Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
◈
Detection rules
50 shown of 1,715
high
Malicious Base64 Encoded PowerShell Keywords in Command Lines
Detects base64 encoded strings used in hidden malicious PowerShell command lines
view Sigma YAML
title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
status: test
description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
references:
- http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
author: John Lambert (rule)
date: 2019-01-16
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_hidden:
CommandLine|contains: ' hidden '
selection_encoded:
CommandLine|contains:
- 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
- 'aXRzYWRtaW4gL3RyYW5zZmVy'
- 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
- 'JpdHNhZG1pbiAvdHJhbnNmZX'
- 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
- 'Yml0c2FkbWluIC90cmFuc2Zlc'
- 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
- 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
- 'JGNodW5rX3Npem'
- 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
- 'RjaHVua19zaXpl'
- 'Y2h1bmtfc2l6Z'
- 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
- 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
- 'lPLkNvbXByZXNzaW9u'
- 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
- 'SU8uQ29tcHJlc3Npb2'
- 'Ty5Db21wcmVzc2lvb'
- 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
- 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
- 'lPLk1lbW9yeVN0cmVhb'
- 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
- 'SU8uTWVtb3J5U3RyZWFt'
- 'Ty5NZW1vcnlTdHJlYW'
- '4ARwBlAHQAQwBoAHUAbgBrA'
- '5HZXRDaHVua'
- 'AEcAZQB0AEMAaAB1AG4Aaw'
- 'LgBHAGUAdABDAGgAdQBuAGsA'
- 'LkdldENodW5r'
- 'R2V0Q2h1bm'
- 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
- 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
- 'RIUkVBRF9JTkZPNj'
- 'SFJFQURfSU5GTzY0'
- 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
- 'VEhSRUFEX0lORk82N'
- 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
- 'cmVhdGVSZW1vdGVUaHJlYW'
- 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
- 'NyZWF0ZVJlbW90ZVRocmVhZ'
- 'Q3JlYXRlUmVtb3RlVGhyZWFk'
- 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
- '0AZQBtAG0AbwB2AGUA'
- '1lbW1vdm'
- 'AGUAbQBtAG8AdgBlA'
- 'bQBlAG0AbQBvAHYAZQ'
- 'bWVtbW92Z'
- 'ZW1tb3Zl'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
view Sigma YAML
title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
references:
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022-08-12
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains|all:
- 'iphlpapi.dll'
- '\AppData\Local\Microsoft'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malicious Driver Load
Detects loading of known malicious drivers via their hash.
view Sigma YAML
title: Malicious Driver Load
id: 05296024-fe8a-4baf-8f3d-9a5f5624ceb2
status: test
description: Detects loading of known malicious drivers via their hash.
references:
- https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-18
modified: 2023-12-02
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
- attack.t1068
logsource:
product: windows
category: driver_load
detection:
selection:
Hashes|contains:
- 'MD5=5be61a24f50eb4c94d98b8a82ef58dcf'
- 'MD5=d70a80fc73dd43469934a7b1cc623c76'
- 'MD5=3b71eab204a5f7ed77811e41fed73105'
- 'MD5=528ce5ce19eb34f401ef024de7ddf222'
- 'MD5=ae548418b491cd3f31618eb9e5730973'
- 'MD5=72f53f55898548767e0276c472be41e8'
- 'MD5=508faa4647f305a97ed7167abc4d1330'
- 'MD5=ed2b653d55c03f0bffa250372d682b75'
- 'MD5=0d2ba47286f1c68e87622b3a16bf9d92'
- 'MD5=3164bd6c12dd0fe1bdf3b833d56323b9'
- 'MD5=70fd7209ce5c013a1f9e699b5cc86cdc'
- 'MD5=c71be7b112059d2dc84c0f952e04e6cc'
- 'MD5=acac842a46f3501fe407b1db1b247a0b'
- 'MD5=01c2e4d8234258451083d6ce4e8910b7'
- 'MD5=c8541a9cef64589593e999968a0385b9'
- 'MD5=e172a38ade3aa0a2bc1bf9604a54a3b5'
- 'MD5=6fcf56f6ca3210ec397e55f727353c4a'
- 'MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16'
- 'MD5=07056573d464b0f5284f7e3acedd4a3f'
- 'MD5=c7b7f1edb9bbef174e6506885561d85d'
- 'MD5=d5918d735a23f746f0e83f724c4f26e5'
- 'MD5=84763d8ca9fe5c3bff9667b2adf667de'
- 'MD5=fb593b1f1f80d20fc7f4b818065c64b6'
- 'MD5=909f3fc221acbe999483c87d9ead024a'
- 'MD5=e29f6311ae87542b3d693c1f38e4e3ad'
- 'MD5=aeb0801f22d71c7494e884d914446751'
- 'MD5=3f11a94f1ac5efdd19767c6976da9ba4'
- 'MD5=be6318413160e589080df02bb3ca6e6a'
- 'MD5=0b311af53d2f4f77d30f1aed709db257'
- 'MD5=d075d56dfce6b9b13484152b1ef40f93'
- 'MD5=27384ec4c634701012a2962c30badad2'
- 'MD5=5eb2c576597dd21a6b44557c237cf896'
- 'MD5=f56db4eba3829c0918413b5c0b42f00f'
- 'MD5=e27b2486aa5c256b662812b465b6036c'
- 'MD5=db86dfd7aefbb5be6728a63461b0f5f3'
- 'MD5=04a88f5974caa621cee18f34300fc08a'
- 'MD5=5129d8fd53d6a4aba81657ab2aa5d243'
- 'MD5=cd2c641788d5d125c316ed739c69bb59'
- 'MD5=7073cd0085fcba1cd7d3568f9e6d652c'
- 'MD5=24f0f2b4b3cdae11de1b81c537df41c7'
- 'MD5=88bea56ae9257b40063785cf47546024'
- 'MD5=63060b756377fce2ce4ab9d079ca732f'
- 'MD5=50b39072d0ee9af5ef4824eca34be6e3'
- 'MD5=57c18a8f5d1ba6d015e4d5bc698e3624'
- 'MD5=7d26985a5048bad57d9c223362f3d55c'
- 'MD5=ba54a0dbe2685e66e21d41b4529b3528'
- 'MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11'
- 'MD5=b52f51bbe6b49d0b475d943c29c4d4cb'
- 'MD5=a837302307dace2a00d07202b661bce2'
- 'MD5=78a122d926ccc371d60c861600c310f3'
- 'MD5=bdb305aa0806f8b38b7ce43c927fe919'
- 'MD5=27053e964667318e1b370150cbca9138'
- 'MD5=6a4fbcfb44717eae2145c761c1c99b6a'
- 'MD5=d13c1b76b4a1ca3ff5ab63678b51df6d'
- 'MD5=6a066d2be83cf83f343d0550b0b8f206'
- 'MD5=7108b0d4021af4c41de2c223319cd4c1'
- 'MD5=1cd158a64f3d886357535382a6fdad75'
- 'MD5=e939448b28a4edc81f1f974cebf6e7d2'
- 'MD5=4198d3db44d7c4b3ba9072d258a4fc2d'
- 'MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20'
- 'MD5=30ca3cc19f001a8f12c619daa8c6b6e3'
- 'MD5=fe9004353b25640f6a879e57f07122d7'
- 'MD5=06c7fcf3523235cf52b3eee083ec07b2'
- 'MD5=364605ad21b9275681cffef607fac273'
- 'MD5=968ddb06af90ef83c5f20fbdd4eee62e'
- 'MD5=ba50bd645d7c81416bb26a9d39998296'
- 'MD5=29e03f4811b64969e48a99300978f58c'
- 'MD5=b0770094c3c64250167b55e4db850c04'
- 'MD5=40b968ecdbe9e967d92c5da51c390eee'
- 'MD5=b6b530dd25c5eb66499968ec82e8791e'
- 'MD5=f209cb0e468ca0b76d879859d5c8c54e'
- 'MD5=76f8607fc4fb9e828d613a7214436b66'
- 'MD5=4b058945c9f2b8d8ebc485add1101ba5'
- 'MD5=faae7f5f69fde12303dd1c0c816b72b7'
- 'MD5=89d294ef7fefcdf1a6ca0ab96a856f57'
- 'MD5=ef0e1725aaf0c6c972593f860531a2ea'
- 'MD5=bbdbffebfc753b11897de2da7c9912a5'
- 'MD5=5ebfc0af031130ba9de1d5d3275734b3'
- 'MD5=22949977ce5cd96ba674b403a9c81285'
- 'MD5=77cfd3943cc34d9f5279c330cd8940bc'
- 'MD5=311de109df18e485d4a626b5dbe19bc6'
- 'MD5=2730cc25ad385acc7213a1261b21c12d'
- 'MD5=87dc81ebe85f20c1a7970e495a778e60'
- 'MD5=154b45f072fe844676e6970612fd39c7'
- 'MD5=5a4fe297c7d42539303137b6d75b150d'
- 'MD5=d6a1dd7b2c06f058b408b3613c13d413'
- 'MD5=a6e9d6505f6d2326a8a9214667c61c67'
- 'MD5=7fad9f2ef803496f482ce4728578a57a'
- 'MD5=5076fba3d90e346fd17f78db0a4aa12c'
- 'MD5=79df0eabbf2895e4e2dae15a4772868c'
- 'MD5=14580bd59c55185115fd3abe73b016a2'
- 'MD5=1f2888e57fdd6aee466962c25ba7d62d'
- 'MD5=5e9231e85cecfc6141e3644fda12a734'
- 'MD5=dc564bac7258e16627b9de0ce39fae25'
- 'MD5=4e4c068c06331130334f23957fca9e3c'
- 'MD5=1ee9f6326649cd23381eb9d7dfdeddf7'
- 'MD5=4e1f656001af3677856f664e96282a6f'
- 'MD5=36f44643178c505ea0384e0fb241e904'
- 'MD5=6b480fac7caca2f85be9a0cfe79aedfc'
- 'MD5=c1ab425977d467b64f437a6c5ad82b44'
- 'MD5=fe508caa54ffeb2285d9f00df547fe4a'
- 'MD5=d3af70287de8757cebc6f8d45bb21a20'
- 'MD5=990b949894b7dc82a8cf1131b063cb1a'
- 'MD5=c62209b8a5daf3f32ad876ad6cefda1b'
- 'MD5=c159fb0f345a8771e56aab8e16927361'
- 'MD5=19b15eeccab0752c6793f782ca665a45'
- 'MD5=1d51029dfbd616bf121b40a0d1efeb10'
- 'MD5=157a22689629ec876337f5f9409918d5'
- 'MD5=3dd829fb27353622eff34be1eabb8f18'
- 'MD5=8636fe3724f2bcba9399daffd6ef3c7e'
- 'MD5=3d0b3e19262099ade884b75ba86ca7e8'
- 'MD5=97539c78d6e2b5356ce79e40bcd4d570'
- 'MD5=0308b6888e0f197db6704ca20203eee4'
- 'MD5=091a6bd4880048514c5dd3bede15eba5'
- 'MD5=7e92f98b809430622b04e88441b2eb04'
- 'MD5=bb5bda8889d8d27ef984dbd6ad82c946'
- 'MD5=b76aee508f68b5b6dccd6e1f66f4cf8b'
- 'MD5=a822b9e6eedf69211013e192967bf523'
- 'MD5=df52f8a85eb64bc69039243d9680d8e4'
- 'MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a'
- 'MD5=44857ca402a15ab51dc5afe47abdfa44'
- 'MD5=f9844524fb0009e5b784c21c7bad4220'
- 'MD5=d34b218c386bfe8b1f9c941e374418d7'
- 'MD5=0ca010a32a9b0aeae1e46d666b83b659'
- 'MD5=93496a436c5546156a69deb255a9fed0'
- 'MD5=1cd5e231064e03c596e819b6ff48daf9'
- 'MD5=70a71fe86df717ac59dbf856d7ac5789'
- 'MD5=a33089d4e50f7d2ea8b52ca95d26ebf3'
- 'MD5=e0cc9b415d884f85c45be145872892b8'
- 'MD5=a42249a046182aaaf3a7a7db98bfa69d'
- 'MD5=c5ae6ca044bd03c3506c132b033be1dc'
- 'MD5=7ebe606acd81abf1f8cb0767c974164b'
- 'MD5=b5dcc869a91efcc6e8ea0c3c07605d63'
- 'MD5=62c18d61ed324088f963510bae43b831'
- 'MD5=093a2a635c3a27aac50efd6463f4efa1'
- 'MD5=28102acca39ad0199f262ba9958be3f4'
- 'MD5=650ef9dd70cb192027e536754d6e0f63'
- 'MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44'
- 'MD5=6771b13a53b9c7449d4891e427735ea2'
- 'MD5=072ba2309b825ce1dba37d8d924ea8ed'
- 'MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb'
- 'MD5=1325ec39e98225e487b40043faee8052'
- 'MD5=4484f4007de2c3ee4581a2cff77ca3b4'
- 'MD5=a236e7d654cd932b7d11cb604629a2d0'
- 'MD5=17509f0a98dc5c5d52c3f9ac1428a21b'
- 'MD5=840a5edf2534dd23a082cf7b28cbfc4d'
- 'MD5=77a7ed4798d02ef6636cd0fd07fc382a'
- 'MD5=a9df5964635ef8bd567ae487c3d214c4'
- 'MD5=8b75047199825c8e62fdcc1c915db8bd'
- 'MD5=d416494232c4197cb36a914df2e17677'
- 'MD5=4cf14a96485a1270fed97bb8000e4f86'
- 'MD5=35e512f9bedc89dca5ce81f35820714c'
- 'MD5=40f35792e7565aa047796758a3ce1b77'
- 'MD5=f7f31bccc9b7b2964ac85106831022b1'
- 'MD5=26aedc10d4215ba997495d3a68355f4a'
- 'MD5=10f3679384a03cb487bda9621ceb5f90'
- 'MD5=80219fb6b5954c33e16bac5ecdac651b'
- 'MD5=cee36b5c6362993fa921435979bfbe4a'
- 'MD5=e37a08f516b8a7ca64163f5d9e68fe5a'
- 'MD5=49518f7375a5f995ebe9423d8f19cfe4'
- 'MD5=920df6e42cf91bbe19707f5a86e3c5c5'
- 'MD5=2ec877e425bd7eddb663627216e3491e'
- 'MD5=550b7991d93534bc510bc4f237155a7a'
- 'MD5=98d53f6b3bec0a3417a04fbb9e17fa06'
- 'MD5=13a57a4ef721440c7c9208b51f7c05de'
- 'MD5=c5fc3605194e033bdf3781ff2adaeb61'
- 'MD5=6e625ec04c20a9dbd48c7060efbf5e92'
- 'MD5=0b9b78d1281c7d4ab50497cf6ea7452a'
- 'MD5=4e906fcb13e2793c98f47291fd69391b'
- 'MD5=2bb353891d65c9e267eb98a3a2b694c3'
- 'MD5=7d86cdda7f49f91fdb69901a002b34e7'
- 'MD5=f69b06ca7c34d16f26ea1c6861edf62a'
- 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'
- 'MD5=1fc7aeeff3ab19004d2e53eae8160ab1'
- 'MD5=24d3ea54f25e32832ac20335a1ce1062'
- 'MD5=c94f405c5929cfcccc8ad00b42c95083'
- 'MD5=b164daf106566f444dfb280d743bc2f7'
- 'MD5=93130909e562925597110a617f05e2a9'
- 'MD5=f589d4bf547c140b6ec8a511ea47c658'
- 'MD5=bf445ac375977ecf551bc2a912c58e8a'
- 'MD5=629ee55e4b5a225d048fbcd5f0a1d18b'
- 'MD5=0023ca0ca16a62d93ef51f3df98b2f94'
- 'MD5=a3d69c7e24300389b56782aa63b0e357'
- 'MD5=cbd8d370462503508e44dba023bdf9bc'
- 'MD5=67daa04716803a15fc11c9e353d77c2f'
- 'MD5=c9d4214c850e0cedf033dc8f0cd3aace'
- 'MD5=bd5b0514f3b40f139d8079138d01b5f6'
- 'MD5=19bdd9b799e3c2c54c0d7fff68b31c20'
- 'MD5=f242cffd9926c0ccf94af3bf16b6e527'
- 'MD5=5aeab9427d85951def146b4c0a44fc63'
- 'MD5=40170485cca576adb5266cf5b0d3b0bd'
- 'MD5=c277c4386a78fae1b7e17eaecf4f472b'
- 'MD5=58c37866cbc3d1338e4fc58ada924ffe'
- 'MD5=0f16a43f7989034641fd2de3eb268bf1'
- 'MD5=0ae30291c6cbfa7be39320badd6e8de0'
- 'MD5=05dd59bd4f175304480affd8f1305c37'
- 'MD5=f838f4eb36f1e7036238776c7a70f0b0'
- 'MD5=85093bb9f027027c2c61aee50796de30'
- 'MD5=ae338d91d1b05a72559b7f6ed717362d'
- 'MD5=bd91787b5dcb2189b856804e85dfa1d9'
- 'MD5=6b3c1511e12f4d27a4ea3b18020d7b84'
- 'MD5=97264fd62d4907bdac917917a07b3b7a'
- 'MD5=6ececf26ff8b03ed7ffbddadec9a9dab'
- 'MD5=47e6ac52431ca47da17248d80bf71389'
- 'MD5=eb57f03b7603f0b235af62e8cd5be8c2'
- 'MD5=e1a9aa4c14669b1fb1f67a7266f87e82'
- 'MD5=29047f0b7790e524b09a06852d31a117'
- 'MD5=4dd6250eb2d368f500949952eb013964'
- 'MD5=fb7c61ef427f9b2fdff3574ee6b1819b'
- 'MD5=844af8c877f5da723c1b82cf6e213fc1'
- 'MD5=e39152eadd76751b1d7485231b280948'
- 'MD5=ac6e29f535b2c42999c50d2fc32f2c9c'
- 'MD5=2406ea37152d2154be3fef6d69ada2c6'
- 'MD5=0ea8389589c603a8b05146bd06020597'
- 'MD5=754e21482baf18b8b0ed0f4be462ba03'
- 'MD5=c4a517a02ba9f6eac5cf06e3629cc076'
- 'MD5=32282e07db321e8d7849f2287bb6a14f'
- 'MD5=32b67a6cd6dd998b9f563ed13d54a8bc'
- 'MD5=3359e1d4244a7d724949c63e89689ef8'
- 'MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0'
- 'MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6'
- 'MD5=a90236e4962620949b720f647a91f101'
- 'MD5=ccde8c94439f9fc9c42761e4b9a23d97'
- 'MD5=68caf620ef8deaf06819cf8c80d3367b'
- 'MD5=5fec28e8f4f76e5ede24beb32a32b9d7'
- 'MD5=e8eac6642b882a6196555539149c73f2'
- 'MD5=aa98b95f5cbae8260122de06a215ee10'
- 'MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80'
- 'MD5=abc168fdca7169bf9dc40cec9761018d'
- 'MD5=7f9309f5e4defec132b622fadbcad511'
- 'MD5=4748696211bd56c2d93c21cab91e82a5'
- 'MD5=48394dce30bb8da5ae089cb8f41b86dc'
- 'MD5=65f800e1112864bf41eb815649f428d5'
- 'MD5=bd25be845c151370ff177509d95d5add'
- 'MD5=a37ed7663073319d02f2513575a22995'
- 'MD5=2c39f6172fbc967844cac12d7ab2fa55'
- 'MD5=491aec2249ad8e2020f9f9b559ab68a8'
- 'MD5=1e0eb80347e723fa31fce2abb0301d44'
- 'MD5=a26363e7b02b13f2b8d697abb90cd5c3'
- 'MD5=4118b86e490aed091b1a219dba45f332'
- 'MD5=6d131a7462e568213b44ef69156f10a5'
- 'MD5=10c2ea775c9e76e7774ab89e38f38287'
- 'SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79'
- 'SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23'
- 'SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe'
- 'SHA1=af42afda54d150810a60baa7987f9f09d49d1317'
- 'SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7'
- 'SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462'
- 'SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7'
- 'SHA1=e730eb971ecb493b69de2308b6412836303f733a'
- 'SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca'
- 'SHA1=5fef884a901e81ac173d63ade3f5c51694decf74'
- 'SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc'
- 'SHA1=6451522b1fb428e549976d0742df5034f8124b17'
- 'SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a'
- 'SHA1=cc65bf60600b64feece5575f21ab89e03a728332'
- 'SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166'
- 'SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a'
- 'SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3'
- 'SHA1=c42178977bd7bbefe084da0129ed808cb7266204'
- 'SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333'
- 'SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee'
- 'SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837'
- 'SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf'
- 'SHA1=7638c048af5beae44352764390deea597cc3e7b1'
- 'SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5'
- 'SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2'
- 'SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87'
- 'SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
- 'SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
- 'SHA1=505546d82aab56889a923004654b9afdec54efe6'
- 'SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a'
- 'SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383'
- 'SHA1=844d7bcd1a928d340255ff42971cca6244a459bf'
- 'SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f'
- 'SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684'
- 'SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e'
- 'SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84'
- 'SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285'
- 'SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6'
- 'SHA1=607387cc90b93d58d6c9a432340261fde846b1d9'
- 'SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07'
- 'SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6'
- 'SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6'
- 'SHA1=b8b123a413b7bccfa8433deba4f88669c969b543'
- 'SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509'
- 'SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22'
- 'SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d'
- 'SHA1=a111dc6ae5575977feba71ee69b790e056846a02'
- 'SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3'
- 'SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2'
- 'SHA1=0de86ec7d7f16a3680df89256548301eed970393'
- 'SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2'
- 'SHA1=0883a9c54e8442a551994989db6fc694f1086d41'
- 'SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16'
- 'SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10'
- 'SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09'
- 'SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c'
- 'SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39'
- 'SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c'
- 'SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f'
- 'SHA1=994dc79255aeb662a672a1814280de73d405617a'
- 'SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1'
- 'SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5'
- 'SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b'
- 'SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61'
- 'SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9'
- 'SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7'
- 'SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b'
- 'SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd'
- 'SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2'
- 'SHA1=17fa047c1f979b180644906fe9265f21af5b0509'
- 'SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3'
- 'SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a'
- 'SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048'
- 'SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f'
- 'SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b'
- 'SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527'
- 'SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130'
- 'SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d'
- 'SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1'
- 'SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
- 'SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08'
- 'SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec'
- 'SHA1=73bac306292b4e9107147db94d0d836fdb071e33'
- 'SHA1=9382981b05b1fb950245313992444bfa0db5f881'
- 'SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3'
- 'SHA1=9c36600c2640007d3410dea8017573a113374873'
- 'SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb'
- 'SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7'
- 'SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab'
- 'SHA1=cb25a5125fb353496b59b910263209f273f3552d'
- 'SHA1=a5f1b56615bdaabf803219613f43671233f2001c'
- 'SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38'
- 'SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7'
- 'SHA1=632c80a3c95cf589b03812539dea59594eaefae0'
- 'SHA1=e6966e360038be3b9d8c9b2582eba4e263796084'
- 'SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab'
- 'SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51'
- 'SHA1=80e4808a7fe752cac444676dbbee174367fa2083'
- 'SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0'
- 'SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2'
- 'SHA1=3825ebb0b0664b5f0789371240f65231693be37d'
- 'SHA1=de9469a5d01fb84afd41d176f363a66e410d46da'
- 'SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b'
- 'SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff'
- 'SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5'
- 'SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358'
- 'SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405'
- 'SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8'
- 'SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2'
- 'SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed'
- 'SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe'
- 'SHA1=9481cd590c69544c197b4ee055056302978a7191'
- 'SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da'
- 'SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b'
- 'SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5'
- 'SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4'
- 'SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25'
- 'SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc'
- 'SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457'
- 'SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d'
- 'SHA1=f6793243ad20359d8be40d3accac168a15a327fb'
- 'SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1'
- 'SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8'
- 'SHA1=10115219e3595b93204c70eec6db3e68a93f3144'
- 'SHA1=161bae224cf184ed6c09c77fae866d42412c6d25'
- 'SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82'
- 'SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d'
- 'SHA1=745335bcdf02fb42df7d890a24858e16094f48fd'
- 'SHA1=2a202830db58d5e942e4f6609228b14095ed2cab'
- 'SHA1=0167259abd9231c29bec32e6106ca93a13999f90'
- 'SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167'
- 'SHA1=613a9df389ad612a5187632d679da11d60f6046a'
- 'SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514'
- 'SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86'
- 'SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d'
- 'SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb'
- 'SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812'
- 'SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528'
- 'SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3'
- 'SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d'
- 'SHA1=552730553a1dea0290710465fb8189bdd0eaad42'
- 'SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35'
- 'SHA1=07f282db28771838d0e75d6618f70d76acfe6082'
- 'SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e'
- 'SHA1=22c9da04847c26188226c3a345e2126ef00aa19e'
- 'SHA1=43501832ce50ccaba2706be852813d51de5a900f'
- 'SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542'
- 'SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde'
- 'SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc'
- 'SHA1=928b5971a0f7525209d599e2ef15c31717047022'
- 'SHA1=b5696e2183d9387776820ef3afa388200f08f5a6'
- 'SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2'
- 'SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3'
- 'SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774'
- 'SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945'
- 'SHA1=064de88dbbea67c149e779aac05228e5405985c7'
- 'SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7'
- 'SHA1=98130128685c8640a8a8391cb4718e98dd8fe542'
- 'SHA1=a5914161f8a885702427cf75443fb08d28d904f0'
- 'SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad'
- 'SHA1=fff4f28287677caabc60c8ab36786c370226588d'
- 'SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5'
- 'SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2'
- 'SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda'
- 'SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4'
- 'SHA1=87e20486e804bfff393cc9ad9659858e130402a2'
- 'SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c'
- 'SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9'
- 'SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a'
- 'SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0'
- 'SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b'
- 'SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6'
- 'SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b'
- 'SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c'
- 'SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a'
- 'SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed'
- 'SHA1=76568d987f8603339b8d1958f76de2b957811f66'
- 'SHA1=e841c8494b715b27b33be6f800ca290628507aba'
- 'SHA1=b555aad38df7605985462f3899572931ee126259'
- 'SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1'
- 'SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327'
- 'SHA1=bb6ef5518df35d9508673d5011138add8c30fc27'
- 'SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b'
- 'SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307'
- 'SHA1=34b677fba9dcab9a9016332b3332ce57f5796860'
- 'SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d'
- 'SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e'
- 'SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2'
- 'SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72'
- 'SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5'
- 'SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a'
- 'SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef'
- 'SHA1=18693de1487c55e374b46a7728b5bf43300d4f69'
- 'SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
- 'SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c'
- 'SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5'
- 'SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8'
- 'SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c'
- 'SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196'
- 'SHA1=e42bd2f585c00a1d6557df405246081f89542d15'
- 'SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9'
- 'SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd'
- 'SHA1=948368fe309652e8d88088d23e1df39e9c2b6649'
- 'SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d'
- 'SHA1=1f25f54e9b289f76604e81e98483309612c5a471'
- 'SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d'
- 'SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d'
- 'SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09'
- 'SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f'
- 'SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652'
- 'SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad'
- 'SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c'
- 'SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a'
- 'SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b'
- 'SHA1=d02403f85be6f243054395a873b41ef8a17ea279'
- 'SHA1=4da007dd298723f920e194501bb49bab769dfb14'
- 'SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a'
- 'SHA1=221717a48ee8e2d19470579c987674f661869e17'
- 'SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa'
- 'SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56'
- 'SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375'
- 'SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3'
- 'SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe'
- 'SHA1=6d09d826581baa1817be6fbd44426db9b05f1909'
- 'SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e'
- 'SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631'
- 'SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997'
- 'SHA1=0320534df24a37a245a0b09679a5adb27018fb5f'
- 'SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0'
- 'SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef'
- 'SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202'
- 'SHA1=062457182ab08594c631a3f897aeb03c6097eb77'
- 'SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25'
- 'SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670'
- 'SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e'
- 'SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5'
- 'SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b'
- 'SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739'
- 'SHA1=020580278d74d0fe741b0f786d8dca7554359997'
- 'SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677'
- 'SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4'
- 'SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7'
- 'SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d'
- 'SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f'
- 'SHA1=c257aa4094539719a3c7b7950598ef872dbf9518'
- 'SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49'
- 'SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e'
- 'SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c'
- 'SHA1=86f34eaea117f629297218a4d196b5729e72d7b9'
- 'SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0'
- 'SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7'
- 'SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8'
- 'SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb'
- 'SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a'
- 'SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb'
- 'SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d'
- 'SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2'
- 'SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a'
- 'SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212'
- 'SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b'
- 'SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac'
- 'SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1'
- 'SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76'
- 'SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421'
- 'SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316'
- 'SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47'
- 'SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03'
- 'SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c'
- 'SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553'
- 'SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87'
- 'SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330'
- 'SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852'
- 'SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304'
- 'SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931'
- 'SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d'
- 'SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c'
- 'SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736'
- 'SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830'
- 'SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
- 'SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a'
- 'SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a'
- 'SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a'
- 'SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0'
- 'SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392'
- 'SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd'
- 'SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee'
- 'SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01'
- 'SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254'
- 'SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231'
- 'SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39'
- 'SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d'
- 'SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1'
- 'SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae'
- 'SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
- 'SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50'
- 'SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9'
- 'SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212'
- 'SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25'
- 'SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09'
- 'SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1'
- 'SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99'
- 'SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae'
- 'SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475'
- 'SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2'
- 'SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c'
- 'SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb'
- 'SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db'
- 'SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2'
- 'SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c'
- 'SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b'
- 'SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c'
- 'SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217'
- 'SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597'
- 'SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37'
- 'SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4'
- 'SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376'
- 'SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a'
- 'SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e'
- 'SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a'
- 'SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25'
- 'SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be'
- 'SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7'
- 'SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a'
- 'SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c'
- 'SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987'
- 'SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f'
- 'SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad'
- 'SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e'
- 'SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5'
- 'SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b'
- 'SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa'
- 'SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972'
- 'SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a'
- 'SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46'
- 'SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f'
- 'SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4'
- 'SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8'
- 'SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6'
- 'SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21'
- 'SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894'
- 'SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd'
- 'SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62'
- 'SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e'
- 'SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff'
- 'SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b'
- 'SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870'
- 'SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640'
- 'SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530'
- 'SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd'
- 'SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550'
- 'SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9'
- 'SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b'
- 'SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c'
- 'SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988'
- 'SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875'
- 'SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263'
- 'SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4'
- 'SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280'
- 'SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9'
- 'SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12'
- 'SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe'
- 'SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b'
- 'SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f'
- 'SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a'
- 'SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719'
- 'SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908'
- 'SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de'
- 'SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
- 'SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a'
- 'SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427'
- 'SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653'
- 'SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919'
- 'SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad'
- 'SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920'
- 'SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77'
- 'SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e'
- 'SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105'
- 'SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2'
- 'SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa'
- 'SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112'
- 'SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4'
- 'SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff'
- 'SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3'
- 'SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925'
- 'SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6'
- 'SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878'
- 'SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59'
- 'SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66'
- 'SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280'
- 'SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7'
- 'SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167'
- 'SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a'
- 'SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7'
- 'SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec'
- 'SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620'
- 'SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f'
- 'SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905'
- 'SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3'
- 'SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b'
- 'SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab'
- 'SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc'
- 'SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968'
- 'SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28'
- 'SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0'
- 'SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93'
- 'SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12'
- 'SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8'
- 'SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895'
- 'SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3'
- 'SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f'
- 'SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be'
- 'SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8'
- 'SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f'
- 'SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe'
- 'SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4'
- 'SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5'
- 'SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af'
- 'SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40'
- 'SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6'
- 'SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d'
- 'SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a'
- 'SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96'
- 'SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
- 'SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2'
- 'SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce'
- 'SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96'
- 'SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576'
- 'SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80'
- 'SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266'
- 'SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724'
- 'SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee'
- 'SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b'
- 'SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f'
- 'SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e'
- 'SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1'
- 'SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952'
- 'SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da'
- 'SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e'
- 'SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463'
- 'SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7'
- 'SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0'
- 'SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1'
- 'SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9'
- 'SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a'
- 'SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85'
- 'SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac'
- 'SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873'
- 'SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7'
- 'SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38'
- 'SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c'
- 'SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c'
- 'SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524'
- 'SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51'
- 'SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df'
- 'SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601'
- 'SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7'
- 'SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3'
- 'SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19'
- 'SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55'
- 'SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe'
- 'SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85'
- 'SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1'
- 'SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06'
- 'SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
- 'SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3'
- 'SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55'
- 'SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778'
- 'SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6'
- 'SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6'
- 'SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43'
- 'SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3'
- 'SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7'
- 'SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715'
- 'SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434'
- 'SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0'
- 'SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f'
- 'SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327'
- 'SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d'
- 'SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021'
- 'SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4'
- 'SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15'
- 'SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f'
- 'SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2'
- 'SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677'
- 'SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d'
- 'SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d'
- 'SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f'
- 'SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57'
- 'SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc'
- 'SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
- 'SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35'
- 'SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440'
- 'IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7'
- 'IMPHASH=7641a0c227f0a3a45b80bb8af43cd152'
- 'IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c'
- 'IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d'
- 'IMPHASH=beceab354c66949088c9e5ed1f1ff2a4'
- 'IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626'
- 'IMPHASH=420625b024fba72a24025defdf95b303'
- 'IMPHASH=65ccc2c578a984c31880b6c5e65257d3'
- 'IMPHASH=e717abe060bc5c34925fe3120ac22f45'
- 'IMPHASH=41113a3a832353963112b94f4635a383'
- 'IMPHASH=3866dd9fe63de457bdbf893bf7050ddf'
- 'IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4'
- 'IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca'
- 'IMPHASH=c9a6e83d931286d1604d1add8403e1e5'
- 'IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372'
- 'IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f'
- 'IMPHASH=8e35c9460537092672b3c7c14bccc7e0'
- 'IMPHASH=7bf14377888c429897eb10a85f70266c'
- 'IMPHASH=b351627263648b1d220bb488e7ec7202'
- 'IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a'
- 'IMPHASH=a7bd820fa5b895fab06f20739c9f24b8'
- 'IMPHASH=be0dd8b8e045356d600ee55a64d9d197'
- 'IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8'
- 'IMPHASH=6c8d5c79a850eecc2fb0291cebda618d'
- 'IMPHASH=c32d9a9af7f702814e1368c689877f3a'
- 'IMPHASH=6b387c029257f024a43a73f38afb2629'
- 'IMPHASH=df43355c636583e56e92142dcc69cc58'
- 'IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd'
- 'IMPHASH=c214aac08575c139e48d04f5aee21585'
- 'IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7'
- 'IMPHASH=059c6bd84285f4960e767f032b33f19b'
- 'IMPHASH=a09170ef09c55cdca9472c02cb1f2647'
- 'IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a'
- 'IMPHASH=0262d4147f21d681f8519ab2af79283f'
- 'IMPHASH=832219eb71b8bdb771f1d29d27b0acf4'
- 'IMPHASH=514298d18002920ee5a917fc34426417'
- 'IMPHASH=26ceec6572c630bdad60c984e51b7da4'
- 'IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90'
- 'IMPHASH=4b47f6031c558106eee17655f8f8a32f'
- 'IMPHASH=a6c4a7369500900fc172f9557cff22cf'
- 'IMPHASH=3b49942ec6cef1898e97f741b2b5df8a'
- 'IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511'
- 'IMPHASH=27f6dc8a247a22308dd1beba5086b302'
- 'IMPHASH=7d017945bf90936a6c40f73f91ed02c2'
- 'IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97'
- 'IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e'
- 'IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9'
- 'IMPHASH=87fd2b54ed568e2294300e164b8c46f7'
- 'IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a'
- 'IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff'
- 'IMPHASH=2a008187d4a73284ddcc43f1b727b513'
- 'IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127'
- 'IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4'
- 'IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4'
- 'IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malicious IP Address Sign-In Failure Rate
Indicates sign-in from a malicious IP address based on high failure rates.
view Sigma YAML
title: Malicious IP Address Sign-In Failure Rate
id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
status: test
description: Indicates sign-in from a malicious IP address based on high failure rates.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'maliciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
Convert to SIEM query
high
Malicious IP Address Sign-In Suspicious
Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
view Sigma YAML
title: Malicious IP Address Sign-In Suspicious
id: 36440e1c-5c22-467a-889b-593e66498472
status: test
description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
Convert to SIEM query
high
Malicious Nishang PowerShell Commandlets
Detects Commandlet names and arguments from the Nishang exploitation framework
view Sigma YAML
title: Malicious Nishang PowerShell Commandlets
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
status: test
description: Detects Commandlet names and arguments from the Nishang exploitation framework
references:
- https://github.com/samratashok/nishang
author: Alec Costello
date: 2019-05-16
modified: 2023-01-16
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Add-ConstrainedDelegationBackdoor'
# - 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Copy-VSS'
- 'Create-MultipleSessions'
- 'DataToEncode'
- 'DNS_TXT_Pwnage'
- 'Do-Exfiltration-Dns'
- 'Download_Execute'
- 'Download-Execute-PS'
- 'DownloadAndExtractFromRemoteRegistry'
- 'DumpCerts'
- 'DumpCreds'
- 'DumpHashes'
- 'Enable-DuplicateToken'
- 'Enable-Duplication'
- 'Execute-Command-MSSQL'
- 'Execute-DNSTXT-Code'
- 'Execute-OnTime'
- 'ExetoText'
- 'exfill'
- 'ExfilOption'
- 'FakeDC'
- 'FireBuster'
- 'FireListener'
- 'Get-Information ' # Space at the end is required. Otherwise, we get FP with Get-InformationBarrierReportDetails or Get-InformationBarrierReportSummary
# - 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Get-PassHints'
- 'Get-Web-Credentials'
- 'Get-WebCredentials'
- 'Get-WLAN-Keys'
# - 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'HTTP-Backdoor'
# - 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-AmsiBypass'
- 'Invoke-BruteForce'
- 'Invoke-CredentialsPhish'
- 'Invoke-Decode'
- 'Invoke-Encode'
- 'Invoke-Interceptor'
- 'Invoke-JSRatRegsvr'
- 'Invoke-JSRatRundll'
- 'Invoke-MimikatzWDigestDowngrade'
- 'Invoke-NetworkRelay'
# - 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
# - 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-PowerShellIcmp'
- 'Invoke-PowerShellUdp'
- 'Invoke-Prasadhak'
- 'Invoke-PSGcat'
- 'Invoke-PsGcatAgent'
# - 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-SessionGopher'
- 'Invoke-SSIDExfil'
# - Jitter # Prone to FPs
# - 'Keylogger' # Too generic to be linked to Nishang
- 'LoggedKeys'
- 'Nishang'
- 'NotAllNameSpaces' # This is param to "Set-RemoteWMI"
- 'Out-CHM'
- 'OUT-DNSTXT'
- 'Out-HTA'
- 'Out-RundllCommand'
- 'Out-SCF'
- 'Out-SCT'
- 'Out-Shortcut'
- 'Out-WebQuery'
- 'Out-Word'
- 'Parse_Keys'
- 'Password-List'
- 'Powerpreter'
- 'Remove-Persistence'
- 'Remove-PoshRat'
- 'Remove-Update'
- 'Run-EXEonRemote'
- 'Set-DCShadowPermissions'
- 'Set-RemotePSRemoting'
- 'Set-RemoteWMI'
- 'Shellcode32'
- 'Shellcode64'
- 'StringtoBase64'
- 'TexttoExe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malicious PowerShell Commandlets - PoshModule
Detects Commandlet names from well-known PowerShell exploitation frameworks
view Sigma YAML
title: Malicious PowerShell Commandlets - PoshModule
id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
related:
- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
type: similar
- id: 02030f2f-6199-49ec-b258-ea71b07e03dc
type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-20
modified: 2025-12-10
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains:
# Note: Please ensure alphabetical order when adding new entries
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'BadSuccessor'
- 'Check-VM'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Disable-ADIDNSNode'
- 'Disable-MachineAccount'
- 'Do-Exfiltration'
- 'Enable-ADIDNSNode'
- 'Enable-MachineAccount'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Export-ADR' # # ADRecon related cmdlets
- 'Export-ADRCSV' # # ADRecon related cmdlets
- 'Export-ADRExcel' # # ADRecon related cmdlets
- 'Export-ADRHTML' # # ADRecon related cmdlets
- 'Export-ADRJSON' # # ADRecon related cmdlets
- 'Export-ADRXML' # # ADRecon related cmdlets
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
- 'Get-ApplicationHost'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-KerberosAESKey'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-MachineAccountAttribute'
- 'Get-MachineAccountCreator'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Get-SecurityPackages'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Grant-ADIDNSPermission'
- 'Gupt-Backdoor'
- 'HTTP-Login'
- 'Install-ServiceBinary'
- 'Install-SSP'
- 'Invoke-ACLScanner'
- 'Invoke-ADRecon' # # ADRecon related cmdlets
- 'Invoke-ADSBackdoor'
- 'Invoke-AgentSmith'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DNSUpdate'
- 'Invoke-DNSExfiltrator'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-ImpersonatedProcess'
- 'Invoke-ImpersonateSystem'
- 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerDPAPI'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-SystemCommand'
- 'Invoke-Tasksbackdoor'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WMIExec'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-ADIDNSNode'
- 'New-DNSRecordArray'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'New-MachineAccount'
- 'New-SOASerialNumberArray'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
- 'powercat '
- 'PowerUp'
- 'PowerView'
- 'Remove-ADIDNSNode'
- 'Remove-MachineAccount'
- 'Remove-Update'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Set-MacAttribute'
- 'Set-MachineAccountAttribute'
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'Veeam-Get-Creds'
- 'VolumeShadowCopyTools'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malicious PowerShell Commandlets - ProcessCreation
Detects Commandlet names from well-known PowerShell exploitation frameworks
view Sigma YAML
title: Malicious PowerShell Commandlets - ProcessCreation
id: 02030f2f-6199-49ec-b258-ea71b07e03dc
related:
- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
type: derived
- id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-12-10
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: Please ensure alphabetical order when adding new entries
CommandLine|contains:
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Check-VM'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Disable-ADIDNSNode'
- 'Disable-MachineAccount'
- 'Do-Exfiltration'
- 'Enable-ADIDNSNode'
- 'Enable-MachineAccount'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Export-ADR'
- 'Export-ADRCSV'
- 'Export-ADRExcel'
- 'Export-ADRHTML'
- 'Export-ADRJSON'
- 'Export-ADRXML'
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
- 'Get-ApplicationHost'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-KerberosAESKey'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-MachineAccountAttribute'
- 'Get-MachineAccountCreator'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Get-SecurityPackages'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Grant-ADIDNSPermission'
- 'Gupt-Backdoor'
- 'HTTP-Login'
- 'Install-ServiceBinary'
- 'Install-SSP'
- 'Invoke-ACLScanner'
- 'Invoke-ADRecon'
- 'Invoke-ADSBackdoor'
- 'Invoke-AgentSmith'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DNSUpdate'
- 'Invoke-DNSExfiltrator'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-ImpersonatedProcess'
- 'Invoke-ImpersonateSystem'
- 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerDPAPI'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-SystemCommand'
- 'Invoke-Tasksbackdoor'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WMIExec'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-ADIDNSNode'
- 'New-DNSRecordArray'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'New-MachineAccount'
- 'New-SOASerialNumberArray'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
- 'powercat '
- 'PowerUp'
- 'PowerView'
- 'Remove-ADIDNSNode'
- 'Remove-MachineAccount'
- 'Remove-Update'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Set-MacAttribute'
- 'Set-MachineAccountAttribute'
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'Veeam-Get-Creds'
- 'VolumeShadowCopyTools'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
view Sigma YAML
title: Malicious PowerShell Commandlets - ScriptBlock
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
related:
- id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
type: similar
- id: 02030f2f-6199-49ec-b258-ea71b07e03dc
type: similar
- id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
type: obsolete
- id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
type: obsolete
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017-03-05
modified: 2025-12-10
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
# Note: Please ensure alphabetical order when adding new entries
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Disable-ADIDNSNode'
- 'Do-Exfiltration'
- 'Enable-ADIDNSNode'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Export-ADRCSV'
- 'Export-ADRExcel'
- 'Export-ADRHTML'
- 'Export-ADRJSON'
- 'Export-ADRXML'
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ADIDNSNodeAttribute'
- 'Get-ADIDNSNodeOwner'
- 'Get-ADIDNSNodeTombstoned'
- 'Get-ADIDNSPermission'
- 'Get-ADIDNSZone'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-KerberosAESKey'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-SecurityPackages'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Grant-ADIDNSPermission'
- 'Gupt-Backdoor'
- 'Invoke-ACLScanner'
- 'Invoke-ADRecon'
- 'Invoke-ADSBackdoor'
- 'Invoke-AgentSmith'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DNSUpdate'
- 'Invoke-DNSExfiltrator'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-ImpersonatedProcess'
- 'Invoke-ImpersonateSystem'
- 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerDPAPI'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-SystemCommand'
- 'Invoke-Tasksbackdoor'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WMIExec'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-ADIDNSNode'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'New-SOASerialNumberArray'
- 'Out-Minidump'
- 'PowerBreach'
- 'powercat '
- 'PowerUp'
- 'PowerView'
- 'Remove-ADIDNSNode'
- 'Remove-Update'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
# - 'Check-VM'
# - 'Disable-MachineAccount'
# - 'Enable-MachineAccount'
# - 'Get-ApplicationHost'
# - 'Get-MachineAccountAttribute'
# - 'Get-MachineAccountCreator'
# - 'Get-Screenshot'
# - 'HTTP-Login'
# - 'Install-ServiceBinary'
# - 'Install-SSP'
# - 'New-DNSRecordArray'
# - 'New-MachineAccount'
# - 'Port-Scan'
# - 'Remove-MachineAccount'
# - 'Set-MacAttribute'
# - 'Set-MachineAccountAttribute'
# - 'Set-Wallpaper'
filter_optional_amazon_ec2:
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive form Amazon EC2
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive powershell scripts used for exploitation
view Sigma YAML
title: Malicious PowerShell Scripts - FileCreation
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
related:
- id: 41025fd7-0466-4650-a813-574aaacbe7f4
type: similar
status: test
description: Detects the creation of known offensive powershell scripts used for exploitation
references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
date: 2018-04-07
modified: 2025-12-10
tags:
- attack.execution
- attack.t1059.001
logsource:
category: file_event
product: windows
detection:
selection_generic:
TargetFilename|endswith:
# Note: Please ensure alphabetical order when adding new entries
- '\Add-ConstrainedDelegationBackdoor.ps1'
- '\Add-Exfiltration.ps1'
- '\Add-Persistence.ps1'
- '\Add-RegBackdoor.ps1'
- '\Add-RemoteRegBackdoor.ps1'
- '\Add-ScrnSaveBackdoor.ps1'
- '\ADRecon.ps1'
- '\AzureADRecon.ps1'
- '\BadSuccessor.ps1'
- '\Check-VM.ps1'
- '\ConvertTo-ROT13.ps1'
- '\Copy-VSS.ps1'
- '\Create-MultipleSessions.ps1'
- '\DNS_TXT_Pwnage.ps1'
- '\dnscat2.ps1'
- '\Do-Exfiltration.ps1'
- '\DomainPasswordSpray.ps1'
- '\Download_Execute.ps1'
- '\Download-Execute-PS.ps1'
- '\Enable-DuplicateToken.ps1'
- '\Enabled-DuplicateToken.ps1'
- '\Execute-Command-MSSQL.ps1'
- '\Execute-DNSTXT-Code.ps1'
- '\Execute-OnTime.ps1'
- '\ExetoText.ps1'
- '\Exploit-Jboss.ps1'
- '\Find-AVSignature.ps1'
- '\Find-Fruit.ps1'
- '\Find-GPOLocation.ps1'
- '\Find-TrustedDocuments.ps1'
- '\FireBuster.ps1'
- '\FireListener.ps1'
- '\Get-ApplicationHost.ps1'
- '\Get-ChromeDump.ps1'
- '\Get-ClipboardContents.ps1'
- '\Get-ComputerDetail.ps1'
- '\Get-FoxDump.ps1'
- '\Get-GPPAutologon.ps1'
- '\Get-GPPPassword.ps1'
- '\Get-IndexedItem.ps1'
- '\Get-Keystrokes.ps1'
- '\Get-LSASecret.ps1'
- '\Get-MicrophoneAudio.ps1'
- '\Get-PassHashes.ps1'
- '\Get-PassHints.ps1'
- '\Get-RegAlwaysInstallElevated.ps1'
- '\Get-RegAutoLogon.ps1'
- '\Get-RickAstley.ps1'
- '\Get-Screenshot.ps1'
- '\Get-SecurityPackages.ps1'
- '\Get-ServiceFilePermission.ps1'
- '\Get-ServicePermission.ps1'
- '\Get-ServiceUnquoted.ps1'
- '\Get-SiteListPassword.ps1'
- '\Get-System.ps1'
- '\Get-TimedScreenshot.ps1'
- '\Get-UnattendedInstallFile.ps1'
- '\Get-Unconstrained.ps1'
- '\Get-USBKeystrokes.ps1'
- '\Get-VaultCredential.ps1'
- '\Get-VulnAutoRun.ps1'
- '\Get-VulnSchTask.ps1'
- '\Get-WebConfig.ps1'
- '\Get-WebCredentials.ps1'
- '\Get-WLAN-Keys.ps1'
- '\Gupt-Backdoor.ps1'
- '\HTTP-Backdoor.ps1'
- '\HTTP-Login.ps1'
- '\Install-ServiceBinary.ps1'
- '\Install-SSP.ps1'
- '\Invoke-ACLScanner.ps1'
- '\Invoke-ADSBackdoor.ps1'
- '\Invoke-AmsiBypass.ps1'
- '\Invoke-ARPScan.ps1'
- '\Invoke-BackdoorLNK.ps1'
- '\Invoke-BadPotato.ps1'
- '\Invoke-BetterSafetyKatz.ps1'
- '\Invoke-BruteForce.ps1'
- '\Invoke-BypassUAC.ps1'
- '\Invoke-Carbuncle.ps1'
- '\Invoke-Certify.ps1'
- '\Invoke-ConPtyShell.ps1'
- '\Invoke-CredentialInjection.ps1'
- '\Invoke-CredentialsPhish.ps1'
- '\Invoke-DAFT.ps1'
- '\Invoke-DCSync.ps1'
- '\Invoke-Decode.ps1'
- '\Invoke-DinvokeKatz.ps1'
- '\Invoke-DllInjection.ps1'
- '\Invoke-DNSExfiltrator.ps1'
- '\Invoke-DNSUpdate.ps1'
- '\Invoke-DowngradeAccount.ps1'
- '\Invoke-EgressCheck.ps1'
- '\Invoke-Encode.ps1'
- '\Invoke-EventViewer.ps1'
- '\Invoke-Eyewitness.ps1'
- '\Invoke-FakeLogonScreen.ps1'
- '\Invoke-Farmer.ps1'
- '\Invoke-Get-RBCD-Threaded.ps1'
- '\Invoke-Gopher.ps1'
- '\Invoke-Grouper2.ps1'
- '\Invoke-Grouper3.ps1'
- '\Invoke-HandleKatz.ps1'
- '\Invoke-Interceptor.ps1'
- '\Invoke-Internalmonologue.ps1'
- '\Invoke-Inveigh.ps1'
- '\Invoke-InveighRelay.ps1'
- '\Invoke-JSRatRegsvr.ps1'
- '\Invoke-JSRatRundll.ps1'
- '\Invoke-KrbRelay.ps1'
- '\Invoke-KrbRelayUp.ps1'
- '\Invoke-LdapSignCheck.ps1'
- '\Invoke-Lockless.ps1'
- '\Invoke-MalSCCM.ps1'
- '\Invoke-Mimikatz.ps1'
- '\Invoke-MimikatzWDigestDowngrade.ps1'
- '\Invoke-Mimikittenz.ps1'
- '\Invoke-MITM6.ps1'
- '\Invoke-NanoDump.ps1'
- '\Invoke-NetRipper.ps1'
- '\Invoke-NetworkRelay.ps1'
- '\Invoke-NinjaCopy.ps1'
- '\Invoke-OxidResolver.ps1'
- '\Invoke-P0wnedshell.ps1'
- '\Invoke-P0wnedshellx86.ps1'
- '\Invoke-Paranoia.ps1'
- '\Invoke-PortScan.ps1'
- '\Invoke-PoshRatHttp.ps1'
- '\Invoke-PoshRatHttps.ps1'
- '\Invoke-PostExfil.ps1'
- '\Invoke-PowerDump.ps1'
- '\Invoke-PowerDPAPI.ps1'
- '\Invoke-PowerShellIcmp.ps1'
- '\Invoke-PowerShellTCP.ps1'
- '\Invoke-PowerShellTcpOneLine.ps1'
- '\Invoke-PowerShellTcpOneLineBind.ps1'
- '\Invoke-PowerShellUdp.ps1'
- '\Invoke-PowerShellUdpOneLine.ps1'
- '\Invoke-PowerShellWMI.ps1'
- '\Invoke-PowerThIEf.ps1'
- '\Invoke-PPLDump.ps1'
- '\Invoke-Prasadhak.ps1'
- '\Invoke-PsExec.ps1'
- '\Invoke-PsGcat.ps1'
- '\Invoke-PsGcatAgent.ps1'
- '\Invoke-PSInject.ps1'
- '\Invoke-PsUaCme.ps1'
- '\Invoke-ReflectivePEInjection.ps1'
- '\Invoke-ReverseDNSLookup.ps1'
- '\Invoke-Rubeus.ps1'
- '\Invoke-RunAs.ps1'
- '\Invoke-SafetyKatz.ps1'
- '\Invoke-SauronEye.ps1'
- '\Invoke-SCShell.ps1'
- '\Invoke-Seatbelt.ps1'
- '\Invoke-ServiceAbuse.ps1'
- '\Invoke-SessionGopher.ps1'
- '\Invoke-ShellCode.ps1'
- '\Invoke-SMBScanner.ps1'
- '\Invoke-Snaffler.ps1'
- '\Invoke-Spoolsample.ps1'
- '\Invoke-SSHCommand.ps1'
- '\Invoke-SSIDExfil.ps1'
- '\Invoke-StandIn.ps1'
- '\Invoke-StickyNotesExtract.ps1'
- '\Invoke-Tater.ps1'
- '\Invoke-Thunderfox.ps1'
- '\Invoke-ThunderStruck.ps1'
- '\Invoke-TokenManipulation.ps1'
- '\Invoke-Tokenvator.ps1'
- '\Invoke-TotalExec.ps1'
- '\Invoke-UrbanBishop.ps1'
- '\Invoke-UserHunter.ps1'
- '\Invoke-VoiceTroll.ps1'
- '\Invoke-Whisker.ps1'
- '\Invoke-WinEnum.ps1'
- '\Invoke-winPEAS.ps1'
- '\Invoke-WireTap.ps1'
- '\Invoke-WmiCommand.ps1'
- '\Invoke-WScriptBypassUAC.ps1'
- '\Invoke-Zerologon.ps1'
- '\Keylogger.ps1'
- '\MailRaider.ps1'
- '\New-HoneyHash.ps1'
- '\OfficeMemScraper.ps1'
- '\Offline_Winpwn.ps1'
- '\Out-CHM.ps1'
- '\Out-DnsTxt.ps1'
- '\Out-Excel.ps1'
- '\Out-HTA.ps1'
- '\Out-Java.ps1'
- '\Out-JS.ps1'
- '\Out-Minidump.ps1'
- '\Out-RundllCommand.ps1'
- '\Out-SCF.ps1'
- '\Out-SCT.ps1'
- '\Out-Shortcut.ps1'
- '\Out-WebQuery.ps1'
- '\Out-Word.ps1'
- '\Parse_Keys.ps1'
- '\Port-Scan.ps1'
- '\PowerBreach.ps1'
- '\powercat.ps1'
- '\Powermad.ps1'
- '\PowerRunAsSystem.psm1'
- '\PowerSharpPack.ps1'
- '\PowerUp.ps1'
- '\PowerUpSQL.ps1'
- '\PowerView.ps1'
- '\PSAsyncShell.ps1'
- '\RemoteHashRetrieval.ps1'
- '\Remove-Persistence.ps1'
- '\Remove-PoshRat.ps1'
- '\Remove-Update.ps1'
- '\Run-EXEonRemote.ps1'
- '\Schtasks-Backdoor.ps1'
- '\Set-DCShadowPermissions.ps1'
- '\Set-MacAttribute.ps1'
- '\Set-RemotePSRemoting.ps1'
- '\Set-RemoteWMI.ps1'
- '\Set-Wallpaper.ps1'
- '\Show-TargetScreen.ps1'
- '\Speak.ps1'
- '\Start-CaptureServer.ps1'
- '\Start-WebcamRecorder.ps1'
- '\StringToBase64.ps1'
- '\TexttoExe.ps1'
- '\Veeam-Get-Creds.ps1'
- '\VolumeShadowCopyTools.ps1'
- '\WinPwn.ps1'
- '\WSUSpendu.ps1'
selection_invoke_sharp:
TargetFilename|contains: 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
TargetFilename|endswith: '.ps1'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malicious PowerShell Scripts - PoshModule
Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
view Sigma YAML
title: Malicious PowerShell Scripts - PoshModule
id: 41025fd7-0466-4650-a813-574aaacbe7f4
related:
- id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
type: similar
- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
type: obsolete
status: test
description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2025-12-10
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_generic:
ContextInfo|contains:
- 'Add-ConstrainedDelegationBackdoor.ps1'
- 'Add-Exfiltration.ps1'
- 'Add-Persistence.ps1'
- 'Add-RegBackdoor.ps1'
- 'Add-RemoteRegBackdoor.ps1'
- 'Add-ScrnSaveBackdoor.ps1'
- 'BadSuccessor.ps1'
- 'Check-VM.ps1'
- 'ConvertTo-ROT13.ps1'
- 'Copy-VSS.ps1'
- 'Create-MultipleSessions.ps1'
- 'DNS_TXT_Pwnage.ps1'
- 'dnscat2.ps1'
- 'Do-Exfiltration.ps1'
- 'DomainPasswordSpray.ps1'
- 'Download_Execute.ps1'
- 'Download-Execute-PS.ps1'
- 'Enabled-DuplicateToken.ps1'
- 'Enable-DuplicateToken.ps1'
- 'Execute-Command-MSSQL.ps1'
- 'Execute-DNSTXT-Code.ps1'
- 'Execute-OnTime.ps1'
- 'ExetoText.ps1'
- 'Exploit-Jboss.ps1'
- 'Find-AVSignature.ps1'
- 'Find-Fruit.ps1'
- 'Find-GPOLocation.ps1'
- 'Find-TrustedDocuments.ps1'
- 'FireBuster.ps1'
- 'FireListener.ps1'
- 'Get-ApplicationHost.ps1'
- 'Get-ChromeDump.ps1'
- 'Get-ClipboardContents.ps1'
- 'Get-ComputerDetail.ps1'
- 'Get-FoxDump.ps1'
- 'Get-GPPAutologon.ps1'
- 'Get-GPPPassword.ps1'
- 'Get-IndexedItem.ps1'
- 'Get-Keystrokes.ps1'
- 'Get-LSASecret.ps1'
- 'Get-MicrophoneAudio.ps1'
- 'Get-PassHashes.ps1'
- 'Get-PassHints.ps1'
- 'Get-RegAlwaysInstallElevated.ps1'
- 'Get-RegAutoLogon.ps1'
- 'Get-RickAstley.ps1'
- 'Get-Screenshot.ps1'
- 'Get-SecurityPackages.ps1'
- 'Get-ServiceFilePermission.ps1'
- 'Get-ServicePermission.ps1'
- 'Get-ServiceUnquoted.ps1'
- 'Get-SiteListPassword.ps1'
- 'Get-System.ps1'
- 'Get-TimedScreenshot.ps1'
- 'Get-UnattendedInstallFile.ps1'
- 'Get-Unconstrained.ps1'
- 'Get-USBKeystrokes.ps1'
- 'Get-VaultCredential.ps1'
- 'Get-VulnAutoRun.ps1'
- 'Get-VulnSchTask.ps1'
- 'Get-WebConfig.ps1'
- 'Get-WebCredentials.ps1'
- 'Get-WLAN-Keys.ps1'
- 'Gupt-Backdoor.ps1'
- 'HTTP-Backdoor.ps1'
- 'HTTP-Login.ps1'
- 'Install-ServiceBinary.ps1'
- 'Install-SSP.ps1'
- 'Invoke-ACLScanner.ps1'
- 'Invoke-ADSBackdoor.ps1'
- 'Invoke-AmsiBypass.ps1'
- 'Invoke-ARPScan.ps1'
- 'Invoke-BackdoorLNK.ps1'
- 'Invoke-BadPotato.ps1'
- 'Invoke-BetterSafetyKatz.ps1'
- 'Invoke-BruteForce.ps1'
- 'Invoke-BypassUAC.ps1'
- 'Invoke-Carbuncle.ps1'
- 'Invoke-Certify.ps1'
- 'Invoke-ConPtyShell.ps1'
- 'Invoke-CredentialInjection.ps1'
- 'Invoke-CredentialsPhish.ps1'
- 'Invoke-DAFT.ps1'
- 'Invoke-DCSync.ps1'
- 'Invoke-Decode.ps1'
- 'Invoke-DinvokeKatz.ps1'
- 'Invoke-DllInjection.ps1'
- 'Invoke-DNSExfiltrator.ps1'
- 'Invoke-DowngradeAccount.ps1'
- 'Invoke-EgressCheck.ps1'
- 'Invoke-Encode.ps1'
- 'Invoke-EventViewer.ps1'
- 'Invoke-Eyewitness.ps1'
- 'Invoke-FakeLogonScreen.ps1'
- 'Invoke-Farmer.ps1'
- 'Invoke-Get-RBCD-Threaded.ps1'
- 'Invoke-Gopher.ps1'
- 'Invoke-Grouper2.ps1'
- 'Invoke-Grouper3.ps1'
- 'Invoke-HandleKatz.ps1'
- 'Invoke-Interceptor.ps1'
- 'Invoke-Internalmonologue.ps1'
- 'Invoke-Inveigh.ps1'
- 'Invoke-InveighRelay.ps1'
- 'Invoke-JSRatRegsvr.ps1'
- 'Invoke-JSRatRundll.ps1'
- 'Invoke-KrbRelay.ps1'
- 'Invoke-KrbRelayUp.ps1'
- 'Invoke-LdapSignCheck.ps1'
- 'Invoke-Lockless.ps1'
- 'Invoke-MalSCCM.ps1'
- 'Invoke-Mimikatz.ps1'
- 'Invoke-MimikatzWDigestDowngrade.ps1'
- 'Invoke-Mimikittenz.ps1'
- 'Invoke-MITM6.ps1'
- 'Invoke-NanoDump.ps1'
- 'Invoke-NetRipper.ps1'
- 'Invoke-NetworkRelay.ps1'
- 'Invoke-NinjaCopy.ps1'
- 'Invoke-OxidResolver.ps1'
- 'Invoke-P0wnedshell.ps1'
- 'Invoke-P0wnedshellx86.ps1'
- 'Invoke-Paranoia.ps1'
- 'Invoke-PortScan.ps1'
- 'Invoke-PoshRatHttp.ps1'
- 'Invoke-PoshRatHttps.ps1'
- 'Invoke-PostExfil.ps1'
- 'Invoke-PowerDump.ps1'
- 'Invoke-PowerDPAPI.ps1'
- 'Invoke-PowerShellIcmp.ps1'
- 'Invoke-PowerShellTCP.ps1'
- 'Invoke-PowerShellTcpOneLine.ps1'
- 'Invoke-PowerShellTcpOneLineBind.ps1'
- 'Invoke-PowerShellUdp.ps1'
- 'Invoke-PowerShellUdpOneLine.ps1'
- 'Invoke-PowerShellWMI.ps1'
- 'Invoke-PowerThIEf.ps1'
- 'Invoke-PPLDump.ps1'
- 'Invoke-Prasadhak.ps1'
- 'Invoke-PsExec.ps1'
- 'Invoke-PsGcat.ps1'
- 'Invoke-PsGcatAgent.ps1'
- 'Invoke-PSInject.ps1'
- 'Invoke-PsUaCme.ps1'
- 'Invoke-ReflectivePEInjection.ps1'
- 'Invoke-ReverseDNSLookup.ps1'
- 'Invoke-Rubeus.ps1'
- 'Invoke-RunAs.ps1'
- 'Invoke-SafetyKatz.ps1'
- 'Invoke-SauronEye.ps1'
- 'Invoke-SCShell.ps1'
- 'Invoke-Seatbelt.ps1'
- 'Invoke-ServiceAbuse.ps1'
- 'Invoke-SessionGopher.ps1'
- 'Invoke-ShellCode.ps1'
- 'Invoke-SMBScanner.ps1'
- 'Invoke-Snaffler.ps1'
- 'Invoke-Spoolsample.ps1'
- 'Invoke-SSHCommand.ps1'
- 'Invoke-SSIDExfil.ps1'
- 'Invoke-StandIn.ps1'
- 'Invoke-StickyNotesExtract.ps1'
- 'Invoke-Tater.ps1'
- 'Invoke-Thunderfox.ps1'
- 'Invoke-ThunderStruck.ps1'
- 'Invoke-TokenManipulation.ps1'
- 'Invoke-Tokenvator.ps1'
- 'Invoke-TotalExec.ps1'
- 'Invoke-UrbanBishop.ps1'
- 'Invoke-UserHunter.ps1'
- 'Invoke-VoiceTroll.ps1'
- 'Invoke-Whisker.ps1'
- 'Invoke-WinEnum.ps1'
- 'Invoke-winPEAS.ps1'
- 'Invoke-WireTap.ps1'
- 'Invoke-WmiCommand.ps1'
- 'Invoke-WScriptBypassUAC.ps1'
- 'Invoke-Zerologon.ps1'
- 'Keylogger.ps1'
- 'MailRaider.ps1'
- 'New-HoneyHash.ps1'
- 'OfficeMemScraper.ps1'
- 'Offline_Winpwn.ps1'
- 'Out-CHM.ps1'
- 'Out-DnsTxt.ps1'
- 'Out-Excel.ps1'
- 'Out-HTA.ps1'
- 'Out-Java.ps1'
- 'Out-JS.ps1'
- 'Out-Minidump.ps1'
- 'Out-RundllCommand.ps1'
- 'Out-SCF.ps1'
- 'Out-SCT.ps1'
- 'Out-Shortcut.ps1'
- 'Out-WebQuery.ps1'
- 'Out-Word.ps1'
- 'Parse_Keys.ps1'
- 'Port-Scan.ps1'
- 'PowerBreach.ps1'
- 'powercat.ps1'
- 'PowerRunAsSystem.psm1'
- 'PowerSharpPack.ps1'
- 'PowerUp.ps1'
- 'PowerUpSQL.ps1'
- 'PowerView.ps1'
- 'PSAsyncShell.ps1'
- 'RemoteHashRetrieval.ps1'
- 'Remove-Persistence.ps1'
- 'Remove-PoshRat.ps1'
- 'Remove-Update.ps1'
- 'Run-EXEonRemote.ps1'
- 'Schtasks-Backdoor.ps1'
- 'Set-DCShadowPermissions.ps1'
- 'Set-MacAttribute.ps1'
- 'Set-RemotePSRemoting.ps1'
- 'Set-RemoteWMI.ps1'
- 'Set-Wallpaper.ps1'
- 'Show-TargetScreen.ps1'
- 'Speak.ps1'
- 'Start-CaptureServer.ps1'
- 'Start-WebcamRecorder.ps1'
- 'StringToBase64.ps1'
- 'TexttoExe.ps1'
- 'Veeam-Get-Creds.ps1'
- 'VolumeShadowCopyTools.ps1'
- 'WinPwn.ps1'
- 'WSUSpendu.ps1'
selection_invoke_sharp:
ContextInfo|contains|all:
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- '.ps1'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malicious ShellIntel PowerShell Commandlets
Detects Commandlet names from ShellIntel exploitation scripts.
view Sigma YAML
title: Malicious ShellIntel PowerShell Commandlets
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
status: test
description: Detects Commandlet names from ShellIntel exploitation scripts.
references:
- https://github.com/Shellntel/scripts/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2023-01-02
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Invoke-SMBAutoBrute'
- 'Invoke-GPOLinks'
# - 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-Potato'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
Detects when an instance identity has taken an action that isn't inside SSM.
This can indicate that a compromised EC2 instance is being used as a pivot point.
view Sigma YAML
title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
id: 352a918a-34d8-4882-8470-44830c507aa3
status: test
description: |
Detects when an instance identity has taken an action that isn't inside SSM.
This can indicate that a compromised EC2 instance is being used as a pivot point.
references:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
- https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
- https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.t1078.002
logsource:
product: aws
service: cloudtrail
detection:
selection:
userIdentity.arn|re: '.+:assumed-role/aws:.+'
filter_main_generic:
- eventSource: 'ssm.amazonaws.com'
- eventName: 'RegisterManagedInstance'
- sourceIPAddress: 'AWS Internal'
condition: selection and not 1 of filter_main_*
falsepositives:
- A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services
level: high
Convert to SIEM query
high
Malware Shellcode in Verclsid Target Process
Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
view Sigma YAML
title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: test
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
- https://twitter.com/JohnLaTwC/status/837743453039534080
author: John Lambert (tech), Florian Roth (Nextron Systems)
date: 2017-03-04
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- detection.emerging-threats
logsource:
category: process_access
product: windows
definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
selection_target:
TargetImage|endswith: '\verclsid.exe'
GrantedAccess: '0x1FFFFF'
selection_calltrace_1:
CallTrace|contains|all:
- '|UNKNOWN('
- 'VBE7.DLL'
selection_calltrace_2:
SourceImage|contains: '\Microsoft Office\'
CallTrace|contains: '|UNKNOWN'
condition: selection_target and 1 of selection_calltrace_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Malware User Agent
Detects suspicious user agent strings used by malware in proxy logs
view Sigma YAML
title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
references:
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
- http://www.botopedia.org/search?searchword=scan&searchphrase=all
- https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
- https://perishablepress.com/blacklist/ua-2013.txt
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
- https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
- https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
- https://twitter.com/crep1x/status/1635034100213112833
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-07-08
modified: 2024-04-14
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# RATs
- 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
- 'HttpBrowser/1.0' # HTTPBrowser RAT
- '*<|>*' # Houdini / Iniduoh / njRAT
- 'nsis_inetc (mozilla)' # ZeroAccess
- 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
# Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
# Malware
- '*zeroup*' # W32/Renos.Downloader
- 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
- '* adlib/*'
- '* tiny' # Trojan Downloader
- '* BGroom *' # Trojan Downloader
- '* changhuatong'
- '* CholTBAgent'
- 'Mozilla/5.0 WinInet'
- 'RookIE/1.0'
- 'M' # HkMain
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
- 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
- 'backdoorbot'
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
- 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
- 'Opera' # Trojan Keragany
- 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
- 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
- 'MSIE' # Toby web shell
- '*(Charon; Inferno)' # Loki Bot
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection
- 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
# Ursnif
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
# Emotet
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
# Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
- 'Mozilla/5.0 (Windows NT 6.1)'
- 'AppleWebkit/587.38 (KHTML, like Gecko)'
- 'Chrome/91.0.4472.77'
- 'Safari/537.36'
- 'Edge/91.0.864.37'
- 'Firefox/89.0'
- 'Gecko/20100101'
# Others
- '* pxyscand*'
- '* asd'
- '* mdms'
- 'sample'
- 'nocase'
- 'Moxilla'
- 'Win32 *'
- '*Microsoft Internet Explorer*'
- 'agent *'
- 'AutoIt' # Suspicious - base-lining recommended
- 'IczelionDownLoad'
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
- 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
- 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
- 'antSword/v2.1' # AntSword Webshell UA
- 'rqwrwqrqwrqw' # Racoon Stealer
- 'qwrqrwrqwrqwr' # Racoon Stealer
- 'rc2.0/client' # Racoon Stealer
- 'TakeMyPainBack' # Racoon Stealer
- 'xxx' # Racoon Stealer
- '20112211' # Racoon Stealer
- '23591' # Racoon Stealer
- '901785252112' # Racoon Stealer
- '1235125521512' # Racoon Stealer
- '125122112551' # Racoon Stealer
- 'B1D3N_RIM_MY_ASS' # Racoon Stealer
- 'AYAYAYAY1337' # Racoon Stealer
- 'iMightJustPayMySelfForAFeature' # Racoon Stealer
- 'ForAFeature' # Racoon Stealer
- 'Ares_ldr_v_*' # AresLoader
# - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
- 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
- 'CLCTR' # https://github.com/silence-is-best/c2db
- 'uploader' # https://github.com/silence-is-best/c2db
- 'agent' # https://github.com/silence-is-best/c2db
- 'License' # https://github.com/silence-is-best/c2db
- 'vb wininet' # https://github.com/silence-is-best/c2db
- 'Client' # https://github.com/silence-is-best/c2db
- 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
- 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
- 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
- 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
- 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'DuckTales' # Racoon Stealer
- 'Zadanie' # Racoon Stealer
- 'GunnaWunnaBlueTips' # Racoon Stealer
- 'Xlmst' # Racoon Stealer
- 'GeekingToTheMoon' # Racoon Stealer
- 'SunShineMoonLight' # Racoon Stealer
- 'BunnyRequester' # BunnyStealer
- 'BunnyTasks' # BunnyStealer
- 'BunnyStealer' # BunnyStealer
- 'BunnyLoader_Dropper' # BunnyStealer
- 'BunnyLoader' # BunnyStealer
- 'BunnyShell' # BunnyStealer
- 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
- '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
- 'SouthSide' # Racoon Stealer
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
view Sigma YAML
title: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
id: 6345b048-8441-43a7-9bed-541133633d7a
status: test
description: |
Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
references:
- https://twitter.com/gN3mes1s/status/1222088214581825540
- https://twitter.com/gN3mes1s/status/1222095963789111296
- https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dctask64.exe'
- Hashes|contains:
- 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
- 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
- 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
- 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
selection_cli:
CommandLine|contains:
- ' executecmd64 '
- ' invokeexe '
- ' injectDll '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Mask System Power Settings Via Systemctl
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
view Sigma YAML
title: Mask System Power Settings Via Systemctl
id: c172b7b5-f3a1-4af2-90b7-822c63df86cb
status: experimental
description: |
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
author: Milad Cheraghi, Nasreddine Bencherchali
date: 2025-10-17
references:
- https://www.man7.org/linux/man-pages/man1/systemctl.1.html
- https://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/
tags:
- attack.persistence
- attack.impact
- attack.t1653
logsource:
category: process_creation
product: linux
detection:
selection_systemctl:
Image|endswith: '/systemctl'
CommandLine|contains: ' mask'
selection_power_options:
CommandLine|contains:
- 'suspend.target'
- 'hibernate.target'
- 'hybrid-sleep.target'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Mavinject Inject DLL Into Running Process
Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
view Sigma YAML
title: Mavinject Inject DLL Into Running Process
id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
related:
- id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
type: obsolete
status: test
description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
- https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
- https://twitter.com/gN3mes1s/status/941315826107510784
- https://reaqta.com/2017/12/mavinject-microsoft-injector/
- https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
- https://github.com/SigmaHQ/sigma/issues/3742
- https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
author: frack113, Florian Roth
date: 2021-07-12
modified: 2022-12-05
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.001
- attack.t1218.013
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ' /INJECTRUNNING '
filter:
ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Metasploit Or Impacket Service Installation Via SMB PsExec
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
view Sigma YAML
title: Metasploit Or Impacket Service Installation Via SMB PsExec
id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
related:
- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
type: derived
status: test
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-21
modified: 2022-10-05
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1570
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
ServiceStartType: 3 # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
ServiceType: '0x10'
filter:
ServiceName: 'PSEXESVC'
condition: selection and not filter
falsepositives:
- Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
level: high
Convert to SIEM query
high
Metasploit SMB Authentication
Alerts on Metasploit host's authentications on the domain.
view Sigma YAML
title: Metasploit SMB Authentication
id: 72124974-a68b-4366-b990-d30e0b2a190d
status: test
description: Alerts on Metasploit host's authentications on the domain.
references:
- https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020-05-06
modified: 2024-01-25
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4625
- 4624
LogonType: 3
AuthenticationPackageName: 'NTLM'
WorkstationName|re: '^[A-Za-z0-9]{16}$'
selection2:
EventID: 4776
Workstation|re: '^[A-Za-z0-9]{16}$'
condition: 1 of selection*
falsepositives:
- Linux hostnames composed of 16 characters.
level: high
Convert to SIEM query
high
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
view Sigma YAML
title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- attack.t1134.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection_eid:
EventID: 4697
selection_cli_cmd:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
ServiceFileName|contains|all:
- '/c'
- 'echo'
- '\pipe\'
ServiceFileName|contains:
- 'cmd'
- '%COMSPEC%'
selection_cli_rundll:
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
ServiceFileName|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
selection_cli_share:
ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
condition: selection_eid and 1 of selection_cli_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
view Sigma YAML
title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- attack.t1134.002
logsource:
product: windows
service: system
detection:
selection_id:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_cli_cmd:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
ImagePath|contains|all:
- '/c'
- 'echo'
- '\pipe\'
ImagePath|contains:
- 'cmd'
- '%COMSPEC%'
selection_cli_rundll:
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
ImagePath|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
selection_cli_share:
ImagePath|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
condition: selection_id and 1 of selection_cli_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Microsoft Defender Blocked from Loading Unsigned DLL
Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
view Sigma YAML
title: Microsoft Defender Blocked from Loading Unsigned DLL
id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
status: test
description: Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2022-09-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: security-mitigations
detection:
selection:
EventID:
- 11
- 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
ProcessPath|endswith:
- '\MpCmdRun.exe'
- '\NisSrv.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Microsoft Defender Tamper Protection Trigger
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
view Sigma YAML
title: Microsoft Defender Tamper Protection Trigger
id: 49e5bc24-8b86-49f1-b743-535f332c2856
status: stable
description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
references:
- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
author: Bhabesh Raj, Nasreddine Bencherchali
date: 2021-07-05
modified: 2022-12-06
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
Value|endswith:
- '\Windows Defender\DisableAntiSpyware'
- '\Windows Defender\DisableAntiVirus'
- '\Windows Defender\Scan\DisableArchiveScanning'
- '\Windows Defender\Scan\DisableScanningNetworkFiles'
- '\Real-Time Protection\DisableRealtimeMonitoring'
- '\Real-Time Protection\DisableBehaviorMonitoring'
- '\Real-Time Protection\DisableIOAVProtection'
- '\Real-Time Protection\DisableScriptScanning'
condition: selection
falsepositives:
- Administrator might try to disable defender features during testing (must be investigated)
level: high
Convert to SIEM query
high
Microsoft IIS Connection Strings Decryption
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
view Sigma YAML
title: Microsoft IIS Connection Strings Decryption
id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
status: test
description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2022-12-30
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_name:
- Image|endswith: '\aspnet_regiis.exe'
- OriginalFileName: 'aspnet_regiis.exe'
selection_args:
CommandLine|contains|all:
- 'connectionStrings'
- ' -pdf'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Microsoft IIS Service Account Password Dumped
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
view Sigma YAML
title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
- https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
- https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
- https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
date: 2022-11-08
modified: 2023-01-22
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_base_name:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_base_list:
CommandLine|contains: 'list '
selection_standalone:
CommandLine|contains:
- ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900
- ' /xml'
# We cover the "-" version just in case :)
- ' -config'
- ' -xml'
selection_cmd_flags:
CommandLine|contains:
- ' /@t' # Covers both "/@text:*" and "/@t:*"
- ' /text'
- ' /show'
# We cover the "-" version just in case :)
- ' -@t'
- ' -text'
- ' -show'
selection_cmd_grep:
CommandLine|contains:
- ':\*'
- 'password'
condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
view Sigma YAML
title: Microsoft Malware Protection Engine Crash
id: 545a5da6-f103-4919-a519-e9aec1026ee4
related:
- id: 6c82cf5c-090d-4d57-9188-533577631108
type: similar
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1211
- attack.t1685
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
Data|contains|all:
- 'MsMpEng.exe'
- 'mpengine.dll'
condition: selection
falsepositives:
- MsMpEng might crash if the "C:\" partition is full
level: high
Convert to SIEM query
high
Microsoft Malware Protection Engine Crash - WER
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
view Sigma YAML
title: Microsoft Malware Protection Engine Crash - WER
id: 6c82cf5c-090d-4d57-9188-533577631108
status: test
description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
author: Florian Roth (Nextron Systems)
date: 2017-05-09
modified: 2023-04-14
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1211
- attack.t1685
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'Windows Error Reporting'
EventID: 1001
Data|contains|all:
- 'MsMpEng.exe'
- 'mpengine.dll'
condition: selection
falsepositives:
- MsMpEng might crash if the "C:\" partition is full
level: high
Convert to SIEM query
high
Microsoft Office DLL Sideload
Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
view Sigma YAML
title: Microsoft Office DLL Sideload
id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
status: test
description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-03-15
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\outllib.dll'
filter:
ImageLoaded|startswith:
- 'C:\Program Files\Microsoft Office\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\OFFICE'
- 'C:\Program Files\Microsoft Office\Root\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Microsoft Office Protected View Disabled
Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
view Sigma YAML
title: Microsoft Office Protected View Disabled
id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
related:
- id: 7c637634-c95d-4bbf-b26c-a82510874b34
type: obsolete
status: test
description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
- https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-06-08
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_path:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Office\'
- '\Security\ProtectedView\'
selection_values_1:
Details: 'DWORD (0x00000001)'
TargetObject|endswith:
- '\DisableAttachementsInPV' # Turn off Protected View for attachments opened from Outlook
- '\DisableInternetFilesInPV' # Turn off Protected View for files downloaded from Internet zone
- '\DisableIntranetCheck' # Turn off Protected View for file located in UNC paths
- '\DisableUnsafeLocationsInPV' # Turn off Protected View for unsafe locations
selection_values_0:
Details: 'DWORD (0x00000000)'
TargetObject|endswith:
- '\enabledatabasefileprotectedview'
- '\enableforeigntextfileprotectedview'
condition: selection_path and 1 of selection_values_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Mimikatz DC Sync
Detects Mimikatz DC sync security events
view Sigma YAML
title: Mimikatz DC Sync
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
status: test
description: Detects Mimikatz DC sync security events
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu
date: 2018-06-03
modified: 2022-04-26
tags:
- attack.credential-access
- attack.s0002
- attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
Properties|contains:
- 'Replicating Directory Changes All'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '9923a32a-3607-11d2-b9be-0000f87a36b2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
AccessMask: '0x100'
filter1:
SubjectDomainName: 'Window Manager'
filter2:
SubjectUserName|startswith:
- 'NT AUT'
- 'MSOL_'
filter3:
SubjectUserName|endswith: '$'
condition: selection and not 1 of filter*
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
- Local Domain Admin account used for Azure AD Connect
level: high
Convert to SIEM query
high
Mimikatz Use
This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
view Sigma YAML
title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
references:
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2017-01-10
modified: 2022-01-05
tags:
- attack.s0002
- attack.lateral-movement
- attack.credential-access
- car.2013-07-001
- car.2019-04-004
- attack.t1003.002
- attack.t1003.004
- attack.t1003.001
- attack.t1003.006
logsource:
product: windows
detection:
keywords:
- 'dpapi::masterkey'
- 'eo.oe.kiwi'
- 'event::clear'
- 'event::drop'
- 'gentilkiwi.com'
- 'kerberos::golden'
- 'kerberos::ptc'
- 'kerberos::ptt'
- 'kerberos::tgt'
- 'Kiwi Legit Printer'
- 'lsadump::'
- 'mimidrv.sys'
- '\mimilib.dll'
- 'misc::printnightmare'
- 'misc::shadowcopies'
- 'misc::skeleton'
- 'privilege::backup'
- 'privilege::debug'
- 'privilege::driver'
- 'sekurlsa::'
filter:
EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
condition: keywords and not filter
falsepositives:
- Naughty administrators
- AV Signature updates
- Files with Mimikatz in their filename
level: high
Convert to SIEM query
high
Mint Sandstorm - Log4J Wstomcat Process Execution
Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
view Sigma YAML
title: Mint Sandstorm - Log4J Wstomcat Process Execution
id: 7c97c625-0350-4f0a-8943-f6cadc88125e
status: test
description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2023-11-29
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\ws_tomcatservice.exe'
filter_main_repadmin:
Image|endswith: '\repadmin.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Modification of ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
view Sigma YAML
title: Modification of ld.so.preload
id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
status: test
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.006
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name: '/etc/ld.so.preload'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Modification or Deletion of an AWS RDS Cluster
Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
view Sigma YAML
title: Modification or Deletion of an AWS RDS Cluster
id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
status: experimental
description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
references:
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
author: Ivan Saakov
date: 2024-12-06
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: rds.amazonaws.com
eventName:
- ModifyDBCluster
- DeleteDBCluster
condition: selection
falsepositives:
- Verify if the modification or deletion was performed by an authorized administrator.
- Confirm if the modification or deletion was part of a planned change or maintenance activity.
level: high
Convert to SIEM query
high
Modify User Shell Folders Startup Value
Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts.
Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup.
This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
view Sigma YAML
title: Modify User Shell Folders Startup Value
id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
related:
- id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
type: similar
status: test
description: |
Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts.
Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup.
This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-10-01
modified: 2026-01-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1547.001
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
TargetObject|endswith:
- '\Common Startup'
- '\Startup'
filter_main_details_null:
Details: null
filter_main_programdata_startup:
Details|contains:
- 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
- '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'
filter_main_userprofile_startup_1:
Details|contains:
- '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
- '%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
filter_main_userprofile_startup_2:
Details|contains|all:
- 'C:\Users\'
- '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
# Apply more filters if new legitimate paths are identified
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/info.yml
simulation:
- type: atomic-red-team
name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
technique: T1547.001
atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b
Convert to SIEM query
high
Monero Crypto Coin Mining Pool Lookup
Detects suspicious DNS queries to Monero mining pools
view Sigma YAML
title: Monero Crypto Coin Mining Pool Lookup
id: b593fd50-7335-4682-a36c-4edcb68e4641
status: stable
description: Detects suspicious DNS queries to Monero mining pools
references:
- https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
author: Florian Roth (Nextron Systems)
date: 2021-10-24
tags:
- attack.impact
- attack.t1496
- attack.exfiltration
- attack.t1567
logsource:
category: dns
detection:
selection:
query|contains:
- 'pool.minexmr.com'
- 'fr.minexmr.com'
- 'de.minexmr.com'
- 'sg.minexmr.com'
- 'ca.minexmr.com'
- 'us-west.minexmr.com'
- 'pool.supportxmr.com'
- 'mine.c3pool.com'
- 'xmr-eu1.nanopool.org'
- 'xmr-eu2.nanopool.org'
- 'xmr-us-east1.nanopool.org'
- 'xmr-us-west1.nanopool.org'
- 'xmr-asia1.nanopool.org'
- 'xmr-jp1.nanopool.org'
- 'xmr-au1.nanopool.org'
- 'xmr.2miners.com'
- 'xmr.hashcity.org'
- 'xmr.f2pool.com'
- 'xmrpool.eu'
- 'pool.hashvault.pro'
condition: selection
falsepositives:
- Legitimate crypto coin mining
level: high
Convert to SIEM query
high
MpiExec Lolbin
Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
view Sigma YAML
title: MpiExec Lolbin
id: 729ce0ea-5d8f-4769-9762-e35de441586d
status: test
description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
references:
- https://twitter.com/mrd0x/status/1465058133303246867
- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2024-11-23
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_binary:
- Image|endswith: '\mpiexec.exe'
- Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217'
selection_flags:
CommandLine|contains:
- ' /n 1 '
- ' -n 1 '
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Mshtml.DLL RunHTMLApplication Suspicious Usage
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
view Sigma YAML
title: Mshtml.DLL RunHTMLApplication Suspicious Usage
id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
related:
- id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
type: obsolete
- id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
type: obsolete
status: test
description: |
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
references:
- https://twitter.com/n1nj4sec/status/1421190238081277959
- https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
- http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
date: 2022-08-14
modified: 2024-02-23
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\..\'
- 'mshtml'
CommandLine|contains:
- '#135'
- 'RunHTMLApplication'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Mstsc.EXE Execution From Uncommon Parent
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
view Sigma YAML
title: Mstsc.EXE Execution From Uncommon Parent
id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
- attack.lateral-movement
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Covers potential downloads/clicks from browsers
- '\brave.exe'
- '\CCleanerBrowser.exe'
- '\chrome.exe'
- '\chromium.exe'
- '\firefox.exe'
- '\iexplore.exe'
- '\microsoftedge.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
- '\whale.exe'
# Covers potential downloads/clicks from email clients
- '\outlook.exe'
selection_img:
- Image|endswith: '\mstsc.exe'
- OriginalFileName: 'mstsc.exe'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Mustang Panda Dropper
Detects specific process parameters as used by Mustang Panda droppers
view Sigma YAML
title: Mustang Panda Dropper
id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
status: test
description: Detects specific process parameters as used by Mustang Panda droppers
references:
- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
author: Florian Roth (Nextron Systems), oscd.community
date: 2019-10-30
modified: 2021-11-27
tags:
- attack.t1587.001
- attack.resource-development
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_cli:
- CommandLine|contains:
- 'Temp\wtask.exe /create'
- '%windir:~-3,1%%PUBLIC:~-9,1%'
- '/tn "Security Script '
- '%windir:~-1,1%'
- CommandLine|contains|all:
- '/E:vbscript'
- 'C:\Users\'
- '.txt'
- '/F'
selection_img:
Image|endswith: 'Temp\winwsh.exe'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
NET NGenAssemblyUsageLog Registry Key Tamper
Detects changes to the NGenAssemblyUsageLog registry key.
.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
view Sigma YAML
title: NET NGenAssemblyUsageLog Registry Key Tamper
id: 28036918-04d3-423d-91c0-55ecf99fb892
status: test
description: |
Detects changes to the NGenAssemblyUsageLog registry key.
.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
references:
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
author: frack113
date: 2022-11-18
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
NTDS Exfiltration Filename Patterns
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
view Sigma YAML
title: NTDS Exfiltration Filename Patterns
id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
status: test
description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
references:
- https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
- https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
- https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2023-05-05
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
- '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
NTDS.DIT Creation By Uncommon Parent Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
view Sigma YAML
title: NTDS.DIT Creation By Uncommon Parent Process
id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
related:
- id: 11b1ed55-154d-4e82-8ad7-83739298f720
type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
references:
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://pentestlab.blog/tag/ntds-dit/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2023-01-05
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: file_event
definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
detection:
selection_file:
TargetFilename|endswith: '\ntds.dit'
selection_process_parent:
# Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
ParentImage|endswith:
- '\cscript.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\w3wp.exe'
- '\wscript.exe'
selection_process_parent_path:
# Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
ParentImage|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
condition: selection_file and 1 of selection_process_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
NTDS.DIT Creation By Uncommon Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
view Sigma YAML
title: NTDS.DIT Creation By Uncommon Process
id: 11b1ed55-154d-4e82-8ad7-83739298f720
related:
- id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
references:
- https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
- https://adsecurity.org/?p=2398
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2022-07-14
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.003
logsource:
product: windows
category: file_event
detection:
selection_ntds:
TargetFilename|endswith: '\ntds.dit'
selection_process_img:
Image|endswith:
# Add more suspicious processes as you see fit
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- '\wsl.exe'
- '\wt.exe'
selection_process_paths:
Image|contains:
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
condition: selection_ntds and 1 of selection_process_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
NTFS Alternate Data Stream
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
view Sigma YAML
title: NTFS Alternate Data Stream
id: 8c521530-5169-495d-a199-0a3a881ad24e
status: test
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
references:
- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: Sami Ruohonen
date: 2018-07-24
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1564.004
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_content:
ScriptBlockText|contains:
- set-content
- add-content
selection_stream:
ScriptBlockText|contains: '-stream'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
NTFS Vulnerability Exploitation
This the exploitation of a NTFS vulnerability as reported without many details via Twitter
view Sigma YAML
title: NTFS Vulnerability Exploitation
id: f14719ce-d3ab-4e25-9ce6-2899092260b0
status: test
description: This the exploitation of a NTFS vulnerability as reported without many details via Twitter
references:
- https://twitter.com/jonasLyk/status/1347900440000811010
- https://twitter.com/wdormann/status/1347958161609809921
- https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
author: Florian Roth (Nextron Systems)
date: 2021-01-11
modified: 2022-12-25
tags:
- attack.impact
- attack.t1499.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: Ntfs
EventID: 55
Origin: 'File System Driver'
Description|contains|all:
- 'contains a corrupted file record'
- 'The name of the file is "\"'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
NTLM Hash Leak Via Curl NTLM Authentication
Detects the use of curl with NTLM authentication and empty credentials (-u :), which can be abused to leak the currently logged-in user's NTLMv2 challenge-response to an
attacker-controlled server, enabling offline cracking or relay attacks.
When no credentials are provided, the Microsoft-shipped curl passes a NULL identity to Windows SSPI, which automatically falls back to the current user's logon session credentials
stored in LSASS — without requiring a plaintext password.
This behavior is exclusive to the curl binary shipped by Microsoft (available since Windows 10 / Windows Server 2019), which is built with SSPI support.
view Sigma YAML
title: NTLM Hash Leak Via Curl NTLM Authentication
id: 916eb839-895e-47f8-99ee-3008bf377a3e
status: test
description: |
Detects the use of curl with NTLM authentication and empty credentials (-u :), which can be abused to leak the currently logged-in user's NTLMv2 challenge-response to an
attacker-controlled server, enabling offline cracking or relay attacks.
When no credentials are provided, the Microsoft-shipped curl passes a NULL identity to Windows SSPI, which automatically falls back to the current user's logon session credentials
stored in LSASS — without requiring a plaintext password.
This behavior is exclusive to the curl binary shipped by Microsoft (available since Windows 10 / Windows Server 2019), which is built with SSPI support.
references:
- https://github.com/curl/curl/blob/master/lib/vauth/ntlm_sspi.c#L128-L140
- https://learn.microsoft.com/en-us/windows/win32/secauthn/acquirecredentialshandle--ntlm
- https://curl.se/docs/manpage.html#--ntlm
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-06-04
tags:
- attack.credential-access
- attack.t1187
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_ntlm_flag:
CommandLine|contains: '--ntlm'
selection_empty_creds:
CommandLine|re: '(?i)\s(-u|--user)\s*:'
condition: all of selection_*
falsepositives:
- Should be very rare as it's not widely known or used, but could occur in legitimate use cases where curl is used with NTLM authentication and empty credentials, such as in certain scripts or automation tasks.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_ntlm_hash_leak_attempt/info.yml
Convert to SIEM query
high
Narrator's Feedback-Hub Persistence
Detects abusing Windows 10 Narrator's Feedback-Hub
view Sigma YAML
title: Narrator's Feedback-Hub Persistence
id: f663a6d9-9d1b-49b8-b2b1-0637914d199a
status: test
description: Detects abusing Windows 10 Narrator's Feedback-Hub
references:
- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2022-03-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_event
product: windows
detection:
selection1:
EventType: DeleteValue
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
selection2:
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
# Add the payload in the (Default)
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Net WebClient Casing Anomalies
Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
view Sigma YAML
title: Net WebClient Casing Anomalies
id: c86133ad-4725-4bd0-8170-210788e0a7ba
status: test
description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
references:
- https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
author: Florian Roth (Nextron Systems)
date: 2022-05-24
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_encoded:
CommandLine|contains:
- 'TgBlAFQALgB3AEUAQg'
- '4AZQBUAC4AdwBFAEIA'
- 'OAGUAVAAuAHcARQBCA'
- 'bgBFAHQALgB3AGUAYg'
- '4ARQB0AC4AdwBlAGIA'
- 'uAEUAdAAuAHcAZQBiA'
- 'TgBFAHQALgB3AGUAYg'
- 'OAEUAdAAuAHcAZQBiA'
- 'bgBlAFQALgB3AGUAYg'
- '4AZQBUAC4AdwBlAGIA'
- 'uAGUAVAAuAHcAZQBiA'
- 'TgBlAFQALgB3AGUAYg'
- 'OAGUAVAAuAHcAZQBiA'
- 'bgBFAFQALgB3AGUAYg'
- '4ARQBUAC4AdwBlAGIA'
- 'uAEUAVAAuAHcAZQBiA'
- 'bgBlAHQALgBXAGUAYg'
- '4AZQB0AC4AVwBlAGIA'
- 'uAGUAdAAuAFcAZQBiA'
- 'bgBFAHQALgBXAGUAYg'
- '4ARQB0AC4AVwBlAGIA'
- 'uAEUAdAAuAFcAZQBiA'
- 'TgBFAHQALgBXAGUAYg'
- 'OAEUAdAAuAFcAZQBiA'
- 'bgBlAFQALgBXAGUAYg'
- '4AZQBUAC4AVwBlAGIA'
- 'uAGUAVAAuAFcAZQBiA'
- 'TgBlAFQALgBXAGUAYg'
- 'OAGUAVAAuAFcAZQBiA'
- 'bgBFAFQALgBXAGUAYg'
- '4ARQBUAC4AVwBlAGIA'
- 'uAEUAVAAuAFcAZQBiA'
- 'bgBlAHQALgB3AEUAYg'
- '4AZQB0AC4AdwBFAGIA'
- 'uAGUAdAAuAHcARQBiA'
- 'TgBlAHQALgB3AEUAYg'
- 'OAGUAdAAuAHcARQBiA'
- 'bgBFAHQALgB3AEUAYg'
- '4ARQB0AC4AdwBFAGIA'
- 'uAEUAdAAuAHcARQBiA'
- 'TgBFAHQALgB3AEUAYg'
- 'OAEUAdAAuAHcARQBiA'
- 'bgBlAFQALgB3AEUAYg'
- '4AZQBUAC4AdwBFAGIA'
- 'uAGUAVAAuAHcARQBiA'
- 'TgBlAFQALgB3AEUAYg'
- 'OAGUAVAAuAHcARQBiA'
- 'bgBFAFQALgB3AEUAYg'
- '4ARQBUAC4AdwBFAGIA'
- 'uAEUAVAAuAHcARQBiA'
- 'TgBFAFQALgB3AEUAYg'
- 'OAEUAVAAuAHcARQBiA'
- 'bgBlAHQALgBXAEUAYg'
- '4AZQB0AC4AVwBFAGIA'
- 'uAGUAdAAuAFcARQBiA'
- 'TgBlAHQALgBXAEUAYg'
- 'OAGUAdAAuAFcARQBiA'
- 'bgBFAHQALgBXAEUAYg'
- '4ARQB0AC4AVwBFAGIA'
- 'uAEUAdAAuAFcARQBiA'
- 'TgBFAHQALgBXAEUAYg'
- 'OAEUAdAAuAFcARQBiA'
- 'bgBlAFQALgBXAEUAYg'
- '4AZQBUAC4AVwBFAGIA'
- 'uAGUAVAAuAFcARQBiA'
- 'TgBlAFQALgBXAEUAYg'
- 'OAGUAVAAuAFcARQBiA'
- 'bgBFAFQALgBXAEUAYg'
- '4ARQBUAC4AVwBFAGIA'
- 'uAEUAVAAuAFcARQBiA'
- 'TgBFAFQALgBXAEUAYg'
- 'OAEUAVAAuAFcARQBiA'
- 'bgBlAHQALgB3AGUAQg'
- '4AZQB0AC4AdwBlAEIA'
- 'uAGUAdAAuAHcAZQBCA'
- 'TgBlAHQALgB3AGUAQg'
- 'OAGUAdAAuAHcAZQBCA'
- 'bgBFAHQALgB3AGUAQg'
- '4ARQB0AC4AdwBlAEIA'
- 'uAEUAdAAuAHcAZQBCA'
- 'TgBFAHQALgB3AGUAQg'
- 'OAEUAdAAuAHcAZQBCA'
- 'bgBlAFQALgB3AGUAQg'
- '4AZQBUAC4AdwBlAEIA'
- 'uAGUAVAAuAHcAZQBCA'
- 'TgBlAFQALgB3AGUAQg'
- 'OAGUAVAAuAHcAZQBCA'
- 'bgBFAFQALgB3AGUAQg'
- '4ARQBUAC4AdwBlAEIA'
- 'uAEUAVAAuAHcAZQBCA'
- 'TgBFAFQALgB3AGUAQg'
- 'OAEUAVAAuAHcAZQBCA'
- 'bgBlAHQALgBXAGUAQg'
- '4AZQB0AC4AVwBlAEIA'
- 'uAGUAdAAuAFcAZQBCA'
- 'TgBlAHQALgBXAGUAQg'
- 'OAGUAdAAuAFcAZQBCA'
- 'bgBFAHQALgBXAGUAQg'
- '4ARQB0AC4AVwBlAEIA'
- 'uAEUAdAAuAFcAZQBCA'
- 'TgBFAHQALgBXAGUAQg'
- 'OAEUAdAAuAFcAZQBCA'
- 'bgBlAFQALgBXAGUAQg'
- '4AZQBUAC4AVwBlAEIA'
- 'uAGUAVAAuAFcAZQBCA'
- 'TgBlAFQALgBXAGUAQg'
- 'OAGUAVAAuAFcAZQBCA'
- 'bgBFAFQALgBXAGUAQg'
- '4ARQBUAC4AVwBlAEIA'
- 'uAEUAVAAuAFcAZQBCA'
- 'TgBFAFQALgBXAGUAQg'
- 'OAEUAVAAuAFcAZQBCA'
- 'bgBlAHQALgB3AEUAQg'
- '4AZQB0AC4AdwBFAEIA'
- 'uAGUAdAAuAHcARQBCA'
- 'TgBlAHQALgB3AEUAQg'
- 'OAGUAdAAuAHcARQBCA'
- 'bgBFAHQALgB3AEUAQg'
- '4ARQB0AC4AdwBFAEIA'
- 'uAEUAdAAuAHcARQBCA'
- 'TgBFAHQALgB3AEUAQg'
- 'OAEUAdAAuAHcARQBCA'
- 'bgBlAFQALgB3AEUAQg'
- 'uAGUAVAAuAHcARQBCA'
- 'bgBFAFQALgB3AEUAQg'
- '4ARQBUAC4AdwBFAEIA'
- 'uAEUAVAAuAHcARQBCA'
- 'TgBFAFQALgB3AEUAQg'
- 'OAEUAVAAuAHcARQBCA'
- 'TgBlAHQALgBXAEUAQg'
- '4AZQB0AC4AVwBFAEIA'
- 'OAGUAdAAuAFcARQBCA'
- 'bgBFAHQALgBXAEUAQg'
- '4ARQB0AC4AVwBFAEIA'
- 'uAEUAdAAuAFcARQBCA'
- 'TgBFAHQALgBXAEUAQg'
- 'OAEUAdAAuAFcARQBCA'
- 'bgBlAFQALgBXAEUAQg'
- '4AZQBUAC4AVwBFAEIA'
- 'uAGUAVAAuAFcARQBCA'
- 'TgBlAFQALgBXAEUAQg'
- 'OAGUAVAAuAFcARQBCA'
- 'bgBFAFQALgBXAEUAQg'
- '4ARQBUAC4AVwBFAEIA'
- 'uAEUAVAAuAFcARQBCA'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 601-650 of 1,715