Tool
EDR / XDR
VMware Carbon Black
3,646 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,646
high
Moderate
High FP
MERCURY APT Activity
Detects suspicious command line patterns seen being used by MERCURY APT
view Sigma YAML
title: MERCURY APT Activity
id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
status: test
description: Detects suspicious command line patterns seen being used by MERCURY APT
references:
- https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
author: Florian Roth (Nextron Systems)
date: 2022-08-26
modified: 2023-03-10
tags:
- attack.execution
- attack.t1059.001
- attack.g0069
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '-exec bypass -w 1 -enc'
- 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA' # Start-Job -ScriptBlock
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
MMC Executing Files with Reversed Extensions Using RTLO Abuse
Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
view Sigma YAML
title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
status: experimental
description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
references:
- https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
- https://en.wikipedia.org/wiki/Right-to-left_override
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.execution
- attack.stealth
- attack.t1204.002
- attack.t1218.014
- attack.t1036.002
logsource:
category: process_creation
product: windows
detection:
selection_image:
- Image|endswith: '\mmc.exe'
- OriginalFileName: 'MMC.exe'
selection_commandline:
CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file
- 'cod.msc' # Reversed `.doc`
- 'fdp.msc' # Reversed `.pdf`
- 'ftr.msc' # Reversed `.rtf`
- 'lmth.msc' # Reversed `.html`
- 'slx.msc' # Reversed `.xls`
- 'tdo.msc' # Reversed `.odt`
- 'xcod.msc' # Reversed `.docx`
- 'xslx.msc' # Reversed `.xlsx`
- 'xtpp.msc' # Reversed `.pptx`
condition: all of selection_*
falsepositives:
- Legitimate administrative actions using MMC to execute misnamed `.msc` files.
- Unconventional but non-malicious usage of RLO or reversed extensions.
level: high
Convert to SIEM query
high
Moderate
High FP
MMC Spawning Windows Shell
Detects a Windows command line executable started from MMC
view Sigma YAML
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
- attack.lateral-movement
- attack.t1021.003
logsource:
category: process_creation
product: windows
detection:
selection1:
ParentImage|endswith: '\mmc.exe'
selection2:
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\reg.exe'
- '\regsvr32.exe'
- Image|contains: '\BITSADMIN'
condition: all of selection*
level: high
Convert to SIEM query
high
Moderate
High FP
MMC20 Lateral Movement
Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
view Sigma YAML
title: MMC20 Lateral Movement
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
status: test
description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
references:
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
date: 2020-03-04
modified: 2021-11-27
tags:
- attack.execution
- attack.lateral-movement
- attack.t1021.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\svchost.exe'
Image|endswith: '\mmc.exe'
CommandLine|contains: '-Embedding'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
view Sigma YAML
title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
status: test
description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
references:
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
- https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-03
modified: 2023-07-28
tags:
- attack.persistence
- attack.t1505.003
- cve.2023-34362
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
cs-uri-stem|contains:
- '/human2.aspx'
- '/_human2.aspx'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
MSDT Execution Via Answer File
Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
view Sigma YAML
title: MSDT Execution Via Answer File
id: 9c8c7000-3065-44a8-a555-79bcba5d9955
status: test
description: |
Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
modified: 2025-10-29
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\msdt.exe'
CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
CommandLine|contains|windash: ' -af '
filter_main_pcwrun:
ParentImage|endswith: '\pcwrun.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Possible undocumented parents of "msdt" other than "pcwrun".
level: high
Convert to SIEM query
high
Strong
High FP
MSHTA Execution with Suspicious File Extensions
Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
view Sigma YAML
title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
- https://twitter.com/mattifestation/status/1326228491302563846
- https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
- attack.stealth
- attack.t1140
- attack.t1218.005
- attack.execution
- attack.t1059.007
- cve.2020-1599
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mshta.exe'
- OriginalFileName: 'mshta.exe'
selection_cli:
CommandLine|contains:
- '.7z'
- '.avi'
- '.bat'
- '.bmp'
- '.conf'
- '.csv'
- '.dll'
- '.doc'
- '.gif'
- '.gz'
- '.ini'
- '.jpe'
- '.jpg'
- '.json'
- '.lnk'
- '.log'
- '.mkv'
- '.mp3'
- '.mp4'
- '.pdf'
- '.png'
- '.ppt'
- '.rar'
- '.rtf'
- '.svg'
- '.tar'
- '.tmp'
- '.txt'
- '.xls'
- '.xml'
- '.yaml'
- '.yml'
- '.zip'
- 'vbscript'
# - '.chm' # could be prone to false positives
# - '.exe'
condition: all of selection_*
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
Convert to SIEM query
high
Moderate
Low FP
MSMQ Corrupted Packet Encountered
Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
view Sigma YAML
title: MSMQ Corrupted Packet Encountered
id: ae94b10d-fee9-4767-82bb-439b309d5a27
status: test
description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
references:
- https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-21
tags:
- attack.execution
- detection.emerging-threats
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'MSMQ'
EventID: 2027
Level: 2
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
MSSQL Add Account To Sysadmin Role
Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
view Sigma YAML
title: MSSQL Add Account To Sysadmin Role
id: 08200f85-2678-463e-9c32-88dce2f073d1
status: test
description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-13
modified: 2024-06-26
tags:
- attack.persistence
logsource:
product: windows
service: application
definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 33205
Data|contains|all:
- 'object_name:sysadmin'
- 'statement:alter server role [sysadmin] add member '
condition: selection
falsepositives:
- Rare legitimate administrative activity
level: high
Convert to SIEM query
high
Strong
Medium FP
MSSQL Disable Audit Settings
Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
view Sigma YAML
title: MSSQL Disable Audit Settings
id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
status: test
description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-13
modified: 2024-06-26
tags:
- attack.defense-impairment
logsource:
product: windows
service: application
definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 33205
Data|contains:
- 'statement:ALTER SERVER AUDIT'
- 'statement:DROP SERVER AUDIT'
condition: selection
falsepositives:
- This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up
level: high
Convert to SIEM query
high
Strong
Medium FP
MSSQL Extended Stored Procedure Backdoor Maggie
This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
view Sigma YAML
title: MSSQL Extended Stored Procedure Backdoor Maggie
id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
status: test
description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
references:
- https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
author: Denis Szadkowski, DIRT / DCSO CyTec
date: 2022-10-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546
- detection.emerging-threats
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'MSSQLSERVER'
EventID: 8128
Message|contains: 'maggie'
condition: selection
falsepositives:
- Legitimate extended stored procedures named maggie
level: high
Convert to SIEM query
high
Strong
Medium FP
MSSQL SPProcoption Set
Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started
view Sigma YAML
title: MSSQL SPProcoption Set
id: b3d57a5c-c92e-4b48-9a79-5f124b7cf964
status: test
description: Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-13
modified: 2024-06-26
tags:
- attack.persistence
logsource:
product: windows
service: application
definition: 'Requirements: MSSQL audit policy to monitor for "sp_procoption" must be enabled in order to receive this event in the application log'
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 33205
Data|contains|all:
- 'object_name:sp_procoption'
- 'statement:EXEC'
condition: selection
falsepositives:
- Legitimate use of the feature by administrators (rare)
level: high
Convert to SIEM query
high
Strong
Medium FP
MSSQL XPCmdshell Option Change
Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
view Sigma YAML
title: MSSQL XPCmdshell Option Change
id: d08dd86f-681e-4a00-a92c-1db218754417
status: test
description: |
Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-06-26
tags:
- attack.execution
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 15457
Data|contains: 'xp_cmdshell'
condition: selection
falsepositives:
- Legitimate enable/disable of the setting
- Note that since the event contain the change for both values. This means that this will trigger on both enable and disable
level: high
Convert to SIEM query
high
Moderate
Medium FP
MSSQL XPCmdshell Suspicious Execution
Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
view Sigma YAML
title: MSSQL XPCmdshell Suspicious Execution
id: 7f103213-a04e-4d59-8261-213dddf22314
status: test
description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-06-26
tags:
- attack.execution
logsource:
product: windows
service: application
definition: 'Requirements: MSSQL audit policy to monitor for "xp_cmdshell" must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)'
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 33205
Data|contains|all:
# You can modify this to include specific commands
- 'object_name:xp_cmdshell'
- 'statement:EXEC'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Macro Enabled In A Potentially Suspicious Document
Detects registry changes to Office trust records where the path is located in a potentially suspicious location
view Sigma YAML
title: Macro Enabled In A Potentially Suspicious Document
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
related:
- id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
type: derived
status: test
description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
references:
- https://twitter.com/inversecos/status/1494174785621819397
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_value:
TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
selection_paths:
TargetObject|contains:
# Note: add more locations where you don't expect a user to executed macro enabled docs
- '/AppData/Local/Microsoft/Windows/INetCache/'
- '/AppData/Local/Temp/'
- '/PerfLogs/'
- 'C:/Users/Public/'
- 'file:///D:/'
- 'file:///E:/'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Malicious Base64 Encoded PowerShell Keywords in Command Lines
Detects base64 encoded strings used in hidden malicious PowerShell command lines
view Sigma YAML
title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
status: test
description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
references:
- http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
author: John Lambert (rule)
date: 2019-01-16
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_hidden:
CommandLine|contains: ' hidden '
selection_encoded:
CommandLine|contains:
- 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
- 'aXRzYWRtaW4gL3RyYW5zZmVy'
- 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
- 'JpdHNhZG1pbiAvdHJhbnNmZX'
- 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
- 'Yml0c2FkbWluIC90cmFuc2Zlc'
- 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
- 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
- 'JGNodW5rX3Npem'
- 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
- 'RjaHVua19zaXpl'
- 'Y2h1bmtfc2l6Z'
- 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
- 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
- 'lPLkNvbXByZXNzaW9u'
- 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
- 'SU8uQ29tcHJlc3Npb2'
- 'Ty5Db21wcmVzc2lvb'
- 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
- 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
- 'lPLk1lbW9yeVN0cmVhb'
- 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
- 'SU8uTWVtb3J5U3RyZWFt'
- 'Ty5NZW1vcnlTdHJlYW'
- '4ARwBlAHQAQwBoAHUAbgBrA'
- '5HZXRDaHVua'
- 'AEcAZQB0AEMAaAB1AG4Aaw'
- 'LgBHAGUAdABDAGgAdQBuAGsA'
- 'LkdldENodW5r'
- 'R2V0Q2h1bm'
- 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
- 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
- 'RIUkVBRF9JTkZPNj'
- 'SFJFQURfSU5GTzY0'
- 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
- 'VEhSRUFEX0lORk82N'
- 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
- 'cmVhdGVSZW1vdGVUaHJlYW'
- 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
- 'NyZWF0ZVJlbW90ZVRocmVhZ'
- 'Q3JlYXRlUmVtb3RlVGhyZWFk'
- 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
- '0AZQBtAG0AbwB2AGUA'
- '1lbW1vdm'
- 'AGUAbQBtAG8AdgBlA'
- 'bQBlAG0AbQBvAHYAZQ'
- 'bWVtbW92Z'
- 'ZW1tb3Zl'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
view Sigma YAML
title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
references:
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022-08-12
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains|all:
- 'iphlpapi.dll'
- '\AppData\Local\Microsoft'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Malicious Driver Load
Detects loading of known malicious drivers via their hash.
view Sigma YAML
title: Malicious Driver Load
id: 05296024-fe8a-4baf-8f3d-9a5f5624ceb2
status: test
description: Detects loading of known malicious drivers via their hash.
references:
- https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-18
modified: 2023-12-02
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
- attack.t1068
logsource:
product: windows
category: driver_load
detection:
selection:
Hashes|contains:
- 'MD5=5be61a24f50eb4c94d98b8a82ef58dcf'
- 'MD5=d70a80fc73dd43469934a7b1cc623c76'
- 'MD5=3b71eab204a5f7ed77811e41fed73105'
- 'MD5=528ce5ce19eb34f401ef024de7ddf222'
- 'MD5=ae548418b491cd3f31618eb9e5730973'
- 'MD5=72f53f55898548767e0276c472be41e8'
- 'MD5=508faa4647f305a97ed7167abc4d1330'
- 'MD5=ed2b653d55c03f0bffa250372d682b75'
- 'MD5=0d2ba47286f1c68e87622b3a16bf9d92'
- 'MD5=3164bd6c12dd0fe1bdf3b833d56323b9'
- 'MD5=70fd7209ce5c013a1f9e699b5cc86cdc'
- 'MD5=c71be7b112059d2dc84c0f952e04e6cc'
- 'MD5=acac842a46f3501fe407b1db1b247a0b'
- 'MD5=01c2e4d8234258451083d6ce4e8910b7'
- 'MD5=c8541a9cef64589593e999968a0385b9'
- 'MD5=e172a38ade3aa0a2bc1bf9604a54a3b5'
- 'MD5=6fcf56f6ca3210ec397e55f727353c4a'
- 'MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16'
- 'MD5=07056573d464b0f5284f7e3acedd4a3f'
- 'MD5=c7b7f1edb9bbef174e6506885561d85d'
- 'MD5=d5918d735a23f746f0e83f724c4f26e5'
- 'MD5=84763d8ca9fe5c3bff9667b2adf667de'
- 'MD5=fb593b1f1f80d20fc7f4b818065c64b6'
- 'MD5=909f3fc221acbe999483c87d9ead024a'
- 'MD5=e29f6311ae87542b3d693c1f38e4e3ad'
- 'MD5=aeb0801f22d71c7494e884d914446751'
- 'MD5=3f11a94f1ac5efdd19767c6976da9ba4'
- 'MD5=be6318413160e589080df02bb3ca6e6a'
- 'MD5=0b311af53d2f4f77d30f1aed709db257'
- 'MD5=d075d56dfce6b9b13484152b1ef40f93'
- 'MD5=27384ec4c634701012a2962c30badad2'
- 'MD5=5eb2c576597dd21a6b44557c237cf896'
- 'MD5=f56db4eba3829c0918413b5c0b42f00f'
- 'MD5=e27b2486aa5c256b662812b465b6036c'
- 'MD5=db86dfd7aefbb5be6728a63461b0f5f3'
- 'MD5=04a88f5974caa621cee18f34300fc08a'
- 'MD5=5129d8fd53d6a4aba81657ab2aa5d243'
- 'MD5=cd2c641788d5d125c316ed739c69bb59'
- 'MD5=7073cd0085fcba1cd7d3568f9e6d652c'
- 'MD5=24f0f2b4b3cdae11de1b81c537df41c7'
- 'MD5=88bea56ae9257b40063785cf47546024'
- 'MD5=63060b756377fce2ce4ab9d079ca732f'
- 'MD5=50b39072d0ee9af5ef4824eca34be6e3'
- 'MD5=57c18a8f5d1ba6d015e4d5bc698e3624'
- 'MD5=7d26985a5048bad57d9c223362f3d55c'
- 'MD5=ba54a0dbe2685e66e21d41b4529b3528'
- 'MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11'
- 'MD5=b52f51bbe6b49d0b475d943c29c4d4cb'
- 'MD5=a837302307dace2a00d07202b661bce2'
- 'MD5=78a122d926ccc371d60c861600c310f3'
- 'MD5=bdb305aa0806f8b38b7ce43c927fe919'
- 'MD5=27053e964667318e1b370150cbca9138'
- 'MD5=6a4fbcfb44717eae2145c761c1c99b6a'
- 'MD5=d13c1b76b4a1ca3ff5ab63678b51df6d'
- 'MD5=6a066d2be83cf83f343d0550b0b8f206'
- 'MD5=7108b0d4021af4c41de2c223319cd4c1'
- 'MD5=1cd158a64f3d886357535382a6fdad75'
- 'MD5=e939448b28a4edc81f1f974cebf6e7d2'
- 'MD5=4198d3db44d7c4b3ba9072d258a4fc2d'
- 'MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20'
- 'MD5=30ca3cc19f001a8f12c619daa8c6b6e3'
- 'MD5=fe9004353b25640f6a879e57f07122d7'
- 'MD5=06c7fcf3523235cf52b3eee083ec07b2'
- 'MD5=364605ad21b9275681cffef607fac273'
- 'MD5=968ddb06af90ef83c5f20fbdd4eee62e'
- 'MD5=ba50bd645d7c81416bb26a9d39998296'
- 'MD5=29e03f4811b64969e48a99300978f58c'
- 'MD5=b0770094c3c64250167b55e4db850c04'
- 'MD5=40b968ecdbe9e967d92c5da51c390eee'
- 'MD5=b6b530dd25c5eb66499968ec82e8791e'
- 'MD5=f209cb0e468ca0b76d879859d5c8c54e'
- 'MD5=76f8607fc4fb9e828d613a7214436b66'
- 'MD5=4b058945c9f2b8d8ebc485add1101ba5'
- 'MD5=faae7f5f69fde12303dd1c0c816b72b7'
- 'MD5=89d294ef7fefcdf1a6ca0ab96a856f57'
- 'MD5=ef0e1725aaf0c6c972593f860531a2ea'
- 'MD5=bbdbffebfc753b11897de2da7c9912a5'
- 'MD5=5ebfc0af031130ba9de1d5d3275734b3'
- 'MD5=22949977ce5cd96ba674b403a9c81285'
- 'MD5=77cfd3943cc34d9f5279c330cd8940bc'
- 'MD5=311de109df18e485d4a626b5dbe19bc6'
- 'MD5=2730cc25ad385acc7213a1261b21c12d'
- 'MD5=87dc81ebe85f20c1a7970e495a778e60'
- 'MD5=154b45f072fe844676e6970612fd39c7'
- 'MD5=5a4fe297c7d42539303137b6d75b150d'
- 'MD5=d6a1dd7b2c06f058b408b3613c13d413'
- 'MD5=a6e9d6505f6d2326a8a9214667c61c67'
- 'MD5=7fad9f2ef803496f482ce4728578a57a'
- 'MD5=5076fba3d90e346fd17f78db0a4aa12c'
- 'MD5=79df0eabbf2895e4e2dae15a4772868c'
- 'MD5=14580bd59c55185115fd3abe73b016a2'
- 'MD5=1f2888e57fdd6aee466962c25ba7d62d'
- 'MD5=5e9231e85cecfc6141e3644fda12a734'
- 'MD5=dc564bac7258e16627b9de0ce39fae25'
- 'MD5=4e4c068c06331130334f23957fca9e3c'
- 'MD5=1ee9f6326649cd23381eb9d7dfdeddf7'
- 'MD5=4e1f656001af3677856f664e96282a6f'
- 'MD5=36f44643178c505ea0384e0fb241e904'
- 'MD5=6b480fac7caca2f85be9a0cfe79aedfc'
- 'MD5=c1ab425977d467b64f437a6c5ad82b44'
- 'MD5=fe508caa54ffeb2285d9f00df547fe4a'
- 'MD5=d3af70287de8757cebc6f8d45bb21a20'
- 'MD5=990b949894b7dc82a8cf1131b063cb1a'
- 'MD5=c62209b8a5daf3f32ad876ad6cefda1b'
- 'MD5=c159fb0f345a8771e56aab8e16927361'
- 'MD5=19b15eeccab0752c6793f782ca665a45'
- 'MD5=1d51029dfbd616bf121b40a0d1efeb10'
- 'MD5=157a22689629ec876337f5f9409918d5'
- 'MD5=3dd829fb27353622eff34be1eabb8f18'
- 'MD5=8636fe3724f2bcba9399daffd6ef3c7e'
- 'MD5=3d0b3e19262099ade884b75ba86ca7e8'
- 'MD5=97539c78d6e2b5356ce79e40bcd4d570'
- 'MD5=0308b6888e0f197db6704ca20203eee4'
- 'MD5=091a6bd4880048514c5dd3bede15eba5'
- 'MD5=7e92f98b809430622b04e88441b2eb04'
- 'MD5=bb5bda8889d8d27ef984dbd6ad82c946'
- 'MD5=b76aee508f68b5b6dccd6e1f66f4cf8b'
- 'MD5=a822b9e6eedf69211013e192967bf523'
- 'MD5=df52f8a85eb64bc69039243d9680d8e4'
- 'MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a'
- 'MD5=44857ca402a15ab51dc5afe47abdfa44'
- 'MD5=f9844524fb0009e5b784c21c7bad4220'
- 'MD5=d34b218c386bfe8b1f9c941e374418d7'
- 'MD5=0ca010a32a9b0aeae1e46d666b83b659'
- 'MD5=93496a436c5546156a69deb255a9fed0'
- 'MD5=1cd5e231064e03c596e819b6ff48daf9'
- 'MD5=70a71fe86df717ac59dbf856d7ac5789'
- 'MD5=a33089d4e50f7d2ea8b52ca95d26ebf3'
- 'MD5=e0cc9b415d884f85c45be145872892b8'
- 'MD5=a42249a046182aaaf3a7a7db98bfa69d'
- 'MD5=c5ae6ca044bd03c3506c132b033be1dc'
- 'MD5=7ebe606acd81abf1f8cb0767c974164b'
- 'MD5=b5dcc869a91efcc6e8ea0c3c07605d63'
- 'MD5=62c18d61ed324088f963510bae43b831'
- 'MD5=093a2a635c3a27aac50efd6463f4efa1'
- 'MD5=28102acca39ad0199f262ba9958be3f4'
- 'MD5=650ef9dd70cb192027e536754d6e0f63'
- 'MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44'
- 'MD5=6771b13a53b9c7449d4891e427735ea2'
- 'MD5=072ba2309b825ce1dba37d8d924ea8ed'
- 'MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb'
- 'MD5=1325ec39e98225e487b40043faee8052'
- 'MD5=4484f4007de2c3ee4581a2cff77ca3b4'
- 'MD5=a236e7d654cd932b7d11cb604629a2d0'
- 'MD5=17509f0a98dc5c5d52c3f9ac1428a21b'
- 'MD5=840a5edf2534dd23a082cf7b28cbfc4d'
- 'MD5=77a7ed4798d02ef6636cd0fd07fc382a'
- 'MD5=a9df5964635ef8bd567ae487c3d214c4'
- 'MD5=8b75047199825c8e62fdcc1c915db8bd'
- 'MD5=d416494232c4197cb36a914df2e17677'
- 'MD5=4cf14a96485a1270fed97bb8000e4f86'
- 'MD5=35e512f9bedc89dca5ce81f35820714c'
- 'MD5=40f35792e7565aa047796758a3ce1b77'
- 'MD5=f7f31bccc9b7b2964ac85106831022b1'
- 'MD5=26aedc10d4215ba997495d3a68355f4a'
- 'MD5=10f3679384a03cb487bda9621ceb5f90'
- 'MD5=80219fb6b5954c33e16bac5ecdac651b'
- 'MD5=cee36b5c6362993fa921435979bfbe4a'
- 'MD5=e37a08f516b8a7ca64163f5d9e68fe5a'
- 'MD5=49518f7375a5f995ebe9423d8f19cfe4'
- 'MD5=920df6e42cf91bbe19707f5a86e3c5c5'
- 'MD5=2ec877e425bd7eddb663627216e3491e'
- 'MD5=550b7991d93534bc510bc4f237155a7a'
- 'MD5=98d53f6b3bec0a3417a04fbb9e17fa06'
- 'MD5=13a57a4ef721440c7c9208b51f7c05de'
- 'MD5=c5fc3605194e033bdf3781ff2adaeb61'
- 'MD5=6e625ec04c20a9dbd48c7060efbf5e92'
- 'MD5=0b9b78d1281c7d4ab50497cf6ea7452a'
- 'MD5=4e906fcb13e2793c98f47291fd69391b'
- 'MD5=2bb353891d65c9e267eb98a3a2b694c3'
- 'MD5=7d86cdda7f49f91fdb69901a002b34e7'
- 'MD5=f69b06ca7c34d16f26ea1c6861edf62a'
- 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'
- 'MD5=1fc7aeeff3ab19004d2e53eae8160ab1'
- 'MD5=24d3ea54f25e32832ac20335a1ce1062'
- 'MD5=c94f405c5929cfcccc8ad00b42c95083'
- 'MD5=b164daf106566f444dfb280d743bc2f7'
- 'MD5=93130909e562925597110a617f05e2a9'
- 'MD5=f589d4bf547c140b6ec8a511ea47c658'
- 'MD5=bf445ac375977ecf551bc2a912c58e8a'
- 'MD5=629ee55e4b5a225d048fbcd5f0a1d18b'
- 'MD5=0023ca0ca16a62d93ef51f3df98b2f94'
- 'MD5=a3d69c7e24300389b56782aa63b0e357'
- 'MD5=cbd8d370462503508e44dba023bdf9bc'
- 'MD5=67daa04716803a15fc11c9e353d77c2f'
- 'MD5=c9d4214c850e0cedf033dc8f0cd3aace'
- 'MD5=bd5b0514f3b40f139d8079138d01b5f6'
- 'MD5=19bdd9b799e3c2c54c0d7fff68b31c20'
- 'MD5=f242cffd9926c0ccf94af3bf16b6e527'
- 'MD5=5aeab9427d85951def146b4c0a44fc63'
- 'MD5=40170485cca576adb5266cf5b0d3b0bd'
- 'MD5=c277c4386a78fae1b7e17eaecf4f472b'
- 'MD5=58c37866cbc3d1338e4fc58ada924ffe'
- 'MD5=0f16a43f7989034641fd2de3eb268bf1'
- 'MD5=0ae30291c6cbfa7be39320badd6e8de0'
- 'MD5=05dd59bd4f175304480affd8f1305c37'
- 'MD5=f838f4eb36f1e7036238776c7a70f0b0'
- 'MD5=85093bb9f027027c2c61aee50796de30'
- 'MD5=ae338d91d1b05a72559b7f6ed717362d'
- 'MD5=bd91787b5dcb2189b856804e85dfa1d9'
- 'MD5=6b3c1511e12f4d27a4ea3b18020d7b84'
- 'MD5=97264fd62d4907bdac917917a07b3b7a'
- 'MD5=6ececf26ff8b03ed7ffbddadec9a9dab'
- 'MD5=47e6ac52431ca47da17248d80bf71389'
- 'MD5=eb57f03b7603f0b235af62e8cd5be8c2'
- 'MD5=e1a9aa4c14669b1fb1f67a7266f87e82'
- 'MD5=29047f0b7790e524b09a06852d31a117'
- 'MD5=4dd6250eb2d368f500949952eb013964'
- 'MD5=fb7c61ef427f9b2fdff3574ee6b1819b'
- 'MD5=844af8c877f5da723c1b82cf6e213fc1'
- 'MD5=e39152eadd76751b1d7485231b280948'
- 'MD5=ac6e29f535b2c42999c50d2fc32f2c9c'
- 'MD5=2406ea37152d2154be3fef6d69ada2c6'
- 'MD5=0ea8389589c603a8b05146bd06020597'
- 'MD5=754e21482baf18b8b0ed0f4be462ba03'
- 'MD5=c4a517a02ba9f6eac5cf06e3629cc076'
- 'MD5=32282e07db321e8d7849f2287bb6a14f'
- 'MD5=32b67a6cd6dd998b9f563ed13d54a8bc'
- 'MD5=3359e1d4244a7d724949c63e89689ef8'
- 'MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0'
- 'MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6'
- 'MD5=a90236e4962620949b720f647a91f101'
- 'MD5=ccde8c94439f9fc9c42761e4b9a23d97'
- 'MD5=68caf620ef8deaf06819cf8c80d3367b'
- 'MD5=5fec28e8f4f76e5ede24beb32a32b9d7'
- 'MD5=e8eac6642b882a6196555539149c73f2'
- 'MD5=aa98b95f5cbae8260122de06a215ee10'
- 'MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80'
- 'MD5=abc168fdca7169bf9dc40cec9761018d'
- 'MD5=7f9309f5e4defec132b622fadbcad511'
- 'MD5=4748696211bd56c2d93c21cab91e82a5'
- 'MD5=48394dce30bb8da5ae089cb8f41b86dc'
- 'MD5=65f800e1112864bf41eb815649f428d5'
- 'MD5=bd25be845c151370ff177509d95d5add'
- 'MD5=a37ed7663073319d02f2513575a22995'
- 'MD5=2c39f6172fbc967844cac12d7ab2fa55'
- 'MD5=491aec2249ad8e2020f9f9b559ab68a8'
- 'MD5=1e0eb80347e723fa31fce2abb0301d44'
- 'MD5=a26363e7b02b13f2b8d697abb90cd5c3'
- 'MD5=4118b86e490aed091b1a219dba45f332'
- 'MD5=6d131a7462e568213b44ef69156f10a5'
- 'MD5=10c2ea775c9e76e7774ab89e38f38287'
- 'SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79'
- 'SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23'
- 'SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe'
- 'SHA1=af42afda54d150810a60baa7987f9f09d49d1317'
- 'SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7'
- 'SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462'
- 'SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7'
- 'SHA1=e730eb971ecb493b69de2308b6412836303f733a'
- 'SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca'
- 'SHA1=5fef884a901e81ac173d63ade3f5c51694decf74'
- 'SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc'
- 'SHA1=6451522b1fb428e549976d0742df5034f8124b17'
- 'SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a'
- 'SHA1=cc65bf60600b64feece5575f21ab89e03a728332'
- 'SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166'
- 'SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a'
- 'SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3'
- 'SHA1=c42178977bd7bbefe084da0129ed808cb7266204'
- 'SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333'
- 'SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee'
- 'SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837'
- 'SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf'
- 'SHA1=7638c048af5beae44352764390deea597cc3e7b1'
- 'SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5'
- 'SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2'
- 'SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87'
- 'SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
- 'SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
- 'SHA1=505546d82aab56889a923004654b9afdec54efe6'
- 'SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a'
- 'SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383'
- 'SHA1=844d7bcd1a928d340255ff42971cca6244a459bf'
- 'SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f'
- 'SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684'
- 'SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e'
- 'SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84'
- 'SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285'
- 'SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6'
- 'SHA1=607387cc90b93d58d6c9a432340261fde846b1d9'
- 'SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07'
- 'SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6'
- 'SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6'
- 'SHA1=b8b123a413b7bccfa8433deba4f88669c969b543'
- 'SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509'
- 'SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22'
- 'SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d'
- 'SHA1=a111dc6ae5575977feba71ee69b790e056846a02'
- 'SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3'
- 'SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2'
- 'SHA1=0de86ec7d7f16a3680df89256548301eed970393'
- 'SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2'
- 'SHA1=0883a9c54e8442a551994989db6fc694f1086d41'
- 'SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16'
- 'SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10'
- 'SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09'
- 'SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c'
- 'SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39'
- 'SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c'
- 'SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f'
- 'SHA1=994dc79255aeb662a672a1814280de73d405617a'
- 'SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1'
- 'SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5'
- 'SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b'
- 'SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61'
- 'SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9'
- 'SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7'
- 'SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b'
- 'SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd'
- 'SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2'
- 'SHA1=17fa047c1f979b180644906fe9265f21af5b0509'
- 'SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3'
- 'SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a'
- 'SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048'
- 'SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f'
- 'SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b'
- 'SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527'
- 'SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130'
- 'SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d'
- 'SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1'
- 'SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
- 'SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08'
- 'SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec'
- 'SHA1=73bac306292b4e9107147db94d0d836fdb071e33'
- 'SHA1=9382981b05b1fb950245313992444bfa0db5f881'
- 'SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3'
- 'SHA1=9c36600c2640007d3410dea8017573a113374873'
- 'SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb'
- 'SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7'
- 'SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab'
- 'SHA1=cb25a5125fb353496b59b910263209f273f3552d'
- 'SHA1=a5f1b56615bdaabf803219613f43671233f2001c'
- 'SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38'
- 'SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7'
- 'SHA1=632c80a3c95cf589b03812539dea59594eaefae0'
- 'SHA1=e6966e360038be3b9d8c9b2582eba4e263796084'
- 'SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab'
- 'SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51'
- 'SHA1=80e4808a7fe752cac444676dbbee174367fa2083'
- 'SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0'
- 'SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2'
- 'SHA1=3825ebb0b0664b5f0789371240f65231693be37d'
- 'SHA1=de9469a5d01fb84afd41d176f363a66e410d46da'
- 'SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b'
- 'SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff'
- 'SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5'
- 'SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358'
- 'SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405'
- 'SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8'
- 'SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2'
- 'SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed'
- 'SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe'
- 'SHA1=9481cd590c69544c197b4ee055056302978a7191'
- 'SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da'
- 'SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b'
- 'SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5'
- 'SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4'
- 'SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25'
- 'SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc'
- 'SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457'
- 'SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d'
- 'SHA1=f6793243ad20359d8be40d3accac168a15a327fb'
- 'SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1'
- 'SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8'
- 'SHA1=10115219e3595b93204c70eec6db3e68a93f3144'
- 'SHA1=161bae224cf184ed6c09c77fae866d42412c6d25'
- 'SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82'
- 'SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d'
- 'SHA1=745335bcdf02fb42df7d890a24858e16094f48fd'
- 'SHA1=2a202830db58d5e942e4f6609228b14095ed2cab'
- 'SHA1=0167259abd9231c29bec32e6106ca93a13999f90'
- 'SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167'
- 'SHA1=613a9df389ad612a5187632d679da11d60f6046a'
- 'SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514'
- 'SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86'
- 'SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d'
- 'SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb'
- 'SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812'
- 'SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528'
- 'SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3'
- 'SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d'
- 'SHA1=552730553a1dea0290710465fb8189bdd0eaad42'
- 'SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35'
- 'SHA1=07f282db28771838d0e75d6618f70d76acfe6082'
- 'SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e'
- 'SHA1=22c9da04847c26188226c3a345e2126ef00aa19e'
- 'SHA1=43501832ce50ccaba2706be852813d51de5a900f'
- 'SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542'
- 'SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde'
- 'SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc'
- 'SHA1=928b5971a0f7525209d599e2ef15c31717047022'
- 'SHA1=b5696e2183d9387776820ef3afa388200f08f5a6'
- 'SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2'
- 'SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3'
- 'SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774'
- 'SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945'
- 'SHA1=064de88dbbea67c149e779aac05228e5405985c7'
- 'SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7'
- 'SHA1=98130128685c8640a8a8391cb4718e98dd8fe542'
- 'SHA1=a5914161f8a885702427cf75443fb08d28d904f0'
- 'SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad'
- 'SHA1=fff4f28287677caabc60c8ab36786c370226588d'
- 'SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5'
- 'SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2'
- 'SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda'
- 'SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4'
- 'SHA1=87e20486e804bfff393cc9ad9659858e130402a2'
- 'SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c'
- 'SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9'
- 'SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a'
- 'SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0'
- 'SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b'
- 'SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6'
- 'SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b'
- 'SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c'
- 'SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a'
- 'SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed'
- 'SHA1=76568d987f8603339b8d1958f76de2b957811f66'
- 'SHA1=e841c8494b715b27b33be6f800ca290628507aba'
- 'SHA1=b555aad38df7605985462f3899572931ee126259'
- 'SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1'
- 'SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327'
- 'SHA1=bb6ef5518df35d9508673d5011138add8c30fc27'
- 'SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b'
- 'SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307'
- 'SHA1=34b677fba9dcab9a9016332b3332ce57f5796860'
- 'SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d'
- 'SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e'
- 'SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2'
- 'SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72'
- 'SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5'
- 'SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a'
- 'SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef'
- 'SHA1=18693de1487c55e374b46a7728b5bf43300d4f69'
- 'SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
- 'SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c'
- 'SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5'
- 'SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8'
- 'SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c'
- 'SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196'
- 'SHA1=e42bd2f585c00a1d6557df405246081f89542d15'
- 'SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9'
- 'SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd'
- 'SHA1=948368fe309652e8d88088d23e1df39e9c2b6649'
- 'SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d'
- 'SHA1=1f25f54e9b289f76604e81e98483309612c5a471'
- 'SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d'
- 'SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d'
- 'SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09'
- 'SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f'
- 'SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652'
- 'SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad'
- 'SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c'
- 'SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a'
- 'SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b'
- 'SHA1=d02403f85be6f243054395a873b41ef8a17ea279'
- 'SHA1=4da007dd298723f920e194501bb49bab769dfb14'
- 'SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a'
- 'SHA1=221717a48ee8e2d19470579c987674f661869e17'
- 'SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa'
- 'SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56'
- 'SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375'
- 'SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3'
- 'SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe'
- 'SHA1=6d09d826581baa1817be6fbd44426db9b05f1909'
- 'SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e'
- 'SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631'
- 'SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997'
- 'SHA1=0320534df24a37a245a0b09679a5adb27018fb5f'
- 'SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0'
- 'SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef'
- 'SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202'
- 'SHA1=062457182ab08594c631a3f897aeb03c6097eb77'
- 'SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25'
- 'SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670'
- 'SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e'
- 'SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5'
- 'SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b'
- 'SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739'
- 'SHA1=020580278d74d0fe741b0f786d8dca7554359997'
- 'SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677'
- 'SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4'
- 'SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7'
- 'SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d'
- 'SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f'
- 'SHA1=c257aa4094539719a3c7b7950598ef872dbf9518'
- 'SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49'
- 'SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e'
- 'SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c'
- 'SHA1=86f34eaea117f629297218a4d196b5729e72d7b9'
- 'SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0'
- 'SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7'
- 'SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8'
- 'SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb'
- 'SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a'
- 'SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb'
- 'SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d'
- 'SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2'
- 'SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a'
- 'SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212'
- 'SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b'
- 'SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac'
- 'SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1'
- 'SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76'
- 'SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421'
- 'SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316'
- 'SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47'
- 'SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03'
- 'SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c'
- 'SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553'
- 'SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87'
- 'SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330'
- 'SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852'
- 'SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304'
- 'SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931'
- 'SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d'
- 'SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c'
- 'SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736'
- 'SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830'
- 'SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
- 'SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a'
- 'SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a'
- 'SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a'
- 'SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0'
- 'SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392'
- 'SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd'
- 'SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee'
- 'SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01'
- 'SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254'
- 'SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231'
- 'SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39'
- 'SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d'
- 'SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1'
- 'SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae'
- 'SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
- 'SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50'
- 'SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9'
- 'SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212'
- 'SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25'
- 'SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09'
- 'SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1'
- 'SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99'
- 'SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae'
- 'SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475'
- 'SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2'
- 'SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c'
- 'SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb'
- 'SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db'
- 'SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2'
- 'SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c'
- 'SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b'
- 'SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c'
- 'SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217'
- 'SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597'
- 'SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37'
- 'SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4'
- 'SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376'
- 'SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a'
- 'SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e'
- 'SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a'
- 'SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25'
- 'SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be'
- 'SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7'
- 'SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a'
- 'SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c'
- 'SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987'
- 'SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f'
- 'SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad'
- 'SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e'
- 'SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5'
- 'SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b'
- 'SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa'
- 'SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972'
- 'SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a'
- 'SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46'
- 'SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f'
- 'SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4'
- 'SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8'
- 'SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6'
- 'SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21'
- 'SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894'
- 'SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd'
- 'SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62'
- 'SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e'
- 'SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff'
- 'SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b'
- 'SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870'
- 'SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640'
- 'SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530'
- 'SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd'
- 'SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550'
- 'SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9'
- 'SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b'
- 'SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c'
- 'SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988'
- 'SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875'
- 'SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263'
- 'SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4'
- 'SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280'
- 'SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9'
- 'SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12'
- 'SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe'
- 'SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b'
- 'SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f'
- 'SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a'
- 'SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719'
- 'SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908'
- 'SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de'
- 'SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
- 'SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a'
- 'SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427'
- 'SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653'
- 'SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919'
- 'SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad'
- 'SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920'
- 'SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77'
- 'SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e'
- 'SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105'
- 'SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2'
- 'SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa'
- 'SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112'
- 'SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4'
- 'SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff'
- 'SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3'
- 'SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925'
- 'SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6'
- 'SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878'
- 'SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59'
- 'SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66'
- 'SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280'
- 'SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7'
- 'SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167'
- 'SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a'
- 'SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7'
- 'SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec'
- 'SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620'
- 'SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f'
- 'SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905'
- 'SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3'
- 'SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b'
- 'SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab'
- 'SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc'
- 'SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968'
- 'SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28'
- 'SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0'
- 'SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93'
- 'SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12'
- 'SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8'
- 'SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895'
- 'SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3'
- 'SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f'
- 'SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be'
- 'SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8'
- 'SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f'
- 'SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe'
- 'SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4'
- 'SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5'
- 'SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af'
- 'SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40'
- 'SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6'
- 'SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d'
- 'SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a'
- 'SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96'
- 'SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
- 'SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2'
- 'SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce'
- 'SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96'
- 'SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576'
- 'SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80'
- 'SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266'
- 'SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724'
- 'SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee'
- 'SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b'
- 'SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f'
- 'SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e'
- 'SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1'
- 'SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952'
- 'SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da'
- 'SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e'
- 'SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463'
- 'SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7'
- 'SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0'
- 'SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1'
- 'SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9'
- 'SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a'
- 'SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85'
- 'SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac'
- 'SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873'
- 'SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7'
- 'SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38'
- 'SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c'
- 'SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c'
- 'SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524'
- 'SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51'
- 'SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df'
- 'SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601'
- 'SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7'
- 'SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3'
- 'SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19'
- 'SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55'
- 'SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe'
- 'SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85'
- 'SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1'
- 'SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06'
- 'SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
- 'SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3'
- 'SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55'
- 'SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778'
- 'SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6'
- 'SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6'
- 'SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43'
- 'SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3'
- 'SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7'
- 'SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715'
- 'SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434'
- 'SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0'
- 'SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f'
- 'SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327'
- 'SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d'
- 'SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021'
- 'SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4'
- 'SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15'
- 'SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f'
- 'SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2'
- 'SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677'
- 'SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d'
- 'SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d'
- 'SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f'
- 'SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57'
- 'SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc'
- 'SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
- 'SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35'
- 'SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440'
- 'IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7'
- 'IMPHASH=7641a0c227f0a3a45b80bb8af43cd152'
- 'IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c'
- 'IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d'
- 'IMPHASH=beceab354c66949088c9e5ed1f1ff2a4'
- 'IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626'
- 'IMPHASH=420625b024fba72a24025defdf95b303'
- 'IMPHASH=65ccc2c578a984c31880b6c5e65257d3'
- 'IMPHASH=e717abe060bc5c34925fe3120ac22f45'
- 'IMPHASH=41113a3a832353963112b94f4635a383'
- 'IMPHASH=3866dd9fe63de457bdbf893bf7050ddf'
- 'IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4'
- 'IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca'
- 'IMPHASH=c9a6e83d931286d1604d1add8403e1e5'
- 'IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372'
- 'IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f'
- 'IMPHASH=8e35c9460537092672b3c7c14bccc7e0'
- 'IMPHASH=7bf14377888c429897eb10a85f70266c'
- 'IMPHASH=b351627263648b1d220bb488e7ec7202'
- 'IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a'
- 'IMPHASH=a7bd820fa5b895fab06f20739c9f24b8'
- 'IMPHASH=be0dd8b8e045356d600ee55a64d9d197'
- 'IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8'
- 'IMPHASH=6c8d5c79a850eecc2fb0291cebda618d'
- 'IMPHASH=c32d9a9af7f702814e1368c689877f3a'
- 'IMPHASH=6b387c029257f024a43a73f38afb2629'
- 'IMPHASH=df43355c636583e56e92142dcc69cc58'
- 'IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd'
- 'IMPHASH=c214aac08575c139e48d04f5aee21585'
- 'IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7'
- 'IMPHASH=059c6bd84285f4960e767f032b33f19b'
- 'IMPHASH=a09170ef09c55cdca9472c02cb1f2647'
- 'IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a'
- 'IMPHASH=0262d4147f21d681f8519ab2af79283f'
- 'IMPHASH=832219eb71b8bdb771f1d29d27b0acf4'
- 'IMPHASH=514298d18002920ee5a917fc34426417'
- 'IMPHASH=26ceec6572c630bdad60c984e51b7da4'
- 'IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90'
- 'IMPHASH=4b47f6031c558106eee17655f8f8a32f'
- 'IMPHASH=a6c4a7369500900fc172f9557cff22cf'
- 'IMPHASH=3b49942ec6cef1898e97f741b2b5df8a'
- 'IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511'
- 'IMPHASH=27f6dc8a247a22308dd1beba5086b302'
- 'IMPHASH=7d017945bf90936a6c40f73f91ed02c2'
- 'IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97'
- 'IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e'
- 'IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9'
- 'IMPHASH=87fd2b54ed568e2294300e164b8c46f7'
- 'IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a'
- 'IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff'
- 'IMPHASH=2a008187d4a73284ddcc43f1b727b513'
- 'IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127'
- 'IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4'
- 'IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4'
- 'IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Malicious IP Address Sign-In Failure Rate
Indicates sign-in from a malicious IP address based on high failure rates.
view Sigma YAML
title: Malicious IP Address Sign-In Failure Rate
id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
status: test
description: Indicates sign-in from a malicious IP address based on high failure rates.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'maliciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Malicious IP Address Sign-In Suspicious
Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
view Sigma YAML
title: Malicious IP Address Sign-In Suspicious
id: 36440e1c-5c22-467a-889b-593e66498472
status: test
description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
Convert to SIEM query
high
Moderate
High FP
Malicious Nishang PowerShell Commandlets
Detects Commandlet names and arguments from the Nishang exploitation framework
view Sigma YAML
title: Malicious Nishang PowerShell Commandlets
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
status: test
description: Detects Commandlet names and arguments from the Nishang exploitation framework
references:
- https://github.com/samratashok/nishang
author: Alec Costello
date: 2019-05-16
modified: 2023-01-16
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Add-ConstrainedDelegationBackdoor'
# - 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Copy-VSS'
- 'Create-MultipleSessions'
- 'DataToEncode'
- 'DNS_TXT_Pwnage'
- 'Do-Exfiltration-Dns'
- 'Download_Execute'
- 'Download-Execute-PS'
- 'DownloadAndExtractFromRemoteRegistry'
- 'DumpCerts'
- 'DumpCreds'
- 'DumpHashes'
- 'Enable-DuplicateToken'
- 'Enable-Duplication'
- 'Execute-Command-MSSQL'
- 'Execute-DNSTXT-Code'
- 'Execute-OnTime'
- 'ExetoText'
- 'exfill'
- 'ExfilOption'
- 'FakeDC'
- 'FireBuster'
- 'FireListener'
- 'Get-Information ' # Space at the end is required. Otherwise, we get FP with Get-InformationBarrierReportDetails or Get-InformationBarrierReportSummary
# - 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Get-PassHints'
- 'Get-Web-Credentials'
- 'Get-WebCredentials'
- 'Get-WLAN-Keys'
# - 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'HTTP-Backdoor'
# - 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-AmsiBypass'
- 'Invoke-BruteForce'
- 'Invoke-CredentialsPhish'
- 'Invoke-Decode'
- 'Invoke-Encode'
- 'Invoke-Interceptor'
- 'Invoke-JSRatRegsvr'
- 'Invoke-JSRatRundll'
- 'Invoke-MimikatzWDigestDowngrade'
- 'Invoke-NetworkRelay'
# - 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-PowerShellIcmp'
- 'Invoke-PowerShellUdp'
- 'Invoke-Prasadhak'
- 'Invoke-PSGcat'
- 'Invoke-PsGcatAgent'
# - 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-SessionGopher'
- 'Invoke-SSIDExfil'
# - Jitter # Prone to FPs
# - 'Keylogger' # Too generic to be linked to Nishang
- 'LoggedKeys'
- 'Nishang'
- 'NotAllNameSpaces' # This is param to "Set-RemoteWMI"
- 'Out-CHM'
- 'OUT-DNSTXT'
- 'Out-HTA'
- 'Out-RundllCommand'
- 'Out-SCF'
- 'Out-SCT'
- 'Out-Shortcut'
- 'Out-WebQuery'
- 'Out-Word'
- 'Parse_Keys'
- 'Password-List'
- 'Powerpreter'
- 'Remove-Persistence'
- 'Remove-PoshRat'
- 'Remove-Update'
- 'Run-EXEonRemote'
- 'Set-DCShadowPermissions'
- 'Set-RemotePSRemoting'
- 'Set-RemoteWMI'
- 'Shellcode32'
- 'Shellcode64'
- 'StringtoBase64'
- 'TexttoExe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Malicious PowerShell Commandlets - PoshModule
Detects Commandlet names from well-known PowerShell exploitation frameworks
view Sigma YAML
title: Malicious PowerShell Commandlets - PoshModule
id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
related:
- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
type: similar
- id: 02030f2f-6199-49ec-b258-ea71b07e03dc
type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-20
modified: 2025-12-10
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains:
# Note: Please ensure alphabetical order when adding new entries
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'BadSuccessor'
- 'Check-VM'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Disable-ADIDNSNode'
- 'Disable-MachineAccount'
- 'Do-Exfiltration'
- 'Enable-ADIDNSNode'
- 'Enable-MachineAccount'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Export-ADR' # # ADRecon related cmdlets
- 'Export-ADRCSV' # # ADRecon related cmdlets
- 'Export-ADRExcel' # # ADRecon related cmdlets
- 'Export-ADRHTML' # # ADRecon related cmdlets
- 'Export-ADRJSON' # # ADRecon related cmdlets
- 'Export-ADRXML' # # ADRecon related cmdlets
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
- 'Get-ApplicationHost'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-KerberosAESKey'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-MachineAccountAttribute'
- 'Get-MachineAccountCreator'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Get-SecurityPackages'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Grant-ADIDNSPermission'
- 'Gupt-Backdoor'
- 'HTTP-Login'
- 'Install-ServiceBinary'
- 'Install-SSP'
- 'Invoke-ACLScanner'
- 'Invoke-ADRecon' # # ADRecon related cmdlets
- 'Invoke-ADSBackdoor'
- 'Invoke-AgentSmith'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DNSUpdate'
- 'Invoke-DNSExfiltrator'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-ImpersonatedProcess'
- 'Invoke-ImpersonateSystem'
- 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerDPAPI'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-SystemCommand'
- 'Invoke-Tasksbackdoor'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WMIExec'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-ADIDNSNode'
- 'New-DNSRecordArray'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'New-MachineAccount'
- 'New-SOASerialNumberArray'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
- 'powercat '
- 'PowerUp'
- 'PowerView'
- 'Remove-ADIDNSNode'
- 'Remove-MachineAccount'
- 'Remove-Update'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Set-MacAttribute'
- 'Set-MachineAccountAttribute'
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'Veeam-Get-Creds'
- 'VolumeShadowCopyTools'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Malicious PowerShell Commandlets - ProcessCreation
Detects Commandlet names from well-known PowerShell exploitation frameworks
view Sigma YAML
title: Malicious PowerShell Commandlets - ProcessCreation
id: 02030f2f-6199-49ec-b258-ea71b07e03dc
related:
- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
type: derived
- id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-12-10
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: Please ensure alphabetical order when adding new entries
CommandLine|contains:
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Check-VM'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Disable-ADIDNSNode'
- 'Disable-MachineAccount'
- 'Do-Exfiltration'
- 'Enable-ADIDNSNode'
- 'Enable-MachineAccount'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Export-ADR'
- 'Export-ADRCSV'
- 'Export-ADRExcel'
- 'Export-ADRHTML'
- 'Export-ADRJSON'
- 'Export-ADRXML'
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
- 'Get-ApplicationHost'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-KerberosAESKey'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-MachineAccountAttribute'
- 'Get-MachineAccountCreator'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Get-SecurityPackages'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Grant-ADIDNSPermission'
- 'Gupt-Backdoor'
- 'HTTP-Login'
- 'Install-ServiceBinary'
- 'Install-SSP'
- 'Invoke-ACLScanner'
- 'Invoke-ADRecon'
- 'Invoke-ADSBackdoor'
- 'Invoke-AgentSmith'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DNSUpdate'
- 'Invoke-DNSExfiltrator'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-ImpersonatedProcess'
- 'Invoke-ImpersonateSystem'
- 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerDPAPI'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-SystemCommand'
- 'Invoke-Tasksbackdoor'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WMIExec'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-ADIDNSNode'
- 'New-DNSRecordArray'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'New-MachineAccount'
- 'New-SOASerialNumberArray'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
- 'powercat '
- 'PowerUp'
- 'PowerView'
- 'Remove-ADIDNSNode'
- 'Remove-MachineAccount'
- 'Remove-Update'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Set-MacAttribute'
- 'Set-MachineAccountAttribute'
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'Veeam-Get-Creds'
- 'VolumeShadowCopyTools'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
view Sigma YAML
title: Malicious PowerShell Commandlets - ScriptBlock
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
related:
- id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
type: similar
- id: 02030f2f-6199-49ec-b258-ea71b07e03dc
type: similar
- id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
type: obsolete
- id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
type: obsolete
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017-03-05
modified: 2025-12-10
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
# Note: Please ensure alphabetical order when adding new entries
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Disable-ADIDNSNode'
- 'Do-Exfiltration'
- 'Enable-ADIDNSNode'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Export-ADRCSV'
- 'Export-ADRExcel'
- 'Export-ADRHTML'
- 'Export-ADRJSON'
- 'Export-ADRXML'
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ADIDNSNodeAttribute'
- 'Get-ADIDNSNodeOwner'
- 'Get-ADIDNSNodeTombstoned'
- 'Get-ADIDNSPermission'
- 'Get-ADIDNSZone'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-KerberosAESKey'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-SecurityPackages'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Grant-ADIDNSPermission'
- 'Gupt-Backdoor'
- 'Invoke-ACLScanner'
- 'Invoke-ADRecon'
- 'Invoke-ADSBackdoor'
- 'Invoke-AgentSmith'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DNSUpdate'
- 'Invoke-DNSExfiltrator'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-ImpersonatedProcess'
- 'Invoke-ImpersonateSystem'
- 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerDPAPI'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-SystemCommand'
- 'Invoke-Tasksbackdoor'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WMIExec'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-ADIDNSNode'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'New-SOASerialNumberArray'
- 'Out-Minidump'
- 'PowerBreach'
- 'powercat '
- 'PowerUp'
- 'PowerView'
- 'Remove-ADIDNSNode'
- 'Remove-Update'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
# - 'Check-VM'
# - 'Disable-MachineAccount'
# - 'Enable-MachineAccount'
# - 'Get-ApplicationHost'
# - 'Get-MachineAccountAttribute'
# - 'Get-MachineAccountCreator'
# - 'Get-Screenshot'
# - 'HTTP-Login'
# - 'Install-ServiceBinary'
# - 'Install-SSP'
# - 'New-DNSRecordArray'
# - 'New-MachineAccount'
# - 'Port-Scan'
# - 'Remove-MachineAccount'
# - 'Set-MacAttribute'
# - 'Set-MachineAccountAttribute'
# - 'Set-Wallpaper'
filter_optional_amazon_ec2:
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive form Amazon EC2
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive powershell scripts used for exploitation
view Sigma YAML
title: Malicious PowerShell Scripts - FileCreation
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
related:
- id: 41025fd7-0466-4650-a813-574aaacbe7f4
type: similar
status: test
description: Detects the creation of known offensive powershell scripts used for exploitation
references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
date: 2018-04-07
modified: 2025-12-10
tags:
- attack.execution
- attack.t1059.001
logsource:
category: file_event
product: windows
detection:
selection_generic:
TargetFilename|endswith:
# Note: Please ensure alphabetical order when adding new entries
- '\Add-ConstrainedDelegationBackdoor.ps1'
- '\Add-Exfiltration.ps1'
- '\Add-Persistence.ps1'
- '\Add-RegBackdoor.ps1'
- '\Add-RemoteRegBackdoor.ps1'
- '\Add-ScrnSaveBackdoor.ps1'
- '\ADRecon.ps1'
- '\AzureADRecon.ps1'
- '\BadSuccessor.ps1'
- '\Check-VM.ps1'
- '\ConvertTo-ROT13.ps1'
- '\Copy-VSS.ps1'
- '\Create-MultipleSessions.ps1'
- '\DNS_TXT_Pwnage.ps1'
- '\dnscat2.ps1'
- '\Do-Exfiltration.ps1'
- '\DomainPasswordSpray.ps1'
- '\Download_Execute.ps1'
- '\Download-Execute-PS.ps1'
- '\Enable-DuplicateToken.ps1'
- '\Enabled-DuplicateToken.ps1'
- '\Execute-Command-MSSQL.ps1'
- '\Execute-DNSTXT-Code.ps1'
- '\Execute-OnTime.ps1'
- '\ExetoText.ps1'
- '\Exploit-Jboss.ps1'
- '\Find-AVSignature.ps1'
- '\Find-Fruit.ps1'
- '\Find-GPOLocation.ps1'
- '\Find-TrustedDocuments.ps1'
- '\FireBuster.ps1'
- '\FireListener.ps1'
- '\Get-ApplicationHost.ps1'
- '\Get-ChromeDump.ps1'
- '\Get-ClipboardContents.ps1'
- '\Get-ComputerDetail.ps1'
- '\Get-FoxDump.ps1'
- '\Get-GPPAutologon.ps1'
- '\Get-GPPPassword.ps1'
- '\Get-IndexedItem.ps1'
- '\Get-Keystrokes.ps1'
- '\Get-LSASecret.ps1'
- '\Get-MicrophoneAudio.ps1'
- '\Get-PassHashes.ps1'
- '\Get-PassHints.ps1'
- '\Get-RegAlwaysInstallElevated.ps1'
- '\Get-RegAutoLogon.ps1'
- '\Get-RickAstley.ps1'
- '\Get-Screenshot.ps1'
- '\Get-SecurityPackages.ps1'
- '\Get-ServiceFilePermission.ps1'
- '\Get-ServicePermission.ps1'
- '\Get-ServiceUnquoted.ps1'
- '\Get-SiteListPassword.ps1'
- '\Get-System.ps1'
- '\Get-TimedScreenshot.ps1'
- '\Get-UnattendedInstallFile.ps1'
- '\Get-Unconstrained.ps1'
- '\Get-USBKeystrokes.ps1'
- '\Get-VaultCredential.ps1'
- '\Get-VulnAutoRun.ps1'
- '\Get-VulnSchTask.ps1'
- '\Get-WebConfig.ps1'
- '\Get-WebCredentials.ps1'
- '\Get-WLAN-Keys.ps1'
- '\Gupt-Backdoor.ps1'
- '\HTTP-Backdoor.ps1'
- '\HTTP-Login.ps1'
- '\Install-ServiceBinary.ps1'
- '\Install-SSP.ps1'
- '\Invoke-ACLScanner.ps1'
- '\Invoke-ADSBackdoor.ps1'
- '\Invoke-AmsiBypass.ps1'
- '\Invoke-ARPScan.ps1'
- '\Invoke-BackdoorLNK.ps1'
- '\Invoke-BadPotato.ps1'
- '\Invoke-BetterSafetyKatz.ps1'
- '\Invoke-BruteForce.ps1'
- '\Invoke-BypassUAC.ps1'
- '\Invoke-Carbuncle.ps1'
- '\Invoke-Certify.ps1'
- '\Invoke-ConPtyShell.ps1'
- '\Invoke-CredentialInjection.ps1'
- '\Invoke-CredentialsPhish.ps1'
- '\Invoke-DAFT.ps1'
- '\Invoke-DCSync.ps1'
- '\Invoke-Decode.ps1'
- '\Invoke-DinvokeKatz.ps1'
- '\Invoke-DllInjection.ps1'
- '\Invoke-DNSExfiltrator.ps1'
- '\Invoke-DNSUpdate.ps1'
- '\Invoke-DowngradeAccount.ps1'
- '\Invoke-EgressCheck.ps1'
- '\Invoke-Encode.ps1'
- '\Invoke-EventViewer.ps1'
- '\Invoke-Eyewitness.ps1'
- '\Invoke-FakeLogonScreen.ps1'
- '\Invoke-Farmer.ps1'
- '\Invoke-Get-RBCD-Threaded.ps1'
- '\Invoke-Gopher.ps1'
- '\Invoke-Grouper2.ps1'
- '\Invoke-Grouper3.ps1'
- '\Invoke-HandleKatz.ps1'
- '\Invoke-Interceptor.ps1'
- '\Invoke-Internalmonologue.ps1'
- '\Invoke-Inveigh.ps1'
- '\Invoke-InveighRelay.ps1'
- '\Invoke-JSRatRegsvr.ps1'
- '\Invoke-JSRatRundll.ps1'
- '\Invoke-KrbRelay.ps1'
- '\Invoke-KrbRelayUp.ps1'
- '\Invoke-LdapSignCheck.ps1'
- '\Invoke-Lockless.ps1'
- '\Invoke-MalSCCM.ps1'
- '\Invoke-Mimikatz.ps1'
- '\Invoke-MimikatzWDigestDowngrade.ps1'
- '\Invoke-Mimikittenz.ps1'
- '\Invoke-MITM6.ps1'
- '\Invoke-NanoDump.ps1'
- '\Invoke-NetRipper.ps1'
- '\Invoke-NetworkRelay.ps1'
- '\Invoke-NinjaCopy.ps1'
- '\Invoke-OxidResolver.ps1'
- '\Invoke-P0wnedshell.ps1'
- '\Invoke-P0wnedshellx86.ps1'
- '\Invoke-Paranoia.ps1'
- '\Invoke-PortScan.ps1'
- '\Invoke-PoshRatHttp.ps1'
- '\Invoke-PoshRatHttps.ps1'
- '\Invoke-PostExfil.ps1'
- '\Invoke-PowerDump.ps1'
- '\Invoke-PowerDPAPI.ps1'
- '\Invoke-PowerShellIcmp.ps1'
- '\Invoke-PowerShellTCP.ps1'
- '\Invoke-PowerShellTcpOneLine.ps1'
- '\Invoke-PowerShellTcpOneLineBind.ps1'
- '\Invoke-PowerShellUdp.ps1'
- '\Invoke-PowerShellUdpOneLine.ps1'
- '\Invoke-PowerShellWMI.ps1'
- '\Invoke-PowerThIEf.ps1'
- '\Invoke-PPLDump.ps1'
- '\Invoke-Prasadhak.ps1'
- '\Invoke-PsExec.ps1'
- '\Invoke-PsGcat.ps1'
- '\Invoke-PsGcatAgent.ps1'
- '\Invoke-PSInject.ps1'
- '\Invoke-PsUaCme.ps1'
- '\Invoke-ReflectivePEInjection.ps1'
- '\Invoke-ReverseDNSLookup.ps1'
- '\Invoke-Rubeus.ps1'
- '\Invoke-RunAs.ps1'
- '\Invoke-SafetyKatz.ps1'
- '\Invoke-SauronEye.ps1'
- '\Invoke-SCShell.ps1'
- '\Invoke-Seatbelt.ps1'
- '\Invoke-ServiceAbuse.ps1'
- '\Invoke-SessionGopher.ps1'
- '\Invoke-ShellCode.ps1'
- '\Invoke-SMBScanner.ps1'
- '\Invoke-Snaffler.ps1'
- '\Invoke-Spoolsample.ps1'
- '\Invoke-SSHCommand.ps1'
- '\Invoke-SSIDExfil.ps1'
- '\Invoke-StandIn.ps1'
- '\Invoke-StickyNotesExtract.ps1'
- '\Invoke-Tater.ps1'
- '\Invoke-Thunderfox.ps1'
- '\Invoke-ThunderStruck.ps1'
- '\Invoke-TokenManipulation.ps1'
- '\Invoke-Tokenvator.ps1'
- '\Invoke-TotalExec.ps1'
- '\Invoke-UrbanBishop.ps1'
- '\Invoke-UserHunter.ps1'
- '\Invoke-VoiceTroll.ps1'
- '\Invoke-Whisker.ps1'
- '\Invoke-WinEnum.ps1'
- '\Invoke-winPEAS.ps1'
- '\Invoke-WireTap.ps1'
- '\Invoke-WmiCommand.ps1'
- '\Invoke-WScriptBypassUAC.ps1'
- '\Invoke-Zerologon.ps1'
- '\Keylogger.ps1'
- '\MailRaider.ps1'
- '\New-HoneyHash.ps1'
- '\OfficeMemScraper.ps1'
- '\Offline_Winpwn.ps1'
- '\Out-CHM.ps1'
- '\Out-DnsTxt.ps1'
- '\Out-Excel.ps1'
- '\Out-HTA.ps1'
- '\Out-Java.ps1'
- '\Out-JS.ps1'
- '\Out-Minidump.ps1'
- '\Out-RundllCommand.ps1'
- '\Out-SCF.ps1'
- '\Out-SCT.ps1'
- '\Out-Shortcut.ps1'
- '\Out-WebQuery.ps1'
- '\Out-Word.ps1'
- '\Parse_Keys.ps1'
- '\Port-Scan.ps1'
- '\PowerBreach.ps1'
- '\powercat.ps1'
- '\Powermad.ps1'
- '\PowerRunAsSystem.psm1'
- '\PowerSharpPack.ps1'
- '\PowerUp.ps1'
- '\PowerUpSQL.ps1'
- '\PowerView.ps1'
- '\PSAsyncShell.ps1'
- '\RemoteHashRetrieval.ps1'
- '\Remove-Persistence.ps1'
- '\Remove-PoshRat.ps1'
- '\Remove-Update.ps1'
- '\Run-EXEonRemote.ps1'
- '\Schtasks-Backdoor.ps1'
- '\Set-DCShadowPermissions.ps1'
- '\Set-MacAttribute.ps1'
- '\Set-RemotePSRemoting.ps1'
- '\Set-RemoteWMI.ps1'
- '\Set-Wallpaper.ps1'
- '\Show-TargetScreen.ps1'
- '\Speak.ps1'
- '\Start-CaptureServer.ps1'
- '\Start-WebcamRecorder.ps1'
- '\StringToBase64.ps1'
- '\TexttoExe.ps1'
- '\Veeam-Get-Creds.ps1'
- '\VolumeShadowCopyTools.ps1'
- '\WinPwn.ps1'
- '\WSUSpendu.ps1'
selection_invoke_sharp:
TargetFilename|contains: 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
TargetFilename|endswith: '.ps1'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Malicious PowerShell Scripts - PoshModule
Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
view Sigma YAML
title: Malicious PowerShell Scripts - PoshModule
id: 41025fd7-0466-4650-a813-574aaacbe7f4
related:
- id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
type: similar
- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
type: obsolete
status: test
description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2025-12-10
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_generic:
ContextInfo|contains:
- 'Add-ConstrainedDelegationBackdoor.ps1'
- 'Add-Exfiltration.ps1'
- 'Add-Persistence.ps1'
- 'Add-RegBackdoor.ps1'
- 'Add-RemoteRegBackdoor.ps1'
- 'Add-ScrnSaveBackdoor.ps1'
- 'BadSuccessor.ps1'
- 'Check-VM.ps1'
- 'ConvertTo-ROT13.ps1'
- 'Copy-VSS.ps1'
- 'Create-MultipleSessions.ps1'
- 'DNS_TXT_Pwnage.ps1'
- 'dnscat2.ps1'
- 'Do-Exfiltration.ps1'
- 'DomainPasswordSpray.ps1'
- 'Download_Execute.ps1'
- 'Download-Execute-PS.ps1'
- 'Enabled-DuplicateToken.ps1'
- 'Enable-DuplicateToken.ps1'
- 'Execute-Command-MSSQL.ps1'
- 'Execute-DNSTXT-Code.ps1'
- 'Execute-OnTime.ps1'
- 'ExetoText.ps1'
- 'Exploit-Jboss.ps1'
- 'Find-AVSignature.ps1'
- 'Find-Fruit.ps1'
- 'Find-GPOLocation.ps1'
- 'Find-TrustedDocuments.ps1'
- 'FireBuster.ps1'
- 'FireListener.ps1'
- 'Get-ApplicationHost.ps1'
- 'Get-ChromeDump.ps1'
- 'Get-ClipboardContents.ps1'
- 'Get-ComputerDetail.ps1'
- 'Get-FoxDump.ps1'
- 'Get-GPPAutologon.ps1'
- 'Get-GPPPassword.ps1'
- 'Get-IndexedItem.ps1'
- 'Get-Keystrokes.ps1'
- 'Get-LSASecret.ps1'
- 'Get-MicrophoneAudio.ps1'
- 'Get-PassHashes.ps1'
- 'Get-PassHints.ps1'
- 'Get-RegAlwaysInstallElevated.ps1'
- 'Get-RegAutoLogon.ps1'
- 'Get-RickAstley.ps1'
- 'Get-Screenshot.ps1'
- 'Get-SecurityPackages.ps1'
- 'Get-ServiceFilePermission.ps1'
- 'Get-ServicePermission.ps1'
- 'Get-ServiceUnquoted.ps1'
- 'Get-SiteListPassword.ps1'
- 'Get-System.ps1'
- 'Get-TimedScreenshot.ps1'
- 'Get-UnattendedInstallFile.ps1'
- 'Get-Unconstrained.ps1'
- 'Get-USBKeystrokes.ps1'
- 'Get-VaultCredential.ps1'
- 'Get-VulnAutoRun.ps1'
- 'Get-VulnSchTask.ps1'
- 'Get-WebConfig.ps1'
- 'Get-WebCredentials.ps1'
- 'Get-WLAN-Keys.ps1'
- 'Gupt-Backdoor.ps1'
- 'HTTP-Backdoor.ps1'
- 'HTTP-Login.ps1'
- 'Install-ServiceBinary.ps1'
- 'Install-SSP.ps1'
- 'Invoke-ACLScanner.ps1'
- 'Invoke-ADSBackdoor.ps1'
- 'Invoke-AmsiBypass.ps1'
- 'Invoke-ARPScan.ps1'
- 'Invoke-BackdoorLNK.ps1'
- 'Invoke-BadPotato.ps1'
- 'Invoke-BetterSafetyKatz.ps1'
- 'Invoke-BruteForce.ps1'
- 'Invoke-BypassUAC.ps1'
- 'Invoke-Carbuncle.ps1'
- 'Invoke-Certify.ps1'
- 'Invoke-ConPtyShell.ps1'
- 'Invoke-CredentialInjection.ps1'
- 'Invoke-CredentialsPhish.ps1'
- 'Invoke-DAFT.ps1'
- 'Invoke-DCSync.ps1'
- 'Invoke-Decode.ps1'
- 'Invoke-DinvokeKatz.ps1'
- 'Invoke-DllInjection.ps1'
- 'Invoke-DNSExfiltrator.ps1'
- 'Invoke-DowngradeAccount.ps1'
- 'Invoke-EgressCheck.ps1'
- 'Invoke-Encode.ps1'
- 'Invoke-EventViewer.ps1'
- 'Invoke-Eyewitness.ps1'
- 'Invoke-FakeLogonScreen.ps1'
- 'Invoke-Farmer.ps1'
- 'Invoke-Get-RBCD-Threaded.ps1'
- 'Invoke-Gopher.ps1'
- 'Invoke-Grouper2.ps1'
- 'Invoke-Grouper3.ps1'
- 'Invoke-HandleKatz.ps1'
- 'Invoke-Interceptor.ps1'
- 'Invoke-Internalmonologue.ps1'
- 'Invoke-Inveigh.ps1'
- 'Invoke-InveighRelay.ps1'
- 'Invoke-JSRatRegsvr.ps1'
- 'Invoke-JSRatRundll.ps1'
- 'Invoke-KrbRelay.ps1'
- 'Invoke-KrbRelayUp.ps1'
- 'Invoke-LdapSignCheck.ps1'
- 'Invoke-Lockless.ps1'
- 'Invoke-MalSCCM.ps1'
- 'Invoke-Mimikatz.ps1'
- 'Invoke-MimikatzWDigestDowngrade.ps1'
- 'Invoke-Mimikittenz.ps1'
- 'Invoke-MITM6.ps1'
- 'Invoke-NanoDump.ps1'
- 'Invoke-NetRipper.ps1'
- 'Invoke-NetworkRelay.ps1'
- 'Invoke-NinjaCopy.ps1'
- 'Invoke-OxidResolver.ps1'
- 'Invoke-P0wnedshell.ps1'
- 'Invoke-P0wnedshellx86.ps1'
- 'Invoke-Paranoia.ps1'
- 'Invoke-PortScan.ps1'
- 'Invoke-PoshRatHttp.ps1'
- 'Invoke-PoshRatHttps.ps1'
- 'Invoke-PostExfil.ps1'
- 'Invoke-PowerDump.ps1'
- 'Invoke-PowerDPAPI.ps1'
- 'Invoke-PowerShellIcmp.ps1'
- 'Invoke-PowerShellTCP.ps1'
- 'Invoke-PowerShellTcpOneLine.ps1'
- 'Invoke-PowerShellTcpOneLineBind.ps1'
- 'Invoke-PowerShellUdp.ps1'
- 'Invoke-PowerShellUdpOneLine.ps1'
- 'Invoke-PowerShellWMI.ps1'
- 'Invoke-PowerThIEf.ps1'
- 'Invoke-PPLDump.ps1'
- 'Invoke-Prasadhak.ps1'
- 'Invoke-PsExec.ps1'
- 'Invoke-PsGcat.ps1'
- 'Invoke-PsGcatAgent.ps1'
- 'Invoke-PSInject.ps1'
- 'Invoke-PsUaCme.ps1'
- 'Invoke-ReflectivePEInjection.ps1'
- 'Invoke-ReverseDNSLookup.ps1'
- 'Invoke-Rubeus.ps1'
- 'Invoke-RunAs.ps1'
- 'Invoke-SafetyKatz.ps1'
- 'Invoke-SauronEye.ps1'
- 'Invoke-SCShell.ps1'
- 'Invoke-Seatbelt.ps1'
- 'Invoke-ServiceAbuse.ps1'
- 'Invoke-SessionGopher.ps1'
- 'Invoke-ShellCode.ps1'
- 'Invoke-SMBScanner.ps1'
- 'Invoke-Snaffler.ps1'
- 'Invoke-Spoolsample.ps1'
- 'Invoke-SSHCommand.ps1'
- 'Invoke-SSIDExfil.ps1'
- 'Invoke-StandIn.ps1'
- 'Invoke-StickyNotesExtract.ps1'
- 'Invoke-Tater.ps1'
- 'Invoke-Thunderfox.ps1'
- 'Invoke-ThunderStruck.ps1'
- 'Invoke-TokenManipulation.ps1'
- 'Invoke-Tokenvator.ps1'
- 'Invoke-TotalExec.ps1'
- 'Invoke-UrbanBishop.ps1'
- 'Invoke-UserHunter.ps1'
- 'Invoke-VoiceTroll.ps1'
- 'Invoke-Whisker.ps1'
- 'Invoke-WinEnum.ps1'
- 'Invoke-winPEAS.ps1'
- 'Invoke-WireTap.ps1'
- 'Invoke-WmiCommand.ps1'
- 'Invoke-WScriptBypassUAC.ps1'
- 'Invoke-Zerologon.ps1'
- 'Keylogger.ps1'
- 'MailRaider.ps1'
- 'New-HoneyHash.ps1'
- 'OfficeMemScraper.ps1'
- 'Offline_Winpwn.ps1'
- 'Out-CHM.ps1'
- 'Out-DnsTxt.ps1'
- 'Out-Excel.ps1'
- 'Out-HTA.ps1'
- 'Out-Java.ps1'
- 'Out-JS.ps1'
- 'Out-Minidump.ps1'
- 'Out-RundllCommand.ps1'
- 'Out-SCF.ps1'
- 'Out-SCT.ps1'
- 'Out-Shortcut.ps1'
- 'Out-WebQuery.ps1'
- 'Out-Word.ps1'
- 'Parse_Keys.ps1'
- 'Port-Scan.ps1'
- 'PowerBreach.ps1'
- 'powercat.ps1'
- 'PowerRunAsSystem.psm1'
- 'PowerSharpPack.ps1'
- 'PowerUp.ps1'
- 'PowerUpSQL.ps1'
- 'PowerView.ps1'
- 'PSAsyncShell.ps1'
- 'RemoteHashRetrieval.ps1'
- 'Remove-Persistence.ps1'
- 'Remove-PoshRat.ps1'
- 'Remove-Update.ps1'
- 'Run-EXEonRemote.ps1'
- 'Schtasks-Backdoor.ps1'
- 'Set-DCShadowPermissions.ps1'
- 'Set-MacAttribute.ps1'
- 'Set-RemotePSRemoting.ps1'
- 'Set-RemoteWMI.ps1'
- 'Set-Wallpaper.ps1'
- 'Show-TargetScreen.ps1'
- 'Speak.ps1'
- 'Start-CaptureServer.ps1'
- 'Start-WebcamRecorder.ps1'
- 'StringToBase64.ps1'
- 'TexttoExe.ps1'
- 'Veeam-Get-Creds.ps1'
- 'VolumeShadowCopyTools.ps1'
- 'WinPwn.ps1'
- 'WSUSpendu.ps1'
selection_invoke_sharp:
ContextInfo|contains|all:
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- '.ps1'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Malicious ShellIntel PowerShell Commandlets
Detects Commandlet names from ShellIntel exploitation scripts.
view Sigma YAML
title: Malicious ShellIntel PowerShell Commandlets
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
status: test
description: Detects Commandlet names from ShellIntel exploitation scripts.
references:
- https://github.com/Shellntel/scripts/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2023-01-02
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Invoke-SMBAutoBrute'
- 'Invoke-GPOLinks'
# - 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-Potato'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
Detects when an instance identity has taken an action that isn't inside SSM.
This can indicate that a compromised EC2 instance is being used as a pivot point.
view Sigma YAML
title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
id: 352a918a-34d8-4882-8470-44830c507aa3
status: test
description: |
Detects when an instance identity has taken an action that isn't inside SSM.
This can indicate that a compromised EC2 instance is being used as a pivot point.
references:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.t1078.002
logsource:
product: aws
service: cloudtrail
detection:
selection:
userIdentity.arn|re: '.+:assumed-role/aws:.+'
filter_main_generic:
- eventSource: 'ssm.amazonaws.com'
- eventName: 'RegisterManagedInstance'
- sourceIPAddress: 'AWS Internal'
condition: selection and not 1 of filter_main_*
falsepositives:
- A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services
level: high
Convert to SIEM query
high
Strong
Medium FP
Malware Shellcode in Verclsid Target Process
Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
view Sigma YAML
title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: test
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
- https://twitter.com/JohnLaTwC/status/837743453039534080
author: John Lambert (tech), Florian Roth (Nextron Systems)
date: 2017-03-04
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- detection.emerging-threats
logsource:
category: process_access
product: windows
definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
selection_target:
TargetImage|endswith: '\verclsid.exe'
GrantedAccess: '0x1FFFFF'
selection_calltrace_1:
CallTrace|contains|all:
- '|UNKNOWN('
- 'VBE7.DLL'
selection_calltrace_2:
SourceImage|contains: '\Microsoft Office\'
CallTrace|contains: '|UNKNOWN'
condition: selection_target and 1 of selection_calltrace_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Malware User Agent
Detects suspicious user agent strings used by malware in proxy logs
view Sigma YAML
title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
references:
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
- http://www.botopedia.org/search?searchword=scan&searchphrase=all
- https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
- https://perishablepress.com/blacklist/ua-2013.txt
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
- https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
- https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
- https://twitter.com/crep1x/status/1635034100213112833
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-07-08
modified: 2024-04-14
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# RATs
- 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
- 'HttpBrowser/1.0' # HTTPBrowser RAT
- '*<|>*' # Houdini / Iniduoh / njRAT
- 'nsis_inetc (mozilla)' # ZeroAccess
- 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
# Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
# Malware
- '*zeroup*' # W32/Renos.Downloader
- 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
- '* adlib/*'
- '* tiny' # Trojan Downloader
- '* BGroom *' # Trojan Downloader
- '* changhuatong'
- '* CholTBAgent'
- 'Mozilla/5.0 WinInet'
- 'RookIE/1.0'
- 'M' # HkMain
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
- 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
- 'backdoorbot'
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
- 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
- 'Opera' # Trojan Keragany
- 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
- 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
- 'MSIE' # Toby web shell
- '*(Charon; Inferno)' # Loki Bot
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection
- 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
# Ursnif
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
# Emotet
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
# Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
- 'Mozilla/5.0 (Windows NT 6.1)'
- 'AppleWebkit/587.38 (KHTML, like Gecko)'
- 'Chrome/91.0.4472.77'
- 'Safari/537.36'
- 'Edge/91.0.864.37'
- 'Firefox/89.0'
- 'Gecko/20100101'
# Others
- '* pxyscand*'
- '* asd'
- '* mdms'
- 'sample'
- 'nocase'
- 'Moxilla'
- 'Win32 *'
- '*Microsoft Internet Explorer*'
- 'agent *'
- 'AutoIt' # Suspicious - base-lining recommended
- 'IczelionDownLoad'
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
- 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
- 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
- 'antSword/v2.1' # AntSword Webshell UA
- 'rqwrwqrqwrqw' # Racoon Stealer
- 'qwrqrwrqwrqwr' # Racoon Stealer
- 'rc2.0/client' # Racoon Stealer
- 'TakeMyPainBack' # Racoon Stealer
- 'xxx' # Racoon Stealer
- '20112211' # Racoon Stealer
- '23591' # Racoon Stealer
- '901785252112' # Racoon Stealer
- '1235125521512' # Racoon Stealer
- '125122112551' # Racoon Stealer
- 'B1D3N_RIM_MY_ASS' # Racoon Stealer
- 'AYAYAYAY1337' # Racoon Stealer
- 'iMightJustPayMySelfForAFeature' # Racoon Stealer
- 'ForAFeature' # Racoon Stealer
- 'Ares_ldr_v_*' # AresLoader
# - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
- 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
- 'CLCTR' # https://github.com/silence-is-best/c2db
- 'uploader' # https://github.com/silence-is-best/c2db
- 'agent' # https://github.com/silence-is-best/c2db
- 'License' # https://github.com/silence-is-best/c2db
- 'vb wininet' # https://github.com/silence-is-best/c2db
- 'Client' # https://github.com/silence-is-best/c2db
- 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
- 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
- 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
- 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
- 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'DuckTales' # Racoon Stealer
- 'Zadanie' # Racoon Stealer
- 'GunnaWunnaBlueTips' # Racoon Stealer
- 'Xlmst' # Racoon Stealer
- 'GeekingToTheMoon' # Racoon Stealer
- 'SunShineMoonLight' # Racoon Stealer
- 'BunnyRequester' # BunnyStealer
- 'BunnyTasks' # BunnyStealer
- 'BunnyStealer' # BunnyStealer
- 'BunnyLoader_Dropper' # BunnyStealer
- 'BunnyLoader' # BunnyStealer
- 'BunnyShell' # BunnyStealer
- 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
- '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
- 'SouthSide' # Racoon Stealer
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
view Sigma YAML
title: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
id: 6345b048-8441-43a7-9bed-541133633d7a
status: test
description: |
Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
references:
- https://twitter.com/gN3mes1s/status/1222088214581825540
- https://twitter.com/gN3mes1s/status/1222095963789111296
- https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dctask64.exe'
- Hashes|contains:
- 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
- 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
- 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
- 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
selection_cli:
CommandLine|contains:
- ' executecmd64 '
- ' invokeexe '
- ' injectDll '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Mask System Power Settings Via Systemctl
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
view Sigma YAML
title: Mask System Power Settings Via Systemctl
id: c172b7b5-f3a1-4af2-90b7-822c63df86cb
status: experimental
description: |
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
author: Milad Cheraghi, Nasreddine Bencherchali
date: 2025-10-17
references:
- https://www.man7.org/linux/man-pages/man1/systemctl.1.html
- https://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/
tags:
- attack.persistence
- attack.impact
- attack.t1653
logsource:
category: process_creation
product: linux
detection:
selection_systemctl:
Image|endswith: '/systemctl'
CommandLine|contains: ' mask'
selection_power_options:
CommandLine|contains:
- 'suspend.target'
- 'hibernate.target'
- 'hybrid-sleep.target'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Mavinject Inject DLL Into Running Process
Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
view Sigma YAML
title: Mavinject Inject DLL Into Running Process
id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
related:
- id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
type: obsolete
status: test
description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
- https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
- https://twitter.com/gN3mes1s/status/941315826107510784
- https://reaqta.com/2017/12/mavinject-microsoft-injector/
- https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
- https://github.com/SigmaHQ/sigma/issues/3742
- https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
author: frack113, Florian Roth
date: 2021-07-12
modified: 2022-12-05
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.001
- attack.t1218.013
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ' /INJECTRUNNING '
filter:
ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Low FP
Metasploit Or Impacket Service Installation Via SMB PsExec
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
view Sigma YAML
title: Metasploit Or Impacket Service Installation Via SMB PsExec
id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
related:
- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
type: derived
status: test
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-21
modified: 2022-10-05
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1570
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
ServiceStartType: 3 # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
ServiceType: '0x10'
filter:
ServiceName: 'PSEXESVC'
condition: selection and not filter
falsepositives:
- Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
level: high
Convert to SIEM query
high
Strong
Medium FP
Metasploit SMB Authentication
Alerts on Metasploit host's authentications on the domain.
view Sigma YAML
title: Metasploit SMB Authentication
id: 72124974-a68b-4366-b990-d30e0b2a190d
status: test
description: Alerts on Metasploit host's authentications on the domain.
references:
- https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020-05-06
modified: 2024-01-25
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4625
- 4624
LogonType: 3
AuthenticationPackageName: 'NTLM'
WorkstationName|re: '^[A-Za-z0-9]{16}$'
selection2:
EventID: 4776
Workstation|re: '^[A-Za-z0-9]{16}$'
condition: 1 of selection*
falsepositives:
- Linux hostnames composed of 16 characters.
level: high
Convert to SIEM query
high
Strong
Medium FP
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
view Sigma YAML
title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- attack.t1134.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection_eid:
EventID: 4697
selection_cli_cmd:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
ServiceFileName|contains|all:
- '/c'
- 'echo'
- '\pipe\'
ServiceFileName|contains:
- 'cmd'
- '%COMSPEC%'
selection_cli_rundll:
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
ServiceFileName|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
selection_cli_share:
ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
condition: selection_eid and 1 of selection_cli_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
view Sigma YAML
title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- attack.t1134.002
logsource:
product: windows
service: system
detection:
selection_id:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_cli_cmd:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
ImagePath|contains|all:
- '/c'
- 'echo'
- '\pipe\'
ImagePath|contains:
- 'cmd'
- '%COMSPEC%'
selection_cli_rundll:
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
ImagePath|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
selection_cli_share:
ImagePath|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
condition: selection_id and 1 of selection_cli_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Microsoft Defender Blocked from Loading Unsigned DLL
Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
view Sigma YAML
title: Microsoft Defender Blocked from Loading Unsigned DLL
id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
status: test
description: Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2022-09-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: security-mitigations
detection:
selection:
EventID:
- 11
- 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
ProcessPath|endswith:
- '\MpCmdRun.exe'
- '\NisSrv.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Microsoft Defender Tamper Protection Trigger
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
view Sigma YAML
title: Microsoft Defender Tamper Protection Trigger
id: 49e5bc24-8b86-49f1-b743-535f332c2856
status: stable
description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
references:
- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
author: Bhabesh Raj, Nasreddine Bencherchali
date: 2021-07-05
modified: 2022-12-06
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
Value|endswith:
- '\Windows Defender\DisableAntiSpyware'
- '\Windows Defender\DisableAntiVirus'
- '\Windows Defender\Scan\DisableArchiveScanning'
- '\Windows Defender\Scan\DisableScanningNetworkFiles'
- '\Real-Time Protection\DisableRealtimeMonitoring'
- '\Real-Time Protection\DisableBehaviorMonitoring'
- '\Real-Time Protection\DisableIOAVProtection'
- '\Real-Time Protection\DisableScriptScanning'
condition: selection
falsepositives:
- Administrator might try to disable defender features during testing (must be investigated)
level: high
Convert to SIEM query
high
Moderate
High FP
Microsoft IIS Connection Strings Decryption
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
view Sigma YAML
title: Microsoft IIS Connection Strings Decryption
id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
status: test
description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2022-12-30
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_name:
- Image|endswith: '\aspnet_regiis.exe'
- OriginalFileName: 'aspnet_regiis.exe'
selection_args:
CommandLine|contains|all:
- 'connectionStrings'
- ' -pdf'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Microsoft IIS Service Account Password Dumped
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
view Sigma YAML
title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
- https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
- https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
date: 2022-11-08
modified: 2023-01-22
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_base_name:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_base_list:
CommandLine|contains: 'list '
selection_standalone:
CommandLine|contains:
- ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900
- ' /xml'
# We cover the "-" version just in case :)
- ' -config'
- ' -xml'
selection_cmd_flags:
CommandLine|contains:
- ' /@t' # Covers both "/@text:*" and "/@t:*"
- ' /text'
- ' /show'
# We cover the "-" version just in case :)
- ' -@t'
- ' -text'
- ' -show'
selection_cmd_grep:
CommandLine|contains:
- ':\*'
- 'password'
condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
view Sigma YAML
title: Microsoft Malware Protection Engine Crash
id: 545a5da6-f103-4919-a519-e9aec1026ee4
related:
- id: 6c82cf5c-090d-4d57-9188-533577631108
type: similar
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1211
- attack.t1685
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
Data|contains|all:
- 'MsMpEng.exe'
- 'mpengine.dll'
condition: selection
falsepositives:
- MsMpEng might crash if the "C:\" partition is full
level: high
Convert to SIEM query
high
Strong
Medium FP
Microsoft Malware Protection Engine Crash - WER
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
view Sigma YAML
title: Microsoft Malware Protection Engine Crash - WER
id: 6c82cf5c-090d-4d57-9188-533577631108
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1211
- attack.t1685
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'Windows Error Reporting'
EventID: 1001
Data|contains|all:
- 'MsMpEng.exe'
- 'mpengine.dll'
condition: selection
falsepositives:
- MsMpEng might crash if the "C:\" partition is full
level: high
Convert to SIEM query
high
Moderate
Medium FP
Microsoft Office DLL Sideload
Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
view Sigma YAML
title: Microsoft Office DLL Sideload
id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
status: test
description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-03-15
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\outllib.dll'
filter:
ImageLoaded|startswith:
- 'C:\Program Files\Microsoft Office\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\OFFICE'
- 'C:\Program Files\Microsoft Office\Root\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Microsoft Office Protected View Disabled
Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
view Sigma YAML
title: Microsoft Office Protected View Disabled
id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
related:
- id: 7c637634-c95d-4bbf-b26c-a82510874b34
type: obsolete
status: test
description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
- https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-06-08
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_path:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Office\'
- '\Security\ProtectedView\'
selection_values_1:
Details: 'DWORD (0x00000001)'
TargetObject|endswith:
- '\DisableAttachementsInPV' # Turn off Protected View for attachments opened from Outlook
- '\DisableInternetFilesInPV' # Turn off Protected View for files downloaded from Internet zone
- '\DisableIntranetCheck' # Turn off Protected View for file located in UNC paths
- '\DisableUnsafeLocationsInPV' # Turn off Protected View for unsafe locations
selection_values_0:
Details: 'DWORD (0x00000000)'
TargetObject|endswith:
- '\enabledatabasefileprotectedview'
- '\enableforeigntextfileprotectedview'
condition: selection_path and 1 of selection_values_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Mimikatz DC Sync
Detects Mimikatz DC sync security events
view Sigma YAML
title: Mimikatz DC Sync
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
status: test
description: Detects Mimikatz DC sync security events
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu
date: 2018-06-03
modified: 2022-04-26
tags:
- attack.credential-access
- attack.s0002
- attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
Properties|contains:
- 'Replicating Directory Changes All'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '9923a32a-3607-11d2-b9be-0000f87a36b2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
AccessMask: '0x100'
filter1:
SubjectDomainName: 'Window Manager'
filter2:
SubjectUserName|startswith:
- 'NT AUT'
- 'MSOL_'
filter3:
SubjectUserName|endswith: '$'
condition: selection and not 1 of filter*
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
- Local Domain Admin account used for Azure AD Connect
level: high
Convert to SIEM query
high
Moderate
Low FP
Mimikatz Use
This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
view Sigma YAML
title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
references:
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2017-01-10
modified: 2022-01-05
tags:
- attack.s0002
- attack.lateral-movement
- attack.credential-access
- car.2013-07-001
- car.2019-04-004
- attack.t1003.002
- attack.t1003.004
- attack.t1003.001
- attack.t1003.006
logsource:
product: windows
detection:
keywords:
- 'dpapi::masterkey'
- 'eo.oe.kiwi'
- 'event::clear'
- 'event::drop'
- 'gentilkiwi.com'
- 'kerberos::golden'
- 'kerberos::ptc'
- 'kerberos::ptt'
- 'kerberos::tgt'
- 'Kiwi Legit Printer'
- 'lsadump::'
- 'mimidrv.sys'
- '\mimilib.dll'
- 'misc::printnightmare'
- 'misc::shadowcopies'
- 'misc::skeleton'
- 'privilege::backup'
- 'privilege::debug'
- 'privilege::driver'
- 'sekurlsa::'
filter:
EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
condition: keywords and not filter
falsepositives:
- Naughty administrators
- AV Signature updates
- Files with Mimikatz in their filename
level: high
Convert to SIEM query
high
Moderate
High FP
Mint Sandstorm - Log4J Wstomcat Process Execution
Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
view Sigma YAML
title: Mint Sandstorm - Log4J Wstomcat Process Execution
id: 7c97c625-0350-4f0a-8943-f6cadc88125e
status: test
description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2023-11-29
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\ws_tomcatservice.exe'
filter_main_repadmin:
Image|endswith: '\repadmin.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Low FP
Modification of ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
view Sigma YAML
title: Modification of ld.so.preload
id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
status: test
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.006
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name: '/etc/ld.so.preload'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Low FP
Modification or Deletion of an AWS RDS Cluster
Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
view Sigma YAML
title: Modification or Deletion of an AWS RDS Cluster
id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
status: experimental
description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
references:
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
author: Ivan Saakov
date: 2024-12-06
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: rds.amazonaws.com
eventName:
- ModifyDBCluster
- DeleteDBCluster
condition: selection
falsepositives:
- Verify if the modification or deletion was performed by an authorized administrator.
- Confirm if the modification or deletion was part of a planned change or maintenance activity.
level: high
Convert to SIEM query
Showing 751-800 of 3,646