminLogonBehavior" NOT Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Directory Service Restore Mode(DSRM) Registry Value Tampering" marker="guid=b61e87c0-50db-4b2e-8986-6a2be94b33b0,tags=attack.persistence,tags=attack.t1556," +[Potential PendingFileRenameOperations Tampering] +description = Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 EventType="SetValue" TargetObject="*\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations*" Image IN ("*\\AppData\\Local\\Temp\\*", "*\\Users\\Public\\*") OR Image IN ("*\\reg.exe", "*\\regedit.exe") | fields - _raw | collect index=notable_events source="Potential PendingFileRenameOperations Tampering" marker="guid=4eec988f-7bf0-49f1-8675-1e6a510b3a2a,tags=attack.defense-evasion,tags=attack.t1036.003," +[Disable Internal Tools or Feature in Registry] +description = Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject IN ("*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation", 
"*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskmgr", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackgroundPage", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispCPL", "*SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter", "*SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD") Details="DWORD (0x00000001)") OR (TargetObject IN ("*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled", "*SYSTEM\\CurrentControlSet\\Control\\Storage\\Write Protection", "*SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies\\WriteProtect") Details="DWORD (0x00000000)") | fields - _raw | collect index=notable_events source="Disable Internal Tools or Feature in Registry" marker="guid=e2482f8d-3443-4237-b906-cc145d87a076,tags=attack.defense-evasion,tags=attack.t1112," +[Internet Explorer Autorun Keys Modification] +description = Detects modification of autostart extensibility point (ASEP) in registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Software\\Wow6432Node\\Microsoft\\Internet Explorer*", "*\\Software\\Microsoft\\Internet Explorer*") TargetObject IN ("*\\Toolbar*", "*\\Extensions*", "*\\Explorer Bars*") NOT (Details="(Empty)" OR TargetObject IN ("*\\Extensions\\{2670000A-7350-4f3c-8081-5663EE0C6C49}*", "*\\Extensions\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}*", "*\\Extensions\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}*", "*\\Extensions\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}*") OR TargetObject IN ("*\\Toolbar\\ShellBrowser\\ITBar7Layout", "*\\Toolbar\\ShowDiscussionButton", "*\\Toolbar\\Locked")) | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="Internet Explorer Autorun Keys Modification" marker="guid=a80f662f-022f-4429-9b8c-b1a41aaa6688,tags=attack.persistence,tags=attack.t1547.001," 
+[Potential Persistence Via Excel Add-in - Registry] 
+description = Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*Software\\Microsoft\\Office\\*" TargetObject="*\\Excel\\Options" Details="/R *" Details="*.xll" | fields - _raw | collect index=notable_events source="Potential Persistence Via Excel Add-in - Registry" marker="guid=961e33d1-4f86-4fcf-80ab-930a708b2f82,tags=attack.persistence,tags=attack.t1137.006," 
+[Bypass UAC Using DelegateExecute] 
+description = Bypasses User Account Control using a fileless method 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\open\\command\\DelegateExecute" Details="(Empty)" | fields - _raw | collect index=notable_events source="Bypass UAC Using DelegateExecute" marker="guid=46dd5308-4572-4d12-aa43-8938f0184d4f,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1548.002," 
+[New ODBC Driver Registered] 
+description = Detects the registration of a new ODBC driver. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\ODBC\\ODBCINST.INI\\*" TargetObject="*\\Driver" NOT (TargetObject="*\\SQL Server\\*" Details="%WINDIR%\\System32\\SQLSRV32.dll") NOT ((TargetObject="*\\Microsoft Access *" Details="C:\\Progra*" Details="*\\ACEODBC.DLL") OR (TargetObject="*\\Microsoft Excel Driver*" Details="C:\\Progra*" Details="*\\ACEODBC.DLL")) | fields - _raw | collect index=notable_events source="New ODBC Driver Registered" marker="guid=3390fbef-c98d-4bdd-a863-d65ed7c610dd,tags=attack.persistence," 
+[Potential Persistence Via TypedPaths] 
+description = Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\*" NOT (Image IN ("C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe")) | fields - _raw | collect index=notable_events source="Potential Persistence Via TypedPaths" marker="guid=086ae989-9ca6-4fe7-895a-759c5544f247,tags=attack.persistence," 
+[New TimeProviders Registered With Uncommon DLL Name] 
+description = Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Services\\W32Time\\TimeProviders*" TargetObject="*\\DllName" NOT (Details IN ("%SystemRoot%\\System32\\vmictimeprovider.dll", "%systemroot%\\system32\\w32time.dll", "C:\\Windows\\SYSTEM32\\w32time.DLL")) | fields - _raw | collect index=notable_events source="New TimeProviders Registered With Uncommon DLL Name" marker="guid=e88a6ddc-74f7-463b-9b26-f69fc0d2ce85,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1547.003," 
+[ETW Logging Disabled For SCM] 
+description = Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM) 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*Software\\Microsoft\\Windows NT\\CurrentVersion\\Tracing\\SCM\\Regular\\TracingDisabled" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="ETW Logging Disabled For SCM" marker="guid=4f281b83-0200-4b34-bf35-d24687ea57c2,tags=attack.defense-evasion,tags=attack.t1112,tags=attack.t1562," 
+[Winlogon Notify Key Logon Persistence] 
+description = Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\logon" Details="*.dll" | fields - _raw | collect index=notable_events source="Winlogon Notify Key Logon Persistence" marker="guid=bbf59793-6efb-4fa1-95ca-a7d288e52c88,tags=attack.persistence,tags=attack.t1547.004," 
+[Outlook Macro Execution Without Warning Setting Enabled] 
+description = Detects the modification of Outlook security setting to allow unprompted execution of macros. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Outlook\\Security\\Level" Details="*0x00000001*" | fields - _raw | collect index=notable_events source="Outlook Macro Execution Without Warning Setting Enabled" marker="guid=e3b50fa5-3c3f-444e-937b-0a99d33731cd,tags=attack.persistence,tags=attack.command-and-control,tags=attack.t1137,tags=attack.t1008,tags=attack.t1546," 
+[Windows Recall Feature Enabled - Registry] 
+description = Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Windows Recall Feature Enabled - Registry" marker="guid=75180c5f-4ea1-461a-a4f6-6e4700c065d4,tags=attack.collection,tags=attack.t1113," 
+[Usage of Renamed Sysinternals Tools - RegistrySet] 
+description = Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\PsExec*", "*\\ProcDump*", "*\\Handle*", "*\\LiveKd*", "*\\Process Explorer*", "*\\PsLoglist*", "*\\PsPasswd*", "*\\Active Directory Explorer*") TargetObject="*\\EulaAccepted" NOT (Image IN ("*\\PsExec.exe", "*\\PsExec64.exe", "*\\procdump.exe", "*\\procdump64.exe", "*\\handle.exe", "*\\handle64.exe", "*\\livekd.exe", "*\\livekd64.exe", "*\\procexp.exe", "*\\procexp64.exe", "*\\psloglist.exe", "*\\psloglist64.exe", "*\\pspasswd.exe", "*\\pspasswd64.exe", "*\\ADExplorer.exe", "*\\ADExplorer64.exe")) NOT Image!=* | fields - _raw | collect index=notable_events source="Usage of Renamed Sysinternals Tools - RegistrySet" marker="guid=8023f872-3f1d-4301-a384-801889917ab4,tags=attack.resource-development,tags=attack.t1588.002," 
+[New Application in AppCompat] 
+description = A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\AppCompatFlags\\Compatibility Assistant\\Store\\*" | fields - _raw | collect index=notable_events source="New Application in AppCompat" marker="guid=60936b49-fca0-4f32-993d-7415edcf9a5d,tags=attack.execution,tags=attack.t1204.002," 
+[New RUN Key Pointing to Suspicious Folder] 
+description = Detects suspicious new RUN key element pointing to an executable in a suspicious folder 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*", "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*") Details IN ("*:\\$Recycle.bin\\*", "*:\\Temp\\*", "*:\\Users\\Default\\*", "*:\\Users\\Desktop\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*%temp%\\*", "*%tmp%\\*") OR Details IN ("%Public%\\*", "wscript*", "cscript*") NOT (TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*" Image="C:\\Windows\\SoftwareDistribution\\Download\\*" Details="*rundll32.exe *" Details="*C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32*" Details IN ("*\\AppData\\Local\\Temp\\*", "*C:\\Windows\\Temp\\*")) | fields - _raw | collect index=notable_events source="New RUN Key Pointing to Suspicious Folder" marker="guid=02ee49e2-e294-4d0f-9278-f5b3212fc588,tags=attack.persistence,tags=attack.t1547.001," 
+[Persistence Via Hhctrl.ocx] 
+description = Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)*" NOT Details="C:\\Windows\\System32\\hhctrl.ocx" | fields - _raw | collect index=notable_events source="Persistence Via Hhctrl.ocx" 
marker="guid=f10ed525-97fe-4fed-be7c-2feecca941b1,tags=attack.persistence," 
+[Uncommon Microsoft Office Trusted Location Added] 
+description = Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*Security\\Trusted Locations\\Location*" TargetObject="*\\Path" NOT ((Image="*:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*" Image="*\\OfficeClickToRun.exe") OR Image IN ("*:\\Program Files\\Microsoft Office\\*", "*:\\Program Files (x86)\\Microsoft Office\\*")) NOT (Details IN ("*%APPDATA%\\Microsoft\\Templates*", "*%%APPDATA%%\\Microsoft\\Templates*", "*%APPDATA%\\Microsoft\\Word\\Startup*", "*%%APPDATA%%\\Microsoft\\Word\\Startup*", "*:\\Program Files (x86)\\Microsoft Office\\root\\Templates\\*", "*:\\Program Files\\Microsoft Office (x86)\\Templates*", "*:\\Program Files\\Microsoft Office\\root\\Templates\\*", "*:\\Program Files\\Microsoft Office\\Templates\\*")) | fields - _raw | collect index=notable_events source="Uncommon Microsoft Office Trusted Location Added" marker="guid=f742bde7-9528-42e5-bd82-84f51a8387d2,tags=attack.defense-evasion,tags=attack.t1112," 
+[Potential Persistence Via Mpnotify] 
+description = Detects when an attacker register a new SIP provider for persistence and defense evasion 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify*" | fields - _raw | collect index=notable_events source="Potential Persistence Via Mpnotify" marker="guid=92772523-d9c1-4c93-9547-b0ca500baba3,tags=attack.persistence," 
+[Winget Admin Settings Modification] 
+description = Detects changes to the AppInstaller (winget) admin settings. 
Such as enabling local manifest installations or disabling installer hash checks 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 Image="*\\winget.exe" TargetObject="\\REGISTRY\\A\\*" TargetObject="*\\LocalState\\admin_settings" | fields - _raw | collect index=notable_events source="Winget Admin Settings Modification" marker="guid=6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236,tags=attack.defense-evasion,tags=attack.persistence," 
+[VBScript Payload Stored in Registry] 
+description = Detects VBScript content stored into registry keys as seen being used by UNC2452 group 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*Software\\Microsoft\\Windows\\CurrentVersion*" Details IN ("*vbscript:*", "*jscript:*", "*mshtml,*", "*RunHTMLApplication*", "*Execute(*", "*CreateObject*", "*window.close*") NOT (TargetObject="*Software\\Microsoft\\Windows\\CurrentVersion\\Run*" OR (Image="*\\msiexec.exe" TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\*" Details IN ("*\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll*", "*<\\Microsoft.mshtml,fileVersion=*", "*_mshtml_dll_*", "*<\\Microsoft.mshtml,culture=*"))) | fields - _raw | collect index=notable_events source="VBScript Payload Stored in Registry" marker="guid=46490193-1b22-4c29-bdd6-5bf63907216f,tags=attack.persistence,tags=attack.t1547.001," 
+[Potential EventLog File Location Tampering] 
+description = Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\*" TargetObject="*\\File" NOT Details="*\\System32\\Winevt\\Logs\\*" | fields - _raw | collect index=notable_events source="Potential EventLog File Location Tampering" marker="guid=0cb8d736-995d-4ce7-a31e-1e8d452a1459,tags=attack.defense-evasion,tags=attack.t1562.002," 
+[Office Autorun Keys Modification] 
+description = Detects modification of autostart extensibility point (ASEP) in registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Software\\Wow6432Node\\Microsoft\\Office*", "*\\Software\\Microsoft\\Office*") TargetObject IN ("*\\Word\\Addins*", "*\\PowerPoint\\Addins*", "*\\Outlook\\Addins*", "*\\Onenote\\Addins*", "*\\Excel\\Addins*", "*\\Access\\Addins*", "*test\\Special\\Perf*") NOT (Details="(Empty)" OR (Image IN ("C:\\Program Files\\Microsoft Office\\*", "C:\\Program Files (x86)\\Microsoft Office\\*", "C:\\Windows\\System32\\msiexec.exe*", "C:\\Windows\\System32\\regsvr32.exe*") TargetObject IN ("*\\Excel\\Addins\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\*", "*\\Excel\\Addins\\ExcelPlugInShell.PowerMapConnect\\*", "*\\Excel\\Addins\\NativeShim\\*", "*\\Excel\\Addins\\NativeShim.InquireConnector.1\\*", "*\\Excel\\Addins\\PowerPivotExcelClientAddIn.NativeEntry.1\\*", "*\\Outlook\\AddIns\\AccessAddin.DC\\*", "*\\Outlook\\AddIns\\ColleagueImport.ColleagueImportAddin\\*", "*\\Outlook\\AddIns\\EvernoteCC.EvernoteContactConnector\\*", "*\\Outlook\\AddIns\\EvernoteOLRD.Connect\\*", "*\\Outlook\\Addins\\Microsoft.VbaAddinForOutlook.1\\*", "*\\Outlook\\Addins\\OcOffice.OcForms\\*", "*\\Outlook\\Addins\\OneNote.OutlookAddin*", "*\\Outlook\\Addins\\OscAddin.Connect\\*", "*\\Outlook\\Addins\\OutlookChangeNotifier.Connect\\*", 
"*\\Outlook\\Addins\\UCAddin.LyncAddin.1*", "*\\Outlook\\Addins\\UCAddin.UCAddin.1*", "*\\Outlook\\Addins\\UmOutlookAddin.FormRegionAddin\\*")) OR (Image IN ("C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*", "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\*") Image="*\\OfficeClickToRun.exe") OR (Image="C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe" TargetObject="*\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\*")) | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="Office Autorun Keys Modification" marker="guid=baecf8fb-edbf-429f-9ade-31fc3f22b970,tags=attack.persistence,tags=attack.t1547.001," 
+[Disable Windows Defender Functionalities Via Registry Keys] 
+description = Detects when attackers or tools disable Windows Defender functionalities via the Windows registry 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\SOFTWARE\\Microsoft\\Windows Defender\\*", "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\*", "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\*") (TargetObject IN ("*\\DisableAntiSpyware", "*\\DisableAntiVirus", "*\\Real-Time Protection\\DisableBehaviorMonitoring", "*\\Real-Time Protection\\DisableIntrusionPreventionSystem", "*\\Real-Time Protection\\DisableIOAVProtection", "*\\Real-Time Protection\\DisableOnAccessProtection", "*\\Real-Time Protection\\DisableRealtimeMonitoring", "*\\Real-Time Protection\\DisableScanOnRealtimeEnable", "*\\Real-Time Protection\\DisableScriptScanning", "*\\Reporting\\DisableEnhancedNotifications", "*\\SpyNet\\DisableBlockAtFirstSeen") Details="DWORD (0x00000001)") OR (TargetObject IN ("*\\App and Browser protection\\DisallowExploitProtectionOverride", "*\\Features\\TamperProtection", "*\\MpEngine\\MpEnablePus", "*\\PUAProtection", "*\\Signature Update\\ForceUpdateFromMU", "*\\SpyNet\\SpynetReporting", 
"*\\SpyNet\\SubmitSamplesConsent", "*\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess") Details="DWORD (0x00000000)") NOT (Image="C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\*" Image="*\\sepWscSvc64.exe") | fields - _raw | collect index=notable_events source="Disable Windows Defender Functionalities Via Registry Keys" marker="guid=0eb46774-f1ab-4a74-8238-1155855f2263,tags=attack.defense-evasion,tags=attack.t1562.001," 
+[Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG] 
+description = Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\*" | fields - _raw | collect index=notable_events source="Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG" marker="guid=7021255e-5db3-4946-a8b9-0ba7a4644a69,tags=attack.defense-evasion,tags=attack.t1218," 
+[Bypass UAC Using Event Viewer] 
+description = Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*_Classes\\mscfile\\shell\\open\\command\\(Default)" NOT Details="%SystemRoot%\\system32\\mmc.exe \"%1\" %*" | fields - _raw | collect index=notable_events source="Bypass UAC Using Event Viewer" marker="guid=674202d0-b22a-4af4-ae5f-2eda1f3da1af,tags=attack.persistence,tags=attack.t1547.010," 
+[Allow RDP Remote Assistance Feature] 
+description = Detect enable rdp feature to allow specific user to rdp connect on the targeted machine 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*System\\CurrentControlSet\\Control\\Terminal Server\\fAllowToGetHelp" Details="DWORD (0x00000001)" | fields - 
_raw | collect index=notable_events source="Allow RDP Remote Assistance Feature" marker="guid=37b437cf-3fc5-4c8e-9c94-1d7c9aff842b,tags=attack.defense-evasion,tags=attack.t1112," 
+[Potential Attachment Manager Settings Attachments Tamper] 
+description = Detects tampering with attachment manager settings policies attachments (See reference for more information) 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\*" (TargetObject="*\\HideZoneInfoOnProperties" Details="DWORD (0x00000001)") OR (TargetObject="*\\SaveZoneInformation" Details="DWORD (0x00000002)") OR (TargetObject="*\\ScanWithAntiVirus" Details="DWORD (0x00000001)") | fields - _raw | collect index=notable_events source="Potential Attachment Manager Settings Attachments Tamper" marker="guid=ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a,tags=attack.defense-evasion," 
+[Hypervisor Enforced Paging Translation Disabled] 
+description = Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\DisableHypervisorEnforcedPagingTranslation" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Hypervisor Enforced Paging Translation Disabled" marker="guid=7f2954d2-99c2-4d42-a065-ca36740f187b,tags=attack.defense-evasion,tags=attack.t1562.001," 
+[Registry Persistence via Explorer Run Key] 
+description = Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" Details IN ("*:\\$Recycle.bin\\*", "*:\\ProgramData\\*", "*:\\Temp\\*", "*:\\Users\\Default\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*") | fields - _raw | collect index=notable_events source="Registry Persistence via Explorer Run Key" marker="guid=b7916c2a-fa2f-4795-9477-32b731f70f11,tags=attack.persistence,tags=attack.t1547.001," 
+[Bypass UAC Using SilentCleanup Task] 
+description = Detects the setting of the environement variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Environment\\windir" NOT Details="%SystemRoot%" | fields - _raw | collect index=notable_events source="Bypass UAC Using SilentCleanup Task" marker="guid=724ea201-6514-4f38-9739-e5973c34f49a,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1548.002," 
+[Hypervisor Enforced Code Integrity Disabled] 
+description = Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity", "*\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity", "*\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled") Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Hypervisor Enforced Code Integrity Disabled" marker="guid=8b7273a4-ba5d-4d8a-b04f-11f2900d043a,tags=attack.defense-evasion,tags=attack.t1562.001," 
+[ETW Logging Disabled For rpcrt4.dll] 
+description = Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows NT\\Rpc\\ExtErrorInformation" Details IN ("DWORD (0x00000000)", "DWORD (0x00000002)") | fields - _raw | collect index=notable_events source="ETW Logging Disabled For rpcrt4.dll" marker="guid=90f342e1-1aaa-4e43-b092-39fda57ed11e,tags=attack.defense-evasion,tags=attack.t1112,tags=attack.t1562," 
+[Potential WerFault ReflectDebugger Registry Value Abuse] 
+description = Detects potential WerFault "ReflectDebugger" registry value abuse for 
persistence. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 EventType="SetValue" TargetObject="*\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger" | fields - _raw | collect index=notable_events source="Potential WerFault ReflectDebugger Registry Value Abuse" marker="guid=0cf2e1c6-8d10-4273-8059-738778f981ad,tags=attack.defense-evasion,tags=attack.t1036.003," 
+[Blackbyte Ransomware Registry] 
+description = BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled") Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Blackbyte Ransomware Registry" marker="guid=83314318-052a-4c90-a1ad-660ece38d276,tags=attack.defense-evasion,tags=attack.t1112," 
+[CurrentControlSet Autorun Keys Modification] 
+description = Detects modification of autostart extensibility point (ASEP) in registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SYSTEM\\CurrentControlSet\\Control*" TargetObject IN ("*\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram*", "*\\Terminal Server\\Wds\\rdpwd\\StartupPrograms*", "*\\SecurityProviders\\SecurityProviders*", "*\\SafeBoot\\AlternateShell*", "*\\Print\\Providers*", "*\\Print\\Monitors*", "*\\NetworkProvider\\Order*", "*\\Lsa\\Notification Packages*", "*\\Lsa\\Authentication Packages*", "*\\BootVerificationProgram\\ImagePath*") NOT (Details="(Empty)" OR (Image="C:\\Windows\\System32\\spoolsv.exe" TargetObject="*\\Print\\Monitors\\CutePDF Writer Monitor*" Details IN ("cpwmon64_v40.dll", "CutePDF Writer")) OR (Image="C:\\Windows\\System32\\spoolsv.exe" TargetObject="*Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_*" User IN ("*AUTHORI*", "*AUTORI*")) OR (Image="C:\\Windows\\System32\\poqexec.exe" TargetObject="*\\NetworkProvider\\Order\\ProviderOrder") OR (Image="C:\\Windows\\System32\\spoolsv.exe" TargetObject="*\\Print\\Monitors\\MONVNC\\Driver" Details="VNCpm.dll")) | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="CurrentControlSet Autorun Keys Modification" marker="guid=f674e36a-4b91-431e-8aef-f8a96c2aca35,tags=attack.persistence,tags=attack.t1547.001," 
+[Tamper With Sophos AV Registry Keys] 
+description = Detects tamper attempts to sophos av functionality via registry key modification 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled*", "*\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled*", "*\\Sophos\\SAVService\\TamperProtection\\Enabled*") Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Tamper With Sophos AV Registry Keys" 
marker="guid=9f4662ac-17ca-43aa-8f12-5d7b989d0101,tags=attack.defense-evasion,tags=attack.t1562.001," 
+[Potential Persistence Via DLLPathOverride] 
+description = Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\*" TargetObject IN ("*\\StemmerDLLPathOverride*", "*\\WBDLLPathOverride*", "*\\StemmerClass*", "*\\WBreakerClass*") | fields - _raw | collect index=notable_events source="Potential Persistence Via DLLPathOverride" marker="guid=a1b1fd53-9c4a-444c-bae0-34a330fc7aa8,tags=attack.persistence," 
+[Add Port Monitor Persistence in Registry] 
+description = Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Control\\Print\\Monitors\\*" Details="*.dll" NOT ((Image="C:\\Windows\\System32\\spoolsv.exe" TargetObject="*\\Control\\Print\\Monitors\\CutePDF Writer Monitor v4.0\\Driver*" Details="cpwmon64_v40.dll" User IN ("*AUTHORI*", "*AUTORI*")) OR TargetObject="*\\Control\\Print\\Monitors\\MONVNC\\Driver*" OR (TargetObject="*Control\\Print\\Environments\\*" TargetObject="*\\Drivers\\*" TargetObject="*\\VNC Printer*")) | fields - _raw | collect index=notable_events source="Add Port Monitor Persistence in Registry" marker="guid=944e8941-f6f6-4ee8-ac05-1c224e923c0e,tags=attack.persistence,tags=attack.t1547.010," 
+[Scheduled TaskCache Change by Uncommon Program] 
+description = Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\*" NOT (TargetObject IN ("*Microsoft\\Windows\\UpdateOrchestrator*", "*Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\\Index*", "*Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache\\Index*") OR (Image="C:\\Windows\\*" Image="*\\TiWorker.exe") OR Image="C:\\WINDOWS\\system32\\svchost.exe" OR (Image="C:\\Windows\\Microsoft.NET\\Framework*" Image="*\\ngen.exe" TargetObject IN ("*\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}*", "*\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN*")) OR Image IN ("C:\\Program Files\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\Integration\\Integrator.exe") OR Image="C:\\Windows\\System32\\msiexec.exe" OR Image IN 
("C:\\Program Files (x86)\\Dropbox\\Update\\DropboxUpdate.exe", "C:\\Program Files\\Dropbox\\Update\\DropboxUpdate.exe") OR (Image="C:\\Windows\\explorer.exe" TargetObject="*\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\\*") OR Image="System") | fields - _raw | collect index=notable_events source="Scheduled TaskCache Change by Uncommon Program" marker="guid=4720b7df-40c3-48fd-bbdf-fd4b3c464f0d,tags=attack.persistence,tags=attack.t1053,tags=attack.t1053.005," 
+[RDP Sensitive Settings Changed] 
+description = Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject IN ("*\\Control\\Terminal Server\\*", "*\\Windows NT\\Terminal Services\\*") TargetObject="*\\Shadow" Details IN ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)")) OR (TargetObject IN ("*\\Control\\Terminal Server\\*", "*\\Windows NT\\Terminal Services\\*") TargetObject IN ("*\\DisableRemoteDesktopAntiAlias", "*\\DisableSecuritySettings", "*\\fAllowUnsolicited", "*\\fAllowUnsolicitedFullControl") Details="DWORD (0x00000001)") OR TargetObject IN ("*\\Control\\Terminal Server\\InitialProgram*", "*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram*", "*\\services\\TermService\\Parameters\\ServiceDll*", "*\\Windows NT\\Terminal Services\\InitialProgram*") | fields - _raw | collect index=notable_events source="RDP Sensitive Settings Changed" marker="guid=3f6b7b62-61aa-45db-96bd-9c31b36b653c,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1112," 
+[Potential Persistence Using DebugPath] 
+description = Detects potential persistence using Appx DebugPath 
+search = index=evtx _index_earliest=-1h@h 
Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject="*Classes\\ActivatableClasses\\Package\\Microsoft.*" TargetObject="*\\DebugPath") OR (TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft.*" TargetObject="*\\(Default)") | fields - _raw | collect index=notable_events source="Potential Persistence Using DebugPath" marker="guid=df4dc653-1029-47ba-8231-3c44238cc0ae,tags=attack.persistence,tags=attack.t1546.015,"
+[ETW Logging Disabled In .NET Processes - Sysmon Registry]
+description = Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject="*SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" Details="DWORD (0x00000000)") OR (TargetObject IN ("*\\COMPlus_ETWEnabled", "*\\COMPlus_ETWFlags") Details IN (0, "DWORD (0x00000000)")) | fields - _raw | collect index=notable_events source="ETW Logging Disabled In .NET Processes - Sysmon Registry" marker="guid=bf4fc428-dcc3-4bbd-99fe-2422aeee2544,tags=attack.defense-evasion,tags=attack.t1112,tags=attack.t1562,"
+[Potential SentinelOne Shell Context Menu Scan Command Tampering]
+description = Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\shell\\SentinelOneScan\\command\\*" NOT ((Details IN ("C:\\Program Files\\SentinelOne\\Sentinel Agent*", "C:\\Program Files (x86)\\SentinelOne\\Sentinel Agent*") Details="*\\SentinelScanFromContextMenu.exe*") OR Image IN ("*C:\\Program Files\\SentinelOne\\", "*C:\\Program Files (x86)\\SentinelOne\\")) | fields - _raw | collect index=notable_events source="Potential SentinelOne Shell Context Menu Scan Command Tampering" marker="guid=6c304b02-06e6-402d-8be4-d5833cdf8198,tags=attack.persistence,"
+[Windows Defender Exclusions Added - Registry]
+description = Detects the Setting of Windows Defender Exclusions
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows Defender\\Exclusions*" | fields - _raw | collect index=notable_events source="Windows Defender Exclusions Added - Registry" marker="guid=a982fc9c-6333-4ffb-a51d-addb04e8b529,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Outlook Security Settings Updated - Registry]
+description = Detects changes to the registry values related to outlook security settings
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Office\\*" TargetObject="*\\Outlook\\Security\\*" | fields - _raw | collect index=notable_events source="Outlook Security Settings Updated - Registry" marker="guid=c3cefdf4-6703-4e1c-bad8-bf422fc5015a,tags=attack.persistence,tags=attack.t1137,"
+[Modify User Shell Folders Startup Value]
+description = Detect modification of the startup key to a path where a payload could be stored to be launched during startup
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders*" 
TargetObject="*Startup" | fields - _raw | collect index=notable_events source="Modify User Shell Folders Startup Value" marker="guid=9c226817-8dc9-46c2-a58d-66655aafd7dc,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1547.001,"
+[Potential Persistence Via Outlook Home Page]
+description = Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Microsoft\\Office\\*" TargetObject="*\\Outlook\\WebView\\*" TargetObject="*\\URL" | fields - _raw | collect index=notable_events source="Potential Persistence Via Outlook Home Page" marker="guid=ddd171b5-2cc6-4975-9e78-f0eccd08cc76,tags=attack.persistence,tags=attack.t1112,"
+[NET NGenAssemblyUsageLog Registry Key Tamper]
+description = Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*SOFTWARE\\Microsoft\\.NETFramework\\NGenAssemblyUsageLog" | fields - _raw | collect index=notable_events source="NET NGenAssemblyUsageLog Registry Key Tamper" marker="guid=28036918-04d3-423d-91c0-55ecf99fb892,tags=attack.defense-evasion,tags=attack.t1112,"
+[Potential Credential Dumping Attempt Using New NetworkProvider - REG]
+description = Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\System\\CurrentControlSet\\Services\\*" TargetObject="*\\NetworkProvider*" NOT (TargetObject IN ("*\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider*", "*\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider*", "*\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider*") OR Image="C:\\Windows\\System32\\poqexec.exe") | fields - _raw | collect index=notable_events source="Potential Credential Dumping Attempt Using New NetworkProvider - REG" marker="guid=0442defa-b4a2-41c9-ae2c-ea7042fc4701,tags=attack.credential-access,tags=attack.t1003,"
+[Service Binary in Suspicious Folder]
+description = Detect the creation of a service with a service binary located in a suspicious directory
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject="HKLM\\System\\CurrentControlSet\\Services\\*" TargetObject="*\\Start" Image IN ("*\\Users\\Public\\*", "*\\Perflogs\\*", "*\\ADMIN$\\*", "*\\Temp\\*") Details IN ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")) OR (TargetObject="HKLM\\System\\CurrentControlSet\\Services\\*" TargetObject="*\\ImagePath" Details IN ("*\\Users\\Public\\*", "*\\Perflogs\\*", "*\\ADMIN$\\*", "*\\Temp\\*")) NOT (Image="*\\Common 
Files\\*" Image="*\\Temp\\*") | fields - _raw | collect index=notable_events source="Service Binary in Suspicious Folder" marker="guid=a07f0359-4c90-4dc4-a681-8ffea40b4f47,tags=attack.defense-evasion,tags=attack.t1112,"
+[Running Chrome VPN Extensions via the Registry 2 VPN Extension]
+description = Running Chrome VPN Extensions via the Registry install 2 vpn extension
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*Software\\Wow6432Node\\Google\\Chrome\\Extensions*" TargetObject="*update_url" TargetObject IN ("*fdcgdnkidjaadafnichfpabhfomcebme*", "*fcfhplploccackoneaefokcmbjfbkenj*", "*bihmplhobchoageeokmgbdihknkjbknd*", "*gkojfkhlekighikafcpjkiklfbnlmeio*", "*jajilbjjinjmgcibalaakngmkilboobh*", "*gjknjjomckknofjidppipffbpoekiipm*", "*nabbmpekekjknlbkgpodfndbodhijjem*", "*kpiecbcckbofpmkkkdibbllpinceiihk*", "*nlbejmccbhkncgokjcmghpfloaajcffj*", "*omghfjlpggmjjaagoclmmobgdodcjboh*", "*bibjcjfmgapbfoljiojpipaooddpkpai*", "*mpcaainmfjjigeicjnlkdfajbioopjko*", "*jljopmgdobloagejpohpldgkiellmfnc*", "*lochiccbgeohimldjooaakjllnafhaid*", "*nhnfcgpcbfclhfafjlooihdfghaeinfc*", "*ookhnhpkphagefgdiemllfajmkdkcaim*", "*namfblliamklmeodpcelkokjbffgmeoo*", "*nbcojefnccbanplpoffopkoepjmhgdgh*", "*majdfhpaihoncoakbjgbdhglocklcgno*", "*lnfdmdhmfbimhhpaeocncdlhiodoblbd*", "*eppiocemhmnlbhjplcgkofciiegomcon*", "*cocfojppfigjeefejbpfmedgjbpchcng*", "*foiopecknacmiihiocgdjgbjokkpkohc*", "*hhdobjgopfphlmjbmnpglhfcgppchgje*", "*jgbaghohigdbgbolncodkdlpenhcmcge*", "*inligpkjkhbpifecbdjhmdpcfhnlelja*", "*higioemojdadgdbhbbbkfbebbdlfjbip*", "*hipncndjamdcmphkgngojegjblibadbe*", "*iolonopooapdagdemdoaihahlfkncfgg*", "*nhfjkakglbnnpkpldhjmpmmfefifedcj*", "*jpgljfpmoofbmlieejglhonfofmahini*", "*fgddmllnllkalaagkghckoinaemmogpe*", "*ejkaocphofnobjdedneohbbiilggdlbi*", "*keodbianoliadkoelloecbhllnpiocoi*", "*hoapmlpnmpaehilehggglehfdlnoegck*", "*poeojclicodamonabcabmapamjkkmnnk*", "*dfkdflfgjdajbhocmfjolpjbebdkcjog*", 
"*kcdahmgmaagjhocpipbodaokikjkampi*", "*klnkiajpmpkkkgpgbogmcgfjhdoljacg*", "*lneaocagcijjdpkcabeanfpdbmapcjjg*", "*pgfpignfckbloagkfnamnolkeaecfgfh*", "*jplnlifepflhkbkgonidnobkakhmpnmh*", "*jliodmnojccaloajphkingdnpljdhdok*", "*hnmpcagpplmpfojmgmnngilcnanddlhb*", "*ffbkglfijbcbgblgflchnbphjdllaogb*", "*kcndmbbelllkmioekdagahekgimemejo*", "*jdgilggpfmjpbodmhndmhojklgfdlhob*", "*bihhflimonbpcfagfadcnbbdngpopnjb*", "*ppajinakbfocjfnijggfndbdmjggcmde*", "*oofgbpoabipfcfjapgnbbjjaenockbdp*", "*bhnhkdgoefpmekcgnccpnhjfdgicfebm*", "*knmmpciebaoojcpjjoeonlcjacjopcpf*", "*dhadilbmmjiooceioladdphemaliiobo*", "*jedieiamjmoflcknjdjhpieklepfglin*", "*mhngpdlhojliikfknhfaglpnddniijfh*", "*omdakjcmkglenbhjadbccaookpfjihpa*", "*npgimkapccfidfkfoklhpkgmhgfejhbj*", "*akeehkgglkmpapdnanoochpfmeghfdln*", "*gbmdmipapolaohpinhblmcnpmmlgfgje*", "*aigmfoeogfnljhnofglledbhhfegannp*", "*cgojmfochfikphincbhokimmmjenhhgk*", "*ficajfeojakddincjafebjmfiefcmanc*", "*ifnaibldjfdmaipaddffmgcmekjhiloa*", "*jbnmpdkcfkochpanomnkhnafobppmccn*", "*apcfdffemoinopelidncddjbhkiblecc*", "*mjolnodfokkkaichkcjipfgblbfgojpa*", "*oifjbnnafapeiknapihcmpeodaeblbkn*", "*plpmggfglncceinmilojdkiijhmajkjh*", "*mjnbclmflcpookeapghfhapeffmpodij*", "*bblcccknbdbplgmdjnnikffefhdlobhp*", "*aojlhgbkmkahabcmcpifbolnoichfeep*", "*lcmammnjlbmlbcaniggmlejfjpjagiia*", "*knajdeaocbpmfghhmijicidfcmdgbdpm*", "*bdlcnpceagnkjnjlbbbcepohejbheilk*", "*edknjdjielmpdlnllkdmaghlbpnmjmgb*", "*eidnihaadmmancegllknfbliaijfmkgo*", "*ckiahbcmlmkpfiijecbpflfahoimklke*", "*macdlemfnignjhclfcfichcdhiomgjjb*", "*chioafkonnhbpajpengbalkececleldf*", "*amnoibeflfphhplmckdbiajkjaoomgnj*", "*llbhddikeonkpbhpncnhialfbpnilcnc*", "*pcienlhnoficegnepejpfiklggkioccm*", "*iocnglnmfkgfedpcemdflhkchokkfeii*", "*igahhbkcppaollcjeaaoapkijbnphfhb*", "*njpmifchgidinihmijhcfpbdmglecdlb*", "*ggackgngljinccllcmbgnpgpllcjepgc*", "*kchocjcihdgkoplngjemhpplmmloanja*", "*bnijmipndnicefcdbhgcjoognndbgkep*", "*lklekjodgannjcccdlbicoamibgbdnmi*", 
"*dbdbnchagbkhknegmhgikkleoogjcfge*", "*egblhcjfjmbjajhjhpmnlekffgaemgfh*", "*ehbhfpfdkmhcpaehaooegfdflljcnfec*", "*bkkgdjpomdnfemhhkalfkogckjdkcjkg*", "*almalgbpmcfpdaopimbdchdliminoign*", "*akkbkhnikoeojlhiiomohpdnkhbkhieh*", "*gbfgfbopcfokdpkdigfmoeaajfmpkbnh*", "*bniikohfmajhdcffljgfeiklcbgffppl*", "*lejgfmmlngaigdmmikblappdafcmkndb*", "*ffhhkmlgedgcliajaedapkdfigdobcif*", "*gcknhkkoolaabfmlnjonogaaifnjlfnp*", "*pooljnboifbodgifngpppfklhifechoe*", "*fjoaledfpmneenckfbpdfhkmimnjocfa*", "*aakchaleigkohafkfjfjbblobjifikek*", "*dpplabbmogkhghncfbfdeeokoefdjegm*", "*padekgcemlokbadohgkifijomclgjgif*", "*bfidboloedlamgdmenmlbipfnccokknp*") | fields - _raw | collect index=notable_events source="Running Chrome VPN Extensions via the Registry 2 VPN Extension" marker="guid=b64a026b-8deb-4c1d-92fd-98893209dff1,tags=attack.persistence,tags=attack.t1133,"
+[New BgInfo.EXE Custom DB Path Registry Configuration]
+description = Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 EventType="SetValue" TargetObject="*\\Software\\Winternals\\BGInfo\\Database" | fields - _raw | collect index=notable_events source="New BgInfo.EXE Custom DB Path Registry Configuration" marker="guid=53330955-dc52-487f-a3a2-da24dcff99b5,tags=attack.defense-evasion,tags=attack.t1112,"
+[Disable Windows Firewall by Registry]
+description = Detect set EnableFirewall to 0 to disable the Windows firewall
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile\\EnableFirewall", "*\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\EnableFirewall") Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Disable Windows Firewall by Registry" marker="guid=e78c408a-e2ea-43cd-b5ea-51975cf358c0,tags=attack.defense-evasion,tags=attack.t1562.004,"
+[Potential Persistence Via Shim Database In Uncommon Location]
+description = Detects the installation of a new shim database where the file is located in a non-default location
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\*" TargetObject="*\\DatabasePath*" NOT Details="*:\\Windows\\AppPatch\\Custom*" | fields - _raw | collect index=notable_events source="Potential Persistence Via Shim Database In Uncommon Location" marker="guid=6b6976a3-b0e6-4723-ac24-ae38a737af41,tags=attack.persistence,tags=attack.t1546.011,"
+[Potential Persistence Via MyComputer Registry Keys]
+description = Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
+search = index=evtx 
_index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer*" TargetObject="*(Default)" | fields - _raw | collect index=notable_events source="Potential Persistence Via MyComputer Registry Keys" marker="guid=8fbe98a8-8f9d-44f8-aa71-8c572e29ef06,tags=attack.persistence,"
+[Change Winevt Channel Access Permission Via Registry]
+description = Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*" TargetObject="*\\ChannelAccess" Details IN ("*(A;;0x1;;;LA)*", "*(A;;0x1;;;SY)*", "*(A;;0x5;;;BA)*") NOT (Image="C:\\Windows\\servicing\\TrustedInstaller.exe" OR (Image="C:\\Windows\\WinSxS\\*" Image="*\\TiWorker.exe")) | fields - _raw | collect index=notable_events source="Change Winevt Channel Access Permission Via Registry" marker="guid=7d9263bd-dc47-4a58-bc92-5474abab390c,tags=attack.defense-evasion,tags=attack.t1562.002,"
+[Disable Administrative Share Creation at Startup]
+description = Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Services\\LanmanServer\\Parameters\\*" TargetObject IN ("*\\AutoShareWks", "*\\AutoShareServer") Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Disable Administrative Share Creation at Startup" marker="guid=c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e,tags=attack.defense-evasion,tags=attack.t1070.005,"
+[Registry Disable System Restore]
+description = Detects the modification of the registry to disable a system restore on the computer 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Policies\\Microsoft\\Windows NT\\SystemRestore*", "*\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore*") TargetObject IN ("*DisableConfig", "*DisableSR") Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Registry Disable System Restore" marker="guid=5de03871-5d46-4539-a82d-3aa992a69a83,tags=attack.impact,tags=attack.t1490,"
+[Potential CobaltStrike Service Installations - Registry]
+description = Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\System\\CurrentControlSet\\Services*" OR (TargetObject="*\\System\\ControlSet*" TargetObject="*\\Services*") (Details="*ADMIN$*" Details="*.exe*") OR (Details="*%COMSPEC%*" Details="*start*" Details="*powershell*") | fields - _raw | collect index=notable_events source="Potential CobaltStrike Service Installations - Registry" marker="guid=61a7697c-cb79-42a8-a2ff-5f0cdfae0130,tags=attack.execution,tags=attack.privilege-escalation,tags=attack.lateral-movement,tags=attack.t1021.002,tags=attack.t1543.003,tags=attack.t1569.002,"
+[Potential Persistence Via COM Search Order Hijacking]
+description = Detects potential COM object hijacking leveraging the COM Search Order
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\CLSID\\*" TargetObject="*\\InprocServer32\\(Default)" NOT (Details IN ("*%%systemroot%%\\system32\\*", "*%%systemroot%%\\SysWow64\\*") OR Details IN ("*\\AppData\\Local\\Microsoft\\OneDrive\\*", "*\\FileCoAuthLib64.dll*", "*\\FileSyncShell64.dll*", "*\\FileSyncApi64.dll*") OR Image="*:\\WINDOWS\\system32\\SecurityHealthService.exe" OR 
(Details="*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\*" Details="*\\Microsoft.Teams.AddinLoader.dll*") OR (Details="*\\AppData\\Roaming\\Dropbox\\*" Details="*\\DropboxExt64.*.dll*") OR Details="*TmopIEPlg.dll" OR Image IN ("*:\\WINDOWS\\system32\\wuauclt.exe", "*:\\WINDOWS\\system32\\svchost.exe") OR (Image IN ("*:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*", "*:\\Program Files\\Windows Defender\\*") Image="*\\MsMpEng.exe") OR Details="*\\FileRepository\\nvmdi.inf*" OR Image="*\\MicrosoftEdgeUpdateComRegisterShell64.exe" OR Image="*:\\WINDOWS\\SYSTEM32\\dxdiag.exe" OR Details IN ("*:\\Windows\\pyshellext.amd64.dll", "*:\\Windows\\pyshellext.dll") OR Details IN ("*:\\Windows\\system32\\dnssdX.dll", "*:\\Windows\\SysWOW64\\dnssdX.dll") OR Details="*:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll" OR Details IN ("*:\\Program Files\\*", "*:\\Program Files (x86)\\*") OR Details="*:\\ProgramData\\Microsoft\\*" OR Details="*:\\WINDOWS\\system32\\GamingServicesProxy.dll*" OR (Image="*:\\Windows\\System32\\poqexec.exe" Details="*:\\Windows\\System32\\Autopilot.dll*") OR (Image="*:\\Windows\\system32\\SecurityHealthService.exe" Details="*:\\Windows\\System32\\SecurityHealth*") OR (Image IN ("*:\\Windows\\System32\\poqexec.exe", "*:\\Windows\\System32\\regsvr32.exe") TargetObject="*\\InProcServer32\\(Default)")) | fields - _raw | collect index=notable_events source="Potential Persistence Via COM Search Order Hijacking" marker="guid=a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12,tags=attack.persistence,tags=attack.t1546.015,"
+[Hide Schedule Task Via Index Value Tamper]
+description = Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 
TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\*" TargetObject="*Index*" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Hide Schedule Task Via Index Value Tamper" marker="guid=5b16df71-8615-4f7f-ac9b-6c43c0509e61,tags=attack.defense-evasion,tags=attack.t1562,"
+[Office Macros Warning Disabled]
+description = Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Security\\VBAWarnings" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Office Macros Warning Disabled" marker="guid=91239011-fe3c-4b54-9f24-15c86bb65913,tags=attack.defense-evasion,tags=attack.t1112,"
+[Add Debugger Entry To Hangs Key For Persistence]
+description = Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger*" | fields - _raw | collect index=notable_events source="Add Debugger Entry To Hangs Key For Persistence" marker="guid=833ef470-fa01-4631-a79b-6f291c9ac498,tags=attack.persistence,"
+[Change User Account Associated with the FAX Service]
+description = Detect change of the user account associated with the FAX service to avoid the escalation problem. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="HKLM\\System\\CurrentControlSet\\Services\\Fax\\ObjectName" NOT Details="*NetworkService*" | fields - _raw | collect index=notable_events source="Change User Account Associated with the FAX Service" marker="guid=e3fdf743-f05b-4051-990a-b66919be1743,tags=attack.defense-evasion,tags=attack.t1112,"
+[Uncommon Extension In Keyboard Layout IME File Registry Value]
+description = Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Control\\Keyboard Layouts\\*" TargetObject="*Ime File*" NOT Details="*.ime" | fields - _raw | collect index=notable_events source="Uncommon Extension In Keyboard Layout IME File Registry Value" marker="guid=b888e3f2-224d-4435-b00b-9dd66e9ea1f1,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Add DisallowRun Execution to Registry]
+description = Detect set DisallowRun to 1 to prevent user running specific computer program
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Add DisallowRun Execution to Registry" marker="guid=275641a5-a492-45e2-a817-7c81e9d9d3e9,tags=attack.defense-evasion,tags=attack.t1112,"
+[CurrentVersion NT Autorun Keys Modification]
+description = Detects modification of autostart extensibility point (ASEP) in registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion*" TargetObject IN ("*\\Winlogon\\VmApplet*", "*\\Winlogon\\Userinit*", "*\\Winlogon\\Taskman*", "*\\Winlogon\\Shell*", "*\\Winlogon\\GpExtensions*", "*\\Winlogon\\AppSetup*", "*\\Winlogon\\AlternateShells\\AvailableShells*", "*\\Windows\\IconServiceLib*", "*\\Windows\\Appinit_Dlls*", "*\\Image File Execution Options*", "*\\Font Drivers*", "*\\Drivers32*", "*\\Windows\\Run*", "*\\Windows\\Load*") NOT (Details="(Empty)" OR (TargetObject="*\\Image File Execution Options\\*" TargetObject IN ("*\\DisableExceptionChainValidation", "*\\MitigationOptions")) OR (Image="C:\\Program Files (x86)\\Microsoft\\Temp\\*" Image="*\\MicrosoftEdgeUpdate.exe") OR TargetObject IN ("*\\ClickToRunStore\\HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\*", "*\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\*") OR Image IN ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe") OR (Image IN ("C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*", "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\*") Image="*\\OfficeClickToRun.exe") OR (Image="C:\\Windows\\system32\\svchost.exe" TargetObject IN ("*\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\PreviousPolicyAreas*", "*\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\MaxNoGPOListChangesInterval*") Details IN ("DWORD (0x00000009)", "DWORD (0x000003c0)")) OR (Image="C:\\Windows\\Microsoft.NET\\Framework*" Image="*\\ngen.exe") OR (Image="*\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe" TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary" Details="C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\*" 
Details="*\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"")) | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="CurrentVersion NT Autorun Keys Modification" marker="guid=cbf93e5d-ca6c-4722-8bea-e9119007c248,tags=attack.persistence,tags=attack.t1547.001,"
+[Potential Persistence Via GlobalFlags]
+description = Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject="*\\Microsoft\\Windows NT\\CurrentVersion\\*" TargetObject="*\\Image File Execution Options\\*" TargetObject="*\\GlobalFlag*") OR (TargetObject="*\\Microsoft\\Windows NT\\CurrentVersion\\*" TargetObject="*\\SilentProcessExit\\*" TargetObject IN ("*\\ReportingMode*", "*\\MonitorProcess*")) | fields - _raw | collect index=notable_events source="Potential Persistence Via GlobalFlags" marker="guid=36803969-5421-41ec-b92f-8500f79c23b0,tags=attack.privilege-escalation,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.t1546.012,tags=car.2013-01-002,"
+[Registry Explorer Policy Modification]
+description = Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDesktop", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFind", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFileMenu", 
"*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetTaskbar", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyDocuments", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoTrayContextMenu") Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Registry Explorer Policy Modification" marker="guid=1c3121ed-041b-4d97-a075-07f54f20fb4a,tags=attack.defense-evasion,tags=attack.t1112,"
+[Execution DLL of Choice Using WAB.EXE]
+description = This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Microsoft\\WAB\\DLLPath" NOT Details="%CommonProgramFiles%\\System\\wab32.dll" | fields - _raw | collect index=notable_events source="Execution DLL of Choice Using WAB.EXE" marker="guid=fc014922-5def-4da9-a0fc-28c973f41bfb,tags=attack.defense-evasion,tags=attack.t1218,"
+[RestrictedAdminMode Registry Value Tampering]
+description = Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. 
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" | fields - _raw | collect index=notable_events source="RestrictedAdminMode Registry Value Tampering" marker="guid=d6ce7ebd-260b-4323-9768-a9631c8d4db2,tags=attack.defense-evasion,tags=attack.t1112,"
+[Potential PowerShell Execution Policy Tampering]
+description = Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy", "*\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy") Details IN ("*Bypass*", "*Unrestricted*") NOT (Image IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*")) | fields - _raw | collect index=notable_events source="Potential PowerShell Execution Policy Tampering" marker="guid=fad91067-08c5-4d1a-8d8c-d96a21b37814,tags=attack.defense-evasion,"
+[New Root or CA or AuthRoot Certificate to Store]
+description = Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\*", "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*", "*\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\*", "*\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\*", "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\*", "*\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\*", 
"*\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*", "*\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*", "*\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\AuthRoot\\Certificates\\*") TargetObject="*\\Blob" Details="Binary Data" | fields - _raw | collect index=notable_events source="New Root or CA or AuthRoot Certificate to Store" marker="guid=d223b46b-5621-4037-88fe-fda32eead684,tags=attack.impact,tags=attack.t1490,"
+[Potential Persistence Via Outlook Today Page]
+description = Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*Software\\Microsoft\\Office\\*" TargetObject="*\\Outlook\\Today\\*" (TargetObject="*\\Stamp" Details="DWORD (0x00000001)") OR TargetObject IN ("*\\URL", "*\\UserDefinedUrl") NOT (Image IN ("C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*", "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\*") Image="*\\OfficeClickToRun.exe") | fields - _raw | collect index=notable_events source="Potential Persistence Via Outlook Today Page" marker="guid=487bb375-12ef-41f6-baae-c6a1572b4dd1,tags=attack.persistence,tags=attack.t1112,"
+[Potential Persistence Via AppCompat RegisterAppRestart Layer]
+description = Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\*" Details="*REGISTERAPPRESTART*" | fields - _raw | collect index=notable_events source="Potential Persistence Via AppCompat RegisterAppRestart Layer" marker="guid=b86852fb-4c77-48f9-8519-eb1b2c308b59,tags=attack.persistence,tags=attack.t1546.011,"
+[Suspicious Environment Variable Has Been Registered]
+description = Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Environment\\*" Details IN ("powershell", "pwsh") OR Details IN ("*\\AppData\\Local\\Temp\\*", "*C:\\Users\\Public\\*", "*TVqQAAMAAAAEAAAA*", "*TVpQAAIAAAAEAA8A*", "*TVqAAAEAAAAEABAA*", "*TVoAAAAAAAAAAAAA*", "*TVpTAQEAAAAEAAAA*", "*SW52b2tlL*", "*ludm9rZS*", "*JbnZva2Ut*", "*SQBuAHYAbwBrAGUALQ*", "*kAbgB2AG8AawBlAC0A*", "*JAG4AdgBvAGsAZQAtA*") OR Details IN ("SUVY*", "SQBFAF*", "SQBuAH*", "cwBhA*", "aWV4*", "aQBlA*", "R2V0*", "dmFy*", "dgBhA*", "dXNpbm*", "H4sIA*", "Y21k*", "cABhAH*", "Qzpc*", "Yzpc*") | fields - _raw | collect index=notable_events source="Suspicious Environment Variable Has Been Registered" marker="guid=966315ef-c5e1-4767-ba25-fce9c8de3660,tags=attack.defense-evasion,tags=attack.persistence,"
+[Suspicious Service Installed]
+description = Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. 
Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath", "HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath") NOT (Image IN ("*\\procexp64.exe", "*\\procexp.exe", "*\\procmon64.exe", "*\\procmon.exe", "*\\handle.exe", "*\\handle64.exe") Details="*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS*") | fields - _raw | collect index=notable_events source="Suspicious Service Installed" marker="guid=f2485272-a156-4773-82d7-1d178bc4905b,tags=attack.t1562.001,tags=attack.defense-evasion,"
+[Potential Registry Persistence Attempt Via Windows Telemetry]
+description = Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\*" TargetObject="*\\Command" Details IN ("*.bat*", "*.bin*", "*.cmd*", "*.dat*", "*.dll*", "*.exe*", "*.hta*", "*.jar*", "*.js*", "*.msi*", "*.ps*", "*.sh*", "*.vb*") NOT (Details IN ("*\\system32\\CompatTelRunner.exe*", "*\\system32\\DeviceCensus.exe*")) | fields - _raw | collect index=notable_events source="Potential Registry Persistence Attempt Via Windows Telemetry" marker="guid=73a883d0-0348-4be4-a8d8-51031c2564f8,tags=attack.persistence,tags=attack.t1053.005,"
+[MaxMpxCt Registry Value Changed]
+description = Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Services\\LanmanServer\\Parameters\\MaxMpxCt" | fields - _raw | collect index=notable_events source="MaxMpxCt Registry Value Changed" marker="guid=0e6a9e62-627e-496c-aef5-bfa39da29b5e,tags=attack.defense-evasion,tags=attack.t1070.005,"
+[Enable Local Manifest Installation With Winget]
+description = Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\AppInstaller\\EnableLocalManifestFiles" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Enable Local Manifest Installation With Winget" marker="guid=fa277e82-9b78-42dd-b05c-05555c7b6015,tags=attack.defense-evasion,tags=attack.persistence,"
+[New BgInfo.EXE Custom VBScript Registry Configuration]
+description = Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 EventType="SetValue" TargetObject="*\\Software\\Winternals\\BGInfo\\UserFields\\*" Details="4*" | fields - _raw | collect index=notable_events source="New BgInfo.EXE Custom VBScript Registry Configuration" marker="guid=992dd79f-dde8-4bb0-9085-6350ba97cfb3,tags=attack.defense-evasion,tags=attack.t1112,"
+[PowerShell Logging Disabled Via Registry Key Tampering]
+description = Detects changes to the registry for the currently logged-in user. 
In order to disable PowerShell module logging, script block logging or transcription and script execution logging
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Microsoft\\Windows\\PowerShell\\*", "*\\Microsoft\\PowerShellCore\\*") TargetObject IN ("*\\ModuleLogging\\EnableModuleLogging", "*\\ScriptBlockLogging\\EnableScriptBlockLogging", "*\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging", "*\\Transcription\\EnableTranscripting", "*\\Transcription\\EnableInvocationHeader", "*\\EnableScripts") Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="PowerShell Logging Disabled Via Registry Key Tampering" marker="guid=fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7,tags=attack.defense-evasion,tags=attack.t1564.001,"
+[DNS-over-HTTPS Enabled by Registry]
+description = Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 (TargetObject="*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" Details="DWORD (0x00000001)") OR (TargetObject="*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" Details="secure") OR (TargetObject="*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled" Details="DWORD (0x00000001)") | fields - _raw | collect index=notable_events source="DNS-over-HTTPS Enabled by Registry" marker="guid=04b45a8a-d11d-49e4-9acc-4a1b524407a5,tags=attack.defense-evasion,tags=attack.t1140,tags=attack.t1112,"
+[Potential Persistence Via Visual Studio Tools for Office]
+description = Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Software\\Microsoft\\Office\\Outlook\\Addins\\*", "*\\Software\\Microsoft\\Office\\Word\\Addins\\*", "*\\Software\\Microsoft\\Office\\Excel\\Addins\\*", "*\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\*", "*\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\*") NOT (Image IN ("*\\msiexec.exe", "*\\regsvr32.exe") OR Image IN ("*\\excel.exe", "*\\integrator.exe", "*\\OfficeClickToRun.exe", "*\\winword.exe", "*\\visio.exe") OR Image="*\\Teams.exe" OR (Image="C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe" TargetObject="*\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\*")) | fields - _raw | collect index=notable_events source="Potential Persistence Via Visual Studio Tools for Office" marker="guid=9d15044a-7cfe-4d23-8085-6ebc11df7685,tags=attack.t1137.006,tags=attack.persistence,"
+[Wow6432Node Classes Autorun Keys Modification]
+description = Detects modification of autostart extensibility point (ASEP) in registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Wow6432Node\\Classes*" TargetObject IN ("*\\Folder\\ShellEx\\ExtShellFolderViews*", "*\\Folder\\ShellEx\\DragDropHandlers*", "*\\Folder\\ShellEx\\ColumnHandlers*", "*\\Directory\\Shellex\\DragDropHandlers*", "*\\Directory\\Shellex\\CopyHookHandlers*", "*\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance*", "*\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance*", "*\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance*", "*\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance*", "*\\AllFileSystemObjects\\ShellEx\\DragDropHandlers*", "*\\ShellEx\\PropertySheetHandlers*", "*\\ShellEx\\ContextMenuHandlers*") NOT Details="(Empty)" | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="Wow6432Node Classes Autorun Keys Modification" marker="guid=18f2065c-d36c-464a-a748-bcf909acb2e3,tags=attack.persistence,tags=attack.t1547.001,"
+[Disable Windows Event Logging Via Registry]
+description = Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*" TargetObject="*\\Enabled" Details="DWORD (0x00000000)" NOT (Image="C:\\Windows\\system32\\wevtutil.exe" OR (Image="C:\\Windows\\winsxs\\*" Image="*\\TiWorker.exe") OR (Image="C:\\Windows\\System32\\svchost.exe" TargetObject IN ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter*", "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1\\*", "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat\\*", "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error\\*", 
"*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational\\*")) OR (Image="C:\\Windows\\servicing\\TrustedInstaller.exe" TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser*")) NOT (Image="" OR Image!=*) | fields - _raw | collect index=notable_events source="Disable Windows Event Logging Via Registry" marker="guid=2f78da12-f7c7-430b-8b19-a28f269b77a3,tags=attack.defense-evasion,tags=attack.t1562.002,"
+[COM Hijack via Sdclt]
+description = Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute*" | fields - _raw | collect index=notable_events source="COM Hijack via Sdclt" marker="guid=07743f65-7ec9-404a-a519-913db7118a8d,tags=attack.privilege-escalation,tags=attack.t1546,tags=attack.t1548,"
+[Common Autorun Keys Modification]
+description = Detects modification of autostart extensibility point (ASEP) in registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart*", "*\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun*", "*\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components*", "*\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect*", "*\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect*", "*\\SYSTEM\\Setup\\CmdLine*", "*\\Software\\Microsoft\\Ctf\\LangBarAddin*", "*\\Software\\Microsoft\\Command Processor\\Autorun*", "*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components*", "*\\SOFTWARE\\Classes\\Protocols\\Handler*", "*\\SOFTWARE\\Classes\\Protocols\\Filter*", "*\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)*", "*\\Environment\\UserInitMprLogonScript*", "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe*", "*\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks*", "*\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components*", "*\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32*", "*\\Control Panel\\Desktop\\Scrnsave.exe*") NOT (Details="(Empty)" OR TargetObject IN ("*\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Classes\\PROTOCOLS\\Handler\\*", "*\\ClickToRunStore\\HKMU\\SOFTWARE\\Classes\\PROTOCOLS\\Handler\\*") OR Details IN ("{314111c7-a502-11d2-bbca-00c04f8ec294}", "{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}", "{42089D2D-912D-4018-9087-2B87803E93FB}", "{5504BE45-A83B-4808-900A-3A5C36E7F77A}", "{807583E5-5146-11D5-A672-00B0D022E945}") OR TargetObject="*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{8A69D345-D564-463c-AFF1-A69D9E530F96}*" OR TargetObject="*\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}*" OR TargetObject="*\\Software\\Microsoft\\Active Setup\\Installed Components\\{89820200-ECBD-11cf-8B85-00AA005B4383}*" OR Image 
IN ("C:\\Windows\\System32\\poqexec.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe") OR (Image IN ("C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*", "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\*") Image="*\\OfficeClickToRun.exe")) | fields - _raw | collect index=notable_events source="Common Autorun Keys Modification" marker="guid=f59c3faf-50f3-464b-9f4c-1b67ab512d99,tags=attack.persistence,tags=attack.t1547.001,"
+[Outlook EnableUnsafeClientMailRules Setting Enabled - Registry]
+description = Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Outlook\\Security\\EnableUnsafeClientMailRules" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Outlook EnableUnsafeClientMailRules Setting Enabled - Registry" marker="guid=6763c6c8-bd01-4687-bc8d-4fa52cf8ba08,tags=attack.defense-evasion,tags=attack.t1112,"
+[UAC Bypass Using Windows Media Player - Registry]
+description = Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe" Details="Binary Data" | fields - _raw | collect index=notable_events source="UAC Bypass Using Windows Media Player - Registry" marker="guid=5f9db380-ea57-4d1e-beab-8a2d33397e93,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002,"
+[Old TLS1.0/TLS1.1 Protocol Version Enabled]
+description = Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the 
"Protocols" registry key.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\*", "*\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\*") TargetObject="*\\Enabled" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Old TLS1.0/TLS1.1 Protocol Version Enabled" marker="guid=439957a7-ad86-4a8f-9705-a28131c6821b,tags=attack.defense-evasion,"
+[Potential Persistence Via AutodialDLL]
+description = Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Services\\WinSock2\\Parameters\\AutodialDLL*" | fields - _raw | collect index=notable_events source="Potential Persistence Via AutodialDLL" marker="guid=e6fe26ee-d063-4f5b-b007-39e90aaf50e3,tags=attack.persistence,"
+[Scripted Diagnostics Turn Off Check Enabled - Registry]
+description = Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Policies\\Microsoft\\Windows\\ScriptedDiagnostics\\TurnOffCheck" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Scripted Diagnostics Turn Off Check Enabled - Registry" marker="guid=7d995e63-ec83-4aa3-89d5-8a17b5c87c86,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Activate Suppression of Windows Security Center Notifications]
+description = Detect set Notification_Suppress to 1 to disable the Windows security center notification
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress" 
Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Activate Suppression of Windows Security Center Notifications" marker="guid=0c93308a-3f1b-40a9-b649-57ea1a1c1d63,tags=attack.defense-evasion,tags=attack.t1112,"
+[Winlogon AllowMultipleTSSessions Enable]
+description = Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions" Details="*DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Winlogon AllowMultipleTSSessions Enable" marker="guid=f7997770-92c3-4ec9-b112-774c4ef96f96,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.t1112,"
+[Blue Mockingbird - Registry]
+description = Attempts to detect system changes made by Blue Mockingbird
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll" | fields - _raw | collect index=notable_events source="Blue Mockingbird - Registry" marker="guid=92b0b372-a939-44ed-a11b-5136cf680e27,tags=attack.execution,tags=attack.t1112,tags=attack.t1047,"
+[Suspicious Shim Database Patching Activity]
+description = Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*" TargetObject IN ("*\\csrss.exe", "*\\dllhost.exe", "*\\explorer.exe", "*\\RuntimeBroker.exe", "*\\services.exe", "*\\sihost.exe", "*\\svchost.exe", "*\\taskhostw.exe", "*\\winlogon.exe", "*\\WmiPrvSe.exe") | fields - _raw | collect index=notable_events source="Suspicious Shim Database Patching Activity" marker="guid=bf344fea-d947-4ef4-9192-34d008315d3a,tags=attack.persistence,tags=attack.t1546.011,"
+[Classes Autorun Keys Modification]
+description = Detects modification of autostart extensibility point (ASEP) in registry.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Classes*" TargetObject IN ("*\\Folder\\ShellEx\\ExtShellFolderViews*", "*\\Folder\\ShellEx\\DragDropHandlers*", "*\\Folder\\Shellex\\ColumnHandlers*", "*\\Filter*", "*\\Exefile\\Shell\\Open\\Command\\(Default)*", "*\\Directory\\Shellex\\DragDropHandlers*", "*\\Directory\\Shellex\\CopyHookHandlers*", "*\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance*", "*\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance*", "*\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance*", "*\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance*", "*\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers*", "*\\.exe*", "*\\.cmd*", "*\\ShellEx\\PropertySheetHandlers*", "*\\ShellEx\\ContextMenuHandlers*") NOT (Details="(Empty)" OR Details="{807583E5-5146-11D5-A672-00B0D022E945}" OR Image="C:\\Windows\\System32\\drvinst.exe" OR (Image="C:\\Windows\\System32\\svchost.exe" TargetObject="*\\lnkfile\\shellex\\ContextMenuHandlers\\*")) | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="Classes Autorun Keys Modification" 
marker="guid=9df5f547-c86a-433e-b533-f2794357e242,tags=attack.persistence,tags=attack.t1547.001,"
+[Potential Persistence Via Netsh Helper DLL - Registry]
+description = Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\NetSh*" Details="*.dll*" | fields - _raw | collect index=notable_events source="Potential Persistence Via Netsh Helper DLL - Registry" marker="guid=c90362e0-2df3-4e61-94fe-b37615814cb1,tags=attack.persistence,tags=attack.t1546.007,"
+[Potential AMSI COM Server Hijacking]
+description = Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)" NOT Details="%windir%\\system32\\amsi.dll" | fields - _raw | collect index=notable_events source="Potential AMSI COM Server Hijacking" marker="guid=160d2780-31f7-4922-8b3a-efce30e63e96,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[PowerShell Script Execution Policy Enabled]
+description = Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="PowerShell Script Execution Policy Enabled" marker="guid=8218c875-90b9-42e2-b60d-0b0069816d10,tags=attack.execution,"
+[Potentially Suspicious Desktop Background Change Via Registry]
+description = Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*Control Panel\\Desktop*", "*CurrentVersion\\Policies\\ActiveDesktop*", "*CurrentVersion\\Policies\\System*") (TargetObject="*NoChangingWallpaper" Details="DWORD (0x00000001)") OR TargetObject="*\\Wallpaper" OR (TargetObject="*\\WallpaperStyle" Details="2") NOT Image="*\\svchost.exe" | fields - _raw | collect index=notable_events source="Potentially Suspicious Desktop Background Change Via Registry" marker="guid=85b88e05-dadc-430b-8a9e-53ff1cd30aae,tags=attack.defense-evasion,tags=attack.impact,tags=attack.t1112,tags=attack.t1491.001,"
+[Lolbas OneDriveStandaloneUpdater.exe Proxy Download]
+description = Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. 
The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC*" | fields - _raw | collect index=notable_events source="Lolbas OneDriveStandaloneUpdater.exe Proxy Download" marker="guid=3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d,tags=attack.command-and-control,tags=attack.t1105,"
+[Enabling COR Profiler Environment Variables]
+description = Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\COR_ENABLE_PROFILING", "*\\COR_PROFILER", "*\\CORECLR_ENABLE_PROFILING") OR TargetObject="*\\CORECLR_PROFILER_PATH*" | fields - _raw | collect index=notable_events source="Enabling COR Profiler Environment Variables" marker="guid=ad89044a-8f49-4673-9a55-cbd88a1b374f,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1574.012,"
+[Suspicious Powershell In Registry Run Keys]
+description = Detects potential PowerShell commands or code within registry run keys
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*" Details IN ("*powershell*", "*pwsh *", "*FromBase64String*", "*.DownloadFile(*", "*.DownloadString(*", "* -w hidden *", "* -w 1 *", "*-windowstyle hidden*", "*-window hidden*", "* -nop *", "* -encodedcommand *", "*-ExecutionPolicy Bypass*", "*Invoke-Expression*", "*IEX (*", "*Invoke-Command*", "*ICM -*", "*Invoke-WebRequest*", "*IWR *", "* -noni *", "* -noninteractive *") | fields - _raw | collect index=notable_events source="Suspicious Powershell In Registry Run Keys" 
marker="guid=8d85cf08-bf97-4260-ba49-986a2a65129c,tags=attack.persistence,tags=attack.t1547.001,"
+[CurrentVersion Autorun Keys Modification]
+description = Detects modification of autostart extensibility point (ASEP) in registry.
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion*" TargetObject IN ("*\\ShellServiceObjectDelayLoad*", "*\\Run\\*", "*\\RunOnce\\*", "*\\RunOnceEx\\*", "*\\RunServices\\*", "*\\RunServicesOnce\\*", "*\\Policies\\System\\Shell*", "*\\Policies\\Explorer\\Run*", "*\\Group Policy\\Scripts\\Startup*", "*\\Group Policy\\Scripts\\Shutdown*", "*\\Group Policy\\Scripts\\Logon*", "*\\Group Policy\\Scripts\\Logoff*", "*\\Explorer\\ShellServiceObjects*", "*\\Explorer\\ShellIconOverlayIdentifiers*", "*\\Explorer\\ShellExecuteHooks*", "*\\Explorer\\SharedTaskScheduler*", "*\\Explorer\\Browser Helper Objects*", "*\\Authentication\\PLAP Providers*", "*\\Authentication\\Credential Providers*", "*\\Authentication\\Credential Provider Filters*") NOT (Details="(Empty)" OR TargetObject="*\\NgcFirst\\ConsecutiveSwitchCount" OR Image IN ("*\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe", "*\\AppData\\Roaming\\Spotify\\Spotify.exe", "*\\AppData\\Local\\WebEx\\WebexHost.exe") OR Image IN ("C:\\WINDOWS\\system32\\devicecensus.exe", "C:\\Windows\\system32\\winsat.exe", "C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe", "C:\\Program Files\\Everything\\Everything.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe") OR (Image="C:\\Windows\\system32\\LogonUI.exe" TargetObject IN ("*\\Authentication\\Credential Providers\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\*", 
"*\\Authentication\\Credential Providers\\{BEC09223-B018-416D-A0AC-523971B639F5}\\*", "*\\Authentication\\Credential Providers\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\*", "*\\Authentication\\Credential Providers\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\*")) OR Image IN ("C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\*", "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\*", "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe*") OR (Image="C:\\Windows\\system32\\regsvr32.exe" TargetObject="*DropboxExt*" Details="*A251-47B7-93E1-CDD82E34AF8B}") OR (TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Browser Assistant" Details="C:\\Program Files\\Opera\\assistant\\browser_assistant.exe") OR (TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\iTunesHelper" Details="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"") OR (TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zoommsirepair" Details="\"C:\\Program Files\\Zoom\\bin\\installer.exe\" /repair") OR (TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Greenshot" Details="C:\\Program Files\\Greenshot\\Greenshot.exe") OR (TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleDriveFS" Details="C:\\Program Files\\Google\\Drive File Stream\\*" Details="*\\GoogleDriveFS.exe*") OR (TargetObject="*GoogleDrive*" Details IN ("{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}", "{A8E52322-8734-481D-A7E2-27B309EF8D56}", "{C973DA94-CBDF-4E77-81D1-E5B794FBD146}", "{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}")) OR (Details IN ("C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \"C:\\Users\\*", "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\*") Details="*\\AppData\\Local\\Microsoft\\OneDrive\\*") OR (TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{*" Details="*\\AppData\\Local\\Package Cache\\{*" Details="*}\\python-*" Details="*.exe\" /burn.runonce") OR (Image IN ("C:\\Program Files\\Common 
Files\\Microsoft Shared\\ClickToRun\\*", "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\*") Image="*\\OfficeClickToRun.exe") OR Image="C:\\Program Files\\Windows Defender\\MsMpEng.exe" OR (Image="*\\Microsoft\\Teams\\current\\Teams.exe" Details="*\\Microsoft\\Teams\\Update.exe --processStart *") OR (Image="C:\\Windows\\system32\\userinit.exe" Details="ctfmon.exe /n") OR (Image="C:\\Program Files\\AVG\\Antivirus\\Setup\\*" Details IN ("\"C:\\Program Files\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "{472083B0-C522-11CF-8763-00608CC02F24}")) OR (Image IN ("*\\aurora-agent-64.exe", "*\\aurora-agent.exe") TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\Run\\aurora-dashboard" Details="C:\\Program Files\\Aurora-Agent\\tools\\aurora-dashboard.exe") OR (TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\Run\\Everything" Details="*\\Everything\\Everything.exe\" -startup")) | fields - _raw | collect index=notable_events source="CurrentVersion Autorun Keys Modification" marker="guid=20f0ee37-5942-4e45-b7d5-c5b5db9df5cd,tags=attack.persistence,tags=attack.t1547.001,"
+[Wow6432Node Windows NT CurrentVersion Autorun Keys Modification]
+description = Detects modification of autostart extensibility point (ASEP) in registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion*" TargetObject IN ("*\\Windows\\Appinit_Dlls*", "*\\Image File Execution Options*", "*\\Drivers32*") NOT (Details IN ("(Empty)", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options")) | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" marker="guid=480421f9-417f-4d3b-9552-fd2728443ec8,tags=attack.persistence,tags=attack.t1547.001," +[Default RDP Port Changed to Non Standard Port] +description = Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber" NOT Details="DWORD (0x00000d3d)" | fields - _raw | collect index=notable_events source="Default RDP Port Changed to Non Standard Port" marker="guid=509e84b9-a71a-40e0-834f-05470369bd1e,tags=attack.persistence,tags=attack.t1547.010," +[Disable Microsoft Defender Firewall via Registry] +description = Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*" TargetObject="*\\EnableFirewall" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Disable Microsoft Defender Firewall via Registry" marker="guid=974515da-6cc5-4c95-ae65-f97f9150ec7f,tags=attack.defense-evasion,tags=attack.t1562.004," +[Disable Windows Security Center Notifications] +description = Detect set UseActionCenterExperience to 0 to disable the Windows security center notification +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Disable Windows Security Center Notifications" marker="guid=3ae1a046-f7db-439d-b7ce-b8b366b81fa6,tags=attack.defense-evasion,tags=attack.t1112," +[Macro Enabled In A Potentially Suspicious Document] +description = Detects registry changes to Office trust records where the path is located in a potentially suspicious location +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Security\\Trusted Documents\\TrustRecords*" TargetObject IN 
("*/AppData/Local/Microsoft/Windows/INetCache/*", "*/AppData/Local/Temp/*", "*/PerfLogs/*", "*C:/Users/Public/*", "*file:///D:/*", "*file:///E:/*") | fields - _raw | collect index=notable_events source="Macro Enabled In A Potentially Suspicious Document" marker="guid=a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd,tags=attack.defense-evasion,tags=attack.t1112," +[Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting] +description = Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Outlook\\LoadMacroProviderOnBoot" Details="*0x00000001*" | fields - _raw | collect index=notable_events source="Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting" marker="guid=396ae3eb-4174-4b9b-880e-dc0364d78a19,tags=attack.persistence,tags=attack.command-and-control,tags=attack.t1137,tags=attack.t1008,tags=attack.t1546," +[IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols] +description = Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults*" TargetObject IN ("*\\http", "*\\https") Details="*DWORD (0x00000000)*" | fields - _raw | collect index=notable_events source="IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols" marker="guid=3fd4c8d7-8362-4557-a8e6-83b29cc0d724,tags=attack.defense-evasion," +[Suspicious Path In Keyboard Layout IME File Registry Value] +description = Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Control\\Keyboard Layouts\\*" TargetObject="*Ime File*" Details IN ("*:\\Perflogs\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Temporary Internet*") OR (Details="*:\\Users\\*" Details="*\\Favorites\\*") OR (Details="*:\\Users\\*" Details="*\\Favourites\\*") OR (Details="*:\\Users\\*" Details="*\\Contacts\\*") | fields - _raw | collect index=notable_events source="Suspicious Path In Keyboard Layout IME File Registry Value" marker="guid=9d8f9bb8-01af-4e15-a3a2-349071530530,tags=attack.defense-evasion,tags=attack.t1562.001," +[Potential Signing Bypass Via Windows Developer Features - Registry] +description = Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". 
Which allows the user to install untrusted packages. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock*", "*\\Policies\\Microsoft\\Windows\\Appx\\*") TargetObject IN ("*\\AllowAllTrustedApps", "*\\AllowDevelopmentWithoutDevLicense") Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Potential Signing Bypass Via Windows Developer Features - Registry" marker="guid=b110ebaf-697f-4da1-afd5-b536fa27a2c1,tags=attack.defense-evasion," +[Add Debugger Entry To AeDebug For Persistence] +description = Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\Debugger*" Details="*.dll" NOT Details="\"C:\\WINDOWS\\system32\\vsjitdebugger.exe\" -p %ld -e %ld -j 0x%p" | fields - _raw | collect index=notable_events source="Add Debugger Entry To AeDebug For Persistence" marker="guid=092af964-4233-4373-b4ba-d86ea2890288,tags=attack.persistence," +[Registry Persistence via Service in Safe Mode] +description = Detects the modification of the registry to allow a driver or service to persist in Safe Mode. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Control\\SafeBoot\\Minimal\\*", "*\\Control\\SafeBoot\\Network\\*") TargetObject="*\\(Default)" Details="Service" NOT (Image="C:\\WINDOWS\\system32\\msiexec.exe" TargetObject IN ("*\\Control\\SafeBoot\\Minimal\\SAVService\\(Default)", "*\\Control\\SafeBoot\\Network\\SAVService\\(Default)")) | fields - _raw | collect index=notable_events source="Registry Persistence via Service in Safe Mode" marker="guid=1547e27c-3974-43e2-a7d7-7f484fb928ec,tags=attack.defense-evasion,tags=attack.t1564.001," +[WinSock2 Autorun Keys Modification] +description = Detects modification of autostart extensibility point (ASEP) in registry. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters*" TargetObject IN ("*\\Protocol_Catalog9\\Catalog_Entries*", "*\\NameSpace_Catalog5\\Catalog_Entries*") NOT (Details="(Empty)" OR Image="C:\\Windows\\System32\\MsiExec.exe" OR Image="C:\\Windows\\syswow64\\MsiExec.exe") | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="WinSock2 Autorun Keys Modification" marker="guid=d6c2ce7e-afb5-4337-9ca4-4b5254ed0565,tags=attack.persistence,tags=attack.t1547.001," +[Wdigest Enable UseLogonCredential] +description = Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*WDigest\\UseLogonCredential" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Wdigest Enable UseLogonCredential" marker="guid=d6a9b252-c666-4de6-8806-5561bbbd3bdc,tags=attack.defense-evasion,tags=attack.t1112," +[UAC 
Bypass Abusing Winsat Path Parsing - Registry] +description = Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Root\\InventoryApplicationFile\\winsat.exe|*" TargetObject="*\\LowerCaseLongPath" Details="c:\\users\\*" Details="*\\appdata\\local\\temp\\system32\\winsat.exe" | fields - _raw | collect index=notable_events source="UAC Bypass Abusing Winsat Path Parsing - Registry" marker="guid=6597be7b-ac61-4ac8-bef4-d3ec88174853,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[New File Association Using Exefile] +description = Detects the abuse of the exefile handler in new file association. Used for bypass of security products. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*Classes\\.*" Details="exefile" | fields - _raw | collect index=notable_events source="New File Association Using Exefile" marker="guid=44a22d59-b175-4f13-8c16-cbaef5b581ff,tags=attack.defense-evasion," +[Session Manager Autorun Keys Modification] +description = Detects modification of autostart extensibility point (ASEP) in registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\System\\CurrentControlSet\\Control\\Session Manager*" TargetObject IN ("*\\SetupExecute*", "*\\S0InitialCommand*", "*\\KnownDlls*", "*\\Execute*", "*\\BootExecute*", "*\\AppCertDlls*") NOT Details="(Empty)" | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="Session Manager Autorun Keys Modification" marker="guid=046218bd-e0d8-4113-a3c3-895a12b2b298,tags=attack.persistence,tags=attack.t1547.001,tags=attack.t1546.009," +[UAC Secure Desktop Prompt Disabled] +description = Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop*" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="UAC Secure Desktop Prompt Disabled" marker="guid=0d7ceeef-3539-4392-8953-3dc664912714,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1548.002," +[Driver Added To Disallowed Images In HVCI - Registry] +description = Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Control\\CI\\*" TargetObject="*\\HVCIDisallowedImages*" | fields - _raw | collect index=notable_events source="Driver Added To Disallowed Images In HVCI - Registry" marker="guid=555155a2-03bf-4fe7-af74-d176b3fdbe16,tags=attack.defense-evasion," +[New DNS ServerLevelPluginDll Installed] +description = Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\services\\DNS\\Parameters\\ServerLevelPluginDll" | fields - _raw | collect index=notable_events source="New DNS ServerLevelPluginDll Installed" marker="guid=e61e8a88-59a9-451c-874e-70fcc9740d67,tags=attack.defense-evasion,tags=attack.t1574.002,tags=attack.t1112," +[Potential Attachment Manager Settings Associations Tamper] +description = Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 
TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\*" (TargetObject="*\\DefaultFileTypeRisk" Details="DWORD (0x00006152)") OR (TargetObject="*\\LowRiskFileTypes" Details IN ("*.zip;*", "*.rar;*", "*.exe;*", "*.bat;*", "*.com;*", "*.cmd;*", "*.reg;*", "*.msi;*", "*.htm;*", "*.html;*")) | fields - _raw | collect index=notable_events source="Potential Attachment Manager Settings Associations Tamper" marker="guid=a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47,tags=attack.defense-evasion," +[Potential Ransomware Activity Using LegalNotice Message] +description = Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption*", "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText*") Details IN ("*encrypted*", "*Unlock-Password*", "*paying*") | fields - _raw | collect index=notable_events source="Potential Ransomware Activity Using LegalNotice Message" marker="guid=8b9606c9-28be-4a38-b146-0e313cc232c1,tags=attack.impact,tags=attack.t1491.001," +[Lsass Full Dump Request Via DumpType Registry Settings] +description = Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType*", "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType*") Details="DWORD (0x00000002)" | fields - _raw | collect index=notable_events source="Lsass Full Dump Request Via DumpType Registry Settings" marker="guid=33efc23c-6ea2-4503-8cfe-bdf82ce8f719,tags=attack.credential-access,tags=attack.t1003.001," +[CrashControl CrashDump Disabled] +description = Detects disabling the CrashDump per registry (as used by HermeticWiper) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*SYSTEM\\CurrentControlSet\\Control\\CrashControl*" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="CrashControl CrashDump Disabled" marker="guid=2ff692c2-4594-41ec-8fcb-46587de769e0,tags=attack.t1564,tags=attack.t1112," +[Potential Persistence Via App Paths Default Property] +description = Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to prepend information to the PATH environment variable on a per-application, per-process basis. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths*" TargetObject IN ("*(Default)", "*Path") Details IN ("*\\Users\\Public*", "*\\AppData\\Local\\Temp\\*", "*\\Windows\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*%temp%*", "*%tmp%*", "*iex*", "*Invoke-*", "*rundll32*", "*regsvr32*", "*mshta*", "*cscript*", "*wscript*", "*.bat*", "*.hta*", "*.dll*", "*.ps1*") | fields - _raw | collect index=notable_events source="Potential Persistence Via App Paths Default Property" marker="guid=707e097c-e20f-4f67-8807-1f72ff4500d6,tags=attack.persistence,tags=attack.t1546.012," +[Periodic Backup For System Registry Hives Enabled] +description = Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803". +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Control\\Session Manager\\Configuration Manager\\EnablePeriodicBackup" Details="DWORD (0x00000001)" | fields - _raw | collect index=notable_events source="Periodic Backup For System Registry Hives Enabled" marker="guid=973ef012-8f1a-4c40-93b4-7e659a5cd17f,tags=attack.collection,tags=attack.t1113," +[PowerShell as a Service in Registry] +description = Detects that a powershell code is written to the registry as a service. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Services\\*" TargetObject="*\\ImagePath" Details IN ("*powershell*", "*pwsh*") | fields - _raw | collect index=notable_events source="PowerShell as a Service in Registry" marker="guid=4a5f5a5e-ac01-474b-9b4e-d61298c9df1d,tags=attack.execution,tags=attack.t1569.002," +[COM Object Hijacking Via Modification Of Default System CLSID Default Value] +description = Detects potential COM object hijacking via modification of default system CLSID. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\CLSID\\*" TargetObject IN ("*\\InprocServer32\\(Default)", "*\\LocalServer32\\(Default)") TargetObject IN ("*\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\*", "*\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\*", "*\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\*", "*\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\*", "*\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\*") Details IN ("*\\AppData\\Local\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "*\\System32\\spool\\drivers\\color\\*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*", "*%appdata%*", "*%temp%*", "*%tmp%*") | fields - _raw | collect index=notable_events source="COM Object Hijacking Via Modification Of Default System CLSID Default Value" marker="guid=790317c0-0a36-4a6a-a105-6e576bf99a14,tags=attack.persistence,tags=attack.t1546.015," +[Microsoft Office Protected View Disabled] +description = Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Microsoft\\Office\\*" TargetObject="*\\Security\\ProtectedView\\*" (Details="DWORD (0x00000001)" TargetObject IN ("*\\DisableAttachementsInPV", "*\\DisableInternetFilesInPV", "*\\DisableIntranetCheck", "*\\DisableUnsafeLocationsInPV")) OR (Details="DWORD (0x00000000)" TargetObject IN ("*\\enabledatabasefileprotectedview", "*\\enableforeigntextfileprotectedview")) | fields - _raw | collect index=notable_events source="Microsoft Office Protected View Disabled" marker="guid=a5c7a43f-6009-4a8c-80c5-32abf1c53ecc,tags=attack.defense-evasion,tags=attack.t1562.001," +[Disable Privacy Settings Experience in Registry] +description = Detects registry modifications that disable Privacy Settings Experience +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Policies\\Microsoft\\Windows\\OOBE\\DisablePrivacyExperience" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Disable Privacy Settings Experience in Registry" marker="guid=0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b,tags=attack.defense-evasion,tags=attack.t1562.001," +[Sysmon Driver Altitude Change] +description = Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Services\\*" TargetObject="*\\Instances\\Sysmon Instance\\Altitude" | fields - _raw | collect index=notable_events source="Sysmon Driver Altitude Change" marker="guid=4916a35e-bfc4-47d0-8e25-a003d7067061,tags=attack.defense-evasion,tags=attack.t1562.001," +[ClickOnce Trust Prompt Tampering] +description = Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel\\*" TargetObject IN ("*\\Internet", "*\\LocalIntranet", "*\\MyComputer", "*\\TrustedSites", "*\\UntrustedSites") Details="Enabled" | fields - _raw | collect index=notable_events source="ClickOnce Trust Prompt Tampering" marker="guid=ac9159cc-c364-4304-8f0a-d63fc1a0aabb,tags=attack.defense-evasion,tags=attack.t1112," +[Potential AutoLogger Sessions Tampering] +description = Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\*" TargetObject IN ("*\\EventLog-*", "*\\Defender*") TargetObject IN ("*\\Enable", "*\\Start") Details="DWORD (0x00000000)" NOT Image="C:\\Windows\\system32\\wevtutil.exe" | fields - _raw | collect index=notable_events source="Potential AutoLogger Sessions Tampering" marker="guid=f37b4bce-49d0-4087-9f5b-58bffda77316,tags=attack.defense-evasion," +[IE Change Domain Zone] +description = Hides the file extension through modification of the registry +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 
TargetObject="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\*" NOT (Details IN ("DWORD (0x00000000)", "DWORD (0x00000001)", "(Empty)")) | fields - _raw | collect index=notable_events source="IE Change Domain Zone" marker="guid=45e112d0-7759-4c2a-aa36-9f8fb79d3393,tags=attack.persistence,tags=attack.t1137," +[Disable Tamper Protection on Windows Defender] +description = Detects disabling Windows Defender Tamper Protection +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows Defender\\Features\\TamperProtection*" Details="DWORD (0x00000000)" NOT ((Image="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*" Image="*\\MsMpEng.exe") OR Image="C:\\Program Files\\Windows Defender\\MsMpEng.exe") | fields - _raw | collect index=notable_events source="Disable Tamper Protection on Windows Defender" marker="guid=93d298a1-d28f-47f1-a468-d971e7796679,tags=attack.defense-evasion,tags=attack.t1562.001," +[Hiding User Account Via SpecialAccounts Registry Key] +description = Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 EventType="SetValue" TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList*" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="Hiding User Account Via SpecialAccounts Registry Key" marker="guid=f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd,tags=attack.defense-evasion,tags=attack.t1564.002," +[Potential Persistence Via Custom Protocol Handler] +description = Detects potential persistence activity via the registering of a new custom protocole handlers. 
While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="HKCR\\*" Details="URL:*" NOT (Details="URL:ms-*" OR Image IN ("C:\\Program Files (x86)*", "C:\\Program Files\\*", "C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*")) | fields - _raw | collect index=notable_events source="Potential Persistence Via Custom Protocol Handler" marker="guid=fdbf0b9d-0182-4c43-893b-a1eaab92d085,tags=attack.defense-evasion,tags=attack.t1112," +[UAC Disabled] +description = Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA*" Details="DWORD (0x00000000)" | fields - _raw | collect index=notable_events source="UAC Disabled" marker="guid=48437c39-9e5f-47fb-af95-3d663c3f2919,tags=attack.privilege-escalation,tags=attack.defense-evasion,tags=attack.t1548.002," +[Potentially Suspicious ODBC Driver Registered] +description = Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\ODBC\\ODBCINST.INI\\*" TargetObject IN ("*\\Driver", "*\\Setup") Details IN ("*:\\PerfLogs\\*", "*:\\ProgramData\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Registration\\CRMLog*", "*:\\Windows\\System32\\com\\dmp\\*", "*:\\Windows\\System32\\FxsTmp\\*", "*:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*:\\Windows\\System32\\spool\\drivers\\color\\*", "*:\\Windows\\System32\\spool\\PRINTERS\\*", 
"*:\\Windows\\System32\\spool\\SERVERS\\*", "*:\\Windows\\System32\\Tasks_Migrated\\*", "*:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\*", "*:\\Windows\\SysWOW64\\com\\dmp\\*", "*:\\Windows\\SysWOW64\\FxsTmp\\*", "*:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*", "*:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*:\\Windows\\Tracing\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*") | fields - _raw | collect index=notable_events source="Potentially Suspicious ODBC Driver Registered" marker="guid=e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4,tags=attack.persistence,tags=attack.t1003," +[Disable Exploit Guard Network Protection on Windows Defender] +description = Detects disabling Windows Defender Exploit Guard Network Protection +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride*" Details="DWORD (00000001)" | fields - _raw | collect index=notable_events source="Disable Exploit Guard Network Protection on Windows Defender" marker="guid=bf9e1387-b040-4393-9851-1598f8ecfae9,tags=attack.defense-evasion,tags=attack.t1562.001," +[Custom File Open Handler Executes PowerShell] +description = Detects the abuse of custom file open handler, executing powershell +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*shell\\open\\command\\*" Details="*powershell*" Details="*-command*" | fields - _raw | collect index=notable_events source="Custom File Open Handler Executes PowerShell" marker="guid=7530b96f-ad8e-431d-a04d-ac85cc461fdc,tags=attack.defense-evasion,tags=attack.t1202," +[Modification of IE Registry Settings] +description = Detects modification of the registry settings used for Internet Explorer and other Windows 
components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings*" NOT (Details="DWORD*" OR Details IN ("Cookie:", "Visited:", "(Empty)") OR TargetObject IN ("*\\Cache*", "*\\ZoneMap*", "*\\WpadDecision*") OR Details="Binary Data" OR TargetObject="*\\Accepted Documents\\*") | fields - _raw | collect index=notable_events source="Modification of IE Registry Settings" marker="guid=d88d0ab2-e696-4d40-a2ed-9790064e66b3,tags=attack.defense-evasion,tags=attack.t1112," +[Suspicious Application Allowed Through Exploit Guard] +description = Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications*" TargetObject IN ("*\\Users\\Public\\*", "*\\AppData\\Local\\Temp\\*", "*\\Desktop\\*", "*\\PerfLogs\\*", "*\\Windows\\Temp\\*") | fields - _raw | collect index=notable_events source="Suspicious Application Allowed Through Exploit Guard" marker="guid=42205c73-75c8-4a63-9db1-e3782e06fda0,tags=attack.defense-evasion,tags=attack.t1562.001," +[Wow6432Node CurrentVersion Autorun Keys Modification] +description = Detects modification of autostart extensibility point (ASEP) in registry. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion*" TargetObject IN ("*\\ShellServiceObjectDelayLoad*", "*\\Run\\*", "*\\RunOnce\\*", "*\\RunOnceEx\\*", "*\\RunServices\\*", "*\\RunServicesOnce\\*", "*\\Explorer\\ShellServiceObjects*", "*\\Explorer\\ShellIconOverlayIdentifiers*", "*\\Explorer\\ShellExecuteHooks*", "*\\Explorer\\SharedTaskScheduler*", "*\\Explorer\\Browser Helper Objects*") NOT (Details="(Empty)" OR (Image="*C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{*" Image="*\\setup.exe*") OR (Image="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" TargetObject="*\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\*") OR (Image IN ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe") TargetObject="*\\Explorer\\Browser Helper Objects\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\*") OR Details="*-A251-47B7-93E1-CDD82E34AF8B}" OR Details="grpconv -o" OR (Details="*C:\\Program Files*" Details="*\\Dropbox\\Client\\Dropbox.exe*" Details="* /systemstartup*") OR TargetObject="*\\Explorer\\Browser Helper Objects\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\NoExplorer" OR (Image="*\\windowsdesktop-runtime-*" TargetObject IN ("*\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}", "*\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7037b699-7382-448c-89a7-4765961d2537}") Details="\"C:\\ProgramData\\Package Cache\\*" Details="*.exe\" /burn.runonce") OR (Image IN ("C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*", "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\*") Image="*\\OfficeClickToRun.exe") OR Details="\"C:\\ProgramData\\Package 
Cache\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\windowsdesktop-runtime-*" OR (Image="*\\VC_redist.x64.exe" Details="*}\\VC_redist.x64.exe\" /burn.runonce") OR (Image IN ("C:\\ProgramData\\Package Cache*", "C:\\Windows\\Temp\\*") Image IN ("*\\winsdksetup.exe*", "*\\windowsdesktop-runtime-*", "*\\AspNetCoreSharedFrameworkBundle-*") Details="* /burn.runonce") OR (Image="C:\\Windows\\Installer\\MSI*" TargetObject="*\\Explorer\\Browser Helper Objects*") OR (Image="C:\\WINDOWS\\system32\\msiexec.exe" TargetObject="*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\*")) | table SecurityID,ObjectName,OldValueType,NewValueType | fields - _raw | collect index=notable_events source="Wow6432Node CurrentVersion Autorun Keys Modification" marker="guid=b29aed60-ebd1-442b-9cb5-16a1d0324adb,tags=attack.persistence,tags=attack.t1547.001," +[New BgInfo.EXE Custom WMI Query Registry Configuration] +description = Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 EventType="SetValue" TargetObject="*\\Software\\Winternals\\BGInfo\\UserFields\\*" Details="6*" | fields - _raw | collect index=notable_events source="New BgInfo.EXE Custom WMI Query Registry Configuration" marker="guid=cd277474-5c52-4423-a52b-ac2d7969902f,tags=attack.defense-evasion,tags=attack.t1112," +[COM Hijacking via TreatAs] +description = Detect modification of TreatAs key to enable "rundll32.exe -sta" command +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*TreatAs\\(Default)" NOT ((Image="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*" Image="*\\OfficeClickToRun.exe") OR Image="C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe" OR Image="C:\\Windows\\system32\\svchost.exe" OR Image IN 
("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) | fields - _raw | collect index=notable_events source="COM Hijacking via TreatAs" marker="guid=dc5c24af-6995-49b2-86eb-a9ff62199e82,tags=attack.persistence,tags=attack.t1546.015," +[Suspicious Keyboard Layout Load] +description = Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject IN ("*\\Keyboard Layout\\Preload\\*", "*\\Keyboard Layout\\Substitutes\\*") Details IN ("*00000429*", "*00050429*", "*0000042a*") | fields - _raw | collect index=notable_events source="Suspicious Keyboard Layout Load" marker="guid=34aa0252-6039-40ff-951f-939fd6ce47d8,tags=attack.resource-development,tags=attack.t1588.002," +[Suspicious Printer Driver Empty Manufacturer] +description = Detects a suspicious printer driver installation with an empty Manufacturer value +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\Control\\Print\\Environments\\Windows x64\\Drivers*" TargetObject="*\\Manufacturer*" Details="(Empty)" NOT (TargetObject="*\\CutePDF Writer v4.0\\*" OR TargetObject IN ("*\\VNC Printer (PS)\\*", "*\\VNC Printer (UD)\\*") OR TargetObject="*\\Version-3\\PDF24\\*") | fields - _raw | collect index=notable_events source="Suspicious Printer Driver Empty Manufacturer" marker="guid=e0813366-0407-449a-9869-a2db1119dc41,tags=attack.privilege-escalation,tags=attack.t1574,tags=cve.2021-1675," +[Potential PSFactoryBuffer COM Hijacking] +description = Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" NOT (Details IN ("%windir%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll")) | fields - _raw | collect index=notable_events source="Potential PSFactoryBuffer COM Hijacking" marker="guid=243380fa-11eb-4141-af92-e14925e77c1b,tags=attack.persistence,tags=attack.t1546.015," +[ServiceDll Hijack] +description = Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\System\\*" TargetObject="*ControlSet*" TargetObject="*\\Services\\*" TargetObject="*\\Parameters\\ServiceDll" NOT (Details="C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll" OR (Image="C:\\Windows\\system32\\lsass.exe" TargetObject="*\\Services\\NTDS\\Parameters\\ServiceDll" Details="%%systemroot%%\\system32\\ntdsa.dll") OR Image="C:\\Windows\\System32\\poqexec.exe") NOT (Image="*\\regsvr32.exe" Details="C:\\Windows\\System32\\STAgent.dll") | fields - _raw | collect index=notable_events source="ServiceDll Hijack" marker="guid=612e47e9-8a59-43a6-b404-f48683f45bd6,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1543.003," +[Potential Persistence Via LSA Extensions] +description = Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions*" | fields - _raw | collect index=notable_events source="Potential Persistence Via LSA Extensions" marker="guid=41f6531d-af6e-4c6e-918f-b946f2b85a36,tags=attack.persistence," +[Potential Persistence Via Scrobj.dll COM Hijacking] +description = Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=13 TargetObject="*InprocServer32\\(Default)" Details="C:\\WINDOWS\\system32\\scrobj.dll" | fields - _raw | collect index=notable_events source="Potential Persistence Via Scrobj.dll COM Hijacking" marker="guid=fe20dda1-6f37-4379-bbe0-a98d400cae90,tags=attack.persistence,tags=attack.t1546.015," +[Network Connection Initiated To Mega.nz] +description = Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" DestinationHostname IN ("*mega.co.nz", "*mega.nz") | fields - _raw | collect index=notable_events source="Network Connection Initiated To Mega.nz" marker="guid=fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4,tags=attack.exfiltration,tags=attack.t1567.001," +[Network Communication With Crypto Mining Pool] +description = Detects initiated network connections to crypto mining pools +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationHostname IN ("alimabi.cn", "ap.luckpool.net", "bcn.pool.minergate.com", "bcn.vip.pool.minergate.com", "bohemianpool.com", "ca-aipg.miningocean.org", "ca-dynex.miningocean.org", "ca-neurai.miningocean.org", "ca-qrl.miningocean.org", "ca-upx.miningocean.org", "ca-zephyr.miningocean.org", "ca.minexmr.com", "ca.monero.herominers.com", "cbd.monerpool.org", "cbdv2.monerpool.org", "cryptmonero.com", "crypto-pool.fr", "crypto-pool.info", "cryptonight-hub.miningpoolhub.com", "d1pool.ddns.net", "d5pool.us", "daili01.monerpool.org", "de-aipg.miningocean.org", "de-dynex.miningocean.org", "de-zephyr.miningocean.org", "de.minexmr.com", "dl.nbminer.com", "donate.graef.in", "donate.ssl.xmrig.com", "donate.v2.xmrig.com", "donate.xmrig.com", "donate2.graef.in", "drill.moneroworld.com", "dwarfpool.com", "emercoin.com", "emercoin.net", "emergate.net", "ethereumpool.co", "eu.luckpool.net", "eu.minerpool.pw", "fcn-xmr.pool.minergate.com", "fee.xmrig.com", "fr-aipg.miningocean.org", "fr-dynex.miningocean.org", "fr-neurai.miningocean.org", "fr-qrl.miningocean.org", "fr-upx.miningocean.org", "fr-zephyr.miningocean.org", "fr.minexmr.com", "hellominer.com", "herominers.com", "hk-aipg.miningocean.org", "hk-dynex.miningocean.org", "hk-neurai.miningocean.org", "hk-qrl.miningocean.org", "hk-upx.miningocean.org", "hk-zephyr.miningocean.org", "huadong1-aeon.ppxxmr.com", "iwanttoearn.money", 
"jw-js1.ppxxmr.com", "koto-pool.work", "lhr.nbminer.com", "lhr3.nbminer.com", "linux.monerpool.org", "lokiturtle.herominers.com", "luckpool.net", "masari.miner.rocks", "mine.c3pool.com", "mine.moneropool.com", "mine.ppxxmr.com", "mine.zpool.ca", "mine1.ppxxmr.com", "minemonero.gq", "miner.ppxxmr.com", "miner.rocks", "minercircle.com", "minergate.com", "minerpool.pw", "minerrocks.com", "miners.pro", "minerxmr.ru", "minexmr.cn", "minexmr.com", "mining-help.ru", "miningpoolhub.com", "mixpools.org", "moner.monerpool.org", "moner1min.monerpool.org", "monero-master.crypto-pool.fr", "monero.crypto-pool.fr", "monero.hashvault.pro", "monero.herominers.com", "monero.lindon-pool.win", "monero.miners.pro", "monero.riefly.id", "monero.us.to", "monerocean.stream", "monerogb.com", "monerohash.com", "moneroocean.stream", "moneropool.com", "moneropool.nl", "monerorx.com", "monerpool.org", "moriaxmr.com", "mro.pool.minergate.com", "multipool.us", "myxmr.pw", "na.luckpool.net", "nanopool.org", "nbminer.com", "node3.luckpool.net", "noobxmr.com", "pangolinminer.comgandalph3000.com", "pool.4i7i.com", "pool.armornetwork.org", "pool.cortins.tk", "pool.gntl.co.uk", "pool.hashvault.pro", "pool.minergate.com", "pool.minexmr.com", "pool.monero.hashvault.pro", "pool.ppxxmr.com", "pool.somec.cc", "pool.support", "pool.supportxmr.com", "pool.usa-138.com", "pool.xmr.pt", "pool.xmrfast.com", "pool2.armornetwork.org", "poolchange.ppxxmr.com", "pooldd.com", "poolmining.org", "poolto.be", "ppxvip1.ppxxmr.com", "ppxxmr.com", "prohash.net", "r.twotouchauthentication.online", "randomx.xmrig.com", "ratchetmining.com", "seed.emercoin.com", "seed.emercoin.net", "seed.emergate.net", "seed1.joulecoin.org", "seed2.joulecoin.org", "seed3.joulecoin.org", "seed4.joulecoin.org", "seed5.joulecoin.org", "seed6.joulecoin.org", "seed7.joulecoin.org", "seed8.joulecoin.org", "sg-aipg.miningocean.org", "sg-dynex.miningocean.org", "sg-neurai.miningocean.org", "sg-qrl.miningocean.org", "sg-upx.miningocean.org", 
"sg-zephyr.miningocean.org", "sg.minexmr.com", "sheepman.mine.bz", "siamining.com", "sumokoin.minerrocks.com", "supportxmr.com", "suprnova.cc", "teracycle.net", "trtl.cnpool.cc", "trtl.pool.mine2gether.com", "turtle.miner.rocks", "us-aipg.miningocean.org", "us-dynex.miningocean.org", "us-neurai.miningocean.org", "us-west.minexmr.com", "us-zephyr.miningocean.org", "usxmrpool.com", "viaxmr.com", "webservicepag.webhop.net", "xiazai.monerpool.org", "xiazai1.monerpool.org", "xmc.pool.minergate.com", "xmo.pool.minergate.com", "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-us.suprnova.cc", "xmr-usa.dwarfpool.com", "xmr.2miners.com", "xmr.5b6b7b.ru", "xmr.alimabi.cn", "xmr.bohemianpool.com", "xmr.crypto-pool.fr", "xmr.crypto-pool.info", "xmr.f2pool.com", "xmr.hashcity.org", "xmr.hex7e4.ru", "xmr.ip28.net", "xmr.monerpool.org", "xmr.mypool.online", "xmr.nanopool.org", "xmr.pool.gntl.co.uk", "xmr.pool.minergate.com", "xmr.poolto.be", "xmr.ppxxmr.com", "xmr.prohash.net", "xmr.simka.pw", "xmr.somec.cc", "xmr.suprnova.cc", "xmr.usa-138.com", "xmr.vip.pool.minergate.com", "xmr1min.monerpool.org", "xmrf.520fjh.org", "xmrf.fjhan.club", "xmrfast.com", "xmrigcc.graef.in", "xmrminer.cc", "xmrpool.de", "xmrpool.eu", "xmrpool.me", "xmrpool.net", "xmrpool.xyz", "xx11m.monerpool.org", "xx11mv2.monerpool.org", "xxx.hex7e4.ru", "zarabotaibitok.ru", "zer0day.ru") | fields - _raw | collect index=notable_events source="Network Communication With Crypto Mining Pool" marker="guid=fa5b1358-b040-4403-9868-15f7d9ab6329,tags=attack.impact,tags=attack.t1496," +[Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location] +description = Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" Image IN ("*:\\$Recycle.bin*", "*:\\Perflogs\\*", "*:\\Temp\\*", "*:\\Users\\Default\\*", "*:\\Windows\\Fonts\\*", "*:\\Windows\\IME\\*", "*:\\Windows\\System32\\Tasks\\*", "*:\\Windows\\Tasks\\*", "*\\config\\systemprofile\\*", "*\\Windows\\addins\\*") NOT (DestinationHostname IN ("*.githubusercontent.com", "*anonfiles.com", "*cdn.discordapp.com", "*ddns.net", "*dl.dropboxusercontent.com", "*ghostbin.co", "*glitch.me", "*gofile.io", "*hastebin.com", "*mediafire.com", "*mega.co.nz", "*mega.nz", "*onrender.com", "*pages.dev", "*paste.ee", "*pastebin.com", "*pastebin.pl", "*pastetext.net", "*portmap.io", "*privatlab.com", "*privatlab.net", "*send.exploit.in", "*sendspace.com", "*storage.googleapis.com", "*storjshare.io", "*supabase.co", "*temp.sh", "*transfer.sh", "*trycloudflare.com", "*ufile.io", "*w3spaces.com", "*workers.dev")) | fields - _raw | collect index=notable_events source="Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location" marker="guid=7b434893-c57d-4f41-908d-6a17bf1ae98f,tags=attack.command-and-control,tags=attack.t1105," +[Office Application Initiated Network Connection Over Uncommon Ports] +description = Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" Image IN ("*\\excel.exe", "*\\outlook.exe", "*\\powerpnt.exe", "*\\winword.exe", "*\\wordview.exe") NOT (DestinationPort IN (53, 80, 139, 443, 445) OR (Image="*:\\Program Files\\Microsoft Office\\*" Image="*\\OUTLOOK.EXE" DestinationPort IN (143, 465, 587, 993, 995))) | fields - _raw | collect index=notable_events source="Office Application Initiated Network Connection Over Uncommon Ports" marker="guid=3b5ba899-9842-4bc2-acc2-12308498bf42,tags=attack.defense-evasion,tags=attack.command-and-control," +[Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder] +description = Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Image IN ("*:\\$Recycle.bin*", "*:\\Perflogs\\*", "*:\\Temp\\*", "*:\\Users\\Default\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Fonts\\*", "*:\\Windows\\IME\\*", "*:\\Windows\\System32\\Tasks\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Temp\\*", "*\\config\\systemprofile\\*", "*\\Windows\\addins\\*") Initiated="true" DestinationHostname IN ("*.githubusercontent.com", "*anonfiles.com", "*cdn.discordapp.com", "*ddns.net", "*dl.dropboxusercontent.com", "*ghostbin.co", "*glitch.me", "*gofile.io", "*hastebin.com", "*mediafire.com", "*mega.co.nz", "*mega.nz", "*onrender.com", "*pages.dev", "*paste.ee", "*pastebin.com", "*pastebin.pl", "*pastetext.net", "*privatlab.com", "*privatlab.net", "*send.exploit.in", "*sendspace.com", "*storage.googleapis.com", "*storjshare.io", "*supabase.co", "*temp.sh", "*transfer.sh", "*trycloudflare.com", "*ufile.io", "*w3spaces.com", "*workers.dev") | fields - _raw | collect index=notable_events source="Network Communication Initiated To File Sharing Domains From Process 
Located In Suspicious Folder" marker="guid=e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97,tags=attack.command-and-control,tags=attack.t1105," +[Suspicious Dropbox API Usage] +description = Detects an executable that isn't dropbox but communicates with the Dropbox API +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" DestinationHostname IN ("*api.dropboxapi.com", "*content.dropboxapi.com") NOT Image="*\\Dropbox*" | fields - _raw | collect index=notable_events source="Suspicious Dropbox API Usage" marker="guid=25eabf56-22f0-4915-a1ed-056b8dae0a68,tags=attack.command-and-control,tags=attack.t1105," +[Network Connection Initiated By IMEWDBLD.EXE] +description = Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" Image="*\\IMEWDBLD.exe" | fields - _raw | collect index=notable_events source="Network Connection Initiated By IMEWDBLD.EXE" marker="guid=8d7e392e-9b28-49e1-831d-5949c6281228,tags=attack.command-and-control,tags=attack.t1105," +[Network Connection Initiated By AddinUtil.EXE] +description = Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" Image="*\\addinutil.exe" | fields - _raw | collect index=notable_events source="Network Connection Initiated By AddinUtil.EXE" marker="guid=5205613d-2a63-4412-a895-3a2458b587b3,tags=attack.defense-evasion,tags=attack.t1218," +[Network Connection Initiated To DevTunnels Domain] +description = Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" DestinationHostname="*.devtunnels.ms" | fields - _raw | collect index=notable_events source="Network Connection Initiated To DevTunnels Domain" marker="guid=9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4,tags=attack.exfiltration,tags=attack.t1567.001," +[Python Initiated Connection] +description = Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" Image="*python*" NOT (DestinationIp="127.0.0.1" SourceIp="127.0.0.1") NOT ((ParentImage="C:\\ProgramData\\Anaconda3\\Scripts\\conda.exe" CommandLine="*:\\ProgramData\\Anaconda3\\Scripts\\conda-script.py*" CommandLine="*update*") OR (ParentImage="C:\\ProgramData\\Anaconda3\\python.exe" CommandLine="*C:\\ProgramData\\Anaconda3\\Scripts\\jupyter-notebook-script.py*")) | fields - _raw | collect index=notable_events source="Python Initiated Connection" marker="guid=bef0bc5a-b9ae-425d-85c6-7b2d705980c6,tags=attack.discovery,tags=attack.t1046," +[Network Connection Initiated To Visual Studio Code Tunnels Domain] +description = Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" DestinationHostname="*.tunnels.api.visualstudio.com" | fields - _raw | collect index=notable_events source="Network Connection Initiated To Visual Studio Code Tunnels Domain" marker="guid=4b657234-038e-4ad5-997c-4be42340bce4,tags=attack.exfiltration,tags=attack.t1567.001," +[Potential Remote PowerShell Session Initiated] +description = Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicates a remote PowerShell connection. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationPort IN (5985, 5986) Initiated="true" SourceIsIpv6="false" NOT (User IN ("*NETWORK SERVICE*", "*NETZWERKDIENST*", "*SERVICIO DE RED*", "*SERVIZIO DI RETE*") OR (User="*SERVICE R*" User="*SEAU*") OR (SourceIp IN ("::1", "127.0.0.1") DestinationIp IN ("::1", "127.0.0.1"))) NOT (Image IN ("C:\\Program Files\\Avast Software\\Avast\\AvastSvc.exe", "C:\\Program Files (x86)\\Avast Software\\Avast\\AvastSvc.exe")) | fields - _raw | collect index=notable_events source="Potential Remote PowerShell Session Initiated" marker="guid=c539afac-c12a-46ed-b1bd-5a5567c9f045,tags=attack.execution,tags=attack.t1059.001,tags=attack.lateral-movement,tags=attack.t1021.006," +[Suspicious Network Connection Binary No CommandLine] +description = Detects suspicious network connections made by a well-known Windows binary run with no command line parameters +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" Image IN ("*\\regsvr32.exe", "*\\rundll32.exe", "*\\dllhost.exe") CommandLine IN ("*\\regsvr32.exe", "*\\rundll32.exe", "*\\dllhost.exe") NOT (CommandLine="" OR CommandLine!=*) | fields - _raw | collect index=notable_events source="Suspicious Network Connection Binary No CommandLine" marker="guid=20384606-a124-4fec-acbb-8bd373728613,tags=attack.defense-evasion," +[Uncommon Outbound Kerberos Connection] +description = Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationPort=88 Initiated="true" NOT Image="C:\\Windows\\System32\\lsass.exe" NOT (Image IN ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe") OR Image IN ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe") OR Image="*\\tomcat\\bin\\tomcat8.exe") | fields - _raw | collect index=notable_events source="Uncommon Outbound Kerberos Connection" marker="guid=e54979bd-c5f9-4d6c-967b-a04b19ac4c74,tags=attack.credential-access,tags=attack.t1558,tags=attack.lateral-movement,tags=attack.t1550.003," +[Suspicious Non-Browser Network Communication With Telegram API] +description = Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2 +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationHostname="*api.telegram.org*" NOT (Image="*\\brave.exe" OR Image IN ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") OR Image IN ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") OR Image IN ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe") OR Image="*\\maxthon.exe" OR Image="C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*" OR Image="*\\WindowsApps\\MicrosoftEdge.exe" OR Image IN ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe") OR (Image IN ("C:\\Program Files (x86)\\Microsoft\\EdgeCore\\*", "C:\\Program Files\\Microsoft\\EdgeCore\\*") Image IN ("*\\msedge.exe", "*\\msedgewebview2.exe")) OR Image="*\\opera.exe" OR Image="*\\safari.exe" OR 
Image="*\\seamonkey.exe" OR Image="*\\vivaldi.exe" OR Image="*\\whale.exe") | fields - _raw | collect index=notable_events source="Suspicious Non-Browser Network Communication With Telegram API" marker="guid=c3dbbc9f-ef1d-470a-a90a-d343448d5875,tags=attack.command-and-control,tags=attack.t1102," +[New Connection Initiated To Potential Dead Drop Resolver Domain] +description = Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" DestinationHostname IN ("*.t.me", "*4shared.com", "*abuse.ch", "*anonfiles.com", "*cdn.discordapp.com", "*cloudflare.com", "*ddns.net", "*discord.com", "*docs.google.com", "*drive.google.com", "*dropbox.com", "*dropmefiles.com", "*facebook.com", "*feeds.rapidfeeds.com", "*fotolog.com", "*ghostbin.co/", "*githubusercontent.com", "*gofile.io", "*hastebin.com", "*imgur.com", "*livejournal.com", "*mediafire.com", "*mega.co.nz", "*mega.nz", "*onedrive.com", "*pages.dev", "*paste.ee", "*pastebin.com", "*pastebin.pl", "*pastetext.net", "*privatlab.com", "*privatlab.net", "*reddit.com", "*send.exploit.in", "*sendspace.com", "*steamcommunity.com", "*storage.googleapis.com", "*technet.microsoft.com", "*temp.sh", "*transfer.sh", "*trycloudflare.com", "*twitter.com", "*ufile.io", "*vimeo.com", "*w3spaces.com", "*wetransfer.com", "*workers.dev", "*youtube.com") NOT (Image IN ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") OR (Image="C:\\Users\\*" Image="*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe") OR Image IN ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", 
"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") OR (Image="C:\\Users\\*" Image="*\\AppData\\Local\\Mozilla Firefox\\firefox.exe") OR Image IN ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe") OR Image="C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*" OR Image="*\\WindowsApps\\MicrosoftEdge.exe" OR Image IN ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe") OR (Image IN ("C:\\Program Files (x86)\\Microsoft\\EdgeCore\\*", "C:\\Program Files\\Microsoft\\EdgeCore\\*") Image IN ("*\\msedge.exe", "*\\msedgewebview2.exe")) OR (Image IN ("*C:\\Program Files (x86)\\Safari\\*", "*C:\\Program Files\\Safari\\*") Image="*\\safari.exe") OR (Image IN ("*C:\\Program Files\\Windows Defender Advanced Threat Protection\\*", "*C:\\Program Files\\Windows Defender\\*", "*C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*") Image IN ("*\\MsMpEng.exe", "*\\MsSense.exe")) OR Image IN ("*C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe", "*C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe") OR (Image="C:\\Program Files\\BraveSoftware\\*" Image="*\\brave.exe") OR (Image="*\\AppData\\Local\\Maxthon\\*" Image="*\\maxthon.exe") OR (Image="*\\AppData\\Local\\Programs\\Opera\\*" Image="*\\opera.exe") OR (Image IN ("C:\\Program Files\\SeaMonkey\\*", "C:\\Program Files (x86)\\SeaMonkey\\*") Image="*\\seamonkey.exe") OR (Image="*\\AppData\\Local\\Vivaldi\\*" Image="*\\vivaldi.exe") OR (Image IN ("C:\\Program Files\\Naver\\Naver Whale\\*", "C:\\Program Files (x86)\\Naver\\Naver Whale\\*") Image="*\\whale.exe") OR (Image IN ("C:\\Program Files\\Waterfox\\*", "C:\\Program Files (x86)\\Waterfox\\*") Image="*\\Waterfox.exe") OR (Image="*\\AppData\\Local\\Programs\\midori-ng\\*" Image="*\\Midori Next Generation.exe") OR (Image IN ("C:\\Program Files\\SlimBrowser\\*", "C:\\Program Files (x86)\\SlimBrowser\\*") 
Image="*\\slimbrowser.exe") OR (Image="*\\AppData\\Local\\Flock\\*" Image="*\\Flock.exe") OR (Image="*\\AppData\\Local\\Phoebe\\*" Image="*\\Phoebe.exe") OR (Image IN ("C:\\Program Files\\Falkon\\*", "C:\\Program Files (x86)\\Falkon\\*") Image="*\\falkon.exe") OR (Image IN ("C:\\Program Files (x86)\\QtWeb\\*", "C:\\Program Files\\QtWeb\\*") Image="*\\QtWeb.exe") OR (Image IN ("C:\\Program Files (x86)\\Avant Browser\\*", "C:\\Program Files\\Avant Browser\\*") Image="*\\avant.exe") OR (Image IN ("C:\\Program Files (x86)\\WindowsApps\\*", "C:\\Program Files\\WindowsApps\\*") Image="*\\WhatsApp.exe" DestinationHostname="*facebook.com") OR (Image="*\\AppData\\Roaming\\Telegram Desktop\\*" Image="*\\Telegram.exe" DestinationHostname="*.t.me") OR (Image="*\\AppData\\Local\\Microsoft\\OneDrive\\*" Image="*\\OneDrive.exe" DestinationHostname="*onedrive.com") OR (Image IN ("C:\\Program Files (x86)\\Dropbox\\Client\\*", "C:\\Program Files\\Dropbox\\Client\\*") Image IN ("*\\Dropbox.exe", "*\\DropboxInstaller.exe") DestinationHostname="*dropbox.com") OR (Image IN ("*\\MEGAsync.exe", "*\\MEGAsyncSetup32_*RC.exe", "*\\MEGAsyncSetup32.exe", "*\\MEGAsyncSetup64.exe", "*\\MEGAupdater.exe") DestinationHostname IN ("*mega.co.nz", "*mega.nz")) OR (Image IN ("*C:\\Program Files\\Google\\Drive File Stream\\*", "*C:\\Program Files (x86)\\Google\\Drive File Stream\\*") Image="*GoogleDriveFS.exe" DestinationHostname="*drive.google.com") OR (Image="*\\AppData\\Local\\Discord\\*" Image="*\\Discord.exe" DestinationHostname IN ("*discord.com", "*cdn.discordapp.com")) OR Image!=* OR Image="") | fields - _raw | collect index=notable_events source="New Connection Initiated To Potential Dead Drop Resolver Domain" marker="guid=297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7,tags=attack.command-and-control,tags=attack.t1102,tags=attack.t1102.001," +[Network Connection Initiated By Eqnedt32.EXE] +description = Detects network connections from the Equation Editor process "eqnedt32.exe". 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Image="*\\eqnedt32.exe" | fields - _raw | collect index=notable_events source="Network Connection Initiated By Eqnedt32.EXE" marker="guid=a66bc059-c370-472c-a0d7-f8fd1bf9d583,tags=attack.execution,tags=attack.t1203," +[Outbound RDP Connections Over Non-Standard Tools] +description = Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling that you might use. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationPort=3389 Initiated="true" NOT (Image IN ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")) NOT ((Image="C:\\Windows\\System32\\dns.exe" SourcePort=53 Protocol="udp") OR Image IN ("*\\Avast Software\\Avast\\AvastSvc.exe", "*\\Avast\\AvastSvc.exe") OR Image="*\\RDCMan.exe" OR Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" OR Image IN ("*\\FSAssessment.exe", "*\\FSDiscovery.exe", "*\\MobaRTE.exe", "*\\mRemote.exe", "*\\mRemoteNG.exe", "*\\Passwordstate.exe", "*\\RemoteDesktopManager.exe", "*\\RemoteDesktopManager64.exe", "*\\RemoteDesktopManagerFree.exe", "*\\RSSensor.exe", "*\\RTS2App.exe", "*\\RTSApp.exe", "*\\spiceworks-finder.exe", "*\\Terminals.exe", "*\\ws_TunnelService.exe") OR Image IN ("*\\thor.exe", "*\\thor64.exe") OR Image="C:\\Program Files\\SplunkUniversalForwarder\\bin\\*" OR Image="*\\Ranger\\SentinelRanger.exe" OR Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" OR Image IN ("C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe", "C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe") OR Image!=* OR Image="" OR Image="") | fields - _raw | collect index=notable_events source="Outbound RDP Connections Over Non-Standard Tools" 
marker="guid=ed74fe75-7594-4b4b-ae38-e38e3fd2eb23,tags=attack.lateral-movement,tags=attack.t1021.001,tags=car.2013-07-002," +[Process Initiated Network Connection To Ngrok Domain] +description = Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" DestinationHostname IN ("*.ngrok-free.app", "*.ngrok-free.dev", "*.ngrok.app", "*.ngrok.dev", "*.ngrok.io") | fields - _raw | collect index=notable_events source="Process Initiated Network Connection To Ngrok Domain" marker="guid=18249279-932f-45e2-b37a-8925f2597670,tags=attack.exfiltration,tags=attack.t1567.001," +[Network Communication Initiated To Portmap.IO Domain] +description = Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" DestinationHostname="*.portmap.io" | fields - _raw | collect index=notable_events source="Network Communication Initiated To Portmap.IO Domain" marker="guid=07837ab9-60e1-481f-a74d-c31fb496a94c,tags=attack.t1041,tags=attack.command-and-control,tags=attack.t1090.002,tags=attack.exfiltration," +[Network Connection Initiated By Regsvr32.EXE] +description = Detects a network connection initiated by "Regsvr32.exe" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" Image="*\\regsvr32.exe" | fields - _raw | collect index=notable_events source="Network Connection Initiated By Regsvr32.EXE" 
marker="guid=c7e91a02-d771-4a6d-a700-42587e0b1095,tags=attack.execution,tags=attack.t1559.001,tags=attack.defense-evasion,tags=attack.t1218.010," +[Suspicious Non-Browser Network Communication With Google API] +description = Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationHostname IN ("*drive.googleapis.com*", "*oauth2.googleapis.com*", "*sheets.googleapis.com*", "*www.googleapis.com*") NOT (Image!=* OR Image="") NOT (Image="*\\brave.exe" OR Image IN ("*:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "*:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") OR (Image="*:\\Program Files\\Google\\Drive File Stream\\*" Image="*\\GoogleDriveFS.exe") OR Image IN ("*:\\Program Files\\Mozilla Firefox\\firefox.exe", "*:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") OR Image IN ("*:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "*:\\Program Files\\Internet Explorer\\iexplore.exe") OR Image="*\\maxthon.exe" OR Image="*:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*" OR Image IN ("*:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "*:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe", "*\\WindowsApps\\MicrosoftEdge.exe") OR (Image IN ("*:\\Program Files (x86)\\Microsoft\\EdgeCore\\*", "*:\\Program Files\\Microsoft\\EdgeCore\\*") Image IN ("*\\msedge.exe", "*\\msedgewebview2.exe")) OR Image="*\\opera.exe" OR Image="*\\safari.exe" OR Image="*\\seamonkey.exe" OR Image="*\\vivaldi.exe" OR Image="*\\whale.exe" OR Image="*\\GoogleUpdate.exe" OR Image="*\\outlook.exe") | fields - _raw | collect index=notable_events source="Suspicious Non-Browser Network Communication With Google API" marker="guid=7e9cf7b6-e827-11ed-a05b-0242ac120003,tags=attack.command-and-control,tags=attack.t1102," +[Network Connection 
Initiated To Cloudflared Tunnels Domains] +description = Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" DestinationHostname IN ("*.v2.argotunnel.com", "*protocol-v2.argotunnel.com", "*trycloudflare.com", "*update.argotunnel.com") | fields - _raw | collect index=notable_events source="Network Connection Initiated To Cloudflared Tunnels Domains" marker="guid=7cd1dcdc-6edf-4896-86dc-d1f19ad64903,tags=attack.exfiltration,tags=attack.command-and-control,tags=attack.t1567.001," +[Network Connection Initiated To AzureWebsites.NET By Non-Browser Process] +description = Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" DestinationHostname="*azurewebsites.net" NOT (Image IN ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") OR (Image="C:\\Users\\*" Image="*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe") OR Image IN ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") OR (Image="C:\\Users\\*" Image="*\\AppData\\Local\\Mozilla Firefox\\firefox.exe") OR Image IN ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe") OR Image="C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*" OR Image="*\\WindowsApps\\MicrosoftEdge.exe" OR Image IN ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe") OR (Image IN ("C:\\Program Files (x86)\\Microsoft\\EdgeCore\\*", "C:\\Program Files\\Microsoft\\EdgeCore\\*") Image IN ("*\\msedge.exe", "*\\msedgewebview2.exe")) OR (Image IN ("*C:\\Program Files (x86)\\Safari\\*", "*C:\\Program Files\\Safari\\*") Image="*\\safari.exe") OR (Image IN ("*C:\\Program Files\\Windows Defender Advanced Threat Protection\\*", "*C:\\Program Files\\Windows Defender\\*", "*C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*") Image IN ("*\\MsMpEng.exe", "*\\MsSense.exe")) OR Image IN ("*C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe", "*C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe") OR (Image="C:\\Program Files\\BraveSoftware\\*" Image="*\\brave.exe") OR (Image="*\\AppData\\Local\\Maxthon\\*" Image="*\\maxthon.exe") OR (Image="*\\AppData\\Local\\Programs\\Opera\\*" Image="*\\opera.exe") OR (Image IN ("C:\\Program Files\\SeaMonkey\\*", "C:\\Program Files (x86)\\SeaMonkey\\*") Image="*\\seamonkey.exe") OR 
(Image="*\\AppData\\Local\\Vivaldi\\*" Image="*\\vivaldi.exe") OR (Image IN ("C:\\Program Files\\Naver\\Naver Whale\\*", "C:\\Program Files (x86)\\Naver\\Naver Whale\\*") Image="*\\whale.exe") OR (Image IN ("C:\\Program Files\\Waterfox\\*", "C:\\Program Files (x86)\\Waterfox\\*") Image="*\\Waterfox.exe") OR (Image IN ("C:\\Program Files\\SlimBrowser\\*", "C:\\Program Files (x86)\\SlimBrowser\\*") Image="*\\slimbrowser.exe") OR (Image="*\\AppData\\Local\\Flock\\*" Image="*\\Flock.exe") OR (Image="*\\AppData\\Local\\Phoebe\\*" Image="*\\Phoebe.exe") OR (Image IN ("C:\\Program Files\\Falkon\\*", "C:\\Program Files (x86)\\Falkon\\*") Image="*\\falkon.exe") OR (Image IN ("C:\\Program Files (x86)\\QtWeb\\*", "C:\\Program Files\\QtWeb\\*") Image="*\\QtWeb.exe") OR (Image IN ("C:\\Program Files (x86)\\Avant Browser\\*", "C:\\Program Files\\Avant Browser\\*") Image="*\\avant.exe") OR (Image="*\\AppData\\Local\\Discord\\*" Image="*\\Discord.exe") OR Image!=* OR Image="") | fields - _raw | collect index=notable_events source="Network Connection Initiated To AzureWebsites.NET By Non-Browser Process" marker="guid=5c80b618-0dbb-46e6-acbb-03d90bcb6d83,tags=attack.command-and-control,tags=attack.t1102,tags=attack.t1102.001," +[Suspicious Outbound SMTP Connections] +description = Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationPort IN (25, 587, 465, 2525) Initiated="true" NOT (Image IN ("*\\thunderbird.exe", "*\\outlook.exe") OR Image="C:\\Program Files\\Microsoft\\Exchange Server\\*" OR (Image="C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_*" Image="*\\HxTsr.exe")) | fields - _raw | collect index=notable_events source="Suspicious Outbound SMTP Connections" marker="guid=9976fa64-2804-423c-8a5b-646ade840773,tags=attack.exfiltration,tags=attack.t1048.003," +[Suspicious Wordpad Outbound Connections] +description = Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Initiated="true" Image="*\\wordpad.exe" NOT (DestinationPort IN (80, 139, 443, 445, 465, 587, 993, 995)) | fields - _raw | collect index=notable_events source="Suspicious Wordpad Outbound Connections" marker="guid=786cdae8-fefb-4eb2-9227-04e34060db01,tags=attack.defense-evasion,tags=attack.command-and-control," +[Potentially Suspicious Network Connection To Notion API] +description = Detects a non-browser process communicating with the Notion API. 
This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2" +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationHostname="*api.notion.com*" NOT (Image="*\\AppData\\Local\\Programs\\Notion\\Notion.exe" OR Image="*\\brave.exe" OR Image IN ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") OR Image IN ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") OR Image IN ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe") OR Image="*\\maxthon.exe" OR Image="C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*" OR Image="*\\WindowsApps\\MicrosoftEdge.exe" OR Image IN ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe") OR (Image IN ("C:\\Program Files (x86)\\Microsoft\\EdgeCore\\*", "C:\\Program Files\\Microsoft\\EdgeCore\\*") Image IN ("*\\msedge.exe", "*\\msedgewebview2.exe")) OR Image="*\\opera.exe" OR Image="*\\safari.exe" OR Image="*\\seamonkey.exe" OR Image="*\\vivaldi.exe" OR Image="*\\whale.exe") | fields - _raw | collect index=notable_events source="Potentially Suspicious Network Connection To Notion API" marker="guid=7e9cf7b6-e827-11ed-a05b-15959c120003,tags=attack.command-and-control,tags=attack.t1102," +[Network Connection Initiated Via Notepad.EXE] +description = Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Image="*\\notepad.exe" NOT DestinationPort=9100 | fields - _raw | collect index=notable_events source="Network Connection Initiated Via Notepad.EXE" marker="guid=e81528db-fc02-45e8-8e98-4e84aba1f10b,tags=attack.command-and-control,tags=attack.execution,tags=attack.defense-evasion,tags=attack.t1055," +[RDP to HTTP or HTTPS Target Ports] +description = Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443 +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Image="*\\svchost.exe" Initiated="true" SourcePort=3389 DestinationPort IN (80, 443) | fields - _raw | collect index=notable_events source="RDP to HTTP or HTTPS Target Ports" marker="guid=b1e5da3b-ca8e-4adf-915c-9921f3d85481,tags=attack.command-and-control,tags=attack.t1572,tags=attack.lateral-movement,tags=attack.t1021.001,tags=car.2013-07-002," +[Uncommon Network Connection Initiated By Certutil.EXE] +description = Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Image="*\\certutil.exe" Initiated="true" DestinationPort IN (80, 135, 443, 445) | fields - _raw | collect index=notable_events source="Uncommon Network Connection Initiated By Certutil.EXE" marker="guid=0dba975d-a193-4ed1-a067-424df57570d1,tags=attack.command-and-control,tags=attack.t1105," +[Silenttrinity Stager Msbuild Activity] +description = Detects a possible remote connections to Silenttrinity c2 +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 Image="*\\msbuild.exe" DestinationPort IN (80, 443) Initiated="true" | fields - _raw | collect index=notable_events source="Silenttrinity Stager Msbuild Activity" marker="guid=50e54b8d-ad73-43f8-96a1-5191685b17a4,tags=attack.execution,tags=attack.t1127.001," +[Communication To LocaltoNet Tunneling Service Initiated] +description = Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationHostname IN ("*.localto.net", "*.localtonet.com") Initiated="true" | fields - _raw | collect index=notable_events source="Communication To LocaltoNet Tunneling Service Initiated" marker="guid=3ab65069-d82a-4d44-a759-466661a082d1,tags=attack.command-and-control,tags=attack.t1572,tags=attack.t1090,tags=attack.t1102," +[Suspicious Network Connection to IP Lookup Service APIs] +description = Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationHostname IN ("www.ip.cn", "l2.io") OR DestinationHostname IN ("*api.2ip.ua*", "*api.bigdatacloud.net*", "*api.ipify.org*", "*bot.whatismyipaddress.com*", "*canireachthe.net*", "*checkip.amazonaws.com*", "*checkip.dyndns.org*", "*curlmyip.com*", "*db-ip.com*", "*edns.ip-api.com*", "*eth0.me*", "*freegeoip.app*", "*geoipy.com*", "*getip.pro*", "*icanhazip.com*", "*ident.me*", "*ifconfig.io*", "*ifconfig.me*", "*ip-api.com*", "*ip.360.cn*", "*ip.anysrc.net*", "*ip.taobao.com*", "*ip.tyk.nu*", "*ipaddressworld.com*", "*ipapi.co*", "*ipconfig.io*", "*ipecho.net*", "*ipinfo.io*", "*ipip.net*", "*ipof.in*", "*ipv4.icanhazip.com*", "*ipv4bot.whatismyipaddress.com*", "*ipv6-test.com*", "*ipwho.is*", "*jsonip.com*", "*myexternalip.com*", "*seeip.org*", "*wgetip.com*", "*whatismyip.akamai.com*", "*whois.pconline.com.cn*", "*wtfismyip.com*") NOT (Image="*\\brave.exe" OR Image IN ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") OR Image IN ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") OR Image IN ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe") OR Image="*\\maxthon.exe" OR Image="C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*" OR Image="*\\WindowsApps\\MicrosoftEdge.exe" OR Image IN ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe") OR (Image IN ("C:\\Program Files (x86)\\Microsoft\\EdgeCore\\*", "C:\\Program Files\\Microsoft\\EdgeCore\\*") Image IN ("*\\msedge.exe", "*\\msedgewebview2.exe")) OR Image="*\\opera.exe" OR Image="*\\safari.exe" OR Image="*\\seamonkey.exe" OR Image="*\\vivaldi.exe" OR Image="*\\whale.exe") | fields - _raw | collect index=notable_events 
source="Suspicious Network Connection to IP Lookup Service APIs" marker="guid=edf3485d-dac4-4d50-90e4-b0e5813f7e60,tags=attack.discovery,tags=attack.t1016," +[Communication To Ngrok Tunneling Service Initiated] +description = Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=3 DestinationHostname IN ("*tunnel.us.ngrok.com*", "*tunnel.eu.ngrok.com*", "*tunnel.ap.ngrok.com*", "*tunnel.au.ngrok.com*", "*tunnel.sa.ngrok.com*", "*tunnel.jp.ngrok.com*", "*tunnel.in.ngrok.com*") | fields - _raw | collect index=notable_events source="Communication To Ngrok Tunneling Service Initiated" marker="guid=1d08ac94-400d-4469-a82f-daee9a908849,tags=attack.exfiltration,tags=attack.command-and-control,tags=attack.t1567,tags=attack.t1568.002,tags=attack.t1572,tags=attack.t1090,tags=attack.t1102,tags=attack.s0508," +[HackTool - SysmonEnte Execution] +description = Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 (TargetImage IN ("*:\\Windows\\Sysmon.exe*", "*:\\Windows\\Sysmon64.exe*") GrantedAccess="0x1400" NOT (SourceImage IN ("*:\\Program Files (x86)\\*", "*:\\Program Files\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*") OR (SourceImage="*:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*" SourceImage="*\\MsMpEng.exe"))) OR CallTrace="Ente" | fields - _raw | collect index=notable_events source="HackTool - SysmonEnte Execution" marker="guid=d29ada0f-af45-4f27-8f32-f7b77c3dbc4e,tags=attack.defense-evasion,tags=attack.t1562.002," +[HackTool - CobaltStrike BOF Injection 
Pattern] +description = Detects a typical pattern of a CobaltStrike BOF which inject into other processes +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 GrantedAccess IN ("0x1028", "0x1fffff")\ +| regex CallTrace="^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$" | fields - _raw | collect index=notable_events source="HackTool - CobaltStrike BOF Injection Pattern" marker="guid=09706624-b7f6-455d-9d02-adee024cee1d,tags=attack.execution,tags=attack.t1106,tags=attack.defense-evasion,tags=attack.t1562.001," +[Function Call From Undocumented COM Interface EditionUpgradeManager] +description = Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 CallTrace="*editionupgrademanagerobj.dll*" | fields - _raw | collect index=notable_events source="Function Call From Undocumented COM Interface EditionUpgradeManager" marker="guid=fb3722e4-1a06-46b6-b772-253e2e7db933,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[Credential Dumping Attempt Via Svchost] +description = Detects when a process tries to access the memory of svchost to potentially dump credentials. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*\\svchost.exe" GrantedAccess="0x143a" NOT (SourceImage IN ("*\\services.exe", "*\\msiexec.exe")) | fields - _raw | collect index=notable_events source="Credential Dumping Attempt Via Svchost" marker="guid=174afcfa-6e40-4ae9-af64-496546389294,tags=attack.t1548," +[Potential Credential Dumping Activity Via LSASS] +description = Detects process access requests to the LSASS process with specific call trace calls and access masks. 
This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*\\lsass.exe" GrantedAccess IN ("*0x1038*", "*0x1438*", "*0x143a*", "*0x1fffff*") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*kernel32.dll*", "*kernelbase.dll*", "*ntdll.dll*") NOT (SourceUser IN ("*AUTHORI*", "*AUTORI*")) NOT ((CallTrace="*:\\Windows\\Temp\\asgard2-agent\\*" CallTrace="*\\thor\\thor64.exe+*" CallTrace="*|UNKNOWN(*" GrantedAccess="0x103800") OR SourceImage="*:\\Windows\\Sysmon64.exe") | fields - _raw | collect index=notable_events source="Potential Credential Dumping Activity Via LSASS" marker="guid=5ef9853e-4d0e-4a70-846f-a9ca37d876da,tags=attack.credential-access,tags=attack.t1003.001,tags=attack.s0002," +[Potential Direct Syscall of NtOpenProcess] +description = Detects potential calls to NtOpenProcess directly from NTDLL. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 CallTrace="UNKNOWN*" NOT ((TargetImage="*vcredist_x64.exe" SourceImage="*vcredist_x64.exe") OR (SourceImage IN ("*:\\Program Files (x86)\\*", "*:\\Program Files\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\WinSxS\\*") TargetImage IN ("*:\\Program Files (x86)\\*", "*:\\Program Files\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\WinSxS\\*")) OR etw_provider="Microsoft-Windows-Kernel-Audit-API-Calls") NOT ((TargetImage="*:\\Windows\\system32\\systeminfo.exe" SourceImage="*setup64.exe") OR (SourceImage="*:\\Windows\\Explorer.EXE" TargetImage="*:\\Program Files\\Cylance\\Desktop\\CylanceUI.exe") OR (SourceImage="*AmazonSSMAgentSetup.exe" TargetImage="*AmazonSSMAgentSetup.exe") OR (SourceImage="*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" TargetImage="*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe") OR (TargetImage="*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe" SourceImage="*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe") OR (TargetImage="*\\AppData\\Local\\Discord\\*" TargetImage="*\\Discord.exe") OR (SourceImage="*\\AppData\\Local\\yammerdesktop\\app-*" SourceImage="*\\Yammer.exe" TargetImage="*\\AppData\\Local\\yammerdesktop\\app-*" TargetImage="*\\Yammer.exe" GrantedAccess="0x1000") OR TargetImage="*\\Evernote\\Evernote.exe" OR (SourceImage="*:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\*" SourceImage="*\\AcroCEF.exe" TargetImage="*:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\*" TargetImage="*\\AcroCEF.exe")) | fields - _raw | collect index=notable_events source="Potential Direct Syscall of NtOpenProcess" marker="guid=3f3f3506-1895-401b-9cc3-e86b16e630d0,tags=attack.execution,tags=attack.t1106," +[Lsass Memory Dump via Comsvcs DLL] +description = Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from 
lsass. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*\\lsass.exe" SourceImage="*\\rundll32.exe" CallTrace="*comsvcs.dll*" | fields - _raw | collect index=notable_events source="Lsass Memory Dump via Comsvcs DLL" marker="guid=a49fa4d5-11db-418c-8473-1e014a8dd462,tags=attack.credential-access,tags=attack.t1003.001," +[Potentially Suspicious GrantedAccess Flags On LSASS] +description = Detects process access requests to LSASS process with potentially suspicious access flags +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*\\lsass.exe" GrantedAccess IN ("*30", "*50", "*70", "*90", "*B0", "*D0", "*F0", "*18", "*38", "*58", "*78", "*98", "*B8", "*D8", "*F8", "*1A", "*3A", "*5A", "*7A", "*9A", "*BA", "*DA", "*FA", "*0x14C2") OR GrantedAccess IN ("0x100000*", "0x1418*", "0x1438*", "0x143a*", "0x1f0fff*", "0x1f1fff*", "0x1f2fff*", "0x1f3fff*", "0x40*") NOT (SourceImage IN ("*:\\Program Files (x86)\\*", "*:\\Program Files\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*") OR (SourceImage="*:\\ProgramData\\Microsoft\\Windows Defender\\*" SourceImage="*\\MsMpEng.exe") OR (CallTrace="*|*:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{*" CallTrace="*}\\mpengine.dll+*" GrantedAccess="0x1418") OR CallTrace IN ("*|c:\\program files\\windows defender\\mprtp.dll*", "*|c:\\program files\\windows defender\\MpClient.dll*") OR (SourceImage="*\\explorer.exe" GrantedAccess="0x401")) NOT (SourceImage="*:\\ProgramData\\MALWAREBYTES\\MBAMSERVICE\\ctlrupdate\\mbupdatr.exe" OR SourceImage="*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" OR (SourceImage="*:\\ProgramData\\VMware\\VMware Tools\\*" SourceImage="*\\vmtoolsd.exe") OR (SourceImage IN ("*\\PROCEXP64.EXE", "*\\PROCEXP.EXE") GrantedAccess="0x40") OR (SourceImage="*\\MBAMInstallerService.exe" GrantedAccess="0x40") OR (SourceImage IN ("*\\aurora-agent-64.exe", 
"*\\aurora-agent.exe", "*\\thor.exe", "*\\thor64.exe") GrantedAccess="0x40") OR (SourceImage IN ("*\\handle.exe", "*\\handle64.exe") GrantedAccess="0x40") OR (SourceImage="*\\AppData\\Local\\WebEx\\WebexHost.exe" GrantedAccess="0x401") OR SourceImage="*\\SteamLibrary\\steamapps\\*") | fields - _raw | collect index=notable_events source="Potentially Suspicious GrantedAccess Flags On LSASS" marker="guid=a18dd26b-6450-46de-8c91-9659150cf088,tags=attack.credential-access,tags=attack.t1003.001,tags=attack.s0002," +[Credential Dumping Activity By Python Based Tool] +description = Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*\\lsass.exe" CallTrace="*_ctypes.pyd+*" CallTrace="*:\\Windows\\System32\\KERNELBASE.dll+*" CallTrace="*:\\Windows\\SYSTEM32\\ntdll.dll+*" CallTrace IN ("*python27.dll+*", "*python3*.dll+*") GrantedAccess="0x1FFFFF" | fields - _raw | collect index=notable_events source="Credential Dumping Activity By Python Based Tool" marker="guid=f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9,tags=attack.credential-access,tags=attack.t1003.001,tags=attack.s0349," +[UAC Bypass Using WOW64 Logger DLL Hijack] +description = Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30) +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 SourceImage="*:\\Windows\\SysWOW64\\*" GrantedAccess="0x1fffff" CallTrace="UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*" | fields - _raw | collect index=notable_events source="UAC Bypass Using WOW64 Logger DLL Hijack" marker="guid=4f6c43e2-f989-4ea5-bcd8-843b49a0317c,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1548.002," +[HackTool - LittleCorporal Generated Maldoc Injection] +description = Detects the process injection of a LittleCorporal generated Maldoc. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 SourceImage="*\\winword.exe" CallTrace="*:\\Windows\\Microsoft.NET\\Framework64\\v2.*" CallTrace="*UNKNOWN*" | fields - _raw | collect index=notable_events source="HackTool - LittleCorporal Generated Maldoc Injection" marker="guid=7bdde3bf-2a42-4c39-aa31-a92b3e17afac,tags=attack.execution,tags=attack.t1204.002,tags=attack.t1055.003," +[LSASS Access From Potentially White-Listed Processes] +description = Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*\\lsass.exe" SourceImage IN ("*\\TrolleyExpress.exe", "*\\ProcessDump.exe", "*\\dump64.exe") GrantedAccess IN ("*10", "*30", "*50", "*70", "*90", "*B0", "*D0", "*F0", "*18", "*38", "*58", "*78", "*98", "*B8", "*D8", "*F8", "*1A", "*3A", "*5A", "*7A", "*9A", "*BA", "*DA", "*FA", "*0x14C2", "*FF") | fields - _raw | collect index=notable_events source="LSASS Access From Potentially White-Listed Processes" marker="guid=4be8b654-0c01-4c9d-a10c-6b28467fc651,tags=attack.credential-access,tags=attack.t1003.001,tags=attack.s0002," +[Suspicious Svchost Process Access] +description = Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*:\\Windows\\System32\\svchost.exe" GrantedAccess="0x1F3FFF" CallTrace="*UNKNOWN*" NOT (SourceImage="*:\\Program Files\\Microsoft Visual Studio\\*" SourceImage="*\\MSBuild\\Current\\Bin\\MSBuild.exe" CallTrace IN ("*Microsoft.Build.ni.dll*", "*System.ni.dll*")) | fields - _raw | collect index=notable_events source="Suspicious Svchost Process Access" marker="guid=166e9c50-8cd9-44af-815d-d1f0c0e90dde,tags=attack.defense-evasion,tags=attack.t1562.002," +[Uncommon Process Access Rights For Target Image] +description = Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage IN ("*\\calc.exe", "*\\calculator.exe", "*\\mspaint.exe", "*\\notepad.exe", "*\\ping.exe", "*\\wordpad.exe", "*\\write.exe") GrantedAccess="0x1FFFFF" | fields - _raw | collect index=notable_events source="Uncommon Process Access Rights For Target Image" marker="guid=a24e5861-c6ca-4fde-a93c-ba9256feddf0,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1055.011," +[Suspicious LSASS Access Via MalSecLogon] +description = Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*\\lsass.exe" SourceImage="*\\svchost.exe" GrantedAccess="0x14c0" CallTrace="*seclogon.dll*" | fields - _raw | collect index=notable_events source="Suspicious LSASS Access Via MalSecLogon" marker="guid=472159c5-31b9-4f56-b794-b766faa8b0a7,tags=attack.credential-access,tags=attack.t1003.001," +[Credential Dumping Attempt Via WerFault] +description = Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 SourceImage="*\\WerFault.exe" TargetImage="*\\lsass.exe" GrantedAccess="0x1FFFFF" | fields - _raw | collect index=notable_events source="Credential Dumping Attempt Via WerFault" marker="guid=e5b33f7d-eb93-48b6-9851-09e1e610b6d7,tags=attack.credential-access,tags=attack.t1003.001,tags=attack.s0002," +[Remote LSASS Process Access Through Windows Remote Management] +description = Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*\\lsass.exe" SourceImage="*:\\Windows\\system32\\wsmprovhost.exe" NOT GrantedAccess="0x80000000" | fields - _raw | collect index=notable_events source="Remote LSASS Process Access Through Windows Remote Management" marker="guid=aa35a627-33fb-4d04-a165-d33b4afca3e8,tags=attack.credential-access,tags=attack.execution,tags=attack.t1003.001,tags=attack.t1059.001,tags=attack.lateral-movement,tags=attack.t1021.006,tags=attack.s0002," +[CMSTP Execution Process Access] +description = Detects various indicators of Microsoft Connection Manager Profile Installer execution +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 CallTrace="*cmlua.dll*" | fields - _raw | collect index=notable_events source="CMSTP Execution Process Access" marker="guid=3b4b232a-af90-427c-a22f-30b0c0837b95,tags=attack.defense-evasion,tags=attack.t1218.003,tags=attack.execution,tags=attack.t1559.001,tags=attack.g0069,tags=attack.g0080,tags=car.2019-04-001," +[HackTool - HandleKatz Duplicating LSASS Handle] +description = Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*\\lsass.exe" GrantedAccess="0x1440" CallTrace="C:\\Windows\\System32\\ntdll.dll+*" CallTrace="*|UNKNOWN(*" CallTrace="*)" | fields - _raw | collect index=notable_events source="HackTool - HandleKatz Duplicating LSASS Handle" marker="guid=b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5,tags=attack.execution,tags=attack.t1106,tags=attack.defense-evasion,tags=attack.t1003.001," +[HackTool - Generic Process Access] +description = Detects process access requests from hacktool processes based on their default image name +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" 
EventID=10 SourceImage IN ("*\\Akagi.exe", "*\\Akagi64.exe", "*\\atexec_windows.exe", "*\\Certify.exe", "*\\Certipy.exe", "*\\CoercedPotato.exe", "*\\crackmapexec.exe", "*\\CreateMiniDump.exe", "*\\dcomexec_windows.exe", "*\\dpapi_windows.exe", "*\\findDelegation_windows.exe", "*\\GetADUsers_windows.exe", "*\\GetNPUsers_windows.exe", "*\\getPac_windows.exe", "*\\getST_windows.exe", "*\\getTGT_windows.exe", "*\\GetUserSPNs_windows.exe", "*\\gmer.exe", "*\\hashcat.exe", "*\\htran.exe", "*\\ifmap_windows.exe", "*\\impersonate.exe", "*\\Inveigh.exe", "*\\LocalPotato.exe", "*\\mimikatz_windows.exe", "*\\mimikatz.exe", "*\\netview_windows.exe", "*\\nmapAnswerMachine_windows.exe", "*\\opdump_windows.exe", "*\\PasswordDump.exe", "*\\Potato.exe", "*\\PowerTool.exe", "*\\PowerTool64.exe", "*\\psexec_windows.exe", "*\\PurpleSharp.exe", "*\\pypykatz.exe", "*\\QuarksPwDump.exe", "*\\rdp_check_windows.exe", "*\\Rubeus.exe", "*\\SafetyKatz.exe", "*\\sambaPipe_windows.exe", "*\\SelectMyParent.exe", "*\\SharpChisel.exe", "*\\SharPersist.exe", "*\\SharpEvtMute.exe", "*\\SharpImpersonation.exe", "*\\SharpLDAPmonitor.exe", "*\\SharpLdapWhoami.exe", "*\\SharpUp.exe", "*\\SharpView.exe", "*\\smbclient_windows.exe", "*\\smbserver_windows.exe", "*\\sniff_windows.exe", "*\\sniffer_windows.exe", "*\\split_windows.exe", "*\\SpoolSample.exe", "*\\Stracciatella.exe", "*\\SysmonEOP.exe", "*\\temp\\rot.exe", "*\\ticketer_windows.exe", "*\\TruffleSnout.exe", "*\\winPEASany_ofs.exe", "*\\winPEASany.exe", "*\\winPEASx64_ofs.exe", "*\\winPEASx64.exe", "*\\winPEASx86_ofs.exe", "*\\winPEASx86.exe", "*\\xordump.exe") OR SourceImage IN ("*\\goldenPac*", "*\\just_dce_*", "*\\karmaSMB*", "*\\kintercept*", "*\\LocalPotato*", "*\\ntlmrelayx*", "*\\rpcdump*", "*\\samrdump*", "*\\secretsdump*", "*\\smbexec*", "*\\smbrelayx*", "*\\wmiexec*", "*\\wmipersist*", "*HotPotato*", "*Juicy Potato*", "*JuicyPotato*", "*PetitPotam*", "*RottenPotato*") | fields - _raw | collect index=notable_events source="HackTool - 
Generic Process Access" marker="guid=d0d2f720-d14f-448d-8242-51ff396a334e,tags=attack.credential-access,tags=attack.t1003.001,tags=attack.s0002," +[LSASS Memory Access by Tool With Dump Keyword In Name] +description = Detects LSASS process access requests from a source process with the "dump" keyword in its image name. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=10 TargetImage="*\\lsass.exe" SourceImage="*dump*" GrantedAccess IN ("*10", "*30", "*50", "*70", "*90", "*B0", "*D0", "*F0", "*18", "*38", "*58", "*78", "*98", "*B8", "*D8", "*F8", "*1A", "*3A", "*5A", "*7A", "*9A", "*BA", "*DA", "*FA", "*0x14C2", "*FF") | fields - _raw | collect index=notable_events source="LSASS Memory Access by Tool With Dump Keyword In Name" marker="guid=9bd012ee-0dff-44d7-84a0-aa698cfd87a3,tags=attack.credential-access,tags=attack.t1003.001,tags=attack.s0002," +[Sysmon Blocked File Shredding] +description = Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy. 
+search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=28 | fields - _raw | collect index=notable_events source="Sysmon Blocked File Shredding" marker="guid=c3e5c1b1-45e9-4632-b242-27939c170239,tags=attack.defense-evasion," +[Sysmon Configuration Error] +description = Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages +search = index=evtx _index_earliest=-1h@h Description IN ("*Failed to open service configuration with error*", "*Failed to connect to the driver to update configuration*") NOT ((Description="*Failed to open service configuration with error*" Description="*Last error: The media is write protected.*") OR Description IN ("*Failed to open service configuration with error 19*", "*Failed to open service configuration with error 93*")) | fields - _raw | collect index=notable_events source="Sysmon Configuration Error" marker="guid=815cd91b-7dbc-4247-841a-d7dd1392b0a8,tags=attack.defense-evasion,tags=attack.t1564," +[Sysmon Blocked Executable] +description = Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=27 | fields - _raw | collect index=notable_events source="Sysmon Blocked Executable" marker="guid=23b71bc5-953e-4971-be4c-c896cda73fc2,tags=attack.defense-evasion," +[Sysmon Configuration Modification] +description = Detects when an attacker tries to hide from Sysmon by disabling or stopping it +search = index=evtx _index_earliest=-1h@h State="Stopped" OR "Sysmon config state changed" NOT State="Started" | fields - _raw | collect index=notable_events source="Sysmon Configuration Modification" marker="guid=1f2b5353-573f-4880-8e33-7d04dcf97744,tags=attack.defense-evasion,tags=attack.t1564," +[Sysmon Configuration Change] +description = Detects a Sysmon configuration change, which could be the result of a 
legitimate reconfiguration or someone trying manipulate the configuration +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=16 | fields - _raw | collect index=notable_events source="Sysmon Configuration Change" marker="guid=8ac03a65-6c84-4116-acad-dc1558ff7a77,tags=attack.defense-evasion," +[Sysmon File Executable Creation Detected] +description = Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created. +search = index=evtx _index_earliest=-1h@h Channel="Microsoft-Windows-Sysmon/Operational" EventID=29 | fields - _raw | collect index=notable_events source="Sysmon File Executable Creation Detected" marker="guid=693a44e9-7f26-4cb6-b787-214867672d3a,tags=attack.defense-evasion," +[Mimikatz Use] +description = This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups) +search = index=evtx _index_earliest=-1h@h "dpapi::masterkey" OR "eo.oe.kiwi" OR "event::clear" OR "event::drop" OR "gentilkiwi.com" OR "kerberos::golden" OR "kerberos::ptc" OR "kerberos::ptt" OR "kerberos::tgt" OR "Kiwi Legit Printer" OR "lsadump::" OR "mimidrv.sys" OR "\\mimilib.dll" OR "misc::printnightmare" OR "misc::shadowcopies" OR "misc::skeleton" OR "privilege::backup" OR "privilege::debug" OR "privilege::driver" OR "sekurlsa::" NOT EventID=15 | fields - _raw | collect index=notable_events source="Mimikatz Use" marker="guid=06d71506-7beb-4f22-8888-e2e5e2ca7fd8,tags=attack.s0002,tags=attack.lateral-movement,tags=attack.credential-access,tags=car.2013-07-001,tags=car.2019-04-004,tags=attack.t1003.002,tags=attack.t1003.004,tags=attack.t1003.001,tags=attack.t1003.006," +[USB Device Plugged] +description = Detects plugged/unplugged USB devices +search = index=evtx _index_earliest=-1h@h EventID IN (2003, 2100, 2102) | fields - _raw | collect index=notable_events source="USB 
Device Plugged" marker="guid=1a4bd6e3-4c6e-405d-a9a3-53a116e341d4,tags=attack.initial-access,tags=attack.t1200," +[Certificate Private Key Acquired] +description = Detects when an application acquires a certificate private key +search = index=evtx _index_earliest=-1h@h EventID=70 | fields - _raw | collect index=notable_events source="Certificate Private Key Acquired" marker="guid=e2b5163d-7deb-4566-9af3-40afea6858c3,tags=attack.credential-access,tags=attack.t1649," +[Query Tor Onion Address - DNS Client] +description = Detects DNS resolution of an .onion address related to Tor routing networks +search = index=evtx _index_earliest=-1h@h EventID=3008 QueryName="*.onion*" | fields - _raw | collect index=notable_events source="Query Tor Onion Address - DNS Client" marker="guid=8384bd26-bde6-4da9-8e5d-4174a7a47ca2,tags=attack.command-and-control,tags=attack.t1090.003," +[DNS Query To Ufile.io - DNS Client] +description = Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration +search = index=evtx _index_earliest=-1h@h EventID=3008 QueryName="*ufile.io*" | fields - _raw | collect index=notable_events source="DNS Query To Ufile.io - DNS Client" marker="guid=090ffaad-c01a-4879-850c-6d57da98452d,tags=attack.exfiltration,tags=attack.t1567.002," +[DNS Query To MEGA Hosting Website - DNS Client] +description = Detects DNS queries for subdomains related to MEGA sharing website +search = index=evtx _index_earliest=-1h@h EventID=3008 QueryName="*userstorage.mega.co.nz*" | fields - _raw | collect index=notable_events source="DNS Query To MEGA Hosting Website - DNS Client" marker="guid=66474410-b883-415f-9f8d-75345a0a66a6,tags=attack.exfiltration,tags=attack.t1567.002," +[DNS Query To Put.io - DNS Client] +description = Detects DNS queries for subdomains related to "Put.io" sharing website. 
+search = index=evtx _index_earliest=-1h@h EventID=3008 QueryName IN ("*api.put.io*", "*upload.put.io*") | fields - _raw | collect index=notable_events source="DNS Query To Put.io - DNS Client" marker="guid=8b69fd42-9dad-4674-abef-7fdef43ef92a,tags=attack.command-and-control," +[DNS Query for Anonfiles.com Domain - DNS Client] +description = Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes +search = index=evtx _index_earliest=-1h@h EventID=3008 QueryName="*.anonfiles.com*" | fields - _raw | collect index=notable_events source="DNS Query for Anonfiles.com Domain - DNS Client" marker="guid=29f171d7-aa47-42c7-9c7b-3c87938164d9,tags=attack.exfiltration,tags=attack.t1567.002," +[Suspicious Cobalt Strike DNS Beaconing - DNS Client] +description = Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons +search = index=evtx _index_earliest=-1h@h EventID=3008 QueryName IN ("aaa.stage.*", "post.1*") OR QueryName="*.stage.123456.*" | fields - _raw | collect index=notable_events source="Suspicious Cobalt Strike DNS Beaconing - DNS Client" marker="guid=0d18728b-f5bf-4381-9dcf-915539fff6c2,tags=attack.command-and-control,tags=attack.t1071.004," +[OpenSSH Server Listening On Socket] +description = Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket. +search = index=evtx _index_earliest=-1h@h EventID=4 process="sshd" payload="Server listening on *" | fields - _raw | collect index=notable_events source="OpenSSH Server Listening On Socket" marker="guid=3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781,tags=attack.lateral-movement,tags=attack.t1021.004," +[Windows Defender Real-time Protection Disabled] +description = Detects disabling of Windows Defender Real-time Protection. 
As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a "medium" level if this occurs too many times in your environment +search = index=evtx _index_earliest=-1h@h EventID=5001 | fields - _raw | collect index=notable_events source="Windows Defender Real-time Protection Disabled" marker="guid=b28e58e4-2a72-4fae-bdee-0fbe904db642,tags=attack.defense-evasion,tags=attack.t1562.001," +[Windows Defender Threat Detected] +description = Detects actions taken by Windows Defender malware detection engines +search = index=evtx _index_earliest=-1h@h EventID IN (1006, 1015, 1116, 1117) | fields - _raw | collect index=notable_events source="Windows Defender Threat Detected" marker="guid=57b649ef-ff42-4fb0-8bf6-62da243a1708,tags=attack.execution,tags=attack.t1059," +[Windows Defender Submit Sample Feature Disabled] +description = Detects disabling of the "Automatic Sample Submission" feature of Windows Defender. +search = index=evtx _index_earliest=-1h@h EventID=5007 NewValue="*\\Real-Time Protection\\SubmitSamplesConsent = 0x0*" | fields - _raw | collect index=notable_events source="Windows Defender Submit Sample Feature Disabled" marker="guid=91903aba-1088-42ee-b680-d6d94fe002b0,tags=attack.defense-evasion,tags=attack.t1562.001," +[Windows Defender Exclusions Added] +description = Detects the Setting of Windows Defender Exclusions +search = index=evtx _index_earliest=-1h@h EventID=5007 NewValue="*\\Microsoft\\Windows Defender\\Exclusions*" | fields - _raw | collect index=notable_events source="Windows Defender Exclusions Added" marker="guid=1321dc4e-a1fe-481d-a016-52c45f0c8b4f,tags=attack.defense-evasion,tags=attack.t1562.001," +[Windows Defender Malware Detection History Deletion] +description = Windows Defender logs when the history of detected infections is deleted. 
+search = index=evtx _index_earliest=-1h@h EventID=1013 | fields - _raw | collect index=notable_events source="Windows Defender Malware Detection History Deletion" marker="guid=2afe6582-e149-11ea-87d0-0242ac130003,tags=attack.defense-evasion," +[Windows Defender AMSI Trigger Detected] +description = Detects triggering of AMSI by Windows Defender. +search = index=evtx _index_earliest=-1h@h EventID=1116 SourceName="AMSI" | fields - _raw | collect index=notable_events source="Windows Defender AMSI Trigger Detected" marker="guid=ea9bf0fa-edec-4fb8-8b78-b119f2528186,tags=attack.execution,tags=attack.t1059," +[LSASS Access Detected via Attack Surface Reduction] +description = Detects Access to LSASS Process +search = index=evtx _index_earliest=-1h@h EventID=1121 Path="*\\lsass.exe" NOT ((ProcessName="C:\\Windows\\Temp\\asgard2-agent\\*" ProcessName IN ("*\\thor64.exe", "*\\thor.exe")) OR ProcessName IN ("C:\\Windows\\System32\\atiesrxx.exe", "C:\\Windows\\System32\\CompatTelRunner.exe", "C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\System32\\nvwmi64.exe", "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\Taskmgr.exe", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "C:\\Windows\\SysWOW64\\msiexec.exe") OR ProcessName IN ("C:\\Windows\\System32\\DriverStore\\*", "C:\\WINDOWS\\Installer\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*")) | fields - _raw | collect index=notable_events source="LSASS Access Detected via Attack Surface Reduction" marker="guid=a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98,tags=attack.credential-access,tags=attack.t1003.001," +[Windows Defender Exploit Guard Tamper] +description = Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications" +search = index=evtx _index_earliest=-1h@h (EventID=5007 NewValue="*\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications\\*" NewValue IN ("*\\Users\\Public\\*", 
"*\\AppData\\Local\\Temp\\*", "*\\Desktop\\*", "*\\PerfLogs\\*", "*\\Windows\\Temp\\*")) OR (EventID=5007 OldValue="*\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders\\*") | fields - _raw | collect index=notable_events source="Windows Defender Exploit Guard Tamper" marker="guid=a3ab73f1-bd46-4319-8f06-4b20d0617886,tags=attack.defense-evasion,tags=attack.t1562.001," +[PSExec and WMI Process Creations Block] +description = Detects blocking of process creations originating from PSExec and WMI commands +search = index=evtx _index_earliest=-1h@h EventID=1121 ProcessName IN ("*\\wmiprvse.exe", "*\\psexesvc.exe") | fields - _raw | collect index=notable_events source="PSExec and WMI Process Creations Block" marker="guid=97b9ce1e-c5ab-11ea-87d0-0242ac130003,tags=attack.execution,tags=attack.lateral-movement,tags=attack.t1047,tags=attack.t1569.002," +[Win Defender Restored Quarantine File] +description = Detects the restoration of files from the defender quarantine +search = index=evtx _index_earliest=-1h@h EventID=1009 | fields - _raw | collect index=notable_events source="Win Defender Restored Quarantine File" marker="guid=bc92ca75-cd42-4d61-9a37-9d5aa259c88b,tags=attack.defense-evasion,tags=attack.t1562.001," +[Microsoft Defender Tamper Protection Trigger] +description = Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring" +search = index=evtx _index_earliest=-1h@h EventID=5013 Value IN ("*\\Windows Defender\\DisableAntiSpyware", "*\\Windows Defender\\DisableAntiVirus", "*\\Windows Defender\\Scan\\DisableArchiveScanning", "*\\Windows Defender\\Scan\\DisableScanningNetworkFiles", "*\\Real-Time Protection\\DisableRealtimeMonitoring", "*\\Real-Time Protection\\DisableBehaviorMonitoring", "*\\Real-Time Protection\\DisableIOAVProtection", "*\\Real-Time Protection\\DisableScriptScanning") | fields - _raw | collect index=notable_events source="Microsoft Defender Tamper 
Protection Trigger" marker="guid=49e5bc24-8b86-49f1-b743-535f332c2856,tags=attack.defense-evasion,tags=attack.t1562.001," +[Windows Defender Configuration Changes] +description = Detects suspicious changes to the Windows Defender configuration +search = index=evtx _index_earliest=-1h@h EventID=5007 NewValue IN ("*\\Windows Defender\\DisableAntiSpyware *", "*\\Windows Defender\\Scan\\DisableRemovableDriveScanning *", "*\\Windows Defender\\Scan\\DisableScanningMappedNetworkDrivesForFullScan *", "*\\Windows Defender\\SpyNet\\DisableBlockAtFirstSeen *", "*\\Real-Time Protection\\SpyNetReporting *") | fields - _raw | collect index=notable_events source="Windows Defender Configuration Changes" marker="guid=801bd44f-ceed-4eb6-887c-11544633c0aa,tags=attack.defense-evasion,tags=attack.t1562.001," +[Windows Defender Virus Scanning Feature Disabled] +description = Detects disabling of the Windows Defender virus scanning feature +search = index=evtx _index_earliest=-1h@h EventID=5012 | fields - _raw | collect index=notable_events source="Windows Defender Virus Scanning Feature Disabled" marker="guid=686c0b4b-9dd3-4847-9077-d6c1bbe36fcb,tags=attack.defense-evasion,tags=attack.t1562.001," +[Windows Defender Real-Time Protection Failure/Restart] +description = Detects issues with Windows Defender Real-Time Protection features +search = index=evtx _index_earliest=-1h@h EventID IN (3002, 3007) NOT (Feature_Name="%%886" Reason IN ("%%892", "%%858")) | fields - _raw | collect index=notable_events source="Windows Defender Real-Time Protection Failure/Restart" marker="guid=dd80db93-6ec2-4f4c-a017-ad40da6ffe81,tags=attack.defense-evasion,tags=attack.t1562.001," +[Windows Defender Grace Period Expired] +description = Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled. 
+search = index=evtx _index_earliest=-1h@h EventID=5101 | fields - _raw | collect index=notable_events source="Windows Defender Grace Period Expired" marker="guid=360a1340-398a-46b6-8d06-99b905dc69d2,tags=attack.defense-evasion,tags=attack.t1562.001," +[Windows Defender Malware And PUA Scanning Disabled] +description = Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software +search = index=evtx _index_earliest=-1h@h EventID=5010 | fields - _raw | collect index=notable_events source="Windows Defender Malware And PUA Scanning Disabled" marker="guid=bc275be9-0bec-4d77-8c8f-281a2df6710f,tags=attack.defense-evasion,tags=attack.t1562.001," +[Audit CVE Event] +description = Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log. 
+search = index=evtx _index_earliest=-1h@h etw_provider IN ("Microsoft-Windows-Audit-CVE", "Audit-CVE") EventID=1 | fields - _raw | collect index=notable_events source="Audit CVE Event" marker="guid=48d91a3a-2363-43ba-a456-ca71ac3da5c2,tags=attack.execution,tags=attack.t1203,tags=attack.privilege-escalation,tags=attack.t1068,tags=attack.defense-evasion,tags=attack.t1211,tags=attack.credential-access,tags=attack.t1212,tags=attack.lateral-movement,tags=attack.t1210,tags=attack.impact,tags=attack.t1499.004," +[Remote Access Tool - ScreenConnect Command Execution] +description = Detects command execution via ScreenConnect RMM +search = index=evtx _index_earliest=-1h@h etw_provider="ScreenConnect" EventID=200 Data="*Executed command of length*" | fields - _raw | collect index=notable_events source="Remote Access Tool - ScreenConnect Command Execution" marker="guid=076ebe48-cc05-4d8f-9d41-89245cd93a14,tags=attack.execution,tags=attack.t1059.003," +[Remote Access Tool - ScreenConnect File Transfer] +description = Detects file being transferred via ScreenConnect RMM +search = index=evtx _index_earliest=-1h@h etw_provider="ScreenConnect" EventID=201 Data="*Transferred files with action*" | fields - _raw | collect index=notable_events source="Remote Access Tool - ScreenConnect File Transfer" marker="guid=5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13,tags=attack.execution,tags=attack.t1059.003," +[Relevant Anti-Virus Signature Keywords In Application Log] +description = Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords. 
+search = index=evtx _index_earliest=-1h@h "Adfind" OR "ASP/BackDoor " OR "ATK/" OR "Backdoor.ASP" OR "Backdoor.Cobalt" OR "Backdoor.JSP" OR "Backdoor.PHP" OR "Blackworm" OR "Brutel" OR "BruteR" OR "Chopper" OR "Cobalt" OR "COBEACON" OR "Cometer" OR "CRYPTES" OR "Cryptor" OR "Destructor" OR "DumpCreds" OR "Exploit.Script.CVE" OR "FastReverseProxy" OR "Filecoder" OR "GrandCrab " OR "HackTool" OR "HKTL" OR "HTool" OR "IISExchgSpawnCMD" OR "Impacket" OR "JSP/BackDoor " OR "Keylogger" OR "Koadic" OR "Krypt" OR "Lazagne" OR "Metasploit" OR "Meterpreter" OR "MeteTool" OR "mikatz" OR "Mimikatz" OR "Mpreter" OR "MsfShell" OR "Nighthawk" OR "Packed.Generic.347" OR "PentestPowerShell" OR "Phobos" OR "PHP/BackDoor " OR "Potato" OR "PowerSploit" OR "PowerSSH" OR "PshlSpy" OR "PSWTool" OR "PWCrack" OR "PWDump" OR "Ransom" OR "Rozena" OR "Ryzerlo" OR "Sbelt" OR "Seatbelt" OR "SecurityTool " OR "SharpDump" OR "Shellcode" OR "Sliver" OR "Splinter" OR "Swrort" OR "Tescrypt" OR "TeslaCrypt" OR "TurtleLoader" OR "Valyria" OR "Webshell" NOT ("anti_ransomware_service.exe" OR "Crack" OR "cyber-protect-service.exe" OR "Keygen" OR Level=4 OR etw_provider="Microsoft-Windows-RestartManager") | fields - _raw | collect index=notable_events source="Relevant Anti-Virus Signature Keywords In Application Log" marker="guid=78bc5783-81d9-4d73-ac97-59f6db4f72a8,tags=attack.resource-development,tags=attack.t1588," +[Ntdsutil Abuse] +description = Detects potential abuse of ntdsutil to dump ntds.dit database +search = index=evtx _index_earliest=-1h@h etw_provider="ESENT" EventID IN (216, 325, 326, 327) Data="*ntds.dit*" | fields - _raw | collect index=notable_events source="Ntdsutil Abuse" marker="guid=e6e88853-5f20-4c4a-8d26-cd469fd8d31f,tags=attack.credential-access,tags=attack.t1003.003," +[Dump Ntds.dit To Suspicious Location] +description = Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location +search = index=evtx _index_earliest=-1h@h etw_provider="ESENT" 
EventID=325 Data="*ntds.dit*" Data IN ("*:\\ntds.dit*", "*\\Appdata\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Perflogs\\*", "*\\Temp\\*", "*\\Users\\Public\\*") | fields - _raw | collect index=notable_events source="Dump Ntds.dit To Suspicious Location" marker="guid=94dc4390-6b7c-4784-8ffc-335334404650,tags=attack.execution," +[Application Uninstalled] +description = An application has been removed. Check if it is critical. +search = index=evtx _index_earliest=-1h@h etw_provider="MsiInstaller" EventID IN (1034, 11724) | fields - _raw | collect index=notable_events source="Application Uninstalled" marker="guid=570ae5ec-33dc-427c-b815-db86228ad43e,tags=attack.impact,tags=attack.t1489," +[MSI Installation From Web] +description = Detects installation of a remote msi file from web. +search = index=evtx _index_earliest=-1h@h etw_provider="MsiInstaller" EventID IN (1040, 1042) Data="*://*" | fields - _raw | collect index=notable_events source="MSI Installation From Web" marker="guid=5594e67a-7f92-4a04-b65d-1a42fd824a60,tags=attack.defense-evasion,tags=attack.t1218,tags=attack.t1218.007," +[Atera Agent Installation] +description = Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators +search = index=evtx _index_earliest=-1h@h EventID=1033 etw_provider="MsiInstaller" Message="*AteraAgent*" | fields - _raw | collect index=notable_events source="Atera Agent Installation" marker="guid=87261fb2-69d0-42fe-b9de-88c6b5f65a43,tags=attack.t1219," +[MSI Installation From Suspicious Locations] +description = Detects MSI package installation from suspicious locations +search = index=evtx _index_earliest=-1h@h etw_provider="MsiInstaller" EventID IN (1040, 1042) Data IN ("*:\\Windows\\TEMP\\*", "*\\\\*", "*\\Desktop\\*", "*\\PerfLogs\\*", "*\\Users\\Public\\*") NOT (Data IN ("*\\AppData\\Local\\Temp\\WinGet\\*", "*C:\\Windows\\TEMP\\UpdHealthTools.msi*")) | fields - _raw | collect index=notable_events 
source="MSI Installation From Suspicious Locations" marker="guid=c7c8aa1c-5aff-408e-828b-998e3620b341,tags=attack.execution," +[Restricted Software Access By SRP] +description = Detects restricted access to applications by the Software Restriction Policies (SRP) policy +search = index=evtx _index_earliest=-1h@h etw_provider="Microsoft-Windows-SoftwareRestrictionPolicies" EventID IN (865, 866, 867, 868, 882) | fields - _raw | collect index=notable_events source="Restricted Software Access By SRP" marker="guid=b4c8da4a-1c12-46b0-8a2b-0a8521d03442,tags=attack.defense-evasion,tags=attack.t1072," +[Microsoft Malware Protection Engine Crash] +description = This rule detects a suspicious crash of the Microsoft Malware Protection Engine +search = index=evtx _index_earliest=-1h@h etw_provider="Application Error" EventID=1000 Data="*MsMpEng.exe*" Data="*mpengine.dll*" | fields - _raw | collect index=notable_events source="Microsoft Malware Protection Engine Crash" marker="guid=545a5da6-f103-4919-a519-e9aec1026ee4,tags=attack.defense-evasion,tags=attack.t1211,tags=attack.t1562.001," +[Potential Credential Dumping Via WER - Application] +description = Detects Windows error reporting event where the process that crashed is lsass. 
This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential +search = index=evtx _index_earliest=-1h@h etw_provider="Application Error" EventID=1000 AppName="lsass.exe" ExceptionCode="c0000001" | fields - _raw | collect index=notable_events source="Potential Credential Dumping Via WER - Application" marker="guid=a18e0862-127b-43ca-be12-1a542c75c7c5,tags=attack.credential-access,tags=attack.t1003.001," +[Backup Catalog Deleted] +description = Detects backup catalog deletions +search = index=evtx _index_earliest=-1h@h EventID=524 etw_provider="Microsoft-Windows-Backup" | fields - _raw | collect index=notable_events source="Backup Catalog Deleted" marker="guid=9703792d-fd9a-456d-a672-ff92efe4806a,tags=attack.defense-evasion,tags=attack.t1070.004," +[Microsoft Malware Protection Engine Crash - WER] +description = This rule detects a suspicious crash of the Microsoft Malware Protection Engine +search = index=evtx _index_earliest=-1h@h etw_provider="Windows Error Reporting" EventID=1001 Data="*MsMpEng.exe*" Data="*mpengine.dll*" | fields - _raw | collect index=notable_events source="Microsoft Malware Protection Engine Crash - WER" marker="guid=6c82cf5c-090d-4d57-9188-533577631108,tags=attack.defense-evasion,tags=attack.t1211,tags=attack.t1562.001," +[MSSQL XPCmdshell Suspicious Execution] +description = Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands +search = index=evtx _index_earliest=-1h@h etw_provider="*MSSQL*" EventID=33205 Data="*object_name:xp_cmdshell*" Data="*statement:EXEC*" | fields - _raw | collect index=notable_events source="MSSQL XPCmdshell Suspicious Execution" marker="guid=7f103213-a04e-4d59-8261-213dddf22314,tags=attack.execution," +[MSSQL XPCmdshell Option Change] +description = Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed. 
+search = index=evtx _index_earliest=-1h@h etw_provider="*MSSQL*" EventID=15457 Data="*xp_cmdshell*" | fields - _raw | collect index=notable_events source="MSSQL XPCmdshell Option Change" marker="guid=d08dd86f-681e-4a00-a92c-1db218754417,tags=attack.execution," +[MSSQL Disable Audit Settings] +description = Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server +search = index=evtx _index_earliest=-1h@h etw_provider="*MSSQL*" EventID=33205 Data IN ("*statement:ALTER SERVER AUDIT*", "*statement:DROP SERVER AUDIT*") | fields - _raw | collect index=notable_events source="MSSQL Disable Audit Settings" marker="guid=350dfb37-3706-4cdc-9e2e-5e24bc3a46df,tags=attack.defense-evasion," +[MSSQL Server Failed Logon From External Network] +description = Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack. +search = index=evtx _index_earliest=-1h@h etw_provider="*MSSQL*" EventID=18456 NOT (Data IN ("*CLIENT: 10.*", "*CLIENT: 172.16.*", "*CLIENT: 172.17.*", "*CLIENT: 172.18.*", "*CLIENT: 172.19.*", "*CLIENT: 172.20.*", "*CLIENT: 172.21.*", "*CLIENT: 172.22.*", "*CLIENT: 172.23.*", "*CLIENT: 172.24.*", "*CLIENT: 172.25.*", "*CLIENT: 172.26.*", "*CLIENT: 172.27.*", "*CLIENT: 172.28.*", "*CLIENT: 172.29.*", "*CLIENT: 172.30.*", "*CLIENT: 172.31.*", "*CLIENT: 192.168.*", "*CLIENT: 127.*", "*CLIENT: 169.254.*")) | fields - _raw | collect index=notable_events source="MSSQL Server Failed Logon From External Network" marker="guid=ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d,tags=attack.credential-access,tags=attack.t1110," +[MSSQL SPProcoption Set] +description = Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started +search = index=evtx _index_earliest=-1h@h etw_provider="*MSSQL*" EventID=33205 Data="*object_name:sp_procoption*" Data="*statement:EXEC*" | fields - _raw | collect index=notable_events source="MSSQL SPProcoption Set" marker="guid=b3d57a5c-c92e-4b48-9a79-5f124b7cf964,tags=attack.persistence," +[MSSQL Add Account To Sysadmin Role] +description = Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role +search = index=evtx _index_earliest=-1h@h etw_provider="*MSSQL*" EventID=33205 Data="*object_name:sysadmin*" Data="*statement:alter server role [sysadmin] add member *" | fields - _raw | collect index=notable_events source="MSSQL Add Account To Sysadmin Role" marker="guid=08200f85-2678-463e-9c32-88dce2f073d1,tags=attack.persistence," +[MSSQL Server Failed Logon] +description = Detects failed logon attempts from clients to MSSQL server. 
+search = index=evtx _index_earliest=-1h@h etw_provider="*MSSQL*" EventID=18456 | fields - _raw | collect index=notable_events source="MSSQL Server Failed Logon" marker="guid=218d2855-2bba-4f61-9c85-81d0ea63ac71,tags=attack.credential-access,tags=attack.t1110," +[BITS Transfer Job Downloading File Potential Suspicious Extension] +description = Detects new BITS transfer job saving local files with potential suspicious extensions +search = index=evtx _index_earliest=-1h@h EventID=16403 LocalName IN ("*.bat", "*.dll", "*.exe", "*.hta", "*.ps1", "*.psd1", "*.sh", "*.vbe", "*.vbs") NOT (LocalName="*\\AppData\\*" RemoteName="*.com*") | fields - _raw | collect index=notable_events source="BITS Transfer Job Downloading File Potential Suspicious Extension" marker="guid=b85e5894-9b19-4d86-8c87-a2f3b81f0521,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197," +[New BITS Job Created Via PowerShell] +description = Detects the creation of a new bits job by PowerShell +search = index=evtx _index_earliest=-1h@h EventID=3 processPath IN ("*\\powershell.exe", "*\\pwsh.exe") | fields - _raw | collect index=notable_events source="New BITS Job Created Via PowerShell" marker="guid=fe3a2d49-f255-4d10-935c-bda7391108eb,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197," +[BITS Transfer Job Download From File Sharing Domains] +description = Detects BITS transfer job downloading files from a file sharing domain. 
+search = index=evtx _index_earliest=-1h@h EventID=16403 RemoteName IN ("*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*") | fields - _raw | collect index=notable_events source="BITS Transfer Job Download From File Sharing Domains" marker="guid=d635249d-86b5-4dad-a8c7-d7272b788586,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,"
+[New BITS Job Created Via Bitsadmin]
+description = Detects the creation of a new bits job by Bitsadmin
+search = index=evtx _index_earliest=-1h@h EventID=3 processPath="*\\bitsadmin.exe" | fields - _raw | collect index=notable_events source="New BITS Job Created Via Bitsadmin" marker="guid=1ff315dc-2a3a-4b71-8dde-873818d25d39,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,"
+[BITS Transfer Job With Uncommon Or Suspicious Remote TLD]
+description = Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
+search = index=evtx _index_earliest=-1h@h EventID=16403 NOT (RemoteName IN ("*.azureedge.net/*", "*.com/*", "*.sfx.ms/*", "*download.mozilla.org/*")) | fields - _raw | collect index=notable_events source="BITS Transfer Job With Uncommon Or Suspicious Remote TLD" marker="guid=6d44fb93-e7d2-475c-9d3d-54c9c1e33427,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,"
+[BITS Transfer Job Download From Direct IP]
+description = Detects a BITS transfer job downloading file(s) from a direct IP address.
+search = index=evtx _index_earliest=-1h@h EventID=16403 RemoteName IN ("*http://1*", "*http://2*", "*http://3*", "*http://4*", "*http://5*", "*http://6*", "*http://7*", "*http://8*", "*http://9*", "*https://1*", "*https://2*", "*https://3*", "*https://4*", "*https://5*", "*https://6*", "*https://7*", "*https://8*", "*https://9*") NOT (RemoteName IN ("*://10.*", "*://192.168.*", "*://172.16.*", "*://172.17.*", "*://172.18.*", "*://172.19.*", "*://172.20.*", "*://172.21.*", "*://172.22.*", "*://172.23.*", "*://172.24.*", "*://172.25.*", "*://172.26.*", "*://172.27.*", "*://172.28.*", "*://172.29.*", "*://172.30.*", "*://172.31.*", "*://127.*", "*://169.254.*") OR RemoteName IN ("*https://7-*", "*http://7-*")) | fields - _raw | collect index=notable_events source="BITS Transfer Job Download From Direct IP" marker="guid=90f138c1-f578-4ac3-8c49-eecfd847c8b7,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,"
+[BITS Transfer Job Download To Potential Suspicious Folder]
+description = Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
+search = index=evtx _index_earliest=-1h@h EventID=16403 LocalName IN ("*\\Desktop\\*", "*C:\\Users\\Public\\*", "*C:\\PerfLogs\\*") | fields - _raw | collect index=notable_events source="BITS Transfer Job Download To Potential Suspicious Folder"
marker="guid=f8a56cb7-a363-44ed-a82f-5926bb44cd05,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.t1197,"
+[Deployment Of The AppX Package Was Blocked By The Policy]
+description = Detects an appx package deployment that was blocked by the local computer policy
+search = index=evtx _index_earliest=-1h@h EventID IN (441, 442, 453, 454) | fields - _raw | collect index=notable_events source="Deployment Of The AppX Package Was Blocked By The Policy" marker="guid=e021bbb5-407f-41f5-9dc9-1864c45a7a51,tags=attack.defense-evasion,"
+[Suspicious AppX Package Locations]
+description = Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations
+search = index=evtx _index_earliest=-1h@h EventID=854 Path IN ("*C:\\Users\\Public\\*", "*/users/public/*", "*C:\\PerfLogs\\*", "*C:/perflogs/*", "*\\Desktop\\*", "*/desktop/*", "*\\Downloads\\*", "*/Downloads/*", "*C:\\Windows\\Temp\\*", "*C:/Windows/Temp/*", "*\\AppdData\\Local\\Temp\\*", "*/AppdData/Local/Temp/*") | fields - _raw | collect index=notable_events source="Suspicious AppX Package Locations" marker="guid=5cdeaf3d-1489-477c-95ab-c318559fc051,tags=attack.defense-evasion,"
+[Potential Malicious AppX Package Installation Attempts]
+description = Detects potential installation or installation attempts of known malicious appx packages
+search = index=evtx _index_earliest=-1h@h EventID IN (400, 401) PackageFullName="*3669e262-ec02-4e9d-bcb4-3d008b4afac9*" | fields - _raw | collect index=notable_events source="Potential Malicious AppX Package Installation Attempts" marker="guid=09d3b48b-be17-47f5-bf4e-94e7e75d09ce,tags=attack.defense-evasion,"
+[Uncommon AppX Package Locations]
+description = Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
+search = index=evtx _index_earliest=-1h@h EventID=854 NOT (Path IN ("*C:\\Program Files\\WindowsApps\\*", "*C:\\Program Files (x86)\\*",
"*C:\\Windows\\SystemApps\\*", "*C:\\Windows\\PrintDialog\\*", "*C:\\Windows\\ImmersiveControlPanel\\*", "*x-windowsupdate://*", "*file:///C:/Program%20Files*") OR Path IN ("*https://statics.teams.cdn.office.net/*", "*microsoft.com*")) | fields - _raw | collect index=notable_events source="Uncommon AppX Package Locations" marker="guid=c977cb50-3dff-4a9f-b873-9290f56132f1,tags=attack.defense-evasion,"
+[Deployment AppX Package Was Blocked By AppLocker]
+description = Detects an appx package deployment that was blocked by AppLocker policy
+search = index=evtx _index_earliest=-1h@h EventID=412 | fields - _raw | collect index=notable_events source="Deployment AppX Package Was Blocked By AppLocker" marker="guid=6ae53108-c3a0-4bee-8f45-c7591a2c337f,tags=attack.defense-evasion,"
+[Suspicious Remote AppX Package Locations]
+description = Detects an appx package added to the pipeline of the "to be processed" packages which was downloaded from a suspicious domain.
+search = index=evtx _index_earliest=-1h@h EventID=854 Path IN ("*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*") | fields - _raw | collect index=notable_events source="Suspicious Remote AppX Package Locations" marker="guid=8b48ad89-10d8-4382-a546-50588c410f0d,tags=attack.defense-evasion,"
+[Suspicious AppX Package Installation Attempt]
+description = Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
+search = index=evtx _index_earliest=-1h@h EventID=401 ErrorCode="0x80073cff" | fields - _raw | collect index=notable_events source="Suspicious AppX Package Installation Attempt" marker="guid=898d5fc9-fbc3-43de-93ad-38e97237c344,tags=attack.defense-evasion,"
+[New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE]
+description = Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
+search = index=evtx _index_earliest=-1h@h EventID IN (2004, 2071, 2097) Action=3 ModifyingApplication="*:\\Windows\\System32\\wbem\\WmiPrvSE.exe" | fields - _raw | collect index=notable_events source="New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE" marker="guid=eca81e8d-09e1-4d04-8614-c91f44fd0519,tags=attack.defense-evasion,tags=attack.t1562.004,"
+[A Rule Has Been Deleted From The Windows Firewall Exception List]
+description = Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
+search = index=evtx _index_earliest=-1h@h EventID IN (2006, 2052) NOT (ModifyingApplication IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*") OR ModifyingApplication="C:\\Windows\\System32\\svchost.exe" OR ModifyingApplication!=* OR ModifyingApplication="") NOT (ModifyingApplication="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*" ModifyingApplication="*\\MsMpEng.exe") | fields - _raw | collect index=notable_events source="A Rule Has Been Deleted From The Windows Firewall Exception List" marker="guid=c187c075-bb3e-4c62-b4fa-beae0ffc211f,tags=attack.defense-evasion,tags=attack.t1562.004,"
+[The Windows Defender Firewall Service Failed To Load Group Policy]
+description = Detects activity when The Windows Defender Firewall service failed to load Group Policy
+search = index=evtx _index_earliest=-1h@h
EventID=2009 | fields - _raw | collect index=notable_events source="The Windows Defender Firewall Service Failed To Load Group Policy" marker="guid=7ec15688-fd24-4177-ba43-1a950537ee39,tags=attack.defense-evasion,tags=attack.t1562.004,"
+[Uncommon New Firewall Rule Added In Windows Firewall Exception List]
+description = Detects when a rule has been added to the Windows Firewall exception list
+search = index=evtx _index_earliest=-1h@h EventID IN (2004, 2071, 2097) NOT (Action=2 OR ApplicationPath IN ("*:\\Program Files (x86)\\*", "*:\\Program Files\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\WinSxS\\*") OR ApplicationPath IN ("*:\\PerfLogs\\*", "*:\\Temp\\*", "*:\\Tmp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*")) NOT (ModifyingApplication="*:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*" ModifyingApplication="*\\MsMpEng.exe*") | fields - _raw | collect index=notable_events source="Uncommon New Firewall Rule Added In Windows Firewall Exception List" marker="guid=cde0a575-7d3d-4a49-9817-b8004a7bf105,tags=attack.defense-evasion,tags=attack.t1562.004,"
+[All Rules Have Been Deleted From The Windows Firewall Configuration]
+description = Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
+search = index=evtx _index_earliest=-1h@h EventID IN (2033, 2059) NOT ModifyingApplication="*:\\Windows\\System32\\svchost.exe" NOT (ModifyingApplication="*:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*" ModifyingApplication="*\\MsMpEng.exe*") | fields - _raw | collect index=notable_events source="All Rules Have Been Deleted From The Windows Firewall Configuration" marker="guid=79609c82-a488-426e-abcf-9f341a39365d,tags=attack.defense-evasion,tags=attack.t1562.004,"
+[Windows Defender Firewall Has Been Reset To Its Default Configuration]
+description = Detects activity when Windows Defender Firewall has been reset to its default
configuration
+search = index=evtx _index_earliest=-1h@h EventID IN (2032, 2060) | fields - _raw | collect index=notable_events source="Windows Defender Firewall Has Been Reset To Its Default Configuration" marker="guid=04b60639-39c0-412a-9fbe-e82499c881a3,tags=attack.defense-evasion,tags=attack.t1562.004,"
+[New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application]
+description = Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
+search = index=evtx _index_earliest=-1h@h EventID IN (2004, 2071, 2097) ApplicationPath IN ("*:\\PerfLogs\\*", "*:\\Temp\\*", "*:\\Tmp\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*") NOT Action=2 | fields - _raw | collect index=notable_events source="New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application" marker="guid=9e2575e7-2cb9-4da1-adc8-ed94221dca5e,tags=attack.defense-evasion,tags=attack.t1562.004,"
+[Windows Firewall Settings Have Been Changed]
+description = Detects activity when the settings of the Windows firewall have been changed
+search = index=evtx _index_earliest=-1h@h EventID IN (2002, 2083, 2003, 2082, 2008) | fields - _raw | collect index=notable_events source="Windows Firewall Settings Have Been Changed" marker="guid=00bb5bd5-1379-4fcf-a965-a5b6f7478064,tags=attack.defense-evasion,tags=attack.t1562.004,"
+[Suspicious Rejected SMB Guest Logon From IP]
+description = Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
+search = index=evtx _index_earliest=-1h@h EventID=31017 UserName="" ServerName="\\1*" | table Computer,User | fields - _raw | collect index=notable_events source="Suspicious Rejected SMB Guest Logon From IP" marker="guid=71886b70-d7b4-4dbf-acce-87d2ca135262,tags=attack.credential-access,tags=attack.t1110.001,"
+[Denied Access To Remote
Desktop]
+description = This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4825 | table EventCode,AccountName,ClientAddress | fields - _raw | collect index=notable_events source="Denied Access To Remote Desktop" marker="guid=8e5c03fa-b7f0-11ea-b242-07e0576828d9,tags=attack.lateral-movement,tags=attack.t1021.001,"
+[Account Tampering - Suspicious Failed Logon Reasons]
+description = This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4625, 4776) Status IN ("0xC0000072", "0xC000006F", "0xC0000070", "0xC0000413", "0xC000018C", "0xC000015B") NOT SubjectUserSid="S-1-0-0" | fields - _raw | collect index=notable_events source="Account Tampering - Suspicious Failed Logon Reasons" marker="guid=9eb99343-d336-4020-a3cd-67f3819e68ee,tags=attack.persistence,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.initial-access,tags=attack.t1078,"
+[Locked Workstation]
+description = Detects locked workstation session events that occur automatically after a standard period of inactivity.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4800 | fields - _raw | collect index=notable_events source="Locked Workstation" marker="guid=411742ad-89b0-49cb-a7b0-3971b5c1e0a4,tags=attack.impact,"
+[SCM Database Handle Failure]
+description = Detects non-system users failing to get a handle of the SCM database.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4656 ObjectType="SC_MANAGER OBJECT" ObjectName="ServicesActive" AccessMask="0xf003f" NOT SubjectLogonId="0x3e4" | fields - _raw | collect index=notable_events source="SCM Database Handle Failure" marker="guid=13addce7-47b2-4ca0-a98f-1de964d1d669,tags=attack.discovery,tags=attack.t1010,"
+[Service Registry Key Read Access Request]
+description = Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4663 ObjectName="*\\SYSTEM\\*" ObjectName="*ControlSet\\Services\\*" AccessList="*%%1538*" | fields - _raw | collect index=notable_events source="Service Registry Key Read Access Request" marker="guid=11d00fff-5dc3-428c-8184-801f292faec0,tags=attack.defense-evasion,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1574.011,"
+[Transferring Files with Credential Data via Network Shares]
+description = Transferring files with well-known filenames (sensitive files with credential data) using network shares
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 RelativeTargetName IN ("*\\mimidrv*", "*\\lsass*", "*\\windows\\minidump\\*", "*\\hiberfil*", "*\\sqldmpr*", "*\\sam*", "*\\ntds.dit*", "*\\security*") | fields - _raw | collect index=notable_events source="Transferring Files with Credential Data via Network Shares" marker="guid=910ab938-668b-401b-b08c-b596e80fdca5,tags=attack.credential-access,tags=attack.t1003.002,tags=attack.t1003.001,tags=attack.t1003.003,"
+[Possible Shadow Credentials Added]
+description = Detects possible addition of shadow credentials to an
active directory object.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5136 AttributeLDAPDisplayName="msDS-KeyCredentialLink" | fields - _raw | collect index=notable_events source="Possible Shadow Credentials Added" marker="guid=f598ea0c-c25a-4f72-a219-50c44411c791,tags=attack.credential-access,tags=attack.t1556,"
+[Suspicious Scheduled Task Creation]
+description = Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4698 TaskContent IN ("*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Users\\Public\\*", "*\\WINDOWS\\Temp\\*", "*C:\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Temporary Internet*", "*C:\\ProgramData\\*", "*C:\\Perflogs\\*") TaskContent IN ("*regsvr32*", "*rundll32*", "*cmd.exe*", "*cmd*", "*/c *", "*/k *", "*/r *", "*powershell*", "*pwsh*", "*mshta*", "*wscript*", "*cscript*", "*certutil*", "*bitsadmin*", "*bash.exe*", "*bash *", "*scrcons*", "*wmic *", "*wmic.exe*", "*forfiles*", "*scriptrunner*", "*hh.exe*") | fields - _raw | collect index=notable_events source="Suspicious Scheduled Task Creation" marker="guid=3a734d25-df5c-4b99-8034-af1ddb5883a4,tags=attack.execution,tags=attack.privilege-escalation,tags=attack.persistence,tags=attack.t1053.005,"
+[VSSAudit Security Event Source Registration]
+description = Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
+search = index=evtx _index_earliest=-1h@h Channel="Security" AuditSourceName="VSSAudit" EventID IN (4904, 4905) | fields - _raw | collect index=notable_events source="VSSAudit Security Event Source Registration" marker="guid=e9faba72-4974-4ab2-a4c5-46e25ad59e9b,tags=attack.credential-access,tags=attack.t1003.002,"
+[Register new Logon Process by Rubeus]
+description = Detects potential use of Rubeus via registered new trusted logon process
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4611 LogonProcessName="User32LogonProcesss" | fields - _raw | collect index=notable_events source="Register new Logon Process by Rubeus" marker="guid=12e6d621-194f-4f59-90cc-1959e21e69f7,tags=attack.lateral-movement,tags=attack.privilege-escalation,tags=attack.t1558.003,"
+[Service Installed By Unusual Client - Security]
+description = Detects a service installed by a client which has PID 0 or whose parent has PID 0
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ClientProcessId=0 OR ParentProcessId=0 | fields - _raw | collect index=notable_events source="Service Installed By Unusual Client - Security" marker="guid=c4e92a97-a9ff-4392-9d2d-7a4c642768ca,tags=attack.privilege-escalation,tags=attack.t1543,"
+[User Added to Local Administrator Group]
+description = Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4732 TargetUserName="Administr*" OR TargetSid="S-1-5-32-544" NOT SubjectUserName="*$" | fields - _raw | collect index=notable_events source="User Added to Local Administrator Group" marker="guid=c265cf08-3f99-46c1-8d59-328247057d57,tags=attack.privilege-escalation,tags=attack.t1078,tags=attack.persistence,tags=attack.t1098,"
+[NetNTLM Downgrade Attack]
+description = Detects NetNTLM downgrade attack
+search = index=evtx _index_earliest=-1h@h Channel="Security"
EventID=4657 ObjectName="*\\REGISTRY\\MACHINE\\SYSTEM*" ObjectName="*ControlSet*" ObjectName="*\\Control\\Lsa*" ObjectValueName IN ("LmCompatibilityLevel", "NtlmMinClientSec", "RestrictSendingNTLMTraffic") | fields - _raw | collect index=notable_events source="NetNTLM Downgrade Attack" marker="guid=d3abac66-f11c-4ed0-8acb-50cc29c97eed,tags=attack.defense-evasion,tags=attack.t1562.001,tags=attack.t1112,"
+[Persistence and Execution at Scale via GPO Scheduled Task]
+description = Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="\\\\\*\\SYSVOL" RelativeTargetName="*ScheduledTasks.xml" AccessList IN ("*WriteData*", "*%%4417*") | fields - _raw | collect index=notable_events source="Persistence and Execution at Scale via GPO Scheduled Task" marker="guid=a8f29a7b-b137-4446-80a0-b804272f3da2,tags=attack.persistence,tags=attack.lateral-movement,tags=attack.t1053.005,"
+[DPAPI Domain Master Key Backup Attempt]
+description = Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4692 | table ComputerName,SubjectDomainName,SubjectUserName | fields - _raw | collect index=notable_events source="DPAPI Domain Master Key Backup Attempt" marker="guid=39a94fd1-8c9a-4ff6-bf22-c058762f8014,tags=attack.credential-access,tags=attack.t1003.004,"
+[Unauthorized System Time Modification]
+description = Detect scenarios where a potentially unauthorized application or user is modifying the system time.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4616 NOT (ProcessName IN ("C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", "C:\\Windows\\System32\\VBoxService.exe", "C:\\Windows\\System32\\oobe\\msoobe.exe") OR (ProcessName="C:\\Windows\\System32\\svchost.exe" SubjectUserSid="S-1-5-19")) | fields - _raw | collect index=notable_events source="Unauthorized System Time Modification" marker="guid=faa031b5-21ed-4e02-8881-2591f98d82ed,tags=attack.defense-evasion,tags=attack.t1070.006,"
+[Sysmon Channel Reference Deletion]
+description = Potential threat actor tampering with Sysmon manifest and eventually disabling it
+search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4657 ObjectName IN ("*WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}*", "*WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational*") ObjectValueName="Enabled" NewValue=0) OR (EventID=4663 ObjectName IN ("*WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}*", "*WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational*") AccessMask=65536) | fields - _raw | collect index=notable_events source="Sysmon Channel Reference Deletion" marker="guid=18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc,tags=attack.defense-evasion,tags=attack.t1112,"
+[Metasploit Or Impacket Service Installation Via SMB PsExec]
+description = Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceStartType=3 ServiceType="0x10" NOT ServiceName="PSEXESVC"\
+| regex ServiceFileName="^%systemroot%\\\\[a-zA-Z]{8}\\.exe$"\
+| regex ServiceName="(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)" | table ComputerName,SubjectDomainName,SubjectUserName,ServiceName,ServiceFileName | fields - _raw | collect index=notable_events source="Metasploit Or Impacket Service Installation Via SMB PsExec"
marker="guid=6fb63b40-e02a-403e-9ffd-3bcc1d749442,tags=attack.lateral-movement,tags=attack.t1021.002,tags=attack.t1570,tags=attack.execution,tags=attack.t1569.002,"
+[RDP over Reverse SSH Tunnel WFP]
+description = Detects svchost hosting RDP termsvcs communicating with the loopback address
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5156 (SourcePort=3389 DestAddress IN ("127.*", "::1")) OR (DestPort=3389 SourceAddress IN ("127.*", "::1")) NOT (FilterOrigin="AppContainer Loopback" OR Application IN ("*\\thor.exe", "*\\thor64.exe")) | fields - _raw | collect index=notable_events source="RDP over Reverse SSH Tunnel WFP" marker="guid=5bed80b6-b3e8-428e-a3ae-d3c757589e41,tags=attack.defense-evasion,tags=attack.command-and-control,tags=attack.lateral-movement,tags=attack.t1090.001,tags=attack.t1090.002,tags=attack.t1021.001,tags=car.2013-07-002,"
+[Potential Privileged System Service Operation - SeLoadDriverPrivilege]
+description = Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4673 PrivilegeList="SeLoadDriverPrivilege" Service="-" NOT (ProcessName IN ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\System32\\fltMC.exe", "C:\\Windows\\HelpPane.exe", "C:\\Windows\\System32\\mmc.exe", "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\wimserv.exe", "C:\\Windows\\System32\\RuntimeBroker.exe", "C:\\Windows\\System32\\SystemSettingsBroker.exe", "C:\\Windows\\explorer.exe") OR ProcessName IN ("*\\procexp64.exe", "*\\procexp.exe", "*\\procmon64.exe", "*\\procmon.exe", "*\\Google\\Chrome\\Application\\chrome.exe", "*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe") OR ProcessName="C:\\Program Files\\WindowsApps\\Microsoft*") | fields - _raw | collect index=notable_events source="Potential Privileged System Service Operation - SeLoadDriverPrivilege" marker="guid=f63508a0-c809-4435-b3be-ed819394d612,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Meterpreter or Cobalt Strike Getsystem Service Installation - Security]
+description = Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 (ServiceFileName="*/c*" ServiceFileName="*echo*" ServiceFileName="*\\pipe\\*" ServiceFileName IN ("*cmd*", "*%COMSPEC%*")) OR (ServiceFileName="*rundll32*" ServiceFileName="*.dll,a*" ServiceFileName="*/p:*") OR ServiceFileName="\\\\127.0.0.1\\ADMIN$\\*" | fields - _raw | collect index=notable_events source="Meterpreter or Cobalt Strike Getsystem Service Installation - Security" marker="guid=ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34,tags=attack.privilege-escalation,tags=attack.t1134.001,tags=attack.t1134.002,"
+[Uncommon Outbound Kerberos Connection - Security]
+description = Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via
delegation.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5156 DestPort=88 NOT (Application IN ("\\device\\harddiskvolume*", "C:*") Application="*\\Windows\\System32\\lsass.exe") NOT ((Application IN ("\\device\\harddiskvolume*", "C:*") Application IN ("*\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "*\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) OR (Application IN ("\\device\\harddiskvolume*", "C:*") Application IN ("*\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "*\\Program Files\\Mozilla Firefox\\firefox.exe")) OR Application="*\\tomcat\\bin\\tomcat8.exe") | fields - _raw | collect index=notable_events source="Uncommon Outbound Kerberos Connection - Security" marker="guid=eca91c7c-9214-47b9-b4c5-cb1d7e4f2350,tags=attack.lateral-movement,tags=attack.t1558.003,"
+[Invoke-Obfuscation Via Use MSHTA - Security]
+description = Detects Obfuscated Powershell via use MSHTA in Scripts
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*mshta*" ServiceFileName="*vbscript:createobject*" ServiceFileName="*.run*" ServiceFileName="*window.close*" | fields - _raw | collect index=notable_events source="Invoke-Obfuscation Via Use MSHTA - Security" marker="guid=9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001,"
+[ADCS Certificate Template Configuration Vulnerability]
+description = Detects certificate creation with template allowing risk permission subject
+search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4898 TemplateContent="*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*") OR (EventID=4899 NewTemplateContent="*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*") | fields - _raw | collect index=notable_events source="ADCS Certificate Template Configuration Vulnerability" marker="guid=5ee3a654-372f-11ec-8d3d-0242ac130003,tags=attack.privilege-escalation,tags=attack.credential-access,"
+[Processes Accessing
the Microphone and Webcam]
+description = Potential adversaries accessing the microphone and webcam in an endpoint.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4657, 4656, 4663) ObjectName IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged*", "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged*") | fields - _raw | collect index=notable_events source="Processes Accessing the Microphone and Webcam" marker="guid=8cd538a4-62d5-4e83-810b-12d41e428d6e,tags=attack.collection,tags=attack.t1123,"
+[ETW Logging Disabled In .NET Processes - Registry]
+description = Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4657 ObjectName="*\\SOFTWARE\\Microsoft\\.NETFramework" ObjectValueName="ETWEnabled" NewValue=0) OR (EventID=4657 ObjectName="*\\Environment*" ObjectValueName IN ("COMPlus_ETWEnabled", "COMPlus_ETWFlags") NewValue=0) | fields - _raw | collect index=notable_events source="ETW Logging Disabled In .NET Processes - Registry" marker="guid=a4c90ea1-2634-4ca0-adbb-35eae169b6fc,tags=attack.defense-evasion,tags=attack.t1112,tags=attack.t1562,"
+[Credential Dumping Tools Service Execution - Security]
+description = Detects well-known credential dumping tools execution via service execution events
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName IN ("*cachedump*", "*dumpsvc*", "*fgexec*", "*gsecdump*", "*mimidrv*", "*pwdump*", "*servpw*") | fields - _raw | collect index=notable_events source="Credential Dumping Tools Service Execution - Security"
marker="guid=f0d1feba-4344-4ca9-8121-a6c97bd6df52,tags=attack.credential-access,tags=attack.execution,tags=attack.t1003.001,tags=attack.t1003.002,tags=attack.t1003.004,tags=attack.t1003.005,tags=attack.t1003.006,tags=attack.t1569.002,tags=attack.s0005,"
+[ISO Image Mounted]
+description = Detects the mount of an ISO image on an endpoint
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4663 ObjectServer="Security" ObjectType="File" ObjectName="\\Device\\CdRom*" NOT (ObjectName IN ("\\Device\\CdRom0\\autorun.ico", "\\Device\\CdRom0\\setup.exe", "\\Device\\CdRom0\\setup64.exe")) | fields - _raw | collect index=notable_events source="ISO Image Mounted" marker="guid=0248a7bc-8a9a-4cd8-a57e-3ae8e073a073,tags=attack.initial-access,tags=attack.t1566.001,"
+[Windows Pcap Drivers]
+description = Detects Windows Pcap driver installation based on a list of associated .sys files.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName IN ("*pcap*", "*npcap*", "*npf*", "*nm3*", "*ndiscap*", "*nmnt*", "*windivert*", "*USBPcap*", "*pktmon*") | table EventID,ServiceFileName,Account_Name,Computer_Name,Originating_Computer,ServiceName | fields - _raw | collect index=notable_events source="Windows Pcap Drivers" marker="guid=7b687634-ab20-11ea-bb37-0242ac130002,tags=attack.discovery,tags=attack.credential-access,tags=attack.t1040,"
+[T1047 Wmiprvse Wbemcomn DLL Hijack]
+description = Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 RelativeTargetName="*\\wbem\\wbemcomn.dll" NOT SubjectUserName="*$" | fields - _raw | collect index=notable_events source="T1047 Wmiprvse Wbemcomn DLL Hijack" marker="guid=f6c68d5f-e101-4b86-8c84-7d96851fd65c,tags=attack.execution,tags=attack.t1047,tags=attack.lateral-movement,tags=attack.t1021.002," +[Mimikatz DC Sync] +description = Detects Mimikatz DC sync security events +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4662 Properties IN ("*Replicating Directory Changes All*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*9923a32a-3607-11d2-b9be-0000f87a36b2*", "*89e95b76-444d-4c62-991a-0facbeda640c*") AccessMask="0x100" NOT (SubjectDomainName="Window Manager" OR SubjectUserName IN ("NT AUT*", "MSOL_*") OR SubjectUserName="*$") | fields - _raw | collect index=notable_events source="Mimikatz DC Sync" marker="guid=611eab06-a145-4dfa-a295-3ccc5c20f59a,tags=attack.credential-access,tags=attack.s0002,tags=attack.t1003.006," +[Invoke-Obfuscation CLIP+ Launcher - Security] +description = Detects Obfuscated use of Clip.exe to execute PowerShell +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*cmd*" ServiceFileName="*&&*" ServiceFileName="*clipboard]::*" | fields - _raw | collect index=notable_events source="Invoke-Obfuscation CLIP+ Launcher - Security" marker="guid=4edf51e1-cb83-4e1a-bc39-800e396068e3,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Remote Access Tool Services Have Been Installed - Security] +description = Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceName IN ("*AmmyyAdmin*", "*Atera*", "*BASupportExpressSrvcUpdater*", "*BASupportExpressStandaloneService*", "*chromoting*", "*GoToAssist*", "*GoToMyPC*", "*jumpcloud*", "*LMIGuardianSvc*", "*LogMeIn*", "*monblanking*", "*Parsec*", "*RManService*", "*RPCPerformanceService*", "*RPCService*", "*SplashtopRemoteService*", "*SSUService*", "*TeamViewer*", "*TightVNC*", "*vncserver*", "*Zoho*") | fields - _raw | collect index=notable_events source="Remote Access Tool Services Have Been Installed - Security" marker="guid=c8b00925-926c-47e3-beea-298fd563728e,tags=attack.persistence,tags=attack.t1543.003,tags=attack.t1569.002," +[Replay Attack Detected] +description = Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4649 | fields - _raw | collect index=notable_events source="Replay Attack Detected" marker="guid=5a44727c-3b85-4713-8c44-4401d5499629,tags=attack.credential-access,tags=attack.t1558," +[Important Scheduled Task Deleted/Disabled] +description = Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4699, 4701) TaskName IN ("*\\Windows\\SystemRestore\\SR*", "*\\Windows\\Windows Defender\\*", "*\\Windows\\BitLocker*", "*\\Windows\\WindowsBackup\\*", "*\\Windows\\WindowsUpdate\\*", "*\\Windows\\UpdateOrchestrator\\Schedule*", "*\\Windows\\ExploitGuard*") NOT (EventID=4699 SubjectUserName="*$" TaskName="*\\Windows\\Windows Defender\\*") | fields - _raw | collect index=notable_events source="Important Scheduled Task Deleted/Disabled" 
marker="guid=7595ba94-cf3b-4471-aa03-4f6baa9e5fad,tags=attack.execution,tags=attack.privilege-escalation,tags=attack.persistence,tags=attack.t1053.005," +[Suspicious Scheduled Task Update] +description = Detects update to a scheduled task event that contain suspicious keywords. +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4702 TaskContentNew IN ("*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Users\\Public\\*", "*\\WINDOWS\\Temp\\*", "*C:\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Temporary Internet*", "*C:\\ProgramData\\*", "*C:\\Perflogs\\*") TaskContentNew IN ("*regsvr32*", "*rundll32*", "*cmd.exe*", "*cmd*", "*/c *", "*/k *", "*/r *", "*powershell*", "*pwsh*", "*mshta*", "*wscript*", "*cscript*", "*certutil*", "*bitsadmin*", "*bash.exe*", "*bash *", "*scrcons*", "*wmic *", "*wmic.exe*", "*forfiles*", "*scriptrunner*", "*hh.exe*") | fields - _raw | collect index=notable_events source="Suspicious Scheduled Task Update" marker="guid=614cf376-6651-47c4-9dcc-6b9527f749f4,tags=attack.execution,tags=attack.privilege-escalation,tags=attack.persistence,tags=attack.t1053.005," +[HackTool - NoFilter Execution] +description = Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators +search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=5447 FilterName="*RonPolicy*") OR (EventID=5449 ProviderContextName="*RonPolicy*") | fields - _raw | collect index=notable_events source="HackTool - NoFilter Execution" marker="guid=7b14c76a-c602-4ae6-9717-eff868153fc0,tags=attack.privilege-escalation,tags=attack.t1134,tags=attack.t1134.001," +[CobaltStrike Service Installations - Security] +description = Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 (ServiceFileName="*ADMIN$*" 
ServiceFileName="*.exe*") OR (ServiceFileName="*%COMSPEC%*" ServiceFileName="*start*" ServiceFileName="*powershell*") OR ServiceFileName="*powershell -nop -w hidden -encodedcommand*" OR ServiceFileName="*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*" OR ServiceFileName="*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*" OR ServiceFileName="*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*" | fields - _raw | collect index=notable_events source="CobaltStrike Service Installations - Security" marker="guid=d7a95147-145f-4678-b85d-d1ff4a3bb3f6,tags=attack.execution,tags=attack.privilege-escalation,tags=attack.lateral-movement,tags=attack.t1021.002,tags=attack.t1543.003,tags=attack.t1569.002," +[SMB Create Remote File Admin Share] +description = Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$). +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="*C$" AccessMask="0x2" NOT SubjectUserName="*$" | fields - _raw | collect index=notable_events source="SMB Create Remote File Admin Share" marker="guid=b210394c-ba12-4f89-9117-44a2464b9511,tags=attack.lateral-movement,tags=attack.t1021.002," +[Suspicious Windows ANONYMOUS LOGON Local Account Created] +description = Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts. 
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4720 SamAccountName="*ANONYMOUS*" SamAccountName="*LOGON*" | fields - _raw | collect index=notable_events source="Suspicious Windows ANONYMOUS LOGON Local Account Created" marker="guid=1bbf25b9-8038-4154-a50b-118f2a32be27,tags=attack.persistence,tags=attack.t1136.001,tags=attack.t1136.002," +[Kerberos Manipulation] +description = Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker. +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (675, 4768, 4769, 4771) Status IN ("0x9", "0xA", "0xB", "0xF", "0x10", "0x11", "0x13", "0x14", "0x1A", "0x1F", "0x21", "0x22", "0x23", "0x24", "0x26", "0x27", "0x28", "0x29", "0x2C", "0x2D", "0x2E", "0x2F", "0x31", "0x32", "0x3E", "0x3F", "0x40", "0x41", "0x43", "0x44") | fields - _raw | collect index=notable_events source="Kerberos Manipulation" marker="guid=f7644214-0eb0-4ace-9455-331ec4c09253,tags=attack.credential-access,tags=attack.t1212," +[SAM Registry Hive Handle Request] +description = Detects handles requested to SAM registry hive +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4656 ObjectType="Key" ObjectName="*\\SAM" | table ComputerName,SubjectDomainName,SubjectUserName,ProcessName,ObjectName | fields - _raw | collect index=notable_events source="SAM Registry Hive Handle Request" marker="guid=f8748f2c-89dc-4d95-afb0-5a2dfdbad332,tags=attack.discovery,tags=attack.t1012,tags=attack.credential-access,tags=attack.t1552.002," +[Invoke-Obfuscation RUNDLL LAUNCHER - Security] +description = Detects Obfuscated Powershell via RUNDLL LAUNCHER +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*rundll32.exe*" ServiceFileName="*shell32.dll*" ServiceFileName="*shellexec_rundll*" ServiceFileName="*powershell*" | fields - _raw | collect index=notable_events source="Invoke-Obfuscation RUNDLL LAUNCHER - Security" 
marker="guid=f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Possible PetitPotam Coerce Authentication Attempt] +description = Detect PetitPotam coerced authentication activity. +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="\\\\*" ShareName="*\\IPC$" RelativeTargetName="lsarpc" SubjectUserName="ANONYMOUS LOGON" | fields - _raw | collect index=notable_events source="Possible PetitPotam Coerce Authentication Attempt" marker="guid=1ce8c8a3-2723-48ed-8246-906ac91061a6,tags=attack.credential-access,tags=attack.t1187," +[Device Installation Blocked] +description = Detects an installation of a device that is forbidden by the system policy +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=6423 | fields - _raw | collect index=notable_events source="Device Installation Blocked" marker="guid=c9eb55c3-b468-40ab-9089-db2862e42137,tags=attack.initial-access,tags=attack.t1200," +[User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'] +description = The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4673 Service="LsaRegisterLogonProcess()" Keywords="0x8010000000000000" | fields - _raw | collect index=notable_events source="User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" marker="guid=6daac7fc-77d1-449a-a71a-e6b4d59a0e54,tags=attack.lateral-movement,tags=attack.privilege-escalation,tags=attack.t1558.003," +[Security Eventlog Cleared] +description = One of the Windows Eventlogs has been cleared. e.g. 
caused by "wevtutil cl" command execution +search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=517 etw_provider="Security") OR (EventID=1102 etw_provider="Microsoft-Windows-Eventlog") | fields - _raw | collect index=notable_events source="Security Eventlog Cleared" marker="guid=d99b79d2-0a6f-4f46-ad8b-260b6e17f982,tags=attack.defense-evasion,tags=attack.t1070.001,tags=car.2016-04-002," +[A New Trust Was Created To A Domain] +description = Addition of domains is seldom and should be verified for legitimacy. +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4706 | fields - _raw | collect index=notable_events source="A New Trust Was Created To A Domain" marker="guid=0255a820-e564-4e40-af2b-6ac61160335c,tags=attack.persistence,tags=attack.t1098," +[Possible Impacket SecretDump Remote Activity] +description = Detect AD credential dumping using impacket secretdump HKTL +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="\\\\\*\\ADMIN$" RelativeTargetName="*SYSTEM32\\*" RelativeTargetName="*.tmp*" | fields - _raw | collect index=notable_events source="Possible Impacket SecretDump Remote Activity" marker="guid=252902e3-5830-4cf6-bf21-c22083dfd5cf,tags=attack.credential-access,tags=attack.t1003.002,tags=attack.t1003.004,tags=attack.t1003.003," +[Remote Task Creation via ATSVC Named Pipe] +description = Detects remote task creation via at.exe or API interacting with ATSVC namedpipe +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="\\\\\*\\IPC$" RelativeTargetName="atsvc" AccessList="*WriteData*" | fields - _raw | collect index=notable_events source="Remote Task Creation via ATSVC Named Pipe" marker="guid=f6de6525-4509-495a-8a82-1f8b0ed73a00,tags=attack.lateral-movement,tags=attack.persistence,tags=car.2013-05-004,tags=car.2015-04-001,tags=attack.t1053.002," +[Invoke-Obfuscation COMPRESS OBFUSCATION - Security] +description = Detects Obfuscated Powershell via COMPRESS 
OBFUSCATION +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*new-object*" ServiceFileName="*text.encoding]::ascii*" ServiceFileName="*readtoend*" ServiceFileName IN ("*system.io.compression.deflatestream*", "*system.io.streamreader*") | fields - _raw | collect index=notable_events source="Invoke-Obfuscation COMPRESS OBFUSCATION - Security" marker="guid=7a922f1b-2635-4d6c-91ef-af228b198ad3,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Invoke-Obfuscation Via Use Clip - Security] +description = Detects Obfuscated Powershell via use Clip.exe in Scripts +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*(Clipboard|i*" | fields - _raw | collect index=notable_events source="Invoke-Obfuscation Via Use Clip - Security" marker="guid=1a0a2ff1-611b-4dac-8216-8a7b47c618a6,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Invoke-Obfuscation STDIN+ Launcher - Security] +description = Detects Obfuscated use of stdin to execute PowerShell +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*cmd*" ServiceFileName="*powershell*" ServiceFileName IN ("*${input}*", "*noexit*") ServiceFileName IN ("* /c *", "* /r *") | fields - _raw | collect index=notable_events source="Invoke-Obfuscation STDIN+ Launcher - Security" marker="guid=0c718a5e-4284-4fb9-b4d9-b9a50b3a1974,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[PowerShell Scripts Installed as Services - Security] +description = Detects powershell script installed as a Service +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName IN ("*powershell*", "*pwsh*") | fields - _raw | collect index=notable_events source="PowerShell Scripts Installed as Services - Security" 
marker="guid=2a926e6a-4b81-4011-8a96-e36cc8c04302,tags=attack.execution,tags=attack.t1569.002," +[Password Dumper Activity on LSASS] +description = Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4656 ProcessName="*\\lsass.exe" AccessMask="0x705" ObjectType="SAM_DOMAIN" | fields - _raw | collect index=notable_events source="Password Dumper Activity on LSASS" marker="guid=aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c,tags=attack.credential-access,tags=attack.t1003.001," +[Active Directory Replication from Non Machine Account] +description = Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials. +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4662 AccessMask="0x100" Properties IN ("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*") NOT (SubjectUserName IN ("*$", "MSOL_*")) | table ComputerName,SubjectDomainName,SubjectUserName | fields - _raw | collect index=notable_events source="Active Directory Replication from Non Machine Account" marker="guid=17d619c1-e020-4347-957e-1d1207455c93,tags=attack.credential-access,tags=attack.t1003.006," +[Suspicious Access to Sensitive File Extensions] +description = Detects known sensitive file extensions accessed on a network share +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 RelativeTargetName IN ("*.bak", "*.dmp", "*.edb", "*.kirbi", "*.msg", "*.nsf", "*.nst", "*.oab", "*.ost", "*.pst", "*.rdp", "*\\groups.xml") | fields - _raw | collect index=notable_events source="Suspicious Access to Sensitive File Extensions" marker="guid=91c945bc-2ad1-4799-a591-4d00198a1215,tags=attack.collection,tags=attack.t1039," +[DPAPI Domain Backup Key Extraction] +description = Detects tools extracting LSA secret DPAPI domain backup key from Domain 
Controllers +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4662 ObjectType="SecretObject" AccessMask="0x2" ObjectName="*BCKUPKEY*" | fields - _raw | collect index=notable_events source="DPAPI Domain Backup Key Extraction" marker="guid=4ac1f50b-3bd0-4968-902d-868b4647937e,tags=attack.credential-access,tags=attack.t1003.004," +[First Time Seen Remote Named Pipe] +description = This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="\\\\\*\\IPC$" NOT (RelativeTargetName IN ("atsvc", "samr", "lsarpc", "lsass", "winreg", "netlogon", "srvsvc", "protected_storage", "wkssvc", "browser", "netdfs", "svcctl", "spoolss", "ntsvcs", "LSM_API_service", "HydraLsPipe", "TermSrv_API_service", "MsFteWds", "sql\\query", "eventlog")) | fields - _raw | collect index=notable_events source="First Time Seen Remote Named Pipe" marker="guid=52d8b0c6-53d6-439a-9e41-52ad442ad9ad,tags=attack.lateral-movement,tags=attack.t1021.002," +[Password Policy Enumerated] +description = Detects when the password policy is enumerated. 
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4661 AccessList="*%%5392*" ObjectServer="Security Account Manager" | fields - _raw | collect index=notable_events source="Password Policy Enumerated" marker="guid=12ba6a38-adb3-4d6b-91ba-a7fb248e3199,tags=attack.discovery,tags=attack.t1201," +[Invoke-Obfuscation Via Use Rundll32 - Security] +description = Detects Obfuscated Powershell via use Rundll32 in Scripts +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*&&*" ServiceFileName="*rundll32*" ServiceFileName="*shell32.dll*" ServiceFileName="*shellexec_rundll*" ServiceFileName IN ("*value*", "*invoke*", "*comspec*", "*iex*") | fields - _raw | collect index=notable_events source="Invoke-Obfuscation Via Use Rundll32 - Security" marker="guid=cd0f7229-d16f-42de-8fe3-fba365fbcb3a,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Suspicious LDAP-Attributes Used] +description = Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies. 
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5136 AttributeValue="*" AttributeLDAPDisplayName IN ("primaryInternationalISDNNumber", "otherFacsimileTelephoneNumber", "primaryTelexNumber") | fields - _raw | collect index=notable_events source="Suspicious LDAP-Attributes Used" marker="guid=d00a9a72-2c09-4459-ad03-5e0a23351e36,tags=attack.t1001.003,tags=attack.command-and-control," +[Potentially Suspicious AccessMask Requested From LSASS] +description = Detects process handle on LSASS process with certain access mask +search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4656 ObjectName="*\\lsass.exe" AccessMask IN ("*0x40*", "*0x1400*", "*0x100000*", "*0x1410*", "*0x1010*", "*0x1438*", "*0x143a*", "*0x1418*", "*0x1f0fff*", "*0x1f1fff*", "*0x1f2fff*", "*0x1f3fff*")) OR (EventID=4663 ObjectName="*\\lsass.exe" AccessList IN ("*4484*", "*4416*")) NOT ((ProcessName IN ("*\\csrss.exe", "*\\GamingServices.exe", "*\\lsm.exe", "*\\MicrosoftEdgeUpdate.exe", "*\\minionhost.exe", "*\\MRT.exe", "*\\MsMpEng.exe", "*\\perfmon.exe", "*\\procexp.exe", "*\\procexp64.exe", "*\\svchost.exe", "*\\taskmgr.exe", "*\\thor.exe", "*\\thor64.exe", "*\\vmtoolsd.exe", "*\\VsTskMgr.exe", "*\\wininit.exe", "*\\wmiprvse.exe", "*RtkAudUService64") ProcessName IN ("*:\\Program Files (x86)\\*", "*:\\Program Files\\*", "*:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*", "*:\\Windows\\SysNative\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\SysWow64\\*", "*:\\Windows\\Temp\\asgard2-agent\\*")) OR ProcessName="*:\\Program Files*" OR ProcessName IN ("*:\\Windows\\System32\\taskhostw.exe", "*:\\Windows\\System32\\msiexec.exe", "*:\\Windows\\CCM\\CcmExec.exe") OR (ProcessName="*:\\Windows\\Sysmon64.exe" AccessList="*%%4484*") OR (ProcessName="*:\\Windows\\Temp\\asgard2-agent-sc\\aurora\\*" ProcessName="*\\aurora-agent-64.exe" AccessList="*%%4484*") OR (ProcessName="*\\x64\\SCENARIOENGINE.EXE" AccessList="*%%4484*") OR (ProcessName="*:\\Users\\*" 
ProcessName="*\\AppData\\Local\\Temp\\is-*" ProcessName="*\\avira_system_speedup.tmp" AccessList="*%%4484*") OR (ProcessName="*:\\Windows\\Temp\\*" ProcessName="*\\avira_speedup_setup_update.tmp" AccessList="*%%4484*") OR (ProcessName="*:\\Windows\\System32\\snmp.exe" AccessList="*%%4484*") OR (ProcessName="*:\\Windows\\SystemTemp\\*" ProcessName="*\\GoogleUpdate.exe" AccessList="*%%4484*")) NOT (ProcessName IN ("*\\procmon64.exe", "*\\procmon.exe") AccessList="*%%4484*") | fields - _raw | collect index=notable_events source="Potentially Suspicious AccessMask Requested From LSASS" marker="guid=4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76,tags=attack.credential-access,tags=car.2019-04-004,tags=attack.t1003.001," +[Tap Driver Installation - Security] +description = Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques. +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*tap0901*" | fields - _raw | collect index=notable_events source="Tap Driver Installation - Security" marker="guid=9c8afa4d-0022-48f0-9456-3712466f9701,tags=attack.exfiltration,tags=attack.t1048," +[Suspicious Kerberos RC4 Ticket Encryption] +description = Detects service ticket requests using RC4 encryption type +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4769 TicketOptions="0x40810000" TicketEncryptionType="0x17" NOT ServiceName="*$" | fields - _raw | collect index=notable_events source="Suspicious Kerberos RC4 Ticket Encryption" marker="guid=496a0e47-0a33-4dca-b009-9e6ca3591f39,tags=attack.credential-access,tags=attack.t1558.003," +[Potential AD User Enumeration From Non-Machine Account] +description = Detects read access to a domain user from a non-machine account +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4662 ObjectType="*bf967aba-0de6-11d0-a285-00aa003049e2*" AccessMask IN ("*1*", "*3*", "*4*", "*7*", "*9*", 
"*B*", "*D*", "*F*") NOT (SubjectUserName IN ("*$", "MSOL_*")) | fields - _raw | collect index=notable_events source="Potential AD User Enumeration From Non-Machine Account" marker="guid=ab6bffca-beff-4baa-af11-6733f296d57a,tags=attack.discovery,tags=attack.t1087.002," +[Protected Storage Service Access] +description = Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="*IPC*" RelativeTargetName="protected_storage" | fields - _raw | collect index=notable_events source="Protected Storage Service Access" marker="guid=45545954-4016-43c6-855e-eae8f1c369dc,tags=attack.lateral-movement,tags=attack.t1021.002," +[Invoke-Obfuscation VAR+ Launcher - Security] +description = Detects Obfuscated use of Environment Variables to execute PowerShell +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*cmd*" ServiceFileName="*\"set*" ServiceFileName="*-f*" ServiceFileName IN ("*/c*", "*/r*") | fields - _raw | collect index=notable_events source="Invoke-Obfuscation VAR+ Launcher - Security" marker="guid=dcf2db1f-f091-425b-a821-c05875b8925a,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001," +[Remote Service Activity via SVCCTL Named Pipe] +description = Detects remote service activity via remote access to the svcctl named pipe +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="\\\\\*\\IPC$" RelativeTargetName="svcctl" AccessList="*WriteData*" | fields - _raw | collect index=notable_events source="Remote Service Activity via SVCCTL Named Pipe" marker="guid=586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3,tags=attack.lateral-movement,tags=attack.persistence,tags=attack.t1021.002," +[Windows Defender Exclusion Deleted] +description = Detects when a Windows Defender exclusion has been deleted. 
This could indicate an attacker trying to delete their tracks by removing the added exclusions +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4660 ObjectName="*\\Microsoft\\Windows Defender\\Exclusions\\*" | fields - _raw | collect index=notable_events source="Windows Defender Exclusion Deleted" marker="guid=a33f8808-2812-4373-ae95-8cfb82134978,tags=attack.defense-evasion,tags=attack.t1562.001," +[HybridConnectionManager Service Installation] +description = Rule to detect the Hybrid Connection Manager service installation. +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceName="HybridConnectionManager" ServiceFileName="*HybridConnectionManager*" | fields - _raw | collect index=notable_events source="HybridConnectionManager Service Installation" marker="guid=0ee4d8a5-4e67-4faf-acfa-62a78457d1f2,tags=attack.persistence,tags=attack.t1554," +[WCE wceaux.dll Access] +description = Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4656, 4658, 4660, 4663) ObjectName="*\\wceaux.dll" | fields - _raw | collect index=notable_events source="WCE wceaux.dll Access" marker="guid=1de68c67-af5c-4097-9c85-fe5578e09e67,tags=attack.credential-access,tags=attack.t1003,tags=attack.s0005," +[Hacktool Ruler] +description = This events that are generated when using the hacktool Ruler by Sensepost +search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4776 Workstation="RULER") OR (EventID IN (4624, 4625) WorkstationName="RULER") | fields - _raw | collect index=notable_events source="Hacktool Ruler" marker="guid=24549159-ac1b-479c-8175-d42aea947cae,tags=attack.discovery,tags=attack.execution,tags=attack.t1087,tags=attack.t1114,tags=attack.t1059,tags=attack.t1550.002," +[Azure AD Health Service Agents Registry Keys Access] +description = This detection uses Windows security events to detect suspicious access 
attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys. +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4656, 4663) ObjectType="Key" ObjectName="\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent" NOT (ProcessName IN ("*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*", "*Microsoft.Identity.Health.Adfs.InsightsService.exe*", "*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*", "*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*", "*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*")) | fields - _raw | collect index=notable_events source="Azure AD Health Service Agents Registry Keys Access" marker="guid=1d2ab8ac-1a01-423b-9c39-001510eae8e8,tags=attack.discovery,tags=attack.t1012," +[Windows Defender Exclusion Reigstry Key - Write Access Requested] +description = Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security. 
+search = index=evtx _index_earliest=-1h@h Channel="Security" AccessList IN ("*%%4417*", "*%%4418*") EventID IN (4656, 4663) ObjectName="*\\Microsoft\\Windows Defender\\Exclusions\\*" | fields - _raw | collect index=notable_events source="Windows Defender Exclusion Reigstry Key - Write Access Requested" marker="guid=e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d,tags=attack.defense-evasion,tags=attack.t1562.001," +[Suspicious Remote Logon with Explicit Credentials] +description = Detects suspicious processes logging on with explicit credentials +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4648 ProcessName IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\winrs.exe", "*\\wmic.exe", "*\\net.exe", "*\\net1.exe", "*\\reg.exe") NOT (TargetServerName="localhost" OR (SubjectUserName="*$" TargetUserName="*$")) | fields - _raw | collect index=notable_events source="Suspicious Remote Logon with Explicit Credentials" marker="guid=941e5c45-cda7-4864-8cea-bbb7458d194a,tags=attack.t1078,tags=attack.lateral-movement," +[Active Directory User Backdoors] +description = Detects scenarios where one can control another users or computers account without having to use their credentials. 
+search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4738 NOT (AllowedToDelegateTo IN ("", "-") OR AllowedToDelegateTo!=*)) OR (EventID=5136 AttributeLDAPDisplayName="msDS-AllowedToDelegateTo") OR (EventID=5136 ObjectClass="user" AttributeLDAPDisplayName="servicePrincipalName") OR (EventID=5136 AttributeLDAPDisplayName="msDS-AllowedToActOnBehalfOfOtherIdentity") | fields - _raw | collect index=notable_events source="Active Directory User Backdoors" marker="guid=300bac00-e041-4ee2-9c36-e262656a6ecc,tags=attack.t1098,tags=attack.persistence," +[ADCS Certificate Template Configuration Vulnerability with Risky EKU] +description = Detects certificate creation with template allowing risk permission subject and risky EKU +search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4898 TemplateContent IN ("*1.3.6.1.5.5.7.3.2*", "*1.3.6.1.5.2.3.4*", "*1.3.6.1.4.1.311.20.2.2*", "*2.5.29.37.0*") TemplateContent="*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*") OR (EventID=4899 NewTemplateContent IN ("*1.3.6.1.5.5.7.3.2*", "*1.3.6.1.5.2.3.4*", "*1.3.6.1.4.1.311.20.2.2*", "*2.5.29.37.0*") NewTemplateContent="*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*") | fields - _raw | collect index=notable_events source="ADCS Certificate Template Configuration Vulnerability with Risky EKU" marker="guid=bfbd3291-de87-4b7c-88a2-d6a5deb28668,tags=attack.privilege-escalation,tags=attack.credential-access," +[Windows Event Auditing Disabled] +description = Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". 
Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways. +search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4719 AuditPolicyChanges IN ("*%%8448*", "*%%8450*") NOT (SubcategoryGuid IN ("{0CCE9210-69AE-11D9-BED3-505054503030}", "{0CCE9211-69AE-11D9-BED3-505054503030}", "{0CCE9212-69AE-11D9-BED3-505054503030}", "{0CCE9215-69AE-11D9-BED3-505054503030}", "{0CCE9217-69AE-11D9-BED3-505054503030}", "{0CCE921B-69AE-11D9-BED3-505054503030}", "{0CCE922B-69AE-11D9-BED3-505054503030}", "{0CCE922F-69AE-11D9-BED3-505054503030}", "{0CCE9230-69AE-11D9-BED3-505054503030}", "{0CCE9235-69AE-11D9-BED3-505054503030}", "{0CCE9236-69AE-11D9-BED3-505054503030}", "{0CCE9237-69AE-11D9-BED3-505054503030}", "{0CCE923F-69AE-11D9-BED3-505054503030}", "{0CCE9240-69AE-11D9-BED3-505054503030}", "{0CCE9242-69AE-11D9-BED3-505054503030}")) | fields - _raw | collect index=notable_events source="Windows Event Auditing Disabled" marker="guid=69aeb277-f15f-4d2d-b32a-55e883609563,tags=attack.defense-evasion,tags=attack.t1562.002," +[Possible DC Shadow Attack] +description = Detects DCShadow via create new SPN +search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4742 ServicePrincipalNames="*GC/*") OR (EventID=5136 AttributeLDAPDisplayName="servicePrincipalName" AttributeValue="GC/*") | fields - _raw | collect index=notable_events source="Possible DC Shadow Attack" marker="guid=32e19d25-4aed-4860-a55a-be99cb0bf7ed,tags=attack.credential-access,tags=attack.t1207," +[New or Renamed User Account with '$' Character] +description = Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms. 
+search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4720 SamAccountName="*$*") OR (EventID=4781 NewTargetUserName="*$*") NOT (EventID=4720 TargetUserName="HomeGroupUser$") | fields - _raw | collect index=notable_events source="New or Renamed User Account with '$' Character" marker="guid=cfeed607-6aa4-4bbd-9627-b637deb723c8,tags=attack.defense-evasion,tags=attack.t1036,"
+[Password Protected ZIP File Opened]
+description = Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5379 TargetName="*Microsoft_Windows_Shell_ZipFolder:filename*" NOT TargetName="*\\Temporary Internet Files\\Content.Outlook*" | fields - _raw | collect index=notable_events source="Password Protected ZIP File Opened" marker="guid=00ba9da1-b510-4f6b-b258-8d338836180f,tags=attack.defense-evasion,tags=attack.t1027,"
+[Weak Encryption Enabled and Kerberoast]
+description = Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4738 (NewUacValue IN ("*8***", "*9***", "*A***", "*B***", "*C***", "*D***", "*E***", "*F***") NOT (OldUacValue IN ("*8***", "*9***", "*A***", "*B***", "*C***", "*D***", "*E***", "*F***"))) OR (NewUacValue IN ("*1****", "*3****", "*5****", "*7****", "*9****", "*B****", "*D****", "*F****") NOT (OldUacValue IN ("*1****", "*3****", "*5****", "*7****", "*9****", "*B****", "*D****", "*F****"))) OR (NewUacValue IN ("*8**", "*9**", "*A**", "*B**", "*C**", "*D**", "*E**", "*F**") NOT (OldUacValue IN ("*8**", "*9**", "*A**", "*B**", "*C**", "*D**", "*E**", "*F**"))) | fields - _raw | collect index=notable_events source="Weak Encryption Enabled and Kerberoast" marker="guid=f6de9536-0441-4b3f-a646-f4e00f300ffd,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[SysKey Registry Keys Access]
+description = Detects handle requests and access operations to specific registry keys to calculate the SysKey
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4656, 4663) ObjectType="key" ObjectName IN ("*lsa\\JD", "*lsa\\GBG", "*lsa\\Skew1", "*lsa\\Data") | fields - _raw | collect index=notable_events source="SysKey Registry Keys Access" marker="guid=9a4ff3b8-6187-4fd2-8e8b-e0eae1129495,tags=attack.discovery,tags=attack.t1012,"
+[Password Protected ZIP File Opened (Suspicious Filenames)]
+description = Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5379 TargetName="*Microsoft_Windows_Shell_ZipFolder:filename*" TargetName IN ("*invoice*", "*new order*", "*rechnung*", "*factura*", "*delivery*", "*purchase*", "*order*", "*payment*") | fields - _raw | collect index=notable_events source="Password Protected ZIP File Opened (Suspicious Filenames)" marker="guid=54f0434b-726f-48a1-b2aa-067df14516e4,tags=attack.command-and-control,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.t1105,tags=attack.t1036,"
+[Password Protected ZIP File Opened (Email Attachment)]
+description = Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5379 TargetName="*Microsoft_Windows_Shell_ZipFolder:filename*" TargetName="*\\Temporary Internet Files\\Content.Outlook*" | fields - _raw | collect index=notable_events source="Password Protected ZIP File Opened (Email Attachment)" marker="guid=571498c8-908e-40b4-910b-d2369159a3da,tags=attack.defense-evasion,tags=attack.initial-access,tags=attack.t1027,tags=attack.t1566.001,"
+[External Disk Drive Or USB Storage Device Was Recognized By The System]
+description = Detects external disk drives or plugged-in USB devices.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=6416 ClassName="DiskDrive" OR DeviceDescription="USB Mass Storage Device" | fields - _raw | collect index=notable_events source="External Disk Drive Or USB Storage Device Was Recognized By The System" marker="guid=f69a87ea-955e-4fb4-adb2-bb9fd6685632,tags=attack.t1091,tags=attack.t1200,tags=attack.lateral-movement,tags=attack.initial-access,"
+[Azure AD Health Monitoring Agent Registry Keys Access]
+description = This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4656, 4663) ObjectType="Key" ObjectName="\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent" NOT (ProcessName IN ("*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*", "*Microsoft.Identity.Health.Adfs.InsightsService.exe*", "*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*", "*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*", "*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*")) | fields - _raw | collect index=notable_events source="Azure AD Health Monitoring Agent Registry Keys Access" marker="guid=ff151c33-45fa-475d-af4f-c2f93571f4fe,tags=attack.discovery,tags=attack.t1012,"
+[WMI Persistence - Security]
+description = Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4662 ObjectType="WMI Namespace" ObjectName="*subscription*" | fields - _raw | collect index=notable_events source="WMI Persistence - Security" marker="guid=f033f3f3-fd24-4995-97d8-a3bb17550a88,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1546.003,"
+[Suspicious Teams Application Related ObjectAcess Event]
+description = Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4663 ObjectName IN ("*\\Microsoft\\Teams\\Cookies*", "*\\Microsoft\\Teams\\Local Storage\\leveldb*") NOT ProcessName="*\\Microsoft\\Teams\\current\\Teams.exe*" | fields - _raw | collect index=notable_events source="Suspicious Teams Application Related ObjectAcess Event" marker="guid=25cde13e-8e20-4c29-b949-4e795b76f16f,tags=attack.credential-access,tags=attack.t1528,"
+[DCOM InternetExplorer.Application Iertutil DLL Hijack - Security]
+description = Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 RelativeTargetName="*\\Internet Explorer\\iertutil.dll" NOT SubjectUserName="*$" | fields - _raw | collect index=notable_events source="DCOM InternetExplorer.Application Iertutil DLL Hijack - Security" marker="guid=c39f0c81-7348-4965-ab27-2fde35a1b641,tags=attack.lateral-movement,tags=attack.t1021.002,tags=attack.t1021.003,"
+[Failed Code Integrity Checks]
+description = Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (5038, 6281) | fields - _raw | collect index=notable_events source="Failed Code Integrity Checks" marker="guid=470ec5fa-7b4e-4071-b200-4c753100f49b,tags=attack.defense-evasion,tags=attack.t1027.001,"
+[HackTool - EDRSilencer Execution - Filter Added]
+description = Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (5441, 5447) FilterName="*Custom Outbound Filter*" | fields - _raw | collect index=notable_events source="HackTool - EDRSilencer Execution - Filter Added" marker="guid=98054878-5eab-434c-85d4-72d4e5a3361b,tags=attack.defense-evasion,tags=attack.t1562,"
+[Remote PowerShell Sessions Network Connections (WinRM)]
+description = Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5156 DestPort IN (5985, 5986) LayerRTID=44 | fields - _raw | collect index=notable_events source="Remote PowerShell Sessions Network Connections (WinRM)" marker="guid=13acf386-b8c6-4fe0-9a6e-c4756b974698,tags=attack.execution,tags=attack.t1059.001,"
+[Suspicious PsExec Execution]
+description = detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="\\\\\*\\IPC$" RelativeTargetName IN ("*-stdin", "*-stdout", "*-stderr") NOT RelativeTargetName="PSEXESVC*" | fields - _raw | collect index=notable_events source="Suspicious PsExec Execution" marker="guid=c462f537-a1e3-41a6-b5fc-b2c2cef9bf82,tags=attack.lateral-movement,tags=attack.t1021.002,"
+[LSASS Access From Non System Account]
+description = Detects potential mimikatz-like tools accessing LSASS from non system account
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4663, 4656) AccessMask IN ("0x100000", "0x1010", "0x1400", "0x1410", "0x1418", "0x1438", "0x143a", "0x1f0fff", "0x1f1fff", "0x1f2fff", "0x1f3fff", "0x40", "143a", "1f0fff", "1f1fff", "1f2fff", "1f3fff") ObjectType="Process" ObjectName="*\\lsass.exe" NOT (SubjectUserName="*$" OR ProcessName IN ("*:\\Program Files\\*",
"*:\\Program Files (x86)\\*") OR (ProcessName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" AccessMask="0x1410")) NOT ProcessName="*\\SteamLibrary\\steamapps\\*" | fields - _raw | collect index=notable_events source="LSASS Access From Non System Account" marker="guid=962fe167-e48d-4fd6-9974-11e5b9a5d6d1,tags=attack.credential-access,tags=attack.t1003.001,"
+[Windows Defender Exclusion List Modified]
+description = Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4657 ObjectName="*\\Microsoft\\Windows Defender\\Exclusions\\*" | fields - _raw | collect index=notable_events source="Windows Defender Exclusion List Modified" marker="guid=46a68649-f218-4f86-aea1-16a759d81820,tags=attack.defense-evasion,tags=attack.t1562.001,"
+[Access To ADMIN$ Network Share]
+description = Detects access to ADMIN$ network share
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5140 ShareName="Admin$" NOT SubjectUserName="*$" | fields - _raw | collect index=notable_events source="Access To ADMIN$ Network Share" marker="guid=098d7118-55bc-4912-a836-dc6483a8d150,tags=attack.lateral-movement,tags=attack.t1021.002,"
+[DCERPC SMB Spoolss Named Pipe]
+description = Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="\\\\\*\\IPC$" RelativeTargetName="spoolss" | fields - _raw | collect index=notable_events source="DCERPC SMB Spoolss Named Pipe" marker="guid=214e8f95-100a-4e04-bb31-ef6cba8ce07e,tags=attack.lateral-movement,tags=attack.t1021.002,"
+[Enabled User Right in AD to Control User Objects]
+description = Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4704 PrivilegeList="*SeEnableDelegationPrivilege*" | fields - _raw | collect index=notable_events source="Enabled User Right in AD to Control User Objects" marker="guid=311b6ce2-7890-4383-a8c2-663a9f6b43cd,tags=attack.persistence,tags=attack.t1098,"
+[Local User Creation]
+description = Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4720 | fields - _raw | collect index=notable_events source="Local User Creation" marker="guid=66b6be3d-55d0-4f47-9855-d69df21740ea,tags=attack.persistence,tags=attack.t1136.001,"
+[Hidden Local User Creation]
+description = Detects the creation of a local hidden user account which should not happen for event ID 4720.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4720 TargetUserName="*$" NOT TargetUserName="HomeGroupUser$" | fields - _raw | collect index=notable_events source="Hidden Local User Creation" marker="guid=7b449a5e-1db5-4dd0-a2dc-4e3a67282538,tags=attack.persistence,tags=attack.t1136.001,"
+[Invoke-Obfuscation Via Stdin - Security]
+description = Detects Obfuscated Powershell via Stdin in Scripts
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*set*" ServiceFileName="*&&*" ServiceFileName IN ("*environment*", "*invoke*", "*${input)*") | fields - _raw | collect index=notable_events source="Invoke-Obfuscation Via Stdin - Security" marker="guid=80b708f3-d034-40e4-a6c8-d23b7a7db3d1,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001,"
+[Windows Network Access Suspicious desktop.ini Action]
+description = Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ObjectType="File" RelativeTargetName="*\\desktop.ini" AccessList IN ("*WriteData*", "*DELETE*", "*WriteDAC*", "*AppendData*", "*AddSubdirectory*") | fields - _raw | collect index=notable_events source="Windows Network Access Suspicious desktop.ini Action" marker="guid=35bc7e28-ee6b-492f-ab04-da58fcf6402e,tags=attack.persistence,tags=attack.t1547.009,"
+[PetitPotam Suspicious Kerberos TGT Request]
+description = Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.
This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4768 TargetUserName="*$" CertThumbprint="*" NOT (IpAddress="::1" OR CertThumbprint="") | fields - _raw | collect index=notable_events source="PetitPotam Suspicious Kerberos TGT Request" marker="guid=6a53d871-682d-40b6-83e0-b7c1a6c4e3a5,tags=attack.credential-access,tags=attack.t1187,"
+[Add or Remove Computer from DC]
+description = Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4741, 4743) | fields - _raw | collect index=notable_events source="Add or Remove Computer from DC" marker="guid=20d96d95-5a20-4cf1-a483-f3bda8a7c037,tags=attack.defense-evasion,tags=attack.t1207,"
+[Important Windows Event Auditing Disabled]
+description = Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
+search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4719 SubcategoryGuid IN ("{0CCE9210-69AE-11D9-BED3-505054503030}", "{0CCE9211-69AE-11D9-BED3-505054503030}", "{0CCE9212-69AE-11D9-BED3-505054503030}", "{0CCE9215-69AE-11D9-BED3-505054503030}", "{0CCE921B-69AE-11D9-BED3-505054503030}", "{0CCE922B-69AE-11D9-BED3-505054503030}", "{0CCE922F-69AE-11D9-BED3-505054503030}", "{0CCE9230-69AE-11D9-BED3-505054503030}", "{0CCE9235-69AE-11D9-BED3-505054503030}", "{0CCE9236-69AE-11D9-BED3-505054503030}", "{0CCE9237-69AE-11D9-BED3-505054503030}", "{0CCE923F-69AE-11D9-BED3-505054503030}", "{0CCE9240-69AE-11D9-BED3-505054503030}", "{0CCE9242-69AE-11D9-BED3-505054503030}") AuditPolicyChanges IN ("*%%8448*", "*%%8450*")) OR (EventID=4719 SubcategoryGuid="{0CCE9217-69AE-11D9-BED3-505054503030}" AuditPolicyChanges="*%%8448*") | fields - _raw | collect index=notable_events source="Important Windows Event Auditing Disabled" marker="guid=ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1,tags=attack.defense-evasion,tags=attack.t1562.002,"
+[Reconnaissance Activity]
+description = Detects activity as "net user administrator /domain" and "net group domain admins /domain"
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4661 AccessMask="0x2d" ObjectType IN ("SAM_USER", "SAM_GROUP") ObjectName="S-1-5-21-*" ObjectName IN ("*-500", "*-512") | fields - _raw | collect index=notable_events source="Reconnaissance Activity" marker="guid=968eef52-9cff-4454-8992-1e74b9cbad6c,tags=attack.discovery,tags=attack.t1087.002,tags=attack.t1069.002,tags=attack.s0039,"
+[Secure Deletion with SDelete]
+description = Detects renaming of file while deletion with SDelete tool.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4656, 4663, 4658) ObjectName IN ("*.AAA", "*.ZZZ") | fields - _raw | collect index=notable_events source="Secure Deletion with SDelete" marker="guid=39a80702-d7ca-4a83-b776-525b1f86a36d,tags=attack.impact,tags=attack.defense-evasion,tags=attack.t1070.004,tags=attack.t1027.005,tags=attack.t1485,tags=attack.t1553.002,tags=attack.s0195,"
+[Addition of SID History to Active Directory Object]
+description = An attacker can use the SID history attribute to gain additional privileges.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4765, 4766) OR (EventID=4738 NOT (SidHistory IN ("-", "%%1793")) NOT SidHistory!=*) | fields - _raw | collect index=notable_events source="Addition of SID History to Active Directory Object" marker="guid=2632954e-db1c-49cb-9936-67d1ef1d17d2,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1134.005,"
+[AD Privileged Users or Groups Reconnaissance]
+description = Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4661 ObjectType IN ("SAM_USER", "SAM_GROUP") ObjectName IN ("*-512", "*-502", "*-500", "*-505", "*-519", "*-520", "*-544", "*-551", "*-555") OR ObjectName="*admin*" NOT SubjectUserName="*$" | fields - _raw | collect index=notable_events source="AD Privileged Users or Groups Reconnaissance" marker="guid=35ba1d85-724d-42a3-889f-2e2362bcaf23,tags=attack.discovery,tags=attack.t1087.002,"
+[Win Susp Computer Name Containing Samtheadmin]
+description = Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
+search = index=evtx _index_earliest=-1h@h Channel="Security" (SamAccountName="SAMTHEADMIN-*" SamAccountName="*$") OR (TargetUserName="SAMTHEADMIN-*" TargetUserName="*$") | table EventID,SamAccountName,SubjectUserName,TargetUserName | fields - _raw | collect index=notable_events
source="Win Susp Computer Name Containing Samtheadmin" marker="guid=39698b3f-da92-4bc6-bfb5-645a98386e45,tags=cve.2021-42278,tags=cve.2021-42287,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1078,"
+[Powerview Add-DomainObjectAcl DCSync AD Extend Right]
+description = Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5136 AttributeLDAPDisplayName="ntSecurityDescriptor" AttributeValue IN ("*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*") NOT (ObjectClass IN ("dnsNode", "dnsZoneScope", "dnsZone")) | fields - _raw | collect index=notable_events source="Powerview Add-DomainObjectAcl DCSync AD Extend Right" marker="guid=2c99737c-585d-4431-b61a-c911d86ff32f,tags=attack.persistence,tags=attack.t1098,"
+[AD Object WriteDAC Access]
+description = Detects WRITE_DAC access to a domain object
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4662 ObjectServer="DS" AccessMask="0x40000" ObjectType IN ("19195a5b-6da0-11d0-afd3-00c04fd930c9", "domainDNS") | fields - _raw | collect index=notable_events source="AD Object WriteDAC Access" marker="guid=028c7842-4243-41cd-be6f-12f3cf1a26c7,tags=attack.defense-evasion,tags=attack.t1222.001,"
+[Impacket PsExec Execution]
+description = Detects execution of Impacket's psexec.py.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5145 ShareName="\\\\\*\\IPC$" RelativeTargetName IN ("*RemCom_stdin*", "*RemCom_stdout*", "*RemCom_stderr*") | fields - _raw | collect index=notable_events source="Impacket PsExec Execution" marker="guid=32d56ea1-417f-44ff-822b-882873f5f43b,tags=attack.lateral-movement,tags=attack.t1021.002,"
+[Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security]
+description = Detects Obfuscated Powershell via VAR++ LAUNCHER
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4697 ServiceFileName="*&&set*" ServiceFileName="*cmd*" ServiceFileName="*/c*" ServiceFileName="*-f*" ServiceFileName IN ("*{0}*", "*{1}*", "*{2}*", "*{3}*", "*{4}*", "*{5}*") | fields - _raw | collect index=notable_events source="Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" marker="guid=4c54ba8f-73d2-4d40-8890-d9cf1dca3d30,tags=attack.defense-evasion,tags=attack.t1027,tags=attack.execution,tags=attack.t1059.001,"
+[Password Change on Directory Service Restore Mode (DSRM) Account]
+description = Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4794 | fields - _raw | collect index=notable_events source="Password Change on Directory Service Restore Mode (DSRM) Account" marker="guid=53ad8e36-f573-46bf-97e4-15ba5bf4bb51,tags=attack.persistence,tags=attack.t1098,"
+[User Logoff Event]
+description = Detects a user log-off activity.
Could be used for example to correlate information during forensic investigations
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4634, 4647) | fields - _raw | collect index=notable_events source="User Logoff Event" marker="guid=0badd08f-c6a3-4630-90d3-6875cca440be,tags=attack.impact,tags=attack.t1531,"
+[SCM Database Privileged Operation]
+description = Detects non-system users performing privileged operation os the SCM database
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4674 ObjectType="SC_MANAGER OBJECT" ObjectName="servicesactive" PrivilegeList="SeTakeOwnershipPrivilege" NOT (SubjectLogonId="0x3e4" ProcessName="*:\\Windows\\System32\\services.exe") | fields - _raw | collect index=notable_events source="SCM Database Privileged Operation" marker="guid=dae8171c-5ec6-4396-b210-8466585b53e9,tags=attack.privilege-escalation,tags=attack.t1548,"
+[Potential Privilege Escalation via Local Kerberos Relay over LDAP]
+description = Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4624 LogonType=3 AuthenticationPackageName="Kerberos" IpAddress="127.0.0.1" TargetUserSid="S-1-5-21-*" TargetUserSid="*-500" | fields - _raw | collect index=notable_events source="Potential Privilege Escalation via Local Kerberos Relay over LDAP" marker="guid=749c9f5e-b353-4b90-a9c1-05243357ca4b,tags=attack.privilege-escalation,tags=attack.credential-access,tags=attack.t1548,"
+[A Security-Enabled Global Group Was Deleted]
+description = Detects activity when a security-enabled global group is deleted
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4730, 634) | fields - _raw | collect index=notable_events source="A Security-Enabled Global Group Was Deleted" marker="guid=b237c54b-0f15-4612-a819-44b735e0de27,tags=attack.persistence,tags=attack.t1098,"
+[A Member Was Removed From a Security-Enabled Global Group]
+description = Detects activity when a member is removed from a security-enabled global group
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (633, 4729) | fields - _raw | collect index=notable_events source="A Member Was Removed From a Security-Enabled Global Group" marker="guid=02c39d30-02b5-45d2-b435-8aebfe5a8629,tags=attack.persistence,tags=attack.t1098,"
+[RottenPotato Like Attack Pattern]
+description = Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4624 LogonType=3 TargetUserName="ANONYMOUS LOGON" WorkstationName="-" IpAddress IN ("127.0.0.1", "::1") | fields - _raw | collect index=notable_events source="RottenPotato Like Attack Pattern" marker="guid=16f5d8ca-44bd-47c8-acbe-6fc95a16c12f,tags=attack.privilege-escalation,tags=attack.credential-access,tags=attack.t1557.001,"
+[RDP Login from Localhost]
+description = RDP login with localhost source address may be a tunnelled login
+search = index=evtx
_index_earliest=-1h@h Channel="Security" EventID=4624 LogonType=10 IpAddress IN ("::1", "127.0.0.1") | fields - _raw | collect index=notable_events source="RDP Login from Localhost" marker="guid=51e33403-2a37-4d66-a574-1fda1782cc31,tags=attack.lateral-movement,tags=car.2013-07-002,tags=attack.t1021.001,"
+[Successful Overpass the Hash Attempt]
+description = Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4624 LogonType=9 LogonProcessName="seclogo" AuthenticationPackageName="Negotiate" | fields - _raw | collect index=notable_events source="Successful Overpass the Hash Attempt" marker="guid=192a0330-c20b-4356-90b6-7b7049ae0b87,tags=attack.lateral-movement,tags=attack.s0002,tags=attack.t1550.002,"
+[Outgoing Logon with New Credentials]
+description = Detects logon events that specify new credentials
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4624 LogonType=9 | fields - _raw | collect index=notable_events source="Outgoing Logon with New Credentials" marker="guid=def8b624-e08f-4ae1-8612-1ba21190da6b,tags=attack.defense-evasion,tags=attack.lateral-movement,tags=attack.t1550,"
+[Potential Access Token Abuse]
+description = Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4624 LogonType=9 LogonProcessName="Advapi" AuthenticationPackageName="Negotiate" ImpersonationLevel="%%1833" | fields - _raw | collect index=notable_events source="Potential Access Token Abuse" marker="guid=02f7c9c1-1ae8-4c6a-8add-04693807f92f,tags=attack.defense-evasion,tags=attack.privilege-escalation,tags=attack.t1134.001,tags=stp.4u,"
+[A Member Was Added to a Security-Enabled Global Group]
+description = Detects activity when a member is added to a security-enabled global group
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID IN (4728, 632) | fields - _raw | collect index=notable_events source="A Member Was Added to a Security-Enabled Global Group" marker="guid=c43c26be-2e87-46c7-8661-284588c5a53e,tags=attack.persistence,tags=attack.t1098,"
+[Scanner PoC for CVE-2019-0708 RDP RCE Vuln]
+description = Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4625 TargetUserName="AAAAAAA" | fields - _raw | collect index=notable_events source="Scanner PoC for CVE-2019-0708 RDP RCE Vuln" marker="guid=8400629e-79a9-4737-b387-5db940ab2367,tags=attack.lateral-movement,tags=attack.t1210,tags=car.2013-07-002,"
+[Pass the Hash Activity 2]
+description = Detects the attack technique pass the hash which is used to move laterally inside the network
+search = index=evtx _index_earliest=-1h@h Channel="Security" (EventID=4624 SubjectUserSid="S-1-0-0" LogonType=3 LogonProcessName="NtLmSsp" KeyLength=0) OR (EventID=4624 LogonType=9 LogonProcessName="seclogo") NOT TargetUserName="ANONYMOUS LOGON" | fields - _raw | collect index=notable_events source="Pass the Hash Activity 2" marker="guid=8eef149c-bd26-49f2-9e5a-9b00e3af499b,tags=attack.lateral-movement,tags=attack.t1550.002,"
+[Successful Account Login Via WMI]
+description = Detects successful logon attempts
performed with WMI
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4624 ProcessName="*\\WmiPrvSE.exe" | fields - _raw | collect index=notable_events source="Successful Account Login Via WMI" marker="guid=5af54681-df95-4c26-854f-2565e13cfab0,tags=attack.execution,tags=attack.t1047,"
+[Remote WMI ActiveScriptEventConsumers]
+description = Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4624 LogonType=3 ProcessName="*scrcons.exe" NOT TargetLogonId="0x3e7" | fields - _raw | collect index=notable_events source="Remote WMI ActiveScriptEventConsumers" marker="guid=9599c180-e3a8-4743-8f92-7fb96d3be648,tags=attack.lateral-movement,tags=attack.privilege-escalation,tags=attack.persistence,tags=attack.t1546.003,"
+[DiagTrackEoP Default Login Username]
+description = Detects the default "UserName" used by the DiagTrackEoP POC
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4624 LogonType=9 TargetOutboundUserName="thisisnotvaliduser" | fields - _raw | collect index=notable_events source="DiagTrackEoP Default Login Username" marker="guid=2111118f-7e46-4fc8-974a-59fd8ec95196,tags=attack.privilege-escalation,"
+[Admin User Remote Logon]
+description = Detect remote login by Administrator user (depending on internal pattern).
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=4624 LogonType=10 AuthenticationPackageName="Negotiate" TargetUserName="Admin*" | fields - _raw | collect index=notable_events source="Admin User Remote Logon" marker="guid=0f63e1ef-1eb9-4226-9d54-8927ca08520a,tags=attack.lateral-movement,tags=attack.t1078.001,tags=attack.t1078.002,tags=attack.t1078.003,tags=car.2016-04-005,"
+[Windows Filtering Platform Blocked Connection From EDR Agent Binary]
+description = Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
+search = index=evtx _index_earliest=-1h@h Channel="Security" EventID=5157 Application IN ("*\\AmSvc.exe", "*\\cb.exe", "*\\CETASvc.exe", "*\\CNTAoSMgr.exe", "*\\CrAmTray.exe", "*\\CrsSvc.exe", "*\\CSFalconContainer.exe", "*\\CSFalconService.exe", "*\\CybereasonAV.exe", "*\\CylanceSvc.exe", "*\\cyserver.exe", "*\\CyveraService.exe", "*\\CyvrFsFlt.exe", "*\\EIConnector.exe", "*\\elastic-agent.exe", "*\\elastic-endpoint.exe", "*\\EndpointBasecamp.exe", "*\\ExecutionPreventionSvc.exe", "*\\filebeat.exe", "*\\fortiedr.exe", "*\\hmpalert.exe", "*\\hurukai.exe", "*\\LogProcessorService.exe", "*\\mcsagent.exe", "*\\mcsclient.exe", "*\\MsMpEng.exe", "*\\MsSense.exe", "*\\Ntrtscan.exe", "*\\PccNTMon.exe", "*\\QualysAgent.exe", "*\\RepMgr.exe", "*\\RepUtils.exe", "*\\RepUx.exe", "*\\RepWAV.exe", "*\\RepWSC.exe", "*\\sedservice.exe", "*\\SenseCncProxy.exe", "*\\SenseIR.exe", "*\\SenseNdr.exe", "*\\SenseSampleUploader.exe", "*\\SentinelAgent.exe", "*\\SentinelAgentWorker.exe", "*\\SentinelBrowserNativeHost.exe", "*\\SentinelHelperService.exe", "*\\SentinelServiceHost.exe", "*\\SentinelStaticEngine.exe", "*\\SentinelStaticEngineScanner.exe", "*\\sfc.exe", "*\\sophos ui.exe", "*\\sophosfilescanner.exe", "*\\sophosfs.exe", "*\\sophoshealth.exe",
"*\\sophosips.exe", "*\\sophosLivequeryservice.exe", "*\\sophosnetfilter.exe", "*\\sophosntpservice.exe", "*\\sophososquery.exe", "*\\sspservice.exe", "*\\TaniumClient.exe", "*\\TaniumCX.exe", "*\\TaniumDetectEngine.exe", "*\\TMBMSRV.exe", "*\\TmCCSF.exe", "*\\TmListen.exe", "*\\TmWSCSvc.exe", "*\\Traps.exe", "*\\winlogbeat.exe", "*\\WSCommunicator.exe", "*\\xagt.exe") | fields - _raw | collect index=notable_events source="Windows Filtering Platform Blocked Connection From EDR Agent Binary" marker="guid=bacf58c6-e199-4040-a94f-95dea0f1e45a,tags=attack.defense-evasion,tags=attack.t1562," +[WMI Persistence] +description = Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. +search = index=evtx _index_earliest=-1h@h (EventID=5861 "ActiveScriptEventConsumer" OR "CommandLineEventConsumer" OR "CommandLineTemplate") OR EventID=5859 NOT (Provider="SCM Event Provider" Query="select * from MSFT_SCMEventLogEvent" User="S-1-5-32-544" PossibleCause="Permanent") | fields - _raw | collect index=notable_events source="WMI Persistence" marker="guid=0b7889b4-5577-4521-a60a-3376ee7f9f7b,tags=attack.persistence,tags=attack.privilege-escalation,tags=attack.t1546.003," +[Suspicious Application Installed] +description = Detects suspicious application installed by looking at the added shortcut to the app resolver cache +search = index=evtx _index_earliest=-1h@h (EventID=28115 Name IN ("*Zenmap*", "*AnyDesk*", "*wireshark*", "*openvpn*")) OR (EventID=28115 AppID IN ("*zenmap.exe*", "*prokzult ad*", "*wireshark*", "*openvpn*")) | fields - _raw | collect index=notable_events source="Suspicious Application Installed" marker="guid=83c161b6-ca67-4f33-8ad0-644a0737cf07,tags=attack.execution," +[Suspicious Digital Signature Of AppX Package] +description = Detects execution of AppX packages with known suspicious or malicious signature +search = index=evtx _index_earliest=-1h@h EventID=157 subjectName="CN=Foresee Consulting Inc., O=Foresee Consulting 
Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization" | fields - _raw | collect index=notable_events source="Suspicious Digital Signature Of AppX Package" marker="guid=b5aa7d60-c17e-4538-97de-09029d6cd76b,tags=attack.defense-evasion,tags=attack.execution," +[DNS Server Error Failed Loading the ServerLevelPluginDLL] +description = Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded +search = index=evtx _index_earliest=-1h@h EventID IN (150, 770, 771) | fields - _raw | collect index=notable_events source="DNS Server Error Failed Loading the ServerLevelPluginDLL" marker="guid=cbe51394-cd93-4473-b555-edf0144952d9,tags=attack.defense-evasion,tags=attack.t1574.002," +[Failed DNS Zone Transfer] +description = Detects when a DNS zone transfer failed. +search = index=evtx _index_earliest=-1h@h EventID=6004 | fields - _raw | collect index=notable_events source="Failed DNS Zone Transfer" marker="guid=6d444368-6da1-43fe-b2fc-44202430480e,tags=attack.reconnaissance,tags=attack.t1590.002," +[NTLM Brute Force] +description = Detects common NTLM brute force device names +search = index=evtx _index_earliest=-1h@h EventID=8004 WorkstationName IN ("Rdesktop", "Remmina", "Freerdp", "Windows7", "Windows8", "Windows2012", "Windows2016", "Windows2019") | fields - _raw | collect index=notable_events source="NTLM Brute Force" marker="guid=9c8acf1a-cbf9-4db6-b63c-74baabe03e59,tags=attack.credential-access,tags=attack.t1110," +[NTLM Logon] +description = Detects logons using NTLM, which could be caused by a legacy source or attackers +search = index=evtx _index_earliest=-1h@h EventID=8002 | fields - _raw | collect index=notable_events source="NTLM Logon" marker="guid=98c3bcf1-56f2-49dc-9d8d-c66cf190238b,tags=attack.lateral-movement,tags=attack.t1550.002," +[Potential Remote Desktop Connection to Non-Domain Host] +description = Detects logons using NTLM to hosts that are 
potentially not part of the domain. +search = index=evtx _index_earliest=-1h@h EventID=8001 TargetName="TERMSRV*" | table Computer,UserName,DomainName,TargetName | fields - _raw | collect index=notable_events source="Potential Remote Desktop Connection to Non-Domain Host" marker="guid=ce5678bb-b9aa-4fb5-be4b-e57f686256ad,tags=attack.command-and-control,tags=attack.t1219," +[Standard User In High Privileged Group] +description = Detect standard users login that are part of high privileged groups such as the Administrator group +search = index=evtx _index_earliest=-1h@h EventID=300 TargetUserSid="S-1-5-21-*" SidList IN ("*S-1-5-32-544*", "*-500}*", "*-518}*", "*-519}*") NOT (TargetUserSid IN ("*-500", "*-518", "*-519")) | fields - _raw | collect index=notable_events source="Standard User In High Privileged Group" marker="guid=7ac407cc-0f48-4328-aede-de1d2e6fef41,tags=attack.credential-access,tags=attack.privilege-escalation," +[Unsigned Binary Loaded From Suspicious Location] +description = Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations +search = index=evtx _index_earliest=-1h@h EventID IN (11, 12) ImageName IN ("*\\Users\\Public\\*", "*\\PerfLogs\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\AppData\\Local\\Temp\\*", "*C:\\Windows\\TEMP\\*") | fields - _raw | collect index=notable_events source="Unsigned Binary Loaded From Suspicious Location" marker="guid=8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10,tags=attack.defense-evasion,tags=attack.t1574.002," +[Microsoft Defender Blocked from Loading Unsigned DLL] +description = Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL +search = index=evtx _index_earliest=-1h@h EventID IN (11, 12) ProcessPath IN ("*\\MpCmdRun.exe", "*\\NisSrv.exe") | fields - _raw | collect index=notable_events source="Microsoft Defender Blocked from Loading Unsigned 
DLL" marker="guid=0b0ea3cc-99c8-4730-9c53-45deee2a4c86,tags=attack.defense-evasion,tags=attack.t1574.002," +[Certificate Request Export to Exchange Webserver] +description = Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell +search = index=evtx _index_earliest=-1h@h "New-ExchangeCertificate" " -GenerateRequest" " -BinaryEncoded" " -RequestFile" "\\\\localhost\\C$" OR "\\\\127.0.0.1\\C$" OR "C:\\inetpub" OR ".aspx" | fields - _raw | collect index=notable_events source="Certificate Request Export to Exchange Webserver" marker="guid=b7bc7038-638b-4ffd-880c-292c692209ef,tags=attack.persistence,tags=attack.t1505.003," +[Exchange Set OabVirtualDirectory ExternalUrl Property] +description = Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log +search = index=evtx _index_earliest=-1h@h "Set-OabVirtualDirectory" "ExternalUrl" "Page_Load" "script" | fields - _raw | collect index=notable_events source="Exchange Set OabVirtualDirectory ExternalUrl Property" marker="guid=9db37458-4df2-46a5-95ab-307e7f29e675,tags=attack.persistence,tags=attack.t1505.003," +[ProxyLogon MSExchange OabVirtualDirectory] +description = Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory +search = index=evtx _index_earliest=-1h@h "OabVirtualDirectory" " -ExternalUrl " "eval(request" OR "http://f/