From c7daf153b7070fc25b7c0a16241f622bf9454b01 Mon Sep 17 00:00:00 2001
From: vastlimits
Date: Thu, 27 Feb 2025 00:21:58 +0000
Subject: [PATCH] Updated converted sigma rules for version version/7.3
---
 ...erAgent-ESA-am-sigma-critical-windows.conf | 516 +-
 config/uberAgent-ESA-am-sigma-high-macos.conf | 114 +-
 .../uberAgent-ESA-am-sigma-high-windows.conf | 12178 ++++++++--------
 ...gent-ESA-am-sigma-informational-macos.conf | 64 +-
 ...nt-ESA-am-sigma-informational-windows.conf | 26 +-
 config/uberAgent-ESA-am-sigma-low-macos.conf | 190 +-
 .../uberAgent-ESA-am-sigma-low-windows.conf | 1204 +-
 .../uberAgent-ESA-am-sigma-medium-macos.conf | 516 +-
 8 files changed, 7404 insertions(+), 7404 deletions(-)
diff --git a/config/uberAgent-ESA-am-sigma-critical-windows.conf b/config/uberAgent-ESA-am-sigma-critical-windows.conf
index e23e168e..8abf95ff 100644
--- a/config/uberAgent-ESA-am-sigma-critical-windows.conf
+++ b/config/uberAgent-ESA-am-sigma-critical-windows.conf
@@ -8,28 +8,92 @@ # [ThreatDetectionRule platform=Windows] -# Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network -# Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga -RuleId = 2f7979ae-f82b-45af-ac1d-2b10e93b0baa -RuleName = Potential DCOM InternetExplorer.Application DLL Hijack -EventType = File.Create -Tag = potential-dcom-internetexplorer.application-dll-hijack +# Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen +# Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community +RuleId = 2fdefcb3-dbda-401e-ae23-f0db027628bc +RuleName = Sticky Key Like Backdoor Execution +EventType = Process.Start +Tag = proc-start-sticky-key-like-backdoor-execution RiskScore = 100 -Annotation = {"mitre_attack": ["T1021.002", "T1021.003"], "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga"} -Query = Process.Path == "System" and File.Path like r"%\\Internet Explorer\\iertutil.dll" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1546.008"], "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community"} +Query = Parent.Path like r"%\\winlogon.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\wt.exe") and (Process.CommandLine like r"%sethc.exe%" or Process.CommandLine like r"%utilman.exe%" or Process.CommandLine like r"%osk.exe%" or Process.CommandLine like r"%Magnify.exe%" or Process.CommandLine like r"%Narrator.exe%" or Process.CommandLine like r"%DisplaySwitch.exe%") +GenericProperty1 = Parent.Path 
[ThreatDetectionRule platform=Windows] -# Detects the presence and execution of Inveigh via dropped artefacts -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = bb09dd3e-2b78-4819-8e35-a7c1b874e449 -RuleName = HackTool - Inveigh Execution Artefacts +# Detects the use of Windows Credential Editor (WCE) +# Author: Florian Roth (Nextron Systems) +RuleId = 7aa7009a-28b9-4344-8c1f-159489a390df +RuleName = HackTool - Windows Credential Editor (WCE) Execution +EventType = Process.Start +Tag = proc-start-hacktool-windows-credential-editor-(wce)-execution +RiskScore = 100 +Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Hashes like r"%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%" or Process.Hashes like r"%IMPHASH=e96a73c7bf33a464c510ede582318bf2%" or Process.CommandLine like r"%.exe -S" and Parent.Path like r"%\\services.exe") and not Process.Path like r"%\\clussvc.exe" +GenericProperty1 = Parent.Path +GenericProperty2 = Process.Hashes + + +[ThreatDetectionRule platform=Windows] +# Detects the execution of whoami that has been renamed to a different name to avoid detection +# Author: Florian Roth (Nextron Systems) +RuleId = f1086bf7-a0c4-4a37-9102-01e573caf4a0 +RuleName = Renamed Whoami Execution +EventType = Process.Start +Tag = proc-start-renamed-whoami-execution +RiskScore = 100 +Annotation = {"mitre_attack": ["T1033"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Name == "whoami.exe" and not Process.Path like r"%\\whoami.exe" + + +[ThreatDetectionRule platform=Windows] +# Detects the use of the Dinject PowerShell cradle based on the specific flags +# Author: Florian Roth (Nextron Systems) +RuleId = d78b5d61-187d-44b6-bf02-93486a80de5a +RuleName = HackTool - DInjector PowerShell Cradle Execution +EventType = Process.Start +Tag = proc-start-hacktool-dinjector-powershell-cradle-execution +RiskScore = 100 +Annotation = {"mitre_attack": ["T1055"], "author": "Florian Roth (Nextron Systems)"} 
+Query = Process.CommandLine like r"% /am51%" and Process.CommandLine like r"% /password%" + + +[ThreatDetectionRule platform=Windows] +# Detects a WMI backdoor in Exchange Transport Agents via WMI event filters +# Author: Florian Roth (Nextron Systems) +RuleId = 797011dc-44f4-4e6f-9f10-a8ceefbe566b +RuleName = WMI Backdoor Exchange Transport Agent +EventType = Process.Start +Tag = proc-start-wmi-backdoor-exchange-transport-agent +RiskScore = 100 +Annotation = {"mitre_attack": ["T1546.003"], "author": "Florian Roth (Nextron Systems)"} +Query = Parent.Path like r"%\\EdgeTransport.exe" and not (Process.Path == "C:\\Windows\\System32\\conhost.exe" or Process.Path like r"C:\\Program Files\\Microsoft\\Exchange Server\\%" and Process.Path like r"%\\Bin\\OleConverter.exe") +GenericProperty1 = Parent.Path + + +[ThreatDetectionRule platform=Windows] +# Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed +# Author: Florian Roth (Nextron Systems) +RuleId = 24e3e58a-646b-4b50-adef-02ef935b9fc8 +RuleName = Hacktool Execution - Imphash +EventType = Process.Start +Tag = proc-start-hacktool-execution-imphash +RiskScore = 100 +Annotation = {"mitre_attack": ["T1588.002", "T1003"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Hashes like r"%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%" or Process.Hashes like r"%IMPHASH=3A19059BD7688CB88E70005F18EFC439%" or Process.Hashes like r"%IMPHASH=bf6223a49e45d99094406777eb6004ba%" or Process.Hashes like r"%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%" or Process.Hashes like r"%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%" or Process.Hashes like r"%IMPHASH=F9A28C458284584A93B14216308D31BD%" or Process.Hashes like r"%IMPHASH=6118619783FC175BC7EBECFF0769B46E%" or Process.Hashes like r"%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%" or Process.Hashes like r"%IMPHASH=563233BFA169ACC7892451F71AD5850A%" or Process.Hashes like r"%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%" or 
Process.Hashes like r"%IMPHASH=13F08707F759AF6003837A150A371BA1%" or Process.Hashes like r"%IMPHASH=1781F06048A7E58B323F0B9259BE798B%" or Process.Hashes like r"%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%" or Process.Hashes like r"%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%" or Process.Hashes like r"%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%" or Process.Hashes like r"%IMPHASH=713C29B396B907ED71A72482759ED757%" or Process.Hashes like r"%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%" or Process.Hashes like r"%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%" or Process.Hashes like r"%IMPHASH=8B114550386E31895DFAB371E741123D%" or Process.Hashes like r"%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%" or Process.Hashes like r"%IMPHASH=9D68781980370E00E0BD939EE5E6C141%" or Process.Hashes like r"%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%" or Process.Hashes like r"%IMPHASH=CB567F9498452721D77A451374955F5F%" or Process.Hashes like r"%IMPHASH=730073214094CD328547BF1F72289752%" or Process.Hashes like r"%IMPHASH=17B461A082950FC6332228572138B80C%" or Process.Hashes like r"%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%" or Process.Hashes like r"%IMPHASH=819B19D53CA6736448F9325A85736792%" or Process.Hashes like r"%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%" or Process.Hashes like r"%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%" or Process.Hashes like r"%IMPHASH=0588081AB0E63BA785938467E1B10CCA%" or Process.Hashes like r"%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%" or Process.Hashes like r"%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%" or Process.Hashes like r"%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%" or Process.Hashes like r"%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%" or Process.Hashes like r"%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%" or Process.Hashes like r"%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%" or Process.Hashes like r"%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%" or Process.Hashes like r"%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%" or Process.Hashes like r"%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%" 
or Process.Hashes like r"%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%" or Process.Hashes like r"%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%" or Process.Hashes like r"%IMPHASH=FFDD59E0318B85A3E480874D9796D872%" or Process.Hashes like r"%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%" or Process.Hashes like r"%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%" or Process.Hashes like r"%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%" or Process.Hashes like r"%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%" or Process.Hashes like r"%IMPHASH=0E2216679CA6E1094D63322E3412D650%" or Process.Hashes like r"%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%" or Process.Hashes like r"%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%" or Process.Hashes like r"%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%" or Process.Hashes like r"%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%" or Process.Hashes like r"%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%" or Process.Hashes like r"%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%" or Process.Hashes like r"%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%" or Process.Hashes like r"%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%" or Process.Hashes like r"%IMPHASH=7D010C6BB6A3726F327F7E239166D127%" or Process.Hashes like r"%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%" or Process.Hashes like r"%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%" or Process.Hashes like r"%IMPHASH=5834ED4291BDEB928270428EBBAF7604%" or Process.Hashes like r"%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%" or Process.Hashes like r"%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%" or Process.Hashes like r"%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%" or Process.Hashes like r"%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%" or Process.Hashes like r"%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%" or Process.Hashes like r"%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%" or Process.Hashes like r"%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%" or Process.Hashes like r"%IMPHASH=09D278F9DE118EF09163C6140255C690%" or Process.Hashes like 
r"%IMPHASH=03866661686829d806989e2fc5a72606%" or Process.Hashes like r"%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%" or Process.Hashes like r"%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%" or Process.Hashes like r"%IMPHASH=19584675D94829987952432E018D5056%" or Process.Hashes like r"%IMPHASH=330768A4F172E10ACB6287B87289D83B%" or Process.Hashes like r"%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%" or Process.Hashes like r"%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%" or Process.Hashes like r"%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%" or Process.Hashes like r"%IMPHASH=96DF3A3731912449521F6F8D183279B1%" or Process.Hashes like r"%IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46%" or Process.Hashes like r"%IMPHASH=51791678F351C03A0EB4E2A7B05C6E17%" or Process.Hashes like r"%IMPHASH=25CE42B079282632708FC846129E98A5%" or Process.Hashes like r"%IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20%" or Process.Hashes like r"%IMPHASH=59223B5F52D8799D38E0754855CBDF42%" or Process.Hashes like r"%IMPHASH=81E75D8F1D276C156653D3D8813E4A43%" or Process.Hashes like r"%IMPHASH=17244E8B6B8227E57FE709CCAD421420%" or Process.Hashes like r"%IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4%" or Process.Hashes like r"%IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C%" or Process.Hashes like r"%IMPHASH=40445337761D80CF465136FAFB1F63E6%" or Process.Hashes like r"%IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6%" or Process.Hashes like r"%IMPHASH=B50199E952C875241B9CE06C971CE3C1%" +GenericProperty1 = Process.Hashes + + +[ThreatDetectionRule platform=Windows] +# Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc. 
+# Author: Florian Roth (Nextron Systems), David ANDRE +RuleId = 9e099d99-44c2-42b6-a6d8-54c3545cab29 +RuleName = HackTool - Mimikatz Kirbi File Creation EventType = File.Create -Tag = hacktool-inveigh-execution-artefacts +Tag = hacktool-mimikatz-kirbi-file-creation RiskScore = 100 -Annotation = {"mitre_attack": ["T1219"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path like r"%\\Inveigh-Log.txt" or File.Path like r"%\\Inveigh-Cleartext.txt" or File.Path like r"%\\Inveigh-NTLMv1Users.txt" or File.Path like r"%\\Inveigh-NTLMv2Users.txt" or File.Path like r"%\\Inveigh-NTLMv1.txt" or File.Path like r"%\\Inveigh-NTLMv2.txt" or File.Path like r"%\\Inveigh-FormInput.txt" or File.Path like r"%\\Inveigh.dll" or File.Path like r"%\\Inveigh.exe" or File.Path like r"%\\Inveigh.ps1" or File.Path like r"%\\Inveigh-Relay.ps1" +Annotation = {"mitre_attack": ["T1558"], "author": "Florian Roth (Nextron Systems), David ANDRE"} +Query = File.Path like r"%.kirbi" or File.Path like r"%mimilsa.log" GenericProperty1 = File.Path 
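Review bot: The added `Renamed Whoami Execution` rule requires `Process.Name == "whoami.exe"` together with `not Process.Path like r"%\\whoami.exe"`; if `Process.Name` is derived from the executable path rather than from the PE's original file name (which is presumably what the upstream Sigma rule keys on), the two conditions can never both hold and the rule is a silent no-op. The converter should map that Sigma field to whatever property uberAgent exposes for the version-resource name, or drop the rule instead of emitting a dead one. Separately, the WCE rule in this hunk matches `IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f` in lowercase while the `Hacktool Execution - Imphash` rule lists the same value as `IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F`; unless `like` is case-insensitive, one of the two spellings will not match what the sensor emits, so hash case should be normalised at conversion time. Both fixes belong in the conversion step, since this .conf is generated output.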
@@ -47,79 +111,120 @@ GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects process activity patterns as seen being used by Sliver C2 framework implants -# Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) -RuleId = 42333b2c-b425-441c-b70e-99404a17170f -RuleName = HackTool - Sliver C2 Implant Activity Pattern +# Detects the use of the filename DumpStack.log to evade Microsoft Defender +# Author: Florian Roth (Nextron Systems) +RuleId = 4f647cfa-b598-4e12-ad69-c68dd16caef8 +RuleName = DumpStack.log Defender Evasion EventType = Process.Start -Tag = proc-start-hacktool-sliver-c2-implant-activity-pattern +Tag = proc-start-dumpstack.log-defender-evasion RiskScore = 100 -Annotation = {"mitre_attack": ["T1059"], "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%" +Annotation = {"author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\DumpStack.log" or Process.CommandLine like r"% -o DumpStack.log%" [ThreatDetectionRule platform=Windows] -# Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class +# Detects the execution of the PurpleSharp adversary simulation tool +# Author: Florian Roth (Nextron Systems) +RuleId = ff23ffbc-3378-435e-992f-0624dcf93ab4 +RuleName = HackTool - PurpleSharp Execution +EventType = Process.Start +Tag = proc-start-hacktool-purplesharp-execution +RiskScore = 100 +Annotation = {"mitre_attack": ["T1587"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\purplesharp%" or Process.Name == "PurpleSharp.exe" or Process.CommandLine like r"%xyz123456.exe%" or Process.CommandLine like r"%PurpleSharp%" + + +[ThreatDetectionRule platform=Windows] +# Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network # Author: 
Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga -RuleId = f354eba5-623b-450f-b073-0b5b2773b6aa -RuleName = Potential DCOM InternetExplorer.Application DLL Hijack - Image Load -EventType = Image.Load -Tag = potential-dcom-internetexplorer.application-dll-hijack-image-load +RuleId = 2f7979ae-f82b-45af-ac1d-2b10e93b0baa +RuleName = Potential DCOM InternetExplorer.Application DLL Hijack +EventType = File.Create +Tag = potential-dcom-internetexplorer.application-dll-hijack RiskScore = 100 Annotation = {"mitre_attack": ["T1021.002", "T1021.003"], "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga"} -Query = Process.Path like r"%\\Internet Explorer\\iexplore.exe" and Image.Path like r"%\\Internet Explorer\\iertutil.dll" -GenericProperty1 = Image.Path +Query = Process.Path == "System" and File.Path like r"%\\Internet Explorer\\iertutil.dll" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations +# Detects the use of Windows Credential Editor (WCE) # Author: Florian Roth (Nextron Systems) -RuleId = 889719ef-dd62-43df-86c3-768fb08dc7c0 -RuleName = Suspicious PowerShell Mailbox Export to Share +RuleId = a6b33c02-8305-488f-8585-03cb2a7763f2 +RuleName = Windows Credential Editor Registry +EventType = Reg.Any +Tag = windows-credential-editor-registry +RiskScore = 100 +Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Reg.TargetObject like r"%Services\\WCESERVICE\\Start%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject + + +[ThreatDetectionRule platform=Windows] +# Detects different hacktools used for relay attacks on Windows for privilege escalation +# Author: Florian Roth (Nextron Systems) +RuleId = 5589ab4f-a767-433c-961d-c91f3f704db1 +RuleName = Potential SMB Relay Attack Tool Execution EventType = Process.Start -Tag 
= proc-start-suspicious-powershell-mailbox-export-to-share +Tag = proc-start-potential-smb-relay-attack-tool-execution RiskScore = 100 -Annotation = {"author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%New-MailboxExportRequest%" and Process.CommandLine like r"% -Mailbox %" and Process.CommandLine like r"% -FilePath \\\\%" +Annotation = {"mitre_attack": ["T1557.001"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%PetitPotam%" or Process.Path like r"%RottenPotato%" or Process.Path like r"%HotPotato%" or Process.Path like r"%JuicyPotato%" or Process.Path like r"%\\just\_dce\_%" or Process.Path like r"%Juicy Potato%" or Process.Path like r"%\\temp\\rot.exe%" or Process.Path like r"%\\Potato.exe%" or Process.Path like r"%\\SpoolSample.exe%" or Process.Path like r"%\\Responder.exe%" or Process.Path like r"%\\smbrelayx%" or Process.Path like r"%\\ntlmrelayx%" or Process.Path like r"%\\LocalPotato%" or Process.CommandLine like r"%Invoke-Tater%" or Process.CommandLine like r"% smbrelay%" or Process.CommandLine like r"% ntlmrelay%" or Process.CommandLine like r"%cme smb %" or Process.CommandLine like r"% /ntlm:NTLMhash %" or Process.CommandLine like r"%Invoke-PetitPotam%" or Process.CommandLine like r"%.exe -t % -p %" or Process.CommandLine like r"%.exe -c \"{%" and Process.CommandLine like r"%}\" -z") and not (Process.Path like r"%HotPotatoes6%" or Process.Path like r"%HotPotatoes7%" or Process.Path like r"%HotPotatoes %") [ThreatDetectionRule platform=Windows] -# Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns -# Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) -RuleId = 1cdd9a09-06c9-4769-99ff-626e2b3991b8 -RuleName = Suspicious Double Extension File Execution +# By replacing the sticky keys executable with the local admins CMD 
executable, an attacker is able to access a privileged windows console session without authenticating to the system. +# When the sticky keys are "activated" the privilleged shell is launched. +# Author: Sreeman +RuleId = 1070db9a-3e5d-412e-8e7b-7183b616e1b3 +RuleName = Persistence Via Sticky Key Backdoor EventType = Process.Start -Tag = proc-start-suspicious-double-extension-file-execution +Tag = proc-start-persistence-via-sticky-key-backdoor RiskScore = 100 -Annotation = {"mitre_attack": ["T1566.001"], "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%.doc.exe" or Process.Path like r"%.docx.exe" or Process.Path like r"%.xls.exe" or Process.Path like r"%.xlsx.exe" or Process.Path like r"%.ppt.exe" or Process.Path like r"%.pptx.exe" or Process.Path like r"%.rtf.exe" or Process.Path like r"%.pdf.exe" or Process.Path like r"%.txt.exe" or Process.Path like r"% .exe" or Process.Path like r"%\_\_\_\_\_\_.exe" or Process.Path like r"%.doc.js" or Process.Path like r"%.docx.js" or Process.Path like r"%.xls.js" or Process.Path like r"%.xlsx.js" or Process.Path like r"%.ppt.js" or Process.Path like r"%.pptx.js" or Process.Path like r"%.rtf.js" or Process.Path like r"%.pdf.js" or Process.Path like r"%.txt.js") and (Process.CommandLine like r"%.doc.exe%" or Process.CommandLine like r"%.docx.exe%" or Process.CommandLine like r"%.xls.exe%" or Process.CommandLine like r"%.xlsx.exe%" or Process.CommandLine like r"%.ppt.exe%" or Process.CommandLine like r"%.pptx.exe%" or Process.CommandLine like r"%.rtf.exe%" or Process.CommandLine like r"%.pdf.exe%" or Process.CommandLine like r"%.txt.exe%" or Process.CommandLine like r"% .exe%" or Process.CommandLine like r"%\_\_\_\_\_\_.exe%" or Process.CommandLine like r"%.doc.js%" or Process.CommandLine like r"%.docx.js%" or Process.CommandLine like r"%.xls.js%" or Process.CommandLine like r"%.xlsx.js%" or Process.CommandLine like r"%.ppt.js%" or 
Process.CommandLine like r"%.pptx.js%" or Process.CommandLine like r"%.rtf.js%" or Process.CommandLine like r"%.pdf.js%" or Process.CommandLine like r"%.txt.js%") +Annotation = {"mitre_attack": ["T1546.008"], "author": "Sreeman"} +Query = Process.CommandLine like r"%copy %" and Process.CommandLine like r"%/y %" and Process.CommandLine like r"%C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe%" [ThreatDetectionRule platform=Windows] -# F-Secure C3 produces DLLs with a default exported StartNodeRelay function. -# Author: Alfie Champion (ajpc500) -RuleId = b18c9d4c-fac9-4708-bd06-dd5bfacf200f -RuleName = HackTool - F-Secure C3 Load by Rundll32 +# Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations +# Author: Florian Roth (Nextron Systems) +RuleId = 889719ef-dd62-43df-86c3-768fb08dc7c0 +RuleName = Suspicious PowerShell Mailbox Export to Share EventType = Process.Start -Tag = proc-start-hacktool-f-secure-c3-load-by-rundll32 +Tag = proc-start-suspicious-powershell-mailbox-export-to-share RiskScore = 100 -Annotation = {"mitre_attack": ["T1218.011"], "author": "Alfie Champion (ajpc500)"} -Query = Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%.dll%" and Process.CommandLine like r"%StartNodeRelay%" +Annotation = {"author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%New-MailboxExportRequest%" and Process.CommandLine like r"% -Mailbox %" and Process.CommandLine like r"% -FilePath \\\\%" [ThreatDetectionRule platform=Windows] -# Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120 +# Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory # Author: Florian Roth (Nextron Systems) -RuleId = 8a7e90c5-fe6e-45dc-889e-057fe4378bd9 -RuleName = HackTool - SysmonEOP Execution +RuleId = 2704ab9e-afe2-4854-a3b1-0c0706d03578 +RuleName = HackTool - Dumpert Process 
Dumper Execution EventType = Process.Start -Tag = proc-start-hacktool-sysmoneop-execution +Tag = proc-start-hacktool-dumpert-process-dumper-execution RiskScore = 100 -Annotation = {"mitre_attack": ["T1068"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\SysmonEOP.exe" or Process.Hashes like r"%IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5%" or Process.Hashes like r"%IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC%" +Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Hashes like r"%MD5=09D278F9DE118EF09163C6140255C690%" or Process.CommandLine like r"%Dumpert.dll%" GenericProperty1 = Process.Hashes +[ThreatDetectionRule platform=Windows] +# Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process +# Author: Florian Roth (Nextron Systems) +RuleId = 55e29995-75e7-451a-bef0-6225e2f13597 +RuleName = Potential Credential Dumping Via LSASS SilentProcessExit Technique +EventType = Reg.Any +Tag = potential-credential-dumping-via-lsass-silentprocessexit-technique +RiskScore = 100 +Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Reg.TargetObject like r"%Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject + + [ThreatDetectionRule platform=Windows] # Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons # Author: Florian Roth (Nextron Systems) 
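Review bot: The `HackTool - Dumpert Process Dumper Execution` query matches `Process.Hashes like r"%MD5=09D278F9DE118EF09163C6140255C690%"`, but the identical 32-hex value appears as `IMPHASH=09D278F9DE118EF09163C6140255C690` in the `Hacktool Execution - Imphash` rule of the previous hunk, so one of the two labels is wrong; if the value is an import hash, the `MD5=` pattern never matches and the Dumpert rule effectively fires only on the `Dumpert.dll` command-line string. This looks like a hash-type mapping issue in the converter and should be corrected there rather than in the generated file. The `Potential SMB Relay Attack Tool Execution` query also mixes `or` and `and` inside a single parenthesised group (`... or Process.CommandLine like r"%.exe -c \"{%" and Process.CommandLine like r"%}\" -z"`), relying on operator precedence; the WCE rule in the first hunk has the same shape, and wrapping each two-term `and` in its own parentheses would make the intended grouping explicit.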
@@ -134,29 +239,28 @@ GenericProperty1 = Dns.QueryRequest [ThreatDetectionRule platform=Windows] -# Detects indicators of a UAC bypass method by mocking directories -# Author: Florian Roth (Nextron Systems) -RuleId = 4ac47ed3-44c2-4b1f-9d51-bf46e8914126 -RuleName = TrustedPath UAC Bypass Pattern -EventType = Process.Start -Tag = proc-start-trustedpath-uac-bypass-pattern +# Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. +# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = 614a7e17-5643-4d89-b6fe-f9df1a79641c +RuleName = Wmiprvse Wbemcomn DLL Hijack - File +EventType = File.Create +Tag = wmiprvse-wbemcomn-dll-hijack-file RiskScore = 100 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%C:\\Windows \\System32\\%" +Annotation = {"mitre_attack": ["T1047", "T1021.002"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = Process.Path == "System" and File.Path like r"%\\wbem\\wbemcomn.dll" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen -# Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community -RuleId = baca5663-583c-45f9-b5dc-ea96a22ce542 -RuleName = Sticky Key Like Backdoor Usage - Registry -EventType = Reg.Any -Tag = sticky-key-like-backdoor-usage-registry +# F-Secure C3 produces DLLs with a default exported StartNodeRelay function. 
+# Author: Alfie Champion (ajpc500) +RuleId = b18c9d4c-fac9-4708-bd06-dd5bfacf200f +RuleName = HackTool - F-Secure C3 Load by Rundll32 +EventType = Process.Start +Tag = proc-start-hacktool-f-secure-c3-load-by-rundll32 RiskScore = 100 -Annotation = {"mitre_attack": ["T1546.008"], "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1218.011"], "author": "Alfie Champion (ajpc500)"} +Query = Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%.dll%" and Process.CommandLine like r"%StartNodeRelay%" [ThreatDetectionRule platform=Windows] 
@@ -185,68 +289,54 @@ Query = Process.CommandLine like r"% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Softw [ThreatDetectionRule platform=Windows] -# Detects the creation of the default output filename used by the wmiexec tool -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 8d5aca11-22b3-4f22-b7ba-90e60533e1fb -RuleName = Wmiexec Default Output File -EventType = File.Create -Tag = wmiexec-default-output-file -RiskScore = 100 -Annotation = {"mitre_attack": ["T1047"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path regex "\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$" or File.Path regex "C:\\\\__1\\d{9}\\.\\d{1,7}$" or File.Path regex "D:\\\\__1\\d{9}\\.\\d{1,7}$" -GenericProperty1 = File.Path - - -[ThreatDetectionRule platform=Windows] -# Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process -# Author: Florian Roth (Nextron Systems) -RuleId = 55e29995-75e7-451a-bef0-6225e2f13597 -RuleName = Potential Credential Dumping Via LSASS SilentProcessExit Technique -EventType = Reg.Any -Tag = potential-credential-dumping-via-lsass-silentprocessexit-technique +# Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class +# Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga +RuleId = f354eba5-623b-450f-b073-0b5b2773b6aa +RuleName = Potential DCOM InternetExplorer.Application DLL Hijack - Image Load +EventType = Image.Load +Tag = potential-dcom-internetexplorer.application-dll-hijack-image-load RiskScore = 100 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Reg.TargetObject like r"%Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1021.002", "T1021.003"], "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga"} +Query = Process.Path like 
r"%\\Internet Explorer\\iexplore.exe" and Image.Path like r"%\\Internet Explorer\\iertutil.dll" +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects Pandemic Windows Implant +# Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120 # Author: Florian Roth (Nextron Systems) -RuleId = 47e0852a-cf81-4494-a8e6-31864f8c86ed -RuleName = Pandemic Registry Key -EventType = Reg.Any -Tag = pandemic-registry-key +RuleId = 8a7e90c5-fe6e-45dc-889e-057fe4378bd9 +RuleName = HackTool - SysmonEOP Execution +EventType = Process.Start +Tag = proc-start-hacktool-sysmoneop-execution RiskScore = 100 -Annotation = {"mitre_attack": ["T1105"], "author": "Florian Roth (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\services\\null\\Instance%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1068"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\SysmonEOP.exe" or Process.Hashes like r"%IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5%" or Process.Hashes like r"%IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC%" +GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Detects different hacktools used for relay attacks on Windows for privilege escalation +# Detects indicators of a UAC bypass method by mocking directories # Author: Florian Roth (Nextron Systems) -RuleId = 5589ab4f-a767-433c-961d-c91f3f704db1 -RuleName = Potential SMB Relay Attack Tool Execution +RuleId = 4ac47ed3-44c2-4b1f-9d51-bf46e8914126 +RuleName = TrustedPath UAC Bypass Pattern EventType = Process.Start -Tag = proc-start-potential-smb-relay-attack-tool-execution +Tag = proc-start-trustedpath-uac-bypass-pattern RiskScore = 100 -Annotation = {"mitre_attack": ["T1557.001"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%PetitPotam%" or Process.Path like r"%RottenPotato%" or Process.Path like r"%HotPotato%" or Process.Path like 
r"%JuicyPotato%" or Process.Path like r"%\\just\_dce\_%" or Process.Path like r"%Juicy Potato%" or Process.Path like r"%\\temp\\rot.exe%" or Process.Path like r"%\\Potato.exe%" or Process.Path like r"%\\SpoolSample.exe%" or Process.Path like r"%\\Responder.exe%" or Process.Path like r"%\\smbrelayx%" or Process.Path like r"%\\ntlmrelayx%" or Process.Path like r"%\\LocalPotato%" or Process.CommandLine like r"%Invoke-Tater%" or Process.CommandLine like r"% smbrelay%" or Process.CommandLine like r"% ntlmrelay%" or Process.CommandLine like r"%cme smb %" or Process.CommandLine like r"% /ntlm:NTLMhash %" or Process.CommandLine like r"%Invoke-PetitPotam%" or Process.CommandLine like r"%.exe -t % -p %" or Process.CommandLine like r"%.exe -c \"{%" and Process.CommandLine like r"%}\" -z") and not (Process.Path like r"%HotPotatoes6%" or Process.Path like r"%HotPotatoes7%" or Process.Path like r"%HotPotatoes %") +Annotation = {"mitre_attack": ["T1548.002"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%C:\\Windows \\System32\\%" [ThreatDetectionRule platform=Windows] -# Detects the execution of the PurpleSharp adversary simulation tool -# Author: Florian Roth (Nextron Systems) -RuleId = ff23ffbc-3378-435e-992f-0624dcf93ab4 -RuleName = HackTool - PurpleSharp Execution -EventType = Process.Start -Tag = proc-start-hacktool-purplesharp-execution +# Detects the creation of the default output filename used by the wmiexec tool +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 8d5aca11-22b3-4f22-b7ba-90e60533e1fb +RuleName = Wmiexec Default Output File +EventType = File.Create +Tag = wmiexec-default-output-file RiskScore = 100 -Annotation = {"mitre_attack": ["T1587"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\purplesharp%" or Process.Name == "PurpleSharp.exe" or Process.CommandLine like r"%xyz123456.exe%" or Process.CommandLine like r"%PurpleSharp%" +Annotation = {"mitre_attack": ["T1047"], "author": "Nasreddine 
Bencherchali (Nextron Systems)"} +Query = File.Path regex "\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$" or File.Path regex "C:\\\\__1\\d{9}\\.\\d{1,7}$" or File.Path regex "D:\\\\__1\\d{9}\\.\\d{1,7}$" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] 
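Review bot: The new `Potential DCOM InternetExplorer.Application DLL Hijack - Image Load` query, `Process.Path like r"%\\Internet Explorer\\iexplore.exe" and Image.Path like r"%\\Internet Explorer\\iertutil.dll"`, also matches the legitimate case: iexplore.exe loading iertutil.dll from its own Program Files directory ends with exactly this suffix, so at RiskScore 100 the rule fires on every normal Internet Explorer start. If the upstream Sigma rule carries a filter for the Program Files install location, that filter appears to have been lost in conversion; if it does not, the query needs an exclusion along the lines of `and not (Image.Path like r"C:\\Program Files\\Internet Explorer\\iertutil.dll" or Image.Path like r"C:\\Program Files (x86)\\Internet Explorer\\iertutil.dll")` so only loads from non-standard paths remain. Worth verifying against the source rule before this ships as a critical-severity detection.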
@@ -264,16 +354,42 @@ GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects a WMI backdoor in Exchange Transport Agents via WMI event filters -# Author: Florian Roth (Nextron Systems) -RuleId = 797011dc-44f4-4e6f-9f10-a8ceefbe566b -RuleName = WMI Backdoor Exchange Transport Agent +# Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns +# Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) +RuleId = 1cdd9a09-06c9-4769-99ff-626e2b3991b8 +RuleName = Suspicious Double Extension File Execution EventType = Process.Start -Tag = proc-start-wmi-backdoor-exchange-transport-agent +Tag = proc-start-suspicious-double-extension-file-execution RiskScore = 100 -Annotation = {"mitre_attack": ["T1546.003"], "author": "Florian Roth (Nextron Systems)"} -Query = Parent.Path like r"%\\EdgeTransport.exe" and not (Process.Path == "C:\\Windows\\System32\\conhost.exe" or Process.Path like r"C:\\Program Files\\Microsoft\\Exchange Server\\%" and Process.Path like r"%\\Bin\\OleConverter.exe") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1566.001"], "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%.doc.exe" or Process.Path like r"%.docx.exe" or Process.Path like r"%.xls.exe" or Process.Path like r"%.xlsx.exe" or Process.Path like r"%.ppt.exe" or Process.Path like r"%.pptx.exe" or Process.Path like r"%.rtf.exe" or Process.Path like r"%.pdf.exe" or Process.Path like r"%.txt.exe" or Process.Path like r"% .exe" or Process.Path like r"%\_\_\_\_\_\_.exe" or Process.Path like r"%.doc.js" or Process.Path like r"%.docx.js" or Process.Path like r"%.xls.js" or Process.Path like r"%.xlsx.js" or Process.Path like r"%.ppt.js" or Process.Path like r"%.pptx.js" or Process.Path like r"%.rtf.js" 
or Process.Path like r"%.pdf.js" or Process.Path like r"%.txt.js") and (Process.CommandLine like r"%.doc.exe%" or Process.CommandLine like r"%.docx.exe%" or Process.CommandLine like r"%.xls.exe%" or Process.CommandLine like r"%.xlsx.exe%" or Process.CommandLine like r"%.ppt.exe%" or Process.CommandLine like r"%.pptx.exe%" or Process.CommandLine like r"%.rtf.exe%" or Process.CommandLine like r"%.pdf.exe%" or Process.CommandLine like r"%.txt.exe%" or Process.CommandLine like r"% .exe%" or Process.CommandLine like r"%\_\_\_\_\_\_.exe%" or Process.CommandLine like r"%.doc.js%" or Process.CommandLine like r"%.docx.js%" or Process.CommandLine like r"%.xls.js%" or Process.CommandLine like r"%.xlsx.js%" or Process.CommandLine like r"%.ppt.js%" or Process.CommandLine like r"%.pptx.js%" or Process.CommandLine like r"%.rtf.js%" or Process.CommandLine like r"%.pdf.js%" or Process.CommandLine like r"%.txt.js%") + + +[ThreatDetectionRule platform=Windows] +# Detects the presence and execution of Inveigh via dropped artefacts +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = bb09dd3e-2b78-4819-8e35-a7c1b874e449 +RuleName = HackTool - Inveigh Execution Artefacts +EventType = File.Create +Tag = hacktool-inveigh-execution-artefacts +RiskScore = 100 +Annotation = {"mitre_attack": ["T1219"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"%\\Inveigh-Log.txt" or File.Path like r"%\\Inveigh-Cleartext.txt" or File.Path like r"%\\Inveigh-NTLMv1Users.txt" or File.Path like r"%\\Inveigh-NTLMv2Users.txt" or File.Path like r"%\\Inveigh-NTLMv1.txt" or File.Path like r"%\\Inveigh-NTLMv2.txt" or File.Path like r"%\\Inveigh-FormInput.txt" or File.Path like r"%\\Inveigh.dll" or File.Path like r"%\\Inveigh.exe" or File.Path like r"%\\Inveigh.ps1" or File.Path like r"%\\Inveigh-Relay.ps1" +GenericProperty1 = File.Path + + +[ThreatDetectionRule platform=Windows] +# Detects Pandemic Windows Implant +# Author: Florian Roth (Nextron Systems) +RuleId = 
47e0852a-cf81-4494-a8e6-31864f8c86ed +RuleName = Pandemic Registry Key +EventType = Reg.Any +Tag = pandemic-registry-key +RiskScore = 100 +Annotation = {"mitre_attack": ["T1105"], "author": "Florian Roth (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\services\\null\\Instance%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] @@ -290,17 +406,15 @@ GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the use of Windows Credential Editor (WCE) -# Author: Florian Roth (Nextron Systems) -RuleId = 7aa7009a-28b9-4344-8c1f-159489a390df -RuleName = HackTool - Windows Credential Editor (WCE) Execution +# Detects process activity patterns as seen being used by Sliver C2 framework implants +# Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) +RuleId = 42333b2c-b425-441c-b70e-99404a17170f +RuleName = HackTool - Sliver C2 Implant Activity Pattern EventType = Process.Start -Tag = proc-start-hacktool-windows-credential-editor-(wce)-execution +Tag = proc-start-hacktool-sliver-c2-implant-activity-pattern RiskScore = 100 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Hashes like r"%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%" or Process.Hashes like r"%IMPHASH=e96a73c7bf33a464c510ede582318bf2%" or Process.CommandLine like r"%.exe -S" and Parent.Path like r"%\\services.exe") and not Process.Path like r"%\\clussvc.exe" -GenericProperty1 = Parent.Path -GenericProperty2 = Process.Hashes +Annotation = {"mitre_attack": ["T1059"], "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%" [ThreatDetectionRule platform=Windows] 
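Review bot: The new `HackTool - Sliver C2 Implant Activity Pattern` query, `Process.CommandLine like r"%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%"`, contains unescaped `[`…`]` sequences, while elsewhere in this diff the converter escapes `_` as `\_`, showing that the `like` operator does treat some characters as metacharacters. If `[` introduces a character class in uberAgent's `like` syntax (as it does in some SQL dialects), this pattern can never match the literal PowerShell text and the rule is dead on arrival; if `[` is literal, no change is needed. Please confirm the operator's escaping rules for `[` and `]` and, if required, have the converter escape them the same way it escapes `_`.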
@@ -330,130 +444,16 @@ Query = File.Path like r"%dumpert.dmp" GenericProperty1 = File.Path -[ThreatDetectionRule platform=Windows] -# Detects the execution of whoami that has been renamed to a different name to avoid detection -# Author: Florian Roth (Nextron Systems) -RuleId = f1086bf7-a0c4-4a37-9102-01e573caf4a0 -RuleName = Renamed Whoami Execution -EventType = Process.Start -Tag = proc-start-renamed-whoami-execution -RiskScore = 100 -Annotation = {"mitre_attack": ["T1033"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Name == "whoami.exe" and not Process.Path like r"%\\whoami.exe" - - -[ThreatDetectionRule platform=Windows] -# Detects the use of Windows Credential Editor (WCE) -# Author: Florian Roth (Nextron Systems) -RuleId = a6b33c02-8305-488f-8585-03cb2a7763f2 -RuleName = Windows Credential Editor Registry -EventType = Reg.Any -Tag = windows-credential-editor-registry -RiskScore = 100 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Reg.TargetObject like r"%Services\\WCESERVICE\\Start%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject - - -[ThreatDetectionRule platform=Windows] -# Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc. 
-# Author: Florian Roth (Nextron Systems), David ANDRE -RuleId = 9e099d99-44c2-42b6-a6d8-54c3545cab29 -RuleName = HackTool - Mimikatz Kirbi File Creation -EventType = File.Create -Tag = hacktool-mimikatz-kirbi-file-creation -RiskScore = 100 -Annotation = {"mitre_attack": ["T1558"], "author": "Florian Roth (Nextron Systems), David ANDRE"} -Query = File.Path like r"%.kirbi" or File.Path like r"%mimilsa.log" -GenericProperty1 = File.Path - - -[ThreatDetectionRule platform=Windows] -# Detects the use of the Dinject PowerShell cradle based on the specific flags -# Author: Florian Roth (Nextron Systems) -RuleId = d78b5d61-187d-44b6-bf02-93486a80de5a -RuleName = HackTool - DInjector PowerShell Cradle Execution -EventType = Process.Start -Tag = proc-start-hacktool-dinjector-powershell-cradle-execution -RiskScore = 100 -Annotation = {"mitre_attack": ["T1055"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"% /am51%" and Process.CommandLine like r"% /password%" - - -[ThreatDetectionRule platform=Windows] -# Detects the use of the filename DumpStack.log to evade Microsoft Defender -# Author: Florian Roth (Nextron Systems) -RuleId = 4f647cfa-b598-4e12-ad69-c68dd16caef8 -RuleName = DumpStack.log Defender Evasion -EventType = Process.Start -Tag = proc-start-dumpstack.log-defender-evasion -RiskScore = 100 -Annotation = {"author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\DumpStack.log" or Process.CommandLine like r"% -o DumpStack.log%" - - [ThreatDetectionRule platform=Windows] # Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen # Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community -RuleId = 2fdefcb3-dbda-401e-ae23-f0db027628bc -RuleName = Sticky Key Like Backdoor Execution -EventType = Process.Start -Tag = proc-start-sticky-key-like-backdoor-execution +RuleId = 
baca5663-583c-45f9-b5dc-ea96a22ce542 +RuleName = Sticky Key Like Backdoor Usage - Registry +EventType = Reg.Any +Tag = sticky-key-like-backdoor-usage-registry RiskScore = 100 Annotation = {"mitre_attack": ["T1546.008"], "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community"} -Query = Parent.Path like r"%\\winlogon.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\wt.exe") and (Process.CommandLine like r"%sethc.exe%" or Process.CommandLine like r"%utilman.exe%" or Process.CommandLine like r"%osk.exe%" or Process.CommandLine like r"%Magnify.exe%" or Process.CommandLine like r"%Narrator.exe%" or Process.CommandLine like r"%DisplaySwitch.exe%") -GenericProperty1 = Parent.Path - - -[ThreatDetectionRule platform=Windows] -# By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. -# When the sticky keys are "activated" the privilleged shell is launched. -# Author: Sreeman -RuleId = 1070db9a-3e5d-412e-8e7b-7183b616e1b3 -RuleName = Persistence Via Sticky Key Backdoor -EventType = Process.Start -Tag = proc-start-persistence-via-sticky-key-backdoor -RiskScore = 100 -Annotation = {"mitre_attack": ["T1546.008"], "author": "Sreeman"} -Query = Process.CommandLine like r"%copy %" and Process.CommandLine like r"%/y %" and Process.CommandLine like r"%C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe%" - - -[ThreatDetectionRule platform=Windows] -# Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. 
-# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -RuleId = 614a7e17-5643-4d89-b6fe-f9df1a79641c -RuleName = Wmiprvse Wbemcomn DLL Hijack - File -EventType = File.Create -Tag = wmiprvse-wbemcomn-dll-hijack-file -RiskScore = 100 -Annotation = {"mitre_attack": ["T1047", "T1021.002"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} -Query = Process.Path == "System" and File.Path like r"%\\wbem\\wbemcomn.dll" -GenericProperty1 = File.Path - - -[ThreatDetectionRule platform=Windows] -# Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed -# Author: Florian Roth (Nextron Systems) -RuleId = 24e3e58a-646b-4b50-adef-02ef935b9fc8 -RuleName = Hacktool Execution - Imphash -EventType = Process.Start -Tag = proc-start-hacktool-execution-imphash -RiskScore = 100 -Annotation = {"mitre_attack": ["T1588.002", "T1003"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Hashes like r"%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%" or Process.Hashes like r"%IMPHASH=3A19059BD7688CB88E70005F18EFC439%" or Process.Hashes like r"%IMPHASH=bf6223a49e45d99094406777eb6004ba%" or Process.Hashes like r"%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%" or Process.Hashes like r"%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%" or Process.Hashes like r"%IMPHASH=F9A28C458284584A93B14216308D31BD%" or Process.Hashes like r"%IMPHASH=6118619783FC175BC7EBECFF0769B46E%" or Process.Hashes like r"%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%" or Process.Hashes like r"%IMPHASH=563233BFA169ACC7892451F71AD5850A%" or Process.Hashes like r"%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%" or Process.Hashes like r"%IMPHASH=13F08707F759AF6003837A150A371BA1%" or Process.Hashes like r"%IMPHASH=1781F06048A7E58B323F0B9259BE798B%" or Process.Hashes like r"%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%" or Process.Hashes like r"%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%" or Process.Hashes like 
r"%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%" or Process.Hashes like r"%IMPHASH=713C29B396B907ED71A72482759ED757%" or Process.Hashes like r"%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%" or Process.Hashes like r"%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%" or Process.Hashes like r"%IMPHASH=8B114550386E31895DFAB371E741123D%" or Process.Hashes like r"%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%" or Process.Hashes like r"%IMPHASH=9D68781980370E00E0BD939EE5E6C141%" or Process.Hashes like r"%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%" or Process.Hashes like r"%IMPHASH=CB567F9498452721D77A451374955F5F%" or Process.Hashes like r"%IMPHASH=730073214094CD328547BF1F72289752%" or Process.Hashes like r"%IMPHASH=17B461A082950FC6332228572138B80C%" or Process.Hashes like r"%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%" or Process.Hashes like r"%IMPHASH=819B19D53CA6736448F9325A85736792%" or Process.Hashes like r"%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%" or Process.Hashes like r"%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%" or Process.Hashes like r"%IMPHASH=0588081AB0E63BA785938467E1B10CCA%" or Process.Hashes like r"%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%" or Process.Hashes like r"%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%" or Process.Hashes like r"%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%" or Process.Hashes like r"%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%" or Process.Hashes like r"%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%" or Process.Hashes like r"%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%" or Process.Hashes like r"%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%" or Process.Hashes like r"%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%" or Process.Hashes like r"%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%" or Process.Hashes like r"%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%" or Process.Hashes like r"%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%" or Process.Hashes like r"%IMPHASH=FFDD59E0318B85A3E480874D9796D872%" or Process.Hashes like r"%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%" or Process.Hashes 
like r"%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%" or Process.Hashes like r"%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%" or Process.Hashes like r"%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%" or Process.Hashes like r"%IMPHASH=0E2216679CA6E1094D63322E3412D650%" or Process.Hashes like r"%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%" or Process.Hashes like r"%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%" or Process.Hashes like r"%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%" or Process.Hashes like r"%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%" or Process.Hashes like r"%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%" or Process.Hashes like r"%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%" or Process.Hashes like r"%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%" or Process.Hashes like r"%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%" or Process.Hashes like r"%IMPHASH=7D010C6BB6A3726F327F7E239166D127%" or Process.Hashes like r"%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%" or Process.Hashes like r"%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%" or Process.Hashes like r"%IMPHASH=5834ED4291BDEB928270428EBBAF7604%" or Process.Hashes like r"%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%" or Process.Hashes like r"%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%" or Process.Hashes like r"%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%" or Process.Hashes like r"%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%" or Process.Hashes like r"%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%" or Process.Hashes like r"%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%" or Process.Hashes like r"%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%" or Process.Hashes like r"%IMPHASH=09D278F9DE118EF09163C6140255C690%" or Process.Hashes like r"%IMPHASH=03866661686829d806989e2fc5a72606%" or Process.Hashes like r"%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%" or Process.Hashes like r"%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%" or Process.Hashes like r"%IMPHASH=19584675D94829987952432E018D5056%" or Process.Hashes like r"%IMPHASH=330768A4F172E10ACB6287B87289D83B%" or 
Process.Hashes like r"%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%" or Process.Hashes like r"%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%" or Process.Hashes like r"%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%" or Process.Hashes like r"%IMPHASH=96DF3A3731912449521F6F8D183279B1%" or Process.Hashes like r"%IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46%" or Process.Hashes like r"%IMPHASH=51791678F351C03A0EB4E2A7B05C6E17%" or Process.Hashes like r"%IMPHASH=25CE42B079282632708FC846129E98A5%" or Process.Hashes like r"%IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20%" or Process.Hashes like r"%IMPHASH=59223B5F52D8799D38E0754855CBDF42%" or Process.Hashes like r"%IMPHASH=81E75D8F1D276C156653D3D8813E4A43%" or Process.Hashes like r"%IMPHASH=17244E8B6B8227E57FE709CCAD421420%" or Process.Hashes like r"%IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4%" or Process.Hashes like r"%IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C%" or Process.Hashes like r"%IMPHASH=40445337761D80CF465136FAFB1F63E6%" or Process.Hashes like r"%IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6%" or Process.Hashes like r"%IMPHASH=B50199E952C875241B9CE06C971CE3C1%" -GenericProperty1 = Process.Hashes - - -[ThreatDetectionRule platform=Windows] -# Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory -# Author: Florian Roth (Nextron Systems) -RuleId = 2704ab9e-afe2-4854-a3b1-0c0706d03578 -RuleName = HackTool - Dumpert Process Dumper Execution -EventType = Process.Start -Tag = proc-start-hacktool-dumpert-process-dumper-execution -RiskScore = 100 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Hashes like r"%MD5=09D278F9DE118EF09163C6140255C690%" or Process.CommandLine like r"%Dumpert.dll%" -GenericProperty1 = Process.Hashes +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution 
Options\\utilman.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject diff --git a/config/uberAgent-ESA-am-sigma-high-macos.conf b/config/uberAgent-ESA-am-sigma-high-macos.conf index 38dcbcb6..0c2164f3 100644 --- a/config/uberAgent-ESA-am-sigma-high-macos.conf +++ b/config/uberAgent-ESA-am-sigma-high-macos.conf 
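Review bot: This hunk removes eight complete critical-severity rules (among them `Persistence Via Sticky Key Backdoor` 1070db9a-3e5d-412e-8e7b-7183b616e1b3, `Hacktool Execution - Imphash` 24e3e58a-646b-4b50-adef-02ef935b9fc8, `HackTool - Dumpert Process Dumper Execution` 2704ab9e-afe2-4854-a3b1-0c0706d03578, `Windows Credential Editor Registry` a6b33c02-8305-488f-8585-03cb2a7763f2 and `HackTool - Mimikatz Kirbi File Creation` 9e099d99-44c2-42b6-a6d8-54c3545cab29) while the commit message only says the rules were updated. The diffstat's identical insertion and deletion counts suggest these were moved rather than dropped, but that cannot be confirmed from this hunk, and a rule silently dropped here removes detection coverage without any reviewer noticing. Before merging, confirm that each removed `RuleId` still appears once elsewhere in the regenerated file, ideally with an automated check in the conversion workflow that compares the set of RuleIds before and after regeneration.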
@@ -7,42 +7,6 @@ # sigma convert -s -f conf -p uberagent-7.3.0 -O backend_version=7.3.0 -t uberagent /home/runner/work/uberAgent-config/uberAgent-config/build/sigma-high-macos >> uberAgent-ESA-am-sigma-high-macos.conf # -[ThreatDetectionRule platform=MacOS] -# Detects possible collection of data from the clipboard via execution of the osascript binary -# Author: Sohan G (D4rkCiph3r) -RuleId = 7794fa3c-edea-4cff-bec7-267dd4770fd7 -RuleName = Clipboard Data Collection Via OSAScript -EventType = Process.Start -Tag = proc-start-clipboard-data-collection-via-osascript -RiskScore = 75 -Annotation = {"mitre_attack": ["T1115", "T1059.002"], "author": "Sohan G (D4rkCiph3r)"} -Query = Process.CommandLine like r"%osascript%" and Process.CommandLine like r"% -e %" and Process.CommandLine like r"%clipboard%" - - -[ThreatDetectionRule platform=MacOS] -# Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device. -# Author: Tim Rauch (rule), Elastic (idea) -RuleId = f68c4a4f-19ef-4817-952c-50dce331f4b0 -RuleName = Potential WizardUpdate Malware Infection -EventType = Process.Start -Tag = proc-start-potential-wizardupdate-malware-infection -RiskScore = 75 -Annotation = {"author": "Tim Rauch (rule), Elastic (idea)"} -Query = Process.Path like r"%/sh" and Process.CommandLine like r"%=$(curl %" and Process.CommandLine like r"%eval%" or Process.Path like r"%/curl" and Process.CommandLine like r"%\_intermediate\_agent\_%" - - -[ThreatDetectionRule platform=MacOS] -# Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file. 
-# Author: Igor Fits, Mikhail Larin, oscd.community -RuleId = 95361ce5-c891-4b0a-87ca-e24607884a96 -RuleName = Binary Padding - MacOS -EventType = Process.Start -Tag = proc-start-binary-padding-macos -RiskScore = 75 -Annotation = {"mitre_attack": ["T1027.001"], "author": "Igor Fits, Mikhail Larin, oscd.community"} -Query = Process.Path like r"%/truncate" and Process.CommandLine like r"%-s +%" or Process.Path like r"%/dd" and (Process.CommandLine like r"%if=/dev/zero%" or Process.CommandLine like r"%if=/dev/random%" or Process.CommandLine like r"%if=/dev/urandom%") - - [ThreatDetectionRule platform=MacOS] # Detecting attempts to extract passwords with grep and laZagne # Author: Igor Fits, Mikhail Larin, oscd.community 
@@ -68,40 +32,52 @@ Query = Process.CommandLine like r"%osascript%" and Process.CommandLine like r"%
 
 
 [ThreatDetectionRule platform=MacOS]
-# Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
-# Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-RuleId = 09a910bf-f71f-4737-9c40-88880ba5913d
-RuleName = Potential Base64 Decoded From Images
+# Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
+# Author: Sohan G (D4rkCiph3r)
+RuleId = 69483748-1525-4a6c-95ca-90dc8d431b68
+RuleName = Suspicious Microsoft Office Child Process - MacOS
 EventType = Process.Start
-Tag = proc-start-potential-base64-decoded-from-images
+Tag = proc-start-suspicious-microsoft-office-child-process-macos
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1140"], "author": "Joseliyo Sanchez, @Joseliyo_Jstnk"}
-Query = Process.Path like r"%/bash" and Process.CommandLine like r"%tail%" and Process.CommandLine like r"%-c%" and Process.CommandLine like r"%base64%" and Process.CommandLine like r"%-d%" and Process.CommandLine like r"%>%" and (Process.CommandLine like r"%.avif%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jfif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.pjp%" or Process.CommandLine like r"%.pjpeg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.svg%" or Process.CommandLine like r"%.webp%")
+Annotation = {"mitre_attack": ["T1059.002", "T1137.002", "T1204.002"], "author": "Sohan G (D4rkCiph3r)"}
+Query = (Parent.Path like r"%Microsoft Word%" or Parent.Path like r"%Microsoft Excel%" or Parent.Path like r"%Microsoft PowerPoint%" or Parent.Path like r"%Microsoft OneNote%") and (Process.Path like r"%/bash" or Process.Path like r"%/curl" or Process.Path like r"%/dash" or Process.Path like r"%/fish" or Process.Path like r"%/osacompile" or Process.Path like r"%/osascript" or Process.Path like r"%/sh" or Process.Path like r"%/zsh" or Process.Path like r"%/python" or Process.Path like r"%/python3" or Process.Path like r"%/wget")
+GenericProperty1 = Parent.Path
 
 
 [ThreatDetectionRule platform=MacOS]
-# Detects potential suspicious run-only executions compiled using OSACompile
+# Detects possible collection of data from the clipboard via execution of the osascript binary
 # Author: Sohan G (D4rkCiph3r)
-RuleId = b9d9b652-d8ed-4697-89a2-a1186ee680ac
-RuleName = OSACompile Run-Only Execution
+RuleId = 7794fa3c-edea-4cff-bec7-267dd4770fd7
+RuleName = Clipboard Data Collection Via OSAScript
 EventType = Process.Start
-Tag = proc-start-osacompile-run-only-execution
+Tag = proc-start-clipboard-data-collection-via-osascript
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.002"], "author": "Sohan G (D4rkCiph3r)"}
-Query = Process.CommandLine like r"%osacompile%" and Process.CommandLine like r"% -x %" and Process.CommandLine like r"% -e %"
+Annotation = {"mitre_attack": ["T1115", "T1059.002"], "author": "Sohan G (D4rkCiph3r)"}
+Query = Process.CommandLine like r"%osascript%" and Process.CommandLine like r"% -e %" and Process.CommandLine like r"%clipboard%"
 
 
 [ThreatDetectionRule platform=MacOS]
-# Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
-# Author: Sohan G (D4rkCiph3r)
-RuleId = 69483748-1525-4a6c-95ca-90dc8d431b68
-RuleName = Suspicious Microsoft Office Child Process - MacOS
+# Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
+# Author: Igor Fits, Mikhail Larin, oscd.community
+RuleId = 95361ce5-c891-4b0a-87ca-e24607884a96
+RuleName = Binary Padding - MacOS
 EventType = Process.Start
-Tag = proc-start-suspicious-microsoft-office-child-process-macos
+Tag = proc-start-binary-padding-macos
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.002", "T1137.002", "T1204.002"], "author": "Sohan G (D4rkCiph3r)"}
-Query = (Parent.Path like r"%Microsoft Word%" or Parent.Path like r"%Microsoft Excel%" or Parent.Path like r"%Microsoft PowerPoint%" or Parent.Path like r"%Microsoft OneNote%") and (Process.Path like r"%/bash" or Process.Path like r"%/curl" or Process.Path like r"%/dash" or Process.Path like r"%/fish" or Process.Path like r"%/osacompile" or Process.Path like r"%/osascript" or Process.Path like r"%/sh" or Process.Path like r"%/zsh" or Process.Path like r"%/python" or Process.Path like r"%/python3" or Process.Path like r"%/wget")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1027.001"], "author": "Igor Fits, Mikhail Larin, oscd.community"}
+Query = Process.Path like r"%/truncate" and Process.CommandLine like r"%-s +%" or Process.Path like r"%/dd" and (Process.CommandLine like r"%if=/dev/zero%" or Process.CommandLine like r"%if=/dev/random%" or Process.CommandLine like r"%if=/dev/urandom%")
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
+# Author: Tim Rauch (rule), Elastic (idea)
+RuleId = f68c4a4f-19ef-4817-952c-50dce331f4b0
+RuleName = Potential WizardUpdate Malware Infection
+EventType = Process.Start
+Tag = proc-start-potential-wizardupdate-malware-infection
+RiskScore = 75
+Annotation = {"author": "Tim Rauch (rule), Elastic (idea)"}
+Query = Process.Path like r"%/sh" and Process.CommandLine like r"%=$(curl %" and Process.CommandLine like r"%eval%" or Process.Path like r"%/curl" and Process.CommandLine like r"%\_intermediate\_agent\_%"
 
 
 [ThreatDetectionRule platform=MacOS]
@@ -115,3 +91,27 @@ RiskScore = 75
 Annotation = {"mitre_attack": ["T1543.001", "T1543.004"], "author": "Sohan G (D4rkCiph3r)"}
 Query = Process.Path like r"%/PlistBuddy" and Process.CommandLine like r"%RunAtLoad%" and Process.CommandLine like r"%true%" and (Process.CommandLine like r"%LaunchAgents%" or Process.CommandLine like r"%LaunchDaemons%")
 
+
+[ThreatDetectionRule platform=MacOS]
+# Detects potential suspicious run-only executions compiled using OSACompile
+# Author: Sohan G (D4rkCiph3r)
+RuleId = b9d9b652-d8ed-4697-89a2-a1186ee680ac
+RuleName = OSACompile Run-Only Execution
+EventType = Process.Start
+Tag = proc-start-osacompile-run-only-execution
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1059.002"], "author": "Sohan G (D4rkCiph3r)"}
+Query = Process.CommandLine like r"%osacompile%" and Process.CommandLine like r"% -x %" and Process.CommandLine like r"% -e %"
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
+# Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+RuleId = 09a910bf-f71f-4737-9c40-88880ba5913d
+RuleName = Potential Base64 Decoded From Images
+EventType = Process.Start
+Tag = proc-start-potential-base64-decoded-from-images
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1140"], "author": "Joseliyo Sanchez, @Joseliyo_Jstnk"}
+Query = Process.Path like r"%/bash" and Process.CommandLine like r"%tail%" and Process.CommandLine like r"%-c%" and Process.CommandLine like r"%base64%" and Process.CommandLine like r"%-d%" and Process.CommandLine like r"%>%" and (Process.CommandLine like r"%.avif%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jfif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.pjp%" or Process.CommandLine like r"%.pjpeg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.svg%" or Process.CommandLine like r"%.webp%")
+
diff --git a/config/uberAgent-ESA-am-sigma-high-windows.conf b/config/uberAgent-ESA-am-sigma-high-windows.conf
index f05336b5..9f4d6e80 100644
--- a/config/uberAgent-ESA-am-sigma-high-windows.conf
+++ b/config/uberAgent-ESA-am-sigma-high-windows.conf
@@ -8,1483 +8,1525 @@
 #
 
 [ThreatDetectionRule platform=Windows]
-# Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
-# but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
-# Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-RuleId = b6f91281-20aa-446a-b986-38a92813a18f
-RuleName = DLL Search Order Hijackig Via Additional Space in Path
-EventType = File.Create
-Tag = dll-search-order-hijackig-via-additional-space-in-path
+# Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
+# Author: @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)
+RuleId = f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
+RuleName = MMC20 Lateral Movement
+EventType = Process.Start
+Tag = proc-start-mmc20-lateral-movement
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1574.002"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"}
-Query = (File.Path like r"C:\\Windows \\%" or File.Path like r"C:\\Program Files \\%" or File.Path like r"C:\\Program Files (x86) \\%") and File.Path like r"%.dll"
-GenericProperty1 = File.Path
+Annotation = {"mitre_attack": ["T1021.003"], "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)"}
+Query = Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mmc.exe" and Process.CommandLine like r"%-Embedding%"
+GenericProperty1 = Parent.Path
 
 
 [ThreatDetectionRule platform=Windows]
-# Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+# Detects usage of bitsadmin downloading a file using an URL that contains an IP
+# Author: Florian Roth (Nextron Systems)
+RuleId = 99c840f2-2012-46fd-9141-c761987550ef
+RuleName = Suspicious Download From Direct IP Via Bitsadmin
+EventType = Process.Start
+Tag = proc-start-suspicious-download-from-direct-ip-via-bitsadmin
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1197", "T1036.003"], "author": "Florian Roth (Nextron Systems)"}
+Query = (Process.Path like r"%\\bitsadmin.exe" or Process.Name == "bitsadmin.exe") and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%://1%" or Process.CommandLine like r"%://2%" or Process.CommandLine like r"%://3%" or Process.CommandLine like r"%://4%" or Process.CommandLine like r"%://5%" or Process.CommandLine like r"%://6%" or Process.CommandLine like r"%://7%" or Process.CommandLine like r"%://8%" or Process.CommandLine like r"%://9%") and not Process.CommandLine like r"%://7-%"
+
+
+[ThreatDetectionRule platform=Windows]
+# Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
+# Author: @kostastsale
+RuleId = e92a4287-e072-4a40-9739-370c106bb750
+RuleName = HackTool - SOAPHound Execution
+EventType = Process.Start
+Tag = proc-start-hacktool-soaphound-execution
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1087"], "author": "@kostastsale"}
+Query = (Process.CommandLine like r"% --buildcache %" or Process.CommandLine like r"% --bhdump %" or Process.CommandLine like r"% --certdump %" or Process.CommandLine like r"% --dnsdump %") and (Process.CommandLine like r"% -c %" or Process.CommandLine like r"% --cachefilename %" or Process.CommandLine like r"% -o %" or Process.CommandLine like r"% --outputdirectory%")
+
+
+[ThreatDetectionRule platform=Windows]
+# Detects when the "index" value of a scheduled task is modified from the registry
+# Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
 # Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = b110ebaf-697f-4da1-afd5-b536fa27a2c1
-RuleName = Potential Signing Bypass Via Windows Developer Features - Registry
+RuleId = 5b16df71-8615-4f7f-ac9b-6c43c0509e61
+RuleName = Hide Schedule Task Via Index Value Tamper
 EventType = Reg.Any
-Tag = potential-signing-bypass-via-windows-developer-features-registry
+Tag = hide-schedule-task-via-index-value-tamper
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock%" or Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows\\Appx\\%") and (Reg.TargetObject like r"%\\AllowAllTrustedApps" or Reg.TargetObject like r"%\\AllowDevelopmentWithoutDevLicense") and Reg.Value.Data == "DWORD (0x00000001)"
+Annotation = {"mitre_attack": ["T1562"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\%" and Reg.TargetObject like r"%Index%" and Reg.Value.Data == "DWORD (0x00000000)"
 Hive = HKLM,HKU
 GenericProperty1 = Reg.TargetObject
 GenericProperty2 = Reg.Value.Data
 
 
 [ThreatDetectionRule platform=Windows]
-# Detect the creation of a service with a service binary located in a suspicious directory
-# Author: Florian Roth (Nextron Systems), frack113
-RuleId = a07f0359-4c90-4dc4-a681-8ffea40b4f47
-RuleName = Service Binary in Suspicious Folder
-EventType = Reg.Any
-Tag = service-binary-in-suspicious-folder
+# Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
+# Author: frack113
+RuleId = e9b61244-893f-427c-b287-3e708f321c6b
+RuleName = Potential Privilege Escalation Using Symlink Between Osk and Cmd
+EventType = Process.Start
+Tag = proc-start-potential-privilege-escalation-using-symlink-between-osk-and-cmd
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1112"], "author": "Florian Roth (Nextron Systems), frack113"}
-Query = (Reg.TargetObject like r"HKLM\\System\\CurrentControlSet\\Services\\%" and Reg.TargetObject like r"%\\Start" and (Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\Perflogs\\%" or Process.Path like r"%\\ADMIN$\\%" or Process.Path like r"%\\Temp\\%") and (Reg.Value.Data in ["DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)"]) or Reg.TargetObject like r"HKLM\\System\\CurrentControlSet\\Services\\%" and Reg.TargetObject like r"%\\ImagePath" and (Reg.Value.Data like r"%\\Users\\Public\\%" or Reg.Value.Data like r"%\\Perflogs\\%" or Reg.Value.Data like r"%\\ADMIN$\\%" or Reg.Value.Data like r"%\\Temp\\%")) and not (Process.Path like r"%\\Common Files\\%" and Process.Path like r"%\\Temp\\%")
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
+Annotation = {"mitre_attack": ["T1546.008"], "author": "frack113"}
+Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%mklink%" and Process.CommandLine like r"%\\osk.exe%" and Process.CommandLine like r"%\\cmd.exe%"
 
 
 [ThreatDetectionRule platform=Windows]
-# Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories).
-# Usually this technique is used to achieve UAC bypass or privilege escalation.
-# Author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
-RuleId = 6b98b92b-4f00-4f62-b4fe-4d1920215771
-RuleName = Potential DLL Sideloading Of Non-Existent DLLs From System Folders
+# Detects usage of the Chisel tunneling tool via the commandline arguments
+# Author: Florian Roth (Nextron Systems)
+RuleId = 8b0e12da-d3c3-49db-bb4f-256703f380e5
+RuleName = PUA - Chisel Tunneling Tool Execution
+EventType = Process.Start
+Tag = proc-start-pua-chisel-tunneling-tool-execution
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1090.001"], "author": "Florian Roth (Nextron Systems)"}
+Query = Process.Path like r"%\\chisel.exe" or (Process.CommandLine like r"%exe client %" or Process.CommandLine like r"%exe server %") and (Process.CommandLine like r"%-socks5%" or Process.CommandLine like r"%-reverse%" or Process.CommandLine like r"% r:%" or Process.CommandLine like r"%:127.0.0.1:%" or Process.CommandLine like r"%-tls-skip-verify %" or Process.CommandLine like r"%:socks%")
+
+
+[ThreatDetectionRule platform=Windows]
+# Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 948a0953-f287-4806-bbcb-3b2e396df89f
+RuleName = Unsigned Mfdetours.DLL Sideloading
 EventType = Image.Load
-Tag = potential-dll-sideloading-of-non-existent-dlls-from-system-folders
+Tag = unsigned-mfdetours.dll-sideloading
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems), SBousseaden"}
-Query = (Image.Path like r"%:\\Windows\\System32\\TSMSISrv.dll" or Image.Path like r"%:\\Windows\\System32\\TSVIPSrv.dll" or Image.Path like r"%:\\Windows\\System32\\wbem\\wbemcomn.dll" or Image.Path like r"%:\\Windows\\System32\\WLBSCTRL.dll" or Image.Path like r"%:\\Windows\\System32\\wow64log.dll" or Image.Path like r"%:\\Windows\\System32\\WptsExtensions.dll") and not (Image.IsSigned == "true" and Image.SignatureStatus == "Valid" and Image.Signature == "Microsoft Windows")
+Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Image.Path like r"%\\mfdetours.dll" and not (Image.Path like r"%:\\Program Files (x86)\\Windows Kits\\10\\bin\\%" and Image.SignatureStatus == "Valid")
 GenericProperty1 = Image.Path
-GenericProperty2 = Image.IsSigned
-GenericProperty3 = Image.Signature
-GenericProperty4 = Image.SignatureStatus
+GenericProperty2 = Image.SignatureStatus
 
 
 [ThreatDetectionRule platform=Windows]
-# Detects the use of SDelete to erase a file not the free space
-# Author: frack113
-RuleId = a4824fca-976f-4964-b334-0621379e84c4
-RuleName = Potential File Overwrite Via Sysinternals SDelete
-EventType = Process.Start
-Tag = proc-start-potential-file-overwrite-via-sysinternals-sdelete
+# Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
+# Author: Florian Roth (Nextron Systems)
+RuleId = 7280c9f3-a5af-45d0-916a-bc01cb4151c9
+RuleName = Suspicious MSExchangeMailboxReplication ASPX Write
+EventType = File.Create
+Tag = suspicious-msexchangemailboxreplication-aspx-write
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1485"], "author": "frack113"}
-Query = Process.Name == "sdelete.exe" and not (Process.CommandLine like r"% -h%" or Process.CommandLine like r"% -c%" or Process.CommandLine like r"% -z%" or Process.CommandLine like r"% /?%")
+Annotation = {"mitre_attack": ["T1190", "T1505.003"], "author": "Florian Roth (Nextron Systems)"}
+Query = Process.Path like r"%\\MSExchangeMailboxReplication.exe" and (File.Path like r"%.aspx" or File.Path like r"%.asp")
+GenericProperty1 = File.Path
 
 
 [ThreatDetectionRule platform=Windows]
-# Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
-# Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
-# Author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
-RuleId = 17e53739-a1fc-4a62-b1b9-87711c2d5e44
-RuleName = Python Function Execution Security Warning Disabled In Excel - Registry
+# Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 976dd1f2-a484-45ec-aa1d-0e87e882262b
+RuleName = Potential Persistence Via CHM Helper DLL
 EventType = Reg.Any
-Tag = python-function-execution-security-warning-disabled-in-excel-registry
+Tag = potential-persistence-via-chm-helper-dll
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems), @Kostastsale"}
-Query = Reg.TargetObject like r"%\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Excel\\Security\\PythonFunctionWarnings" and Reg.Value.Data == "DWORD (0x00000001)"
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Reg.TargetObject like r"%\\Software\\Microsoft\\HtmlHelp Author\\Location%" or Reg.TargetObject like r"%\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author\\Location%"
 Hive = HKLM,HKU
 GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
 
 
 [ThreatDetectionRule platform=Windows]
-# Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-RuleId = bf4fc428-dcc3-4bbd-99fe-2422aeee2544
-RuleName = ETW Logging Disabled In .NET Processes - Sysmon Registry
-EventType = Reg.Any
-Tag = etw-logging-disabled-in-.net-processes-sysmon-registry
+# Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
+# Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
+RuleId = 4782eb5a-a513-4523-a0ac-f3082b26ac5c
+RuleName = Mshtml.DLL RunHTMLApplication Suspicious Usage
+EventType = Process.Start
+Tag = proc-start-mshtml.dll-runhtmlapplication-suspicious-usage
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1112", "T1562"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"}
-Query = Reg.TargetObject like r"%SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" and Reg.Value.Data == "DWORD (0x00000000)" or (Reg.TargetObject like r"%\\COMPlus\_ETWEnabled" or Reg.TargetObject like r"%\\COMPlus\_ETWFlags") and (Reg.Value.Data in [0, "DWORD (0x00000000)"])
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)"}
+Query = Process.CommandLine like r"%\\..\\%" and Process.CommandLine like r"%mshtml%" and (Process.CommandLine like r"%#135%" or Process.CommandLine like r"%RunHTMLApplication%")
 
 
 [ThreatDetectionRule platform=Windows]
-# Detects the creation of a macro file for Outlook.
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 117d3d3a-755c-4a61-b23e-9171146d094c
-RuleName = Suspicious Outlook Macro Created
-EventType = File.Create
-Tag = suspicious-outlook-macro-created
+# Detects VBScript content stored into registry keys as seen being used by UNC2452 group
+# Author: Florian Roth (Nextron Systems)
+RuleId = 46490193-1b22-4c29-bdd6-5bf63907216f
+RuleName = VBScript Payload Stored in Registry
+EventType = Reg.Any
+Tag = vbscript-payload-stored-in-registry
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1137", "T1008", "T1546"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = File.Path like r"%\\Microsoft\\Outlook\\VbaProject.OTM" and not Process.Path like r"%\\outlook.exe"
-GenericProperty1 = File.Path
+Annotation = {"mitre_attack": ["T1547.001"], "author": "Florian Roth (Nextron Systems)"}
+Query = Reg.TargetObject like r"%Software\\Microsoft\\Windows\\CurrentVersion%" and (Reg.Value.Data like r"%vbscript:%" or Reg.Value.Data like r"%jscript:%" or Reg.Value.Data like r"%mshtml,%" or Reg.Value.Data like r"%RunHTMLApplication%" or Reg.Value.Data like r"%Execute(%" or Reg.Value.Data like r"%CreateObject%" or Reg.Value.Data like r"%window.close%") and not (Reg.TargetObject like r"%Software\\Microsoft\\Windows\\CurrentVersion\\Run%" or Process.Path like r"%\\msiexec.exe" and Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\%" and (Reg.Value.Data like r"%\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll%" or Reg.Value.Data like r"%<\\Microsoft.mshtml,fileVersion=%" or Reg.Value.Data like r"%\_mshtml\_dll\_%" or Reg.Value.Data like r"%<\\Microsoft.mshtml,culture=%"))
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
+GenericProperty2 = Reg.Value.Data
 
 
 [ThreatDetectionRule platform=Windows]
-# Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
-# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-RuleId = b730a276-6b63-41b8-bcf8-55930c8fc6ee
-RuleName = Csc.EXE Execution Form Potentially Suspicious Parent
+# Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
+# Author: Alexander McDonald
+RuleId = 744a188b-0415-4792-896f-11ddb0588dbc
+RuleName = Potential Process Injection Via Msra.EXE
 EventType = Process.Start
-Tag = proc-start-csc.exe-execution-form-potentially-suspicious-parent
+Tag = proc-start-potential-process-injection-via-msra.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.005", "T1059.007", "T1218.005", "T1027.004"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)"}
-Query = (Process.Path like r"%\\csc.exe" or Process.Name == "csc.exe") and (Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\excel.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\onenote.exe" or Parent.Path like r"%\\outlook.exe" or Parent.Path like r"%\\powerpnt.exe" or Parent.Path like r"%\\winword.exe" or Parent.Path like r"%\\wscript.exe" or (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and (Parent.CommandLine like r"%-Encoded %" or Parent.CommandLine like r"%FromBase64String%") or Parent.CommandLine regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$" or Parent.CommandLine like r"%:\\PerfLogs\\%" or Parent.CommandLine like r"%:\\Users\\Public\\%" or Parent.CommandLine like r"%:\\Windows\\Temp\\%" or Parent.CommandLine like r"%\\Temporary Internet%" or Parent.CommandLine like r"%:\\Users\\%" and Parent.CommandLine like r"%\\Favorites\\%" or Parent.CommandLine like r"%:\\Users\\%" and Parent.CommandLine like r"%\\Favourites\\%" or Parent.CommandLine like r"%:\\Users\\%" and Parent.CommandLine like r"%\\Contacts\\%" or Parent.CommandLine like r"%:\\Users\\%" and Parent.CommandLine like r"%\\Pictures\\%") and not (Parent.Path like r"C:\\Program Files (x86)\\%" or Parent.Path like r"C:\\Program Files\\%" or Parent.Path == "C:\\Windows\\System32\\sdiagnhost.exe" or Parent.Path == "C:\\Windows\\System32\\inetsrv\\w3wp.exe") and not (Parent.Path == "C:\\ProgramData\\chocolatey\\choco.exe" or Parent.CommandLine like r"%\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection%" or Parent.CommandLine like r"%JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw%" or Parent.CommandLine like r"%cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA%" or Parent.CommandLine like r"%nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA%")
+Annotation = {"mitre_attack": ["T1055"], "author": "Alexander McDonald"}
+Query = Parent.Path like r"%\\msra.exe" and Parent.CommandLine like r"%msra.exe" and (Process.Path like r"%\\arp.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\nslookup.exe" or Process.Path like r"%\\route.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\whoami.exe")
 GenericProperty1 = Parent.Path
 GenericProperty2 = Parent.CommandLine
 
 
 [ThreatDetectionRule platform=Windows]
-# Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
-# Author: Bhabesh Raj
-RuleId = 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
-RuleName = Potential Mpclient.DLL Sideloading
-EventType = Image.Load
-Tag = potential-mpclient.dll-sideloading
+# Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
+# Author: Florian Roth (Nextron Systems)
+RuleId = 0a4f6091-223b-41f6-8743-f322ec84930b
+RuleName = Suspicious GUP Usage
+EventType = Process.Start
+Tag = proc-start-suspicious-gup-usage
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1574.002"], "author": "Bhabesh Raj"}
-Query = Image.Path like r"%\\mpclient.dll" and (Process.Path like r"%\\MpCmdRun.exe" or Process.Path like r"%\\NisSrv.exe") and not (Process.Path like r"C:\\Program Files (x86)\\Windows Defender\\%" or Process.Path like r"C:\\Program Files\\Microsoft Security Client\\%" or Process.Path like r"C:\\Program Files\\Windows Defender\\%" or Process.Path like r"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%")
-GenericProperty1 = Image.Path
+Annotation = {"mitre_attack": ["T1574.002"], "author": "Florian Roth (Nextron Systems)"}
+Query = Process.Path like r"%\\GUP.exe" and not (Process.Path like r"%\\Program Files\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Program Files (x86)\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Users\\%" and (Process.Path like r"%\\AppData\\Local\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe"))
 
 
 [ThreatDetectionRule platform=Windows]
-# Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
-# Author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-RuleId = a35f5a72-f347-4e36-8895-9869b0d5fc6d
-RuleName = Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
+# Detects the execution of Xwizard tool from a non-default directory.
+# When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
+# Author: Christian Burkard (Nextron Systems)
+RuleId = 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
+RuleName = Xwizard.EXE Execution From Non-Default Location
 EventType = Process.Start
-Tag = proc-start-suspicious-program-location-whitelisted-in-firewall-via-netsh.exe
+Tag = proc-start-xwizard.exe-execution-from-non-default-location
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1562.004"], "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community"}
-Query = (Process.Path like r"%\\netsh.exe" or Process.Name == "netsh.exe") and (Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%allowedprogram%" or Process.CommandLine like r"%advfirewall%" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%rule%" and Process.CommandLine like r"%action=allow%" and Process.CommandLine like r"%program=%") and (Process.CommandLine like r"%:\\$Recycle.bin\\%" or Process.CommandLine like r"%:\\RECYCLER.BIN\\%" or Process.CommandLine like r"%:\\RECYCLERS.BIN\\%" or Process.CommandLine like r"%:\\SystemVolumeInformation\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Users\\Default\\%" or Process.CommandLine like r"%:\\Users\\Desktop\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\addins\\%" or Process.CommandLine like r"%:\\Windows\\cursors\\%" or Process.CommandLine like r"%:\\Windows\\debug\\%" or Process.CommandLine like r"%:\\Windows\\drivers\\%" or Process.CommandLine like r"%:\\Windows\\fonts\\%" or Process.CommandLine like r"%:\\Windows\\help\\%" or Process.CommandLine like r"%:\\Windows\\system32\\tasks\\%" or Process.CommandLine like r"%:\\Windows\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Local Settings\\Temporary Internet Files\\%" or Process.CommandLine like r"%\\Temporary Internet Files\\Content.Outlook\\%" or Process.CommandLine like r"%\%Public\%\\%" or Process.CommandLine like r"%\%TEMP\%%" or Process.CommandLine like r"%\%TMP\%%")
+Annotation = {"mitre_attack": ["T1574.002"], "author": "Christian Burkard (Nextron Systems)"}
+Query = (Process.Path like r"%\\xwizard.exe" or Process.Name == "xwizard.exe") and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%")
 
 
 [ThreatDetectionRule platform=Windows]
-# Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
-# Author: Nasreddine Bencherchali (Nextron Systems), frack113
-RuleId = ec0722a3-eb5c-4a56-8ab2-bf6f20708592
-RuleName = Renamed Gpg.EXE Execution
-EventType = Process.Start
-Tag = proc-start-renamed-gpg.exe-execution
+# Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 833ef470-fa01-4631-a79b-6f291c9ac498
+RuleName = Add Debugger Entry To Hangs Key For Persistence
+EventType = Reg.Any
+Tag = add-debugger-entry-to-hangs-key-for-persistence
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1486"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113"}
-Query = Process.Name == "gpg.exe" and not (Process.Path like r"%\\gpg.exe" or Process.Path like r"%\\gpg2.exe")
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger%"
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
 
 
 [ThreatDetectionRule platform=Windows]
-# Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
-# This is used as an obfuscation and masquerading techniques.
-# Author: Micah Babinski, @micahbabinski
-RuleId = ad691d92-15f2-4181-9aa4-723c74f9ddc3
-RuleName = Potential Defense Evasion Via Right-to-Left Override
+# Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 6bd75993-9888-4f91-9404-e1e4e4e34b77
+RuleName = HackTool - LocalPotato Execution
 EventType = Process.Start
-Tag = proc-start-potential-defense-evasion-via-right-to-left-override
+Tag = proc-start-hacktool-localpotato-execution
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1036.002"], "author": "Micah Babinski, @micahbabinski"}
-Query = Process.CommandLine like r"%‮%"
-
-
-[ThreatDetectionRule platform=Windows]
-# Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
-# Author: Florian Roth (Nextron Systems)
-RuleId = b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c
-RuleName = Suspicious PowerShell Encoded Command Patterns
-EventType = Process.Start
-Tag = proc-start-suspicious-powershell-encoded-command-patterns
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"}
-Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.Exe", "pwsh.dll"]) and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% -en %" or Process.CommandLine like r"% -enc %" or Process.CommandLine like r"% -enco%") and (Process.CommandLine like r"% JAB%" or Process.CommandLine like r"% SUVYI%" or Process.CommandLine like r"% SQBFAFgA%" or Process.CommandLine like r"% aWV4I%" or Process.CommandLine like r"% IAB%" or Process.CommandLine like r"% PAA%" or Process.CommandLine like r"% aQBlAHgA%") and not (Parent.Path like 
r"%C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\%" or Parent.Path like r"%\\gc\_worker.exe%") -GenericProperty1 = Parent.Path - - -[ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading of "EACore.dll" -# Author: X__Junior (Nextron Systems) -RuleId = edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5 -RuleName = Potential EACore.DLL Sideloading -EventType = Image.Load -Tag = potential-eacore.dll-sideloading -RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} -Query = Image.Path like r"%\\EACore.dll" and not (Process.Path like r"%C:\\Program Files\\Electronic Arts\\EA Desktop\\%" and Process.Path like r"%\\EACoreServer.exe%" and Image.Path like r"C:\\Program Files\\Electronic Arts\\EA Desktop\\%") -GenericProperty1 = Image.Path +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\LocalPotato.exe" or Process.CommandLine like r"%.exe -i C:\\%" and Process.CommandLine like r"%-o Windows\\%" or Process.Hashes like r"%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%" or Process.Hashes like r"%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%" +GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Detects Azure Hybrid Connection Manager services querying the Azure service bus service -# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -RuleId = 7bd3902d-8b8b-4dd4-838a-c6862d40150d -RuleName = DNS HybridConnectionManager Service Bus -EventType = Dns.Query -Tag = dns-hybridconnectionmanager-service-bus +# Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. 
(Works only in powershell 7) +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 514e4c3a-c77d-4cde-a00f-046425e2301e +RuleName = Abuse of Service Permissions to Hide Services Via Set-Service +EventType = Process.Start +Tag = proc-start-abuse-of-service-permissions-to-hide-services-via-set-service RiskScore = 75 -Annotation = {"mitre_attack": ["T1554"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} -Query = Dns.QueryRequest like r"%servicebus.windows.net%" and Process.Path like r"%HybridConnectionManager%" -GenericProperty1 = Dns.QueryRequest +Annotation = {"mitre_attack": ["T1574.011"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\pwsh.exe" or Process.Name == "pwsh.dll") and Process.CommandLine like r"%Set-Service %" and Process.CommandLine like r"%DCLCWPDTSD%" and (Process.CommandLine like r"%-SecurityDescriptorSddl %" or Process.CommandLine like r"%-sd %") [ThreatDetectionRule platform=Windows] -# Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". -# Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe". -# Author: Swachchhanda Shrawan Poudel -RuleId = d2451be2-b582-4e15-8701-4196ac180260 -RuleName = Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE -EventType = Image.Load -Tag = potential-dll-sideloading-of-keyscramblerie.dll-via-keyscrambler.exe +# Detects execution of the "finger.exe" utility. +# Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. +# Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating. 
+# Author: Florian Roth (Nextron Systems), omkar72, oscd.community +RuleId = af491bca-e752-4b44-9c86-df5680533dbc +RuleName = Finger.EXE Execution +EventType = Process.Start +Tag = proc-start-finger.exe-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Swachchhanda Shrawan Poudel"} -Query = (Process.Path like r"%\\KeyScrambler.exe" or Process.Path like r"%\\KeyScramblerLogon.exe") and Image.Path like r"%\\KeyScramblerIE.dll" and not ((Process.Path like r"%C:\\Program Files (x86)\\KeyScrambler\\%" or Process.Path like r"%C:\\Program Files\\KeyScrambler\\%") and (Image.Path like r"%C:\\Program Files (x86)\\KeyScrambler\\%" or Image.Path like r"%C:\\Program Files\\KeyScrambler\\%") or Image.Signature == "QFX Software Corporation" and Image.SignatureStatus == "Valid") -GenericProperty1 = Image.Path -GenericProperty2 = Image.Signature -GenericProperty3 = Image.SignatureStatus +Annotation = {"mitre_attack": ["T1105"], "author": "Florian Roth (Nextron Systems), omkar72, oscd.community"} +Query = Process.Name == "finger.exe" or Process.Path like r"%\\finger.exe" [ThreatDetectionRule platform=Windows] -# Detects the use of NPS, a port forwarding and intranet penetration proxy server +# Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors # Author: Florian Roth (Nextron Systems) -RuleId = 68d37776-61db-42f5-bf54-27e87072d17e -RuleName = PUA - NPS Tunneling Tool Execution +RuleId = f14e169e-9978-4c69-acb3-1cff8200bc36 +RuleName = Suspicious GrpConv Execution EventType = Process.Start -Tag = proc-start-pua-nps-tunneling-tool-execution +Tag = proc-start-suspicious-grpconv-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1090"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\npc.exe" or Process.CommandLine like r"% -server=%" and Process.CommandLine like r"% -vkey=%" and Process.CommandLine like r"% 
-password=%" or Process.CommandLine like r"% -config=npc%" or Process.Hashes like r"%MD5=AE8ACF66BFE3A44148964048B826D005%" or Process.Hashes like r"%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%" or Process.Hashes like r"%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%" -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1547"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%grpconv.exe -o%" or Process.CommandLine like r"%grpconv -o%" [ThreatDetectionRule platform=Windows] -# Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files -# Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -RuleId = e66779cc-383e-4224-a3a4-267eeb585c40 -RuleName = Bypass UAC via CMSTP +# Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension +# Author: Aedan Russell, frack113, X__Junior (Nextron Systems) +RuleId = 27ba3207-dd30-4812-abbf-5d20c57d474e +RuleName = Suspicious Chromium Browser Instance Executed With Custom Extension EventType = Process.Start -Tag = proc-start-bypass-uac-via-cmstp -RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002", "T1218.003"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community"} -Query = (Process.Path like r"%\\cmstp.exe" or Process.Name == "CMSTP.EXE") and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%-s%" or Process.CommandLine like r"%/au%" or Process.CommandLine like r"%-au%" or Process.CommandLine like r"%/ni%" or Process.CommandLine like r"%-ni%") - - -[ThreatDetectionRule platform=Windows] -# Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive". 
-# Author: @kostastsale, Nasreddine Bencherchali (Nextron Systems) -RuleId = 31e124fb-5dc4-42a0-83b3-44a69c77b271 -RuleName = Antivirus Filter Driver Disallowed On Dev Drive - Registry -EventType = Reg.Any -Tag = antivirus-filter-driver-disallowed-on-dev-drive-registry +Tag = proc-start-suspicious-chromium-browser-instance-executed-with-custom-extension RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "@kostastsale, Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\FilterManager\\FltmgrDevDriveAllowAntivirusFilter" and Reg.Value.Data == "DWORD (0x00000000)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1176"], "author": "Aedan Russell, frack113, X__Junior (Nextron Systems)"} +Query = (Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\regsvr32.exe" or Parent.Path like r"%\\rundll32.exe" or Parent.Path like r"%\\wscript.exe") and (Process.Path like r"%\\brave.exe" or Process.Path like r"%\\chrome.exe" or Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\opera.exe" or Process.Path like r"%\\vivaldi.exe") and Process.CommandLine like r"%--load-extension=%" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location. 
-# Author: X__Junior (Nextron Systems) -RuleId = 0e0bc253-07ed-43f1-816d-e1b220fe8971 -RuleName = Potential RjvPlatform.DLL Sideloading From Non-Default Location -EventType = Image.Load -Tag = potential-rjvplatform.dll-sideloading-from-non-default-location +# Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) +# Author: Christian Burkard (Nextron Systems) +RuleId = 62ed5b55-f991-406a-85d9-e8e8fdf18789 +RuleName = UAC Bypass Using Consent and Comctl32 - File +EventType = File.Create +Tag = uac-bypass-using-consent-and-comctl32-file RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} -Query = Image.Path like r"%\\RjvPlatform.dll" and Process.Path == "\\SystemResetPlatform.exe" and not Process.Path like r"C:\\Windows\\System32\\SystemResetPlatform\\%" -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} +Query = File.Path like r"C:\\Windows\\System32\\consent.exe.@%" and File.Path like r"%\\comctl32.dll" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects usage of the Chisel tunneling tool via the commandline arguments +# Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. +# AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. +# Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious. 
# Author: Florian Roth (Nextron Systems) -RuleId = 8b0e12da-d3c3-49db-bb4f-256703f380e5 -RuleName = PUA - Chisel Tunneling Tool Execution -EventType = Process.Start -Tag = proc-start-pua-chisel-tunneling-tool-execution -RiskScore = 75 -Annotation = {"mitre_attack": ["T1090.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\chisel.exe" or (Process.CommandLine like r"%exe client %" or Process.CommandLine like r"%exe server %") and (Process.CommandLine like r"%-socks5%" or Process.CommandLine like r"%-reverse%" or Process.CommandLine like r"% r:%" or Process.CommandLine like r"%:127.0.0.1:%" or Process.CommandLine like r"%-tls-skip-verify %" or Process.CommandLine like r"%:socks%") - - -[ThreatDetectionRule platform=Windows] -# Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 99b7460d-c9f1-40d7-a316-1f36f61d52ee -RuleName = Cscript/Wscript Uncommon Script Extension Execution +RuleId = f4264e47-f522-4c38-a420-04525d5b880f +RuleName = Renamed AutoIt Execution EventType = Process.Start -Tag = proc-start-cscript/wscript-uncommon-script-extension-execution +Tag = proc-start-renamed-autoit-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.005", "T1059.007"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Name in ["wscript.exe", "cscript.exe"] or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%.csv%" or Process.CommandLine like r"%.dat%" or Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.ppt%" or Process.CommandLine like r"%.txt%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.xml%") +Annotation = {"mitre_attack": ["T1027"], "author": "Florian Roth 
(Nextron Systems)"} +Query = (Process.CommandLine like r"% /AutoIt3ExecuteScript%" or Process.CommandLine like r"% /ErrorStdOut%" or Process.Hashes like r"%IMPHASH=FDC554B3A8683918D731685855683DDF%" or Process.Hashes like r"%IMPHASH=CD30A61B60B3D60CECDB034C8C83C290%" or Process.Hashes like r"%IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000%" or Process.Name in ["AutoIt3.exe", "AutoIt2.exe", "AutoIt.exe"]) and not (Process.Path like r"%\\AutoIt.exe" or Process.Path like r"%\\AutoIt2.exe" or Process.Path like r"%\\AutoIt3\_x64.exe" or Process.Path like r"%\\AutoIt3.exe") +GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID -# Author: Florian Roth (Nextron Systems) -RuleId = fe63010f-8823-4864-a96b-a7b4a0f7b929 -RuleName = LSASS Process Reconnaissance Via Findstr.EXE +# Detects Obfuscated use of Environment Variables to execute PowerShell +# Author: Jonathan Cheong, oscd.community +RuleId = 27aec9c9-dbb0-4939-8422-1742242471d0 +RuleName = Invoke-Obfuscation VAR+ Launcher EventType = Process.Start -Tag = proc-start-lsass-process-reconnaissance-via-findstr.exe +Tag = proc-start-invoke-obfuscation-var+-launcher RiskScore = 75 -Annotation = {"mitre_attack": ["T1552.006"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\find.exe" or Process.Path like r"%\\findstr.exe" or Process.Name in ["FIND.EXE", "FINDSTR.EXE"]) and Process.CommandLine like r"%lsass%" or Process.CommandLine like r"% -i \"lsass%" or Process.CommandLine like r"% /i \"lsass%" or Process.CommandLine like r"% –i \"lsass%" or Process.CommandLine like r"% —i \"lsass%" or Process.CommandLine like r"% ―i \"lsass%" or Process.CommandLine like r"% -i lsass.exe%" or Process.CommandLine like r"% /i lsass.exe%" or Process.CommandLine like r"% –i lsass.exe%" or Process.CommandLine like r"% —i lsass.exe%" or Process.CommandLine like r"% ―i lsass.exe%" or 
Process.CommandLine like r"%findstr \"lsass%" or Process.CommandLine like r"%findstr lsass%" or Process.CommandLine like r"%findstr.exe \"lsass%" or Process.CommandLine like r"%findstr.exe lsass%" +Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Jonathan Cheong, oscd.community"} +Query = Process.CommandLine regex "cmd.{0,5}(?:/c|/r)(?:\\s|)\\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\\"" [ThreatDetectionRule platform=Windows] -# Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking -# Author: xknow @xknow_infosec, Tim Shelton -RuleId = 087790e3-3287-436c-bccf-cbd0184a7db1 -RuleName = Potential CommandLine Path Traversal Via Cmd.EXE +# Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface +# Author: Florian Roth (Nextron Systems), Elastic (idea) +RuleId = 49f2f17b-b4c8-4172-a68b-d5bf95d05130 +RuleName = UAC Bypass via ICMLuaUtil EventType = Process.Start -Tag = proc-start-potential-commandline-path-traversal-via-cmd.exe +Tag = proc-start-uac-bypass-via-icmluautil RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.003"], "author": "xknow @xknow_infosec, Tim Shelton"} -Query = (Parent.Path like r"%\\cmd.exe" or Process.Path like r"%\\cmd.exe" or Process.Name == "cmd.exe") and (Parent.CommandLine like r"%/c%" or Parent.CommandLine like r"%/k%" or Parent.CommandLine like r"%/r%" or Process.CommandLine like r"%/c%" or Process.CommandLine like r"%/k%" or Process.CommandLine like r"%/r%") and (Parent.CommandLine == "/../../" or Process.CommandLine like r"%/../../%") and not Process.CommandLine like r"%\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java%" +Annotation = {"mitre_attack": ["T1548.002"], "author": "Florian Roth (Nextron Systems), Elastic (idea)"} +Query = Parent.Path like r"%\\dllhost.exe" and (Parent.CommandLine like r"%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%" or Parent.CommandLine like 
r"%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%") and not (Process.Path like r"%\\WerFault.exe" or Process.Name == "WerFault.exe") GenericProperty1 = Parent.Path GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local -# Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = c5c00f49-b3f9-45a6-997e-cfdecc6e1967 -RuleName = Suspicious Schtasks Execution AppData Folder -EventType = Process.Start -Tag = proc-start-suspicious-schtasks-execution-appdata-folder +# Detects processes creating temp files related to PCRE.NET package +# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = 6e90ae7a-7cd3-473f-a035-4ebb72d961da +RuleName = PCRE.NET Package Temp Files +EventType = File.Create +Tag = pcre.net-package-temp-files RiskScore = 75 -Annotation = {"mitre_attack": ["T1053.005", "T1059.001"], "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create%" and Process.CommandLine like r"%/RU%" and Process.CommandLine like r"%/TR%" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\AppData\\Local\\%" and (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM %") and not (Parent.Path like r"%\\AppData\\Local\\Temp\\%" and Parent.Path like r"%TeamViewer\_.exe%" and Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/TN TVInstallRestore%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1059"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = File.Path like r"%\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\%" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of a specific OneLiner to download and execute powershell modules in memory. 
-# Author: @Kostastsale, @TheDFIRReport -RuleId = 44e24481-6202-4c62-9127-5a0ae8e3fe3d -RuleName = Obfuscated PowerShell OneLiner Execution +# Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors +# Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov +RuleId = 79ce34ca-af29-4d0e-b832-fc1b377020db +RuleName = Whoami.EXE Execution From Privileged Process EventType = Process.Start -Tag = proc-start-obfuscated-powershell-oneliner-execution +Tag = proc-start-whoami.exe-execution-from-privileged-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001", "T1562.001"], "author": "@Kostastsale, @TheDFIRReport"} -Query = Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%http://127.0.0.1%" and Process.CommandLine like r"%\%{(IRM $\_)}%" and Process.CommandLine like r"%.SubString.ToString()[67,72,64]-Join%" and Process.CommandLine like r"%Import-Module%" +Annotation = {"mitre_attack": ["T1033"], "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov"} +Query = (Process.Name == "whoami.exe" or Process.Path like r"%\\whoami.exe") and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%" or Process.User like r"%TrustedInstaller%") +GenericProperty1 = Process.User [ThreatDetectionRule platform=Windows] -# Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. -# Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. -# IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. 
-# Author: X__Junior (Nextron Systems) -RuleId = 9d8f9bb8-01af-4e15-a3a2-349071530530 -RuleName = Suspicious Path In Keyboard Layout IME File Registry Value +# Detects changes to "DsrmAdminLogonBehavior" registry value. +# During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. +# Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. +# If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. +# If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. +# If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used. 
+# Author: Nischal Khadgi +RuleId = b61e87c0-50db-4b2e-8986-6a2be94b33b0 +RuleName = Directory Service Restore Mode(DSRM) Registry Value Tampering EventType = Reg.Any -Tag = suspicious-path-in-keyboard-layout-ime-file-registry-value +Tag = directory-service-restore-mode(dsrm)-registry-value-tampering RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "X__Junior (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Control\\Keyboard Layouts\\%" and Reg.TargetObject like r"%Ime File%" and (Reg.Value.Data like r"%:\\Perflogs\\%" or Reg.Value.Data like r"%:\\Users\\Public\\%" or Reg.Value.Data like r"%:\\Windows\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Roaming\\%" or Reg.Value.Data like r"%\\Temporary Internet%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favorites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favourites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Contacts\\%") +Annotation = {"mitre_attack": ["T1556"], "author": "Nischal Khadgi"} +Query = Reg.TargetObject like r"%\\Control\\Lsa\\DsrmAdminLogonBehavior" and not Reg.Value.Data == "DWORD (0x00000000)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence -# The entries found under App Paths are used primarily for the following purposes. -# First, to map an application's executable file name to that file's fully qualified path. -# Second, to prepend information to the PATH environment variable on a per-application, per-process basis. 
-# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 707e097c-e20f-4f67-8807-1f72ff4500d6 -RuleName = Potential Persistence Via App Paths Default Property +# Detects disabling Windows Defender PUA protection +# Author: Austin Songer @austinsonger +RuleId = 8ffc5407-52e3-478f-9596-0a7371eafe13 +RuleName = Disable PUA Protection on Windows Defender EventType = Reg.Any -Tag = potential-persistence-via-app-paths-default-property +Tag = disable-pua-protection-on-windows-defender RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.012"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths%" and (Reg.TargetObject like r"%(Default)" or Reg.TargetObject like r"%Path") and (Reg.Value.Data like r"%\\Users\\Public%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%\\Windows\\Temp\\%" or Reg.Value.Data like r"%\\Desktop\\%" or Reg.Value.Data like r"%\\Downloads\\%" or Reg.Value.Data like r"%\%temp\%%" or Reg.Value.Data like r"%\%tmp\%%" or Reg.Value.Data like r"%iex%" or Reg.Value.Data like r"%Invoke-%" or Reg.Value.Data like r"%rundll32%" or Reg.Value.Data like r"%regsvr32%" or Reg.Value.Data like r"%mshta%" or Reg.Value.Data like r"%cscript%" or Reg.Value.Data like r"%wscript%" or Reg.Value.Data like r"%.bat%" or Reg.Value.Data like r"%.hta%" or Reg.Value.Data like r"%.dll%" or Reg.Value.Data like r"%.ps1%") +Annotation = {"mitre_attack": ["T1562.001"], "author": "Austin Songer @austinsonger"} +Query = Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows Defender\\PUAProtection%" and Reg.Value.Data == "DWORD (0x00000000)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file -# Author: 
Nasreddine Bencherchali (Nextron Systems) -RuleId = b98d0db6-511d-45de-ad02-e82a98729620 -RuleName = Remotely Hosted HTA File Executed Via Mshta.EXE +# Detection of unusual child processes by different system processes +# Author: Semanur Guneysu @semanurtg, oscd.community +RuleId = d522eca2-2973-4391-a3e0-ef0374321dae +RuleName = Abused Debug Privilege by Arbitrary Parent Processes EventType = Process.Start -Tag = proc-start-remotely-hosted-hta-file-executed-via-mshta.exe +Tag = proc-start-abused-debug-privilege-by-arbitrary-parent-processes RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\mshta.exe" or Process.Name == "MSHTA.EXE") and (Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%" or Process.CommandLine like r"%ftp://%") +Annotation = {"mitre_attack": ["T1548"], "author": "Semanur Guneysu @semanurtg, oscd.community"} +Query = (Parent.Path like r"%\\winlogon.exe" or Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\lsass.exe" or Parent.Path like r"%\\csrss.exe" or Parent.Path like r"%\\smss.exe" or Parent.Path like r"%\\wininit.exe" or Parent.Path like r"%\\spoolsv.exe" or Parent.Path like r"%\\searchindexer.exe") and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\cmd.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll", "Cmd.Exe"]) and not (Process.CommandLine like r"% route %" and Process.CommandLine like r"% ADD %") +GenericProperty1 = Parent.Path +GenericProperty2 = Process.User [ThreatDetectionRule platform=Windows] -# Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary +# Detects loading and execution of an unsigned thor scanner binary. 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = f10ed525-97fe-4fed-be7c-2feecca941b1 -RuleName = Persistence Via Hhctrl.ocx -EventType = Reg.Any -Tag = persistence-via-hhctrl.ocx +RuleId = ea5c131b-380d-49f9-aeb3-920694da4d4b +RuleName = Suspicious Unsigned Thor Scanner Execution +EventType = Image.Load +Tag = suspicious-unsigned-thor-scanner-execution RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)%" and not Reg.Value.Data == "C:\\Windows\\System32\\hhctrl.ocx" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\thor.exe" or Process.Path like r"%\\thor64.exe") and (Image.Path like r"%\\thor.exe" or Image.Path like r"%\\thor64.exe") and not (Image.IsSigned == "true" and Image.SignatureStatus == "valid" and Image.Signature == "Nextron Systems GmbH") +GenericProperty1 = Image.Path +GenericProperty2 = Image.IsSigned +GenericProperty3 = Image.Signature +GenericProperty4 = Image.SignatureStatus [ThreatDetectionRule platform=Windows] -# Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 40aa399c-7b02-4715-8e5f-73572b493f33 -RuleName = Suspicious File Download From IP Via Wget.EXE - Paths +# Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options. 
+# Author: Luca Di Bartolomeo (CrimpSec) +RuleId = 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d +RuleName = HackTool - SharpMove Tool Execution EventType = Process.Start -Tag = proc-start-suspicious-file-download-from-ip-via-wget.exe-paths +Tag = proc-start-hacktool-sharpmove-tool-execution RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\wget.exe" or Process.Name == "wget.exe") and Process.CommandLine regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and Process.CommandLine like r"%http%" and (Process.CommandLine regex "\\s-O\\s" or Process.CommandLine like r"%--output-document%") and (Process.CommandLine like r"%:\\PerfLogs\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\Help\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Favorites\\%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Favourites\\%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Contacts\\%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Pictures\\%") +Annotation = {"mitre_attack": ["T1021.002"], "author": "Luca Di Bartolomeo (CrimpSec)"} +Query = Process.Path like r"%\\SharpMove.exe" or Process.Name == "SharpMove.exe" or Process.CommandLine like r"%computername=%" and (Process.CommandLine like r"%action=create%" or Process.CommandLine like r"%action=dcom%" or Process.CommandLine like r"%action=executevbs%" or Process.CommandLine like r"%action=hijackdcom%" or Process.CommandLine like r"%action=modschtask%" or Process.CommandLine like r"%action=modsvc%" or Process.CommandLine like r"%action=query%" or Process.CommandLine like r"%action=scm%" or Process.CommandLine like r"%action=startservice%" or 
Process.CommandLine like r"%action=taskscheduler%") [ThreatDetectionRule platform=Windows] -# Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. -# Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine. -# Author: Swachchhanda Shrawan Poudel -RuleId = 8823e85d-31d8-473e-b7f4-92da070f0fc6 -RuleName = Suspicious ShellExec_RunDLL Call Via Ordinal +# Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory +# Author: Florian Roth (Nextron Systems) +RuleId = 1a1ed54a-2ba4-4221-94d5-01dee560d71e +RuleName = Renamed CreateDump Utility Execution EventType = Process.Start -Tag = proc-start-suspicious-shellexec_rundll-call-via-ordinal +Tag = proc-start-renamed-createdump-utility-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.011"], "author": "Swachchhanda Shrawan Poudel"} -Query = Parent.CommandLine like r"%SHELL32.DLL%" and (Parent.CommandLine like r"%#568%" or Parent.CommandLine like r"%#570%" or Parent.CommandLine like r"%#572%" or Parent.CommandLine like r"%#576%") and (Parent.CommandLine like r"%comspec%" or Parent.CommandLine like r"%iex%" or Parent.CommandLine like r"%Invoke-%" or Parent.CommandLine like r"%msiexec%" or Parent.CommandLine like r"%odbcconf%" or Parent.CommandLine like r"%regsvr32%" or Parent.CommandLine like r"%\\Desktop\\%" or Parent.CommandLine like r"%\\ProgramData\\%" or Parent.CommandLine like r"%\\Temp\\%" or Parent.CommandLine like r"%\\Users\\Public\\%" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\curl.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\msxsl.exe" or Process.Path like r"%\\odbcconf.exe" or Process.Path like r"%\\powershell.exe" 
or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") -GenericProperty1 = Parent.CommandLine +Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Name == "FX\_VER\_INTERNALNAME\_STR" or Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -f %" and Process.CommandLine like r"%.dmp%" or Process.CommandLine like r"% --full %" and Process.CommandLine like r"% --name %" and Process.CommandLine like r"%.dmp%") and not Process.Path like r"%\\createdump.exe" [ThreatDetectionRule platform=Windows] -# Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence. -# Author: Tom Ueltschi (@c_APT_ure), Tim Shelton -RuleId = 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 -RuleName = Uncommon Userinit Child Process +# Detects Obfuscated Powershell via Stdin in Scripts +# Author: Nikita Nazarov, oscd.community +RuleId = 9c14c9fa-1a63-4a64-8e57-d19280559490 +RuleName = Invoke-Obfuscation Via Stdin EventType = Process.Start -Tag = proc-start-uncommon-userinit-child-process +Tag = proc-start-invoke-obfuscation-via-stdin RiskScore = 75 -Annotation = {"mitre_attack": ["T1037.001"], "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton"} -Query = Parent.Path like r"%\\userinit.exe" and not Process.Path like r"%:\\WINDOWS\\explorer.exe" and not (Process.CommandLine like r"%netlogon.bat%" or Process.CommandLine like r"%UsrLogon.cmd%" or Process.CommandLine == "PowerShell.exe" or Process.Path like r"%:\\Windows\\System32\\proquota.exe" or Process.Path like r"%:\\Windows\\SysWOW64\\proquota.exe" or Process.Path like r"%:\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe" or Process.Path like r"%:\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe" or Process.Path like r"%:\\Program Files (x86)\\Citrix\\System32\\icast.exe" 
or Process.Path like r"%:\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe" or Process.Path like r"%:\\Program Files\\Citrix\\HDX\\bin\\icast.exe" or Process.Path like r"%:\\Program Files\\Citrix\\System32\\icast.exe" or isnull(Process.Path)) -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Nikita Nazarov, oscd.community"} +Query = Process.CommandLine regex "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"" [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 90ae0469-0cee-4509-b67f-e5efcef040f7 -RuleName = Aruba Network Service Potential DLL Sideloading +# Detects the creation of files with scripting or executable extensions by Mysql daemon. +# Which could be an indicator of "User Defined Functions" abuse to download malware. +# Author: Joseph Kamau +RuleId = c61daa90-3c1e-4f18-af62-8f288b5c9aaf +RuleName = Uncommon File Creation By Mysql Daemon Process +EventType = File.Create +Tag = uncommon-file-creation-by-mysql-daemon-process +RiskScore = 75 +Annotation = {"author": "Joseph Kamau"} +Query = (Process.Path like r"%\\mysqld.exe" or Process.Path like r"%\\mysqld-nt.exe") and (File.Path like r"%.bat" or File.Path like r"%.dat" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.ps1" or File.Path like r"%.psm1" or File.Path like r"%.vbe" or File.Path like r"%.vbs") +GenericProperty1 = File.Path + + +[ThreatDetectionRule platform=Windows] +# Detects processes loading modules related to PCRE.NET package +# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = 84b0a8f3-680b-4096-a45b-e9a89221727c +RuleName = PCRE.NET Package Image Load EventType = Image.Load -Tag = aruba-network-service-potential-dll-sideloading +Tag = pcre.net-package-image-load RiskScore = 75 
-Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\arubanetsvc.exe" and (Image.Path like r"%\\wtsapi32.dll" or Image.Path like r"%\\msvcr100.dll" or Image.Path like r"%\\msvcp100.dll" or Image.Path like r"%\\dbghelp.dll" or Image.Path like r"%\\dbgcore.dll" or Image.Path like r"%\\wininet.dll" or Image.Path like r"%\\iphlpapi.dll" or Image.Path like r"%\\version.dll" or Image.Path like r"%\\cryptsp.dll" or Image.Path like r"%\\cryptbase.dll" or Image.Path like r"%\\wldp.dll" or Image.Path like r"%\\profapi.dll" or Image.Path like r"%\\sspicli.dll" or Image.Path like r"%\\winsta.dll" or Image.Path like r"%\\dpapi.dll") and not (Image.Path like r"C:\\Windows\\System32\\%" or Image.Path like r"C:\\Windows\\SysWOW64\\%" or Image.Path like r"C:\\Windows\\WinSxS\\%") +Annotation = {"mitre_attack": ["T1059"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = Image.Path like r"%\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\%" GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects PowerShell script execution via input stream redirect -# Author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community -RuleId = c83bf4b5-cdf0-437c-90fa-43d734f7c476 -RuleName = Run PowerShell Script from Redirected Input Stream +# Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local +# Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = c5c00f49-b3f9-45a6-997e-cfdecc6e1967 +RuleName = Suspicious Schtasks Execution AppData Folder EventType = Process.Start -Tag = proc-start-run-powershell-script-from-redirected-input-stream +Tag = proc-start-suspicious-schtasks-execution-appdata-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community"} -Query = (Process.Path like r"%\\powershell.exe" or 
Process.Path like r"%\\pwsh.exe") and Process.CommandLine regex "\\s-\\s*<" +Annotation = {"mitre_attack": ["T1053.005", "T1059.001"], "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create%" and Process.CommandLine like r"%/RU%" and Process.CommandLine like r"%/TR%" and Process.CommandLine like r"%C:\\Users\\%" and Process.CommandLine like r"%\\AppData\\Local\\%" and (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM %") and not (Parent.Path like r"%\\AppData\\Local\\Temp\\%" and Parent.Path like r"%TeamViewer\_.exe%" and Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/TN TVInstallRestore%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. 
-# Author: Tim Rauch, Elastic (idea) -RuleId = 97dbf6e2-e436-44d8-abee-4261b24d3e41 -RuleName = Microsoft IIS Connection Strings Decryption +# Detects Obfuscated use of Clip.exe to execute PowerShell +# Author: Jonathan Cheong, oscd.community +RuleId = b222df08-0e07-11eb-adc1-0242ac120002 +RuleName = Invoke-Obfuscation CLIP+ Launcher EventType = Process.Start -Tag = proc-start-microsoft-iis-connection-strings-decryption +Tag = proc-start-invoke-obfuscation-clip+-launcher RiskScore = 75 -Annotation = {"mitre_attack": ["T1003"], "author": "Tim Rauch, Elastic (idea)"} -Query = (Process.Path like r"%\\aspnet\_regiis.exe" or Process.Name == "aspnet\_regiis.exe") and Process.CommandLine like r"%connectionStrings%" and Process.CommandLine like r"% -pdf%" +Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Jonathan Cheong, oscd.community"} +Query = Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%&&%" and Process.CommandLine like r"%clipboard]::%" and Process.CommandLine like r"%-f%" and (Process.CommandLine like r"%/c%" or Process.CommandLine like r"%/r%") [ThreatDetectionRule platform=Windows] -# Detects the pattern of a UAC bypass using Windows Event Viewer -# Author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems) -RuleId = 63e4f530-65dc-49cc-8f80-ccfa95c69d43 -RuleName = UAC Bypass Using EventVwr -EventType = File.Create -Tag = uac-bypass-using-eventvwr +# Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line. 
+# Author: Wojciech Lesicki +RuleId = ae9c6a7c-9521-42a6-915e-5aaa8689d529 +RuleName = CobaltStrike Load by Rundll32 +EventType = Process.Start +Tag = proc-start-cobaltstrike-load-by-rundll32 RiskScore = 75 -Annotation = {"author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)"} -Query = (File.Path like r"%\\Microsoft\\Event Viewer\\RecentViews" or File.Path like r"%\\Microsoft\\EventV~1\\RecentViews") and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1218.011"], "author": "Wojciech Lesicki"} +Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE" or Process.CommandLine like r"%rundll32.exe%" or Process.CommandLine like r"%rundll32 %") and Process.CommandLine like r"%.dll%" and (Process.CommandLine like r"% StartW" or Process.CommandLine like r"%,StartW") [ThreatDetectionRule platform=Windows] -# Get-Variable is a valid PowerShell cmdlet -# WindowsApps is by default in the path where PowerShell is executed. -# So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet. 
-# Author: frack113 -RuleId = 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b -RuleName = Suspicious Get-Variable.exe Creation -EventType = File.Create -Tag = suspicious-get-variable.exe-creation +# Detects potentially suspicious file downloads from file sharing domains using wget.exe +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = a0d7e4d2-bede-4141-8896-bc6e237e977c +RuleName = Suspicious File Download From File Sharing Domain Via Wget.EXE +EventType = Process.Start +Tag = proc-start-suspicious-file-download-from-file-sharing-domain-via-wget.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1546", "T1027"], "author": "frack113"} -Query = File.Path like r"%Local\\Microsoft\\WindowsApps\\Get-Variable.exe" -GenericProperty1 = File.Path +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\wget.exe" or Process.Name == "wget.exe") and (Process.CommandLine like r"%.githubusercontent.com%" or Process.CommandLine like r"%anonfiles.com%" or Process.CommandLine like r"%cdn.discordapp.com%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%dl.dropboxusercontent.com%" or Process.CommandLine like r"%ghostbin.co%" or Process.CommandLine like r"%glitch.me%" or Process.CommandLine like r"%gofile.io%" or Process.CommandLine like r"%hastebin.com%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like r"%mega.nz%" or Process.CommandLine like r"%onrender.com%" or Process.CommandLine like r"%pages.dev%" or Process.CommandLine like r"%paste.ee%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%pastebin.pl%" or Process.CommandLine like r"%pastetext.net%" or Process.CommandLine like r"%pixeldrain.com%" or Process.CommandLine like r"%privatlab.com%" or Process.CommandLine like r"%privatlab.net%" or Process.CommandLine like r"%send.exploit.in%" or Process.CommandLine like r"%sendspace.com%" or Process.CommandLine like r"%storage.googleapis.com%" or 
Process.CommandLine like r"%storjshare.io%" or Process.CommandLine like r"%supabase.co%" or Process.CommandLine like r"%temp.sh%" or Process.CommandLine like r"%transfer.sh%" or Process.CommandLine like r"%trycloudflare.com%" or Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%w3spaces.com%" or Process.CommandLine like r"%workers.dev%") and Process.CommandLine like r"%http%" and (Process.CommandLine regex "\\s-O\\s" or Process.CommandLine like r"%--output-document%") and (Process.CommandLine like r"%.ps1" or Process.CommandLine like r"%.ps1'" or Process.CommandLine like r"%.ps1\"" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.dat'" or Process.CommandLine like r"%.dat\"" or Process.CommandLine like r"%.msi" or Process.CommandLine like r"%.msi'" or Process.CommandLine like r"%.msi\"" or Process.CommandLine like r"%.bat" or Process.CommandLine like r"%.bat'" or Process.CommandLine like r"%.bat\"" or Process.CommandLine like r"%.exe" or Process.CommandLine like r"%.exe'" or Process.CommandLine like r"%.exe\"" or Process.CommandLine like r"%.vbs" or Process.CommandLine like r"%.vbs'" or Process.CommandLine like r"%.vbs\"" or Process.CommandLine like r"%.vbe" or Process.CommandLine like r"%.vbe'" or Process.CommandLine like r"%.vbe\"" or Process.CommandLine like r"%.hta" or Process.CommandLine like r"%.hta'" or Process.CommandLine like r"%.hta\"" or Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.dll'" or Process.CommandLine like r"%.dll\"" or Process.CommandLine like r"%.psm1" or Process.CommandLine like r"%.psm1'" or Process.CommandLine like r"%.psm1\"") [ThreatDetectionRule platform=Windows] -# Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files. 
-# Author: frack113 -RuleId = 74a12f18-505c-4114-8d0b-8448dd5485c6 -RuleName = PUA - Nimgrab Execution +# Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 10344bb3-7f65-46c2-b915-2d00d47be5b0 +RuleName = IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI EventType = Process.Start -Tag = proc-start-pua-nimgrab-execution +Tag = proc-start-ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-protocols-via-cli RiskScore = 75 -Annotation = {"mitre_attack": ["T1105"], "author": "frack113"} -Query = Process.Path like r"%\\nimgrab.exe" or Process.Hashes like r"%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%" or Process.Hashes like r"%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%" or Process.Hashes like r"%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%" -GenericProperty1 = Process.Hashes +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults%" and Process.CommandLine like r"%http%" and Process.CommandLine like r"% 0%" [ThreatDetectionRule platform=Windows] -# Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec +# Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. +# This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses. 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 -RuleName = Potential WinAPI Calls Via CommandLine -EventType = Process.Start -Tag = proc-start-potential-winapi-calls-via-commandline +RuleId = 145095eb-e273-443b-83d0-f9b519b7867b +RuleName = PDF File Created By RegEdit.EXE +EventType = File.Create +Tag = pdf-file-created-by-regedit.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1106"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.CommandLine like r"%AddSecurityPackage%" or Process.CommandLine like r"%AdjustTokenPrivileges%" or Process.CommandLine like r"%Advapi32%" or Process.CommandLine like r"%CloseHandle%" or Process.CommandLine like r"%CreateProcessWithToken%" or Process.CommandLine like r"%CreatePseudoConsole%" or Process.CommandLine like r"%CreateRemoteThread%" or Process.CommandLine like r"%CreateThread%" or Process.CommandLine like r"%CreateUserThread%" or Process.CommandLine like r"%DangerousGetHandle%" or Process.CommandLine like r"%DuplicateTokenEx%" or Process.CommandLine like r"%EnumerateSecurityPackages%" or Process.CommandLine like r"%FreeHGlobal%" or Process.CommandLine like r"%FreeLibrary%" or Process.CommandLine like r"%GetDelegateForFunctionPointer%" or Process.CommandLine like r"%GetLogonSessionData%" or Process.CommandLine like r"%GetModuleHandle%" or Process.CommandLine like r"%GetProcAddress%" or Process.CommandLine like r"%GetProcessHandle%" or Process.CommandLine like r"%GetTokenInformation%" or Process.CommandLine like r"%ImpersonateLoggedOnUser%" or Process.CommandLine like r"%kernel32%" or Process.CommandLine like r"%LoadLibrary%" or Process.CommandLine like r"%memcpy%" or Process.CommandLine like r"%MiniDumpWriteDump%" or Process.CommandLine like r"%ntdll%" or Process.CommandLine like r"%OpenDesktop%" or Process.CommandLine like r"%OpenProcess%" or Process.CommandLine like r"%OpenProcessToken%" or Process.CommandLine like r"%OpenThreadToken%" or 
Process.CommandLine like r"%OpenWindowStation%" or Process.CommandLine like r"%PtrToString%" or Process.CommandLine like r"%QueueUserApc%" or Process.CommandLine like r"%ReadProcessMemory%" or Process.CommandLine like r"%RevertToSelf%" or Process.CommandLine like r"%RtlCreateUserThread%" or Process.CommandLine like r"%secur32%" or Process.CommandLine like r"%SetThreadToken%" or Process.CommandLine like r"%VirtualAlloc%" or Process.CommandLine like r"%VirtualFree%" or Process.CommandLine like r"%VirtualProtect%" or Process.CommandLine like r"%WaitForSingleObject%" or Process.CommandLine like r"%WriteInt32%" or Process.CommandLine like r"%WriteProcessMemory%" or Process.CommandLine like r"%ZeroFreeGlobalAllocUnicode%") and not (Process.Path like r"%\\MpCmdRun.exe" and Process.CommandLine like r"%GetLoadLibraryWAddress32%") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\regedit.exe" and File.Path like r"%.pdf" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. -# By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. 
+# Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = c420410f-c2d8-4010-856b-dffe21866437 -RuleName = Enable LM Hash Storage +RuleId = 396ae3eb-4174-4b9b-880e-dc0364d78a19 +RuleName = Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting EventType = Reg.Any -Tag = enable-lm-hash-storage +Tag = potential-persistence-via-outlook-loadmacroprovideronboot-setting RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%System\\CurrentControlSet\\Control\\Lsa\\NoLMHash" and Reg.Value.Data == "DWORD (0x00000000)" +Annotation = {"mitre_attack": ["T1137", "T1008", "T1546"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Outlook\\LoadMacroProviderOnBoot" and Reg.Value.Data like r"%0x00000001%" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. -# Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. 
-# Author: @Kostastsale, Nasreddine Bencherchali (Nextron Systems) -RuleId = b0ce780f-10bd-496d-9067-066d23dc3aa5 -RuleName = HackTool - SharpWSUS/WSUSpendu Execution +# Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block +# Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community +RuleId = 4bf943c6-5146-4273-98dd-e958fd1e3abf +RuleName = Invoke-Obfuscation Obfuscated IEX Invocation EventType = Process.Start -Tag = proc-start-hacktool-sharpwsus/wsuspendu-execution +Tag = proc-start-invoke-obfuscation-obfuscated-iex-invocation RiskScore = 75 -Annotation = {"mitre_attack": ["T1210"], "author": "@Kostastsale, Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"% -Inject %" and (Process.CommandLine like r"% -PayloadArgs %" or Process.CommandLine like r"% -PayloadFile %") or (Process.CommandLine like r"% approve %" or Process.CommandLine like r"% create %" or Process.CommandLine like r"% check %" or Process.CommandLine like r"% delete %") and (Process.CommandLine like r"% /payload:%" or Process.CommandLine like r"% /payload=%" or Process.CommandLine like r"% /updateid:%" or Process.CommandLine like r"% /updateid=%") +Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community"} +Query = Process.CommandLine regex "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or Process.CommandLine regex "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or Process.CommandLine regex "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or Process.CommandLine regex "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or Process.CommandLine regex "\\*mdr\\*\\W\\s*\\)\\.Name" or Process.CommandLine regex "\\$VerbosePreference\\.ToString\\(" or Process.CommandLine regex "\\[String\\]\\s*\\$VerbosePreference" [ThreatDetectionRule platform=Windows] -# Detects adding and using Exchange PowerShell 
snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 -# Author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems) -RuleId = 25676e10-2121-446e-80a4-71ff8506af47 -RuleName = Exchange PowerShell Snap-Ins Usage -EventType = Process.Start -Tag = proc-start-exchange-powershell-snap-ins-usage +# Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel +# Author: frack113, Nasreddine Bencherchali (Nextron Systems) +RuleId = 2f78da12-f7c7-430b-8b19-a28f269b77a3 +RuleName = Disable Windows Event Logging Via Registry +EventType = Reg.Any +Tag = disable-windows-event-logging-via-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001", "T1114"], "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and Process.CommandLine like r"%Add-PSSnapin%" and (Process.CommandLine like r"%Microsoft.Exchange.Powershell.Snapin%" or Process.CommandLine like r"%Microsoft.Exchange.Management.PowerShell.SnapIn%") and not (Parent.Path == "C:\\Windows\\System32\\msiexec.exe" and Process.CommandLine like r"%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1562.002"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\%" and Reg.TargetObject like r"%\\Enabled" and Reg.Value.Data == "DWORD (0x00000000)" and not (Process.Path == "C:\\Windows\\system32\\wevtutil.exe" or Process.Path like r"C:\\Windows\\winsxs\\%" and Process.Path like r"%\\TiWorker.exe" or Process.Path == "C:\\Windows\\System32\\svchost.exe" and (Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter%" or Reg.TargetObject like 
r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1\\%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat\\%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error\\%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational\\%") or Process.Path == "C:\\Windows\\servicing\\TrustedInstaller.exe" and Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser%") and not (Process.Path == "" or isnull(Process.Path)) +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. -# Author: Florian Roth (Nextron Systems) -RuleId = 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 -RuleName = Potentially Suspicious Regsvr32 HTTP IP Pattern +# Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. +# Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. +# As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. 
+# Author: Perez Diego (@darkquassar), oscd.community, Ecco +RuleId = bdc64095-d59a-42a2-8588-71fd9c9d9abc +RuleName = Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded +EventType = Image.Load +Tag = suspicious-unsigned-dbghelp/dbgcore-dll-loaded +RiskScore = 75 +Annotation = {"mitre_attack": ["T1003.001"], "author": "Perez Diego (@darkquassar), oscd.community, Ecco"} +Query = (Image.Path like r"%\\dbghelp.dll" or Image.Path like r"%\\dbgcore.dll") and Image.IsSigned == "false" +GenericProperty1 = Image.Path +GenericProperty2 = Image.IsSigned + + +[ThreatDetectionRule platform=Windows] +# Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable. +# Author: Andreas Hunkeler (@Karneades) +RuleId = a537cfc3-4297-4789-92b5-345bfd845ad0 +RuleName = Service DACL Abuse To Hide Services Via Sc.EXE EventType = Process.Start -Tag = proc-start-potentially-suspicious-regsvr32-http-ip-pattern +Tag = proc-start-service-dacl-abuse-to-hide-services-via-sc.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.010"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\regsvr32.exe" or Process.Name == "REGSVR32.EXE") and (Process.CommandLine like r"% /i:http://1%" or Process.CommandLine like r"% /i:http://2%" or Process.CommandLine like r"% /i:http://3%" or Process.CommandLine like r"% /i:http://4%" or Process.CommandLine like r"% /i:http://5%" or Process.CommandLine like r"% /i:http://6%" or Process.CommandLine like r"% /i:http://7%" or Process.CommandLine like r"% /i:http://8%" or Process.CommandLine like r"% /i:http://9%" or Process.CommandLine like r"% /i:https://1%" or Process.CommandLine like r"% /i:https://2%" or Process.CommandLine like r"% /i:https://3%" or Process.CommandLine like r"% /i:https://4%" or Process.CommandLine like r"% /i:https://5%" or Process.CommandLine like r"% /i:https://6%" or Process.CommandLine like r"% /i:https://7%" or 
Process.CommandLine like r"% /i:https://8%" or Process.CommandLine like r"% /i:https://9%" or Process.CommandLine like r"% -i:http://1%" or Process.CommandLine like r"% -i:http://2%" or Process.CommandLine like r"% -i:http://3%" or Process.CommandLine like r"% -i:http://4%" or Process.CommandLine like r"% -i:http://5%" or Process.CommandLine like r"% -i:http://6%" or Process.CommandLine like r"% -i:http://7%" or Process.CommandLine like r"% -i:http://8%" or Process.CommandLine like r"% -i:http://9%" or Process.CommandLine like r"% -i:https://1%" or Process.CommandLine like r"% -i:https://2%" or Process.CommandLine like r"% -i:https://3%" or Process.CommandLine like r"% -i:https://4%" or Process.CommandLine like r"% -i:https://5%" or Process.CommandLine like r"% -i:https://6%" or Process.CommandLine like r"% -i:https://7%" or Process.CommandLine like r"% -i:https://8%" or Process.CommandLine like r"% -i:https://9%") +Annotation = {"mitre_attack": ["T1574.011"], "author": "Andreas Hunkeler (@Karneades)"} +Query = (Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and Process.CommandLine like r"%sdset%" and Process.CommandLine like r"%DCLCWPDTSD%" [ThreatDetectionRule platform=Windows] -# Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript +# Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. 
For example 'enable' or 'disable' accounts or change the password...etc
 # Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 811f459f-9231-45d4-959a-0266c6311987
-RuleName = Suspicious Child Process Of BgInfo.EXE
+RuleId = 5b768e71-86f2-4879-b448-81061cbae951
+RuleName = Suspicious Manipulation Of Default Accounts Via Net.EXE
 EventType = Process.Start
-Tag = proc-start-suspicious-child-process-of-bginfo.exe
+Tag = proc-start-suspicious-manipulation-of-default-accounts-via-net.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.005", "T1218", "T1202"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Parent.Path like r"%\\bginfo.exe" or Parent.Path like r"%\\bginfo64.exe") and (Process.Path like r"%\\calc.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\AppData\\Local\\%" or Process.Path like r"%\\AppData\\Roaming\\%" or Process.Path like r"%:\\Users\\Public\\%" or Process.Path like r"%:\\Temp\\%" or Process.Path like r"%:\\Windows\\Temp\\%" or Process.Path like r"%:\\PerfLogs\\%")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1560.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and Process.CommandLine like r"% user %" and (Process.CommandLine like r"% Järjestelmänvalvoja %" or Process.CommandLine like r"% Rendszergazda %" or Process.CommandLine like r"% Администратор %" or Process.CommandLine like r"% Administrateur %" or Process.CommandLine like r"% Administrador %" or Process.CommandLine like r"% Administratör %" or Process.CommandLine like r"% Administrator %" or Process.CommandLine like r"% guest %" or Process.CommandLine like r"% 
DefaultAccount %" or Process.CommandLine like r"% \"Järjestelmänvalvoja\" %" or Process.CommandLine like r"% \"Rendszergazda\" %" or Process.CommandLine like r"% \"Администратор\" %" or Process.CommandLine like r"% \"Administrateur\" %" or Process.CommandLine like r"% \"Administrador\" %" or Process.CommandLine like r"% \"Administratör\" %" or Process.CommandLine like r"% \"Administrator\" %" or Process.CommandLine like r"% \"guest\" %" or Process.CommandLine like r"% \"DefaultAccount\" %" or Process.CommandLine like r"% 'Järjestelmänvalvoja' %" or Process.CommandLine like r"% 'Rendszergazda' %" or Process.CommandLine like r"% 'Администратор' %" or Process.CommandLine like r"% 'Administrateur' %" or Process.CommandLine like r"% 'Administrador' %" or Process.CommandLine like r"% 'Administratör' %" or Process.CommandLine like r"% 'Administrator' %" or Process.CommandLine like r"% 'guest' %" or Process.CommandLine like r"% 'DefaultAccount' %") and not (Process.CommandLine like r"%guest%" and Process.CommandLine like r"%/active no%")
 [ThreatDetectionRule platform=Windows]
-# Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
-# Author: frack113
-RuleId = f0f7be61-9cf5-43be-9836-99d6ef448a18
-RuleName = Uninstall Crowdstrike Falcon Sensor
+# Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 4abc0ec4-db5a-412f-9632-26659cddf145
+RuleName = UEFI Persistence Via Wpbbin - ProcessCreation
 EventType = Process.Start
-Tag = proc-start-uninstall-crowdstrike-falcon-sensor
+Tag = proc-start-uefi-persistence-via-wpbbin-processcreation
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1562.001"], "author": "frack113"}
-Query = Process.CommandLine like r"%\\WindowsSensor.exe%" and Process.CommandLine like r"% /uninstall%" and Process.CommandLine like r"% 
/quiet%"
+Annotation = {"mitre_attack": ["T1542.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.Path == "C:\\Windows\\System32\\wpbbin.exe"
 [ThreatDetectionRule platform=Windows]
-# Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
-# Author: Florian Roth (Nextron Systems)
-RuleId = 4ebc877f-4612-45cb-b3a5-8e3834db36c9
-RuleName = Webshell Hacking Activity Patterns
+# Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = ebea773c-a8f1-42ad-a856-00cb221966e8
+RuleName = DLL Sideloading by VMware Xfer Utility
 EventType = Process.Start
-Tag = proc-start-webshell-hacking-activity-patterns
+Tag = proc-start-dll-sideloading-by-vmware-xfer-utility
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1505.003", "T1018", "T1033", "T1087"], "author": "Florian Roth (Nextron Systems)"}
-Query = (Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\ws\_tomcatservice.exe" or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%") or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Process.CommandLine like r"%catalina.jar%" or Process.CommandLine like r"%CATALINA\_HOME%")) and (Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%comsvcs%" or Process.CommandLine like r"% -hp%" and Process.CommandLine like r"% a %" and Process.CommandLine like r"% -m%" or Process.CommandLine like r"%net%" and Process.CommandLine like r"% user %" and Process.CommandLine like r"% /add%" or Process.CommandLine like r"%net%" and 
Process.CommandLine like r"% localgroup %" and Process.CommandLine like r"% administrators %" and Process.CommandLine like r"%/add%" or Process.Path like r"%\\ntdsutil.exe" or Process.Path like r"%\\ldifde.exe" or Process.Path like r"%\\adfind.exe" or Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\Nanodump.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\fsutil.exe" or Process.CommandLine like r"% -decode %" or Process.CommandLine like r"% -NoP %" or Process.CommandLine like r"% -W Hidden %" or Process.CommandLine like r"% /decode %" or Process.CommandLine like r"% /ticket:%" or Process.CommandLine like r"% sekurlsa%" or Process.CommandLine like r"%.dmp full%" or Process.CommandLine like r"%.downloadfile(%" or Process.CommandLine like r"%.downloadstring(%" or Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"%process call create%" or Process.CommandLine like r"%reg save %" or Process.CommandLine like r"%whoami /priv%")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.Path like r"%\\VMwareXferlogs.exe" and not Process.Path like r"C:\\Program Files\\VMware\\%"
 [ThreatDetectionRule platform=Windows]
-# Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
-# Author: Timon Hackenjos
-RuleId = 77564cc2-7382-438b-a7f6-395c2ae53b9a
-RuleName = Remote Thread Created In KeePass.EXE
-EventType = Process.CreateRemoteThread
-Tag = remote-thread-created-in-keepass.exe
+# Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
+# This binary can be abused for DLL injection, arbitrary command and process execution. 
+# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+RuleId = 6345b048-8441-43a7-9bed-541133633d7a
+RuleName = ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
+EventType = Process.Start
+Tag = proc-start-manageengine-endpoint-central-dctask64.exe-potential-abuse
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1555.005"], "author": "Timon Hackenjos"}
-Query = Process.Path like r"%\\KeePass.exe"
+Annotation = {"mitre_attack": ["T1055.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\dctask64.exe" or Process.Hashes like r"%IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD%" or Process.Hashes like r"%IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA%" or Process.Hashes like r"%IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3%" or Process.Hashes like r"%IMPHASH=F1039CED4B91572AB7847D26032E6BBF%") and (Process.CommandLine like r"% executecmd64 %" or Process.CommandLine like r"% invokeexe %" or Process.CommandLine like r"% injectDll %")
+GenericProperty1 = Process.Hashes
 [ThreatDetectionRule platform=Windows]
-# Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting
-# Author: D3F7A5105
-RuleId = 0cb8d736-995d-4ce7-a31e-1e8d452a1459
-RuleName = Potential EventLog File Location Tampering
-EventType = Reg.Any
-Tag = potential-eventlog-file-location-tampering
+# Detects the use of various CLI utilities exfiltrating data via web requests
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
+RuleName = Potential Data Exfiltration Activity Via CommandLine Tools
+EventType = Process.Start
+Tag = proc-start-potential-data-exfiltration-activity-via-commandline-tools
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1562.002"], "author": "D3F7A5105"}
-Query = Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\%" and Reg.TargetObject like r"%\\File" and not Reg.Value.Data like r"%\\System32\\Winevt\\Logs\\%"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
+Annotation = {"mitre_attack": ["T1059.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"%Invoke-WebRequest%" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%wget %" or Process.CommandLine like r"%curl %") and Process.CommandLine like r"% -ur%" and Process.CommandLine like r"% -me%" and Process.CommandLine like r"% -b%" and Process.CommandLine like r"% POST %" or Process.Path like r"%\\curl.exe" and Process.CommandLine like r"%--ur%" and (Process.CommandLine like r"% -d %" or Process.CommandLine like r"% --data %") or Process.Path like r"%\\wget.exe" and (Process.CommandLine like r"%--post-data%" or Process.CommandLine like r"%--post-file%")) and (Process.CommandLine like r"%Get-Content%" or Process.CommandLine like r"%GetBytes%" or Process.CommandLine like r"%hostname%" or Process.CommandLine like r"%ifconfig%" or 
Process.CommandLine like r"%ipconfig%" or Process.CommandLine like r"%net view%" or Process.CommandLine like r"%netstat%" or Process.CommandLine like r"%nltest%" or Process.CommandLine like r"%qprocess%" or Process.CommandLine like r"%sc query%" or Process.CommandLine like r"%systeminfo%" or Process.CommandLine like r"%tasklist%" or Process.CommandLine like r"%ToBase64String%" or Process.CommandLine like r"%whoami%" or Process.CommandLine like r"%type %" and Process.CommandLine like r"% > %" and Process.CommandLine like r"% C:\\%")
 [ThreatDetectionRule platform=Windows]
-# Detects potential persistence activity via outlook home page.
-# An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
-# Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
-RuleId = ddd171b5-2cc6-4975-9e78-f0eccd08cc76
-RuleName = Potential Persistence Via Outlook Home Page
+# Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. 
+# Author: Bhabesh Raj
+RuleId = 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
+RuleName = Potential Mpclient.DLL Sideloading
+EventType = Image.Load
+Tag = potential-mpclient.dll-sideloading
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1574.002"], "author": "Bhabesh Raj"}
+Query = Image.Path like r"%\\mpclient.dll" and (Process.Path like r"%\\MpCmdRun.exe" or Process.Path like r"%\\NisSrv.exe") and not (Process.Path like r"C:\\Program Files (x86)\\Windows Defender\\%" or Process.Path like r"C:\\Program Files\\Microsoft Security Client\\%" or Process.Path like r"C:\\Program Files\\Windows Defender\\%" or Process.Path like r"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%")
+GenericProperty1 = Image.Path
+
+
+[ThreatDetectionRule platform=Windows]
+# Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = ab871450-37dc-4a3a-997f-6662aa8ae0f1
+RuleName = Disable Macro Runtime Scan Scope
 EventType = Reg.Any
-Tag = potential-persistence-via-outlook-home-page
+Tag = disable-macro-runtime-scan-scope
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1112"], "author": "Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand"}
-Query = Reg.TargetObject like r"%\\Software\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Outlook\\WebView\\%" and Reg.TargetObject like r"%\\URL"
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Reg.TargetObject like r"%\\SOFTWARE\\%" and Reg.TargetObject like r"%\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Common\\Security%" and Reg.TargetObject like r"%\\MacroRuntimeScanScope" and Reg.Value.Data == "DWORD (0x00000000)"
 Hive = HKLM,HKU
 GenericProperty1 = Reg.TargetObject
+GenericProperty2 = Reg.Value.Data
 [ThreatDetectionRule platform=Windows]
-# Detects a suspicious child process of a Microsoft 
HTML Help (HH.exe)
-# Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
-RuleId = 52cad028-0ff0-4854-8f67-d25dfcbc78b4
-RuleName = HTML Help HH.EXE Suspicious Child Process
+# Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
+# Author: Bhabesh Raj
+RuleId = 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
+RuleName = Potential Mpclient.DLL Sideloading Via Defender Binaries
 EventType = Process.Start
-Tag = proc-start-html-help-hh.exe-suspicious-child-process
+Tag = proc-start-potential-mpclient.dll-sideloading-via-defender-binaries
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1047", "T1059.001", "T1059.003", "T1059.005", "T1059.007", "T1218", "T1218.001", "T1218.010", "T1218.011", "T1566", "T1566.001"], "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)"}
-Query = Parent.Path like r"%\\hh.exe" and (Process.Path like r"%\\CertReq.exe" or Process.Path like r"%\\CertUtil.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\installutil.exe" or Process.Path like r"%\\MSbuild.exe" or Process.Path like r"%\\MSHTA.EXE" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1574.002"], "author": "Bhabesh Raj"}
+Query = (Process.Path like r"%\\MpCmdRun.exe" or Process.Path like r"%\\NisSrv.exe") and not (Process.Path like r"C:\\Program Files (x86)\\Windows Defender\\%" or Process.Path like r"C:\\Program Files\\Microsoft Security Client\\%" or Process.Path like r"C:\\Program Files\\Windows Defender\\%" or Process.Path like r"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\%" or 
Process.Path like r"C:\\Windows\\WinSxS\\%")
 [ThreatDetectionRule platform=Windows]
-# Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
-# Author: Florian Roth (Nextron Systems)
-RuleId = 8d01b53f-456f-48ee-90f6-bc28e67d4e35
-RuleName = Suspicious Obfuscated PowerShell Code
-EventType = Process.Start
-Tag = proc-start-suspicious-obfuscated-powershell-code
+# Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
+# Author: Samir Bousseaden
+RuleId = 52753ea4-b3a0-4365-910d-36cff487b789
+RuleName = Hijack Legit RDP Session to Move Laterally
+EventType = File.Create
+Tag = hijack-legit-rdp-session-to-move-laterally
 RiskScore = 75
-Annotation = {"author": "Florian Roth (Nextron Systems)"}
-Query = Process.CommandLine like r"%IAAtAGIAeABvAHIAIAAwAHgA%" or Process.CommandLine like r"%AALQBiAHgAbwByACAAMAB4A%" or Process.CommandLine like r"%gAC0AYgB4AG8AcgAgADAAeA%" or Process.CommandLine like r"%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%" or Process.CommandLine like r"%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%" or Process.CommandLine like r"%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%" or Process.CommandLine like r"%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%" or Process.CommandLine like r"%B7ADEAfQB7ADAAfQAiACAALQBmAC%" or Process.CommandLine like r"%AewAxAH0AewAwAH0AIgAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%" or Process.CommandLine like r"%B7ADAAfQB7ADMAfQAiACAALQBmAC%" or Process.CommandLine like r"%AewAwAH0AewAzAH0AIgAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%" or Process.CommandLine like r"%B7ADIAfQB7ADAAfQAiACAALQBmAC%" or Process.CommandLine like r"%AewAyAH0AewAwAH0AIgAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%" or Process.CommandLine like r"%B7ADEAfQB7ADAAfQAnACAALQBmAC%" or Process.CommandLine like r"%AewAxAH0AewAwAH0AJwAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%" or 
Process.CommandLine like r"%B7ADAAfQB7ADMAfQAnACAALQBmAC%" or Process.CommandLine like r"%AewAwAH0AewAzAH0AJwAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%" or Process.CommandLine like r"%B7ADIAfQB7ADAAfQAnACAALQBmAC%" or Process.CommandLine like r"%AewAyAH0AewAwAH0AJwAgAC0AZgAg%"
+Annotation = {"mitre_attack": ["T1219"], "author": "Samir Bousseaden"}
+Query = Process.Path like r"%\\mstsc.exe" and File.Path like r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%"
+GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
-# Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
-RuleId = ca2092a1-c273-4878-9b4b-0d60115bf5ea
-RuleName = Suspicious Encoded PowerShell Command Line
+# Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
+# This is used as an obfuscation and masquerading techniques. 
+# Author: Micah Babinski, @micahbabinski
+RuleId = ad691d92-15f2-4181-9aa4-723c74f9ddc3
+RuleName = Potential Defense Evasion Via Right-to-Left Override
 EventType = Process.Start
-Tag = proc-start-suspicious-encoded-powershell-command-line
+Tag = proc-start-potential-defense-evasion-via-right-to-left-override
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community"}
-Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"% -e%" and (Process.CommandLine like r"% JAB%" or Process.CommandLine like r"% SUVYI%" or Process.CommandLine like r"% SQBFAFgA%" or Process.CommandLine like r"% aQBlAHgA%" or Process.CommandLine like r"% aWV4I%" or Process.CommandLine like r"% IAA%" or Process.CommandLine like r"% IAB%" or Process.CommandLine like r"% UwB%" or Process.CommandLine like r"% cwB%") or Process.CommandLine like r"%.exe -ENCOD %" or Process.CommandLine like r"% BA^J e-%") and not Process.CommandLine like r"% -ExecutionPolicy remotesigned %"
+Annotation = {"mitre_attack": ["T1036.002"], "author": "Micah Babinski, @micahbabinski"}
+Query = Process.CommandLine like r"%‮%"
 [ThreatDetectionRule platform=Windows]
-# Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
-# Author: pH-T (Nextron Systems)
-RuleId = 9c0295ce-d60d-40bd-bd74-84673b7592b1
-RuleName = Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
-EventType = Process.Start
-Tag = proc-start-suspicious-encoded-and-obfuscated-reflection-assembly-load-function-call
+# Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. 
+# Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+# IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
+# Author: X__Junior (Nextron Systems)
+RuleId = 9d8f9bb8-01af-4e15-a3a2-349071530530
+RuleName = Suspicious Path In Keyboard Layout IME File Registry Value
+EventType = Reg.Any
+Tag = suspicious-path-in-keyboard-layout-ime-file-registry-value
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.001", "T1027"], "author": "pH-T (Nextron Systems)"}
-Query = Process.CommandLine like r"%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%" or Process.CommandLine like r"%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%" or Process.CommandLine like r"%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%" or Process.CommandLine like r"%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%" or Process.CommandLine like r"%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%" or Process.CommandLine like r"%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%" or Process.CommandLine like r"%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%" or Process.CommandLine like r"%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%" or Process.CommandLine like r"%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%" or Process.CommandLine like r"%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%" or Process.CommandLine like r"%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%" or Process.CommandLine like r"%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%" or Process.CommandLine like r"%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%" or Process.CommandLine like r"%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%" or Process.CommandLine like r"%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%" or Process.CommandLine like r"%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%" or Process.CommandLine like r"%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%" or Process.CommandLine like r"%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%"
+Annotation = {"mitre_attack": ["T1562.001"], "author": 
"X__Junior (Nextron Systems)"}
+Query = Reg.TargetObject like r"%\\Control\\Keyboard Layouts\\%" and Reg.TargetObject like r"%Ime File%" and (Reg.Value.Data like r"%:\\Perflogs\\%" or Reg.Value.Data like r"%:\\Users\\Public\\%" or Reg.Value.Data like r"%:\\Windows\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Roaming\\%" or Reg.Value.Data like r"%\\Temporary Internet%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favorites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favourites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Contacts\\%")
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
+GenericProperty2 = Reg.Value.Data
 [ThreatDetectionRule platform=Windows]
-# Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
-# Author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
-RuleId = 2d3cdeec-c0db-45b4-aa86-082f7eb75701
-RuleName = Microsoft IIS Service Account Password Dumped
+# Detects PowerShell download and execution cradles. 
+# Author: Florian Roth (Nextron Systems)
+RuleId = 85b0b087-eddf-4a2b-b033-d771fa2b9775
+RuleName = PowerShell Download and Execution Cradles
 EventType = Process.Start
-Tag = proc-start-microsoft-iis-service-account-password-dumped
+Tag = proc-start-powershell-download-and-execution-cradles
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1003"], "author": "Tim Rauch, Janantha Marasinghe, Elastic (original idea)"}
-Query = (Process.Path like r"%\\appcmd.exe" or Process.Name == "appcmd.exe") and Process.CommandLine like r"%list %" and (Process.CommandLine like r"% /config%" or Process.CommandLine like r"% /xml%" or Process.CommandLine like r"% -config%" or Process.CommandLine like r"% -xml%" or (Process.CommandLine like r"% /@t%" or Process.CommandLine like r"% /text%" or Process.CommandLine like r"% /show%" or Process.CommandLine like r"% -@t%" or Process.CommandLine like r"% -text%" or Process.CommandLine like r"% -show%") and (Process.CommandLine like r"%:*%" or Process.CommandLine like r"%password%"))
+Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems)"}
+Query = (Process.CommandLine like r"%.DownloadString(%" or Process.CommandLine like r"%.DownloadFile(%" or Process.CommandLine like r"%Invoke-WebRequest %" or Process.CommandLine like r"%iwr %") and (Process.CommandLine like r"%;iex $%" or Process.CommandLine like r"%| IEX%" or Process.CommandLine like r"%|IEX %" or Process.CommandLine like r"%I`E`X%" or Process.CommandLine like r"%I`EX%" or Process.CommandLine like r"%IE`X%" or Process.CommandLine like r"%iex %" or Process.CommandLine like r"%IEX (%" or Process.CommandLine like r"%IEX(%" or Process.CommandLine like r"%Invoke-Expression%")
 [ThreatDetectionRule platform=Windows]
-# Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
-# Author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-RuleId 
= edadb1e5-5919-4e4c-8462-a9e643b02c4b
-RuleName = Process Memory Dump via RdrLeakDiag.EXE
+# WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
+# Author: Georg Lauenstein (sure[secure])
+RuleId = 98b53e78-ebaf-46f8-be06-421aafd176d9
+RuleName = HackTool - winPEAS Execution
 EventType = Process.Start
-Tag = proc-start-process-memory-dump-via-rdrleakdiag.exe
+Tag = proc-start-hacktool-winpeas-execution
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1003.001"], "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\rdrleakdiag.exe" or Process.Name == "RdrLeakDiag.exe") and (Process.CommandLine like r"%-memdmp%" or Process.CommandLine like r"%/memdmp%" or Process.CommandLine like r"%–memdmp%" or Process.CommandLine like r"%—memdmp%" or Process.CommandLine like r"%―memdmp%" or Process.CommandLine like r"%fullmemdmp%") and (Process.CommandLine like r"% -o %" or Process.CommandLine like r"% /o %" or Process.CommandLine like r"% –o %" or Process.CommandLine like r"% —o %" or Process.CommandLine like r"% ―o %" or Process.CommandLine like r"% -p %" or Process.CommandLine like r"% /p %" or Process.CommandLine like r"% –p %" or Process.CommandLine like r"% —p %" or Process.CommandLine like r"% ―p %")
+Annotation = {"mitre_attack": ["T1082", "T1087", "T1046"], "author": "Georg Lauenstein (sure[secure])"}
+Query = Process.Name == "winPEAS.exe" or Process.Path like r"%\\winPEASany\_ofs.exe" or Process.Path like r"%\\winPEASany.exe" or Process.Path like r"%\\winPEASx64\_ofs.exe" or Process.Path like r"%\\winPEASx64.exe" or Process.Path like r"%\\winPEASx86\_ofs.exe" or Process.Path like r"%\\winPEASx86.exe" or Process.CommandLine like r"% applicationsinfo%" or Process.CommandLine like r"% browserinfo%" or Process.CommandLine like r"% eventsinfo%" or Process.CommandLine like r"% 
fileanalysis%" or Process.CommandLine like r"% filesinfo%" or Process.CommandLine like r"% processinfo%" or Process.CommandLine like r"% servicesinfo%" or Process.CommandLine like r"% windowscreds%" or Process.CommandLine like r"%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%" or Parent.CommandLine like r"% -linpeas" or Process.CommandLine like r"% -linpeas"
+GenericProperty1 = Parent.CommandLine
 [ThreatDetectionRule platform=Windows]
-# Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
-# Author: Nasreddine Bencherchali (Nextron Systems), frack113
-RuleId = b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
-RuleName = Suspicious Double Extension Files
-EventType = File.Create
-Tag = suspicious-double-extension-files
+# Detects service path modification via the "sc" binary to a suspicious command or path
+# Author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+RuleId = 138d3531-8793-4f50-a2cd-f291b2863d78
+RuleName = Suspicious Service Path Modification
+EventType = Process.Start
+Tag = proc-start-suspicious-service-path-modification
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1036.007"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113"}
-Query = (File.Path like r"%.exe" or File.Path like r"%.iso" or File.Path like r"%.rar" or File.Path like r"%.zip") and (File.Path like r"%.doc.%" or File.Path like r"%.docx.%" or File.Path like r"%.jpg.%" or File.Path like r"%.pdf.%" or File.Path like r"%.ppt.%" or File.Path like r"%.pptx.%" or File.Path like r"%.xls.%" or File.Path like r"%.xlsx.%") or File.Path like r"%.rar.exe" or File.Path like r"%.zip.exe"
-GenericProperty1 = File.Path
+Annotation = {"mitre_attack": ["T1543.003"], "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%config%" and 
Process.CommandLine like r"%binPath%" and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%cmd %" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%svchost%" or Process.CommandLine like r"%dllhost%" or Process.CommandLine like r"%cmd.exe /c%" or Process.CommandLine like r"%cmd.exe /k%" or Process.CommandLine like r"%cmd.exe /r%" or Process.CommandLine like r"%cmd /c%" or Process.CommandLine like r"%cmd /k%" or Process.CommandLine like r"%cmd /r%" or Process.CommandLine like r"%C:\\Users\\Public%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%" or Process.CommandLine like r"%C:\\Windows\\TEMP\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%")
 [ThreatDetectionRule platform=Windows]
-# Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
+# Detects a suspicious printer driver installation with an empty Manufacturer value
 # Author: Florian Roth (Nextron Systems)
-RuleId = c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
-RuleName = WerFault LSASS Process Memory Dump
-EventType = File.Create
-Tag = werfault-lsass-process-memory-dump
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"}
-Query = Process.Path == "C:\\WINDOWS\\system32\\WerFault.exe" and (File.Path like r"%\\lsass%" or File.Path like r"%lsass.exe%")
-GenericProperty1 = File.Path
+RuleId = e0813366-0407-449a-9869-a2db1119dc41
+RuleName = Suspicious Printer Driver Empty Manufacturer
+EventType = Reg.Any
+Tag = suspicious-printer-driver-empty-manufacturer
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1574"], "author": "Florian Roth (Nextron Systems)"}
+Query = 
Reg.TargetObject like r"%\\Control\\Print\\Environments\\Windows x64\\Drivers%" and Reg.TargetObject like r"%\\Manufacturer%" and Reg.Value.Data == "(Empty)" and not (Reg.TargetObject like r"%\\CutePDF Writer v4.0\\%" or Reg.TargetObject like r"%\\VNC Printer (PS)\\%" or Reg.TargetObject like r"%\\VNC Printer (UD)\\%" or Reg.TargetObject like r"%\\Version-3\\PDF24\\%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access. -# Author: Ján Trenčanský -RuleId = 114e7f1c-f137-48c8-8f54-3088c24ce4b9 -RuleName = Remote Access Tool - AnyDesk Silent Installation +# Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). +# Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro +RuleId = ae215552-081e-44c7-805f-be16f975c8a2 +RuleName = Suspicious Debugger Registration Cmdline EventType = Process.Start -Tag = proc-start-remote-access-tool-anydesk-silent-installation +Tag = proc-start-suspicious-debugger-registration-cmdline RiskScore = 75 -Annotation = {"mitre_attack": ["T1219"], "author": "J\u00e1n Tren\u010dansk\u00fd"} -Query = Process.CommandLine like r"%--install%" and Process.CommandLine like r"%--start-with-win%" and Process.CommandLine like r"%--silent%" +Annotation = {"mitre_attack": ["T1546.008"], "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro"} +Query = Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\%" and (Process.CommandLine like r"%sethc.exe%" or Process.CommandLine like r"%utilman.exe%" or Process.CommandLine like r"%osk.exe%" or Process.CommandLine like r"%magnify.exe%" or Process.CommandLine like r"%narrator.exe%" or Process.CommandLine like r"%displayswitch.exe%" or Process.CommandLine like r"%atbroker.exe%" or Process.CommandLine like 
r"%HelpPane.exe%") [ThreatDetectionRule platform=Windows] -# Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe -# Author: Florian Roth (Nextron Systems) -RuleId = bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2 -RuleName = NtdllPipe Like Activity Execution +# Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros. +# Author: Antonlovesdnb +RuleId = e6ce8457-68b1-485b-9bdd-3c2b5d679aa9 +RuleName = VBA DLL Loaded Via Office Application +EventType = Image.Load +Tag = vba-dll-loaded-via-office-application +RiskScore = 75 +Annotation = {"mitre_attack": ["T1204.002"], "author": "Antonlovesdnb"} +Query = (Process.Path like r"%\\excel.exe" or Process.Path like r"%\\mspub.exe" or Process.Path like r"%\\onenote.exe" or Process.Path like r"%\\onenoteim.exe" or Process.Path like r"%\\outlook.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\winword.exe") and (Image.Path like r"%\\VBE7.DLL" or Image.Path like r"%\\VBEUI.DLL" or Image.Path like r"%\\VBE7INTL.DLL") +GenericProperty1 = Image.Path + + +[ThreatDetectionRule platform=Windows] +# Shadow Copies deletion using operating systems utilities +# Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) +RuleId = c947b146-0abc-4c87-9c64-b17e9d7274a2 +RuleName = Shadow Copies Deletion Using Operating Systems Utilities EventType = Process.Start -Tag = proc-start-ntdllpipe-like-activity-execution +Tag = proc-start-shadow-copies-deletion-using-operating-systems-utilities RiskScore = 75 -Annotation = {"author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%type \%windir\%\\system32\\ntdll.dll%" or Process.CommandLine like r"%type \%systemroot\%\\system32\\ntdll.dll%" or Process.CommandLine like r"%type c:\\windows\\system32\\ntdll.dll%" or Process.CommandLine like 
r"%\\ntdll.dll > \\\\.\\pipe\\%" +Annotation = {"mitre_attack": ["T1070", "T1490"], "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\diskshadow.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe"]) and Process.CommandLine like r"%shadow%" and Process.CommandLine like r"%delete%" or (Process.Path like r"%\\wbadmin.exe" or Process.Name == "WBADMIN.EXE") and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%catalog%" and Process.CommandLine like r"%quiet%" or (Process.Path like r"%\\vssadmin.exe" or Process.Name == "VSSADMIN.EXE") and Process.CommandLine like r"%resize%" and Process.CommandLine like r"%shadowstorage%" and (Process.CommandLine like r"%unbounded%" or Process.CommandLine like r"%/MaxSize=%") [ThreatDetectionRule platform=Windows] -# Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module. +# Detects the use of WinAPI Functions via the commandline. 
As seen used by threat actors via the tool winapiexec # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 3ab79e90-9fab-4cdf-a7b2-6522bc742adb -RuleName = HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators -EventType = File.Create -Tag = hacktool-remotekrbrelay-smb-relay-secrets-dump-module-indicators +RuleId = ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 +RuleName = Potential WinAPI Calls Via CommandLine +EventType = Process.Start +Tag = proc-start-potential-winapi-calls-via-commandline RiskScore = 75 -Annotation = {"mitre_attack": ["T1219"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path like r"%:\\windows\\temp\\sam.tmp" or File.Path like r"%:\\windows\\temp\\sec.tmp" or File.Path like r"%:\\windows\\temp\\sys.tmp" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1106"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.CommandLine like r"%AddSecurityPackage%" or Process.CommandLine like r"%AdjustTokenPrivileges%" or Process.CommandLine like r"%Advapi32%" or Process.CommandLine like r"%CloseHandle%" or Process.CommandLine like r"%CreateProcessWithToken%" or Process.CommandLine like r"%CreatePseudoConsole%" or Process.CommandLine like r"%CreateRemoteThread%" or Process.CommandLine like r"%CreateThread%" or Process.CommandLine like r"%CreateUserThread%" or Process.CommandLine like r"%DangerousGetHandle%" or Process.CommandLine like r"%DuplicateTokenEx%" or Process.CommandLine like r"%EnumerateSecurityPackages%" or Process.CommandLine like r"%FreeHGlobal%" or Process.CommandLine like r"%FreeLibrary%" or Process.CommandLine like r"%GetDelegateForFunctionPointer%" or Process.CommandLine like r"%GetLogonSessionData%" or Process.CommandLine like r"%GetModuleHandle%" or Process.CommandLine like r"%GetProcAddress%" or Process.CommandLine like r"%GetProcessHandle%" or Process.CommandLine like r"%GetTokenInformation%" or Process.CommandLine like r"%ImpersonateLoggedOnUser%" or 
Process.CommandLine like r"%kernel32%" or Process.CommandLine like r"%LoadLibrary%" or Process.CommandLine like r"%memcpy%" or Process.CommandLine like r"%MiniDumpWriteDump%" or Process.CommandLine like r"%ntdll%" or Process.CommandLine like r"%OpenDesktop%" or Process.CommandLine like r"%OpenProcess%" or Process.CommandLine like r"%OpenProcessToken%" or Process.CommandLine like r"%OpenThreadToken%" or Process.CommandLine like r"%OpenWindowStation%" or Process.CommandLine like r"%PtrToString%" or Process.CommandLine like r"%QueueUserApc%" or Process.CommandLine like r"%ReadProcessMemory%" or Process.CommandLine like r"%RevertToSelf%" or Process.CommandLine like r"%RtlCreateUserThread%" or Process.CommandLine like r"%secur32%" or Process.CommandLine like r"%SetThreadToken%" or Process.CommandLine like r"%VirtualAlloc%" or Process.CommandLine like r"%VirtualFree%" or Process.CommandLine like r"%VirtualProtect%" or Process.CommandLine like r"%WaitForSingleObject%" or Process.CommandLine like r"%WriteInt32%" or Process.CommandLine like r"%WriteProcessMemory%" or Process.CommandLine like r"%ZeroFreeGlobalAllocUnicode%") and not (Process.Path like r"%\\MpCmdRun.exe" and Process.CommandLine like r"%GetLoadLibraryWAddress32%") [ThreatDetectionRule platform=Windows] -# Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other. -# Author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems) -RuleId = edc2f8ae-2412-4dfd-b9d5-0c57727e70be -RuleName = Potential Powershell ReverseShell Connection -EventType = Process.Start -Tag = proc-start-potential-powershell-reverseshell-connection +# Detects the modification of Outlook security setting to allow unprompted execution of macros. 
+# Author: @ScoubiMtl +RuleId = e3b50fa5-3c3f-444e-937b-0a99d33731cd +RuleName = Outlook Macro Execution Without Warning Setting Enabled +EventType = Reg.Any +Tag = outlook-macro-execution-without-warning-setting-enabled RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Name in ["PowerShell.EXE", "pwsh.dll"] or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"% Net.Sockets.TCPClient%" and Process.CommandLine like r"%.GetStream(%" and Process.CommandLine like r"%.Write(%" +Annotation = {"mitre_attack": ["T1137", "T1008", "T1546"], "author": "@ScoubiMtl"} +Query = Reg.TargetObject like r"%\\Outlook\\Security\\Level" and Reg.Value.Data like r"%0x00000001%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.) 
-# Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) -RuleId = 646ea171-dded-4578-8a4d-65e9822892e3 -RuleName = Process Memory Dump Via Comsvcs.DLL -EventType = Process.Start -Tag = proc-start-process-memory-dump-via-comsvcs.dll +# Detects the deletion of registry keys containing the MSTSC connection history +# Author: Christian Burkard (Nextron Systems) +RuleId = 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d +RuleName = Terminal Server Client Connection History Cleared - Registry +EventType = Reg.Any +Tag = terminal-server-client-connection-history-cleared-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)"} -Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE" or Process.CommandLine like r"%rundll32%") and Process.CommandLine like r"%comsvcs%" and Process.CommandLine like r"%full%" and (Process.CommandLine like r"%#-%" or Process.CommandLine like r"%#+%" or Process.CommandLine like r"%#24%" or Process.CommandLine like r"%24 %" or Process.CommandLine like r"%MiniDump%" or Process.CommandLine like r"%#65560%") or Process.CommandLine like r"%24%" and Process.CommandLine like r"%comsvcs%" and Process.CommandLine like r"%full%" and (Process.CommandLine like r"% #%" or Process.CommandLine like r"%,#%" or Process.CommandLine like r"%, #%" or Process.CommandLine like r"%\"#%") +Annotation = {"mitre_attack": ["T1070", "T1112"], "author": "Christian Burkard (Nextron Systems)"} +Query = Reg.EventType == "DeleteValue" and Reg.TargetObject like r"%\\Microsoft\\Terminal Server Client\\Default\\MRU%" or Reg.EventType == "DeleteKey" and Reg.TargetObject like r"%\\Microsoft\\Terminal Server Client\\Servers\\%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.EventType 
[ThreatDetectionRule platform=Windows] -# Detects potentially suspicious child processes of "regsvr32.exe". -# Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca -RuleName = Potentially Suspicious Child Process Of Regsvr32 -EventType = Process.Start -Tag = proc-start-potentially-suspicious-child-process-of-regsvr32 +# Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) +# Author: Tim Rauch (Nextron Systems), Elastic (idea) +RuleId = 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 +RuleName = Unusual File Modification by dns.exe +EventType = File.Write +Tag = unusual-file-modification-by-dns.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.010"], "author": "elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = Parent.Path like r"%\\regsvr32.exe" and (Process.Path like r"%\\calc.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\explorer.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\nltest.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\werfault.exe" or Process.Path like r"%\\wscript.exe") and not (Process.Path like r"%\\werfault.exe" and Process.CommandLine like r"% -u -p %") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1133"], "author": "Tim Rauch (Nextron Systems), Elastic (idea)"} +Query = Process.Path like r"%\\dns.exe" and not File.Path like r"%\\dns.log" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or 
tamper with Windows Defender AV -# Author: Florian Roth (Nextron Systems) -RuleId = c6fb44c6-71f5-49e6-9462-1425d328aee3 -RuleName = Powershell Base64 Encoded MpPreference Cmdlet +# Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values +# Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport +RuleId = 0d5675be-bc88-4172-86d3-1e96a4476536 +RuleName = Potential Tampering With RDP Related Registry Keys Via Reg.EXE EventType = Process.Start -Tag = proc-start-powershell-base64-encoded-mppreference-cmdlet +Tag = proc-start-potential-tampering-with-rdp-related-registry-keys-via-reg.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%QWRkLU1wUHJlZmVyZW5jZS%" or Process.CommandLine like r"%FkZC1NcFByZWZlcmVuY2Ug%" or Process.CommandLine like r"%BZGQtTXBQcmVmZXJlbmNlI%" or Process.CommandLine like r"%U2V0LU1wUHJlZmVyZW5jZS%" or Process.CommandLine like r"%NldC1NcFByZWZlcmVuY2Ug%" or Process.CommandLine like r"%TZXQtTXBQcmVmZXJlbmNlI%" or Process.CommandLine like r"%YWRkLW1wcHJlZmVyZW5jZS%" or Process.CommandLine like r"%FkZC1tcHByZWZlcmVuY2Ug%" or Process.CommandLine like r"%hZGQtbXBwcmVmZXJlbmNlI%" or Process.CommandLine like r"%c2V0LW1wcHJlZmVyZW5jZS%" or Process.CommandLine like r"%NldC1tcHByZWZlcmVuY2Ug%" or Process.CommandLine like r"%zZXQtbXBwcmVmZXJlbmNlI%" or Process.CommandLine like r"%QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA%" or Process.CommandLine like r"%UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA%" or Process.CommandLine like 
r"%YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA%" or Process.CommandLine like r"%cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA%" +Annotation = {"mitre_attack": ["T1021.001", "T1112"], "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport"} +Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"% add %" and Process.CommandLine like r"%\\CurrentControlSet\\Control\\Terminal Server%" and Process.CommandLine like r"%REG\_DWORD%" and Process.CommandLine like r"% /f%" and (Process.CommandLine like r"%Licensing Core%" and Process.CommandLine like r"%EnableConcurrentSessions%" or Process.CommandLine like r"%WinStations\\RDP-Tcp%" or Process.CommandLine like r"%MaxInstanceCount%" or Process.CommandLine like r"%fEnableWinStation%" or Process.CommandLine like r"%TSUserEnabled%" or Process.CommandLine like r"%TSEnabled%" or Process.CommandLine like r"%TSAppCompat%" or Process.CommandLine like r"%IdleWinStationPoolCount%" or Process.CommandLine like r"%TSAdvertise%" or Process.CommandLine like r"%AllowTSConnections%" or Process.CommandLine like r"%fSingleSessionPerUser%" or Process.CommandLine like r"%fDenyTSConnections%") [ThreatDetectionRule platform=Windows] -# Detects tamper attempts to sophos av functionality via registry key modification +# Detects when an attacker register a new SIP provider for persistence and defense evasion # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 9f4662ac-17ca-43aa-8f12-5d7b989d0101 -RuleName = Tamper With Sophos AV Registry Keys +RuleId = 92772523-d9c1-4c93-9547-b0ca500baba3 +RuleName = Potential Persistence Via Mpnotify EventType = Reg.Any -Tag = 
tamper-with-sophos-av-registry-keys +Tag = potential-persistence-via-mpnotify RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Reg.TargetObject like r"%\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled%" or Reg.TargetObject like r"%\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled%" or Reg.TargetObject like r"%\\Sophos\\SAVService\\TamperProtection\\Enabled%") and Reg.Value.Data == "DWORD (0x00000000)" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify%" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 160d2780-31f7-4922-8b3a-efce30e63e96 -RuleName = Potential AMSI COM Server Hijacking -EventType = Reg.Any -Tag = potential-amsi-com-server-hijacking +# Detects suspicious Windows Error Reporting manager (wermgr.exe) child process +# Author: Florian Roth (Nextron Systems) +RuleId = 396f6630-f3ac-44e3-bfc8-1b161bc00c4e +RuleName = Suspicious Child Process Of Wermgr.EXE +EventType = Process.Start +Tag = proc-start-suspicious-child-process-of-wermgr.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)" and not Reg.Value.Data == "\%windir\%\\system32\\amsi.dll" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1055", "T1036"], "author": "Florian Roth (Nextron Systems)"} +Query = Parent.Path like r"%\\wermgr.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\ipconfig.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\nslookup.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\wscript.exe") and not (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%C:\\Windows\\system32\\WerConCpl.dll%" and Process.CommandLine like r"%LaunchErcApp %" and (Process.CommandLine like r"%-queuereporting%" or 
Process.CommandLine like r"%-responsepester%")) +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 10344bb3-7f65-46c2-b915-2d00d47be5b0 -RuleName = IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI +# Detects command line parameters used by Koadic hack tool +# Author: wagga, Jonhnathan Ribeiro, oscd.community +RuleId = 5cddf373-ef00-4112-ad72-960ac29bac34 +RuleName = HackTool - Koadic Execution EventType = Process.Start -Tag = proc-start-ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-protocols-via-cli +Tag = proc-start-hacktool-koadic-execution RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults%" and Process.CommandLine like r"%http%" and Process.CommandLine like r"% 0%" +Annotation = {"mitre_attack": ["T1059.003", "T1059.005", "T1059.007"], "author": "wagga, Jonhnathan Ribeiro, oscd.community"} +Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%/q%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%chcp%" [ThreatDetectionRule platform=Windows] -# Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities -# Author: Vadim Varganov, Florian Roth (Nextron Systems) -RuleId = 318557a5-150c-4c8d-b70e-a9910e199857 -RuleName = File Creation In Suspicious Directory By Msdt.EXE +# Detects programs on a Windows system that should not write scripts to disk +# Author: frack113, 
Florian Roth (Nextron Systems) +RuleId = 7d604714-e071-49ff-8726-edeb95a70679 +RuleName = Legitimate Application Dropped Script EventType = File.Create -Tag = file-creation-in-suspicious-directory-by-msdt.exe +Tag = legitimate-application-dropped-script RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.001"], "author": "Vadim Varganov, Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\msdt.exe" and (File.Path like r"%\\Desktop\\%" or File.Path like r"%\\Start Menu\\Programs\\Startup\\%" or File.Path like r"%C:\\PerfLogs\\%" or File.Path like r"%C:\\ProgramData\\%" or File.Path like r"%C:\\Users\\Public\\%") +Annotation = {"mitre_attack": ["T1218"], "author": "frack113, Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\eqnedt32.exe" or Process.Path like r"%\\wordpad.exe" or Process.Path like r"%\\wordview.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\certoc.exe" or Process.Path like r"%\\CertReq.exe" or Process.Path like r"%\\Desktopimgdownldr.exe" or Process.Path like r"%\\esentutl.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\AcroRd32.exe" or Process.Path like r"%\\RdrCEF.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\finger.exe") and (File.Path like r"%.ps1" or File.Path like r"%.bat" or File.Path like r"%.vbs" or File.Path like r"%.scf" or File.Path like r"%.wsf" or File.Path like r"%.wsh") GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of "logman" utility in order to disable or delete Windows trace sessions -# Author: Florian Roth (Nextron Systems) -RuleId = cd1f961e-0b96-436b-b7c6-38da4583ec00 -RuleName = Suspicious Windows Trace ETW Session Tamper Via Logman.EXE -EventType = Process.Start -Tag = proc-start-suspicious-windows-trace-etw-session-tamper-via-logman.exe +# Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence. 
+# Author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 0e20c89d-2264-44ae-8238-aeeaba609ece +RuleName = Potential Persistence Via Microsoft Office Startup Folder +EventType = File.Create +Tag = potential-persistence-via-microsoft-office-startup-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001", "T1070.001"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\logman.exe" or Process.Name == "Logman.exe") and (Process.CommandLine like r"%stop %" or Process.CommandLine like r"%delete %") and (Process.CommandLine like r"%Circular Kernel Context Logger%" or Process.CommandLine like r"%EventLog-%" or Process.CommandLine like r"%SYSMON TRACE%" or Process.CommandLine like r"%SysmonDnsEtwSession%") +Annotation = {"mitre_attack": ["T1137"], "author": "Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = ((File.Path like r"%\\Microsoft\\Word\\STARTUP%" or File.Path like r"%\\Office%" and File.Path like r"%\\Program Files%" and File.Path like r"%\\STARTUP%") and (File.Path like r"%.doc" or File.Path like r"%.docm" or File.Path like r"%.docx" or File.Path like r"%.dot" or File.Path like r"%.dotm" or File.Path like r"%.rtf") or (File.Path like r"%\\Microsoft\\Excel\\XLSTART%" or File.Path like r"%\\Office%" and File.Path like r"%\\Program Files%" and File.Path like r"%\\XLSTART%") and (File.Path like r"%.xls" or File.Path like r"%.xlsm" or File.Path like r"%.xlsx" or File.Path like r"%.xlt" or File.Path like r"%.xltm")) and not (Process.Path like r"%\\WINWORD.exe" or Process.Path like r"%\\EXCEL.exe") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of REGSVR32.exe with DLL files masquerading as other files -# Author: Florian Roth (Nextron Systems), frack113 -RuleId = 089fc3d2-71e8-4763-a8a5-c97fbb0a403e -RuleName = Regsvr32 DLL Execution With Suspicious File Extension +# Detects a suspicious call to Invoke-WebRequest cmdlet 
where the and output is located in a suspicious location +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc +RuleName = Suspicious Invoke-WebRequest Execution EventType = Process.Start -Tag = proc-start-regsvr32-dll-execution-with-suspicious-file-extension +Tag = proc-start-suspicious-invoke-webrequest-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.010"], "author": "Florian Roth (Nextron Systems), frack113"} -Query = (Process.Path like r"%\\regsvr32.exe" or Process.Name == "REGSVR32.EXE") and (Process.CommandLine like r"%.bin" or Process.CommandLine like r"%.bmp" or Process.CommandLine like r"%.cr2" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.eps" or Process.CommandLine like r"%.gif" or Process.CommandLine like r"%.ico" or Process.CommandLine like r"%.jpeg" or Process.CommandLine like r"%.jpg" or Process.CommandLine like r"%.nef" or Process.CommandLine like r"%.orf" or Process.CommandLine like r"%.png" or Process.CommandLine like r"%.raw" or Process.CommandLine like r"%.sr2" or Process.CommandLine like r"%.temp" or Process.CommandLine like r"%.tif" or Process.CommandLine like r"%.tiff" or Process.CommandLine like r"%.tmp" or Process.CommandLine like r"%.rtf" or Process.CommandLine like r"%.txt") +Annotation = {"mitre_attack": ["T1105"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%curl %" or Process.CommandLine like r"%Invoke-WebRequest%" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%wget %") and (Process.CommandLine like r"% -ur%" or Process.CommandLine like r"% -o%") and (Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Temp\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like 
r"%\%AppData\%%" or Process.CommandLine like r"%\%Public\%%" or Process.CommandLine like r"%\%Temp\%%" or Process.CommandLine like r"%\%tmp\%%" or Process.CommandLine like r"%:\\Windows\\%")
 [ThreatDetectionRule platform=Windows]
-# Detects the modification of Outlook security setting to allow unprompted execution of macros.
-# Author: @ScoubiMtl
-RuleId = e3b50fa5-3c3f-444e-937b-0a99d33731cd
-RuleName = Outlook Macro Execution Without Warning Setting Enabled
-EventType = Reg.Any
-Tag = outlook-macro-execution-without-warning-setting-enabled
+# Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
+RuleName = Service Registry Key Deleted Via Reg.EXE
+EventType = Process.Start
+Tag = proc-start-service-registry-key-deleted-via-reg.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1137", "T1008", "T1546"], "author": "@ScoubiMtl"}
-Query = Reg.TargetObject like r"%\\Outlook\\Security\\Level" and Reg.Value.Data like r"%0x00000001%"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
+Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"% delete %" and Process.CommandLine like r"%\\SYSTEM\\CurrentControlSet\\services\\%"
 [ThreatDetectionRule platform=Windows]
-# Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = ef61af62-bc74-4f58-b49b-626448227652
-RuleName = Suspicious Active Directory Database Snapshot Via ADExplorer
-EventType = Process.Start
-Tag = proc-start-suspicious-active-directory-database-snapshot-via-adexplorer
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1552.001", "T1003.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\ADExplorer.exe" or Process.Name == "AdExp") and Process.CommandLine like r"%snapshot%" and (Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%")
+# Detects certain command line parameters often used during reconnaissance activity via web shells
+# Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
+RuleId = bed2a484-9348-4143-8a8a-b801c979301c
+RuleName = Webshell Detection With Command Line Keywords
+EventType = Process.Start
+Tag = proc-start-webshell-detection-with-command-line-keywords
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1505.003", "T1018", "T1033", "T1087"], "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson"}
+Query = (Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\ws\_tomcatservice.exe" or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%") or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Process.CommandLine like r"%catalina.jar%" or Process.CommandLine like r"%CATALINA\_HOME%")) and ((Process.Name in ["net.exe", "net1.exe"]) and (Process.CommandLine like r"% user %" or Process.CommandLine like r"% use %" or Process.CommandLine like r"% group %") or Process.Name == "ping.exe" and Process.CommandLine like r"% -n %" or Process.CommandLine like r"%&cd&echo%" or Process.CommandLine like r"%cd /d %" or Process.Name == "wmic.exe" and Process.CommandLine like r"% /node:%" or (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"% -enc %" or Process.CommandLine like r"% -EncodedCommand %" or Process.CommandLine like r"% -w hidden %" or Process.CommandLine like r"% -windowstyle hidden%" or Process.CommandLine like r"%.WebClient).Download%") or Process.Path like r"%\\dsquery.exe" or Process.Path like r"%\\find.exe" or Process.Path like r"%\\findstr.exe" or Process.Path like r"%\\ipconfig.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\nslookup.exe" or Process.Path like r"%\\pathping.exe" or Process.Path like r"%\\quser.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\tasklist.exe" or Process.Path like r"%\\tracert.exe" or Process.Path like r"%\\ver.exe" or Process.Path like r"%\\wevtutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Name in ["dsquery.exe", "find.exe", "findstr.exe", "ipconfig.exe", "netstat.exe", "nslookup.exe", "pathping.exe", "quser.exe", "schtasks.exe", "sysinfo.exe", "tasklist.exe", "tracert.exe", "ver.exe", "VSSADMIN.EXE", "wevtutil.exe", "whoami.exe"] or Process.CommandLine like r"% Test-NetConnection %" or Process.CommandLine like r"%dir \\%")
+GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=Windows]
-# Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
-# Author: frack113
-RuleId = 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf
-RuleName = HackTool - Hashcat Password Cracker Execution
+# Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
+# Author: Florian Roth (Nextron Systems)
+RuleId = f5e3b62f-e577-4e59-931e-0a15b2b94e1e
+RuleName = HackTool - Htran/NATBypass Execution
 EventType = Process.Start
-Tag = proc-start-hacktool-hashcat-password-cracker-execution
+Tag = proc-start-hacktool-htran/natbypass-execution
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1110.002"], "author": "frack113"}
-Query = Process.Path like r"%\\hashcat.exe" or Process.CommandLine like r"%-a %" and Process.CommandLine like r"%-m 1000 %" and Process.CommandLine like r"%-r %"
+Annotation = {"mitre_attack": ["T1090"], "author": "Florian Roth (Nextron Systems)"}
+Query = Process.Path like r"%\\htran.exe" or Process.Path like r"%\\lcx.exe" or Process.CommandLine like r"%.exe -tran %" or Process.CommandLine like r"%.exe -slave %"
 [ThreatDetectionRule platform=Windows]
-# Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 044ba588-dff4-4918-9808-3f95e8160606
-RuleName = Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
-EventType = Process.Start
-Tag = proc-start-copy-.dmp/.dump-files-from-remote-share-via-cmd.exe
+# Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
+# Author: frack113
+RuleId = 1547e27c-3974-43e2-a7d7-7f484fb928ec
+RuleName = Registry Persistence via Service in Safe Mode
+EventType = Reg.Any
+Tag = registry-persistence-via-service-in-safe-mode
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%copy %" and Process.CommandLine like r"% \\\\%" and (Process.CommandLine like r"%.dmp%" or Process.CommandLine like r"%.dump%" or Process.CommandLine like r"%.hdmp%")
+Annotation = {"mitre_attack": ["T1564.001"], "author": "frack113"}
+Query = (Reg.TargetObject like r"%\\Control\\SafeBoot\\Minimal\\%" or Reg.TargetObject like r"%\\Control\\SafeBoot\\Network\\%") and Reg.TargetObject like r"%\\(Default)" and Reg.Value.Data == "Service" and not (Process.Path == "C:\\WINDOWS\\system32\\msiexec.exe" and (Reg.TargetObject like r"%\\Control\\SafeBoot\\Minimal\\SAVService\\(Default)" or Reg.TargetObject like r"%\\Control\\SafeBoot\\Network\\SAVService\\(Default)"))
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
+GenericProperty2 = Reg.Value.Data
 [ThreatDetectionRule platform=Windows]
-# Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
-# Author: Florian Roth (Nextron Systems), oscd.community
-RuleId = 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
-RuleName = RDP Port Forwarding Rule Added Via Netsh.EXE
+# Detects the execution of REGSVR32.exe with DLL files masquerading as other files
+# Author: Florian Roth (Nextron Systems), frack113
+RuleId = 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
+RuleName = Regsvr32 DLL Execution With Suspicious File Extension
 EventType = Process.Start
-Tag = proc-start-rdp-port-forwarding-rule-added-via-netsh.exe
+Tag = proc-start-regsvr32-dll-execution-with-suspicious-file-extension
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1090"], "author": "Florian Roth (Nextron Systems), oscd.community"}
-Query = (Process.Path like r"%\\netsh.exe" or Process.Name == "netsh.exe") and Process.CommandLine like r"% i%" and Process.CommandLine like r"% p%" and Process.CommandLine like r"%=3389%" and Process.CommandLine like r"% c%"
+Annotation = {"mitre_attack": ["T1218.010"], "author": "Florian Roth (Nextron Systems), frack113"}
+Query = (Process.Path like r"%\\regsvr32.exe" or Process.Name == "REGSVR32.EXE") and (Process.CommandLine like r"%.bin" or Process.CommandLine like r"%.bmp" or Process.CommandLine like r"%.cr2" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.eps" or Process.CommandLine like r"%.gif" or Process.CommandLine like r"%.ico" or Process.CommandLine like r"%.jpeg" or Process.CommandLine like r"%.jpg" or Process.CommandLine like r"%.nef" or Process.CommandLine like r"%.orf" or Process.CommandLine like r"%.png" or Process.CommandLine like r"%.raw" or Process.CommandLine like r"%.sr2" or Process.CommandLine like r"%.temp" or Process.CommandLine like r"%.tif" or Process.CommandLine like r"%.tiff" or Process.CommandLine like r"%.tmp" or Process.CommandLine like r"%.rtf" or Process.CommandLine like r"%.txt")
 [ThreatDetectionRule platform=Windows]
-# Detects potentially suspicious file download from file sharing domains using curl.exe
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 56454143-524f-49fb-b1c6-3fb8b1ad41fb
-RuleName = Suspicious File Download From File Sharing Domain Via Curl.EXE
-EventType = Process.Start
-Tag = proc-start-suspicious-file-download-from-file-sharing-domain-via-curl.exe
+# Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+# Author: Omkar Gudhate
+RuleId = 07743f65-7ec9-404a-a519-913db7118a8d
+RuleName = COM Hijack via Sdclt
+EventType = Reg.Any
+Tag = com-hijack-via-sdclt
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\curl.exe" or Process.Name == "curl.exe") and (Process.CommandLine like r"%.githubusercontent.com%" or Process.CommandLine like r"%anonfiles.com%" or Process.CommandLine like r"%cdn.discordapp.com%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%dl.dropboxusercontent.com%" or Process.CommandLine like r"%ghostbin.co%" or Process.CommandLine like r"%glitch.me%" or Process.CommandLine like r"%gofile.io%" or Process.CommandLine like r"%hastebin.com%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like r"%mega.nz%" or Process.CommandLine like r"%onrender.com%" or Process.CommandLine like r"%pages.dev%" or Process.CommandLine like r"%paste.ee%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%pastebin.pl%" or Process.CommandLine like r"%pastetext.net%" or Process.CommandLine like r"%pixeldrain.com%" or Process.CommandLine like r"%privatlab.com%" or Process.CommandLine like r"%privatlab.net%" or Process.CommandLine like r"%send.exploit.in%" or Process.CommandLine like r"%sendspace.com%" or Process.CommandLine like r"%storage.googleapis.com%" or Process.CommandLine like r"%storjshare.io%" or Process.CommandLine like r"%supabase.co%" or Process.CommandLine like r"%temp.sh%" or Process.CommandLine like r"%transfer.sh%" or Process.CommandLine like r"%trycloudflare.com%" or Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%w3spaces.com%" or Process.CommandLine like r"%workers.dev%") and Process.CommandLine like r"%http%" and (Process.CommandLine like r"% -O%" or Process.CommandLine like r"%--remote-name%" or Process.CommandLine like r"%--output%") and (Process.CommandLine like r"%.ps1" or Process.CommandLine like r"%.ps1'" or Process.CommandLine like r"%.ps1\"" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.dat'" or Process.CommandLine like r"%.dat\"" or Process.CommandLine like r"%.msi" or Process.CommandLine like r"%.msi'" or Process.CommandLine like r"%.msi\"" or Process.CommandLine like r"%.bat" or Process.CommandLine like r"%.bat'" or Process.CommandLine like r"%.bat\"" or Process.CommandLine like r"%.exe" or Process.CommandLine like r"%.exe'" or Process.CommandLine like r"%.exe\"" or Process.CommandLine like r"%.vbs" or Process.CommandLine like r"%.vbs'" or Process.CommandLine like r"%.vbs\"" or Process.CommandLine like r"%.vbe" or Process.CommandLine like r"%.vbe'" or Process.CommandLine like r"%.vbe\"" or Process.CommandLine like r"%.hta" or Process.CommandLine like r"%.hta'" or Process.CommandLine like r"%.hta\"" or Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.dll'" or Process.CommandLine like r"%.dll\"" or Process.CommandLine like r"%.psm1" or Process.CommandLine like r"%.psm1'" or Process.CommandLine like r"%.psm1\"")
+Annotation = {"mitre_attack": ["T1546", "T1548"], "author": "Omkar Gudhate"}
+Query = Reg.TargetObject like r"%\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute%"
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
 [ThreatDetectionRule platform=Windows]
-# Detects AnyDesk writing binary files to disk other than "gcapi.dll".
-# According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
-# which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 2d367498-5112-4ae5-a06a-96e7bc33a211
-RuleName = Suspicious Binary Writes Via AnyDesk
-EventType = File.Create
-Tag = suspicious-binary-writes-via-anydesk
+# Detects the creation of scheduled tasks that involves a temporary folder and runs only once
+# Author: Florian Roth (Nextron Systems)
+RuleId = 39019a4e-317f-4ce3-ae63-309a8c6b53c5
+RuleName = Suspicious Scheduled Task Creation Involving Temp Folder
+EventType = Process.Start
+Tag = proc-start-suspicious-scheduled-task-creation-involving-temp-folder
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1219"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.Path like r"%\\anydesk.exe" and (File.Path like r"%.dll" or File.Path like r"%.exe") and not File.Path like r"%\\gcapi.dll"
-GenericProperty1 = File.Path
+Annotation = {"mitre_attack": ["T1053.005"], "author": "Florian Roth (Nextron Systems)"}
+Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %" and Process.CommandLine like r"% /sc once %" and Process.CommandLine like r"%\\Temp\\%"
 [ThreatDetectionRule platform=Windows]
-# Detects a driver load from a temporary directory
+# Detects usage of bitsadmin downloading a file from a suspicious domain
 # Author: Florian Roth (Nextron Systems)
-RuleId = 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
-RuleName = Driver Load From A Temporary Directory
-EventType = Driver.Load
-Tag = driver-load-from-a-temporary-directory
+RuleId = 8518ed3d-f7c9-4601-a26c-f361a4256a0c
+RuleName = Suspicious Download From File-Sharing Website Via Bitsadmin
+EventType = Process.Start
+Tag = proc-start-suspicious-download-from-file-sharing-website-via-bitsadmin
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1543.003"], "author": "Florian Roth (Nextron Systems)"}
-Query = Image.Path like r"%\\Temp\\%"
-GenericProperty1 = Image.Path
+Annotation = {"mitre_attack": ["T1197", "T1036.003"], "author": "Florian Roth (Nextron Systems)"}
+Query = (Process.Path like r"%\\bitsadmin.exe" or Process.Name == "bitsadmin.exe") and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%.githubusercontent.com%" or Process.CommandLine like r"%anonfiles.com%" or Process.CommandLine like r"%cdn.discordapp.com%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%dl.dropboxusercontent.com%" or Process.CommandLine like r"%ghostbin.co%" or Process.CommandLine like r"%glitch.me%" or Process.CommandLine like r"%gofile.io%" or Process.CommandLine like r"%hastebin.com%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like r"%mega.nz%" or Process.CommandLine like r"%onrender.com%" or Process.CommandLine like r"%pages.dev%" or Process.CommandLine like r"%paste.ee%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%pastebin.pl%" or Process.CommandLine like r"%pastetext.net%" or Process.CommandLine like r"%privatlab.com%" or Process.CommandLine like r"%privatlab.net%" or Process.CommandLine like r"%send.exploit.in%" or Process.CommandLine like r"%sendspace.com%" or Process.CommandLine like r"%storage.googleapis.com%" or Process.CommandLine like r"%storjshare.io%" or Process.CommandLine like r"%supabase.co%" or Process.CommandLine like r"%temp.sh%" or Process.CommandLine like r"%transfer.sh%" or Process.CommandLine like r"%trycloudflare.com%" or Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%w3spaces.com%" or Process.CommandLine like r"%workers.dev%")
 [ThreatDetectionRule platform=Windows]
-# Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
-# Author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
-RuleId = f89b08d0-77ad-4728-817b-9b16c5a69c7a
-RuleName = HackTool - SharpImpersonation Execution
+# Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
+# Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
+# Instead they modify the task after creation to include their malicious payload
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
+RuleName = Suspicious Modification Of Scheduled Tasks
 EventType = Process.Start
-Tag = proc-start-hacktool-sharpimpersonation-execution
+Tag = proc-start-suspicious-modification-of-scheduled-tasks
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1134.001", "T1134.003"], "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.Path like r"%\\SharpImpersonation.exe" or Process.Name == "SharpImpersonation.exe" or Process.CommandLine like r"% user:%" and Process.CommandLine like r"% binary:%" or Process.CommandLine like r"% user:%" and Process.CommandLine like r"% shellcode:%" or Process.CommandLine like r"% technique:CreateProcessAsUserW%" or Process.CommandLine like r"% technique:ImpersonateLoggedOnuser%"
+Annotation = {"mitre_attack": ["T1053.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /Change %" and Process.CommandLine like r"% /TN %" and (Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\AppData\\Roaming\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\WINDOWS\\Temp\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\Perflogs\\%" or Process.CommandLine like r"%\%ProgramData\%%" or Process.CommandLine like r"%\%appdata\%%" or Process.CommandLine like r"%\%comspec\%%" or Process.CommandLine like r"%\%localappdata\%%") and (Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd /k %" or Process.CommandLine like r"%cmd /r %" or Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd.exe /r %" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%certutil%" or Process.CommandLine like r"%bitsadmin%" or Process.CommandLine like r"%bash.exe%" or Process.CommandLine like r"%bash %" or Process.CommandLine like r"%scrcons%" or Process.CommandLine like r"%wmic %" or Process.CommandLine like r"%wmic.exe%" or Process.CommandLine like r"%forfiles%" or Process.CommandLine like r"%scriptrunner%" or Process.CommandLine like r"%hh.exe%" or Process.CommandLine like r"%hh %")
 [ThreatDetectionRule platform=Windows]
-# Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
-# Author: Furkan Caliskan (@caliskanfurkan_)
-RuleId = d3b70aad-097e-409c-9df2-450f80dc476b
-RuleName = PUA - DIT Snapshot Viewer
+# Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
+# Author: Tom Ueltschi (@c_APT_ure)
+RuleId = 21d856f9-9281-4ded-9377-51a1a6e2a432
+RuleName = Potential Persistence Via Logon Scripts - CommandLine
 EventType = Process.Start
-Tag = proc-start-pua-dit-snapshot-viewer
+Tag = proc-start-potential-persistence-via-logon-scripts-commandline
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1003.003"], "author": "Furkan Caliskan (@caliskanfurkan_)"}
-Query = Process.Path like r"%\\ditsnap.exe" or Process.CommandLine like r"%ditsnap.exe%"
+Annotation = {"mitre_attack": ["T1037.001"], "author": "Tom Ueltschi (@c_APT_ure)"}
+Query = Process.CommandLine like r"%UserInitMprLogonScript%"
 [ThreatDetectionRule platform=Windows]
-# Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = a383dec4-deec-4e6e-913b-ed9249670848
-RuleName = Potential Signing Bypass Via Windows Developer Features
-EventType = Process.Start
-Tag = proc-start-potential-signing-bypass-via-windows-developer-features
+# Detects a network connection that is initiated by the "notepad.exe" process.
+# This might be a sign of process injection from a beacon process or something similar.
+# Notepad rarely initiates a network communication except when printing documents for example.
+# Author: EagleEye Team
+RuleId = e81528db-fc02-45e8-8e98-4e84aba1f10b
+RuleName = Network Connection Initiated Via Notepad.EXE
+EventType = Net.Any
+Tag = network-connection-initiated-via-notepad.exe
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\SystemSettingsAdminFlows.exe" or Process.Name == "SystemSettingsAdminFlows.EXE") and Process.CommandLine like r"%TurnOnDeveloperFeatures%" and (Process.CommandLine like r"%DeveloperUnlock%" or Process.CommandLine like r"%EnableSideloading%")
+Annotation = {"mitre_attack": ["T1055"], "author": "EagleEye Team"}
+Query = Process.Path like r"%\\notepad.exe" and not Net.Target.Port == 9100
+GenericProperty1 = Net.Target.Port
 [ThreatDetectionRule platform=Windows]
-# Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = cf2e938e-9a3e-4fe8-a347-411642b28a9f
-RuleName = Potential PowerShell Execution Policy Tampering - ProcCreation
+# Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
+# Author: frack113
+RuleId = 74a12f18-505c-4114-8d0b-8448dd5485c6
+RuleName = PUA - Nimgrab Execution
 EventType = Process.Start
-Tag = proc-start-potential-powershell-execution-policy-tampering-proccreation
+Tag = proc-start-pua-nimgrab-execution
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.CommandLine like r"%\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy%" or Process.CommandLine like r"%\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy%") and (Process.CommandLine like r"%Bypass%" or Process.CommandLine like r"%RemoteSigned%" or Process.CommandLine like r"%Unrestricted%")
+Annotation = {"mitre_attack": ["T1105"], "author": "frack113"}
+Query = Process.Path like r"%\\nimgrab.exe" or Process.Hashes like r"%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%" or Process.Hashes like r"%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%" or Process.Hashes like r"%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%"
+GenericProperty1 = Process.Hashes
 [ThreatDetectionRule platform=Windows]
-# Detects email exfiltration via powershell cmdlets
-# Author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
-RuleId = 312d0384-401c-4b8b-abdf-685ffba9a332
-RuleName = Email Exifiltration Via Powershell
+# Detects command line parameters or strings often used by crypto miners
+# Author: Florian Roth (Nextron Systems)
+RuleId = 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
+RuleName = Potential Crypto Mining Activity
 EventType = Process.Start
-Tag = proc-start-email-exifiltration-via-powershell
+Tag = proc-start-potential-crypto-mining-activity
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)"}
-Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Add-PSSnapin%" and Process.CommandLine like r"%Get-Recipient%" and Process.CommandLine like r"%-ExpandProperty%" and Process.CommandLine like r"%EmailAddresses%" and Process.CommandLine like r"%SmtpAddress%" and Process.CommandLine like r"%-hidetableheaders%"
+Annotation = {"mitre_attack": ["T1496"], "author": "Florian Roth (Nextron Systems)"}
+Query = (Process.CommandLine like r"% --cpu-priority=%" or Process.CommandLine like r"%--donate-level=0%" or Process.CommandLine like r"% -o pool.%" or Process.CommandLine like r"% --nicehash%" or Process.CommandLine like r"% --algo=rx/0 %" or Process.CommandLine like r"%stratum+tcp://%" or Process.CommandLine like r"%stratum+udp://%" or Process.CommandLine like r"%LS1kb25hdGUtbGV2ZWw9%" or Process.CommandLine like r"%0tZG9uYXRlLWxldmVsP%" or Process.CommandLine like r"%tLWRvbmF0ZS1sZXZlbD%" or Process.CommandLine like r"%c3RyYXR1bSt0Y3A6Ly%" or Process.CommandLine like r"%N0cmF0dW0rdGNwOi8v%" or Process.CommandLine like r"%zdHJhdHVtK3RjcDovL%" or Process.CommandLine like r"%c3RyYXR1bSt1ZHA6Ly%" or Process.CommandLine like r"%N0cmF0dW0rdWRwOi8v%" or Process.CommandLine like r"%zdHJhdHVtK3VkcDovL%") and not (Process.CommandLine like r"% pool.c %" or Process.CommandLine like r"% pool.o %" or Process.CommandLine like r"%gcc -%")
 [ThreatDetectionRule platform=Windows]
-# Detects potential malicious modification of run keys by winekey or team9 backdoor
-# Author: omkar72
-RuleId = b98968aa-dbc0-4a9c-ac35-108363cbf8d5
-RuleName = WINEKEY Registry Modification
-EventType = Reg.Any
-Tag = winekey-registry-modification
+# Detects WMI command line event consumers
+# Author: Thomas Patzke
+RuleId = 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
+RuleName = WMI Persistence - Command Line Event Consumer
+EventType = Image.Load
+Tag = wmi-persistence-command-line-event-consumer
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1547"], "author": "omkar72"}
-Query = Reg.TargetObject like r"%Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
+Annotation = {"mitre_attack": ["T1546.003"], "author": "Thomas Patzke"}
+Query = Process.Path == "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and Image.Path like r"%\\wbemcons.dll"
+GenericProperty1 = Image.Path
 [ThreatDetectionRule platform=Windows]
-# Detects registry changes to Office trust records where the path is located in a potentially suspicious location
+# Detects the execution of a renamed "cloudflared" binary.
 # Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
-RuleName = Macro Enabled In A Potentially Suspicious Document
-EventType = Reg.Any
-Tag = macro-enabled-in-a-potentially-suspicious-document
+RuleId = e0c69ebd-b54f-4aed-8ae3-e3467843f3f0
+RuleName = Renamed Cloudflared.EXE Execution
+EventType = Process.Start
+Tag = proc-start-renamed-cloudflared.exe-execution
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1112"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Reg.TargetObject like r"%\\Security\\Trusted Documents\\TrustRecords%" and (Reg.TargetObject like r"%/AppData/Local/Microsoft/Windows/INetCache/%" or Reg.TargetObject like r"%/AppData/Local/Temp/%" or Reg.TargetObject like r"%/PerfLogs/%" or Reg.TargetObject like r"%C:/Users/Public/%" or Reg.TargetObject like r"%file:///D:/%" or Reg.TargetObject like r"%file:///E:/%")
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
+Annotation = {"mitre_attack": ["T1090.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.CommandLine like r"% tunnel %" and Process.CommandLine like r"%cleanup %" and (Process.CommandLine like r"%-config %" or Process.CommandLine like r"%-connector-id %") or Process.CommandLine like r"% tunnel %" and Process.CommandLine like r"% run %" and (Process.CommandLine like r"%-config %" or Process.CommandLine like r"%-credentials-contents %" or Process.CommandLine like r"%-credentials-file %" or Process.CommandLine like r"%-token %") or Process.CommandLine like r"%-url%" and Process.CommandLine like r"%tunnel%" or Process.Hashes like r"%SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29%" or Process.Hashes like r"%SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8%" or Process.Hashes like r"%SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039%" or Process.Hashes like r"%SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28%" or Process.Hashes like r"%SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7%" or Process.Hashes like r"%SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373%" or Process.Hashes like r"%SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670%" or Process.Hashes like r"%SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a%" or Process.Hashes like r"%SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0%" or Process.Hashes like r"%SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1%" or Process.Hashes like r"%SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2%" or Process.Hashes like r"%SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac%" or Process.Hashes like r"%SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f%" or Process.Hashes like r"%SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d%" or Process.Hashes like r"%SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499%" or Process.Hashes like r"%SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b%" or Process.Hashes like r"%SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f%" or Process.Hashes like r"%SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032%" or Process.Hashes like r"%SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234%" or Process.Hashes like r"%SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f%" or Process.Hashes like r"%SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058%" or Process.Hashes like r"%SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c%" or Process.Hashes like r"%SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f%" or Process.Hashes like r"%SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5%" or Process.Hashes like r"%SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3%" or Process.Hashes like r"%SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4%" or Process.Hashes like r"%SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c%" or Process.Hashes like r"%SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4%" or Process.Hashes like r"%SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f%" or Process.Hashes like r"%SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad%" or Process.Hashes like r"%SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7%" or Process.Hashes like r"%SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75%" or Process.Hashes like r"%SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6%" or Process.Hashes like r"%SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688%" or Process.Hashes like r"%SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f%" or Process.Hashes like r"%SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663%" or Process.Hashes like r"%SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77%" or Process.Hashes like r"%SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078%") and not (Process.Path like r"%\\cloudflared.exe" or Process.Path like r"%\\cloudflared-windows-386.exe" or Process.Path like r"%\\cloudflared-windows-amd64.exe")
+GenericProperty1 = Process.Hashes
 [ThreatDetectionRule platform=Windows]
-# Detect change of the user account associated with the FAX service to avoid the escalation problem.
-# Author: frack113
-RuleId = e3fdf743-f05b-4051-990a-b66919be1743
-RuleName = Change User Account Associated with the FAX Service
-EventType = Reg.Any
-Tag = change-user-account-associated-with-the-fax-service
+# Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
+# Author: Florian Roth (Nextron Systems)
+RuleId = fe63010f-8823-4864-a96b-a7b4a0f7b929
+RuleName = LSASS Process Reconnaissance Via Findstr.EXE
+EventType = Process.Start
+Tag = proc-start-lsass-process-reconnaissance-via-findstr.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1112"], "author": "frack113"}
-Query = Reg.TargetObject == "HKLM\\System\\CurrentControlSet\\Services\\Fax\\ObjectName" and not Reg.Value.Data like r"%NetworkService%"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
+Annotation = {"mitre_attack": ["T1552.006"], "author": "Florian Roth (Nextron Systems)"}
+Query = (Process.Path like r"%\\find.exe" or Process.Path like r"%\\findstr.exe" or Process.Name in ["FIND.EXE", "FINDSTR.EXE"]) and Process.CommandLine like r"%lsass%" or Process.CommandLine like r"% -i \"lsass%" or Process.CommandLine like r"% /i \"lsass%" or Process.CommandLine like r"% –i \"lsass%" or Process.CommandLine like r"% —i \"lsass%" or Process.CommandLine like r"% ―i \"lsass%" or Process.CommandLine like r"% -i lsass.exe%" or Process.CommandLine like r"% /i lsass.exe%" or Process.CommandLine like r"% –i lsass.exe%" or Process.CommandLine like r"% —i lsass.exe%" or Process.CommandLine like r"% ―i lsass.exe%" or Process.CommandLine like r"%findstr \"lsass%" or Process.CommandLine like r"%findstr lsass%" or Process.CommandLine like r"%findstr.exe \"lsass%" or Process.CommandLine like r"%findstr.exe lsass%"
 [ThreatDetectionRule platform=Windows]
-# Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-# Author: Christian Burkard (Nextron Systems)
-RuleId = 6597be7b-ac61-4ac8-bef4-d3ec88174853
-RuleName = UAC Bypass Abusing Winsat Path Parsing - Registry
-EventType = Reg.Any
-Tag = uac-bypass-abusing-winsat-path-parsing-registry
+# Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
+# Author: Florian Roth (Nextron Systems)
+RuleId = 1012f107-b8f1-4271-af30-5aed2de89b39
+RuleName = Terminal Service Process Spawn
+EventType = Process.Start
+Tag = proc-start-terminal-service-process-spawn
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"}
-Query = Reg.TargetObject like r"%\\Root\\InventoryApplicationFile\\winsat.exe|%" and Reg.TargetObject like r"%\\LowerCaseLongPath" and Reg.Value.Data like r"c:\\users\\%" and Reg.Value.Data like r"%\\appdata\\local\\temp\\system32\\winsat.exe"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
-
-
-[ThreatDetectionRule platform=Windows]
-# Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
-# Author: Tim Rauch (Nextron Systems), Elastic (idea)
-RuleId = 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
-RuleName = Unusual File Modification by dns.exe
-EventType = File.Write
-Tag = unusual-file-modification-by-dns.exe
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1133"], "author": "Tim Rauch (Nextron Systems), Elastic (idea)"}
-Query = Process.Path like r"%\\dns.exe" and not File.Path like r"%\\dns.log"
-GenericProperty1 = File.Path
+Annotation = {"mitre_attack": ["T1190", "T1210"], "author": "Florian Roth (Nextron Systems)"}
+Query = Parent.CommandLine like r"%\\svchost.exe%" and Parent.CommandLine like r"%termsvcs%" and not (Process.Path like r"%\\rdpclip.exe" or Process.Path like r"%:\\Windows\\System32\\csrss.exe" or Process.Path like r"%:\\Windows\\System32\\wininit.exe" or Process.Path like r"%:\\Windows\\System32\\winlogon.exe" or isnull(Process.Path))
+GenericProperty1 = Parent.CommandLine
 [ThreatDetectionRule platform=Windows]
-# Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
-# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-RuleId = a1473adb-5338-4a20-b4c3-126763e2d3d3
-RuleName = Suspicious Advpack Call Via Rundll32.EXE
+# Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
+# Author: Vadim Khrykov, Cyb3rEng
+RuleId = e1693bc8-7168-4eab-8718-cdcaa68a1738
+RuleName = Suspicious WMIC Execution Via Office Process
 EventType = Process.Start
-Tag = proc-start-suspicious-advpack-call-via-rundll32.exe
-RiskScore = 75
-Annotation = {"author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE" or Process.CommandLine like r"%rundll32%") and Process.CommandLine like r"%advpack%" and (Process.CommandLine like r"%#+%" and Process.CommandLine like r"%12%" or Process.CommandLine like r"%#-%")
-
-
-[ThreatDetectionRule platform=Windows]
-# Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
-# Author: Florian Roth (Nextron Systems)
-RuleId = 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
-RuleName = Suspicious Interactive PowerShell as SYSTEM
-EventType = File.Create
-Tag = suspicious-interactive-powershell-as-system
+Tag = proc-start-suspicious-wmic-execution-via-office-process
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"}
-Query = File.Path in
["C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost\_history.txt", "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\StartupProfileData-Interactive"] -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1204.002", "T1047", "T1218.010"], "author": "Vadim Khrykov, Cyb3rEng"} +Query = (Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\MSACCESS.EXE" or Parent.Path like r"%\\EQNEDT32.EXE" or Parent.Path like r"%\\ONENOTE.EXE" or Parent.Path like r"%\\wordpad.exe" or Parent.Path like r"%\\wordview.exe") and (Process.Path like r"%\\wbem\\WMIC.exe" or Process.Name == "wmic.exe") and Process.CommandLine like r"%process%" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%call%" and (Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%msiexec%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%verclsid%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. 
-# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -RuleId = ac8866c7-ce44-46fd-8c17-b24acff96ca8 -RuleName = HybridConnectionManager Service Installation - Registry -EventType = Reg.Any -Tag = hybridconnectionmanager-service-installation-registry +# Detection well-known mimikatz command line arguments +# Author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton +RuleId = a642964e-bead-4bed-8910-1bb4d63e3b4d +RuleName = HackTool - Mimikatz Execution +EventType = Process.Start +Tag = proc-start-hacktool-mimikatz-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1608"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} -Query = Reg.TargetObject like r"%\\Services\\HybridConnectionManager%" or Reg.EventType == "SetValue" and Reg.Value.Data like r"%Microsoft.HybridConnectionManager.Listener.exe%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data -GenericProperty3 = Reg.EventType +Annotation = {"mitre_attack": ["T1003.001", "T1003.002", "T1003.004", "T1003.005", "T1003.006"], "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton"} +Query = Process.CommandLine like r"%DumpCreds%" or Process.CommandLine like r"%mimikatz%" or Process.CommandLine like r"%::aadcookie%" or Process.CommandLine like r"%::detours%" or Process.CommandLine like r"%::memssp%" or Process.CommandLine like r"%::mflt%" or Process.CommandLine like r"%::ncroutemon%" or Process.CommandLine like r"%::ngcsign%" or Process.CommandLine like r"%::printnightmare%" or Process.CommandLine like r"%::skeleton%" or Process.CommandLine like r"%::preshutdown%" or Process.CommandLine like r"%::mstsc%" or Process.CommandLine like r"%::multirdp%" or Process.CommandLine like r"%rpc::%" or Process.CommandLine like r"%token::%" or Process.CommandLine like r"%crypto::%" or Process.CommandLine like r"%dpapi::%" or Process.CommandLine like r"%sekurlsa::%" or 
Process.CommandLine like r"%kerberos::%" or Process.CommandLine like r"%lsadump::%" or Process.CommandLine like r"%privilege::%" or Process.CommandLine like r"%process::%" or Process.CommandLine like r"%vault::%" [ThreatDetectionRule platform=Windows] -# Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution -# Author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems) -RuleId = c363385c-f75d-4753-a108-c1a8e28bdbda -RuleName = Potential Manage-bde.wsf Abuse To Proxy Execution +# Detects the execution of CSharp interactive console by PowerShell +# Author: Michael R. (@nahamike01) +RuleId = a9e416a8-e613-4f8b-88b8-a7d1d1af2f61 +RuleName = Suspicious Use of CSharp Interactive Console EventType = Process.Start -Tag = proc-start-potential-manage-bde.wsf-abuse-to-proxy-execution +Tag = proc-start-suspicious-use-of-csharp-interactive-console RiskScore = 75 -Annotation = {"mitre_attack": ["T1216"], "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\wscript.exe" or Process.Name == "wscript.exe") and Process.CommandLine like r"%manage-bde.wsf%" or (Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\wscript.exe") and Parent.CommandLine like r"%manage-bde.wsf%" and not Process.Path like r"%\\cmd.exe" +Annotation = {"mitre_attack": ["T1127"], "author": "Michael R. (@nahamike01)"} +Query = Process.Path like r"%\\csi.exe" and (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\powershell\_ise.exe") and Process.Name == "csi.exe" GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 2569ed8c-1147-498a-9b8c-2ad3656b10ed -RuleName = Potential Renamed Rundll32 Execution +# Detects the export of a crital Registry key to a file. +# Author: Oddvar Moe, Sander Wiebing, oscd.community +RuleId = 82880171-b475-4201-b811-e9c826cd5eaa +RuleName = Exports Critical Registry Keys To a File EventType = Process.Start -Tag = proc-start-potential-renamed-rundll32-execution +Tag = proc-start-exports-critical-registry-keys-to-a-file RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%DllRegisterServer%" and not Process.Path like r"%\\rundll32.exe" +Annotation = {"mitre_attack": ["T1012"], "author": "Oddvar Moe, Sander Wiebing, oscd.community"} +Query = (Process.Path like r"%\\regedit.exe" or Process.Name == "REGEDIT.EXE") and (Process.CommandLine like r"% -E %" or Process.CommandLine like r"% /E %" or Process.CommandLine like r"% –E %" or Process.CommandLine like r"% —E %" or Process.CommandLine like r"% ―E %") and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security") [ThreatDetectionRule platform=Windows] -# Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives. 
-# Author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113 -RuleId = fd877b94-9bb5-4191-bb25-d79cbd93c167 -RuleName = Dumping of Sensitive Hives Via Reg.EXE -EventType = Process.Start -Tag = proc-start-dumping-of-sensitive-hives-via-reg.exe +# Detects persistence registry keys for Recycle Bin +# Author: frack113 +RuleId = 277efb8f-60be-4f10-b4d3-037802f37167 +RuleName = Registry Persistence Mechanisms in Recycle Bin +EventType = Reg.Any +Tag = registry-persistence-mechanisms-in-recycle-bin RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.002", "T1003.004", "T1003.005"], "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113"} -Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and (Process.CommandLine like r"% save %" or Process.CommandLine like r"% export %" or Process.CommandLine like r"% ˢave %" or Process.CommandLine like r"% eˣport %") and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hk˪m%" or Process.CommandLine like r"%hkey\_local\_machine%" or Process.CommandLine like r"%hkey\_˪ocal\_machine%" or Process.CommandLine like r"%hkey\_loca˪\_machine%" or Process.CommandLine like r"%hkey\_˪oca˪\_machine%") and (Process.CommandLine like r"%\\system%" or Process.CommandLine like r"%\\sam%" or Process.CommandLine like r"%\\security%" or Process.CommandLine like r"%\\ˢystem%" or Process.CommandLine like r"%\\syˢtem%" or Process.CommandLine like r"%\\ˢyˢtem%" or Process.CommandLine like r"%\\ˢam%" or Process.CommandLine like r"%\\ˢecurity%") +Annotation = {"mitre_attack": ["T1547"], "author": "frack113"} +Query = Reg.EventType == "RenameKey" and Reg.Key.Path.New like r"%\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open%" or Reg.EventType == "SetValue" and Reg.TargetObject like r"%\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command\\(Default)%" +Hive = HKLM,HKU +GenericProperty1 = Reg.Key.Path.New 
+GenericProperty2 = Reg.TargetObject +GenericProperty3 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. -# RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. -# This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise -# Author: frack113 -RuleId = d6ce7ebd-260b-4323-9768-a9631c8d4db2 -RuleName = RestrictedAdminMode Registry Value Tampering +# This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry. +# Author: oscd.community, Natalia Shornikova +RuleId = fc014922-5def-4da9-a0fc-28c973f41bfb +RuleName = Execution DLL of Choice Using WAB.EXE EventType = Reg.Any -Tag = restrictedadminmode-registry-value-tampering +Tag = execution-dll-of-choice-using-wab.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "frack113"} -Query = Reg.TargetObject like r"%System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" +Annotation = {"mitre_attack": ["T1218"], "author": "oscd.community, Natalia Shornikova"} +Query = Reg.TargetObject like r"%\\Software\\Microsoft\\WAB\\DLLPath" and not Reg.Value.Data == "\%CommonProgramFiles\%\\System\\wab32.dll" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS). 
-# Author: Harjot Singh, '@cyb3rjy0t' -RuleId = 9248c7e1-2bf3-4661-a22c-600a8040b446 -RuleName = Potential Rundll32 Execution With DLL Stored In ADS +# Detects usage of cmdkey to look for cached credentials on the system +# Author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 07f8bdc2-c9b3-472a-9817-5a670b872f53 +RuleName = Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE EventType = Process.Start -Tag = proc-start-potential-rundll32-execution-with-dll-stored-in-ads +Tag = proc-start-potential-reconnaissance-for-cached-credentials-via-cmdkey.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1564.004"], "author": "Harjot Singh, '@cyb3rjy0t'"} -Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and Process.CommandLine regex "[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:" +Annotation = {"mitre_attack": ["T1003.005"], "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\cmdkey.exe" or Process.Name == "cmdkey.exe") and (Process.CommandLine like r"% -l%" or Process.CommandLine like r"% /l%" or Process.CommandLine like r"% –l%" or Process.CommandLine like r"% —l%" or Process.CommandLine like r"% ―l%") [ThreatDetectionRule platform=Windows] -# Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. -# Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards. 
+# Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file # Author: Florian Roth (Nextron Systems) -RuleId = de46c52b-0bf8-4936-a327-aace94f94ac6 -RuleName = Process Explorer Driver Creation By Non-Sysinternals Binary +RuleId = cad1fe90-2406-44dc-bd03-59d0b58fe722 +RuleName = HackTool - NPPSpy Hacktool Usage EventType = File.Create -Tag = process-explorer-driver-creation-by-non-sysinternals-binary +Tag = hacktool-nppspy-hacktool-usage RiskScore = 75 -Annotation = {"mitre_attack": ["T1068"], "author": "Florian Roth (Nextron Systems)"} -Query = File.Path like r"%\\PROCEXP%" and File.Path like r"%.sys" and not (Process.Path like r"%\\procexp.exe" or Process.Path like r"%\\procexp64.exe") +Annotation = {"author": "Florian Roth (Nextron Systems)"} +Query = File.Path like r"%\\NPPSpy.txt" or File.Path like r"%\\NPPSpy.dll" GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects VBScript content stored into registry keys as seen being used by UNC2452 group -# Author: Florian Roth (Nextron Systems) -RuleId = 46490193-1b22-4c29-bdd6-5bf63907216f -RuleName = VBScript Payload Stored in Registry +# Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 +RuleName = Potentially Suspicious ASP.NET Compilation Via AspNetCompiler +EventType = Process.Start +Tag = proc-start-potentially-suspicious-asp.net-compilation-via-aspnetcompiler +RiskScore = 75 +Annotation = {"mitre_attack": ["T1127"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%C:\\Windows\\Microsoft.NET\\Framework\\%" or Process.Path like r"%C:\\Windows\\Microsoft.NET\\Framework64\\%") and Process.Path like r"%\\aspnet\_compiler.exe" and (Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Local\\Roaming\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Tasks\\%") + + +[ThreatDetectionRule platform=Windows] +# Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. 
This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 160d2780-31f7-4922-8b3a-efce30e63e96 +RuleName = Potential AMSI COM Server Hijacking EventType = Reg.Any -Tag = vbscript-payload-stored-in-registry +Tag = potential-amsi-com-server-hijacking RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Reg.TargetObject like r"%Software\\Microsoft\\Windows\\CurrentVersion%" and (Reg.Value.Data like r"%vbscript:%" or Reg.Value.Data like r"%jscript:%" or Reg.Value.Data like r"%mshtml,%" or Reg.Value.Data like r"%RunHTMLApplication%" or Reg.Value.Data like r"%Execute(%" or Reg.Value.Data like r"%CreateObject%" or Reg.Value.Data like r"%window.close%") and not (Reg.TargetObject like r"%Software\\Microsoft\\Windows\\CurrentVersion\\Run%" or Process.Path like r"%\\msiexec.exe" and Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\%" and (Reg.Value.Data like r"%\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll%" or Reg.Value.Data like r"%<\\Microsoft.mshtml,fileVersion=%" or Reg.Value.Data like r"%\_mshtml\_dll\_%" or Reg.Value.Data like r"%<\\Microsoft.mshtml,culture=%")) +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)" and not Reg.Value.Data == "\%windir\%\\system32\\amsi.dll" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory +# Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato) # Author: Florian Roth (Nextron Systems) -RuleId = 4e7050dd-e548-483f-b7d6-527ab4fa784d -RuleName = NTDS.DIT Creation By Uncommon Parent Process -EventType = File.Create -Tag = ntds.dit-creation-by-uncommon-parent-process +RuleId = e9142d84-fbe0-401d-ac50-3e519fb00c89 +RuleName = WhoAmI as Parameter +EventType = Process.Start +Tag = proc-start-whoami-as-parameter RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.003"], "author": "Florian Roth (Nextron Systems)"} -Query = File.Path like r"%\\ntds.dit" and (Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%" or Parent.Path like r"%\\AppData\\%" or Parent.Path like r"%\\Temp\\%" or Parent.Path like r"%\\Public\\%" or Parent.Path like r"%\\PerfLogs\\%") -GenericProperty1 = Parent.Path -GenericProperty2 = File.Path +Annotation = {"mitre_attack": ["T1033"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%.exe whoami%" [ThreatDetectionRule platform=Windows] -# Detects base64 encoded .NET reflective loading of Assembly -# Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems) -RuleId = 62b7ccc9-23b4-471e-aa15-6da3663c4d59 -RuleName = PowerShell Base64 Encoded Reflective Assembly Load +# Detects process execution from a fake recycle bin folder, often used to avoid security solution. 
+# Author: X__Junior (Nextron Systems) +RuleId = 5ce0f04e-3efc-42af-839d-5b3a543b76c0 +RuleName = Suspicious Process Execution From Fake Recycle.Bin Folder EventType = Process.Start -Tag = proc-start-powershell-base64-encoded-reflective-assembly-load +Tag = proc-start-suspicious-process-execution-from-fake-recycle.bin-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001", "T1027", "T1620"], "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)"} -Query = Process.CommandLine like r"%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%" or Process.CommandLine like r"%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%" or Process.CommandLine like r"%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%" or Process.CommandLine like r"%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%" or Process.CommandLine like r"%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%" or Process.CommandLine like r"%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%" or Process.CommandLine like r"%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%" or Process.CommandLine like r"%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%" or Process.CommandLine like r"%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%" or Process.CommandLine like r"%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%" or Process.CommandLine like r"%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%" or Process.CommandLine like r"%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%" +Annotation = {"author": "X__Junior (Nextron Systems)"} +Query = Process.Path like r"%RECYCLERS.BIN\\%" or Process.Path like r"%RECYCLER.BIN\\%" [ThreatDetectionRule 
platform=Windows] -# Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS. -# Author: @pbssubhash -RuleId = 33efc23c-6ea2-4503-8cfe-bdf82ce8f719 -RuleName = Lsass Full Dump Request Via DumpType Registry Settings -EventType = Reg.Any -Tag = lsass-full-dump-request-via-dumptype-registry-settings +# Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = a1473adb-5338-4a20-b4c3-126763e2d3d3 +RuleName = Suspicious Advpack Call Via Rundll32.EXE +EventType = Process.Start +Tag = proc-start-suspicious-advpack-call-via-rundll32.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "@pbssubhash"} -Query = (Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType%" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType%") and Reg.Value.Data == "DWORD (0x00000002)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE" or Process.CommandLine like r"%rundll32%") and Process.CommandLine like r"%advpack%" and (Process.CommandLine like r"%#+%" and Process.CommandLine like r"%12%" or Process.CommandLine like r"%#-%") [ThreatDetectionRule platform=Windows] -# Detects Obfuscated Powershell via use MSHTA in Scripts -# Author: Nikita Nazarov, oscd.community -RuleId = ac20ae82-8758-4f38-958e-b44a3140ca88 -RuleName = Invoke-Obfuscation Via Use MSHTA +# Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a 
local copy of the active directory database to a suspicious directory. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = ef61af62-bc74-4f58-b49b-626448227652 +RuleName = Suspicious Active Directory Database Snapshot Via ADExplorer EventType = Process.Start -Tag = proc-start-invoke-obfuscation-via-use-mshta +Tag = proc-start-suspicious-active-directory-database-snapshot-via-adexplorer RiskScore = 75 -Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Nikita Nazarov, oscd.community"} -Query = Process.CommandLine like r"%set%" and Process.CommandLine like r"%&&%" and Process.CommandLine like r"%mshta%" and Process.CommandLine like r"%vbscript:createobject%" and Process.CommandLine like r"%.run%" and Process.CommandLine like r"%(window.close)%" +Annotation = {"mitre_attack": ["T1552.001", "T1003.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\ADExplorer.exe" or Process.Name == "AdExp") and Process.CommandLine like r"%snapshot%" and (Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%") [ThreatDetectionRule platform=Windows] -# Detects rundll32 loading a renamed comsvcs.dll to dump process memory -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 8cde342c-ba48-4b74-b615-172c330f2e93 -RuleName = Suspicious Renamed Comsvcs DLL Loaded By Rundll32 -EventType = Image.Load -Tag = suspicious-renamed-comsvcs-dll-loaded-by-rundll32 +# Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques +# Author: Florian Roth (Nextron Systems) +RuleId = c86133ad-4725-4bd0-8170-210788e0a7ba +RuleName = Net WebClient Casing Anomalies +EventType = Process.Start +Tag = proc-start-net-webclient-casing-anomalies RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\rundll32.exe" and (Image.Hashes like r"%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%" or Image.Hashes like r"%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%" or Image.Hashes like r"%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%" or Image.Hashes like r"%IMPHASH=407ca0f7b523319d758a40d7c0193699%" or Image.Hashes like r"%IMPHASH=281d618f4e6271e527e6386ea6f748de%") and not Image.Path like r"%\\comsvcs.dll" -GenericProperty1 = Image.Path -GenericProperty2 = Image.Hashes +Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%TgBlAFQALgB3AEUAQg%" or Process.CommandLine like r"%4AZQBUAC4AdwBFAEIA%" or Process.CommandLine like r"%OAGUAVAAuAHcARQBCA%" or Process.CommandLine like r"%bgBFAHQALgB3AGUAYg%" or Process.CommandLine like r"%4ARQB0AC4AdwBlAGIA%" or Process.CommandLine like r"%uAEUAdAAuAHcAZQBiA%" or Process.CommandLine like r"%TgBFAHQALgB3AGUAYg%" or Process.CommandLine like r"%OAEUAdAAuAHcAZQBiA%" or Process.CommandLine like r"%bgBlAFQALgB3AGUAYg%" or Process.CommandLine like r"%4AZQBUAC4AdwBlAGIA%" or Process.CommandLine like r"%uAGUAVAAuAHcAZQBiA%" or Process.CommandLine like r"%TgBlAFQALgB3AGUAYg%" or Process.CommandLine like r"%OAGUAVAAuAHcAZQBiA%" or Process.CommandLine like r"%bgBFAFQALgB3AGUAYg%" or Process.CommandLine like r"%4ARQBUAC4AdwBlAGIA%" or Process.CommandLine like r"%uAEUAVAAuAHcAZQBiA%" or Process.CommandLine like r"%bgBlAHQALgBXAGUAYg%" or 
Process.CommandLine like r"%4AZQB0AC4AVwBlAGIA%" or Process.CommandLine like r"%uAGUAdAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBFAHQALgBXAGUAYg%" or Process.CommandLine like r"%4ARQB0AC4AVwBlAGIA%" or Process.CommandLine like r"%uAEUAdAAuAFcAZQBiA%" or Process.CommandLine like r"%TgBFAHQALgBXAGUAYg%" or Process.CommandLine like r"%OAEUAdAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBlAFQALgBXAGUAYg%" or Process.CommandLine like r"%4AZQBUAC4AVwBlAGIA%" or Process.CommandLine like r"%uAGUAVAAuAFcAZQBiA%" or Process.CommandLine like r"%TgBlAFQALgBXAGUAYg%" or Process.CommandLine like r"%OAGUAVAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBFAFQALgBXAGUAYg%" or Process.CommandLine like r"%4ARQBUAC4AVwBlAGIA%" or Process.CommandLine like r"%uAEUAVAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBlAHQALgB3AEUAYg%" or Process.CommandLine like r"%4AZQB0AC4AdwBFAGIA%" or Process.CommandLine like r"%uAGUAdAAuAHcARQBiA%" or Process.CommandLine like r"%TgBlAHQALgB3AEUAYg%" or Process.CommandLine like r"%OAGUAdAAuAHcARQBiA%" or Process.CommandLine like r"%bgBFAHQALgB3AEUAYg%" or Process.CommandLine like r"%4ARQB0AC4AdwBFAGIA%" or Process.CommandLine like r"%uAEUAdAAuAHcARQBiA%" or Process.CommandLine like r"%TgBFAHQALgB3AEUAYg%" or Process.CommandLine like r"%OAEUAdAAuAHcARQBiA%" or Process.CommandLine like r"%bgBlAFQALgB3AEUAYg%" or Process.CommandLine like r"%4AZQBUAC4AdwBFAGIA%" or Process.CommandLine like r"%uAGUAVAAuAHcARQBiA%" or Process.CommandLine like r"%TgBlAFQALgB3AEUAYg%" or Process.CommandLine like r"%OAGUAVAAuAHcARQBiA%" or Process.CommandLine like r"%bgBFAFQALgB3AEUAYg%" or Process.CommandLine like r"%4ARQBUAC4AdwBFAGIA%" or Process.CommandLine like r"%uAEUAVAAuAHcARQBiA%" or Process.CommandLine like r"%TgBFAFQALgB3AEUAYg%" or Process.CommandLine like r"%OAEUAVAAuAHcARQBiA%" or Process.CommandLine like r"%bgBlAHQALgBXAEUAYg%" or Process.CommandLine like r"%4AZQB0AC4AVwBFAGIA%" or Process.CommandLine like r"%uAGUAdAAuAFcARQBiA%" or Process.CommandLine 
like r"%TgBlAHQALgBXAEUAYg%" or Process.CommandLine like r"%OAGUAdAAuAFcARQBiA%" or Process.CommandLine like r"%bgBFAHQALgBXAEUAYg%" or Process.CommandLine like r"%4ARQB0AC4AVwBFAGIA%" or Process.CommandLine like r"%uAEUAdAAuAFcARQBiA%" or Process.CommandLine like r"%TgBFAHQALgBXAEUAYg%" or Process.CommandLine like r"%OAEUAdAAuAFcARQBiA%" or Process.CommandLine like r"%bgBlAFQALgBXAEUAYg%" or Process.CommandLine like r"%4AZQBUAC4AVwBFAGIA%" or Process.CommandLine like r"%uAGUAVAAuAFcARQBiA%" or Process.CommandLine like r"%TgBlAFQALgBXAEUAYg%" or Process.CommandLine like r"%OAGUAVAAuAFcARQBiA%" or Process.CommandLine like r"%bgBFAFQALgBXAEUAYg%" or Process.CommandLine like r"%4ARQBUAC4AVwBFAGIA%" or Process.CommandLine like r"%uAEUAVAAuAFcARQBiA%" or Process.CommandLine like r"%TgBFAFQALgBXAEUAYg%" or Process.CommandLine like r"%OAEUAVAAuAFcARQBiA%" or Process.CommandLine like r"%bgBlAHQALgB3AGUAQg%" or Process.CommandLine like r"%4AZQB0AC4AdwBlAEIA%" or Process.CommandLine like r"%uAGUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBlAHQALgB3AGUAQg%" or Process.CommandLine like r"%OAGUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBFAHQALgB3AGUAQg%" or Process.CommandLine like r"%4ARQB0AC4AdwBlAEIA%" or Process.CommandLine like r"%uAEUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBFAHQALgB3AGUAQg%" or Process.CommandLine like r"%OAEUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBlAFQALgB3AGUAQg%" or Process.CommandLine like r"%4AZQBUAC4AdwBlAEIA%" or Process.CommandLine like r"%uAGUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBlAFQALgB3AGUAQg%" or Process.CommandLine like r"%OAGUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBFAFQALgB3AGUAQg%" or Process.CommandLine like r"%4ARQBUAC4AdwBlAEIA%" or Process.CommandLine like r"%uAEUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBFAFQALgB3AGUAQg%" or Process.CommandLine like r"%OAEUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBlAHQALgBXAGUAQg%" or Process.CommandLine like 
r"%4AZQB0AC4AVwBlAEIA%" or Process.CommandLine like r"%uAGUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBlAHQALgBXAGUAQg%" or Process.CommandLine like r"%OAGUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBFAHQALgBXAGUAQg%" or Process.CommandLine like r"%4ARQB0AC4AVwBlAEIA%" or Process.CommandLine like r"%uAEUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBFAHQALgBXAGUAQg%" or Process.CommandLine like r"%OAEUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBlAFQALgBXAGUAQg%" or Process.CommandLine like r"%4AZQBUAC4AVwBlAEIA%" or Process.CommandLine like r"%uAGUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBlAFQALgBXAGUAQg%" or Process.CommandLine like r"%OAGUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBFAFQALgBXAGUAQg%" or Process.CommandLine like r"%4ARQBUAC4AVwBlAEIA%" or Process.CommandLine like r"%uAEUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBFAFQALgBXAGUAQg%" or Process.CommandLine like r"%OAEUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBlAHQALgB3AEUAQg%" or Process.CommandLine like r"%4AZQB0AC4AdwBFAEIA%" or Process.CommandLine like r"%uAGUAdAAuAHcARQBCA%" or Process.CommandLine like r"%TgBlAHQALgB3AEUAQg%" or Process.CommandLine like r"%OAGUAdAAuAHcARQBCA%" or Process.CommandLine like r"%bgBFAHQALgB3AEUAQg%" or Process.CommandLine like r"%4ARQB0AC4AdwBFAEIA%" or Process.CommandLine like r"%uAEUAdAAuAHcARQBCA%" or Process.CommandLine like r"%TgBFAHQALgB3AEUAQg%" or Process.CommandLine like r"%OAEUAdAAuAHcARQBCA%" or Process.CommandLine like r"%bgBlAFQALgB3AEUAQg%" or Process.CommandLine like r"%uAGUAVAAuAHcARQBCA%" or Process.CommandLine like r"%bgBFAFQALgB3AEUAQg%" or Process.CommandLine like r"%4ARQBUAC4AdwBFAEIA%" or Process.CommandLine like r"%uAEUAVAAuAHcARQBCA%" or Process.CommandLine like r"%TgBFAFQALgB3AEUAQg%" or Process.CommandLine like r"%OAEUAVAAuAHcARQBCA%" or Process.CommandLine like r"%TgBlAHQALgBXAEUAQg%" or Process.CommandLine like r"%4AZQB0AC4AVwBFAEIA%" or Process.CommandLine like r"%OAGUAdAAuAFcARQBCA%" 
or Process.CommandLine like r"%bgBFAHQALgBXAEUAQg%" or Process.CommandLine like r"%4ARQB0AC4AVwBFAEIA%" or Process.CommandLine like r"%uAEUAdAAuAFcARQBCA%" or Process.CommandLine like r"%TgBFAHQALgBXAEUAQg%" or Process.CommandLine like r"%OAEUAdAAuAFcARQBCA%" or Process.CommandLine like r"%bgBlAFQALgBXAEUAQg%" or Process.CommandLine like r"%4AZQBUAC4AVwBFAEIA%" or Process.CommandLine like r"%uAGUAVAAuAFcARQBCA%" or Process.CommandLine like r"%TgBlAFQALgBXAEUAQg%" or Process.CommandLine like r"%OAGUAVAAuAFcARQBCA%" or Process.CommandLine like r"%bgBFAFQALgBXAEUAQg%" or Process.CommandLine like r"%4ARQBUAC4AVwBFAEIA%" or Process.CommandLine like r"%uAEUAVAAuAFcARQBCA%") [ThreatDetectionRule platform=Windows] -# Detects execution of the IEExec utility to download and execute files -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 9801abb8-e297-4dbf-9fbd-57dde0e830ad -RuleName = File Download And Execution Via IEExec.EXE +# Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. 
+# Author: Ensar Şamil, @sblmsrsn, @oscd_initiative +RuleId = 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a +RuleName = Time Travel Debugging Utility Usage EventType = Process.Start -Tag = proc-start-file-download-and-execution-via-ieexec.exe +Tag = proc-start-time-travel-debugging-utility-usage RiskScore = 75 -Annotation = {"mitre_attack": ["T1105"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\IEExec.exe" or Process.Name == "IEExec.exe") and (Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%") +Annotation = {"mitre_attack": ["T1218", "T1003.001"], "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative"} +Query = Parent.Path like r"%\\tttracer.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors -# Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov -RuleId = 79ce34ca-af29-4d0e-b832-fc1b377020db -RuleName = Whoami.EXE Execution From Privileged Process -EventType = Process.Start -Tag = proc-start-whoami.exe-execution-from-privileged-process +# Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence +# Author: Cedric MAURUGEON +RuleId = 0a1f9d29-6465-4776-b091-7f43b26e4c89 +RuleName = Prefetch File Deleted +EventType = File.Delete +Tag = prefetch-file-deleted RiskScore = 75 -Annotation = {"mitre_attack": ["T1033"], "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov"} -Query = (Process.Name == "whoami.exe" or Process.Path like r"%\\whoami.exe") and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%" or Process.User like r"%TrustedInstaller%") +Annotation = {"mitre_attack": ["T1070.004"], "author": "Cedric MAURUGEON"} +Query = File.Path like r"%:\\Windows\\Prefetch\\%" and File.Path like r"%.pf" and not (Process.Path like r"%:\\windows\\system32\\svchost.exe" and (Process.User like r"%AUTHORI%" or 
Process.User like r"%AUTORI%")) GenericProperty1 = Process.User +GenericProperty2 = File.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious new RUN key element pointing to an executable in a suspicious folder -# Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing -RuleId = 02ee49e2-e294-4d0f-9278-f5b3212fc588 -RuleName = New RUN Key Pointing to Suspicious Folder -EventType = Reg.Any -Tag = new-run-key-pointing-to-suspicious-folder +# Detects a Windows command line executable started from MMC +# Author: Karneades, Swisscom CSIRT +RuleId = 05a2ab7e-ce11-4b63-86db-ab32e763e11d +RuleName = MMC Spawning Windows Shell +EventType = Process.Start +Tag = proc-start-mmc-spawning-windows-shell RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.001"], "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing"} -Query = (Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\%" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\%") and (Reg.Value.Data like r"%:\\$Recycle.bin\\%" or Reg.Value.Data like r"%:\\Temp\\%" or Reg.Value.Data like r"%:\\Users\\Default\\%" or Reg.Value.Data like r"%:\\Users\\Desktop\\%" or Reg.Value.Data like r"%:\\Users\\Public\\%" or Reg.Value.Data like r"%:\\Windows\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%\%temp\%\\%" or Reg.Value.Data like r"%\%tmp\%\\%" or Reg.Value.Data like r"\%Public\%\\%" or Reg.Value.Data like r"wscript%" or Reg.Value.Data like r"cscript%") and not (Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\%" and Process.Path like r"C:\\Windows\\SoftwareDistribution\\Download\\%" and Reg.Value.Data like r"%rundll32.exe %" and Reg.Value.Data like r"%C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32%" and (Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%C:\\Windows\\Temp\\%")) -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject 
-GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1021.003"], "author": "Karneades, Swisscom CSIRT"} +Query = Parent.Path like r"%\\mmc.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\BITSADMIN%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = c74c0390-3e20-41fd-a69a-128f0275a5ea -RuleName = Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths +# Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module +# Author: Bartlomiej Czyz, Relativity +RuleId = 5bb68627-3198-40ca-b458-49f973db8752 +RuleName = Rundll32 Execution Without Parameters EventType = Process.Start -Tag = proc-start-cab-file-extraction-via-wusa.exe-from-potentially-suspicious-paths +Tag = proc-start-rundll32-execution-without-parameters RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\wusa.exe" and Process.CommandLine like r"%/extract:%" and (Process.CommandLine like r"%:\\PerfLogs\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\Appdata\\Local\\Temp\\%") +Annotation = {"mitre_attack": ["T1021.002", "T1570", "T1569.002"], "author": "Bartlomiej Czyz, Relativity"} +Query = Process.CommandLine in ["rundll32.exe", "rundll32"] [ThreatDetectionRule platform=Windows] -# Unfixed method 
for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. -# Author: oscd.community, Dmitry Uchakin -RuleId = 6ea3bf32-9680-422d-9f50-e90716b12a66 -RuleName = UAC Bypass Via Wsreset +# Detects the creation of known offensive powershell scripts used for exploitation +# Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein +RuleId = f331aa1f-8c53-4fc3-b083-cc159bc971cb +RuleName = Malicious PowerShell Scripts - FileCreation +EventType = File.Create +Tag = malicious-powershell-scripts-filecreation +RiskScore = 75 +Annotation = {"mitre_attack": ["T1059.001"], "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein"} +Query = File.Path like r"%\\Add-ConstrainedDelegationBackdoor.ps1" or File.Path like r"%\\Add-Exfiltration.ps1" or File.Path like r"%\\Add-Persistence.ps1" or File.Path like r"%\\Add-RegBackdoor.ps1" or File.Path like r"%\\Add-RemoteRegBackdoor.ps1" or File.Path like r"%\\Add-ScrnSaveBackdoor.ps1" or File.Path like r"%\\ADRecon.ps1" or File.Path like r"%\\AzureADRecon.ps1" or File.Path like r"%\\Check-VM.ps1" or File.Path like r"%\\ConvertTo-ROT13.ps1" or File.Path like r"%\\Copy-VSS.ps1" or File.Path like r"%\\Create-MultipleSessions.ps1" or File.Path like r"%\\DNS\_TXT\_Pwnage.ps1" or File.Path like r"%\\dnscat2.ps1" or File.Path like r"%\\Do-Exfiltration.ps1" or File.Path like r"%\\DomainPasswordSpray.ps1" or File.Path like r"%\\Download\_Execute.ps1" or File.Path like r"%\\Download-Execute-PS.ps1" or File.Path like r"%\\Enable-DuplicateToken.ps1" or File.Path like r"%\\Enabled-DuplicateToken.ps1" or File.Path like r"%\\Execute-Command-MSSQL.ps1" or File.Path like r"%\\Execute-DNSTXT-Code.ps1" or File.Path like r"%\\Execute-OnTime.ps1" or File.Path like r"%\\ExetoText.ps1" or File.Path like r"%\\Exploit-Jboss.ps1" or File.Path like r"%\\Find-AVSignature.ps1" or File.Path 
like r"%\\Find-Fruit.ps1" or File.Path like r"%\\Find-GPOLocation.ps1" or File.Path like r"%\\Find-TrustedDocuments.ps1" or File.Path like r"%\\FireBuster.ps1" or File.Path like r"%\\FireListener.ps1" or File.Path like r"%\\Get-ApplicationHost.ps1" or File.Path like r"%\\Get-ChromeDump.ps1" or File.Path like r"%\\Get-ClipboardContents.ps1" or File.Path like r"%\\Get-ComputerDetail.ps1" or File.Path like r"%\\Get-FoxDump.ps1" or File.Path like r"%\\Get-GPPAutologon.ps1" or File.Path like r"%\\Get-GPPPassword.ps1" or File.Path like r"%\\Get-IndexedItem.ps1" or File.Path like r"%\\Get-Keystrokes.ps1" or File.Path like r"%\\Get-LSASecret.ps1" or File.Path like r"%\\Get-MicrophoneAudio.ps1" or File.Path like r"%\\Get-PassHashes.ps1" or File.Path like r"%\\Get-PassHints.ps1" or File.Path like r"%\\Get-RegAlwaysInstallElevated.ps1" or File.Path like r"%\\Get-RegAutoLogon.ps1" or File.Path like r"%\\Get-RickAstley.ps1" or File.Path like r"%\\Get-Screenshot.ps1" or File.Path like r"%\\Get-SecurityPackages.ps1" or File.Path like r"%\\Get-ServiceFilePermission.ps1" or File.Path like r"%\\Get-ServicePermission.ps1" or File.Path like r"%\\Get-ServiceUnquoted.ps1" or File.Path like r"%\\Get-SiteListPassword.ps1" or File.Path like r"%\\Get-System.ps1" or File.Path like r"%\\Get-TimedScreenshot.ps1" or File.Path like r"%\\Get-UnattendedInstallFile.ps1" or File.Path like r"%\\Get-Unconstrained.ps1" or File.Path like r"%\\Get-USBKeystrokes.ps1" or File.Path like r"%\\Get-VaultCredential.ps1" or File.Path like r"%\\Get-VulnAutoRun.ps1" or File.Path like r"%\\Get-VulnSchTask.ps1" or File.Path like r"%\\Get-WebConfig.ps1" or File.Path like r"%\\Get-WebCredentials.ps1" or File.Path like r"%\\Get-WLAN-Keys.ps1" or File.Path like r"%\\Gupt-Backdoor.ps1" or File.Path like r"%\\HTTP-Backdoor.ps1" or File.Path like r"%\\HTTP-Login.ps1" or File.Path like r"%\\Install-ServiceBinary.ps1" or File.Path like r"%\\Install-SSP.ps1" or File.Path like r"%\\Invoke-ACLScanner.ps1" or File.Path like 
r"%\\Invoke-ADSBackdoor.ps1" or File.Path like r"%\\Invoke-AmsiBypass.ps1" or File.Path like r"%\\Invoke-ARPScan.ps1" or File.Path like r"%\\Invoke-BackdoorLNK.ps1" or File.Path like r"%\\Invoke-BadPotato.ps1" or File.Path like r"%\\Invoke-BetterSafetyKatz.ps1" or File.Path like r"%\\Invoke-BruteForce.ps1" or File.Path like r"%\\Invoke-BypassUAC.ps1" or File.Path like r"%\\Invoke-Carbuncle.ps1" or File.Path like r"%\\Invoke-Certify.ps1" or File.Path like r"%\\Invoke-ConPtyShell.ps1" or File.Path like r"%\\Invoke-CredentialInjection.ps1" or File.Path like r"%\\Invoke-CredentialsPhish.ps1" or File.Path like r"%\\Invoke-DAFT.ps1" or File.Path like r"%\\Invoke-DCSync.ps1" or File.Path like r"%\\Invoke-Decode.ps1" or File.Path like r"%\\Invoke-DinvokeKatz.ps1" or File.Path like r"%\\Invoke-DllInjection.ps1" or File.Path like r"%\\Invoke-DNSUpdate.ps1" or File.Path like r"%\\Invoke-DowngradeAccount.ps1" or File.Path like r"%\\Invoke-EgressCheck.ps1" or File.Path like r"%\\Invoke-Encode.ps1" or File.Path like r"%\\Invoke-EventViewer.ps1" or File.Path like r"%\\Invoke-Eyewitness.ps1" or File.Path like r"%\\Invoke-FakeLogonScreen.ps1" or File.Path like r"%\\Invoke-Farmer.ps1" or File.Path like r"%\\Invoke-Get-RBCD-Threaded.ps1" or File.Path like r"%\\Invoke-Gopher.ps1" or File.Path like r"%\\Invoke-Grouper2.ps1" or File.Path like r"%\\Invoke-Grouper3.ps1" or File.Path like r"%\\Invoke-HandleKatz.ps1" or File.Path like r"%\\Invoke-Interceptor.ps1" or File.Path like r"%\\Invoke-Internalmonologue.ps1" or File.Path like r"%\\Invoke-Inveigh.ps1" or File.Path like r"%\\Invoke-InveighRelay.ps1" or File.Path like r"%\\Invoke-JSRatRegsvr.ps1" or File.Path like r"%\\Invoke-JSRatRundll.ps1" or File.Path like r"%\\Invoke-KrbRelay.ps1" or File.Path like r"%\\Invoke-KrbRelayUp.ps1" or File.Path like r"%\\Invoke-LdapSignCheck.ps1" or File.Path like r"%\\Invoke-Lockless.ps1" or File.Path like r"%\\Invoke-MalSCCM.ps1" or File.Path like r"%\\Invoke-Mimikatz.ps1" or File.Path like 
r"%\\Invoke-MimikatzWDigestDowngrade.ps1" or File.Path like r"%\\Invoke-Mimikittenz.ps1" or File.Path like r"%\\Invoke-MITM6.ps1" or File.Path like r"%\\Invoke-NanoDump.ps1" or File.Path like r"%\\Invoke-NetRipper.ps1" or File.Path like r"%\\Invoke-NetworkRelay.ps1" or File.Path like r"%\\Invoke-NinjaCopy.ps1" or File.Path like r"%\\Invoke-OxidResolver.ps1" or File.Path like r"%\\Invoke-P0wnedshell.ps1" or File.Path like r"%\\Invoke-P0wnedshellx86.ps1" or File.Path like r"%\\Invoke-Paranoia.ps1" or File.Path like r"%\\Invoke-PortScan.ps1" or File.Path like r"%\\Invoke-PoshRatHttp.ps1" or File.Path like r"%\\Invoke-PoshRatHttps.ps1" or File.Path like r"%\\Invoke-PostExfil.ps1" or File.Path like r"%\\Invoke-PowerDump.ps1" or File.Path like r"%\\Invoke-PowerShellIcmp.ps1" or File.Path like r"%\\Invoke-PowerShellTCP.ps1" or File.Path like r"%\\Invoke-PowerShellTcpOneLine.ps1" or File.Path like r"%\\Invoke-PowerShellTcpOneLineBind.ps1" or File.Path like r"%\\Invoke-PowerShellUdp.ps1" or File.Path like r"%\\Invoke-PowerShellUdpOneLine.ps1" or File.Path like r"%\\Invoke-PowerShellWMI.ps1" or File.Path like r"%\\Invoke-PowerThIEf.ps1" or File.Path like r"%\\Invoke-PPLDump.ps1" or File.Path like r"%\\Invoke-Prasadhak.ps1" or File.Path like r"%\\Invoke-PsExec.ps1" or File.Path like r"%\\Invoke-PsGcat.ps1" or File.Path like r"%\\Invoke-PsGcatAgent.ps1" or File.Path like r"%\\Invoke-PSInject.ps1" or File.Path like r"%\\Invoke-PsUaCme.ps1" or File.Path like r"%\\Invoke-ReflectivePEInjection.ps1" or File.Path like r"%\\Invoke-ReverseDNSLookup.ps1" or File.Path like r"%\\Invoke-Rubeus.ps1" or File.Path like r"%\\Invoke-RunAs.ps1" or File.Path like r"%\\Invoke-SafetyKatz.ps1" or File.Path like r"%\\Invoke-SauronEye.ps1" or File.Path like r"%\\Invoke-SCShell.ps1" or File.Path like r"%\\Invoke-Seatbelt.ps1" or File.Path like r"%\\Invoke-ServiceAbuse.ps1" or File.Path like r"%\\Invoke-SessionGopher.ps1" or File.Path like r"%\\Invoke-ShellCode.ps1" or File.Path like 
r"%\\Invoke-SMBScanner.ps1" or File.Path like r"%\\Invoke-Snaffler.ps1" or File.Path like r"%\\Invoke-Spoolsample.ps1" or File.Path like r"%\\Invoke-SSHCommand.ps1" or File.Path like r"%\\Invoke-SSIDExfil.ps1" or File.Path like r"%\\Invoke-StandIn.ps1" or File.Path like r"%\\Invoke-StickyNotesExtract.ps1" or File.Path like r"%\\Invoke-Tater.ps1" or File.Path like r"%\\Invoke-Thunderfox.ps1" or File.Path like r"%\\Invoke-ThunderStruck.ps1" or File.Path like r"%\\Invoke-TokenManipulation.ps1" or File.Path like r"%\\Invoke-Tokenvator.ps1" or File.Path like r"%\\Invoke-TotalExec.ps1" or File.Path like r"%\\Invoke-UrbanBishop.ps1" or File.Path like r"%\\Invoke-UserHunter.ps1" or File.Path like r"%\\Invoke-VoiceTroll.ps1" or File.Path like r"%\\Invoke-Whisker.ps1" or File.Path like r"%\\Invoke-WinEnum.ps1" or File.Path like r"%\\Invoke-winPEAS.ps1" or File.Path like r"%\\Invoke-WireTap.ps1" or File.Path like r"%\\Invoke-WmiCommand.ps1" or File.Path like r"%\\Invoke-WScriptBypassUAC.ps1" or File.Path like r"%\\Invoke-Zerologon.ps1" or File.Path like r"%\\Keylogger.ps1" or File.Path like r"%\\MailRaider.ps1" or File.Path like r"%\\New-HoneyHash.ps1" or File.Path like r"%\\OfficeMemScraper.ps1" or File.Path like r"%\\Offline\_Winpwn.ps1" or File.Path like r"%\\Out-CHM.ps1" or File.Path like r"%\\Out-DnsTxt.ps1" or File.Path like r"%\\Out-Excel.ps1" or File.Path like r"%\\Out-HTA.ps1" or File.Path like r"%\\Out-Java.ps1" or File.Path like r"%\\Out-JS.ps1" or File.Path like r"%\\Out-Minidump.ps1" or File.Path like r"%\\Out-RundllCommand.ps1" or File.Path like r"%\\Out-SCF.ps1" or File.Path like r"%\\Out-SCT.ps1" or File.Path like r"%\\Out-Shortcut.ps1" or File.Path like r"%\\Out-WebQuery.ps1" or File.Path like r"%\\Out-Word.ps1" or File.Path like r"%\\Parse\_Keys.ps1" or File.Path like r"%\\Port-Scan.ps1" or File.Path like r"%\\PowerBreach.ps1" or File.Path like r"%\\powercat.ps1" or File.Path like r"%\\Powermad.ps1" or File.Path like r"%\\PowerRunAsSystem.psm1" or File.Path 
like r"%\\PowerSharpPack.ps1" or File.Path like r"%\\PowerUp.ps1" or File.Path like r"%\\PowerUpSQL.ps1" or File.Path like r"%\\PowerView.ps1" or File.Path like r"%\\PSAsyncShell.ps1" or File.Path like r"%\\RemoteHashRetrieval.ps1" or File.Path like r"%\\Remove-Persistence.ps1" or File.Path like r"%\\Remove-PoshRat.ps1" or File.Path like r"%\\Remove-Update.ps1" or File.Path like r"%\\Run-EXEonRemote.ps1" or File.Path like r"%\\Schtasks-Backdoor.ps1" or File.Path like r"%\\Set-DCShadowPermissions.ps1" or File.Path like r"%\\Set-MacAttribute.ps1" or File.Path like r"%\\Set-RemotePSRemoting.ps1" or File.Path like r"%\\Set-RemoteWMI.ps1" or File.Path like r"%\\Set-Wallpaper.ps1" or File.Path like r"%\\Show-TargetScreen.ps1" or File.Path like r"%\\Speak.ps1" or File.Path like r"%\\Start-CaptureServer.ps1" or File.Path like r"%\\Start-WebcamRecorder.ps1" or File.Path like r"%\\StringToBase64.ps1" or File.Path like r"%\\TexttoExe.ps1" or File.Path like r"%\\VolumeShadowCopyTools.ps1" or File.Path like r"%\\WinPwn.ps1" or File.Path like r"%\\WSUSpendu.ps1" or File.Path like r"%Invoke-Sharp%" and File.Path like r"%.ps1" +GenericProperty1 = File.Path + + +[ThreatDetectionRule platform=Windows] +# Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. 
This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = e7b18879-676e-4a0e-ae18-27039185a8e7 +RuleName = New Netsh Helper DLL Registered From A Suspicious Location EventType = Reg.Any -Tag = uac-bypass-via-wsreset +Tag = new-netsh-helper-dll-registered-from-a-suspicious-location RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "oscd.community, Dmitry Uchakin"} -Query = Reg.TargetObject like r"%\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command" +Annotation = {"mitre_attack": ["T1546.007"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\NetSh%" and (Reg.Value.Data like r"%:\\Perflogs\\%" or Reg.Value.Data like r"%:\\Users\\Public\\%" or Reg.Value.Data like r"%:\\Windows\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%\\Temporary Internet%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favorites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favourites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Contacts\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Pictures\\%") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection -# Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) -RuleId = 452bce90-6fb0-43cc-97a5-affc283139b3 -RuleName = Suspicious Windows Defender Registry Key Tampering Via Reg.EXE +# Detects actions that clear the local ShimCache and remove forensic evidence +# Author: Florian Roth (Nextron Systems) +RuleId = 
b0524451-19af-4efa-a46f-562a977f792e +RuleName = ShimCache Flush EventType = Process.Start -Tag = proc-start-suspicious-windows-defender-registry-key-tampering-via-reg.exe +Tag = proc-start-shimcache-flush RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and (Process.CommandLine like r"%SOFTWARE\\Microsoft\\Windows Defender\\%" or Process.CommandLine like r"%SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center%" or Process.CommandLine like r"%SOFTWARE\\Policies\\Microsoft\\Windows Defender\\%") and (Process.CommandLine like r"% add %" and Process.CommandLine like r"%d 0%" and (Process.CommandLine like r"%DisallowExploitProtectionOverride%" or Process.CommandLine like r"%EnableControlledFolderAccess%" or Process.CommandLine like r"%MpEnablePus%" or Process.CommandLine like r"%PUAProtection%" or Process.CommandLine like r"%SpynetReporting%" or Process.CommandLine like r"%SubmitSamplesConsent%" or Process.CommandLine like r"%TamperProtection%") or Process.CommandLine like r"% add %" and Process.CommandLine like r"%d 1%" and (Process.CommandLine like r"%DisableAntiSpyware%" or Process.CommandLine like r"%DisableAntiSpywareRealtimeProtection%" or Process.CommandLine like r"%DisableAntiVirus%" or Process.CommandLine like r"%DisableArchiveScanning%" or Process.CommandLine like r"%DisableBehaviorMonitoring%" or Process.CommandLine like r"%DisableBlockAtFirstSeen%" or Process.CommandLine like r"%DisableConfig%" or Process.CommandLine like r"%DisableEnhancedNotifications%" or Process.CommandLine like r"%DisableIntrusionPreventionSystem%" or Process.CommandLine like r"%DisableIOAVProtection%" or Process.CommandLine like r"%DisableOnAccessProtection%" or Process.CommandLine like r"%DisablePrivacyMode%" or Process.CommandLine like r"%DisableRealtimeMonitoring%" or 
Process.CommandLine like r"%DisableRoutinelyTakingAction%" or Process.CommandLine like r"%DisableScanOnRealtimeEnable%" or Process.CommandLine like r"%DisableScriptScanning%" or Process.CommandLine like r"%Notification\_Suppress%" or Process.CommandLine like r"%SignatureDisableUpdateOnStartupWithoutEngine%")) +Annotation = {"mitre_attack": ["T1112"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%apphelp.dll%" and (Process.CommandLine like r"%ShimFlushCache%" or Process.CommandLine like r"%#250%") or Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%kernel32.dll%" and (Process.CommandLine like r"%BaseFlushAppcompatCache%" or Process.CommandLine like r"%#46%") [ThreatDetectionRule platform=Windows] -# Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 05b2aa93-1210-42c8-8d9a-2fcc13b284f5 -RuleName = Service Registry Key Deleted Via Reg.EXE +# Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion. 
+# Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community +RuleId = a238b5d0-ce2d-4414-a676-7a531b3d13d6 +RuleName = ETW Trace Evasion Activity EventType = Process.Start -Tag = proc-start-service-registry-key-deleted-via-reg.exe +Tag = proc-start-etw-trace-evasion-activity RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"% delete %" and Process.CommandLine like r"%\\SYSTEM\\CurrentControlSet\\services\\%" +Annotation = {"mitre_attack": ["T1070", "T1562.006"], "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community"} +Query = Process.CommandLine like r"%cl%" and Process.CommandLine like r"%/Trace%" or Process.CommandLine like r"%clear-log%" and Process.CommandLine like r"%/Trace%" or Process.CommandLine like r"%sl%" and Process.CommandLine like r"%/e:false%" or Process.CommandLine like r"%set-log%" and Process.CommandLine like r"%/e:false%" or Process.CommandLine like r"%logman%" and Process.CommandLine like r"%update%" and Process.CommandLine like r"%trace%" and Process.CommandLine like r"%--p%" and Process.CommandLine like r"%-ets%" or Process.CommandLine like r"%Remove-EtwTraceProvider%" or Process.CommandLine like r"%Set-EtwTraceProvider%" and Process.CommandLine like r"%0x11%" + + +[ThreatDetectionRule platform=Windows] +# Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. 
+# Author: Aaron Stratton +RuleId = 551d9c1f-816c-445b-a7a6-7a3864720d60 +RuleName = Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp +EventType = Process.Start +Tag = proc-start-potential-excel.exe-dcom-lateral-movement-via-activatemicrosoftapp +RiskScore = 75 +Annotation = {"mitre_attack": ["T1021.003"], "author": "Aaron Stratton"} +Query = Parent.Path like r"%\\excel.exe" and (Process.Name in ["foxprow.exe", "schdplus.exe", "winproj.exe"] or Process.Path like r"%\\foxprow.exe" or Process.Path like r"%\\schdplus.exe" or Process.Path like r"%\\winproj.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] 
@@ -1502,1082 +1544,1070 @@ GenericProperty2 = Parent.CommandLine
 [ThreatDetectionRule platform=Windows]
-# Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
-# Author: Vadim Khrykov, Cyb3rEng
-RuleId = e1693bc8-7168-4eab-8718-cdcaa68a1738
-RuleName = Suspicious WMIC Execution Via Office Process
-EventType = Process.Start
-Tag = proc-start-suspicious-wmic-execution-via-office-process
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1204.002", "T1047", "T1218.010"], "author": "Vadim Khrykov, Cyb3rEng"}
-Query = (Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\MSACCESS.EXE" or Parent.Path like r"%\\EQNEDT32.EXE" or Parent.Path like r"%\\ONENOTE.EXE" or Parent.Path like r"%\\wordpad.exe" or Parent.Path like r"%\\wordview.exe") and (Process.Path like r"%\\wbem\\WMIC.exe" or Process.Name == "wmic.exe") and Process.CommandLine like r"%process%" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%call%" and (Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%msiexec%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%verclsid%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%")
-GenericProperty1 = Parent.Path
-
-
-[ThreatDetectionRule platform=Windows]
-# Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 4fc0deee-0057-4998-ab31-d24e46e0aba4
-RuleName = Potential System DLL Sideloading From Non System Locations
-EventType = Image.Load
-Tag = potential-system-dll-sideloading-from-non-system-locations
+# Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
+# Author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)
+RuleId = 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
+RuleName = Potential File Extension Spoofing Using Right-to-Left Override
+EventType = File.Create
+Tag = potential-file-extension-spoofing-using-right-to-left-override
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Image.Path like r"%\\aclui.dll" or Image.Path like r"%\\activeds.dll" or Image.Path like r"%\\adsldpc.dll" or Image.Path like r"%\\aepic.dll" or Image.Path like r"%\\apphelp.dll" or Image.Path like r"%\\applicationframe.dll" or Image.Path like r"%\\appvpolicy.dll" or Image.Path like r"%\\appxalluserstore.dll" or Image.Path like r"%\\appxdeploymentclient.dll" or Image.Path like r"%\\archiveint.dll" or Image.Path like r"%\\atl.dll" or Image.Path like r"%\\audioses.dll" or Image.Path like r"%\\auditpolcore.dll" or Image.Path like r"%\\authfwcfg.dll" or Image.Path like r"%\\authz.dll" or Image.Path like r"%\\avrt.dll" or Image.Path like r"%\\batmeter.dll" or Image.Path like r"%\\bcd.dll" or Image.Path like r"%\\bcp47langs.dll" or Image.Path like r"%\\bcp47mrm.dll" or Image.Path like r"%\\bcrypt.dll" or Image.Path like r"%\\bderepair.dll" or Image.Path like r"%\\bootmenuux.dll" or Image.Path like r"%\\bootux.dll" or Image.Path like r"%\\cabinet.dll" or Image.Path like r"%\\cabview.dll" or Image.Path like r"%\\certcli.dll" or Image.Path like r"%\\certenroll.dll" or Image.Path like r"%\\cfgmgr32.dll" or Image.Path like r"%\\cldapi.dll" or Image.Path like r"%\\clipc.dll" 
or Image.Path like r"%\\clusapi.dll" or Image.Path like r"%\\cmpbk32.dll" or Image.Path like r"%\\cmutil.dll" or Image.Path like r"%\\coloradapterclient.dll" or Image.Path like r"%\\colorui.dll" or Image.Path like r"%\\comdlg32.dll" or Image.Path like r"%\\configmanager2.dll" or Image.Path like r"%\\connect.dll" or Image.Path like r"%\\coredplus.dll" or Image.Path like r"%\\coremessaging.dll" or Image.Path like r"%\\coreuicomponents.dll" or Image.Path like r"%\\credui.dll" or Image.Path like r"%\\cryptbase.dll" or Image.Path like r"%\\cryptdll.dll" or Image.Path like r"%\\cryptsp.dll" or Image.Path like r"%\\cryptui.dll" or Image.Path like r"%\\cryptxml.dll" or Image.Path like r"%\\cscapi.dll" or Image.Path like r"%\\cscobj.dll" or Image.Path like r"%\\cscui.dll" or Image.Path like r"%\\d2d1.dll" or Image.Path like r"%\\d3d10\_1.dll" or Image.Path like r"%\\d3d10\_1core.dll" or Image.Path like r"%\\d3d10.dll" or Image.Path like r"%\\d3d10core.dll" or Image.Path like r"%\\d3d10warp.dll" or Image.Path like r"%\\d3d11.dll" or Image.Path like r"%\\d3d12.dll" or Image.Path like r"%\\d3d9.dll" or Image.Path like r"%\\d3dx9\_43.dll" or Image.Path like r"%\\dataexchange.dll" or Image.Path like r"%\\davclnt.dll" or Image.Path like r"%\\dcntel.dll" or Image.Path like r"%\\dcomp.dll" or Image.Path like r"%\\defragproxy.dll" or Image.Path like r"%\\desktopshellext.dll" or Image.Path like r"%\\deviceassociation.dll" or Image.Path like r"%\\devicecredential.dll" or Image.Path like r"%\\devicepairing.dll" or Image.Path like r"%\\devobj.dll" or Image.Path like r"%\\devrtl.dll" or Image.Path like r"%\\dhcpcmonitor.dll" or Image.Path like r"%\\dhcpcsvc.dll" or Image.Path like r"%\\dhcpcsvc6.dll" or Image.Path like r"%\\directmanipulation.dll" or Image.Path like r"%\\dismapi.dll" or Image.Path like r"%\\dismcore.dll" or Image.Path like r"%\\dmcfgutils.dll" or Image.Path like r"%\\dmcmnutils.dll" or Image.Path like r"%\\dmcommandlineutils.dll" or Image.Path like 
r"%\\dmenrollengine.dll" or Image.Path like r"%\\dmenterprisediagnostics.dll" or Image.Path like r"%\\dmiso8601utils.dll" or Image.Path like r"%\\dmoleaututils.dll" or Image.Path like r"%\\dmprocessxmlfiltered.dll" or Image.Path like r"%\\dmpushproxy.dll" or Image.Path like r"%\\dmxmlhelputils.dll" or Image.Path like r"%\\dnsapi.dll" or Image.Path like r"%\\dot3api.dll" or Image.Path like r"%\\dot3cfg.dll" or Image.Path like r"%\\dpx.dll" or Image.Path like r"%\\drprov.dll" or Image.Path like r"%\\drvstore.dll" or Image.Path like r"%\\dsclient.dll" or Image.Path like r"%\\dsparse.dll" or Image.Path like r"%\\dsprop.dll" or Image.Path like r"%\\dsreg.dll" or Image.Path like r"%\\dsrole.dll" or Image.Path like r"%\\dui70.dll" or Image.Path like r"%\\duser.dll" or Image.Path like r"%\\dusmapi.dll" or Image.Path like r"%\\dwmapi.dll" or Image.Path like r"%\\dwmcore.dll" or Image.Path like r"%\\dwrite.dll" or Image.Path like r"%\\dxcore.dll" or Image.Path like r"%\\dxgi.dll" or Image.Path like r"%\\dxva2.dll" or Image.Path like r"%\\dynamoapi.dll" or Image.Path like r"%\\eappcfg.dll" or Image.Path like r"%\\eappprxy.dll" or Image.Path like r"%\\edgeiso.dll" or Image.Path like r"%\\edputil.dll" or Image.Path like r"%\\efsadu.dll" or Image.Path like r"%\\efsutil.dll" or Image.Path like r"%\\esent.dll" or Image.Path like r"%\\execmodelproxy.dll" or Image.Path like r"%\\explorerframe.dll" or Image.Path like r"%\\fastprox.dll" or Image.Path like r"%\\faultrep.dll" or Image.Path like r"%\\fddevquery.dll" or Image.Path like r"%\\feclient.dll" or Image.Path like r"%\\fhcfg.dll" or Image.Path like r"%\\fhsvcctl.dll" or Image.Path like r"%\\firewallapi.dll" or Image.Path like r"%\\flightsettings.dll" or Image.Path like r"%\\fltlib.dll" or Image.Path like r"%\\framedynos.dll" or Image.Path like r"%\\fveapi.dll" or Image.Path like r"%\\fveskybackup.dll" or Image.Path like r"%\\fvewiz.dll" or Image.Path like r"%\\fwbase.dll" or Image.Path like r"%\\fwcfg.dll" or Image.Path like 
r"%\\fwpolicyiomgr.dll" or Image.Path like r"%\\fwpuclnt.dll" or Image.Path like r"%\\fxsapi.dll" or Image.Path like r"%\\fxsst.dll" or Image.Path like r"%\\fxstiff.dll" or Image.Path like r"%\\getuname.dll" or Image.Path like r"%\\gpapi.dll" or Image.Path like r"%\\hid.dll" or Image.Path like r"%\\hnetmon.dll" or Image.Path like r"%\\httpapi.dll" or Image.Path like r"%\\icmp.dll" or Image.Path like r"%\\idstore.dll" or Image.Path like r"%\\ieadvpack.dll" or Image.Path like r"%\\iedkcs32.dll" or Image.Path like r"%\\iernonce.dll" or Image.Path like r"%\\iertutil.dll" or Image.Path like r"%\\ifmon.dll" or Image.Path like r"%\\ifsutil.dll" or Image.Path like r"%\\inproclogger.dll" or Image.Path like r"%\\iphlpapi.dll" or Image.Path like r"%\\iri.dll" or Image.Path like r"%\\iscsidsc.dll" or Image.Path like r"%\\iscsium.dll" or Image.Path like r"%\\isv.exe\_rsaenh.dll" or Image.Path like r"%\\iumbase.dll" or Image.Path like r"%\\iumsdk.dll" or Image.Path like r"%\\joinutil.dll" or Image.Path like r"%\\kdstub.dll" or Image.Path like r"%\\ksuser.dll" or Image.Path like r"%\\ktmw32.dll" or Image.Path like r"%\\licensemanagerapi.dll" or Image.Path like r"%\\licensingdiagspp.dll" or Image.Path like r"%\\linkinfo.dll" or Image.Path like r"%\\loadperf.dll" or Image.Path like r"%\\lockhostingframework.dll" or Image.Path like r"%\\logoncli.dll" or Image.Path like r"%\\logoncontroller.dll" or Image.Path like r"%\\lpksetupproxyserv.dll" or Image.Path like r"%\\lrwizdll.dll" or Image.Path like r"%\\magnification.dll" or Image.Path like r"%\\maintenanceui.dll" or Image.Path like r"%\\mapistub.dll" or Image.Path like r"%\\mbaexmlparser.dll" or Image.Path like r"%\\mdmdiagnostics.dll" or Image.Path like r"%\\mfc42u.dll" or Image.Path like r"%\\mfcore.dll" or Image.Path like r"%\\mfplat.dll" or Image.Path like r"%\\mi.dll" or Image.Path like r"%\\midimap.dll" or Image.Path like r"%\\mintdh.dll" or Image.Path like r"%\\miutils.dll" or Image.Path like r"%\\mlang.dll" or Image.Path like 
r"%\\mmdevapi.dll" or Image.Path like r"%\\mobilenetworking.dll" or Image.Path like r"%\\mpr.dll" or Image.Path like r"%\\mprapi.dll" or Image.Path like r"%\\mrmcorer.dll" or Image.Path like r"%\\msacm32.dll" or Image.Path like r"%\\mscms.dll" or Image.Path like r"%\\mscoree.dll" or Image.Path like r"%\\msctf.dll" or Image.Path like r"%\\msctfmonitor.dll" or Image.Path like r"%\\msdrm.dll" or Image.Path like r"%\\msdtctm.dll" or Image.Path like r"%\\msftedit.dll" or Image.Path like r"%\\msi.dll" or Image.Path like r"%\\msiso.dll" or Image.Path like r"%\\msutb.dll" or Image.Path like r"%\\msvcp110\_win.dll" or Image.Path like r"%\\mswb7.dll" or Image.Path like r"%\\mswsock.dll" or Image.Path like r"%\\msxml3.dll" or Image.Path like r"%\\mtxclu.dll" or Image.Path like r"%\\napinsp.dll" or Image.Path like r"%\\ncrypt.dll" or Image.Path like r"%\\ndfapi.dll" or Image.Path like r"%\\netapi32.dll" or Image.Path like r"%\\netid.dll" or Image.Path like r"%\\netiohlp.dll" or Image.Path like r"%\\netjoin.dll" or Image.Path like r"%\\netplwiz.dll" or Image.Path like r"%\\netprofm.dll" or Image.Path like r"%\\netprovfw.dll" or Image.Path like r"%\\netsetupapi.dll" or Image.Path like r"%\\netshell.dll" or Image.Path like r"%\\nettrace.dll" or Image.Path like r"%\\netutils.dll" or Image.Path like r"%\\networkexplorer.dll" or Image.Path like r"%\\newdev.dll" or Image.Path like r"%\\ninput.dll" or Image.Path like r"%\\nlaapi.dll" or Image.Path like r"%\\nlansp\_c.dll" or Image.Path like r"%\\npmproxy.dll" or Image.Path like r"%\\nshhttp.dll" or Image.Path like r"%\\nshipsec.dll" or Image.Path like r"%\\nshwfp.dll" or Image.Path like r"%\\ntdsapi.dll" or Image.Path like r"%\\ntlanman.dll" or Image.Path like r"%\\ntlmshared.dll" or Image.Path like r"%\\ntmarta.dll" or Image.Path like r"%\\ntshrui.dll" or Image.Path like r"%\\oleacc.dll" or Image.Path like r"%\\omadmapi.dll" or Image.Path like r"%\\onex.dll" or Image.Path like r"%\\opcservices.dll" or Image.Path like 
r"%\\osbaseln.dll" or Image.Path like r"%\\osksupport.dll" or Image.Path like r"%\\osuninst.dll" or Image.Path like r"%\\p2p.dll" or Image.Path like r"%\\p2pnetsh.dll" or Image.Path like r"%\\p9np.dll" or Image.Path like r"%\\pcaui.dll" or Image.Path like r"%\\pdh.dll" or Image.Path like r"%\\peerdistsh.dll" or Image.Path like r"%\\pkeyhelper.dll" or Image.Path like r"%\\pla.dll" or Image.Path like r"%\\playsndsrv.dll" or Image.Path like r"%\\pnrpnsp.dll" or Image.Path like r"%\\policymanager.dll" or Image.Path like r"%\\polstore.dll" or Image.Path like r"%\\powrprof.dll" or Image.Path like r"%\\printui.dll" or Image.Path like r"%\\prntvpt.dll" or Image.Path like r"%\\profapi.dll" or Image.Path like r"%\\propsys.dll" or Image.Path like r"%\\proximitycommon.dll" or Image.Path like r"%\\proximityservicepal.dll" or Image.Path like r"%\\prvdmofcomp.dll" or Image.Path like r"%\\puiapi.dll" or Image.Path like r"%\\radcui.dll" or Image.Path like r"%\\rasapi32.dll" or Image.Path like r"%\\rasdlg.dll" or Image.Path like r"%\\rasgcw.dll" or Image.Path like r"%\\rasman.dll" or Image.Path like r"%\\rasmontr.dll" or Image.Path like r"%\\reagent.dll" or Image.Path like r"%\\regapi.dll" or Image.Path like r"%\\reseteng.dll" or Image.Path like r"%\\resetengine.dll" or Image.Path like r"%\\resutils.dll" or Image.Path like r"%\\rmclient.dll" or Image.Path like r"%\\rpcnsh.dll" or Image.Path like r"%\\rsaenh.dll" or Image.Path like r"%\\rtutils.dll" or Image.Path like r"%\\rtworkq.dll" or Image.Path like r"%\\samcli.dll" or Image.Path like r"%\\samlib.dll" or Image.Path like r"%\\sapi\_onecore.dll" or Image.Path like r"%\\sas.dll" or Image.Path like r"%\\scansetting.dll" or Image.Path like r"%\\scecli.dll" or Image.Path like r"%\\schedcli.dll" or Image.Path like r"%\\secur32.dll" or Image.Path like r"%\\security.dll" or Image.Path like r"%\\sensapi.dll" or Image.Path like r"%\\shell32.dll" or Image.Path like r"%\\shfolder.dll" or Image.Path like r"%\\slc.dll" or Image.Path like 
r"%\\snmpapi.dll" or Image.Path like r"%\\spectrumsyncclient.dll" or Image.Path like r"%\\spp.dll" or Image.Path like r"%\\sppc.dll" or Image.Path like r"%\\sppcext.dll" or Image.Path like r"%\\srclient.dll" or Image.Path like r"%\\srcore.dll" or Image.Path like r"%\\srmtrace.dll" or Image.Path like r"%\\srpapi.dll" or Image.Path like r"%\\srvcli.dll" or Image.Path like r"%\\ssp\_isv.exe\_rsaenh.dll" or Image.Path like r"%\\ssp.exe\_rsaenh.dll" or Image.Path like r"%\\sspicli.dll" or Image.Path like r"%\\ssshim.dll" or Image.Path like r"%\\staterepository.core.dll" or Image.Path like r"%\\structuredquery.dll" or Image.Path like r"%\\sxshared.dll" or Image.Path like r"%\\systemsettingsthresholdadminflowui.dll" or Image.Path like r"%\\tapi32.dll" or Image.Path like r"%\\tbs.dll" or Image.Path like r"%\\tdh.dll" or Image.Path like r"%\\textshaping.dll" or Image.Path like r"%\\timesync.dll" or Image.Path like r"%\\tpmcoreprovisioning.dll" or Image.Path like r"%\\tquery.dll" or Image.Path like r"%\\tsworkspace.dll" or Image.Path like r"%\\ttdrecord.dll" or Image.Path like r"%\\twext.dll" or Image.Path like r"%\\twinapi.dll" or Image.Path like r"%\\twinui.appcore.dll" or Image.Path like r"%\\uianimation.dll" or Image.Path like r"%\\uiautomationcore.dll" or Image.Path like r"%\\uireng.dll" or Image.Path like r"%\\uiribbon.dll" or Image.Path like r"%\\umpdc.dll" or Image.Path like r"%\\unattend.dll" or Image.Path like r"%\\updatepolicy.dll" or Image.Path like r"%\\upshared.dll" or Image.Path like r"%\\urlmon.dll" or Image.Path like r"%\\userenv.dll" or Image.Path like r"%\\utildll.dll" or Image.Path like r"%\\uxinit.dll" or Image.Path like r"%\\uxtheme.dll" or Image.Path like r"%\\vaultcli.dll" or Image.Path like r"%\\vdsutil.dll" or Image.Path like r"%\\version.dll" or Image.Path like r"%\\virtdisk.dll" or Image.Path like r"%\\vssapi.dll" or Image.Path like r"%\\vsstrace.dll" or Image.Path like r"%\\wbemprox.dll" or Image.Path like r"%\\wbemsvc.dll" or Image.Path like 
r"%\\wcmapi.dll" or Image.Path like r"%\\wcnnetsh.dll" or Image.Path like r"%\\wdi.dll" or Image.Path like r"%\\wdscore.dll" or Image.Path like r"%\\webservices.dll" or Image.Path like r"%\\wecapi.dll" or Image.Path like r"%\\wer.dll" or Image.Path like r"%\\wevtapi.dll" or Image.Path like r"%\\whhelper.dll" or Image.Path like r"%\\wimgapi.dll" or Image.Path like r"%\\winbio.dll" or Image.Path like r"%\\winbrand.dll" or Image.Path like r"%\\windows.storage.dll" or Image.Path like r"%\\windows.storage.search.dll" or Image.Path like r"%\\windows.ui.immersive.dll" or Image.Path like r"%\\windowscodecs.dll" or Image.Path like r"%\\windowscodecsext.dll" or Image.Path like r"%\\windowsudk.shellcommon.dll" or Image.Path like r"%\\winhttp.dll" or Image.Path like r"%\\wininet.dll" or Image.Path like r"%\\winipsec.dll" or Image.Path like r"%\\winmde.dll" or Image.Path like r"%\\winmm.dll" or Image.Path like r"%\\winnsi.dll" or Image.Path like r"%\\winrnr.dll" or Image.Path like r"%\\winscard.dll" or Image.Path like r"%\\winsqlite3.dll" or Image.Path like r"%\\winsta.dll" or Image.Path like r"%\\winsync.dll" or Image.Path like r"%\\wkscli.dll" or Image.Path like r"%\\wlanapi.dll" or Image.Path like r"%\\wlancfg.dll" or Image.Path like r"%\\wldp.dll" or Image.Path like r"%\\wlidprov.dll" or Image.Path like r"%\\wmiclnt.dll" or Image.Path like r"%\\wmidcom.dll" or Image.Path like r"%\\wmiutils.dll" or Image.Path like r"%\\wmpdui.dll" or Image.Path like r"%\\wmsgapi.dll" or Image.Path like r"%\\wofutil.dll" or Image.Path like r"%\\wpdshext.dll" or Image.Path like r"%\\wscapi.dll" or Image.Path like r"%\\wsdapi.dll" or Image.Path like r"%\\wshbth.dll" or Image.Path like r"%\\wshelper.dll" or Image.Path like r"%\\wsmsvc.dll" or Image.Path like r"%\\wtsapi32.dll" or Image.Path like r"%\\wwancfg.dll" or Image.Path like r"%\\wwapi.dll" or Image.Path like r"%\\xmllite.dll" or Image.Path like r"%\\xolehlp.dll" or Image.Path like r"%\\xpsservices.dll" or Image.Path like 
r"%\\xwizards.dll" or Image.Path like r"%\\xwtpw32.dll" or Image.Path like r"%\\amsi.dll" or Image.Path like r"%\\appraiser.dll" or Image.Path like r"%\\COMRES.DLL" or Image.Path like r"%\\cryptnet.dll" or Image.Path like r"%\\DispBroker.dll" or Image.Path like r"%\\dsound.dll" or Image.Path like r"%\\dxilconv.dll" or Image.Path like r"%\\FxsCompose.dll" or Image.Path like r"%\\FXSRESM.DLL" or Image.Path like r"%\\msdtcVSp1res.dll" or Image.Path like r"%\\PrintIsolationProxy.dll" or Image.Path like r"%\\rdpendp.dll" or Image.Path like r"%\\rpchttp.dll" or Image.Path like r"%\\storageusage.dll" or Image.Path like r"%\\utcutil.dll" or Image.Path like r"%\\WfsR.dll" or Image.Path like r"%\\igd10iumd64.dll" or Image.Path like r"%\\igd12umd64.dll" or Image.Path like r"%\\igdumdim64.dll" or Image.Path like r"%\\igdusc64.dll" or Image.Path like r"%\\TSMSISrv.dll" or Image.Path like r"%\\TSVIPSrv.dll" or Image.Path like r"%\\wbemcomn.dll" or Image.Path like r"%\\WLBSCTRL.dll" or Image.Path like r"%\\wow64log.dll" or Image.Path like r"%\\WptsExtensions.dll") and not (Image.Path like r"%C:\\$WINDOWS.~BT\\%" or Image.Path like r"%C:\\$WinREAgent\\%" or Image.Path like r"%C:\\Windows\\SoftwareDistribution\\%" or Image.Path like r"%C:\\Windows\\System32\\%" or Image.Path like r"%C:\\Windows\\SystemTemp\\%" or Image.Path like r"%C:\\Windows\\SysWOW64\\%" or Image.Path like r"%C:\\Windows\\WinSxS\\%" or Image.Path like r"C:\\Windows\\Microsoft.NET\\%" and Image.Path like r"%\\cscui.dll" or Image.Path like r"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\%" and Image.Path like r"%\\version.dll" or Image.Path like r"C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime\_%" and Image.Path like r"%\\d3dx9\_43.dll") and not (Image.Path like r"C:\\Program Files\\Microsoft\\Exchange Server\\%" and Image.Path like r"%\\mswb7.dll" or Image.Path like r"C:\\Program Files\\Arsenal-Image-Mounter-%" and (Image.Path like r"%\\mi.dll" or Image.Path like r"%\\miutils.dl") or 
Process.Path == "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" and Image.Path == "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" or Image.Path like r"C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\%" or (Process.Path like r"%C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs%" or Process.Path like r"%C:\\Windows\\System32\\backgroundTaskHost.exe%") and Image.Path like r"C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs%" or Process.Path like r"C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs%" and Process.Path like r"%\\wldp.dll" or (Process.Path like r"C:\\Program Files\\CheckPoint\\%" or Process.Path like r"C:\\Program Files (x86)\\CheckPoint\\%") and Process.Path like r"%\\SmartConsole.exe" and (Image.Path like r"C:\\Program Files\\CheckPoint\\%" or Image.Path like r"C:\\Program Files (x86)\\CheckPoint\\%") and Image.Path like r"%\\PolicyManager.dll")
-GenericProperty1 = Image.Path
+Annotation = {"mitre_attack": ["T1036.002"], "author": "Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)"}
+Query = File.Path like r"%\\u202e%" and (File.Path like r"%fpd..%" or File.Path like r"%nls..%" or File.Path like r"%vsc..%" or File.Path like r"%xcod.%" or File.Path like r"%xslx.%")
+GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
-# Author: Florian Roth (Nextron Systems)
-RuleId = e61e8a88-59a9-451c-874e-70fcc9740d67
-RuleName = New DNS ServerLevelPluginDll Installed
-EventType = Reg.Any
-Tag = new-dns-serverlevelplugindll-installed
+# Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
+# Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+RuleId = e212d415-0e93-435f-9e1a-f29005bb4723
+RuleName = Suspicious Remote Child Process From Outlook
+EventType = Process.Start
+Tag = proc-start-suspicious-remote-child-process-from-outlook
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1574.002", "T1112"], "author": "Florian Roth (Nextron Systems)"}
-Query = Reg.TargetObject like r"%\\services\\DNS\\Parameters\\ServerLevelPluginDll"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
+Annotation = {"mitre_attack": ["T1059", "T1202"], "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)"}
+Query = Parent.Path like r"%\\outlook.exe" and Process.Path like r"\\\\%"
+GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=Windows]
-# Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
-# Author: Markus Neis
-RuleId = ed5d72a6-f8f4-479d-ba79-02f6a80d7471
-RuleName = Potential LethalHTA Technique Execution
+# Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+# Author: @Kostastsale, @TheDFIRReport
+RuleId = 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259
+RuleName = Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
 EventType = Process.Start
-Tag = proc-start-potential-lethalhta-technique-execution
+Tag = proc-start-potential-defense-evasion-activity-via-emoji-usage-in-commandline-1
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1218.005"], "author": "Markus Neis"}
-Query = Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mshta.exe"
-GenericProperty1 = Parent.Path
+Annotation = {"author": "@Kostastsale, @TheDFIRReport"}
+Query = Process.CommandLine like r"%😀%" or Process.CommandLine like r"%😃%" or Process.CommandLine like r"%😄%" or Process.CommandLine like r"%😁%" or Process.CommandLine like r"%😆%" or Process.CommandLine like r"%😅%" or Process.CommandLine like r"%😂%" or Process.CommandLine like r"%🤣%" or Process.CommandLine like r"%🥲%" or Process.CommandLine like r"%🥹%" or Process.CommandLine like r"%☺️%" or Process.CommandLine like r"%😊%" or Process.CommandLine like r"%😇%" or Process.CommandLine like r"%🙂%" or Process.CommandLine like r"%🙃%" or Process.CommandLine like r"%😉%" or Process.CommandLine like r"%😌%" or Process.CommandLine like r"%😍%" or Process.CommandLine like r"%🥰%" or Process.CommandLine like r"%😘%" or Process.CommandLine like r"%😗%" or Process.CommandLine like r"%😙%" or Process.CommandLine like r"%😚%" or Process.CommandLine like r"%😋%" or Process.CommandLine like r"%😛%" or Process.CommandLine like r"%😝%" or Process.CommandLine like r"%😜%" or Process.CommandLine like r"%🤪%" or Process.CommandLine like r"%🤨%" or Process.CommandLine like r"%🧐%" or Process.CommandLine like r"%🤓%" or Process.CommandLine like r"%😎%" or Process.CommandLine like r"%🥸%" or Process.CommandLine like r"%🤩%" or Process.CommandLine like r"%🥳%" or Process.CommandLine like r"%😏%" or Process.CommandLine like r"%😒%" or Process.CommandLine like r"%😞%" or Process.CommandLine like r"%😔%" or Process.CommandLine like 
r"%😟%" or Process.CommandLine like r"%😕%" or Process.CommandLine like r"%🙁%" or Process.CommandLine like r"%☹️%" or Process.CommandLine like r"%😣%" or Process.CommandLine like r"%😖%" or Process.CommandLine like r"%😫%" or Process.CommandLine like r"%😩%" or Process.CommandLine like r"%🥺%" or Process.CommandLine like r"%😢%" or Process.CommandLine like r"%😭%" or Process.CommandLine like r"%😮‍💨%" or Process.CommandLine like r"%😤%" or Process.CommandLine like r"%😠%" or Process.CommandLine like r"%😡%" or Process.CommandLine like r"%🤬%" or Process.CommandLine like r"%🤯%" or Process.CommandLine like r"%😳%" or Process.CommandLine like r"%🥵%" or Process.CommandLine like r"%🥶%" or Process.CommandLine like r"%😱%" or Process.CommandLine like r"%😨%" or Process.CommandLine like r"%😰%" or Process.CommandLine like r"%😥%" or Process.CommandLine like r"%😓%" or Process.CommandLine like r"%🫣%" or Process.CommandLine like r"%🤗%" or Process.CommandLine like r"%🫡%" or Process.CommandLine like r"%🤔%" or Process.CommandLine like r"%🫢%" or Process.CommandLine like r"%🤭%" or Process.CommandLine like r"%🤫%" or Process.CommandLine like r"%🤥%" or Process.CommandLine like r"%😶%" or Process.CommandLine like r"%😶‍🌫️%" or Process.CommandLine like r"%😐%" or Process.CommandLine like r"%😑%" or Process.CommandLine like r"%😬%" or Process.CommandLine like r"%🫠%" or Process.CommandLine like r"%🙄%" or Process.CommandLine like r"%😯%" or Process.CommandLine like r"%😦%" or Process.CommandLine like r"%😧%" or Process.CommandLine like r"%😮%" or Process.CommandLine like r"%😲%" or Process.CommandLine like r"%🥱%" or Process.CommandLine like r"%😴%" or Process.CommandLine like r"%🤤%" or Process.CommandLine like r"%😪%" or Process.CommandLine like r"%😵%" or Process.CommandLine like r"%😵‍💫%" or Process.CommandLine like r"%🫥%" or Process.CommandLine like r"%🤐%" or Process.CommandLine like r"%🥴%" or Process.CommandLine like r"%🤢%" or Process.CommandLine like r"%🤮%" or Process.CommandLine like r"%🤧%" or Process.CommandLine 
like r"%😷%" or Process.CommandLine like r"%🤒%" or Process.CommandLine like r"%🤕%" or Process.CommandLine like r"%🤑%" or Process.CommandLine like r"%🤠%" or Process.CommandLine like r"%😈%" or Process.CommandLine like r"%👿%" or Process.CommandLine like r"%👹%" or Process.CommandLine like r"%👺%" or Process.CommandLine like r"%🤡%" or Process.CommandLine like r"%💩%" or Process.CommandLine like r"%👻%" or Process.CommandLine like r"%💀%" or Process.CommandLine like r"%☠️%" or Process.CommandLine like r"%👽%" or Process.CommandLine like r"%👾%" or Process.CommandLine like r"%🤖%" or Process.CommandLine like r"%🎃%" or Process.CommandLine like r"%😺%" or Process.CommandLine like r"%😸%" or Process.CommandLine like r"%😹%" or Process.CommandLine like r"%😻%" or Process.CommandLine like r"%😼%" or Process.CommandLine like r"%😽%" or Process.CommandLine like r"%🙀%" or Process.CommandLine like r"%😿%" or Process.CommandLine like r"%😾%" or Process.CommandLine like r"%👋%" or Process.CommandLine like r"%🤚%" or Process.CommandLine like r"%🖐%" or Process.CommandLine like r"%✋%" or Process.CommandLine like r"%🖖%" or Process.CommandLine like r"%👌%" or Process.CommandLine like r"%🤌%" or Process.CommandLine like r"%🤏%" or Process.CommandLine like r"%✌️%" or Process.CommandLine like r"%🤞%" or Process.CommandLine like r"%🫰%" or Process.CommandLine like r"%🤟%" or Process.CommandLine like r"%🤘%" or Process.CommandLine like r"%🤙%" or Process.CommandLine like r"%🫵%" or Process.CommandLine like r"%🫱%" or Process.CommandLine like r"%🫲%" or Process.CommandLine like r"%🫳%" or Process.CommandLine like r"%🫴%" or Process.CommandLine like r"%👈%" or Process.CommandLine like r"%👉%" or Process.CommandLine like r"%👆%" or Process.CommandLine like r"%🖕%" or Process.CommandLine like r"%👇%" or Process.CommandLine like r"%☝️%" or Process.CommandLine like r"%👍%" or Process.CommandLine like r"%👎%" or Process.CommandLine like r"%✊%" or Process.CommandLine like r"%👊%" or Process.CommandLine like r"%🤛%" or Process.CommandLine 
like r"%🤜%" or Process.CommandLine like r"%👏%" or Process.CommandLine like r"%🫶%" or Process.CommandLine like r"%🙌%" or Process.CommandLine like r"%👐%" or Process.CommandLine like r"%🤲%" or Process.CommandLine like r"%🤝%" or Process.CommandLine like r"%🙏%" or Process.CommandLine like r"%✍️%" or Process.CommandLine like r"%💪%" or Process.CommandLine like r"%🦾%" or Process.CommandLine like r"%🦵%" or Process.CommandLine like r"%🦿%" or Process.CommandLine like r"%🦶%" or Process.CommandLine like r"%👣%" or Process.CommandLine like r"%👂%" or Process.CommandLine like r"%🦻%" or Process.CommandLine like r"%👃%" or Process.CommandLine like r"%🫀%" or Process.CommandLine like r"%🫁%" or Process.CommandLine like r"%🧠%" or Process.CommandLine like r"%🦷%" or Process.CommandLine like r"%🦴%" or Process.CommandLine like r"%👀%" or Process.CommandLine like r"%👁%" or Process.CommandLine like r"%👅%" or Process.CommandLine like r"%👄%" or Process.CommandLine like r"%🫦%" or Process.CommandLine like r"%💋%" or Process.CommandLine like r"%🩸%" or Process.CommandLine like r"%👶%" or Process.CommandLine like r"%👧%" or Process.CommandLine like r"%🧒%" or Process.CommandLine like r"%👦%" or Process.CommandLine like r"%👩%" or Process.CommandLine like r"%🧑%" or Process.CommandLine like r"%👨%" or Process.CommandLine like r"%👩‍🦱%" or Process.CommandLine like r"%🧑‍🦱%" or Process.CommandLine like r"%👨‍🦱%" or Process.CommandLine like r"%👩‍🦰%" or Process.CommandLine like r"%🧑‍🦰%" or Process.CommandLine like r"%👨‍🦰%" or Process.CommandLine like r"%👱‍♀️%" or Process.CommandLine like r"%👱%" or Process.CommandLine like r"%👱‍♂️%" or Process.CommandLine like r"%👩‍🦳%" or Process.CommandLine like r"%🧑‍🦳%" or Process.CommandLine like r"%👨‍🦳%" or Process.CommandLine like r"%👩‍🦲%" or Process.CommandLine like r"%🧑‍🦲%" or Process.CommandLine like r"%👨‍🦲%" or Process.CommandLine like r"%🧔‍♀️%" or Process.CommandLine like r"%🧔%" or Process.CommandLine like r"%🧔‍♂️%" or Process.CommandLine like r"%👵%" or Process.CommandLine 
like r"%🧓%" or Process.CommandLine like r"%👴%" or Process.CommandLine like r"%👲%" or Process.CommandLine like r"%👳‍♀️%" or Process.CommandLine like r"%👳%" or Process.CommandLine like r"%👳‍♂️%" or Process.CommandLine like r"%🧕%" or Process.CommandLine like r"%👮‍♀️%" or Process.CommandLine like r"%👮%" or Process.CommandLine like r"%👮‍♂️%" or Process.CommandLine like r"%👷‍♀️%" or Process.CommandLine like r"%👷%" or Process.CommandLine like r"%👷‍♂️%" or Process.CommandLine like r"%💂‍♀️%" or Process.CommandLine like r"%💂%" or Process.CommandLine like r"%💂‍♂️%" or Process.CommandLine like r"%🕵️‍♀️%" or Process.CommandLine like r"%🕵️%" or Process.CommandLine like r"%🕵️‍♂️%" or Process.CommandLine like r"%👩‍⚕️%" or Process.CommandLine like r"%🧑‍⚕️%" or Process.CommandLine like r"%👨‍⚕️%" or Process.CommandLine like r"%👩‍🌾%" or Process.CommandLine like r"%🧑‍🌾%" or Process.CommandLine like r"%👨‍🌾%" or Process.CommandLine like r"%👩‍🍳%" or Process.CommandLine like r"%🧑‍🍳%" or Process.CommandLine like r"%👨‍🍳%" or Process.CommandLine like r"%👩‍🎓%" or Process.CommandLine like r"%🧑‍🎓%" or Process.CommandLine like r"%👨‍🎓%" or Process.CommandLine like r"%👩‍🎤%" or Process.CommandLine like r"%🧑‍🎤%" or Process.CommandLine like r"%👨‍🎤%" or Process.CommandLine like r"%👩‍🏫%" or Process.CommandLine like r"%🧑‍🏫%" or Process.CommandLine like r"%👨‍🏫%" or Process.CommandLine like r"%👩‍🏭%" or Process.CommandLine like r"%🧑‍🏭%" or Process.CommandLine like r"%👨‍🏭%" or Process.CommandLine like r"%👩‍💻%" or Process.CommandLine like r"%🧑‍💻%" or Process.CommandLine like r"%👨‍💻%" or Process.CommandLine like r"%👩‍💼%" or Process.CommandLine like r"%🧑‍💼%" or Process.CommandLine like r"%👨‍💼%" or Process.CommandLine like r"%👩‍🔧%" or Process.CommandLine like r"%🧑‍🔧%" or Process.CommandLine like r"%👨‍🔧%" or Process.CommandLine like r"%👩‍🔬%" or Process.CommandLine like r"%🧑‍🔬%" or Process.CommandLine like r"%👨‍🔬%" or Process.CommandLine like r"%👩‍🎨%" or Process.CommandLine like r"%🧑‍🎨%" or Process.CommandLine 
like r"%👨‍🎨%" or Process.CommandLine like r"%👩‍🚒%" or Process.CommandLine like r"%🧑‍🚒%" or Process.CommandLine like r"%👨‍🚒%" or Process.CommandLine like r"%👩‍✈️%" or Process.CommandLine like r"%🧑‍✈️%" or Process.CommandLine like r"%👨‍✈️%" or Process.CommandLine like r"%👩‍🚀%" or Process.CommandLine like r"%🧑‍🚀%" or Process.CommandLine like r"%👨‍🚀%" or Process.CommandLine like r"%👩‍⚖️%" or Process.CommandLine like r"%🧑‍⚖️%" or Process.CommandLine like r"%👨‍⚖️%" or Process.CommandLine like r"%👰‍♀️%" or Process.CommandLine like r"%👰%" or Process.CommandLine like r"%👰‍♂️%" or Process.CommandLine like r"%🤵‍♀️%" or Process.CommandLine like r"%🤵%" or Process.CommandLine like r"%🤵‍♂️%" or Process.CommandLine like r"%👸%" or Process.CommandLine like r"%🫅%" or Process.CommandLine like r"%🤴%" or Process.CommandLine like r"%🥷%" or Process.CommandLine like r"%🦸‍♀️%" or Process.CommandLine like r"%🦸%" or Process.CommandLine like r"%🦸‍♂️%" or Process.CommandLine like r"%🦹‍♀️%" or Process.CommandLine like r"%🦹%" or Process.CommandLine like r"%🦹‍♂️%" or Process.CommandLine like r"%🤶%" or Process.CommandLine like r"%🧑‍🎄%" or Process.CommandLine like r"%🎅%" or Process.CommandLine like r"%🧙‍♀️%" or Process.CommandLine like r"%🧙%" or Process.CommandLine like r"%🧙‍♂️%" or Process.CommandLine like r"%🧝‍♀️%" or Process.CommandLine like r"%🧝%" or Process.CommandLine like r"%🧝‍♂️%" or Process.CommandLine like r"%🧛‍♀️%" or Process.CommandLine like r"%🧛%" or Process.CommandLine like r"%🧛‍♂️%" or Process.CommandLine like r"%🧟‍♀️%" or Process.CommandLine like r"%🧟%" or Process.CommandLine like r"%🧟‍♂️%" or Process.CommandLine like r"%🧞‍♀️%" or Process.CommandLine like r"%🧞%" or Process.CommandLine like r"%🧞‍♂️%" or Process.CommandLine like r"%🧜‍♀️%" or Process.CommandLine like r"%🧜%" or Process.CommandLine like r"%🧜‍♂️%" or Process.CommandLine like r"%🧚‍♀️%" or Process.CommandLine like r"%🧚%" or Process.CommandLine like r"%🧚‍♂️%" or Process.CommandLine like r"%🧌%" or Process.CommandLine like 
r"%👼%" or Process.CommandLine like r"%🤰%" or Process.CommandLine like r"%🫄%" or Process.CommandLine like r"%🫃%" or Process.CommandLine like r"%🤱%" or Process.CommandLine like r"%👩‍🍼%" or Process.CommandLine like r"%🧑‍🍼%" or Process.CommandLine like r"%👨‍🍼%" or Process.CommandLine like r"%🙇‍♀️%" or Process.CommandLine like r"%🙇%" or Process.CommandLine like r"%🙇‍♂️%" or Process.CommandLine like r"%💁‍♀️%" or Process.CommandLine like r"%💁%" or Process.CommandLine like r"%💁‍♂️%" or Process.CommandLine like r"%🙅‍♀️%" or Process.CommandLine like r"%🙅%" or Process.CommandLine like r"%🙅‍♂️%" or Process.CommandLine like r"%🙆‍♀️%" or Process.CommandLine like r"%🙆%" or Process.CommandLine like r"%🙆‍♂️%" or Process.CommandLine like r"%🙋‍♀️%" or Process.CommandLine like r"%🙋%" or Process.CommandLine like r"%🙋‍♂️%" or Process.CommandLine like r"%🧏‍♀️%" or Process.CommandLine like r"%🧏%" or Process.CommandLine like r"%🧏‍♂️%" or Process.CommandLine like r"%🤦‍♀️%" or Process.CommandLine like r"%🤦%" or Process.CommandLine like r"%🤦‍♂️%" or Process.CommandLine like r"%🤷‍♀️%" or Process.CommandLine like r"%🤷%" or Process.CommandLine like r"%🤷‍♂️%" or Process.CommandLine like r"%🙎‍♀️%" or Process.CommandLine like r"%🙎%" or Process.CommandLine like r"%🙎‍♂️%" or Process.CommandLine like r"%🙍‍♀️%" or Process.CommandLine like r"%🙍%" or Process.CommandLine like r"%🙍‍♂️%" or Process.CommandLine like r"%💇‍♀️%" or Process.CommandLine like r"%💇%" or Process.CommandLine like r"%💇‍♂️%" or Process.CommandLine like r"%💆‍♀️%" or Process.CommandLine like r"%💆%" or Process.CommandLine like r"%💆‍♂️%" or Process.CommandLine like r"%🧖‍♀️%" or Process.CommandLine like r"%🧖%" or Process.CommandLine like r"%🧖‍♂️%" or Process.CommandLine like r"%💅%" or Process.CommandLine like r"%💃%" or Process.CommandLine like r"%🕺%" or Process.CommandLine like r"%👯‍♀️%" or Process.CommandLine like r"%👯%" or Process.CommandLine like r"%👯‍♂️%" or Process.CommandLine like r"%🕴%" or Process.CommandLine like r"%👩‍🦽%" or 
Process.CommandLine like r"%🧑‍🦽%" or Process.CommandLine like r"%👨‍🦽%" or Process.CommandLine like r"%👩‍🦼%" or Process.CommandLine like r"%🧑‍🦼%" or Process.CommandLine like r"%👨‍🦼%" or Process.CommandLine like r"%🚶‍♀️%" or Process.CommandLine like r"%🚶%" or Process.CommandLine like r"%🚶‍♂️%" or Process.CommandLine like r"%👩‍🦯%" or Process.CommandLine like r"%🧑‍🦯%" or Process.CommandLine like r"%👨‍🦯%" or Process.CommandLine like r"%🧎‍♀️%" or Process.CommandLine like r"%🧎%" or Process.CommandLine like r"%🧎‍♂️%" or Process.CommandLine like r"%🏃‍♀️%" or Process.CommandLine like r"%🏃%" or Process.CommandLine like r"%🏃‍♂️%" or Process.CommandLine like r"%🧍‍♀️%" or Process.CommandLine like r"%🧍%" or Process.CommandLine like r"%🧍‍♂️%" or Process.CommandLine like r"%👭%" or Process.CommandLine like r"%🧑‍🤝‍🧑%" or Process.CommandLine like r"%👬%" or Process.CommandLine like r"%👫%" or Process.CommandLine like r"%👩‍❤️‍👩%" or Process.CommandLine like r"%💑%" or Process.CommandLine like r"%👨‍❤️‍👨%" or Process.CommandLine like r"%👩‍❤️‍👨%" or Process.CommandLine like r"%👩‍❤️‍💋‍👩%" or Process.CommandLine like r"%💏%" or Process.CommandLine like r"%👨‍❤️‍💋‍👨%" or Process.CommandLine like r"%👩‍❤️‍💋‍👨%" or Process.CommandLine like r"%👪%" or Process.CommandLine like r"%👨‍👩‍👦%" or Process.CommandLine like r"%👨‍👩‍👧%" or Process.CommandLine like r"%👨‍👩‍👧‍👦%" or Process.CommandLine like r"%👨‍👩‍👦‍👦%" or Process.CommandLine like r"%👨‍👩‍👧‍👧%" or Process.CommandLine like r"%👨‍👨‍👦%" or Process.CommandLine like r"%👨‍👨‍👧%" or Process.CommandLine like r"%👨‍👨‍👧‍👦%" or Process.CommandLine like r"%👨‍👨‍👦‍👦%" or Process.CommandLine like r"%👨‍👨‍👧‍👧%" or Process.CommandLine like r"%👩‍👩‍👦%" or Process.CommandLine like r"%👩‍👩‍👧%" or Process.CommandLine like r"%👩‍👩‍👧‍👦%" or Process.CommandLine like r"%👩‍👩‍👦‍👦%" or Process.CommandLine like r"%👩‍👩‍👧‍👧%" or Process.CommandLine like r"%👨‍👦%" or Process.CommandLine like r"%👨‍👦‍👦%" or Process.CommandLine like r"%👨‍👧%" or Process.CommandLine like r"%👨‍👧‍👦%" or 
Process.CommandLine like r"%👨‍👧‍👧%" or Process.CommandLine like r"%👩‍👦%" or Process.CommandLine like r"%👩‍👦‍👦%" or Process.CommandLine like r"%👩‍👧%" or Process.CommandLine like r"%👩‍👧‍👦%" or Process.CommandLine like r"%👩‍👧‍👧%" or Process.CommandLine like r"%🗣%" or Process.CommandLine like r"%👤%" or Process.CommandLine like r"%👥%" or Process.CommandLine like r"%🫂%" or Process.CommandLine like r"%🧳%" or Process.CommandLine like r"%🌂%" or Process.CommandLine like r"%☂️%" or Process.CommandLine like r"%🧵%" or Process.CommandLine like r"%🪡%" or Process.CommandLine like r"%🪢%" or Process.CommandLine like r"%🧶%" or Process.CommandLine like r"%👓%" or Process.CommandLine like r"%🕶%" or Process.CommandLine like r"%🥽%" or Process.CommandLine like r"%🥼%" or Process.CommandLine like r"%🦺%" or Process.CommandLine like r"%👔%" or Process.CommandLine like r"%👕%" or Process.CommandLine like r"%👖%" or Process.CommandLine like r"%🧣%" or Process.CommandLine like r"%🧤%" or Process.CommandLine like r"%🧥%" or Process.CommandLine like r"%🧦%" or Process.CommandLine like r"%👗%" or Process.CommandLine like r"%👘%" or Process.CommandLine like r"%🥻%" or Process.CommandLine like r"%🩴%" or Process.CommandLine like r"%🩱%" or Process.CommandLine like r"%🩲%" or Process.CommandLine like r"%🩳%" or Process.CommandLine like r"%👙%" or Process.CommandLine like r"%👚%" or Process.CommandLine like r"%👛%" or Process.CommandLine like r"%👜%" or Process.CommandLine like r"%👝%" or Process.CommandLine like r"%🎒%" or Process.CommandLine like r"%👞%" or Process.CommandLine like r"%👟%" or Process.CommandLine like r"%🥾%" or Process.CommandLine like r"%🥿%" or Process.CommandLine like r"%👠%" or Process.CommandLine like r"%👡%" or Process.CommandLine like r"%🩰%" or Process.CommandLine like r"%👢%" or Process.CommandLine like r"%👑%" or Process.CommandLine like r"%👒%" or Process.CommandLine like r"%🎩%" or Process.CommandLine like r"%🎓%" or Process.CommandLine like r"%🧢%" or Process.CommandLine like r"%⛑%" or 
Process.CommandLine like r"%🪖%" or Process.CommandLine like r"%💄%" or Process.CommandLine like r"%💍%" or Process.CommandLine like r"%💼%" or Process.CommandLine like r"%👋🏻%" or Process.CommandLine like r"%🤚🏻%" or Process.CommandLine like r"%🖐🏻%" or Process.CommandLine like r"%✋🏻%" or Process.CommandLine like r"%🖖🏻%" or Process.CommandLine like r"%👌🏻%" or Process.CommandLine like r"%🤌🏻%" or Process.CommandLine like r"%🤏🏻%" or Process.CommandLine like r"%✌🏻%" or Process.CommandLine like r"%🤞🏻%" or Process.CommandLine like r"%🫰🏻%" or Process.CommandLine like r"%🤟🏻%" or Process.CommandLine like r"%🤘🏻%" or Process.CommandLine like r"%🤙🏻%" or Process.CommandLine like r"%🫵🏻%" or Process.CommandLine like r"%🫱🏻%" or Process.CommandLine like r"%🫲🏻%" or Process.CommandLine like r"%🫳🏻%" or Process.CommandLine like r"%🫴🏻%" or Process.CommandLine like r"%👈🏻%" or Process.CommandLine like r"%👉🏻%" or Process.CommandLine like r"%👆🏻%" or Process.CommandLine like r"%🖕🏻%" or Process.CommandLine like r"%👇🏻%" or Process.CommandLine like r"%☝🏻%" or Process.CommandLine like r"%👍🏻%" or Process.CommandLine like r"%👎🏻%" or Process.CommandLine like r"%✊🏻%" or Process.CommandLine like r"%👊🏻%" or Process.CommandLine like r"%🤛🏻%" or Process.CommandLine like r"%🤜🏻%" or Process.CommandLine like r"%👏🏻%" or Process.CommandLine like r"%🫶🏻%" or Process.CommandLine like r"%🙌🏻%" or Process.CommandLine like r"%👐🏻%" or Process.CommandLine like r"%🤲🏻%" or Process.CommandLine like r"%🙏🏻%" or Process.CommandLine like r"%✍🏻%" or Process.CommandLine like r"%💪🏻%" or Process.CommandLine like r"%🦵🏻%" or Process.CommandLine like r"%🦶🏻%" or Process.CommandLine like r"%👂🏻%" or Process.CommandLine like r"%🦻🏻%" or Process.CommandLine like r"%👃🏻%" or Process.CommandLine like r"%👶🏻%" or Process.CommandLine like r"%👧🏻%" or Process.CommandLine like r"%🧒🏻%" or Process.CommandLine like r"%👦🏻%" or Process.CommandLine like r"%👩🏻%" or Process.CommandLine like r"%🧑🏻%" or Process.CommandLine like r"%👨🏻%" or Process.CommandLine 
like r"%👩🏻‍🦱%" or Process.CommandLine like r"%🧑🏻‍🦱%" or Process.CommandLine like r"%👨🏻‍🦱%" or Process.CommandLine like r"%👩🏻‍🦰%" or Process.CommandLine like r"%🧑🏻‍🦰%" or Process.CommandLine like r"%👨🏻‍🦰%" or Process.CommandLine like r"%👱🏻‍♀️%" or Process.CommandLine like r"%👱🏻%" or Process.CommandLine like r"%👱🏻‍♂️%" or Process.CommandLine like r"%👩🏻‍🦳%" or Process.CommandLine like r"%🧑🏻‍🦳%" or Process.CommandLine like r"%👨🏻‍🦳%" or Process.CommandLine like r"%👩🏻‍🦲%" or Process.CommandLine like r"%🧑🏻‍🦲%" or Process.CommandLine like r"%👨🏻‍🦲%" or Process.CommandLine like r"%🧔🏻‍♀️%" or Process.CommandLine like r"%🧔🏻%" or Process.CommandLine like r"%🧔🏻‍♂️%" or Process.CommandLine like r"%👵🏻%" or Process.CommandLine like r"%🧓🏻%" or Process.CommandLine like r"%👴🏻%" or Process.CommandLine like r"%👲🏻%" or Process.CommandLine like r"%👳🏻‍♀️%" or Process.CommandLine like r"%👳🏻%" or Process.CommandLine like r"%👳🏻‍♂️%" or Process.CommandLine like r"%🧕🏻%" or Process.CommandLine like r"%👮🏻‍♀️%" or Process.CommandLine like r"%👮🏻%" or Process.CommandLine like r"%👮🏻‍♂️%" or Process.CommandLine like r"%👷🏻‍♀️%" or Process.CommandLine like r"%👷🏻%" or Process.CommandLine like r"%👷🏻‍♂️%" or Process.CommandLine like r"%💂🏻‍♀️%" or Process.CommandLine like r"%💂🏻%" or Process.CommandLine like r"%💂🏻‍♂️%" or Process.CommandLine like r"%🕵🏻‍♀️%" or Process.CommandLine like r"%🕵🏻%" or Process.CommandLine like r"%🕵🏻‍♂️%" or Process.CommandLine like r"%👩🏻‍⚕️%" or Process.CommandLine like r"%🧑🏻‍⚕️%" or Process.CommandLine like r"%👨🏻‍⚕️%" or Process.CommandLine like r"%👩🏻‍🌾%" or Process.CommandLine like r"%🧑🏻‍🌾%" or Process.CommandLine like r"%👨🏻‍🌾%" or Process.CommandLine like r"%👩🏻‍🍳%" or Process.CommandLine like r"%🧑🏻‍🍳%" or Process.CommandLine like r"%👨🏻‍🍳%" or Process.CommandLine like r"%👩🏻‍🎓%" or Process.CommandLine like r"%🧑🏻‍🎓%" or Process.CommandLine like r"%👨🏻‍🎓%" or Process.CommandLine like r"%👩🏻‍🎤%" or Process.CommandLine like r"%🧑🏻‍🎤%" or Process.CommandLine like r"%👨🏻‍🎤%" or 
Process.CommandLine like r"%👩🏻‍🏫%" or Process.CommandLine like r"%🧑🏻‍🏫%" or Process.CommandLine like r"%👨🏻‍🏫%" or Process.CommandLine like r"%👩🏻‍🏭%" or Process.CommandLine like r"%🧑🏻‍🏭%" or Process.CommandLine like r"%👨🏻‍🏭%" or Process.CommandLine like r"%👩🏻‍💻%" or Process.CommandLine like r"%🧑🏻‍💻%" or Process.CommandLine like r"%👨🏻‍💻%" or Process.CommandLine like r"%👩🏻‍💼%" or Process.CommandLine like r"%🧑🏻‍💼%" or Process.CommandLine like r"%👨🏻‍💼%" or Process.CommandLine like r"%👩🏻‍🔧%" or Process.CommandLine like r"%🧑🏻‍🔧%" or Process.CommandLine like r"%👨🏻‍🔧%" or Process.CommandLine like r"%👩🏻‍🔬%" or Process.CommandLine like r"%🧑🏻‍🔬%" or Process.CommandLine like r"%👨🏻‍🔬%" or Process.CommandLine like r"%👩🏻‍🎨%" or Process.CommandLine like r"%🧑🏻‍🎨%" or Process.CommandLine like r"%👨🏻‍🎨%" or Process.CommandLine like r"%👩🏻‍🚒%" or Process.CommandLine like r"%🧑🏻‍🚒%" or Process.CommandLine like r"%👨🏻‍🚒%" or Process.CommandLine like r"%👩🏻‍✈️%" or Process.CommandLine like r"%🧑🏻‍✈️%" or Process.CommandLine like r"%👨🏻‍✈️%" or Process.CommandLine like r"%👩🏻‍🚀%" or Process.CommandLine like r"%🧑🏻‍🚀%" or Process.CommandLine like r"%👨🏻‍🚀%" or Process.CommandLine like r"%👩🏻‍⚖️%" or Process.CommandLine like r"%🧑🏻‍⚖️%" or Process.CommandLine like r"%👨🏻‍⚖️%" or Process.CommandLine like r"%👰🏻‍♀️%" or Process.CommandLine like r"%👰🏻%" or Process.CommandLine like r"%👰🏻‍♂️%" or Process.CommandLine like r"%🤵🏻‍♀️%" or Process.CommandLine like r"%🤵🏻%" or Process.CommandLine like r"%🤵🏻‍♂️%" or Process.CommandLine like r"%👸🏻%" or Process.CommandLine like r"%🫅🏻%" or Process.CommandLine like r"%🤴🏻%" or Process.CommandLine like r"%🥷🏻%" or Process.CommandLine like r"%🦸🏻‍♀️%" or Process.CommandLine like r"%🦸🏻%" or Process.CommandLine like r"%🦸🏻‍♂️%" or Process.CommandLine like r"%🦹🏻‍♀️%" or Process.CommandLine like r"%🦹🏻%" or Process.CommandLine like r"%🦹🏻‍♂️%" or Process.CommandLine like r"%🤶🏻%" or Process.CommandLine like r"%🧑🏻‍🎄%" or Process.CommandLine like r"%🎅🏻%" or Process.CommandLine like 
r"%🧙🏻‍♀️%" or Process.CommandLine like r"%🧙🏻%" or Process.CommandLine like r"%🧙🏻‍♂️%" or Process.CommandLine like r"%🧝🏻‍♀️%" or Process.CommandLine like r"%🧝🏻%" or Process.CommandLine like r"%🧝🏻‍♂️%" or Process.CommandLine like r"%🧛🏻‍♀️%" or Process.CommandLine like r"%🧛🏻%" or Process.CommandLine like r"%🧛🏻‍♂️%" or Process.CommandLine like r"%🧜🏻‍♀️%" or Process.CommandLine like r"%🧜🏻%" or Process.CommandLine like r"%🧜🏻‍♂️%" or Process.CommandLine like r"%🧚🏻‍♀️%" or Process.CommandLine like r"%🧚🏻%" or Process.CommandLine like r"%🧚🏻‍♂️%" or Process.CommandLine like r"%👼🏻%" or Process.CommandLine like r"%🤰🏻%" or Process.CommandLine like r"%🫄🏻%" or Process.CommandLine like r"%🫃🏻%" or Process.CommandLine like r"%🤱🏻%" or Process.CommandLine like r"%👩🏻‍🍼%" or Process.CommandLine like r"%🧑🏻‍🍼%" or Process.CommandLine like r"%👨🏻‍🍼%" or Process.CommandLine like r"%🙇🏻‍♀️%" or Process.CommandLine like r"%🙇🏻%" or Process.CommandLine like r"%🙇🏻‍♂️%" or Process.CommandLine like r"%💁🏻‍♀️%" or Process.CommandLine like r"%💁🏻%" or Process.CommandLine like r"%💁🏻‍♂️%" or Process.CommandLine like r"%🙅🏻‍♀️%" or Process.CommandLine like r"%🙅🏻%" or Process.CommandLine like r"%🙅🏻‍♂️%" or Process.CommandLine like r"%🙆🏻‍♀️%" or Process.CommandLine like r"%🙆🏻%" or Process.CommandLine like r"%🙆🏻‍♂️%" or Process.CommandLine like r"%🙋🏻‍♀️%" or Process.CommandLine like r"%🙋🏻%" or Process.CommandLine like r"%🙋🏻‍♂️%" or Process.CommandLine like r"%🧏🏻‍♀️%" or Process.CommandLine like r"%🧏🏻%" or Process.CommandLine like r"%🧏🏻‍♂️%" or Process.CommandLine like r"%🤦🏻‍♀️%" or Process.CommandLine like r"%🤦🏻%" or Process.CommandLine like r"%🤦🏻‍♂️%" or Process.CommandLine like r"%🤷🏻‍♀️%" or Process.CommandLine like r"%🤷🏻%" or Process.CommandLine like r"%🤷🏻‍♂️%" or Process.CommandLine like r"%🙎🏻‍♀️%" or Process.CommandLine like r"%🙎🏻%" or Process.CommandLine like r"%🙎🏻‍♂️%" or Process.CommandLine like r"%🙍🏻‍♀️%" or Process.CommandLine like r"%🙍🏻%" or Process.CommandLine like r"%🙍🏻‍♂️%" or Process.CommandLine 
like r"%💇🏻‍♀️%" or Process.CommandLine like r"%💇🏻%" or Process.CommandLine like r"%💇🏻‍♂️%" or Process.CommandLine like r"%💆🏻‍♀️%" or Process.CommandLine like r"%💆🏻%" or Process.CommandLine like r"%💆🏻‍♂️%" or Process.CommandLine like r"%🧖🏻‍♀️%" or Process.CommandLine like r"%🧖🏻%" or Process.CommandLine like r"%🧖🏻‍♂️%" or Process.CommandLine like r"%💃🏻%" or Process.CommandLine like r"%🕺🏻%" or Process.CommandLine like r"%🕴🏻%" or Process.CommandLine like r"%👩🏻‍🦽%" or Process.CommandLine like r"%🧑🏻‍🦽%" or Process.CommandLine like r"%👨🏻‍🦽%" or Process.CommandLine like r"%👩🏻‍🦼%" or Process.CommandLine like r"%🧑🏻‍🦼%" or Process.CommandLine like r"%👨🏻‍🦼%" or Process.CommandLine like r"%🚶🏻‍♀️%" or Process.CommandLine like r"%🚶🏻%" or Process.CommandLine like r"%🚶🏻‍♂️%" or Process.CommandLine like r"%👩🏻‍🦯%" or Process.CommandLine like r"%🧑🏻‍🦯%" or Process.CommandLine like r"%👨🏻‍🦯%" or Process.CommandLine like r"%🧎🏻‍♀️%" or Process.CommandLine like r"%🧎🏻%" or Process.CommandLine like r"%🧎🏻‍♂️%" or Process.CommandLine like r"%🏃🏻‍♀️%" or Process.CommandLine like r"%🏃🏻%" or Process.CommandLine like r"%🏃🏻‍♂️%" or Process.CommandLine like r"%🧍🏻‍♀️%" or Process.CommandLine like r"%🧍🏻%" or Process.CommandLine like r"%🧍🏻‍♂️%" or Process.CommandLine like r"%👭🏻%" or Process.CommandLine like r"%🧑🏻‍🤝‍🧑🏻%" or Process.CommandLine like r"%👬🏻%" or Process.CommandLine like r"%👫🏻%" or Process.CommandLine like r"%🧗🏻‍♀️%" or Process.CommandLine like r"%🧗🏻%" or Process.CommandLine like r"%🧗🏻‍♂️%" or Process.CommandLine like r"%🏇🏻%" or Process.CommandLine like r"%🏂🏻%" or Process.CommandLine like r"%🏌🏻‍♀️%" or Process.CommandLine like r"%🏌🏻%" or Process.CommandLine like r"%🏌🏻‍♂️%" or Process.CommandLine like r"%🏄🏻‍♀️%" or Process.CommandLine like r"%🏄🏻%" or Process.CommandLine like r"%🏄🏻‍♂️%" or Process.CommandLine like r"%🚣🏻‍♀️%" or Process.CommandLine like r"%🚣🏻%" or Process.CommandLine like r"%🚣🏻‍♂️%" or Process.CommandLine like r"%🏊🏻‍♀️%" or Process.CommandLine like r"%🏊🏻%" or Process.CommandLine 
like r"%🏊🏻‍♂️%" or Process.CommandLine like r"%⛹🏻‍♀️%" or Process.CommandLine like r"%⛹🏻%" or Process.CommandLine like r"%⛹🏻‍♂️%" or Process.CommandLine like r"%🏋🏻‍♀️%" or Process.CommandLine like r"%🏋🏻%" or Process.CommandLine like r"%🏋🏻‍♂️%" or Process.CommandLine like r"%🚴🏻‍♀️%" or Process.CommandLine like r"%🚴🏻%" or Process.CommandLine like r"%🚴🏻‍♂️%" or Process.CommandLine like r"%🚵🏻‍♀️%" or Process.CommandLine like r"%🚵🏻%" or Process.CommandLine like r"%🚵🏻‍♂️%" or Process.CommandLine like r"%🤸🏻‍♀️%" or Process.CommandLine like r"%🤸🏻%" or Process.CommandLine like r"%🤸🏻‍♂️%" or Process.CommandLine like r"%🤽🏻‍♀️%" or Process.CommandLine like r"%🤽🏻%" or Process.CommandLine like r"%🤽🏻‍♂️%" or Process.CommandLine like r"%🤾🏻‍♀️%" or Process.CommandLine like r"%🤾🏻%" or Process.CommandLine like r"%🤾🏻‍♂️%" or Process.CommandLine like r"%🤹🏻‍♀️%" or Process.CommandLine like r"%🤹🏻%" or Process.CommandLine like r"%🤹🏻‍♂️%" or Process.CommandLine like r"%🧘🏻‍♀️%" or Process.CommandLine like r"%🧘🏻%" or Process.CommandLine like r"%🧘🏻‍♂️%" or Process.CommandLine like r"%🛀🏻%" or Process.CommandLine like r"%🛌🏻%" or Process.CommandLine like r"%👋🏼%" or Process.CommandLine like r"%🤚🏼%" or Process.CommandLine like r"%🖐🏼%" or Process.CommandLine like r"%✋🏼%" or Process.CommandLine like r"%🖖🏼%" or Process.CommandLine like r"%👌🏼%" or Process.CommandLine like r"%🤌🏼%" or Process.CommandLine like r"%🤏🏼%" or Process.CommandLine like r"%✌🏼%" or Process.CommandLine like r"%🤞🏼%" or Process.CommandLine like r"%🫰🏼%" or Process.CommandLine like r"%🤟🏼%" or Process.CommandLine like r"%🤘🏼%" or Process.CommandLine like r"%🤙🏼%" or Process.CommandLine like r"%🫵🏼%" or Process.CommandLine like r"%🫱🏼%" or Process.CommandLine like r"%🫲🏼%" or Process.CommandLine like r"%🫳🏼%" or Process.CommandLine like r"%🫴🏼%" or Process.CommandLine like r"%👈🏼%" or Process.CommandLine like r"%👉🏼%" or Process.CommandLine like r"%👆🏼%" or Process.CommandLine like r"%🖕🏼%" or Process.CommandLine like r"%👇🏼%" or 
Process.CommandLine like r"%☝🏼%" or Process.CommandLine like r"%👍🏼%" or Process.CommandLine like r"%👎🏼%" or Process.CommandLine like r"%✊🏼%" or Process.CommandLine like r"%👊🏼%" or Process.CommandLine like r"%🤛🏼%" or Process.CommandLine like r"%🤜🏼%" or Process.CommandLine like r"%👏🏼%" or Process.CommandLine like r"%🫶🏼%" or Process.CommandLine like r"%🙌🏼%" or Process.CommandLine like r"%👐🏼%" or Process.CommandLine like r"%🤲🏼%" or Process.CommandLine like r"%🙏🏼%" or Process.CommandLine like r"%✍🏼%" or Process.CommandLine like r"%💪🏼%" or Process.CommandLine like r"%🦵🏼%" or Process.CommandLine like r"%🦶🏼%" or Process.CommandLine like r"%👂🏼%" or Process.CommandLine like r"%🦻🏼%" or Process.CommandLine like r"%👃🏼%" or Process.CommandLine like r"%👶🏼%" or Process.CommandLine like r"%👧🏼%" or Process.CommandLine like r"%🧒🏼%" or Process.CommandLine like r"%👦🏼%" or Process.CommandLine like r"%👩🏼%" or Process.CommandLine like r"%🧑🏼%" or Process.CommandLine like r"%👨🏼%" or Process.CommandLine like r"%👩🏼‍🦱%" or Process.CommandLine like r"%🧑🏼‍🦱%" or Process.CommandLine like r"%👨🏼‍🦱%" or Process.CommandLine like r"%👩🏼‍🦰%" or Process.CommandLine like r"%🧑🏼‍🦰%" or Process.CommandLine like r"%👨🏼‍🦰%" or Process.CommandLine like r"%👱🏼‍♀️%" or Process.CommandLine like r"%👱🏼%" or Process.CommandLine like r"%👱🏼‍♂️%" or Process.CommandLine like r"%👩🏼‍🦳%" or Process.CommandLine like r"%🧑🏼‍🦳%" or Process.CommandLine like r"%👨🏼‍🦳%" or Process.CommandLine like r"%👩🏼‍🦲%" or Process.CommandLine like r"%🧑🏼‍🦲%" or Process.CommandLine like r"%👨🏼‍🦲%" or Process.CommandLine like r"%🧔🏼‍♀️%" or Process.CommandLine like r"%🧔🏼%" or Process.CommandLine like r"%🧔🏼‍♂️%" or Process.CommandLine like r"%👵🏼%" or Process.CommandLine like r"%🧓🏼%" or Process.CommandLine like r"%👴🏼%" or Process.CommandLine like r"%👲🏼%" or Process.CommandLine like r"%👳🏼‍♀️%" or Process.CommandLine like r"%👳🏼%" or Process.CommandLine like r"%👳🏼‍♂️%" or Process.CommandLine like r"%🧕🏼%" or Process.CommandLine like r"%👮🏼‍♀️%" or 
Process.CommandLine like r"%👮🏼%" or Process.CommandLine like r"%👮🏼‍♂️%" or Process.CommandLine like r"%👷🏼‍♀️%" or Process.CommandLine like r"%👷🏼%" or Process.CommandLine like r"%👷🏼‍♂️%" or Process.CommandLine like r"%💂🏼‍♀️%" or Process.CommandLine like r"%💂🏼%" or Process.CommandLine like r"%💂🏼‍♂️%" or Process.CommandLine like r"%🕵🏼‍♀️%" or Process.CommandLine like r"%🕵🏼%" or Process.CommandLine like r"%🕵🏼‍♂️%" or Process.CommandLine like r"%👩🏼‍⚕️%" or Process.CommandLine like r"%🧑🏼‍⚕️%" or Process.CommandLine like r"%👨🏼‍⚕️%" or Process.CommandLine like r"%👩🏼‍🌾%" or Process.CommandLine like r"%🧑🏼‍🌾%" or Process.CommandLine like r"%👨🏼‍🌾%" or Process.CommandLine like r"%👩🏼‍🍳%" or Process.CommandLine like r"%🧑🏼‍🍳%" or Process.CommandLine like r"%👨🏼‍🍳%" or Process.CommandLine like r"%👩🏼‍🎓%" or Process.CommandLine like r"%🧑🏼‍🎓%" or Process.CommandLine like r"%👨🏼‍🎓%" or Process.CommandLine like r"%👩🏼‍🎤%" or Process.CommandLine like r"%🧑🏼‍🎤%" or Process.CommandLine like r"%👨🏼‍🎤%" or Process.CommandLine like r"%👩🏼‍🏫%" or Process.CommandLine like r"%🧑🏼‍🏫%" or Process.CommandLine like r"%👨🏼‍🏫%" or Process.CommandLine like r"%👩🏼‍🏭%" or Process.CommandLine like r"%🧑🏼‍🏭%" or Process.CommandLine like r"%👨🏼‍🏭%" or Process.CommandLine like r"%👩🏼‍💻%" or Process.CommandLine like r"%🧑🏼‍💻%" or Process.CommandLine like r"%👨🏼‍💻%" or Process.CommandLine like r"%👩🏼‍💼%" or Process.CommandLine like r"%🧑🏼‍💼%" or Process.CommandLine like r"%👨🏼‍💼%" or Process.CommandLine like r"%👩🏼‍🔧%" or Process.CommandLine like r"%🧑🏼‍🔧%" or Process.CommandLine like r"%👨🏼‍🔧%" or Process.CommandLine like r"%👩🏼‍🔬%" or Process.CommandLine like r"%🧑🏼‍🔬%" or Process.CommandLine like r"%👨🏼‍🔬%" or Process.CommandLine like r"%👩🏼‍🎨%" or Process.CommandLine like r"%🧑🏼‍🎨%" or Process.CommandLine like r"%👨🏼‍🎨%" or Process.CommandLine like r"%👩🏼‍🚒%" or Process.CommandLine like r"%🧑🏼‍🚒%" or Process.CommandLine like r"%👨🏼‍🚒%" or Process.CommandLine like r"%👩🏼‍✈️%" or Process.CommandLine like r"%🧑🏼‍✈️%" or Process.CommandLine 
like r"%👨🏼‍✈️%" or Process.CommandLine like r"%👩🏼‍🚀%" or Process.CommandLine like r"%🧑🏼‍🚀%" or Process.CommandLine like r"%👨🏼‍🚀%" or Process.CommandLine like r"%👩🏼‍⚖️%" or Process.CommandLine like r"%🧑🏼‍⚖️%" or Process.CommandLine like r"%👨🏼‍⚖️%" or Process.CommandLine like r"%👰🏼‍♀️%" or Process.CommandLine like r"%👰🏼%" or Process.CommandLine like r"%👰🏼‍♂️%" or Process.CommandLine like r"%🤵🏼‍♀️%" or Process.CommandLine like r"%🤵🏼%" or Process.CommandLine like r"%🤵🏼‍♂️%" or Process.CommandLine like r"%👸🏼%" or Process.CommandLine like r"%🫅🏼%" or Process.CommandLine like r"%🤴🏼%" or Process.CommandLine like r"%🥷🏼%" or Process.CommandLine like r"%🦸🏼‍♀️%" or Process.CommandLine like r"%🦸🏼%" or Process.CommandLine like r"%🦸🏼‍♂️%" or Process.CommandLine like r"%🦹🏼‍♀️%" or Process.CommandLine like r"%🦹🏼%" or Process.CommandLine like r"%🦹🏼‍♂️%" or Process.CommandLine like r"%🤶🏼%" or Process.CommandLine like r"%🧑🏼‍🎄%" or Process.CommandLine like r"%🎅🏼%" or Process.CommandLine like r"%🧙🏼‍♀️%" or Process.CommandLine like r"%🧙🏼%" or Process.CommandLine like r"%🧙🏼‍♂️%" or Process.CommandLine like r"%🧝🏼‍♀️%" or Process.CommandLine like r"%🧝🏼%" or Process.CommandLine like r"%🧝🏼‍♂️%" or Process.CommandLine like r"%🧛🏼‍♀️%" or Process.CommandLine like r"%🧛🏼%" or Process.CommandLine like r"%🧛🏼‍♂️%" or Process.CommandLine like r"%🧜🏼‍♀️%" or Process.CommandLine like r"%🧜🏼%" or Process.CommandLine like r"%🧜🏼‍♂️%" or Process.CommandLine like r"%🧚🏼‍♀️%" or Process.CommandLine like r"%🧚🏼%" or Process.CommandLine like r"%🧚🏼‍♂️%" or Process.CommandLine like r"%👼🏼%" or Process.CommandLine like r"%🤰🏼%" or Process.CommandLine like r"%🫄🏼%" or Process.CommandLine like r"%🫃🏼%" or Process.CommandLine like r"%🤱🏼%" or Process.CommandLine like r"%👩🏼‍🍼%" or Process.CommandLine like r"%🧑🏼‍🍼%" or Process.CommandLine like r"%👨🏼‍🍼%" or Process.CommandLine like r"%🙇🏼‍♀️%" or Process.CommandLine like r"%🙇🏼%" or Process.CommandLine like r"%🙇🏼‍♂️%" or Process.CommandLine like r"%💁🏼‍♀️%" or Process.CommandLine 
like r"%💁🏼%" or Process.CommandLine like r"%💁🏼‍♂️%" or Process.CommandLine like r"%🙅🏼‍♀️%" or Process.CommandLine like r"%🙅🏼%" or Process.CommandLine like r"%🙅🏼‍♂️%" or Process.CommandLine like r"%🙆🏼‍♀️%" or Process.CommandLine like r"%🙆🏼%" or Process.CommandLine like r"%🙆🏼‍♂️%" or Process.CommandLine like r"%🙋🏼‍♀️%" or Process.CommandLine like r"%🙋🏼%" or Process.CommandLine like r"%🙋🏼‍♂️%" or Process.CommandLine like r"%🧏🏼‍♀️%" or Process.CommandLine like r"%🧏🏼%" or Process.CommandLine like r"%🧏🏼‍♂️%" or Process.CommandLine like r"%🤦🏼‍♀️%" or Process.CommandLine like r"%🤦🏼%" or Process.CommandLine like r"%🤦🏼‍♂️%" or Process.CommandLine like r"%🤷🏼‍♀️%" [ThreatDetectionRule platform=Windows] -# Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = a34f79a3-8e5f-4cc3-b765-de00695452c2 -RuleName = HackTool - PowerTool Execution +# Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell. 
+# Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 +RuleName = Scheduled Task Executing Encoded Payload from Registry EventType = Process.Start -Tag = proc-start-hacktool-powertool-execution +Tag = proc-start-scheduled-task-executing-encoded-payload-from-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\PowerTool.exe" or Process.Path like r"%\\PowerTool64.exe" or Process.Name == "PowerTool.exe" +Annotation = {"mitre_attack": ["T1053.005", "T1059.001"], "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\schtasks.exe" or Process.Name == "schtasks.exe") and Process.CommandLine like r"%/Create%" and (Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"%encodedcommand%") and (Process.CommandLine like r"%Get-ItemProperty%" or Process.CommandLine like r"% gp %") and (Process.CommandLine like r"%HKCU:%" or Process.CommandLine like r"%HKLM:%" or Process.CommandLine like r"%registry::%" or Process.CommandLine like r"%HKEY\_%") [ThreatDetectionRule platform=Windows] -# Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. 
-# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 6e22722b-dfb1-4508-a911-49ac840b40f8 -RuleName = Suspicious Mstsc.EXE Execution With Local RDP File +# Detects usage of bitsadmin downloading a file with a suspicious extension +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200 +RuleName = File With Suspicious Extension Downloaded Via Bitsadmin EventType = Process.Start -Tag = proc-start-suspicious-mstsc.exe-execution-with-local-rdp-file +Tag = proc-start-file-with-suspicious-extension-downloaded-via-bitsadmin RiskScore = 75 -Annotation = {"mitre_attack": ["T1219"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\mstsc.exe" or Process.Name == "mstsc.exe") and (Process.CommandLine like r"%.rdp" or Process.CommandLine like r"%.rdp\"") and (Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\System32\\spool\\drivers\\color%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\_Migrated %" or Process.CommandLine like r"%:\\Windows\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\Tracing\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\Downloads\\%") +Annotation = {"mitre_attack": ["T1197", "T1036.003"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\bitsadmin.exe" or Process.Name == "bitsadmin.exe") and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%.7z%" or Process.CommandLine like r"%.asax%" or Process.CommandLine like r"%.ashx%" or Process.CommandLine like r"%.asmx%" or Process.CommandLine like r"%.asp%" or Process.CommandLine like r"%.aspx%" or Process.CommandLine like r"%.bat%" or Process.CommandLine 
like r"%.cfm%" or Process.CommandLine like r"%.cgi%" or Process.CommandLine like r"%.chm%" or Process.CommandLine like r"%.cmd%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.jsp%" or Process.CommandLine like r"%.jspx%" or Process.CommandLine like r"%.log%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.ps1%" or Process.CommandLine like r"%.psm1%" or Process.CommandLine like r"%.rar%" or Process.CommandLine like r"%.scf%" or Process.CommandLine like r"%.sct%" or Process.CommandLine like r"%.txt%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.vbs%" or Process.CommandLine like r"%.war%" or Process.CommandLine like r"%.wsf%" or Process.CommandLine like r"%.wsh%" or Process.CommandLine like r"%.xll%" or Process.CommandLine like r"%.zip%") [ThreatDetectionRule platform=Windows] -# Detects executable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass) -# Author: Florian Roth (Nextron Systems) -RuleId = f5e3b62f-e577-4e59-931e-0a15b2b94e1e -RuleName = HackTool - Htran/NATBypass Execution +# Detects base64 encoded .NET reflective loading of Assembly +# Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems) +RuleId = 62b7ccc9-23b4-471e-aa15-6da3663c4d59 +RuleName = PowerShell Base64 Encoded Reflective Assembly Load EventType = Process.Start -Tag = proc-start-hacktool-htran/natbypass-execution +Tag = proc-start-powershell-base64-encoded-reflective-assembly-load RiskScore = 75 -Annotation = {"mitre_attack": ["T1090"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\htran.exe" or Process.Path like r"%\\lcx.exe" or Process.CommandLine like r"%.exe -tran %" or Process.CommandLine like r"%.exe -slave %" +Annotation = {"mitre_attack": ["T1059.001", "T1027", "T1620"], "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)"} +Query = Process.CommandLine like r"%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%" or Process.CommandLine like r"%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%" or Process.CommandLine like r"%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%" or Process.CommandLine like r"%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%" or Process.CommandLine like r"%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%" or Process.CommandLine like r"%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%" or Process.CommandLine like r"%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%" or Process.CommandLine like r"%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%" or Process.CommandLine like r"%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%" or Process.CommandLine 
like r"%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%" or Process.CommandLine like r"%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%" or Process.CommandLine like r"%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%" [ThreatDetectionRule platform=Windows] -# Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". -# Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel -RuleId = 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 -RuleName = Potential Provisioning Registry Key Abuse For Binary Proxy Execution -EventType = Process.Start -Tag = proc-start-potential-provisioning-registry-key-abuse-for-binary-proxy-execution +# Detect modification of the startup key to a path where a payload could be stored to be launched during startup +# Author: frack113 +RuleId = 9c226817-8dc9-46c2-a58d-66655aafd7dc +RuleName = Modify User Shell Folders Startup Value +EventType = Reg.Any +Tag = modify-user-shell-folders-startup-value RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel"} -Query = Process.CommandLine like r"%SOFTWARE\\Microsoft\\Provisioning\\Commands\\%" +Annotation = {"mitre_attack": ["T1547.001"], "author": "frack113"} +Query = Reg.TargetObject like r"%SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders%" and Reg.TargetObject like r"%Startup" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects processes loading modules related to PCRE.NET package -# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -RuleId = 84b0a8f3-680b-4096-a45b-e9a89221727c -RuleName = PCRE.NET Package Image Load -EventType = Image.Load -Tag = pcre.net-package-image-load +# Detects a suspicious program execution in Outlook temp folder +# Author: Florian Roth (Nextron 
Systems) +RuleId = a018fdc3-46a3-44e5-9afb-2cd4af1d4b39 +RuleName = Suspicious Execution From Outlook Temporary Folder +EventType = Process.Start +Tag = proc-start-suspicious-execution-from-outlook-temporary-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} -Query = Image.Path like r"%\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\%" -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1566.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\Temporary Internet Files\\Content.Outlook\\%" [ThreatDetectionRule platform=Windows] -# Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio) -# Author: Jason Lynch -RuleId = aa3a6f94-890e-4e22-b634-ffdfd54792cc -RuleName = Suspicious Binary In User Directory Spawned From Office Application -EventType = Process.Start -Tag = proc-start-suspicious-binary-in-user-directory-spawned-from-office-application +# Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 3ab79e90-9fab-4cdf-a7b2-6522bc742adb +RuleName = HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators +EventType = File.Create +Tag = hacktool-remotekrbrelay-smb-relay-secrets-dump-module-indicators RiskScore = 75 -Annotation = {"mitre_attack": ["T1204.002"], "author": "Jason Lynch"} -Query = (Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\MSACCESS.exe" or Parent.Path like r"%\\EQNEDT32.exe") and Process.Path like r"C:\\users\\%" and Process.Path like r"%.exe" and not Process.Path like r"%\\Teams.exe" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1219"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"%:\\windows\\temp\\sam.tmp" or File.Path like r"%:\\windows\\temp\\sec.tmp" or File.Path like r"%:\\windows\\temp\\sys.tmp" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects potential commandline obfuscation using unicode characters. -# Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. 
-# Author: frack113, Florian Roth (Nextron Systems), Josh Nickels -RuleId = 584bca0f-3608-4402-80fd-4075ff6072e3 -RuleName = Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image +# Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service +# Author: Elastic (idea), Tobias Michalski (Nextron Systems) +RuleId = bb76d96b-821c-47cf-944b-7ce377864492 +RuleName = Suspicious NTLM Authentication on the Printer Spooler Service EventType = Process.Start -Tag = proc-start-potential-commandline-obfuscation-using-unicode-characters-from-suspicious-image +Tag = proc-start-suspicious-ntlm-authentication-on-the-printer-spooler-service RiskScore = 75 -Annotation = {"mitre_attack": ["T1027"], "author": "frack113, Florian Roth (Nextron Systems), Josh Nickels"} -Query = (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe") and (Process.Name in ["Cmd.EXE", "cscript.exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe"]) and (Process.CommandLine like r"%ˣ%" or Process.CommandLine like r"%˪%" or Process.CommandLine like r"%ˢ%" or Process.CommandLine like r"%∕%" or Process.CommandLine like r"%⁄%" or Process.CommandLine like r"%―%" or Process.CommandLine like r"%—%" or Process.CommandLine like r"% %" or Process.CommandLine like r"%¯%" or Process.CommandLine like r"%®%" or Process.CommandLine like r"%¶%") +Annotation = {"mitre_attack": ["T1212"], "author": "Elastic (idea), Tobias Michalski (Nextron Systems)"} +Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and Process.CommandLine like r"%C:\\windows\\system32\\davclnt.dll,DavSetCookie%" and Process.CommandLine like r"%http%" and (Process.CommandLine like r"%spoolss%" or Process.CommandLine like r"%srvsvc%" or Process.CommandLine like r"%/print/pipe/%") [ThreatDetectionRule platform=Windows] -# This rule 
detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry. -# Author: oscd.community, Natalia Shornikova -RuleId = fc014922-5def-4da9-a0fc-28c973f41bfb -RuleName = Execution DLL of Choice Using WAB.EXE +# Detects the abuse of the exefile handler in new file association. Used for bypass of security products. +# Author: Andreas Hunkeler (@Karneades) +RuleId = 44a22d59-b175-4f13-8c16-cbaef5b581ff +RuleName = New File Association Using Exefile EventType = Reg.Any -Tag = execution-dll-of-choice-using-wab.exe +Tag = new-file-association-using-exefile RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "oscd.community, Natalia Shornikova"} -Query = Reg.TargetObject like r"%\\Software\\Microsoft\\WAB\\DLLPath" and not Reg.Value.Data == "\%CommonProgramFiles\%\\System\\wab32.dll" +Annotation = {"author": "Andreas Hunkeler (@Karneades)"} +Query = Reg.TargetObject like r"%Classes\\.%" and Reg.Value.Data == "exefile" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects changes to the default RDP port. -# Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. -# Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). -# Author: frack113 -RuleId = 509e84b9-a71a-40e0-834f-05470369bd1e -RuleName = Default RDP Port Changed to Non Standard Port -EventType = Reg.Any -Tag = default-rdp-port-changed-to-non-standard-port +# Detects potential commandline obfuscation using unicode characters. +# Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. 
+# Author: frack113, Florian Roth (Nextron Systems), Josh Nickels +RuleId = 584bca0f-3608-4402-80fd-4075ff6072e3 +RuleName = Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image +EventType = Process.Start +Tag = proc-start-potential-commandline-obfuscation-using-unicode-characters-from-suspicious-image RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.010"], "author": "frack113"} -Query = Reg.TargetObject like r"%\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber" and not Reg.Value.Data == "DWORD (0x00000d3d)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1027"], "author": "frack113, Florian Roth (Nextron Systems), Josh Nickels"} +Query = (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe") and (Process.Name in ["Cmd.EXE", "cscript.exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe"]) and (Process.CommandLine like r"%ˣ%" or Process.CommandLine like r"%˪%" or Process.CommandLine like r"%ˢ%" or Process.CommandLine like r"%∕%" or Process.CommandLine like r"%⁄%" or Process.CommandLine like r"%―%" or Process.CommandLine like r"%—%" or Process.CommandLine like r"% %" or Process.CommandLine like r"%¯%" or Process.CommandLine like r"%®%" or Process.CommandLine like r"%¶%") [ThreatDetectionRule platform=Windows] -# Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming) -# Author: Florian Roth (Nextron Systems) -RuleId = c1d867fe-8d95-4487-aab4-e53f2d339f90 -RuleName = Renamed Sysinternals Sdelete Execution +# Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = cb0fe7c5-f3a3-484d-aa25-d350a7912729 +RuleName = Suspicious Driver/DLL Installation Via Odbcconf.EXE EventType = Process.Start -Tag = proc-start-renamed-sysinternals-sdelete-execution +Tag = proc-start-suspicious-driver/dll-installation-via-odbcconf.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1485"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Name == "sdelete.exe" and not (Process.Path like r"%\\sdelete.exe" or Process.Path like r"%\\sdelete64.exe") +Annotation = {"mitre_attack": ["T1218.008"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\odbcconf.exe" or Process.Name == "odbcconf.exe") and Process.CommandLine like r"%INSTALLDRIVER %" and not Process.CommandLine like r"%.dll%" [ThreatDetectionRule platform=Windows] -# Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks -# Author: Florian Roth (Nextron Systems) -RuleId = 0a4f6091-223b-41f6-8743-f322ec84930b -RuleName = Suspicious GUP Usage +# Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. 
+# Author: Tim Rauch, Elastic (idea) +RuleId = 97dbf6e2-e436-44d8-abee-4261b24d3e41 +RuleName = Microsoft IIS Connection Strings Decryption EventType = Process.Start -Tag = proc-start-suspicious-gup-usage +Tag = proc-start-microsoft-iis-connection-strings-decryption RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\GUP.exe" and not (Process.Path like r"%\\Program Files\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Program Files (x86)\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\Users\\%" and (Process.Path like r"%\\AppData\\Local\\Notepad++\\updater\\GUP.exe" or Process.Path like r"%\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe")) +Annotation = {"mitre_attack": ["T1003"], "author": "Tim Rauch, Elastic (idea)"} +Query = (Process.Path like r"%\\aspnet\_regiis.exe" or Process.Name == "aspnet\_regiis.exe") and Process.CommandLine like r"%connectionStrings%" and Process.CommandLine like r"% -pdf%" [ThreatDetectionRule platform=Windows] -# Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit) -# Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) -RuleId = f57f8d16-1f39-4dcb-a604-6c73d9b54b3d -RuleName = Sensitive File Access Via Volume Shadow Copy Backup +# Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. 
+# Author: Tim Rauch, Elastic (idea) +RuleId = 9bd04a79-dabe-4f1f-a5ff-92430265c96b +RuleName = Privilege Escalation via Named Pipe Impersonation EventType = Process.Start -Tag = proc-start-sensitive-file-access-via-volume-shadow-copy-backup +Tag = proc-start-privilege-escalation-via-named-pipe-impersonation RiskScore = 75 -Annotation = {"mitre_attack": ["T1490"], "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)"} -Query = Process.CommandLine like r"%\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy%" and (Process.CommandLine like r"%\\NTDS.dit%" or Process.CommandLine like r"%\\SYSTEM%" or Process.CommandLine like r"%\\SECURITY%") +Annotation = {"mitre_attack": ["T1021"], "author": "Tim Rauch, Elastic (idea)"} +Query = (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Name in ["Cmd.Exe", "PowerShell.EXE"]) and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%>%" and Process.CommandLine like r"%\\\\.\\pipe\\%" [ThreatDetectionRule platform=Windows] -# Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module -# Author: Bartlomiej Czyz, Relativity -RuleId = 5bb68627-3198-40ca-b458-49f973db8752 -RuleName = Rundll32 Execution Without Parameters +# Detects a suspicious child process of Script Event Consumer (scrcons.exe). 
+# Author: Sittikorn S +RuleId = f6d1dd2f-b8ce-40ca-bc23-062efb686b34 +RuleName = Script Event Consumer Spawning Process EventType = Process.Start -Tag = proc-start-rundll32-execution-without-parameters +Tag = proc-start-script-event-consumer-spawning-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1021.002", "T1570", "T1569.002"], "author": "Bartlomiej Czyz, Relativity"} -Query = Process.CommandLine in ["rundll32.exe", "rundll32"] +Annotation = {"mitre_attack": ["T1047"], "author": "Sittikorn S"} +Query = Parent.Path like r"%\\scrcons.exe" and (Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\msbuild.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. 
-# Author: frack113, Florian Roth -RuleId = 32410e29-5f94-4568-b6a3-d91a8adad863 -RuleName = PUA - Fast Reverse Proxy (FRP) Execution +# Detects the execution of "logman" utility in order to disable or delete Windows trace sessions +# Author: Florian Roth (Nextron Systems) +RuleId = cd1f961e-0b96-436b-b7c6-38da4583ec00 +RuleName = Suspicious Windows Trace ETW Session Tamper Via Logman.EXE EventType = Process.Start -Tag = proc-start-pua-fast-reverse-proxy-(frp)-execution +Tag = proc-start-suspicious-windows-trace-etw-session-tamper-via-logman.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1090"], "author": "frack113, Florian Roth"} -Query = Process.Path like r"%\\frpc.exe" or Process.Path like r"%\\frps.exe" or Process.CommandLine like r"%\\frpc.ini%" or Process.Hashes like r"%MD5=7D9C233B8C9E3F0EA290D2B84593C842%" or Process.Hashes like r"%SHA1=06DDC9280E1F1810677935A2477012960905942F%" or Process.Hashes like r"%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%" -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1562.001", "T1070.001"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\logman.exe" or Process.Name == "Logman.exe") and (Process.CommandLine like r"%stop %" or Process.CommandLine like r"%delete %") and (Process.CommandLine like r"%Circular Kernel Context Logger%" or Process.CommandLine like r"%EventLog-%" or Process.CommandLine like r"%SYSMON TRACE%" or Process.CommandLine like r"%SysmonDnsEtwSession%") [ThreatDetectionRule platform=Windows] -# Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework -# Author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch -RuleId = 10c14723-61c7-4c75-92ca-9af245723ad2 -RuleName = HackTool - Potential Impacket Lateral Movement Activity +# Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines. 
+# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 69bd9b97-2be2-41b6-9816-fb08757a4d1a +RuleName = Potentially Suspicious Execution From Parent Process In Public Folder EventType = Process.Start -Tag = proc-start-hacktool-potential-impacket-lateral-movement-activity +Tag = proc-start-potentially-suspicious-execution-from-parent-process-in-public-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1047", "T1021.003"], "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch"} -Query = (Parent.Path like r"%\\wmiprvse.exe" or Parent.Path like r"%\\mmc.exe" or Parent.Path like r"%\\explorer.exe" or Parent.Path like r"%\\services.exe") and Process.CommandLine like r"%cmd.exe%" and Process.CommandLine like r"%/Q%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%\\\\127.0.0.1\\%" and Process.CommandLine like r"%&1%" or (Parent.CommandLine like r"%svchost.exe -k netsvcs%" or Parent.CommandLine like r"%taskeng.exe%") and Process.CommandLine like r"%cmd.exe%" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%Windows\\Temp\\%" and Process.CommandLine like r"%&1%" +Annotation = {"mitre_attack": ["T1564", "T1059"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = Parent.Path like r"%:\\Users\\Public\\%" and (Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Process.CommandLine like r"%bitsadmin%" or Process.CommandLine like r"%certutil%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%regsvr32%" or 
Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%wscript%") GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. -# Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. -# As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. -# Author: Perez Diego (@darkquassar), oscd.community, Ecco -RuleId = bdc64095-d59a-42a2-8588-71fd9c9d9abc -RuleName = Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded -EventType = Image.Load -Tag = suspicious-unsigned-dbghelp/dbgcore-dll-loaded +# Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 8023f872-3f1d-4301-a384-801889917ab4 +RuleName = Usage of Renamed Sysinternals Tools - RegistrySet +EventType = Reg.Any +Tag = usage-of-renamed-sysinternals-tools-registryset RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Perez Diego (@darkquassar), oscd.community, Ecco"} -Query = (Image.Path like r"%\\dbghelp.dll" or Image.Path like r"%\\dbgcore.dll") and Image.IsSigned == "false" -GenericProperty1 = Image.Path -GenericProperty2 = Image.IsSigned +Annotation = {"mitre_attack": ["T1588.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Reg.TargetObject like r"%\\PsExec%" or Reg.TargetObject like r"%\\ProcDump%" or Reg.TargetObject like r"%\\Handle%" or Reg.TargetObject like r"%\\LiveKd%" or Reg.TargetObject like r"%\\Process Explorer%" or Reg.TargetObject like r"%\\PsLoglist%" or Reg.TargetObject like r"%\\PsPasswd%" or Reg.TargetObject like r"%\\Active Directory Explorer%") and Reg.TargetObject like r"%\\EulaAccepted" and not 
(Process.Path like r"%\\PsExec.exe" or Process.Path like r"%\\PsExec64.exe" or Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe" or Process.Path like r"%\\handle.exe" or Process.Path like r"%\\handle64.exe" or Process.Path like r"%\\livekd.exe" or Process.Path like r"%\\livekd64.exe" or Process.Path like r"%\\procexp.exe" or Process.Path like r"%\\procexp64.exe" or Process.Path like r"%\\psloglist.exe" or Process.Path like r"%\\psloglist64.exe" or Process.Path like r"%\\pspasswd.exe" or Process.Path like r"%\\pspasswd64.exe" or Process.Path like r"%\\ADExplorer.exe" or Process.Path like r"%\\ADExplorer64.exe") and not isnull(Process.Path) +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates. -# Author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems) -RuleId = 7892ec59-c5bb-496d-8968-e5d210ca3ac4 -RuleName = DPAPI Backup Keys And Certificate Export Activity IOC -EventType = File.Create -Tag = dpapi-backup-keys-and-certificate-export-activity-ioc +# Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) +# Author: Florian Roth (Nextron Systems) +RuleId = e61e8a88-59a9-451c-874e-70fcc9740d67 +RuleName = New DNS ServerLevelPluginDll Installed +EventType = Reg.Any +Tag = new-dns-serverlevelplugindll-installed RiskScore = 75 -Annotation = {"mitre_attack": ["T1555", "T1552.004"], "author": "Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)"} -Query = (File.Path like r"%ntds\_capi\_%" or File.Path like r"%ntds\_legacy\_%" or File.Path like r"%ntds\_unknown\_%") and (File.Path like r"%.cer" or File.Path like r"%.key" or File.Path like r"%.pfx" or File.Path like r"%.pvk") -GenericProperty1 = File.Path 
+Annotation = {"mitre_attack": ["T1574.002", "T1112"], "author": "Florian Roth (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\services\\DNS\\Parameters\\ServerLevelPluginDll" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects suspicious addition to BitLocker related registry keys via the reg.exe utility -# Author: frack113 -RuleId = 0e0255bf-2548-47b8-9582-c0955c9283f5 -RuleName = Suspicious Reg Add BitLocker +# Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt. +# Author: Florian Roth (Nextron Systems) +RuleId = 97a80ec7-0e2f-4d05-9ef4-65760e634f6b +RuleName = Security Privileges Enumeration Via Whoami.EXE EventType = Process.Start -Tag = proc-start-suspicious-reg-add-bitlocker +Tag = proc-start-security-privileges-enumeration-via-whoami.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1486"], "author": "frack113"} -Query = Process.CommandLine like r"%REG%" and Process.CommandLine like r"%ADD%" and Process.CommandLine like r"%\\SOFTWARE\\Policies\\Microsoft\\FVE%" and Process.CommandLine like r"%/v%" and Process.CommandLine like r"%/f%" and (Process.CommandLine like r"%EnableBDEWithNoTPM%" or Process.CommandLine like r"%UseAdvancedStartup%" or Process.CommandLine like r"%UseTPM%" or Process.CommandLine like r"%UseTPMKey%" or Process.CommandLine like r"%UseTPMKeyPIN%" or Process.CommandLine like r"%RecoveryKeyMessageSource%" or Process.CommandLine like r"%UseTPMPIN%" or Process.CommandLine like r"%RecoveryKeyMessage%") +Annotation = {"mitre_attack": ["T1033"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\whoami.exe" or Process.Name == "whoami.exe") and (Process.CommandLine like r"% /priv%" or Process.CommandLine like r"% -priv%") [ThreatDetectionRule platform=Windows] -# Detects the installation of a DNS plugin DLL via ServerLevelPluginDll 
parameter in registry, which can be used to execute code in context of the DNS server (restart required) -# Author: Florian Roth (Nextron Systems) -RuleId = f63b56ee-3f79-4b8a-97fb-5c48007e8573 -RuleName = New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE +# Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. +# This behavior has been observed in-the-wild by different threat actors. +# Author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems) +RuleId = b2b048b0-7857-4380-b0fb-d3f0ab820b71 +RuleName = Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location EventType = Process.Start -Tag = proc-start-new-dns-serverlevelplugindll-installed-via-dnscmd.exe +Tag = proc-start-self-extracting-package-creation-via-iexpress.exe-from-potentially-suspicious-location RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002", "T1112"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\dnscmd.exe" and Process.CommandLine like r"%/config%" and Process.CommandLine like r"%/serverlevelplugindll%" +Annotation = {"mitre_attack": ["T1218"], "author": "Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\iexpress.exe" or Process.Name == "IEXPRESS.exe") and (Process.CommandLine like r"% -n %" or Process.CommandLine like r"% /n %" or Process.CommandLine like r"% –n %" or Process.CommandLine like r"% —n %" or Process.CommandLine like r"% ―n %") and (Process.CommandLine like r"%:\\ProgramData\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%") [ThreatDetectionRule platform=Windows] -# Detects setting a custom URL for 
OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any -# anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json -# Author: frack113 -RuleId = 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d -RuleName = Lolbas OneDriveStandaloneUpdater.exe Proxy Download -EventType = Reg.Any -Tag = lolbas-onedrivestandaloneupdater.exe-proxy-download +# Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location. +# Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems) +RuleId = e4a6b256-3e47-40fc-89d2-7a477edd6915 +RuleName = System File Execution Location Anomaly +EventType = Process.Start +Tag = proc-start-system-file-execution-location-anomaly RiskScore = 75 -Annotation = {"mitre_attack": ["T1105"], "author": "frack113"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\atbroker.exe" or Process.Path like r"%\\audiodg.exe" or Process.Path like r"%\\bcdedit.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certreq.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\conhost.exe" or Process.Path like r"%\\consent.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\dashost.exe" or Process.Path like r"%\\defrag.exe" or Process.Path like r"%\\dfrgui.exe" or Process.Path like r"%\\dism.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like 
r"%\\dllhst3g.exe" or Process.Path like r"%\\dwm.exe" or Process.Path like r"%\\eventvwr.exe" or Process.Path like r"%\\logonui.exe" or Process.Path like r"%\\LsaIso.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\lsm.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\ntoskrnl.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\runonce.exe" or Process.Path like r"%\\RuntimeBroker.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\services.exe" or Process.Path like r"%\\sihost.exe" or Process.Path like r"%\\smartscreen.exe" or Process.Path like r"%\\smss.exe" or Process.Path like r"%\\spoolsv.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\taskhost.exe" or Process.Path like r"%\\Taskmgr.exe" or Process.Path like r"%\\userinit.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\winlogon.exe" or Process.Path like r"%\\winver.exe" or Process.Path like r"%\\wlanext.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\wsl.exe" or Process.Path like r"%\\wsmprovhost.exe") and not (Process.Path like r"C:\\$WINDOWS.~BT\\%" or Process.Path like r"C:\\$WinREAgent\\%" or Process.Path like r"C:\\Windows\\SoftwareDistribution\\%" or Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SystemTemp\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\uus\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path in ["C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe"] or Process.Path like r"C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux%" and Process.Path like r"%\\wsl.exe") and not Process.Path like r"%\\SystemRoot\\System32\\%" 
[ThreatDetectionRule platform=Windows] -# Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros -# Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) -RuleId = 55f0a3a1-846e-40eb-8273-677371b8d912 -RuleName = Outlook EnableUnsafeClientMailRules Setting Enabled +# Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = b98d0db6-511d-45de-ad02-e82a98729620 +RuleName = Remotely Hosted HTA File Executed Via Mshta.EXE EventType = Process.Start -Tag = proc-start-outlook-enableunsafeclientmailrules-setting-enabled +Tag = proc-start-remotely-hosted-hta-file-executed-via-mshta.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1059", "T1202"], "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%\\Outlook\\Security\\EnableUnsafeClientMailRules%" +Annotation = {"mitre_attack": ["T1218.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\mshta.exe" or Process.Name == "MSHTA.EXE") and (Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%" or Process.CommandLine like r"%ftp://%") [ThreatDetectionRule platform=Windows] -# Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. -# Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection. 
-# Author: Swachchhanda Shrawan Poudel
-RuleId = be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
-RuleName = Suspicious Process Masquerading As SvcHost.EXE
+# Detects PowerShell scripts to set the ACL to a file in the Windows folder
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 0944e002-e3f6-4eb5-bf69-3a3067b53d73
+RuleName = PowerShell Set-Acl On Windows Folder
 EventType = Process.Start
-Tag = proc-start-suspicious-process-masquerading-as-svchost.exe
+Tag = proc-start-powershell-set-acl-on-windows-folder
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1036.005"], "author": "Swachchhanda Shrawan Poudel"}
-Query = Process.Path like r"%\\svchost.exe" and not (Process.Path in ["C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe"] or Process.Name == "svchost.exe")
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Name in ["PowerShell.EXE", "pwsh.dll"] or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Set-Acl %" and Process.CommandLine like r"%-AclObject %" and (Process.CommandLine like r"%-Path \"C:\\Windows%" or Process.CommandLine like r"%-Path 'C:\\Windows%" or Process.CommandLine like r"%-Path \%windir\%%" or Process.CommandLine like r"%-Path $env:windir%") and (Process.CommandLine like r"%FullControl%" or Process.CommandLine like r"%Allow%")
 [ThreatDetectionRule platform=Windows]
-# Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity. 
-# Author: The DFIR Report
-RuleId = b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
-RuleName = Suspicious Binaries and Scripts in Public Folder
+# Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
+# Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
+RuleId = 07a99744-56ac-40d2-97b7-2095967b0e03
+RuleName = Potential Privilege Escalation Attempt Via .Exe.Local Technique
 EventType = File.Create
-Tag = suspicious-binaries-and-scripts-in-public-folder
+Tag = potential-privilege-escalation-attempt-via-.exe.local-technique
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1204"], "author": "The DFIR Report"}
-Query = File.Path like r"%:\\Users\\Public\\%" and (File.Path like r"%.bat" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.hta" or File.Path like r"%.js" or File.Path like r"%.ps1" or File.Path like r"%.vbe" or File.Path like r"%.vbs")
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)"}
+Query = (File.Path like r"C:\\Windows\\System32\\logonUI.exe.local%" or File.Path like r"C:\\Windows\\System32\\werFault.exe.local%" or File.Path like r"C:\\Windows\\System32\\consent.exe.local%" or File.Path like r"C:\\Windows\\System32\\narrator.exe.local%" or File.Path like r"C:\\Windows\\System32\\wermgr.exe.local%") and File.Path like r"%\\comctl32.dll"
 GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
-# Author: iwillkeepwatch
-RuleId = eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
-RuleName = Security Support Provider (SSP) Added to LSA Configuration
-EventType = Reg.Any
-Tag = security-support-provider-(ssp)-added-to-lsa-configuration
+# Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location. 
+# Author: Florian Roth (Nextron Systems)
+RuleId = 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
+RuleName = Suspicious Execution Location Of Wermgr.EXE
+EventType = Process.Start
+Tag = proc-start-suspicious-execution-location-of-wermgr.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1547.005"], "author": "iwillkeepwatch"}
-Query = (Reg.TargetObject like r"%\\Control\\Lsa\\Security Packages" or Reg.TargetObject like r"%\\Control\\Lsa\\OSConfig\\Security Packages") and not (Process.Path in ["C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\syswow64\\MsiExec.exe"])
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
+Annotation = {"author": "Florian Roth (Nextron Systems)"}
+Query = Process.Path like r"%\\wermgr.exe" and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%")
 [ThreatDetectionRule platform=Windows]
-# Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = d87bd452-6da1-456e-8155-7dc988157b7d
-RuleName = Suspicious Usage Of ShellExec_RunDLL
-EventType = Process.Start
-Tag = proc-start-suspicious-usage-of-shellexec_rundll
+# Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel). 
+# Author: NVISO
+RuleId = 8e1cb247-6cf6-42fa-b440-3f27d57e9936
+RuleName = Potential Persistence Via Microsoft Office Add-In
+EventType = File.Create
+Tag = potential-persistence-via-microsoft-office-add-in
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.CommandLine like r"%ShellExec\_RunDLL%" and (Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Temp\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%comspec%" or Process.CommandLine like r"%iex%" or Process.CommandLine like r"%Invoke-%" or Process.CommandLine like r"%msiexec%" or Process.CommandLine like r"%odbcconf%" or Process.CommandLine like r"%regsvr32%")
+Annotation = {"mitre_attack": ["T1137.006"], "author": "NVISO"}
+Query = File.Path like r"%\\Microsoft\\Word\\Startup\\%" and File.Path like r"%.wll" or File.Path like r"%\\Microsoft\\Excel\\Startup\\%" and File.Path like r"%.xll" or File.Path like r"%Microsoft\\Excel\\XLSTART\\%" and File.Path like r"%.xlam" or File.Path like r"%\\Microsoft\\Addins\\%" and (File.Path like r"%.xlam" or File.Path like r"%.xla" or File.Path like r"%.ppam")
+GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
-# Author: E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
-RuleId = d797268e-28a9-49a7-b9a8-2f5039011c5c
-RuleName = Bypass UAC via WSReset.exe
+# Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
+# Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+RuleId = c73124a7-3e89-44a3-bdc1-25fe4df754b1
+RuleName = Copy From VolumeShadowCopy Via Cmd.EXE
 EventType = Process.Start
-Tag = proc-start-bypass-uac-via-wsreset.exe
+Tag = proc-start-copy-from-volumeshadowcopy-via-cmd.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1548.002"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth"}
-Query = Parent.Path like r"%\\wsreset.exe" and not (Process.Path like r"%\\conhost.exe" or Process.Name == "CONHOST.EXE")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1490"], "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)"}
+Query = Process.CommandLine like r"%copy %" and Process.CommandLine like r"%\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy%"
 [ThreatDetectionRule platform=Windows]
-# Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
-# Author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)
-RuleId = 555155a2-03bf-4fe7-af74-d176b3fdbe16
-RuleName = Driver Added To Disallowed Images In HVCI - Registry
-EventType = Reg.Any
-Tag = driver-added-to-disallowed-images-in-hvci-registry
+# Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. 
+# Author: @Kostastsale, @TheDFIRReport
+RuleId = f9578658-9e71-4711-b634-3f9b50cd3c06
+RuleName = Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
+EventType = Process.Start
+Tag = proc-start-potential-defense-evasion-activity-via-emoji-usage-in-commandline-3
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)"}
-Query = Reg.TargetObject like r"%\\Control\\CI\\%" and Reg.TargetObject like r"%\\HVCIDisallowedImages%"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
+Annotation = {"author": "@Kostastsale, @TheDFIRReport"}
+Query = Process.CommandLine like r"%🦆%" or Process.CommandLine like r"%🦅%" or Process.CommandLine like r"%🦉%" or Process.CommandLine like r"%🦇%" or Process.CommandLine like r"%🐺%" or Process.CommandLine like r"%🐗%" or Process.CommandLine like r"%🐴%" or Process.CommandLine like r"%🦄%" or Process.CommandLine like r"%🐝%" or Process.CommandLine like r"%🪱%" or Process.CommandLine like r"%🐛%" or Process.CommandLine like r"%🦋%" or Process.CommandLine like r"%🐌%" or Process.CommandLine like r"%🐞%" or Process.CommandLine like r"%🐜%" or Process.CommandLine like r"%🪰%" or Process.CommandLine like r"%🪲%" or Process.CommandLine like r"%🪳%" or Process.CommandLine like r"%🦟%" or Process.CommandLine like r"%🦗%" or Process.CommandLine like r"%🕷%" or Process.CommandLine like r"%🕸%" or Process.CommandLine like r"%🦂%" or Process.CommandLine like r"%🐢%" or Process.CommandLine like r"%🐍%" or Process.CommandLine like r"%🦎%" or Process.CommandLine like r"%🦖%" or Process.CommandLine like r"%🦕%" or Process.CommandLine like r"%🐙%" or Process.CommandLine like r"%🦑%" or Process.CommandLine like r"%🦐%" or Process.CommandLine like r"%🦞%" or Process.CommandLine like r"%🦀%" or Process.CommandLine like r"%🪸%" or Process.CommandLine like r"%🐡%" or Process.CommandLine like r"%🐠%" or Process.CommandLine like r"%🐟%" or Process.CommandLine like r"%🐬%" or Process.CommandLine like r"%🐳%" or 
Process.CommandLine like r"%🐋%" or Process.CommandLine like r"%🦈%" or Process.CommandLine like r"%🐊%" or Process.CommandLine like r"%🐅%" or Process.CommandLine like r"%🐆%" or Process.CommandLine like r"%🦓%" or Process.CommandLine like r"%🦍%" or Process.CommandLine like r"%🦧%" or Process.CommandLine like r"%🦣%" or Process.CommandLine like r"%🐘%" or Process.CommandLine like r"%🦛%" or Process.CommandLine like r"%🦏%" or Process.CommandLine like r"%🐪%" or Process.CommandLine like r"%🐫%" or Process.CommandLine like r"%🦒%" or Process.CommandLine like r"%🦘%" or Process.CommandLine like r"%🦬%" or Process.CommandLine like r"%🐃%" or Process.CommandLine like r"%🐂%" or Process.CommandLine like r"%🐄%" or Process.CommandLine like r"%🐎%" or Process.CommandLine like r"%🐖%" or Process.CommandLine like r"%🐏%" or Process.CommandLine like r"%🐑%" or Process.CommandLine like r"%🦙%" or Process.CommandLine like r"%🐐%" or Process.CommandLine like r"%🦌%" or Process.CommandLine like r"%🐕%" or Process.CommandLine like r"%🐩%" or Process.CommandLine like r"%🦮%" or Process.CommandLine like r"%🐕‍🦺%" or Process.CommandLine like r"%🐈%" or Process.CommandLine like r"%🐈‍⬛%" or Process.CommandLine like r"%🪶%" or Process.CommandLine like r"%🐓%" or Process.CommandLine like r"%🦃%" or Process.CommandLine like r"%🦤%" or Process.CommandLine like r"%🦚%" or Process.CommandLine like r"%🦜%" or Process.CommandLine like r"%🦢%" or Process.CommandLine like r"%🦩%" or Process.CommandLine like r"%🕊%" or Process.CommandLine like r"%🐇%" or Process.CommandLine like r"%🦝%" or Process.CommandLine like r"%🦨%" or Process.CommandLine like r"%🦡%" or Process.CommandLine like r"%🦫%" or Process.CommandLine like r"%🦦%" or Process.CommandLine like r"%🦥%" or Process.CommandLine like r"%🐁%" or Process.CommandLine like r"%🐀%" or Process.CommandLine like r"%🐿%" or Process.CommandLine like r"%🦔%" or Process.CommandLine like r"%🐾%" or Process.CommandLine like r"%🐉%" or Process.CommandLine like r"%🐲%" or Process.CommandLine like r"%🌵%" or 
Process.CommandLine like r"%🎄%" or Process.CommandLine like r"%🌲%" or Process.CommandLine like r"%🌳%" or Process.CommandLine like r"%🌴%" or Process.CommandLine like r"%🪹%" or Process.CommandLine like r"%🪺%" or Process.CommandLine like r"%🪵%" or Process.CommandLine like r"%🌱%" or Process.CommandLine like r"%🌿%" or Process.CommandLine like r"%☘️%" or Process.CommandLine like r"%🍀%" or Process.CommandLine like r"%🎍%" or Process.CommandLine like r"%🪴%" or Process.CommandLine like r"%🎋%" or Process.CommandLine like r"%🍃%" or Process.CommandLine like r"%🍂%" or Process.CommandLine like r"%🍁%" or Process.CommandLine like r"%🍄%" or Process.CommandLine like r"%🐚%" or Process.CommandLine like r"%🪨%" or Process.CommandLine like r"%🌾%" or Process.CommandLine like r"%💐%" or Process.CommandLine like r"%🌷%" or Process.CommandLine like r"%🪷%" or Process.CommandLine like r"%🌹%" or Process.CommandLine like r"%🥀%" or Process.CommandLine like r"%🌺%" or Process.CommandLine like r"%🌸%" or Process.CommandLine like r"%🌼%" or Process.CommandLine like r"%🌻%" or Process.CommandLine like r"%🌞%" or Process.CommandLine like r"%🌝%" or Process.CommandLine like r"%🌛%" or Process.CommandLine like r"%🌜%" or Process.CommandLine like r"%🌚%" or Process.CommandLine like r"%🌕%" or Process.CommandLine like r"%🌖%" or Process.CommandLine like r"%🌗%" or Process.CommandLine like r"%🌘%" or Process.CommandLine like r"%🌑%" or Process.CommandLine like r"%🌒%" or Process.CommandLine like r"%🌓%" or Process.CommandLine like r"%🌔%" or Process.CommandLine like r"%🌙%" or Process.CommandLine like r"%🌎%" or Process.CommandLine like r"%🌍%" or Process.CommandLine like r"%🌏%" or Process.CommandLine like r"%🪐%" or Process.CommandLine like r"%💫%" or Process.CommandLine like r"%⭐️%" or Process.CommandLine like r"%🌟%" or Process.CommandLine like r"%✨%" or Process.CommandLine like r"%⚡️%" or Process.CommandLine like r"%☄️%" or Process.CommandLine like r"%💥%" or Process.CommandLine like r"%🔥%" or Process.CommandLine like r"%🌪%" or 
Process.CommandLine like r"%🌈%" or Process.CommandLine like r"%☀️%" or Process.CommandLine like r"%🌤%" or Process.CommandLine like r"%⛅️%" or Process.CommandLine like r"%🌥%" or Process.CommandLine like r"%☁️%" or Process.CommandLine like r"%🌦%" or Process.CommandLine like r"%🌧%" or Process.CommandLine like r"%⛈%" or Process.CommandLine like r"%🌩%" or Process.CommandLine like r"%🌨%" or Process.CommandLine like r"%❄️%" or Process.CommandLine like r"%☃️%" or Process.CommandLine like r"%⛄️%" or Process.CommandLine like r"%🌬%" or Process.CommandLine like r"%💨%" or Process.CommandLine like r"%💧%" or Process.CommandLine like r"%💦%" or Process.CommandLine like r"%🫧%" or Process.CommandLine like r"%☔️%" or Process.CommandLine like r"%☂️%" or Process.CommandLine like r"%🌊%" or Process.CommandLine like r"%🌫🍏%" or Process.CommandLine like r"%🍎%" or Process.CommandLine like r"%🍐%" or Process.CommandLine like r"%🍊%" or Process.CommandLine like r"%🍋%" or Process.CommandLine like r"%🍌%" or Process.CommandLine like r"%🍉%" or Process.CommandLine like r"%🍇%" or Process.CommandLine like r"%🍓%" or Process.CommandLine like r"%🫐%" or Process.CommandLine like r"%🍈%" or Process.CommandLine like r"%🍒%" or Process.CommandLine like r"%🍑%" or Process.CommandLine like r"%🥭%" or Process.CommandLine like r"%🍍%" or Process.CommandLine like r"%🥥%" or Process.CommandLine like r"%🥝%" or Process.CommandLine like r"%🍅%" or Process.CommandLine like r"%🍆%" or Process.CommandLine like r"%🥑%" or Process.CommandLine like r"%🥦%" or Process.CommandLine like r"%🥬%" or Process.CommandLine like r"%🥒%" or Process.CommandLine like r"%🌶%" or Process.CommandLine like r"%🫑%" or Process.CommandLine like r"%🌽%" or Process.CommandLine like r"%🥕%" or Process.CommandLine like r"%🫒%" or Process.CommandLine like r"%🧄%" or Process.CommandLine like r"%🧅%" or Process.CommandLine like r"%🥔%" or Process.CommandLine like r"%🍠%" or Process.CommandLine like r"%🫘%" or Process.CommandLine like r"%🥐%" or Process.CommandLine like 
r"%🥯%" or Process.CommandLine like r"%🍞%" or Process.CommandLine like r"%🥖%" or Process.CommandLine like r"%🥨%" or Process.CommandLine like r"%🧀%" or Process.CommandLine like r"%🥚%" or Process.CommandLine like r"%🍳%" or Process.CommandLine like r"%🧈%" or Process.CommandLine like r"%🥞%" or Process.CommandLine like r"%🧇%" or Process.CommandLine like r"%🥓%" or Process.CommandLine like r"%🥩%" or Process.CommandLine like r"%🍗%" or Process.CommandLine like r"%🍖%" or Process.CommandLine like r"%🦴%" or Process.CommandLine like r"%🌭%" or Process.CommandLine like r"%🍔%" or Process.CommandLine like r"%🍟%" or Process.CommandLine like r"%🍕%" or Process.CommandLine like r"%🫓%" or Process.CommandLine like r"%🥪%" or Process.CommandLine like r"%🥙%" or Process.CommandLine like r"%🧆%" or Process.CommandLine like r"%🌮%" or Process.CommandLine like r"%🌯%" or Process.CommandLine like r"%🫔%" or Process.CommandLine like r"%🥗%" or Process.CommandLine like r"%🥘%" or Process.CommandLine like r"%🫕%" or Process.CommandLine like r"%🥫%" or Process.CommandLine like r"%🍝%" or Process.CommandLine like r"%🍜%" or Process.CommandLine like r"%🍲%" or Process.CommandLine like r"%🍛%" or Process.CommandLine like r"%🍣%" or Process.CommandLine like r"%🍱%" or Process.CommandLine like r"%🥟%" or Process.CommandLine like r"%🦪%" or Process.CommandLine like r"%🍤%" or Process.CommandLine like r"%🍙%" or Process.CommandLine like r"%🍚%" or Process.CommandLine like r"%🍘%" or Process.CommandLine like r"%🍥%" or Process.CommandLine like r"%🥠%" or Process.CommandLine like r"%🥮%" or Process.CommandLine like r"%🍢%" or Process.CommandLine like r"%🍡%" or Process.CommandLine like r"%🍧%" or Process.CommandLine like r"%🍨%" or Process.CommandLine like r"%🍦%" or Process.CommandLine like r"%🥧%" or Process.CommandLine like r"%🧁%" or Process.CommandLine like r"%🍰%" or Process.CommandLine like r"%🎂%" or Process.CommandLine like r"%🍮%" or Process.CommandLine like r"%🍭%" or Process.CommandLine like r"%🍬%" or Process.CommandLine like 
r"%🍫%" or Process.CommandLine like r"%🍿%" or Process.CommandLine like r"%🍩%" or Process.CommandLine like r"%🍪%" or Process.CommandLine like r"%🌰%" or Process.CommandLine like r"%🥜%" or Process.CommandLine like r"%🍯%" or Process.CommandLine like r"%🥛%" or Process.CommandLine like r"%🍼%" or Process.CommandLine like r"%🫖%" or Process.CommandLine like r"%☕️%" or Process.CommandLine like r"%🍵%" or Process.CommandLine like r"%🧃%" or Process.CommandLine like r"%🥤%" or Process.CommandLine like r"%🧋%" or Process.CommandLine like r"%🫙%" or Process.CommandLine like r"%🍶%" or Process.CommandLine like r"%🍺%" or Process.CommandLine like r"%🍻%" or Process.CommandLine like r"%🥂%" or Process.CommandLine like r"%🍷%" or Process.CommandLine like r"%🫗%" or Process.CommandLine like r"%🥃%" or Process.CommandLine like r"%🍸%" or Process.CommandLine like r"%🍹%" or Process.CommandLine like r"%🧉%" or Process.CommandLine like r"%🍾%" or Process.CommandLine like r"%🧊%" or Process.CommandLine like r"%🥄%" or Process.CommandLine like r"%🍴%" or Process.CommandLine like r"%🍽%" or Process.CommandLine like r"%🥣%" or Process.CommandLine like r"%🥡%" or Process.CommandLine like r"%🥢%" or Process.CommandLine like r"%🧂%" or Process.CommandLine like r"%⚽️%" or Process.CommandLine like r"%🏀%" or Process.CommandLine like r"%🏈%" or Process.CommandLine like r"%⚾️%" or Process.CommandLine like r"%🥎%" or Process.CommandLine like r"%🎾%" or Process.CommandLine like r"%🏐%" or Process.CommandLine like r"%🏉%" or Process.CommandLine like r"%🥏%" or Process.CommandLine like r"%🎱%" or Process.CommandLine like r"%🪀%" or Process.CommandLine like r"%🏓%" or Process.CommandLine like r"%🏸%" or Process.CommandLine like r"%🏒%" or Process.CommandLine like r"%🏑%" or Process.CommandLine like r"%🥍%" or Process.CommandLine like r"%🏏%" or Process.CommandLine like r"%🪃%" or Process.CommandLine like r"%🥅%" or Process.CommandLine like r"%⛳️%" or Process.CommandLine like r"%🪁%" or Process.CommandLine like r"%🏹%" or Process.CommandLine like 
r"%🎣%" or Process.CommandLine like r"%🤿%" or Process.CommandLine like r"%🥊%" or Process.CommandLine like r"%🥋%" or Process.CommandLine like r"%🎽%" or Process.CommandLine like r"%🛹%" or Process.CommandLine like r"%🛼%" or Process.CommandLine like r"%🛷%" or Process.CommandLine like r"%⛸%" or Process.CommandLine like r"%🥌%" or Process.CommandLine like r"%🎿%" or Process.CommandLine like r"%⛷%" or Process.CommandLine like r"%🏂%" or Process.CommandLine like r"%🪂%" or Process.CommandLine like r"%🏋️‍♀️%" or Process.CommandLine like r"%🏋️%" or Process.CommandLine like r"%🏋️‍♂️%" or Process.CommandLine like r"%🤼‍♀️%" or Process.CommandLine like r"%🤼%" or Process.CommandLine like r"%🤼‍♂️%" or Process.CommandLine like r"%🤸‍♀️%" or Process.CommandLine like r"%🤸%" or Process.CommandLine like r"%🤸‍♂️%" or Process.CommandLine like r"%⛹️‍♀️%" or Process.CommandLine like r"%⛹️%" or Process.CommandLine like r"%⛹️‍♂️%" or Process.CommandLine like r"%🤺%" or Process.CommandLine like r"%🤾‍♀️%" or Process.CommandLine like r"%🤾%" or Process.CommandLine like r"%🤾‍♂️%" or Process.CommandLine like r"%🏌️‍♀️%" or Process.CommandLine like r"%🏌️%" or Process.CommandLine like r"%🏌️‍♂️%" or Process.CommandLine like r"%🏇%" or Process.CommandLine like r"%🧘‍♀️%" or Process.CommandLine like r"%🧘%" or Process.CommandLine like r"%🧘‍♂️%" or Process.CommandLine like r"%🏄‍♀️%" or Process.CommandLine like r"%🏄%" or Process.CommandLine like r"%🏄‍♂️%" or Process.CommandLine like r"%🏊‍♀️%" or Process.CommandLine like r"%🏊%" or Process.CommandLine like r"%🏊‍♂️%" or Process.CommandLine like r"%🤽‍♀️%" or Process.CommandLine like r"%🤽%" or Process.CommandLine like r"%🤽‍♂️%" or Process.CommandLine like r"%🚣‍♀️%" or Process.CommandLine like r"%🚣%" or Process.CommandLine like r"%🚣‍♂️%" or Process.CommandLine like r"%🧗‍♀️%" or Process.CommandLine like r"%🧗%" or Process.CommandLine like r"%🧗‍♂️%" or Process.CommandLine like r"%🚵‍♀️%" or Process.CommandLine like r"%🚵%" or Process.CommandLine like r"%🚵‍♂️%" or 
Process.CommandLine like r"%🚴‍♀️%" or Process.CommandLine like r"%🚴%" or Process.CommandLine like r"%🚴‍♂️%" or Process.CommandLine like r"%🏆%" or Process.CommandLine like r"%🥇%" or Process.CommandLine like r"%🥈%" or Process.CommandLine like r"%🥉%" or Process.CommandLine like r"%🏅%" or Process.CommandLine like r"%🎖%" or Process.CommandLine like r"%🏵%" or Process.CommandLine like r"%🎗%" or Process.CommandLine like r"%🎫%" or Process.CommandLine like r"%🎟%" or Process.CommandLine like r"%🎪%" or Process.CommandLine like r"%🤹%" or Process.CommandLine like r"%🤹‍♂️%" or Process.CommandLine like r"%🤹‍♀️%" or Process.CommandLine like r"%🎭%" or Process.CommandLine like r"%🩰%" or Process.CommandLine like r"%🎨%" or Process.CommandLine like r"%🎬%" or Process.CommandLine like r"%🎤%" or Process.CommandLine like r"%🎧%" or Process.CommandLine like r"%🎼%" or Process.CommandLine like r"%🎹%" or Process.CommandLine like r"%🥁%" or Process.CommandLine like r"%🪘%" or Process.CommandLine like r"%🎷%" or Process.CommandLine like r"%🎺%" or Process.CommandLine like r"%🪗%" or Process.CommandLine like r"%🎸%" or Process.CommandLine like r"%🪕%" or Process.CommandLine like r"%🎻%" or Process.CommandLine like r"%🎲%" or Process.CommandLine like r"%♟%" or Process.CommandLine like r"%🎯%" or Process.CommandLine like r"%🎳%" or Process.CommandLine like r"%🎮%" or Process.CommandLine like r"%🎰%" or Process.CommandLine like r"%🧩%" or Process.CommandLine like r"%🚗%" or Process.CommandLine like r"%🚕%" or Process.CommandLine like r"%🚙%" or Process.CommandLine like r"%🚌%" or Process.CommandLine like r"%🚎%" or Process.CommandLine like r"%🏎%" or Process.CommandLine like r"%🚓%" or Process.CommandLine like r"%🚑%" or Process.CommandLine like r"%🚒%" or Process.CommandLine like r"%🚐%" or Process.CommandLine like r"%🛻%" or Process.CommandLine like r"%🚚%" or Process.CommandLine like r"%🚛%" or Process.CommandLine like r"%🚜%" or Process.CommandLine like r"%🦯%" or Process.CommandLine like r"%🦽%" or Process.CommandLine like 
r"%🦼%" or Process.CommandLine like r"%🛴%" or Process.CommandLine like r"%🚲%" or Process.CommandLine like r"%🛵%" or Process.CommandLine like r"%🏍%" or Process.CommandLine like r"%🛺%" or Process.CommandLine like r"%🚨%" or Process.CommandLine like r"%🚔%" or Process.CommandLine like r"%🚍%" or Process.CommandLine like r"%🚘%" or Process.CommandLine like r"%🚖%" or Process.CommandLine like r"%🛞%" or Process.CommandLine like r"%🚡%" or Process.CommandLine like r"%🚠%" or Process.CommandLine like r"%🚟%" or Process.CommandLine like r"%🚃%" or Process.CommandLine like r"%🚋%" or Process.CommandLine like r"%🚞%" or Process.CommandLine like r"%🚝%" or Process.CommandLine like r"%🚄%" or Process.CommandLine like r"%🚅%" or Process.CommandLine like r"%🚈%" or Process.CommandLine like r"%🚂%" or Process.CommandLine like r"%🚆%" or Process.CommandLine like r"%🚇%" or Process.CommandLine like r"%🚊%" or Process.CommandLine like r"%🚉%" or Process.CommandLine like r"%✈️%" or Process.CommandLine like r"%🛫%" or Process.CommandLine like r"%🛬%" or Process.CommandLine like r"%🛩%" or Process.CommandLine like r"%💺%" or Process.CommandLine like r"%🛰%" or Process.CommandLine like r"%🚀%" or Process.CommandLine like r"%🛸%" or Process.CommandLine like r"%🚁%" or Process.CommandLine like r"%🛶%" or Process.CommandLine like r"%⛵️%" or Process.CommandLine like r"%🚤%" or Process.CommandLine like r"%🛥%" or Process.CommandLine like r"%🛳%" or Process.CommandLine like r"%⛴%" or Process.CommandLine like r"%🚢%" or Process.CommandLine like r"%⚓️%" or Process.CommandLine like r"%🛟%" or Process.CommandLine like r"%🪝%" or Process.CommandLine like r"%⛽️%" or Process.CommandLine like r"%🚧%" or Process.CommandLine like r"%🚦%" or Process.CommandLine like r"%🚥%" or Process.CommandLine like r"%🚏%" or Process.CommandLine like r"%🗺%" or Process.CommandLine like r"%🗿%" or Process.CommandLine like r"%🗽%" or Process.CommandLine like r"%🗼%" or Process.CommandLine like r"%🏰%" or Process.CommandLine like r"%🏯%" or Process.CommandLine like 
r"%🏟%" or Process.CommandLine like r"%🎡%" or Process.CommandLine like r"%🎢%" or Process.CommandLine like r"%🛝%" or Process.CommandLine like r"%🎠%" or Process.CommandLine like r"%⛲️%" or Process.CommandLine like r"%⛱%" or Process.CommandLine like r"%🏖%" or Process.CommandLine like r"%🏝%" or Process.CommandLine like r"%🏜%" or Process.CommandLine like r"%🌋%" or Process.CommandLine like r"%⛰%" or Process.CommandLine like r"%🏔%" or Process.CommandLine like r"%🗻%" or Process.CommandLine like r"%🏕%" or Process.CommandLine like r"%⛺️%" or Process.CommandLine like r"%🛖%" or Process.CommandLine like r"%🏠%" or Process.CommandLine like r"%🏡%" or Process.CommandLine like r"%🏘%" or Process.CommandLine like r"%🏚%" or Process.CommandLine like r"%🏗%" or Process.CommandLine like r"%🏭%" or Process.CommandLine like r"%🏢%" or Process.CommandLine like r"%🏬%" or Process.CommandLine like r"%🏣%" or Process.CommandLine like r"%🏤%" or Process.CommandLine like r"%🏥%" or Process.CommandLine like r"%🏦%" or Process.CommandLine like r"%🏨%" or Process.CommandLine like r"%🏪%" or Process.CommandLine like r"%🏫%" or Process.CommandLine like r"%🏩%" or Process.CommandLine like r"%💒%" or Process.CommandLine like r"%🏛%" or Process.CommandLine like r"%⛪️%" or Process.CommandLine like r"%🕌%" or Process.CommandLine like r"%🕍%" or Process.CommandLine like r"%🛕%" or Process.CommandLine like r"%🕋%" or Process.CommandLine like r"%⛩%" or Process.CommandLine like r"%🛤%" or Process.CommandLine like r"%🛣%" or Process.CommandLine like r"%🗾%" or Process.CommandLine like r"%🎑%" or Process.CommandLine like r"%🏞%" or Process.CommandLine like r"%🌅%" or Process.CommandLine like r"%🌄%" or Process.CommandLine like r"%🌠%" or Process.CommandLine like r"%🎇%" or Process.CommandLine like r"%🎆%" or Process.CommandLine like r"%🌇%" or Process.CommandLine like r"%🌆%" or Process.CommandLine like r"%🏙%" or Process.CommandLine like r"%🌃%" or Process.CommandLine like r"%🌌%" or Process.CommandLine like r"%🌉%" or Process.CommandLine like 
r"%🌁%" or Process.CommandLine like r"%⌚️%" or Process.CommandLine like r"%📱%" or Process.CommandLine like r"%📲%" or Process.CommandLine like r"%💻%" or Process.CommandLine like r"%⌨️%" or Process.CommandLine like r"%🖥%" or Process.CommandLine like r"%🖨%" or Process.CommandLine like r"%🖱%" or Process.CommandLine like r"%🖲%" or Process.CommandLine like r"%🕹%" or Process.CommandLine like r"%🗜%" or Process.CommandLine like r"%💽%" or Process.CommandLine like r"%💾%" or Process.CommandLine like r"%💿%" or Process.CommandLine like r"%📀%" or Process.CommandLine like r"%📼%" or Process.CommandLine like r"%📷%" or Process.CommandLine like r"%📸%" or Process.CommandLine like r"%📹%" or Process.CommandLine like r"%🎥%" or Process.CommandLine like r"%📽%" or Process.CommandLine like r"%🎞%" or Process.CommandLine like r"%📞%" or Process.CommandLine like r"%☎️%" or Process.CommandLine like r"%📟%" or Process.CommandLine like r"%📠%" or Process.CommandLine like r"%📺%" or Process.CommandLine like r"%📻%" or Process.CommandLine like r"%🎙%" or Process.CommandLine like r"%🎚%" or Process.CommandLine like r"%🎛%" or Process.CommandLine like r"%🧭%" or Process.CommandLine like r"%⏱%" or Process.CommandLine like r"%⏲%" or Process.CommandLine like r"%⏰%" or Process.CommandLine like r"%🕰%" or Process.CommandLine like r"%⌛️%" or Process.CommandLine like r"%⏳%" or Process.CommandLine like r"%📡%" or Process.CommandLine like r"%🔋%" or Process.CommandLine like r"%🪫%" or Process.CommandLine like r"%🔌%" or Process.CommandLine like r"%💡%" or Process.CommandLine like r"%🔦%" or Process.CommandLine like r"%🕯%" or Process.CommandLine like r"%🪔%" or Process.CommandLine like r"%🧯%" or Process.CommandLine like r"%🛢%" or Process.CommandLine like r"%💸%" or Process.CommandLine like r"%💵%" or Process.CommandLine like r"%💴%" or Process.CommandLine like r"%💶%" or Process.CommandLine like r"%💷%" or Process.CommandLine like r"%🪙%" or Process.CommandLine like r"%💰%" or Process.CommandLine like r"%💳%" or Process.CommandLine like 
r"%💎%" or Process.CommandLine like r"%⚖️%" or Process.CommandLine like r"%🪜%" or Process.CommandLine like r"%🧰%" or Process.CommandLine like r"%🪛%" or Process.CommandLine like r"%🔧%" or Process.CommandLine like r"%🔨%" or Process.CommandLine like r"%⚒%" or Process.CommandLine like r"%🛠%" or Process.CommandLine like r"%⛏%" or Process.CommandLine like r"%🪚%" or Process.CommandLine like r"%🔩%" or Process.CommandLine like r"%⚙️%" or Process.CommandLine like r"%🪤%" or Process.CommandLine like r"%🧱%" or Process.CommandLine like r"%⛓%" or Process.CommandLine like r"%🧲%" or Process.CommandLine like r"%🔫%" or Process.CommandLine like r"%💣%" or Process.CommandLine like r"%🧨%" or Process.CommandLine like r"%🪓%" or Process.CommandLine like r"%🔪%" or Process.CommandLine like r"%🗡%" or Process.CommandLine like r"%⚔️%" or Process.CommandLine like r"%🛡%" or Process.CommandLine like r"%🚬%" or Process.CommandLine like r"%⚰️%" or Process.CommandLine like r"%🪦%" or Process.CommandLine like r"%⚱️%" or Process.CommandLine like r"%🏺%" or Process.CommandLine like r"%🔮%" or Process.CommandLine like r"%📿%" or Process.CommandLine like r"%🧿%" or Process.CommandLine like r"%🪬%" or Process.CommandLine like r"%💈%" or Process.CommandLine like r"%⚗️%" or Process.CommandLine like r"%🔭%" or Process.CommandLine like r"%🔬%" or Process.CommandLine like r"%🕳%" or Process.CommandLine like r"%🩹%" or Process.CommandLine like r"%🩺%" or Process.CommandLine like r"%🩻%" or Process.CommandLine like r"%🩼%" or Process.CommandLine like r"%💊%" or Process.CommandLine like r"%💉%" or Process.CommandLine like r"%🩸%" or Process.CommandLine like r"%🧬%" or Process.CommandLine like r"%🦠%" or Process.CommandLine like r"%🧫%" or Process.CommandLine like r"%🧪%" or Process.CommandLine like r"%🌡%" or Process.CommandLine like r"%🧹%" or Process.CommandLine like r"%🪠%" or Process.CommandLine like r"%🧺%" or Process.CommandLine like r"%🧻%" or Process.CommandLine like r"%🚽%" or Process.CommandLine like r"%🚰%" or Process.CommandLine 
like r"%🚿%" or Process.CommandLine like r"%🛁%" or Process.CommandLine like r"%🛀%" or Process.CommandLine like r"%🧼%" or Process.CommandLine like r"%🪥%" or Process.CommandLine like r"%🪒%" or Process.CommandLine like r"%🧽%" or Process.CommandLine like r"%🪣%" or Process.CommandLine like r"%🧴%" or Process.CommandLine like r"%🛎%" or Process.CommandLine like r"%🔑%" or Process.CommandLine like r"%🗝%" or Process.CommandLine like r"%🚪%" or Process.CommandLine like r"%🪑%" or Process.CommandLine like r"%🛋%" or Process.CommandLine like r"%🛏%" or Process.CommandLine like r"%🛌%" or Process.CommandLine like r"%🧸%" or Process.CommandLine like r"%🪆%" or Process.CommandLine like r"%🖼%" or Process.CommandLine like r"%🪞%" or Process.CommandLine like r"%🪟%" or Process.CommandLine like r"%🛍%" or Process.CommandLine like r"%🛒%" or Process.CommandLine like r"%🎁%" or Process.CommandLine like r"%🎈%" or Process.CommandLine like r"%🎏%" or Process.CommandLine like r"%🎀%" or Process.CommandLine like r"%🪄%" or Process.CommandLine like r"%🪅%" or Process.CommandLine like r"%🎊%" or Process.CommandLine like r"%🎉%" or Process.CommandLine like r"%🪩%" or Process.CommandLine like r"%🎎%" or Process.CommandLine like r"%🏮%" or Process.CommandLine like r"%🎐%" or Process.CommandLine like r"%🧧%" or Process.CommandLine like r"%✉️%" or Process.CommandLine like r"%📩%" or Process.CommandLine like r"%📨%" or Process.CommandLine like r"%📧%" or Process.CommandLine like r"%💌%" or Process.CommandLine like r"%📥%" or Process.CommandLine like r"%📤%" or Process.CommandLine like r"%📦%" or Process.CommandLine like r"%🏷%" or Process.CommandLine like r"%🪧%" or Process.CommandLine like r"%📪%" or Process.CommandLine like r"%📫%" or Process.CommandLine like r"%📬%" or Process.CommandLine like r"%📭%" or Process.CommandLine like r"%📮%" or Process.CommandLine like r"%📯%" or Process.CommandLine like r"%📜%" or Process.CommandLine like r"%📃%" or Process.CommandLine like r"%📄%" or Process.CommandLine like r"%📑%" or Process.CommandLine 
like r"%🧾%" or Process.CommandLine like r"%📊%" or Process.CommandLine like r"%📈%" or Process.CommandLine like r"%📉%" or Process.CommandLine like r"%🗒%" or Process.CommandLine like r"%🗓%" or Process.CommandLine like r"%📆%" or Process.CommandLine like r"%📅%" or Process.CommandLine like r"%🗑%" or Process.CommandLine like r"%🪪%" or Process.CommandLine like r"%📇%" or Process.CommandLine like r"%🗃%" or Process.CommandLine like r"%🗳%" or Process.CommandLine like r"%🗄%" or Process.CommandLine like r"%📋%" or Process.CommandLine like r"%📁%" or Process.CommandLine like r"%📂%" or Process.CommandLine like r"%🗂%" or Process.CommandLine like r"%🗞%" or Process.CommandLine like r"%📰%" or Process.CommandLine like r"%📓%" or Process.CommandLine like r"%📔%" or Process.CommandLine like r"%📒%" or Process.CommandLine like r"%📕%" or Process.CommandLine like r"%📗%" or Process.CommandLine like r"%📘%" or Process.CommandLine like r"%📙%" or Process.CommandLine like r"%📚%" or Process.CommandLine like r"%📖%" or Process.CommandLine like r"%🔖%" or Process.CommandLine like r"%🧷%" or Process.CommandLine like r"%🔗%" or Process.CommandLine like r"%📎%" or Process.CommandLine like r"%🖇%" or Process.CommandLine like r"%📐%" or Process.CommandLine like r"%📏%" or Process.CommandLine like r"%🧮%" or Process.CommandLine like r"%📌%" or Process.CommandLine like r"%📍%" or Process.CommandLine like r"%✂️%" or Process.CommandLine like r"%🖊%" or Process.CommandLine like r"%🖋%" or Process.CommandLine like r"%✒️%" or Process.CommandLine like r"%🖌%" or Process.CommandLine like r"%🖍%" or Process.CommandLine like r"%📝%" or Process.CommandLine like r"%✏️%" or Process.CommandLine like r"%🔍%" or Process.CommandLine like r"%🔎%" or Process.CommandLine like r"%🔏%" or Process.CommandLine like r"%🔐%" or Process.CommandLine like r"%🔒%" or Process.CommandLine like r"%🔓❤️%" or Process.CommandLine like r"%🧡%" or Process.CommandLine like r"%💛%" or Process.CommandLine like r"%💚%" or Process.CommandLine like r"%💙%" or Process.CommandLine 
like r"%💜%" or Process.CommandLine like r"%🖤%" or Process.CommandLine like r"%🤍%" or Process.CommandLine like r"%🤎%" or Process.CommandLine like r"%❤️‍🔥%" or Process.CommandLine like r"%❤️‍🩹%" or Process.CommandLine like r"%💔%" or Process.CommandLine like r"%❣️%" or Process.CommandLine like r"%💕%" or Process.CommandLine like r"%💞%" or Process.CommandLine like r"%💓%" or Process.CommandLine like r"%💗%" or Process.CommandLine like r"%💖%" or Process.CommandLine like r"%💘%" or Process.CommandLine like r"%💝%" or Process.CommandLine like r"%💟%" or Process.CommandLine like r"%☮️%" or Process.CommandLine like r"%✝️%" or Process.CommandLine like r"%☪️%" or Process.CommandLine like r"%🕉%" or Process.CommandLine like r"%☸️%" or Process.CommandLine like r"%✡️%" or Process.CommandLine like r"%🔯%" or Process.CommandLine like r"%🕎%" or Process.CommandLine like r"%☯️%" or Process.CommandLine like r"%☦️%" or Process.CommandLine like r"%🛐%" or Process.CommandLine like r"%⛎%" or Process.CommandLine like r"%♈️%" or Process.CommandLine like r"%♉️%" or Process.CommandLine like r"%♊️%" or Process.CommandLine like r"%♋️%" or Process.CommandLine like r"%♌️%" or Process.CommandLine like r"%♍️%" or Process.CommandLine like r"%♎️%" or Process.CommandLine like r"%♏️%" or Process.CommandLine like r"%♐️%" or Process.CommandLine like r"%♑️%" or Process.CommandLine like r"%♒️%" or Process.CommandLine like r"%♓️%" or Process.CommandLine like r"%🆔%" or Process.CommandLine like r"%⚛️%" or Process.CommandLine like r"%🉑%" or Process.CommandLine like r"%☢️%" or Process.CommandLine like r"%☣️%" or Process.CommandLine like r"%📴%" or Process.CommandLine like r"%📳%" or Process.CommandLine like r"%🈶%" or Process.CommandLine like r"%🈚️%" or Process.CommandLine like r"%🈸%" or Process.CommandLine like r"%🈺%" or Process.CommandLine like r"%🈷️%" or Process.CommandLine like r"%✴️%" or Process.CommandLine like r"%🆚%" or Process.CommandLine like r"%💮%" or Process.CommandLine like r"%🉐%" or Process.CommandLine like 
r"%㊙️%" or Process.CommandLine like r"%㊗️%" or Process.CommandLine like r"%🈴%" or Process.CommandLine like r"%🈵%" or Process.CommandLine like r"%🈹%" or Process.CommandLine like r"%🈲%" or Process.CommandLine like r"%🅰️%" or Process.CommandLine like r"%🅱️%" or Process.CommandLine like r"%🆎%" or Process.CommandLine like r"%🆑%" or Process.CommandLine like r"%🅾️%" or Process.CommandLine like r"%🆘%" or Process.CommandLine like r"%❌%" or Process.CommandLine like r"%⭕️%" or Process.CommandLine like r"%🛑%" or Process.CommandLine like r"%⛔️%" or Process.CommandLine like r"%📛%" or Process.CommandLine like r"%🚫%" or Process.CommandLine like r"%💯%" or Process.CommandLine like r"%💢%" or Process.CommandLine like r"%♨️%" or Process.CommandLine like r"%🚷%" or Process.CommandLine like r"%🚯%" or Process.CommandLine like r"%🚳%" or Process.CommandLine like r"%🚱%" or Process.CommandLine like r"%🔞%" or Process.CommandLine like r"%📵%" or Process.CommandLine like r"%🚭%" or Process.CommandLine like r"%❗️%" or Process.CommandLine like r"%❕%" or Process.CommandLine like r"%❓%" or Process.CommandLine like r"%❔%" or Process.CommandLine like r"%‼️%" or Process.CommandLine like r"%⁉️%" or Process.CommandLine like r"%🔅%" or Process.CommandLine like r"%🔆%" or Process.CommandLine like r"%〽️%" or Process.CommandLine like r"%⚠️%" or Process.CommandLine like r"%🚸%" or Process.CommandLine like r"%🔱%" or Process.CommandLine like r"%⚜️%" or Process.CommandLine like r"%🔰%" or Process.CommandLine like r"%♻️%" or Process.CommandLine like r"%✅%" or Process.CommandLine like r"%🈯️%" or Process.CommandLine like r"%💹%" or Process.CommandLine like r"%❇️%" or Process.CommandLine like r"%✳️%" or Process.CommandLine like r"%❎%" or Process.CommandLine like r"%🌐%" or Process.CommandLine like r"%💠%" or Process.CommandLine like r"%Ⓜ️%" or Process.CommandLine like r"%🌀%" or Process.CommandLine like r"%💤%" or Process.CommandLine like r"%🏧%" or Process.CommandLine like r"%🚾%" or Process.CommandLine like r"%♿️%" or 
Process.CommandLine like r"%🅿️%" or Process.CommandLine like r"%🛗%" or Process.CommandLine like r"%🈳%" or Process.CommandLine like r"%🈂️%" or Process.CommandLine like r"%🛂%" or Process.CommandLine like r"%🛃%" or Process.CommandLine like r"%🛄%" or Process.CommandLine like r"%🛅%" or Process.CommandLine like r"%🚹%" or Process.CommandLine like r"%🚺%" or Process.CommandLine like r"%🚼%" or Process.CommandLine like r"%⚧%" or Process.CommandLine like r"%🚻%" or Process.CommandLine like r"%🚮%" or Process.CommandLine like r"%🎦%" or Process.CommandLine like r"%📶%" or Process.CommandLine like r"%🈁%" or Process.CommandLine like r"%🔣%" or Process.CommandLine like r"%ℹ️%" or Process.CommandLine like r"%🔤%" or Process.CommandLine like r"%🔡%" or Process.CommandLine like r"%🔠%" or Process.CommandLine like r"%🆖%" or Process.CommandLine like r"%🆗%" or Process.CommandLine like r"%🆙%" or Process.CommandLine like r"%🆒%" or Process.CommandLine like r"%🆕%" or Process.CommandLine like r"%🆓%" or Process.CommandLine like r"%0️⃣%" or Process.CommandLine like r"%1️⃣%" or Process.CommandLine like r"%2️⃣%" or Process.CommandLine like r"%3️⃣%" or Process.CommandLine like r"%4️⃣%" or Process.CommandLine like r"%5️⃣%" or Process.CommandLine like r"%6️⃣%" or Process.CommandLine like r"%7️⃣%" or Process.CommandLine like r"%8️⃣%" or Process.CommandLine like r"%9️⃣%" or Process.CommandLine like r"%🔟%" or Process.CommandLine like r"%🔢%" or Process.CommandLine like r"%#️⃣%" or Process.CommandLine like r"%️⃣%" or Process.CommandLine like r"%⏏️%" or Process.CommandLine like r"%▶️%" or Process.CommandLine like r"%⏸%" or Process.CommandLine like r"%⏯%" or Process.CommandLine like r"%⏹%" or Process.CommandLine like r"%⏺%" or Process.CommandLine like r"%⏭%" or Process.CommandLine like r"%⏮%" or Process.CommandLine like r"%⏩%" or Process.CommandLine like r"%⏪%" or Process.CommandLine like r"%⏫%" or Process.CommandLine like r"%⏬%" or Process.CommandLine like r"%◀️%" or Process.CommandLine like r"%🔼%" or 
Process.CommandLine like r"%🔽%" or Process.CommandLine like r"%➡️%" or Process.CommandLine like r"%⬅️%" or Process.CommandLine like r"%⬆️%" or Process.CommandLine like r"%⬇️%" or Process.CommandLine like r"%↗️%" or Process.CommandLine like r"%↘️%" or Process.CommandLine like r"%↙️%" or Process.CommandLine like r"%↖️%" or Process.CommandLine like r"%↕️%" or Process.CommandLine like r"%↔️%" or Process.CommandLine like r"%↪️%" or Process.CommandLine like r"%↩️%" or Process.CommandLine like r"%⤴️%" or Process.CommandLine like r"%⤵️%" or Process.CommandLine like r"%🔀%" or Process.CommandLine like r"%🔁%" or Process.CommandLine like r"%🔂%" or Process.CommandLine like r"%🔄%" or Process.CommandLine like r"%🔃%" or Process.CommandLine like r"%🎵%" or Process.CommandLine like r"%🎶%" or Process.CommandLine like r"%➕%" or Process.CommandLine like r"%➖%" or Process.CommandLine like r"%➗%" or Process.CommandLine like r"%✖️%" or Process.CommandLine like r"%🟰%" or Process.CommandLine like r"%♾%" or Process.CommandLine like r"%💲%" or Process.CommandLine like r"%💱%" or Process.CommandLine like r"%™️%" or Process.CommandLine like r"%©️%" or Process.CommandLine like r"%®️%" or Process.CommandLine like r"%〰️%" or Process.CommandLine like r"%➰%" or Process.CommandLine like r"%➿%" or Process.CommandLine like r"%🔚%" or Process.CommandLine like r"%🔙%" or Process.CommandLine like r"%🔛%" or Process.CommandLine like r"%🔝%" or Process.CommandLine like r"%🔜%" or Process.CommandLine like r"%✔️%" or Process.CommandLine like r"%☑️%" or Process.CommandLine like r"%🔘%" or Process.CommandLine like r"%🔴%" or Process.CommandLine like r"%🟠%" or Process.CommandLine like r"%🟡%" or Process.CommandLine like r"%🟢%" or Process.CommandLine like r"%🔵%" or Process.CommandLine like r"%🟣%" or Process.CommandLine like r"%⚫️%" or Process.CommandLine like r"%⚪️%" or Process.CommandLine like r"%🟤%" or Process.CommandLine like r"%🔺%" or Process.CommandLine like r"%🔻%" [ThreatDetectionRule platform=Windows] -# Rundll32 can 
be use by Cobalt Strike with StartW function to load DLLs from the command line. -# Author: Wojciech Lesicki -RuleId = ae9c6a7c-9521-42a6-915e-5aaa8689d529 -RuleName = CobaltStrike Load by Rundll32 +# The OpenWith.exe executes other binary +# Author: Beyu Denis, oscd.community (rule), @harr0ey (idea) +RuleId = cec8e918-30f7-4e2d-9bfa-a59cc97ae60f +RuleName = OpenWith.exe Executes Specified Binary EventType = Process.Start -Tag = proc-start-cobaltstrike-load-by-rundll32 +Tag = proc-start-openwith.exe-executes-specified-binary RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.011"], "author": "Wojciech Lesicki"} -Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE" or Process.CommandLine like r"%rundll32.exe%" or Process.CommandLine like r"%rundll32 %") and Process.CommandLine like r"%.dll%" and (Process.CommandLine like r"% StartW" or Process.CommandLine like r"%,StartW") +Annotation = {"mitre_attack": ["T1218"], "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)"} +Query = Process.Path like r"%\\OpenWith.exe" and Process.CommandLine like r"%/c%" [ThreatDetectionRule platform=Windows] -# Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts +# Detects suspicious ways to use the "DumpMinitool.exe" binary # Author: Florian Roth (Nextron Systems) -RuleId = 93199800-b52a-4dec-b762-75212c196542 -RuleName = PUA - RunXCmd Execution +RuleId = eb1c4225-1c23-4241-8dd4-051389fde4ce +RuleName = Suspicious DumpMinitool Execution EventType = Process.Start -Tag = proc-start-pua-runxcmd-execution +Tag = proc-start-suspicious-dumpminitool-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1569.002"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.CommandLine like r"% /account=system %" or Process.CommandLine like r"% /account=ti %") and Process.CommandLine like r"%/exec=%" +Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query 
= (Process.Path like r"%\\DumpMinitool.exe" or Process.Path like r"%\\DumpMinitool.x86.exe" or Process.Path like r"%\\DumpMinitool.arm64.exe" or Process.Name in ["DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe"]) and (not (Process.Path like r"%\\Microsoft Visual Studio\\%" or Process.Path like r"%\\Extensions\\%") or Process.CommandLine like r"%.txt%" or (Process.CommandLine like r"% Full%" or Process.CommandLine like r"% Mini%" or Process.CommandLine like r"% WithHeap%") and not Process.CommandLine like r"%--dumpType%") [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer) -# Author: X__Junior (Nextron Systems) -RuleId = 4c21b805-4dd7-469f-b47d-7383a8fcb437 -RuleName = Potential Iviewers.DLL Sideloading -EventType = Image.Load -Tag = potential-iviewers.dll-sideloading +# Detects a set of suspicious network related commands often used in recon stages +# Author: Florian Roth (Nextron Systems) +RuleId = e6313acd-208c-44fc-a0ff-db85d572e90e +RuleName = Network Reconnaissance Activity +EventType = Process.Start +Tag = proc-start-network-reconnaissance-activity RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} -Query = Image.Path like r"%\\iviewers.dll" and not (Image.Path like r"C:\\Program Files (x86)\\Windows Kits\\%" or Image.Path like r"C:\\Program Files\\Windows Kits\\%") -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1087", "T1082"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%nslookup%" and Process.CommandLine like r"%\_ldap.\_tcp.dc.\_msdcs.%" [ThreatDetectionRule platform=Windows] -# Detects that a powershell code is written to the registry as a service. 
-# Author: oscd.community, Natalia Shornikova -RuleId = 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d -RuleName = PowerShell as a Service in Registry +# Bypasses User Account Control using a fileless method +# Author: frack113 +RuleId = 46dd5308-4572-4d12-aa43-8938f0184d4f +RuleName = Bypass UAC Using DelegateExecute EventType = Reg.Any -Tag = powershell-as-a-service-in-registry +Tag = bypass-uac-using-delegateexecute RiskScore = 75 -Annotation = {"mitre_attack": ["T1569.002"], "author": "oscd.community, Natalia Shornikova"} -Query = Reg.TargetObject like r"%\\Services\\%" and Reg.TargetObject like r"%\\ImagePath" and (Reg.Value.Data like r"%powershell%" or Reg.Value.Data like r"%pwsh%") +Annotation = {"mitre_attack": ["T1548.002"], "author": "frack113"} +Query = Reg.TargetObject like r"%\\open\\command\\DelegateExecute" and Reg.Value.Data == "(Empty)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. +# Detects potential COM object hijacking via modification of default system CLSID. 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 -RuleName = Suspicious Response File Execution Via Odbcconf.EXE -EventType = Process.Start -Tag = proc-start-suspicious-response-file-execution-via-odbcconf.exe -RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.008"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\odbcconf.exe" or Process.Name == "odbcconf.exe") and (Process.CommandLine like r"% -f %" or Process.CommandLine like r"% /f %" or Process.CommandLine like r"% –f %" or Process.CommandLine like r"% —f %" or Process.CommandLine like r"% ―f %") and not (Process.CommandLine like r"%.rsp%" or Parent.Path == "C:\\Windows\\System32\\runonce.exe" and Process.Path == "C:\\Windows\\System32\\odbcconf.exe" and Process.CommandLine like r"%.exe /E /F \"C:\\WINDOWS\\system32\\odbcconf.tmp\"%") -GenericProperty1 = Parent.Path - - -[ThreatDetectionRule platform=Windows] -# Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments. -# This can be used to detect spear-phishing campaigns that use RDP files as attachments. 
-# Author: Florian Roth -RuleId = f748c45a-f8d3-4e6f-b617-fe176f695b8f -RuleName = .RDP File Created by Outlook Process -EventType = File.Create -Tag = .rdp-file-created-by-outlook-process +RuleId = 790317c0-0a36-4a6a-a105-6e576bf99a14 +RuleName = COM Object Hijacking Via Modification Of Default System CLSID Default Value +EventType = Reg.Any +Tag = com-object-hijacking-via-modification-of-default-system-clsid-default-value RiskScore = 75 -Annotation = {"author": "Florian Roth"} -Query = File.Path like r"%.rdp" and (File.Path like r"%\\AppData\\Local\\Packages\\Microsoft.Outlook\_%" or File.Path like r"%\\AppData\\Local\\Microsoft\\Olk\\Attachments\\%" or File.Path like r"%\\AppData\\Local\\Microsoft\\Windows\\%" and File.Path like r"%\\Content.Outlook\\%") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1546.015"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\CLSID\\%" and (Reg.TargetObject like r"%\\InprocServer32\\(Default)" or Reg.TargetObject like r"%\\LocalServer32\\(Default)") and (Reg.TargetObject like r"%\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\%" or Reg.TargetObject like r"%\\{2155fee3-2419-4373-b102-6843707eb41f}\\%" or Reg.TargetObject like r"%\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\%" or Reg.TargetObject like r"%\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\%" or Reg.TargetObject like r"%\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\%" or Reg.TargetObject like r"%\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\%" or Reg.TargetObject like r"%\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\%" or Reg.TargetObject like r"%\\{7849596a-48ea-486e-8937-a2a3009f31a9}\\%" or Reg.TargetObject like r"%\\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\\%" or Reg.TargetObject like r"%\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\\%") and (Reg.Value.Data like r"%:\\Perflogs\\%" or Reg.Value.Data like r"%\\AppData\\Local\\%" or Reg.Value.Data like r"%\\Desktop\\%" or Reg.Value.Data like r"%\\Downloads\\%" or Reg.Value.Data like 
r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%" or Reg.Value.Data like r"%\\System32\\spool\\drivers\\color\\%" or Reg.Value.Data like r"%\\Temporary Internet%" or Reg.Value.Data like r"%\\Users\\Public\\%" or Reg.Value.Data like r"%\\Windows\\Temp\\%" or Reg.Value.Data like r"%\%appdata\%%" or Reg.Value.Data like r"%\%temp\%%" or Reg.Value.Data like r"%\%tmp\%%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favorites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favourites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Contacts\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Pictures\\%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. -# Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 1816994b-42e1-4fb1-afd2-134d88184f71 -RuleName = PowerShell Base64 Encoded WMI Classes -EventType = Process.Start -Tag = proc-start-powershell-base64-encoded-wmi-classes +# Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = f10ed525-97fe-4fed-be7c-2feecca941b1 +RuleName = Persistence Via Hhctrl.ocx +EventType = Reg.Any +Tag = persistence-via-hhctrl.ocx RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001", "T1027"], "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%" or Process.CommandLine like r"%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%" or Process.CommandLine like 
r"%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%" or Process.CommandLine like r"%V2luMzJfU2hhZG93Y29we%" or Process.CommandLine like r"%dpbjMyX1NoYWRvd2NvcH%" or Process.CommandLine like r"%XaW4zMl9TaGFkb3djb3B5%" or Process.CommandLine like r"%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%" or Process.CommandLine like r"%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%" or Process.CommandLine like r"%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%" or Process.CommandLine like r"%V2luMzJfU2NoZWR1bGVkSm9i%" or Process.CommandLine like r"%dpbjMyX1NjaGVkdWxlZEpvY%" or Process.CommandLine like r"%XaW4zMl9TY2hlZHVsZWRKb2%" or Process.CommandLine like r"%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%" or Process.CommandLine like r"%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%" or Process.CommandLine like r"%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%" or Process.CommandLine like r"%V2luMzJfUHJvY2Vzc%" or Process.CommandLine like r"%dpbjMyX1Byb2Nlc3%" or Process.CommandLine like r"%XaW4zMl9Qcm9jZXNz%" or Process.CommandLine like r"%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%" or Process.CommandLine like r"%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%" or Process.CommandLine like r"%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%" or Process.CommandLine like r"%V2luMzJfVXNlckFjY291bn%" or Process.CommandLine like r"%dpbjMyX1VzZXJBY2NvdW50%" or Process.CommandLine like r"%XaW4zMl9Vc2VyQWNjb3Vud%" or Process.CommandLine like r"%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%" or Process.CommandLine like r"%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%" or Process.CommandLine like r"%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%" or Process.CommandLine like r"%V2luMzJfTG9nZ2VkT25Vc2Vy%" or Process.CommandLine like r"%dpbjMyX0xvZ2dlZE9uVXNlc%" or Process.CommandLine like r"%XaW4zMl9Mb2dnZWRPblVzZX%") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)%" and not 
Reg.Value.Data == "C:\\Windows\\System32\\hhctrl.ocx" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 966315ef-c5e1-4767-ba25-fce9c8de3660 -RuleName = Suspicious Environment Variable Has Been Registered +# Detects that a powershell code is written to the registry as a service. +# Author: oscd.community, Natalia Shornikova +RuleId = 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d +RuleName = PowerShell as a Service in Registry EventType = Reg.Any -Tag = suspicious-environment-variable-has-been-registered +Tag = powershell-as-a-service-in-registry RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Environment\\%" and (Reg.Value.Data in ["powershell", "pwsh"] or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%C:\\Users\\Public\\%" or Reg.Value.Data like r"%TVqQAAMAAAAEAAAA%" or Reg.Value.Data like r"%TVpQAAIAAAAEAA8A%" or Reg.Value.Data like r"%TVqAAAEAAAAEABAA%" or Reg.Value.Data like r"%TVoAAAAAAAAAAAAA%" or Reg.Value.Data like r"%TVpTAQEAAAAEAAAA%" or Reg.Value.Data like r"%SW52b2tlL%" or Reg.Value.Data like r"%ludm9rZS%" or Reg.Value.Data like r"%JbnZva2Ut%" or Reg.Value.Data like r"%SQBuAHYAbwBrAGUALQ%" or Reg.Value.Data like r"%kAbgB2AG8AawBlAC0A%" or Reg.Value.Data like r"%JAG4AdgBvAGsAZQAtA%" or Reg.Value.Data like r"SUVY%" or Reg.Value.Data like r"SQBFAF%" or Reg.Value.Data like r"SQBuAH%" or Reg.Value.Data like r"cwBhA%" or Reg.Value.Data like r"aWV4%" or Reg.Value.Data like r"aQBlA%" or Reg.Value.Data like r"R2V0%" or Reg.Value.Data like r"dmFy%" or Reg.Value.Data like r"dgBhA%" or Reg.Value.Data like r"dXNpbm%" or Reg.Value.Data like r"H4sIA%" or Reg.Value.Data like r"Y21k%" or 
Reg.Value.Data like r"cABhAH%" or Reg.Value.Data like r"Qzpc%" or Reg.Value.Data like r"Yzpc%") +Annotation = {"mitre_attack": ["T1569.002"], "author": "oscd.community, Natalia Shornikova"} +Query = Reg.TargetObject like r"%\\Services\\%" and Reg.TargetObject like r"%\\ImagePath" and (Reg.Value.Data like r"%powershell%" or Reg.Value.Data like r"%pwsh%") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects potential web shell execution from the ScreenConnect server process. -# Author: Jason Rathbun (Blackpoint Cyber) -RuleId = b19146a3-25d4-41b4-928b-1e2a92641b1b -RuleName = Remote Access Tool - ScreenConnect Server Web Shell Execution +# Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed +# Author: Florian Roth (Nextron Systems) +RuleId = 37c1333a-a0db-48be-b64b-7393b2386e3b +RuleName = Hacktool Execution - PE Metadata EventType = Process.Start -Tag = proc-start-remote-access-tool-screenconnect-server-web-shell-execution +Tag = proc-start-hacktool-execution-pe-metadata RiskScore = 75 -Annotation = {"mitre_attack": ["T1190"], "author": "Jason Rathbun (Blackpoint Cyber)"} -Query = Parent.Path like r"%\\ScreenConnect.Service.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\csc.exe") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1588.002", "T1003"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Company == "Cube0x0" +GenericProperty1 = Process.Company [ThreatDetectionRule platform=Windows] -# Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 6004abd0-afa4-4557-ba90-49d172e0a299 -RuleName = Execute Pcwrun.EXE To Leverage Follina +# Detects the use of Tor or Tor-Browser to connect to onion routing networks 
+# Author: frack113 +RuleId = 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c +RuleName = Tor Client/Browser Execution EventType = Process.Start -Tag = proc-start-execute-pcwrun.exe-to-leverage-follina +Tag = proc-start-tor-client/browser-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\pcwrun.exe" and Process.CommandLine like r"%../%" +Annotation = {"mitre_attack": ["T1090.003"], "author": "frack113"} +Query = Process.Path like r"%\\tor.exe" or Process.Path like r"%\\Tor Browser\\Browser\\firefox.exe" [ThreatDetectionRule platform=Windows] -# Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. -# The process in field Process is the malicious program. A single execution can lead to hundreds of events. -# Author: Thomas Patzke -RuleId = f239b326-2f41-4d6b-9dfa-c846a60ef505 -RuleName = Password Dumper Remote Thread in LSASS -EventType = Process.CreateRemoteThread -Tag = password-dumper-remote-thread-in-lsass +# Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. 
+# Author: Nasreddine Bencherchali (Nextron Systems), frack113 +RuleId = ec0722a3-eb5c-4a56-8ab2-bf6f20708592 +RuleName = Renamed Gpg.EXE Execution +EventType = Process.Start +Tag = proc-start-renamed-gpg.exe-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Thomas Patzke"} -Query = Process.Path like r"%\\lsass.exe" and Thread.StartModule == "" -GenericProperty1 = Thread.StartModule +Annotation = {"mitre_attack": ["T1486"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113"} +Query = Process.Name == "gpg.exe" and not (Process.Path like r"%\\gpg.exe" or Process.Path like r"%\\gpg2.exe") [ThreatDetectionRule platform=Windows] -# Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts +# Detects scheduled task creations that have suspicious action command and folder combinations # Author: Florian Roth (Nextron Systems) -RuleId = fa00b701-44c6-4679-994d-5a18afa8a707 -RuleName = PUA - AdvancedRun Suspicious Execution +RuleId = 8a8379b8-780b-4dbf-b1e9-31c8d112fefb +RuleName = Schtasks From Suspicious Folders EventType = Process.Start -Tag = proc-start-pua-advancedrun-suspicious-execution +Tag = proc-start-schtasks-from-suspicious-folders RiskScore = 75 -Annotation = {"mitre_attack": ["T1134.002"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.CommandLine like r"%/EXEFilename%" or Process.CommandLine like r"%/CommandLine%") and (Process.CommandLine like r"% /RunAs 8 %" or Process.CommandLine like r"% /RunAs 4 %" or Process.CommandLine like r"% /RunAs 10 %" or Process.CommandLine like r"% /RunAs 11 %" or Process.CommandLine like r"%/RunAs 8" or Process.CommandLine like r"%/RunAs 4" or Process.CommandLine like r"%/RunAs 10" or Process.CommandLine like r"%/RunAs 11") +Annotation = {"mitre_attack": ["T1053.005"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\schtasks.exe" or Process.Name == "schtasks.exe") 
and Process.CommandLine like r"% /create %" and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%pwsh%" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd /k %" or Process.CommandLine like r"%cmd /r %" or Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd.exe /r %") and (Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%\%ProgramData\%%") [ThreatDetectionRule platform=Windows] -# Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 4beb6ae0-f85b-41e2-8f18-8668abc8af78 -RuleName = Sysinternals PsSuspend Suspicious Execution +# This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced. +# Author: Florian Roth (Nextron Systems) +RuleId = 42a993dd-bb3e-48c8-b372-4d6684c4106c +RuleName = HackTool - CrackMapExec Execution EventType = Process.Start -Tag = proc-start-sysinternals-pssuspend-suspicious-execution +Tag = proc-start-hacktool-crackmapexec-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Name == "pssuspend.exe" or Process.Path like r"%\\pssuspend.exe" or Process.Path like r"%\\pssuspend64.exe") and Process.CommandLine like r"%msmpeng.exe%" +Annotation = {"mitre_attack": ["T1047", "T1053", "T1059.003", "T1059.001", "T1110", "T1201"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\crackmapexec.exe" or Process.CommandLine like r"% -M pe\_inject %" or Process.CommandLine like r"% --local-auth%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -x %" or Process.CommandLine like r"% --local-auth%" and Process.CommandLine like r"% -u %" and 
Process.CommandLine like r"% -p %" and Process.CommandLine like r"% -H 'NTHASH'%" or Process.CommandLine like r"% mssql %" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% -M %" and Process.CommandLine like r"% -d %" or Process.CommandLine like r"% smb %" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -H %" and Process.CommandLine like r"% -M %" and Process.CommandLine like r"% -o %" or Process.CommandLine like r"% smb %" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% --local-auth%" or Process.CommandLine like r"% --local-auth%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% 10.%" and Process.CommandLine like r"% 192.168.%" and Process.CommandLine like r"%/24 %" [ThreatDetectionRule platform=Windows] -# Detects loading and execution of an unsigned thor scanner binary. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = ea5c131b-380d-49f9-aeb3-920694da4d4b -RuleName = Suspicious Unsigned Thor Scanner Execution -EventType = Image.Load -Tag = suspicious-unsigned-thor-scanner-execution +# Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit. 
+# Author: Furkan Caliskan (@caliskanfurkan_) +RuleId = d3b70aad-097e-409c-9df2-450f80dc476b +RuleName = PUA - DIT Snapshot Viewer +EventType = Process.Start +Tag = proc-start-pua-dit-snapshot-viewer RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\thor.exe" or Process.Path like r"%\\thor64.exe") and (Image.Path like r"%\\thor.exe" or Image.Path like r"%\\thor64.exe") and not (Image.IsSigned == "true" and Image.SignatureStatus == "valid" and Image.Signature == "Nextron Systems GmbH") -GenericProperty1 = Image.Path -GenericProperty2 = Image.IsSigned -GenericProperty3 = Image.Signature -GenericProperty4 = Image.SignatureStatus +Annotation = {"mitre_attack": ["T1003.003"], "author": "Furkan Caliskan (@caliskanfurkan_)"} +Query = Process.Path like r"%\\ditsnap.exe" or Process.CommandLine like r"%ditsnap.exe%" [ThreatDetectionRule platform=Windows] -# Detects the creation of a file that has the same name as the default LiveKD kernel memory dump. 
+# Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory +# Author: Florian Roth (Nextron Systems) +RuleId = 4c0aaedc-154c-4427-ada0-d80ef9c9deb6 +RuleName = Process Access via TrolleyExpress Exclusion +EventType = Process.Start +Tag = proc-start-process-access-via-trolleyexpress-exclusion +RiskScore = 75 +Annotation = {"mitre_attack": ["T1218.011", "T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%\\TrolleyExpress 7%" or Process.CommandLine like r"%\\TrolleyExpress 8%" or Process.CommandLine like r"%\\TrolleyExpress 9%" or Process.CommandLine like r"%\\TrolleyExpress.exe 7%" or Process.CommandLine like r"%\\TrolleyExpress.exe 8%" or Process.CommandLine like r"%\\TrolleyExpress.exe 9%" or Process.CommandLine like r"%\\TrolleyExpress.exe -ma %" or Process.Path like r"%\\TrolleyExpress.exe" and not (Process.Name like r"%CtxInstall%" or isnull(Process.Name)) + + +[ThreatDetectionRule platform=Windows] +# Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. 
+# Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 814ddeca-3d31-4265-8e07-8cc54fb44903 -RuleName = LiveKD Kernel Memory Dump File Created -EventType = File.Create -Tag = livekd-kernel-memory-dump-file-created +RuleId = ee4c5d06-3abc-48cc-8885-77f1c20f4451 +RuleName = DLL Sideloading Of ShellChromeAPI.DLL +EventType = Image.Load +Tag = dll-sideloading-of-shellchromeapi.dll RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path == "C:\\Windows\\livekd.dmp" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Image.Path like r"%\\ShellChromeAPI.dll" +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects when a user downloads a file from an IP based URL using CertOC.exe +# Detects usage of the Quarks PwDump tool via commandline arguments # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a -RuleName = File Download From IP Based URL Via CertOC.EXE +RuleId = 0685b176-c816-4837-8e7b-1216f346636b +RuleName = HackTool - Quarks PwDump Execution EventType = Process.Start -Tag = proc-start-file-download-from-ip-based-url-via-certoc.exe +Tag = proc-start-hacktool-quarks-pwdump-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1105"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\certoc.exe" or Process.Name == "CertOC.exe") and Process.CommandLine regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and Process.CommandLine like r"%-GetCACAPS%" +Annotation = {"mitre_attack": ["T1003.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\QuarksPwDump.exe" or Process.CommandLine in [" -dhl", " --dump-hash-local", " -dhdc", " --dump-hash-domain-cached", 
" --dump-bitlocker", " -dhd ", " --dump-hash-domain ", "--ntds-file"] [ThreatDetectionRule platform=Windows] -# detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = ee5e119b-1f75-4b34-add8-3be976961e39 -RuleName = Conhost.exe CommandLine Path Traversal +# Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution +# Author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems) +RuleId = c363385c-f75d-4753-a108-c1a8e28bdbda +RuleName = Potential Manage-bde.wsf Abuse To Proxy Execution EventType = Process.Start -Tag = proc-start-conhost.exe-commandline-path-traversal +Tag = proc-start-potential-manage-bde.wsf-abuse-to-proxy-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Parent.CommandLine like r"%conhost%" and Process.CommandLine like r"%/../../%" -GenericProperty1 = Parent.CommandLine +Annotation = {"mitre_attack": ["T1216"], "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\wscript.exe" or Process.Name == "wscript.exe") and Process.CommandLine like r"%manage-bde.wsf%" or (Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\wscript.exe") and Parent.CommandLine like r"%manage-bde.wsf%" and not Process.Path like r"%\\cmd.exe" +GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. 
-# Author: @Kostastsale, @TheDFIRReport -RuleId = 225274c4-8dd1-40db-9e09-71dff4f6fb3c -RuleName = Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 +# Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule +# Author: Florian Roth (Nextron Systems), oscd.community +RuleId = 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63 +RuleName = RDP Port Forwarding Rule Added Via Netsh.EXE EventType = Process.Start -Tag = proc-start-potential-defense-evasion-activity-via-emoji-usage-in-commandline-4 +Tag = proc-start-rdp-port-forwarding-rule-added-via-netsh.exe RiskScore = 75 -Annotation = {"author": "@Kostastsale, @TheDFIRReport"} -Query = Process.CommandLine like r"%🔸%" or Process.CommandLine like r"%🔹%" or Process.CommandLine like r"%🔶%" or Process.CommandLine like r"%🔷%" or Process.CommandLine like r"%🔳%" or Process.CommandLine like r"%🔲%" or Process.CommandLine like r"%▪️%" or Process.CommandLine like r"%▫️%" or Process.CommandLine like r"%◾️%" or Process.CommandLine like r"%◽️%" or Process.CommandLine like r"%◼️%" or Process.CommandLine like r"%◻️%" or Process.CommandLine like r"%🟥%" or Process.CommandLine like r"%🟧%" or Process.CommandLine like r"%🟨%" or Process.CommandLine like r"%🟩%" or Process.CommandLine like r"%🟦%" or Process.CommandLine like r"%🟪%" or Process.CommandLine like r"%⬛️%" or Process.CommandLine like r"%⬜️%" or Process.CommandLine like r"%🟫%" or Process.CommandLine like r"%🔈%" or Process.CommandLine like r"%🔇%" or Process.CommandLine like r"%🔉%" or Process.CommandLine like r"%🔊%" or Process.CommandLine like r"%🔔%" or Process.CommandLine like r"%🔕%" or Process.CommandLine like r"%📣%" or Process.CommandLine like r"%📢%" or Process.CommandLine like r"%👁‍🗨%" or Process.CommandLine like r"%💬%" or Process.CommandLine like r"%💭%" or Process.CommandLine like r"%🗯%" or Process.CommandLine like r"%♠️%" or Process.CommandLine like r"%♣️%" or Process.CommandLine like r"%♥️%" or Process.CommandLine like r"%♦️%" or 
Process.CommandLine like r"%🃏%" or Process.CommandLine like r"%🎴%" or Process.CommandLine like r"%🀄️%" or Process.CommandLine like r"%🕐%" or Process.CommandLine like r"%🕑%" or Process.CommandLine like r"%🕒%" or Process.CommandLine like r"%🕓%" or Process.CommandLine like r"%🕔%" or Process.CommandLine like r"%🕕%" or Process.CommandLine like r"%🕖%" or Process.CommandLine like r"%🕗%" or Process.CommandLine like r"%🕘%" or Process.CommandLine like r"%🕙%" or Process.CommandLine like r"%🕚%" or Process.CommandLine like r"%🕛%" or Process.CommandLine like r"%🕜%" or Process.CommandLine like r"%🕝%" or Process.CommandLine like r"%🕞%" or Process.CommandLine like r"%🕟%" or Process.CommandLine like r"%🕠%" or Process.CommandLine like r"%🕡%" or Process.CommandLine like r"%🕢%" or Process.CommandLine like r"%🕣%" or Process.CommandLine like r"%🕤%" or Process.CommandLine like r"%🕥%" or Process.CommandLine like r"%🕦%" or Process.CommandLine like r"%🕧✢%" or Process.CommandLine like r"%✣%" or Process.CommandLine like r"%✤%" or Process.CommandLine like r"%✥%" or Process.CommandLine like r"%✦%" or Process.CommandLine like r"%✧%" or Process.CommandLine like r"%★%" or Process.CommandLine like r"%☆%" or Process.CommandLine like r"%✯%" or Process.CommandLine like r"%✡︎%" or Process.CommandLine like r"%✩%" or Process.CommandLine like r"%✪%" or Process.CommandLine like r"%✫%" or Process.CommandLine like r"%✬%" or Process.CommandLine like r"%✭%" or Process.CommandLine like r"%✮%" or Process.CommandLine like r"%✶%" or Process.CommandLine like r"%✷%" or Process.CommandLine like r"%✵%" or Process.CommandLine like r"%✸%" or Process.CommandLine like r"%✹%" or Process.CommandLine like r"%→%" or Process.CommandLine like r"%⇒%" or Process.CommandLine like r"%⟹%" or Process.CommandLine like r"%⇨%" or Process.CommandLine like r"%⇾%" or Process.CommandLine like r"%➾%" or Process.CommandLine like r"%⇢%" or Process.CommandLine like r"%☛%" or Process.CommandLine like r"%☞%" or Process.CommandLine like r"%➔%" or 
Process.CommandLine like r"%➜%" or Process.CommandLine like r"%➙%" or Process.CommandLine like r"%➛%" or Process.CommandLine like r"%➝%" or Process.CommandLine like r"%➞%" or Process.CommandLine like r"%♠︎%" or Process.CommandLine like r"%♣︎%" or Process.CommandLine like r"%♥︎%" or Process.CommandLine like r"%♦︎%" or Process.CommandLine like r"%♤%" or Process.CommandLine like r"%♧%" or Process.CommandLine like r"%♡%" or Process.CommandLine like r"%♢%" or Process.CommandLine like r"%♚%" or Process.CommandLine like r"%♛%" or Process.CommandLine like r"%♜%" or Process.CommandLine like r"%♝%" or Process.CommandLine like r"%♞%" or Process.CommandLine like r"%♟%" or Process.CommandLine like r"%♔%" or Process.CommandLine like r"%♕%" or Process.CommandLine like r"%♖%" or Process.CommandLine like r"%♗%" or Process.CommandLine like r"%♘%" or Process.CommandLine like r"%♙%" or Process.CommandLine like r"%⚀%" or Process.CommandLine like r"%⚁%" or Process.CommandLine like r"%⚂%" or Process.CommandLine like r"%⚃%" or Process.CommandLine like r"%⚄%" or Process.CommandLine like r"%⚅%" or Process.CommandLine like r"%🂠%" or Process.CommandLine like r"%⚈%" or Process.CommandLine like r"%⚉%" or Process.CommandLine like r"%⚆%" or Process.CommandLine like r"%⚇%" or Process.CommandLine like r"%𓀀%" or Process.CommandLine like r"%𓀁%" or Process.CommandLine like r"%𓀂%" or Process.CommandLine like r"%𓀃%" or Process.CommandLine like r"%𓀄%" or Process.CommandLine like r"%𓀅%" or Process.CommandLine like r"%𓀆%" or Process.CommandLine like r"%𓀇%" or Process.CommandLine like r"%𓀈%" or Process.CommandLine like r"%𓀉%" or Process.CommandLine like r"%𓀊%" or Process.CommandLine like r"%𓀋%" or Process.CommandLine like r"%𓀌%" or Process.CommandLine like r"%𓀍%" or Process.CommandLine like r"%𓀎%" or Process.CommandLine like r"%𓀏%" or Process.CommandLine like r"%𓀐%" or Process.CommandLine like r"%𓀑%" or Process.CommandLine like r"%𓀒%" or Process.CommandLine like r"%𓀓%" or Process.CommandLine like r"%𓀔%" or 
Process.CommandLine like r"%𓀕%" or Process.CommandLine like r"%𓀖%" or Process.CommandLine like r"%𓀗%" or Process.CommandLine like r"%𓀘%" or Process.CommandLine like r"%𓀙%" or Process.CommandLine like r"%𓀚%" or Process.CommandLine like r"%𓀛%" or Process.CommandLine like r"%𓀜%" or Process.CommandLine like r"%𓀝🏳️%" or Process.CommandLine like r"%🏴%" or Process.CommandLine like r"%🏁%" or Process.CommandLine like r"%🚩%" or Process.CommandLine like r"%🏳️‍🌈%" or Process.CommandLine like r"%🏳️‍⚧️%" or Process.CommandLine like r"%🏴‍☠️%" or Process.CommandLine like r"%🇦🇫%" or Process.CommandLine like r"%🇦🇽%" or Process.CommandLine like r"%🇦🇱%" or Process.CommandLine like r"%🇩🇿%" or Process.CommandLine like r"%🇦🇸%" or Process.CommandLine like r"%🇦🇩%" or Process.CommandLine like r"%🇦🇴%" or Process.CommandLine like r"%🇦🇮%" or Process.CommandLine like r"%🇦🇶%" or Process.CommandLine like r"%🇦🇬%" or Process.CommandLine like r"%🇦🇷%" or Process.CommandLine like r"%🇦🇲%" or Process.CommandLine like r"%🇦🇼%" or Process.CommandLine like r"%🇦🇺%" or Process.CommandLine like r"%🇦🇹%" or Process.CommandLine like r"%🇦🇿%" or Process.CommandLine like r"%🇧🇸%" or Process.CommandLine like r"%🇧🇭%" or Process.CommandLine like r"%🇧🇩%" or Process.CommandLine like r"%🇧🇧%" or Process.CommandLine like r"%🇧🇾%" or Process.CommandLine like r"%🇧🇪%" or Process.CommandLine like r"%🇧🇿%" or Process.CommandLine like r"%🇧🇯%" or Process.CommandLine like r"%🇧🇲%" or Process.CommandLine like r"%🇧🇹%" or Process.CommandLine like r"%🇧🇴%" or Process.CommandLine like r"%🇧🇦%" or Process.CommandLine like r"%🇧🇼%" or Process.CommandLine like r"%🇧🇷%" or Process.CommandLine like r"%🇮🇴%" or Process.CommandLine like r"%🇻🇬%" or Process.CommandLine like r"%🇧🇳%" or Process.CommandLine like r"%🇧🇬%" or Process.CommandLine like r"%🇧🇫%" or Process.CommandLine like r"%🇧🇮%" or Process.CommandLine like r"%🇰🇭%" or Process.CommandLine like r"%🇨🇲%" or Process.CommandLine like r"%🇨🇦%" or Process.CommandLine like r"%🇮🇨%" or Process.CommandLine 
like r"%🇨🇻%" or Process.CommandLine like r"%🇧🇶%" or Process.CommandLine like r"%🇰🇾%" or Process.CommandLine like r"%🇨🇫%" or Process.CommandLine like r"%🇹🇩%" or Process.CommandLine like r"%🇨🇱%" or Process.CommandLine like r"%🇨🇳%" or Process.CommandLine like r"%🇨🇽%" or Process.CommandLine like r"%🇨🇨%" or Process.CommandLine like r"%🇨🇴%" or Process.CommandLine like r"%🇰🇲%" or Process.CommandLine like r"%🇨🇬%" or Process.CommandLine like r"%🇨🇩%" or Process.CommandLine like r"%🇨🇰%" or Process.CommandLine like r"%🇨🇷%" or Process.CommandLine like r"%🇨🇮%" or Process.CommandLine like r"%🇭🇷%" or Process.CommandLine like r"%🇨🇺%" or Process.CommandLine like r"%🇨🇼%" or Process.CommandLine like r"%🇨🇾%" or Process.CommandLine like r"%🇨🇿%" or Process.CommandLine like r"%🇩🇰%" or Process.CommandLine like r"%🇩🇯%" or Process.CommandLine like r"%🇩🇲%" or Process.CommandLine like r"%🇩🇴%" or Process.CommandLine like r"%🇪🇨%" or Process.CommandLine like r"%🇪🇬%" or Process.CommandLine like r"%🇸🇻%" or Process.CommandLine like r"%🇬🇶%" or Process.CommandLine like r"%🇪🇷%" or Process.CommandLine like r"%🇪🇪%" or Process.CommandLine like r"%🇪🇹%" or Process.CommandLine like r"%🇪🇺%" or Process.CommandLine like r"%🇫🇰%" or Process.CommandLine like r"%🇫🇴%" or Process.CommandLine like r"%🇫🇯%" or Process.CommandLine like r"%🇫🇮%" or Process.CommandLine like r"%🇫🇷%" or Process.CommandLine like r"%🇬🇫%" or Process.CommandLine like r"%🇵🇫%" or Process.CommandLine like r"%🇹🇫%" or Process.CommandLine like r"%🇬🇦%" or Process.CommandLine like r"%🇬🇲%" or Process.CommandLine like r"%🇬🇪%" or Process.CommandLine like r"%🇩🇪%" or Process.CommandLine like r"%🇬🇭%" or Process.CommandLine like r"%🇬🇮%" or Process.CommandLine like r"%🇬🇷%" or Process.CommandLine like r"%🇬🇱%" or Process.CommandLine like r"%🇬🇩%" or Process.CommandLine like r"%🇬🇵%" or Process.CommandLine like r"%🇬🇺%" or Process.CommandLine like r"%🇬🇹%" or Process.CommandLine like r"%🇬🇬%" or Process.CommandLine like r"%🇬🇳%" or Process.CommandLine like r"%🇬🇼%" or 
Process.CommandLine like r"%🇬🇾%" or Process.CommandLine like r"%🇭🇹%" or Process.CommandLine like r"%🇭🇳%" or Process.CommandLine like r"%🇭🇰%" or Process.CommandLine like r"%🇭🇺%" or Process.CommandLine like r"%🇮🇸%" or Process.CommandLine like r"%🇮🇳%" or Process.CommandLine like r"%🇮🇩%" or Process.CommandLine like r"%🇮🇷%" or Process.CommandLine like r"%🇮🇶%" or Process.CommandLine like r"%🇮🇪%" or Process.CommandLine like r"%🇮🇲%" or Process.CommandLine like r"%🇮🇱%" or Process.CommandLine like r"%🇮🇹%" or Process.CommandLine like r"%🇯🇲%" or Process.CommandLine like r"%🇯🇵%" or Process.CommandLine like r"%🎌%" or Process.CommandLine like r"%🇯🇪%" or Process.CommandLine like r"%🇯🇴%" or Process.CommandLine like r"%🇰🇿%" or Process.CommandLine like r"%🇰🇪%" or Process.CommandLine like r"%🇰🇮%" or Process.CommandLine like r"%🇽🇰%" or Process.CommandLine like r"%🇰🇼%" or Process.CommandLine like r"%🇰🇬%" or Process.CommandLine like r"%🇱🇦%" or Process.CommandLine like r"%🇱🇻%" or Process.CommandLine like r"%🇱🇧%" or Process.CommandLine like r"%🇱🇸%" or Process.CommandLine like r"%🇱🇷%" or Process.CommandLine like r"%🇱🇾%" or Process.CommandLine like r"%🇱🇮%" or Process.CommandLine like r"%🇱🇹%" or Process.CommandLine like r"%🇱🇺%" or Process.CommandLine like r"%🇲🇴%" or Process.CommandLine like r"%🇲🇰%" or Process.CommandLine like r"%🇲🇬%" or Process.CommandLine like r"%🇲🇼%" or Process.CommandLine like r"%🇲🇾%" or Process.CommandLine like r"%🇲🇻%" or Process.CommandLine like r"%🇲🇱%" or Process.CommandLine like r"%🇲🇹%" or Process.CommandLine like r"%🇲🇭%" or Process.CommandLine like r"%🇲🇶%" or Process.CommandLine like r"%🇲🇷%" or Process.CommandLine like r"%🇲🇺%" or Process.CommandLine like r"%🇾🇹%" or Process.CommandLine like r"%🇲🇽%" or Process.CommandLine like r"%🇫🇲%" or Process.CommandLine like r"%🇲🇩%" or Process.CommandLine like r"%🇲🇨%" or Process.CommandLine like r"%🇲🇳%" or Process.CommandLine like r"%🇲🇪%" or Process.CommandLine like r"%🇲🇸%" or Process.CommandLine like r"%🇲🇦%" or Process.CommandLine 
like r"%🇲🇿%" or Process.CommandLine like r"%🇲🇲%" or Process.CommandLine like r"%🇳🇦%" or Process.CommandLine like r"%🇳🇷%" or Process.CommandLine like r"%🇳🇵%" or Process.CommandLine like r"%🇳🇱%" or Process.CommandLine like r"%🇳🇨%" or Process.CommandLine like r"%🇳🇿%" or Process.CommandLine like r"%🇳🇮%" or Process.CommandLine like r"%🇳🇪%" or Process.CommandLine like r"%🇳🇬%" or Process.CommandLine like r"%🇳🇺%" or Process.CommandLine like r"%🇳🇫%" or Process.CommandLine like r"%🇰🇵%" or Process.CommandLine like r"%🇲🇵%" or Process.CommandLine like r"%🇳🇴%" or Process.CommandLine like r"%🇴🇲%" or Process.CommandLine like r"%🇵🇰%" or Process.CommandLine like r"%🇵🇼%" or Process.CommandLine like r"%🇵🇸%" or Process.CommandLine like r"%🇵🇦%" or Process.CommandLine like r"%🇵🇬%" or Process.CommandLine like r"%🇵🇾%" or Process.CommandLine like r"%🇵🇪%" or Process.CommandLine like r"%🇵🇭%" or Process.CommandLine like r"%🇵🇳%" or Process.CommandLine like r"%🇵🇱%" or Process.CommandLine like r"%🇵🇹%" or Process.CommandLine like r"%🇵🇷%" or Process.CommandLine like r"%🇶🇦%" or Process.CommandLine like r"%🇷🇪%" or Process.CommandLine like r"%🇷🇴%" or Process.CommandLine like r"%🇷🇺%" or Process.CommandLine like r"%🇷🇼%" or Process.CommandLine like r"%🇼🇸%" or Process.CommandLine like r"%🇸🇲%" or Process.CommandLine like r"%🇸🇦%" or Process.CommandLine like r"%🇸🇳%" or Process.CommandLine like r"%🇷🇸%" or Process.CommandLine like r"%🇸🇨%" or Process.CommandLine like r"%🇸🇱%" or Process.CommandLine like r"%🇸🇬%" or Process.CommandLine like r"%🇸🇽%" or Process.CommandLine like r"%🇸🇰%" or Process.CommandLine like r"%🇸🇮%" or Process.CommandLine like r"%🇬🇸%" or Process.CommandLine like r"%🇸🇧%" or Process.CommandLine like r"%🇸🇴%" or Process.CommandLine like r"%🇿🇦%" or Process.CommandLine like r"%🇰🇷%" or Process.CommandLine like r"%🇸🇸%" or Process.CommandLine like r"%🇪🇸%" or Process.CommandLine like r"%🇱🇰%" or Process.CommandLine like r"%🇧🇱%" or Process.CommandLine like r"%🇸🇭%" or Process.CommandLine like r"%🇰🇳%" or 
Process.CommandLine like r"%🇱🇨%" or Process.CommandLine like r"%🇵🇲%" or Process.CommandLine like r"%🇻🇨%" or Process.CommandLine like r"%🇸🇩%" or Process.CommandLine like r"%🇸🇷%" or Process.CommandLine like r"%🇸🇿%" or Process.CommandLine like r"%🇸🇪%" or Process.CommandLine like r"%🇨🇭%" or Process.CommandLine like r"%🇸🇾%" or Process.CommandLine like r"%🇹🇼%" or Process.CommandLine like r"%🇹🇯%" or Process.CommandLine like r"%🇹🇿%" or Process.CommandLine like r"%🇹🇭%" or Process.CommandLine like r"%🇹🇱%" or Process.CommandLine like r"%🇹🇬%" or Process.CommandLine like r"%🇹🇰%" or Process.CommandLine like r"%🇹🇴%" or Process.CommandLine like r"%🇹🇹%" or Process.CommandLine like r"%🇹🇳%" or Process.CommandLine like r"%🇹🇷%" or Process.CommandLine like r"%🇹🇲%" or Process.CommandLine like r"%🇹🇨%" or Process.CommandLine like r"%🇹🇻%" or Process.CommandLine like r"%🇻🇮%" or Process.CommandLine like r"%🇺🇬%" or Process.CommandLine like r"%🇺🇦%" or Process.CommandLine like r"%🇦🇪%" or Process.CommandLine like r"%🇬🇧%" or Process.CommandLine like r"%🏴󠁧󠁢󠁥󠁮󠁧󠁿%" or Process.CommandLine like r"%🏴󠁧󠁢󠁳󠁣󠁴󠁿%" or Process.CommandLine like r"%🏴󠁧󠁢󠁷󠁬󠁳󠁿%" or Process.CommandLine like r"%🇺🇳%" or Process.CommandLine like r"%🇺🇸%" or Process.CommandLine like r"%🇺🇾%" or Process.CommandLine like r"%🇺🇿%" or Process.CommandLine like r"%🇻🇺%" or Process.CommandLine like r"%🇻🇦%" or Process.CommandLine like r"%🇻🇪%" or Process.CommandLine like r"%🇻🇳%" or Process.CommandLine like r"%🇼🇫%" or Process.CommandLine like r"%🇪🇭%" or Process.CommandLine like r"%🇾🇪%" or Process.CommandLine like r"%🇿🇲%" or Process.CommandLine like r"%🇿🇼🫠%" or Process.CommandLine like r"%🫢%" or Process.CommandLine like r"%🫣%" or Process.CommandLine like r"%🫡%" or Process.CommandLine like r"%🫥%" or Process.CommandLine like r"%🫤%" or Process.CommandLine like r"%🥹%" or Process.CommandLine like r"%🫱%" or Process.CommandLine like r"%🫱🏻%" or Process.CommandLine like r"%🫱🏼%" or Process.CommandLine like r"%🫱🏽%" or Process.CommandLine like r"%🫱🏾%" or 
Process.CommandLine like r"%🫱🏿%" or Process.CommandLine like r"%🫲%" or Process.CommandLine like r"%🫲🏻%" or Process.CommandLine like r"%🫲🏼%" or Process.CommandLine like r"%🫲🏽%" or Process.CommandLine like r"%🫲🏾%" or Process.CommandLine like r"%🫲🏿%" or Process.CommandLine like r"%🫳%" or Process.CommandLine like r"%🫳🏻%" or Process.CommandLine like r"%🫳🏼%" or Process.CommandLine like r"%🫳🏽%" or Process.CommandLine like r"%🫳🏾%" or Process.CommandLine like r"%🫳🏿%" or Process.CommandLine like r"%🫴%" or Process.CommandLine like r"%🫴🏻%" or Process.CommandLine like r"%🫴🏼%" or Process.CommandLine like r"%🫴🏽%" or Process.CommandLine like r"%🫴🏾%" or Process.CommandLine like r"%🫴🏿%" or Process.CommandLine like r"%🫰%" or Process.CommandLine like r"%🫰🏻%" or Process.CommandLine like r"%🫰🏼%" or Process.CommandLine like r"%🫰🏽%" or Process.CommandLine like r"%🫰🏾%" or Process.CommandLine like r"%🫰🏿%" or Process.CommandLine like r"%🫵%" or Process.CommandLine like r"%🫵🏻%" or Process.CommandLine like r"%🫵🏼%" or Process.CommandLine like r"%🫵🏽%" or Process.CommandLine like r"%🫵🏾%" or Process.CommandLine like r"%🫵🏿%" or Process.CommandLine like r"%🫶%" or Process.CommandLine like r"%🫶🏻%" or Process.CommandLine like r"%🫶🏼%" or Process.CommandLine like r"%🫶🏽%" or Process.CommandLine like r"%🫶🏾%" or Process.CommandLine like r"%🫶🏿%" or Process.CommandLine like r"%🤝🏻%" or Process.CommandLine like r"%🤝🏼%" or Process.CommandLine like r"%🤝🏽%" or Process.CommandLine like r"%🤝🏾%" or Process.CommandLine like r"%🤝🏿%" or Process.CommandLine like r"%🫱🏻‍🫲🏼%" or Process.CommandLine like r"%🫱🏻‍🫲🏽%" or Process.CommandLine like r"%🫱🏻‍🫲🏾%" or Process.CommandLine like r"%🫱🏻‍🫲🏿%" or Process.CommandLine like r"%🫱🏼‍🫲🏻%" or Process.CommandLine like r"%🫱🏼‍🫲🏽%" or Process.CommandLine like r"%🫱🏼‍🫲🏾%" or Process.CommandLine like r"%🫱🏼‍🫲🏿%" or Process.CommandLine like r"%🫱🏽‍🫲🏻%" or Process.CommandLine like r"%🫱🏽‍🫲🏼%" or Process.CommandLine like r"%🫱🏽‍🫲🏾%" or Process.CommandLine like r"%🫱🏽‍🫲🏿%" or Process.CommandLine like 
r"%🫱🏾‍🫲🏻%" or Process.CommandLine like r"%🫱🏾‍🫲🏼%" or Process.CommandLine like r"%🫱🏾‍🫲🏽%" or Process.CommandLine like r"%🫱🏾‍🫲🏿%" or Process.CommandLine like r"%🫱🏿‍🫲🏻%" or Process.CommandLine like r"%🫱🏿‍🫲🏼%" or Process.CommandLine like r"%🫱🏿‍🫲🏽%" or Process.CommandLine like r"%🫱🏿‍🫲🏾%" or Process.CommandLine like r"%🫦%" or Process.CommandLine like r"%🫅%" or Process.CommandLine like r"%🫅🏻%" or Process.CommandLine like r"%🫅🏼%" or Process.CommandLine like r"%🫅🏽%" or Process.CommandLine like r"%🫅🏾%" or Process.CommandLine like r"%🫅🏿%" or Process.CommandLine like r"%🫃%" or Process.CommandLine like r"%🫃🏻%" or Process.CommandLine like r"%🫃🏼%" or Process.CommandLine like r"%🫃🏽%" or Process.CommandLine like r"%🫃🏾%" or Process.CommandLine like r"%🫃🏿%" or Process.CommandLine like r"%🫄%" or Process.CommandLine like r"%🫄🏻%" or Process.CommandLine like r"%🫄🏼%" or Process.CommandLine like r"%🫄🏽%" or Process.CommandLine like r"%🫄🏾%" or Process.CommandLine like r"%🫄🏿%" or Process.CommandLine like r"%🧌%" or Process.CommandLine like r"%🪸%" or Process.CommandLine like r"%🪷%" or Process.CommandLine like r"%🪹%" or Process.CommandLine like r"%🪺%" or Process.CommandLine like r"%🫘%" or Process.CommandLine like r"%🫗%" or Process.CommandLine like r"%🫙%" or Process.CommandLine like r"%🛝%" or Process.CommandLine like r"%🛞%" or Process.CommandLine like r"%🛟%" or Process.CommandLine like r"%🪬%" or Process.CommandLine like r"%🪩%" or Process.CommandLine like r"%🪫%" or Process.CommandLine like r"%🩼%" or Process.CommandLine like r"%🩻%" or Process.CommandLine like r"%🫧%" or Process.CommandLine like r"%🪪%" or Process.CommandLine like r"%🟰%" or Process.CommandLine like r"%😮‍💨%" or Process.CommandLine like r"%😵‍💫%" or Process.CommandLine like r"%😶‍🌫️%" or Process.CommandLine like r"%❤️‍🔥%" or Process.CommandLine like r"%❤️‍🩹%" or Process.CommandLine like r"%🧔‍♀️%" or Process.CommandLine like r"%🧔🏻‍♀️%" or Process.CommandLine like r"%🧔🏼‍♀️%" or Process.CommandLine like r"%🧔🏽‍♀️%" or Process.CommandLine like 
r"%🧔🏾‍♀️%" or Process.CommandLine like r"%🧔🏿‍♀️%" or Process.CommandLine like r"%🧔‍♂️%" or Process.CommandLine like r"%🧔🏻‍♂️%" or Process.CommandLine like r"%🧔🏼‍♂️%" or Process.CommandLine like r"%🧔🏽‍♂️%" or Process.CommandLine like r"%🧔🏾‍♂️%" or Process.CommandLine like r"%🧔🏿‍♂️%" or Process.CommandLine like r"%💑🏻%" or Process.CommandLine like r"%💑🏼%" or Process.CommandLine like r"%💑🏽%" or Process.CommandLine like r"%💑🏾%" or Process.CommandLine like r"%💑🏿%" or Process.CommandLine like r"%💏🏻%" or Process.CommandLine like r"%💏🏼%" or Process.CommandLine like r"%💏🏽%" or Process.CommandLine like r"%💏🏾%" or Process.CommandLine like r"%💏🏿%" or Process.CommandLine like r"%👨🏻‍❤️‍👨🏻%" or Process.CommandLine like r"%👨🏻‍❤️‍👨🏼%" or Process.CommandLine like r"%👨🏻‍❤️‍👨🏽%" or Process.CommandLine like r"%👨🏻‍❤️‍👨🏾%" or Process.CommandLine like r"%👨🏻‍❤️‍👨🏿%" or Process.CommandLine like r"%👨🏼‍❤️‍👨🏻%" or Process.CommandLine like r"%👨🏼‍❤️‍👨🏼%" or Process.CommandLine like r"%👨🏼‍❤️‍👨🏽%" or Process.CommandLine like r"%👨🏼‍❤️‍👨🏾%" or Process.CommandLine like r"%👨🏼‍❤️‍👨🏿%" or Process.CommandLine like r"%👨🏽‍❤️‍👨🏻%" or Process.CommandLine like r"%👨🏽‍❤️‍👨🏼%" or Process.CommandLine like r"%👨🏽‍❤️‍👨🏽%" or Process.CommandLine like r"%👨🏽‍❤️‍👨🏾%" or Process.CommandLine like r"%👨🏽‍❤️‍👨🏿%" or Process.CommandLine like r"%👨🏾‍❤️‍👨🏻%" or Process.CommandLine like r"%👨🏾‍❤️‍👨🏼%" or Process.CommandLine like r"%👨🏾‍❤️‍👨🏽%" or Process.CommandLine like r"%👨🏾‍❤️‍👨🏾%" or Process.CommandLine like r"%👨🏾‍❤️‍👨🏿%" or Process.CommandLine like r"%👨🏿‍❤️‍👨🏻%" or Process.CommandLine like r"%👨🏿‍❤️‍👨🏼%" or Process.CommandLine like r"%👨🏿‍❤️‍👨🏽%" or Process.CommandLine like r"%👨🏿‍❤️‍👨🏾%" or Process.CommandLine like r"%👨🏿‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏻‍❤️‍👨🏻%" or Process.CommandLine like r"%👩🏻‍❤️‍👨🏼%" or Process.CommandLine like r"%👩🏻‍❤️‍👨🏽%" or Process.CommandLine like r"%👩🏻‍❤️‍👨🏾%" or Process.CommandLine like r"%👩🏻‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏻‍❤️‍👩🏻%" or Process.CommandLine like r"%👩🏻‍❤️‍👩🏼%" or 
Process.CommandLine like r"%👩🏻‍❤️‍👩🏽%" or Process.CommandLine like r"%👩🏻‍❤️‍👩🏾%" or Process.CommandLine like r"%👩🏻‍❤️‍👩🏿%" or Process.CommandLine like r"%👩🏼‍❤️‍👨🏻%" or Process.CommandLine like r"%👩🏼‍❤️‍👨🏼%" or Process.CommandLine like r"%👩🏼‍❤️‍👨🏽%" or Process.CommandLine like r"%👩🏼‍❤️‍👨🏾%" or Process.CommandLine like r"%👩🏼‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏼‍❤️‍👩🏻%" or Process.CommandLine like r"%👩🏼‍❤️‍👩🏼%" or Process.CommandLine like r"%👩🏼‍❤️‍👩🏽%" or Process.CommandLine like r"%👩🏼‍❤️‍👩🏾%" or Process.CommandLine like r"%👩🏼‍❤️‍👩🏿%" or Process.CommandLine like r"%👩🏽‍❤️‍👨🏻%" or Process.CommandLine like r"%👩🏽‍❤️‍👨🏼%" or Process.CommandLine like r"%👩🏽‍❤️‍👨🏽%" or Process.CommandLine like r"%👩🏽‍❤️‍👨🏾%" or Process.CommandLine like r"%👩🏽‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏽‍❤️‍👩🏻%" or Process.CommandLine like r"%👩🏽‍❤️‍👩🏼%" or Process.CommandLine like r"%👩🏽‍❤️‍👩🏽%" or Process.CommandLine like r"%👩🏽‍❤️‍👩🏾%" or Process.CommandLine like r"%👩🏽‍❤️‍👩🏿%" or Process.CommandLine like r"%👩🏾‍❤️‍👨🏻%" or Process.CommandLine like r"%👩🏾‍❤️‍👨🏼%" or Process.CommandLine like r"%👩🏾‍❤️‍👨🏽%" or Process.CommandLine like r"%👩🏾‍❤️‍👨🏾%" or Process.CommandLine like r"%👩🏾‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏾‍❤️‍👩🏻%" or Process.CommandLine like r"%👩🏾‍❤️‍👩🏼%" or Process.CommandLine like r"%👩🏾‍❤️‍👩🏽%" or Process.CommandLine like r"%👩🏾‍❤️‍👩🏾%" or Process.CommandLine like r"%👩🏾‍❤️‍👩🏿%" or Process.CommandLine like r"%👩🏿‍❤️‍👨🏻%" or Process.CommandLine like r"%👩🏿‍❤️‍👨🏼%" or Process.CommandLine like r"%👩🏿‍❤️‍👨🏽%" or Process.CommandLine like r"%👩🏿‍❤️‍👨🏾%" or Process.CommandLine like r"%👩🏿‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏿‍❤️‍👩🏻%" or Process.CommandLine like r"%👩🏿‍❤️‍👩🏼%" or Process.CommandLine like r"%👩🏿‍❤️‍👩🏽%" or Process.CommandLine like r"%👩🏿‍❤️‍👩🏾%" or Process.CommandLine like r"%👩🏿‍❤️‍👩🏿%" or Process.CommandLine like r"%🧑🏻‍❤️‍🧑🏼%" or Process.CommandLine like r"%🧑🏻‍❤️‍🧑🏽%" or Process.CommandLine like r"%🧑🏻‍❤️‍🧑🏾%" or Process.CommandLine like r"%🧑🏻‍❤️‍🧑🏿%" or Process.CommandLine like 
r"%🧑🏼‍❤️‍🧑🏻%" or Process.CommandLine like r"%🧑🏼‍❤️‍🧑🏽%" or Process.CommandLine like r"%🧑🏼‍❤️‍🧑🏾%" or Process.CommandLine like r"%🧑🏼‍❤️‍🧑🏿%" or Process.CommandLine like r"%🧑🏽‍❤️‍🧑🏻%" or Process.CommandLine like r"%🧑🏽‍❤️‍🧑🏼%" or Process.CommandLine like r"%🧑🏽‍❤️‍🧑🏾%" or Process.CommandLine like r"%🧑🏽‍❤️‍🧑🏿%" or Process.CommandLine like r"%🧑🏾‍❤️‍🧑🏻%" or Process.CommandLine like r"%🧑🏾‍❤️‍🧑🏼%" or Process.CommandLine like r"%🧑🏾‍❤️‍🧑🏽%" or Process.CommandLine like r"%🧑🏾‍❤️‍🧑🏿%" or Process.CommandLine like r"%🧑🏿‍❤️‍🧑🏻%" or Process.CommandLine like r"%🧑🏿‍❤️‍🧑🏼%" or Process.CommandLine like r"%🧑🏿‍❤️‍🧑🏽%" or Process.CommandLine like r"%🧑🏿‍❤️‍🧑🏾%" or Process.CommandLine like r"%👨🏻‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👨🏻‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👨🏻‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👨🏻‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👨🏻‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👨🏼‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👨🏼‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👨🏼‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👨🏼‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👨🏼‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👨🏽‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👨🏽‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👨🏽‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👨🏽‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👨🏽‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👨🏾‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👨🏾‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👨🏾‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👨🏾‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👨🏾‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👨🏿‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👨🏿‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👨🏿‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👨🏿‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👨🏿‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👨🏿%" or Process.CommandLine like 
r"%👩🏻‍❤️‍💋‍👩🏻%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👩🏼%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👩🏽%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👩🏾%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👩🏿%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👩🏻%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👩🏼%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👩🏽%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👩🏾%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👩🏿%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👩🏻%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👩🏼%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👩🏽%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👩🏾%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👩🏿%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👩🏻%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👩🏼%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👩🏽%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👩🏾%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👩🏿%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👩🏻%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👩🏼%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👩🏽%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👩🏾%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👩🏿%" or Process.CommandLine like r"%🧑🏻‍❤️‍💋‍🧑🏼%" or 
Process.CommandLine like r"%🧑🏻‍❤️‍💋‍🧑🏽%" or Process.CommandLine like r"%🧑🏻‍❤️‍💋‍🧑🏾%" or Process.CommandLine like r"%🧑🏻‍❤️‍💋‍🧑🏿%" or Process.CommandLine like r"%🧑🏼‍❤️‍💋‍🧑🏻%" or Process.CommandLine like r"%🧑🏼‍❤️‍💋‍🧑🏽%" or Process.CommandLine like r"%🧑🏼‍❤️‍💋‍🧑🏾%" or Process.CommandLine like r"%🧑🏼‍❤️‍💋‍🧑🏿%" or Process.CommandLine like r"%🧑🏽‍❤️‍💋‍🧑🏻%" or Process.CommandLine like r"%🧑🏽‍❤️‍💋‍🧑🏼%" or Process.CommandLine like r"%🧑🏽‍❤️‍💋‍🧑🏾%" or Process.CommandLine like r"%🧑🏽‍❤️‍💋‍🧑🏿%" or Process.CommandLine like r"%🧑🏾‍❤️‍💋‍🧑🏻%" or Process.CommandLine like r"%🧑🏾‍❤️‍💋‍🧑🏼%" or Process.CommandLine like r"%🧑🏾‍❤️‍💋‍🧑🏽%" or Process.CommandLine like r"%🧑🏾‍❤️‍💋‍🧑🏿%" or Process.CommandLine like r"%🧑🏿‍❤️‍💋‍🧑🏻%" or Process.CommandLine like r"%🧑🏿‍❤️‍💋‍🧑🏼%" or Process.CommandLine like r"%🧑🏿‍❤️‍💋‍🧑🏽%" or Process.CommandLine like r"%🧑🏿‍❤️‍💋‍🧑🏾%" +Annotation = {"mitre_attack": ["T1090"], "author": "Florian Roth (Nextron Systems), oscd.community"} +Query = (Process.Path like r"%\\netsh.exe" or Process.Name == "netsh.exe") and Process.CommandLine like r"% i%" and Process.CommandLine like r"% p%" and Process.CommandLine like r"%=3389%" and Process.CommandLine like r"% c%" [ThreatDetectionRule platform=Windows] -# Detects suspicious ways to run Invoke-Execution using IEX alias -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 09576804-7a05-458e-a817-eb718ca91f54 -RuleName = Suspicious PowerShell IEX Execution Patterns +# Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion. 
+# Author: Florian Roth (Nextron Systems)
+RuleId = 737e618a-a410-49b5-bec3-9e55ff7fbc15
+RuleName = Suspicious Calculator Usage
 EventType = Process.Start
-Tag = proc-start-suspicious-powershell-iex-execution-patterns
+Tag = proc-start-suspicious-calculator-usage
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"% | iex;%" or Process.CommandLine like r"% | iex %" or Process.CommandLine like r"% | iex}%" or Process.CommandLine like r"% | IEX ;%" or Process.CommandLine like r"% | IEX -Error%" or Process.CommandLine like r"% | IEX (new%" or Process.CommandLine like r"%);IEX %") and (Process.CommandLine like r"%::FromBase64String%" or Process.CommandLine like r"%.GetString([System.Convert]::%") or Process.CommandLine like r"%)|iex;$%" or Process.CommandLine like r"%);iex($%" or Process.CommandLine like r"%);iex $%" or Process.CommandLine like r"% | IEX | %" or Process.CommandLine like r"% | iex\\\"%"
+Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems)"}
+Query = Process.CommandLine like r"%\\calc.exe %" or Process.Path like r"%\\calc.exe" and not (Process.Path like r"%:\\Windows\\System32\\%" or Process.Path like r"%:\\Windows\\SysWOW64\\%" or Process.Path like r"%:\\Windows\\WinSxS\\%")
 [ThreatDetectionRule platform=Windows]
-# Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code. 
+# Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
 # Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = f99abdf0-6283-4e71-bd2b-b5c048a94743
-RuleName = Potentially Suspicious Office Document Executed From Trusted Location
+RuleId = dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
+RuleName = Delete Important Scheduled Task
 EventType = Process.Start
-Tag = proc-start-potentially-suspicious-office-document-executed-from-trusted-location
+Tag = proc-start-delete-important-scheduled-task
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1202"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Parent.Path like r"%\\explorer.exe" or Parent.Path like r"%\\dopus.exe") and (Process.Path like r"%\\EXCEL.EXE" or Process.Path like r"%\\POWERPNT.EXE" or Process.Path like r"%\\WINWORD.exe" or Process.Name in ["Excel.exe", "POWERPNT.EXE", "WinWord.exe"]) and (Process.CommandLine like r"%\\AppData\\Roaming\\Microsoft\\Templates%" or Process.CommandLine like r"%\\AppData\\Roaming\\Microsoft\\Word\\Startup\\%" or Process.CommandLine like r"%\\Microsoft Office\\root\\Templates\\%" or Process.CommandLine like r"%\\Microsoft Office\\Templates\\%") and not (Process.CommandLine like r"%.dotx" or Process.CommandLine like r"%.xltx" or Process.CommandLine like r"%.potx")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1489"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/delete%" and Process.CommandLine like r"%/tn%" and (Process.CommandLine like r"%\\Windows\\BitLocker%" or Process.CommandLine like r"%\\Windows\\ExploitGuard%" or Process.CommandLine like r"%\\Windows\\SystemRestore\\SR%" or Process.CommandLine like r"%\\Windows\\UpdateOrchestrator\\%" or Process.CommandLine like r"%\\Windows\\Windows Defender\\%" or Process.CommandLine like r"%\\Windows\\WindowsBackup\\%" or 
Process.CommandLine like r"%\\Windows\\WindowsUpdate\\%")
 [ThreatDetectionRule platform=Windows]
-# Detects Obfuscated use of stdin to execute PowerShell
-# Author: Jonathan Cheong, oscd.community
-RuleId = 6c96fc76-0eb1-11eb-adc1-0242ac120002
-RuleName = Invoke-Obfuscation STDIN+ Launcher
+# Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
+# SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = c7d33b50-f690-4b51-8cfb-0fb912a31e57
+RuleName = HackTool - SharpDPAPI Execution
 EventType = Process.Start
-Tag = proc-start-invoke-obfuscation-stdin+-launcher
+Tag = proc-start-hacktool-sharpdpapi-execution
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Jonathan Cheong, oscd.community"}
-Query = Process.CommandLine regex "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\\""
+Annotation = {"mitre_attack": ["T1134.001", "T1134.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.Path like r"%\\SharpDPAPI.exe" or Process.Name == "SharpDPAPI.exe" or (Process.CommandLine like r"% backupkey %" or Process.CommandLine like r"% blob %" or Process.CommandLine like r"% certificates %" or Process.CommandLine like r"% credentials %" or Process.CommandLine like r"% keepass %" or Process.CommandLine like r"% masterkeys %" or Process.CommandLine like r"% rdg %" or Process.CommandLine like r"% vaults %") and (Process.CommandLine like r"% {%" and Process.CommandLine like r"%}:%" or Process.CommandLine like r"% /file:%" or Process.CommandLine like r"% /machine%" or Process.CommandLine like r"% /mkfile:%" or Process.CommandLine like r"% /password:%" or Process.CommandLine like r"% /pvk:%" or Process.CommandLine like r"% /server:%" or Process.CommandLine like r"% /target:%" or Process.CommandLine like r"% /unprotect%")
 [ThreatDetectionRule platform=Windows]
-# Detects creation of Microsoft 
Office files inside of one of the default startup folders in order to achieve persistence.
-# Author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-RuleId = 0e20c89d-2264-44ae-8238-aeeaba609ece
-RuleName = Potential Persistence Via Microsoft Office Startup Folder
+# Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
+# Author: The DFIR Report
+RuleId = b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
+RuleName = Suspicious Binaries and Scripts in Public Folder
 EventType = File.Create
-Tag = potential-persistence-via-microsoft-office-startup-folder
+Tag = suspicious-binaries-and-scripts-in-public-folder
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1137"], "author": "Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
-Query = ((File.Path like r"%\\Microsoft\\Word\\STARTUP%" or File.Path like r"%\\Office%" and File.Path like r"%\\Program Files%" and File.Path like r"%\\STARTUP%") and (File.Path like r"%.doc" or File.Path like r"%.docm" or File.Path like r"%.docx" or File.Path like r"%.dot" or File.Path like r"%.dotm" or File.Path like r"%.rtf") or (File.Path like r"%\\Microsoft\\Excel\\XLSTART%" or File.Path like r"%\\Office%" and File.Path like r"%\\Program Files%" and File.Path like r"%\\XLSTART%") and (File.Path like r"%.xls" or File.Path like r"%.xlsm" or File.Path like r"%.xlsx" or File.Path like r"%.xlt" or File.Path like r"%.xltm")) and not (Process.Path like r"%\\WINWORD.exe" or Process.Path like r"%\\EXCEL.exe")
+Annotation = {"mitre_attack": ["T1204"], "author": "The DFIR Report"}
+Query = File.Path like r"%:\\Users\\Public\\%" and (File.Path like r"%.bat" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.hta" or File.Path like r"%.js" or File.Path like r"%.ps1" or File.Path like r"%.vbe" or File.Path like r"%.vbs")
 GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects potential 
WerFault "ReflectDebugger" registry value abuse for persistence.
-# Author: X__Junior
-RuleId = 0cf2e1c6-8d10-4273-8059-738778f981ad
-RuleName = Potential WerFault ReflectDebugger Registry Value Abuse
-EventType = Reg.Any
-Tag = potential-werfault-reflectdebugger-registry-value-abuse
+# Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
+# Author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
+RuleId = edc2f8ae-2412-4dfd-b9d5-0c57727e70be
+RuleName = Potential Powershell ReverseShell Connection
+EventType = Process.Start
+Tag = proc-start-potential-powershell-reverseshell-connection
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1036.003"], "author": "X__Junior"}
-Query = Reg.EventType == "SetValue" and Reg.TargetObject like r"%\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.EventType
+Annotation = {"mitre_attack": ["T1059.001"], "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Name in ["PowerShell.EXE", "pwsh.dll"] or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"% Net.Sockets.TCPClient%" and Process.CommandLine like r"%.GetStream(%" and Process.CommandLine like r"%.Write(%"
 [ThreatDetectionRule platform=Windows]
-# Detects various execution patterns of the CrackMapExec pentesting framework
-# Author: Thomas Patzke
-RuleId = 058f4380-962d-40a5-afce-50207d36d7e2
-RuleName = HackTool - CrackMapExec Execution Patterns
+# Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) 
that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
+# Author: Cian Heasley, Florian Roth (Nextron Systems)
+RuleId = f64e5c19-879c-4bae-b471-6d84c8339677
+RuleName = Webshell Tool Reconnaissance Activity
 EventType = Process.Start
-Tag = proc-start-hacktool-crackmapexec-execution-patterns
+Tag = proc-start-webshell-tool-reconnaissance-activity
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1047", "T1053", "T1059.003", "T1059.001"], "author": "Thomas Patzke"}
-Query = Process.CommandLine like r"%cmd.exe /Q /c % 1> \\\\%\\%\\% 2>&1%" or Process.CommandLine like r"%cmd.exe /C % > \\\\%\\%\\% 2>&1%" or Process.CommandLine like r"%cmd.exe /C % > %\\Temp\\% 2>&1%" or Process.CommandLine like r"%powershell.exe -exec bypass -noni -nop -w 1 -C \"%" or Process.CommandLine like r"%powershell.exe -noni -nop -w 1 -enc %"
+Annotation = {"mitre_attack": ["T1505.003"], "author": "Cian Heasley, Florian Roth (Nextron Systems)"}
+Query = (Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\ws\_tomcatservice.exe" or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%") or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Process.CommandLine like r"%CATALINA\_HOME%" or Process.CommandLine like r"%catalina.jar%")) and (Process.CommandLine like r"%perl --help%" or Process.CommandLine like r"%perl -h%" or Process.CommandLine like r"%python --help%" or Process.CommandLine like r"%python -h%" or Process.CommandLine like r"%python3 --help%" or Process.CommandLine like r"%python3 -h%" or Process.CommandLine like r"%wget --help%")
+GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=Windows]
-# Detects the presence of the keywords "lsass" 
and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
-# Author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-RuleId = ffa6861c-4461-4f59-8a41-578c39f3f23e
-RuleName = LSASS Dump Keyword In CommandLine
-EventType = Process.Start
-Tag = proc-start-lsass-dump-keyword-in-commandline
+# Detects an executable initiating a network connection to "ngrok" tunneling domains.
+# Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
+# While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
+# Author: Florian Roth (Nextron Systems)
+RuleId = 1d08ac94-400d-4469-a82f-daee9a908849
+RuleName = Communication To Ngrok Tunneling Service Initiated
+EventType = Net.Any
+Tag = communication-to-ngrok-tunneling-service-initiated
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1003.001"], "author": "E.M. 
Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.CommandLine like r"%lsass.dmp%" or Process.CommandLine like r"%lsass.zip%" or Process.CommandLine like r"%lsass.rar%" or Process.CommandLine like r"%Andrew.dmp%" or Process.CommandLine like r"%Coredump.dmp%" or Process.CommandLine like r"%NotLSASS.zip%" or Process.CommandLine like r"%lsass\_2%" or Process.CommandLine like r"%lsassdump%" or Process.CommandLine like r"%lsassdmp%" or Process.CommandLine like r"%lsass%" and Process.CommandLine like r"%.dmp%" or Process.CommandLine like r"%SQLDmpr%" and Process.CommandLine like r"%.mdmp%" or Process.CommandLine like r"%nanodump%" and Process.CommandLine like r"%.dmp%"
+Annotation = {"mitre_attack": ["T1567", "T1568.002", "T1572", "T1090", "T1102"], "author": "Florian Roth (Nextron Systems)"}
+Query = Net.Target.Name like r"%tunnel.us.ngrok.com%" or Net.Target.Name like r"%tunnel.eu.ngrok.com%" or Net.Target.Name like r"%tunnel.ap.ngrok.com%" or Net.Target.Name like r"%tunnel.au.ngrok.com%" or Net.Target.Name like r"%tunnel.sa.ngrok.com%" or Net.Target.Name like r"%tunnel.jp.ngrok.com%" or Net.Target.Name like r"%tunnel.in.ngrok.com%"
+GenericProperty1 = Net.Target.Name
 [ThreatDetectionRule platform=Windows]
-# Detects loading of known vulnerable drivers via their hash. 
-# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8 -RuleName = Vulnerable Driver Load -EventType = Driver.Load -Tag = vulnerable-driver-load +# Detects suspicious addition to BitLocker related registry keys via the reg.exe utility +# Author: frack113 +RuleId = 0e0255bf-2548-47b8-9582-c0955c9283f5 +RuleName = Suspicious Reg Add BitLocker +EventType = Process.Start +Tag = proc-start-suspicious-reg-add-bitlocker RiskScore = 75 -Annotation = {"mitre_attack": ["T1543.003", "T1068"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Image.Hashes like r"%MD5=c996d7971c49252c582171d9380360f2%" or Image.Hashes like r"%MD5=da7e98b23b49b7293ee06713032c74f6%" or Image.Hashes like r"%MD5=9496585198d726000ea505abc39dbfe9%" or Image.Hashes like r"%MD5=649ff59b8e571c1fc6535b31662407aa%" or Image.Hashes like r"%MD5=4429f85e2415742c7cf8c9f54905c4b9%" or Image.Hashes like r"%MD5=a610cd4c762b5af8575285dafb9baa8f%" or Image.Hashes like r"%MD5=d5e76d125d624f8025d534f49e3c4162%" or Image.Hashes like r"%MD5=9c8fffef24fc480917236f9a20b80a47%" or Image.Hashes like r"%MD5=65b979bcab915c3922578fe77953d789%" or Image.Hashes like r"%MD5=598f8fb2317350e5f90b7bd16baf5738%" or Image.Hashes like r"%MD5=6691e873354f1914692df104718eebad%" or Image.Hashes like r"%MD5=4814205270caa80d35569eee8081838e%" or Image.Hashes like r"%MD5=7f9128654c3def08c28e0e13efff0fee%" or Image.Hashes like r"%MD5=ce952204558ea66ec1a9632dcbdde8bd%" or Image.Hashes like r"%MD5=0c0195c48b6b8582fa6f6373032118da%" or Image.Hashes like r"%MD5=370a4ca29a7cf1d6bc0744afc12b236c%" or Image.Hashes like r"%MD5=67e03f83c503c3f11843942df32efe5a%" or Image.Hashes like r"%MD5=8a70921638ff82bb924456deadcd20e6%" or Image.Hashes like r"%MD5=8a212a246b3c41f3ddce5888aaaaacd6%" or Image.Hashes like r"%MD5=a346417e9ae2c17a8fbf73302eeb611d%" or Image.Hashes like r"%MD5=d4f7c14e92b36c341c41ae93159407dd%" or Image.Hashes like r"%MD5=748cf64b95ca83abc35762ad2c25458f%" or Image.Hashes like 
r"%MD5=79ab228766c76cfdf42a64722821711e%" or Image.Hashes like r"%MD5=ce67e51b8c0370d1bfe421b79fa8b656%" or Image.Hashes like r"%MD5=25190f667f31318dd9a2e36383d5709f%" or Image.Hashes like r"%MD5=1f263a57c5ef46c8577744ecb32c9548%" or Image.Hashes like r"%MD5=c6cfa2d6e4c443e673c2c12417ea3001%" or Image.Hashes like r"%MD5=cceb3a7e3bd0203c807168b393a65a74%" or Image.Hashes like r"%MD5=56b54823a79a53747cbe11f8c4db7b1e%" or Image.Hashes like r"%MD5=988dabdcf990b134b0ac1e00512c30c4%" or Image.Hashes like r"%MD5=09e77d71d626574e6142894caca6e6dd%" or Image.Hashes like r"%MD5=c832a4313ff082258240b61b88efa025%" or Image.Hashes like r"%MD5=44499d3cab387aa78a4a6eca2ac181fb%" or Image.Hashes like r"%MD5=6ff59faea912903af0ba8e80e58612bc%" or Image.Hashes like r"%MD5=7461f0f9b931044a9d5f1d44eb4e8e09%" or Image.Hashes like r"%MD5=08bac71557df8a9b1381c8c165f64520%" or Image.Hashes like r"%MD5=fea9319d67177ed6f36438d2bd9392fb%" or Image.Hashes like r"%MD5=6dd82d91f981893be57ff90101a7f7f1%" or Image.Hashes like r"%MD5=d4119a5cb07ce945c6549eae74e39731%" or Image.Hashes like r"%MD5=cf1113723e3c1c71af80d228f040c198%" or Image.Hashes like r"%MD5=0e625b7a7c3f75524e307b160f8db337%" or Image.Hashes like r"%MD5=6e1faeee0ebfcb384208772410fe1e86%" or Image.Hashes like r"%MD5=58a92520dda53166e322118ee0503364%" or Image.Hashes like r"%MD5=916ba55fc004b85939ee0cc86a5191c5%" or Image.Hashes like r"%MD5=f16b44cca74d3c3645e4c0a6bb5c0cb9%" or Image.Hashes like r"%MD5=db2fc89098ac722dabe3c37ed23de340%" or Image.Hashes like r"%MD5=6f5cf7feb9bb8108b68f169b8e625ffe%" or Image.Hashes like r"%MD5=d2588631d8aae2a3e54410eaf54f0679%" or Image.Hashes like r"%MD5=72acbdd8fac58b71b301980eab3ebfc8%" or Image.Hashes like r"%MD5=9cc757a18b86408efc1ce3ed20cbcdac%" or Image.Hashes like r"%MD5=230fd3749904ca045ea5ec0aa14006e9%" or Image.Hashes like r"%MD5=79329e2917623181888605bc5b302711%" or Image.Hashes like r"%MD5=3e4a1384a27013ab7b767a88b8a1bd34%" or Image.Hashes like r"%MD5=bafd6bad121e42f940a0b8abc587eadf%" or 
Image.Hashes like r"%MD5=02a1d77ef13bd41cad04abcce896d0b9%" or Image.Hashes like r"%MD5=de331f863627dc489f547725d7292bbd%" or Image.Hashes like r"%MD5=29122f970a9e766ef01a73e0616d68b3%" or Image.Hashes like r"%MD5=2b8814cff6351c2b775387770053bdec%" or Image.Hashes like r"%MD5=332db70d2c5c332768ab063ba6ac8433%" or Image.Hashes like r"%MD5=40f39a98fb513411dacdfc5b2d972206%" or Image.Hashes like r"%MD5=644d687c9f96c82ea2974ccacd8cd549%" or Image.Hashes like r"%MD5=825703c494e0d270f797f1ecf070f698%" or Image.Hashes like r"%MD5=afae2a21e36158f5cf4f76f896649c75%" or Image.Hashes like r"%MD5=dd050e79c515e4a6d1ae36cac5545025%" or Image.Hashes like r"%MD5=6133e1008f8c6fc32d4b1a60941bab85%" or Image.Hashes like r"%MD5=0e2fc7e7f85c980eb698b9e468c20366%" or Image.Hashes like r"%MD5=94c80490b02cc655d2d80597c3aef08f%" or Image.Hashes like r"%MD5=4d487f77be4471900d6ccbc47242cc25%" or Image.Hashes like r"%MD5=2e3dbb01b282a526bdc3031e0663c41c%" or Image.Hashes like r"%MD5=93a23503e26773c27ed1da06bb79e7a4%" or Image.Hashes like r"%MD5=ffd0c87d9bf894af26823fbde94c71b6%" or Image.Hashes like r"%MD5=a86150f2e29b35369afa2cafd7aa9764%" or Image.Hashes like r"%MD5=6126065af2fc2639473d12ee3c0c198e%" or Image.Hashes like r"%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%" or Image.Hashes like r"%MD5=f0db5af13c457a299a64cf524c64b042%" or Image.Hashes like r"%MD5=e5e8ecb20bc5630414707295327d755e%" or Image.Hashes like r"%MD5=659a59d7e26b7730361244e12201378e%" or Image.Hashes like r"%MD5=8f47af49c330c9fcf3451ad2252b9e04%" or Image.Hashes like r"%MD5=dd9596c18818288845423c68f3f39800%" or Image.Hashes like r"%MD5=a7d3ebfb3843ee28d9ca18b496bd0eb2%" or Image.Hashes like r"%MD5=20125794b807116617d43f02b616e092%" or Image.Hashes like r"%MD5=46cae59443ae41f4dbb42e050a9b501a%" or Image.Hashes like r"%MD5=21e13f2cb269defeae5e1d09887d47bb%" or Image.Hashes like r"%MD5=5bab40019419a2713298a5c9173e5d30%" or Image.Hashes like r"%MD5=7314c2bc19c6608d511ef36e17a12c98%" or Image.Hashes like 
r"%MD5=24061b0958874c1cb2a5a8e9d25482d4%" or Image.Hashes like r"%MD5=31a4631d77b2357ac9618e2a60021f11%" or Image.Hashes like r"%MD5=130c5aec46bdec8d534df7222d160fdb%" or Image.Hashes like r"%MD5=592065b29131af32aa18a9e546be9617%" or Image.Hashes like r"%MD5=2d64d681d79e0d26650928259530c075%" or Image.Hashes like r"%MD5=1ce19950e23c975f677b80ff59d04fae%" or Image.Hashes like r"%MD5=318e309e11199ec69d8928c46a4d901b%" or Image.Hashes like r"%MD5=d78a29306f42d42cd48ad6bc6c6a7602%" or Image.Hashes like r"%MD5=6a094d8e4b00dd1d93eb494099e98478%" or Image.Hashes like r"%MD5=0be80db5d9368fdb29fe9d9bfdd02e7c%" or Image.Hashes like r"%MD5=ba23266992ad964eff6d358d946b76bd%" or Image.Hashes like r"%MD5=560069dc51d3cc7f9cf1f4e940f93cae%" or Image.Hashes like r"%MD5=a785b3bc4309d2eb111911c1b55e793f%" or Image.Hashes like r"%MD5=ac591a3b4df82a589edbb236263ec70a%" or Image.Hashes like r"%MD5=a664904f69756834049e9e272abb6fea%" or Image.Hashes like r"%MD5=19f32bf24b725f103f49dc3fa2f4f0bd%" or Image.Hashes like r"%MD5=2509a71a02296aa65a3428ddfac22180%" or Image.Hashes like r"%MD5=9988fc825675d4d3e2298537fc78e303%" or Image.Hashes like r"%MD5=dab9142dc12480bb39f25c9911df6c6c%" or Image.Hashes like r"%MD5=2c47725db0c5eb5c2ecc32ff208bceb6%" or Image.Hashes like r"%MD5=bdfe1f0346c066971e1f3d96f7fdaa2c%" or Image.Hashes like r"%MD5=7644bed8b74dc294ac77bf406df8ad77%" or Image.Hashes like r"%MD5=9ade14e58996a6abbfe2409d6cddba6a%" or Image.Hashes like r"%MD5=5212e0957468d3f94d90fa7a0f06b58f%" or Image.Hashes like r"%MD5=96e10a2904fff9491762a4fb549ad580%" or Image.Hashes like r"%MD5=0c55128c301921ce71991a6d546756ad%" or Image.Hashes like r"%MD5=97e90c869b5b0f493b833710931c39ed%" or Image.Hashes like r"%MD5=f36b8094c2fbf57f99870bfaeeacb25c%" or Image.Hashes like r"%MD5=b3d6378185356326fd8ee4329b0b7698%" or Image.Hashes like r"%MD5=9321a61a25c7961d9f36852ecaa86f55%" or Image.Hashes like r"%MD5=f758e7d53184faab5bc51f751937fa36%" or Image.Hashes like r"%MD5=1f7b2a00fe0c55d17d1b04c5e0507970%" or 
Image.Hashes like r"%MD5=239224202ccdea1f09813a70be8413ee%" or Image.Hashes like r"%MD5=996ded363410dfd38af50c76bd5b4fbc%" or Image.Hashes like r"%MD5=0fc2653b1c45f08ca0abd1eb7772e3c0%" or Image.Hashes like r"%MD5=79b8119b012352d255961e76605567d6%" or Image.Hashes like r"%MD5=2e1f8a2a80221deb93496a861693c565%" or Image.Hashes like r"%MD5=697bbd86ee1d386ae1e99759b1e38919%" or Image.Hashes like r"%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%" or Image.Hashes like r"%MD5=2971d4ee95f640d2818e38d8877c8984%" or Image.Hashes like r"%MD5=962a33a191dbe56915fd196e3a868cf0%" or Image.Hashes like r"%MD5=7575b35fee4ec8dbd0a61dbca3b972e3%" or Image.Hashes like r"%MD5=2d7f1c02b94d6f0f3e10107e5ea8e141%" or Image.Hashes like r"%MD5=057ec65bac5e786affeb97c0a0d1db15%" or Image.Hashes like r"%MD5=483abeee17e4e30a760ec8c0d6d31d6d%" or Image.Hashes like r"%MD5=f23b2adcfab58e33872e5c2d0041ad88%" or Image.Hashes like r"%MD5=2601cf769ad6ffee727997679693f774%" or Image.Hashes like r"%MD5=b4598c05d5440250633e25933fff42b0%" or Image.Hashes like r"%MD5=2e5f016ff9378be41fe98fa62f99b12d%" or Image.Hashes like r"%MD5=75d6c3469347de1cdfa3b1b9f1544208%" or Image.Hashes like r"%MD5=828bb9cb1dd449cd65a29b18ec46055f%" or Image.Hashes like r"%MD5=1bd38ac06ef8709ad23af666622609c9%" or Image.Hashes like r"%MD5=e747f164fc89566f934f9ec5627cd8c3%" or Image.Hashes like r"%MD5=a01c412699b6f21645b2885c2bae4454%" or Image.Hashes like r"%MD5=a216803d691d92acc44ac77d981aa767%" or Image.Hashes like r"%MD5=112b4a6d8c205c1287c66ad0009c3226%" or Image.Hashes like r"%MD5=68dde686d6999ad2e5d182b20403240b%" or Image.Hashes like r"%MD5=2d854c6772f0daa8d1fde4168d26c36b%" or Image.Hashes like r"%MD5=9a9dbf5107848c254381be67a4c1b1dd%" or Image.Hashes like r"%MD5=3ecd3ca61ffc54b0d93f8b19161b83da%" or Image.Hashes like r"%MD5=1ad400766530669d14a077514599e7f3%" or Image.Hashes like r"%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%" or Image.Hashes like r"%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%" or Image.Hashes like 
r"%MD5=043d5a1fc66662a3f91b8a9c027f9be9%" or Image.Hashes like r"%MD5=a0e2223868b6133c5712ba5ed20c3e8a%" or Image.Hashes like r"%MD5=2b3e0db4f00d4b3d0b4d178234b02e72%" or Image.Hashes like r"%MD5=1610342659cb8eb4a0361dbc047a2221%" or Image.Hashes like r"%MD5=c842827d4704a5ef53a809463254e1cc%" or Image.Hashes like r"%MD5=bf2a954160cb155df0df433929e9102b%" or Image.Hashes like r"%MD5=81b72492d45982cd7a4a138676329fd6%" or Image.Hashes like r"%MD5=2a2867e1f323320fdeef40c1da578a9a%" or Image.Hashes like r"%MD5=b3f132ce34207b7be899f4978276b66d%" or Image.Hashes like r"%MD5=3247014ba35d406475311a2eab0c4657%" or Image.Hashes like r"%MD5=88d5fc86f0dd3a8b42463f8d5503a570%" or Image.Hashes like r"%MD5=0be5c6476dd58072c93af4fca62ee4b3%" or Image.Hashes like r"%MD5=3cf7a55ec897cc938aebb8161cb8e74f%" or Image.Hashes like r"%MD5=931d4f01b5a88027ef86437f1b862000%" or Image.Hashes like r"%MD5=d253c19194a18030296ae62a10821640%" or Image.Hashes like r"%MD5=c5f5d109f11aadebae94c77b27cb026f%" or Image.Hashes like r"%MD5=15dd3ef7df34f9b464e9b38c2deb0793%" or Image.Hashes like r"%MD5=e913a51f66e380837ffe8da6707d4cc4%" or Image.Hashes like r"%MD5=c552dae8eaadd708a38704e8d62cf64d%" or Image.Hashes like r"%MD5=1f8a9619ab644728ce4cf86f3ad879ea%" or Image.Hashes like r"%MD5=f7edd110de10f9a50c2922f1450819aa%" or Image.Hashes like r"%MD5=be17a598e0f5314748ade0871ad343e7%" or Image.Hashes like r"%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%" or Image.Hashes like r"%MD5=880686bceaf66bfde3c80569eb1ebfa7%" or Image.Hashes like r"%MD5=bc1eeb4993a601e6f7776233028ac095%" or Image.Hashes like r"%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%" or Image.Hashes like r"%MD5=3a1ba5cd653a9ddce30c58e7c8ae28ae%" or Image.Hashes like r"%MD5=5054083cf29649a76c94658ba7ff5bce%" or Image.Hashes like r"%MD5=dedd07993780d973c22c93e77ab69fa3%" or Image.Hashes like r"%MD5=3aacaa62758fa6d178043d78ba89bebc%" or Image.Hashes like r"%MD5=f1a203406a680cc7e4017844b129dcbf%" or Image.Hashes like r"%MD5=2399e6f7f868d05623be03a616b4811e%" or 
Image.Hashes like r"%MD5=0d5774527af6e30905317839686b449d%" or Image.Hashes like r"%MD5=5bbe4e52bd33f1cdd4cf38c7c65f80ae%" or Image.Hashes like r"%MD5=047c06d4d38ea443c9af23a501c4480d%" or Image.Hashes like r"%MD5=a72e10ecea2fdeb8b9d4f45d0294086b%" or Image.Hashes like r"%MD5=c9c25778efe890baa4087e32937016a0%" or Image.Hashes like r"%MD5=0ba6afe0ea182236f98365bd977adfdf%" or Image.Hashes like r"%MD5=e626956c883c7ff3aeb0414570135a58%" or Image.Hashes like r"%MD5=3e796eb95aca7e620d6a0c2118d6871b%" or Image.Hashes like r"%MD5=f3f5c518bc3715492cb0b7c59e94c357%" or Image.Hashes like r"%MD5=4e92f1c677e08fd09b57032c5b47ca46%" or Image.Hashes like r"%MD5=f22740ba54a400fd2be7690bb204aa08%" or Image.Hashes like r"%MD5=3467b0d996251dc56a72fc51a536dd6b%" or Image.Hashes like r"%MD5=198b723e13a270bb664dcb9fb6ed42e6%" or Image.Hashes like r"%MD5=bdc3b6b83dde7111d5d6b9a2aadf233f%" or Image.Hashes like r"%MD5=3651a6990fe38711ebb285143f867a43%" or Image.Hashes like r"%MD5=7db75077d53a63531ef2742d98ca6acc%" or Image.Hashes like r"%MD5=55c36d43dd930069148008902f431ea5%" or Image.Hashes like r"%MD5=f026460a7a720d0b8394f28a1f9203dc%" or Image.Hashes like r"%MD5=cb22776d06f1e81cc87faeb0245acde8%" or Image.Hashes like r"%MD5=b994110f069d197222508a724d8afdac%" or Image.Hashes like r"%MD5=e6eaee1b3e41f404c289e22df66ef66b%" or Image.Hashes like r"%MD5=29872c7376c42e2a64fa838dad98aa11%" or Image.Hashes like r"%MD5=d21fba3d09e5b060bd08796916166218%" or Image.Hashes like r"%MD5=880611326b768c4922e9da8a8effc582%" or Image.Hashes like r"%MD5=9c3c250646e11052b1e38500ee0e467b%" or Image.Hashes like r"%MD5=178cc9403816c082d22a1d47fa1f9c85%" or Image.Hashes like r"%MD5=2c1045bb133b7c9f5115e7f2b20c267a%" or Image.Hashes like r"%MD5=707ab1170389eba44ffd4cfad01b5969%" or Image.Hashes like r"%MD5=ddf2655068467d981242ea96e3b88614%" or Image.Hashes like r"%MD5=7907e14f9bcf3a4689c9a74a1a873cb6%" or Image.Hashes like r"%MD5=b3424a229d845a88340045c29327c529%" or Image.Hashes like 
r"%MD5=0b0447072ada1636a14087574a512c82%" or Image.Hashes like r"%MD5=0be4a11bc261f3cd8b4dbfebee88c209%" or Image.Hashes like r"%MD5=7dd538bcaa98d6c063ead8606066333f%" or Image.Hashes like r"%MD5=8a108158431e9a7d08e330fd7a46d175%" or Image.Hashes like r"%MD5=e6ea0e8d2edcc6cad3c414a889d17ac4%" or Image.Hashes like r"%MD5=288471f132c7249f598032d03575f083%" or Image.Hashes like r"%MD5=11fb599312cb1cf43ca5e879ed6fb71e%" or Image.Hashes like r"%MD5=2348508499406dec3b508f349949cb51%" or Image.Hashes like r"%MD5=fe820a5f99b092c3660762c6fc6c64e0%" or Image.Hashes like r"%MD5=c508d28487121828c3a1c2b57acb05be%" or Image.Hashes like r"%MD5=91755cc5c3ccf97313dc2bece813b4d9%" or Image.Hashes like r"%MD5=2f8653034a35526df88ea0c62b035a42%" or Image.Hashes like r"%MD5=3dbf69f935ea48571ea6b0f5a2878896%" or Image.Hashes like r"%MD5=7e3a6f880486a4782b896e6dbd9cc26f%" or Image.Hashes like r"%MD5=2850608430dd089f24386f3336c84729%" or Image.Hashes like r"%MD5=a711e6ab17802fabf2e69e0cd57c54cd%" or Image.Hashes like r"%MD5=2eec12c17d6b8deeeac485f47131d150%" or Image.Hashes like r"%MD5=e7ab83a655b0cd934a19d94ac81e4eec%" or Image.Hashes like r"%MD5=a91a1bc393971a662a3210dac8c17dfd%" or Image.Hashes like r"%MD5=2fed983ec44d1e7cffb0d516407746f2%" or Image.Hashes like r"%MD5=18439fe2aaeddfd355ef88091cb6c15f%" or Image.Hashes like r"%MD5=592756f68ab8ae590662b0c4212a3bb9%" or Image.Hashes like r"%MD5=d63c9c1a427a134461258b7b8742858f%" or Image.Hashes like r"%MD5=6e25148bb384469f3d5386dc5217548a%" or Image.Hashes like r"%MD5=700d6a0331befd4ed9cfbb3234b335e7%" or Image.Hashes like r"%MD5=e68972cd9f28f0be0f9df7207aba9d1d%" or Image.Hashes like r"%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%" or Image.Hashes like r"%MD5=c796a92a66ec725b7b7febbdc13dc69b%" or Image.Hashes like r"%MD5=5b6c21e8366220f7511e6904ffeeced9%" or Image.Hashes like r"%MD5=8741e6df191c805028b92cec44b1ba88%" or Image.Hashes like r"%MD5=b47dee29b5e6e1939567a926c7a3e6a4%" or Image.Hashes like r"%MD5=dff6c75c9754a6be61a47a273364cdf7%" or 
Image.Hashes like r"%MD5=d86269ba823c9ecf49a145540cd0b3df%" or Image.Hashes like r"%MD5=3c55092900343d3d28564e2d34e7be2c%" or Image.Hashes like r"%MD5=fef9dd9ea587f8886ade43c1befbdafe%" or Image.Hashes like r"%MD5=96c5900331bd17344f338d006888bae5%" or Image.Hashes like r"%MD5=7e7e3f5532b6af24dcc252ac4b240311%" or Image.Hashes like r"%MD5=c6f8983dd3d75640c072a8459b8fa55a%" or Image.Hashes like r"%MD5=1caf5070493459ba029d988dbb2c7422%" or Image.Hashes like r"%MD5=2b653950483196f0d175ba6bc35f1125%" or Image.Hashes like r"%MD5=15814b675e9d08953f2c64e4e5ccb4f4%" or Image.Hashes like r"%MD5=de4001f89ed139d1ed6ae5586d48997a%" or Image.Hashes like r"%MD5=dc943bf367ae77016ae399df8e71d38a%" or Image.Hashes like r"%MD5=524cd77f4c100cf20af4004f740b0268%" or Image.Hashes like r"%MD5=e5f8fcdfb52155ed4dffd8a205b3d091%" or Image.Hashes like r"%MD5=925ee3f3227c3b63e141ba16bd83f024%" or Image.Hashes like r"%MD5=fbf729350ca08a7673b115ce9c9eb7e5%" or Image.Hashes like r"%MD5=eb0a8eeb444033ebf9b4b304f114f2c8%" or Image.Hashes like r"%MD5=c7a57cd4bea07dadba2e2fb914379910%" or Image.Hashes like r"%MD5=384370c812acb7181f972d57dc77c324%" or Image.Hashes like r"%MD5=d43dcba796b40234267ad2862fa52600%" or Image.Hashes like r"%MD5=b0954711c133d284a171dd560c8f492a%" or Image.Hashes like r"%MD5=262969a3fab32b9e17e63e2d17a57744%" or Image.Hashes like r"%MD5=05a6f843c43d75fbce8e885bb8656aa4%" or Image.Hashes like r"%MD5=992ded5b623be3c228f32edb4ca3f2d2%" or Image.Hashes like r"%MD5=13a0d3f9d5f39adaca0a8d3bb327eb31%" or Image.Hashes like r"%MD5=f5051c756035ef5de9c4c48bacb0612b%" or Image.Hashes like r"%MD5=1276f735d22cf04676a719edc6b0df18%" or Image.Hashes like r"%MD5=d4a299c595d35264b5cfd12490a138dc%" or Image.Hashes like r"%MD5=f4e1997192d5a95a38965c9e15c687fc%" or Image.Hashes like r"%MD5=05369fa594a033e48b7921018b3263fb%" or Image.Hashes like r"%MD5=ed07f1a8038596574184e09211dfc30f%" or Image.Hashes like r"%MD5=e1ebc6c5257a277115a7e61ee3e5e42f%" or Image.Hashes like 
r"%MD5=821adf5ba68fd8cc7f4f1bc915fe47de%" or Image.Hashes like r"%MD5=b12d1630fd50b2a21fd91e45d522ba3a%" or Image.Hashes like r"%MD5=729dd4df669dc96e74f4180c6ee2a64b%" or Image.Hashes like r"%MD5=c6b5a3ae07b165a6e5fff7e31ff91016%" or Image.Hashes like r"%MD5=e36f6f7401ae11e11f69d744703914db%" or Image.Hashes like r"%MD5=9ba7c30177d2897bb3f7b3dc2f95ae0a%" or Image.Hashes like r"%MD5=b5326548762bfaae7a42d5b0898dfeac%" or Image.Hashes like r"%MD5=f2f728d2f69765f5dfda913d407783d2%" or Image.Hashes like r"%MD5=637cf50b06bc53deae846b252d56bbdc%" or Image.Hashes like r"%MD5=c37b575c3a96b9788c26cefcf43f3542%" or Image.Hashes like r"%MD5=e4266262a77fffdea2584283f6c4f51d%" or Image.Hashes like r"%MD5=054299e09cea38df2b84e6b29348b418%" or Image.Hashes like r"%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%" or Image.Hashes like r"%MD5=d717f8de642b65f029829c34fbd13a45%" or Image.Hashes like r"%MD5=e79c91c27df3eaf82fb7bd1280172517%" or Image.Hashes like r"%MD5=fd7de498a72b2daf89f321d23948c3c4%" or Image.Hashes like r"%MD5=6682176866d6bd6b4ea3c8e398bd3aae%" or Image.Hashes like r"%MD5=eb525d99a31eb4fff09814e83593a494%" or Image.Hashes like r"%MD5=e323413de3caec7f7730b43c551f26a0%" or Image.Hashes like r"%MD5=353e5d424668d785f13c904fde3bac84%" or Image.Hashes like r"%MD5=3b9698a9ee85f0b4edf150deef790ccd%" or Image.Hashes like r"%MD5=3f8cdaf7413000d34d6a1a1d5341a11b%" or Image.Hashes like r"%MD5=dcd966874b4c8c952662d2d16ddb4d7c%" or Image.Hashes like r"%MD5=3fda3d414c31ad73efd8ccceeaa3bdc2%" or Image.Hashes like r"%MD5=ca6931fcbc1492d7283aa9dc0149032e%" or Image.Hashes like r"%MD5=084bd27e151fef55b5d80025c3114d35%" or Image.Hashes like r"%MD5=7c887f2b1a56b84d86828529604957db%" or Image.Hashes like r"%MD5=c24800c382b38707e556af957e9e94fd%" or Image.Hashes like r"%MD5=f84da507b3067f019c340b737cd68d32%" or Image.Hashes like r"%MD5=d3026938514218766cb6d3b36ccfa322%" or Image.Hashes like r"%MD5=6917ef5d483ed30be14f8085eaef521b%" or Image.Hashes like r"%MD5=945ef111161bae49075107e5bc11a23f%" or 
Image.Hashes like r"%MD5=44a3b9cc0a8e89c11544932b295ea113%" or Image.Hashes like r"%MD5=6cc3c3be2de12310a35a6ab2aed141d6%" or Image.Hashes like r"%MD5=085d3423f3c12a17119920f1a293ab4d%" or Image.Hashes like r"%MD5=547971da89a47b6ad6459cd7d7854e12%" or Image.Hashes like r"%MD5=aa5dd4beca6f67733e04d9d050ecd523%" or Image.Hashes like r"%MD5=903c149851e9929ec45daefc544fcd99%" or Image.Hashes like r"%MD5=ba5f0f6347780c2ed911bbf888e75bef%" or Image.Hashes like r"%MD5=1873a2ce2df273d409c47094bc269285%" or Image.Hashes like r"%MD5=97e3a44ec4ae58c8cc38eefc613e950e%" or Image.Hashes like r"%MD5=1cb26adeca26aefb5a61065e990402da%" or Image.Hashes like r"%MD5=17fe96af33f1fe475957689aeb5f816e%" or Image.Hashes like r"%MD5=c5b8e612360277ac70aa328432a99fd6%" or Image.Hashes like r"%MD5=62f8d7f884366df6100c7e892e3d70bf%" or Image.Hashes like r"%MD5=a5deee418b7b580ca89db8a871dc1645%" or Image.Hashes like r"%MD5=5f44a01ccc530b34051b9d0ccb5bb842%" or Image.Hashes like r"%MD5=25ede0fd525a30d31998ea62876961ec%" or Image.Hashes like r"%MD5=1c61eb82f1269d8d6be8de2411133811%" or Image.Hashes like r"%MD5=338a98e1c27bc76f09331fcd7ae413a5%" or Image.Hashes like r"%MD5=f66b96aa7ae430b56289409241645099%" or Image.Hashes like r"%MD5=8ea94766cd7890483449dc193d267993%" or Image.Hashes like r"%MD5=75fa19142531cbf490770c2988a7db64%" or Image.Hashes like r"%MD5=ee3b74cdfed959782dff84153e3d5a6e%" or Image.Hashes like r"%MD5=fdf975524d4cdb4f127d79aac571ae9e%" or Image.Hashes like r"%MD5=688a10e87af9bcf0e40277d927923a00%" or Image.Hashes like r"%MD5=62792c30836ae7861c3ca2409cd35c02%" or Image.Hashes like r"%MD5=b62e2371158a082e239f5883bd6000d1%" or Image.Hashes like r"%MD5=1f01257d9730f805b2a1d69099ef891d%" or Image.Hashes like r"%MD5=b934322c68c30dceca96c0274a51f7b0%" or Image.Hashes like r"%MD5=76355d5eafdfa3e9b7580b9153de1f30%" or Image.Hashes like r"%MD5=9fdcd543574a712a80d62da8bfd8331c%" or Image.Hashes like r"%MD5=1440c0da81c700bd61142bc569477d81%" or Image.Hashes like 
r"%MD5=4c76554d9a72653c6156ca0024d21a8e%" or Image.Hashes like r"%MD5=148bd10da8c8d64928a213c7bf1f2fca%" or Image.Hashes like r"%MD5=95e4c7b0384da89dce8ea6f31c3613d9%" or Image.Hashes like r"%MD5=e6cb1728c50bd020e531d19a14904e1c%" or Image.Hashes like r"%MD5=62f02339fe267dc7438f603bfb5431a1%" or Image.Hashes like r"%MD5=0a4e6bd5cc2e9172e461408be47c3149%" or Image.Hashes like r"%MD5=28cb0b64134ad62c2acf77db8501a619%" or Image.Hashes like r"%MD5=4ecfb46fcdce95623f994bd29bbe59cb%" or Image.Hashes like r"%MD5=7ee0c884e7d282958c5b3a9e47f23e13%" or Image.Hashes like r"%MD5=dbc415304403be25ac83047c170b0ec2%" or Image.Hashes like r"%MD5=0c7f66cd219817eaab41f36d4bc0d4cd%" or Image.Hashes like r"%MD5=3c9c537167923723429c86ab38743e7d%" or Image.Hashes like r"%MD5=a57b47489febc552515778dd0fd1e51c%" or Image.Hashes like r"%MD5=680dcb5c39c1ec40ac3897bb3e9f27b9%" or Image.Hashes like r"%MD5=5f9785e7535f8f602cb294a54962c9e7%" or Image.Hashes like r"%MD5=e4ea7ebfa142d20a92fbe468a77eafa6%" or Image.Hashes like r"%MD5=32365e3e64d28cc94756ac9a09b67f06%" or Image.Hashes like r"%MD5=be9eeea2a8cac5f6cd92c97f234e2fe1%" or Image.Hashes like r"%MD5=5bd30b502168013c9ea03a5c2f1c9776%" or Image.Hashes like r"%MD5=ba21bfa3d05661ba216873a9ef66a6e2%" or Image.Hashes like r"%MD5=dad8f40626ed4702e0e8502562d93d7c%" or Image.Hashes like r"%MD5=8fbb1ffc6f13f9d5ee8480b36baffc52%" or Image.Hashes like r"%MD5=bedc99bbcedaf89e2ee1aa574c5a2fa4%" or Image.Hashes like r"%MD5=9dd414590e695ea208139c23db8a5aa3%" or Image.Hashes like r"%MD5=270052c61f4de95ebfbf3a49fb39235f%" or Image.Hashes like r"%MD5=19c0c18384d6a6d65462be891692df9c%" or Image.Hashes like r"%MD5=a26e600652c33dd054731b4693bf5b01%" or Image.Hashes like r"%MD5=8b779fe1d71839ad361226f66f1b3fe5%" or Image.Hashes like r"%MD5=8ad9dfc971df71cd43788ade6acf8e7d%" or Image.Hashes like r"%MD5=2dbc09c853c4bf2e058d29aaa21fa803%" or Image.Hashes like r"%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%" or Image.Hashes like r"%MD5=fef60a37301e1f5a3020fa3487fb2cd7%" or 
Image.Hashes like r"%MD5=4353b713487a2945b823423bbbf709bd%" or Image.Hashes like r"%MD5=875c44411674b75feb07592aeffa09c1%" or Image.Hashes like r"%MD5=b971b79bdca77e8755e615909a1c7a9f%" or Image.Hashes like r"%MD5=ad03f225247b58a57584b40a4d1746d3%" or Image.Hashes like r"%MD5=2229d5a9a92b62df4df9cf51f48436f7%" or Image.Hashes like r"%MD5=5bb840db439eb281927588dbce5f5418%" or Image.Hashes like r"%MD5=fd80c3d38669b302de4b4b736941c0d1%" or Image.Hashes like r"%MD5=d1440503d1528c55fdc569678a663667%" or Image.Hashes like r"%MD5=d1e57c74bafa56e8e2641290d153f4d2%" or Image.Hashes like r"%MD5=c9b046a6961957cc6c93a5192d3e61e3%" or Image.Hashes like r"%MD5=ff795e4f387c3e22291083b7d6b92ffb%" or Image.Hashes like r"%MD5=782f165b1d2db23f78e82fee0127cc14%" or Image.Hashes like r"%MD5=002a58b90a589913a07012253662c98c%" or Image.Hashes like r"%MD5=0211ab46b73a2623b86c1cfcb30579ab%" or Image.Hashes like r"%MD5=d0a5b98788e480c12afc65ad3e6d4478%" or Image.Hashes like r"%MD5=d6cc5709aca6a6b868962a6506d48abc%" or Image.Hashes like r"%MD5=08001b0cdb0946433366032827d7a187%" or Image.Hashes like r"%MD5=8fc6cafd4e63a3271edf6a1897a892ae%" or Image.Hashes like r"%MD5=0e207ef80361b3d047a2358d0e2206b4%" or Image.Hashes like r"%MD5=b10b210c5944965d0dc85e70a0b19a42%" or Image.Hashes like r"%MD5=006d9d615cdcc105f642ab599b66f94e%" or Image.Hashes like r"%MD5=b32497762d916dba6c827e31205b67dd%" or Image.Hashes like r"%MD5=f766a9bb7cd46ba8c871484058f908f0%" or Image.Hashes like r"%MD5=546db985012d988e4482acfae4a935a8%" or Image.Hashes like r"%MD5=700e9902b0a28979724582f116288bad%" or Image.Hashes like r"%MD5=0395b4e0eb21693590ad1cfdf7044b8b%" or Image.Hashes like r"%MD5=d95c9a241e52b4f967fa4cdb7b99fc80%" or Image.Hashes like r"%MD5=ee91da973bebe6442527b3d1abcc3c80%" or Image.Hashes like r"%MD5=1a234f4643f5658bab07bfa611282267%" or Image.Hashes like r"%MD5=1898ceda3247213c084f43637ef163b3%" or Image.Hashes like r"%MD5=1b5c3c458e31bede55145d0644e88d75%" or Image.Hashes like 
r"%MD5=42132c7a755064f94314b01afb80e73c%" or Image.Hashes like r"%MD5=1b76363059fef4f7da752eb0dfb0c1e1%" or Image.Hashes like r"%MD5=cc8855fe30a9cdef895177a4cf1a3dad%" or Image.Hashes like r"%MD5=6d4159694e1754f262e326b52a3b305a%" or Image.Hashes like r"%MD5=b7ca4c32c844df9b61634052ae276387%" or Image.Hashes like r"%MD5=361a598d8bb92c13b18abb7cac850b01%" or Image.Hashes like r"%MD5=27bcbeec8a466178a6057b64bef66512%" or Image.Hashes like r"%MD5=f310b453ac562f2c53d30aa6e35506bb%" or Image.Hashes like r"%MD5=14add4f16d80595e6e816abf038141e5%" or Image.Hashes like r"%MD5=ab53d07f18a9697139ddc825b466f696%" or Image.Hashes like r"%MD5=278761b706276f9b49e1e2fd21b9cb07%" or Image.Hashes like r"%MD5=60e84516c6ec6dfdae7b422d1f7cab06%" or Image.Hashes like r"%MD5=20afd54ca260e2bf6589fac72935fecf%" or Image.Hashes like r"%MD5=3ad7b36a584504b3c70b5f552ba33015%" or Image.Hashes like r"%MD5=9f3b5de6fe46429bed794813c6ae8421%" or Image.Hashes like r"%MD5=7b9717c608a5f5a1c816128a609e9575%" or Image.Hashes like r"%MD5=798de15f187c1f013095bbbeb6fb6197%" or Image.Hashes like r"%MD5=66066d9852bc65988fb4777f0ff3fbb4%" or Image.Hashes like r"%MD5=13dda15ef67eb265869fc371c72d6ef0%" or Image.Hashes like r"%MD5=63e333d64a8716e1ae59f914cb686ae8%" or Image.Hashes like r"%MD5=3411fdf098aa20193eee5ffa36ba43b2%" or Image.Hashes like r"%MD5=ad6d5177656dfc5b43def5d13d32f9f6%" or Image.Hashes like r"%MD5=97221e16e7a99a00592ca278c49ffbfc%" or Image.Hashes like r"%MD5=010c0e5ac584e3ab97a2daf84cf436f5%" or Image.Hashes like r"%MD5=29b1ddc69e89b160cc3722e5e0738fd8%" or Image.Hashes like r"%MD5=aad4fb47cb39a9ab4159662a29e1ee88%" or Image.Hashes like r"%MD5=4e093256b034925ecd6b29473ff16858%" or Image.Hashes like r"%MD5=51c233297c3aa16c4222e35ded1139b6%" or Image.Hashes like r"%MD5=9945823e9846724c70d2f8d66a403300%" or Image.Hashes like r"%MD5=aa2ef08d48b66bd814280976614468a7%" or Image.Hashes like r"%MD5=33fc573c0e8bedfe3614e17219273429%" or Image.Hashes like r"%MD5=c08063f052308b6f5882482615387f30%" or 
Image.Hashes like r"%MD5=c8c6fadcb7cb85f197ab77e6a7b67aa9%" or Image.Hashes like r"%MD5=3f29f651a3c4ff5ce16d61deccf46618%" or Image.Hashes like r"%MD5=08c1bce6627764c9f8c79439555c5636%" or Image.Hashes like r"%MD5=1da1cfe6aa15325c9ecf8f8c9b2cd12d%" or Image.Hashes like r"%MD5=c1d063c9422a19944cdaa6714623f2ec%" or Image.Hashes like r"%MD5=b0809d8adc254c52f9d06362489ce474%" or Image.Hashes like r"%MD5=a22626febc924eb219a953f1ee2b9600%" or Image.Hashes like r"%MD5=5a615f4641287e5e88968f5455627d45%" or Image.Hashes like r"%MD5=de2aac9468158c73880e31509924d7e0%" or Image.Hashes like r"%MD5=dd38cc344d2a0da1c03e92eb4b89a193%" or Image.Hashes like r"%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%" or Image.Hashes like r"%MD5=0634299fc837b47b531e4762d946b2ae%" or Image.Hashes like r"%MD5=e4ff4edce076f21f5f8d082a62c9db8b%" or Image.Hashes like r"%MD5=43ed1d08c19626688db34f63e55114fb%" or Image.Hashes like r"%MD5=6c28461e78f8d908ca9a66bad2e212f7%" or Image.Hashes like r"%MD5=8aa9d47ec9a0713c56b6dec3d601d105%" or Image.Hashes like r"%MD5=c9390a8f3ca511c1306a039ca5d80997%" or Image.Hashes like r"%MD5=c60a4bc4fec820d88113afb1da6e4db3%" or Image.Hashes like r"%MD5=6b3abe55c4d39e305a11b4d1091dfaac%" or Image.Hashes like r"%MD5=f4a31e08f89e5f002ef3cf7b1224af5f%" or Image.Hashes like r"%MD5=d7cf689e6c63d37bc071499f687300dd%" or Image.Hashes like r"%MD5=7c0b186d1912686cfcb8cd9cdebabe58%" or Image.Hashes like r"%MD5=8cb2ffb8bb0bbf8cd0dd685611854637%" or Image.Hashes like r"%MD5=9b359b722ac80c4e0a5235264e1e0156%" or Image.Hashes like r"%MD5=09927915aba84c8acd91efdaac674b86%" or Image.Hashes like r"%MD5=e4b50e44d1f12a47e18259b41074f126%" or Image.Hashes like r"%MD5=0ec361f2fba49c73260af351c39ff9cb%" or Image.Hashes like r"%MD5=65ad6a7c43f8d566afd5676f9447b6c1%" or Image.Hashes like r"%MD5=ddb7da975d90b2a9c9c58e1af55f0285%" or Image.Hashes like r"%MD5=8291dcbcbccc2ce28195d04ac616a1b5%" or Image.Hashes like r"%MD5=2da269863ed99be7b6b8ec2adc710648%" or Image.Hashes like 
r"%MD5=2ab9f5a66d75adb01171bb04ab4380f2%" or Image.Hashes like r"%MD5=3a7c69293fcd5688cc398691093ec06a%" or Image.Hashes like r"%MD5=13a2b915f6d93e52505656773d53096f%" or Image.Hashes like r"%MD5=7bd840ff7f15df79a9a71fec7db1243e%" or Image.Hashes like r"%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%" or Image.Hashes like r"%MD5=a1547e8b2ca0516d0d9191a55b8536c0%" or Image.Hashes like r"%MD5=e04ff937f6fd273b774f23aed5dd8c13%" or Image.Hashes like r"%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%" or Image.Hashes like r"%MD5=cb31f1b637056a3d374e22865c41e6d9%" or Image.Hashes like r"%MD5=c69c292e0b76b25a5fa0e16136770e11%" or Image.Hashes like r"%MD5=cebf532d1e3c109418687cb9207516ad%" or Image.Hashes like r"%MD5=eeb8e039f6d942538eb4b0252117899a%" or Image.Hashes like r"%MD5=4d99d02f49e027332a0a9c31c674e13b%" or Image.Hashes like r"%MD5=e9a30edef1105b8a64218f892b2e56ed%" or Image.Hashes like r"%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%" or Image.Hashes like r"%MD5=70196d88c03f2ea557281b24dad85de5%" or Image.Hashes like r"%MD5=708ac9f7b12b6ca4553fd8d0c7299296%" or Image.Hashes like r"%MD5=cafbf85b902f189ba35f3d7823aad195%" or Image.Hashes like r"%MD5=d48f681f70e19d2fa521df63bc72ab9e%" or Image.Hashes like r"%MD5=6ae9d25e02b54367a4e93c2492b8b02e%" or Image.Hashes like r"%MD5=f14359ceb3705d77353b244bb795b552%" or Image.Hashes like r"%MD5=0d992b69029d1f23a872ff5a3352fb5b%" or Image.Hashes like r"%MD5=9993a2a45c745bb0139bf3e8decd626c%" or Image.Hashes like r"%MD5=6d67da13cf84f15f6797ed929dd8cf5d%" or Image.Hashes like r"%MD5=c2eb4539a4f6ab6edd01bdc191619975%" or Image.Hashes like r"%MD5=349fa788a4a7b57e37e426aca9b736d5%" or Image.Hashes like r"%MD5=4c016fd76ed5c05e84ca8cab77993961%" or Image.Hashes like r"%MD5=ea14899d1bfba397bc731770765768d1%" or Image.Hashes like r"%MD5=4ec08e0bcdf3e880e7f5a7d78a73440c%" or Image.Hashes like r"%MD5=e65fa439efa9e5ad1d2c9aee40c7238e%" or Image.Hashes like r"%MD5=0898af0888d8f7a9544ef56e5e16354e%" or Image.Hashes like r"%MD5=10e681ce84afdd642e59ddfdb28284e9%" or 
Image.Hashes like r"%MD5=b5f96dd5cc7d14a9860ab99d161bf171%" or Image.Hashes like r"%MD5=37c3a9fef349d13685ec9c2acaaeafce%" or Image.Hashes like r"%MD5=027e10a5048b135862d638b9085d1402%" or Image.Hashes like r"%MD5=b0baac4d6cbac384a633c71858b35a2e%" or Image.Hashes like r"%MD5=d0a5f9ace1f0c459cef714156db1de02%" or Image.Hashes like r"%MD5=b34361d151c793415ef92ee5d368c053%" or Image.Hashes like r"%MD5=f0fdfdf3303e2f7c141aa3a24d523af1%" or Image.Hashes like r"%MD5=d424f369f7e010249619f0ecbe5f3805%" or Image.Hashes like r"%MD5=639252292bb40b3f10f8a6842aee3cd4%" or Image.Hashes like r"%MD5=7e6e2ed880c7ab115fca68136051f9ce%" or Image.Hashes like r"%MD5=f8dce1eb0f9fcaf07f68fe290aa629e4%" or Image.Hashes like r"%MD5=fa222bed731713904320723b9c085b11%" or Image.Hashes like r"%MD5=aa69b4255e786d968adbd75ba5cf3e93%" or Image.Hashes like r"%MD5=06ffbb2cbf5ac9ef95773b4f5c4c896a%" or Image.Hashes like r"%MD5=00685003005b0b437af929f0499545e4%" or Image.Hashes like r"%MD5=85e606523ce390f7fcd8370d5f4b812a%" or Image.Hashes like r"%MD5=23cf3da010497eb2bf39a5c5a57e437c%" or Image.Hashes like r"%MD5=dc9be271f403e2278071d6ece408ff28%" or Image.Hashes like r"%MD5=6b16512bffe88146a7915f749bd81641%" or Image.Hashes like r"%MD5=c2585e2696e21e25c05122e37e75a947%" or Image.Hashes like r"%MD5=165178829b5587a628977bfca6fd6900%" or Image.Hashes like r"%MD5=24156523b923fd9dcfdd0ac684dcdb20%" or Image.Hashes like r"%MD5=750d1f07ea9d10b38a33636036c30cca%" or Image.Hashes like r"%MD5=fc90bcc43daa48882be359a17b71abf7%" or Image.Hashes like r"%MD5=09672532194b4bff5e0f7a7d782c7bf2%" or Image.Hashes like r"%MD5=212bfd1ef00e199a365aeb74a8182609%" or Image.Hashes like r"%MD5=e3d290406de40c32095bd76dc88179fb%" or Image.Hashes like r"%MD5=715572dfe6fb10b16f980bfa242f3fa5%" or Image.Hashes like r"%MD5=c8f88ca47b393da6acf87fa190e81333%" or Image.Hashes like r"%MD5=d0c2caa17c7b6d2200e1b5aa9d07135e%" or Image.Hashes like r"%MD5=16a8e8437b94d6207af2f25fd4801b6d%" or Image.Hashes like 
r"%MD5=7bdf418a65ec33ec8ff47e7de705a4e1%" or Image.Hashes like r"%MD5=31f34de4374a6ed0e70a022a0efa2570%" or Image.Hashes like r"%MD5=cfad9185ffcf5850b5810c28b24d5fc8%" or Image.Hashes like r"%MD5=6ba221afb17342a3c81245a4958516a2%" or Image.Hashes like r"%MD5=f44f6ec546850ceb796a2cb528928a91%" or Image.Hashes like r"%MD5=34a7fab63a4ed5a0b61eb204828e08e5%" or Image.Hashes like r"%MD5=a92bf3c219a5fa82087b6c31bdf36ff3%" or Image.Hashes like r"%MD5=fa0d1fca7c5b44ce3b799389434fcaa5%" or Image.Hashes like r"%MD5=affe4764d880e78b2afb2643b15b8d41%" or Image.Hashes like r"%MD5=f80ceb0dbb889663f0bee058b109ce0e%" or Image.Hashes like r"%MD5=25ebe6f757129adbe78ec312a5f1800b%" or Image.Hashes like r"%MD5=7f7b8cde26c4943c9465e412adbb790f%" or Image.Hashes like r"%MD5=bfe96411cf67edb3cee2b9894b910cd5%" or Image.Hashes like r"%MD5=6e2178dc5f9e37e6b4b6cbdaef1b12b1%" or Image.Hashes like r"%MD5=0420fa6704fd0590c5ce7176fdada650%" or Image.Hashes like r"%MD5=7ed6030f14e66e743241f2c1fa783e69%" or Image.Hashes like r"%MD5=61e8367fb57297a949c9a80c2e0e5a38%" or Image.Hashes like r"%MD5=7951fa3096c99295d681acb0742506bf%" or Image.Hashes like r"%MD5=bcd60bf152fdec05cd40562b466be252%" or Image.Hashes like r"%MD5=376b1e8957227a3639ec1482900d9b97%" or Image.Hashes like r"%MD5=7331720a5522d5cd972623326cf87a3f%" or Image.Hashes like r"%MD5=8e78ab9b9709bafb11695a0a6eddeff9%" or Image.Hashes like r"%MD5=8abbb12e61045984eda19e2dc77b235e%" or Image.Hashes like r"%MD5=0199a59af05d9986842ecbdee3884f0c%" or Image.Hashes like r"%MD5=729afa54490443da66c2685bd77cb1f0%" or Image.Hashes like r"%MD5=95c88d25e211a4d52a82c53e5d93e634%" or Image.Hashes like r"%MD5=aa55dd14064cb808613d09195e3ba749%" or Image.Hashes like r"%MD5=ef1afb3a5ddad6795721f824690b4a69%" or Image.Hashes like r"%MD5=db46c56849bbce9a55a03283efc8c280%" or Image.Hashes like r"%MD5=991230087394738976dbd44f92516cae%" or Image.Hashes like r"%MD5=3af19d325f9dcdf360276ae5e7c136ea%" or Image.Hashes like r"%MD5=98763a3dee3cf03de334f00f95fc071a%" or 
Image.Hashes like r"%MD5=4b194021d6bd6650cbd1aed9370b2329%" or Image.Hashes like r"%MD5=517d484bdbad4637188ec7a908335b86%" or Image.Hashes like r"%MD5=2ddd3c0e23bc0fd63702910c597298b4%" or Image.Hashes like r"%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%" or Image.Hashes like r"%MD5=6bada94085b6709694f8327c211d12e1%" or Image.Hashes like r"%MD5=5c5f1c2dc6c2479bafec7c010c41c6ec%" or Image.Hashes like r"%MD5=ab81264493c218a0e875a0d50104ac9f%" or Image.Hashes like r"%MD5=ea2ff60fcce3b9ffe0bd77658b88512d%" or Image.Hashes like r"%MD5=76d1d4d285f74059f32b8ad19a146d0c%" or Image.Hashes like r"%MD5=b9cf3294c13cdea624ab95ca3e2e483f%" or Image.Hashes like r"%MD5=0cd0fe9d16b62415b116686a2f414f8c%" or Image.Hashes like r"%MD5=2503c4cf31588f0b011eb992ca3ee7ff%" or Image.Hashes like r"%MD5=f0470f82ba58bc4309f83a0f2aefa4d5%" or Image.Hashes like r"%MD5=db72def618cbc3c5f9aa82f091b54250%" or Image.Hashes like r"%MD5=2ff629de3667fcd606a0693951f1c1a9%" or Image.Hashes like r"%MD5=119f0656ab4bb872f79ee5d421e2b9f9%" or Image.Hashes like r"%MD5=55a7c51dc2aa959c41e391db8f6b8b4f%" or Image.Hashes like r"%MD5=009876ab9cf3a3d4e3fc3afe13ae839e%" or Image.Hashes like r"%MD5=f8a13d4413a93dd005fad116cbd6b6f7%" or Image.Hashes like r"%MD5=5093f38d597532d59d4df9018056f0d1%" or Image.Hashes like r"%MD5=00f887e74faad40e6e97d9d0e9c71370%" or Image.Hashes like r"%MD5=0215d0681979987fe908fb19dab83399%" or Image.Hashes like r"%MD5=7962d91b1f53ce55c7338788bd4eb378%" or Image.Hashes like r"%MD5=1bca427ab8e67a9db833eb8f0ff92196%" or Image.Hashes like r"%MD5=a730b97ab977aa444fa261902822a905%" or Image.Hashes like r"%MD5=a453083b8f4ca7cb60cac327e97edbe2%" or Image.Hashes like r"%MD5=afc2448b4080f695e76e059a96958cab%" or Image.Hashes like r"%MD5=4f963d716a60737e5b59299f00daf285%" or Image.Hashes like r"%MD5=ee59b64ae296a87bf7a6aee38ad09617%" or Image.Hashes like r"%MD5=1c9d2a993e99054050b596d88b307d95%" or Image.Hashes like r"%MD5=5cd0ec261c8c2a39d9105fbbcad4e5b9%" or Image.Hashes like 
r"%MD5=4c6d311e0b13c4f469f717db4ab4d0e7%" or Image.Hashes like r"%MD5=84fb76ee319073e77fb364bbbbff5461%" or Image.Hashes like r"%MD5=d660fc7255646d5014d45c3bca9c6e20%" or Image.Hashes like r"%MD5=ecccbf1e7c727f923c9d709707800e6c%" or Image.Hashes like r"%MD5=94ccef76fda12ab0b8270f9b2980552b%" or Image.Hashes like r"%MD5=f853abe0dc162601e66e4a346faed854%" or Image.Hashes like r"%MD5=154fd286c96665946d55a7d49923ad7e%" or Image.Hashes like r"%MD5=a5afd20e34bcd634ebd25b3ab2ff3403%" or Image.Hashes like r"%MD5=c9c7113f5e15f70fcc576e835c859d56%" or Image.Hashes like r"%MD5=ad22a7b010de6f9c6f39c350a471a440%" or Image.Hashes like r"%MD5=7a6a6d6921cd1a4e1d61f9672a4560d6%" or Image.Hashes like r"%MD5=9af5ae780b6a9ea485fa15f28ddb20a7%" or Image.Hashes like r"%MD5=1f15a513abc039533ca996552ba27e51%" or Image.Hashes like r"%MD5=d1bac75205c389d6d5d6418f0457c29b%" or Image.Hashes like r"%MD5=36527fdb70ed6f74b70a98129f82ad62%" or Image.Hashes like r"%MD5=3d5164e85d740bce0391e2b81d49d308%" or Image.Hashes like r"%MD5=30550db8f400b1e11593dffd644abb67%" or Image.Hashes like r"%MD5=b17fb1ad5e880467cf7e61b1ee8e3448%" or Image.Hashes like r"%MD5=6f5d54ab483659ac78672440422ae3f1%" or Image.Hashes like r"%MD5=f042e8318cf20957c2339d96690c3186%" or Image.Hashes like r"%MD5=5158f786afa19945d19bee9179065e4d%" or Image.Hashes like r"%MD5=328a2cb2da464b0c2beb898ff9ae9f3a%" or Image.Hashes like r"%MD5=e7273e17ac85dc4272c4c4400091a19e%" or Image.Hashes like r"%MD5=d74d202646e5a6d0d2c4207e1f949826%" or Image.Hashes like r"%MD5=9ce1b0e5cfa8223cec3be1c7616e9f63%" or Image.Hashes like r"%MD5=55cd6b46ac25bbe01245f2270a0d6cb8%" or Image.Hashes like r"%MD5=b8b6686324f7aa77f570bc019ec214e6%" or Image.Hashes like r"%MD5=d104621c93213942b7b43d65b5d8d33e%" or Image.Hashes like r"%MD5=8cc5a4045a80a822cbc1e9eadff8e533%" or Image.Hashes like r"%MD5=ef18d594c862d6d3704b777fa3445ac2%" or Image.Hashes like r"%MD5=b941c8364308990ee4cc6eadf7214e0f%" or Image.Hashes like r"%MD5=2ca1044a04cb2f0ce5bd0a5832981e04%" or 
Image.Hashes like r"%MD5=f8fe655b7d63dbdc53b0983a0d143028%" or Image.Hashes like r"%MD5=cd9f0fcecf1664facb3671c0130dc8bb%" or Image.Hashes like r"%MD5=3e9ee8418f22a8ae0e2bf6ff293988fa%" or Image.Hashes like r"%MD5=3bf217f8ef018ca5ea20947bfdfc0a4d%" or Image.Hashes like r"%MD5=778b7feea3c750d44745d3bf294bd4ce%" or Image.Hashes like r"%MD5=4514a0e8bcab7de4cff55999cdf00cd1%" or Image.Hashes like r"%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%" or Image.Hashes like r"%MD5=159f89d9870e208abd8b912c3d1d3ae9%" or Image.Hashes like r"%MD5=e425c66663c96d5a9f030b0ad4d219a8%" or Image.Hashes like r"%MD5=85b756463ab0c000f816260d49923cde%" or Image.Hashes like r"%MD5=acd221ff7cf10b6117fd609929cde395%" or Image.Hashes like r"%MD5=a87689b1067edacc48fddf90020dee23%" or Image.Hashes like r"%MD5=0d123be07e2dfd2b2ade49ad2a905a5b%" or Image.Hashes like r"%MD5=3ae11bde32cdbd8637124ada866a5a7e%" or Image.Hashes like r"%MD5=cc35379f0421b907004a9099611ee2cd%" or Image.Hashes like r"%MD5=23b807c09b9b6ea85ed5c508aab200b7%" or Image.Hashes like r"%MD5=26d973d6d9a0d133dfda7d8c1adc04b7%" or Image.Hashes like r"%MD5=eba6b88bc7bca21658bda9533f0bbff8%" or Image.Hashes like r"%MD5=9eb524c5f92e5b80374b8261292fdeb5%" or Image.Hashes like r"%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%" or Image.Hashes like r"%MD5=c61876aaca6ce822be18adb9d9bd4260%" or Image.Hashes like r"%MD5=aae268c4b593156bdae25af5a2a4af21%" or Image.Hashes like r"%MD5=de711decdd763a73098372f752bf5a1c%" or Image.Hashes like r"%MD5=1b32c54b95121ab1683c7b83b2db4b96%" or Image.Hashes like r"%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%" or Image.Hashes like r"%MD5=07493c774aa406478005e8fe52c788b2%" or Image.Hashes like r"%MD5=9b9d367cb53df0a2e0850760c840d016%" or Image.Hashes like r"%MD5=70c2c29643ee1edd3bbcd2ef1ffc9a73%" or Image.Hashes like r"%MD5=766f9ea38918827df59a6aed204d2b09%" or Image.Hashes like r"%MD5=f670d1570c75ab1d8e870c1c6e3baba1%" or Image.Hashes like r"%MD5=34edf3464c3f5605c1ca3a071f12e28c%" or Image.Hashes like 
r"%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%" or Image.Hashes like r"%MD5=31469f1313871690e8dc2e8ee4799b22%" or Image.Hashes like r"%MD5=79483cb29a0c428e1362ec8642109eee%" or Image.Hashes like r"%MD5=c607c37af638fa4eac751976a6afbaa6%" or Image.Hashes like r"%MD5=fb7637cfe8562095937f4d6cff420784%" or Image.Hashes like r"%MD5=d98d2f80b94f70780b46d1f079a38d93%" or Image.Hashes like r"%MD5=35fbc4c04c31c1a40e666be6529c6321%" or Image.Hashes like r"%MD5=969f1d19449dc5c2535dd5786093f651%" or Image.Hashes like r"%MD5=986f083e5fd01eea4ec3b2575a110a95%" or Image.Hashes like r"%MD5=ccf523b951afaa0147f22e2a7aae4976%" or Image.Hashes like r"%MD5=978cd6d9666627842340ef774fd9e2ac%" or Image.Hashes like r"%MD5=9d8cb58b9a9e177ddd599791a58a654d%" or Image.Hashes like r"%MD5=e3fda6120dfa016a76d975fdab7954f6%" or Image.Hashes like r"%MD5=e99e86480d4206beb898dda82b71ca44%" or Image.Hashes like r"%MD5=a2be99e4904264baa5649c4d4cd13a17%" or Image.Hashes like r"%MD5=563b33cfc3c815feff659caaa94edc33%" or Image.Hashes like r"%MD5=18b4bbeae6b07d2e21729b8698bbd25a%" or Image.Hashes like r"%MD5=f51065667fb127cf6de984daea2f6b24%" or Image.Hashes like r"%MD5=35c8fdf881909fa28c92b1c2741ac60b%" or Image.Hashes like r"%MD5=477e02a8e31cde2e76a8fb020df095c2%" or Image.Hashes like r"%MD5=6b6dfb6d952a2e36efd4a387fdb94637%" or Image.Hashes like r"%MD5=f7d963c14a691a022301afa31de9ecef%" or Image.Hashes like r"%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%" or Image.Hashes like r"%MD5=2e48c3b8042fdcef0ed435562407bd21%" or Image.Hashes like r"%MD5=ada5f19423f91795c0372ff39d745acf%" or Image.Hashes like r"%MD5=702d5606cf2199e0edea6f0e0d27cd10%" or Image.Hashes like r"%MD5=0809f48fd30845d983d569b847fa83cf%" or Image.Hashes like r"%MD5=743c403d20a89db5ed84c874768b7119%" or Image.Hashes like r"%MD5=ed6348707f177629739df73b97ba1b6e%" or Image.Hashes like r"%MD5=f33c3f08536f988aac84d72d83b139a6%" or Image.Hashes like r"%MD5=34686a4b10f239d781772e9e94486c1a%" or Image.Hashes like r"%MD5=d77fb9fb256b0c2ec0258c39b80dc513%" or 
Image.Hashes like r"%MD5=b2e4e588ce7b993cc31c18a0721d904d%" or Image.Hashes like r"%MD5=eda6e97b453388bb51ce84b8a11d9d13%" or Image.Hashes like r"%MD5=d90cdd8f2826e5ea3faf8e258f20dc40%" or Image.Hashes like r"%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%" or Image.Hashes like r"%MD5=b5ada7fd226d20ec6634fc24768f9e22%" or Image.Hashes like r"%MD5=843e39865b29bb3df825bd273f195a98%" or Image.Hashes like r"%MD5=7671bbf15b7a8c8f59a0c42a1765136a%" or Image.Hashes like r"%MD5=6c5e50ef2069896f408cdaaddd307893%" or Image.Hashes like r"%MD5=67b5b8607234bf63ce1e6a52b4a05f87%" or Image.Hashes like r"%MD5=24589081b827989b52d954dcd88035d0%" or Image.Hashes like r"%MD5=8fcf90cb5f9cb7205c075c662720f762%" or Image.Hashes like r"%MD5=812e960977116bf6d6c1ccf8b5dd351f%" or Image.Hashes like r"%MD5=a4fda97f452b8f8705695a729f5969f7%" or Image.Hashes like r"%MD5=6f7125540e5e90957ba5f8d755a8d570%" or Image.Hashes like r"%MD5=5a1ee9e6a177f305765f09b0ae6ac1c5%" or Image.Hashes like r"%MD5=4b42a7a6327827a8dbdecf367832c0cd%" or Image.Hashes like r"%MD5=663f2fb92608073824ee3106886120f3%" or Image.Hashes like r"%MD5=d6c4baecff632d6ad63c45fc39e04b2f%" or Image.Hashes like r"%MD5=4ae55080ec8aed49343e40d08370195c%" or Image.Hashes like r"%MD5=21be10f66bb65c1d406407faa0b9ba95%" or Image.Hashes like r"%MD5=e9ccb6bac8715918a2ac35d8f0b4e1e6%" or Image.Hashes like r"%MD5=a223f8584bcb978c003dd451b1439f8d%" or Image.Hashes like r"%MD5=f30db62d02a69c36ccb01ac9d41dc085%" or Image.Hashes like r"%MD5=d396332f9d7b71c10b3b83da030690f0%" or Image.Hashes like r"%MD5=715ac0756234a203cb7ce8524b6ddc0d%" or Image.Hashes like r"%MD5=b94ffce20e36b2930eb3ac72f72c00d6%" or Image.Hashes like r"%MD5=efb4ed2040b9b3d408aab8dc15df5a06%" or Image.Hashes like r"%MD5=8f1255efd2ed0d3b03a02c6b236c06d6%" or Image.Hashes like r"%MD5=530feb1e37831302f58b7c219be6b844%" or Image.Hashes like r"%MD5=2e219df70fccb79351f0452cba86623e%" or Image.Hashes like r"%MD5=99c131567c10c25589e741e69a8f8aa3%" or Image.Hashes like 
r"%MD5=6fb3d42a4f07d8115d59eb2ea6504de5%" or Image.Hashes like r"%MD5=839cbbc86453960e9eb6db814b776a40%" or Image.Hashes like r"%MD5=3c1f92a1386fa6cf1ba51bae5e9a98dd%" or Image.Hashes like r"%MD5=46edb648c1b5c3abd76bd5e912dac026%" or Image.Hashes like r"%MD5=bd067efb8cafd971142bc964b4f85df1%" or Image.Hashes like r"%MD5=3db2afc15e7cc78bd11f4c726060db5c%" or Image.Hashes like r"%MD5=01f092be2a36a5574005e25368426ad2%" or Image.Hashes like r"%MD5=65c069af3875494ec686afbb0c3da399%" or Image.Hashes like r"%MD5=ce65b7adcf954eb36df62ea3d4a628c7%" or Image.Hashes like r"%MD5=ae5eb2759305402821aeddc52ba9a6d6%" or Image.Hashes like r"%MD5=048549f7e9978aff602a24dea98ee48a%" or Image.Hashes like r"%MD5=da8437200af5f3f790e301b9958993d2%" or Image.Hashes like r"%MD5=590875a0b2eeb171403fc7d0f5110cb2%" or Image.Hashes like r"%MD5=bc71da7c055e3172226090ba5d8e2248%" or Image.Hashes like r"%MD5=d76b56b79b1c95e8dcd7ee88cb0d25ab%" or Image.Hashes like r"%MD5=14eead4d42728e9340ec8399a225c124%" or Image.Hashes like r"%MD5=1b2e3b7f2966f2f6e6a1bb89f97228e5%" or Image.Hashes like r"%MD5=5e9d5c59ba1f1060f53909c129df3355%" or Image.Hashes like r"%MD5=0ac31915ec9a6b7d4d4bba8fe6d60ff7%" or Image.Hashes like r"%MD5=6909b5e86e00b4033fedfca1775b0e33%" or Image.Hashes like r"%MD5=2b4e66fac6503494a2c6f32bb6ab3826%" or Image.Hashes like r"%MD5=a125390293d50091b643cfa096c2148c%" or Image.Hashes like r"%MD5=79bfbeb4e8cfdd0cb1d73612360bd811%" or Image.Hashes like r"%MD5=389823db299b350f2ee830d47376eeac%" or Image.Hashes like r"%MD5=a17c403c4b74d4fa920c3887066daeb2%" or Image.Hashes like r"%MD5=1793e1d4247b29313325d1462dec81e2%" or Image.Hashes like r"%MD5=c31610f4c383204a1fc105c54b7403c9%" or Image.Hashes like r"%MD5=0ec31f45e2e698a83131b4443f9a6dd7%" or Image.Hashes like r"%MD5=4885e1bf1971c8fa9e7686fd5199f500%" or Image.Hashes like r"%MD5=f83c61adbb154d46dd8f77923aa7e9c3%" or Image.Hashes like r"%MD5=5cc5c26fc99175997d84fe95c61ab2c2%" or Image.Hashes like r"%MD5=49832b4f726cdff825257bee33ad8451%" or 
Image.Hashes like r"%MD5=1493d342e7a36553c56b2adea150949e%" or Image.Hashes like r"%MD5=df9953fa93e1793456a8d428ba7e5700%" or Image.Hashes like r"%MD5=40bc58b7615d00eb55ad9ba700c340c1%" or Image.Hashes like r"%MD5=ba2c0fa201c74621cddd8638497b3c70%" or Image.Hashes like r"%MD5=3c9f9c1b802f66cf03cbe82dec2bd454%" or Image.Hashes like r"%MD5=7d84a4ed0fcca3d098881a3f3283724b%" or Image.Hashes like r"%MD5=0e14b69dcf67c20343f85f9fdb5b9300%" or Image.Hashes like r"%MD5=17b97fbe2e8834d7ad30211635e1b271%" or Image.Hashes like r"%MD5=7fbd3b4488a12eab56c54e7bb91516f3%" or Image.Hashes like r"%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%" or Image.Hashes like r"%MD5=260eef181a9bf2849bfec54c1736613b%" or Image.Hashes like r"%MD5=dbde0572d702d0a05c0d509d5624a4d7%" or Image.Hashes like r"%MD5=5c5973d2caf86e96311f6399513ab8df%" or Image.Hashes like r"%MD5=0703c1e07186cb98837a2ae76f50d42e%" or Image.Hashes like r"%MD5=5970e8de1b337ca665114511b9d10806%" or Image.Hashes like r"%MD5=2580fb4131353ec417b0df59811f705c%" or Image.Hashes like r"%MD5=fa63a634189bd4d6570964e2161426b0%" or Image.Hashes like r"%MD5=ee57cbe6ec6a703678eaa6c59542ff57%" or Image.Hashes like r"%MD5=e140cb81bd27434fc4fd9080b7551922%" or Image.Hashes like r"%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%" or Image.Hashes like r"%MD5=a3af4a4fa6cba27284f8289436c2f074%" or Image.Hashes like r"%MD5=192519661fe6d132f233d0355c3f4a6d%" or Image.Hashes like r"%MD5=394e290aff9d4e78e504cedfb2d99350%" or Image.Hashes like r"%MD5=2e7d824a49d731da9fc96262a29c85ce%" or Image.Hashes like r"%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%" or Image.Hashes like r"%MD5=2d8e4f38b36c334d0a32a7324832501d%" or Image.Hashes like r"%MD5=443689645455987cb347154b391f734d%" or Image.Hashes like r"%MD5=9258e3cb20e24a93d4afdee9f5a0299c%" or Image.Hashes like r"%MD5=0067c788e1cb174f008c325ebde56c22%" or Image.Hashes like r"%MD5=79f7e6f98a5d3ab6601622be4471027f%" or Image.Hashes like r"%MD5=1c31d4e9ad2d2b5600ae9d0c0969fe59%" or Image.Hashes like 
r"%MD5=2f1ebc14bd8a29b89896737ca4076002%" or Image.Hashes like r"%MD5=43830326cd5fae66f5508e27cbec39a0%" or Image.Hashes like r"%MD5=df5f8e118a97d1b38833fcdf7127ab29%" or Image.Hashes like r"%MD5=8de7dcade65a1f51605a076c1d2b3456%" or Image.Hashes like r"%MD5=fadf9c1365981066c39489397840f848%" or Image.Hashes like r"%MD5=2c957aa79231fad8e221e035db6d0d81%" or Image.Hashes like r"%MD5=fd81af62964f5dd5eb4a828543a33dcf%" or Image.Hashes like r"%MD5=045ef7a39288ba1f4b8d6eca43def44f%" or Image.Hashes like r"%MD5=90f8c1b76f786814d03ef4c51d4abb6d%" or Image.Hashes like r"%MD5=17719a7f571d4cd08223f0b30f71b8b8%" or Image.Hashes like r"%MD5=bdd8dc8880dfbc19d729ca51071de288%" or Image.Hashes like r"%MD5=d79b8b7bed8d30387c22663b24e8c191%" or Image.Hashes like r"%MD5=57cd52ed992b634e74d2ddf9853a73b3%" or Image.Hashes like r"%MD5=1c294146fc77565030603878fd0106f9%" or Image.Hashes like r"%MD5=b7946feaeae34d51f045c4f986fa62ce%" or Image.Hashes like r"%MD5=86fd54c56dcafe2de918c36f8dfda67e%" or Image.Hashes like r"%MD5=adc1e141b57505fd011bc1efb1ae6967%" or Image.Hashes like r"%MD5=6822566b28be75b2a76446a57064369f%" or Image.Hashes like r"%MD5=d9ce18960c23f38706ae9c6584d9ac90%" or Image.Hashes like r"%MD5=935a7df222f19ac532e831e6bf9e8e45%" or Image.Hashes like r"%MD5=664ad9cf500916c94fc2c0020660ac4e%" or Image.Hashes like r"%MD5=356bda2bf0f6899a2c08b2da3ec69f13%" or Image.Hashes like r"%MD5=dacb62578b3ea191ea37486d15f4f83c%" or Image.Hashes like r"%MD5=89c7bd12495e29413038224cb61db02e%" or Image.Hashes like r"%MD5=f60a9b88c6ff07d4990d8653d0025683%" or Image.Hashes like r"%MD5=710b290a00598fbb1bcc49b30174b2c9%" or Image.Hashes like r"%MD5=5c9f240e0b83df758993837d18859cbe%" or Image.Hashes like r"%MD5=cb0c5d3639fcd810cde94b7b990aa51c%" or Image.Hashes like r"%MD5=4d17b32be70ef39eae5d5edeb5e89877%" or Image.Hashes like r"%MD5=0d4306983e694c1f34920bae12d887e6%" or Image.Hashes like r"%MD5=2751c7fd7f09479fa2b15168695adebc%" or Image.Hashes like r"%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%" or 
Image.Hashes like r"%MD5=0a653d9d0594b152ca835d0b2593269f%" or Image.Hashes like r"%MD5=02198692732722681f246c1b33f7a9d9%" or Image.Hashes like r"%MD5=9d884ecd3b6c3f2509851ea15ffefbef%" or Image.Hashes like r"%MD5=3473faea65fba5d4fbe54c0898a3c044%" or Image.Hashes like r"%MD5=013719e840e955c2e4cd9d18c94a2625%" or Image.Hashes like r"%MD5=5e71c0814287763d529822d0a022e693%" or Image.Hashes like r"%MD5=9f94028cbcf6789103cb5bb6fcef355d%" or Image.Hashes like r"%MD5=0d8daf471d871deb90225d2953c0eb95%" or Image.Hashes like r"%MD5=ad612a7eb913b5f7d25703cd44953c35%" or Image.Hashes like r"%MD5=fe3fb6719e86481a3514ab9e00a55bcf%" or Image.Hashes like r"%MD5=3e87e3346441539d3a90278a120766df%" or Image.Hashes like r"%MD5=fa173832dca1b1faeba095e5c82a1559%" or Image.Hashes like r"%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%" or Image.Hashes like r"%MD5=803a371a78d528a44ef8777f67443b16%" or Image.Hashes like r"%MD5=257483d5d8b268d0d679956c7acdf02d%" or Image.Hashes like r"%MD5=02fc655279b8ea3ef37237c488b675cc%" or Image.Hashes like r"%MD5=94999245e9580c6228b22ac44c66044c%" or Image.Hashes like r"%MD5=88aada8325a3659736b3a7201c825664%" or Image.Hashes like r"%MD5=92927c47d6ff139c9b19674c9d0088f6%" or Image.Hashes like r"%MD5=05bf59560656c8a9a3191812b0e1235b%" or Image.Hashes like r"%MD5=c098f8aeb67eeb2262dbf681690a9306%" or Image.Hashes like r"%MD5=eb61616a7bc58e3f5b8cf855d04808c3%" or Image.Hashes like r"%MD5=e3aaa0c1c3a5e99eb9970ebe4b5a3183%" or Image.Hashes like r"%MD5=5efbbfcc6adac121c8e2fe76641ed329%" or Image.Hashes like r"%MD5=4eb4069c230a5dc40cd5d60d2cb3e0d0%" or Image.Hashes like r"%MD5=e0528f756bbb2ab83c60f9fd6f541e42%" or Image.Hashes like r"%MD5=eb4de413782193e824773723d790cfc4%" or Image.Hashes like r"%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%" or Image.Hashes like r"%MD5=97580157f65612f765f39af594b86697%" or Image.Hashes like r"%MD5=21e72a43aedefcd70ca8999cc353b51b%" or Image.Hashes like r"%MD5=d6b259b2dfe80bdf4d026063accd752c%" or Image.Hashes like 
r"%MD5=ca7b41ce335051bf9dd7fa4a55581296%" or Image.Hashes like r"%MD5=084a13f18856d610d44d3109a9d2acde%" or Image.Hashes like r"%MD5=a5f637d61719d37a5b4868c385e363c0%" or Image.Hashes like r"%MD5=1392b92179b07b672720763d9b1028a5%" or Image.Hashes like r"%MD5=1a5a95d6bedbe29e5acf5eb6a727c634%" or Image.Hashes like r"%MD5=a71020c6d6d42c5000e9993425247e06%" or Image.Hashes like r"%MD5=a9f220b1507a3c9a327a99995ff99c82%" or Image.Hashes like r"%MD5=7c40ec9ed020cc9404de8fe3a5361a09%" or Image.Hashes like r"%MD5=fe937e1ed4c8f1d4eac12b065093ae63%" or Image.Hashes like r"%MD5=4ca0dba9e224473d664c25e411f5a3bd%" or Image.Hashes like r"%MD5=2a8662e91a51d8e04a94fa580c7d3828%" or Image.Hashes like r"%MD5=942c6a8332d5dd06d8f4b2a9cb386ff4%" or Image.Hashes like r"%MD5=0283b43c6bc965175a1c92b255d39556%" or Image.Hashes like r"%MD5=2d91d45cd09dfc3f8e89da1c261fd1ac%" or Image.Hashes like r"%MD5=187ddca26d119573223cf0a32ba55a61%" or Image.Hashes like r"%MD5=1549e6cbce408acaddeb4d24796f2eaf%" or Image.Hashes like r"%MD5=6beb1d8146f5a4aaa2f7b8c0c9bced30%" or Image.Hashes like r"%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%" or Image.Hashes like r"%MD5=e0fb44aba5e7798f2dc637c6d1f6ca84%" or Image.Hashes like r"%MD5=de1cc5c266140bff9d964fab87a29421%" or Image.Hashes like r"%MD5=66e0db8a5b0425459d0430547ecbb3db%" or Image.Hashes like r"%MD5=03ca3b1cff154ab8855043abadd07956%" or Image.Hashes like r"%MD5=2a5fb925125af951bd76c00579d61666%" or Image.Hashes like r"%MD5=a2c5f994e9b4a74b2f5b51c7a44c4401%" or Image.Hashes like r"%MD5=5c55fcfe39336de769bfa258ab4c901d%" or Image.Hashes like r"%MD5=aa12c1cb47c443c6108bfe7fc1a34d98%" or Image.Hashes like r"%MD5=8407ddfab85ae664e507c30314090385%" or Image.Hashes like r"%MD5=be54aabf09c3fa4671b6efacafa389e3%" or Image.Hashes like r"%MD5=296bde4d0ed32c6069eb90c502187d0d%" or Image.Hashes like r"%MD5=1d768959aaa194d60e4524ce47708377%" or Image.Hashes like r"%MD5=dca1c62c793f84bb2d8e41ca50efbff1%" or Image.Hashes like r"%MD5=2a5ccd95292f03f0dd4899d18b55b428%" or 
Image.Hashes like r"%MD5=1f950cfd5ed8dd9de3de004f5416fe20%" or Image.Hashes like r"%MD5=35493772986f610753be29121cd68234%" or Image.Hashes like r"%MD5=6212832f13b296ddbc85b24e22edb5ec%" or Image.Hashes like r"%MD5=9b157f1261a8a42e4ef5ec23dd4cda9e%" or Image.Hashes like r"%MD5=b89b097b8b8aecb8341d05136f334ebb%" or Image.Hashes like r"%MD5=8942e9fa2459b1e179a6535ca16a2fb4%" or Image.Hashes like r"%MD5=64efbffaa153b0d53dc1bccda4279299%" or Image.Hashes like r"%MD5=70dcd07d38017b43f710061f37cb4a91%" or Image.Hashes like r"%MD5=537e2c3020b1d48b125da593e66508ec%" or Image.Hashes like r"%MD5=05b4463677e2566414ad53434ad9e7e5%" or Image.Hashes like r"%MD5=7be3a7a743f2013c3e90355219626c2c%" or Image.Hashes like r"%MD5=7f258c0161e9edca8e7f85ac0dd68e46%" or Image.Hashes like r"%MD5=81df475ab8d37343f0ad2a55b1397a8f%" or Image.Hashes like r"%MD5=f0aeb731d83f7ab6008c92c97faf6233%" or Image.Hashes like r"%MD5=507a649eb585d8d0447eab0532ef0c73%" or Image.Hashes like r"%MD5=5c5e3c7ca39d9472099ea81c329b7d75%" or Image.Hashes like r"%MD5=a31246180e61140ad7ff9dd7edf1f6a1%" or Image.Hashes like r"%MD5=9226339848e359f5e4cd519bef7dcd39%" or Image.Hashes like r"%MD5=f544f9925cab71786e57241c10e08633%" or Image.Hashes like r"%MD5=88d2143ae62878dada3aa0a6d8f7cea8%" or Image.Hashes like r"%MD5=c06dda757b92e79540551efd00b99d4b%" or Image.Hashes like r"%MD5=41ce6b172542a9a227e34a45881e1d2a%" or Image.Hashes like r"%MD5=9bcb97a1697a70f59405786759af63b8%" or Image.Hashes like r"%MD5=17c7bcae7ebabb95af2f7c91b19c361c%" or Image.Hashes like r"%MD5=aaa8999a169e39fb8b48ae49cd6ac30a%" or Image.Hashes like r"%MD5=9a5a35112c4f8016abcc6363b44d3385%" or Image.Hashes like r"%MD5=6b2df08bacf640cc2ac6f20c76af07ee%" or Image.Hashes like r"%MD5=ab4656d1ec4d4cc83c76f639a5340e84%" or Image.Hashes like r"%MD5=697f698b59f32f66cd8166e43a5c49c7%" or Image.Hashes like r"%MD5=4e90cd77509738d30d3181a4d0880bfa%" or Image.Hashes like r"%MD5=e3bdb307b32b13b8f7e621e8d5cc8cd3%" or Image.Hashes like 
r"%MD5=16472fca75ab4b5647c99de608949cde%" or Image.Hashes like r"%MD5=24fe18891c173a7c76426d08d2b0630e%" or Image.Hashes like r"%MD5=2faa725dd9bb22b2100e3010f8a72182%" or Image.Hashes like r"%MD5=251e1ce4e8e9b9418830ed3dc8edd5e3%" or Image.Hashes like r"%MD5=1f3522c5db7b9dcdd7729148f105018e%" or Image.Hashes like r"%MD5=d5a642329cce4df94b8dc1ba9660ae34%" or Image.Hashes like r"%MD5=b2600502a5b962b8cdfac2ead24b17b4%" or Image.Hashes like r"%MD5=c9cb486b4f652c9cfb8411803f8ed5f0%" or Image.Hashes like r"%MD5=73c98438ac64a68e88b7b0afd11ba140%" or Image.Hashes like r"%MD5=ab7b28b532beba6a6c0217bc406b80ee%" or Image.Hashes like r"%MD5=75dbd5db9892d7451d0429bec1aabe1a%" or Image.Hashes like r"%MD5=d4a10447fdaff7a001715191c1f914b6%" or Image.Hashes like r"%MD5=31eca8c0b32135850d5a50aee11fec87%" or Image.Hashes like r"%MD5=2cc65e805757cfc4f87889cdceb546cd%" or Image.Hashes like r"%MD5=96b463b6fa426ae42c414177af550ba2%" or Image.Hashes like r"%MD5=ef5ba21690c2f4ba7e62bf022b2df1f7%" or Image.Hashes like r"%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%" or Image.Hashes like r"%MD5=1ed043249c21ab201edccb37f1d40af9%" or Image.Hashes like r"%MD5=86635fdc8e28957e6c01fc483fe7b020%" or Image.Hashes like r"%MD5=520c18f50d3cb2ce162767c4c1998b86%" or Image.Hashes like r"%MD5=569676d3d45b0964ac6dd0815be8ff8c%" or Image.Hashes like r"%MD5=3f39f013168428c8e505a7b9e6cba8a2%" or Image.Hashes like r"%MD5=68726474c69b738eac3a62e06b33addc%" or Image.Hashes like r"%MD5=c04a5cdcb446dc708d9302be4e91e46d%" or Image.Hashes like r"%MD5=a179c4093d05a3e1ee73f6ff07f994aa%" or Image.Hashes like r"%MD5=1a22a85489a94db6ff68cd624ef43bad%" or Image.Hashes like r"%MD5=4ad30223df1361726ff64417f8515272%" or Image.Hashes like r"%MD5=4cee9945f9a3e8f2433f5aa8c58671fb%" or Image.Hashes like r"%MD5=f56f30ac68c35dd4680054cdfd8f3f00%" or Image.Hashes like r"%MD5=31a331a88c6280555859455518a95c35%" or Image.Hashes like r"%MD5=650f6531db6fb0ed25d7fc70be35a4da%" or Image.Hashes like r"%MD5=82854a57630059d1ce2870159dc2f86b%" or 
Image.Hashes like r"%MD5=d556cb79967e92b5cc69686d16c1d846%" or Image.Hashes like r"%MD5=5b1e1a9dade81f1e80fdc0a2d3f9006e%" or Image.Hashes like r"%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%" or Image.Hashes like r"%MD5=a60c9173563b940203cf4ad38ccf2082%" or Image.Hashes like r"%MD5=95a95e28cf5ee4ece6ffbaf169358192%" or Image.Hashes like r"%MD5=397580c24c544d477688fcfca9c9b542%" or Image.Hashes like r"%MD5=c5d1f8ed329ebb86ddd01e414a6a1718%" or Image.Hashes like r"%MD5=ab4ee84e09b09012ac86d3a875af9d43%" or Image.Hashes like r"%MD5=c9a293762319d73c8ee84bcaaf81b7b3%" or Image.Hashes like r"%MD5=a641e3dccba765a10718c9cb0da7879e%" or Image.Hashes like r"%MD5=dd39a86852b498b891672ffbcd071c03%" or Image.Hashes like r"%MD5=715f8efab1d1c660e4188055c4b28eed%" or Image.Hashes like r"%MD5=c046ca4da48db1524ddf3a49a8d02b65%" or Image.Hashes like r"%MD5=f5e6ef0dcbb3d4a608e9e0bba4d80d0a%" or Image.Hashes like r"%MD5=bf581e9eb91bace0b02a2c5a54bf1419%" or Image.Hashes like r"%MD5=d6c2e061b21c32c585aca5f38335c21c%" or Image.Hashes like r"%MD5=7aa34cd9ea5649c24a814e292b270b6f%" or Image.Hashes like r"%MD5=5eabc87416f59e894adfde065d0405fa%" or Image.Hashes like r"%MD5=7ffdd78d63ca7307a96843cfe806799e%" or Image.Hashes like r"%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%" or Image.Hashes like r"%MD5=113056ec5c679b6f74c9556339ebf962%" or Image.Hashes like r"%MD5=f7745b42882dec947f6629ab9b7c39b7%" or Image.Hashes like r"%MD5=4b60ef388071e0baf299496e3d6590ae%" or Image.Hashes like r"%MD5=c006d1844f20b91d0ea52bf32d611f30%" or Image.Hashes like r"%MD5=a0074303fe697a36d9397c0122e04973%" or Image.Hashes like r"%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%" or Image.Hashes like r"%MD5=2e887e52e45bba3c47ccd0e75fc5266f%" or Image.Hashes like r"%MD5=7eeb4c0cb786a409b94066986addf315%" or Image.Hashes like r"%MD5=e28ce623e3e5fa1d2fe16c721efad4c2%" or Image.Hashes like r"%MD5=0eb3dfeffb49d32310d96f3aa3e8ca61%" or Image.Hashes like r"%MD5=a15235fcec1c9b65d736661d4bec0d38%" or Image.Hashes like 
r"%MD5=0ad87bba19f0b71ccb2d32239abd49ec%" or Image.Hashes like r"%MD5=1c9001dcd34b4db414f0c54242fedf49%" or Image.Hashes like r"%MD5=490b1f404c4f31f4538b36736c990136%" or Image.Hashes like r"%MD5=1dc94a6a82697c62a04e461d7a94d0b0%" or Image.Hashes like r"%MD5=555446a3ca8d9237403471d4744e39f4%" or Image.Hashes like r"%MD5=100fe0bc0c183d16e1f08d1a2ad624a8%" or Image.Hashes like r"%MD5=37086ae5244442ba552803984a11d6cb%" or Image.Hashes like r"%MD5=5d4df0bac74e9ac62af6bc99440b050b%" or Image.Hashes like r"%MD5=94cdf2cf363be5a8749670bea4db65cd%" or Image.Hashes like r"%MD5=3a48f0e4297947663fbb11702aa1d728%" or Image.Hashes like r"%MD5=98583b2f2efe12d2a167217a3838c498%" or Image.Hashes like r"%MD5=7437d4070b5c018e05354c179f1d5e2a%" or Image.Hashes like r"%MD5=7d46d0ddaf8c7e1776a70c220bf47524%" or Image.Hashes like r"%MD5=3c4154866f3d483fdc9f4f64ef868888%" or Image.Hashes like r"%MD5=91203acddac81511d17a68a030d063a8%" or Image.Hashes like r"%MD5=7d87a9c54e49943bf18574c6f02788ee%" or Image.Hashes like r"%MD5=8d63e1a9ff4cafee1af179c0c544365c%" or Image.Hashes like r"%MD5=34069a15ae3aa0e879cd0d81708e4bcc%" or Image.Hashes like r"%MD5=e4788e5b3e5f0a0bbb318a9c426c2812%" or Image.Hashes like r"%MD5=1c591efa8660d4d36a75db9b82474174%" or Image.Hashes like r"%MD5=e9e786bdba458b8b4f9e93d034f73d00%" or Image.Hashes like r"%MD5=d5db81974ffda566fa821400419f59be%" or Image.Hashes like r"%MD5=a926b64be7c27ccb96e687a3924de298%" or Image.Hashes like r"%MD5=1c4acf27317a2b5eaedff3ce6094794d%" or Image.Hashes like r"%MD5=cd1c8a66e885b7a8b464094395566a46%" or Image.Hashes like r"%MD5=edfa69e9132a56778d6363cd41843893%" or Image.Hashes like r"%MD5=1ed08a6264c5c92099d6d1dae5e8f530%" or Image.Hashes like r"%MD5=f690bfc0799e51a626ba3931960c3173%" or Image.Hashes like r"%MD5=7c983b4e66c4697ad3ce7efc9166b505%" or Image.Hashes like r"%MD5=4a06bcd96ef0b90a1753a805b4235f28%" or Image.Hashes like r"%MD5=c28b4a60ebd4b8c12861829cc13aa6ff%" or Image.Hashes like r"%MD5=e700a820f117f65e813b216fccbf78c9%" or 
Image.Hashes like r"%MD5=515c75d77c64909690c18c08ef3fc310%" or Image.Hashes like r"%MD5=7056549baa6da18910151b08121e2c94%" or Image.Hashes like r"%MD5=61b068b10abfa0776f3b96a208d75bf9%" or Image.Hashes like r"%MD5=c901887f28bbb55a10eb934755b47227%" or Image.Hashes like r"%MD5=0761c357aed5f591142edaefdf0c89c8%" or Image.Hashes like r"%MD5=f141db170bb4c6e088f30ddc58404ad3%" or Image.Hashes like r"%MD5=6d97ee5b3300d0f7fa359f2712834c40%" or Image.Hashes like r"%MD5=53f103e490bc11624ef6a51a6d3bdc05%" or Image.Hashes like r"%MD5=3482acba11c71e45026747dbe366a7d9%" or Image.Hashes like r"%MD5=7475bfea6ea1cd54029208ed59b96c6b%" or Image.Hashes like r"%MD5=d011d5fecdc94754bf02014cb229d6bc%" or Image.Hashes like r"%MD5=42f7cc4be348c3efd98b0f1233cf2d69%" or Image.Hashes like r"%MD5=45c2d133d41d2732f3653ed615a745c8%" or Image.Hashes like r"%MD5=71fffc05cff351a6f26f78441cfebe26%" or Image.Hashes like r"%MD5=da6f7407c4656a2dbaf16a407aff1a38%" or Image.Hashes like r"%MD5=5dd25029499cd5656927e9c559955b07%" or Image.Hashes like r"%MD5=a82c01606dc27d05d9d3bfb6bb807e32%" or Image.Hashes like r"%MD5=8a973be665923e9708974e72228f9805%" or Image.Hashes like r"%MD5=312e31851e0fc2072dbf9a128557d6ef%" or Image.Hashes like r"%MD5=4ff880566f22919ed94ffae215d39da5%" or Image.Hashes like r"%MD5=fcc5de75c1837b631ed77ea4638704b9%" or Image.Hashes like r"%MD5=279f3b94c2b9ab5911515bc3e0ecf175%" or Image.Hashes like r"%MD5=61d6b1c71ad94f8485e966bebc36d092%" or Image.Hashes like r"%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%" or Image.Hashes like r"%MD5=4a829b8cf1f8fdb69e1d58ae04e6106e%" or Image.Hashes like r"%MD5=e4d4a22cbf94e6b0a92fc36d46741f56%" or Image.Hashes like r"%MD5=e4a0bba88605d4c07b58a2cc3fac0fe9%" or Image.Hashes like r"%MD5=272446de15c63095940a3dad0b426f21%" or Image.Hashes like r"%MD5=f160ecce1500a5a5877c123584e86b17%" or Image.Hashes like r"%MD5=0a2ec9e3e236698185978a5fc76e74e6%" or Image.Hashes like r"%MD5=21ca6a013a75fcf6f930d4b08803973a%" or Image.Hashes like 
r"%MD5=e432956d19714c65723f9c407ffea0c5%" or Image.Hashes like r"%MD5=4e4b9bdcc6b8d97828ae1972d750a08d%" or Image.Hashes like r"%MD5=67e3b720cee8184c714585a85f8058a0%" or Image.Hashes like r"%MD5=03c9d5f24fd65ad57de2d8a2c7960a70%" or Image.Hashes like r"%MD5=f65e545771fd922693f0ec68b2141012%" or Image.Hashes like r"%MD5=7a16fca3d56c6038c692ec75b2bfee15%" or Image.Hashes like r"%MD5=5adebdb94abb4c76dad2b7ecb1384a9d%" or Image.Hashes like r"%MD5=003dc41d148ec3286dc7df404ba3f2aa%" or Image.Hashes like r"%MD5=0490f5961e0980792f5cb5aedf081dd7%" or Image.Hashes like r"%MD5=d3e40644a91327da2b1a7241606fe559%" or Image.Hashes like r"%MD5=49938383844ceec33dba794fb751c9a5%" or Image.Hashes like r"%MD5=f7393fb917aed182e4cbef25ce8af950%" or Image.Hashes like r"%MD5=549e5148be5e7be17f9d416d8a0e333e%" or Image.Hashes like r"%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%" or Image.Hashes like r"%MD5=96fb2101f85fa81871256107bdd25169%" or Image.Hashes like r"%MD5=aa9adcf64008e13d7e68b56fdd307ead%" or Image.Hashes like r"%MD5=62eed4173c566a248531fb6f20a5900d%" or Image.Hashes like r"%MD5=87982977500b93330df08bf372435641%" or Image.Hashes like r"%MD5=9e0af1fe4d6dd2ca4721810ed1c930d6%" or Image.Hashes like r"%MD5=9b5533c4af38759d167d5399e83b475f%" or Image.Hashes like r"%MD5=bd5d4d07ae09e9f418d6b4ac6d9f2ed5%" or Image.Hashes like r"%MD5=22ca5fe8fb0e5e22e6fb0848108c03f4%" or Image.Hashes like r"%MD5=7b43dfd84de5e81162ebcfafb764b769%" or Image.Hashes like r"%MD5=ccb09eb78e047c931708149992c2e435%" or Image.Hashes like r"%MD5=8c1d181480796d7d3366a9381fd7782d%" or Image.Hashes like r"%MD5=b5192270857c1f17f7290acbaadf097d%" or Image.Hashes like r"%MD5=fe71c99a5830f94d77a8792741d6e6c7%" or Image.Hashes like r"%MD5=238769fd8379ec476c1114bd2bd28ca6%" or Image.Hashes like r"%MD5=cf7aeedd674417b648fc334d179c94ae%" or Image.Hashes like r"%MD5=52b7cd123f6d1b9ed76b08f2ee7d9433%" or Image.Hashes like r"%MD5=8d14b013fc2b555e404b1c3301150c34%" or Image.Hashes like r"%MD5=2e492f14a1087374368562d01cd609aa%" or 
Image.Hashes like r"%MD5=65e6718a547495c692e090d7887d247b%" or Image.Hashes like r"%MD5=51e7b58f6e9b776568ffbd4dd9972a60%" or Image.Hashes like r"%MD5=84c4d8ae023ca9bb60694fa467141247%" or Image.Hashes like r"%MD5=69ac6165912cb263a656497cc70155e6%" or Image.Hashes like r"%MD5=30efb7d485fc9c28fe82a97deac29626%" or Image.Hashes like r"%MD5=f4b2580cf0477493908b7ed81e4482f8%" or Image.Hashes like r"%MD5=fc6dadb97bd3b7a61d06f20d0d2e1bac%" or Image.Hashes like r"%MD5=595363661db3e50acc4de05b0215cc6f%" or Image.Hashes like r"%MD5=cec257dcac9e708cefb17f8984dd0a70%" or Image.Hashes like r"%MD5=0e51d96a3b878b396708535f49a6d7cb%" or Image.Hashes like r"%MD5=f34489c0f0d0a16b4db8a17281b57eba%" or Image.Hashes like r"%MD5=80b4041695810f98e1c71ff0cf420b6d%" or Image.Hashes like r"%MD5=7978d858168fadd05c17779da5f4695a%" or Image.Hashes like r"%MD5=557fd33ee99db6fe263cfcb82b7866b3%" or Image.Hashes like r"%MD5=7b9e1e5e8ff4f18f84108bb9f7b5d108%" or Image.Hashes like r"%MD5=9b91a44a488e4d539f2e55476b216024%" or Image.Hashes like r"%MD5=3b23808de1403961205352e94b8f2f9b%" or Image.Hashes like r"%MD5=13bd61916343d94ebefc9a7911d7bf88%" or Image.Hashes like r"%MD5=936729b8dc2282037bc1504c2680e3ad%" or Image.Hashes like r"%MD5=9f70cd5edcc4efc48ae21e04fb03be9d%" or Image.Hashes like r"%MD5=75e50ae2e0f783e0caf912f45e15248a%" or Image.Hashes like r"%MD5=444f538daa9f7b340cfd43974ed43690%" or Image.Hashes like r"%MD5=8b47c5580b130dd3f580af09323bc949%" or Image.Hashes like r"%MD5=daf11013cf4c879a54ed6a86a05bee3c%" or Image.Hashes like r"%MD5=eff3a9cc3e99ef3ddae57df72807f0c7%" or Image.Hashes like r"%MD5=9982da703f13140997e137b1e745a2e3%" or Image.Hashes like r"%MD5=f778489c7105a63e9e789a02412aaa5f%" or Image.Hashes like r"%MD5=723381977ce7df57ec623db52b84f426%" or Image.Hashes like r"%MD5=1db988eb9ac5f99756c33b91830a9cf6%" or Image.Hashes like r"%MD5=c02f70960fa934b8defa16a03d7f6556%" or Image.Hashes like r"%MD5=5e35c049bc8076406910da36edf9212d%" or Image.Hashes like 
r"%MD5=241a095631570a9cef4f126c87605c60%" or Image.Hashes like r"%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%" or Image.Hashes like r"%MD5=b418293e25632c5f377bf034bb450e57%" or Image.Hashes like r"%MD5=4f191abc652d8f7442ca2636725e1ed6%" or Image.Hashes like r"%MD5=34e55ccceec34a8567c8b95d662ba886%" or Image.Hashes like r"%MD5=4f5ca81806098204c4dea0927a8fec66%" or Image.Hashes like r"%MD5=8b287636041792f640f92e77e560725e%" or Image.Hashes like r"%MD5=56a515173b211832e20fbc64e5a0447c%" or Image.Hashes like r"%MD5=2315a8919cfb167e718d8c788ed3ceca%" or Image.Hashes like r"%MD5=2d465b4487dc81effaa84f122b71c24f%" or Image.Hashes like r"%MD5=29ccff428e5eb70ae429c3da8968e1ec%" or Image.Hashes like r"%MD5=28d6b138adc174a86c0f6248d8a88275%" or Image.Hashes like r"%MD5=9beecfb3146f19400880da61476ef940%" or Image.Hashes like r"%MD5=d5556c54c474cf0bff25804bfbe788d3%" or Image.Hashes like r"%MD5=f7a09ac4a91a6390f8d00bf09f53ae37%" or Image.Hashes like r"%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%" or Image.Hashes like r"%MD5=06897b431c07886454e0681723dd53e6%" or Image.Hashes like r"%MD5=c533d6d64b474ffc3169a0e0fc0a701a%" or Image.Hashes like r"%MD5=c52dce2bee8ec88748411e470ff531f6%" or Image.Hashes like r"%MD5=71858fa117e6f3309606d5cdb57e6e09%" or Image.Hashes like r"%MD5=259381daae0357fbfefe1d92188c496a%" or Image.Hashes like r"%MD5=ceac1347acae9ad9496d4b0593256522%" or Image.Hashes like r"%MD5=4124de3cb72f5dfd7288389862b03f2a%" or Image.Hashes like r"%MD5=edbf206c27c3aa7d1890899dffcc03ec%" or Image.Hashes like r"%MD5=a5ff71e189b462d2b1f0e9e8c4668d79%" or Image.Hashes like r"%MD5=c49a1956a6a25ffc25ad97d6762b0989%" or Image.Hashes like r"%MD5=c475c7d0f2d934f150b6c32c01479134%" or Image.Hashes like r"%MD5=eb7f6d01c97783013115ad1a2833401a%" or Image.Hashes like r"%MD5=e98f4cc2cbf9ec23fd84da30c0625884%" or Image.Hashes like r"%MD5=bf74d0706f5ab9c34067192260f4efb0%" or Image.Hashes like r"%MD5=0752f113d983030939b4ab98b0812cf0%" or Image.Hashes like r"%MD5=7c22b7686c75a2bb7409b3c392cc791a%" or 
Image.Hashes like r"%MD5=07efb8259b42975d502a058db8a3fd21%" or Image.Hashes like r"%MD5=def0da6c95d14f7020e533028224250e%" or Image.Hashes like r"%MD5=d4a9f80ecb448da510e5bf82c4a699ee%" or Image.Hashes like r"%MD5=c5e7e8ca0d76a13a568901b6b304c3ba%" or Image.Hashes like r"%MD5=59f6320772a2e6b0b3587536be4cc022%" or Image.Hashes like r"%MD5=0cd2504a2e0a8ad81d9a3a6a1fad7306%" or Image.Hashes like r"%MD5=0ccc4e9396e0be9c4639faec53715831%" or Image.Hashes like r"%MD5=c15eb30e806ad5e771b23423fd2040b0%" or Image.Hashes like r"%MD5=f3d14fcdb86db8d75416ce173c6061af%" or Image.Hashes like r"%MD5=637f2708da54e792c27f1141d5bb09cd%" or Image.Hashes like r"%MD5=779af226b7b72ff9d78ce1f03d4a3389%" or Image.Hashes like r"%MD5=a17c58c0582ee560c72f60764ed63224%" or Image.Hashes like r"%MD5=c2c1b8c00b99e913d992a870ed478a24%" or Image.Hashes like r"%MD5=2b6a17ec50d3a21e030ed78f7acbd2af%" or Image.Hashes like r"%MD5=76bb1a4332666222a8e3e1339e267179%" or Image.Hashes like r"%MD5=0ef05030abd55ba6b02faa2c0970f67f%" or Image.Hashes like r"%MD5=56a9e9b5334f8698a0ede27c64140982%" or Image.Hashes like r"%MD5=9e0659d443a2b9d1afc75a160f500605%" or Image.Hashes like r"%MD5=bc6ff00fb3a14437c94b37ac9a2101d4%" or Image.Hashes like r"%MD5=2da209dde8188076a9579bd256dc90d0%" or Image.Hashes like r"%MD5=11dc5523bb559f8d2ce637f6a2b70dea%" or Image.Hashes like r"%MD5=12908c285b9d68ee1f39186110df0f1e%" or Image.Hashes like r"%MD5=73a40e29f61e5d142c8f42b28a351190%" or Image.Hashes like r"%MD5=0797bb21d7a0210fedf4f3533ee82494%" or Image.Hashes like r"%MD5=6846c2035b4c56b488d2ce2c69a57261%" or Image.Hashes like r"%MD5=dbf11f3fad1db3eb08e2ee24b5ebfb95%" or Image.Hashes like r"%MD5=41339c852c6e8e4c94323f500c87a79c%" or Image.Hashes like r"%MD5=ce57844fb185d0cdd9d3ce9e5b6a891d%" or Image.Hashes like r"%MD5=3ab94fba7196e84a97e83b15f7bcb270%" or Image.Hashes like r"%MD5=0291ced808eafe406d3d9b56d2fc0c26%" or Image.Hashes like r"%MD5=3836e2db9034543f63943cdbb52a691a%" or Image.Hashes like 
r"%MD5=0dff47f3b14fb1c1bad47cc517f0581a%" or Image.Hashes like r"%MD5=e8ebba56ea799e1e62748c59e1a4c586%" or Image.Hashes like r"%MD5=2c54859a67306e20bfdc8887b537de72%" or Image.Hashes like r"%MD5=4e67277648c63b79563360dac22b5492%" or Image.Hashes like r"%MD5=26ce59f9fc8639fd7fed53ce3b785015%" or Image.Hashes like r"%MD5=2927eac51c46944ab69ba81462fb9045%" or Image.Hashes like r"%MD5=1a6e12c2d11e208bdf72a8962120fae7%" or Image.Hashes like r"%MD5=daf800da15b33bf1a84ee7afc59f0656%" or Image.Hashes like r"%MD5=9cbdb5fb6dc63cb13f10b6333407cbb9%" or Image.Hashes like r"%MD5=9650db2ef0a44984845841ab24972ced%" or Image.Hashes like r"%MD5=96a8b535b5e14b582ca5679a3e2a5946%" or Image.Hashes like r"%MD5=33b3842172f21ba22982bfb6bffbda27%" or Image.Hashes like r"%MD5=2391fb461b061d0e5fccb050d4af7941%" or Image.Hashes like r"%MD5=8bf290b5eda99fc2697373a87f4e1927%" or Image.Hashes like r"%MD5=5fade7137c14a94b323f3b7886fba2a9%" or Image.Hashes like r"%MD5=a89ca92145fc330adced0dd005421183%" or Image.Hashes like r"%MD5=96421b56dbda73e9b965f027a3bda7ba%" or Image.Hashes like r"%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%" or Image.Hashes like r"%MD5=6fa271b6816affaef640808fc51ac8af%" or Image.Hashes like r"%MD5=94d45bb36b13f4e936badb382fc133fe%" or Image.Hashes like r"%MD5=e027daa2f81961d09aef88093e107d93%" or Image.Hashes like r"%MD5=b1b8e6b85dd03c7f1290b1a071fc79c1%" or Image.Hashes like r"%MD5=07fc1e043654fdde56da98d93523635c%" or Image.Hashes like r"%MD5=118f3fdba730094d17aa1b259586aef6%" or Image.Hashes like r"%MD5=2714c93eb240375a2893ed7f8818004f%" or Image.Hashes like r"%MD5=641243746597fbd650e5000d95811ea3%" or Image.Hashes like r"%MD5=449bb1c656fa30de7702f17e35b11cd3%" or Image.Hashes like r"%MD5=96c850e53caca0469e1c4604e6c1aad1%" or Image.Hashes like r"%MD5=12cecc3c14160f32b21279c1a36b8338%" or Image.Hashes like r"%MD5=949ef0df929a71d6cc77494dfcb1ddeb%" or Image.Hashes like r"%MD5=8065a7659562005127673ac52898675f%" or Image.Hashes like r"%MD5=1033f0849180aac4b101a914bc8c53b4%" or 
Image.Hashes like r"%MD5=8f73c1c48ffddfca7d1a98faf83d18ff%" or Image.Hashes like r"%MD5=648adec580746afbbf59904c1e150c73%" or Image.Hashes like r"%MD5=e84605c8e290de6b92ce81d2f6a175d2%" or Image.Hashes like r"%MD5=300d6ac47a146eb8eb159f51bc13f7cf%" or Image.Hashes like r"%MD5=392d7180653b0ca77a78bdf15953d865%" or Image.Hashes like r"%MD5=f0e21ababe63668fb3fbd02e90cd1fa9%" or Image.Hashes like r"%MD5=e0bfbdf3793ea2742c03f5a82cb305a5%" or Image.Hashes like r"%MD5=00143c457c8885fd935fc5d5a6ba07a4%" or Image.Hashes like r"%MD5=c8d3784a3ab7a04ad34ea0aba32289ca%" or Image.Hashes like r"%MD5=9532893c1d358188d66b0d7b0784bb6b%" or Image.Hashes like r"%MD5=564d84a799db39b381a582a0b2f738c4%" or Image.Hashes like r"%MD5=fd3b7234419fafc9bdd533f48896ed73%" or Image.Hashes like r"%MD5=be5f46fd1056f02a7a241e052fa5888f%" or Image.Hashes like r"%MD5=2128e6c044ee86f822d952a261af0b48%" or Image.Hashes like r"%MD5=4b817d0e7714b9d43db43ae4a22a161e%" or Image.Hashes like r"%MD5=eaec88a63db9cf9cee53471263afe6fb%" or Image.Hashes like r"%MD5=ecdc79141b7002b246770d01606504f2%" or Image.Hashes like r"%MD5=ad866d83b4f0391aecceb4e507011831%" or Image.Hashes like r"%MD5=88a6d84f4f1cc188741271ac1999a4e9%" or Image.Hashes like r"%MD5=8580165a2803591e007380db9097bbcc%" or Image.Hashes like r"%MD5=5c4df33951d20253a98aa7b5e78e571a%" or Image.Hashes like r"%MD5=27d21eeff199ed555a29ca0ea4453cfb%" or Image.Hashes like r"%MD5=43bfc857406191963f4f3d9f1b76a7bf%" or Image.Hashes like r"%MD5=0fbf893691a376b168d8cdf427b89945%" or Image.Hashes like r"%MD5=1762105b28eb90d19e9ab3acde16ead6%" or Image.Hashes like r"%MD5=b41dcdb2e710dffba2d8ea1defb0f087%" or Image.Hashes like r"%MD5=c42caa9cdcc50c01cb2fed985a03fe23%" or Image.Hashes like r"%MD5=c516acb873c7f8c24a0431df8287756e%" or Image.Hashes like r"%MD5=343ada10d948db29251f2d9c809af204%" or Image.Hashes like r"%MD5=790ccca8341919bb8bb49262a21fca0e%" or Image.Hashes like r"%MD5=51207adb8dab983332d6b22c29fe8129%" or Image.Hashes like 
r"%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%" or Image.Hashes like r"%MD5=7c4e513702a0322b0e3bce29dea9e3e9%" or Image.Hashes like r"%MD5=8ac6d458abbe4f5280996eb90235377c%" or Image.Hashes like r"%MD5=6a1ff4806c1a6e897208f48a1f5b062f%" or Image.Hashes like r"%MD5=a4531040276080441974d9e00d8d4cfa%" or Image.Hashes like r"%MD5=d1f9ffe5569642c8f8c10ed7ee5d9391%" or Image.Hashes like r"%MD5=09b3d078ffa3b4ed0ad2e477a2ee341f%" or Image.Hashes like r"%MD5=83601bbe5563d92c1fdb4e960d84dc77%" or Image.Hashes like r"%MD5=1414629b1ee93d2652ff49b2eb829940%" or Image.Hashes like r"%MD5=84b17daba8715089542641990c1ea3c2%" or Image.Hashes like r"%MD5=6ae4dec687ac6d1b635a4e351dddf73e%" or Image.Hashes like r"%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%" or Image.Hashes like r"%MD5=1e1a3d43bd598b231207ff3e70f78454%" or Image.Hashes like r"%MD5=07f83829e7429e60298440cd1e601a6a%" or Image.Hashes like r"%MD5=7c72a7e1d42b0790773efd8700e24952%" or Image.Hashes like r"%MD5=f41eea88057d3dd1a56027c4174eed22%" or Image.Hashes like r"%MD5=f53fa44c7b591a2be105344790543369%" or Image.Hashes like r"%MD5=08e06b839499cb4b752347399db41b57%" or Image.Hashes like r"%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%" or Image.Hashes like r"%MD5=785045f8b25cd2e937ddc6b09debe01a%" or Image.Hashes like r"%MD5=53bb10742e10991af4ad280fcb134151%" or Image.Hashes like r"%MD5=76c643ab29d497317085e5db8c799960%" or Image.Hashes like r"%MD5=bce7f34912ff59a3926216b206deb09f%" or Image.Hashes like r"%MD5=c4f5619ce04d4bee38024d08513c77fd%" or Image.Hashes like r"%MD5=2a3ce41bb2a7894d939fbd1b20dae5a0%" or Image.Hashes like r"%MD5=86bec99cd121b0386a5acc1c368a9d49%" or Image.Hashes like r"%MD5=e076dadf37dd43a6b36aeed957abee9e%" or Image.Hashes like r"%MD5=4a85754636c694572ca9f440d254f5ce%" or Image.Hashes like r"%MD5=f4b7b84a6828d2f9205b55cf8cfc7742%" or Image.Hashes like r"%MD5=8f5b84350bfc4fe3a65d921b4bd0e737%" or Image.Hashes like r"%MD5=f9d04e99e4cab90973226a4555bc6d57%" or Image.Hashes like r"%MD5=bc5366760098dc14ec00ae36c359f42b%" or 
Image.Hashes like r"%MD5=b79475c4783efdd8122694c6b5669a79%" or Image.Hashes like r"%MD5=5f4a232d92480a1bebbe025ef64dc760%" or Image.Hashes like r"%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%" or Image.Hashes like r"%MD5=69ba501a268f09f694ff0e8e208aa20e%" or Image.Hashes like r"%MD5=030c8432981e4d41b191624b3e07afe2%" or Image.Hashes like r"%MD5=c56a9ed0192c5a2b39691e54f2132a2f%" or Image.Hashes like r"%SHA1=38a863bcd37c9c56d53274753d5b0e614ba6c8bb%" or Image.Hashes like r"%SHA1=87d2b638e5dfab1e37961d27ca734b83ece02804%" or Image.Hashes like r"%SHA1=1a56614ea7d335c844b7fc6edd5feb59b8df7b55%" or Image.Hashes like r"%SHA1=f02af84393e9627ba808d4159841854a6601cf80%" or Image.Hashes like r"%SHA1=75649b228a22ce1e2a306844e0d48f714fb03f28%" or Image.Hashes like r"%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%" or Image.Hashes like r"%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%" or Image.Hashes like r"%SHA1=388068adc9ec46a0bbc8173bcb0d5f9cf8af6ea5%" or Image.Hashes like r"%SHA1=fce3a95b222c810c56e7ed5a3d7fb059eb693682%" or Image.Hashes like r"%SHA1=f4728f490d741b04b611164a7d997e34458e3a5e%" or Image.Hashes like r"%SHA1=4d516b1c9b7a81de2836ab24ba6b880c11807255%" or Image.Hashes like r"%SHA1=bda26e533ef971d501095950010081b772920afc%" or Image.Hashes like r"%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%" or Image.Hashes like r"%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%" or Image.Hashes like r"%SHA1=b82c034e41d463f4e68b0a7d334f2d7611049bcb%" or Image.Hashes like r"%SHA1=8795df6494b724d9f279f007db33c24c27a91d08%" or Image.Hashes like r"%SHA1=b8d19cd28788ce4570623a5433b091a5fbd4c26d%" or Image.Hashes like r"%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%" or Image.Hashes like r"%SHA1=72f16e6a18ba87248dd72f52445c916ad2e4edc2%" or Image.Hashes like r"%SHA1=c0568bcdf57db1fa43cdee5a2a12b768a0064622%" or Image.Hashes like r"%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%" or Image.Hashes like r"%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%" or Image.Hashes like 
r"%SHA1=0edf51a0fac3b90f6961c2b20bbaeb4ccfc1ea84%" or Image.Hashes like r"%SHA1=6102b73489e1d319c0db7b84cb2c426c5f680120%" or Image.Hashes like r"%SHA1=c16d7b2fbe69a28ccbcf87348903277f22805bf3%" or Image.Hashes like r"%SHA1=c21510569fd84a5fe04508aa28e3cf9c8cc45b7a%" or Image.Hashes like r"%SHA1=2207cdee7deaba1492ae2349392864f19eb4dfaf%" or Image.Hashes like r"%SHA1=2f86a4828ba86034f0c043db3e3db33aa2cf5da5%" or Image.Hashes like r"%SHA1=569f4605c65c2a217b28aefeb8570f9ea663e4b7%" or Image.Hashes like r"%SHA1=cd828ee0725f6185861fd0a9d3bd78f1d96e55bf%" or Image.Hashes like r"%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%" or Image.Hashes like r"%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%" or Image.Hashes like r"%SHA1=7877bd7da617ec92a5c47f0da1f0abcf6484d905%" or Image.Hashes like r"%SHA1=3adea4a3a91504dc2e3c5e9247c6427cd5c73bab%" or Image.Hashes like r"%SHA1=55015f64783ddd148674a74d8137bcd6ccd6231d%" or Image.Hashes like r"%SHA1=f8d7369527cc6976283cc73cd761f93bd1cec49d%" or Image.Hashes like r"%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%" or Image.Hashes like r"%SHA1=091df975fa983e4ad44435ca092dbf84911f28a5%" or Image.Hashes like r"%SHA1=928d26cce64ad458e1f602cc2aea848e0b04eaaf%" or Image.Hashes like r"%SHA1=a7baff6666fc2d259c22f986b8a153c7b1d1d8be%" or Image.Hashes like r"%SHA1=90d73db752eac6ffc53555281fc5aa92297285ec%" or Image.Hashes like r"%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%" or Image.Hashes like r"%SHA1=a0bf00e4ef2b1a79ccf2361c6b303688641ed94c%" or Image.Hashes like r"%SHA1=4a2bb97d395634b67194856d79a1ee5209aa06a7%" or Image.Hashes like r"%SHA1=e0ee5ea6693c26f21b143ef9b133f53efe443b1e%" or Image.Hashes like r"%SHA1=c70989ed7a6ad9d7cd40ae970e90f3c3f2f84860%" or Image.Hashes like r"%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%" or Image.Hashes like r"%SHA1=c05df2e56e05b97e3ca8c6a61865cae722ed3066%" or Image.Hashes like r"%SHA1=dbf6e72c08824fe49c29b7660c9965c37d983e93%" or Image.Hashes like r"%SHA1=bed323603a33fa8b2fc7568149345184690f0390%" or 
Image.Hashes like r"%SHA1=2365a66c1eddfcf8385d9ff38ba8bd5f6f2e4fc2%" or Image.Hashes like r"%SHA1=59b0b8e3478f3d21213a8afda84181c4ed0a79a7%" or Image.Hashes like r"%SHA1=297fdf58e60d54bcddf2694c21ceb9da9ec17915%" or Image.Hashes like r"%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%" or Image.Hashes like r"%SHA1=adf9328e60c714ff0b98083bcf2f4ee2d58b960b%" or Image.Hashes like r"%SHA1=78834ff75e2ff8b7456e85114802e58bc9fda457%" or Image.Hashes like r"%SHA1=0a5ef5b72e621a639860c03f1cac499567082f39%" or Image.Hashes like r"%SHA1=aadaec4c31d661c249e4cf455ec752fffa3e5cfc%" or Image.Hashes like r"%SHA1=492a47426b04f00c0d5b711ad8c872aad3aa3a1d%" or Image.Hashes like r"%SHA1=064847af77afca8a879a9bf34cb87b64b5e69165%" or Image.Hashes like r"%SHA1=468cc011807704c04892ed209cf81d7896a12a0c%" or Image.Hashes like r"%SHA1=1013d5a0fd6074a8c40dbf3a88e3e06fbf3bcf41%" or Image.Hashes like r"%SHA1=fc62b746e0e726537bf848b48212f46db585af6d%" or Image.Hashes like r"%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%" or Image.Hashes like r"%SHA1=eceb51233f013e04406da11482324d45e70281c7%" or Image.Hashes like r"%SHA1=ff9887cfd695916a06319b3a96f7ab2e6343a20e%" or Image.Hashes like r"%SHA1=67e87ca093da64a23cf0fc0be2b35e03d1bf1543%" or Image.Hashes like r"%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%" or Image.Hashes like r"%SHA1=62244c704b0f227444d3a515ea0dc1003418a028%" or Image.Hashes like r"%SHA1=4d6e532830058fadd861ff9eac16de8cfc6974ce%" or Image.Hashes like r"%SHA1=ebced350ea447df8e10ebb080e3a3e5b32aca348%" or Image.Hashes like r"%SHA1=6de3d5c2e33d91eef975a30bc07b0e53a68e77b8%" or Image.Hashes like r"%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%" or Image.Hashes like r"%SHA1=0be77bb3720283c9a970a97dab25d2a312e86110%" or Image.Hashes like r"%SHA1=213ba055863d4226da26a759e8a254062ea77814%" or Image.Hashes like r"%SHA1=9099482b26e9ba8e1d303418afc9111a3bffd6b3%" or Image.Hashes like r"%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%" or Image.Hashes like 
r"%SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8%" or Image.Hashes like r"%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%" or Image.Hashes like r"%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%" or Image.Hashes like r"%SHA1=f6d826d73bf819dbc9a058f2b55c88d6d4b634e3%" or Image.Hashes like r"%SHA1=8278db134d3b505c735306393fdf104d014fb3bf%" or Image.Hashes like r"%SHA1=22c909898f5babe37cc421b4f5ed0522196f8127%" or Image.Hashes like r"%SHA1=e8311ba74bc6b35b1171b81056d0148913b1d61c%" or Image.Hashes like r"%SHA1=3eea0f5fb180c6f865fc83ac75ef3ad5b1376775%" or Image.Hashes like r"%SHA1=8e2511ae90643584ceb0d98f0f780cd6b7290604%" or Image.Hashes like r"%SHA1=8a922499f7a1b978555b46c30f90de1339760c74%" or Image.Hashes like r"%SHA1=2540205480ea3d59e4031de3c6632e3ce2596459%" or Image.Hashes like r"%SHA1=8edcd4b35f5ae88d14e83252390659c6fc79eae3%" or Image.Hashes like r"%SHA1=aaffdc89befa42e375f822366bbded8c245baf94%" or Image.Hashes like r"%SHA1=1d9fd846e12104ae31fd6f6040b93fc689abf047%" or Image.Hashes like r"%SHA1=3d3b42d7b0af68da01019274e341b03d7c54f752%" or Image.Hashes like r"%SHA1=88811e1a542f33431b9f8b74cb8bf27209b27f17%" or Image.Hashes like r"%SHA1=67b45c1e204d44824cd7858455e1acedbd7ffbb3%" or Image.Hashes like r"%SHA1=fff7ee0febb8c93539220ca49d4206616e15c666%" or Image.Hashes like r"%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%" or Image.Hashes like r"%SHA1=d302ae7f016299af323a3542d840004888ab91ff%" or Image.Hashes like r"%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%" or Image.Hashes like r"%SHA1=228b1ff5cd519faa15d9c2f8cfefd7e683bc3f2b%" or Image.Hashes like r"%SHA1=63cf021c8662fa23ce3e4075a4f849431e473058%" or Image.Hashes like r"%SHA1=ca4d2bd6022f71e1a48b08728c0ac83c68e91281%" or Image.Hashes like r"%SHA1=d43b2ac1221f2eaf2c170788280255cfef3edd72%" or Image.Hashes like r"%SHA1=db3ce886a47027c09bb668c7049362ab86c82ceb%" or Image.Hashes like r"%SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1%" or Image.Hashes like r"%SHA1=745bad097052134548fe159f158c04be5616afc2%" or 
Image.Hashes like r"%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%" or Image.Hashes like r"%SHA1=0e47bd9b67500a67ce18c24328d6d0db8ae2c493%" or Image.Hashes like r"%SHA1=ef95f500b60c49f40ed6ce3014ffdb294b301e95%" or Image.Hashes like r"%SHA1=2ee7b3f6bcc9e95a9ae60bcb9bbc483b0400077d%" or Image.Hashes like r"%SHA1=b3f5185d7824ea2c2d931c292f4d8f77903a4d2a%" or Image.Hashes like r"%SHA1=029c678674f482ababe8bbfdb93152392457109d%" or Image.Hashes like r"%SHA1=aadebbcbde0e7edd35e29d98871289a75e744aad%" or Image.Hashes like r"%SHA1=a88546fb61a2fa7dab978a9cb678469e8f0ed475%" or Image.Hashes like r"%SHA1=90abd7670c84c47e6ffc45c67d676db8c12b1939%" or Image.Hashes like r"%SHA1=4fe873544c34243826489997a5ff14ed39dd090d%" or Image.Hashes like r"%SHA1=d06d119579156b1ec732c50f0f64358762eb631a%" or Image.Hashes like r"%SHA1=27eab595ec403580236e04101172247c4f5d5426%" or Image.Hashes like r"%SHA1=d1670bd08cfd376fc2b70c6193f3099078f1d72f%" or Image.Hashes like r"%SHA1=7ee675f0106e36d9159c5507b96c3237fb9348cd%" or Image.Hashes like r"%SHA1=fde6ab389a6e0a9b2ef1713df9d43cca5f1f3da8%" or Image.Hashes like r"%SHA1=d61acd857242185a56e101642d15b9b5f0558c26%" or Image.Hashes like r"%SHA1=9d44260558807daff61a0cc0c6a8719c3adacd2d%" or Image.Hashes like r"%SHA1=3f17ff83dc8a5f875fb1b3a5d3b9fcbe407a99f0%" or Image.Hashes like r"%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%" or Image.Hashes like r"%SHA1=a951953e3c1bb08653ed7b0daec38be7b0169c27%" or Image.Hashes like r"%SHA1=35f803d483af51762bee3ec130de6a03362ce920%" or Image.Hashes like r"%SHA1=ed3f11383a47710fa840e13a7a9286227fa1474c%" or Image.Hashes like r"%SHA1=004d9353f334e42c79a12c3a31785a96f330bbef%" or Image.Hashes like r"%SHA1=0b77242d4e920f2fcb2b506502cfe3985381defc%" or Image.Hashes like r"%SHA1=8146ed4a9c9a2f7e7aeae0a0539610c3c1cd3563%" or Image.Hashes like r"%SHA1=2261198385d62d2117f50f631652eded0ecc71db%" or Image.Hashes like r"%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%" or Image.Hashes like 
r"%SHA1=ef0504dd90eb451f51d2c4f987fb7833c91c755b%" or Image.Hashes like r"%SHA1=34b2986f1ff5146f7145433f1ef5dfe6210131d0%" or Image.Hashes like r"%SHA1=472cc191937349a712aabcbc4d118c1c982ab7c9%" or Image.Hashes like r"%SHA1=7c43d43d95232e37aa09c5e2bcd3a7699d6b7479%" or Image.Hashes like r"%SHA1=de2c073c8b4db6ffd11a99784d307f880444e5d3%" or Image.Hashes like r"%SHA1=e88259de797573fa515603ad3354aed0bce572f1%" or Image.Hashes like r"%SHA1=f70eb454c0e9ea67a18c625faf7a666665801035%" or Image.Hashes like r"%SHA1=4a2e034d2702aba6bca5d9405ba533ed1274ff0c%" or Image.Hashes like r"%SHA1=8788f4b39cbf037270904bdb8118c8b037ee6562%" or Image.Hashes like r"%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%" or Image.Hashes like r"%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%" or Image.Hashes like r"%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%" or Image.Hashes like r"%SHA1=5b866f522bcdf80e6a9fda71b385f917317f6551%" or Image.Hashes like r"%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%" or Image.Hashes like r"%SHA1=517504aaf8afc9748d6aec657d46a6f7bbc60c09%" or Image.Hashes like r"%SHA1=f0d6b0bcd5f47b41d3c3192e244314d99d1df409%" or Image.Hashes like r"%SHA1=3f43412c563889a5f5350f415f7040a71cc25221%" or Image.Hashes like r"%SHA1=8031ecbff95f299b53113ccd105582defad38d7b%" or Image.Hashes like r"%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%" or Image.Hashes like r"%SHA1=55c64235d223baeb8577a2445fdaa6bedcde23db%" or Image.Hashes like r"%SHA1=12154f58b68902a40a7165035d37974128deb902%" or Image.Hashes like r"%SHA1=fa60a89980aad30db3a358fb1c1536a4d31dff6c%" or Image.Hashes like r"%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%" or Image.Hashes like r"%SHA1=9310239b75394b75a963336fbd154038fc13c4e3%" or Image.Hashes like r"%SHA1=7673cebd15488cbbb4ca65209f92faab3f933205%" or Image.Hashes like r"%SHA1=3a3342f4ca8cc45c6b86f64b1a7d7659020b429f%" or Image.Hashes like r"%SHA1=190c20e130a9156442eebcf913746c69b9485eec%" or Image.Hashes like r"%SHA1=3c9c86c0b215ecbab0eeb4479c204dba65258b8e%" or 
Image.Hashes like r"%SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89%" or Image.Hashes like r"%SHA1=c00ad2a252b53cf2d0dc74b53d1af987982e1ad1%" or Image.Hashes like r"%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%" or Image.Hashes like r"%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%" or Image.Hashes like r"%SHA1=7cd4aea9c1f82111bf7f9d4934be95e9bb6f8ae0%" or Image.Hashes like r"%SHA1=d32408c3b79b1f007331d2a3c78b1a7e96f37f79%" or Image.Hashes like r"%SHA1=a6a71fb4f91080aff2a3a42811b4bd86fb22168d%" or Image.Hashes like r"%SHA1=a0c7c913d7b5724a46581b6e00dd72c26c37794d%" or Image.Hashes like r"%SHA1=6f8b0e1c7d7bd7beed853e0d51ca03f143e5b703%" or Image.Hashes like r"%SHA1=91ee32b464f6385fc8c44b867ca3dec665cbe886%" or Image.Hashes like r"%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%" or Image.Hashes like r"%SHA1=75dd52e28c40cd22e38ae2a74b52eb0cddfcb2c4%" or Image.Hashes like r"%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%" or Image.Hashes like r"%SHA1=f9cced7ccdc1f149ad8ad13a264c4425aee89b8e%" or Image.Hashes like r"%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%" or Image.Hashes like r"%SHA1=e4e40032376279e29487afc18527804dce792883%" or Image.Hashes like r"%SHA1=bebf97411946749b9050989d9c40352dbe8269ea%" or Image.Hashes like r"%SHA1=cfcecf6207d16aeb0af29aac8a4a2f104483018e%" or Image.Hashes like r"%SHA1=b21cba198d721737aabd882ada6c91295a5975ed%" or Image.Hashes like r"%SHA1=8f540936f2484d020e270e41529624407b7e107e%" or Image.Hashes like r"%SHA1=32888d789edc91095da2e0a5d6c564c2aebcee68%" or Image.Hashes like r"%SHA1=10fc6933deb7de9813e07d864ce03334a4f489d9%" or Image.Hashes like r"%SHA1=09d3ff3c57f5154735e676f2c0a10b5e51336bb3%" or Image.Hashes like r"%SHA1=d022f5e3c1bba43871af254a16ab0e378ea66184%" or Image.Hashes like r"%SHA1=6c445ceb38d5b1212ce2e7498888dd9562a57875%" or Image.Hashes like r"%SHA1=cf9b4d606467108e4b845ecb8ede2f5865bd6c33%" or Image.Hashes like r"%SHA1=c4ce0bb8a939c4f4cff955d9b3cdd9eb52746cc9%" or Image.Hashes like 
r"%SHA1=8325e8d7fd2edc126dcf1089dee8da64e79fb12e%" or Image.Hashes like r"%SHA1=2bb68b195f66f53f90f17b364928929d5b2883b5%" or Image.Hashes like r"%SHA1=d3a6f86245212e1ef9e0e906818027ec14a239cb%" or Image.Hashes like r"%SHA1=5672e2212c3b427c1aef83fcd725b587a3d3f979%" or Image.Hashes like r"%SHA1=7cee31d3aaee8771c872626feedeeb5d09db008c%" or Image.Hashes like r"%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%" or Image.Hashes like r"%SHA1=4f0d9122f57f4f8df41f3c3950359eb1284b9ab5%" or Image.Hashes like r"%SHA1=59c4960851af9240dded4173c4f823727af19512%" or Image.Hashes like r"%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%" or Image.Hashes like r"%SHA1=9393698058ce1187eb87e8c148cfe4804761142d%" or Image.Hashes like r"%SHA1=ed219d966a6e74275895cc0b975b79397760ea9f%" or Image.Hashes like r"%SHA1=4dba2ac32ed58ead57dd36b18d1cb30cc1c7b9aa%" or Image.Hashes like r"%SHA1=d2be76e79741454b4611675b58446e10fc3d0c6c%" or Image.Hashes like r"%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%" or Image.Hashes like r"%SHA1=6b54b8f7edca5fb25a8ef1a1d31e14b9738db579%" or Image.Hashes like r"%SHA1=52d9bbe41eea0b60507c469f7810d80343c03c2b%" or Image.Hashes like r"%SHA1=f7330a6a4d9df2f35ab93a28c8ee1eb14a74be6e%" or Image.Hashes like r"%SHA1=589a7d4df869395601ba7538a65afae8c4616385%" or Image.Hashes like r"%SHA1=61d44c9a1ef992bc29502f725d1672d551b9bc3f%" or Image.Hashes like r"%SHA1=da689e8e0e3fc4c7114b44d185eef4c768e15946%" or Image.Hashes like r"%SHA1=170a50139f95ad1ec94d51fdd94c1966dbed0e47%" or Image.Hashes like r"%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%" or Image.Hashes like r"%SHA1=bfff0073c936b9a7e2ad6848deb6f9bf03205488%" or Image.Hashes like r"%SHA1=1586f121d38cc42e5d04fe2f56091e91c6cdd8fa%" or Image.Hashes like r"%SHA1=96ec8c16f6a54b48e9a7f0d0416a529f4bf9ac11%" or Image.Hashes like r"%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%" or Image.Hashes like r"%SHA1=4d4535c111c7b568cb8a3bece27a97d738512a6b%" or Image.Hashes like r"%SHA1=258f1cdc79bd20c2e6630a0865abfe60473b98d5%" or 
Image.Hashes like r"%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%" or Image.Hashes like r"%SHA1=2c2fc258871499b206963c0f933583cedcdf9ea2%" or Image.Hashes like r"%SHA1=6a2912c8e2aa4373852585bc1134b83c637bc9fd%" or Image.Hashes like r"%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%" or Image.Hashes like r"%SHA1=1951ae94c6ee63fa801208771b5784f021c70c60%" or Image.Hashes like r"%SHA1=8b53284fb23d34ca144544b19f8fba63700830d8%" or Image.Hashes like r"%SHA1=6bfeac43be3ebd8d95a5eba963e18d97d76d2b05%" or Image.Hashes like r"%SHA1=2ae1456bb0fa5a016954b03967878fb6db4d81eb%" or Image.Hashes like r"%SHA1=63f9ee1e7aefd961cf36eeffd455977f1b940f6c%" or Image.Hashes like r"%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%" or Image.Hashes like r"%SHA1=baa94f0f816d7a41a63e7f1aa9dd3d64a9450ed0%" or Image.Hashes like r"%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%" or Image.Hashes like r"%SHA1=bff4c3696d81002c56f473a8ab353ef0e45854c0%" or Image.Hashes like r"%SHA1=64df813dc0774ef57d21141dcb38d08059fd8660%" or Image.Hashes like r"%SHA1=bdfb1a2b08d823009c912808425b357d22480ecc%" or Image.Hashes like r"%SHA1=470633a3a1e1b1f13c3f6c5192ce881efd206d7c%" or Image.Hashes like r"%SHA1=65f6a4a23846277914d90ba6c12742eecf1be22d%" or Image.Hashes like r"%SHA1=ed40c1f7da98634869b415530e250f4a665a8c48%" or Image.Hashes like r"%SHA1=1ab702c495cb7832d4cc1ff896277fa56ed8f30d%" or Image.Hashes like r"%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%" or Image.Hashes like r"%SHA1=b3b523504af5228c49060ec8dea9f8adce05e117%" or Image.Hashes like r"%SHA1=108575d8f0b98fed29514a54052f7bf5a8cb3ff0%" or Image.Hashes like r"%SHA1=8fafd70bae94bbc22786c9328ee9126fed54dbae%" or Image.Hashes like r"%SHA1=d3b23a0b70d6d279abd8db109f08a8b0721ce327%" or Image.Hashes like r"%SHA1=190ec384e6eb1dafca80df05055ead620b2502ba%" or Image.Hashes like r"%SHA1=6b25acbcb41a593aca6314885572fc22d16582a2%" or Image.Hashes like r"%SHA1=341225961c15a969c62de38b4ec1938f65fda178%" or Image.Hashes like 
r"%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%" or Image.Hashes like r"%SHA1=5812387783d61c6ab5702213bb968590a18065e3%" or Image.Hashes like r"%SHA1=e700fcfae0582275dbaee740f4f44b081703d20d%" or Image.Hashes like r"%SHA1=a2167b723dfb24bf8565cbe2de0ecce77307fb9e%" or Image.Hashes like r"%SHA1=7cf7644e38746c9be4537b395285888d5572ae1b%" or Image.Hashes like r"%SHA1=3b8ddf860861cc4040dea2d2d09f80582547d105%" or Image.Hashes like r"%SHA1=1a17cc64e47d3db7085a4dc365049a2d4552dc8a%" or Image.Hashes like r"%SHA1=9b3f57693f0f69d3729762d59a10439e738b9031%" or Image.Hashes like r"%SHA1=63bb17160115f16b3fca1f028b13033af4e468c6%" or Image.Hashes like r"%SHA1=631fdd1ef2d6f2d98e36f8fc7adbf90fbfb0a1e8%" or Image.Hashes like r"%SHA1=06ec56736c2fc070066079bb628c17b089b58f6c%" or Image.Hashes like r"%SHA1=d1ba4c95697a25ec265a3908acbff269e29e760c%" or Image.Hashes like r"%SHA1=e40182c106f6f09fd79494686329b95477d6beb5%" or Image.Hashes like r"%SHA1=c74f6293be68533995e4b95469e6dddedd1c3905%" or Image.Hashes like r"%SHA1=ec457a53ea03287cbbd1edcd5f27835a518ef144%" or Image.Hashes like r"%SHA1=1a01f3bdbfae4f8111674068a001aaf3363f21ea%" or Image.Hashes like r"%SHA1=ce1d0ebaeaa4fe3ecb49242f1e80bc7a4e43fd8c%" or Image.Hashes like r"%SHA1=f77413ec3bd9ed3f31fc53a4c755dc4123e0068f%" or Image.Hashes like r"%SHA1=17614fdee3b89272e99758983b99111cbb1b312c%" or Image.Hashes like r"%SHA1=8b63eb0f5dbb844ee5f6682f0badef872ae569bf%" or Image.Hashes like r"%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%" or Image.Hashes like r"%SHA1=c8674fe95460a37819e06d9df304254931033ca7%" or Image.Hashes like r"%SHA1=273634ac170d1a6abd32e0db597376a6f62eb59e%" or Image.Hashes like r"%SHA1=dd4cd182192b43d4105786ba87f55a036ec45ef2%" or Image.Hashes like r"%SHA1=f9eb4c942a89b4ba39d2bdbfd23716937ccb9925%" or Image.Hashes like r"%SHA1=94144619920bd086028bb5647b1649a35438028c%" or Image.Hashes like r"%SHA1=2871a631f36cd1ea2fd268036087d28070ef2c52%" or Image.Hashes like r"%SHA1=57cf65b024d9e2831729def42db2362d7c90dcfa%" or 
Image.Hashes like r"%SHA1=d3daa971580b9f94002f7257de44fcef13bb1673%" or Image.Hashes like r"%SHA1=8ac5703e67c3e6e0585cb8dbb86d196c5362f9bb%" or Image.Hashes like r"%SHA1=756fd2b82bf92538786b1bd283c6ef2f9794761e%" or Image.Hashes like r"%SHA1=c775ca665ed4858acc3f7e75e025cbbda1f8c687%" or Image.Hashes like r"%SHA1=a8be6203c5a87ecc3ae1c452b7b6dbdf3a9f82ae%" or Image.Hashes like r"%SHA1=085c0ea6980cb93a3afa076764b7866467ac987c%" or Image.Hashes like r"%SHA1=09f117d83f2f206ee37f1eb19eea576a0ac9bdcc%" or Image.Hashes like r"%SHA1=c41ff2067634a1cce6b8ec657cdfd87e7f6974e3%" or Image.Hashes like r"%SHA1=ddec18909571a9d5992f93636628756b7aa9b9a2%" or Image.Hashes like r"%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%" or Image.Hashes like r"%SHA1=06ec62c590ca0f1f2575300c151c84640d2523c0%" or Image.Hashes like r"%SHA1=f95b59cab63408343ecbdb0e71db34e83f75b503%" or Image.Hashes like r"%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%" or Image.Hashes like r"%SHA1=9360774a37906e3b3c9fab39721cb9400dd31c46%" or Image.Hashes like r"%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%" or Image.Hashes like r"%SHA1=dc393d30453daa1f853f47797e48c142ac77a37b%" or Image.Hashes like r"%SHA1=b70321d078f2e9c9826303bdc87ba9b7be290807%" or Image.Hashes like r"%SHA1=4cd5bf02edf6883a08dfed7702267612e21ed56e%" or Image.Hashes like r"%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%" or Image.Hashes like r"%SHA1=296757d5663290f172e99e60b9059f989cba4c4e%" or Image.Hashes like r"%SHA1=0caf4e86b14aaab7e10815389fcd635988bc6637%" or Image.Hashes like r"%SHA1=449ff4f5ce2fdddac05a6c82e45a7e802b1c1305%" or Image.Hashes like r"%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%" or Image.Hashes like r"%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%" or Image.Hashes like r"%SHA1=4818d7517054d5cba38b679bdf7f8495fd152729%" or Image.Hashes like r"%SHA1=47df454cb030c1f4f7002d46b1308a32b03148e7%" or Image.Hashes like r"%SHA1=28fa0e9429af24197134306b6c7189263e939136%" or Image.Hashes like 
r"%SHA1=186b6523e8e2fa121d6d3b8cb106e9a5b918af4f%" or Image.Hashes like r"%SHA1=9dbd255ee29be0e552f7f5f30d6ffb97e6cd0b0d%" or Image.Hashes like r"%SHA1=76a756cc61653abcadd63db4a74c48d92607a861%" or Image.Hashes like r"%SHA1=15df139494d2c40a645fb010908551185c27f3c5%" or Image.Hashes like r"%SHA1=64879accdb4dbbaac55d91185c82f2b193f0c869%" or Image.Hashes like r"%SHA1=55777e18eb95b6c9c3e6df903f0ac36056fa83da%" or Image.Hashes like r"%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%" or Image.Hashes like r"%SHA1=135b261eb03e830c57b1729e3a4653f9c27c7522%" or Image.Hashes like r"%SHA1=deaf7d0c934cc428981ffa5bf528ca920bc692dc%" or Image.Hashes like r"%SHA1=309a799f1a00868ab05cdbb851b3297db34d9b0d%" or Image.Hashes like r"%SHA1=d5beca70469e0dcb099ba35979155e7c91876fd2%" or Image.Hashes like r"%SHA1=376d59d0b19905ebb9b89913a5bdfacde1bd5a1e%" or Image.Hashes like r"%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%" or Image.Hashes like r"%SHA1=dfd801b6c2715f5525f8ffb38e3396a5ad9b831d%" or Image.Hashes like r"%SHA1=92befb8b3d17bd3f510d09d464ec0131f8a43b8f%" or Image.Hashes like r"%SHA1=b671677079bf7c660579bee08b8875a48ff61896%" or Image.Hashes like r"%SHA1=0d6fb0cb9566b4e4ca4586f26fe0631ffa847f2c%" or Image.Hashes like r"%SHA1=bca4bbe4388ebeb834688e97fac281c09b0f3ac1%" or Image.Hashes like r"%SHA1=0b3836d5d98bc8862a380aae19caa3e77a2d93ef%" or Image.Hashes like r"%SHA1=b394f84e093cb144568e18aaf5b857dff77091fa%" or Image.Hashes like r"%SHA1=7329bb4a7ca98556fa6b05bd4f9b236186e845d1%" or Image.Hashes like r"%SHA1=0307d76750dd98d707c699aee3b626643afb6936%" or Image.Hashes like r"%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%" or Image.Hashes like r"%SHA1=2740cd167a9ccb81c8e8719ce0d2ae31babc631c%" or Image.Hashes like r"%SHA1=77a011b5d5d5aaf421a543fcee22cb7979807c60%" or Image.Hashes like r"%SHA1=a197a02025946aca96d6e74746f84774df31249e%" or Image.Hashes like r"%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%" or Image.Hashes like r"%SHA1=c71597c89bd8e937886e3390bc8ac4f17cdeae7c%" or 
Image.Hashes like r"%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%" or Image.Hashes like r"%SHA1=e71caa502d0fe3a7383ce26285a6022e63acda97%" or Image.Hashes like r"%SHA1=446130c61555e5c9224197963d32e108cd899ea0%" or Image.Hashes like r"%SHA1=218e4bbdd5ce810c48b938307d01501c442b75f4%" or Image.Hashes like r"%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%" or Image.Hashes like r"%SHA1=0cb14c1049c0e81c8655ab7ee7d698c11758ea06%" or Image.Hashes like r"%SHA1=f3c20ce4282587c920e9ff5da2150fac7858172e%" or Image.Hashes like r"%SHA1=dd49a71f158c879fb8d607cc558b507c7c8bc5b9%" or Image.Hashes like r"%SHA1=7d34bb240cb5dec51ffcc7bf062c8d613819ac30%" or Image.Hashes like r"%SHA1=0b01c4c1f18d72eb622be2553114f32edfe7b7aa%" or Image.Hashes like r"%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%" or Image.Hashes like r"%SHA1=4186ac693003f92fdf1efbd27fb8f6473a7cc53e%" or Image.Hashes like r"%SHA1=01b95ae502aa09aabc69a0482fcc8198f7765950%" or Image.Hashes like r"%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%" or Image.Hashes like r"%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%" or Image.Hashes like r"%SHA1=c614ab686e844c7a7d2b20bc7061ab15290e2cfd%" or Image.Hashes like r"%SHA1=2cf75df00c69d907cfe683cb25077015d05be65d%" or Image.Hashes like r"%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%" or Image.Hashes like r"%SHA1=a528cdeed550844ca7d31c9e231a700b4185d0da%" or Image.Hashes like r"%SHA1=8ec28d7da81cf202f03761842738d740c0bb2fed%" or Image.Hashes like r"%SHA1=e606282505af817698206672db632332e8c3d3ff%" or Image.Hashes like r"%SHA1=47830d6d3ee2d2a643abf46a72738d77f14114bc%" or Image.Hashes like r"%SHA1=57ea07ab767f11c81c6468b1f8a3d5f4618b800b%" or Image.Hashes like r"%SHA1=34b0f1b2038a1572ee6381022a24333357b033c4%" or Image.Hashes like r"%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%" or Image.Hashes like r"%SHA1=a14d96b65d3968181d57b57ee60c533cb621b707%" or Image.Hashes like r"%SHA1=cd248648eafca6ef77c1b76237a6482f449f13be%" or Image.Hashes like 
r"%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%" or Image.Hashes like r"%SHA1=64ff172bafc33f14ca5f2e35f9753d41e239a5e4%" or Image.Hashes like r"%SHA1=74bf2ec32cb881424a79e99709071870148d242d%" or Image.Hashes like r"%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%" or Image.Hashes like r"%SHA1=3c81cdfd99d91c7c9de7921607be12233ed0dfd8%" or Image.Hashes like r"%SHA1=c1a5aacf05c00080e04d692a99c46ab445bf8b6e%" or Image.Hashes like r"%SHA1=1768fb2b4796f624fa52b95dfdfbfb922ac21019%" or Image.Hashes like r"%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%" or Image.Hashes like r"%SHA1=6df6d5b30d04b9adb9d2c99de18ed108b011d52b%" or Image.Hashes like r"%SHA1=8589a284f1a087ad5b548fb1a933289781b4cedc%" or Image.Hashes like r"%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%" or Image.Hashes like r"%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%" or Image.Hashes like r"%SHA1=f5bafebfbfb67a022452870289ac7849e9ee1f61%" or Image.Hashes like r"%SHA1=5965ca5462cd9f24c67a1a1c4ef277fab8ea81d3%" or Image.Hashes like r"%SHA1=804013a12f2f6ba2e55c4542cbdc50ca01761905%" or Image.Hashes like r"%SHA1=30c6e1da8745c3d53df696af407ef095a8398273%" or Image.Hashes like r"%SHA1=2fed7eddd63f10ed4649d9425b94f86140f91385%" or Image.Hashes like r"%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%" or Image.Hashes like r"%SHA1=5ce273aa80ed3b0394e593a999059096682736ae%" or Image.Hashes like r"%SHA1=36397c6879978223ba52acd97da99e8067ab7f05%" or Image.Hashes like r"%SHA1=8a23735d9a143ad526bf73c6553e36e8a8d2e561%" or Image.Hashes like r"%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%" or Image.Hashes like r"%SHA1=f2ce790bf47b01a7e1ef5291d8fa341d5f66883a%" or Image.Hashes like r"%SHA1=f52c2d897fa00910d5566503dd5a297970f13dc6%" or Image.Hashes like r"%SHA1=256d285347acd715ed8920e41e5ec928ae9201a8%" or Image.Hashes like r"%SHA1=58fe23f1bb9d4bcc1b07b102222a7d776cc90f6c%" or Image.Hashes like r"%SHA1=55d84fd3e5db4bdbd3fb6c56a84b6b8a320c7c58%" or Image.Hashes like r"%SHA1=a71c17bfeefd76a9f89e74a52a2b6fdd3efbabe2%" or 
Image.Hashes like r"%SHA1=83b5e60943a92050fccb8acef7aa464c8f81d38e%" or Image.Hashes like r"%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%" or Image.Hashes like r"%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%" or Image.Hashes like r"%SHA1=9db1585c0fab6a9feb411c39267ac4ad29171696%" or Image.Hashes like r"%SHA1=2eddb10eecef740ec2f9158fa39410ec32262fc3%" or Image.Hashes like r"%SHA1=ad60e40a148accec0950d8d13bf7182c2bd5dfef%" or Image.Hashes like r"%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%" or Image.Hashes like r"%SHA1=5a7bcb1864d1e8ecde0b58d21b98518ca4b2f1f2%" or Image.Hashes like r"%SHA1=d6de8983dbd9c4c83f514f4edf1ac7be7f68632f%" or Image.Hashes like r"%SHA1=07f60b2b0e56cb15aad3ca8a96d9fe3a91491329%" or Image.Hashes like r"%SHA1=6b90a6eeef66bb9302665081e30bf9802ca956cc%" or Image.Hashes like r"%SHA1=634b1e9d0aafac1ec4373291cefb52c121e8d265%" or Image.Hashes like r"%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%" or Image.Hashes like r"%SHA1=ec04d8c814f6884c009a7b51c452e73895794e64%" or Image.Hashes like r"%SHA1=fdf4a0af89f0c8276ad6d540c75beece380703ab%" or Image.Hashes like r"%SHA1=76046978d8e4409e53d8126a8dcfc3bf8602c37f%" or Image.Hashes like r"%SHA1=13df48ab4cd412651b2604829ce9b61d39a791bb%" or Image.Hashes like r"%SHA1=cb25d537f4e2872e5fcbd893da8ce3807137df80%" or Image.Hashes like r"%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%" or Image.Hashes like r"%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%" or Image.Hashes like r"%SHA1=c1fe7870e202733123715cacae9b02c29494d94d%" or Image.Hashes like r"%SHA1=9c256edd10823ca76c0443a330e523027b70522d%" or Image.Hashes like r"%SHA1=079627e0f5b1ad1fb3fe64038a09bc6e8b8d289d%" or Image.Hashes like r"%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%" or Image.Hashes like r"%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%" or Image.Hashes like r"%SHA1=3f338ab65bac9550b8749bb1208edb0f7d7bcb81%" or Image.Hashes like r"%SHA1=723fd9dd0957403ed131c72340e1996648f77a48%" or Image.Hashes like 
r"%SHA1=e0d83953a9efef81ba0fa9de1e3446b6f0a23cc6%" or Image.Hashes like r"%SHA1=1d5d2c5853619c25518ba0c55fd7477050e708fb%" or Image.Hashes like r"%SHA1=838823f25436cadc9a145ddac076dce3e0b84d96%" or Image.Hashes like r"%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%" or Image.Hashes like r"%SHA1=363068731e87bcee19ad5cb802e14f9248465d31%" or Image.Hashes like r"%SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4%" or Image.Hashes like r"%SHA1=0d8a832b9383fcdc23e83487b188ddd30963ca82%" or Image.Hashes like r"%SHA1=db6170ee2ee0a3292deceb2fc88ef26d938ebf2d%" or Image.Hashes like r"%SHA1=a9ea84ee976c66977bb7497aa374bba4f0dd2b27%" or Image.Hashes like r"%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%" or Image.Hashes like r"%SHA1=e067024ec42b556fb1e89ca52ef6719aa09cdf89%" or Image.Hashes like r"%SHA1=0ed0c4d6c3b6b478cbfd7fb0bd1e1b5457a757cc%" or Image.Hashes like r"%SHA1=54a4772212da2025bd8fb2dc913e1c4490e7a0cd%" or Image.Hashes like r"%SHA1=68ca9c27131aa35c7f433dc914da74f4b3d8793f%" or Image.Hashes like r"%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%" or Image.Hashes like r"%SHA1=cc3e5e45aca5b670035dfb008f0a88cecfd91cf7%" or Image.Hashes like r"%SHA1=8d676504c2680cf71c0c91afb18af40ea83b6c22%" or Image.Hashes like r"%SHA1=ba5b4eaa7cab012b71a8a973899eeee47a12becc%" or Image.Hashes like r"%SHA1=1901467b6f04a93b35d3ca0727c8a14f3ce3ed52%" or Image.Hashes like r"%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%" or Image.Hashes like r"%SHA1=116679c4b2cca6ec69453309d9d85d3793cbe05f%" or Image.Hashes like r"%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%" or Image.Hashes like r"%SHA1=e702221d059b86d49ed11395adffa82ef32a1bce%" or Image.Hashes like r"%SHA1=dd085542683898a680311a0d1095ea2dffe865e2%" or Image.Hashes like r"%SHA1=69849d68d1857c83b09e1956a46fe879260d2aab%" or Image.Hashes like r"%SHA1=a23a0627297a71a4414193e12a8c074e7bbb8a2e%" or Image.Hashes like r"%SHA1=91530e1e1fb25a26f3e0d6587200ddbaecb45c74%" or Image.Hashes like r"%SHA1=247065af09fc6fd56b07d3f5c26f555a5ccbfda4%" or 
Image.Hashes like r"%SHA1=e840904ce12cc2f94eb1ec16b0b89e2822c24805%" or Image.Hashes like r"%SHA1=e5bfb18f63fcfb7dc09b0292602112ea7837ef7a%" or Image.Hashes like r"%SHA1=dc6e62dbde5869a6adc92253fff6326b6af5c8d4%" or Image.Hashes like r"%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%" or Image.Hashes like r"%SHA1=40dba13a059679401fcaf7d4dbe80db03c9d265c%" or Image.Hashes like r"%SHA1=acb5d7e182a108ee02c5cb879fc94e0d6db7dd68%" or Image.Hashes like r"%SHA1=543933cce83f2e75d1b6a8abdb41199ddef8406c%" or Image.Hashes like r"%SHA1=0f2fdfb249c260c892334e62ab77ac88fcb8b5e4%" or Image.Hashes like r"%SHA1=81a319685d0b6112edee4bc25d14d6236f4e12da%" or Image.Hashes like r"%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%" or Image.Hashes like r"%SHA1=488b20ed53c2060c41b9a0cac1efb39a888df7c5%" or Image.Hashes like r"%SHA1=e1069365cb580e3525090f2fa28efd4127223588%" or Image.Hashes like r"%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%" or Image.Hashes like r"%SHA1=67dfd415c729705396ce54166bd70faf09ac7f10%" or Image.Hashes like r"%SHA1=c8ec23066a50800d42913d5e439700c5cd6a2287%" or Image.Hashes like r"%SHA1=07f62d9b6321bed0008e106e9ce4240cb3f76da2%" or Image.Hashes like r"%SHA1=a57eefa0c653b49bd60b6f46d7c441a78063b682%" or Image.Hashes like r"%SHA1=a4ae87b7802c82dfb6a4d26ab52788410af98532%" or Image.Hashes like r"%SHA1=bc949bc040333fdc9140b897b0066ef125343ef6%" or Image.Hashes like r"%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%" or Image.Hashes like r"%SHA1=6bb68e1894bfbc1ac86bcdc048f7fe7743de2f92%" or Image.Hashes like r"%SHA1=a54ae1793e9d77e61416e0d9fb81269a4bc8f8a2%" or Image.Hashes like r"%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%" or Image.Hashes like r"%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%" or Image.Hashes like r"%SHA1=844d2345bde50bf8ee7e86117cf7b8c6e6f00be4%" or Image.Hashes like r"%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%" or Image.Hashes like r"%SHA1=d0452363b41385f6a6778f970f3744dde4701d8f%" or Image.Hashes like 
r"%SHA1=d72de7e8f0118153dd5cf784f724e725865fc523%" or Image.Hashes like r"%SHA1=340ce5d8859f923222bea5917f40c4259cce1bbc%" or Image.Hashes like r"%SHA1=e1bf5dd17f84bce3b2891dffa855d81a21914418%" or Image.Hashes like r"%SHA1=e4cbb48aa1aff6cf4ea94ef3b7afb6c245ac47e8%" or Image.Hashes like r"%SHA1=0e1df95042081fa2408782f14ce483f0db19d5ab%" or Image.Hashes like r"%SHA1=d2fb46277c36498e87d0f47415b7980440d40e3d%" or Image.Hashes like r"%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%" or Image.Hashes like r"%SHA1=4a887ae6b773000864f9228800aab75e6ff34240%" or Image.Hashes like r"%SHA1=283c7dc5b029dbc41027df16716ec12761a53df8%" or Image.Hashes like r"%SHA1=dcdc9b2bc8e79d44846086d0d482cb7c589f09b8%" or Image.Hashes like r"%SHA1=ec8c0b2f49756b8784b3523e70cd8821b05b95eb%" or Image.Hashes like r"%SHA1=16c6bcef489f190a48e9d3b1f35972db89516479%" or Image.Hashes like r"%SHA1=ffabdf33635bdc1ed1714bc8bbfd7b73ef78a37c%" or Image.Hashes like r"%SHA1=7c625de858710d3673f6cb0cd8d0643d5422c688%" or Image.Hashes like r"%SHA1=faa61346430aedc952d820f7b16b973c9bf133c3%" or Image.Hashes like r"%SHA1=1e959d6ae22c4d9fa5613c3a9d3b6e1b472be05d%" or Image.Hashes like r"%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%" or Image.Hashes like r"%SHA1=1de9f25d189faa294468517b15947a523538ce9d%" or Image.Hashes like r"%SHA1=d8e8dcc8531b8d07f8dabc9e79c19aac6eeca793%" or Image.Hashes like r"%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%" or Image.Hashes like r"%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%" or Image.Hashes like r"%SHA1=4786253daac6c60ffc0d2871fdd68023ec93dfb3%" or Image.Hashes like r"%SHA1=ea58d72db03df85b04d1412a9b90d88ba68ab43d%" or Image.Hashes like r"%SHA1=48a09ca5fdbc214e675083c2259e051b0629457b%" or Image.Hashes like r"%SHA1=ea63567ea8d168cb6e9aae705b80a09f927b2f77%" or Image.Hashes like r"%SHA1=8347487b32b993da87275e3d44ff3683c8130d33%" or Image.Hashes like r"%SHA1=4471935df0e68fe149425703b66f1efca3d82168%" or Image.Hashes like r"%SHA1=eaddeefe13bca118369faf95eee85b0a2a553221%" or 
Image.Hashes like r"%SHA1=98600e919b8579d89e232a253d7277355b652750%" or Image.Hashes like r"%SHA1=444a2b778e2fc26067c49dde0aff0dcfb85f2b64%" or Image.Hashes like r"%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%" or Image.Hashes like r"%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%" or Image.Hashes like r"%SHA1=6210dabb908cc750379cc7563beb884b3895e046%" or Image.Hashes like r"%SHA1=22c08d67bf687bf7ddd57056e274cbbbdb647561%" or Image.Hashes like r"%SHA1=1a8b737dff81aa9e338b1fce0dc96ee7ee467bd5%" or Image.Hashes like r"%SHA1=a9b8d7afa2e4685280aebbeb162600cfce4e48c8%" or Image.Hashes like r"%SHA1=8800a33a37c640922ce6a2996cd822ed4603b8bb%" or Image.Hashes like r"%SHA1=4f94789cffb23c301f93d6913b594748684abf6a%" or Image.Hashes like r"%SHA1=511b06898770337609ee065547dbf14ce3de5a95%" or Image.Hashes like r"%SHA1=c32e6cddc7731408c747fd47af3d62861719fd7b%" or Image.Hashes like r"%SHA1=a93197c8c1897a95c4fb0367d7451019ae9f3054%" or Image.Hashes like r"%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%" or Image.Hashes like r"%SHA1=a59006308c4b5d33bb8f34ac6fb16701814fb8dc%" or Image.Hashes like r"%SHA1=3e917f0986802d47c0ffe4d6f5944998987c4160%" or Image.Hashes like r"%SHA1=b406920634361f4b7d7c1ec3b11bb40872d85105%" or Image.Hashes like r"%SHA1=9ec6f54c74bcc48e355226c26513a7240fd9462d%" or Image.Hashes like r"%SHA1=79f1a6f5486523e6d8dcfef696bc949fc767613d%" or Image.Hashes like r"%SHA1=dce4322406004fc884d91ed9a88a36daca7ae19a%" or Image.Hashes like r"%SHA1=dbe26c67a4cabba16d339a1b256ca008effcf6c8%" or Image.Hashes like r"%SHA1=9f5453c36aa03760d935e062ac9e1f548d14e894%" or Image.Hashes like r"%SHA1=da361c56c18ea98e1c442aac7c322ff20f64486b%" or Image.Hashes like r"%SHA1=14c9cd9e2cf2b0aae56c46ff9ad1c89a8a980050%" or Image.Hashes like r"%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%" or Image.Hashes like r"%SHA1=ef80da613442047697bec35ea228cde477c09a3d%" or Image.Hashes like r"%SHA1=c834c4931b074665d56ccab437dfcc326649d612%" or Image.Hashes like 
r"%SHA1=aa2ea973bb248b18973e57339307cfb8d309f687%" or Image.Hashes like r"%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%" or Image.Hashes like r"%SHA1=977fd907b6a2509019d8ef4f6213039f2523f2b5%" or Image.Hashes like r"%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%" or Image.Hashes like r"%SHA1=a45687965357036df17b8ff380e3a43a8fbb2ca9%" or Image.Hashes like r"%SHA1=59aead65b240a163ad47b2d1cf33cdb330608317%" or Image.Hashes like r"%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%" or Image.Hashes like r"%SHA1=ddd36f96f5a509855f55eed9eb4cba9758d6339a%" or Image.Hashes like r"%SHA1=a838303cda908530ef124f8d6f7fb69938b613bc%" or Image.Hashes like r"%SHA1=84d44e166072bccf1f8e1e9eb51880ffa065a274%" or Image.Hashes like r"%SHA1=88d00eff21221f95a0307da229bc9fe1afb6861b%" or Image.Hashes like r"%SHA1=9ca90642cff9ca71c7022c0f9dfd87da2b6a0bff%" or Image.Hashes like r"%SHA1=a98734cd388f5b4b3caca5ce61cb03b05a8ad570%" or Image.Hashes like r"%SHA1=bad84fca57ab0ef0af9230a93e0cc3d149f9ccd0%" or Image.Hashes like r"%SHA1=ce5681896e7631b6e83cccb7aa056a33e72a1bbe%" or Image.Hashes like r"%SHA1=0634878c3f6048a38ec82869d7c6df2f69f3e210%" or Image.Hashes like r"%SHA1=eacfc73f5f45f229867ee8b2eb1f9649b5dd422e%" or Image.Hashes like r"%SHA1=dc8fa4648c674e3a7148dd8e8c35f668a3701a52%" or Image.Hashes like r"%SHA1=02316decf9e5165b431c599643f6856e86b95e7c%" or Image.Hashes like r"%SHA1=cc3186debacb98e0b0fb40ad82816bea10741099%" or Image.Hashes like r"%SHA1=87f313fc30ec8759b391e9d6c08f79b02f3ecebd%" or Image.Hashes like r"%SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e%" or Image.Hashes like r"%SHA1=62fdb0b43c56530a6a0ba434037d131f236d1266%" or Image.Hashes like r"%SHA1=5088c71a740ef7c4156dcaa31e543052fe226e1c%" or Image.Hashes like r"%SHA1=64d0447cbb0d6a45010b94eb9d5b0b90296edcbf%" or Image.Hashes like r"%SHA1=0aecdc0b8208b81b0c37eef3b0eaea8d8ebef42e%" or Image.Hashes like r"%SHA1=2fe874274bac6842819c1e9fe9477e6d5240944d%" or Image.Hashes like r"%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%" or 
Image.Hashes like r"%SHA1=ba0938512d7abab23a72279b914d0ea0fb46e498%" or Image.Hashes like r"%SHA1=3d8cc9123be74b31c597b0014c2a72090f0c44ef%" or Image.Hashes like r"%SHA1=1f1ce28c10453acbc9d3844b4604c59c0ab0ad46%" or Image.Hashes like r"%SHA1=724dde837df2ff92b3ea7026fe8a0c4e5773898f%" or Image.Hashes like r"%SHA1=8ab7e9ba3c26bcd5d6d0646c6d2b2693e22aac1c%" or Image.Hashes like r"%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%" or Image.Hashes like r"%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%" or Image.Hashes like r"%SHA1=bea745b598dd957924d3465ebc04c5b830d5724f%" or Image.Hashes like r"%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%" or Image.Hashes like r"%SHA1=99bd8c1f5eeedd9f6a9252df5dbd0e42ef5999a4%" or Image.Hashes like r"%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%" or Image.Hashes like r"%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%" or Image.Hashes like r"%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%" or Image.Hashes like r"%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%" or Image.Hashes like r"%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%" or Image.Hashes like r"%SHA1=43f53a739eda1e58f470e8e9ff9aa1437e5d9546%" or Image.Hashes like r"%SHA1=879e92a7427bdbcc051a18bbb3727ac68154e825%" or Image.Hashes like r"%SHA1=be270d94744b62b0d36bef905ef6296165ffcee9%" or Image.Hashes like r"%SHA1=108439a4c4508e8dca659905128a4633d8851fd9%" or Image.Hashes like r"%SHA1=fe0afc6dd03a9bd7f6e673cc6b4af2266737e3d1%" or Image.Hashes like r"%SHA1=343ec3073fc84968e40a145dc9260a403966bcb4%" or Image.Hashes like r"%SHA1=0d9c77aca860a43cca87a0c00f69e2ab07ab0b67%" or Image.Hashes like r"%SHA1=c60cf6dea446e4a52c6b1cfc2a76e9aadd954dab%" or Image.Hashes like r"%SHA1=bd3e1d5aacac6406a7bcea3b471bbfa863efbc3d%" or Image.Hashes like r"%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%" or Image.Hashes like r"%SHA1=53a194e1a30ed9b2d3acd87c2752cfa6645eea76%" or Image.Hashes like r"%SHA1=06ecf73790f0277b8e27c8138e2c9ad0fc876438%" or Image.Hashes like 
r"%SHA1=a22c111045b4358f8279190e50851c443534fc24%" or Image.Hashes like r"%SHA1=d2c7aa9b424015f970fe7506ae5d1c69a8ac11f6%" or Image.Hashes like r"%SHA1=2eeab9786dac3f5f69e642f6e29f4e4819038551%" or Image.Hashes like r"%SHA1=8ea50d7d13ff2d1306fed30a2d136dd6245eb3bc%" or Image.Hashes like r"%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%" or Image.Hashes like r"%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%" or Image.Hashes like r"%SHA1=66e95daee3d1244a029d7f3d91915f1f233d1916%" or Image.Hashes like r"%SHA1=175fb76c7cd8f0aeb916f4acb3b03f8b2d51846a%" or Image.Hashes like r"%SHA1=0536c9f15094ca8ddeef6dec75d93dc35366d8a9%" or Image.Hashes like r"%SHA1=65886384708d5a6c86f3c4c16a7e7cdbf68de92a%" or Image.Hashes like r"%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%" or Image.Hashes like r"%SHA1=25d812a5ece19ea375178ef9d60415841087726e%" or Image.Hashes like r"%SHA1=24b47ba7179755e3b12a59d55ae6b2c3d2bd1505%" or Image.Hashes like r"%SHA1=a547c5b1543a4c3a4f91208d377a2b513088f4a4%" or Image.Hashes like r"%SHA1=604870e76e55078dfb8055d49ae8565ed6177f7c%" or Image.Hashes like r"%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%" or Image.Hashes like r"%SHA1=962e2ac84c28ed5e373d4d4ccb434eceee011974%" or Image.Hashes like r"%SHA1=94b014123412fbe8709b58ec72594f8053037ae9%" or Image.Hashes like r"%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%" or Image.Hashes like r"%SHA1=6dac7a8fa9589caae0db9d6775361d26011c80b2%" or Image.Hashes like r"%SHA1=cd7b0c6b6ef809e7fb1f68ba36150eceabe500f7%" or Image.Hashes like r"%SHA1=1d2ab091d5c0b6e5977f7fa5c4a7bfb8ea302dc7%" or Image.Hashes like r"%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%" or Image.Hashes like r"%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%" or Image.Hashes like r"%SHA1=59c0fa0d61576d9eb839c9c7e15d57047ee7fe29%" or Image.Hashes like r"%SHA1=48be0ec2e8cb90cac2be49ef71e44390a0f648ce%" or Image.Hashes like r"%SHA1=0e030cf5e5996f0778452567e144f75936dc278f%" or Image.Hashes like r"%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%" or 
Image.Hashes like r"%SHA1=6cc28df318a9420b49a252d6e8aaeda0330dc67d%" or Image.Hashes like r"%SHA1=59e6effdb23644ca03e60618095dc172a28f846e%" or Image.Hashes like r"%SHA1=df177a0c8c1113449f008f8e833105344b419834%" or Image.Hashes like r"%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%" or Image.Hashes like r"%SHA1=c0a8e45e57bb6d82524417d6fb7e955ab95621c0%" or Image.Hashes like r"%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%" or Image.Hashes like r"%SHA1=363b907c3b4f37968e9c8e1b7eeca5a5c5d530f8%" or Image.Hashes like r"%SHA1=53f7a84a8cebe0e3f84894c6b9119466d1a8ddaf%" or Image.Hashes like r"%SHA1=7ee65bedaf7967c752831c83e26540e65358175e%" or Image.Hashes like r"%SHA1=e525f54b762c10703c975132e8fc21b6cd88d39b%" or Image.Hashes like r"%SHA1=3a1f19b7a269723e244756dac1fc27c793276fe7%" or Image.Hashes like r"%SHA1=d6b61c685cfaa36c85f1672ac95844f8293c70d0%" or Image.Hashes like r"%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%" or Image.Hashes like r"%SHA1=96523f72e4283f9816d3da8f2270690dd1dd263e%" or Image.Hashes like r"%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%" or Image.Hashes like r"%SHA1=b3c111d7192cfa8824e5c9b7c0660c37978025d6%" or Image.Hashes like r"%SHA1=49b1e6a922a8d2cb2101c48155dfc08c17d09341%" or Image.Hashes like r"%SHA1=282fca60f0c37eb6d76400bca24567945e43c6d8%" or Image.Hashes like r"%SHA1=2a06006e54c62a2e8bdf14313f90f0ab5d2f8de8%" or Image.Hashes like r"%SHA1=4692730f6b56eeb0399460c72ade8a15ddd43a62%" or Image.Hashes like r"%SHA1=fe10018af723986db50701c8532df5ed98b17c39%" or Image.Hashes like r"%SHA1=b34fc245d561905c06a8058753d25244aaecbb61%" or Image.Hashes like r"%SHA1=2ade3347df84d6707f39d9b821890440bcfdb5e9%" or Image.Hashes like r"%SHA1=5e9538d76b75f87f94ca5409ae3ddc363e8aba7f%" or Image.Hashes like r"%SHA1=5a69d921926ef0abf03757edf22c0d8d30c15d4b%" or Image.Hashes like r"%SHA1=986c1fdfe7c9731f4de15680a475a72cf2245121%" or Image.Hashes like r"%SHA1=42eb220fdfb76c6e0649a3e36acccbdf36e287f1%" or Image.Hashes like 
r"%SHA1=7192e22e0f8343058ec29fb7b8065e09ce389a5b%" or Image.Hashes like r"%SHA1=b2b01c728e0e8ef7b2e9040d6db9828bd4a5b48d%" or Image.Hashes like r"%SHA1=b99a5396094b6b20cea72fbf0c0083030155f74e%" or Image.Hashes like r"%SHA1=628e63caf72c29042e162f5f7570105d2108e3c2%" or Image.Hashes like r"%SHA1=1fb12c5db2acad8849677e97d7ce860d2bb2329e%" or Image.Hashes like r"%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%" or Image.Hashes like r"%SHA1=46be4e6cd8117ac13531bff30edcf564f39bcc52%" or Image.Hashes like r"%SHA1=377f7e7382908690189aede31fcdd532baa186b5%" or Image.Hashes like r"%SHA1=5b4619596c89ed17ccbe92fd5c0a823033f2f1e1%" or Image.Hashes like r"%SHA1=bda102afbc60f3f3c5bcbd5390ffbbbb89170b9c%" or Image.Hashes like r"%SHA1=ca33c88cd74e00ece898dca32a24bdfcacc3f756%" or Image.Hashes like r"%SHA1=7d1ff4096a75f9fcc67c7c9c810d99874c096b6b%" or Image.Hashes like r"%SHA1=1a83c8b63d675c940aaec10f70c0c7698e9b0165%" or Image.Hashes like r"%SHA1=f8e88630dae53e0b54edefdefa36d96c3dcbd776%" or Image.Hashes like r"%SHA1=e33eac9d3b9b5c0db3db096332f059bf315a2343%" or Image.Hashes like r"%SHA1=5635bb2478929010693bc3b23f8b7fe5fdbc3aed%" or Image.Hashes like r"%SHA1=3fd7fda9c7dfdb2a845c39971572bd090bee3b1d%" or Image.Hashes like r"%SHA1=3e790c4e893513566916c76a677b0f98bd7334dd%" or Image.Hashes like r"%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%" or Image.Hashes like r"%SHA1=5ca6a52230507b1dffab7acd501540bc10f1ab81%" or Image.Hashes like r"%SHA1=820d339fd3dbb632a790d6506ddf6aee925fcffe%" or Image.Hashes like r"%SHA1=0ac0c21ca05161eaa6a042f347391a2a2fc78c96%" or Image.Hashes like r"%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%" or Image.Hashes like r"%SHA1=4f077a95908b154ea12faa95de711cb44359c162%" or Image.Hashes like r"%SHA1=29a190727140f40cea9514a6420f5a195e36386b%" or Image.Hashes like r"%SHA1=dbf3abdc85d6a0801c4af4cd1b77c44d5f57b03e%" or Image.Hashes like r"%SHA1=de0c16e3812924212f04e15caa09763ae4770403%" or Image.Hashes like r"%SHA1=3b1f1e96fc8a7eb93b14b1213f797f164a313cee%" or 
Image.Hashes like r"%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%" or Image.Hashes like r"%SHA1=4c021c4a5592c07d4d415ab11b23a70ba419174b%" or Image.Hashes like r"%SHA1=9d191bee98f0af4969a26113098e3ea85483ae2d%" or Image.Hashes like r"%SHA1=ac31d15851c0af14d60cfce23f00c4b7887d3cb7%" or Image.Hashes like r"%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%" or Image.Hashes like r"%SHA1=5f8ae70b25b664433c6942d5963acadf2042cfe8%" or Image.Hashes like r"%SHA1=a37616f0575a683bd81a0f49fadbbc87e1525eba%" or Image.Hashes like r"%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%" or Image.Hashes like r"%SHA1=c22c28a32a5e43a76514faf4fac14d135e0d4ffd%" or Image.Hashes like r"%SHA1=7c996d9ef7e47a3b197ff69798333dc29a04cc8a%" or Image.Hashes like r"%SHA1=cb0bc86d437ab78c1fbefdaf1af965522ebdd65d%" or Image.Hashes like r"%SHA1=4a1a499857accc04b4d586df3f0e0c2b3546e825%" or Image.Hashes like r"%SHA1=c3a893680cd33706546a7a3e8fbcc4bd063ce07e%" or Image.Hashes like r"%SHA1=df58f9b193c6916aaec7606c0de5eba70c8ec665%" or Image.Hashes like r"%SHA1=fc69138b9365fa60e21243369940c8dcfcca5db1%" or Image.Hashes like r"%SHA1=3fbe337b6ed1a1a63ae8b4240c01bd68ed531674%" or Image.Hashes like r"%SHA1=07c244739803f60a75d60347c17edc02d5d10b5d%" or Image.Hashes like r"%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%" or Image.Hashes like r"%SHA1=6e191d72b980c8f08a0f60efa01f0b5bf3b34afb%" or Image.Hashes like r"%SHA1=d697a3f4993e7cb15efdeda3b1a798ae25a2d0e9%" or Image.Hashes like r"%SHA1=5cfec6aa4842e5bafff23937f5efca71f21cf7ca%" or Image.Hashes like r"%SHA1=def86c7dee1f788c717ac1917f1b5bbfada25a95%" or Image.Hashes like r"%SHA1=c22dc62e10378191840285814838fe9ed1af55d7%" or Image.Hashes like r"%SHA1=58b31fb2b623bd2c5d5c8c49b657a14a674664a4%" or Image.Hashes like r"%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%" or Image.Hashes like r"%SHA1=b62c5bae9c6541620379115a7ba0036ecfa19537%" or Image.Hashes like r"%SHA1=585df373a9c56072ab6074afee8f1ec3778d70f8%" or Image.Hashes like 
r"%SHA1=64ab599d34c26f53afe076a84c54db7ba1a53def%" or Image.Hashes like r"%SHA1=f130e82524d8f5af403c3b0e0ffa4b64fedeec92%" or Image.Hashes like r"%SHA1=bd87aecc0ac1d1c2ab72be1090d39fab657f7cc6%" or Image.Hashes like r"%SHA1=5499f1bca93a3613428e8c18ac93a93b9a7249fb%" or Image.Hashes like r"%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%" or Image.Hashes like r"%SHA1=2f9b0cd96d961e49d5d3b416028fd3a0e43d6a28%" or Image.Hashes like r"%SHA1=1da0c712ff42bd9112ac6afadb7c4d3ae2f20fb7%" or Image.Hashes like r"%SHA1=ef8de780cfe839ecf6dc0dc161ae645bff9b853c%" or Image.Hashes like r"%SHA1=feb8e6e7419713a2993c48b9758c039bd322b699%" or Image.Hashes like r"%SHA1=d9b05c5ffc5eddf65186ba802bb1ece0249cab05%" or Image.Hashes like r"%SHA1=08596732304351b311970ff96b21f451f23b1e25%" or Image.Hashes like r"%SHA1=687b8962febbbea4cf6b3c11181fd76acb7dfd5a%" or Image.Hashes like r"%SHA1=9d0b824892fbfb0b943911326f95cd0264c60f7d%" or Image.Hashes like r"%SHA1=2ed4b51429b0a3303a645effc84022512f829836%" or Image.Hashes like r"%SHA1=1a40773dc430d7cb102710812b8c61fc51dfb79b%" or Image.Hashes like r"%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%" or Image.Hashes like r"%SHA1=983a8d4b1cb68140740a7680f929d493463e32e3%" or Image.Hashes like r"%SHA1=c4b6e2351a72311a6e8f71186b218951a27fb97f%" or Image.Hashes like r"%SHA1=6b090c558b877b6abb0d1051610cadbc6335ecbb%" or Image.Hashes like r"%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%" or Image.Hashes like r"%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%" or Image.Hashes like r"%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%" or Image.Hashes like r"%SHA1=27aa3f1b4baccd70d95ea75a0a3e54e735728aa2%" or Image.Hashes like r"%SHA1=005ac9213a8a4a6c421787a7b25c0bc7b9f3b309%" or Image.Hashes like r"%SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162%" or Image.Hashes like r"%SHA1=c1777fcb7005b707f8c86b2370f3278a8ccd729f%" or Image.Hashes like r"%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%" or Image.Hashes like r"%SHA1=cfa85a19d9a2f7f687b0decdc4a5480b6e30cb8c%" or 
Image.Hashes like r"%SHA1=0e60414750c48676d7aa9c9ec81c0a3b3a4d53d0%" or Image.Hashes like r"%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%" or Image.Hashes like r"%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%" or Image.Hashes like r"%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%" or Image.Hashes like r"%SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af%" or Image.Hashes like r"%SHA1=19bf65bdd9d77f54f1e8ccf189dc114e752344b0%" or Image.Hashes like r"%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%" or Image.Hashes like r"%SHA1=9f22ebcd2915471e7526f30aa53c24b557a689f5%" or Image.Hashes like r"%SHA1=562368c390b0dadf2356b8b3c747357ecef2dfc8%" or Image.Hashes like r"%SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d%" or Image.Hashes like r"%SHA1=03a56369b8b143049a6ec9f6cc4ef91ac2775863%" or Image.Hashes like r"%SHA1=82034032b30bbb78d634d6f52c7d7770a73b1b3c%" or Image.Hashes like r"%SHA1=3059bc49e027a79ff61f0147edbc5cd56ad5fc2d%" or Image.Hashes like r"%SHA1=af5f642b105d86f82ba6d5e7a55d6404bfb50875%" or Image.Hashes like r"%SHA1=f86ae53eb61d3c7c316effe86395a4c0376b06db%" or Image.Hashes like r"%SHA1=3fd55927d5997d33f5449e9a355eb5c0452e0de3%" or Image.Hashes like r"%SHA1=d942dac4033dcd681161181d50ce3661d1e12b96%" or Image.Hashes like r"%SHA1=dd55015f5406f0051853fd7cca3ab0406b5a2d52%" or Image.Hashes like r"%SHA1=336ed563ef96c40eece92a4d13de9f9b69991c8a%" or Image.Hashes like r"%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%" or Image.Hashes like r"%SHA1=ada23b709cb2bef8bedd612dc345db2e2fdbfaca%" or Image.Hashes like r"%SHA1=bd421ffdcc074ecca954d9b2c2fbce9301e9a36c%" or Image.Hashes like r"%SHA1=42f6bfcf558ef6da9254ed263a89abf4e909b5d5%" or Image.Hashes like r"%SHA1=9eef72e0c4d5055f6ae5fe49f7f812de29afbf37%" or Image.Hashes like r"%SHA1=007b2c7d72a5a89b424095dbb7f67ff2aeddb277%" or Image.Hashes like r"%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%" or Image.Hashes like r"%SHA1=35a817d949b2eab012506bed0a3b4628dd884471%" or Image.Hashes like 
r"%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%" or Image.Hashes like r"%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%" or Image.Hashes like r"%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%" or Image.Hashes like r"%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%" or Image.Hashes like r"%SHA1=34ec04159d2c653a583a73285e6e2ac3c7b416dd%" or Image.Hashes like r"%SHA1=4f30f64b5dfcdc889f4a5e25b039c93dd8551c71%" or Image.Hashes like r"%SHA1=13572d36428ef32cfed3af7a8bb011ee756302b0%" or Image.Hashes like r"%SHA1=17d28a90ef4d3dbb083371f99943ff938f3b39f6%" or Image.Hashes like r"%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%" or Image.Hashes like r"%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%" or Image.Hashes like r"%SHA1=c8a4a64b412fd8ef079661db4a4a7cd7394514ca%" or Image.Hashes like r"%SHA1=24343ec4dfec11796a8800a3059b630e8be89070%" or Image.Hashes like r"%SHA1=a55b709cec2288384b12eafa8be4930e7c075ec9%" or Image.Hashes like r"%SHA1=5853e44ea0b6b4e9844651aa57d631193c1ed0f0%" or Image.Hashes like r"%SHA1=e3266b046d278194ade4d8f677772d0cb4ecfaf1%" or Image.Hashes like r"%SHA1=717669a1e2380cb61cc4e34618e118cc9cabbcd0%" or Image.Hashes like r"%SHA1=0adc1320421f02f2324e764aa344018758514436%" or Image.Hashes like r"%SHA1=7e900b0370a1d3cb8a3ea5394d7d094f95ec5dc0%" or Image.Hashes like r"%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%" or Image.Hashes like r"%SHA1=68b97bfaf61294743ba15ef36357cdb8e963b56e%" or Image.Hashes like r"%SHA1=e0d12e44db3f57ee7ea723683a6fd346dacf2e3e%" or Image.Hashes like r"%SHA1=31529d0e73f7fbfbe8c28367466c404c0e3e1d5a%" or Image.Hashes like r"%SHA1=04967bfd248d30183992c6c9fd2d9e07ae8d68ad%" or Image.Hashes like r"%SHA1=4d14d25b540bf8623d09c06107b8ca7bb7625c30%" or Image.Hashes like r"%SHA1=01779ee53f999464465ed690d823d160f73f10e7%" or Image.Hashes like r"%SHA1=e83fc2331ae1ea792b6cff7e970f607fee7346be%" or Image.Hashes like r"%SHA1=c8864c0c66ea45011c1c4e79328a3a1acf7e84a9%" or Image.Hashes like r"%SHA1=a92207062fb72e6e173b2ffdb12c76834455f5d3%" or 
Image.Hashes like r"%SHA1=6e58421e37c022410455b1c7b01f1e3c949df1cd%" or Image.Hashes like r"%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%" or Image.Hashes like r"%SHA1=4885cd221fa1ea330b9e4c1702be955d68bd3f6a%" or Image.Hashes like r"%SHA1=f7413250e7e8ad83c350092d78f0f75fcca9f474%" or Image.Hashes like r"%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%" or Image.Hashes like r"%SHA1=970af806aa5e9a57d42298ab5ffa6e0d0e46deda%" or Image.Hashes like r"%SHA1=fe02ae340dc7fe08e4ad26dab9de418924e21603%" or Image.Hashes like r"%SHA1=85941b94524da181be8aad290127aa18fc71895c%" or Image.Hashes like r"%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%" or Image.Hashes like r"%SHA1=9cc694dcb532e94554a2a1ef7c6ced3e2f86ef5a%" or Image.Hashes like r"%SHA1=398e8209e5c5fdcb6c287c5f9561e91887caca7d%" or Image.Hashes like r"%SHA1=4e56e0b1d12664c05615c69697a2f5c5d893058a%" or Image.Hashes like r"%SHA1=ee877b496777763e853dd81fefd0924509bc5be0%" or Image.Hashes like r"%SHA1=3f347117d21cd8229dd99fa03d6c92601067c604%" or Image.Hashes like r"%SHA1=61f5904e9ff0d7e83ad89f0e7a3741e7f2fbf799%" or Image.Hashes like r"%SHA1=7ce978092fadbef44441a5f8dcb434df2464f193%" or Image.Hashes like r"%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%" or Image.Hashes like r"%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%" or Image.Hashes like r"%SHA1=91d026cd98de124d281fd6a8e7c54ddf6b913804%" or Image.Hashes like r"%SHA1=db006fa522142a197686c01116a6cf60e0001ef7%" or Image.Hashes like r"%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%" or Image.Hashes like r"%SHA1=089411e052ea17d66033155f77ae683c50147018%" or Image.Hashes like r"%SHA1=263181bc8c2c6af06b9a06d994e4b651c3ab1849%" or Image.Hashes like r"%SHA1=30e7258a5816a6db19cdda2b2603a8c3276f05c2%" or Image.Hashes like r"%SHA1=96047b280e0d6ddde9df1c79ca5f561219a0370d%" or Image.Hashes like r"%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%" or Image.Hashes like r"%SHA1=4c6ec22bc10947d089167b19d83a26bdd69f0dd1%" or Image.Hashes like 
r"%SHA1=ccd547ef957189eddb6ee213e5e0136e980186f9%" or Image.Hashes like r"%SHA1=8d3be83cf3bb36dbce974654b5330adb38792c2d%" or Image.Hashes like r"%SHA1=d0216ebc81618c22d9d51f2f702c739625f40037%" or Image.Hashes like r"%SHA1=18f34a0005e82a9a1556ba40b997b0eae554d5fd%" or Image.Hashes like r"%SHA1=3784d1b09a515c8824e05e9ea422c935e693080c%" or Image.Hashes like r"%SHA1=5c94c8894799f02f19e45fcab44ee33e653a4d17%" or Image.Hashes like r"%SHA1=88839168e50a4739dd4193f2d8f93a30cd1f14d8%" or Image.Hashes like r"%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%" or Image.Hashes like r"%SHA1=5742ad3d30bd34c0c26c466ac6475a2b832ad59e%" or Image.Hashes like r"%SHA1=d452fc8541ed5e97a6cbc93d08892c82991cdaad%" or Image.Hashes like r"%SHA1=eac1b9e1848dc455ed780292f20cd6a0c38a3406%" or Image.Hashes like r"%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%" or Image.Hashes like r"%SHA1=d48757b74eff02255f74614f35aa27abbe3f72c7%" or Image.Hashes like r"%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%" or Image.Hashes like r"%SHA1=08efd5e24b5ebfef63b5e488144dc9fb6524eaf1%" or Image.Hashes like r"%SHA1=cb212a826324909fdedd2b572a59a5be877f1d7d%" or Image.Hashes like r"%SHA1=b0aede5a66e13469c46acbc3b01ccf038acf222c%" or Image.Hashes like r"%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%" or Image.Hashes like r"%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%" or Image.Hashes like r"%SHA1=75d0b9bdfa79e5d43ec8b4c0996f559075723de7%" or Image.Hashes like r"%SHA1=1bd4ae9a406bf010e34cdd38e823f732972b18e3%" or Image.Hashes like r"%SHA1=b74338c91c6effabc02ae0ced180428ab1024c7d%" or Image.Hashes like r"%SHA1=6679cb0907ade366cf577d55be07eabc9fb83861%" or Image.Hashes like r"%SHA1=6ce0094a9aacdc050ff568935014607b8f23ff00%" or Image.Hashes like r"%SHA1=f7b3457a6fd008656e7216b1f09db2ff062f1ca4%" or Image.Hashes like r"%SHA1=89656051126c3e97477a9985d363fbdde0bc159e%" or Image.Hashes like r"%SHA1=1ecb7b9658eb819a80b8ebdaa2e69f0d84162622%" or Image.Hashes like r"%SHA1=aaaf565fa30834aba3f29a97fc58d15e372500b5%" or 
Image.Hashes like r"%SHA1=b49ac8fefc6d1274d84fef44c1e5183cc7accba1%" or Image.Hashes like r"%SHA1=9f2b550c58c71d407898594b110a9320d5b15793%" or Image.Hashes like r"%SHA1=3f6a997b04d2299ba0e9f505803e8d60d0755f44%" or Image.Hashes like r"%SHA1=ec0c3c61a293a90f36db5f8ed91cbf33c2b14a19%" or Image.Hashes like r"%SHA1=d73dabcb3f55935b701542fd26875006217ebbbe%" or Image.Hashes like r"%SHA1=dda8c7e852fe07d67c110dab163354a2a85f44a5%" or Image.Hashes like r"%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%" or Image.Hashes like r"%SHA1=9e8a87401dc7cc56b3a628b554ba395b1868520f%" or Image.Hashes like r"%SHA1=35b28b15835aa0775b57f460d8a03e53dc1fb30f%" or Image.Hashes like r"%SHA1=09c567b8dd7c7f93884c2e6b71a7149fc0a7a1b5%" or Image.Hashes like r"%SHA1=9f6883e59fd6c136cfc556b7b388a4c363dc0516%" or Image.Hashes like r"%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%" or Image.Hashes like r"%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%" or Image.Hashes like r"%SHA1=5abffd08f4939a0dee81a5d95cf1c02e2e14218c%" or Image.Hashes like r"%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%" or Image.Hashes like r"%SHA1=5eb693c9cc49c7d6a03f7960ddcfd8f468e5656b%" or Image.Hashes like r"%SHA1=4518758452af35d593e0cae80d9841a86af6d3de%" or Image.Hashes like r"%SHA1=da42cefde56d673850f5ef69e7934d39a6de3025%" or Image.Hashes like r"%SHA1=c32dfdb0ee859de618484f3ab7a43ee1d9a25d1c%" or Image.Hashes like r"%SHA1=471ca4b5bb5fe68543264dd52acb99fddd7b3c6d%" or Image.Hashes like r"%SHA1=290d6376658cf0f8182de0fae40b503098fa09fd%" or Image.Hashes like r"%SHA1=2bc9047f08a664ade481d0bbf554d3a0b49424ca%" or Image.Hashes like r"%SHA1=1f84d89dd0ae5008c827ce274848d551aff3fc33%" or Image.Hashes like r"%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%" or Image.Hashes like r"%SHA1=cb5229acdf87493e45d54886e6371fc59fc09ee5%" or Image.Hashes like r"%SHA1=2db49bdf8029fdcda0a2f722219ae744eae918b0%" or Image.Hashes like r"%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%" or Image.Hashes like 
r"%SHA1=24f6e827984cca5d9aa3e4c6f3c0c5603977795a%" or Image.Hashes like r"%SHA1=db3debacd5f6152abd7a457d7910a0ec4457c0d7%" or Image.Hashes like r"%SHA1=96323381a98790b8ffac1654cb65e12dbbe6aff1%" or Image.Hashes like r"%SHA1=7241b25c3a3ee9f36b52de3db2fc27db7065af37%" or Image.Hashes like r"%SHA1=3c956b524e73586195d704b874e36d49fe42cb6a%" or Image.Hashes like r"%SHA1=fb25e6886d98fe044d0eb7bd42d24a93286266e0%" or Image.Hashes like r"%SHA1=caa0cb48368542a54949be18475d45b342fb76e5%" or Image.Hashes like r"%SHA1=4c16dcc7e6d7dd29a5f6600e50fc01a272c940e1%" or Image.Hashes like r"%SHA1=1f3a9265963b660392c4053329eb9436deeed339%" or Image.Hashes like r"%SHA1=b0c7ec472abf544c5524b644a7114cba0505951e%" or Image.Hashes like r"%SHA1=622e7bffda8c80997e149ac11492625572e386e0%" or Image.Hashes like r"%SHA1=4ffa89f8dbdade28813e12db035cf9bd8665ef72%" or Image.Hashes like r"%SHA1=5fece994f2409810a0ad050b3ca9b633c93919e4%" or Image.Hashes like r"%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%" or Image.Hashes like r"%SHA1=2fa92d3739735bc9ac4dc38f42d909d97cc5c2a8%" or Image.Hashes like r"%SHA1=fece30b9b862bf99ae6a41e49f524fe6f32e215e%" or Image.Hashes like r"%SHA1=ae344c123ef6d206235f2a8448d07f86433db5a6%" or Image.Hashes like r"%SHA1=ad1616ea6dc17c91d983e829aa8a6706e81a3d27%" or Image.Hashes like r"%SHA1=c127c4d0917f54cee13a61c6c0029c95ae0746cf%" or Image.Hashes like r"%SHA1=84341ed15d645c4daedcdd39863998761e4cb0e3%" or Image.Hashes like r"%SHA1=fb4ce6de14f2be00a137e8dde2c68bb5b137ab9c%" or Image.Hashes like r"%SHA1=22c905fcdd7964726b4be5e8b5a9781322687a45%" or Image.Hashes like r"%SHA1=4927d843577bada119a17b249ff4e7f5e9983a92%" or Image.Hashes like r"%SHA1=d083e69055556a36df7c6e02115cbbf90726f35c%" or Image.Hashes like r"%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%" or Image.Hashes like r"%SHA1=86e59b17272a3e7d9976c980ded939bf8bf75069%" or Image.Hashes like r"%SHA1=eb0021e29488c97a0e42a084a4fe5a0695eccb7b%" or Image.Hashes like r"%SHA1=388819a7048179848425441c60b3a8390ad04a69%" or 
Image.Hashes like r"%SHA1=611411538b2bc9045d29bbd07e6845e918343e3c%" or Image.Hashes like r"%SHA1=43011eb72be4775fec37aa436753c4d6827395d1%" or Image.Hashes like r"%SHA1=18938e0d924ee7c0febdbf2676a099e828182c1c%" or Image.Hashes like r"%SHA1=1743b073cccf44368dc83ed3659057eb5f644b06%" or Image.Hashes like r"%SHA1=fb1570b4865083dfce1fcff2bd72e9e1b03cead5%" or Image.Hashes like r"%SHA1=96c2e1d7c9a8ad242f8f478e871f645895d3e451%" or Image.Hashes like r"%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%" or Image.Hashes like r"%SHA1=70258117b5efe65476f85143fd14fa0b7f148adb%" or Image.Hashes like r"%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%" or Image.Hashes like r"%SHA1=24b3f962587b0062ac9a1ec71bcc3836b12306d2%" or Image.Hashes like r"%SHA1=663803d7ab5aff28be37c2e7e8c7b98b91c5733e%" or Image.Hashes like r"%SHA1=2739c2cfa8306e6f78c335c55639566b3d450644%" or Image.Hashes like r"%SHA1=2027e5e8f2cfdfbd9081f99b65af4921626d77f9%" or Image.Hashes like r"%SHA1=eb44a05f8bba3d15e38454bd92999a856e6574eb%" or Image.Hashes like r"%SHA1=d7597d27eeb2658a7c7362193f4e5c813c5013e5%" or Image.Hashes like r"%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%" or Image.Hashes like r"%SHA1=1e6c2763f97e4275bba581de880124d64666a2fe%" or Image.Hashes like r"%SHA1=19977d45e98b48c901596fb0a49a7623cee4c782%" or Image.Hashes like r"%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%" or Image.Hashes like r"%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%" or Image.Hashes like r"%SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba%" or Image.Hashes like r"%SHA1=8d0f33d073720597164f7321603578cd13346d1f%" or Image.Hashes like r"%SHA1=229716e61f74db821d5065bac533469efb54867b%" or Image.Hashes like r"%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%" or Image.Hashes like r"%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%" or Image.Hashes like r"%SHA1=469c04cb7841eedd43227facaf60a6d55cf21fd7%" or Image.Hashes like r"%SHA1=722aa0fa468b63c5d7ea308d77230ae3169d5f83%" or Image.Hashes like 
r"%SHA1=bfd8568f19d4273a1288726342d7620cc9070ae5%" or Image.Hashes like r"%SHA1=17b3163aecd1f512f1603548ef6eb4947fbec95e%" or Image.Hashes like r"%SHA1=ce549714a11bd43b52be709581c6e144957136ec%" or Image.Hashes like r"%SHA1=a3224815aedc14bb46f09535e9b8ca7eaa4963bf%" or Image.Hashes like r"%SHA1=ba0d6c596b78a1fc166747d7523ca6316ef87e9f%" or Image.Hashes like r"%SHA1=f85f5e5d747433b274e53c8377bf24fbc08758b6%" or Image.Hashes like r"%SHA1=2e9466d5a814c20403be7c7a5811039ca833bd5d%" or Image.Hashes like r"%SHA1=3bb1dddb4157b6b8175fc6e1e7c33bef7870c500%" or Image.Hashes like r"%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%" or Image.Hashes like r"%SHA1=a958734d25865cbc6bcbc11090ab9d6b72799143%" or Image.Hashes like r"%SHA1=11fcaeda49848474cee9989a00d8f29cb727acb7%" or Image.Hashes like r"%SHA1=45328110873640d8fed9fc72f7d2eadd3d17ceae%" or Image.Hashes like r"%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%" or Image.Hashes like r"%SHA1=3fd5cd30085450a509eaa6367af26f6c4b9741b6%" or Image.Hashes like r"%SHA1=f1b3bdc3beb2dca19940d53eb5a0aed85b807e30%" or Image.Hashes like r"%SHA1=948fa3149742f73bf3089893407df1b20f78a563%" or Image.Hashes like r"%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%" or Image.Hashes like r"%SHA1=5eed0ce6487d0b8d0a6989044c4fcab1bd845d9e%" or Image.Hashes like r"%SHA1=ce31292b05c0ae1dc639a6ee95bb3bc7350f2aaf%" or Image.Hashes like r"%SHA1=1a53902327bac3ab323ee63ed215234b735c64da%" or Image.Hashes like r"%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%" or Image.Hashes like r"%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%" or Image.Hashes like r"%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%" or Image.Hashes like r"%SHA1=ba3faca988ff56f4850dede2587d5a3eff7c6677%" or Image.Hashes like r"%SHA1=8f266edf9f536c7fc5bb3797a1cf9039fde8e97c%" or Image.Hashes like r"%SHA1=d57c732050d7160161e096a8b238cb05d89d1bb2%" or Image.Hashes like r"%SHA1=7480c7f7346ce1f86a7429d9728235f03a11f227%" or Image.Hashes like r"%SHA1=40abf7edb4c76fb3f22418f03198151c5363f1cb%" or 
Image.Hashes like r"%SHA1=43b61039f415d14189d578012b6cb1bd2303d304%" or Image.Hashes like r"%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%" or Image.Hashes like r"%SHA1=a809831166a70700b59076e0dbc8975f57b14398%" or Image.Hashes like r"%SHA1=22c9cd0f5986e91b733fbd5eda377720fd76c86d%" or Image.Hashes like r"%SHA1=d7b20ac695002334f804ffc67705ce6ac5732f91%" or Image.Hashes like r"%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%" or Image.Hashes like r"%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%" or Image.Hashes like r"%SHA1=72a5ac213ec1681d173bee4f1807c70a77b41bf6%" or Image.Hashes like r"%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%" or Image.Hashes like r"%SHA1=891c8d482e23222498022845a6b349fe1a186bcc%" or Image.Hashes like r"%SHA1=6a60c5dc7d881ddb5d6fe954f10b8aa10d214e72%" or Image.Hashes like r"%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%" or Image.Hashes like r"%SHA1=e40ea8d498328b90c4afbb0bb0e8b91b826f688e%" or Image.Hashes like r"%SHA1=356172a2e12fd3d54e758aaa4ff0759074259144%" or Image.Hashes like r"%SHA1=7115929de6fc6b9f09142a878d1a1bf358af5f24%" or Image.Hashes like r"%SHA1=1b84abffd814b9f4595296b3e5ede0c44e630967%" or Image.Hashes like r"%SHA1=40d29aa7b3fafd27c8b27c7ca7a3089ccb88d69b%" or Image.Hashes like r"%SHA1=1c3f2579310ddd7ae09ce9ca1cc537a771b83c9f%" or Image.Hashes like r"%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%" or Image.Hashes like r"%SHA1=879fcc6795cebe67718388228e715c470de87dca%" or Image.Hashes like r"%SHA1=b33b99ae2653b4e675beb7d9eb2c925a1f105bd4%" or Image.Hashes like r"%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%" or Image.Hashes like r"%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%" or Image.Hashes like r"%SHA1=c31049605f028a56ce939cd2f97c2e56c12d99f8%" or Image.Hashes like r"%SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962%" or Image.Hashes like r"%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%" or Image.Hashes like r"%SHA1=3048f3422b2b31b74eace0dab3f5c4440bdc7bb2%" or Image.Hashes like 
r"%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%" or Image.Hashes like r"%SHA1=0ff2ad8941fbb80cbccb6db7db1990c01c2869b1%" or Image.Hashes like r"%SHA1=6d3c760251d6e6ea7ff4f4fcac14876fac829cf9%" or Image.Hashes like r"%SHA1=20cf02c95e329cf2fd4563cddcbd434aad81ccb4%" or Image.Hashes like r"%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%" or Image.Hashes like r"%SHA1=e835776e0dc68c994dd18e8628454520156c93e3%" or Image.Hashes like r"%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%" or Image.Hashes like r"%SHA1=97bc298a1d12a493bf14e6523e4ff48d64832954%" or Image.Hashes like r"%SHA1=fb349c3cde212ef33a11a9d58a622dc58dff3f74%" or Image.Hashes like r"%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%" or Image.Hashes like r"%SHA1=b0a684474eb746876faa617a28824bee93ba24f0%" or Image.Hashes like r"%SHA1=a01c42a5be7950adbc7228a9612255ac3a06b904%" or Image.Hashes like r"%SHA1=a22dead5cdf05bd2f79a4d0066ffcf01c7d303ec%" or Image.Hashes like r"%SHA1=f7ce71891738a976cd8d4b516c8d7a8e2f6b0ad6%" or Image.Hashes like r"%SHA1=441f87633ee6fbea5dee1268d1b9b936a596464d%" or Image.Hashes like r"%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%" or Image.Hashes like r"%SHA1=32f27451c377c8b5ea66be5475c2f2733cffe306%" or Image.Hashes like r"%SHA1=58ebfb7de214ee09f6bf71c8cc9c139dd4c8b016%" or Image.Hashes like r"%SHA1=f5293ac70d75cdfe580ff6a9edcc83236012eaf1%" or Image.Hashes like r"%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%" or Image.Hashes like r"%SHA1=0b63e76fad88ac48dbfc7cf227890332fcd994a5%" or Image.Hashes like r"%SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f%" or Image.Hashes like r"%SHA1=160a237295a9e5cbb64ca686a84e47553a14f71d%" or Image.Hashes like r"%SHA1=f5d58452620b55c2931cba75eb701f4cde90a9e4%" or Image.Hashes like r"%SHA1=a24840e32071e0f64e1dff8ca540604896811587%" or Image.Hashes like r"%SHA1=fad8e308f6d2e6a9cfaf9e6189335126a3c69acb%" or Image.Hashes like r"%SHA1=6da2dd8a0b4c0e09a04613bbabfc07c0b848ec77%" or Image.Hashes like r"%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%" or 
Image.Hashes like r"%SHA1=f049e68720a5f377a5c529ca82d1147fe21b4c33%" or Image.Hashes like r"%SHA1=c4454a3a4a95e6772acb8a3d998b78a329259566%" or Image.Hashes like r"%SHA1=5291b17205accf847433388fe17553e96ad434ec%" or Image.Hashes like r"%SHA1=8b037d7a7cb612eabd8e20a9ce93afd92a6db2c2%" or Image.Hashes like r"%SHA1=0cca79962d9af574169f5dec12b1f4ca8e5e1868%" or Image.Hashes like r"%SHA1=87d47340d1940eaeb788523606804855818569e3%" or Image.Hashes like r"%SHA1=272ffcda920a8e2440eb0d31dcd05485e0d597ad%" or Image.Hashes like r"%SHA1=e28b754d4d332ea57349110c019d841cf4d27356%" or Image.Hashes like r"%SHA1=d1c38145addfed1bcd1b400334ff5a5e2ef9a5c6%" or Image.Hashes like r"%SHA1=c201d5d0ab945095c3b1a356b3b228af1aa652fc%" or Image.Hashes like r"%SHA1=39e57a0bb3b349c70ad5f11592f9282860bbcc0a%" or Image.Hashes like r"%SHA1=5622caf22032e5cbef52f48077cfbcbbbe85e961%" or Image.Hashes like r"%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%" or Image.Hashes like r"%SHA1=da03799bb0025a476e3e15cc5f426e5412aeef02%" or Image.Hashes like r"%SHA1=b5dfa3396136236cc9a5c91f06514fa717508ef5%" or Image.Hashes like r"%SHA1=ba63502aaf8c5a7c2464e83295948447e938a844%" or Image.Hashes like r"%SHA1=21ce232de0f306a162d6407fe1826aff435b2a04%" or Image.Hashes like r"%SHA1=36a6f75f05ac348af357fdecbabe1a184fe8d315%" or Image.Hashes like r"%SHA1=03257294ee74f69881002c4bf764b9cb83b759d6%" or Image.Hashes like r"%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%" or Image.Hashes like r"%SHA1=1045c63eccb54c8aee9fd83ffe48306dc7fe272c%" or Image.Hashes like r"%SHA1=8f4b79b8026da7f966d38a8ba494c113c5e3894b%" or Image.Hashes like r"%SHA1=f736ccbb44c4de97cf9e9022e1379a4f58f5a5b8%" or Image.Hashes like r"%SHA1=d612165251d5f1dcfb1f1a762c88d956f49ce344%" or Image.Hashes like r"%SHA1=fac870d438bf62ecd5d5c8c58cc9bfda6f246b8b%" or Image.Hashes like r"%SHA1=86b1186a4e282341daf2088204ab9ff2d0402d28%" or Image.Hashes like r"%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%" or Image.Hashes like 
r"%SHA1=0cac0dbaa7adb7bba6e92c7cd2d514be7e86a914%" or Image.Hashes like r"%SHA1=1b25fbab2dbee5504dc94fbcc298cd8669c097a8%" or Image.Hashes like r"%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%" or Image.Hashes like r"%SHA1=8d6d6745a2adc9e5aa025c38875554ae6440d1ad%" or Image.Hashes like r"%SHA1=f42aa04b69a2e2241958b972ef24b65f91c3af12%" or Image.Hashes like r"%SHA1=44a3a00394a6d233a27189482852babf070ffebe%" or Image.Hashes like r"%SHA1=3e406325a717d7163ca31e81beae822d03cbe3d8%" or Image.Hashes like r"%SHA1=fc154983af4a5be15ae1e4b54e2050530b8bc057%" or Image.Hashes like r"%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%" or Image.Hashes like r"%SHA1=f9c916d163b85057414300ca214ebdf751172ecf%" or Image.Hashes like r"%SHA1=195b91a1a43de8bfb52a4869fbf53d7a226a6559%" or Image.Hashes like r"%SHA1=d62fa51e520022483bdc5847141658de689c0c29%" or Image.Hashes like r"%SHA1=9329a0ce2749a3a6bea2028ce7562d74c417db64%" or Image.Hashes like r"%SHA1=cfdb2085eaf729c7967f5d4efe16da3d50d07a23%" or Image.Hashes like r"%SHA1=184729ec2ffd0928a408255a23b3f532ffb3db3d%" or Image.Hashes like r"%SHA1=45a9f95a7a018925148152b888d09d478d56bbf5%" or Image.Hashes like r"%SHA1=a5f9aef55c64722ff2db96039af3b9c7dd8163e3%" or Image.Hashes like r"%SHA1=483e58ed495e4067a7c42ca48e8a5f600b14e018%" or Image.Hashes like r"%SHA1=b9b72a5be3871ddc0446bae35548ea176c4ea613%" or Image.Hashes like r"%SHA1=18f09ec53f0b7d2b1ab64949157e0e84628d0f0a%" or Image.Hashes like r"%SHA1=de2b56ef7a30a4697e9c4cdcae0fc215d45d061d%" or Image.Hashes like r"%SHA1=e2e7a2b2550b889235aafd9ffd1966ccd20badfe%" or Image.Hashes like r"%SHA1=016aa643fbd8e10484741436bcacc0d9eee483c8%" or Image.Hashes like r"%SHA1=5c88d9fcc491c7f1078c224e1d6c9f5bda8f3d8a%" or Image.Hashes like r"%SHA1=86e893e59352fcb220768fb758fcc5bbd91dd39e%" or Image.Hashes like r"%SHA1=1568117f691b41f989f10562f354ee574a6abc2d%" or Image.Hashes like r"%SHA1=5c2262f9e160047b9f4dee53bbfd958ec27ec22e%" or Image.Hashes like r"%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%" or 
Image.Hashes like r"%SHA1=8db4376a86bd2164513c178a578a0bf8d90e7292%" or Image.Hashes like r"%SHA1=4a04596acf79115f15add3921ce30a96f594d7ce%" or Image.Hashes like r"%SHA1=16a091bfd1fd616d4607cac367782b1d2ab07491%" or Image.Hashes like r"%SHA1=cf664e30f8bd548444458eef6d56d5c2e2713e2a%" or Image.Hashes like r"%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%" or Image.Hashes like r"%SHA1=f544f25104fe997ec873f5cec64c7aa722263fb4%" or Image.Hashes like r"%SHA1=be797c91768ac854bd3b82a093e55db83da0cb11%" or Image.Hashes like r"%SHA1=cea540a2864ece0a868d841ab27680ff841fcbe6%" or Image.Hashes like r"%SHA1=b4f1877156bf3157bff1170ba878848b2f22d2d5%" or Image.Hashes like r"%SHA1=55cffb0ef56e52686b0c407b94bbea3701d6eccd%" or Image.Hashes like r"%SHA1=b6543d006cb2579fb768205c479524e432c04204%" or Image.Hashes like r"%SHA1=879b32fcf78044cbc74b57717ab3ae18e77bc2fb%" or Image.Hashes like r"%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%" or Image.Hashes like r"%SHA1=4a7324ca485973d514fd087699f6d759ff32743b%" or Image.Hashes like r"%SHA1=e41808b022656befb7dc42bbeceaf867e2fec6b2%" or Image.Hashes like r"%SHA1=1e09f3dd6ba9386fa9126f0116e49c2371401e01%" or Image.Hashes like r"%SHA1=5bdd44eb321557c5d3ab056959397f0048ac90e6%" or Image.Hashes like r"%SHA1=42bb38b0b93d83b62fe2604b154ada9314c98df7%" or Image.Hashes like r"%SHA1=c47b890dda9882f9f37eccc27d58d6a774a2901f%" or Image.Hashes like r"%SHA1=2cc70b772b42e0208f345c7c70d78f7536812f99%" or Image.Hashes like r"%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%" or Image.Hashes like r"%SHA1=b7a2f2760f9819cb242b2e4f5b7bab0a65944c81%" or Image.Hashes like r"%SHA1=7a1689cde189378e7db84456212b0e438f9bf90a%" or Image.Hashes like r"%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%" or Image.Hashes like r"%SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0%" or Image.Hashes like r"%SHA1=0a6e0f9f3d7179a99345d40e409895c12919195b%" or Image.Hashes like r"%SHA1=2dd916cb8a9973b5890829361c1f9c0d532ba5d6%" or Image.Hashes like 
r"%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%" or Image.Hashes like r"%SHA1=dcfeca5e883a084e89ecd734c4528b922a1099b9%" or Image.Hashes like r"%SHA1=f56fec3f2012cd7fc4528626debc590909ed74b6%" or Image.Hashes like r"%SHA1=d126c6974a21e9c5fdd7ff1ca60bcc37c9353b47%" or Image.Hashes like r"%SHA1=a6aa7926aa46beaf9882a93053536b75ef2c7536%" or Image.Hashes like r"%SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6%" or Image.Hashes like r"%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%" or Image.Hashes like r"%SHA1=7ba4607763c6fef1b2562b72044a20ca2a0303e2%" or Image.Hashes like r"%SHA1=bec66e0a4842048c25732f7ea2bbe989ea400abf%" or Image.Hashes like r"%SHA1=fd87b70f94674b02d62bb01ae6e62d75c618f5c8%" or Image.Hashes like r"%SHA1=d17656f11b899d58dca7b6c3dd6eef3d65ae88e2%" or Image.Hashes like r"%SHA1=c1c869deee6293eee3d0d84b6706d90fab8f8558%" or Image.Hashes like r"%SHA1=f56186b6a7aa3dd7832c9d821f9d2d93bc2a9360%" or Image.Hashes like r"%SHA1=e9d7d7d42fd534abf52da23c0d6ec238cefde071%" or Image.Hashes like r"%SHA1=8d0ae69fbe0c6575b6f8caf3983dd3ddc65aadb5%" or Image.Hashes like r"%SHA1=b67945815e40b1cd90708c57c57dab12ed29da83%" or Image.Hashes like r"%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%" or Image.Hashes like r"%SHA1=a4e2e227f984f344d48f4bf088ca9d020c63db4e%" or Image.Hashes like r"%SHA1=a34adabde63514e1916713a588905c4019f83efb%" or Image.Hashes like r"%SHA1=3270720a066492b046d7180ca6e60602c764cac7%" or Image.Hashes like r"%SHA1=2bcb81f1b643071180e8ed8f7e42f49606669976%" or Image.Hashes like r"%SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a%" or Image.Hashes like r"%SHA1=bb1f9cc94e83c59c90b055fe13bb4604b2c624df%" or Image.Hashes like r"%SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d%" or Image.Hashes like r"%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%" or Image.Hashes like r"%SHA1=6ecfc7ccc4843812bfccfb7e91594c018f0a0ff9%" or Image.Hashes like r"%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%" or Image.Hashes like r"%SHA1=c520a368c472869c3dc356a7bcfa88046352e4d9%" or 
Image.Hashes like r"%SHA1=254dce914e13b90003b0ae72d8705d92fe7c8dd0%" or Image.Hashes like r"%SHA1=e9f576137181c261dc3b23871d1d822731d54a12%" or Image.Hashes like r"%SHA1=ec1eafb87340b18c7ef3bc349fed1ddd5d3678f6%" or Image.Hashes like r"%SHA1=1c537fd17836283364349475c6138e6667cf1164%" or Image.Hashes like r"%SHA1=cfdf9c9125755f4e81fa7cc5410d7740fdfea4ed%" or Image.Hashes like r"%SHA1=252157ab2e33eed7aa112d1c93c720cadcee31ae%" or Image.Hashes like r"%SHA1=97f668aa01ebbbf2f5f93419d146e6608d203efd%" or Image.Hashes like r"%SHA1=9feacc95d30107ce3e1e9a491e2c12d73eef2979%" or Image.Hashes like r"%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%" or Image.Hashes like r"%SHA1=0f78974194b604122b1cd4e82768155f946f6d24%" or Image.Hashes like r"%SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c%" or Image.Hashes like r"%SHA1=d363011d6991219d7f152609164aba63c266b740%" or Image.Hashes like r"%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%" or Image.Hashes like r"%SHA1=db3538f324f9e52defaba7be1ab991008e43d012%" or Image.Hashes like r"%SHA1=008a292f71f49be1fb538f876de6556ce7b5603a%" or Image.Hashes like r"%SHA1=e35969966769e7760094cbcffb294d0d04a09db6%" or Image.Hashes like r"%SHA1=5236728c7562b047a9371403137a6e169e2026a6%" or Image.Hashes like r"%SHA1=862387e84baaf506c10080620cc46df2bda03eea%" or Image.Hashes like r"%SHA1=c0100f8a8697a240604b3ea88848dd94947c7fd3%" or Image.Hashes like r"%SHA1=ad05bff5fe45df9e08252717fc2bc2af57bf026f%" or Image.Hashes like r"%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%" or Image.Hashes like r"%SHA1=637d0de7fa2a06e462dad40a575cb0fa4a38d377%" or Image.Hashes like r"%SHA1=0904b8fa4654197eefd6380c81bbb2149ffe0634%" or Image.Hashes like r"%SHA1=928b9b180ff5deb9f9dd3a38c4758bcf09298c47%" or Image.Hashes like r"%SHA1=432fa24e0ce4b3673113c90b34d6e52dc7bac471%" or Image.Hashes like r"%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%" or Image.Hashes like r"%SHA1=444f96d8943aec21d26f665203f3fb80b9a2a260%" or Image.Hashes like 
r"%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%" or Image.Hashes like r"%SHA1=eba5483bb47ec6ff51d91a9bdf1eee3b6344493d%" or Image.Hashes like r"%SHA1=e3048cd05573dc1d30b1088859bc728ef67aaad0%" or Image.Hashes like r"%SHA1=537923c633d8fc94d9ae45ad9d89e5346f581f17%" or Image.Hashes like r"%SHA1=022f7aa4d0f04d594588ae9fa65c90bcc4bda833%" or Image.Hashes like r"%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%" or Image.Hashes like r"%SHA1=7a107291a9fad0d298a606eb34798d423c4a5683%" or Image.Hashes like r"%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%" or Image.Hashes like r"%SHA1=0fd700fee341148661616ecd8af8eca5e9fa60e3%" or Image.Hashes like r"%SHA1=3aba6dd15260875eb290e9d67992066141aa0bb0%" or Image.Hashes like r"%SHA1=a5596d4d329add26b9ca9fa7005302148dfacfd8%" or Image.Hashes like r"%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%" or Image.Hashes like r"%SHA1=22fc833e07dd163315095d32ebcd3b3e377c33a4%" or Image.Hashes like r"%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%" or Image.Hashes like r"%SHA1=c9522cf7f6d6637aaff096b4b16b0d81f6ee1c37%" or Image.Hashes like r"%SHA1=d11659145d6627f3d93975528d92fb6814171f91%" or Image.Hashes like r"%SHA1=d3d2fe8080f0b18465520785f3a955e1a24ae462%" or Image.Hashes like r"%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%" or Image.Hashes like r"%SHA1=ea37a4241fa4d92c168d052c4e095ccd22a83080%" or Image.Hashes like r"%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%" or Image.Hashes like r"%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%" or Image.Hashes like r"%SHA1=dc69a6cdf048e2c4a370d4b5cafd717d236374ea%" or Image.Hashes like r"%SHA1=24daa825adedcbbb1d098cbe9d68c40389901b64%" or Image.Hashes like r"%SHA1=2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1%" or Image.Hashes like r"%SHA1=dc55217b6043d819eadebd423ff07704ee103231%" or Image.Hashes like r"%SHA1=2ba0db7465cf4ffb272f803a9d77292b79c1e6df%" or Image.Hashes like r"%SHA1=52ea274e399df8706067fdc5ac52af0480461887%" or Image.Hashes like r"%SHA1=d8adf4f02513367c2b273abb0bc02f7eb3a5ef19%" or 
Image.Hashes like r"%SHA1=6887668eb41637bbbab285d41a36093c6b17a8fa%" or Image.Hashes like r"%SHA1=d6b1b3311263bfb170f2091d22f373c2215051b7%" or Image.Hashes like r"%SHA1=fad014ec98529644b5db5388d96bc4f9b77dcdc3%" or Image.Hashes like r"%SHA1=a714a2a045fa8f46d0165b78fe3eecf129c1de3a%" or Image.Hashes like r"%SHA1=a09334489fb18443c8793cb0395860518193cc3c%" or Image.Hashes like r"%SHA1=49d58f7565bacf10539bc63f1d2fe342b3c3d85a%" or Image.Hashes like r"%SHA1=e4fcb363cfe9de0e32096fa5be94a41577a89bb0%" or Image.Hashes like r"%SHA1=6a60f5fa0dfc6c1fa55b24a29df7464ee01a9717%" or Image.Hashes like r"%SHA1=8b86c99328e4eb542663164685c6926e7e54ac20%" or Image.Hashes like r"%SHA1=431550db5c160b56e801f220ceeb515dc16e68d2%" or Image.Hashes like r"%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%" or Image.Hashes like r"%SHA1=dd893cd3520b2015790f7f48023d833f8fe81374%" or Image.Hashes like r"%SHA1=7626036baf98ddcb492a8ec34e58c022ebd70a80%" or Image.Hashes like r"%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%" or Image.Hashes like r"%SHA1=c01caaa74439af49ca81cb5b200a167e7d32343c%" or Image.Hashes like r"%SHA1=26a8ab6ea80ab64d5736b9b72a39d90121156e76%" or Image.Hashes like r"%SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f%" or Image.Hashes like r"%SHA1=f6f7b5776001149496092a95fb10218dea5d6a6b%" or Image.Hashes like r"%SHA1=166759fd511613414d3213942fe2575b926a6226%" or Image.Hashes like r"%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%" or Image.Hashes like r"%SHA1=0a89a6f6f40213356487bfcfb0b129e4f6375180%" or Image.Hashes like r"%SHA1=f640c94e71921479cc48d06b59aba41ffa50a769%" or Image.Hashes like r"%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%" or Image.Hashes like r"%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%" or Image.Hashes like r"%SHA1=3ca51b23f8562485820883e894b448413891183a%" or Image.Hashes like r"%SHA1=8275977e4b586e485e9025222d0a582fcb9e1e8f%" or Image.Hashes like r"%SHA1=30846313e3387298f1f81c694102133568d6d48d%" or Image.Hashes like 
r"%SHA1=b52886433e608926a0b6e623217009e4071b107e%" or Image.Hashes like r"%SHA1=d19d1d3aa30391922989f4c6e3f7dc4937dcefbf%" or Image.Hashes like r"%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%" or Image.Hashes like r"%SHA1=091a039f5f2ae1bb0fa0f83660f4c178fd3a5a10%" or Image.Hashes like r"%SHA1=6293ff11805cd33bccbcca9f0132bff3ae2e2534%" or Image.Hashes like r"%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%" or Image.Hashes like r"%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%" or Image.Hashes like r"%SHA1=1479717fab67d98bbc3665f6b12adddfca74e0ef%" or Image.Hashes like r"%SHA1=fc8fbd92f6e64682360885c188d1bdfbc14ca579%" or Image.Hashes like r"%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%" or Image.Hashes like r"%SHA1=6df42ea7c0e6ee02062bf9ca2aa4aa5cd3775274%" or Image.Hashes like r"%SHA1=c40ff3ebf6b5579108165be63250634823db32ec%" or Image.Hashes like r"%SHA1=cef5a329f7a36c76a546d9528e57245127f37246%" or Image.Hashes like r"%SHA1=7c46ecc5ce8e5f6e236a3b169fb46bb357ac3546%" or Image.Hashes like r"%SHA1=a32232a426c552667f710d2dcbd2fb9f9c50331d%" or Image.Hashes like r"%SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327%" or Image.Hashes like r"%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%" or Image.Hashes like r"%SHA1=d496a8d3e71eaacd873ccef1d1f6801e54959713%" or Image.Hashes like r"%SHA1=437b56dc106d2e649d2c243c86729b6e6461d535%" or Image.Hashes like r"%SHA1=f10ec1b88c3a383c2a0c03362d31960836e3fb5f%" or Image.Hashes like r"%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%" or Image.Hashes like r"%SHA1=7503a1ed7f6fbd068f8c900dd5ddb291417e3464%" or Image.Hashes like r"%SHA1=24aafe3c727c6a3bd1942db78327ada8fcb8c084%" or Image.Hashes like r"%SHA1=8453fc3198349cf0561c87efc329c81e7240c3da%" or Image.Hashes like r"%SHA1=51b9867c391be3ce56ba7e1c3cba8c76777245b2%" or Image.Hashes like r"%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%" or Image.Hashes like r"%SHA1=eb2496304073727564b513efd6387a77ce395443%" or Image.Hashes like r"%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%" or 
Image.Hashes like r"%SHA1=736531c76b8d9c56e26561bf430e10ecabff0186%" or Image.Hashes like r"%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%" or Image.Hashes like r"%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%" or Image.Hashes like r"%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%" or Image.Hashes like r"%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%" or Image.Hashes like r"%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%" or Image.Hashes like r"%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%" or Image.Hashes like r"%SHA1=80ea425e193bd0e05161e8e1dc34fb0eae5f9017%" or Image.Hashes like r"%SHA1=2e546d86d3b1e4eaa92b6ec4768de79f70eb922f%" or Image.Hashes like r"%SHA1=b91c34bb846fd5b2f13f627b7da16c78e3ee7b0f%" or Image.Hashes like r"%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%" or Image.Hashes like r"%SHA1=c02cb8256dfb37f690f2698473fe5428d17bc178%" or Image.Hashes like r"%SHA1=c2d18ce26ce2435845f534146d7f353b662ad2b9%" or Image.Hashes like r"%SHA1=05eff2001f595f9e2894c6b5eee756ae72379a6d%" or Image.Hashes like r"%SHA1=0a19a9c4c9185b80188da529ec9c9f45cbe73186%" or Image.Hashes like r"%SHA1=e7d8fc86b90f75864b7e2415235e17df4d85ee31%" or Image.Hashes like r"%SHA1=8e64c32bcfd70361956674f45964a8b0c8aa6388%" or Image.Hashes like r"%SHA1=97941faf575e43e59fe8ee167de457c2cf75c9eb%" or Image.Hashes like r"%SHA1=7e8efd93a1dad02385ec56c8f3b1cfd23aa47977%" or Image.Hashes like r"%SHA1=850d7df29256b4f537eddafe95cfea59fb118fe2%" or Image.Hashes like r"%SHA1=e2f40590b404a24e775f781525d8ed01f1b1156d%" or Image.Hashes like r"%SHA1=ff9048c451644c9c5ff2ba1408b194a0970b49e6%" or Image.Hashes like r"%SHA1=53f7fc4feb66af748f2ab295394bf4de62ae9fcc%" or Image.Hashes like r"%SHA1=3def50587309440e3b9e595bdbe4dde8d69a64e7%" or Image.Hashes like r"%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%" or Image.Hashes like r"%SHA1=f3029dba668285aac04117273599ac12a94a3564%" or Image.Hashes like r"%SHA1=adab368ed3c17b8f2dc0b2173076668b6153e03a%" or Image.Hashes like 
r"%SHA1=c45d03076fa6e66c1b8b74b020ad84712755e3df%" or Image.Hashes like r"%SHA1=0d27a3166575ec5983ec58de2591552cfa90ef92%" or Image.Hashes like r"%SHA1=d28b604b9bb608979cc0eab1e9e93e11c721aa3d%" or Image.Hashes like r"%SHA1=70bb3b831880e058524735b14f2a0f1a72916a4c%" or Image.Hashes like r"%SHA1=5a55c227ca13e9373b87f1ef6534533c7ce1f4fb%" or Image.Hashes like r"%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%" or Image.Hashes like r"%SHA1=4075de7d7d2169d650c5ccede8251463913511e6%" or Image.Hashes like r"%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%" or Image.Hashes like r"%SHA1=619413b5a6d6aeb4d58c409d54fe4a981dd7e4d9%" or Image.Hashes like r"%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%" or Image.Hashes like r"%SHA1=d9c1913a6c76b883568910094dfa1d67aad80c84%" or Image.Hashes like r"%SHA1=49174d56cce618c77ae4013fe28861c80bf5ba97%" or Image.Hashes like r"%SHA1=e11f48631c6e0277e21a8bdf9be513651305f0d5%" or Image.Hashes like r"%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%" or Image.Hashes like r"%SHA1=d5326fea00bcde2ef7155acf3285c245c9fb4ece%" or Image.Hashes like r"%SHA1=e8234c44f3b7e4c510ef868e8c080e00e2832b07%" or Image.Hashes like r"%SHA1=9449f211c3c47821b638513d239e5f2c778dc523%" or Image.Hashes like r"%SHA1=456a1acacaa02664517c2f2fb854216e8e967f9d%" or Image.Hashes like r"%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%" or Image.Hashes like r"%SHA1=b314742af197a786218c6dd704b438469445eefa%" or Image.Hashes like r"%SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371%" or Image.Hashes like r"%SHA1=fbfabf309680fbf7c0f6f14c5a0e4840c894e393%" or Image.Hashes like r"%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%" or Image.Hashes like r"%SHA1=6ed5c2313eecd97b78aa5dcdb442dd47345c9e43%" or Image.Hashes like r"%SHA1=1f26424eaf046dbf800ae2ac52d9bb38494d061a%" or Image.Hashes like r"%SHA1=b7fa8278ab7bc485727d075e761a72042c4595f7%" or Image.Hashes like r"%SHA1=10b9ae9286837b3bf6a00771c7e81adbdea3cbfe%" or Image.Hashes like r"%SHA1=850f15fd67d9177a50f3efef07a805b9613f50d6%" or 
Image.Hashes like r"%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%" or Image.Hashes like r"%SHA1=164c899638bc83099c0379ea76485194564c956c%" or Image.Hashes like r"%SHA1=15f16fe63105b8f9cc0ef2bc8f97cfa5deb40662%" or Image.Hashes like r"%SHA1=b304cb10c88ddd8461bad429ebfd2fd1b809ac2b%" or Image.Hashes like r"%SHA1=a95a126b539989e29e68969bfab16df291e7fa8a%" or Image.Hashes like r"%SHA1=4f02fb7387ca0bc598c3bcb66c5065d08dbb3f73%" or Image.Hashes like r"%SHA1=1e8bccbd74f194db6411011017716c8c6b730d03%" or Image.Hashes like r"%SHA1=0cc60a56e245e70f664906b7b67dfe1b4a08a5b7%" or Image.Hashes like r"%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%" or Image.Hashes like r"%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%" or Image.Hashes like r"%SHA1=879e327292616c56bd4aafc279fbda6cc393b74d%" or Image.Hashes like r"%SHA1=45e8f87afa41143e0c5850f9e054d18ec9c8a6c0%" or Image.Hashes like r"%SHA1=b53c360b35174bd89f97f681bf7c17f40e519eb6%" or Image.Hashes like r"%SHA1=c3be2bbd9b3f696bc9d51d5973cc00ca059fb172%" or Image.Hashes like r"%SHA1=5bb2d46ba666c03c56c326f0bbc85cc48a87dfa3%" or Image.Hashes like r"%SHA1=9b8c7eda28bfad07ffe5f84a892299bc7e118442%" or Image.Hashes like r"%SHA1=762a5b4c7beb2af675617dca6dcd6afd36ce0afd%" or Image.Hashes like r"%SHA1=6d9e22a275a5477ea446e6c56ee45671fbcbb5f6%" or Image.Hashes like r"%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%" or Image.Hashes like r"%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%" or Image.Hashes like r"%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%" or Image.Hashes like r"%SHA1=f61e56359c663a769073782a0a3ffd3679c2694a%" or Image.Hashes like r"%SHA1=dd2b90c9796237036ac7136a172d96274dea14c8%" or Image.Hashes like r"%SHA1=af5b7556706e09ee9e74ee2e87eab5c0a49d2d35%" or Image.Hashes like r"%SHA1=57cc324326ab6c4239f8c10d2d1ce8862b2ce4d5%" or Image.Hashes like r"%SHA1=bed5bad7f405aa828a146c7f71d09c31d0c32051%" or Image.Hashes like r"%SHA1=34a07ae39b232cc3dbbe657b34660e692ff2043a%" or Image.Hashes like 
r"%SHA1=3f67a43ae174a715795e49f72bc350302de83323%" or Image.Hashes like r"%SHA1=a3d612a5ea3439ba72157bd96e390070bdddbbf3%" or Image.Hashes like r"%SHA1=655a9487d7a935322e19bb92d2465849055d029d%" or Image.Hashes like r"%SHA1=f70989f8b17971f13d45ee537e4ce98e93acbbaf%" or Image.Hashes like r"%SHA1=4044e5da1f16441fe7eb27cff7a76887a1aa7fec%" or Image.Hashes like r"%SHA1=7b4c922415e13deaf54bb2771f2ae30814ee1d14%" or Image.Hashes like r"%SHA1=8c11430372889bae1f91e8d068e2b2ad56dfc6bf%" or Image.Hashes like r"%SHA1=4f376b1d1439477a426ef3c52e8c1c69c2cb5305%" or Image.Hashes like r"%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%" or Image.Hashes like r"%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%" or Image.Hashes like r"%SHA1=7fb52290883a6b69a96d480f2867643396727e83%" or Image.Hashes like r"%SHA1=82dbac75b73ff4b92bdcbf6977a6683e1dcfe995%" or Image.Hashes like r"%SHA1=5b83c61178afb87ef7d58fd786808effcaaae861%" or Image.Hashes like r"%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%" or Image.Hashes like r"%SHA1=ebafebe5e94fdf12bd2159ed66d73268576bc7d9%" or Image.Hashes like r"%SHA1=5e4b93591f905854fb870011464291c3508aff44%" or Image.Hashes like r"%SHA1=a38aac44ee232fb50a6abf145e8dd921ca3e7d78%" or Image.Hashes like r"%SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b%" or Image.Hashes like r"%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%" or Image.Hashes like r"%SHA256=66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796%" or Image.Hashes like r"%SHA256=e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994%" or Image.Hashes like r"%SHA256=5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea%" or Image.Hashes like r"%SHA256=b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a%" or Image.Hashes like r"%SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4%" or Image.Hashes like r"%SHA256=c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547%" or 
Image.Hashes like r"%SHA256=506f56996fbcd34ff8a27e6948a2e2e21e6dbf42dab6e3a6438402000b969fd1%" or Image.Hashes like r"%SHA256=4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61%" or Image.Hashes like r"%SHA256=9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504%" or Image.Hashes like r"%SHA256=5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa%" or Image.Hashes like r"%SHA256=a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f%" or Image.Hashes like r"%SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675%" or Image.Hashes like r"%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%" or Image.Hashes like r"%SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb%" or Image.Hashes like r"%SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c%" or Image.Hashes like r"%SHA256=247aadaf17ed894fcacf3fc4e109b005540e3659fd0249190eb33725d3d3082f%" or Image.Hashes like r"%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%" or Image.Hashes like r"%SHA256=dfe57c6a4ef4d2491be325d67428698a61d9c5d2a24dbada10043d313be2c8cc%" or Image.Hashes like r"%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%" or Image.Hashes like r"%SHA256=46cf46e1073b7c99142964b7c4bef1e5285fabcf2c6dbe5be99000a393d9f474%" or Image.Hashes like r"%SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a%" or Image.Hashes like r"%SHA256=4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba%" or Image.Hashes like r"%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%" or Image.Hashes like r"%SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2%" or Image.Hashes like r"%SHA256=a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00%" or Image.Hashes like r"%SHA256=e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16%" or Image.Hashes like 
r"%SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712%" or Image.Hashes like r"%SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f%" or Image.Hashes like r"%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%" or Image.Hashes like r"%SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763%" or Image.Hashes like r"%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%" or Image.Hashes like r"%SHA256=5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879%" or Image.Hashes like r"%SHA256=68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248%" or Image.Hashes like r"%SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75%" or Image.Hashes like r"%SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d%" or Image.Hashes like r"%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%" or Image.Hashes like r"%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%" or Image.Hashes like r"%SHA256=b50b11e2203942695380869c6072e15479290bc57da2ec5df3481a36b8a8561e%" or Image.Hashes like r"%SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1%" or Image.Hashes like r"%SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439%" or Image.Hashes like r"%SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de%" or Image.Hashes like r"%SHA256=d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee%" or Image.Hashes like r"%SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a%" or Image.Hashes like r"%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%" or Image.Hashes like r"%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%" or Image.Hashes like r"%SHA256=a6f8aa3de5b4aea58eddd45807d722c864d4bc4a38ad573174af864e21f0d526%" or Image.Hashes like 
r"%SHA256=0c018eaa293c03febe2aef1e868fca782a06b49d7d2f9f388ae5fb57604c5250%" or Image.Hashes like r"%SHA256=223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1%" or Image.Hashes like r"%SHA256=18047c2d45758a43d6b7e56bcd4aa90354c899795baf944f037850c48d8e892a%" or Image.Hashes like r"%SHA256=442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243%" or Image.Hashes like r"%SHA256=7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8%" or Image.Hashes like r"%SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47%" or Image.Hashes like r"%SHA256=0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2%" or Image.Hashes like r"%SHA256=9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c%" or Image.Hashes like r"%SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3%" or Image.Hashes like r"%SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6%" or Image.Hashes like r"%SHA256=a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce%" or Image.Hashes like r"%SHA256=d3b5fd13a53eee5c468c8bfde4bfa7b968c761f9b781bb80ccd5637ee052ee7d%" or Image.Hashes like r"%SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59%" or Image.Hashes like r"%SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1%" or Image.Hashes like r"%SHA256=16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c%" or Image.Hashes like r"%SHA256=0bd164da36bd637bb76ca66602d732af912bd9299cb3d520d26db528cb54826d%" or Image.Hashes like r"%SHA256=c3d479d7efd0f6b502d6829b893711bdd51aac07d66326b41ef5451bafdfcb29%" or Image.Hashes like r"%SHA256=4eb1b9f3fe3c79f20c9cdeba92f6d6eb9b9ed15b546851e1f5338c0b7d36364b%" or Image.Hashes like r"%SHA256=fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70%" or Image.Hashes like r"%SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8%" or Image.Hashes like 
r"%SHA256=7149fbd191d7e4941a32a3118ab017426b551d5d369f20c94c4f36ae4ef54f26%" or Image.Hashes like r"%SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f%" or Image.Hashes like r"%SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa%" or Image.Hashes like r"%SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed%" or Image.Hashes like r"%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%" or Image.Hashes like r"%SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36%" or Image.Hashes like r"%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%" or Image.Hashes like r"%SHA256=cbd4f66ae09797fcd1dc943261a526710acc8dd4b24e6f67ed4a1fce8b0ae31c%" or Image.Hashes like r"%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%" or Image.Hashes like r"%SHA256=b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1%" or Image.Hashes like r"%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%" or Image.Hashes like r"%SHA256=a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e%" or Image.Hashes like r"%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%" or Image.Hashes like r"%SHA256=4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158%" or Image.Hashes like r"%SHA256=d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8%" or Image.Hashes like r"%SHA256=f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672%" or Image.Hashes like r"%SHA256=f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2%" or Image.Hashes like r"%SHA256=3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284%" or Image.Hashes like r"%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%" or Image.Hashes like r"%SHA256=1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd%" or Image.Hashes like 
r"%SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b%" or Image.Hashes like r"%SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0%" or Image.Hashes like r"%SHA256=bac7e75745d0cb8819de738b73edded02a07111587c4531383dccd4562922b65%" or Image.Hashes like r"%SHA256=8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750%" or Image.Hashes like r"%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%" or Image.Hashes like r"%SHA256=03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d%" or Image.Hashes like r"%SHA256=af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1%" or Image.Hashes like r"%SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173%" or Image.Hashes like r"%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%" or Image.Hashes like r"%SHA256=38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8%" or Image.Hashes like r"%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%" or Image.Hashes like r"%SHA256=ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156%" or Image.Hashes like r"%SHA256=a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f%" or Image.Hashes like r"%SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6%" or Image.Hashes like r"%SHA256=d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6%" or Image.Hashes like r"%SHA256=f9bc6b2d5822c5b3a7b1023adceb25b47b41e664347860be4603ee81b644590e%" or Image.Hashes like r"%SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677%" or Image.Hashes like r"%SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3%" or Image.Hashes like r"%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%" or Image.Hashes like r"%SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea%" or Image.Hashes like 
r"%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%" or Image.Hashes like r"%SHA256=45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271%" or Image.Hashes like r"%SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91%" or Image.Hashes like r"%SHA256=ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498%" or Image.Hashes like r"%SHA256=3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486%" or Image.Hashes like r"%SHA256=e6a2b1937fa277526a1e0ca9f9b32f85ab9cb7cb1a32250dd9c607e93fc2924f%" or Image.Hashes like r"%SHA256=f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229%" or Image.Hashes like r"%SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8%" or Image.Hashes like r"%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%" or Image.Hashes like r"%SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf%" or Image.Hashes like r"%SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190%" or Image.Hashes like r"%SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb%" or Image.Hashes like r"%SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135%" or Image.Hashes like r"%SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d%" or Image.Hashes like r"%SHA256=ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9%" or Image.Hashes like r"%SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f%" or Image.Hashes like r"%SHA256=eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd%" or Image.Hashes like r"%SHA256=a10b4ed33a13c08804da8b46fd1b7bd653a6f2bb65668e82086de1940c5bb5d1%" or Image.Hashes like r"%SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e%" or Image.Hashes like r"%SHA256=9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340%" or Image.Hashes like 
r"%SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775%" or Image.Hashes like r"%SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba%" or Image.Hashes like r"%SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf%" or Image.Hashes like r"%SHA256=7c933f5d07ccb4bd715666cd6eb35a774b266ddd8d212849535a54192a44f667%" or Image.Hashes like r"%SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb%" or Image.Hashes like r"%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%" or Image.Hashes like r"%SHA256=c0ae3349ebaac9a99c47ec55d5f7de00dc03bd7c5cd15799bc00646d642aa8de%" or Image.Hashes like r"%SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a%" or Image.Hashes like r"%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%" or Image.Hashes like r"%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%" or Image.Hashes like r"%SHA256=c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad%" or Image.Hashes like r"%SHA256=e8b51ab681714e491ab1a59a7c9419db39db04b0dd7be11293f3a0951afe740e%" or Image.Hashes like r"%SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef%" or Image.Hashes like r"%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%" or Image.Hashes like r"%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%" or Image.Hashes like r"%SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8%" or Image.Hashes like r"%SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3%" or Image.Hashes like r"%SHA256=42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180%" or Image.Hashes like r"%SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c%" or Image.Hashes like r"%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%" or Image.Hashes like 
r"%SHA256=67e9d1f6f7ed58d86b025d3578cb7a3f3c389b9dd425b7f46bb1056e83bffc78%" or Image.Hashes like r"%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%" or Image.Hashes like r"%SHA256=0aca4447ee54d635f76b941f6100b829dc8b2e0df27bdf584acb90f15f12fbda%" or Image.Hashes like r"%SHA256=49ae47b6b4d5e1b791b89e0395659d42a29a79c3e6ec52cbfcb9f9cef857a9dd%" or Image.Hashes like r"%SHA256=0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c%" or Image.Hashes like r"%SHA256=e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21%" or Image.Hashes like r"%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%" or Image.Hashes like r"%SHA256=41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f%" or Image.Hashes like r"%SHA256=d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c%" or Image.Hashes like r"%SHA256=b617a072c578cea38c460e2851f3d122ba1b7cfa1f5ee3e9f5927663ac37af61%" or Image.Hashes like r"%SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f%" or Image.Hashes like r"%SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb%" or Image.Hashes like r"%SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d%" or Image.Hashes like r"%SHA256=c9c60f560440ff16ad3c767ff5b7658d5bda61ea1166efe9b7f450447557136e%" or Image.Hashes like r"%SHA256=7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5%" or Image.Hashes like r"%SHA256=680ddece32fe99f056e770cb08641f5b585550798dfdf723441a11364637c7e6%" or Image.Hashes like r"%SHA256=1c425793a8ce87be916969d6d7e9dd0687b181565c3b483ce53ad1ec6fb72a17%" or Image.Hashes like r"%SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad%" or Image.Hashes like r"%SHA256=4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb%" or Image.Hashes like r"%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%" or Image.Hashes like 
r"%SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970%" or Image.Hashes like r"%SHA256=0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec%" or Image.Hashes like r"%SHA256=5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00%" or Image.Hashes like r"%SHA256=3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928%" or Image.Hashes like r"%SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f%" or Image.Hashes like r"%SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833%" or Image.Hashes like r"%SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c%" or Image.Hashes like r"%SHA256=38e6d7c2787b6289629c72b1ec87655392267044b4e4b830c0232243657ee8f9%" or Image.Hashes like r"%SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0%" or Image.Hashes like r"%SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa%" or Image.Hashes like r"%SHA256=0b8887921e4a22e24fd058ba5ac40061b4bb569ac7207b9548168af9d6995e7c%" or Image.Hashes like r"%SHA256=8a982eed9cbc724d50a9ddf4f74ecbcd67b4fdcd9c2bb1795bc88c2d9caf7506%" or Image.Hashes like r"%SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293%" or Image.Hashes like r"%SHA256=e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce%" or Image.Hashes like r"%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%" or Image.Hashes like r"%SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039%" or Image.Hashes like r"%SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683%" or Image.Hashes like r"%SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418%" or Image.Hashes like r"%SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5%" or Image.Hashes like r"%SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b%" or Image.Hashes like 
r"%SHA256=33bc9a17a0909e32a3ae7e6f089b7f050591dd6f3f7a8172575606bec01889ef%" or Image.Hashes like r"%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%" or Image.Hashes like r"%SHA256=53b9e423baf946983d03ce309ec5e006ba18c9956dcd97c68a8b714d18c8ffcf%" or Image.Hashes like r"%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%" or Image.Hashes like r"%SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e%" or Image.Hashes like r"%SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe%" or Image.Hashes like r"%SHA256=76940e313c27c7ff692051fbf1fbdec19c8c31a6723a9de7e15c3c1bec8186f6%" or Image.Hashes like r"%SHA256=eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed%" or Image.Hashes like r"%SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf%" or Image.Hashes like r"%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%" or Image.Hashes like r"%SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af%" or Image.Hashes like r"%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%" or Image.Hashes like r"%SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9%" or Image.Hashes like r"%SHA256=67cd6166d791bdf74453e19c015b2cb1e85e41892c04580034b65f9f03fe2e79%" or Image.Hashes like r"%SHA256=71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713%" or Image.Hashes like r"%SHA256=8ae383546761069b26826dfbf2ac0233169d155bca6a94160488092b4e70b222%" or Image.Hashes like r"%SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7%" or Image.Hashes like r"%SHA256=a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641%" or Image.Hashes like r"%SHA256=29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36%" or Image.Hashes like r"%SHA256=7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3%" or Image.Hashes like 
r"%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%" or Image.Hashes like r"%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%" or Image.Hashes like r"%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%" or Image.Hashes like r"%SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456%" or Image.Hashes like r"%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%" or Image.Hashes like r"%SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1%" or Image.Hashes like r"%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%" or Image.Hashes like r"%SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60%" or Image.Hashes like r"%SHA256=4737750788c72d2fc9cf95681c622357263075d65b23e54c4dc3f31446cad37b%" or Image.Hashes like r"%SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c%" or Image.Hashes like r"%SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c%" or Image.Hashes like r"%SHA256=3b2ad08123e8ed2516548240cfcdf5eefd89293f31070a6cd3949ee1b66fed14%" or Image.Hashes like r"%SHA256=edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5%" or Image.Hashes like r"%SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b%" or Image.Hashes like r"%SHA256=39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d%" or Image.Hashes like r"%SHA256=0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502%" or Image.Hashes like r"%SHA256=5da0ffe33987f8d5fb9c151f0eff29b99f42233b27efcad596add27bdc5c88ff%" or Image.Hashes like r"%SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9%" or Image.Hashes like r"%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%" or Image.Hashes like r"%SHA256=bceaf970b60b4457eca3c181f649a1c67f4602778171e53d9bdc9b97a09603ca%" or Image.Hashes like 
r"%SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b%" or Image.Hashes like r"%SHA256=db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7%" or Image.Hashes like r"%SHA256=32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e%" or Image.Hashes like r"%SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c%" or Image.Hashes like r"%SHA256=bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042%" or Image.Hashes like r"%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%" or Image.Hashes like r"%SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145%" or Image.Hashes like r"%SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478%" or Image.Hashes like r"%SHA256=b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5%" or Image.Hashes like r"%SHA256=edfc38f91b5e198f3bf80ef6dcaebb5e86963936bcd2e5280088ca90d6998b8c%" or Image.Hashes like r"%SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48%" or Image.Hashes like r"%SHA256=0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7%" or Image.Hashes like r"%SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f%" or Image.Hashes like r"%SHA256=b3a191ccd1df19cdf17fe6637d48266ac84c4310b013ad6973d8cb336b06ff69%" or Image.Hashes like r"%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%" or Image.Hashes like r"%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%" or Image.Hashes like r"%SHA256=c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778%" or Image.Hashes like r"%SHA256=0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75%" or Image.Hashes like r"%SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c%" or Image.Hashes like r"%SHA256=bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c%" or Image.Hashes like 
r"%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%" or Image.Hashes like r"%SHA256=00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c%" or Image.Hashes like r"%SHA256=7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca%" or Image.Hashes like r"%SHA256=3b19a7207a55d752db1b366b1dea2fd2c7620a825a3f0dcffca10af76611118c%" or Image.Hashes like r"%SHA256=fe2fb5d6cfcd64aeb62e6bf5b71fd2b2a87886eb97ab59e5353ba740da9f5db5%" or Image.Hashes like r"%SHA256=7fd90500b57f9ac959c87f713fe9ca59e669e6e1512f77fccb6a75cdc0dfee8e%" or Image.Hashes like r"%SHA256=0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901%" or Image.Hashes like r"%SHA256=e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc%" or Image.Hashes like r"%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%" or Image.Hashes like r"%SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1%" or Image.Hashes like r"%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%" or Image.Hashes like r"%SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b%" or Image.Hashes like r"%SHA256=65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d%" or Image.Hashes like r"%SHA256=0e10d3c73596e359462dc6bfcb886768486ff59e158f0f872d23c5e9a2f7c168%" or Image.Hashes like r"%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%" or Image.Hashes like r"%SHA256=060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f%" or Image.Hashes like r"%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%" or Image.Hashes like r"%SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486%" or Image.Hashes like r"%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%" or Image.Hashes like r"%SHA256=642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54%" or Image.Hashes like 
r"%SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9%" or Image.Hashes like r"%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%" or Image.Hashes like r"%SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac%" or Image.Hashes like r"%SHA256=6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d%" or Image.Hashes like r"%SHA256=1ce9e4600859293c59d884ea721e9b20b2410f6ef80699f8a78a6b9fad505dfc%" or Image.Hashes like r"%SHA256=33d7046a5d41f4010ad5df632577154ed223dac2ab0ca2da57dbf1724db45a57%" or Image.Hashes like r"%SHA256=653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d%" or Image.Hashes like r"%SHA256=20dd9542d30174585f2623642c7fbbda84e2347e4365e804e3f3d81f530c4ece%" or Image.Hashes like r"%SHA256=3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2%" or Image.Hashes like r"%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%" or Image.Hashes like r"%SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512%" or Image.Hashes like r"%SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743%" or Image.Hashes like r"%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%" or Image.Hashes like r"%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%" or Image.Hashes like r"%SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5%" or Image.Hashes like r"%SHA256=613d6cc154586c21b330018142a89eac4504e185f0be7f86af975e5b6c046c55%" or Image.Hashes like r"%SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298%" or Image.Hashes like r"%SHA256=b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c%" or Image.Hashes like r"%SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab%" or Image.Hashes like r"%SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd%" or Image.Hashes like 
r"%SHA256=854bc946b557ed78c7d40547eb39e293e83942a693c94d0e798d1c4fbde7efa9%" or Image.Hashes like r"%SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc%" or Image.Hashes like r"%SHA256=aa0c52cebd64a0115c0e7faf4316a52208f738f66a54b4871bd4162eb83dc41a%" or Image.Hashes like r"%SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade%" or Image.Hashes like r"%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%" or Image.Hashes like r"%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%" or Image.Hashes like r"%SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9%" or Image.Hashes like r"%SHA256=69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce%" or Image.Hashes like r"%SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761%" or Image.Hashes like r"%SHA256=16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23%" or Image.Hashes like r"%SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0%" or Image.Hashes like r"%SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c%" or Image.Hashes like r"%SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2%" or Image.Hashes like r"%SHA256=f2ed6c1906663016123559d9f3407bc67f64e0d235fa6f10810a3fa7bb322967%" or Image.Hashes like r"%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%" or Image.Hashes like r"%SHA256=c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a%" or Image.Hashes like r"%SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48%" or Image.Hashes like r"%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%" or Image.Hashes like r"%SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f%" or Image.Hashes like r"%SHA256=d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd%" or Image.Hashes like 
r"%SHA256=636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220%" or Image.Hashes like r"%SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22%" or Image.Hashes like r"%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%" or Image.Hashes like r"%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%" or Image.Hashes like r"%SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408%" or Image.Hashes like r"%SHA256=4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f%" or Image.Hashes like r"%SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2%" or Image.Hashes like r"%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%" or Image.Hashes like r"%SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5%" or Image.Hashes like r"%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%" or Image.Hashes like r"%SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6%" or Image.Hashes like r"%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%" or Image.Hashes like r"%SHA256=9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01%" or Image.Hashes like r"%SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258%" or Image.Hashes like r"%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%" or Image.Hashes like r"%SHA256=d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b%" or Image.Hashes like r"%SHA256=c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65%" or Image.Hashes like r"%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%" or Image.Hashes like r"%SHA256=f583cfb8aab7d084dc052dbd0b9d56693308cbb26bd1b607c2aedf8ee2b25e44%" or Image.Hashes like r"%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%" or Image.Hashes like 
r"%SHA256=bac1cd96ba242cdf29f8feac501110739f1524f0db1c8fcad59409e77b8928ba%" or Image.Hashes like r"%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%" or Image.Hashes like r"%SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc%" or Image.Hashes like r"%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%" or Image.Hashes like r"%SHA256=73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061%" or Image.Hashes like r"%SHA256=ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1%" or Image.Hashes like r"%SHA256=c181ce9a57e8d763db89ba7c45702a8cf66ef1bb58e3f21874cf0265711f886b%" or Image.Hashes like r"%SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02%" or Image.Hashes like r"%SHA256=51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb%" or Image.Hashes like r"%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%" or Image.Hashes like r"%SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a%" or Image.Hashes like r"%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%" or Image.Hashes like r"%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%" or Image.Hashes like r"%SHA256=83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc%" or Image.Hashes like r"%SHA256=8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250%" or Image.Hashes like r"%SHA256=61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874%" or Image.Hashes like r"%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%" or Image.Hashes like r"%SHA256=a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af%" or Image.Hashes like r"%SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff%" or Image.Hashes like r"%SHA256=6297556f66cd6619057f3a5b216b314f8a27eebb5fa575ee07a1944aca71ae80%" or Image.Hashes like 
r"%SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184%" or Image.Hashes like r"%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%" or Image.Hashes like r"%SHA256=3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1%" or Image.Hashes like r"%SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e%" or Image.Hashes like r"%SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587%" or Image.Hashes like r"%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%" or Image.Hashes like r"%SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89%" or Image.Hashes like r"%SHA256=72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35%" or Image.Hashes like r"%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%" or Image.Hashes like r"%SHA256=b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027%" or Image.Hashes like r"%SHA256=0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d%" or Image.Hashes like r"%SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924%" or Image.Hashes like r"%SHA256=5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c%" or Image.Hashes like r"%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%" or Image.Hashes like r"%SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4%" or Image.Hashes like r"%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%" or Image.Hashes like r"%SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131%" or Image.Hashes like r"%SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f%" or Image.Hashes like r"%SHA256=8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881%" or Image.Hashes like r"%SHA256=9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3%" or Image.Hashes like 
r"%SHA256=dd2c1aa4e14c825f3715891bfa2b6264650a794f366d5f73ed1ef1d79ff0dbf9%" or Image.Hashes like r"%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%" or Image.Hashes like r"%SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7%" or Image.Hashes like r"%SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2%" or Image.Hashes like r"%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%" or Image.Hashes like r"%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%" or Image.Hashes like r"%SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0%" or Image.Hashes like r"%SHA256=1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3%" or Image.Hashes like r"%SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0%" or Image.Hashes like r"%SHA256=87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b%" or Image.Hashes like r"%SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92%" or Image.Hashes like r"%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%" or Image.Hashes like r"%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%" or Image.Hashes like r"%SHA256=837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2%" or Image.Hashes like r"%SHA256=db73b0fa032be22405fa0b52fbfe3b30e56ac4787e620e4854c32668ae43bc33%" or Image.Hashes like r"%SHA256=773999db2f07c50aad70e50c1983fa95804369d25a5b4f10bd610f864c27f2fc%" or Image.Hashes like r"%SHA256=f64a78b1294e6837f12f171a663d8831f232b1012fd8bae3c2c6368fbf71219b%" or Image.Hashes like r"%SHA256=733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e%" or Image.Hashes like r"%SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21%" or Image.Hashes like r"%SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194%" or Image.Hashes like 
r"%SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48%" or Image.Hashes like r"%SHA256=747a4dc50915053649c499a508853a42d9e325a5eec22e586571e338c6d32465%" or Image.Hashes like r"%SHA256=903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b%" or Image.Hashes like r"%SHA256=6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259%" or Image.Hashes like r"%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%" or Image.Hashes like r"%SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5%" or Image.Hashes like r"%SHA256=55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03%" or Image.Hashes like r"%SHA256=f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686%" or Image.Hashes like r"%SHA256=4ba224af60a50cad10d0091c89134c72fc021da8d34a6f25c4827184dc6ca5c7%" or Image.Hashes like r"%SHA256=40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554%" or Image.Hashes like r"%SHA256=1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b%" or Image.Hashes like r"%SHA256=53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b%" or Image.Hashes like r"%SHA256=7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6%" or Image.Hashes like r"%SHA256=6e76764d750ebd835aa4bb055830d278df530303585614c1dc743f8d5adf97d7%" or Image.Hashes like r"%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%" or Image.Hashes like r"%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%" or Image.Hashes like r"%SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b%" or Image.Hashes like r"%SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20%" or Image.Hashes like r"%SHA256=00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03%" or Image.Hashes like r"%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%" or Image.Hashes like 
r"%SHA256=d9e8be11a19699903016f39f95c9c5bf1a39774ecea73670f2c3ed5385ebfe4c%" or Image.Hashes like r"%SHA256=6ef0b34649186fb98a7431b606e77ee35e755894b038755ba98e577bd51b2c72%" or Image.Hashes like r"%SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98%" or Image.Hashes like r"%SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa%" or Image.Hashes like r"%SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d%" or Image.Hashes like r"%SHA256=3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb%" or Image.Hashes like r"%SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f%" or Image.Hashes like r"%SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e%" or Image.Hashes like r"%SHA256=760be95d4c04b10df89a78414facf91c0961020e80561eee6e2cb94b43b76510%" or Image.Hashes like r"%SHA256=b749566057dee0439f54b0d38935e5939b5cb011c46d7022530f748ebc63efe5%" or Image.Hashes like r"%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%" or Image.Hashes like r"%SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf%" or Image.Hashes like r"%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%" or Image.Hashes like r"%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%" or Image.Hashes like r"%SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248%" or Image.Hashes like r"%SHA256=ac26150bc98ee0419a8b23e4cda3566e0eba94718ba8059346a9696401e9793d%" or Image.Hashes like r"%SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0%" or Image.Hashes like r"%SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa%" or Image.Hashes like r"%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%" or Image.Hashes like r"%SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c%" or Image.Hashes like 
r"%SHA256=0a9b608461d55815e99700607a52fbdb7d598f968126d38e10cc4293ac4b1ad8%" or Image.Hashes like r"%SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3%" or Image.Hashes like r"%SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e%" or Image.Hashes like r"%SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5%" or Image.Hashes like r"%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%" or Image.Hashes like r"%SHA256=2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f%" or Image.Hashes like r"%SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1%" or Image.Hashes like r"%SHA256=8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c%" or Image.Hashes like r"%SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8%" or Image.Hashes like r"%SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3%" or Image.Hashes like r"%SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1%" or Image.Hashes like r"%SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1%" or Image.Hashes like r"%SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775%" or Image.Hashes like r"%SHA256=ad0309c2d225d8540a47250e3773876e05ce6a47a7767511e2f68645562c0686%" or Image.Hashes like r"%SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0%" or Image.Hashes like r"%SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa%" or Image.Hashes like r"%SHA256=3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9%" or Image.Hashes like r"%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%" or Image.Hashes like r"%SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c%" or Image.Hashes like r"%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%" or Image.Hashes like 
r"%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%" or Image.Hashes like r"%SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2%" or Image.Hashes like r"%SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9%" or Image.Hashes like r"%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%" or Image.Hashes like r"%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%" or Image.Hashes like r"%SHA256=c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa%" or Image.Hashes like r"%SHA256=11208bbba148736309a8d2a4ab9ab6b8f22f2297547b100d8bdfd7d413fe98b2%" or Image.Hashes like r"%SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504%" or Image.Hashes like r"%SHA256=d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b%" or Image.Hashes like r"%SHA256=c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b%" or Image.Hashes like r"%SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126%" or Image.Hashes like r"%SHA256=81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05%" or Image.Hashes like r"%SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9%" or Image.Hashes like r"%SHA256=828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2%" or Image.Hashes like r"%SHA256=182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714%" or Image.Hashes like r"%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%" or Image.Hashes like r"%SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d%" or Image.Hashes like r"%SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185%" or Image.Hashes like r"%SHA256=f1fbec90c60ee4daba1b35932db9f3556633b2777b1039163841a91cf997938e%" or Image.Hashes like r"%SHA256=9917144b7240b1ce0cadb1210fd26182744fbbdf145943037c4b93e44aced207%" or Image.Hashes like 
r"%SHA256=c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1%" or Image.Hashes like r"%SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1%" or Image.Hashes like r"%SHA256=ad215185dc833c54d523350ef3dbc10b3357a88fc4dde00281d9af81ea0764d5%" or Image.Hashes like r"%SHA256=e2d6cdc3d8960a50d9f292bb337b3235956a61e4e8b16cf158cb979b777f42aa%" or Image.Hashes like r"%SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d%" or Image.Hashes like r"%SHA256=dbebf6d463c2dbf61836b3eba09b643e1d79a02652a32482ca58894703b9addb%" or Image.Hashes like r"%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%" or Image.Hashes like r"%SHA256=e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5%" or Image.Hashes like r"%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%" or Image.Hashes like r"%SHA256=70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7%" or Image.Hashes like r"%SHA256=909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77%" or Image.Hashes like r"%SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918%" or Image.Hashes like r"%SHA256=90574d2c406b9738aae8fc629c3983c5e47a6282a43b052f38b5dd313380c30a%" or Image.Hashes like r"%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%" or Image.Hashes like r"%SHA256=5daa8fa3b5db2e6225a2effea41af95fe7ffc579550c4081c8028ed33bc023b8%" or Image.Hashes like r"%SHA256=115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406%" or Image.Hashes like r"%SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4%" or Image.Hashes like r"%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%" or Image.Hashes like r"%SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25%" or Image.Hashes like r"%SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501%" or Image.Hashes like 
r"%SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c%" or Image.Hashes like r"%SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f%" or Image.Hashes like r"%SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b%" or Image.Hashes like r"%SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26%" or Image.Hashes like r"%SHA256=b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c%" or Image.Hashes like r"%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%" or Image.Hashes like r"%SHA256=f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2%" or Image.Hashes like r"%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%" or Image.Hashes like r"%SHA256=4c807bacfcf5c30686e26812ec8d5581a824b82fee7434260c27c33eee2dfbe2%" or Image.Hashes like r"%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%" or Image.Hashes like r"%SHA256=700b9839fde53e91f0847053b4d2eb8d9bd3aca098844510f1fa3bab6a37eb24%" or Image.Hashes like r"%SHA256=d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e%" or Image.Hashes like r"%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%" or Image.Hashes like r"%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%" or Image.Hashes like r"%SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d%" or Image.Hashes like r"%SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85%" or Image.Hashes like r"%SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512%" or Image.Hashes like r"%SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df%" or Image.Hashes like r"%SHA256=ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8%" or Image.Hashes like r"%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%" or Image.Hashes like 
r"%SHA256=5d7bfe05792189eaf7193bee85f0c792c33315cfcb40b2e62cc7baef6cafbc5c%" or Image.Hashes like r"%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%" or Image.Hashes like r"%SHA256=4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0%" or Image.Hashes like r"%SHA256=7ef8949637cb947f1a4e1d4e68d31d1385a600d1b1054b53e7417767461fafa7%" or Image.Hashes like r"%SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0%" or Image.Hashes like r"%SHA256=4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4%" or Image.Hashes like r"%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%" or Image.Hashes like r"%SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d%" or Image.Hashes like r"%SHA256=da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb%" or Image.Hashes like r"%SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90%" or Image.Hashes like r"%SHA256=cf66fcbcb8b2ea7fb4398f398b7480c50f6a451b51367718c36330182c1bb496%" or Image.Hashes like r"%SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463%" or Image.Hashes like r"%SHA256=1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d%" or Image.Hashes like r"%SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467%" or Image.Hashes like r"%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%" or Image.Hashes like r"%SHA256=b78eb7f12ba718183313cf336655996756411b7dcc8648157aaa4c891ca9dbee%" or Image.Hashes like r"%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%" or Image.Hashes like r"%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%" or Image.Hashes like r"%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%" or Image.Hashes like r"%SHA256=5ab48bf8c099611b217cc9f78af2f92e9aaeedf1cea4c95d5dd562f51e9f0d09%" or Image.Hashes like 
r"%SHA256=274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab%" or Image.Hashes like r"%SHA256=89bc3cb4522f9b0bf467a93a4123ef623c28244e25a9c34d4aae11f705d187e7%" or Image.Hashes like r"%SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd%" or Image.Hashes like r"%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%" or Image.Hashes like r"%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%" or Image.Hashes like r"%SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5%" or Image.Hashes like r"%SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb%" or Image.Hashes like r"%SHA256=afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3%" or Image.Hashes like r"%SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2%" or Image.Hashes like r"%SHA256=9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91%" or Image.Hashes like r"%SHA256=97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c%" or Image.Hashes like r"%SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850%" or Image.Hashes like r"%SHA256=065a34b786b0ccf6f88c136408943c3d2bd3da14357ee1e55e81e05d67a4c9bc%" or Image.Hashes like r"%SHA256=3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d%" or Image.Hashes like r"%SHA256=c188b36f258f38193ace21a7d254f0aec36b59ad7e3f9bcb9c2958108effebad%" or Image.Hashes like r"%SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c%" or Image.Hashes like r"%SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c%" or Image.Hashes like r"%SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88%" or Image.Hashes like r"%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%" or Image.Hashes like r"%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%" or Image.Hashes like 
r"%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%" or Image.Hashes like r"%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%" or Image.Hashes like r"%SHA256=a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e%" or Image.Hashes like r"%SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b%" or Image.Hashes like r"%SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882%" or Image.Hashes like r"%SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae%" or Image.Hashes like r"%SHA256=5be106b92424b12865338b3f541b3c244dce9693fe15f763316f0c6d6fc073ee%" or Image.Hashes like r"%SHA256=b84dc9b885193ced6a1b6842a365a4f18d1683951bb11a5c780ab737ffa06684%" or Image.Hashes like r"%SHA256=dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d%" or Image.Hashes like r"%SHA256=3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb%" or Image.Hashes like r"%SHA256=f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1%" or Image.Hashes like r"%SHA256=8bf01cd6d55502838853851703eb297ec71361fa9a0b088a30c2434f4d2bf9c6%" or Image.Hashes like r"%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%" or Image.Hashes like r"%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%" or Image.Hashes like r"%SHA256=1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43%" or Image.Hashes like r"%SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad%" or Image.Hashes like r"%SHA256=a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c%" or Image.Hashes like r"%SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed%" or Image.Hashes like r"%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%" or Image.Hashes like r"%SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a%" or Image.Hashes like 
r"%SHA256=70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505%" or Image.Hashes like r"%SHA256=76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb%" or Image.Hashes like r"%SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c%" or Image.Hashes like r"%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%" or Image.Hashes like r"%SHA256=1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a%" or Image.Hashes like r"%SHA256=ef438a754fd940d145cc5d658ddac666a06871d71652b258946c21efe4b7e517%" or Image.Hashes like r"%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%" or Image.Hashes like r"%SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee%" or Image.Hashes like r"%SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5%" or Image.Hashes like r"%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%" or Image.Hashes like r"%SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285%" or Image.Hashes like r"%SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb%" or Image.Hashes like r"%SHA256=d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e%" or Image.Hashes like r"%SHA256=b531f0a11ca481d5125c93c977325e135a04058019f939169ce3cdedaddd422d%" or Image.Hashes like r"%SHA256=fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a%" or Image.Hashes like r"%SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc%" or Image.Hashes like r"%SHA256=5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3%" or Image.Hashes like r"%SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a%" or Image.Hashes like r"%SHA256=b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f%" or Image.Hashes like r"%SHA256=786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc%" or Image.Hashes like 
r"%SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca%" or Image.Hashes like r"%SHA256=212c05b487cd4e64de2a1077b789e47e9ac3361efa24d9aab3cc6ad4bd3bd76a%" or Image.Hashes like r"%SHA256=5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab%" or Image.Hashes like r"%SHA256=79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd%" or Image.Hashes like r"%SHA256=9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95%" or Image.Hashes like r"%SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada%" or Image.Hashes like r"%SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26%" or Image.Hashes like r"%SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036%" or Image.Hashes like r"%SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7%" or Image.Hashes like r"%SHA256=ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc%" or Image.Hashes like r"%SHA256=b2bc7514201727d773c09a1cfcfae793fcdbad98024251ccb510df0c269b04e6%" or Image.Hashes like r"%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%" or Image.Hashes like r"%SHA256=eef68fdc5df91660410fb9bed005ed08c258c44d66349192faf5bb5f09f5fa90%" or Image.Hashes like r"%SHA256=582b62ffbcbcdd62c0fc624cdf106545af71078f1edfe1129401d64f3eefaa3a%" or Image.Hashes like r"%SHA256=326b53365f8486c78608139cac84619eff90be361f7ade9db70f9867dd94dcc9%" or Image.Hashes like r"%SHA256=9bd8b0289955a6eb791f45c3203f08a64cbd457fd1b9d598a6fbbca5d0372e36%" or Image.Hashes like r"%SHA256=655110646bff890c448c0951e11132dc3592bda6e080696341b930d090224723%" or Image.Hashes like r"%SHA256=8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f%" or Image.Hashes like r"%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%" or Image.Hashes like r"%SHA256=f2a4ddc38e68efd2eac27b2562529926f5ade93575a82e8d3e0abb2b37347257%" or Image.Hashes like 
r"%SHA256=e89afd283d5789b8064d5487e04b97e2cd3fc0c711a8cec230543ebdf9ffc534%" or Image.Hashes like r"%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%" or Image.Hashes like r"%SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572%" or Image.Hashes like r"%SHA256=81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d%" or Image.Hashes like r"%SHA256=2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9%" or Image.Hashes like r"%SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7%" or Image.Hashes like r"%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%" or Image.Hashes like r"%SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289%" or Image.Hashes like r"%SHA256=71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5%" or Image.Hashes like r"%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%" or Image.Hashes like r"%SHA256=848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891%" or Image.Hashes like r"%SHA256=14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c%" or Image.Hashes like r"%SHA256=49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94%" or Image.Hashes like r"%SHA256=a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53%" or Image.Hashes like r"%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%" or Image.Hashes like r"%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%" or Image.Hashes like r"%SHA256=c8ff7c9f510f7a2ed88d9b336d8c9339698d5e1ee14bfb91aa89703ec06dce42%" or Image.Hashes like r"%SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917%" or Image.Hashes like r"%SHA256=348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1%" or Image.Hashes like r"%SHA256=f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad%" or Image.Hashes like 
r"%SHA256=5fbfd7c4ea3db1197ad38d5a945acf6f2f42cb350380cf8ae276bc80b0dedb77%" or Image.Hashes like r"%SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c%" or Image.Hashes like r"%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%" or Image.Hashes like r"%SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a%" or Image.Hashes like r"%SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d%" or Image.Hashes like r"%SHA256=7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc%" or Image.Hashes like r"%SHA256=7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f%" or Image.Hashes like r"%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%" or Image.Hashes like r"%SHA256=39f137083e6c0200543e1f8d3c074f857d141bdb8c8f09338d48520537b881aa%" or Image.Hashes like r"%SHA256=0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182%" or Image.Hashes like r"%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%" or Image.Hashes like r"%SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c%" or Image.Hashes like r"%SHA256=a0dd3d43ab891777b11d4fdcb3b7f246b80bc66d12f7810cf268a5f6f4f8eb7b%" or Image.Hashes like r"%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%" or Image.Hashes like r"%SHA256=e9919d1546c7dfef62ff01b87f739812de0a57463611c12012013ae689023ce1%" or Image.Hashes like r"%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%" or Image.Hashes like r"%SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f%" or Image.Hashes like r"%SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28%" or Image.Hashes like r"%SHA256=b9ed73af3aef69dc1fb91731d6d0a649e93f83d0f07ddb9729d71c2d00ed0801%" or Image.Hashes like r"%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%" or Image.Hashes like 
r"%SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148%" or Image.Hashes like r"%SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6%" or Image.Hashes like r"%SHA256=5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4%" or Image.Hashes like r"%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%" or Image.Hashes like r"%SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e%" or Image.Hashes like r"%SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d%" or Image.Hashes like r"%SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9%" or Image.Hashes like r"%SHA256=648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f%" or Image.Hashes like r"%SHA256=6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440%" or Image.Hashes like r"%SHA256=b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25%" or Image.Hashes like r"%SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b%" or Image.Hashes like r"%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%" or Image.Hashes like r"%SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6%" or Image.Hashes like r"%SHA256=22e125c284a55eb730f03ec27b87ab84cf897f9d046b91c76bea2b5809fd51c5%" or Image.Hashes like r"%SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289%" or Image.Hashes like r"%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%" or Image.Hashes like r"%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%" or Image.Hashes like r"%SHA256=b7bba82777c9912e6a728c3e873c5a8fd3546982e0d5fa88e64b3e2122f9bc3b%" or Image.Hashes like r"%SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399%" or Image.Hashes like r"%SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085%" or Image.Hashes like 
r"%SHA256=f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585%" or Image.Hashes like r"%SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135%" or Image.Hashes like r"%SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396%" or Image.Hashes like r"%SHA256=d21aba58222930cb75946a0fb72b4adc96de583d3f7d8dc13829b804eb877257%" or Image.Hashes like r"%SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354%" or Image.Hashes like r"%SHA256=2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266%" or Image.Hashes like r"%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%" or Image.Hashes like r"%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%" or Image.Hashes like r"%SHA256=0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57%" or Image.Hashes like r"%SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae%" or Image.Hashes like r"%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%" or Image.Hashes like r"%SHA256=cb59a641adb623a65a9b5af1db2ffd921fd1ca1bc046a6df85d5f2e00fd0b5a5%" or Image.Hashes like r"%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%" or Image.Hashes like r"%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%" or Image.Hashes like r"%SHA256=51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292%" or Image.Hashes like r"%SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30%" or Image.Hashes like r"%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%" or Image.Hashes like r"%SHA256=83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c%" or Image.Hashes like r"%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%" or Image.Hashes like r"%SHA256=51f002ee44e46889cf5b99a724dd10cc2bd3e22545e2a2cb3bd6b1dd3af5ba11%" or Image.Hashes like 
r"%SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd%" or Image.Hashes like r"%SHA256=e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717%" or Image.Hashes like r"%SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a%" or Image.Hashes like r"%SHA256=b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890%" or Image.Hashes like r"%SHA256=bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091%" or Image.Hashes like r"%SHA256=6575ea9b319beb3845d43ce2c70ea55f0414da2055fa82eec324c4cebdefe893%" or Image.Hashes like r"%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%" or Image.Hashes like r"%SHA256=63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e%" or Image.Hashes like r"%SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2%" or Image.Hashes like r"%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%" or Image.Hashes like r"%SHA256=26d69e677d30bb53c7ac7f3fce76291fe2c44720ef17ee386f95f08ec5175288%" or Image.Hashes like r"%SHA256=b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71%" or Image.Hashes like r"%SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305%" or Image.Hashes like r"%SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4%" or Image.Hashes like r"%SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69%" or Image.Hashes like r"%SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1%" or Image.Hashes like r"%SHA256=d7a61c671eab1dfaa62fe1088a85f6d52fb11f2f32a53822a49521ca2c16585e%" or Image.Hashes like r"%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%" or Image.Hashes like r"%SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4%" or Image.Hashes like r"%SHA256=478bcb750017cb6541f3dd0d08a47370f3c92eec998bc3825b5d8e08ee831b70%" or Image.Hashes like 
r"%SHA256=1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7%" or Image.Hashes like r"%SHA256=e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21%" or Image.Hashes like r"%SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f%" or Image.Hashes like r"%SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e%" or Image.Hashes like r"%SHA256=4ace6dded819e87f3686af2006cb415ed75554881a28c54de606975c41975112%" or Image.Hashes like r"%SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a%" or Image.Hashes like r"%SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f%" or Image.Hashes like r"%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%" or Image.Hashes like r"%SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524%" or Image.Hashes like r"%SHA256=202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213%" or Image.Hashes like r"%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%" or Image.Hashes like r"%SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd%" or Image.Hashes like r"%SHA256=00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922%" or Image.Hashes like r"%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%" or Image.Hashes like r"%SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5%" or Image.Hashes like r"%SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8%" or Image.Hashes like r"%SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867%" or Image.Hashes like r"%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%" or Image.Hashes like r"%SHA256=c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b%" or Image.Hashes like r"%SHA256=c2562e0101cb39906c73b96fc15a6e6e3edd710b19858f6bbd0c90f1561b6038%" or Image.Hashes like 
r"%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%" or Image.Hashes like r"%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%" or Image.Hashes like r"%SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3%" or Image.Hashes like r"%SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14%" or Image.Hashes like r"%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%" or Image.Hashes like r"%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%" or Image.Hashes like r"%SHA256=405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1%" or Image.Hashes like r"%SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229%" or Image.Hashes like r"%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%" or Image.Hashes like r"%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%" or Image.Hashes like r"%SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687%" or Image.Hashes like r"%SHA256=ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d%" or Image.Hashes like r"%SHA256=b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c%" or Image.Hashes like r"%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%" or Image.Hashes like r"%SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9%" or Image.Hashes like r"%SHA256=11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f%" or Image.Hashes like r"%SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c%" or Image.Hashes like r"%SHA256=2a11b4f125d8537e69af7b684494e49ef2a30a219634988e278177fa36c934eb%" or Image.Hashes like r"%SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f%" or Image.Hashes like r"%SHA256=37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20%" or Image.Hashes like 
r"%SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b%" or Image.Hashes like r"%SHA256=c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0%" or Image.Hashes like r"%SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc%" or Image.Hashes like r"%SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2%" or Image.Hashes like r"%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%" or Image.Hashes like r"%SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba%" or Image.Hashes like r"%SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e%" or Image.Hashes like r"%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%" or Image.Hashes like r"%SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b%" or Image.Hashes like r"%SHA256=ffd03584246730397e231eb8d16c1449aef2c3bc79bf9da3ebf8400a21b20ae7%" or Image.Hashes like r"%SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646%" or Image.Hashes like r"%SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7%" or Image.Hashes like r"%SHA256=c640930c29ea3610a3a5cebee573235ec70267ed223b79b9fa45a80081e686a4%" or Image.Hashes like r"%SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc%" or Image.Hashes like r"%SHA256=16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1%" or Image.Hashes like r"%SHA256=24e70c87d58fa5771f02b9ddf0d8870cba6b26e35c6455a2c77f482e2080d3e9%" or Image.Hashes like r"%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%" or Image.Hashes like r"%SHA256=8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c%" or Image.Hashes like r"%SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4%" or Image.Hashes like r"%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%" or Image.Hashes like 
r"%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%" or Image.Hashes like r"%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%" or Image.Hashes like r"%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%" or Image.Hashes like r"%SHA256=d9a2bf0f5ba185170441f003dc46fbb570e1c9fdf2132ab7de28b87ba7ad1a0c%" or Image.Hashes like r"%SHA256=0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180%" or Image.Hashes like r"%SHA256=b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763%" or Image.Hashes like r"%SHA256=bfc121e93fcbf9bd42736cfe7675ae2cc805be9a58f1a0d8cc3aa5b42e49a13f%" or Image.Hashes like r"%SHA256=b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b%" or Image.Hashes like r"%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%" or Image.Hashes like r"%SHA256=5bdba1561ec5b23b1d56ea8cee411147d1526595f03a9281166a563b3641fa2a%" or Image.Hashes like r"%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%" or Image.Hashes like r"%SHA256=66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e%" or Image.Hashes like r"%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%" or Image.Hashes like r"%SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961%" or Image.Hashes like r"%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%" or Image.Hashes like r"%SHA256=9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be%" or Image.Hashes like r"%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%" or Image.Hashes like r"%SHA256=fc3e8554602c476e2edfa92ba4f6fb2e5ba0db433b9fbd7d8be1036e454d2584%" or Image.Hashes like r"%SHA256=bef87650c29faf421e7ad666bf47d7a78a45f291b438c8d1c4b6a66e5b54c6fc%" or Image.Hashes like r"%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%" or Image.Hashes like 
r"%SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c%" or Image.Hashes like r"%SHA256=4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d%" or Image.Hashes like r"%SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879%" or Image.Hashes like r"%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%" or Image.Hashes like r"%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%" or Image.Hashes like r"%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%" or Image.Hashes like r"%SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3%" or Image.Hashes like r"%SHA256=f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de%" or Image.Hashes like r"%SHA256=567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270%" or Image.Hashes like r"%SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba%" or Image.Hashes like r"%SHA256=b074caef2fbf7e1dc8870edccb65254858d95836f466b4e9e6ca398bf7a27aa3%" or Image.Hashes like r"%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%" or Image.Hashes like r"%SHA256=8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409%" or Image.Hashes like r"%SHA256=f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d%" or Image.Hashes like r"%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%" or Image.Hashes like r"%SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa%" or Image.Hashes like r"%SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa%" or Image.Hashes like r"%SHA256=9e2622d8e7a0ec136ba1fff639833f05137f8a1ff03e7a93b9a4aea25e7abb8d%" or Image.Hashes like r"%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%" or Image.Hashes like r"%SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7%" or Image.Hashes like 
r"%SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2%" or Image.Hashes like r"%SHA256=3ac8e54be2804f5fa60d0d23a11ba323fba078a942c96279425aabad935b8236%" or Image.Hashes like r"%SHA256=468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5%" or Image.Hashes like r"%SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b%" or Image.Hashes like r"%SHA256=ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4%" or Image.Hashes like r"%SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441%" or Image.Hashes like r"%SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989%" or Image.Hashes like r"%SHA256=0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7%" or Image.Hashes like r"%SHA256=daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5%" or Image.Hashes like r"%SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa%" or Image.Hashes like r"%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%" or Image.Hashes like r"%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%" or Image.Hashes like r"%SHA256=7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0%" or Image.Hashes like r"%SHA256=f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6%" or Image.Hashes like r"%SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d%" or Image.Hashes like r"%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%" or Image.Hashes like r"%SHA256=0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664%" or Image.Hashes like r"%SHA256=dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53%" or Image.Hashes like r"%SHA256=f48f31bf9c6abbd44124b66bce2ab1200176e31ef1e901733761f2b5ceb60fb2%" or Image.Hashes like r"%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%" or Image.Hashes like 
r"%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%" or Image.Hashes like r"%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%" or Image.Hashes like r"%SHA256=3678ba63d62efd3b706d1b661d631ded801485c08b5eb9a3ef38380c6cff319a%" or Image.Hashes like r"%SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd%" or Image.Hashes like r"%SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd%" or Image.Hashes like r"%SHA256=3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5%" or Image.Hashes like r"%SHA256=f13f6a4bf7711216c9e911f18dfa2735222551fb1f8c1a645a8674c1983ccea6%" or Image.Hashes like r"%SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0%" or Image.Hashes like r"%SHA256=898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289%" or Image.Hashes like r"%SHA256=834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78%" or Image.Hashes like r"%SHA256=d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4%" or Image.Hashes like r"%SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c%" or Image.Hashes like r"%SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7%" or Image.Hashes like r"%SHA256=8001d7161d662a6f4afb4d17823144e042fd24696d8904380d48065209f28258%" or Image.Hashes like r"%SHA256=4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51%" or Image.Hashes like r"%SHA256=1336469ec0711736e742b730d356af23f8139da6038979cfe4de282de1365d3b%" or Image.Hashes like r"%SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75%" or Image.Hashes like r"%SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9%" or Image.Hashes like r"%SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d%" or Image.Hashes like r"%SHA256=85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3%" or Image.Hashes like 
r"%SHA256=31e2e5c3290989e8624820cf5af886fd778ee8187fed593f33a6178f65103f37%" or Image.Hashes like r"%SHA256=1deae340bf619319adce00701de887f7434deab4d5547a1742aeedb5634d23c6%" or Image.Hashes like r"%SHA256=442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c%" or Image.Hashes like r"%SHA256=ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1%" or Image.Hashes like r"%SHA256=53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6%" or Image.Hashes like r"%SHA256=f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65%" or Image.Hashes like r"%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%" or Image.Hashes like r"%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%" or Image.Hashes like r"%SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094%" or Image.Hashes like r"%SHA256=87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5%" or Image.Hashes like r"%SHA256=c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633%" or Image.Hashes like r"%SHA256=78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663%" or Image.Hashes like r"%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%" or Image.Hashes like r"%SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc%" or Image.Hashes like r"%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%" or Image.Hashes like r"%SHA256=be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0%" or Image.Hashes like r"%SHA256=7108613244f16c2279c3c917aa49cef8acf0b92fdaa9ace19bf5cf634360d727%" or Image.Hashes like r"%SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f%" or Image.Hashes like r"%SHA256=20e52e0d7f579dc6884cc6e80266fddceda69ea5fdd0b095c0874b0d877e48a2%" or Image.Hashes like r"%SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a%" or Image.Hashes like 
r"%SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566%" or Image.Hashes like r"%SHA256=b3e645e8817696fa5d5e2255f9328f3b6a2e5fce91737f4d654ff155dc9851e5%" or Image.Hashes like r"%SHA256=3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458%" or Image.Hashes like r"%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%" or Image.Hashes like r"%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%" or Image.Hashes like r"%SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192%" or Image.Hashes like r"%SHA256=d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7%" or Image.Hashes like r"%SHA256=e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb%" or Image.Hashes like r"%SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356%" or Image.Hashes like r"%SHA256=d330ab003206ce5e9828607562790aa8dd0453f6b7452f5c6053e3c6b6761d25%" or Image.Hashes like r"%SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058%" or Image.Hashes like r"%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%" or Image.Hashes like r"%SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c%" or Image.Hashes like r"%SHA256=5fe5a6f88fbbc85be9efe81204eee11dff1a683b426019d330b1276a3b5424f4%" or Image.Hashes like r"%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%" or Image.Hashes like r"%SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d%" or Image.Hashes like r"%SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d%" or Image.Hashes like r"%SHA256=af298d940b186f922464d2ef19ccfc129c77126a4f337ecf357b4fe5162a477c%" or Image.Hashes like r"%SHA256=6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097%" or Image.Hashes like r"%SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01%" or Image.Hashes like 
r"%SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63%" or Image.Hashes like r"%SHA256=be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7%" or Image.Hashes like r"%SHA256=2288c418ddadd5a1db4e58c118d8455b01fd33728664408ce23b9346ae0ca057%" or Image.Hashes like r"%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%" or Image.Hashes like r"%SHA256=64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5%" or Image.Hashes like r"%SHA256=7de1ce434f957df7bbdf6578dd0bf06ed1269f3cc182802d5c499f5570a85b3a%" or Image.Hashes like r"%SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2%" or Image.Hashes like r"%SHA256=ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9%" or Image.Hashes like r"%SHA256=f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114%" or Image.Hashes like r"%SHA256=8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047%" or Image.Hashes like r"%SHA256=0584520b4b3bdad1d177329bd9952c0589b2a99eb9676cb324d1fce46dad0b9a%" or Image.Hashes like r"%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%" or Image.Hashes like r"%SHA256=4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4%" or Image.Hashes like r"%SHA256=a0e583bd88eb198558442f69a8bbfc96f4c5c297befea295138cfd2070f745c5%" or Image.Hashes like r"%SHA256=9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91%" or Image.Hashes like r"%SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7%" or Image.Hashes like r"%SHA256=d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e%" or Image.Hashes like r"%SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a%" or Image.Hashes like r"%SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c%" or Image.Hashes like r"%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%" or Image.Hashes like 
r"%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%" or Image.Hashes like r"%SHA256=1e9ec6b3e83055ae90f3664a083c46885c506d33de5e2a49f5f1189e89fa9f0a%" or Image.Hashes like r"%SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df%" or Image.Hashes like r"%SHA256=2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958%" or Image.Hashes like r"%SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0%" or Image.Hashes like r"%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%" or Image.Hashes like r"%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%" or Image.Hashes like r"%SHA256=d44848d3e845f8293974e8b621b72a61ec00c8d3cf95fcf41698bbbd4bdf5565%" or Image.Hashes like r"%SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1%" or Image.Hashes like r"%SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad%" or Image.Hashes like r"%SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9%" or Image.Hashes like r"%SHA256=a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67%" or Image.Hashes like r"%SHA256=d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2%" or Image.Hashes like r"%SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc%" or Image.Hashes like r"%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%" or Image.Hashes like r"%SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2%" or Image.Hashes like r"%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%" or Image.Hashes like r"%SHA256=d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4%" or Image.Hashes like r"%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%" or Image.Hashes like r"%SHA256=c35f3a9da8e81e75642af20103240618b641d39724f9df438bf0f361122876b0%" or Image.Hashes like 
r"%SHA256=ae5cc99f3c61c86c7624b064fd188262e0160645c1676d231516bf4e716a22d3%" or Image.Hashes like r"%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%" or Image.Hashes like r"%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%" or Image.Hashes like r"%SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853%" or Image.Hashes like r"%SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38%" or Image.Hashes like r"%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%" or Image.Hashes like r"%SHA256=3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f%" or Image.Hashes like r"%SHA256=7fc01f25c4c18a6c539cda38fdbf34b2ff02a15ffd1d93a7215e1f48f76fb3be%" or Image.Hashes like r"%SHA256=6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7%" or Image.Hashes like r"%SHA256=18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7%" or Image.Hashes like r"%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%" or Image.Hashes like r"%SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7%" or Image.Hashes like r"%SHA256=88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3%" or Image.Hashes like r"%SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba%" or Image.Hashes like r"%SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961%" or Image.Hashes like r"%SHA256=46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28%" or Image.Hashes like r"%SHA256=73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a%" or Image.Hashes like r"%SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc%" or Image.Hashes like r"%SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63%" or Image.Hashes like r"%SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d%" or Image.Hashes like 
r"%SHA256=922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832%" or Image.Hashes like r"%SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a%" or Image.Hashes like r"%SHA256=bb0742036c82709e02f25f98a9ff37c36a8c228bcaa98e40629fac8cde95b421%" or Image.Hashes like r"%SHA256=7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96%" or Image.Hashes like r"%SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8%" or Image.Hashes like r"%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%" or Image.Hashes like r"%SHA256=1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718%" or Image.Hashes like r"%SHA256=11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768%" or Image.Hashes like r"%SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf%" or Image.Hashes like r"%SHA256=5449e4dd1b75a7d52922c30baeca0ca8e32fe2210d1e72af2a2f314a5c2268fb%" or Image.Hashes like r"%SHA256=54488a8c7da53222f25b6ed74b0dedc55d00f5fa80f4eaf6daac28f7c3528876%" or Image.Hashes like r"%SHA256=98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e%" or Image.Hashes like r"%SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3%" or Image.Hashes like r"%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%" or Image.Hashes like r"%SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c%" or Image.Hashes like r"%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%" or Image.Hashes like r"%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%" or Image.Hashes like r"%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%" or Image.Hashes like r"%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%" or Image.Hashes like r"%SHA256=1cedd5815bb6e20d3697103cfc0275f5015f469e6007e8cac16892c97731c695%" or Image.Hashes like 
r"%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%" or Image.Hashes like r"%SHA256=b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f%" or Image.Hashes like r"%SHA256=7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25%" or Image.Hashes like r"%SHA256=6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0%" or Image.Hashes like r"%SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496%" or Image.Hashes like r"%SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b%" or Image.Hashes like r"%SHA256=0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3%" or Image.Hashes like r"%SHA256=ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7%" or Image.Hashes like r"%SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6%" or Image.Hashes like r"%SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae%" or Image.Hashes like r"%SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704%" or Image.Hashes like r"%SHA256=63af3fdb1e85949c8adccb43f09ca4556ae258b363a99ae599e1e834d34c8670%" or Image.Hashes like r"%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%" or Image.Hashes like r"%SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134%" or Image.Hashes like r"%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%" or Image.Hashes like r"%SHA256=e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef%" or Image.Hashes like r"%SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9%" or Image.Hashes like r"%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%" or Image.Hashes like r"%SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605%" or Image.Hashes like r"%SHA256=ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d%" or Image.Hashes like 
r"%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%" or Image.Hashes like r"%SHA256=0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02%" or Image.Hashes like r"%SHA256=c8926e31be2d1355e542793af8ff9ccc4d1d60cae40c9564b2400dd4e1090bda%" or Image.Hashes like r"%SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de%" or Image.Hashes like r"%SHA256=0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c%" or Image.Hashes like r"%SHA256=dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233%" or Image.Hashes like r"%SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0%" or Image.Hashes like r"%SHA256=423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18%" or Image.Hashes like r"%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%" or Image.Hashes like r"%SHA256=ae71f40f06edda422efcd16f3a48f5b795b34dd6d9bb19c9c8f2e083f0850eb7%" or Image.Hashes like r"%SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4%" or Image.Hashes like r"%SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc%" or Image.Hashes like r"%SHA256=a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6%" or Image.Hashes like r"%SHA256=d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757%" or Image.Hashes like r"%SHA256=11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359%" or Image.Hashes like r"%SHA256=1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67%" or Image.Hashes like r"%SHA256=2695390a8a7448390fe383beb1eee06d582202683f0273d6e72ef39a8cf709e1%" or Image.Hashes like r"%SHA256=ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18%" or Image.Hashes like r"%SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22%" or Image.Hashes like r"%SHA256=b9e0c2a569ab02742fa3a37846310a1d4e46ba2bfd4f80e16f00865fc62690cb%" or Image.Hashes like 
r"%SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758%" or Image.Hashes like r"%SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5%" or Image.Hashes like r"%SHA256=a188760f1bf36584a2720014ca982252c6bcd824e7619a98580e28be6090dccc%" or Image.Hashes like r"%SHA256=442f12adebf7cb166b19e8aead2b0440450fd1f33f5db384a39776bb2656474a%" or Image.Hashes like r"%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%" or Image.Hashes like r"%SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0%" or Image.Hashes like r"%SHA256=0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0%" or Image.Hashes like r"%SHA256=94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915%" or Image.Hashes like r"%SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347%" or Image.Hashes like r"%SHA256=47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d%" or Image.Hashes like r"%SHA256=a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e%" or Image.Hashes like r"%SHA256=c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413%" or Image.Hashes like r"%SHA256=082d4d4d4ba1bda5e1599bd24e930ae9f000e7d12b00f7021cca90a4600ea470%" or Image.Hashes like r"%SHA256=84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451%" or Image.Hashes like r"%SHA256=64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66%" or Image.Hashes like r"%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%" or Image.Hashes like r"%SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8%" or Image.Hashes like r"%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%" or Image.Hashes like r"%SHA256=9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727%" or Image.Hashes like r"%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%" or Image.Hashes like 
r"%SHA256=96df0b01eeba3e6e50759d400df380db27f0d0e34812d0374d22ac1758230452%" or Image.Hashes like r"%SHA256=df4c02beb039d15ff0c691bbc3595c9edfc1d24e783c8538a859bc5ea537188d%" or Image.Hashes like r"%SHA256=3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50%" or Image.Hashes like r"%SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280%" or Image.Hashes like r"%SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c%" or Image.Hashes like r"%SHA256=0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5%" or Image.Hashes like r"%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%" or Image.Hashes like r"%SHA256=41765151df57125286b398cc107ff8007972f4653527f876d133dac1548865d6%" or Image.Hashes like r"%SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54%" or Image.Hashes like r"%SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3%" or Image.Hashes like r"%SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233%" or Image.Hashes like r"%SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230%" or Image.Hashes like r"%SHA256=39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0%" or Image.Hashes like r"%SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c%" or Image.Hashes like r"%SHA256=6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d%" or Image.Hashes like r"%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%" or Image.Hashes like r"%SHA256=05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686%" or Image.Hashes like r"%SHA256=a6c05b10a5c090b743a61fa225b09e390e2dd2bd6cb4fd96b987f1e0d3f2124a%" or Image.Hashes like r"%SHA256=ce231637422709d927fb6fa0c4f2215b9c0e3ebbd951fb2fa97b8e64da479b96%" or Image.Hashes like r"%SHA256=26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd%" or Image.Hashes like 
r"%SHA256=ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613%" or Image.Hashes like r"%SHA256=fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17%" or Image.Hashes like r"%SHA256=37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60%" or Image.Hashes like r"%SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1%" or Image.Hashes like r"%SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668%" or Image.Hashes like r"%SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4%" or Image.Hashes like r"%SHA256=b1e4455499c6a90ba9a861120a015a6b6f17e64479462b869ad0f05edf6552de%" or Image.Hashes like r"%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%" or Image.Hashes like r"%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%" or Image.Hashes like r"%SHA256=50aa2b3a762abb1306fa003c60de3c78e89ea5d29aab8a9c6479792d2be3c2d7%" or Image.Hashes like r"%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%" or Image.Hashes like r"%SHA256=6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943%" or Image.Hashes like r"%SHA256=61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629%" or Image.Hashes like r"%SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e%" or Image.Hashes like r"%SHA256=d998ea6d0051e17c1387c9f295b1c79bacb2f61c23809903445f60313d36c7fd%" or Image.Hashes like r"%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%" or Image.Hashes like r"%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%" or Image.Hashes like r"%SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8%" or Image.Hashes like r"%SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6%" or Image.Hashes like r"%SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06%" or Image.Hashes like 
r"%SHA256=ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91%" or Image.Hashes like r"%SHA256=0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0%" or Image.Hashes like r"%SHA256=b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe%" or Image.Hashes like r"%SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7%" or Image.Hashes like r"%SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee%" or Image.Hashes like r"%SHA256=48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548%" or Image.Hashes like r"%SHA256=87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b%" or Image.Hashes like r"%SHA256=54bf602a6f1baaec5809a630a5c33f76f1c3147e4b05cecf17b96a93b1d41dca%" or Image.Hashes like r"%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%" or Image.Hashes like r"%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%" or Image.Hashes like r"%SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15%" or Image.Hashes like r"%SHA256=fded693528f7e6ac1af253e0bd2726607308fdaa904f1e7242ed44e1c0b29ae8%" or Image.Hashes like r"%SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef%" or Image.Hashes like r"%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%" or Image.Hashes like r"%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%" or Image.Hashes like r"%SHA256=8edab185e765f9806fa57153db1ede00e68270d2351443ee1de30674eca8d9b6%" or Image.Hashes like r"%SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15%" or Image.Hashes like r"%SHA256=8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7%" or Image.Hashes like r"%SHA256=c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746%" or Image.Hashes like r"%SHA256=77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f%" or Image.Hashes like 
r"%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%" or Image.Hashes like r"%SHA256=3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8%" or Image.Hashes like r"%SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9%" or Image.Hashes like r"%SHA256=5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9%" or Image.Hashes like r"%SHA256=c7079033659ac9459b3b7ab2510805832db2e2a70fe9beb1a6e13c1f51890d88%" or Image.Hashes like r"%SHA256=bbbeb5020b58e6942ec7dec0d1d518e95fc12ddae43f54ef0829d3393c6afd63%" or Image.Hashes like r"%SHA256=38535a0e9fc0684308eb5d6aa6284669bc9743f11cb605b79883b8c13ef906ad%" or Image.Hashes like r"%SHA256=65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377%" or Image.Hashes like r"%SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35%" or Image.Hashes like r"%SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24%" or Image.Hashes like r"%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%" or Image.Hashes like r"%SHA256=bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e%" or Image.Hashes like r"%SHA256=df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858%" or Image.Hashes like r"%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%" or Image.Hashes like r"%SHA256=159dcf37dc723d6db2bad46ed6a1b0e31d72390ec298a5413c7be318aef4a241%" or Image.Hashes like r"%SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476%" or Image.Hashes like r"%SHA256=cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183%" or Image.Hashes like r"%SHA256=2b188ae51ec3be082e4d08f7483777ec5e66d30e393a4e9b5b9dc9af93d1f09b%" or Image.Hashes like r"%SHA256=033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7%" or Image.Hashes like r"%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%" or Image.Hashes like 
r"%SHA256=1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a%" or Image.Hashes like r"%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%" or Image.Hashes like r"%SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471%" or Image.Hashes like r"%SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109%" or Image.Hashes like r"%SHA256=368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1%" or Image.Hashes like r"%SHA256=070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103%" or Image.Hashes like r"%SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10%" or Image.Hashes like r"%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%" or Image.Hashes like r"%SHA256=f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e%" or Image.Hashes like r"%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%" or Image.Hashes like r"%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%" or Image.Hashes like r"%SHA256=5bf3985644308662ebfa2fbcc11fb4d3e2a0c817ad3da1a791020f8c8589ebc8%" or Image.Hashes like r"%SHA256=a19fc837ca342d2db43ee8ad7290df48a1b8b85996c58a19ca3530101862a804%" or Image.Hashes like r"%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%" or Image.Hashes like r"%SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272%" or Image.Hashes like r"%SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39%" or Image.Hashes like r"%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%" or Image.Hashes like r"%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%" or Image.Hashes like r"%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%" or Image.Hashes like r"%SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db%" or Image.Hashes like 
r"%SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797%" or Image.Hashes like r"%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%" or Image.Hashes like r"%SHA256=6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402%" or Image.Hashes like r"%SHA256=2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e%" or Image.Hashes like r"%SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf%" or Image.Hashes like r"%SHA256=767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b%" or Image.Hashes like r"%SHA256=dba8db472e51edd59f0bbaf4e09df71613d4dd26fd05f14a9bc7e3fc217a78aa%" or Image.Hashes like r"%SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573%" or Image.Hashes like r"%SHA256=797c1f883d90d25e7fd553624bb16bfd5db24c2658aa0c3c51c715d5833c10fd%" or Image.Hashes like r"%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%" or Image.Hashes like r"%SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b%" or Image.Hashes like r"%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%" or Image.Hashes like r"%SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00%" or Image.Hashes like r"%SHA256=d9a3dc47699949c8ec0c704346fb2ee86ff9010daa0dbac953cfa5f76b52fcd1%" or Image.Hashes like r"%SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9%" or Image.Hashes like r"%SHA256=572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4%" or Image.Hashes like r"%SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9%" or Image.Hashes like r"%SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a%" or Image.Hashes like r"%SHA256=91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4%" or Image.Hashes like r"%SHA256=5de78cf5f0b1b09e7145db84e91a2223c3ed4d83cceb3ef073c068cf88b9d444%" or Image.Hashes like 
r"%SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b%" or Image.Hashes like r"%SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47%" or Image.Hashes like r"%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%" or Image.Hashes like r"%SHA256=40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59%" or Image.Hashes like r"%SHA256=7277130afa0b1506998d7bc58567b0d83f52a27175f4c7c4a7186347095fceed%" or Image.Hashes like r"%SHA256=6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388%" or Image.Hashes like r"%SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015%" or Image.Hashes like r"%SHA256=775000c4083c8e4dcfc879d83fcd27b40b46820c9834ae4662861386a4d81fe9%" or Image.Hashes like r"%SHA256=125e4475a5437634cab529da9ea2ef0f4f65f89fb25a06349d731f283c27d9fe%" or Image.Hashes like r"%SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c%" or Image.Hashes like r"%SHA256=08828990218ebb4415c1bb33fa2b0a009efd0784b18b3f7ecd3bc078343f7208%" or Image.Hashes like r"%SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0%" or Image.Hashes like r"%SHA256=e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc%" or Image.Hashes like r"%SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43%" or Image.Hashes like r"%SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578%" or Image.Hashes like r"%SHA256=1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441%" or Image.Hashes like r"%SHA256=dd0bd7b8fae8e8835ba09118a02a06a51e111fccbe16916414844aab91cfeed4%" or Image.Hashes like r"%SHA256=17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d%" or Image.Hashes like r"%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%" or Image.Hashes like r"%SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2%" or Image.Hashes like 
r"%SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880%" or Image.Hashes like r"%SHA256=db0d425708ba908aedf5f8762d6fdca7636ae3a537372889446176c0237a2836%" or Image.Hashes like r"%SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282%" or Image.Hashes like r"%SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e%" or Image.Hashes like r"%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%" or Image.Hashes like r"%SHA256=7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0%" or Image.Hashes like r"%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%" or Image.Hashes like r"%SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0%" or Image.Hashes like r"%SHA256=3d8cfc9abea6d83dfea6da03260ff81be3b7b304321274f696ff0fdb9920c645%" or Image.Hashes like r"%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%" or Image.Hashes like r"%SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf%" or Image.Hashes like r"%SHA256=07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88%" or Image.Hashes like r"%SHA256=423d58265b22504f512a84faf787c1af17c44445ae68f7adcaa68b6f970e7bd5%" or Image.Hashes like r"%SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b%" or Image.Hashes like r"%SHA256=ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33%" or Image.Hashes like r"%SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a%" or Image.Hashes like r"%SHA256=270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc%" or Image.Hashes like r"%SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab%" or Image.Hashes like r"%SHA256=fa21e3d2bfb9fafddec0488852377fbb2dbdd6c066ca05bb5c4b6aa840fb7879%" or Image.Hashes like r"%SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe%" or Image.Hashes like 
r"%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%" or Image.Hashes like r"%SHA256=7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f%" or Image.Hashes like r"%SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9%" or Image.Hashes like r"%SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c%" or Image.Hashes like r"%SHA256=d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8%" or Image.Hashes like r"%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%" or Image.Hashes like r"%SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3%" or Image.Hashes like r"%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%" or Image.Hashes like r"%SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097%" or Image.Hashes like r"%SHA256=4ec7af309a9359c332d300861655faeceb68bb1cd836dd66d10dd4fac9c01a28%" or Image.Hashes like r"%SHA256=1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590%" or Image.Hashes like r"%SHA256=defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd%" or Image.Hashes like r"%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%" or Image.Hashes like r"%SHA256=d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb%" or Image.Hashes like r"%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%" or Image.Hashes like r"%SHA256=e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe%" or Image.Hashes like r"%SHA256=a6c11d3bec2a94c40933ec1d3604cfe87617ba828b14f4cded6cfe85656debc0%" or Image.Hashes like r"%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%" or Image.Hashes like r"%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%" or Image.Hashes like r"%SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7%" or Image.Hashes like 
r"%SHA256=bd3cf8b9af255b5d4735782d3653be38578ff5be18846b13d05867a6159aaa53%" or Image.Hashes like r"%SHA256=84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51%" or Image.Hashes like r"%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%" or Image.Hashes like r"%SHA256=e34afe0a8c5459d13e7a11f20d62c7762b2a55613aaf6dbeb887e014b5f19295%" or Image.Hashes like r"%SHA256=d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e%" or Image.Hashes like r"%SHA256=0e9072759433abf3304667b332354e0c635964ff930de034294bf13d40da2a6f%" or Image.Hashes like r"%SHA256=0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49%" or Image.Hashes like r"%SHA256=13ae4d9dcacba8133d8189e59d9352272e15629e6bca580c32aff9810bd96e44%" or Image.Hashes like r"%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%" or Image.Hashes like r"%SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805%" or Image.Hashes like r"%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%" or Image.Hashes like r"%SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c%" or Image.Hashes like r"%SHA256=c6db7f2750e7438196ec906cc9eba540ef49ceca6dbd981038cef1dc50662a73%" or Image.Hashes like r"%SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38%" or Image.Hashes like r"%SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0%" or Image.Hashes like r"%SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506%" or Image.Hashes like r"%SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3%" or Image.Hashes like r"%SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3%" or Image.Hashes like r"%SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921%" or Image.Hashes like r"%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%" or Image.Hashes like 
r"%SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a%" or Image.Hashes like r"%SHA256=e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65%" or Image.Hashes like r"%SHA256=8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65%" or Image.Hashes like r"%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%" or Image.Hashes like r"%SHA256=eba14a2b4cefd74edaf38d963775352dc3618977e30261aab52be682a76b536f%" or Image.Hashes like r"%SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2%" or Image.Hashes like r"%SHA256=bae4372a9284db52dedc1c1100cefa758b3ec8d9d4f0e5588a8db34ded5edb1f%" or Image.Hashes like r"%SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2%" or Image.Hashes like r"%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%" or Image.Hashes like r"%SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445%" or Image.Hashes like r"%SHA256=31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5%" or Image.Hashes like r"%SHA256=e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f%" or Image.Hashes like r"%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%" or Image.Hashes like r"%SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8%" or Image.Hashes like r"%SHA256=66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea%" or Image.Hashes like r"%SHA256=d3eaf041ce5f3fd59885ead2cb4ce5c61ac9d83d41f626512942a50e3da7b75a%" or Image.Hashes like r"%SHA256=a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec%" or Image.Hashes like r"%SHA256=8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040%" or Image.Hashes like r"%SHA256=748ccadb6bf6cdf4c5a5a1bb9950ee167d8b27c5817da71d38e2bc922ffce73d%" or Image.Hashes like r"%SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56%" or Image.Hashes like 
r"%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%" or Image.Hashes like r"%SHA256=1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f%" or Image.Hashes like r"%SHA256=d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4%" or Image.Hashes like r"%SHA256=019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f%" or Image.Hashes like r"%SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782%" or Image.Hashes like r"%SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56%" or Image.Hashes like r"%SHA256=cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461%" or Image.Hashes like r"%SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb%" or Image.Hashes like r"%SHA256=07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8%" or Image.Hashes like r"%SHA256=43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee%" or Image.Hashes like r"%SHA256=dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b%" or Image.Hashes like r"%SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280%" or Image.Hashes like r"%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%" or Image.Hashes like r"%SHA256=a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1%" or Image.Hashes like r"%SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e%" or Image.Hashes like r"%SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461%" or Image.Hashes like r"%SHA256=13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9%" or Image.Hashes like r"%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%" or Image.Hashes like r"%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%" or Image.Hashes like r"%SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5%" or Image.Hashes like 
r"%SHA256=9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a%" or Image.Hashes like r"%SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247%" or Image.Hashes like r"%SHA256=d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3%" or Image.Hashes like r"%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%" or Image.Hashes like r"%SHA256=1076504a145810dfe331324007569b95d0310ac1e08951077ac3baf668b2a486%" or Image.Hashes like r"%SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4%" or Image.Hashes like r"%SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f%" or Image.Hashes like r"%SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1%" or Image.Hashes like r"%SHA256=386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8%" or Image.Hashes like r"%SHA256=163912dfa4ad141e689e1625e994ab7c1f335410ebff0ade86bda3b7cdf6e065%" or Image.Hashes like r"%SHA256=e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822%" or Image.Hashes like r"%SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06%" or Image.Hashes like r"%SHA256=003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4%" or Image.Hashes like r"%SHA256=d2e843d9729da9b19d6085edf69b90b057c890a74142f5202707057ee9c0b568%" or Image.Hashes like r"%SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40%" or Image.Hashes like r"%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%" or Image.Hashes like r"%SHA256=d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23%" or Image.Hashes like r"%SHA256=3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76%" or Image.Hashes like r"%SHA256=e26a21e1b79ecaee7033e05edb0bd72aca463c23bd6fdf5835916ce2dfdf1a63%" or Image.Hashes like r"%SHA256=00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd%" or Image.Hashes like 
r"%SHA256=707b4b5f5c4585156d8a4d8c39cf26729f5ad05d7f77b17f48e670e808e3e6a0%" or Image.Hashes like r"%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%" or Image.Hashes like r"%SHA256=b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44%" or Image.Hashes like r"%SHA256=b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d%" or Image.Hashes like r"%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%" or Image.Hashes like r"%SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def%" or Image.Hashes like r"%SHA256=793a26c5c4c154a40f84c3d3165deb807062b26796acaae94b72f453e95230d5%" or Image.Hashes like r"%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%" or Image.Hashes like r"%SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40%" or Image.Hashes like r"%SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe%" or Image.Hashes like r"%SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b%" or Image.Hashes like r"%SHA256=7c830ed39c9de8fe711632bf44846615f84b10db383f47b7d7c9db29a2bd829a%" or Image.Hashes like r"%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%" or Image.Hashes like r"%SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036%" or Image.Hashes like r"%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%" or Image.Hashes like r"%IMPHASH=88e21ed9e717781eaf87209acbdbb567%" or Image.Hashes like r"%IMPHASH=481d7bb63a8e5eaba756137e6ef22e54%" or Image.Hashes like r"%IMPHASH=cef6a450f196b28e634aa3c0655d8eda%" or Image.Hashes like r"%IMPHASH=0e0722c16a5ded199f64b26fccd2115a%" or Image.Hashes like r"%IMPHASH=f0cd7cce1d03cf9df1b8266701f92b46%" or Image.Hashes like r"%IMPHASH=cc88330f6dca52a40e258f689d3e2db4%" or Image.Hashes like r"%IMPHASH=835e364e2175338d970c2aaee365f3dc%" or Image.Hashes like r"%IMPHASH=82e75304c5b7ed87121b8b89c82f2389%" or 
Image.Hashes like r"%IMPHASH=9470f56376e665fb981a35b303436041%" or Image.Hashes like r"%IMPHASH=37b1eada43ad08093dfa4de7a411d15f%" or Image.Hashes like r"%IMPHASH=a2d936fa82b7340d28a697fb344046d8%" or Image.Hashes like r"%IMPHASH=16b23f4c6ea47d01340a2cce4bf613f7%" or Image.Hashes like r"%IMPHASH=32b632f6379bfaac9f4f3a030a694f55%" or Image.Hashes like r"%IMPHASH=052280a42374b8d779c10cd0d8118691%" or Image.Hashes like r"%IMPHASH=540992ba6f31301ba27604515a78ad79%" or Image.Hashes like r"%IMPHASH=a5fd3b0143c8db98017ec1b2b2528360%" or Image.Hashes like r"%IMPHASH=1e13511288689b63b2e1348bf5eb567b%" or Image.Hashes like r"%IMPHASH=dd406d43857d7f5ad1b0aec04fdb7e5f%" or Image.Hashes like r"%IMPHASH=cf1a39b9408348cddaa4a2827283534c%" or Image.Hashes like r"%IMPHASH=0dcd262801389f839ce909cb173448e2%" or Image.Hashes like r"%IMPHASH=9e15ce38f071c916bea830247f1241bb%" or Image.Hashes like r"%IMPHASH=5716c52252afe18d09f6c1bc6e5ef3ef%" or Image.Hashes like r"%IMPHASH=ecf8495ba751a7e38d6be4c5c80f2bef%" or Image.Hashes like r"%IMPHASH=f475387e3959dbea86854d61602db136%" or Image.Hashes like r"%IMPHASH=98dc1b41bda471f7eabdce8a5d16c09d%" or Image.Hashes like r"%IMPHASH=8b7e7c20da6ca9ac4bdb3927fe2b266a%" or Image.Hashes like r"%IMPHASH=14075e605bff546182d682f41afefea2%" or Image.Hashes like r"%IMPHASH=b8302791cd2edfe6dd562c4854ea495f%" or Image.Hashes like r"%IMPHASH=a1d29a3af6402793ec9d23883512938a%" or Image.Hashes like r"%IMPHASH=aa01c534155ce919d797860feb531eae%" or Image.Hashes like r"%IMPHASH=ebb99842fa08915eb8b7f67d8dc7a13a%" or Image.Hashes like r"%IMPHASH=89f3f52b23bdf03bd2bb7eb3cfab8817%" or Image.Hashes like r"%IMPHASH=8605f70bcc472025c2e78082388ed00b%" or Image.Hashes like r"%IMPHASH=27365d8741d23e179699f1f11a619c7d%" or Image.Hashes like r"%IMPHASH=dc0a0f2d424a59b4d17033f58f01b027%" or Image.Hashes like r"%IMPHASH=48e2ef3c2d32ecca62510d90e12b6632%" or Image.Hashes like r"%IMPHASH=a793af44219650b4dd07d8a19ede33f1%" or Image.Hashes like 
r"%IMPHASH=5f4063ab963abff76d0d83d239697e36%" or Image.Hashes like r"%IMPHASH=7716b766e630388f64de1961719be3d4%" or Image.Hashes like r"%IMPHASH=8ed3fbdefcc1982cd7decc40ace9d2e7%" or Image.Hashes like r"%IMPHASH=6e796fd10b55f58fd0ec9f122a14e918%" or Image.Hashes like r"%IMPHASH=2d7766896629499b1484227afaf43dd7%" or Image.Hashes like r"%IMPHASH=0579e15c488a56c544e8fac130d826ba%" or Image.Hashes like r"%IMPHASH=e1d88d0526dfa369c3661355dbd8773d%" or Image.Hashes like r"%IMPHASH=8ec78cf864273fd81203678b61c41f04%" or Image.Hashes like r"%IMPHASH=ff605557fd515d7ab30ff41dbd8bd24a%" or Image.Hashes like r"%IMPHASH=234f0978e7f2aa0beb9501ff53d94e5b%" or Image.Hashes like r"%IMPHASH=77d6a7153b3015318622b793227fb394%" or Image.Hashes like r"%IMPHASH=6c42ea981bc29a7e2ed56d297e0b56dc%" or Image.Hashes like r"%IMPHASH=23eb5ffc060c6c52546d38e2b63019bd%" or Image.Hashes like r"%IMPHASH=ee9cc2f584c2f06fbff67d484adcf426%" or Image.Hashes like r"%IMPHASH=d6dc99d60798b2647006ddba21671160%" or Image.Hashes like r"%IMPHASH=1427c5f0f4fb100e26a3911f8209504b%" or Image.Hashes like r"%IMPHASH=a095f31019d7a32d0a0507879a1822b1%" or Image.Hashes like r"%IMPHASH=b8a35d469bc164d86ac7c64e93b0037b%" or Image.Hashes like r"%IMPHASH=0e9dfd08346bbe128159bff440d13389%" or Image.Hashes like r"%IMPHASH=bd607d71fdc1444aa96dc431591c5c44%" or Image.Hashes like r"%IMPHASH=f4b8d579fbdb32eabd01954394f5bf3a%" or Image.Hashes like r"%IMPHASH=edc2197e927392567cf09f7de410b5bb%" or Image.Hashes like r"%IMPHASH=7fb9382c0d754d5aac897d7a3e72b10c%" or Image.Hashes like r"%IMPHASH=1422b8d354b95d9cd880c8726df45dfc%" or Image.Hashes like r"%IMPHASH=0c959096cf4b3180530cc7865ef29157%" or Image.Hashes like r"%IMPHASH=aca7bbc6be02770c50b07eb6f94d1d78%" or Image.Hashes like r"%IMPHASH=3f4c9025125027e307b7e52dd577303b%" or Image.Hashes like r"%IMPHASH=68062e8b9d3c1e6cc62a9cae16a12b81%" or Image.Hashes like r"%IMPHASH=228bac53e82887d1ed92f51a667a8231%" or Image.Hashes like r"%IMPHASH=8919b7bae28d98c4a9e5967c9c55ce70%" or 
Image.Hashes like r"%IMPHASH=7e798c3abcbd0f1cfa8b2b9688e01936%" or Image.Hashes like r"%IMPHASH=8add42784f4693f421d85a2bcbadc620%" or Image.Hashes like r"%IMPHASH=fbcdb079e9c13a82f98b79bb6ce86175%" or Image.Hashes like r"%IMPHASH=a94892b77a6474429b9f692d9952a9d5%" or Image.Hashes like r"%IMPHASH=aa03d5a319bc221875846e19e01276f7%" or Image.Hashes like r"%IMPHASH=26150d69f50aa9247c3f3f17521d18a2%" or Image.Hashes like r"%IMPHASH=beb40a1e9d5c89308d1c56958ddac27d%" or Image.Hashes like r"%IMPHASH=59b3f3fa2775e407721c2491ddb2890b%" or Image.Hashes like r"%IMPHASH=c314c92b5c25c6f4323e3efaf8bde47a%" or Image.Hashes like r"%IMPHASH=d8752c1d5954bea175ac00df5acebb09%" or Image.Hashes like r"%IMPHASH=54e54063abbf1edaa9cf9ed8a18916d6%" or Image.Hashes like r"%IMPHASH=4aaef0105216f062a5f3ee071a72770c%" or Image.Hashes like r"%IMPHASH=67f975f0734a5b0598223fbe00b3367e%" or Image.Hashes like r"%IMPHASH=175c5711f3c49a0d929e9e2314b21c6b%" or Image.Hashes like r"%IMPHASH=12befc0a82dcb0585359d335ed47af19%" or Image.Hashes like r"%IMPHASH=24b344cd341f8b20003ac85be08df979%" or Image.Hashes like r"%IMPHASH=08c7f29f5cb29ba70e49879da2e8ddce%" or Image.Hashes like r"%IMPHASH=fc9c0ba924e7f104eda5254aaeacc5e8%" or Image.Hashes like r"%IMPHASH=5192bc7311bdeb1f3977bdc0d2e943e4%" or Image.Hashes like r"%IMPHASH=7363079b9aae7d58bd33c691a613c83c%" or Image.Hashes like r"%IMPHASH=e2c63196ed5368f03dabed73b1ff3409%" or Image.Hashes like r"%IMPHASH=8211bd4f00a3d9928a11a6ac3329fc46%" or Image.Hashes like r"%IMPHASH=2699b7ae36fcadd71425ebafd231d0d1%" or Image.Hashes like r"%IMPHASH=8d2a933d039e8b8134ef41236d5ea843%" or Image.Hashes like r"%IMPHASH=cc335217d6f7ab7a53dcfa55cbda5fb0%" or Image.Hashes like r"%IMPHASH=f9141c3df8f7ec7b3f2d46265a3b5528%" or Image.Hashes like r"%IMPHASH=e0813a780309a0af84b605d95bd194e4%" or Image.Hashes like r"%IMPHASH=e5fd4339e7b94543b16624a27ba1c872%" or Image.Hashes like r"%IMPHASH=fffbca93e6322995552b841c7d65b033%" or Image.Hashes like 
r"%IMPHASH=105b74485670215ab231a942c9101ccf%" or Image.Hashes like r"%IMPHASH=74081c86ad3e9771011f162c107927de%" or Image.Hashes like r"%IMPHASH=2df11474daf362b1b2fa3d3a89b6acbe%" or Image.Hashes like r"%IMPHASH=22a9d7a42282b48c566b4423363d3a3e%" or Image.Hashes like r"%IMPHASH=4fbdc03e4487f98fb59360ea5b3e640d%" or Image.Hashes like r"%IMPHASH=b262e8d078ede007ebd0aa71b9152863%" or Image.Hashes like r"%IMPHASH=abbab73b191d90dc642cbbc1f31d750d%" or Image.Hashes like r"%IMPHASH=a5b3ea8c2012c517c472ad6befd37134%" or Image.Hashes like r"%IMPHASH=9d7183c1d8107495354c4fad9dae3452%" or Image.Hashes like r"%IMPHASH=7d004bbe0f546a91c93562d324307fa7%" or Image.Hashes like r"%IMPHASH=b84820037d6a51ba108e0e81ce01db0b%" or Image.Hashes like r"%IMPHASH=68b717fa2ab9431cd176776363359d48%" or Image.Hashes like r"%IMPHASH=b0356152212dc6e33752847235064fb0%" or Image.Hashes like r"%IMPHASH=baa420e9d4e3baf0d65d4fc2bf497708%" or Image.Hashes like r"%IMPHASH=85fd19df117fbc21efbcb1d587063e12%" or Image.Hashes like r"%IMPHASH=8122311437457ccae22578e301c6a17d%" or Image.Hashes like r"%IMPHASH=f939ef0b7f792672866386600f82aa04%" or Image.Hashes like r"%IMPHASH=d7de998e454f947f62d4a6b66490563b%" or Image.Hashes like r"%IMPHASH=17a9b50297a2334d8e9dfc3411bbe8ab%" or Image.Hashes like r"%IMPHASH=6816dabcee7b7d027bfbb93a16297afa%" or Image.Hashes like r"%IMPHASH=6723b1d5bd0f1fc13216cb44541e619e%" or Image.Hashes like r"%IMPHASH=71e84092e69114f0792419cb8b2b0fd1%" or Image.Hashes like r"%IMPHASH=9c8c681f74950997cd571fd838a847b8%" or Image.Hashes like r"%IMPHASH=95fe5e937e5acf9bea948fe0256e46ae%" or Image.Hashes like r"%IMPHASH=fc789f89340a45f1ab6c49e61b1f6b40%" or Image.Hashes like r"%IMPHASH=b8d0a36d2b14d79dfa08fb2e121f0920%" or Image.Hashes like r"%IMPHASH=6ce93eab57a73915ecd5c202a339f6ce%" or Image.Hashes like r"%IMPHASH=59b168c8ba0db46cb70d1d5a103e6c41%" or Image.Hashes like r"%IMPHASH=3edc60bda68569cac7ad7604728ff40d%" or Image.Hashes like r"%IMPHASH=3e8e7e5e779c7064e6bab177167e9e7a%" or 
Image.Hashes like r"%IMPHASH=b05ee5c816a30bc52378c759486af0b9%" or Image.Hashes like r"%IMPHASH=f7d07bcaa23837d219dcb64e76290252%" or Image.Hashes like r"%IMPHASH=d658b06ec1ce39670b02a2dd83e29d03%" or Image.Hashes like r"%IMPHASH=11bfcbdb0787ef461d442f973c392cf6%" or Image.Hashes like r"%IMPHASH=f531646e31cc12dfaac5b8352653c384%" or Image.Hashes like r"%IMPHASH=9b3ad85a76080f989d24cd89da90175a%" or Image.Hashes like r"%IMPHASH=5f6fd4ffba177389f414dd1a6ded24b4%" or Image.Hashes like r"%IMPHASH=4b0b017b23567cf8b9e1268957acd032%" or Image.Hashes like r"%IMPHASH=b4a71a1265f5f82cf383af17e229acb5%" or Image.Hashes like r"%IMPHASH=0ebf1214948a636eba076b14cd8f72d5%" or Image.Hashes like r"%IMPHASH=c05e71aad32edcbe71ae0ef1621f8693%" or Image.Hashes like r"%IMPHASH=427cd9c70cca88ca1db61a5ddc3b8450%" or Image.Hashes like r"%IMPHASH=236bc37dff7a92a4d25d807cf038e674%" or Image.Hashes like r"%IMPHASH=e38cca61999fb8a0308c0eb798b07989%" or Image.Hashes like r"%IMPHASH=3815f9107b799b863cd905178e6e07d0%" or Image.Hashes like r"%IMPHASH=3c91d549b68e320924bcde3856993e87%" or Image.Hashes like r"%IMPHASH=bb56f25a810b329868a0ff8e94080bad%" or Image.Hashes like r"%IMPHASH=f5030145594c486434040aa2636a5dde%" or Image.Hashes like r"%IMPHASH=d8101af81fd826b492ced1994ebd3268%" or Image.Hashes like r"%IMPHASH=b5967a61e1a4e1d57b3d8ffefc5721ed%" or Image.Hashes like r"%IMPHASH=799c9c020c6fcfd11a4172bc861f74af%" or Image.Hashes like r"%IMPHASH=2b9471e7bb8c05dc55d0a2ff0591ea98%" or Image.Hashes like r"%IMPHASH=6a47c957830ccce7ef43ed96aacf7c2c%" or Image.Hashes like r"%IMPHASH=b1e749ba779687a5127817da3d47af2c%" or Image.Hashes like r"%IMPHASH=202a0f2f992ec379e2876776ae9de661%" or Image.Hashes like r"%IMPHASH=f5df2479285c7b593b3630b8357032e3%" or Image.Hashes like r"%IMPHASH=32204eaf2afa5b348ab17de07362885c%" or Image.Hashes like r"%IMPHASH=1de2e6e58f6b19c4ec9ad6ca9fce5c14%" or Image.Hashes like r"%IMPHASH=64d934652c680b7759f6e75d05ee3072%" or Image.Hashes like 
r"%IMPHASH=176d8e75a27a45e2c6f5d4cceca4d869%" or Image.Hashes like r"%IMPHASH=f0820e8f674e44e5c2a3f899ec561c1d%" or Image.Hashes like r"%IMPHASH=f4fa225abfb5a5263241a01a2c3f2b8f%" or Image.Hashes like r"%IMPHASH=a18b467c3b43f334ca455c495a3ef70d%" or Image.Hashes like r"%IMPHASH=a8633e68c2ad9f3dc83775d8d5b21c5b%" or Image.Hashes like r"%IMPHASH=9d5a58052468c8e07ff3d5bd730e5d00%" or Image.Hashes like r"%IMPHASH=69260cce3156aa2dc0540fb78f5fe826%" or Image.Hashes like r"%IMPHASH=b1336b0cb67918ed39f1f88c354910d0%" or Image.Hashes like r"%IMPHASH=f119bff607049d431d0968fbaf6532f3%" or Image.Hashes like r"%IMPHASH=c91146dfe120f6e8fbed2150d9e020ca%" or Image.Hashes like r"%IMPHASH=1e6875beefe8571686d3e8530f8c4bfb%" or Image.Hashes like r"%IMPHASH=acdf419d1d03923be256205b9c33eec8%" or Image.Hashes like r"%IMPHASH=756adaea6a3f9f0cdaff73d1a49ca201%" or Image.Hashes like r"%IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511%" or Image.Hashes like r"%IMPHASH=6e7cd05c0da9f82449a8b3795418ee00%" or Image.Hashes like r"%IMPHASH=8c3af6c25ab40c4daefb4f836d12e1c8%" or Image.Hashes like r"%IMPHASH=4792bcb395d06f9efb72e8020c4af5e6%" or Image.Hashes like r"%IMPHASH=d5bc15465b63888cc8b98ecc63a81517%" or Image.Hashes like r"%IMPHASH=7f53340c91c108efedb5b8678c5207b3%" or Image.Hashes like r"%IMPHASH=3f4a90b2976641ad2c0164792b24d322%" or Image.Hashes like r"%IMPHASH=d221afaadf43ceedb581e665435c56c7%" or Image.Hashes like r"%IMPHASH=f212bbc758bb52fc661839b1d194b76e%" or Image.Hashes like r"%IMPHASH=e938b727f5a033818337f7ba0584500f%" or Image.Hashes like r"%IMPHASH=3ac083b0ee2b752436a8a1532179f032%" or Image.Hashes like r"%IMPHASH=2e9ef79ea88178e29516dfa435a58900%" or Image.Hashes like r"%IMPHASH=24c3d3be20e794c17844d030be03fd2f%" or Image.Hashes like r"%IMPHASH=700a9350ac8b218ab9fc62cf25337ad3%" or Image.Hashes like r"%IMPHASH=e586fd1c5af87b43696b9d29b09bf1b1%" or Image.Hashes like r"%IMPHASH=2233472cee6457ad207017803048aaff%" or Image.Hashes like r"%IMPHASH=f046e37fa7914491dc25a6f7718da341%" or 
Image.Hashes like r"%IMPHASH=683bc425e3d8c21f9473a238a0645a4e%" or Image.Hashes like r"%IMPHASH=f08e2ac6ca73cd2a924ed25dc6813638%" or Image.Hashes like r"%IMPHASH=e2306e26abfd90a5ce4dad0e266b3905%" or Image.Hashes like r"%IMPHASH=10917aa77669c6ae714f074d89be9ab8%" or Image.Hashes like r"%IMPHASH=db62897eb9d2098e988f830159c04c82%" or Image.Hashes like r"%IMPHASH=51780bba04121d6be13f69de08721445%" or Image.Hashes like r"%IMPHASH=29a2e15ac1622a3daf7da5a78f0cef08%" or Image.Hashes like r"%IMPHASH=5988ec9f159fefbdf89d893aa634dd92%" or Image.Hashes like r"%IMPHASH=05d3de62beab8e88de1dafd3b24a16f6%" or Image.Hashes like r"%IMPHASH=88380fdfc880da4da407c38f34fe8a3c%" or Image.Hashes like r"%IMPHASH=8a424cd36ae3eab0d11332ce3b982a02%" or Image.Hashes like r"%IMPHASH=60a2fba979aaa0d0ccd09c12ca3d9e57%" or Image.Hashes like r"%IMPHASH=85f86c7c8ce81a78e84efa545d7edc65%" or Image.Hashes like r"%IMPHASH=9523103b30fb194643b97ccc3ab7abb0%" or Image.Hashes like r"%IMPHASH=0c2219c9c5eab786fa876f74356eea20%" or Image.Hashes like r"%IMPHASH=7abb0911ca4cc4697ee1e9897932d3ac%" or Image.Hashes like r"%IMPHASH=c6a0f65ba653ee78255cc9e314abc442%" or Image.Hashes like r"%IMPHASH=44e6f2f64092b48f8eb926c36ebd1d56%" or Image.Hashes like r"%IMPHASH=13300d56528646611f26704266713952%" or Image.Hashes like r"%IMPHASH=095c0cdb9c0421da216371c1f4e8790e%" or Image.Hashes like r"%IMPHASH=45f8f347e3fb919f3164a4a3278f1c71%" or Image.Hashes like r"%IMPHASH=0e4f5481813eeec4e5dd96e36020135f%" or Image.Hashes like r"%IMPHASH=1d05fb30a58133da2e9dbdfcf51b80fd%" or Image.Hashes like r"%IMPHASH=2561727ac42d399030b3c46477c428f4%" or Image.Hashes like r"%IMPHASH=be69e763a6a858c3e7e1ea6e3af12691%" or Image.Hashes like r"%IMPHASH=7fba20994f76fb31b9f5a2b3f0c00055%" or Image.Hashes like r"%IMPHASH=1d9cdf46ff335712634c292180c06755%" or Image.Hashes like r"%IMPHASH=ad4586d21c9469bf636b5e8660e9d702%" or Image.Hashes like r"%IMPHASH=958dd67f866ae27cf716e30a025b266f%" or Image.Hashes like 
r"%IMPHASH=1dd3b83f2b007f862a1d8de4a1d3303f%" or Image.Hashes like r"%IMPHASH=b4c562c2c654abd2cc71658646314976%" or Image.Hashes like r"%IMPHASH=679eba16ab2d51543b7007708838ef7c%" or Image.Hashes like r"%IMPHASH=a1603fe7f02448c6b33687ddb9304c7f%" or Image.Hashes like r"%IMPHASH=9e2cf28fe320bbf74972509536569c8e%" or Image.Hashes like r"%IMPHASH=f233a65b937c69b447824889fb7425ff%" or Image.Hashes like r"%IMPHASH=b3204707f6e489cd5a2484881eaf78ca%" or Image.Hashes like r"%IMPHASH=c61a46ffe79d3f7d6307c0d2ae5f391e%" or Image.Hashes like r"%IMPHASH=28c5045218461018dbde27212ab0f227%" or Image.Hashes like r"%IMPHASH=af34db96db910a3fa7a56f2fac8ed5e1%" or Image.Hashes like r"%IMPHASH=e80eeed7225a880bbde0d038a5fe1af4%" or Image.Hashes like r"%IMPHASH=62473b41d695f075ad96abc4a408de5b%" or Image.Hashes like r"%IMPHASH=56307b5227183c002e4231320a72b961%" or Image.Hashes like r"%IMPHASH=dd7c5c0c762169d40ee01280e4ac74fc%" or Image.Hashes like r"%IMPHASH=9915439d37f385dbffc72bf835f3ee02%" or Image.Hashes like r"%IMPHASH=4199ed50502e00f57d9b66e9305450f5%" or Image.Hashes like r"%IMPHASH=71c580daf556775f690f0af3db12506f%" or Image.Hashes like r"%IMPHASH=c1ab6741cd29de98a138f2bd639f620a%" or Image.Hashes like r"%IMPHASH=32247962aa01af8ad5dca696260a05ab%" or Image.Hashes like r"%IMPHASH=1d774a94ad511efe5ebfe70acc6f8c85%" or Image.Hashes like r"%IMPHASH=690a0fb27a0c47c785d6bbbfc2e56501%" or Image.Hashes like r"%IMPHASH=78727a5fac8bd281903014ee00dcd553%" or Image.Hashes like r"%IMPHASH=f5ebade1d3a6d3bde264b0c7f9f639e7%" or Image.Hashes like r"%IMPHASH=4343c9c0b78ee21e895f10d929c240d4%" or Image.Hashes like r"%IMPHASH=f510a429c6ce5c8d414550518b3823d2%" or Image.Hashes like r"%IMPHASH=45acfe4a83f61d872fb904a1f08ef991%" or Image.Hashes like r"%IMPHASH=cbf26c6e8cf7e294bda273e7026a2789%" or Image.Hashes like r"%IMPHASH=84d83741445d9f5a6717b874fed3d8f3%" or Image.Hashes like r"%IMPHASH=0b40636205c64cacfd2e4f407518ad58%" or Image.Hashes like r"%IMPHASH=b4627789883457d50964a248104cb4c2%" or 
Image.Hashes like r"%IMPHASH=a7ff164c1ee5113a0a09e66b2cd03544%" or Image.Hashes like r"%IMPHASH=a0a13575e37906924a0b79043b4005c6%" or Image.Hashes like r"%IMPHASH=955e7b12a8fa06444c68e54026c45de1%" or Image.Hashes like r"%IMPHASH=8f52e36711c80bb9d7e30995e0092e83%" or Image.Hashes like r"%IMPHASH=05fbe4619edf747787879d9323951439%" or Image.Hashes like r"%IMPHASH=865c945f842a3f5f5453fb90d12f6765%" or Image.Hashes like r"%IMPHASH=89f925b54b95944513671d79eba5fe07%" or Image.Hashes like r"%IMPHASH=f4c5b0399665885a7dd34f7cdbbc586f%" or Image.Hashes like r"%IMPHASH=2ece23bdef16ee294bd905c7ba1be589%" or Image.Hashes like r"%IMPHASH=e800cd3299d4cda0d9e02255acc3b7dd%" or Image.Hashes like r"%IMPHASH=a86fb9a41955bda815ab902fb58baa27%" or Image.Hashes like r"%IMPHASH=2f7ea575cf15da16c8f117eee37046d8%" or Image.Hashes like r"%IMPHASH=223a76f59831e1a59980b603f81c271d%" or Image.Hashes like r"%IMPHASH=c17c0bd619c1e188ffe27bd328dd7d08%" or Image.Hashes like r"%IMPHASH=1429d5c551f71d3ce6a7cc54c9348e95%" or Image.Hashes like r"%IMPHASH=3552d8a0022e7f3136b667e6d1e402f2%" or Image.Hashes like r"%IMPHASH=67d92a28cd2923a923adf7fd958905d8%" or Image.Hashes like r"%IMPHASH=3c9af2347198d96c8ab5b189b4e3db37%" or Image.Hashes like r"%IMPHASH=f43aa654b4bfb882a0af098ad3f899e9%" or Image.Hashes like r"%IMPHASH=518e77c070ae21af7c558962cd1854a3%" or Image.Hashes like r"%IMPHASH=8e96d1a56746c6f6f30f1a0963ce2f26%" or Image.Hashes like r"%IMPHASH=b19743993dc7f1d48b2a86fe9b9c91e3%" or Image.Hashes like r"%IMPHASH=acd1b0130287133223d26c91f27f6899%" or Image.Hashes like r"%IMPHASH=82942c060f79cefd3bf1acdf5c207561%" or Image.Hashes like r"%IMPHASH=bc5c06a7fa9555f3f34043d828d9b123%" or Image.Hashes like r"%IMPHASH=ccdeab2a83fbf2fef2e418cccd133ec1%" or Image.Hashes like r"%IMPHASH=2424cf613f90884493009dd6bee95693%" or Image.Hashes like r"%IMPHASH=5c77661ac2951da388949d9a834eb694%" or Image.Hashes like r"%IMPHASH=2a20cc9578bb34a4bb10b87b49b24982%" or Image.Hashes like 
r"%IMPHASH=3ee1cb6085fbe05e46e2b88493426848%" or Image.Hashes like r"%IMPHASH=cb876abd8c6ca8a47d50aec4a520a020%" or Image.Hashes like r"%IMPHASH=80ae2342fd6c7f5e1c642918e33dafb1%" or Image.Hashes like r"%IMPHASH=aa274f6b4b15691fd725d7044f98bf36%" or Image.Hashes like r"%IMPHASH=5e4c9e685f9b7d77c90ff710972bb7dd%" or Image.Hashes like r"%IMPHASH=4fb06df8cb54846e42943f0d3ae96e2f%" or Image.Hashes like r"%IMPHASH=74cc5d779ee7dbc9f389bab9dcccac50%" or Image.Hashes like r"%IMPHASH=0707fe3c02c8d2a4d6219bd0596d76f3%" or Image.Hashes like r"%IMPHASH=7863a0f25a0647ed7d52641222bd709a%" or Image.Hashes like r"%IMPHASH=75018719e85e67b75e73c57d682dbcbf%" or Image.Hashes like r"%IMPHASH=e08b2d7c450761f01ec9ed4ef0ca56a4%" or Image.Hashes like r"%IMPHASH=2263350df91a5a4f5e10e68b3b822029%" or Image.Hashes like r"%IMPHASH=6f0b9814da4da038669c47e77c2f268f%" or Image.Hashes like r"%IMPHASH=9fb64527ca6d4541cc256b1abd1e4101%" or Image.Hashes like r"%IMPHASH=27db67ffa112f866f1d34c32226e09cf%" or Image.Hashes like r"%IMPHASH=5bb79a6caa12076a6d140085cb53892e%" or Image.Hashes like r"%IMPHASH=d169b0949781ca2a6efea5a106266a02%" or Image.Hashes like r"%IMPHASH=5a50a9a44f5d36af5df1bde995d22e42%" or Image.Hashes like r"%IMPHASH=626c8ecbc636968157d73f18ac315926%" or Image.Hashes like r"%IMPHASH=f12ae9073d95c22ed89247253d59f500%" or Image.Hashes like r"%IMPHASH=44cbd2ee295f1a35795eb4cd7cdd0864%" or Image.Hashes like r"%IMPHASH=840e656bdb2987fa422092ec9d588895%" or Image.Hashes like r"%IMPHASH=d57ef6278dcd7049063e8fb6ade9effc%" or Image.Hashes like r"%IMPHASH=392aa6863da8d7c14ad7386026e93b58%" or Image.Hashes like r"%IMPHASH=5662b51943d85b7ca47a99cac81af985%" or Image.Hashes like r"%IMPHASH=8418ac0d7aaa9015794e55ea54733342%" or Image.Hashes like r"%IMPHASH=163436e69f8e582bdc1c1e6f735de23b%" or Image.Hashes like r"%IMPHASH=24e4c876bb5db0b0e0a4e92f0a3d3a48%" or Image.Hashes like r"%IMPHASH=3198fc43051f03c6c71587dbf232f75c%" or Image.Hashes like r"%IMPHASH=9321f9c47129fbc728ead2710e22f1a5%" or 
Image.Hashes like r"%IMPHASH=1a0d0d460994cfde55ee908d62330ee0%" or Image.Hashes like r"%IMPHASH=82f5b92ccd99d13f4dd6ed6aaf0441bc%" or Image.Hashes like r"%IMPHASH=634f3c43b014dc8845b086c9328a678c%" or Image.Hashes like r"%IMPHASH=81acb4bb89ef49c4e7f30513b4750e53%" or Image.Hashes like r"%IMPHASH=d61d30746681d0fda9bfd9e8af061b2a%" or Image.Hashes like r"%IMPHASH=7453e39bd87c63550451ba2fa354dd8e%" or Image.Hashes like r"%IMPHASH=bb437241f56020db0fcbf8f8629bdb07%" or Image.Hashes like r"%IMPHASH=1e8ee6407390a2d52051bec21c771fdb%" or Image.Hashes like r"%IMPHASH=7c24141cdcfc23f5eb0e2b6792d80740%" or Image.Hashes like r"%IMPHASH=a7f2c2e8e9d6c90e28819d1a3ab84bc8%" or Image.Hashes like r"%IMPHASH=1b0788bb68804273159b8ace9cba7ea3%" or Image.Hashes like r"%IMPHASH=9521d8684357766840dbcac2b4cee67d%" or Image.Hashes like r"%IMPHASH=b4c2607b2af5376910bf80b561e9a18a%" or Image.Hashes like r"%IMPHASH=f138fdbc6c7fbf73e135717c7d7eac27%" or Image.Hashes like r"%IMPHASH=82525a4a571f0f8d4e4f42ec6bb3900e%" or Image.Hashes like r"%IMPHASH=8bbc742eaed888736a715757f0584fb6%" or Image.Hashes like r"%IMPHASH=be527e5f470fbc661f914c81bfc9af38%" or Image.Hashes like r"%IMPHASH=ad374977f06fefefbb9c77155f7a0733%" or Image.Hashes like r"%IMPHASH=111e6d92e02f02f737654c5b1cfe9f6f%" or Image.Hashes like r"%IMPHASH=31907ffcac211e27136b14bb2f442070%" or Image.Hashes like r"%IMPHASH=60e068470635cf20cc19b7f8e8cbfc5f%" or Image.Hashes like r"%IMPHASH=8a5edbe5251fe141ea0262d5d572178b%" or Image.Hashes like r"%IMPHASH=0265c50548889ffd5c2d3a2539885efe%" or Image.Hashes like r"%IMPHASH=9376f1c4ab79240cc948b77bf9e8814b%" or Image.Hashes like r"%IMPHASH=82b2288ac7f842e42de15c5bc96f1772%" or Image.Hashes like r"%IMPHASH=317f02ddc9809d608a9bf63ce24e9550%" or Image.Hashes like r"%IMPHASH=65abf5c92cc2239f2dc9d589458569c9%" or Image.Hashes like r"%IMPHASH=12fef92a55cb5e1533b89d8e6a5892b2%" or Image.Hashes like r"%IMPHASH=fd133033a24971502ff0b2f189215c56%" or Image.Hashes like 
r"%IMPHASH=050d389675730da0d9d75367659cd53b%" or Image.Hashes like r"%IMPHASH=c590cbf2d6cbf206a2e47e8ed91dd944%" or Image.Hashes like r"%IMPHASH=505e0a016962137ca6169bce64ba2f53%" or Image.Hashes like r"%IMPHASH=02a27dc9a48b694b7df4b821eb65178c%" or Image.Hashes like r"%IMPHASH=bfe13c695e41d3eee414d3929b1bd523%" or Image.Hashes like r"%IMPHASH=5095ddaed3abc22c1510a141d72735cc%" or Image.Hashes like r"%IMPHASH=8f96c3ef5dda3fe697d4a4d6326dbe37%" or Image.Hashes like r"%IMPHASH=e1ecbd956bd016618b07e7dddcaf6e60%" or Image.Hashes like r"%IMPHASH=07a42e80559d960b176c0fc8fd309bfe%" or Image.Hashes like r"%IMPHASH=f86759bb4de4320918615dc06e998a39%" or Image.Hashes like r"%IMPHASH=c9f08d92efe88afb2545eb82a8870233%" or Image.Hashes like r"%IMPHASH=6b867dee14a77d0ada8ccad99b16291e%" or Image.Hashes like r"%IMPHASH=744af2b62301859b4ccdffba53551b15%" or Image.Hashes like r"%IMPHASH=ec5ee9a38e54ed3d4a6e6545672cb651%" or Image.Hashes like r"%IMPHASH=c3c9e6c0c33bad17eb055ec795fc113e%" or Image.Hashes like r"%IMPHASH=31a3c2c72c9a565dc4ba75ef26677569%" or Image.Hashes like r"%IMPHASH=7bc998aaa9fe4b4fd5e133554f42d913%" or Image.Hashes like r"%IMPHASH=bb981f82c2bfc3c22471df92d9d0fb89%" or Image.Hashes like r"%IMPHASH=ad34ea17f90a34f6f84a399a96383ada%" or Image.Hashes like r"%IMPHASH=30c0ed518c03fa46fa0bfe76f2db0e42%" or Image.Hashes like r"%IMPHASH=587191d77c08023e6e95463153e45463%" or Image.Hashes like r"%IMPHASH=c83f076c00d2b0a6ba9dc82f56a97631%" or Image.Hashes like r"%IMPHASH=cb8db41ab8c06472574e58b9466f4070%" or Image.Hashes like r"%IMPHASH=391ffad95759bc4bac2b737d0d0eaa84%" or Image.Hashes like r"%IMPHASH=c52384bc825d2414de3195672971339e%" or Image.Hashes like r"%IMPHASH=b0e74761cced2dde5173ae05ec562085%" or Image.Hashes like r"%IMPHASH=4bd0bd7710a7f71d38f056241c8ce0a7%" or Image.Hashes like r"%IMPHASH=ad0cdf3bab32983050527655bce40f96%" or Image.Hashes like r"%IMPHASH=e1a5435877b427be967867a25b1d263e%" or Image.Hashes like r"%IMPHASH=61b719638eacc2c5ca299805d4819e69%" or 
Image.Hashes like r"%IMPHASH=7687d0eba49315582228ef660f61b471%" or Image.Hashes like r"%IMPHASH=e7cbb1ce75bfc69f53855066a936042d%" or Image.Hashes like r"%IMPHASH=bc44fdc145156a15d0a803d18877b218%" or Image.Hashes like r"%IMPHASH=d5e7fc56a905088dbc79b8e27b98faea%" or Image.Hashes like r"%IMPHASH=3702511999371bac8982d01820dd70f2%" or Image.Hashes like r"%IMPHASH=d14ea0e632fc8485d77e7eba3c4d4537%" or Image.Hashes like r"%IMPHASH=2e7d3b001306473cbff3d0dc11a6fcbc%" or Image.Hashes like r"%IMPHASH=e717a2158439123c6fca79b6b2c0ba49%" or Image.Hashes like r"%IMPHASH=6736c04d5ff512e5e2eb608414276513%" or Image.Hashes like r"%IMPHASH=225e24ee3c4081a16ef32831b70bf8ef%" or Image.Hashes like r"%IMPHASH=48028b3b694466c1c0eb1d91ef5c02cb%" or Image.Hashes like r"%IMPHASH=37f7c6238c9ce110408e01ae1bc45635%" or Image.Hashes like r"%IMPHASH=b95bc1a99081d695b1c0b37b90a4a0be%" or Image.Hashes like r"%IMPHASH=78eaf4d62617f6b614d318cc70c6548a%" or Image.Hashes like r"%IMPHASH=55db306bc2be3ff71a6b91fd9db051b8%" or Image.Hashes like r"%IMPHASH=021fd02a8adad420116496b6f2759960%" or Image.Hashes like r"%IMPHASH=b3e26c5e0de2d01597dca208ef27cc38%" or Image.Hashes like r"%IMPHASH=67affe6126c1d4a774b2504061c96a2e%" or Image.Hashes like r"%IMPHASH=656ad5c2eac95f75d3fe6d5ca59e0d8d%" or Image.Hashes like r"%IMPHASH=5ea78a193212fe61ac722f45f0b0eab9%" or Image.Hashes like r"%IMPHASH=77ec8b2c372741f12098f084a13a56a8%" or Image.Hashes like r"%IMPHASH=f27327907e57c0c2c9fddc68eab2eb7b%" or Image.Hashes like r"%IMPHASH=b679ac08daf4b4ce8a58d85a8e0904ac%" or Image.Hashes like r"%IMPHASH=f2c2ee1ff03c54f384f4eee8c2533107%" or Image.Hashes like r"%IMPHASH=c12f7aec6ebe84a8390c82720adfc237%" or Image.Hashes like r"%IMPHASH=0a8eeabf5981efb2116244785cb03900%" or Image.Hashes like r"%IMPHASH=7f8c74638fcf297f8216aa5b184f61d6%" or Image.Hashes like r"%IMPHASH=d41fa95d4642dc981f10de36f4dc8cd7%" or Image.Hashes like r"%IMPHASH=8d616e68080def2200312de80392efa7%" or Image.Hashes like 
r"%IMPHASH=cde9174249f04dad0f79890c976c0792%" or Image.Hashes like r"%IMPHASH=858ceae385cdcfcbc7814644564c23e6%" or Image.Hashes like r"%IMPHASH=d232ae5bad7ce02f4eece90ef370c7a0%" or Image.Hashes like r"%IMPHASH=c7f08aed5725fe6a53a62ebe354ff135%" or Image.Hashes like r"%IMPHASH=cc81a908891587ccac8059435eda4c66%" or Image.Hashes like r"%IMPHASH=bd4f9a93da2bb4b5f6e90d4f9381661c%" or Image.Hashes like r"%IMPHASH=01aa65221a48929f0a34a27c4e3011b1%" or Image.Hashes like r"%IMPHASH=409d2ab916237fb129c57aacbb7cb4fe%" or Image.Hashes like r"%IMPHASH=65181bc89a1c2b5854548236269846c1%" or Image.Hashes like r"%IMPHASH=787e32b3fd816479fb93f9af0b6d0da3%" or Image.Hashes like r"%IMPHASH=8e89024d2c0ef0451c12b956a2b55b91%" or Image.Hashes like r"%IMPHASH=0cba56fa162378bc4ee09e94a4e2fe33%" or Image.Hashes like r"%IMPHASH=b7a0100fe60d7a8263da64820f7d0120%" or Image.Hashes like r"%IMPHASH=d16f507665603095c26147a7adcb93b8%" or Image.Hashes like r"%IMPHASH=0b663530751cc11f34273fee7921c431%" or Image.Hashes like r"%IMPHASH=604b5bd94f1892fd9e9025ef7a2bbe54%" or Image.Hashes like r"%IMPHASH=cb8397a3262c80b558aff93ab75b6a7b%" or Image.Hashes like r"%IMPHASH=d6c920c10d4d0f92f0ac14c3fefed233%" or Image.Hashes like r"%IMPHASH=9fd359d308a1e93106189b4ebd945855%" or Image.Hashes like r"%IMPHASH=c94e5ad0f33374535392364a5a193253%" or Image.Hashes like r"%IMPHASH=751c6b5c201f8c52f5512350cad88ddc%" or Image.Hashes like r"%IMPHASH=eac62dd0c27ed557fa4b641fa4050d04%" or Image.Hashes like r"%IMPHASH=506a31d768aec26b297c45b50026c820%" or Image.Hashes like r"%IMPHASH=60805da513b95c3d18a93b988bdfb58f%" or Image.Hashes like r"%IMPHASH=3aa0ceb8fcd07cf2514d1cb0b9bccf4b%" or Image.Hashes like r"%IMPHASH=c1579e4266fbdc47a5abc493a2d9d597%" or Image.Hashes like r"%IMPHASH=adfd4c0b031598afecb6f3f585f5f581%" or Image.Hashes like r"%IMPHASH=7a286ef4179598007a8afe9e5af95a48%" or Image.Hashes like r"%IMPHASH=c7912c850407aa93c979d95c4f593507%" or Image.Hashes like r"%IMPHASH=bec5dc89f030df7a96d19483fad4cc0a%" or 
Image.Hashes like r"%IMPHASH=b91054cdc4c8b3169cfe6c157f6d9f07%" or Image.Hashes like r"%IMPHASH=d67b7c7501e5261df5e66b3219fa52ee%" or Image.Hashes like r"%IMPHASH=b142d772a67c40535c8d8fabb6861748%" or Image.Hashes like r"%IMPHASH=1957e33acbc826c69f452ae1d1b89ac9%" or Image.Hashes like r"%IMPHASH=7a4a0df0bde1f8da6547a580d5bee7c3%" or Image.Hashes like r"%IMPHASH=085a78615099ffefa2df0a31da3058d8%" or Image.Hashes like r"%IMPHASH=e804d4ee2c20f3eb1d3c955e38a2fe11%" or Image.Hashes like r"%IMPHASH=6f2d756d22c285a46206de3bfde6c79d%" or Image.Hashes like r"%IMPHASH=071356ee9d8c7f91cbe8fa3c448286a2%" or Image.Hashes like r"%IMPHASH=ebf30b4cd57a4f4548a03eab0f6c418c%" or Image.Hashes like r"%IMPHASH=08ab07a2bc35aea02cd6d1efbb954cb3%" or Image.Hashes like r"%IMPHASH=cb15f8046e159c17b0510738fa18f758%" or Image.Hashes like r"%IMPHASH=07a513d1599c93bd34f01323b1ef7430%" or Image.Hashes like r"%IMPHASH=2430f988dcdc3828f6079e1e2cc71dc8%" or Image.Hashes like r"%IMPHASH=8b41eacbfbe5f5348579e27d30767e74%" or Image.Hashes like r"%IMPHASH=afee876e89b51e2cc7c91353fb588fe6%" or Image.Hashes like r"%IMPHASH=e11e41c95c1872ac3ebbd7768b16cf9e%" or Image.Hashes like r"%IMPHASH=e9077c03c44a511c2c8eaf5bad9ab90b%" or Image.Hashes like r"%IMPHASH=d6d76f43ccc3872b879b0df583364c78%" or Image.Hashes like r"%IMPHASH=62dbb90b4be9282d52aff9ae1a101d6b%" or Image.Hashes like r"%IMPHASH=3ec1e7e215efad2711248558465da9ad%" or Image.Hashes like r"%IMPHASH=96f270be3f73ec3fc2f2237fe84efca0%" or Image.Hashes like r"%IMPHASH=9ad5f7496f8c918d6c0536751d3accae%" or Image.Hashes like r"%IMPHASH=b1ed268dfdf4f39960971eb5822a4755%" or Image.Hashes like r"%IMPHASH=4c0161f638d5acafe23fcee3c5e86f15%" or Image.Hashes like r"%IMPHASH=9928d53dbe860aba1b7c891831680629%" or Image.Hashes like r"%IMPHASH=d122c1eaa50839be14c31876d0d4e0be%" or Image.Hashes like r"%IMPHASH=8f4588156ea7d9af8e4c162ce4c3ff23%" or Image.Hashes like r"%IMPHASH=abdaca21ab5c831000b0aa4b8f357716%" or Image.Hashes like 
r"%IMPHASH=0555907292d07d9f78205416eb1924d3%" or Image.Hashes like r"%IMPHASH=832f0fb3579a07b1c4bec82b4478306b%" or Image.Hashes like r"%IMPHASH=340e874a1ca966e45fc2a314ef228cce%" or Image.Hashes like r"%IMPHASH=b35d1d3faa6c97b106b343823d5df867%" or Image.Hashes like r"%IMPHASH=7e1327419d10a7eeece5579526f75d9f%" or Image.Hashes like r"%IMPHASH=084b99aebda8a13e4f774a2ced272e85%" or Image.Hashes like r"%IMPHASH=81ba5280406320ce6f03a9817d7d6035%" or Image.Hashes like r"%IMPHASH=e4f1a9234e4ea105321909d4c0e597ae%" or Image.Hashes like r"%IMPHASH=68a12eb3f32f7e193bd0d722ea6be4ab%" or Image.Hashes like r"%IMPHASH=c3fd2e688276a184b2528ee590054e5a%" or Image.Hashes like r"%IMPHASH=531d2392dbdd314fb1d9318fe9e5c4d2%" or Image.Hashes like r"%IMPHASH=29a1da8841f5363423dcba1a9773809a%" or Image.Hashes like r"%IMPHASH=9fc4a96d982ebfd6b9d87c0f3ebef681%" or Image.Hashes like r"%IMPHASH=304c4fcf70cfc8299a3b6eed8e7bbb31%" or Image.Hashes like r"%IMPHASH=3415f704b3149ea9a3d3a54036b208dd%" or Image.Hashes like r"%IMPHASH=7cf815757705e26b809574488ed56d0e%" or Image.Hashes like r"%IMPHASH=28d780857f0f6616f938aca3a38b5072%" or Image.Hashes like r"%IMPHASH=235102691b04f562ae8aa7ece38d8bc9%" or Image.Hashes like r"%IMPHASH=262d8fbbf1f514399bb3f230cddc12af%" or Image.Hashes like r"%IMPHASH=0f3ddbe229201f6fa9a3dbbaf842a556%" or Image.Hashes like r"%IMPHASH=bd093a7d5ba5632ee52f3466a688ee55%" or Image.Hashes like r"%IMPHASH=a9e22f5e8f4965960716d94ba7639c9f%" or Image.Hashes like r"%IMPHASH=528ac7a1e034801d1f20238971c6ec19%" or Image.Hashes like r"%IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4%" or Image.Hashes like r"%IMPHASH=7c8c655791b5c853e45aa174e5cc1333%" or Image.Hashes like r"%IMPHASH=a53b095a8d7366075d445892070cde51%" or Image.Hashes like r"%IMPHASH=f079f8637a1d4fe2fb93af2a267b68ef%" or Image.Hashes like r"%IMPHASH=0ebd5902a82ddfef8ed96678c1573a7b%" or Image.Hashes like r"%IMPHASH=9a970527986cd03e5a25d18b372624a1%" or Image.Hashes like r"%IMPHASH=87fde0c3f8e7dff7ab0d718d6b1252c8%" or 
Image.Hashes like r"%IMPHASH=959dce366573a7aae10b74a08931722a%" or Image.Hashes like r"%IMPHASH=fce118020e70919e5c8c629687f89e56%" or Image.Hashes like r"%IMPHASH=86682585c620fa85096a7bedaf990cd1%" or Image.Hashes like r"%IMPHASH=5f9cf5b0511f3c1129b467d273b921f2%" or Image.Hashes like r"%IMPHASH=543f80399f79401471523d335ea61642%" or Image.Hashes like r"%IMPHASH=3ca448454c33a5c72ad5e774de47930a%" or Image.Hashes like r"%IMPHASH=51ecd9b363fde1f003f4b4f20c874b1b%" or Image.Hashes like r"%IMPHASH=1f2627fc453dc35031a9502372bd3549%" or Image.Hashes like r"%IMPHASH=2cf48a541dc193e91bb2a831adcf278e%" or Image.Hashes like r"%IMPHASH=805e4a267f9495e7c0c430d92b78f8bd%" or Image.Hashes like r"%IMPHASH=92caaf6ebb43bbe61f3da8526172f776%" or Image.Hashes like r"%IMPHASH=421730c2b3fa3a7d78c2eda3da1be6a8%" or Image.Hashes like r"%IMPHASH=aa54fa0523f677e56d6d8199e5e18732%" or Image.Hashes like r"%IMPHASH=8ee2435c62b02fe0372cde028be489cb%" or Image.Hashes like r"%IMPHASH=50b6a9c4df6d0c9f517c804ad1307d7c%" or Image.Hashes like r"%IMPHASH=037b9d19995faadf69a2ce134473e346%" or Image.Hashes like r"%IMPHASH=2c19472843b56c67efb80d8c447f3cfe%" or Image.Hashes like r"%IMPHASH=a74f61fdcea718cb9579907b2caf54ab%" or Image.Hashes like r"%IMPHASH=84d45ee8df6f63b5af419d89003a97bc%" or Image.Hashes like r"%IMPHASH=69dbb4c8bbe4d8c2e1493f82170b93c4%" or Image.Hashes like r"%IMPHASH=6903b92e7760c5d7f7c181b64eb13176%" or Image.Hashes like r"%IMPHASH=d6f977640d4810a784d152e4d3c63a6b%" or Image.Hashes like r"%IMPHASH=473c3773ca11aa7371dbf350919c5724%" or Image.Hashes like r"%IMPHASH=87842ffa59724bda8389394bcaeb5d73%" or Image.Hashes like r"%IMPHASH=18502b56d9ea5dea7f9d31ef85db31d5%" or Image.Hashes like r"%IMPHASH=b6f67458e30912358144df4adf5264fd%" or Image.Hashes like r"%IMPHASH=a49a51d7f2ae972483961eb64d17888e%" or Image.Hashes like r"%IMPHASH=81e2eb25e24938b90806de865630a2b2%" or Image.Hashes like r"%IMPHASH=96861132665e8d66c0a91e6c02cc6639%" or Image.Hashes like 
r"%IMPHASH=69163e5596280d3319375c9bcd4b5da1%" or Image.Hashes like r"%IMPHASH=4946030efb34ab167180563899d5eb27%" or Image.Hashes like r"%IMPHASH=4c304943af1b07b15a5efa80f17d9b89%" or Image.Hashes like r"%IMPHASH=821d74031d3f625bcbd0df08b70f1e77%" or Image.Hashes like r"%IMPHASH=1bef18e9dda6f1e7bbf7eb76e9ccf16b%" or Image.Hashes like r"%IMPHASH=21f58b1f2de6ad0e9c019da7a4e7317b%" or Image.Hashes like r"%IMPHASH=91387ac37086b9b519f945b58095f38d%" or Image.Hashes like r"%IMPHASH=dcd41632f0ad9683e5c9c7cc083f78f7%" or Image.Hashes like r"%IMPHASH=ced7ea67fdf3d89a48849e0062278f7d%" or Image.Hashes like r"%IMPHASH=5713a0c2b363c49706fa0e60151511a8%" or Image.Hashes like r"%IMPHASH=089e8a8f2bb007852c63b64e66430293%" or Image.Hashes like r"%IMPHASH=383be1d728b0be96be1b810a131705ee%" or Image.Hashes like r"%IMPHASH=3d42ff70269b824dd9d4a8cb905669f9%" or Image.Hashes like r"%IMPHASH=363922cc73591e60f2af113182414230%" or Image.Hashes like r"%IMPHASH=fa084cdc36f03f1aeddaa3450e2781b1%" or Image.Hashes like r"%IMPHASH=3c61f9a38aaa7650fcd33b46e794d1bb%" or Image.Hashes like r"%IMPHASH=42e3f2ffa29901e572f2df03cb872159%" or Image.Hashes like r"%IMPHASH=4c5fc4519f1417f0630c3343aab7c9d2%" or Image.Hashes like r"%IMPHASH=d5d40497d82daf7e44255ede810ce7a6%" or Image.Hashes like r"%IMPHASH=91ee149529956a79a91eeb8c48f00b3d%" or Image.Hashes like r"%IMPHASH=a387f215b4964a3ca2e3c92f235a6d1b%" or Image.Hashes like r"%IMPHASH=ca6e77f472ebd5b2ade876e7c773bb57%" or Image.Hashes like r"%IMPHASH=67bace81ce26ddf73732dd75cbd0c0f2%" or Image.Hashes like r"%IMPHASH=18b8de84bd7aa83fec79d2c6aaf0a4f5%" or Image.Hashes like r"%IMPHASH=519cf5394541bf5e2869edeec81521e1%" or Image.Hashes like r"%IMPHASH=cae90f82e91b9a60af9a0e36c1f73be4%" or Image.Hashes like r"%IMPHASH=643f4d79f35dddc9bb5cc04a0f0c18d3%" or Image.Hashes like r"%IMPHASH=6b7d4c6283b9b951b7b2f47a0c5be8c7%" or Image.Hashes like r"%IMPHASH=b4c857bd3a7b1d8125c0f62aec45401e%" or Image.Hashes like r"%IMPHASH=49a12b06131d938e9dc40c693b88ba7f%" or 
Image.Hashes like r"%IMPHASH=f74aa24adc713dbb957ccb18f3c16a71%" or Image.Hashes like r"%IMPHASH=6faad89adbfc9d5448bb1bd12e7714cd%" or Image.Hashes like r"%IMPHASH=5759d90322a7311eaccf4f0ab2c2a7c4%" or Image.Hashes like r"%IMPHASH=8b6c1a09e11200591663b880a94a8d18%" or Image.Hashes like r"%IMPHASH=eade2a2576f329e4971bf5044ab24ac7%" or Image.Hashes like r"%IMPHASH=8b47d6faba90b5c89e27f7119c987e1a%" or Image.Hashes like r"%IMPHASH=4433528b0f664177546dd3e229f0daa5%" or Image.Hashes like r"%IMPHASH=c0f234205c50cc713673353c9653eea1%" or Image.Hashes like r"%IMPHASH=b4b90c1b054ebe273bff4b2fd6927990%" or Image.Hashes like r"%IMPHASH=f2dc136141066311fddef65f7f417c44%" or Image.Hashes like r"%IMPHASH=12a08688ec92616a8b639d85cc13a3ed%" or Image.Hashes like r"%IMPHASH=296afaa5ea70bbd17135afcd04758148%" or Image.Hashes like r"%IMPHASH=8232d2f79ce126e84cc044543ad82790%" or Image.Hashes like r"%IMPHASH=e10e743d152cf62f219a7e9192fb533d%" or Image.Hashes like r"%IMPHASH=e5af2438da6df2aa9750aa632c80cfa4%" or Image.Hashes like r"%IMPHASH=3a4e0bc46866ca54459753f62c879b62%" or Image.Hashes like r"%IMPHASH=10cb3185e13390f8931a50a131448cdf%" or Image.Hashes like r"%IMPHASH=4fb27d2712ef4afdb67e0921d64a5f1e%" or Image.Hashes like r"%IMPHASH=a96a02cf5f7896a9a9f045d1986bd83c%" or Image.Hashes like r"%IMPHASH=fd894d394a8ca9abd74f7210ed931682%" or Image.Hashes like r"%IMPHASH=ca07de87d444c1d2d10e16e9dcc2dc19%" or Image.Hashes like r"%IMPHASH=1aa10b05dee9268d7ce87f5f56ea9ded%" or Image.Hashes like r"%IMPHASH=485f7e86663d49c68c8b5f705d310f50%" or Image.Hashes like r"%IMPHASH=5899e93373114ca9e458e906675132b7%" or Image.Hashes like r"%IMPHASH=be2d638c3933fc3f5a96e539f9910c5f%" or Image.Hashes like r"%IMPHASH=fbfa302bf7eb5d615d0968541ee49ce4%" or Image.Hashes like r"%IMPHASH=f9b9487f25a2c1e08c02f391387c5323%" or Image.Hashes like r"%IMPHASH=ef102e058f6b88af0d66d26236257706%" or Image.Hashes like r"%IMPHASH=0f371a913e9fa3ba3a923718e489debb%" -GenericProperty1 = Image.Hashes +Annotation = 
{"mitre_attack": ["T1486"], "author": "frack113"} +Query = Process.CommandLine like r"%REG%" and Process.CommandLine like r"%ADD%" and Process.CommandLine like r"%\\SOFTWARE\\Policies\\Microsoft\\FVE%" and Process.CommandLine like r"%/v%" and Process.CommandLine like r"%/f%" and (Process.CommandLine like r"%EnableBDEWithNoTPM%" or Process.CommandLine like r"%UseAdvancedStartup%" or Process.CommandLine like r"%UseTPM%" or Process.CommandLine like r"%UseTPMKey%" or Process.CommandLine like r"%UseTPMKeyPIN%" or Process.CommandLine like r"%RecoveryKeyMessageSource%" or Process.CommandLine like r"%UseTPMPIN%" or Process.CommandLine like r"%RecoveryKeyMessage%") [ThreatDetectionRule platform=Windows] -# Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) -# Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io -RuleId = 438025f9-5856-4663-83f7-52f878a70a50 -RuleName = Suspicious Microsoft Office Child Process +# Detects potential path traversal attempt via cmd.exe. 
Could indicate possible command/argument confusion/hijacking +# Author: xknow @xknow_infosec, Tim Shelton +RuleId = 087790e3-3287-436c-bccf-cbd0184a7db1 +RuleName = Potential CommandLine Path Traversal Via Cmd.EXE EventType = Process.Start -Tag = proc-start-suspicious-microsoft-office-child-process +Tag = proc-start-potential-commandline-path-traversal-via-cmd.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1047", "T1204.002", "T1218.010"], "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io"} -Query = (Parent.Path like r"%\\EQNEDT32.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\MSACCESS.EXE" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\ONENOTE.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\wordpad.exe" or Parent.Path like r"%\\wordview.exe") and (Process.Name in ["bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe"] or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certoc.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\control.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\curl.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\ieexec.exe" or Process.Path like r"%\\installutil.exe" or 
Process.Path like r"%\\javaw.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\Microsoft.Workflow.Compiler.exe" or Process.Path like r"%\\msbuild.exe" or Process.Path like r"%\\msdt.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msidb.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\msxsl.exe" or Process.Path like r"%\\odbcconf.exe" or Process.Path like r"%\\pcalua.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regasm.exe" or Process.Path like r"%\\regsvcs.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\verclsid.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\workfolders.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\AppData\\%" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\ProgramData\\%" or Process.Path like r"%\\Windows\\Tasks\\%" or Process.Path like r"%\\Windows\\Temp\\%" or Process.Path like r"%\\Windows\\System32\\Tasks\\%") +Annotation = {"mitre_attack": ["T1059.003"], "author": "xknow @xknow_infosec, Tim Shelton"} +Query = (Parent.Path like r"%\\cmd.exe" or Process.Path like r"%\\cmd.exe" or Process.Name == "cmd.exe") and (Parent.CommandLine like r"%/c%" or Parent.CommandLine like r"%/k%" or Parent.CommandLine like r"%/r%" or Process.CommandLine like r"%/c%" or Process.CommandLine like r"%/k%" or Process.CommandLine like r"%/r%") and (Parent.CommandLine == "/../../" or Process.CommandLine like r"%/../../%") and not Process.CommandLine like r"%\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java%" GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects 
addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember". -# Author: Florian Roth (Nextron Systems) -RuleId = ffa28e60-bdb1-46e0-9f82-05f7a61cc06e -RuleName = User Added to Remote Desktop Users Group +# Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. +# Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage. +# Author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 129966c9-de17-4334-a123-8b58172e664d +RuleName = Potential Windows Defender AV Bypass Via Dump64.EXE Rename EventType = Process.Start -Tag = proc-start-user-added-to-remote-desktop-users-group +Tag = proc-start-potential-windows-defender-av-bypass-via-dump64.exe-rename RiskScore = 75 -Annotation = {"mitre_attack": ["T1133", "T1136.001", "T1021.001"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.CommandLine like r"%localgroup %" and Process.CommandLine like r"% /add%" or Process.CommandLine like r"%Add-LocalGroupMember %" and Process.CommandLine like r"% -Group %") and (Process.CommandLine like r"%Remote Desktop Users%" or Process.CommandLine like r"%Utilisateurs du Bureau à distance%" or Process.CommandLine like r"%Usuarios de escritorio remoto%") +Annotation = {"mitre_attack": ["T1003.001"], "author": "Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r":\\Program Files%" and Process.Path like r"%\\Microsoft Visual Studio\\%" and Process.Path like r"%\\dump64.exe" and (Process.Name == "procdump" or Process.CommandLine like r"% -ma %" or Process.CommandLine like r"% -mp %") [ThreatDetectionRule platform=Windows] -# Detects usage of "IMEWDBLD.exe" to download arbitrary files -# Author: Swachchhanda Shrawan Poudel -RuleId = 
863218bd-c7d0-4c52-80cd-0a96c09f54af -RuleName = Arbitrary File Download Via IMEWDBLD.EXE +# Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 258fc8ce-8352-443a-9120-8a11e4857fa5 +RuleName = Potential Arbitrary Command Execution Using Msdt.EXE EventType = Process.Start -Tag = proc-start-arbitrary-file-download-via-imewdbld.exe +Tag = proc-start-potential-arbitrary-command-execution-using-msdt.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Swachchhanda Shrawan Poudel"} -Query = (Process.Path like r"%\\IMEWDBLD.exe" or Process.Name == "imewdbld.exe") and (Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%") +Annotation = {"mitre_attack": ["T1202"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\msdt.exe" or Process.Name == "msdt.exe") and (Process.CommandLine like r"%IT\_BrowseForFile=%" or Process.CommandLine like r"% PCWDiagnostic%" and (Process.CommandLine like r"% -af %" or Process.CommandLine like r"% /af %" or Process.CommandLine like r"% –af %" or Process.CommandLine like r"% —af %" or Process.CommandLine like r"% ―af %")) [ThreatDetectionRule platform=Windows] -# Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt. 
-# Author: frack113 -RuleId = 91a2c315-9ee6-4052-a853-6f6a8238f90d -RuleName = Findstr GPP Passwords +# Detects python spawning a pretty tty +# Author: Nextron Systems +RuleId = 480e7e51-e797-47e3-8d72-ebfce65b6d8d +RuleName = Python Spawning Pretty TTY on Windows EventType = Process.Start -Tag = proc-start-findstr-gpp-passwords +Tag = proc-start-python-spawning-pretty-tty-on-windows RiskScore = 75 -Annotation = {"mitre_attack": ["T1552.006"], "author": "frack113"} -Query = (Process.Path like r"%\\find.exe" or Process.Path like r"%\\findstr.exe" or Process.Name in ["FIND.EXE", "FINDSTR.EXE"]) and Process.CommandLine like r"%cpassword%" and Process.CommandLine like r"%\\sysvol\\%" and Process.CommandLine like r"%.xml%" +Annotation = {"mitre_attack": ["T1059"], "author": "Nextron Systems"} +Query = (Process.Path like r"%python.exe" or Process.Path like r"%python3.exe" or Process.Path like r"%python2.exe") and (Process.CommandLine like r"%import pty%" and Process.CommandLine like r"%.spawn(%" or Process.CommandLine like r"%from pty import spawn%") [ThreatDetectionRule platform=Windows] -# Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. -# Involved domains are bin.equinox.io for download and *.ngrok.io for connections. -# Author: Florian Roth (Nextron Systems) -RuleId = ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31 -RuleName = PUA - Ngrok Execution +# Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware. +# Author: E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +RuleId = 1444443e-6757-43e4-9ea4-c8fc705f79a2 +RuleName = Boot Configuration Tampering Via Bcdedit.EXE EventType = Process.Start -Tag = proc-start-pua-ngrok-execution +Tag = proc-start-boot-configuration-tampering-via-bcdedit.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1572"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"% tcp 139%" or Process.CommandLine like r"% tcp 445%" or Process.CommandLine like r"% tcp 3389%" or Process.CommandLine like r"% tcp 5985%" or Process.CommandLine like r"% tcp 5986%" or Process.CommandLine like r"% start %" and Process.CommandLine like r"%--all%" and Process.CommandLine like r"%--config%" and Process.CommandLine like r"%.yml%" or Process.Path like r"%ngrok.exe" and (Process.CommandLine like r"% tcp %" or Process.CommandLine like r"% http %" or Process.CommandLine like r"% authtoken %") or Process.CommandLine like r"%.exe authtoken %" or Process.CommandLine like r"%.exe start --all%" +Annotation = {"mitre_attack": ["T1490"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community"} +Query = (Process.Path like r"%\\bcdedit.exe" or Process.Name == "bcdedit.exe") and Process.CommandLine like r"%set%" and (Process.CommandLine like r"%bootstatuspolicy%" and Process.CommandLine like r"%ignoreallfailures%" or Process.CommandLine like r"%recoveryenabled%" and Process.CommandLine like r"%no%") [ThreatDetectionRule platform=Windows] -# Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions. 
+# Detects when an attacker registers a new AMSI provider in order to achieve persistence # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = f742bde7-9528-42e5-bd82-84f51a8387d2 -RuleName = Uncommon Microsoft Office Trusted Location Added +RuleId = 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 +RuleName = Potential Persistence Via New AMSI Providers - Registry EventType = Reg.Any -Tag = uncommon-microsoft-office-trusted-location-added +Tag = potential-persistence-via-new-amsi-providers-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%Security\\Trusted Locations\\Location%" and Reg.TargetObject like r"%\\Path" and not (Process.Path like r"%:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\%" and Process.Path like r"%\\OfficeClickToRun.exe" or Process.Path like r"%:\\Program Files\\Microsoft Office\\%" or Process.Path like r"%:\\Program Files (x86)\\Microsoft Office\\%") and not (Reg.Value.Data like r"%\%APPDATA\%\\Microsoft\\Templates%" or Reg.Value.Data like r"%\%\%APPDATA\%\%\\Microsoft\\Templates%" or Reg.Value.Data like r"%\%APPDATA\%\\Microsoft\\Word\\Startup%" or Reg.Value.Data like r"%\%\%APPDATA\%\%\\Microsoft\\Word\\Startup%" or Reg.Value.Data like r"%:\\Program Files (x86)\\Microsoft Office\\root\\Templates\\%" or Reg.Value.Data like r"%:\\Program Files\\Microsoft Office (x86)\\Templates%" or Reg.Value.Data like r"%:\\Program Files\\Microsoft Office\\root\\Templates\\%" or Reg.Value.Data like r"%:\\Program Files\\Microsoft Office\\Templates\\%") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.EventType == "CreateKey" and (Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\AMSI\\Providers\\%" or Reg.TargetObject like r"%\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\%") and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Program Files\\%" or Process.Path like r"C:\\Program 
Files (x86)\\%") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +GenericProperty2 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen. -# Author: Nasreddine Bencherchali (Nextron Systems), frack113 -RuleId = f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd -RuleName = Hiding User Account Via SpecialAccounts Registry Key -EventType = Reg.Any -Tag = hiding-user-account-via-specialaccounts-registry-key +# Detects renamed vmnat.exe or portable version that can be used for DLL side-loading +# Author: elhoim +RuleId = 7b4f794b-590a-4ad4-ba18-7964a2832205 +RuleName = Renamed Vmnat.exe Execution +EventType = Process.Start +Tag = proc-start-renamed-vmnat.exe-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1564.002"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113"} -Query = Reg.EventType == "SetValue" and Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList%" and Reg.Value.Data == "DWORD (0x00000000)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data -GenericProperty3 = Reg.EventType +Annotation = {"mitre_attack": ["T1574.002"], "author": "elhoim"} +Query = Process.Name == "vmnat.exe" and not Process.Path like r"%vmnat.exe" [ThreatDetectionRule platform=Windows] -# Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses. +# Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = ba4cfc11-d0fa-4d94-bf20-7c332c412e76 -RuleName = Potentially Suspicious DLL Registered Via Odbcconf.EXE +RuleId = 6e22722b-dfb1-4508-a911-49ac840b40f8 +RuleName = Suspicious Mstsc.EXE Execution With Local RDP File EventType = Process.Start -Tag = proc-start-potentially-suspicious-dll-registered-via-odbcconf.exe +Tag = proc-start-suspicious-mstsc.exe-execution-with-local-rdp-file RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.008"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\odbcconf.exe" or Process.Name == "odbcconf.exe") and Process.CommandLine like r"%REGSVR %" and not Process.CommandLine like r"%.dll%" +Annotation = {"mitre_attack": ["T1219"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\mstsc.exe" or Process.Name == "mstsc.exe") and (Process.CommandLine like r"%.rdp" or Process.CommandLine like r"%.rdp\"") and (Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\System32\\spool\\drivers\\color%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\_Migrated %" or Process.CommandLine like r"%:\\Windows\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\Tracing\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\Downloads\\%") [ThreatDetectionRule platform=Windows] -# Detects cmstp loading "dll" or "ocx" files from suspicious locations -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 75e508f7-932d-4ebc-af77-269237a84ce1 -RuleName = DLL Loaded From Suspicious Location Via Cmspt.EXE -EventType = Image.Load -Tag = dll-loaded-from-suspicious-location-via-cmspt.exe +# Detects potential persistence behavior using the windows telemetry registry key. 
+# Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. +# This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. +# The problem is, it will run any arbitrary command without restriction of location or type. +# Author: Lednyov Alexey, oscd.community, Sreeman +RuleId = 73a883d0-0348-4be4-a8d8-51031c2564f8 +RuleName = Potential Registry Persistence Attempt Via Windows Telemetry +EventType = Reg.Any +Tag = potential-registry-persistence-attempt-via-windows-telemetry RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\cmstp.exe" and (Image.Path like r"%\\PerfLogs\\%" or Image.Path like r"%\\ProgramData\\%" or Image.Path like r"%\\Users\\%" or Image.Path like r"%\\Windows\\Temp\\%" or Image.Path like r"%C:\\Temp\\%") and (Image.Path like r"%.dll" or Image.Path like r"%.ocx") -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1053.005"], "author": "Lednyov Alexey, oscd.community, Sreeman"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\%" and Reg.TargetObject like r"%\\Command" and (Reg.Value.Data like r"%.bat%" or Reg.Value.Data like r"%.bin%" or Reg.Value.Data like r"%.cmd%" or Reg.Value.Data like r"%.dat%" or Reg.Value.Data like r"%.dll%" or Reg.Value.Data like r"%.exe%" or Reg.Value.Data like r"%.hta%" or Reg.Value.Data like r"%.jar%" or Reg.Value.Data like r"%.js%" or Reg.Value.Data like r"%.msi%" or Reg.Value.Data like r"%.ps%" or Reg.Value.Data like r"%.sh%" or Reg.Value.Data like r"%.vb%") and not (Reg.Value.Data like r"%\\system32\\CompatTelRunner.exe%" or Reg.Value.Data like r"%\\system32\\DeviceCensus.exe%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule 
platform=Windows] -# Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive) -# Author: Florian Roth (Nextron Systems) -RuleId = e6c54d94-498c-4562-a37c-b469d8e9a275 -RuleName = Suspicious PowerShell Download and Execute Pattern +# Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe +# Author: Austin Songer (@austinsonger) +RuleId = 961e0abb-1b1e-4c84-a453-aafe56ad0d34 +RuleName = Execution via stordiag.exe EventType = Process.Start -Tag = proc-start-suspicious-powershell-download-and-execute-pattern +Tag = proc-start-execution-via-stordiag.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%IEX ((New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"%IEX (New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"%IEX((New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"%IEX(New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"% -command (New-Object System.Net.WebClient).DownloadFile(%" or Process.CommandLine like r"% -c (New-Object System.Net.WebClient).DownloadFile(%" +Annotation = {"mitre_attack": ["T1218"], "author": "Austin Songer (@austinsonger)"} +Query = Parent.Path like r"%\\stordiag.exe" and (Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\fltmc.exe") and not (Parent.Path like r"c:\\windows\\system32\\%" or Parent.Path like r"c:\\windows\\syswow64\\%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects scheduled task creations or modification on a suspicious schedule type -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 24c8392b-aa3c-46b7-a545-43f71657fe98 -RuleName = Suspicious Schtasks Schedule Types +# Detects command line 
parameters used by Hydra password guessing hack tool +# Author: Vasiliy Burov +RuleId = aaafa146-074c-11eb-adc1-0242ac120002 +RuleName = HackTool - Hydra Password Bruteforce Execution EventType = Process.Start -Tag = proc-start-suspicious-schtasks-schedule-types +Tag = proc-start-hacktool-hydra-password-bruteforce-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1053.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\schtasks.exe" or Process.Name == "schtasks.exe") and (Process.CommandLine like r"% ONLOGON %" or Process.CommandLine like r"% ONSTART %" or Process.CommandLine like r"% ONCE %" or Process.CommandLine like r"% ONIDLE %") and not (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM%" or Process.CommandLine like r"%HIGHEST%") +Annotation = {"mitre_attack": ["T1110", "T1110.001"], "author": "Vasiliy Burov"} +Query = Process.CommandLine like r"%-u %" and Process.CommandLine like r"%-p %" and (Process.CommandLine like r"%^USER^%" or Process.CommandLine like r"%^PASS^%") [ThreatDetectionRule platform=Windows] -# Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration. 
-# Author: frack113 -RuleId = 69ca006d-b9a9-47f5-80ff-ecd4d25d481a -RuleName = HackTool - TruffleSnout Execution -EventType = Process.Start -Tag = proc-start-hacktool-trufflesnout-execution +# Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64) +# Author: Christian Burkard (Nextron Systems) +RuleId = bdd8157d-8e85-4397-bb82-f06cc9c71dbb +RuleName = UAC Bypass Using IEInstal - File +EventType = File.Create +Tag = uac-bypass-using-ieinstal-file RiskScore = 75 -Annotation = {"mitre_attack": ["T1482"], "author": "frack113"} -Query = Process.Name == "TruffleSnout.exe" or Process.Path like r"%\\TruffleSnout.exe" +Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} +Query = Process.Path == "C:\\Program Files\\Internet Explorer\\IEInstal.exe" and File.Path like r"C:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Temp\\%" and File.Path like r"%consent.exe" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects Windows shells and scripting applications that write files to suspicious folders -# Author: Florian Roth (Nextron Systems) -RuleId = 1277f594-a7d1-4f28-a2d3-73af5cbeab43 -RuleName = Windows Shell/Scripting Application File Write to Suspicious Folder +# Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.). 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 4fc0deee-0057-4998-ab31-d24e46e0aba4 +RuleName = Potential System DLL Sideloading From Non System Locations +EventType = Image.Load +Tag = potential-system-dll-sideloading-from-non-system-locations +RiskScore = 75 +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Image.Path like r"%\\aclui.dll" or Image.Path like r"%\\activeds.dll" or Image.Path like r"%\\adsldpc.dll" or Image.Path like r"%\\aepic.dll" or Image.Path like r"%\\apphelp.dll" or Image.Path like r"%\\applicationframe.dll" or Image.Path like r"%\\appvpolicy.dll" or Image.Path like r"%\\appxalluserstore.dll" or Image.Path like r"%\\appxdeploymentclient.dll" or Image.Path like r"%\\archiveint.dll" or Image.Path like r"%\\atl.dll" or Image.Path like r"%\\audioses.dll" or Image.Path like r"%\\auditpolcore.dll" or Image.Path like r"%\\authfwcfg.dll" or Image.Path like r"%\\authz.dll" or Image.Path like r"%\\avrt.dll" or Image.Path like r"%\\batmeter.dll" or Image.Path like r"%\\bcd.dll" or Image.Path like r"%\\bcp47langs.dll" or Image.Path like r"%\\bcp47mrm.dll" or Image.Path like r"%\\bcrypt.dll" or Image.Path like r"%\\bderepair.dll" or Image.Path like r"%\\bootmenuux.dll" or Image.Path like r"%\\bootux.dll" or Image.Path like r"%\\cabinet.dll" or Image.Path like r"%\\cabview.dll" or Image.Path like r"%\\certcli.dll" or Image.Path like r"%\\certenroll.dll" or Image.Path like r"%\\cfgmgr32.dll" or Image.Path like r"%\\cldapi.dll" or Image.Path like r"%\\clipc.dll" or Image.Path like r"%\\clusapi.dll" or Image.Path like r"%\\cmpbk32.dll" or Image.Path like r"%\\cmutil.dll" or Image.Path like r"%\\coloradapterclient.dll" or Image.Path like r"%\\colorui.dll" or Image.Path like r"%\\comdlg32.dll" or Image.Path like r"%\\configmanager2.dll" or Image.Path like r"%\\connect.dll" or Image.Path like r"%\\coredplus.dll" or Image.Path like r"%\\coremessaging.dll" or Image.Path like 
r"%\\coreuicomponents.dll" or Image.Path like r"%\\credui.dll" or Image.Path like r"%\\cryptbase.dll" or Image.Path like r"%\\cryptdll.dll" or Image.Path like r"%\\cryptsp.dll" or Image.Path like r"%\\cryptui.dll" or Image.Path like r"%\\cryptxml.dll" or Image.Path like r"%\\cscapi.dll" or Image.Path like r"%\\cscobj.dll" or Image.Path like r"%\\cscui.dll" or Image.Path like r"%\\d2d1.dll" or Image.Path like r"%\\d3d10\_1.dll" or Image.Path like r"%\\d3d10\_1core.dll" or Image.Path like r"%\\d3d10.dll" or Image.Path like r"%\\d3d10core.dll" or Image.Path like r"%\\d3d10warp.dll" or Image.Path like r"%\\d3d11.dll" or Image.Path like r"%\\d3d12.dll" or Image.Path like r"%\\d3d9.dll" or Image.Path like r"%\\d3dx9\_43.dll" or Image.Path like r"%\\dataexchange.dll" or Image.Path like r"%\\davclnt.dll" or Image.Path like r"%\\dcntel.dll" or Image.Path like r"%\\dcomp.dll" or Image.Path like r"%\\defragproxy.dll" or Image.Path like r"%\\desktopshellext.dll" or Image.Path like r"%\\deviceassociation.dll" or Image.Path like r"%\\devicecredential.dll" or Image.Path like r"%\\devicepairing.dll" or Image.Path like r"%\\devobj.dll" or Image.Path like r"%\\devrtl.dll" or Image.Path like r"%\\dhcpcmonitor.dll" or Image.Path like r"%\\dhcpcsvc.dll" or Image.Path like r"%\\dhcpcsvc6.dll" or Image.Path like r"%\\directmanipulation.dll" or Image.Path like r"%\\dismapi.dll" or Image.Path like r"%\\dismcore.dll" or Image.Path like r"%\\dmcfgutils.dll" or Image.Path like r"%\\dmcmnutils.dll" or Image.Path like r"%\\dmcommandlineutils.dll" or Image.Path like r"%\\dmenrollengine.dll" or Image.Path like r"%\\dmenterprisediagnostics.dll" or Image.Path like r"%\\dmiso8601utils.dll" or Image.Path like r"%\\dmoleaututils.dll" or Image.Path like r"%\\dmprocessxmlfiltered.dll" or Image.Path like r"%\\dmpushproxy.dll" or Image.Path like r"%\\dmxmlhelputils.dll" or Image.Path like r"%\\dnsapi.dll" or Image.Path like r"%\\dot3api.dll" or Image.Path like r"%\\dot3cfg.dll" or Image.Path like 
r"%\\dpx.dll" or Image.Path like r"%\\drprov.dll" or Image.Path like r"%\\drvstore.dll" or Image.Path like r"%\\dsclient.dll" or Image.Path like r"%\\dsparse.dll" or Image.Path like r"%\\dsprop.dll" or Image.Path like r"%\\dsreg.dll" or Image.Path like r"%\\dsrole.dll" or Image.Path like r"%\\dui70.dll" or Image.Path like r"%\\duser.dll" or Image.Path like r"%\\dusmapi.dll" or Image.Path like r"%\\dwmapi.dll" or Image.Path like r"%\\dwmcore.dll" or Image.Path like r"%\\dwrite.dll" or Image.Path like r"%\\dxcore.dll" or Image.Path like r"%\\dxgi.dll" or Image.Path like r"%\\dxva2.dll" or Image.Path like r"%\\dynamoapi.dll" or Image.Path like r"%\\eappcfg.dll" or Image.Path like r"%\\eappprxy.dll" or Image.Path like r"%\\edgeiso.dll" or Image.Path like r"%\\edputil.dll" or Image.Path like r"%\\efsadu.dll" or Image.Path like r"%\\efsutil.dll" or Image.Path like r"%\\esent.dll" or Image.Path like r"%\\execmodelproxy.dll" or Image.Path like r"%\\explorerframe.dll" or Image.Path like r"%\\fastprox.dll" or Image.Path like r"%\\faultrep.dll" or Image.Path like r"%\\fddevquery.dll" or Image.Path like r"%\\feclient.dll" or Image.Path like r"%\\fhcfg.dll" or Image.Path like r"%\\fhsvcctl.dll" or Image.Path like r"%\\firewallapi.dll" or Image.Path like r"%\\flightsettings.dll" or Image.Path like r"%\\fltlib.dll" or Image.Path like r"%\\framedynos.dll" or Image.Path like r"%\\fveapi.dll" or Image.Path like r"%\\fveskybackup.dll" or Image.Path like r"%\\fvewiz.dll" or Image.Path like r"%\\fwbase.dll" or Image.Path like r"%\\fwcfg.dll" or Image.Path like r"%\\fwpolicyiomgr.dll" or Image.Path like r"%\\fwpuclnt.dll" or Image.Path like r"%\\fxsapi.dll" or Image.Path like r"%\\fxsst.dll" or Image.Path like r"%\\fxstiff.dll" or Image.Path like r"%\\getuname.dll" or Image.Path like r"%\\gpapi.dll" or Image.Path like r"%\\hid.dll" or Image.Path like r"%\\hnetmon.dll" or Image.Path like r"%\\httpapi.dll" or Image.Path like r"%\\icmp.dll" or Image.Path like r"%\\idstore.dll" or 
Image.Path like r"%\\ieadvpack.dll" or Image.Path like r"%\\iedkcs32.dll" or Image.Path like r"%\\iernonce.dll" or Image.Path like r"%\\iertutil.dll" or Image.Path like r"%\\ifmon.dll" or Image.Path like r"%\\ifsutil.dll" or Image.Path like r"%\\inproclogger.dll" or Image.Path like r"%\\iphlpapi.dll" or Image.Path like r"%\\iri.dll" or Image.Path like r"%\\iscsidsc.dll" or Image.Path like r"%\\iscsium.dll" or Image.Path like r"%\\isv.exe\_rsaenh.dll" or Image.Path like r"%\\iumbase.dll" or Image.Path like r"%\\iumsdk.dll" or Image.Path like r"%\\joinutil.dll" or Image.Path like r"%\\kdstub.dll" or Image.Path like r"%\\ksuser.dll" or Image.Path like r"%\\ktmw32.dll" or Image.Path like r"%\\licensemanagerapi.dll" or Image.Path like r"%\\licensingdiagspp.dll" or Image.Path like r"%\\linkinfo.dll" or Image.Path like r"%\\loadperf.dll" or Image.Path like r"%\\lockhostingframework.dll" or Image.Path like r"%\\logoncli.dll" or Image.Path like r"%\\logoncontroller.dll" or Image.Path like r"%\\lpksetupproxyserv.dll" or Image.Path like r"%\\lrwizdll.dll" or Image.Path like r"%\\magnification.dll" or Image.Path like r"%\\maintenanceui.dll" or Image.Path like r"%\\mapistub.dll" or Image.Path like r"%\\mbaexmlparser.dll" or Image.Path like r"%\\mdmdiagnostics.dll" or Image.Path like r"%\\mfc42u.dll" or Image.Path like r"%\\mfcore.dll" or Image.Path like r"%\\mfplat.dll" or Image.Path like r"%\\mi.dll" or Image.Path like r"%\\midimap.dll" or Image.Path like r"%\\mintdh.dll" or Image.Path like r"%\\miutils.dll" or Image.Path like r"%\\mlang.dll" or Image.Path like r"%\\mmdevapi.dll" or Image.Path like r"%\\mobilenetworking.dll" or Image.Path like r"%\\mpr.dll" or Image.Path like r"%\\mprapi.dll" or Image.Path like r"%\\mrmcorer.dll" or Image.Path like r"%\\msacm32.dll" or Image.Path like r"%\\mscms.dll" or Image.Path like r"%\\mscoree.dll" or Image.Path like r"%\\msctf.dll" or Image.Path like r"%\\msctfmonitor.dll" or Image.Path like r"%\\msdrm.dll" or Image.Path like 
r"%\\msdtctm.dll" or Image.Path like r"%\\msftedit.dll" or Image.Path like r"%\\msi.dll" or Image.Path like r"%\\msiso.dll" or Image.Path like r"%\\msutb.dll" or Image.Path like r"%\\msvcp110\_win.dll" or Image.Path like r"%\\mswb7.dll" or Image.Path like r"%\\mswsock.dll" or Image.Path like r"%\\msxml3.dll" or Image.Path like r"%\\mtxclu.dll" or Image.Path like r"%\\napinsp.dll" or Image.Path like r"%\\ncrypt.dll" or Image.Path like r"%\\ndfapi.dll" or Image.Path like r"%\\netapi32.dll" or Image.Path like r"%\\netid.dll" or Image.Path like r"%\\netiohlp.dll" or Image.Path like r"%\\netjoin.dll" or Image.Path like r"%\\netplwiz.dll" or Image.Path like r"%\\netprofm.dll" or Image.Path like r"%\\netprovfw.dll" or Image.Path like r"%\\netsetupapi.dll" or Image.Path like r"%\\netshell.dll" or Image.Path like r"%\\nettrace.dll" or Image.Path like r"%\\netutils.dll" or Image.Path like r"%\\networkexplorer.dll" or Image.Path like r"%\\newdev.dll" or Image.Path like r"%\\ninput.dll" or Image.Path like r"%\\nlaapi.dll" or Image.Path like r"%\\nlansp\_c.dll" or Image.Path like r"%\\npmproxy.dll" or Image.Path like r"%\\nshhttp.dll" or Image.Path like r"%\\nshipsec.dll" or Image.Path like r"%\\nshwfp.dll" or Image.Path like r"%\\ntdsapi.dll" or Image.Path like r"%\\ntlanman.dll" or Image.Path like r"%\\ntlmshared.dll" or Image.Path like r"%\\ntmarta.dll" or Image.Path like r"%\\ntshrui.dll" or Image.Path like r"%\\oleacc.dll" or Image.Path like r"%\\omadmapi.dll" or Image.Path like r"%\\onex.dll" or Image.Path like r"%\\opcservices.dll" or Image.Path like r"%\\osbaseln.dll" or Image.Path like r"%\\osksupport.dll" or Image.Path like r"%\\osuninst.dll" or Image.Path like r"%\\p2p.dll" or Image.Path like r"%\\p2pnetsh.dll" or Image.Path like r"%\\p9np.dll" or Image.Path like r"%\\pcaui.dll" or Image.Path like r"%\\pdh.dll" or Image.Path like r"%\\peerdistsh.dll" or Image.Path like r"%\\pkeyhelper.dll" or Image.Path like r"%\\pla.dll" or Image.Path like r"%\\playsndsrv.dll" or 
Image.Path like r"%\\pnrpnsp.dll" or Image.Path like r"%\\policymanager.dll" or Image.Path like r"%\\polstore.dll" or Image.Path like r"%\\powrprof.dll" or Image.Path like r"%\\printui.dll" or Image.Path like r"%\\prntvpt.dll" or Image.Path like r"%\\profapi.dll" or Image.Path like r"%\\propsys.dll" or Image.Path like r"%\\proximitycommon.dll" or Image.Path like r"%\\proximityservicepal.dll" or Image.Path like r"%\\prvdmofcomp.dll" or Image.Path like r"%\\puiapi.dll" or Image.Path like r"%\\radcui.dll" or Image.Path like r"%\\rasapi32.dll" or Image.Path like r"%\\rasdlg.dll" or Image.Path like r"%\\rasgcw.dll" or Image.Path like r"%\\rasman.dll" or Image.Path like r"%\\rasmontr.dll" or Image.Path like r"%\\reagent.dll" or Image.Path like r"%\\regapi.dll" or Image.Path like r"%\\reseteng.dll" or Image.Path like r"%\\resetengine.dll" or Image.Path like r"%\\resutils.dll" or Image.Path like r"%\\rmclient.dll" or Image.Path like r"%\\rpcnsh.dll" or Image.Path like r"%\\rsaenh.dll" or Image.Path like r"%\\rtutils.dll" or Image.Path like r"%\\rtworkq.dll" or Image.Path like r"%\\samcli.dll" or Image.Path like r"%\\samlib.dll" or Image.Path like r"%\\sapi\_onecore.dll" or Image.Path like r"%\\sas.dll" or Image.Path like r"%\\scansetting.dll" or Image.Path like r"%\\scecli.dll" or Image.Path like r"%\\schedcli.dll" or Image.Path like r"%\\secur32.dll" or Image.Path like r"%\\security.dll" or Image.Path like r"%\\sensapi.dll" or Image.Path like r"%\\shell32.dll" or Image.Path like r"%\\shfolder.dll" or Image.Path like r"%\\slc.dll" or Image.Path like r"%\\snmpapi.dll" or Image.Path like r"%\\spectrumsyncclient.dll" or Image.Path like r"%\\spp.dll" or Image.Path like r"%\\sppc.dll" or Image.Path like r"%\\sppcext.dll" or Image.Path like r"%\\srclient.dll" or Image.Path like r"%\\srcore.dll" or Image.Path like r"%\\srmtrace.dll" or Image.Path like r"%\\srpapi.dll" or Image.Path like r"%\\srvcli.dll" or Image.Path like r"%\\ssp\_isv.exe\_rsaenh.dll" or Image.Path like 
r"%\\ssp.exe\_rsaenh.dll" or Image.Path like r"%\\sspicli.dll" or Image.Path like r"%\\ssshim.dll" or Image.Path like r"%\\staterepository.core.dll" or Image.Path like r"%\\structuredquery.dll" or Image.Path like r"%\\sxshared.dll" or Image.Path like r"%\\systemsettingsthresholdadminflowui.dll" or Image.Path like r"%\\tapi32.dll" or Image.Path like r"%\\tbs.dll" or Image.Path like r"%\\tdh.dll" or Image.Path like r"%\\textshaping.dll" or Image.Path like r"%\\timesync.dll" or Image.Path like r"%\\tpmcoreprovisioning.dll" or Image.Path like r"%\\tquery.dll" or Image.Path like r"%\\tsworkspace.dll" or Image.Path like r"%\\ttdrecord.dll" or Image.Path like r"%\\twext.dll" or Image.Path like r"%\\twinapi.dll" or Image.Path like r"%\\twinui.appcore.dll" or Image.Path like r"%\\uianimation.dll" or Image.Path like r"%\\uiautomationcore.dll" or Image.Path like r"%\\uireng.dll" or Image.Path like r"%\\uiribbon.dll" or Image.Path like r"%\\umpdc.dll" or Image.Path like r"%\\unattend.dll" or Image.Path like r"%\\updatepolicy.dll" or Image.Path like r"%\\upshared.dll" or Image.Path like r"%\\urlmon.dll" or Image.Path like r"%\\userenv.dll" or Image.Path like r"%\\utildll.dll" or Image.Path like r"%\\uxinit.dll" or Image.Path like r"%\\uxtheme.dll" or Image.Path like r"%\\vaultcli.dll" or Image.Path like r"%\\vdsutil.dll" or Image.Path like r"%\\version.dll" or Image.Path like r"%\\virtdisk.dll" or Image.Path like r"%\\vssapi.dll" or Image.Path like r"%\\vsstrace.dll" or Image.Path like r"%\\wbemprox.dll" or Image.Path like r"%\\wbemsvc.dll" or Image.Path like r"%\\wcmapi.dll" or Image.Path like r"%\\wcnnetsh.dll" or Image.Path like r"%\\wdi.dll" or Image.Path like r"%\\wdscore.dll" or Image.Path like r"%\\webservices.dll" or Image.Path like r"%\\wecapi.dll" or Image.Path like r"%\\wer.dll" or Image.Path like r"%\\wevtapi.dll" or Image.Path like r"%\\whhelper.dll" or Image.Path like r"%\\wimgapi.dll" or Image.Path like r"%\\winbio.dll" or Image.Path like r"%\\winbrand.dll" or 
Image.Path like r"%\\windows.storage.dll" or Image.Path like r"%\\windows.storage.search.dll" or Image.Path like r"%\\windows.ui.immersive.dll" or Image.Path like r"%\\windowscodecs.dll" or Image.Path like r"%\\windowscodecsext.dll" or Image.Path like r"%\\windowsudk.shellcommon.dll" or Image.Path like r"%\\winhttp.dll" or Image.Path like r"%\\wininet.dll" or Image.Path like r"%\\winipsec.dll" or Image.Path like r"%\\winmde.dll" or Image.Path like r"%\\winmm.dll" or Image.Path like r"%\\winnsi.dll" or Image.Path like r"%\\winrnr.dll" or Image.Path like r"%\\winscard.dll" or Image.Path like r"%\\winsqlite3.dll" or Image.Path like r"%\\winsta.dll" or Image.Path like r"%\\winsync.dll" or Image.Path like r"%\\wkscli.dll" or Image.Path like r"%\\wlanapi.dll" or Image.Path like r"%\\wlancfg.dll" or Image.Path like r"%\\wldp.dll" or Image.Path like r"%\\wlidprov.dll" or Image.Path like r"%\\wmiclnt.dll" or Image.Path like r"%\\wmidcom.dll" or Image.Path like r"%\\wmiutils.dll" or Image.Path like r"%\\wmpdui.dll" or Image.Path like r"%\\wmsgapi.dll" or Image.Path like r"%\\wofutil.dll" or Image.Path like r"%\\wpdshext.dll" or Image.Path like r"%\\wscapi.dll" or Image.Path like r"%\\wsdapi.dll" or Image.Path like r"%\\wshbth.dll" or Image.Path like r"%\\wshelper.dll" or Image.Path like r"%\\wsmsvc.dll" or Image.Path like r"%\\wtsapi32.dll" or Image.Path like r"%\\wwancfg.dll" or Image.Path like r"%\\wwapi.dll" or Image.Path like r"%\\xmllite.dll" or Image.Path like r"%\\xolehlp.dll" or Image.Path like r"%\\xpsservices.dll" or Image.Path like r"%\\xwizards.dll" or Image.Path like r"%\\xwtpw32.dll" or Image.Path like r"%\\amsi.dll" or Image.Path like r"%\\appraiser.dll" or Image.Path like r"%\\COMRES.DLL" or Image.Path like r"%\\cryptnet.dll" or Image.Path like r"%\\DispBroker.dll" or Image.Path like r"%\\dsound.dll" or Image.Path like r"%\\dxilconv.dll" or Image.Path like r"%\\FxsCompose.dll" or Image.Path like r"%\\FXSRESM.DLL" or Image.Path like r"%\\msdtcVSp1res.dll" or 
Image.Path like r"%\\PrintIsolationProxy.dll" or Image.Path like r"%\\rdpendp.dll" or Image.Path like r"%\\rpchttp.dll" or Image.Path like r"%\\storageusage.dll" or Image.Path like r"%\\utcutil.dll" or Image.Path like r"%\\WfsR.dll" or Image.Path like r"%\\igd10iumd64.dll" or Image.Path like r"%\\igd12umd64.dll" or Image.Path like r"%\\igdumdim64.dll" or Image.Path like r"%\\igdusc64.dll" or Image.Path like r"%\\TSMSISrv.dll" or Image.Path like r"%\\TSVIPSrv.dll" or Image.Path like r"%\\wbemcomn.dll" or Image.Path like r"%\\WLBSCTRL.dll" or Image.Path like r"%\\wow64log.dll" or Image.Path like r"%\\WptsExtensions.dll") and not (Image.Path like r"%C:\\$WINDOWS.~BT\\%" or Image.Path like r"%C:\\$WinREAgent\\%" or Image.Path like r"%C:\\Windows\\SoftwareDistribution\\%" or Image.Path like r"%C:\\Windows\\System32\\%" or Image.Path like r"%C:\\Windows\\SystemTemp\\%" or Image.Path like r"%C:\\Windows\\SysWOW64\\%" or Image.Path like r"%C:\\Windows\\WinSxS\\%" or Image.Path like r"C:\\Windows\\Microsoft.NET\\%" and Image.Path like r"%\\cscui.dll" or Image.Path like r"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\%" and Image.Path like r"%\\version.dll" or Image.Path like r"C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime\_%" and Image.Path like r"%\\d3dx9\_43.dll") and not (Image.Path like r"C:\\Program Files\\Microsoft\\Exchange Server\\%" and Image.Path like r"%\\mswb7.dll" or Image.Path like r"C:\\Program Files\\Arsenal-Image-Mounter-%" and (Image.Path like r"%\\mi.dll" or Image.Path like r"%\\miutils.dl") or Process.Path == "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" and Image.Path == "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" or Image.Path like r"C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\%" or (Process.Path like r"%C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs%" or Process.Path like 
r"%C:\\Windows\\System32\\backgroundTaskHost.exe%") and Image.Path like r"C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs%" or Process.Path like r"C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs%" and Process.Path like r"%\\wldp.dll" or (Process.Path like r"C:\\Program Files\\CheckPoint\\%" or Process.Path like r"C:\\Program Files (x86)\\CheckPoint\\%") and Process.Path like r"%\\SmartConsole.exe" and (Image.Path like r"C:\\Program Files\\CheckPoint\\%" or Image.Path like r"C:\\Program Files (x86)\\CheckPoint\\%") and Image.Path like r"%\\PolicyManager.dll") +GenericProperty1 = Image.Path + + +[ThreatDetectionRule platform=Windows] +# Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. +# Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. +# Author: frack113 +RuleId = 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9 +RuleName = Creation Exe for Service with Unquoted Path EventType = File.Create -Tag = windows-shell/scripting-application-file-write-to-suspicious-folder +Tag = creation-exe-for-service-with-unquoted-path RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\bash.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\msbuild.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\wscript.exe") and (File.Path like r"C:\\PerfLogs\\%" or File.Path like r"C:\\Users\\Public\\%") or (Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\wmic.exe") and 
(File.Path like r"%C:\\PerfLogs\\%" or File.Path like r"%C:\\Users\\Public\\%" or File.Path like r"%C:\\Windows\\Temp\\%") +Annotation = {"mitre_attack": ["T1547.009"], "author": "frack113"} +Query = File.Path == "C:\\program.exe" GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects a suspicious program execution in Outlook temp folder +# Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials. # Author: Florian Roth (Nextron Systems) -RuleId = a018fdc3-46a3-44e5-9afb-2cd4af1d4b39 -RuleName = Suspicious Execution From Outlook Temporary Folder -EventType = Process.Start -Tag = proc-start-suspicious-execution-from-outlook-temporary-folder +RuleId = a5a2d357-1ab8-4675-a967-ef9990a59391 +RuleName = LSASS Process Memory Dump Files +EventType = File.Create +Tag = lsass-process-memory-dump-files RiskScore = 75 -Annotation = {"mitre_attack": ["T1566.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\Temporary Internet Files\\Content.Outlook\\%" +Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = File.Path like r"%\\Andrew.dmp" or File.Path like r"%\\Coredump.dmp" or File.Path like r"%\\lsass.dmp" or File.Path like r"%\\lsass.rar" or File.Path like r"%\\lsass.zip" or File.Path like r"%\\NotLSASS.zip" or File.Path like r"%\\PPLBlade.dmp" or File.Path like r"%\\rustive.dmp" or File.Path like r"%\\lsass\_2%" or File.Path like r"%\\lsassdmp%" or File.Path like r"%\\lsassdump%" or File.Path like r"%\\lsass%" and File.Path like r"%.dmp%" or File.Path like r"%SQLDmpr%" and File.Path like r"%.mdmp" or (File.Path like r"%\\nanodump%" or File.Path like r"%\\proc\_%") and File.Path like r"%.dmp" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects using WorkFolders.exe to execute an arbitrary control.exe -# Author: Maxime Thiebaut (@0xThiebaut) -RuleId 
= 0bbc6369-43e3-453d-9944-cae58821c173 -RuleName = Execution via WorkFolders.exe -EventType = Process.Start -Tag = proc-start-execution-via-workfolders.exe +# Detects default lsass dump filename generated by SafetyKatz. +# Author: Markus Neis +RuleId = e074832a-eada-4fd7-94a1-10642b130e16 +RuleName = HackTool - SafetyKatz Dump Indicator +EventType = File.Create +Tag = hacktool-safetykatz-dump-indicator RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Maxime Thiebaut (@0xThiebaut)"} -Query = Process.Path like r"%\\control.exe" and Parent.Path like r"%\\WorkFolders.exe" and not Process.Path == "C:\\Windows\\System32\\control.exe" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1003.001"], "author": "Markus Neis"} +Query = File.Path like r"%\\Temp\\debug.bin" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines. -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 69bd9b97-2be2-41b6-9816-fb08757a4d1a -RuleName = Potentially Suspicious Execution From Parent Process In Public Folder +# Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = ba4cfc11-d0fa-4d94-bf20-7c332c412e76 +RuleName = Potentially Suspicious DLL Registered Via Odbcconf.EXE EventType = Process.Start -Tag = proc-start-potentially-suspicious-execution-from-parent-process-in-public-folder +Tag = proc-start-potentially-suspicious-dll-registered-via-odbcconf.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1564", "T1059"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = Parent.Path like r"%:\\Users\\Public\\%" and (Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Process.CommandLine like r"%bitsadmin%" or Process.CommandLine like r"%certutil%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%wscript%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1218.008"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\odbcconf.exe" or Process.Name == "odbcconf.exe") and Process.CommandLine like r"%REGSVR %" and not Process.CommandLine like r"%.dll%" [ThreatDetectionRule platform=Windows] -# Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. -# Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. 
-# Author: frack113 -RuleId = 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9 -RuleName = Creation Exe for Service with Unquoted Path -EventType = File.Create -Tag = creation-exe-for-service-with-unquoted-path +# Attempts to detect system changes made by Blue Mockingbird +# Author: Trent Liffick (@tliffick) +RuleId = 92b0b372-a939-44ed-a11b-5136cf680e27 +RuleName = Blue Mockingbird - Registry +EventType = Reg.Any +Tag = blue-mockingbird-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.009"], "author": "frack113"} -Query = File.Path == "C:\\program.exe" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1112", "T1047"], "author": "Trent Liffick (@tliffick)"} +Query = Reg.TargetObject like r"%\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects usage of bitsadmin downloading a file with a suspicious extension -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200 -RuleName = File With Suspicious Extension Downloaded Via Bitsadmin -EventType = Process.Start -Tag = proc-start-file-with-suspicious-extension-downloaded-via-bitsadmin +# Detects files written by the different tools that exploit HiveNightmare +# Author: Florian Roth (Nextron Systems) +RuleId = 6ea858a8-ba71-4a12-b2cc-5d83312404c7 +RuleName = HackTool - Typical HiveNightmare SAM File Export +EventType = File.Create +Tag = hacktool-typical-hivenightmare-sam-file-export RiskScore = 75 -Annotation = {"mitre_attack": ["T1197", "T1036.003"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\bitsadmin.exe" or Process.Name == "bitsadmin.exe") and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%.7z%" or Process.CommandLine 
like r"%.asax%" or Process.CommandLine like r"%.ashx%" or Process.CommandLine like r"%.asmx%" or Process.CommandLine like r"%.asp%" or Process.CommandLine like r"%.aspx%" or Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.cfm%" or Process.CommandLine like r"%.cgi%" or Process.CommandLine like r"%.chm%" or Process.CommandLine like r"%.cmd%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.jsp%" or Process.CommandLine like r"%.jspx%" or Process.CommandLine like r"%.log%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.ps1%" or Process.CommandLine like r"%.psm1%" or Process.CommandLine like r"%.rar%" or Process.CommandLine like r"%.scf%" or Process.CommandLine like r"%.sct%" or Process.CommandLine like r"%.txt%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.vbs%" or Process.CommandLine like r"%.war%" or Process.CommandLine like r"%.wsf%" or Process.CommandLine like r"%.wsh%" or Process.CommandLine like r"%.xll%" or Process.CommandLine like r"%.zip%") +Annotation = {"mitre_attack": ["T1552.001"], "author": "Florian Roth (Nextron Systems)"} +Query = File.Path like r"%\\hive\_sam\_%" or File.Path like r"%\\SAM-2021-%" or File.Path like r"%\\SAM-2022-%" or File.Path like r"%\\SAM-2023-%" or File.Path like r"%\\SAM-haxx%" or File.Path like r"%\\Sam.save%" or File.Path == "C:\\windows\\temp\\sam" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service +# Detects a ping command that uses a hex encoded IP address # Author: Florian Roth (Nextron Systems) -RuleId = cd8c163e-a19b-402e-bdd5-419ff5859f12 -RuleName = HackTool - ADCSPwn Execution +RuleId = 
1a0d4aba-7668-4365-9ce4-6d79ab088dfd +RuleName = Ping Hex IP EventType = Process.Start -Tag = proc-start-hacktool-adcspwn-execution +Tag = proc-start-ping-hex-ip RiskScore = 75 -Annotation = {"mitre_attack": ["T1557.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"% --adcs %" and Process.CommandLine like r"% --port %" +Annotation = {"mitre_attack": ["T1140", "T1027"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\ping.exe" and Process.CommandLine like r"%0x%" [ThreatDetectionRule platform=Windows] -# Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = d047726b-c71c-4048-a99b-2e2f50dc107d -RuleName = Kavremover Dropped Binary LOLBIN Usage +# Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process +# Author: Markus Neis +RuleId = ed5d72a6-f8f4-479d-ba79-02f6a80d7471 +RuleName = Potential LethalHTA Technique Execution EventType = Process.Start -Tag = proc-start-kavremover-dropped-binary-lolbin-usage +Tag = proc-start-potential-lethalhta-technique-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1127"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"% run run-cmd %" and not (Parent.Path like r"%\\cleanapi.exe" or Parent.Path like r"%\\kavremover.exe") +Annotation = {"mitre_attack": ["T1218.005"], "author": "Markus Neis"} +Query = Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mshta.exe" GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence -# Author: Cedric MAURUGEON -RuleId = 0a1f9d29-6465-4776-b091-7f43b26e4c89 -RuleName = Prefetch File Deleted -EventType = File.Delete -Tag = 
prefetch-file-deleted +# Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8 +RuleName = Suspicious New Service Creation +EventType = Process.Start +Tag = proc-start-suspicious-new-service-creation RiskScore = 75 -Annotation = {"mitre_attack": ["T1070.004"], "author": "Cedric MAURUGEON"} -Query = File.Path like r"%:\\Windows\\Prefetch\\%" and File.Path like r"%.pf" and not (Process.Path like r"%:\\windows\\system32\\svchost.exe" and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%")) -GenericProperty1 = Process.User -GenericProperty2 = File.Path +Annotation = {"mitre_attack": ["T1543.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%binPath=%" or Process.CommandLine like r"%New-Service%" and Process.CommandLine like r"%-BinaryPathName%") and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%svchost%" or Process.CommandLine like r"%dllhost%" or Process.CommandLine like r"%cmd %" or Process.CommandLine like r"%cmd.exe /c%" or Process.CommandLine like r"%cmd.exe /k%" or Process.CommandLine like r"%cmd.exe /r%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%C:\\Users\\Public%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%" or Process.CommandLine like r"%C:\\Windows\\TEMP\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%") [ThreatDetectionRule platform=Windows] -# Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the 
automatic loading of any configured VBA project/module -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 396ae3eb-4174-4b9b-880e-dc0364d78a19 -RuleName = Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting +# Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". +# Author: Swachchhanda Shrawan Poudel +RuleId = 7021255e-5db3-4946-a8b9-0ba7a4644a69 +RuleName = Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG EventType = Reg.Any -Tag = potential-persistence-via-outlook-loadmacroprovideronboot-setting +Tag = potential-provisioning-registry-key-abuse-for-binary-proxy-execution-reg RiskScore = 75 -Annotation = {"mitre_attack": ["T1137", "T1008", "T1546"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Outlook\\LoadMacroProviderOnBoot" and Reg.Value.Data like r"%0x00000001%" +Annotation = {"mitre_attack": ["T1218"], "author": "Swachchhanda Shrawan Poudel"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\%" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# The Devtoolslauncher.exe executes other binary -# Author: Beyu Denis, oscd.community (rule), @_felamos (idea) -RuleId = cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6 -RuleName = Devtoolslauncher.exe Executes Specified Binary -EventType = Process.Start -Tag = proc-start-devtoolslauncher.exe-executes-specified-binary +# Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. +# Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet. 
+# Author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale +RuleId = 17e53739-a1fc-4a62-b1b9-87711c2d5e44 +RuleName = Python Function Execution Security Warning Disabled In Excel - Registry +EventType = Reg.Any +Tag = python-function-execution-security-warning-disabled-in-excel-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)"} -Query = Process.Path like r"%\\devtoolslauncher.exe" and Process.CommandLine like r"%LaunchForDeploy%" +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems), @Kostastsale"} +Query = Reg.TargetObject like r"%\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Excel\\Security\\PythonFunctionWarnings" and Reg.Value.Data == "DWORD (0x00000001)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2 -RuleName = Kernel Memory Dump Via LiveKD -EventType = Process.Start -Tag = proc-start-kernel-memory-dump-via-livekd +# Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration. 
+# Author: Florian Roth (Nextron Systems) +RuleId = 3a8da4e0-36c1-40d2-8b29-b3e890d5172a +RuleName = NTDS Exfiltration Filename Patterns +EventType = File.Create +Tag = ntds-exfiltration-filename-patterns RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\livekd.exe" or Process.Path like r"%\\livekd64.exe" or Process.Name == "livekd.exe") and (Process.CommandLine like r"% -m%" or Process.CommandLine like r"% /m%" or Process.CommandLine like r"% –m%" or Process.CommandLine like r"% —m%" or Process.CommandLine like r"% ―m%") +Annotation = {"mitre_attack": ["T1003.003"], "author": "Florian Roth (Nextron Systems)"} +Query = File.Path like r"%\\All.cab" or File.Path like r"%.ntds.cleartext" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the creation of scheduled tasks that involves a temporary folder and runs only once -# Author: Florian Roth (Nextron Systems) -RuleId = 39019a4e-317f-4ce3-ae63-309a8c6b53c5 -RuleName = Suspicious Scheduled Task Creation Involving Temp Folder +# Detects the execution of a specific OneLiner to download and execute powershell modules in memory. 
+# Author: @Kostastsale, @TheDFIRReport +RuleId = 44e24481-6202-4c62-9127-5a0ae8e3fe3d +RuleName = Obfuscated PowerShell OneLiner Execution EventType = Process.Start -Tag = proc-start-suspicious-scheduled-task-creation-involving-temp-folder +Tag = proc-start-obfuscated-powershell-oneliner-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1053.005"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %" and Process.CommandLine like r"% /sc once %" and Process.CommandLine like r"%\\Temp\\%" +Annotation = {"mitre_attack": ["T1059.001", "T1562.001"], "author": "@Kostastsale, @TheDFIRReport"} +Query = Process.Path like r"%\\powershell.exe" and Process.CommandLine like r"%http://127.0.0.1%" and Process.CommandLine like r"%\%{(IRM $\_)}%" and Process.CommandLine like r"%.SubString.ToString()[67,72,64]-Join%" and Process.CommandLine like r"%Import-Module%" [ThreatDetectionRule platform=Windows] -# Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature. 
+# Detects potentially suspicious file download from file sharing domains using curl.exe # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 7f2954d2-99c2-4d42-a065-ca36740f187b -RuleName = Hypervisor Enforced Paging Translation Disabled -EventType = Reg.Any -Tag = hypervisor-enforced-paging-translation-disabled +RuleId = 56454143-524f-49fb-b1c6-3fb8b1ad41fb +RuleName = Suspicious File Download From File Sharing Domain Via Curl.EXE +EventType = Process.Start +Tag = proc-start-suspicious-file-download-from-file-sharing-domain-via-curl.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\DisableHypervisorEnforcedPagingTranslation" and Reg.Value.Data == "DWORD (0x00000001)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\curl.exe" or Process.Name == "curl.exe") and (Process.CommandLine like r"%.githubusercontent.com%" or Process.CommandLine like r"%anonfiles.com%" or Process.CommandLine like r"%cdn.discordapp.com%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%dl.dropboxusercontent.com%" or Process.CommandLine like r"%ghostbin.co%" or Process.CommandLine like r"%glitch.me%" or Process.CommandLine like r"%gofile.io%" or Process.CommandLine like r"%hastebin.com%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like r"%mega.nz%" or Process.CommandLine like r"%onrender.com%" or Process.CommandLine like r"%pages.dev%" or Process.CommandLine like r"%paste.ee%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%pastebin.pl%" or Process.CommandLine like r"%pastetext.net%" or Process.CommandLine like r"%pixeldrain.com%" or Process.CommandLine like r"%privatlab.com%" or Process.CommandLine like r"%privatlab.net%" or Process.CommandLine like 
r"%send.exploit.in%" or Process.CommandLine like r"%sendspace.com%" or Process.CommandLine like r"%storage.googleapis.com%" or Process.CommandLine like r"%storjshare.io%" or Process.CommandLine like r"%supabase.co%" or Process.CommandLine like r"%temp.sh%" or Process.CommandLine like r"%transfer.sh%" or Process.CommandLine like r"%trycloudflare.com%" or Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%w3spaces.com%" or Process.CommandLine like r"%workers.dev%") and Process.CommandLine like r"%http%" and (Process.CommandLine like r"% -O%" or Process.CommandLine like r"%--remote-name%" or Process.CommandLine like r"%--output%") and (Process.CommandLine like r"%.ps1" or Process.CommandLine like r"%.ps1'" or Process.CommandLine like r"%.ps1\"" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.dat'" or Process.CommandLine like r"%.dat\"" or Process.CommandLine like r"%.msi" or Process.CommandLine like r"%.msi'" or Process.CommandLine like r"%.msi\"" or Process.CommandLine like r"%.bat" or Process.CommandLine like r"%.bat'" or Process.CommandLine like r"%.bat\"" or Process.CommandLine like r"%.exe" or Process.CommandLine like r"%.exe'" or Process.CommandLine like r"%.exe\"" or Process.CommandLine like r"%.vbs" or Process.CommandLine like r"%.vbs'" or Process.CommandLine like r"%.vbs\"" or Process.CommandLine like r"%.vbe" or Process.CommandLine like r"%.vbe'" or Process.CommandLine like r"%.vbe\"" or Process.CommandLine like r"%.hta" or Process.CommandLine like r"%.hta'" or Process.CommandLine like r"%.hta\"" or Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.dll'" or Process.CommandLine like r"%.dll\"" or Process.CommandLine like r"%.psm1" or Process.CommandLine like r"%.psm1'" or Process.CommandLine like r"%.psm1\"") [ThreatDetectionRule platform=Windows] 
@@ -2593,718 +2623,681 @@ Query = (Process.Path like r"%\\createdump.exe" or Process.Name == "FX\_VER\_INT [ThreatDetectionRule platform=Windows] -# Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' -# Author: Omkar Gudhate -RuleId = 07743f65-7ec9-404a-a519-913db7118a8d -RuleName = COM Hijack via Sdclt -EventType = Reg.Any -Tag = com-hijack-via-sdclt +# Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens) +# Author: Max Altgelt (Nextron Systems) +RuleId = 8a4519e8-e64a-40b6-ae85-ba8ad2177559 +RuleName = Renamed BrowserCore.EXE Execution +EventType = Process.Start +Tag = proc-start-renamed-browsercore.exe-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1546", "T1548"], "author": "Omkar Gudhate"} -Query = Reg.TargetObject like r"%\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1528", "T1036.003"], "author": "Max Altgelt (Nextron Systems)"} +Query = Process.Name == "BrowserCore.exe" and not Process.Path like r"%\\BrowserCore.exe" [ThreatDetectionRule platform=Windows] -# Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190) -# Author: Nextron Systems, @Kostastsale -RuleId = f3d39c45-de1a-4486-a687-ab126124f744 -RuleName = Sdiagnhost Calling Suspicious Child Process -EventType = Process.Start -Tag = proc-start-sdiagnhost-calling-suspicious-child-process +# Detects the creation of a office macro file from a a suspicious process +# Author: frack113, Nasreddine Bencherchali (Nextron Systems) +RuleId = b1c50487-1967-4315-a026-6491686d860e +RuleName = Office Macro File Creation From Suspicious Process +EventType = File.Create +Tag = office-macro-file-creation-from-suspicious-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1036", "T1218"], "author": "Nextron Systems, @Kostastsale"} -Query = Parent.Path like r"%\\sdiagnhost.exe" and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\taskkill.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\calc.exe") and not (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%bits%" or Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%-noprofile -" or Process.CommandLine like r"%-noprofile")) +Annotation = {"mitre_attack": ["T1566.001"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\regsvr32.exe" or Parent.Path like r"%\\rundll32.exe" or Parent.Path like r"%\\wscript.exe") and (File.Path like r"%.docm" or File.Path like r"%.dotm" or File.Path like r"%.xlsm" or File.Path like r"%.xltm" or File.Path 
like r"%.potm" or File.Path like r"%.pptm") GenericProperty1 = Parent.Path +GenericProperty2 = File.Path [ThreatDetectionRule platform=Windows] -# Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. -# This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. -# Author: Janantha Marasinghe (https://github.com/blueteam0ps) -RuleId = 0a13e132-651d-11eb-ae93-0242ac130002 -RuleName = Audit Policy Tampering Via Auditpol +# Files with well-known filenames (sensitive files with credential data) copying +# Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community +RuleId = e7be6119-fc37-43f0-ad4f-1f3f99be2f9f +RuleName = Copying Sensitive Files with Credential Data EventType = Process.Start -Tag = proc-start-audit-policy-tampering-via-auditpol +Tag = proc-start-copying-sensitive-files-with-credential-data RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.002"], "author": "Janantha Marasinghe (https://github.com/blueteam0ps)"} -Query = (Process.Path like r"%\\auditpol.exe" or Process.Name == "AUDITPOL.EXE") and (Process.CommandLine like r"%disable%" or Process.CommandLine like r"%clear%" or Process.CommandLine like r"%remove%" or Process.CommandLine like r"%restore%") +Annotation = {"mitre_attack": ["T1003.002", "T1003.003"], "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community"} +Query = (Process.Path like r"%\\esentutl.exe" or Process.Name == "\\esentutl.exe") and (Process.CommandLine like r"%vss%" or Process.CommandLine like r"% -m %" or Process.CommandLine like r"% /m %" or Process.CommandLine like r"% –m %" or Process.CommandLine like r"% —m %" or Process.CommandLine like r"% ―m %" or Process.CommandLine like r"% -y %" or Process.CommandLine like r"% /y %" or Process.CommandLine like r"% –y %" or Process.CommandLine like r"% —y %" or Process.CommandLine like r"% ―y %") or Process.CommandLine like 
r"%\\config\\RegBack\\sam%" or Process.CommandLine like r"%\\config\\RegBack\\security%" or Process.CommandLine like r"%\\config\\RegBack\\system%" or Process.CommandLine like r"%\\config\\sam%" or Process.CommandLine like r"%\\config\\security%" or Process.CommandLine like r"%\\config\\system %" or Process.CommandLine like r"%\\repair\\sam%" or Process.CommandLine like r"%\\repair\\security%" or Process.CommandLine like r"%\\repair\\system%" or Process.CommandLine like r"%\\windows\\ntds\\ntds.dit%" [ThreatDetectionRule platform=Windows] -# Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = b6e04788-29e1-4557-bb14-77f761848ab8 -RuleName = Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE +# Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. 
This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader +# Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems) +RuleId = b66474aa-bd92-4333-a16c-298155b120df +RuleName = Potential Persistence Via Powershell Search Order Hijacking - Task EventType = Process.Start -Tag = proc-start-potentially-suspicious-file-download-from-file-sharing-domain-via-powershell.exe +Tag = proc-start-potential-persistence-via-powershell-search-order-hijacking-task RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%anonfiles.com%" or Process.CommandLine like r"%cdn.discordapp.com%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%dl.dropboxusercontent.com%" or Process.CommandLine like r"%ghostbin.co%" or Process.CommandLine like r"%glitch.me%" or Process.CommandLine like r"%gofile.io%" or Process.CommandLine like r"%hastebin.com%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like r"%mega.nz%" or Process.CommandLine like r"%onrender.com%" or Process.CommandLine like r"%pages.dev%" or Process.CommandLine like r"%paste.ee%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%pastebin.pl%" or Process.CommandLine like r"%pastetext.net%" or Process.CommandLine like r"%pixeldrain.com%" or Process.CommandLine like r"%privatlab.com%" or Process.CommandLine like r"%privatlab.net%" or Process.CommandLine like r"%send.exploit.in%" or Process.CommandLine like r"%sendspace.com%" or Process.CommandLine like r"%storage.googleapis.com%" or Process.CommandLine like r"%storjshare.io%" or Process.CommandLine like r"%supabase.co%" or Process.CommandLine like r"%temp.sh%" or Process.CommandLine like r"%transfer.sh%" or Process.CommandLine like r"%trycloudflare.com%" or 
Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%w3spaces.com%" or Process.CommandLine like r"%workers.dev%") and (Process.CommandLine like r"%.DownloadString(%" or Process.CommandLine like r"%.DownloadFile(%" or Process.CommandLine like r"%Invoke-WebRequest %" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%wget %") +Annotation = {"mitre_attack": ["T1053.005", "T1059.001"], "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)"} +Query = Parent.Path == "C:\\WINDOWS\\System32\\svchost.exe" and Parent.CommandLine like r"%-k netsvcs%" and Parent.CommandLine like r"%-s Schedule%" and (Process.CommandLine like r"% -windowstyle hidden" or Process.CommandLine like r"% -w hidden" or Process.CommandLine like r"% -ep bypass" or Process.CommandLine like r"% -noni") +GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects the pattern of UAC Bypass using Event Viewer RecentViews +# Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 30fc8de7-d833-40c4-96b6-28319fbc4f6c -RuleName = UAC Bypass Using Event Viewer RecentViews -EventType = Process.Start -Tag = proc-start-uac-bypass-using-event-viewer-recentviews +RuleId = 90ae0469-0cee-4509-b67f-e5efcef040f7 +RuleName = Aruba Network Service Potential DLL Sideloading +EventType = Image.Load +Tag = aruba-network-service-potential-dll-sideloading RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.CommandLine like r"%\\Event Viewer\\RecentViews%" or Process.CommandLine like r"%\\EventV~1\\RecentViews%") and Process.CommandLine like r"%>%" +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\arubanetsvc.exe" and 
(Image.Path like r"%\\wtsapi32.dll" or Image.Path like r"%\\msvcr100.dll" or Image.Path like r"%\\msvcp100.dll" or Image.Path like r"%\\dbghelp.dll" or Image.Path like r"%\\dbgcore.dll" or Image.Path like r"%\\wininet.dll" or Image.Path like r"%\\iphlpapi.dll" or Image.Path like r"%\\version.dll" or Image.Path like r"%\\cryptsp.dll" or Image.Path like r"%\\cryptbase.dll" or Image.Path like r"%\\wldp.dll" or Image.Path like r"%\\profapi.dll" or Image.Path like r"%\\sspicli.dll" or Image.Path like r"%\\winsta.dll" or Image.Path like r"%\\dpapi.dll") and not (Image.Path like r"C:\\Windows\\System32\\%" or Image.Path like r"C:\\Windows\\SysWOW64\\%" or Image.Path like r"C:\\Windows\\WinSxS\\%") +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects UAC bypass method using Windows event viewer -# Author: Florian Roth (Nextron Systems) -RuleId = 7c81fec3-1c1d-43b0-996a-46753041b1b6 -RuleName = UAC Bypass via Event Viewer +# Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 +RuleName = Outlook EnableUnsafeClientMailRules Setting Enabled - Registry EventType = Reg.Any -Tag = uac-bypass-via-event-viewer +Tag = outlook-enableunsafeclientmailrules-setting-enabled-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Florian Roth (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\mscfile\\shell\\open\\command" +Annotation = {"mitre_attack": ["T1112"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Outlook\\Security\\EnableUnsafeClientMailRules" and Reg.Value.Data == "DWORD (0x00000001)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects a suspicious execution of a Microsoft HTML Help 
(HH.exe) -# Author: Maxim Pavlunin -RuleId = e8a95b5e-c891-46e2-b33a-93937d3abc31 -RuleName = Suspicious HH.EXE Execution +# Detects the malicious use of a control panel item +# Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) +RuleId = 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4 +RuleName = Control Panel Items EventType = Process.Start -Tag = proc-start-suspicious-hh.exe-execution +Tag = proc-start-control-panel-items RiskScore = 75 -Annotation = {"mitre_attack": ["T1047", "T1059.001", "T1059.003", "T1059.005", "T1059.007", "T1218", "T1218.001", "T1218.010", "T1218.011", "T1566", "T1566.001"], "author": "Maxim Pavlunin"} -Query = (Process.Name == "HH.exe" or Process.Path like r"%\\hh.exe") and (Process.CommandLine like r"%.application%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\Content.Outlook\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%") +Annotation = {"mitre_attack": ["T1218.002", "T1546"], "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)"} +Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"%add%" and Process.CommandLine like r"%CurrentVersion\\Control Panel\\CPLs%" or Process.CommandLine like r"%.cpl" and not (Process.CommandLine like r"%\\System32\\%" or Process.CommandLine like r"%\%System\%%" or Process.CommandLine like r"%|C:\\Windows\\system32|%" or Process.CommandLine like r"%regsvr32 %" and Process.CommandLine like r"% /s %" and Process.CommandLine like r"%igfxCPL.cpl%") [ThreatDetectionRule platform=Windows] -# Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells -# Author: Florian Roth (Nextron Systems), MSTI (query) -RuleId = fa3c117a-bc0d-416e-a31b-0c0e80653efb -RuleName = Chopper Webshell Process Pattern -EventType = Process.Start -Tag = proc-start-chopper-webshell-process-pattern +# 
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen. +# Author: Nasreddine Bencherchali (Nextron Systems), frack113 +RuleId = f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd +RuleName = Hiding User Account Via SpecialAccounts Registry Key +EventType = Reg.Any +Tag = hiding-user-account-via-specialaccounts-registry-key RiskScore = 75 -Annotation = {"mitre_attack": ["T1505.003", "T1018", "T1033", "T1087"], "author": "Florian Roth (Nextron Systems), MSTI (query)"} -Query = (Process.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\w3wp.exe") and (Process.CommandLine like r"%&ipconfig&echo%" or Process.CommandLine like r"%&quser&echo%" or Process.CommandLine like r"%&whoami&echo%" or Process.CommandLine like r"%&c:&echo%" or Process.CommandLine like r"%&cd&echo%" or Process.CommandLine like r"%&dir&echo%" or Process.CommandLine like r"%&echo [E]%" or Process.CommandLine like r"%&echo [S]%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1564.002"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113"} +Query = Reg.EventType == "SetValue" and Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList%" and Reg.Value.Data == "DWORD (0x00000000)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data +GenericProperty3 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint. 
-# Author: SecurityAura -RuleId = 6e2a900a-ced9-4e4a-a9c2-13e706f9518a -RuleName = HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump -EventType = File.Create -Tag = hacktool-potential-remote-credential-dumping-activity-via-crackmapexec-or-impacket-secretsdump +# Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 2cf29f11-e356-4f61-98c0-1bdb9393d6da +RuleName = Renamed Visual Studio Code Tunnel Execution +EventType = Process.Start +Tag = proc-start-renamed-visual-studio-code-tunnel-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1003"], "author": "SecurityAura"} -Query = Process.Path like r"%\\svchost.exe" and File.Path regex "\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1071.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (isnull(Process.Name) and Process.CommandLine like r"%.exe tunnel" or Process.CommandLine like r"%.exe tunnel%" and Process.CommandLine like r"%--name %" and Process.CommandLine like r"%--accept-server-license-terms%" or Process.CommandLine like r"%tunnel %" and Process.CommandLine like r"%service%" and Process.CommandLine like r"%internal-run%" and Process.CommandLine like r"%tunnel-service.log%") and not (Process.Path like r"%\\code-tunnel.exe" or Process.Path like r"%\\code.exe") or Parent.CommandLine like r"% tunnel" and Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%/d /c %" and Process.CommandLine like r"%\\servers\\Stable-%" and Process.CommandLine like r"%code-server.cmd%" and not (Parent.Path like r"%\\code-tunnel.exe" or Parent.Path like r"%\\code.exe") +GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects uninstallation or termination of security products using the WMIC utility 
-# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 847d5ff3-8a31-4737-a970-aeae8fe21765 -RuleName = Potential Tampering With Security Products Via WMIC +# Detects suspicious child process creations of VMware Tools process which may indicate persistence setup +# Author: bohops, Bhabesh Raj +RuleId = 5687f942-867b-4578-ade7-1e341c46e99a +RuleName = VMToolsd Suspicious Child Process EventType = Process.Start -Tag = proc-start-potential-tampering-with-security-products-via-wmic +Tag = proc-start-vmtoolsd-suspicious-child-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.CommandLine like r"%wmic%" and Process.CommandLine like r"%product where %" and Process.CommandLine like r"%call%" and Process.CommandLine like r"%uninstall%" and Process.CommandLine like r"%/nointeractive%" or Process.CommandLine like r"%wmic%" and Process.CommandLine like r"%caption like %" and (Process.CommandLine like r"%call delete%" or Process.CommandLine like r"%call terminate%") or Process.CommandLine like r"%process %" and Process.CommandLine like r"%where %" and Process.CommandLine like r"%delete%") and (Process.CommandLine like r"%\%carbon\%%" or Process.CommandLine like r"%\%cylance\%%" or Process.CommandLine like r"%\%endpoint\%%" or Process.CommandLine like r"%\%eset\%%" or Process.CommandLine like r"%\%malware\%%" or Process.CommandLine like r"%\%Sophos\%%" or Process.CommandLine like r"%\%symantec\%%" or Process.CommandLine like r"%Antivirus%" or Process.CommandLine like r"%AVG %" or Process.CommandLine like r"%Carbon Black%" or Process.CommandLine like r"%CarbonBlack%" or Process.CommandLine like r"%Cb Defense Sensor 64-bit%" or Process.CommandLine like r"%Crowdstrike Sensor%" or Process.CommandLine like r"%Cylance %" or Process.CommandLine like r"%Dell Threat Defense%" or Process.CommandLine like r"%DLP Endpoint%" or 
Process.CommandLine like r"%Endpoint Detection%" or Process.CommandLine like r"%Endpoint Protection%" or Process.CommandLine like r"%Endpoint Security%" or Process.CommandLine like r"%Endpoint Sensor%" or Process.CommandLine like r"%ESET File Security%" or Process.CommandLine like r"%LogRhythm System Monitor Service%" or Process.CommandLine like r"%Malwarebytes%" or Process.CommandLine like r"%McAfee Agent%" or Process.CommandLine like r"%Microsoft Security Client%" or Process.CommandLine like r"%Sophos Anti-Virus%" or Process.CommandLine like r"%Sophos AutoUpdate%" or Process.CommandLine like r"%Sophos Credential Store%" or Process.CommandLine like r"%Sophos Management Console%" or Process.CommandLine like r"%Sophos Management Database%" or Process.CommandLine like r"%Sophos Management Server%" or Process.CommandLine like r"%Sophos Remote Management System%" or Process.CommandLine like r"%Sophos Update Manager%" or Process.CommandLine like r"%Threat Protection%" or Process.CommandLine like r"%VirusScan%" or Process.CommandLine like r"%Webroot SecureAnywhere%" or Process.CommandLine like r"%Windows Defender%") +Annotation = {"mitre_attack": ["T1059"], "author": "bohops, Bhabesh Raj"} +Query = Parent.Path like r"%\\vmtoolsd.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Process.Name in ["Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe"]) and not (Process.Path like r"%\\cmd.exe" and (Process.CommandLine like r"%\\VMware\\VMware Tools\\poweron-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\poweroff-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\resume-vm-default.bat%" or 
Process.CommandLine like r"%\\VMware\\VMware Tools\\suspend-vm-default.bat%") or Process.Path like r"%\\cmd.exe" and Process.CommandLine == "" or Process.Path like r"%\\cmd.exe" and isnull(Process.CommandLine)) +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects commands that temporarily turn off Volume Snapshots -# Author: Florian Roth (Nextron Systems) -RuleId = dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a -RuleName = Disabled Volume Snapshots +# Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0 +RuleName = HackTool - Wmiexec Default Powershell Command EventType = Process.Start -Tag = proc-start-disabled-volume-snapshots +Tag = proc-start-hacktool-wmiexec-default-powershell-command RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%\\Services\\VSS\\Diag%" and Process.CommandLine like r"%/d Disabled%" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%" [ThreatDetectionRule platform=Windows] -# Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder -# Author: Florian Roth (Nextron Systems), MSTI (query, idea) -RuleId = bd1212e5-78da-431e-95fa-c58e3237a8e6 -RuleName = Suspicious ASPX File Drop by Exchange -EventType = File.Create -Tag = suspicious-aspx-file-drop-by-exchange +# Detects suspicious PowerShell invocation with a parameter substring +# Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) +RuleId = 36210e0d-5b19-485d-a087-c096088885f0 +RuleName = Suspicious PowerShell Parameter Substring +EventType = Process.Start +Tag = proc-start-suspicious-powershell-parameter-substring RiskScore = 75 -Annotation = {"mitre_attack": 
["T1505.003"], "author": "Florian Roth (Nextron Systems), MSTI (query, idea)"} -Query = Process.Path like r"%\\w3wp.exe" and Process.CommandLine like r"%MSExchange%" and (File.Path like r"%FrontEnd\\HttpProxy\\%" or File.Path like r"%\\inetpub\\wwwroot\\aspnet\_client\\%") and (File.Path like r"%.aspx" or File.Path like r"%.asp" or File.Path like r"%.ashx") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"% -windowstyle h %" or Process.CommandLine like r"% -windowstyl h%" or Process.CommandLine like r"% -windowsty h%" or Process.CommandLine like r"% -windowst h%" or Process.CommandLine like r"% -windows h%" or Process.CommandLine like r"% -windo h%" or Process.CommandLine like r"% -wind h%" or Process.CommandLine like r"% -win h%" or Process.CommandLine like r"% -wi h%" or Process.CommandLine like r"% -win h %" or Process.CommandLine like r"% -win hi %" or Process.CommandLine like r"% -win hid %" or Process.CommandLine like r"% -win hidd %" or Process.CommandLine like r"% -win hidde %" or Process.CommandLine like r"% -NoPr %" or Process.CommandLine like r"% -NoPro %" or Process.CommandLine like r"% -NoProf %" or Process.CommandLine like r"% -NoProfi %" or Process.CommandLine like r"% -NoProfil %" or Process.CommandLine like r"% -nonin %" or Process.CommandLine like r"% -nonint %" or Process.CommandLine like r"% -noninte %" or Process.CommandLine like r"% -noninter %" or Process.CommandLine like r"% -nonintera %" or Process.CommandLine like r"% -noninterac %" or Process.CommandLine like r"% -noninteract %" or Process.CommandLine like r"% -noninteracti %" or Process.CommandLine like r"% -noninteractiv %" or Process.CommandLine like r"% -ec %" or Process.CommandLine like r"% -encodedComman %" or Process.CommandLine like r"% 
-encodedComma %" or Process.CommandLine like r"% -encodedComm %" or Process.CommandLine like r"% -encodedCom %" or Process.CommandLine like r"% -encodedCo %" or Process.CommandLine like r"% -encodedC %" or Process.CommandLine like r"% -encoded %" or Process.CommandLine like r"% -encode %" or Process.CommandLine like r"% -encod %" or Process.CommandLine like r"% -enco %" or Process.CommandLine like r"% -en %" or Process.CommandLine like r"% -executionpolic %" or Process.CommandLine like r"% -executionpoli %" or Process.CommandLine like r"% -executionpol %" or Process.CommandLine like r"% -executionpo %" or Process.CommandLine like r"% -executionp %" or Process.CommandLine like r"% -execution bypass%" or Process.CommandLine like r"% -executio bypass%" or Process.CommandLine like r"% -executi bypass%" or Process.CommandLine like r"% -execut bypass%" or Process.CommandLine like r"% -execu bypass%" or Process.CommandLine like r"% -exec bypass%" or Process.CommandLine like r"% -exe bypass%" or Process.CommandLine like r"% -ex bypass%" or Process.CommandLine like r"% -ep bypass%" or Process.CommandLine like r"% /windowstyle h %" or Process.CommandLine like r"% /windowstyl h%" or Process.CommandLine like r"% /windowsty h%" or Process.CommandLine like r"% /windowst h%" or Process.CommandLine like r"% /windows h%" or Process.CommandLine like r"% /windo h%" or Process.CommandLine like r"% /wind h%" or Process.CommandLine like r"% /win h%" or Process.CommandLine like r"% /wi h%" or Process.CommandLine like r"% /win h %" or Process.CommandLine like r"% /win hi %" or Process.CommandLine like r"% /win hid %" or Process.CommandLine like r"% /win hidd %" or Process.CommandLine like r"% /win hidde %" or Process.CommandLine like r"% /NoPr %" or Process.CommandLine like r"% /NoPro %" or Process.CommandLine like r"% /NoProf %" or Process.CommandLine like r"% /NoProfi %" or Process.CommandLine like r"% /NoProfil %" or Process.CommandLine like r"% /nonin %" or Process.CommandLine like 
r"% /nonint %" or Process.CommandLine like r"% /noninte %" or Process.CommandLine like r"% /noninter %" or Process.CommandLine like r"% /nonintera %" or Process.CommandLine like r"% /noninterac %" or Process.CommandLine like r"% /noninteract %" or Process.CommandLine like r"% /noninteracti %" or Process.CommandLine like r"% /noninteractiv %" or Process.CommandLine like r"% /ec %" or Process.CommandLine like r"% /encodedComman %" or Process.CommandLine like r"% /encodedComma %" or Process.CommandLine like r"% /encodedComm %" or Process.CommandLine like r"% /encodedCom %" or Process.CommandLine like r"% /encodedCo %" or Process.CommandLine like r"% /encodedC %" or Process.CommandLine like r"% /encoded %" or Process.CommandLine like r"% /encode %" or Process.CommandLine like r"% /encod %" or Process.CommandLine like r"% /enco %" or Process.CommandLine like r"% /en %" or Process.CommandLine like r"% /executionpolic %" or Process.CommandLine like r"% /executionpoli %" or Process.CommandLine like r"% /executionpol %" or Process.CommandLine like r"% /executionpo %" or Process.CommandLine like r"% /executionp %" or Process.CommandLine like r"% /execution bypass%" or Process.CommandLine like r"% /executio bypass%" or Process.CommandLine like r"% /executi bypass%" or Process.CommandLine like r"% /execut bypass%" or Process.CommandLine like r"% /execu bypass%" or Process.CommandLine like r"% /exec bypass%" or Process.CommandLine like r"% /exe bypass%" or Process.CommandLine like r"% /ex bypass%" or Process.CommandLine like r"% /ep bypass%") [ThreatDetectionRule platform=Windows] -# Detects when an attacker registers a new AMSI provider in order to achieve persistence -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 -RuleName = Potential Persistence Via New AMSI Providers - Registry -EventType = Reg.Any -Tag = potential-persistence-via-new-amsi-providers-registry +# Detects the creation of tasks from processes executed from 
suspicious locations +# Author: Florian Roth (Nextron Systems) +RuleId = 80e1f67a-4596-4351-98f5-a9c3efabac95 +RuleName = Suspicious Scheduled Task Write to System32 Tasks +EventType = File.Create +Tag = suspicious-scheduled-task-write-to-system32-tasks RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.EventType == "CreateKey" and (Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\AMSI\\Providers\\%" or Reg.TargetObject like r"%\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\%") and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Program Files\\%" or Process.Path like r"C:\\Program Files (x86)\\%") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.EventType +Annotation = {"mitre_attack": ["T1053"], "author": "Florian Roth (Nextron Systems)"} +Query = File.Path like r"%\\Windows\\System32\\Tasks%" and (Process.Path like r"%\\AppData\\%" or Process.Path like r"%C:\\PerfLogs%" or Process.Path like r"%\\Windows\\System32\\config\\systemprofile%") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects actions that clear the local ShimCache and remove forensic evidence -# Author: Florian Roth (Nextron Systems) -RuleId = b0524451-19af-4efa-a46f-562a977f792e -RuleName = ShimCache Flush +# Detects the execution of a renamed "Msdt.exe" binary +# Author: pH-T (Nextron Systems) +RuleId = bd1c6866-65fc-44b2-be51-5588fcff82b9 +RuleName = Renamed Msdt.EXE Execution EventType = Process.Start -Tag = proc-start-shimcache-flush +Tag = proc-start-renamed-msdt.exe-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%apphelp.dll%" and (Process.CommandLine like r"%ShimFlushCache%" or Process.CommandLine like r"%#250%") or Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%kernel32.dll%" and 
(Process.CommandLine like r"%BaseFlushAppcompatCache%" or Process.CommandLine like r"%#46%") +Annotation = {"mitre_attack": ["T1036.003"], "author": "pH-T (Nextron Systems)"} +Query = Process.Name == "msdt.exe" and not Process.Path like r"%\\msdt.exe" [ThreatDetectionRule platform=Windows] -# Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) -# Author: Christian Burkard (Nextron Systems) -RuleId = 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 -RuleName = Shell Open Registry Keys Manipulation +# Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started. +# Author: frack113 +RuleId = 961e33d1-4f86-4fcf-80ab-930a708b2f82 +RuleName = Potential Persistence Via Excel Add-in - Registry EventType = Reg.Any -Tag = shell-open-registry-keys-manipulation +Tag = potential-persistence-via-excel-add-in-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002", "T1546.001"], "author": "Christian Burkard (Nextron Systems)"} -Query = Reg.EventType == "SetValue" and Reg.TargetObject like r"%Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue" and Reg.Value.Data like r"%\\Software\\Classes\\{%" or Reg.TargetObject like r"%Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or Reg.EventType == "SetValue" and (Reg.TargetObject like r"%Classes\\ms-settings\\shell\\open\\command\\(Default)" or Reg.TargetObject like r"%Classes\\exefile\\shell\\open\\command\\(Default)") and not Reg.Value.Data == "(Empty)" +Annotation = {"mitre_attack": ["T1137.006"], "author": "frack113"} +Query = Reg.TargetObject like r"%Software\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Excel\\Options" and Reg.Value.Data like r"/R %" and Reg.Value.Data like r"%.xll" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data 
-GenericProperty3 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detection of unusual child processes by different system processes -# Author: Semanur Guneysu @semanurtg, oscd.community -RuleId = d522eca2-2973-4391-a3e0-ef0374321dae -RuleName = Abused Debug Privilege by Arbitrary Parent Processes +# Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 9fc3072c-dc8f-4bf7-b231-18950000fadd +RuleName = Potential Recon Activity Using DriverQuery.EXE EventType = Process.Start -Tag = proc-start-abused-debug-privilege-by-arbitrary-parent-processes +Tag = proc-start-potential-recon-activity-using-driverquery.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1548"], "author": "Semanur Guneysu @semanurtg, oscd.community"} -Query = (Parent.Path like r"%\\winlogon.exe" or Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\lsass.exe" or Parent.Path like r"%\\csrss.exe" or Parent.Path like r"%\\smss.exe" or Parent.Path like r"%\\wininit.exe" or Parent.Path like r"%\\spoolsv.exe" or Parent.Path like r"%\\searchindexer.exe") and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\cmd.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll", "Cmd.Exe"]) and not (Process.CommandLine like r"% route %" and Process.CommandLine like r"% ADD %") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%driverquery.exe" or Process.Name == "drvqry.exe") and (Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\regsvr32.exe" or Parent.Path like r"%\\rundll32.exe" or Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\AppData\\Local\\%" or Parent.Path like r"%\\Users\\Public\\%" or Parent.Path like r"%\\Windows\\Temp\\%") GenericProperty1 = Parent.Path 
-GenericProperty2 = Process.User [ThreatDetectionRule platform=Windows] -# Detects a suspicious script executions from temporary folder -# Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton -RuleId = a6a39bdb-935c-4f0a-ab77-35f4bbf44d33 -RuleName = Suspicious Script Execution From Temp Folder +# The Tasks folder in system32 and syswow64 are globally writable paths. +# Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application +# in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr +# Author: Sreeman +RuleId = cc4e02ba-9c06-48e2-b09e-2500cace9ae0 +RuleName = Tasks Folder Evasion EventType = Process.Start -Tag = proc-start-suspicious-script-execution-from-temp-folder +Tag = proc-start-tasks-folder-evasion RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%\\Windows\\Temp%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\AppData\\Roaming\\Temp%" or Process.CommandLine like r"%\%TEMP\%%" or Process.CommandLine like r"%\%TMP\%%" or Process.CommandLine like r"%\%LocalAppData\%\\Temp%") and not (Process.CommandLine like r"% >%" or Process.CommandLine like r"%Out-File%" or Process.CommandLine like r"%ConvertTo-Json%" or Process.CommandLine like r"%-WindowStyle hidden -Verb runAs%" or Process.CommandLine like r"%\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\Amazon\\EC2-Windows\\%") +Annotation = {"mitre_attack": ["T1574.002"], "author": "Sreeman"} +Query = (Process.CommandLine like r"%echo %" or Process.CommandLine like 
r"%copy %" or Process.CommandLine like r"%type %" or Process.CommandLine like r"%file createnew%") and (Process.CommandLine like r"% C:\\Windows\\System32\\Tasks\\%" or Process.CommandLine like r"% C:\\Windows\\SysWow64\\Tasks\\%") [ThreatDetectionRule platform=Windows] -# Detects PowerShell script execution from Alternate Data Stream (ADS) -# Author: Sergey Soldatov, Kaspersky Lab, oscd.community -RuleId = 45a594aa-1fbd-4972-a809-ff5a99dd81b8 -RuleName = Run PowerShell Script from ADS -EventType = Process.Start -Tag = proc-start-run-powershell-script-from-ads +# Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 +RuleName = Potential Persistence Via MyComputer Registry Keys +EventType = Reg.Any +Tag = potential-persistence-via-mycomputer-registry-keys RiskScore = 75 -Annotation = {"mitre_attack": ["T1564.004"], "author": "Sergey Soldatov, Kaspersky Lab, oscd.community"} -Query = (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Get-Content%" and Process.CommandLine like r"%-Stream%" -GenericProperty1 = Parent.Path +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer%" and Reg.TargetObject like r"%(Default)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. -# Adversaries may abuse time providers to execute DLLs when the system boots. 
-# The Windows Time service (W32Time) enables time synchronization across and within domains. -# Author: frack113 -RuleId = e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 -RuleName = New TimeProviders Registered With Uncommon DLL Name -EventType = Reg.Any -Tag = new-timeproviders-registered-with-uncommon-dll-name -RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.003"], "author": "frack113"} -Query = Reg.TargetObject like r"%\\Services\\W32Time\\TimeProviders%" and Reg.TargetObject like r"%\\DllName" and not (Reg.Value.Data in ["\%SystemRoot\%\\System32\\vmictimeprovider.dll", "\%systemroot\%\\system32\\w32time.dll", "C:\\Windows\\SYSTEM32\\w32time.DLL"]) -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data - - -[ThreatDetectionRule platform=Windows] -# Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. -# Author: @Kostastsale, @TheDFIRReport -RuleId = c98f2a0d-e1b8-4f76-90d3-359caf88d6b9 -RuleName = Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 +# Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc. 
+# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 +RuleName = Suspicious Process Created Via Wmic.EXE EventType = Process.Start -Tag = proc-start-potential-defense-evasion-activity-via-emoji-usage-in-commandline-2 +Tag = proc-start-suspicious-process-created-via-wmic.exe RiskScore = 75 -Annotation = {"author": "@Kostastsale, @TheDFIRReport"} -Query = Process.CommandLine like r"%🤷🏼%" or Process.CommandLine like r"%🤷🏼‍♂️%" or Process.CommandLine like r"%🙎🏼‍♀️%" or Process.CommandLine like r"%🙎🏼%" or Process.CommandLine like r"%🙎🏼‍♂️%" or Process.CommandLine like r"%🙍🏼‍♀️%" or Process.CommandLine like r"%🙍🏼%" or Process.CommandLine like r"%🙍🏼‍♂️%" or Process.CommandLine like r"%💇🏼‍♀️%" or Process.CommandLine like r"%💇🏼%" or Process.CommandLine like r"%💇🏼‍♂️%" or Process.CommandLine like r"%💆🏼‍♀️%" or Process.CommandLine like r"%💆🏼%" or Process.CommandLine like r"%💆🏼‍♂️%" or Process.CommandLine like r"%🧖🏼‍♀️%" or Process.CommandLine like r"%🧖🏼%" or Process.CommandLine like r"%🧖🏼‍♂️%" or Process.CommandLine like r"%💃🏼%" or Process.CommandLine like r"%🕺🏼%" or Process.CommandLine like r"%🕴🏼%" or Process.CommandLine like r"%👩🏼‍🦽%" or Process.CommandLine like r"%🧑🏼‍🦽%" or Process.CommandLine like r"%👨🏼‍🦽%" or Process.CommandLine like r"%👩🏼‍🦼%" or Process.CommandLine like r"%🧑🏼‍🦼%" or Process.CommandLine like r"%👨🏼‍🦼%" or Process.CommandLine like r"%🚶🏼‍♀️%" or Process.CommandLine like r"%🚶🏼%" or Process.CommandLine like r"%🚶🏼‍♂️%" or Process.CommandLine like r"%👩🏼‍🦯%" or Process.CommandLine like r"%🧑🏼‍🦯%" or Process.CommandLine like r"%👨🏼‍🦯%" or Process.CommandLine like r"%🧎🏼‍♀️%" or Process.CommandLine like r"%🧎🏼%" or Process.CommandLine like r"%🧎🏼‍♂️%" or Process.CommandLine like r"%🏃🏼‍♀️%" or Process.CommandLine like r"%🏃🏼%" or Process.CommandLine like r"%🏃🏼‍♂️%" or Process.CommandLine like r"%🧍🏼‍♀️%" or Process.CommandLine like r"%🧍🏼%" or Process.CommandLine like r"%🧍🏼‍♂️%" or 
Process.CommandLine like r"%👭🏼%" or Process.CommandLine like r"%🧑🏼‍🤝‍🧑🏼%" or Process.CommandLine like r"%👬🏼%" or Process.CommandLine like r"%👫🏼%" or Process.CommandLine like r"%🧗🏼‍♀️%" or Process.CommandLine like r"%🧗🏼%" or Process.CommandLine like r"%🧗🏼‍♂️%" or Process.CommandLine like r"%🏇🏼%" or Process.CommandLine like r"%🏂🏼%" or Process.CommandLine like r"%🏌🏼‍♀️%" or Process.CommandLine like r"%🏌🏼%" or Process.CommandLine like r"%🏌🏼‍♂️%" or Process.CommandLine like r"%🏄🏼‍♀️%" or Process.CommandLine like r"%🏄🏼%" or Process.CommandLine like r"%🏄🏼‍♂️%" or Process.CommandLine like r"%🚣🏼‍♀️%" or Process.CommandLine like r"%🚣🏼%" or Process.CommandLine like r"%🚣🏼‍♂️%" or Process.CommandLine like r"%🏊🏼‍♀️%" or Process.CommandLine like r"%🏊🏼%" or Process.CommandLine like r"%🏊🏼‍♂️%" or Process.CommandLine like r"%⛹🏼‍♀️%" or Process.CommandLine like r"%⛹🏼%" or Process.CommandLine like r"%⛹🏼‍♂️%" or Process.CommandLine like r"%🏋🏼‍♀️%" or Process.CommandLine like r"%🏋🏼%" or Process.CommandLine like r"%🏋🏼‍♂️%" or Process.CommandLine like r"%🚴🏼‍♀️%" or Process.CommandLine like r"%🚴🏼%" or Process.CommandLine like r"%🚴🏼‍♂️%" or Process.CommandLine like r"%🚵🏼‍♀️%" or Process.CommandLine like r"%🚵🏼%" or Process.CommandLine like r"%🚵🏼‍♂️%" or Process.CommandLine like r"%🤸🏼‍♀️%" or Process.CommandLine like r"%🤸🏼%" or Process.CommandLine like r"%🤸🏼‍♂️%" or Process.CommandLine like r"%🤽🏼‍♀️%" or Process.CommandLine like r"%🤽🏼%" or Process.CommandLine like r"%🤽🏼‍♂️%" or Process.CommandLine like r"%🤾🏼‍♀️%" or Process.CommandLine like r"%🤾🏼%" or Process.CommandLine like r"%🤾🏼‍♂️%" or Process.CommandLine like r"%🤹🏼‍♀️%" or Process.CommandLine like r"%🤹🏼%" or Process.CommandLine like r"%🤹🏼‍♂️%" or Process.CommandLine like r"%🧘🏼‍♀️%" or Process.CommandLine like r"%🧘🏼%" or Process.CommandLine like r"%🧘🏼‍♂️%" or Process.CommandLine like r"%🛀🏼%" or Process.CommandLine like r"%🛌🏼%" or Process.CommandLine like r"%👋🏽%" or Process.CommandLine like r"%🤚🏽%" or Process.CommandLine like r"%🖐🏽%" or 
Process.CommandLine like r"%✋🏽%" or Process.CommandLine like r"%🖖🏽%" or Process.CommandLine like r"%👌🏽%" or Process.CommandLine like r"%🤌🏽%" or Process.CommandLine like r"%🤏🏽%" or Process.CommandLine like r"%✌🏽%" or Process.CommandLine like r"%🤞🏽%" or Process.CommandLine like r"%🫰🏽%" or Process.CommandLine like r"%🤟🏽%" or Process.CommandLine like r"%🤘🏽%" or Process.CommandLine like r"%🤙🏽%" or Process.CommandLine like r"%🫵🏽%" or Process.CommandLine like r"%🫱🏽%" or Process.CommandLine like r"%🫲🏽%" or Process.CommandLine like r"%🫳🏽%" or Process.CommandLine like r"%🫴🏽%" or Process.CommandLine like r"%👈🏽%" or Process.CommandLine like r"%👉🏽%" or Process.CommandLine like r"%👆🏽%" or Process.CommandLine like r"%🖕🏽%" or Process.CommandLine like r"%👇🏽%" or Process.CommandLine like r"%☝🏽%" or Process.CommandLine like r"%👍🏽%" or Process.CommandLine like r"%👎🏽%" or Process.CommandLine like r"%✊🏽%" or Process.CommandLine like r"%👊🏽%" or Process.CommandLine like r"%🤛🏽%" or Process.CommandLine like r"%🤜🏽%" or Process.CommandLine like r"%👏🏽%" or Process.CommandLine like r"%🫶🏽%" or Process.CommandLine like r"%🙌🏽%" or Process.CommandLine like r"%👐🏽%" or Process.CommandLine like r"%🤲🏽%" or Process.CommandLine like r"%🙏🏽%" or Process.CommandLine like r"%✍🏽%" or Process.CommandLine like r"%💪🏽%" or Process.CommandLine like r"%🦵🏽%" or Process.CommandLine like r"%🦶🏽%" or Process.CommandLine like r"%👂🏽%" or Process.CommandLine like r"%🦻🏽%" or Process.CommandLine like r"%👃🏽%" or Process.CommandLine like r"%👶🏽%" or Process.CommandLine like r"%👧🏽%" or Process.CommandLine like r"%🧒🏽%" or Process.CommandLine like r"%👦🏽%" or Process.CommandLine like r"%👩🏽%" or Process.CommandLine like r"%🧑🏽%" or Process.CommandLine like r"%👨🏽%" or Process.CommandLine like r"%👩🏽‍🦱%" or Process.CommandLine like r"%🧑🏽‍🦱%" or Process.CommandLine like r"%👨🏽‍🦱%" or Process.CommandLine like r"%👩🏽‍🦰%" or Process.CommandLine like r"%🧑🏽‍🦰%" or Process.CommandLine like r"%👨🏽‍🦰%" or Process.CommandLine like r"%👱🏽‍♀️%" or 
Process.CommandLine like r"%👱🏽%" or Process.CommandLine like r"%👱🏽‍♂️%" or Process.CommandLine like r"%👩🏽‍🦳%" or Process.CommandLine like r"%🧑🏽‍🦳%" or Process.CommandLine like r"%👨🏽‍🦳%" or Process.CommandLine like r"%👩🏽‍🦲%" or Process.CommandLine like r"%🧑🏽‍🦲%" or Process.CommandLine like r"%👨🏽‍🦲%" or Process.CommandLine like r"%🧔🏽‍♀️%" or Process.CommandLine like r"%🧔🏽%" or Process.CommandLine like r"%🧔🏽‍♂️%" or Process.CommandLine like r"%👵🏽%" or Process.CommandLine like r"%🧓🏽%" or Process.CommandLine like r"%👴🏽%" or Process.CommandLine like r"%👲🏽%" or Process.CommandLine like r"%👳🏽‍♀️%" or Process.CommandLine like r"%👳🏽%" or Process.CommandLine like r"%👳🏽‍♂️%" or Process.CommandLine like r"%🧕🏽%" or Process.CommandLine like r"%👮🏽‍♀️%" or Process.CommandLine like r"%👮🏽%" or Process.CommandLine like r"%👮🏽‍♂️%" or Process.CommandLine like r"%👷🏽‍♀️%" or Process.CommandLine like r"%👷🏽%" or Process.CommandLine like r"%👷🏽‍♂️%" or Process.CommandLine like r"%💂🏽‍♀️%" or Process.CommandLine like r"%💂🏽%" or Process.CommandLine like r"%💂🏽‍♂️%" or Process.CommandLine like r"%🕵🏽‍♀️%" or Process.CommandLine like r"%🕵🏽%" or Process.CommandLine like r"%🕵🏽‍♂️%" or Process.CommandLine like r"%👩🏽‍⚕️%" or Process.CommandLine like r"%🧑🏽‍⚕️%" or Process.CommandLine like r"%👨🏽‍⚕️%" or Process.CommandLine like r"%👩🏽‍🌾%" or Process.CommandLine like r"%🧑🏽‍🌾%" or Process.CommandLine like r"%👨🏽‍🌾%" or Process.CommandLine like r"%👩🏽‍🍳%" or Process.CommandLine like r"%🧑🏽‍🍳%" or Process.CommandLine like r"%👨🏽‍🍳%" or Process.CommandLine like r"%👩🏽‍🎓%" or Process.CommandLine like r"%🧑🏽‍🎓%" or Process.CommandLine like r"%👨🏽‍🎓%" or Process.CommandLine like r"%👩🏽‍🎤%" or Process.CommandLine like r"%🧑🏽‍🎤%" or Process.CommandLine like r"%👨🏽‍🎤%" or Process.CommandLine like r"%👩🏽‍🏫%" or Process.CommandLine like r"%🧑🏽‍🏫%" or Process.CommandLine like r"%👨🏽‍🏫%" or Process.CommandLine like r"%👩🏽‍🏭%" or Process.CommandLine like r"%🧑🏽‍🏭%" or Process.CommandLine like r"%👨🏽‍🏭%" or Process.CommandLine like 
r"%👩🏽‍💻%" or Process.CommandLine like r"%🧑🏽‍💻%" or Process.CommandLine like r"%👨🏽‍💻%" or Process.CommandLine like r"%👩🏽‍💼%" or Process.CommandLine like r"%🧑🏽‍💼%" or Process.CommandLine like r"%👨🏽‍💼%" or Process.CommandLine like r"%👩🏽‍🔧%" or Process.CommandLine like r"%🧑🏽‍🔧%" or Process.CommandLine like r"%👨🏽‍🔧%" or Process.CommandLine like r"%👩🏽‍🔬%" or Process.CommandLine like r"%🧑🏽‍🔬%" or Process.CommandLine like r"%👨🏽‍🔬%" or Process.CommandLine like r"%👩🏽‍🎨%" or Process.CommandLine like r"%🧑🏽‍🎨%" or Process.CommandLine like r"%👨🏽‍🎨%" or Process.CommandLine like r"%👩🏽‍🚒%" or Process.CommandLine like r"%🧑🏽‍🚒%" or Process.CommandLine like r"%👨🏽‍🚒%" or Process.CommandLine like r"%👩🏽‍✈️%" or Process.CommandLine like r"%🧑🏽‍✈️%" or Process.CommandLine like r"%👨🏽‍✈️%" or Process.CommandLine like r"%👩🏽‍🚀%" or Process.CommandLine like r"%🧑🏽‍🚀%" or Process.CommandLine like r"%👨🏽‍🚀%" or Process.CommandLine like r"%👩🏽‍⚖️%" or Process.CommandLine like r"%🧑🏽‍⚖️%" or Process.CommandLine like r"%👨🏽‍⚖️%" or Process.CommandLine like r"%👰🏽‍♀️%" or Process.CommandLine like r"%👰🏽%" or Process.CommandLine like r"%👰🏽‍♂️%" or Process.CommandLine like r"%🤵🏽‍♀️%" or Process.CommandLine like r"%🤵🏽%" or Process.CommandLine like r"%🤵🏽‍♂️%" or Process.CommandLine like r"%👸🏽%" or Process.CommandLine like r"%🫅🏽%" or Process.CommandLine like r"%🤴🏽%" or Process.CommandLine like r"%🥷🏽%" or Process.CommandLine like r"%🦸🏽‍♀️%" or Process.CommandLine like r"%🦸🏽%" or Process.CommandLine like r"%🦸🏽‍♂️%" or Process.CommandLine like r"%🦹🏽‍♀️%" or Process.CommandLine like r"%🦹🏽%" or Process.CommandLine like r"%🦹🏽‍♂️%" or Process.CommandLine like r"%🤶🏽%" or Process.CommandLine like r"%🧑🏽‍🎄%" or Process.CommandLine like r"%🎅🏽%" or Process.CommandLine like r"%🧙🏽‍♀️%" or Process.CommandLine like r"%🧙🏽%" or Process.CommandLine like r"%🧙🏽‍♂️%" or Process.CommandLine like r"%🧝🏽‍♀️%" or Process.CommandLine like r"%🧝🏽%" or Process.CommandLine like r"%🧝🏽‍♂️%" or Process.CommandLine like r"%🧛🏽‍♀️%" or 
Process.CommandLine like r"%🧛🏽%" or Process.CommandLine like r"%🧛🏽‍♂️%" or Process.CommandLine like r"%🧜🏽‍♀️%" or Process.CommandLine like r"%🧜🏽%" or Process.CommandLine like r"%🧜🏽‍♂️%" or Process.CommandLine like r"%🧚🏽‍♀️%" or Process.CommandLine like r"%🧚🏽%" or Process.CommandLine like r"%🧚🏽‍♂️%" or Process.CommandLine like r"%👼🏽%" or Process.CommandLine like r"%🤰🏽%" or Process.CommandLine like r"%🫄🏽%" or Process.CommandLine like r"%🫃🏽%" or Process.CommandLine like r"%🤱🏽%" or Process.CommandLine like r"%👩🏽‍🍼%" or Process.CommandLine like r"%🧑🏽‍🍼%" or Process.CommandLine like r"%👨🏽‍🍼%" or Process.CommandLine like r"%🙇🏽‍♀️%" or Process.CommandLine like r"%🙇🏽%" or Process.CommandLine like r"%🙇🏽‍♂️%" or Process.CommandLine like r"%💁🏽‍♀️%" or Process.CommandLine like r"%💁🏽%" or Process.CommandLine like r"%💁🏽‍♂️%" or Process.CommandLine like r"%🙅🏽‍♀️%" or Process.CommandLine like r"%🙅🏽%" or Process.CommandLine like r"%🙅🏽‍♂️%" or Process.CommandLine like r"%🙆🏽‍♀️%" or Process.CommandLine like r"%🙆🏽%" or Process.CommandLine like r"%🙆🏽‍♂️%" or Process.CommandLine like r"%🙋🏽‍♀️%" or Process.CommandLine like r"%🙋🏽%" or Process.CommandLine like r"%🙋🏽‍♂️%" or Process.CommandLine like r"%🧏🏽‍♀️%" or Process.CommandLine like r"%🧏🏽%" or Process.CommandLine like r"%🧏🏽‍♂️%" or Process.CommandLine like r"%🤦🏽‍♀️%" or Process.CommandLine like r"%🤦🏽%" or Process.CommandLine like r"%🤦🏽‍♂️%" or Process.CommandLine like r"%🤷🏽‍♀️%" or Process.CommandLine like r"%🤷🏽%" or Process.CommandLine like r"%🤷🏽‍♂️%" or Process.CommandLine like r"%🙎🏽‍♀️%" or Process.CommandLine like r"%🙎🏽%" or Process.CommandLine like r"%🙎🏽‍♂️%" or Process.CommandLine like r"%🙍🏽‍♀️%" or Process.CommandLine like r"%🙍🏽%" or Process.CommandLine like r"%🙍🏽‍♂️%" or Process.CommandLine like r"%💇🏽‍♀️%" or Process.CommandLine like r"%💇🏽%" or Process.CommandLine like r"%💇🏽‍♂️%" or Process.CommandLine like r"%💆🏽‍♀️%" or Process.CommandLine like r"%💆🏽%" or Process.CommandLine like r"%💆🏽‍♂️%" or Process.CommandLine like 
r"%🧖🏽‍♀️%" or Process.CommandLine like r"%🧖🏽%" or Process.CommandLine like r"%🧖🏽‍♂️%" or Process.CommandLine like r"%💃🏽%" or Process.CommandLine like r"%🕺🏽%" or Process.CommandLine like r"%🕴🏽%" or Process.CommandLine like r"%👩🏽‍🦽%" or Process.CommandLine like r"%🧑🏽‍🦽%" or Process.CommandLine like r"%👨🏽‍🦽%" or Process.CommandLine like r"%👩🏽‍🦼%" or Process.CommandLine like r"%🧑🏽‍🦼%" or Process.CommandLine like r"%👨🏽‍🦼%" or Process.CommandLine like r"%🚶🏽‍♀️%" or Process.CommandLine like r"%🚶🏽%" or Process.CommandLine like r"%🚶🏽‍♂️%" or Process.CommandLine like r"%👩🏽‍🦯%" or Process.CommandLine like r"%🧑🏽‍🦯%" or Process.CommandLine like r"%👨🏽‍🦯%" or Process.CommandLine like r"%🧎🏽‍♀️%" or Process.CommandLine like r"%🧎🏽%" or Process.CommandLine like r"%🧎🏽‍♂️%" or Process.CommandLine like r"%🏃🏽‍♀️%" or Process.CommandLine like r"%🏃🏽%" or Process.CommandLine like r"%🏃🏽‍♂️%" or Process.CommandLine like r"%🧍🏽‍♀️%" or Process.CommandLine like r"%🧍🏽%" or Process.CommandLine like r"%🧍🏽‍♂️%" or Process.CommandLine like r"%👭🏽%" or Process.CommandLine like r"%🧑🏽‍🤝‍🧑🏽%" or Process.CommandLine like r"%👬🏽%" or Process.CommandLine like r"%👫🏽%" or Process.CommandLine like r"%🧗🏽‍♀️%" or Process.CommandLine like r"%🧗🏽%" or Process.CommandLine like r"%🧗🏽‍♂️%" or Process.CommandLine like r"%🏇🏽%" or Process.CommandLine like r"%🏂🏽%" or Process.CommandLine like r"%🏌🏽‍♀️%" or Process.CommandLine like r"%🏌🏽%" or Process.CommandLine like r"%🏌🏽‍♂️%" or Process.CommandLine like r"%🏄🏽‍♀️%" or Process.CommandLine like r"%🏄🏽%" or Process.CommandLine like r"%🏄🏽‍♂️%" or Process.CommandLine like r"%🚣🏽‍♀️%" or Process.CommandLine like r"%🚣🏽%" or Process.CommandLine like r"%🚣🏽‍♂️%" or Process.CommandLine like r"%🏊🏽‍♀️%" or Process.CommandLine like r"%🏊🏽%" or Process.CommandLine like r"%🏊🏽‍♂️%" or Process.CommandLine like r"%⛹🏽‍♀️%" or Process.CommandLine like r"%⛹🏽%" or Process.CommandLine like r"%⛹🏽‍♂️%" or Process.CommandLine like r"%🏋🏽‍♀️%" or Process.CommandLine like r"%🏋🏽%" or Process.CommandLine like 
r"%🏋🏽‍♂️%" or Process.CommandLine like r"%🚴🏽‍♀️%" or Process.CommandLine like r"%🚴🏽%" or Process.CommandLine like r"%🚴🏽‍♂️%" or Process.CommandLine like r"%🚵🏽‍♀️%" or Process.CommandLine like r"%🚵🏽%" or Process.CommandLine like r"%🚵🏽‍♂️%" or Process.CommandLine like r"%🤸🏽‍♀️%" or Process.CommandLine like r"%🤸🏽%" or Process.CommandLine like r"%🤸🏽‍♂️%" or Process.CommandLine like r"%🤽🏽‍♀️%" or Process.CommandLine like r"%🤽🏽%" or Process.CommandLine like r"%🤽🏽‍♂️%" or Process.CommandLine like r"%🤾🏽‍♀️%" or Process.CommandLine like r"%🤾🏽%" or Process.CommandLine like r"%🤾🏽‍♂️%" or Process.CommandLine like r"%🤹🏽‍♀️%" or Process.CommandLine like r"%🤹🏽%" or Process.CommandLine like r"%🤹🏽‍♂️%" or Process.CommandLine like r"%🧘🏽‍♀️%" or Process.CommandLine like r"%🧘🏽%" or Process.CommandLine like r"%🧘🏽‍♂️%" or Process.CommandLine like r"%🛀🏽%" or Process.CommandLine like r"%🛌🏽%" or Process.CommandLine like r"%👋🏾%" or Process.CommandLine like r"%🤚🏾%" or Process.CommandLine like r"%🖐🏾%" or Process.CommandLine like r"%✋🏾%" or Process.CommandLine like r"%🖖🏾%" or Process.CommandLine like r"%👌🏾%" or Process.CommandLine like r"%🤌🏾%" or Process.CommandLine like r"%🤏🏾%" or Process.CommandLine like r"%✌🏾%" or Process.CommandLine like r"%🤞🏾%" or Process.CommandLine like r"%🫰🏾%" or Process.CommandLine like r"%🤟🏾%" or Process.CommandLine like r"%🤘🏾%" or Process.CommandLine like r"%🤙🏾%" or Process.CommandLine like r"%🫵🏾%" or Process.CommandLine like r"%🫱🏾%" or Process.CommandLine like r"%🫲🏾%" or Process.CommandLine like r"%🫳🏾%" or Process.CommandLine like r"%🫴🏾%" or Process.CommandLine like r"%👈🏾%" or Process.CommandLine like r"%👉🏾%" or Process.CommandLine like r"%👆🏾%" or Process.CommandLine like r"%🖕🏾%" or Process.CommandLine like r"%👇🏾%" or Process.CommandLine like r"%☝🏾%" or Process.CommandLine like r"%👍🏾%" or Process.CommandLine like r"%👎🏾%" or Process.CommandLine like r"%✊🏾%" or Process.CommandLine like r"%👊🏾%" or Process.CommandLine like r"%🤛🏾%" or Process.CommandLine like r"%🤜🏾%" or 
Process.CommandLine like r"%👏🏾%" or Process.CommandLine like r"%🫶🏾%" or Process.CommandLine like r"%🙌🏾%" or Process.CommandLine like r"%👐🏾%" or Process.CommandLine like r"%🤲🏾%" or Process.CommandLine like r"%🙏🏾%" or Process.CommandLine like r"%✍🏾%" or Process.CommandLine like r"%💪🏾%" or Process.CommandLine like r"%🦵🏾%" or Process.CommandLine like r"%🦶🏾%" or Process.CommandLine like r"%👂🏾%" or Process.CommandLine like r"%🦻🏾%" or Process.CommandLine like r"%👃🏾%" or Process.CommandLine like r"%👶🏾%" or Process.CommandLine like r"%👧🏾%" or Process.CommandLine like r"%🧒🏾%" or Process.CommandLine like r"%👦🏾%" or Process.CommandLine like r"%👩🏾%" or Process.CommandLine like r"%🧑🏾%" or Process.CommandLine like r"%👨🏾%" or Process.CommandLine like r"%👩🏾‍🦱%" or Process.CommandLine like r"%🧑🏾‍🦱%" or Process.CommandLine like r"%👨🏾‍🦱%" or Process.CommandLine like r"%👩🏾‍🦰%" or Process.CommandLine like r"%🧑🏾‍🦰%" or Process.CommandLine like r"%👨🏾‍🦰%" or Process.CommandLine like r"%👱🏾‍♀️%" or Process.CommandLine like r"%👱🏾%" or Process.CommandLine like r"%👱🏾‍♂️%" or Process.CommandLine like r"%👩🏾‍🦳%" or Process.CommandLine like r"%🧑🏾‍🦳%" or Process.CommandLine like r"%👨🏾‍🦳%" or Process.CommandLine like r"%👩🏾‍🦲%" or Process.CommandLine like r"%🧑🏾‍🦲%" or Process.CommandLine like r"%👨🏾‍🦲%" or Process.CommandLine like r"%🧔🏾‍♀️%" or Process.CommandLine like r"%🧔🏾%" or Process.CommandLine like r"%🧔🏾‍♂️%" or Process.CommandLine like r"%👵🏾%" or Process.CommandLine like r"%🧓🏾%" or Process.CommandLine like r"%👴🏾%" or Process.CommandLine like r"%👲🏾%" or Process.CommandLine like r"%👳🏾‍♀️%" or Process.CommandLine like r"%👳🏾%" or Process.CommandLine like r"%👳🏾‍♂️%" or Process.CommandLine like r"%🧕🏾%" or Process.CommandLine like r"%👮🏾‍♀️%" or Process.CommandLine like r"%👮🏾%" or Process.CommandLine like r"%👮🏾‍♂️%" or Process.CommandLine like r"%👷🏾‍♀️%" or Process.CommandLine like r"%👷🏾%" or Process.CommandLine like r"%👷🏾‍♂️%" or Process.CommandLine like r"%💂🏾‍♀️%" or Process.CommandLine like r"%💂🏾%" 
or Process.CommandLine like r"%💂🏾‍♂️%" or Process.CommandLine like r"%🕵🏾‍♀️%" or Process.CommandLine like r"%🕵🏾%" or Process.CommandLine like r"%🕵🏾‍♂️%" or Process.CommandLine like r"%👩🏾‍⚕️%" or Process.CommandLine like r"%🧑🏾‍⚕️%" or Process.CommandLine like r"%👨🏾‍⚕️%" or Process.CommandLine like r"%👩🏾‍🌾%" or Process.CommandLine like r"%🧑🏾‍🌾%" or Process.CommandLine like r"%👨🏾‍🌾%" or Process.CommandLine like r"%👩🏾‍🍳%" or Process.CommandLine like r"%🧑🏾‍🍳%" or Process.CommandLine like r"%👨🏾‍🍳%" or Process.CommandLine like r"%👩🏾‍🎓%" or Process.CommandLine like r"%🧑🏾‍🎓%" or Process.CommandLine like r"%👨🏾‍🎓%" or Process.CommandLine like r"%👩🏾‍🎤%" or Process.CommandLine like r"%🧑🏾‍🎤%" or Process.CommandLine like r"%👨🏾‍🎤%" or Process.CommandLine like r"%👩🏾‍🏫%" or Process.CommandLine like r"%🧑🏾‍🏫%" or Process.CommandLine like r"%👨🏾‍🏫%" or Process.CommandLine like r"%👩🏾‍🏭%" or Process.CommandLine like r"%🧑🏾‍🏭%" or Process.CommandLine like r"%👨🏾‍🏭%" or Process.CommandLine like r"%👩🏾‍💻%" or Process.CommandLine like r"%🧑🏾‍💻%" or Process.CommandLine like r"%👨🏾‍💻%" or Process.CommandLine like r"%👩🏾‍💼%" or Process.CommandLine like r"%🧑🏾‍💼%" or Process.CommandLine like r"%👨🏾‍💼%" or Process.CommandLine like r"%👩🏾‍🔧%" or Process.CommandLine like r"%🧑🏾‍🔧%" or Process.CommandLine like r"%👨🏾‍🔧%" or Process.CommandLine like r"%👩🏾‍🔬%" or Process.CommandLine like r"%🧑🏾‍🔬%" or Process.CommandLine like r"%👨🏾‍🔬%" or Process.CommandLine like r"%👩🏾‍🎨%" or Process.CommandLine like r"%🧑🏾‍🎨%" or Process.CommandLine like r"%👨🏾‍🎨%" or Process.CommandLine like r"%👩🏾‍🚒%" or Process.CommandLine like r"%🧑🏾‍🚒%" or Process.CommandLine like r"%👨🏾‍🚒%" or Process.CommandLine like r"%👩🏾‍✈️%" or Process.CommandLine like r"%🧑🏾‍✈️%" or Process.CommandLine like r"%👨🏾‍✈️%" or Process.CommandLine like r"%👩🏾‍🚀%" or Process.CommandLine like r"%🧑🏾‍🚀%" or Process.CommandLine like r"%👨🏾‍🚀%" or Process.CommandLine like r"%👩🏾‍⚖️%" or Process.CommandLine like r"%🧑🏾‍⚖️%" or Process.CommandLine like r"%👨🏾‍⚖️%" or 
Process.CommandLine like r"%👰🏾‍♀️%" or Process.CommandLine like r"%👰🏾%" or Process.CommandLine like r"%👰🏾‍♂️%" or Process.CommandLine like r"%🤵🏾‍♀️%" or Process.CommandLine like r"%🤵🏾%" or Process.CommandLine like r"%🤵🏾‍♂️%" or Process.CommandLine like r"%👸🏾%" or Process.CommandLine like r"%🫅🏾%" or Process.CommandLine like r"%🤴🏾%" or Process.CommandLine like r"%🥷🏾%" or Process.CommandLine like r"%🦸🏾‍♀️%" or Process.CommandLine like r"%🦸🏾%" or Process.CommandLine like r"%🦸🏾‍♂️%" or Process.CommandLine like r"%🦹🏾‍♀️%" or Process.CommandLine like r"%🦹🏾%" or Process.CommandLine like r"%🦹🏾‍♂️%" or Process.CommandLine like r"%🤶🏾%" or Process.CommandLine like r"%🧑🏾‍🎄%" or Process.CommandLine like r"%🎅🏾%" or Process.CommandLine like r"%🧙🏾‍♀️%" or Process.CommandLine like r"%🧙🏾%" or Process.CommandLine like r"%🧙🏾‍♂️%" or Process.CommandLine like r"%🧝🏾‍♀️%" or Process.CommandLine like r"%🧝🏾%" or Process.CommandLine like r"%🧝🏾‍♂️%" or Process.CommandLine like r"%🧛🏾‍♀️%" or Process.CommandLine like r"%🧛🏾%" or Process.CommandLine like r"%🧛🏾‍♂️%" or Process.CommandLine like r"%🧜🏾‍♀️%" or Process.CommandLine like r"%🧜🏾%" or Process.CommandLine like r"%🧜🏾‍♂️%" or Process.CommandLine like r"%🧚🏾‍♀️%" or Process.CommandLine like r"%🧚🏾%" or Process.CommandLine like r"%🧚🏾‍♂️%" or Process.CommandLine like r"%👼🏾%" or Process.CommandLine like r"%🤰🏾%" or Process.CommandLine like r"%🫄🏾%" or Process.CommandLine like r"%🫃🏾%" or Process.CommandLine like r"%🤱🏾%" or Process.CommandLine like r"%👩🏾‍🍼%" or Process.CommandLine like r"%🧑🏾‍🍼%" or Process.CommandLine like r"%👨🏾‍🍼%" or Process.CommandLine like r"%🙇🏾‍♀️%" or Process.CommandLine like r"%🙇🏾%" or Process.CommandLine like r"%🙇🏾‍♂️%" or Process.CommandLine like r"%💁🏾‍♀️%" or Process.CommandLine like r"%💁🏾%" or Process.CommandLine like r"%💁🏾‍♂️%" or Process.CommandLine like r"%🙅🏾‍♀️%" or Process.CommandLine like r"%🙅🏾%" or Process.CommandLine like r"%🙅🏾‍♂️%" or Process.CommandLine like r"%🙆🏾‍♀️%" or Process.CommandLine like r"%🙆🏾%" or 
Process.CommandLine like r"%🙆🏾‍♂️%" or Process.CommandLine like r"%🙋🏾‍♀️%" or Process.CommandLine like r"%🙋🏾%" or Process.CommandLine like r"%🙋🏾‍♂️%" or Process.CommandLine like r"%🧏🏾‍♀️%" or Process.CommandLine like r"%🧏🏾%" or Process.CommandLine like r"%🧏🏾‍♂️%" or Process.CommandLine like r"%🤦🏾‍♀️%" or Process.CommandLine like r"%🤦🏾%" or Process.CommandLine like r"%🤦🏾‍♂️%" or Process.CommandLine like r"%🤷🏾‍♀️%" or Process.CommandLine like r"%🤷🏾%" or Process.CommandLine like r"%🤷🏾‍♂️%" or Process.CommandLine like r"%🙎🏾‍♀️%" or Process.CommandLine like r"%🙎🏾%" or Process.CommandLine like r"%🙎🏾‍♂️%" or Process.CommandLine like r"%🙍🏾‍♀️%" or Process.CommandLine like r"%🙍🏾%" or Process.CommandLine like r"%🙍🏾‍♂️%" or Process.CommandLine like r"%💇🏾‍♀️%" or Process.CommandLine like r"%💇🏾%" or Process.CommandLine like r"%💇🏾‍♂️%" or Process.CommandLine like r"%💆🏾‍♀️%" or Process.CommandLine like r"%💆🏾%" or Process.CommandLine like r"%💆🏾‍♂️%" or Process.CommandLine like r"%🧖🏾‍♀️%" or Process.CommandLine like r"%🧖🏾%" or Process.CommandLine like r"%🧖🏾‍♂️%" or Process.CommandLine like r"%💃🏾%" or Process.CommandLine like r"%🕺🏾%" or Process.CommandLine like r"%👩🏾‍🦽%" or Process.CommandLine like r"%🧑🏾‍🦽%" or Process.CommandLine like r"%👨🏾‍🦽%" or Process.CommandLine like r"%👩🏾‍🦼%" or Process.CommandLine like r"%🧑🏾‍🦼%" or Process.CommandLine like r"%👨🏾‍🦼%" or Process.CommandLine like r"%🚶🏾‍♀️%" or Process.CommandLine like r"%🚶🏾%" or Process.CommandLine like r"%🚶🏾‍♂️%" or Process.CommandLine like r"%👩🏾‍🦯%" or Process.CommandLine like r"%🧑🏾‍🦯%" or Process.CommandLine like r"%👨🏾‍🦯%" or Process.CommandLine like r"%🧎🏾‍♀️%" or Process.CommandLine like r"%🧎🏾%" or Process.CommandLine like r"%🧎🏾‍♂️%" or Process.CommandLine like r"%🏃🏾‍♀️%" or Process.CommandLine like r"%🏃🏾%" or Process.CommandLine like r"%🏃🏾‍♂️%" or Process.CommandLine like r"%🧍🏾‍♀️%" or Process.CommandLine like r"%🧍🏾%" or Process.CommandLine like r"%🧍🏾‍♂️%" or Process.CommandLine like r"%👭🏾%" or Process.CommandLine like 
r"%🧑🏾‍🤝‍🧑🏾%" or Process.CommandLine like r"%👬🏾%" or Process.CommandLine like r"%👫🏾%" or Process.CommandLine like r"%🧗🏾‍♀️%" or Process.CommandLine like r"%🧗🏾%" or Process.CommandLine like r"%🧗🏾‍♂️%" or Process.CommandLine like r"%🏇🏾%" or Process.CommandLine like r"%🏂🏾%" or Process.CommandLine like r"%🏌🏾‍♀️%" or Process.CommandLine like r"%🏌🏾%" or Process.CommandLine like r"%🏌🏾‍♂️%" or Process.CommandLine like r"%🏄🏾‍♀️%" or Process.CommandLine like r"%🏄🏾%" or Process.CommandLine like r"%🏄🏾‍♂️%" or Process.CommandLine like r"%🚣🏾‍♀️%" or Process.CommandLine like r"%🚣🏾%" or Process.CommandLine like r"%🚣🏾‍♂️%" or Process.CommandLine like r"%🏊🏾‍♀️%" or Process.CommandLine like r"%🏊🏾%" or Process.CommandLine like r"%🏊🏾‍♂️%" or Process.CommandLine like r"%⛹🏾‍♀️%" or Process.CommandLine like r"%⛹🏾%" or Process.CommandLine like r"%⛹🏾‍♂️%" or Process.CommandLine like r"%🏋🏾‍♀️%" or Process.CommandLine like r"%🏋🏾%" or Process.CommandLine like r"%🏋🏾‍♂️%" or Process.CommandLine like r"%🚴🏾‍♀️%" or Process.CommandLine like r"%🚴🏾%" or Process.CommandLine like r"%🚴🏾‍♂️%" or Process.CommandLine like r"%🚵🏾‍♀️%" or Process.CommandLine like r"%🚵🏾%" or Process.CommandLine like r"%🚵🏾‍♂️%" or Process.CommandLine like r"%🤸🏾‍♀️%" or Process.CommandLine like r"%🤸🏾%" or Process.CommandLine like r"%🤸🏾‍♂️%" or Process.CommandLine like r"%🤽🏾‍♀️%" or Process.CommandLine like r"%🤽🏾%" or Process.CommandLine like r"%🤽🏾‍♂️%" or Process.CommandLine like r"%🤾🏾‍♀️%" or Process.CommandLine like r"%🤾🏾%" or Process.CommandLine like r"%🤾🏾‍♂️%" or Process.CommandLine like r"%🤹🏾‍♀️%" or Process.CommandLine like r"%🤹🏾%" or Process.CommandLine like r"%🤹🏾‍♂️%" or Process.CommandLine like r"%🧘🏾‍♀️%" or Process.CommandLine like r"%🧘🏾%" or Process.CommandLine like r"%🧘🏾‍♂️%" or Process.CommandLine like r"%🛀🏾%" or Process.CommandLine like r"%🛌🏾%" or Process.CommandLine like r"%👋🏿%" or Process.CommandLine like r"%🤚🏿%" or Process.CommandLine like r"%🖐🏿%" or Process.CommandLine like r"%✋🏿%" or Process.CommandLine like 
r"%🖖🏿%" or Process.CommandLine like r"%👌🏿%" or Process.CommandLine like r"%🤌🏿%" or Process.CommandLine like r"%🤏🏿%" or Process.CommandLine like r"%✌🏿%" or Process.CommandLine like r"%🤞🏿%" or Process.CommandLine like r"%🫰🏿%" or Process.CommandLine like r"%🤟🏿%" or Process.CommandLine like r"%🤘🏿%" or Process.CommandLine like r"%🤙🏿%" or Process.CommandLine like r"%🫵🏿%" or Process.CommandLine like r"%🫱🏿%" or Process.CommandLine like r"%🫲🏿%" or Process.CommandLine like r"%🫳🏿%" or Process.CommandLine like r"%🫴🏿%" or Process.CommandLine like r"%👈🏿%" or Process.CommandLine like r"%👉🏿%" or Process.CommandLine like r"%👆🏿%" or Process.CommandLine like r"%🖕🏿%" or Process.CommandLine like r"%👇🏿%" or Process.CommandLine like r"%☝🏿%" or Process.CommandLine like r"%👍🏿%" or Process.CommandLine like r"%👎🏿%" or Process.CommandLine like r"%✊🏿%" or Process.CommandLine like r"%👊🏿%" or Process.CommandLine like r"%🤛🏿%" or Process.CommandLine like r"%🤜🏿%" or Process.CommandLine like r"%👏🏿%" or Process.CommandLine like r"%🫶🏿%" or Process.CommandLine like r"%🙌🏿%" or Process.CommandLine like r"%👐🏿%" or Process.CommandLine like r"%🤲🏿%" or Process.CommandLine like r"%🙏🏿%" or Process.CommandLine like r"%✍🏿%" or Process.CommandLine like r"%🤳🏿%" or Process.CommandLine like r"%💪🏿%" or Process.CommandLine like r"%🦵🏿%" or Process.CommandLine like r"%🦶🏿%" or Process.CommandLine like r"%👂🏿%" or Process.CommandLine like r"%🦻🏿%" or Process.CommandLine like r"%👃🏿%" or Process.CommandLine like r"%👶🏿%" or Process.CommandLine like r"%👧🏿%" or Process.CommandLine like r"%🧒🏿%" or Process.CommandLine like r"%👦🏿%" or Process.CommandLine like r"%👩🏿%" or Process.CommandLine like r"%🧑🏿%" or Process.CommandLine like r"%👨🏿%" or Process.CommandLine like r"%👩🏿‍🦱%" or Process.CommandLine like r"%🧑🏿‍🦱%" or Process.CommandLine like r"%👨🏿‍🦱%" or Process.CommandLine like r"%👩🏿‍🦰%" or Process.CommandLine like r"%🧑🏿‍🦰%" or Process.CommandLine like r"%👨🏿‍🦰%" or Process.CommandLine like r"%👱🏿‍♀️%" or Process.CommandLine like 
r"%👱🏿%" or Process.CommandLine like r"%👱🏿‍♂️%" or Process.CommandLine like r"%👩🏿‍🦳%" or Process.CommandLine like r"%🧑🏿‍🦳%" or Process.CommandLine like r"%👨🏿‍🦳%" or Process.CommandLine like r"%👩🏿‍🦲%" or Process.CommandLine like r"%🧑🏿‍🦲%" or Process.CommandLine like r"%👨🏿‍🦲%" or Process.CommandLine like r"%🧔🏿‍♀️%" or Process.CommandLine like r"%🧔🏿%" or Process.CommandLine like r"%🧔🏿‍♂️%" or Process.CommandLine like r"%👵🏿%" or Process.CommandLine like r"%🧓🏿%" or Process.CommandLine like r"%👴🏿%" or Process.CommandLine like r"%👲🏿%" or Process.CommandLine like r"%👳🏿‍♀️%" or Process.CommandLine like r"%👳🏿%" or Process.CommandLine like r"%👳🏿‍♂️%" or Process.CommandLine like r"%🧕🏿%" or Process.CommandLine like r"%👮🏿‍♀️%" or Process.CommandLine like r"%👮🏿%" or Process.CommandLine like r"%👮🏿‍♂️%" or Process.CommandLine like r"%👷🏿‍♀️%" or Process.CommandLine like r"%👷🏿%" or Process.CommandLine like r"%👷🏿‍♂️%" or Process.CommandLine like r"%💂🏿‍♀️%" or Process.CommandLine like r"%💂🏿%" or Process.CommandLine like r"%💂🏿‍♂️%" or Process.CommandLine like r"%🕵🏿‍♀️%" or Process.CommandLine like r"%🕵🏿%" or Process.CommandLine like r"%🕵🏿‍♂️%" or Process.CommandLine like r"%👩🏿‍⚕️%" or Process.CommandLine like r"%🧑🏿‍⚕️%" or Process.CommandLine like r"%👨🏿‍⚕️%" or Process.CommandLine like r"%👩🏿‍🌾%" or Process.CommandLine like r"%🧑🏿‍🌾%" or Process.CommandLine like r"%👨🏿‍🌾%" or Process.CommandLine like r"%👩🏿‍🍳%" or Process.CommandLine like r"%🧑🏿‍🍳%" or Process.CommandLine like r"%👨🏿‍🍳%" or Process.CommandLine like r"%👩🏿‍🎓%" or Process.CommandLine like r"%🧑🏿‍🎓%" or Process.CommandLine like r"%👨🏿‍🎓%" or Process.CommandLine like r"%👩🏿‍🎤%" or Process.CommandLine like r"%🧑🏿‍🎤%" or Process.CommandLine like r"%👨🏿‍🎤%" or Process.CommandLine like r"%👩🏿‍🏫%" or Process.CommandLine like r"%🧑🏿‍🏫%" or Process.CommandLine like r"%👨🏿‍🏫%" or Process.CommandLine like r"%👩🏿‍🏭%" or Process.CommandLine like r"%🧑🏿‍🏭%" or Process.CommandLine like r"%👨🏿‍🏭%" or Process.CommandLine like r"%👩🏿‍💻%" or 
Process.CommandLine like r"%🧑🏿‍💻%" or Process.CommandLine like r"%👨🏿‍💻%" or Process.CommandLine like r"%👩🏿‍💼%" or Process.CommandLine like r"%🧑🏿‍💼%" or Process.CommandLine like r"%👨🏿‍💼%" or Process.CommandLine like r"%👩🏿‍🔧%" or Process.CommandLine like r"%🧑🏿‍🔧%" or Process.CommandLine like r"%👨🏿‍🔧%" or Process.CommandLine like r"%👩🏿‍🔬%" or Process.CommandLine like r"%🧑🏿‍🔬%" or Process.CommandLine like r"%👨🏿‍🔬%" or Process.CommandLine like r"%👩🏿‍🎨%" or Process.CommandLine like r"%🧑🏿‍🎨%" or Process.CommandLine like r"%👨🏿‍🎨%" or Process.CommandLine like r"%👩🏿‍🚒%" or Process.CommandLine like r"%🧑🏿‍🚒%" or Process.CommandLine like r"%👨🏿‍🚒%" or Process.CommandLine like r"%👩🏿‍✈️%" or Process.CommandLine like r"%🧑🏿‍✈️%" or Process.CommandLine like r"%👨🏿‍✈️%" or Process.CommandLine like r"%👩🏿‍🚀%" or Process.CommandLine like r"%🧑🏿‍🚀%" or Process.CommandLine like r"%👨🏿‍🚀%" or Process.CommandLine like r"%👩🏿‍⚖️%" or Process.CommandLine like r"%🧑🏿‍⚖️%" or Process.CommandLine like r"%👨🏿‍⚖️%" or Process.CommandLine like r"%👰🏿‍♀️%" or Process.CommandLine like r"%👰🏿%" or Process.CommandLine like r"%👰🏿‍♂️%" or Process.CommandLine like r"%🤵🏿‍♀️%" or Process.CommandLine like r"%🤵🏿%" or Process.CommandLine like r"%🤵🏿‍♂️%" or Process.CommandLine like r"%👸🏿%" or Process.CommandLine like r"%🫅🏿%" or Process.CommandLine like r"%🤴🏿%" or Process.CommandLine like r"%🥷🏿%" or Process.CommandLine like r"%🦸🏿‍♀️%" or Process.CommandLine like r"%🦸🏿%" or Process.CommandLine like r"%🦸🏿‍♂️%" or Process.CommandLine like r"%🦹🏿‍♀️%" or Process.CommandLine like r"%🦹🏿%" or Process.CommandLine like r"%🦹🏿‍♂️%" or Process.CommandLine like r"%🤶🏿%" or Process.CommandLine like r"%🧑🏿‍🎄%" or Process.CommandLine like r"%🎅🏿%" or Process.CommandLine like r"%🧙🏿‍♀️%" or Process.CommandLine like r"%🧙🏿%" or Process.CommandLine like r"%🧙🏿‍♂️%" or Process.CommandLine like r"%🧝🏿‍♀️%" or Process.CommandLine like r"%🧝🏿%" or Process.CommandLine like r"%🧝🏿‍♂️%" or Process.CommandLine like r"%🧛🏿‍♀️%" or Process.CommandLine like 
r"%🧛🏿%" or Process.CommandLine like r"%🧛🏿‍♂️%" or Process.CommandLine like r"%🧜🏿‍♀️%" or Process.CommandLine like r"%🧜🏿%" or Process.CommandLine like r"%🧜🏿‍♂️%" or Process.CommandLine like r"%🧚🏿‍♀️%" or Process.CommandLine like r"%🧚🏿%" or Process.CommandLine like r"%🧚🏿‍♂️%" or Process.CommandLine like r"%👼🏿%" or Process.CommandLine like r"%🤰🏿%" or Process.CommandLine like r"%🫄🏿%" or Process.CommandLine like r"%🫃🏿%" or Process.CommandLine like r"%🤱🏿%" or Process.CommandLine like r"%👩🏿‍🍼%" or Process.CommandLine like r"%🧑🏿‍🍼%" or Process.CommandLine like r"%👨🏿‍🍼%" or Process.CommandLine like r"%🙇🏿‍♀️%" or Process.CommandLine like r"%🙇🏿%" or Process.CommandLine like r"%🙇🏿‍♂️%" or Process.CommandLine like r"%💁🏿‍♀️%" or Process.CommandLine like r"%💁🏿%" or Process.CommandLine like r"%💁🏿‍♂️%" or Process.CommandLine like r"%🙅🏿‍♀️%" or Process.CommandLine like r"%🙅🏿%" or Process.CommandLine like r"%🙅🏿‍♂️%" or Process.CommandLine like r"%🙆🏿‍♀️%" or Process.CommandLine like r"%🙆🏿%" or Process.CommandLine like r"%🙆🏿‍♂️%" or Process.CommandLine like r"%🙋🏿‍♀️%" or Process.CommandLine like r"%🙋🏿%" or Process.CommandLine like r"%🙋🏿‍♂️%" or Process.CommandLine like r"%🧏🏿‍♀️%" or Process.CommandLine like r"%🧏🏿%" or Process.CommandLine like r"%🧏🏿‍♂️%" or Process.CommandLine like r"%🤦🏿‍♀️%" or Process.CommandLine like r"%🤦🏿%" or Process.CommandLine like r"%🤦🏿‍♂️%" or Process.CommandLine like r"%🤷🏿‍♀️%" or Process.CommandLine like r"%🤷🏿%" or Process.CommandLine like r"%🤷🏿‍♂️%" or Process.CommandLine like r"%🙎🏿‍♀️%" or Process.CommandLine like r"%🙎🏿%" or Process.CommandLine like r"%🙎🏿‍♂️%" or Process.CommandLine like r"%🙍🏿‍♀️%" or Process.CommandLine like r"%🙍🏿%" or Process.CommandLine like r"%🙍🏿‍♂️%" or Process.CommandLine like r"%💇🏿‍♀️%" or Process.CommandLine like r"%💇🏿%" or Process.CommandLine like r"%💇🏿‍♂️%" or Process.CommandLine like r"%💆🏿‍♀️%" or Process.CommandLine like r"%💆🏿%" or Process.CommandLine like r"%💆🏿‍♂️%" or Process.CommandLine like r"%🧖🏿‍♀️%" or Process.CommandLine 
like r"%🧖🏿%" or Process.CommandLine like r"%🧖🏿‍♂️%" or Process.CommandLine like r"%💃🏿%" or Process.CommandLine like r"%🕺🏿%" or Process.CommandLine like r"%🕴🏿%" or Process.CommandLine like r"%👩🏿‍🦽%" or Process.CommandLine like r"%🧑🏿‍🦽%" or Process.CommandLine like r"%👨🏿‍🦽%" or Process.CommandLine like r"%👩🏿‍🦼%" or Process.CommandLine like r"%🧑🏿‍🦼%" or Process.CommandLine like r"%👨🏿‍🦼%" or Process.CommandLine like r"%🚶🏿‍♀️%" or Process.CommandLine like r"%🚶🏿%" or Process.CommandLine like r"%🚶🏿‍♂️%" or Process.CommandLine like r"%👩🏿‍🦯%" or Process.CommandLine like r"%🧑🏿‍🦯%" or Process.CommandLine like r"%👨🏿‍🦯%" or Process.CommandLine like r"%🧎🏿‍♀️%" or Process.CommandLine like r"%🧎🏿%" or Process.CommandLine like r"%🧎🏿‍♂️%" or Process.CommandLine like r"%🏃🏿‍♀️%" or Process.CommandLine like r"%🏃🏿%" or Process.CommandLine like r"%🏃🏿‍♂️%" or Process.CommandLine like r"%🧍🏿‍♀️%" or Process.CommandLine like r"%🧍🏿%" or Process.CommandLine like r"%🧍🏿‍♂️%" or Process.CommandLine like r"%👭🏿%" or Process.CommandLine like r"%🧑🏿‍🤝‍🧑🏿%" or Process.CommandLine like r"%👬🏿%" or Process.CommandLine like r"%👫🏿%" or Process.CommandLine like r"%🧗🏿‍♀️%" or Process.CommandLine like r"%🧗🏿%" or Process.CommandLine like r"%🧗🏿‍♂️%" or Process.CommandLine like r"%🏇🏿%" or Process.CommandLine like r"%🏂🏿%" or Process.CommandLine like r"%🏌🏿‍♀️%" or Process.CommandLine like r"%🏌🏿%" or Process.CommandLine like r"%🏌🏿‍♂️%" or Process.CommandLine like r"%🏄🏿‍♀️%" or Process.CommandLine like r"%🏄🏿%" or Process.CommandLine like r"%🏄🏿‍♂️%" or Process.CommandLine like r"%🚣🏿‍♀️%" or Process.CommandLine like r"%🚣🏿%" or Process.CommandLine like r"%🚣🏿‍♂️%" or Process.CommandLine like r"%🏊🏿‍♀️%" or Process.CommandLine like r"%🏊🏿%" or Process.CommandLine like r"%🏊🏿‍♂️%" or Process.CommandLine like r"%⛹🏿‍♀️%" or Process.CommandLine like r"%⛹🏿%" or Process.CommandLine like r"%⛹🏿‍♂️%" or Process.CommandLine like r"%🏋🏿‍♀️%" or Process.CommandLine like r"%🏋🏿%" or Process.CommandLine like r"%🏋🏿‍♂️%" or Process.CommandLine 
like r"%🚴🏿‍♀️%" or Process.CommandLine like r"%🚴🏿%" or Process.CommandLine like r"%🚴🏿‍♂️%" or Process.CommandLine like r"%🚵🏿‍♀️%" or Process.CommandLine like r"%🚵🏿%" or Process.CommandLine like r"%🚵🏿‍♂️%" or Process.CommandLine like r"%🤸🏿‍♀️%" or Process.CommandLine like r"%🤸🏿%" or Process.CommandLine like r"%🤸🏿‍♂️%" or Process.CommandLine like r"%🤽🏿‍♀️%" or Process.CommandLine like r"%🤽🏿%" or Process.CommandLine like r"%🤽🏿‍♂️%" or Process.CommandLine like r"%🤾🏿‍♀️%" or Process.CommandLine like r"%🤾🏿%" or Process.CommandLine like r"%🤾🏿‍♂️%" or Process.CommandLine like r"%🤹🏿‍♀️%" or Process.CommandLine like r"%🤹🏿%" or Process.CommandLine like r"%🤹🏿‍♂️%" or Process.CommandLine like r"%🧘🏿‍♀️%" or Process.CommandLine like r"%🧘🏿%" or Process.CommandLine like r"%🧘🏿‍♂️%" or Process.CommandLine like r"%🛀🏿%" or Process.CommandLine like r"%🛌🏿%" or Process.CommandLine like r"%🐶%" or Process.CommandLine like r"%🐱%" or Process.CommandLine like r"%🐭%" or Process.CommandLine like r"%🐹%" or Process.CommandLine like r"%🐰%" or Process.CommandLine like r"%🦊%" or Process.CommandLine like r"%🐻%" or Process.CommandLine like r"%🐼%" or Process.CommandLine like r"%🐻‍❄️%" or Process.CommandLine like r"%🐨%" or Process.CommandLine like r"%🐯%" or Process.CommandLine like r"%🦁%" or Process.CommandLine like r"%🐮%" or Process.CommandLine like r"%🐷%" or Process.CommandLine like r"%🐽%" or Process.CommandLine like r"%🐸%" or Process.CommandLine like r"%🐵%" or Process.CommandLine like r"%🙈%" or Process.CommandLine like r"%🙉%" or Process.CommandLine like r"%🙊%" or Process.CommandLine like r"%🐒%" or Process.CommandLine like r"%🐔%" or Process.CommandLine like r"%🐧%" or Process.CommandLine like r"%🐦%" or Process.CommandLine like r"%🐤%" or Process.CommandLine like r"%🐣%" or Process.CommandLine like r"%🐥%" +Annotation = {"mitre_attack": ["T1047"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%process %" and Process.CommandLine 
like r"%call %" and Process.CommandLine like r"%create %" and (Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%bitsadmin%" or Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd.exe /r %" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd /k %" or Process.CommandLine like r"%cmd /r %" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%pwsh%" or Process.CommandLine like r"%certutil%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Local\\%" or Process.CommandLine like r"%\%temp\%%" or Process.CommandLine like r"%\%tmp\%%" or Process.CommandLine like r"%\%ProgramData\%%" or Process.CommandLine like r"%\%appdata\%%" or Process.CommandLine like r"%\%comspec\%%" or Process.CommandLine like r"%\%localappdata\%%") [ThreatDetectionRule platform=Windows] -# Detects a suspicious script execution in temporary folders or folders accessible by environment variables -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 1228c958-e64e-4e71-92ad-7d429f4138ba -RuleName = Script Interpreter Execution From Suspicious Folder -EventType = Process.Start -Tag = proc-start-script-interpreter-execution-from-suspicious-folder +# Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = d7b50671-d1ad-4871-aa60-5aa5b331fe04 +RuleName = Suspicious File Creation In Uncommon AppData Folder +EventType = File.Create +Tag = suspicious-file-creation-in-uncommon-appdata-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\wscript.exe" or Process.CommandLine like r"% -ep bypass %" or Process.CommandLine like r"% -ExecutionPolicy bypass %" or Process.CommandLine like r"% -w hidden %" or Process.CommandLine like r"%/e:javascript %" or Process.CommandLine like r"%/e:Jscript %" or Process.CommandLine like r"%/e:vbscript %" or Process.Name in ["cscript.exe", "mshta.exe", "wscript.exe"]) and (Process.CommandLine like r"%:\\Perflogs\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\AppData\\Roaming\\Temp%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%\\Windows\\Temp%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Favorites\\%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Favourites\\%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Contacts\\%") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"C:\\Users\\%" and File.Path like r"%\\AppData\\%" and (File.Path like r"%.bat" or File.Path like r"%.cmd" or File.Path like r"%.cpl" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.hta" or File.Path like r"%.iso" or File.Path like r"%.lnk" or File.Path like r"%.msi" or File.Path like r"%.ps1" or File.Path 
like r"%.psm1" or File.Path like r"%.scr" or File.Path like r"%.vbe" or File.Path like r"%.vbs") and not (File.Path like r"C:\\Users\\%" and (File.Path like r"%\\AppData\\Local\\%" or File.Path like r"%\\AppData\\LocalLow\\%" or File.Path like r"%\\AppData\\Roaming\\%")) +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the export of a crital Registry key to a file. -# Author: Oddvar Moe, Sander Wiebing, oscd.community -RuleId = 82880171-b475-4201-b811-e9c826cd5eaa -RuleName = Exports Critical Registry Keys To a File +# Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2 +RuleName = Kernel Memory Dump Via LiveKD EventType = Process.Start -Tag = proc-start-exports-critical-registry-keys-to-a-file +Tag = proc-start-kernel-memory-dump-via-livekd RiskScore = 75 -Annotation = {"mitre_attack": ["T1012"], "author": "Oddvar Moe, Sander Wiebing, oscd.community"} -Query = (Process.Path like r"%\\regedit.exe" or Process.Name == "REGEDIT.EXE") and (Process.CommandLine like r"% -E %" or Process.CommandLine like r"% /E %" or Process.CommandLine like r"% –E %" or Process.CommandLine like r"% —E %" or Process.CommandLine like r"% ―E %") and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\livekd.exe" or Process.Path like r"%\\livekd64.exe" or Process.Name == "livekd.exe") and (Process.CommandLine like r"% -m%" or Process.CommandLine like r"% /m%" or Process.CommandLine like r"% –m%" or Process.CommandLine like r"% —m%" or Process.CommandLine like r"% ―m%") [ThreatDetectionRule platform=Windows] -# Detects the creation of a file by "dllhost.exe" in System32 
directory part of "IDiagnosticProfileUAC" UAC bypass technique -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 48ea844d-19b1-4642-944e-fe39c2cc1fec -RuleName = UAC Bypass Using IDiagnostic Profile - File -EventType = File.Create -Tag = uac-bypass-using-idiagnostic-profile-file +# Detects suspicious process patterns used in NTDS.DIT exfiltration +# Author: Florian Roth (Nextron Systems) +RuleId = 8bc64091-6875-4881-aaf9-7bd25b5dda08 +RuleName = Suspicious Process Patterns NTDS.DIT Exfil +EventType = Process.Start +Tag = proc-start-suspicious-process-patterns-ntds.dit-exfil RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\DllHost.exe" and File.Path like r"C:\\Windows\\System32\\%" and File.Path like r"%.dll" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1003.003"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\NTDSDump.exe" or Process.Path like r"%\\NTDSDumpEx.exe" or Process.CommandLine like r"%ntds.dit%" and Process.CommandLine like r"%system.hiv%" or Process.CommandLine like r"%NTDSgrab.ps1%" or Process.CommandLine like r"%ac i ntds%" and Process.CommandLine like r"%create full%" or Process.CommandLine like r"%/c copy %" and Process.CommandLine like r"%\\windows\\ntds\\ntds.dit%" or Process.CommandLine like r"%activate instance ntds%" and Process.CommandLine like r"%create full%" or Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%ntds.dit%" or Process.CommandLine like r"%ntds.dit%" and (Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%" or Parent.Path like r"%\\AppData\\%" or Parent.Path like r"%\\Temp\\%" or Parent.Path like r"%\\Public\\%" or Parent.Path like r"%\\PerfLogs\\%" or Process.Path like r"%\\apache%" or Process.Path like r"%\\tomcat%" or Process.Path like r"%\\AppData\\%" or Process.Path like r"%\\Temp\\%" or Process.Path like r"%\\Public\\%" or 
Process.Path like r"%\\PerfLogs\\%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages -# Author: frack113 -RuleId = 8b9606c9-28be-4a38-b146-0e313cc232c1 -RuleName = Potential Ransomware Activity Using LegalNotice Message +# Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder +# Author: Florian Roth (Nextron Systems), oscd.community +RuleId = b7916c2a-fa2f-4795-9477-32b731f70f11 +RuleName = Registry Persistence via Explorer Run Key EventType = Reg.Any -Tag = potential-ransomware-activity-using-legalnotice-message +Tag = registry-persistence-via-explorer-run-key RiskScore = 75 -Annotation = {"mitre_attack": ["T1491.001"], "author": "frack113"} -Query = (Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption%" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText%") and (Reg.Value.Data like r"%encrypted%" or Reg.Value.Data like r"%Unlock-Password%" or Reg.Value.Data like r"%paying%") +Annotation = {"mitre_attack": ["T1547.001"], "author": "Florian Roth (Nextron Systems), oscd.community"} +Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" and (Reg.Value.Data like r"%:\\$Recycle.bin\\%" or Reg.Value.Data like r"%:\\ProgramData\\%" or Reg.Value.Data like r"%:\\Temp\\%" or Reg.Value.Data like r"%:\\Users\\Default\\%" or Reg.Value.Data like r"%:\\Users\\Public\\%" or Reg.Value.Data like r"%:\\Windows\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects Windows executables that write files with suspicious extensions -# Author: 
Nasreddine Bencherchali (Nextron Systems) -RuleId = b8fd0e93-ff58-4cbd-8f48-1c114e342e62 -RuleName = Windows Binaries Write Suspicious Extensions -EventType = File.Create -Tag = windows-binaries-write-suspicious-extensions -RiskScore = 75 -Annotation = {"mitre_attack": ["T1036"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = ((Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\RuntimeBroker.exe" or Process.Path like r"%\\sihost.exe" or Process.Path like r"%\\smss.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\winlogon.exe") and (File.Path like r"%.bat" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.hta" or File.Path like r"%.iso" or File.Path like r"%.ps1" or File.Path like r"%.txt" or File.Path like r"%.vbe" or File.Path like r"%.vbs") or (Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\svchost.exe") and (File.Path like r"%.bat" or File.Path like r"%.hta" or File.Path like r"%.iso" or File.Path like r"%.ps1" or File.Path like r"%.vbe" or File.Path like r"%.vbs")) and not (Process.Path == "C:\\Windows\\System32\\dllhost.exe" and File.Path like r"%:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Temp\\\_\_PSScriptPolicyTest\_%" and File.Path like r"%.ps1" or Process.Path == "C:\\Windows\\system32\\svchost.exe" and File.Path like r"%C:\\Windows\\System32\\GroupPolicy\\DataStore\\%" and File.Path like r"%\\sysvol\\%" and File.Path like r"%\\Policies\\%" and File.Path like r"%\\Machine\\Scripts\\Startup\\%" and (File.Path like r"%.ps1" or File.Path like r"%.bat")) -GenericProperty1 = File.Path - - -[ThreatDetectionRule platform=Windows] -# Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse -# Author: Michael Haag -RuleId = 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f -RuleName = PowerShell Web Access Feature Enabled Via DISM +# 
Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed). +# Author: frack113 +RuleId = 37db85d1-b089-490a-a59a-c7b6f984f480 +RuleName = Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE EventType = Process.Start -Tag = proc-start-powershell-web-access-feature-enabled-via-dism +Tag = proc-start-sysmon-discovery-via-default-driver-altitude-using-findstr.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Michael Haag"} -Query = (Process.Path like r"%\\dism.exe" or Process.Name == "DISM.EXE") and Process.CommandLine like r"%WindowsPowerShellWebAccess%" and Process.CommandLine like r"%/online%" and Process.CommandLine like r"%/enable-feature%" +Annotation = {"mitre_attack": ["T1518.001"], "author": "frack113"} +Query = (Process.Path like r"%\\find.exe" or Process.Path like r"%\\findstr.exe" or Process.Name in ["FIND.EXE", "FINDSTR.EXE"]) and Process.CommandLine like r"% 385201%" [ThreatDetectionRule platform=Windows] -# Detects DNS queries to an ".onion" address related to Tor routing networks -# Author: frack113 -RuleId = b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 -RuleName = DNS Query Tor .Onion Address - Sysmon -EventType = Dns.Query -Tag = dns-query-tor-.onion-address-sysmon +# Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = a1b1fd53-9c4a-444c-bae0-34a330fc7aa8 +RuleName = Potential Persistence Via DLLPathOverride +EventType = Reg.Any +Tag = potential-persistence-via-dllpathoverride RiskScore = 75 -Annotation = {"mitre_attack": ["T1090.003"], "author": "frack113"} -Query = Dns.QueryRequest like r"%.onion%" -GenericProperty1 = Dns.QueryRequest +Annotation = {"author": "Nasreddine Bencherchali (Nextron 
Systems)"} +Query = Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\%" and (Reg.TargetObject like r"%\\StemmerDLLPathOverride%" or Reg.TargetObject like r"%\\WBDLLPathOverride%" or Reg.TargetObject like r"%\\StemmerClass%" or Reg.TargetObject like r"%\\WBreakerClass%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking. -# Author: frack113 -RuleId = a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 -RuleName = RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses +# Detects the use of NPS, a port forwarding and intranet penetration proxy server +# Author: Florian Roth (Nextron Systems) +RuleId = 68d37776-61db-42f5-bf54-27e87072d17e +RuleName = PUA - NPS Tunneling Tool Execution EventType = Process.Start -Tag = proc-start-remotefxvgpudisablement-abuse-via-atomictestharnesses +Tag = proc-start-pua-nps-tunneling-tool-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "frack113"} -Query = Process.CommandLine like r"%Invoke-ATHRemoteFXvGPUDisablementCommand%" or Process.CommandLine like r"%Invoke-ATHRemoteFXvGPUDisableme%" +Annotation = {"mitre_attack": ["T1090"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\npc.exe" or Process.CommandLine like r"% -server=%" and Process.CommandLine like r"% -vkey=%" and Process.CommandLine like r"% -password=%" or Process.CommandLine like r"% -config=npc%" or Process.Hashes like r"%MD5=AE8ACF66BFE3A44148964048B826D005%" or Process.Hashes like r"%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%" or Process.Hashes like r"%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%" +GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Detects the use of rar.exe, on the 
command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. -# Author: @ROxPinTeddy -RuleId = faa48cae-6b25-4f00-a094-08947fef582f -RuleName = Rar Usage with Password and Compression Level -EventType = Process.Start -Tag = proc-start-rar-usage-with-password-and-compression-level +# Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 9313dc13-d04c-46d8-af4a-a930cc55d93b +RuleName = Potential DLL Sideloading Via VMware Xfer +EventType = Image.Load +Tag = potential-dll-sideloading-via-vmware-xfer RiskScore = 75 -Annotation = {"mitre_attack": ["T1560.001"], "author": "@ROxPinTeddy"} -Query = Process.CommandLine like r"% -hp%" and (Process.CommandLine like r"% -m%" or Process.CommandLine like r"% a %") +Annotation = {"mitre_attack": ["T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\VMwareXferlogs.exe" and Image.Path like r"%\\glib-2.0.dll" and not Image.Path like r"C:\\Program Files\\VMware\\%" +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects potentially suspicious child processes of "aspnet_compiler.exe". -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 9ccba514-7cb6-4c5c-b377-700758f2f120 -RuleName = Suspicious Child Process of AspNetCompiler -EventType = Process.Start -Tag = proc-start-suspicious-child-process-of-aspnetcompiler +# Detects changes in Sysmon driver altitude value. +# If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. 
+# Author: B.Talebi +RuleId = 4916a35e-bfc4-47d0-8e25-a003d7067061 +RuleName = Sysmon Driver Altitude Change +EventType = Reg.Any +Tag = sysmon-driver-altitude-change RiskScore = 75 -Annotation = {"mitre_attack": ["T1127"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Parent.Path like r"%\\aspnet\_compiler.exe" and (Process.Path like r"%\\calc.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\AppData\\Local\\Temp\\%" or Process.Path like r"%\\AppData\\Local\\Roaming\\%" or Process.Path like r"%:\\Temp\\%" or Process.Path like r"%:\\Windows\\Temp\\%" or Process.Path like r"%:\\Windows\\System32\\Tasks\\%" or Process.Path like r"%:\\Windows\\Tasks\\%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1562.001"], "author": "B.Talebi"} +Query = Reg.TargetObject like r"%\\Services\\%" and Reg.TargetObject like r"%\\Instances\\Sysmon Instance\\Altitude" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques +# Detects suspicious encoded character syntax often used for defense evasion # Author: Florian Roth (Nextron Systems) -RuleId = c86133ad-4725-4bd0-8170-210788e0a7ba -RuleName = Net WebClient Casing Anomalies +RuleId = e312efd0-35a1-407f-8439-b8d434b438a6 +RuleName = Potential PowerShell Obfuscation Via WCHAR EventType = Process.Start -Tag = proc-start-net-webclient-casing-anomalies +Tag = proc-start-potential-powershell-obfuscation-via-wchar RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%TgBlAFQALgB3AEUAQg%" or Process.CommandLine like r"%4AZQBUAC4AdwBFAEIA%" or Process.CommandLine like r"%OAGUAVAAuAHcARQBCA%" or Process.CommandLine like r"%bgBFAHQALgB3AGUAYg%" or Process.CommandLine like r"%4ARQB0AC4AdwBlAGIA%" or Process.CommandLine like r"%uAEUAdAAuAHcAZQBiA%" or Process.CommandLine like r"%TgBFAHQALgB3AGUAYg%" or Process.CommandLine like r"%OAEUAdAAuAHcAZQBiA%" or Process.CommandLine like r"%bgBlAFQALgB3AGUAYg%" or Process.CommandLine like r"%4AZQBUAC4AdwBlAGIA%" or Process.CommandLine like r"%uAGUAVAAuAHcAZQBiA%" or Process.CommandLine like r"%TgBlAFQALgB3AGUAYg%" or Process.CommandLine like r"%OAGUAVAAuAHcAZQBiA%" or Process.CommandLine like r"%bgBFAFQALgB3AGUAYg%" or Process.CommandLine like r"%4ARQBUAC4AdwBlAGIA%" or Process.CommandLine like r"%uAEUAVAAuAHcAZQBiA%" or Process.CommandLine like r"%bgBlAHQALgBXAGUAYg%" or Process.CommandLine like r"%4AZQB0AC4AVwBlAGIA%" or Process.CommandLine like r"%uAGUAdAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBFAHQALgBXAGUAYg%" or Process.CommandLine like r"%4ARQB0AC4AVwBlAGIA%" or Process.CommandLine like r"%uAEUAdAAuAFcAZQBiA%" or Process.CommandLine like r"%TgBFAHQALgBXAGUAYg%" or Process.CommandLine like r"%OAEUAdAAuAFcAZQBiA%" or 
Process.CommandLine like r"%bgBlAFQALgBXAGUAYg%" or Process.CommandLine like r"%4AZQBUAC4AVwBlAGIA%" or Process.CommandLine like r"%uAGUAVAAuAFcAZQBiA%" or Process.CommandLine like r"%TgBlAFQALgBXAGUAYg%" or Process.CommandLine like r"%OAGUAVAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBFAFQALgBXAGUAYg%" or Process.CommandLine like r"%4ARQBUAC4AVwBlAGIA%" or Process.CommandLine like r"%uAEUAVAAuAFcAZQBiA%" or Process.CommandLine like r"%bgBlAHQALgB3AEUAYg%" or Process.CommandLine like r"%4AZQB0AC4AdwBFAGIA%" or Process.CommandLine like r"%uAGUAdAAuAHcARQBiA%" or Process.CommandLine like r"%TgBlAHQALgB3AEUAYg%" or Process.CommandLine like r"%OAGUAdAAuAHcARQBiA%" or Process.CommandLine like r"%bgBFAHQALgB3AEUAYg%" or Process.CommandLine like r"%4ARQB0AC4AdwBFAGIA%" or Process.CommandLine like r"%uAEUAdAAuAHcARQBiA%" or Process.CommandLine like r"%TgBFAHQALgB3AEUAYg%" or Process.CommandLine like r"%OAEUAdAAuAHcARQBiA%" or Process.CommandLine like r"%bgBlAFQALgB3AEUAYg%" or Process.CommandLine like r"%4AZQBUAC4AdwBFAGIA%" or Process.CommandLine like r"%uAGUAVAAuAHcARQBiA%" or Process.CommandLine like r"%TgBlAFQALgB3AEUAYg%" or Process.CommandLine like r"%OAGUAVAAuAHcARQBiA%" or Process.CommandLine like r"%bgBFAFQALgB3AEUAYg%" or Process.CommandLine like r"%4ARQBUAC4AdwBFAGIA%" or Process.CommandLine like r"%uAEUAVAAuAHcARQBiA%" or Process.CommandLine like r"%TgBFAFQALgB3AEUAYg%" or Process.CommandLine like r"%OAEUAVAAuAHcARQBiA%" or Process.CommandLine like r"%bgBlAHQALgBXAEUAYg%" or Process.CommandLine like r"%4AZQB0AC4AVwBFAGIA%" or Process.CommandLine like r"%uAGUAdAAuAFcARQBiA%" or Process.CommandLine like r"%TgBlAHQALgBXAEUAYg%" or Process.CommandLine like r"%OAGUAdAAuAFcARQBiA%" or Process.CommandLine like r"%bgBFAHQALgBXAEUAYg%" or Process.CommandLine like r"%4ARQB0AC4AVwBFAGIA%" or Process.CommandLine like r"%uAEUAdAAuAFcARQBiA%" or Process.CommandLine like r"%TgBFAHQALgBXAEUAYg%" or Process.CommandLine like r"%OAEUAdAAuAFcARQBiA%" or Process.CommandLine 
like r"%bgBlAFQALgBXAEUAYg%" or Process.CommandLine like r"%4AZQBUAC4AVwBFAGIA%" or Process.CommandLine like r"%uAGUAVAAuAFcARQBiA%" or Process.CommandLine like r"%TgBlAFQALgBXAEUAYg%" or Process.CommandLine like r"%OAGUAVAAuAFcARQBiA%" or Process.CommandLine like r"%bgBFAFQALgBXAEUAYg%" or Process.CommandLine like r"%4ARQBUAC4AVwBFAGIA%" or Process.CommandLine like r"%uAEUAVAAuAFcARQBiA%" or Process.CommandLine like r"%TgBFAFQALgBXAEUAYg%" or Process.CommandLine like r"%OAEUAVAAuAFcARQBiA%" or Process.CommandLine like r"%bgBlAHQALgB3AGUAQg%" or Process.CommandLine like r"%4AZQB0AC4AdwBlAEIA%" or Process.CommandLine like r"%uAGUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBlAHQALgB3AGUAQg%" or Process.CommandLine like r"%OAGUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBFAHQALgB3AGUAQg%" or Process.CommandLine like r"%4ARQB0AC4AdwBlAEIA%" or Process.CommandLine like r"%uAEUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBFAHQALgB3AGUAQg%" or Process.CommandLine like r"%OAEUAdAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBlAFQALgB3AGUAQg%" or Process.CommandLine like r"%4AZQBUAC4AdwBlAEIA%" or Process.CommandLine like r"%uAGUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBlAFQALgB3AGUAQg%" or Process.CommandLine like r"%OAGUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBFAFQALgB3AGUAQg%" or Process.CommandLine like r"%4ARQBUAC4AdwBlAEIA%" or Process.CommandLine like r"%uAEUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%TgBFAFQALgB3AGUAQg%" or Process.CommandLine like r"%OAEUAVAAuAHcAZQBCA%" or Process.CommandLine like r"%bgBlAHQALgBXAGUAQg%" or Process.CommandLine like r"%4AZQB0AC4AVwBlAEIA%" or Process.CommandLine like r"%uAGUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBlAHQALgBXAGUAQg%" or Process.CommandLine like r"%OAGUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBFAHQALgBXAGUAQg%" or Process.CommandLine like r"%4ARQB0AC4AVwBlAEIA%" or Process.CommandLine like r"%uAEUAdAAuAFcAZQBCA%" or Process.CommandLine like 
r"%TgBFAHQALgBXAGUAQg%" or Process.CommandLine like r"%OAEUAdAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBlAFQALgBXAGUAQg%" or Process.CommandLine like r"%4AZQBUAC4AVwBlAEIA%" or Process.CommandLine like r"%uAGUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBlAFQALgBXAGUAQg%" or Process.CommandLine like r"%OAGUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBFAFQALgBXAGUAQg%" or Process.CommandLine like r"%4ARQBUAC4AVwBlAEIA%" or Process.CommandLine like r"%uAEUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%TgBFAFQALgBXAGUAQg%" or Process.CommandLine like r"%OAEUAVAAuAFcAZQBCA%" or Process.CommandLine like r"%bgBlAHQALgB3AEUAQg%" or Process.CommandLine like r"%4AZQB0AC4AdwBFAEIA%" or Process.CommandLine like r"%uAGUAdAAuAHcARQBCA%" or Process.CommandLine like r"%TgBlAHQALgB3AEUAQg%" or Process.CommandLine like r"%OAGUAdAAuAHcARQBCA%" or Process.CommandLine like r"%bgBFAHQALgB3AEUAQg%" or Process.CommandLine like r"%4ARQB0AC4AdwBFAEIA%" or Process.CommandLine like r"%uAEUAdAAuAHcARQBCA%" or Process.CommandLine like r"%TgBFAHQALgB3AEUAQg%" or Process.CommandLine like r"%OAEUAdAAuAHcARQBCA%" or Process.CommandLine like r"%bgBlAFQALgB3AEUAQg%" or Process.CommandLine like r"%uAGUAVAAuAHcARQBCA%" or Process.CommandLine like r"%bgBFAFQALgB3AEUAQg%" or Process.CommandLine like r"%4ARQBUAC4AdwBFAEIA%" or Process.CommandLine like r"%uAEUAVAAuAHcARQBCA%" or Process.CommandLine like r"%TgBFAFQALgB3AEUAQg%" or Process.CommandLine like r"%OAEUAVAAuAHcARQBCA%" or Process.CommandLine like r"%TgBlAHQALgBXAEUAQg%" or Process.CommandLine like r"%4AZQB0AC4AVwBFAEIA%" or Process.CommandLine like r"%OAGUAdAAuAFcARQBCA%" or Process.CommandLine like r"%bgBFAHQALgBXAEUAQg%" or Process.CommandLine like r"%4ARQB0AC4AVwBFAEIA%" or Process.CommandLine like r"%uAEUAdAAuAFcARQBCA%" or Process.CommandLine like r"%TgBFAHQALgBXAEUAQg%" or Process.CommandLine like r"%OAEUAdAAuAFcARQBCA%" or Process.CommandLine like r"%bgBlAFQALgBXAEUAQg%" or Process.CommandLine like r"%4AZQBUAC4AVwBFAEIA%" 
or Process.CommandLine like r"%uAGUAVAAuAFcARQBCA%" or Process.CommandLine like r"%TgBlAFQALgBXAEUAQg%" or Process.CommandLine like r"%OAGUAVAAuAFcARQBCA%" or Process.CommandLine like r"%bgBFAFQALgBXAEUAQg%" or Process.CommandLine like r"%4ARQBUAC4AVwBFAEIA%" or Process.CommandLine like r"%uAEUAVAAuAFcARQBCA%") +Annotation = {"mitre_attack": ["T1059.001", "T1027"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%(WCHAR)0x%" [ThreatDetectionRule platform=Windows] -# Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. +# Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 42a5f1e7-9603-4f6d-97ae-3f37d130d794 -RuleName = Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE +RuleId = d87bd452-6da1-456e-8155-7dc988157b7d +RuleName = Suspicious Usage Of ShellExec_RunDLL EventType = Process.Start -Tag = proc-start-suspicious-file-downloaded-from-file-sharing-website-via-certutil.exe +Tag = proc-start-suspicious-usage-of-shellexec_rundll RiskScore = 75 -Annotation = {"mitre_attack": ["T1027"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\certutil.exe" or Process.Name == "CertUtil.exe") and (Process.CommandLine like r"%urlcache %" or Process.CommandLine like r"%verifyctl %") and (Process.CommandLine like r"%.githubusercontent.com%" or Process.CommandLine like r"%anonfiles.com%" or Process.CommandLine like r"%cdn.discordapp.com%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%dl.dropboxusercontent.com%" or Process.CommandLine like r"%ghostbin.co%" or Process.CommandLine like r"%glitch.me%" or Process.CommandLine like r"%gofile.io%" or Process.CommandLine like r"%hastebin.com%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like 
r"%mega.nz%" or Process.CommandLine like r"%onrender.com%" or Process.CommandLine like r"%pages.dev%" or Process.CommandLine like r"%paste.ee%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%pastebin.pl%" or Process.CommandLine like r"%pastetext.net%" or Process.CommandLine like r"%privatlab.com%" or Process.CommandLine like r"%privatlab.net%" or Process.CommandLine like r"%send.exploit.in%" or Process.CommandLine like r"%sendspace.com%" or Process.CommandLine like r"%storage.googleapis.com%" or Process.CommandLine like r"%storjshare.io%" or Process.CommandLine like r"%supabase.co%" or Process.CommandLine like r"%temp.sh%" or Process.CommandLine like r"%transfer.sh%" or Process.CommandLine like r"%trycloudflare.com%" or Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%w3spaces.com%" or Process.CommandLine like r"%workers.dev%") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%ShellExec\_RunDLL%" and (Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Temp\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%comspec%" or Process.CommandLine like r"%iex%" or Process.CommandLine like r"%Invoke-%" or Process.CommandLine like r"%msiexec%" or Process.CommandLine like r"%odbcconf%" or Process.CommandLine like r"%regsvr32%") [ThreatDetectionRule platform=Windows] -# Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember". 
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 10fb649c-3600-4d37-b1e6-56ea90bb7e09
-RuleName = User Added To Highly Privileged Group
-EventType = Process.Start
-Tag = proc-start-user-added-to-highly-privileged-group
+# Detects the pattern of a UAC bypass using Windows Event Viewer
+# Author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
+RuleId = 63e4f530-65dc-49cc-8f80-ccfa95c69d43
+RuleName = UAC Bypass Using EventVwr
+EventType = File.Create
+Tag = uac-bypass-using-eventvwr
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1098"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.CommandLine like r"%localgroup %" and Process.CommandLine like r"% /add%" or Process.CommandLine like r"%Add-LocalGroupMember %" and Process.CommandLine like r"% -Group %") and (Process.CommandLine like r"%Group Policy Creator Owners%" or Process.CommandLine like r"%Schema Admins%")
+Annotation = {"author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)"}
+Query = (File.Path like r"%\\Microsoft\\Event Viewer\\RecentViews" or File.Path like r"%\\Microsoft\\EventV~1\\RecentViews") and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%")
+GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
-# Author: @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)
-RuleId = f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
-RuleName = MMC20 Lateral Movement
-EventType = Process.Start
-Tag = proc-start-mmc20-lateral-movement
+# Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
+# Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
+# Author: frack113
+RuleId = 1908fcc1-1b92-4272-8214-0fbaf2fa5163
+RuleName = Malicious DLL File Dropped in the Teams or OneDrive Folder
+EventType = File.Create
+Tag = malicious-dll-file-dropped-in-the-teams-or-onedrive-folder
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1021.003"], "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)"}
-Query = Parent.Path like r"%\\svchost.exe" and Process.Path like r"%\\mmc.exe" and Process.CommandLine like r"%-Embedding%"
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1574.002"], "author": "frack113"}
+Query = File.Path like r"%iphlpapi.dll%" and File.Path like r"%\\AppData\\Local\\Microsoft%"
+GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
-# Author: Christian Burkard (Nextron Systems)
-RuleId = 4480827a-9799-4232-b2c4-ccc6c4e9e12b
-RuleName = Suspicious Certreq Command to Download
+# Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
+# Author: Tim Rauch, Elastic (idea)
+RuleId = 21ff4ca9-f13a-41ad-b828-0077b2af2e40
+RuleName = Deletion of Volume Shadow Copies via WMI with PowerShell
 EventType = Process.Start
-Tag = proc-start-suspicious-certreq-command-to-download
+Tag = proc-start-deletion-of-volume-shadow-copies-via-wmi-with-powershell
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1105"], "author": "Christian Burkard (Nextron Systems)"}
-Query = (Process.Path like r"%\\certreq.exe" or Process.Name == "CertReq.exe") and Process.CommandLine like r"% -Post %" and Process.CommandLine like r"% -config %" and Process.CommandLine like r"% http%" and Process.CommandLine like r"% C:\\windows\\win.ini %"
-
-
-[ThreatDetectionRule platform=Windows]
-# Detects programs on a Windows system that should not write an archive to disk
-# Author: frack113, Florian Roth
-RuleId = 654fcc6d-840d-4844-9b07-2c3300e54a26
-RuleName = Legitimate Application Dropped Archive
-EventType = File.Create
-Tag = legitimate-application-dropped-archive
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1218"], "author": "frack113, Florian Roth"}
-Query = (Process.Path like r"%\\winword.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\msaccess.exe" or Process.Path like r"%\\mspub.exe" or Process.Path like r"%\\eqnedt32.exe" or Process.Path like r"%\\visio.exe" or Process.Path like r"%\\wordpad.exe" or Process.Path like r"%\\wordview.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\certoc.exe" or Process.Path like r"%\\CertReq.exe" or Process.Path like r"%\\Desktopimgdownldr.exe" or Process.Path like r"%\\esentutl.exe" or Process.Path like r"%\\finger.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\AcroRd32.exe" or Process.Path like r"%\\RdrCEF.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\hh.exe") and (File.Path like r"%.zip" or File.Path like r"%.rar" or File.Path like r"%.7z" or File.Path like r"%.diagcab" or File.Path like r"%.appx")
-GenericProperty1 = File.Path
+Annotation = {"mitre_attack": ["T1490"], "author": "Tim Rauch, Elastic (idea)"}
+Query = (Process.CommandLine like r"%Get-WmiObject%" or Process.CommandLine like r"%gwmi%" or Process.CommandLine like r"%Get-CimInstance%" or Process.CommandLine like r"%gcim%") and Process.CommandLine like r"%Win32\_ShadowCopy%" and (Process.CommandLine like r"%.Delete()%" or Process.CommandLine like r"%Remove-WmiObject%" or Process.CommandLine like r"%rwmi%" or Process.CommandLine like r"%Remove-CimInstance%" or Process.CommandLine like r"%rcim%")
 [ThreatDetectionRule platform=Windows]
-# Detects default file names outputted by the BloodHound collection tool SharpHound
-# Author: C.J. May
-RuleId = 02773bed-83bf-469f-b7ff-e676e7d78bab
-RuleName = BloodHound Collection Files
+# Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+# Author: Christian Burkard (Nextron Systems)
+RuleId = 41bb431f-56d8-4691-bb56-ed34e390906f
+RuleName = UAC Bypass Using MSConfig Token Modification - File
 EventType = File.Create
-Tag = bloodhound-collection-files
+Tag = uac-bypass-using-msconfig-token-modification-file
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1087.001", "T1087.002", "T1482", "T1069.001", "T1069.002", "T1059.001"], "author": "C.J. May"}
-Query = (File.Path like r"%BloodHound.zip" or File.Path like r"%\_computers.json" or File.Path like r"%\_containers.json" or File.Path like r"%\_domains.json" or File.Path like r"%\_gpos.json" or File.Path like r"%\_groups.json" or File.Path like r"%\_ous.json" or File.Path like r"%\_users.json") and not (Process.Path like r"%\\svchost.exe" and File.Path like r"C:\\Program Files\\WindowsApps\\Microsoft.%" and File.Path like r"%\\pocket\_containers.json")
+Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"}
+Query = File.Path like r"C:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Temp\\pkgmgr.exe"
 GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
-# Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
-RuleId = c0b40568-b1e9-4b03-8d6c-b096da6da9ab
-RuleName = Suspicious AgentExecutor PowerShell Execution
-EventType = Process.Start
-Tag = proc-start-suspicious-agentexecutor-powershell-execution
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards"}
-Query = (Process.Path like r"%\\AgentExecutor.exe" or Process.Name == "AgentExecutor.exe") and (Process.CommandLine like r"% -powershell%" or Process.CommandLine like r"% -remediationScript%") and not (Process.CommandLine like r"%C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\%" or Process.CommandLine like r"%C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\%" or Parent.Path like r"%\\Microsoft.Management.Services.IntuneWindowsAgent.exe")
-GenericProperty1 = Parent.Path
-
-
-[ThreatDetectionRule platform=Windows]
-# Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
+# Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
 # Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = d7b50671-d1ad-4871-aa60-5aa5b331fe04
-RuleName = Suspicious File Creation In Uncommon AppData Folder
+RuleId = 059c5af9-5131-4d8d-92b2-de4ad6146712
+RuleName = LiveKD Driver Creation By Uncommon Process
 EventType = File.Create
-Tag = suspicious-file-creation-in-uncommon-appdata-folder
+Tag = livekd-driver-creation-by-uncommon-process
 RiskScore = 75
 Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = File.Path like r"C:\\Users\\%" and File.Path like r"%\\AppData\\%" and (File.Path like r"%.bat" or File.Path like r"%.cmd" or File.Path like r"%.cpl" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.hta" or File.Path like r"%.iso" or File.Path like r"%.lnk" or File.Path like r"%.msi" or File.Path like r"%.ps1" or File.Path like r"%.psm1" or File.Path like r"%.scr" or File.Path like r"%.vbe" or File.Path like r"%.vbs") and not (File.Path like r"C:\\Users\\%" and (File.Path like r"%\\AppData\\Local\\%" or File.Path like r"%\\AppData\\LocalLow\\%" or File.Path like r"%\\AppData\\Roaming\\%"))
+Query = File.Path == "C:\\Windows\\System32\\drivers\\LiveKdD.SYS" and not (Process.Path like r"%\\livekd.exe" or Process.Path like r"%\\livek64.exe")
 GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 4abc0ec4-db5a-412f-9632-26659cddf145
-RuleName = UEFI Persistence Via Wpbbin - ProcessCreation
+# Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
+# Author: Ilya Krestinichev
+RuleId = 54786ddc-5b8a-11ed-9b6a-0242ac120002
+RuleName = Suspicious Ping/Del Command Combination
 EventType = Process.Start
-Tag = proc-start-uefi-persistence-via-wpbbin-processcreation
+Tag = proc-start-suspicious-ping/del-command-combination
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1542.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.Path == "C:\\Windows\\System32\\wpbbin.exe"
+Annotation = {"mitre_attack": ["T1070.004"], "author": "Ilya Krestinichev"}
+Query = (Process.CommandLine like r"% -n %" or Process.CommandLine like r"% /n %" or Process.CommandLine like r"% –n %" or Process.CommandLine like r"% —n %" or Process.CommandLine like r"% ―n %") and Process.CommandLine like r"%Nul%" and (Process.CommandLine like r"% -f %" or Process.CommandLine like r"% /f %" or Process.CommandLine like r"% –f %" or Process.CommandLine like r"% —f %" or Process.CommandLine like r"% ―f %" or Process.CommandLine like r"% -q %" or Process.CommandLine like r"% /q %" or Process.CommandLine like r"% –q %" or Process.CommandLine like r"% —q %" or Process.CommandLine like r"% ―q %") and Process.CommandLine like r"%ping%" and Process.CommandLine like r"%del %"
 [ThreatDetectionRule platform=Windows]
-# Detects potential persistence behavior using the windows telemetry registry key.
-# Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
-# This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
-# The problem is, it will run any arbitrary command without restriction of location or type.
-# Author: Lednyov Alexey, oscd.community, Sreeman
-RuleId = 73a883d0-0348-4be4-a8d8-51031c2564f8
-RuleName = Potential Registry Persistence Attempt Via Windows Telemetry
-EventType = Reg.Any
-Tag = potential-registry-persistence-attempt-via-windows-telemetry
+# Detects Obfuscated Powershell via VAR++ LAUNCHER
+# Author: Timur Zinniatullin, oscd.community
+RuleId = e9f55347-2928-4c06-88e5-1a7f8169942e
+RuleName = Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+EventType = Process.Start
+Tag = proc-start-invoke-obfuscation-var++-launcher-obfuscation
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1053.005"], "author": "Lednyov Alexey, oscd.community, Sreeman"}
-Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\%" and Reg.TargetObject like r"%\\Command" and (Reg.Value.Data like r"%.bat%" or Reg.Value.Data like r"%.bin%" or Reg.Value.Data like r"%.cmd%" or Reg.Value.Data like r"%.dat%" or Reg.Value.Data like r"%.dll%" or Reg.Value.Data like r"%.exe%" or Reg.Value.Data like r"%.hta%" or Reg.Value.Data like r"%.jar%" or Reg.Value.Data like r"%.js%" or Reg.Value.Data like r"%.msi%" or Reg.Value.Data like r"%.ps%" or Reg.Value.Data like r"%.sh%" or Reg.Value.Data like r"%.vb%") and not (Reg.Value.Data like r"%\\system32\\CompatTelRunner.exe%" or Reg.Value.Data like r"%\\system32\\DeviceCensus.exe%")
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
+Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Timur Zinniatullin, oscd.community"}
+Query = Process.CommandLine like r"%&&set%" and Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%-f%" and (Process.CommandLine like r"%{0}%" or Process.CommandLine like r"%{1}%" or Process.CommandLine like r"%{2}%" or Process.CommandLine like r"%{3}%" or Process.CommandLine like r"%{4}%" or Process.CommandLine like r"%{5}%")
 [ThreatDetectionRule platform=Windows]
-# Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 976dd1f2-a484-45ec-aa1d-0e87e882262b
-RuleName = Potential Persistence Via CHM Helper DLL
-EventType = Reg.Any
-Tag = potential-persistence-via-chm-helper-dll
+# Detects attackers attempting to disable Windows Defender using Powershell
+# Author: ok @securonix invrep-de, oscd.community, frack113
+RuleId = a7ee1722-c3c5-aeff-3212-c777e4733217
+RuleName = Disable Windows Defender AV Security Monitoring
+EventType = Process.Start
+Tag = proc-start-disable-windows-defender-av-security-monitoring
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Reg.TargetObject like r"%\\Software\\Microsoft\\HtmlHelp Author\\Location%" or Reg.TargetObject like r"%\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author\\Location%"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
+Annotation = {"mitre_attack": ["T1562.001"], "author": "ok @securonix invrep-de, oscd.community, frack113"}
+Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%-DisableBehaviorMonitoring $true%" or Process.CommandLine like r"%-DisableRuntimeMonitoring $true%") or (Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and (Process.CommandLine like r"%stop%" and Process.CommandLine like r"%WinDefend%" or Process.CommandLine like r"%delete%" and Process.CommandLine like r"%WinDefend%" or Process.CommandLine like r"%config%" and Process.CommandLine like r"%WinDefend%" and Process.CommandLine like r"%start=disabled%")
 [ThreatDetectionRule platform=Windows]
-# Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
-# Author: Florian Roth (Nextron Systems)
-RuleId = 1a1ed54a-2ba4-4221-94d5-01dee560d71e
-RuleName = Renamed CreateDump Utility Execution
+# Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 2569ed8c-1147-498a-9b8c-2ad3656b10ed
+RuleName = Potential Renamed Rundll32 Execution
 EventType = Process.Start
-Tag = proc-start-renamed-createdump-utility-execution
+Tag = proc-start-potential-renamed-rundll32-execution
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems)"}
-Query = (Process.Name == "FX\_VER\_INTERNALNAME\_STR" or Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -f %" and Process.CommandLine like r"%.dmp%" or Process.CommandLine like r"% --full %" and Process.CommandLine like r"% --name %" and Process.CommandLine like r"%.dmp%") and not Process.Path like r"%\\createdump.exe"
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.CommandLine like r"%DllRegisterServer%" and not Process.Path like r"%\\rundll32.exe"
 [ThreatDetectionRule platform=Windows]
-# Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-# Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-RuleId = 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
-RuleName = Time Travel Debugging Utility Usage
-EventType = Process.Start
-Tag = proc-start-time-travel-debugging-utility-usage
+# Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
+# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+RuleId = 11b1ed55-154d-4e82-8ad7-83739298f720
+RuleName = NTDS.DIT Creation By Uncommon Process
+EventType = File.Create
+Tag = ntds.dit-creation-by-uncommon-process
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1218", "T1003.001"], "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative"}
-Query = Parent.Path like r"%\\tttracer.exe"
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1003.002", "T1003.003"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
+Query = File.Path like r"%\\ntds.dit" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\wsl.exe" or Process.Path like r"%\\wt.exe" or Process.Path like r"%\\AppData\\%" or Process.Path like r"%\\Temp\\%" or Process.Path like r"%\\Public\\%" or Process.Path like r"%\\PerfLogs\\%")
+GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
-# Author: frack113
-RuleId = 9719a8aa-401c-41af-8108-ced7ec9cd75c
-RuleName = Windows Defender Definition Files Removed
-EventType = Process.Start
-Tag = proc-start-windows-defender-definition-files-removed
+# Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
+# The process in field Process is the malicious program. A single execution can lead to hundreds of events.
+# Author: Thomas Patzke
+RuleId = f239b326-2f41-4d6b-9dfa-c846a60ef505
+RuleName = Password Dumper Remote Thread in LSASS
+EventType = Process.CreateRemoteThread
+Tag = password-dumper-remote-thread-in-lsass
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1562.001"], "author": "frack113"}
-Query = (Process.Path like r"%\\MpCmdRun.exe" or Process.Name == "MpCmdRun.exe") and Process.CommandLine like r"% -RemoveDefinitions%" and Process.CommandLine like r"% -All%"
+Annotation = {"mitre_attack": ["T1003.001"], "author": "Thomas Patzke"}
+Query = Process.Path like r"%\\lsass.exe" and Thread.StartModule == ""
+GenericProperty1 = Thread.StartModule
 [ThreatDetectionRule platform=Windows]
-# Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 89ca78fd-b37c-4310-b3d3-81a023f83936
-RuleName = Schtasks Creation Or Modification With SYSTEM Privileges
+# Detects the execution of msiexec.exe from an uncommon directory
+# Author: Florian Roth (Nextron Systems)
+RuleId = e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
+RuleName = Potential MsiExec Masquerading
 EventType = Process.Start
-Tag = proc-start-schtasks-creation-or-modification-with-system-privileges
+Tag = proc-start-potential-msiexec-masquerading
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1053.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.Path like r"%\\schtasks.exe" and (Process.CommandLine like r"% /change %" or Process.CommandLine like r"% /create %") and Process.CommandLine like r"%/ru %" and (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM %") and not (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/TN TVInstallRestore%" and Process.CommandLine like r"%\\TeamViewer\_.exe%" or Process.CommandLine like r"%Subscription Heartbeat%" and Process.CommandLine like r"%\\HeartbeatConfig.xml%" and Process.CommandLine like r"%\\Microsoft Shared\\OFFICE%" or Process.CommandLine like r"%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %" or Process.CommandLine like r"%:\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira\_speedup\_setup.exe%" or Process.CommandLine like r"%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%")
+Annotation = {"mitre_attack": ["T1036.005"], "author": "Florian Roth (Nextron Systems)"}
+Query = (Process.Path like r"%\\msiexec.exe" or Process.Name == "\\msiexec.exe") and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%")
 [ThreatDetectionRule platform=Windows]
-# Detects the use of Tor or Tor-Browser to connect to onion routing networks
-# Author: frack113
-RuleId = 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
-RuleName = Tor Client/Browser Execution
+# Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = a383dec4-deec-4e6e-913b-ed9249670848
+RuleName = Potential Signing Bypass Via Windows Developer Features
 EventType = Process.Start
-Tag = proc-start-tor-client/browser-execution
+Tag = proc-start-potential-signing-bypass-via-windows-developer-features
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1090.003"], "author": "frack113"}
-Query = Process.Path like r"%\\tor.exe" or Process.Path like r"%\\Tor Browser\\Browser\\firefox.exe"
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\SystemSettingsAdminFlows.exe" or Process.Name == "SystemSettingsAdminFlows.EXE") and Process.CommandLine like r"%TurnOnDeveloperFeatures%" and (Process.CommandLine like r"%DeveloperUnlock%" or Process.CommandLine like r"%EnableSideloading%")
 [ThreatDetectionRule platform=Windows]
-# Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 295c9289-acee-4503-a571-8eacaef36b28
-RuleName = Vulnerable HackSys Extreme Vulnerable Driver Load
-EventType = Driver.Load
-Tag = vulnerable-hacksys-extreme-vulnerable-driver-load
+# Attempts to load dismcore.dll after dropping it
+# Author: oscd.community, Dmitry Uchakin
+RuleId = a5ea83a7-05a5-44c1-be2e-addccbbd8c03
+RuleName = UAC Bypass With Fake DLL
+EventType = Image.Load
+Tag = uac-bypass-with-fake-dll
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1543.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Image.Path like r"%\\HEVD.sys" or Image.Hashes like r"%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%" or Image.Hashes like r"%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%"
+Annotation = {"mitre_attack": ["T1548.002", "T1574.002"], "author": "oscd.community, Dmitry Uchakin"}
+Query = Process.Path like r"%\\dism.exe" and Image.Path like r"%\\dismcore.dll" and not Image.Path == "C:\\Windows\\System32\\Dism\\dismcore.dll"
 GenericProperty1 = Image.Path
-GenericProperty2 = Image.Hashes
 [ThreatDetectionRule platform=Windows]
-# Detects any GAC DLL being loaded by an Office Product
-# Author: Antonlovesdnb
-RuleId = 90217a70-13fc-48e4-b3db-0d836c5824ac
-RuleName = GAC DLL Loaded Via Office Applications
-EventType = Image.Load
-Tag = gac-dll-loaded-via-office-applications
+# Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
+# Author: Syed Hasan (@syedhasan009)
+RuleId = 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
+RuleName = Scheduled TaskCache Change by Uncommon Program
+EventType = Reg.Any
+Tag = scheduled-taskcache-change-by-uncommon-program
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1204.002"], "author": "Antonlovesdnb"}
-Query = (Process.Path like r"%\\excel.exe" or Process.Path like r"%\\mspub.exe" or Process.Path like r"%\\onenote.exe" or Process.Path like r"%\\onenoteim.exe" or Process.Path like r"%\\outlook.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\winword.exe") and Image.Path like r"C:\\Windows\\Microsoft.NET\\assembly\\GAC\_MSIL%"
-GenericProperty1 = Image.Path
+Annotation = {"mitre_attack": ["T1053", "T1053.005"], "author": "Syed Hasan (@syedhasan009)"}
+Query = Reg.TargetObject like r"%SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\%" and not (Reg.TargetObject like r"%Microsoft\\Windows\\UpdateOrchestrator%" or Reg.TargetObject like r"%Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\\Index%" or Reg.TargetObject like r"%Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache\\Index%" or Process.Path like r"C:\\Windows\\%" and Process.Path like r"%\\TiWorker.exe" or Process.Path == "C:\\WINDOWS\\system32\\svchost.exe" or Process.Path like r"C:\\Windows\\Microsoft.NET\\Framework%" and Process.Path like r"%\\ngen.exe" and (Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%" or Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN%") or Process.Path in ["C:\\Program Files\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\Integration\\Integrator.exe"] or Process.Path == "C:\\Windows\\System32\\msiexec.exe" or Process.Path in ["C:\\Program Files (x86)\\Dropbox\\Update\\DropboxUpdate.exe", "C:\\Program Files\\Dropbox\\Update\\DropboxUpdate.exe"] or Process.Path == "C:\\Windows\\explorer.exe" and Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\\%" or Process.Path == "System")
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
 [ThreatDetectionRule platform=Windows]
-# Detects a suspicious RDP session redirect using tscon.exe
+# Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
 # Author: Florian Roth (Nextron Systems)
-RuleId = f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
-RuleName = Suspicious RDP Redirect Using TSCON
+RuleId = 7c0dcd3d-acf8-4f71-9570-f448b0034f94
+RuleName = PsExec Service Child Process Execution as LOCAL SYSTEM
 EventType = Process.Start
-Tag = proc-start-suspicious-rdp-redirect-using-tscon
+Tag = proc-start-psexec-service-child-process-execution-as-local-system
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1563.002", "T1021.001"], "author": "Florian Roth (Nextron Systems)"}
-Query = Process.CommandLine like r"% /dest:rdp-tcp#%"
+Annotation = {"author": "Florian Roth (Nextron Systems)"}
+Query = Parent.Path == "C:\\Windows\\PSEXESVC.exe" and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%")
+GenericProperty1 = Parent.Path
+GenericProperty2 = Process.User
 [ThreatDetectionRule platform=Windows]
-# Detects when a file with a suspicious extension is created in the startup folder
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 28208707-fe31-437f-9a7f-4b1108b94d2e
-RuleName = Suspicious Startup Folder Persistence
+# Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
+# Author: frack113
+RuleId = e15b518d-b4ce-4410-a9cd-501f23ce4a18
+RuleName = Suspicious Creation with Colorcpl
 EventType = File.Create
-Tag = suspicious-startup-folder-persistence
+Tag = suspicious-creation-with-colorcpl
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1547.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = File.Path like r"%\\Windows\\Start Menu\\Programs\\Startup\\%" and (File.Path like r"%.vbs" or File.Path like r"%.vbe" or File.Path like r"%.bat" or File.Path like r"%.ps1" or File.Path like r"%.hta" or File.Path like r"%.dll" or File.Path like r"%.jar" or File.Path like r"%.msi" or File.Path like r"%.scr" or File.Path like r"%.cmd")
+Annotation = {"mitre_attack": ["T1564"], "author": "frack113"}
+Query = Process.Path like r"%\\colorcpl.exe" and not (File.Path like r"%.icm" or File.Path like r"%.gmmp" or File.Path like r"%.cdmp" or File.Path like r"%.camp")
 GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects the image load of VSS DLL by uncommon executables
-# Author: frack113
-RuleId = 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8
-RuleName = Suspicious Volume Shadow Copy Vssapi.dll Load
-EventType = Image.Load
-Tag = suspicious-volume-shadow-copy-vssapi.dll-load
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1490"], "author": "frack113"}
-Query = Image.Path like r"%\\vssapi.dll" and not (Process.Path in ["C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe"] or Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\Temp\\{%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\Program Files\\%" or Process.Path like r"C:\\Program Files (x86)\\%" or Process.Path like r"C:\\ProgramData\\Package Cache\\%")
-GenericProperty1 = Image.Path
+# Detects using SettingSyncHost.exe to run hijacked binary
+# Author: Anton Kutepov, oscd.community
+RuleId = b2ddd389-f676-4ac4-845a-e00781a48e5f
+RuleName = Using SettingSyncHost.exe as LOLBin
+EventType = Process.Start
+Tag = proc-start-using-settingsynchost.exe-as-lolbin
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1574.008"], "author": "Anton Kutepov, oscd.community"}
+Query = not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%") and Parent.CommandLine like r"%cmd.exe /c%" and Parent.CommandLine like r"%RoamDiag.cmd%" and Parent.CommandLine like r"%-outputpath%"
+GenericProperty1 = Parent.CommandLine
 [ThreatDetectionRule platform=Windows]
-# Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 833ef470-fa01-4631-a79b-6f291c9ac498
-RuleName = Add Debugger Entry To Hangs Key For Persistence
-EventType = Reg.Any
-Tag = add-debugger-entry-to-hangs-key-for-persistence
+# Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
+# Author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
+RuleId = 25676e10-2121-446e-80a4-71ff8506af47
+RuleName = Exchange PowerShell Snap-Ins Usage
+EventType = Process.Start
+Tag = proc-start-exchange-powershell-snap-ins-usage
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger%"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
+Annotation = {"mitre_attack": ["T1059.001", "T1114"], "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and Process.CommandLine like r"%Add-PSSnapin%" and (Process.CommandLine like r"%Microsoft.Exchange.Powershell.Snapin%" or Process.CommandLine like r"%Microsoft.Exchange.Management.PowerShell.SnapIn%") and not (Parent.Path == "C:\\Windows\\System32\\msiexec.exe" and Process.CommandLine like r"%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%")
+GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=Windows]
-# Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
-# Author: Alexander McDonald
-RuleId = 744a188b-0415-4792-896f-11ddb0588dbc
-RuleName = Potential Process Injection Via Msra.EXE
+# Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
+# Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+RuleId = 434c08ba-8406-4d15-8b24-782cb071a691
+RuleName = PowerShell Execution With Potential Decryption Capabilities
 EventType = Process.Start
-Tag = proc-start-potential-process-injection-via-msra.exe
+Tag = proc-start-powershell-execution-with-potential-decryption-capabilities
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1055"], "author": "Alexander McDonald"}
-Query = Parent.Path like r"%\\msra.exe" and Parent.CommandLine like r"%msra.exe" and (Process.Path like r"%\\arp.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\nslookup.exe" or Process.Path like r"%\\route.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\whoami.exe")
-GenericProperty1 = Parent.Path
-GenericProperty2 = Parent.CommandLine
+Annotation = {"author": "X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%Get-ChildItem %" or Process.CommandLine like r"%dir %" or Process.CommandLine like r"%gci %" or Process.CommandLine like r"%ls %") and (Process.CommandLine like r"%Get-Content %" or Process.CommandLine like r"%gc %" or Process.CommandLine like r"%cat %" or Process.CommandLine like r"%type %" or Process.CommandLine like r"%ReadAllBytes%") and (Process.CommandLine like r"% ^| %" and Process.CommandLine like r"%*.lnk%" and Process.CommandLine like r"%-Recurse%" and Process.CommandLine like 
r"%-Skip %" or Process.CommandLine like r"% -ExpandProperty %" and Process.CommandLine like r"%*.lnk%" and Process.CommandLine like r"%WriteAllBytes%" and Process.CommandLine like r"% .length %") [ThreatDetectionRule platform=Windows] -# Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. -# Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information. -# Author: Nasreddine Bencherchali (Nextron Systems), frack113 -RuleId = 8b93a509-1cb8-42e1-97aa-ee24224cdc15 -RuleName = Sensitive File Dump Via Wbadmin.EXE +# Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 07aa184a-870d-413d-893a-157f317f6f58 +RuleName = Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS EventType = Process.Start -Tag = proc-start-sensitive-file-dump-via-wbadmin.exe +Tag = proc-start-suspicious-reconnaissance-activity-via-gathernetworkinfo.vbs RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.003"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113"} -Query = (Process.Path like r"%\\wbadmin.exe" or Process.Name == "WBADMIN.EXE") and (Process.CommandLine like r"%start%" or Process.CommandLine like r"%backup%") and (Process.CommandLine like r"%\\config\\SAM%" or Process.CommandLine like r"%\\config\\SECURITY%" or Process.CommandLine like r"%\\config\\SYSTEM%" or Process.CommandLine like r"%\\Windows\\NTDS\\NTDS.dit%") +Annotation = {"mitre_attack": ["T1615", "T1059.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%gatherNetworkInfo.vbs%" and not (Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe") + + +[ThreatDetectionRule platform=Windows] +# Detects changes to the "HVCIDisallowedImages" registry value to potentially add a 
driver to the list, in order to prevent it from loading. +# Author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe) +RuleId = 555155a2-03bf-4fe7-af74-d176b3fdbe16 +RuleName = Driver Added To Disallowed Images In HVCI - Registry +EventType = Reg.Any +Tag = driver-added-to-disallowed-images-in-hvci-registry +RiskScore = 75 +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)"} +Query = Reg.TargetObject like r"%\\Control\\CI\\%" and Reg.TargetObject like r"%\\HVCIDisallowedImages%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] 
@@ -3321,703 +3314,687 @@ GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. -# This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 145095eb-e273-443b-83d0-f9b519b7867b -RuleName = PDF File Created By RegEdit.EXE -EventType = File.Create -Tag = pdf-file-created-by-regedit.exe +# Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse +# Author: Michael Haag +RuleId = 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f +RuleName = PowerShell Web Access Feature Enabled Via DISM +EventType = Process.Start +Tag = proc-start-powershell-web-access-feature-enabled-via-dism RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\regedit.exe" and File.Path like r"%.pdf" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1548.002"], "author": "Michael Haag"} +Query = (Process.Path like r"%\\dism.exe" or Process.Name == "DISM.EXE") and Process.CommandLine like r"%WindowsPowerShellWebAccess%" and Process.CommandLine like r"%/online%" and Process.CommandLine like r"%/enable-feature%" [ThreatDetectionRule platform=Windows] -# Detects encoded base64 MZ header in the commandline -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 22e58743-4ac8-4a9f-bf19-00a0428d8c5f -RuleName = Base64 MZ Header In CommandLine +# Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files +# Author: Christian Burkard (Nextron Systems) +RuleId = 4480827a-9799-4232-b2c4-ccc6c4e9e12b +RuleName = Suspicious Certreq Command to Download EventType = Process.Start -Tag = proc-start-base64-mz-header-in-commandline +Tag = 
proc-start-suspicious-certreq-command-to-download RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%TVqQAAMAAAAEAAAA%" or Process.CommandLine like r"%TVpQAAIAAAAEAA8A%" or Process.CommandLine like r"%TVqAAAEAAAAEABAA%" or Process.CommandLine like r"%TVoAAAAAAAAAAAAA%" or Process.CommandLine like r"%TVpTAQEAAAAEAAAA%" +Annotation = {"mitre_attack": ["T1105"], "author": "Christian Burkard (Nextron Systems)"} +Query = (Process.Path like r"%\\certreq.exe" or Process.Name == "CertReq.exe") and Process.CommandLine like r"% -Post %" and Process.CommandLine like r"% -config %" and Process.CommandLine like r"% http%" and Process.CommandLine like r"% C:\\windows\\win.ini %" [ThreatDetectionRule platform=Windows] -# Detects suspicious child process creations of VMware Tools process which may indicate persistence setup -# Author: bohops, Bhabesh Raj -RuleId = 5687f942-867b-4578-ade7-1e341c46e99a -RuleName = VMToolsd Suspicious Child Process +# Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells +# Author: Florian Roth (Nextron Systems), MSTI (query) +RuleId = fa3c117a-bc0d-416e-a31b-0c0e80653efb +RuleName = Chopper Webshell Process Pattern EventType = Process.Start -Tag = proc-start-vmtoolsd-suspicious-child-process +Tag = proc-start-chopper-webshell-process-pattern RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "bohops, Bhabesh Raj"} -Query = Parent.Path like r"%\\vmtoolsd.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Process.Name in ["Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe"]) and not (Process.Path like 
r"%\\cmd.exe" and (Process.CommandLine like r"%\\VMware\\VMware Tools\\poweron-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\poweroff-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\resume-vm-default.bat%" or Process.CommandLine like r"%\\VMware\\VMware Tools\\suspend-vm-default.bat%") or Process.Path like r"%\\cmd.exe" and Process.CommandLine == "" or Process.Path like r"%\\cmd.exe" and isnull(Process.CommandLine)) +Annotation = {"mitre_attack": ["T1505.003", "T1018", "T1033", "T1087"], "author": "Florian Roth (Nextron Systems), MSTI (query)"} +Query = (Process.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\w3wp.exe") and (Process.CommandLine like r"%&ipconfig&echo%" or Process.CommandLine like r"%&quser&echo%" or Process.CommandLine like r"%&whoami&echo%" or Process.CommandLine like r"%&c:&echo%" or Process.CommandLine like r"%&cd&echo%" or Process.CommandLine like r"%&dir&echo%" or Process.CommandLine like r"%&echo [E]%" or Process.CommandLine like r"%&echo [S]%") GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 42205c73-75c8-4a63-9db1-e3782e06fda0 -RuleName = Suspicious Application Allowed Through Exploit Guard +# Detects when attackers or tools disable Windows Defender functionalities via the Windows registry +# Author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel +RuleId = 0eb46774-f1ab-4a74-8238-1155855f2263 +RuleName = Disable Windows Defender Functionalities Via Registry Keys EventType = Reg.Any -Tag = suspicious-application-allowed-through-exploit-guard +Tag = disable-windows-defender-functionalities-via-registry-keys RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = 
Reg.TargetObject like r"%SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications%" and (Reg.TargetObject like r"%\\Users\\Public\\%" or Reg.TargetObject like r"%\\AppData\\Local\\Temp\\%" or Reg.TargetObject like r"%\\Desktop\\%" or Reg.TargetObject like r"%\\PerfLogs\\%" or Reg.TargetObject like r"%\\Windows\\Temp\\%") +Annotation = {"mitre_attack": ["T1562.001"], "author": "AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel"} +Query = (Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows Defender\\%" or Reg.TargetObject like r"%\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\%" or Reg.TargetObject like r"%\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\%") and ((Reg.TargetObject like r"%\\DisableAntiSpyware" or Reg.TargetObject like r"%\\DisableAntiVirus" or Reg.TargetObject like r"%\\DisableBehaviorMonitoring" or Reg.TargetObject like r"%\\DisableBlockAtFirstSeen" or Reg.TargetObject like r"%\\DisableEnhancedNotifications" or Reg.TargetObject like r"%\\DisableIntrusionPreventionSystem" or Reg.TargetObject like r"%\\DisableIOAVProtection" or Reg.TargetObject like r"%\\DisableOnAccessProtection" or Reg.TargetObject like r"%\\DisableRealtimeMonitoring" or Reg.TargetObject like r"%\\DisableScanOnRealtimeEnable" or Reg.TargetObject like r"%\\DisableScriptScanning") and Reg.Value.Data == "DWORD (0x00000001)" or (Reg.TargetObject like r"%\\DisallowExploitProtectionOverride" or Reg.TargetObject like r"%\\Features\\TamperProtection" or Reg.TargetObject like r"%\\MpEngine\\MpEnablePus" or Reg.TargetObject like r"%\\PUAProtection" or Reg.TargetObject like r"%\\Signature Update\\ForceUpdateFromMU" or Reg.TargetObject like r"%\\SpyNet\\SpynetReporting" or Reg.TargetObject like r"%\\SpyNet\\SubmitSamplesConsent" or Reg.TargetObject like r"%\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess") and 
Reg.Value.Data == "DWORD (0x00000000)") and not (Process.Path like r"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\%" and Process.Path like r"%\\sepWscSvc64.exe") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the modification of the registry to allow a driver or service to persist in Safe Mode. -# Author: frack113 -RuleId = 1547e27c-3974-43e2-a7d7-7f484fb928ec -RuleName = Registry Persistence via Service in Safe Mode -EventType = Reg.Any -Tag = registry-persistence-via-service-in-safe-mode +# Detects a potentially suspicious execution from an uncommon folder. +# Author: Florian Roth (Nextron Systems), Tim Shelton +RuleId = 3dfd06d2-eaf4-4532-9555-68aca59f57c4 +RuleName = Process Execution From A Potentially Suspicious Folder +EventType = Process.Start +Tag = proc-start-process-execution-from-a-potentially-suspicious-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1564.001"], "author": "frack113"} -Query = (Reg.TargetObject like r"%\\Control\\SafeBoot\\Minimal\\%" or Reg.TargetObject like r"%\\Control\\SafeBoot\\Network\\%") and Reg.TargetObject like r"%\\(Default)" and Reg.Value.Data == "Service" and not (Process.Path == "C:\\WINDOWS\\system32\\msiexec.exe" and (Reg.TargetObject like r"%\\Control\\SafeBoot\\Minimal\\SAVService\\(Default)" or Reg.TargetObject like r"%\\Control\\SafeBoot\\Network\\SAVService\\(Default)")) -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems), Tim Shelton"} +Query = (Process.Path like r"%:\\Perflogs\\%" or Process.Path like r"%:\\Users\\All Users\\%" or Process.Path like r"%:\\Users\\Default\\%" or Process.Path like r"%:\\Users\\NetworkService\\%" or Process.Path like r"%:\\Windows\\addins\\%" or Process.Path like r"%:\\Windows\\debug\\%" or Process.Path like r"%:\\Windows\\Fonts\\%" or Process.Path like 
r"%:\\Windows\\Help\\%" or Process.Path like r"%:\\Windows\\IME\\%" or Process.Path like r"%:\\Windows\\Media\\%" or Process.Path like r"%:\\Windows\\repair\\%" or Process.Path like r"%:\\Windows\\security\\%" or Process.Path like r"%:\\Windows\\System32\\Tasks\\%" or Process.Path like r"%:\\Windows\\Tasks\\%" or Process.Path like r"%$Recycle.bin%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Intel\\Logs\\%" or Process.Path like r"%\\RSA\\MachineKeys\\%") and not (Process.Path like r"C:\\Users\\Public\\IBM\\ClientSolutions\\Start\_Programs\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\%" and Process.Path like r"%\\CitrixReceiverUpdater.exe") [ThreatDetectionRule platform=Windows] -# The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service. -# Author: NVISO -RuleId = 828af599-4c53-4ed2-ba4a-a9f835c434ea -RuleName = Fax Service DLL Search Order Hijack -EventType = Image.Load -Tag = fax-service-dll-search-order-hijack +# Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 4beb6ae0-f85b-41e2-8f18-8668abc8af78 +RuleName = Sysinternals PsSuspend Suspicious Execution +EventType = Process.Start +Tag = proc-start-sysinternals-pssuspend-suspicious-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "NVISO"} -Query = Process.Path like r"%\\fxssvc.exe" and Image.Path like r"%ualapi.dll" and not Image.Path like r"C:\\Windows\\WinSxS\\%" -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Name == "pssuspend.exe" or Process.Path like r"%\\pssuspend.exe" or Process.Path like r"%\\pssuspend64.exe") and 
Process.CommandLine like r"%msmpeng.exe%" [ThreatDetectionRule platform=Windows] -# Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it +# Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 -RuleName = Potential Credential Dumping Attempt Using New NetworkProvider - CLI +RuleId = 5f6a601c-2ecb-498b-9c33-660362323afa +RuleName = Root Certificate Installed From Susp Locations EventType = Process.Start -Tag = proc-start-potential-credential-dumping-attempt-using-new-networkprovider-cli +Tag = proc-start-root-certificate-installed-from-susp-locations RiskScore = 75 -Annotation = {"mitre_attack": ["T1003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%\\System\\CurrentControlSet\\Services\\%" and Process.CommandLine like r"%\\NetworkProvider%" +Annotation = {"mitre_attack": ["T1553.004"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%Import-Certificate%" and Process.CommandLine like r"% -FilePath %" and Process.CommandLine like r"%Cert:\\LocalMachine\\Root%" and (Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\TEMP\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Perflogs\\%" or Process.CommandLine like r"%:\\Users\\Public\\%") [ThreatDetectionRule platform=Windows] -# Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 086ae989-9ca6-4fe7-895a-759c5544f247 -RuleName = Potential Persistence Via TypedPaths -EventType = Reg.Any -Tag = potential-persistence-via-typedpaths +# Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. +# Author: @Kostastsale, @TheDFIRReport +RuleId = 225274c4-8dd1-40db-9e09-71dff4f6fb3c +RuleName = Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 +EventType = Process.Start +Tag = proc-start-potential-defense-evasion-activity-via-emoji-usage-in-commandline-4 RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\%" and not (Process.Path in ["C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"]) -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"author": "@Kostastsale, @TheDFIRReport"} +Query = Process.CommandLine like r"%🔸%" or Process.CommandLine like r"%🔹%" or Process.CommandLine like r"%🔶%" or Process.CommandLine like r"%🔷%" or Process.CommandLine like r"%🔳%" or Process.CommandLine like r"%🔲%" or Process.CommandLine like r"%▪️%" or Process.CommandLine like r"%▫️%" or Process.CommandLine like r"%◾️%" or Process.CommandLine like r"%◽️%" or Process.CommandLine like r"%◼️%" or Process.CommandLine like r"%◻️%" or Process.CommandLine like r"%🟥%" or Process.CommandLine like r"%🟧%" or Process.CommandLine like r"%🟨%" or Process.CommandLine like r"%🟩%" or Process.CommandLine like r"%🟦%" or Process.CommandLine like r"%🟪%" or Process.CommandLine like r"%⬛️%" or Process.CommandLine like r"%⬜️%" or Process.CommandLine like r"%🟫%" or Process.CommandLine like r"%🔈%" or Process.CommandLine like r"%🔇%" or Process.CommandLine like r"%🔉%" or Process.CommandLine like r"%🔊%" or Process.CommandLine like r"%🔔%" or Process.CommandLine like 
r"%🔕%" or Process.CommandLine like r"%📣%" or Process.CommandLine like r"%📢%" or Process.CommandLine like r"%👁‍🗨%" or Process.CommandLine like r"%💬%" or Process.CommandLine like r"%💭%" or Process.CommandLine like r"%🗯%" or Process.CommandLine like r"%♠️%" or Process.CommandLine like r"%♣️%" or Process.CommandLine like r"%♥️%" or Process.CommandLine like r"%♦️%" or Process.CommandLine like r"%🃏%" or Process.CommandLine like r"%🎴%" or Process.CommandLine like r"%🀄️%" or Process.CommandLine like r"%🕐%" or Process.CommandLine like r"%🕑%" or Process.CommandLine like r"%🕒%" or Process.CommandLine like r"%🕓%" or Process.CommandLine like r"%🕔%" or Process.CommandLine like r"%🕕%" or Process.CommandLine like r"%🕖%" or Process.CommandLine like r"%🕗%" or Process.CommandLine like r"%🕘%" or Process.CommandLine like r"%🕙%" or Process.CommandLine like r"%🕚%" or Process.CommandLine like r"%🕛%" or Process.CommandLine like r"%🕜%" or Process.CommandLine like r"%🕝%" or Process.CommandLine like r"%🕞%" or Process.CommandLine like r"%🕟%" or Process.CommandLine like r"%🕠%" or Process.CommandLine like r"%🕡%" or Process.CommandLine like r"%🕢%" or Process.CommandLine like r"%🕣%" or Process.CommandLine like r"%🕤%" or Process.CommandLine like r"%🕥%" or Process.CommandLine like r"%🕦%" or Process.CommandLine like r"%🕧✢%" or Process.CommandLine like r"%✣%" or Process.CommandLine like r"%✤%" or Process.CommandLine like r"%✥%" or Process.CommandLine like r"%✦%" or Process.CommandLine like r"%✧%" or Process.CommandLine like r"%★%" or Process.CommandLine like r"%☆%" or Process.CommandLine like r"%✯%" or Process.CommandLine like r"%✡︎%" or Process.CommandLine like r"%✩%" or Process.CommandLine like r"%✪%" or Process.CommandLine like r"%✫%" or Process.CommandLine like r"%✬%" or Process.CommandLine like r"%✭%" or Process.CommandLine like r"%✮%" or Process.CommandLine like r"%✶%" or Process.CommandLine like r"%✷%" or Process.CommandLine like r"%✵%" or Process.CommandLine like r"%✸%" or Process.CommandLine 
like r"%✹%" or Process.CommandLine like r"%→%" or Process.CommandLine like r"%⇒%" or Process.CommandLine like r"%⟹%" or Process.CommandLine like r"%⇨%" or Process.CommandLine like r"%⇾%" or Process.CommandLine like r"%➾%" or Process.CommandLine like r"%⇢%" or Process.CommandLine like r"%☛%" or Process.CommandLine like r"%☞%" or Process.CommandLine like r"%➔%" or Process.CommandLine like r"%➜%" or Process.CommandLine like r"%➙%" or Process.CommandLine like r"%➛%" or Process.CommandLine like r"%➝%" or Process.CommandLine like r"%➞%" or Process.CommandLine like r"%♠︎%" or Process.CommandLine like r"%♣︎%" or Process.CommandLine like r"%♥︎%" or Process.CommandLine like r"%♦︎%" or Process.CommandLine like r"%♤%" or Process.CommandLine like r"%♧%" or Process.CommandLine like r"%♡%" or Process.CommandLine like r"%♢%" or Process.CommandLine like r"%♚%" or Process.CommandLine like r"%♛%" or Process.CommandLine like r"%♜%" or Process.CommandLine like r"%♝%" or Process.CommandLine like r"%♞%" or Process.CommandLine like r"%♟%" or Process.CommandLine like r"%♔%" or Process.CommandLine like r"%♕%" or Process.CommandLine like r"%♖%" or Process.CommandLine like r"%♗%" or Process.CommandLine like r"%♘%" or Process.CommandLine like r"%♙%" or Process.CommandLine like r"%⚀%" or Process.CommandLine like r"%⚁%" or Process.CommandLine like r"%⚂%" or Process.CommandLine like r"%⚃%" or Process.CommandLine like r"%⚄%" or Process.CommandLine like r"%⚅%" or Process.CommandLine like r"%🂠%" or Process.CommandLine like r"%⚈%" or Process.CommandLine like r"%⚉%" or Process.CommandLine like r"%⚆%" or Process.CommandLine like r"%⚇%" or Process.CommandLine like r"%𓀀%" or Process.CommandLine like r"%𓀁%" or Process.CommandLine like r"%𓀂%" or Process.CommandLine like r"%𓀃%" or Process.CommandLine like r"%𓀄%" or Process.CommandLine like r"%𓀅%" or Process.CommandLine like r"%𓀆%" or Process.CommandLine like r"%𓀇%" or Process.CommandLine like r"%𓀈%" or Process.CommandLine like r"%𓀉%" or Process.CommandLine 
like r"%𓀊%" or Process.CommandLine like r"%𓀋%" or Process.CommandLine like r"%𓀌%" or Process.CommandLine like r"%𓀍%" or Process.CommandLine like r"%𓀎%" or Process.CommandLine like r"%𓀏%" or Process.CommandLine like r"%𓀐%" or Process.CommandLine like r"%𓀑%" or Process.CommandLine like r"%𓀒%" or Process.CommandLine like r"%𓀓%" or Process.CommandLine like r"%𓀔%" or Process.CommandLine like r"%𓀕%" or Process.CommandLine like r"%𓀖%" or Process.CommandLine like r"%𓀗%" or Process.CommandLine like r"%𓀘%" or Process.CommandLine like r"%𓀙%" or Process.CommandLine like r"%𓀚%" or Process.CommandLine like r"%𓀛%" or Process.CommandLine like r"%𓀜%" or Process.CommandLine like r"%𓀝🏳️%" or Process.CommandLine like r"%🏴%" or Process.CommandLine like r"%🏁%" or Process.CommandLine like r"%🚩%" or Process.CommandLine like r"%🏳️‍🌈%" or Process.CommandLine like r"%🏳️‍⚧️%" or Process.CommandLine like r"%🏴‍☠️%" or Process.CommandLine like r"%🇦🇫%" or Process.CommandLine like r"%🇦🇽%" or Process.CommandLine like r"%🇦🇱%" or Process.CommandLine like r"%🇩🇿%" or Process.CommandLine like r"%🇦🇸%" or Process.CommandLine like r"%🇦🇩%" or Process.CommandLine like r"%🇦🇴%" or Process.CommandLine like r"%🇦🇮%" or Process.CommandLine like r"%🇦🇶%" or Process.CommandLine like r"%🇦🇬%" or Process.CommandLine like r"%🇦🇷%" or Process.CommandLine like r"%🇦🇲%" or Process.CommandLine like r"%🇦🇼%" or Process.CommandLine like r"%🇦🇺%" or Process.CommandLine like r"%🇦🇹%" or Process.CommandLine like r"%🇦🇿%" or Process.CommandLine like r"%🇧🇸%" or Process.CommandLine like r"%🇧🇭%" or Process.CommandLine like r"%🇧🇩%" or Process.CommandLine like r"%🇧🇧%" or Process.CommandLine like r"%🇧🇾%" or Process.CommandLine like r"%🇧🇪%" or Process.CommandLine like r"%🇧🇿%" or Process.CommandLine like r"%🇧🇯%" or Process.CommandLine like r"%🇧🇲%" or Process.CommandLine like r"%🇧🇹%" or Process.CommandLine like r"%🇧🇴%" or Process.CommandLine like r"%🇧🇦%" or Process.CommandLine like r"%🇧🇼%" or Process.CommandLine like r"%🇧🇷%" or 
Process.CommandLine like r"%🇮🇴%" or Process.CommandLine like r"%🇻🇬%" or Process.CommandLine like r"%🇧🇳%" or Process.CommandLine like r"%🇧🇬%" or Process.CommandLine like r"%🇧🇫%" or Process.CommandLine like r"%🇧🇮%" or Process.CommandLine like r"%🇰🇭%" or Process.CommandLine like r"%🇨🇲%" or Process.CommandLine like r"%🇨🇦%" or Process.CommandLine like r"%🇮🇨%" or Process.CommandLine like r"%🇨🇻%" or Process.CommandLine like r"%🇧🇶%" or Process.CommandLine like r"%🇰🇾%" or Process.CommandLine like r"%🇨🇫%" or Process.CommandLine like r"%🇹🇩%" or Process.CommandLine like r"%🇨🇱%" or Process.CommandLine like r"%🇨🇳%" or Process.CommandLine like r"%🇨🇽%" or Process.CommandLine like r"%🇨🇨%" or Process.CommandLine like r"%🇨🇴%" or Process.CommandLine like r"%🇰🇲%" or Process.CommandLine like r"%🇨🇬%" or Process.CommandLine like r"%🇨🇩%" or Process.CommandLine like r"%🇨🇰%" or Process.CommandLine like r"%🇨🇷%" or Process.CommandLine like r"%🇨🇮%" or Process.CommandLine like r"%🇭🇷%" or Process.CommandLine like r"%🇨🇺%" or Process.CommandLine like r"%🇨🇼%" or Process.CommandLine like r"%🇨🇾%" or Process.CommandLine like r"%🇨🇿%" or Process.CommandLine like r"%🇩🇰%" or Process.CommandLine like r"%🇩🇯%" or Process.CommandLine like r"%🇩🇲%" or Process.CommandLine like r"%🇩🇴%" or Process.CommandLine like r"%🇪🇨%" or Process.CommandLine like r"%🇪🇬%" or Process.CommandLine like r"%🇸🇻%" or Process.CommandLine like r"%🇬🇶%" or Process.CommandLine like r"%🇪🇷%" or Process.CommandLine like r"%🇪🇪%" or Process.CommandLine like r"%🇪🇹%" or Process.CommandLine like r"%🇪🇺%" or Process.CommandLine like r"%🇫🇰%" or Process.CommandLine like r"%🇫🇴%" or Process.CommandLine like r"%🇫🇯%" or Process.CommandLine like r"%🇫🇮%" or Process.CommandLine like r"%🇫🇷%" or Process.CommandLine like r"%🇬🇫%" or Process.CommandLine like r"%🇵🇫%" or Process.CommandLine like r"%🇹🇫%" or Process.CommandLine like r"%🇬🇦%" or Process.CommandLine like r"%🇬🇲%" or Process.CommandLine like r"%🇬🇪%" or Process.CommandLine like r"%🇩🇪%" or Process.CommandLine 
like r"%🇬🇭%" or Process.CommandLine like r"%🇬🇮%" or Process.CommandLine like r"%🇬🇷%" or Process.CommandLine like r"%🇬🇱%" or Process.CommandLine like r"%🇬🇩%" or Process.CommandLine like r"%🇬🇵%" or Process.CommandLine like r"%🇬🇺%" or Process.CommandLine like r"%🇬🇹%" or Process.CommandLine like r"%🇬🇬%" or Process.CommandLine like r"%🇬🇳%" or Process.CommandLine like r"%🇬🇼%" or Process.CommandLine like r"%🇬🇾%" or Process.CommandLine like r"%🇭🇹%" or Process.CommandLine like r"%🇭🇳%" or Process.CommandLine like r"%🇭🇰%" or Process.CommandLine like r"%🇭🇺%" or Process.CommandLine like r"%🇮🇸%" or Process.CommandLine like r"%🇮🇳%" or Process.CommandLine like r"%🇮🇩%" or Process.CommandLine like r"%🇮🇷%" or Process.CommandLine like r"%🇮🇶%" or Process.CommandLine like r"%🇮🇪%" or Process.CommandLine like r"%🇮🇲%" or Process.CommandLine like r"%🇮🇱%" or Process.CommandLine like r"%🇮🇹%" or Process.CommandLine like r"%🇯🇲%" or Process.CommandLine like r"%🇯🇵%" or Process.CommandLine like r"%🎌%" or Process.CommandLine like r"%🇯🇪%" or Process.CommandLine like r"%🇯🇴%" or Process.CommandLine like r"%🇰🇿%" or Process.CommandLine like r"%🇰🇪%" or Process.CommandLine like r"%🇰🇮%" or Process.CommandLine like r"%🇽🇰%" or Process.CommandLine like r"%🇰🇼%" or Process.CommandLine like r"%🇰🇬%" or Process.CommandLine like r"%🇱🇦%" or Process.CommandLine like r"%🇱🇻%" or Process.CommandLine like r"%🇱🇧%" or Process.CommandLine like r"%🇱🇸%" or Process.CommandLine like r"%🇱🇷%" or Process.CommandLine like r"%🇱🇾%" or Process.CommandLine like r"%🇱🇮%" or Process.CommandLine like r"%🇱🇹%" or Process.CommandLine like r"%🇱🇺%" or Process.CommandLine like r"%🇲🇴%" or Process.CommandLine like r"%🇲🇰%" or Process.CommandLine like r"%🇲🇬%" or Process.CommandLine like r"%🇲🇼%" or Process.CommandLine like r"%🇲🇾%" or Process.CommandLine like r"%🇲🇻%" or Process.CommandLine like r"%🇲🇱%" or Process.CommandLine like r"%🇲🇹%" or Process.CommandLine like r"%🇲🇭%" or Process.CommandLine like r"%🇲🇶%" or Process.CommandLine like r"%🇲🇷%" or 
Process.CommandLine like r"%🇲🇺%" or Process.CommandLine like r"%🇾🇹%" or Process.CommandLine like r"%🇲🇽%" or Process.CommandLine like r"%🇫🇲%" or Process.CommandLine like r"%🇲🇩%" or Process.CommandLine like r"%🇲🇨%" or Process.CommandLine like r"%🇲🇳%" or Process.CommandLine like r"%🇲🇪%" or Process.CommandLine like r"%🇲🇸%" or Process.CommandLine like r"%🇲🇦%" or Process.CommandLine like r"%🇲🇿%" or Process.CommandLine like r"%🇲🇲%" or Process.CommandLine like r"%🇳🇦%" or Process.CommandLine like r"%🇳🇷%" or Process.CommandLine like r"%🇳🇵%" or Process.CommandLine like r"%🇳🇱%" or Process.CommandLine like r"%🇳🇨%" or Process.CommandLine like r"%🇳🇿%" or Process.CommandLine like r"%🇳🇮%" or Process.CommandLine like r"%🇳🇪%" or Process.CommandLine like r"%🇳🇬%" or Process.CommandLine like r"%🇳🇺%" or Process.CommandLine like r"%🇳🇫%" or Process.CommandLine like r"%🇰🇵%" or Process.CommandLine like r"%🇲🇵%" or Process.CommandLine like r"%🇳🇴%" or Process.CommandLine like r"%🇴🇲%" or Process.CommandLine like r"%🇵🇰%" or Process.CommandLine like r"%🇵🇼%" or Process.CommandLine like r"%🇵🇸%" or Process.CommandLine like r"%🇵🇦%" or Process.CommandLine like r"%🇵🇬%" or Process.CommandLine like r"%🇵🇾%" or Process.CommandLine like r"%🇵🇪%" or Process.CommandLine like r"%🇵🇭%" or Process.CommandLine like r"%🇵🇳%" or Process.CommandLine like r"%🇵🇱%" or Process.CommandLine like r"%🇵🇹%" or Process.CommandLine like r"%🇵🇷%" or Process.CommandLine like r"%🇶🇦%" or Process.CommandLine like r"%🇷🇪%" or Process.CommandLine like r"%🇷🇴%" or Process.CommandLine like r"%🇷🇺%" or Process.CommandLine like r"%🇷🇼%" or Process.CommandLine like r"%🇼🇸%" or Process.CommandLine like r"%🇸🇲%" or Process.CommandLine like r"%🇸🇦%" or Process.CommandLine like r"%🇸🇳%" or Process.CommandLine like r"%🇷🇸%" or Process.CommandLine like r"%🇸🇨%" or Process.CommandLine like r"%🇸🇱%" or Process.CommandLine like r"%🇸🇬%" or Process.CommandLine like r"%🇸🇽%" or Process.CommandLine like r"%🇸🇰%" or Process.CommandLine like r"%🇸🇮%" or Process.CommandLine 
like r"%🇬🇸%" or Process.CommandLine like r"%🇸🇧%" or Process.CommandLine like r"%🇸🇴%" or Process.CommandLine like r"%🇿🇦%" or Process.CommandLine like r"%🇰🇷%" or Process.CommandLine like r"%🇸🇸%" or Process.CommandLine like r"%🇪🇸%" or Process.CommandLine like r"%🇱🇰%" or Process.CommandLine like r"%🇧🇱%" or Process.CommandLine like r"%🇸🇭%" or Process.CommandLine like r"%🇰🇳%" or Process.CommandLine like r"%🇱🇨%" or Process.CommandLine like r"%🇵🇲%" or Process.CommandLine like r"%🇻🇨%" or Process.CommandLine like r"%🇸🇩%" or Process.CommandLine like r"%🇸🇷%" or Process.CommandLine like r"%🇸🇿%" or Process.CommandLine like r"%🇸🇪%" or Process.CommandLine like r"%🇨🇭%" or Process.CommandLine like r"%🇸🇾%" or Process.CommandLine like r"%🇹🇼%" or Process.CommandLine like r"%🇹🇯%" or Process.CommandLine like r"%🇹🇿%" or Process.CommandLine like r"%🇹🇭%" or Process.CommandLine like r"%🇹🇱%" or Process.CommandLine like r"%🇹🇬%" or Process.CommandLine like r"%🇹🇰%" or Process.CommandLine like r"%🇹🇴%" or Process.CommandLine like r"%🇹🇹%" or Process.CommandLine like r"%🇹🇳%" or Process.CommandLine like r"%🇹🇷%" or Process.CommandLine like r"%🇹🇲%" or Process.CommandLine like r"%🇹🇨%" or Process.CommandLine like r"%🇹🇻%" or Process.CommandLine like r"%🇻🇮%" or Process.CommandLine like r"%🇺🇬%" or Process.CommandLine like r"%🇺🇦%" or Process.CommandLine like r"%🇦🇪%" or Process.CommandLine like r"%🇬🇧%" or Process.CommandLine like r"%🏴󠁧󠁢󠁥󠁮󠁧󠁿%" or Process.CommandLine like r"%🏴󠁧󠁢󠁳󠁣󠁴󠁿%" or Process.CommandLine like r"%🏴󠁧󠁢󠁷󠁬󠁳󠁿%" or Process.CommandLine like r"%🇺🇳%" or Process.CommandLine like r"%🇺🇸%" or Process.CommandLine like r"%🇺🇾%" or Process.CommandLine like r"%🇺🇿%" or Process.CommandLine like r"%🇻🇺%" or Process.CommandLine like r"%🇻🇦%" or Process.CommandLine like r"%🇻🇪%" or Process.CommandLine like r"%🇻🇳%" or Process.CommandLine like r"%🇼🇫%" or Process.CommandLine like r"%🇪🇭%" or Process.CommandLine like r"%🇾🇪%" or Process.CommandLine like r"%🇿🇲%" or Process.CommandLine like r"%🇿🇼🫠%" or Process.CommandLine 
like r"%🫢%" or Process.CommandLine like r"%🫣%" or Process.CommandLine like r"%🫡%" or Process.CommandLine like r"%🫥%" or Process.CommandLine like r"%🫤%" or Process.CommandLine like r"%🥹%" or Process.CommandLine like r"%🫱%" or Process.CommandLine like r"%🫱🏻%" or Process.CommandLine like r"%🫱🏼%" or Process.CommandLine like r"%🫱🏽%" or Process.CommandLine like r"%🫱🏾%" or Process.CommandLine like r"%🫱🏿%" or Process.CommandLine like r"%🫲%" or Process.CommandLine like r"%🫲🏻%" or Process.CommandLine like r"%🫲🏼%" or Process.CommandLine like r"%🫲🏽%" or Process.CommandLine like r"%🫲🏾%" or Process.CommandLine like r"%🫲🏿%" or Process.CommandLine like r"%🫳%" or Process.CommandLine like r"%🫳🏻%" or Process.CommandLine like r"%🫳🏼%" or Process.CommandLine like r"%🫳🏽%" or Process.CommandLine like r"%🫳🏾%" or Process.CommandLine like r"%🫳🏿%" or Process.CommandLine like r"%🫴%" or Process.CommandLine like r"%🫴🏻%" or Process.CommandLine like r"%🫴🏼%" or Process.CommandLine like r"%🫴🏽%" or Process.CommandLine like r"%🫴🏾%" or Process.CommandLine like r"%🫴🏿%" or Process.CommandLine like r"%🫰%" or Process.CommandLine like r"%🫰🏻%" or Process.CommandLine like r"%🫰🏼%" or Process.CommandLine like r"%🫰🏽%" or Process.CommandLine like r"%🫰🏾%" or Process.CommandLine like r"%🫰🏿%" or Process.CommandLine like r"%🫵%" or Process.CommandLine like r"%🫵🏻%" or Process.CommandLine like r"%🫵🏼%" or Process.CommandLine like r"%🫵🏽%" or Process.CommandLine like r"%🫵🏾%" or Process.CommandLine like r"%🫵🏿%" or Process.CommandLine like r"%🫶%" or Process.CommandLine like r"%🫶🏻%" or Process.CommandLine like r"%🫶🏼%" or Process.CommandLine like r"%🫶🏽%" or Process.CommandLine like r"%🫶🏾%" or Process.CommandLine like r"%🫶🏿%" or Process.CommandLine like r"%🤝🏻%" or Process.CommandLine like r"%🤝🏼%" or Process.CommandLine like r"%🤝🏽%" or Process.CommandLine like r"%🤝🏾%" or Process.CommandLine like r"%🤝🏿%" or Process.CommandLine like r"%🫱🏻‍🫲🏼%" or Process.CommandLine like r"%🫱🏻‍🫲🏽%" or Process.CommandLine like r"%🫱🏻‍🫲🏾%" or 
Process.CommandLine like r"%🫱🏻‍🫲🏿%" or Process.CommandLine like r"%🫱🏼‍🫲🏻%" or Process.CommandLine like r"%🫱🏼‍🫲🏽%" or Process.CommandLine like r"%🫱🏼‍🫲🏾%" or Process.CommandLine like r"%🫱🏼‍🫲🏿%" or Process.CommandLine like r"%🫱🏽‍🫲🏻%" or Process.CommandLine like r"%🫱🏽‍🫲🏼%" or Process.CommandLine like r"%🫱🏽‍🫲🏾%" or Process.CommandLine like r"%🫱🏽‍🫲🏿%" or Process.CommandLine like r"%🫱🏾‍🫲🏻%" or Process.CommandLine like r"%🫱🏾‍🫲🏼%" or Process.CommandLine like r"%🫱🏾‍🫲🏽%" or Process.CommandLine like r"%🫱🏾‍🫲🏿%" or Process.CommandLine like r"%🫱🏿‍🫲🏻%" or Process.CommandLine like r"%🫱🏿‍🫲🏼%" or Process.CommandLine like r"%🫱🏿‍🫲🏽%" or Process.CommandLine like r"%🫱🏿‍🫲🏾%" or Process.CommandLine like r"%🫦%" or Process.CommandLine like r"%🫅%" or Process.CommandLine like r"%🫅🏻%" or Process.CommandLine like r"%🫅🏼%" or Process.CommandLine like r"%🫅🏽%" or Process.CommandLine like r"%🫅🏾%" or Process.CommandLine like r"%🫅🏿%" or Process.CommandLine like r"%🫃%" or Process.CommandLine like r"%🫃🏻%" or Process.CommandLine like r"%🫃🏼%" or Process.CommandLine like r"%🫃🏽%" or Process.CommandLine like r"%🫃🏾%" or Process.CommandLine like r"%🫃🏿%" or Process.CommandLine like r"%🫄%" or Process.CommandLine like r"%🫄🏻%" or Process.CommandLine like r"%🫄🏼%" or Process.CommandLine like r"%🫄🏽%" or Process.CommandLine like r"%🫄🏾%" or Process.CommandLine like r"%🫄🏿%" or Process.CommandLine like r"%🧌%" or Process.CommandLine like r"%🪸%" or Process.CommandLine like r"%🪷%" or Process.CommandLine like r"%🪹%" or Process.CommandLine like r"%🪺%" or Process.CommandLine like r"%🫘%" or Process.CommandLine like r"%🫗%" or Process.CommandLine like r"%🫙%" or Process.CommandLine like r"%🛝%" or Process.CommandLine like r"%🛞%" or Process.CommandLine like r"%🛟%" or Process.CommandLine like r"%🪬%" or Process.CommandLine like r"%🪩%" or Process.CommandLine like r"%🪫%" or Process.CommandLine like r"%🩼%" or Process.CommandLine like r"%🩻%" or Process.CommandLine like r"%🫧%" or Process.CommandLine like r"%🪪%" or Process.CommandLine like 
r"%🟰%" or Process.CommandLine like r"%😮‍💨%" or Process.CommandLine like r"%😵‍💫%" or Process.CommandLine like r"%😶‍🌫️%" or Process.CommandLine like r"%❤️‍🔥%" or Process.CommandLine like r"%❤️‍🩹%" or Process.CommandLine like r"%🧔‍♀️%" or Process.CommandLine like r"%🧔🏻‍♀️%" or Process.CommandLine like r"%🧔🏼‍♀️%" or Process.CommandLine like r"%🧔🏽‍♀️%" or Process.CommandLine like r"%🧔🏾‍♀️%" or Process.CommandLine like r"%🧔🏿‍♀️%" or Process.CommandLine like r"%🧔‍♂️%" or Process.CommandLine like r"%🧔🏻‍♂️%" or Process.CommandLine like r"%🧔🏼‍♂️%" or Process.CommandLine like r"%🧔🏽‍♂️%" or Process.CommandLine like r"%🧔🏾‍♂️%" or Process.CommandLine like r"%🧔🏿‍♂️%" or Process.CommandLine like r"%💑🏻%" or Process.CommandLine like r"%💑🏼%" or Process.CommandLine like r"%💑🏽%" or Process.CommandLine like r"%💑🏾%" or Process.CommandLine like r"%💑🏿%" or Process.CommandLine like r"%💏🏻%" or Process.CommandLine like r"%💏🏼%" or Process.CommandLine like r"%💏🏽%" or Process.CommandLine like r"%💏🏾%" or Process.CommandLine like r"%💏🏿%" or Process.CommandLine like r"%👨🏻‍❤️‍👨🏻%" or Process.CommandLine like r"%👨🏻‍❤️‍👨🏼%" or Process.CommandLine like r"%👨🏻‍❤️‍👨🏽%" or Process.CommandLine like r"%👨🏻‍❤️‍👨🏾%" or Process.CommandLine like r"%👨🏻‍❤️‍👨🏿%" or Process.CommandLine like r"%👨🏼‍❤️‍👨🏻%" or Process.CommandLine like r"%👨🏼‍❤️‍👨🏼%" or Process.CommandLine like r"%👨🏼‍❤️‍👨🏽%" or Process.CommandLine like r"%👨🏼‍❤️‍👨🏾%" or Process.CommandLine like r"%👨🏼‍❤️‍👨🏿%" or Process.CommandLine like r"%👨🏽‍❤️‍👨🏻%" or Process.CommandLine like r"%👨🏽‍❤️‍👨🏼%" or Process.CommandLine like r"%👨🏽‍❤️‍👨🏽%" or Process.CommandLine like r"%👨🏽‍❤️‍👨🏾%" or Process.CommandLine like r"%👨🏽‍❤️‍👨🏿%" or Process.CommandLine like r"%👨🏾‍❤️‍👨🏻%" or Process.CommandLine like r"%👨🏾‍❤️‍👨🏼%" or Process.CommandLine like r"%👨🏾‍❤️‍👨🏽%" or Process.CommandLine like r"%👨🏾‍❤️‍👨🏾%" or Process.CommandLine like r"%👨🏾‍❤️‍👨🏿%" or Process.CommandLine like r"%👨🏿‍❤️‍👨🏻%" or Process.CommandLine like r"%👨🏿‍❤️‍👨🏼%" or Process.CommandLine like r"%👨🏿‍❤️‍👨🏽%" or 
Process.CommandLine like r"%👨🏿‍❤️‍👨🏾%" or Process.CommandLine like r"%👨🏿‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏻‍❤️‍👨🏻%" or Process.CommandLine like r"%👩🏻‍❤️‍👨🏼%" or Process.CommandLine like r"%👩🏻‍❤️‍👨🏽%" or Process.CommandLine like r"%👩🏻‍❤️‍👨🏾%" or Process.CommandLine like r"%👩🏻‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏻‍❤️‍👩🏻%" or Process.CommandLine like r"%👩🏻‍❤️‍👩🏼%" or Process.CommandLine like r"%👩🏻‍❤️‍👩🏽%" or Process.CommandLine like r"%👩🏻‍❤️‍👩🏾%" or Process.CommandLine like r"%👩🏻‍❤️‍👩🏿%" or Process.CommandLine like r"%👩🏼‍❤️‍👨🏻%" or Process.CommandLine like r"%👩🏼‍❤️‍👨🏼%" or Process.CommandLine like r"%👩🏼‍❤️‍👨🏽%" or Process.CommandLine like r"%👩🏼‍❤️‍👨🏾%" or Process.CommandLine like r"%👩🏼‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏼‍❤️‍👩🏻%" or Process.CommandLine like r"%👩🏼‍❤️‍👩🏼%" or Process.CommandLine like r"%👩🏼‍❤️‍👩🏽%" or Process.CommandLine like r"%👩🏼‍❤️‍👩🏾%" or Process.CommandLine like r"%👩🏼‍❤️‍👩🏿%" or Process.CommandLine like r"%👩🏽‍❤️‍👨🏻%" or Process.CommandLine like r"%👩🏽‍❤️‍👨🏼%" or Process.CommandLine like r"%👩🏽‍❤️‍👨🏽%" or Process.CommandLine like r"%👩🏽‍❤️‍👨🏾%" or Process.CommandLine like r"%👩🏽‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏽‍❤️‍👩🏻%" or Process.CommandLine like r"%👩🏽‍❤️‍👩🏼%" or Process.CommandLine like r"%👩🏽‍❤️‍👩🏽%" or Process.CommandLine like r"%👩🏽‍❤️‍👩🏾%" or Process.CommandLine like r"%👩🏽‍❤️‍👩🏿%" or Process.CommandLine like r"%👩🏾‍❤️‍👨🏻%" or Process.CommandLine like r"%👩🏾‍❤️‍👨🏼%" or Process.CommandLine like r"%👩🏾‍❤️‍👨🏽%" or Process.CommandLine like r"%👩🏾‍❤️‍👨🏾%" or Process.CommandLine like r"%👩🏾‍❤️‍👨🏿%" or Process.CommandLine like r"%👩🏾‍❤️‍👩🏻%" or Process.CommandLine like r"%👩🏾‍❤️‍👩🏼%" or Process.CommandLine like r"%👩🏾‍❤️‍👩🏽%" or Process.CommandLine like r"%👩🏾‍❤️‍👩🏾%" or Process.CommandLine like r"%👩🏾‍❤️‍👩🏿%" or Process.CommandLine like r"%👩🏿‍❤️‍👨🏻%" or Process.CommandLine like r"%👩🏿‍❤️‍👨🏼%" or Process.CommandLine like r"%👩🏿‍❤️‍👨🏽%" or Process.CommandLine like r"%👩🏿‍❤️‍👨🏾%" or Process.CommandLine like r"%👩🏿‍❤️‍👨🏿%" or Process.CommandLine like 
r"%👩🏿‍❤️‍👩🏻%" or Process.CommandLine like r"%👩🏿‍❤️‍👩🏼%" or Process.CommandLine like r"%👩🏿‍❤️‍👩🏽%" or Process.CommandLine like r"%👩🏿‍❤️‍👩🏾%" or Process.CommandLine like r"%👩🏿‍❤️‍👩🏿%" or Process.CommandLine like r"%🧑🏻‍❤️‍🧑🏼%" or Process.CommandLine like r"%🧑🏻‍❤️‍🧑🏽%" or Process.CommandLine like r"%🧑🏻‍❤️‍🧑🏾%" or Process.CommandLine like r"%🧑🏻‍❤️‍🧑🏿%" or Process.CommandLine like r"%🧑🏼‍❤️‍🧑🏻%" or Process.CommandLine like r"%🧑🏼‍❤️‍🧑🏽%" or Process.CommandLine like r"%🧑🏼‍❤️‍🧑🏾%" or Process.CommandLine like r"%🧑🏼‍❤️‍🧑🏿%" or Process.CommandLine like r"%🧑🏽‍❤️‍🧑🏻%" or Process.CommandLine like r"%🧑🏽‍❤️‍🧑🏼%" or Process.CommandLine like r"%🧑🏽‍❤️‍🧑🏾%" or Process.CommandLine like r"%🧑🏽‍❤️‍🧑🏿%" or Process.CommandLine like r"%🧑🏾‍❤️‍🧑🏻%" or Process.CommandLine like r"%🧑🏾‍❤️‍🧑🏼%" or Process.CommandLine like r"%🧑🏾‍❤️‍🧑🏽%" or Process.CommandLine like r"%🧑🏾‍❤️‍🧑🏿%" or Process.CommandLine like r"%🧑🏿‍❤️‍🧑🏻%" or Process.CommandLine like r"%🧑🏿‍❤️‍🧑🏼%" or Process.CommandLine like r"%🧑🏿‍❤️‍🧑🏽%" or Process.CommandLine like r"%🧑🏿‍❤️‍🧑🏾%" or Process.CommandLine like r"%👨🏻‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👨🏻‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👨🏻‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👨🏻‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👨🏻‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👨🏼‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👨🏼‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👨🏼‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👨🏼‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👨🏼‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👨🏽‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👨🏽‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👨🏽‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👨🏽‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👨🏽‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👨🏾‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👨🏾‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👨🏾‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👨🏾‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👨🏾‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👨🏿‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👨🏿‍❤️‍💋‍👨🏼%" or 
Process.CommandLine like r"%👨🏿‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👨🏿‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👨🏿‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👩🏻%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👩🏼%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👩🏽%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👩🏾%" or Process.CommandLine like r"%👩🏻‍❤️‍💋‍👩🏿%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👩🏻%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👩🏼%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👩🏽%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👩🏾%" or Process.CommandLine like r"%👩🏼‍❤️‍💋‍👩🏿%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👩🏻%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👩🏼%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👩🏽%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👩🏾%" or Process.CommandLine like r"%👩🏽‍❤️‍💋‍👩🏿%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👨🏼%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👩🏻%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👩🏼%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👩🏽%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👩🏾%" or Process.CommandLine like r"%👩🏾‍❤️‍💋‍👩🏿%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👨🏻%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👨🏼%" or Process.CommandLine 
like r"%👩🏿‍❤️‍💋‍👨🏽%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👨🏾%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👨🏿%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👩🏻%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👩🏼%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👩🏽%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👩🏾%" or Process.CommandLine like r"%👩🏿‍❤️‍💋‍👩🏿%" or Process.CommandLine like r"%🧑🏻‍❤️‍💋‍🧑🏼%" or Process.CommandLine like r"%🧑🏻‍❤️‍💋‍🧑🏽%" or Process.CommandLine like r"%🧑🏻‍❤️‍💋‍🧑🏾%" or Process.CommandLine like r"%🧑🏻‍❤️‍💋‍🧑🏿%" or Process.CommandLine like r"%🧑🏼‍❤️‍💋‍🧑🏻%" or Process.CommandLine like r"%🧑🏼‍❤️‍💋‍🧑🏽%" or Process.CommandLine like r"%🧑🏼‍❤️‍💋‍🧑🏾%" or Process.CommandLine like r"%🧑🏼‍❤️‍💋‍🧑🏿%" or Process.CommandLine like r"%🧑🏽‍❤️‍💋‍🧑🏻%" or Process.CommandLine like r"%🧑🏽‍❤️‍💋‍🧑🏼%" or Process.CommandLine like r"%🧑🏽‍❤️‍💋‍🧑🏾%" or Process.CommandLine like r"%🧑🏽‍❤️‍💋‍🧑🏿%" or Process.CommandLine like r"%🧑🏾‍❤️‍💋‍🧑🏻%" or Process.CommandLine like r"%🧑🏾‍❤️‍💋‍🧑🏼%" or Process.CommandLine like r"%🧑🏾‍❤️‍💋‍🧑🏽%" or Process.CommandLine like r"%🧑🏾‍❤️‍💋‍🧑🏿%" or Process.CommandLine like r"%🧑🏿‍❤️‍💋‍🧑🏻%" or Process.CommandLine like r"%🧑🏿‍❤️‍💋‍🧑🏼%" or Process.CommandLine like r"%🧑🏿‍❤️‍💋‍🧑🏽%" or Process.CommandLine like r"%🧑🏿‍❤️‍💋‍🧑🏾%" [ThreatDetectionRule platform=Windows] -# Sysmon registry detection of a local hidden user account. 
+# Detects shell32.dll executing a DLL in a suspicious directory # Author: Christian Burkard (Nextron Systems) -RuleId = 460479f3-80b7-42da-9c43-2cc1d54dbccd -RuleName = Creation of a Local Hidden User Account by Registry -EventType = Reg.Any -Tag = creation-of-a-local-hidden-user-account-by-registry +RuleId = 32b96012-7892-429e-b26c-ac2bf46066ff +RuleName = Shell32 DLL Execution in Suspicious Directory +EventType = Process.Start +Tag = proc-start-shell32-dll-execution-in-suspicious-directory RiskScore = 75 -Annotation = {"mitre_attack": ["T1136.001"], "author": "Christian Burkard (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SAM\\SAM\\Domains\\Account\\Users\\Names\\%" and Reg.TargetObject like r"%$" and Process.Path like r"%\\lsass.exe" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1218.011"], "author": "Christian Burkard (Nextron Systems)"} +Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%Control\_RunDLL%" and (Process.CommandLine like r"%\%AppData\%%" or Process.CommandLine like r"%\%LocalAppData\%%" or Process.CommandLine like r"%\%Temp\%%" or Process.CommandLine like r"%\%tmp\%%" or Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Temp\\%" or Process.CommandLine like r"%\\Users\\Public\\%") [ThreatDetectionRule platform=Windows] -# Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. -# AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. -# Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious. 
-# Author: Florian Roth (Nextron Systems) -RuleId = f4264e47-f522-4c38-a420-04525d5b880f -RuleName = Renamed AutoIt Execution +# Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields. +# Author: X__Junior (Nextron Systems) +RuleId = 264982dc-dbad-4dce-b707-1e0d3e0f73d9 +RuleName = Renamed NirCmd.EXE Execution EventType = Process.Start -Tag = proc-start-renamed-autoit-execution +Tag = proc-start-renamed-nircmd.exe-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1027"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.CommandLine like r"% /AutoIt3ExecuteScript%" or Process.CommandLine like r"% /ErrorStdOut%" or Process.Hashes like r"%IMPHASH=FDC554B3A8683918D731685855683DDF%" or Process.Hashes like r"%IMPHASH=CD30A61B60B3D60CECDB034C8C83C290%" or Process.Hashes like r"%IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000%" or Process.Name in ["AutoIt3.exe", "AutoIt2.exe", "AutoIt.exe"]) and not (Process.Path like r"%\\AutoIt.exe" or Process.Path like r"%\\AutoIt2.exe" or Process.Path like r"%\\AutoIt3\_x64.exe" or Process.Path like r"%\\AutoIt3.exe") -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1059", "T1202"], "author": "X__Junior (Nextron Systems)"} +Query = Process.Name == "NirCmd.exe" and not (Process.Path like r"%\\nircmd.exe" or Process.Path like r"%\\nircmdc.exe") [ThreatDetectionRule platform=Windows] -# Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions. -# Author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems) -RuleId = 979baf41-ca44-4540-9d0c-4fcef3b5a3a4 -RuleName = Potential File Extension Spoofing Using Right-to-Left Override -EventType = File.Create -Tag = potential-file-extension-spoofing-using-right-to-left-override +# Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. 
+# Author: @Kostastsale, @TheDFIRReport +RuleId = c98f2a0d-e1b8-4f76-90d3-359caf88d6b9 +RuleName = Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 +EventType = Process.Start +Tag = proc-start-potential-defense-evasion-activity-via-emoji-usage-in-commandline-2 RiskScore = 75 -Annotation = {"mitre_attack": ["T1036.002"], "author": "Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems)"} -Query = File.Path like r"%\\u202e%" and (File.Path like r"%fpd..%" or File.Path like r"%nls..%" or File.Path like r"%vsc..%" or File.Path like r"%xcod.%" or File.Path like r"%xslx.%") -GenericProperty1 = File.Path +Annotation = {"author": "@Kostastsale, @TheDFIRReport"} +Query = Process.CommandLine like r"%🤷🏼%" or Process.CommandLine like r"%🤷🏼‍♂️%" or Process.CommandLine like r"%🙎🏼‍♀️%" or Process.CommandLine like r"%🙎🏼%" or Process.CommandLine like r"%🙎🏼‍♂️%" or Process.CommandLine like r"%🙍🏼‍♀️%" or Process.CommandLine like r"%🙍🏼%" or Process.CommandLine like r"%🙍🏼‍♂️%" or Process.CommandLine like r"%💇🏼‍♀️%" or Process.CommandLine like r"%💇🏼%" or Process.CommandLine like r"%💇🏼‍♂️%" or Process.CommandLine like r"%💆🏼‍♀️%" or Process.CommandLine like r"%💆🏼%" or Process.CommandLine like r"%💆🏼‍♂️%" or Process.CommandLine like r"%🧖🏼‍♀️%" or Process.CommandLine like r"%🧖🏼%" or Process.CommandLine like r"%🧖🏼‍♂️%" or Process.CommandLine like r"%💃🏼%" or Process.CommandLine like r"%🕺🏼%" or Process.CommandLine like r"%🕴🏼%" or Process.CommandLine like r"%👩🏼‍🦽%" or Process.CommandLine like r"%🧑🏼‍🦽%" or Process.CommandLine like r"%👨🏼‍🦽%" or Process.CommandLine like r"%👩🏼‍🦼%" or Process.CommandLine like r"%🧑🏼‍🦼%" or Process.CommandLine like r"%👨🏼‍🦼%" or Process.CommandLine like r"%🚶🏼‍♀️%" or Process.CommandLine like r"%🚶🏼%" or Process.CommandLine like r"%🚶🏼‍♂️%" or Process.CommandLine like r"%👩🏼‍🦯%" or Process.CommandLine like r"%🧑🏼‍🦯%" or Process.CommandLine like r"%👨🏼‍🦯%" or Process.CommandLine like r"%🧎🏼‍♀️%" or Process.CommandLine like r"%🧎🏼%" or 
Process.CommandLine like r"%🧎🏼‍♂️%" or Process.CommandLine like r"%🏃🏼‍♀️%" or Process.CommandLine like r"%🏃🏼%" or Process.CommandLine like r"%🏃🏼‍♂️%" or Process.CommandLine like r"%🧍🏼‍♀️%" or Process.CommandLine like r"%🧍🏼%" or Process.CommandLine like r"%🧍🏼‍♂️%" or Process.CommandLine like r"%👭🏼%" or Process.CommandLine like r"%🧑🏼‍🤝‍🧑🏼%" or Process.CommandLine like r"%👬🏼%" or Process.CommandLine like r"%👫🏼%" or Process.CommandLine like r"%🧗🏼‍♀️%" or Process.CommandLine like r"%🧗🏼%" or Process.CommandLine like r"%🧗🏼‍♂️%" or Process.CommandLine like r"%🏇🏼%" or Process.CommandLine like r"%🏂🏼%" or Process.CommandLine like r"%🏌🏼‍♀️%" or Process.CommandLine like r"%🏌🏼%" or Process.CommandLine like r"%🏌🏼‍♂️%" or Process.CommandLine like r"%🏄🏼‍♀️%" or Process.CommandLine like r"%🏄🏼%" or Process.CommandLine like r"%🏄🏼‍♂️%" or Process.CommandLine like r"%🚣🏼‍♀️%" or Process.CommandLine like r"%🚣🏼%" or Process.CommandLine like r"%🚣🏼‍♂️%" or Process.CommandLine like r"%🏊🏼‍♀️%" or Process.CommandLine like r"%🏊🏼%" or Process.CommandLine like r"%🏊🏼‍♂️%" or Process.CommandLine like r"%⛹🏼‍♀️%" or Process.CommandLine like r"%⛹🏼%" or Process.CommandLine like r"%⛹🏼‍♂️%" or Process.CommandLine like r"%🏋🏼‍♀️%" or Process.CommandLine like r"%🏋🏼%" or Process.CommandLine like r"%🏋🏼‍♂️%" or Process.CommandLine like r"%🚴🏼‍♀️%" or Process.CommandLine like r"%🚴🏼%" or Process.CommandLine like r"%🚴🏼‍♂️%" or Process.CommandLine like r"%🚵🏼‍♀️%" or Process.CommandLine like r"%🚵🏼%" or Process.CommandLine like r"%🚵🏼‍♂️%" or Process.CommandLine like r"%🤸🏼‍♀️%" or Process.CommandLine like r"%🤸🏼%" or Process.CommandLine like r"%🤸🏼‍♂️%" or Process.CommandLine like r"%🤽🏼‍♀️%" or Process.CommandLine like r"%🤽🏼%" or Process.CommandLine like r"%🤽🏼‍♂️%" or Process.CommandLine like r"%🤾🏼‍♀️%" or Process.CommandLine like r"%🤾🏼%" or Process.CommandLine like r"%🤾🏼‍♂️%" or Process.CommandLine like r"%🤹🏼‍♀️%" or Process.CommandLine like r"%🤹🏼%" or Process.CommandLine like r"%🤹🏼‍♂️%" or Process.CommandLine like 
r"%🧘🏼‍♀️%" or Process.CommandLine like r"%🧘🏼%" or Process.CommandLine like r"%🧘🏼‍♂️%" or Process.CommandLine like r"%🛀🏼%" or Process.CommandLine like r"%🛌🏼%" or Process.CommandLine like r"%👋🏽%" or Process.CommandLine like r"%🤚🏽%" or Process.CommandLine like r"%🖐🏽%" or Process.CommandLine like r"%✋🏽%" or Process.CommandLine like r"%🖖🏽%" or Process.CommandLine like r"%👌🏽%" or Process.CommandLine like r"%🤌🏽%" or Process.CommandLine like r"%🤏🏽%" or Process.CommandLine like r"%✌🏽%" or Process.CommandLine like r"%🤞🏽%" or Process.CommandLine like r"%🫰🏽%" or Process.CommandLine like r"%🤟🏽%" or Process.CommandLine like r"%🤘🏽%" or Process.CommandLine like r"%🤙🏽%" or Process.CommandLine like r"%🫵🏽%" or Process.CommandLine like r"%🫱🏽%" or Process.CommandLine like r"%🫲🏽%" or Process.CommandLine like r"%🫳🏽%" or Process.CommandLine like r"%🫴🏽%" or Process.CommandLine like r"%👈🏽%" or Process.CommandLine like r"%👉🏽%" or Process.CommandLine like r"%👆🏽%" or Process.CommandLine like r"%🖕🏽%" or Process.CommandLine like r"%👇🏽%" or Process.CommandLine like r"%☝🏽%" or Process.CommandLine like r"%👍🏽%" or Process.CommandLine like r"%👎🏽%" or Process.CommandLine like r"%✊🏽%" or Process.CommandLine like r"%👊🏽%" or Process.CommandLine like r"%🤛🏽%" or Process.CommandLine like r"%🤜🏽%" or Process.CommandLine like r"%👏🏽%" or Process.CommandLine like r"%🫶🏽%" or Process.CommandLine like r"%🙌🏽%" or Process.CommandLine like r"%👐🏽%" or Process.CommandLine like r"%🤲🏽%" or Process.CommandLine like r"%🙏🏽%" or Process.CommandLine like r"%✍🏽%" or Process.CommandLine like r"%💪🏽%" or Process.CommandLine like r"%🦵🏽%" or Process.CommandLine like r"%🦶🏽%" or Process.CommandLine like r"%👂🏽%" or Process.CommandLine like r"%🦻🏽%" or Process.CommandLine like r"%👃🏽%" or Process.CommandLine like r"%👶🏽%" or Process.CommandLine like r"%👧🏽%" or Process.CommandLine like r"%🧒🏽%" or Process.CommandLine like r"%👦🏽%" or Process.CommandLine like r"%👩🏽%" or Process.CommandLine like r"%🧑🏽%" or Process.CommandLine like r"%👨🏽%" or 
Process.CommandLine like r"%👩🏽‍🦱%" or Process.CommandLine like r"%🧑🏽‍🦱%" or Process.CommandLine like r"%👨🏽‍🦱%" or Process.CommandLine like r"%👩🏽‍🦰%" or Process.CommandLine like r"%🧑🏽‍🦰%" or Process.CommandLine like r"%👨🏽‍🦰%" or Process.CommandLine like r"%👱🏽‍♀️%" or Process.CommandLine like r"%👱🏽%" or Process.CommandLine like r"%👱🏽‍♂️%" or Process.CommandLine like r"%👩🏽‍🦳%" or Process.CommandLine like r"%🧑🏽‍🦳%" or Process.CommandLine like r"%👨🏽‍🦳%" or Process.CommandLine like r"%👩🏽‍🦲%" or Process.CommandLine like r"%🧑🏽‍🦲%" or Process.CommandLine like r"%👨🏽‍🦲%" or Process.CommandLine like r"%🧔🏽‍♀️%" or Process.CommandLine like r"%🧔🏽%" or Process.CommandLine like r"%🧔🏽‍♂️%" or Process.CommandLine like r"%👵🏽%" or Process.CommandLine like r"%🧓🏽%" or Process.CommandLine like r"%👴🏽%" or Process.CommandLine like r"%👲🏽%" or Process.CommandLine like r"%👳🏽‍♀️%" or Process.CommandLine like r"%👳🏽%" or Process.CommandLine like r"%👳🏽‍♂️%" or Process.CommandLine like r"%🧕🏽%" or Process.CommandLine like r"%👮🏽‍♀️%" or Process.CommandLine like r"%👮🏽%" or Process.CommandLine like r"%👮🏽‍♂️%" or Process.CommandLine like r"%👷🏽‍♀️%" or Process.CommandLine like r"%👷🏽%" or Process.CommandLine like r"%👷🏽‍♂️%" or Process.CommandLine like r"%💂🏽‍♀️%" or Process.CommandLine like r"%💂🏽%" or Process.CommandLine like r"%💂🏽‍♂️%" or Process.CommandLine like r"%🕵🏽‍♀️%" or Process.CommandLine like r"%🕵🏽%" or Process.CommandLine like r"%🕵🏽‍♂️%" or Process.CommandLine like r"%👩🏽‍⚕️%" or Process.CommandLine like r"%🧑🏽‍⚕️%" or Process.CommandLine like r"%👨🏽‍⚕️%" or Process.CommandLine like r"%👩🏽‍🌾%" or Process.CommandLine like r"%🧑🏽‍🌾%" or Process.CommandLine like r"%👨🏽‍🌾%" or Process.CommandLine like r"%👩🏽‍🍳%" or Process.CommandLine like r"%🧑🏽‍🍳%" or Process.CommandLine like r"%👨🏽‍🍳%" or Process.CommandLine like r"%👩🏽‍🎓%" or Process.CommandLine like r"%🧑🏽‍🎓%" or Process.CommandLine like r"%👨🏽‍🎓%" or Process.CommandLine like r"%👩🏽‍🎤%" or Process.CommandLine like r"%🧑🏽‍🎤%" or Process.CommandLine like 
r"%👨🏽‍🎤%" or Process.CommandLine like r"%👩🏽‍🏫%" or Process.CommandLine like r"%🧑🏽‍🏫%" or Process.CommandLine like r"%👨🏽‍🏫%" or Process.CommandLine like r"%👩🏽‍🏭%" or Process.CommandLine like r"%🧑🏽‍🏭%" or Process.CommandLine like r"%👨🏽‍🏭%" or Process.CommandLine like r"%👩🏽‍💻%" or Process.CommandLine like r"%🧑🏽‍💻%" or Process.CommandLine like r"%👨🏽‍💻%" or Process.CommandLine like r"%👩🏽‍💼%" or Process.CommandLine like r"%🧑🏽‍💼%" or Process.CommandLine like r"%👨🏽‍💼%" or Process.CommandLine like r"%👩🏽‍🔧%" or Process.CommandLine like r"%🧑🏽‍🔧%" or Process.CommandLine like r"%👨🏽‍🔧%" or Process.CommandLine like r"%👩🏽‍🔬%" or Process.CommandLine like r"%🧑🏽‍🔬%" or Process.CommandLine like r"%👨🏽‍🔬%" or Process.CommandLine like r"%👩🏽‍🎨%" or Process.CommandLine like r"%🧑🏽‍🎨%" or Process.CommandLine like r"%👨🏽‍🎨%" or Process.CommandLine like r"%👩🏽‍🚒%" or Process.CommandLine like r"%🧑🏽‍🚒%" or Process.CommandLine like r"%👨🏽‍🚒%" or Process.CommandLine like r"%👩🏽‍✈️%" or Process.CommandLine like r"%🧑🏽‍✈️%" or Process.CommandLine like r"%👨🏽‍✈️%" or Process.CommandLine like r"%👩🏽‍🚀%" or Process.CommandLine like r"%🧑🏽‍🚀%" or Process.CommandLine like r"%👨🏽‍🚀%" or Process.CommandLine like r"%👩🏽‍⚖️%" or Process.CommandLine like r"%🧑🏽‍⚖️%" or Process.CommandLine like r"%👨🏽‍⚖️%" or Process.CommandLine like r"%👰🏽‍♀️%" or Process.CommandLine like r"%👰🏽%" or Process.CommandLine like r"%👰🏽‍♂️%" or Process.CommandLine like r"%🤵🏽‍♀️%" or Process.CommandLine like r"%🤵🏽%" or Process.CommandLine like r"%🤵🏽‍♂️%" or Process.CommandLine like r"%👸🏽%" or Process.CommandLine like r"%🫅🏽%" or Process.CommandLine like r"%🤴🏽%" or Process.CommandLine like r"%🥷🏽%" or Process.CommandLine like r"%🦸🏽‍♀️%" or Process.CommandLine like r"%🦸🏽%" or Process.CommandLine like r"%🦸🏽‍♂️%" or Process.CommandLine like r"%🦹🏽‍♀️%" or Process.CommandLine like r"%🦹🏽%" or Process.CommandLine like r"%🦹🏽‍♂️%" or Process.CommandLine like r"%🤶🏽%" or Process.CommandLine like r"%🧑🏽‍🎄%" or Process.CommandLine like r"%🎅🏽%" or 
Process.CommandLine like r"%🧙🏽‍♀️%" or Process.CommandLine like r"%🧙🏽%" or Process.CommandLine like r"%🧙🏽‍♂️%" or Process.CommandLine like r"%🧝🏽‍♀️%" or Process.CommandLine like r"%🧝🏽%" or Process.CommandLine like r"%🧝🏽‍♂️%" or Process.CommandLine like r"%🧛🏽‍♀️%" or Process.CommandLine like r"%🧛🏽%" or Process.CommandLine like r"%🧛🏽‍♂️%" or Process.CommandLine like r"%🧜🏽‍♀️%" or Process.CommandLine like r"%🧜🏽%" or Process.CommandLine like r"%🧜🏽‍♂️%" or Process.CommandLine like r"%🧚🏽‍♀️%" or Process.CommandLine like r"%🧚🏽%" or Process.CommandLine like r"%🧚🏽‍♂️%" or Process.CommandLine like r"%👼🏽%" or Process.CommandLine like r"%🤰🏽%" or Process.CommandLine like r"%🫄🏽%" or Process.CommandLine like r"%🫃🏽%" or Process.CommandLine like r"%🤱🏽%" or Process.CommandLine like r"%👩🏽‍🍼%" or Process.CommandLine like r"%🧑🏽‍🍼%" or Process.CommandLine like r"%👨🏽‍🍼%" or Process.CommandLine like r"%🙇🏽‍♀️%" or Process.CommandLine like r"%🙇🏽%" or Process.CommandLine like r"%🙇🏽‍♂️%" or Process.CommandLine like r"%💁🏽‍♀️%" or Process.CommandLine like r"%💁🏽%" or Process.CommandLine like r"%💁🏽‍♂️%" or Process.CommandLine like r"%🙅🏽‍♀️%" or Process.CommandLine like r"%🙅🏽%" or Process.CommandLine like r"%🙅🏽‍♂️%" or Process.CommandLine like r"%🙆🏽‍♀️%" or Process.CommandLine like r"%🙆🏽%" or Process.CommandLine like r"%🙆🏽‍♂️%" or Process.CommandLine like r"%🙋🏽‍♀️%" or Process.CommandLine like r"%🙋🏽%" or Process.CommandLine like r"%🙋🏽‍♂️%" or Process.CommandLine like r"%🧏🏽‍♀️%" or Process.CommandLine like r"%🧏🏽%" or Process.CommandLine like r"%🧏🏽‍♂️%" or Process.CommandLine like r"%🤦🏽‍♀️%" or Process.CommandLine like r"%🤦🏽%" or Process.CommandLine like r"%🤦🏽‍♂️%" or Process.CommandLine like r"%🤷🏽‍♀️%" or Process.CommandLine like r"%🤷🏽%" or Process.CommandLine like r"%🤷🏽‍♂️%" or Process.CommandLine like r"%🙎🏽‍♀️%" or Process.CommandLine like r"%🙎🏽%" or Process.CommandLine like r"%🙎🏽‍♂️%" or Process.CommandLine like r"%🙍🏽‍♀️%" or Process.CommandLine like r"%🙍🏽%" or Process.CommandLine like 
r"%🙍🏽‍♂️%" or Process.CommandLine like r"%💇🏽‍♀️%" or Process.CommandLine like r"%💇🏽%" or Process.CommandLine like r"%💇🏽‍♂️%" or Process.CommandLine like r"%💆🏽‍♀️%" or Process.CommandLine like r"%💆🏽%" or Process.CommandLine like r"%💆🏽‍♂️%" or Process.CommandLine like r"%🧖🏽‍♀️%" or Process.CommandLine like r"%🧖🏽%" or Process.CommandLine like r"%🧖🏽‍♂️%" or Process.CommandLine like r"%💃🏽%" or Process.CommandLine like r"%🕺🏽%" or Process.CommandLine like r"%🕴🏽%" or Process.CommandLine like r"%👩🏽‍🦽%" or Process.CommandLine like r"%🧑🏽‍🦽%" or Process.CommandLine like r"%👨🏽‍🦽%" or Process.CommandLine like r"%👩🏽‍🦼%" or Process.CommandLine like r"%🧑🏽‍🦼%" or Process.CommandLine like r"%👨🏽‍🦼%" or Process.CommandLine like r"%🚶🏽‍♀️%" or Process.CommandLine like r"%🚶🏽%" or Process.CommandLine like r"%🚶🏽‍♂️%" or Process.CommandLine like r"%👩🏽‍🦯%" or Process.CommandLine like r"%🧑🏽‍🦯%" or Process.CommandLine like r"%👨🏽‍🦯%" or Process.CommandLine like r"%🧎🏽‍♀️%" or Process.CommandLine like r"%🧎🏽%" or Process.CommandLine like r"%🧎🏽‍♂️%" or Process.CommandLine like r"%🏃🏽‍♀️%" or Process.CommandLine like r"%🏃🏽%" or Process.CommandLine like r"%🏃🏽‍♂️%" or Process.CommandLine like r"%🧍🏽‍♀️%" or Process.CommandLine like r"%🧍🏽%" or Process.CommandLine like r"%🧍🏽‍♂️%" or Process.CommandLine like r"%👭🏽%" or Process.CommandLine like r"%🧑🏽‍🤝‍🧑🏽%" or Process.CommandLine like r"%👬🏽%" or Process.CommandLine like r"%👫🏽%" or Process.CommandLine like r"%🧗🏽‍♀️%" or Process.CommandLine like r"%🧗🏽%" or Process.CommandLine like r"%🧗🏽‍♂️%" or Process.CommandLine like r"%🏇🏽%" or Process.CommandLine like r"%🏂🏽%" or Process.CommandLine like r"%🏌🏽‍♀️%" or Process.CommandLine like r"%🏌🏽%" or Process.CommandLine like r"%🏌🏽‍♂️%" or Process.CommandLine like r"%🏄🏽‍♀️%" or Process.CommandLine like r"%🏄🏽%" or Process.CommandLine like r"%🏄🏽‍♂️%" or Process.CommandLine like r"%🚣🏽‍♀️%" or Process.CommandLine like r"%🚣🏽%" or Process.CommandLine like r"%🚣🏽‍♂️%" or Process.CommandLine like r"%🏊🏽‍♀️%" or Process.CommandLine 
like r"%🏊🏽%" or Process.CommandLine like r"%🏊🏽‍♂️%" or Process.CommandLine like r"%⛹🏽‍♀️%" or Process.CommandLine like r"%⛹🏽%" or Process.CommandLine like r"%⛹🏽‍♂️%" or Process.CommandLine like r"%🏋🏽‍♀️%" or Process.CommandLine like r"%🏋🏽%" or Process.CommandLine like r"%🏋🏽‍♂️%" or Process.CommandLine like r"%🚴🏽‍♀️%" or Process.CommandLine like r"%🚴🏽%" or Process.CommandLine like r"%🚴🏽‍♂️%" or Process.CommandLine like r"%🚵🏽‍♀️%" or Process.CommandLine like r"%🚵🏽%" or Process.CommandLine like r"%🚵🏽‍♂️%" or Process.CommandLine like r"%🤸🏽‍♀️%" or Process.CommandLine like r"%🤸🏽%" or Process.CommandLine like r"%🤸🏽‍♂️%" or Process.CommandLine like r"%🤽🏽‍♀️%" or Process.CommandLine like r"%🤽🏽%" or Process.CommandLine like r"%🤽🏽‍♂️%" or Process.CommandLine like r"%🤾🏽‍♀️%" or Process.CommandLine like r"%🤾🏽%" or Process.CommandLine like r"%🤾🏽‍♂️%" or Process.CommandLine like r"%🤹🏽‍♀️%" or Process.CommandLine like r"%🤹🏽%" or Process.CommandLine like r"%🤹🏽‍♂️%" or Process.CommandLine like r"%🧘🏽‍♀️%" or Process.CommandLine like r"%🧘🏽%" or Process.CommandLine like r"%🧘🏽‍♂️%" or Process.CommandLine like r"%🛀🏽%" or Process.CommandLine like r"%🛌🏽%" or Process.CommandLine like r"%👋🏾%" or Process.CommandLine like r"%🤚🏾%" or Process.CommandLine like r"%🖐🏾%" or Process.CommandLine like r"%✋🏾%" or Process.CommandLine like r"%🖖🏾%" or Process.CommandLine like r"%👌🏾%" or Process.CommandLine like r"%🤌🏾%" or Process.CommandLine like r"%🤏🏾%" or Process.CommandLine like r"%✌🏾%" or Process.CommandLine like r"%🤞🏾%" or Process.CommandLine like r"%🫰🏾%" or Process.CommandLine like r"%🤟🏾%" or Process.CommandLine like r"%🤘🏾%" or Process.CommandLine like r"%🤙🏾%" or Process.CommandLine like r"%🫵🏾%" or Process.CommandLine like r"%🫱🏾%" or Process.CommandLine like r"%🫲🏾%" or Process.CommandLine like r"%🫳🏾%" or Process.CommandLine like r"%🫴🏾%" or Process.CommandLine like r"%👈🏾%" or Process.CommandLine like r"%👉🏾%" or Process.CommandLine like r"%👆🏾%" or Process.CommandLine like r"%🖕🏾%" or 
Process.CommandLine like r"%👇🏾%" or Process.CommandLine like r"%☝🏾%" or Process.CommandLine like r"%👍🏾%" or Process.CommandLine like r"%👎🏾%" or Process.CommandLine like r"%✊🏾%" or Process.CommandLine like r"%👊🏾%" or Process.CommandLine like r"%🤛🏾%" or Process.CommandLine like r"%🤜🏾%" or Process.CommandLine like r"%👏🏾%" or Process.CommandLine like r"%🫶🏾%" or Process.CommandLine like r"%🙌🏾%" or Process.CommandLine like r"%👐🏾%" or Process.CommandLine like r"%🤲🏾%" or Process.CommandLine like r"%🙏🏾%" or Process.CommandLine like r"%✍🏾%" or Process.CommandLine like r"%💪🏾%" or Process.CommandLine like r"%🦵🏾%" or Process.CommandLine like r"%🦶🏾%" or Process.CommandLine like r"%👂🏾%" or Process.CommandLine like r"%🦻🏾%" or Process.CommandLine like r"%👃🏾%" or Process.CommandLine like r"%👶🏾%" or Process.CommandLine like r"%👧🏾%" or Process.CommandLine like r"%🧒🏾%" or Process.CommandLine like r"%👦🏾%" or Process.CommandLine like r"%👩🏾%" or Process.CommandLine like r"%🧑🏾%" or Process.CommandLine like r"%👨🏾%" or Process.CommandLine like r"%👩🏾‍🦱%" or Process.CommandLine like r"%🧑🏾‍🦱%" or Process.CommandLine like r"%👨🏾‍🦱%" or Process.CommandLine like r"%👩🏾‍🦰%" or Process.CommandLine like r"%🧑🏾‍🦰%" or Process.CommandLine like r"%👨🏾‍🦰%" or Process.CommandLine like r"%👱🏾‍♀️%" or Process.CommandLine like r"%👱🏾%" or Process.CommandLine like r"%👱🏾‍♂️%" or Process.CommandLine like r"%👩🏾‍🦳%" or Process.CommandLine like r"%🧑🏾‍🦳%" or Process.CommandLine like r"%👨🏾‍🦳%" or Process.CommandLine like r"%👩🏾‍🦲%" or Process.CommandLine like r"%🧑🏾‍🦲%" or Process.CommandLine like r"%👨🏾‍🦲%" or Process.CommandLine like r"%🧔🏾‍♀️%" or Process.CommandLine like r"%🧔🏾%" or Process.CommandLine like r"%🧔🏾‍♂️%" or Process.CommandLine like r"%👵🏾%" or Process.CommandLine like r"%🧓🏾%" or Process.CommandLine like r"%👴🏾%" or Process.CommandLine like r"%👲🏾%" or Process.CommandLine like r"%👳🏾‍♀️%" or Process.CommandLine like r"%👳🏾%" or Process.CommandLine like r"%👳🏾‍♂️%" or Process.CommandLine like r"%🧕🏾%" or 
Process.CommandLine like r"%👮🏾‍♀️%" or Process.CommandLine like r"%👮🏾%" or Process.CommandLine like r"%👮🏾‍♂️%" or Process.CommandLine like r"%👷🏾‍♀️%" or Process.CommandLine like r"%👷🏾%" or Process.CommandLine like r"%👷🏾‍♂️%" or Process.CommandLine like r"%💂🏾‍♀️%" or Process.CommandLine like r"%💂🏾%" or Process.CommandLine like r"%💂🏾‍♂️%" or Process.CommandLine like r"%🕵🏾‍♀️%" or Process.CommandLine like r"%🕵🏾%" or Process.CommandLine like r"%🕵🏾‍♂️%" or Process.CommandLine like r"%👩🏾‍⚕️%" or Process.CommandLine like r"%🧑🏾‍⚕️%" or Process.CommandLine like r"%👨🏾‍⚕️%" or Process.CommandLine like r"%👩🏾‍🌾%" or Process.CommandLine like r"%🧑🏾‍🌾%" or Process.CommandLine like r"%👨🏾‍🌾%" or Process.CommandLine like r"%👩🏾‍🍳%" or Process.CommandLine like r"%🧑🏾‍🍳%" or Process.CommandLine like r"%👨🏾‍🍳%" or Process.CommandLine like r"%👩🏾‍🎓%" or Process.CommandLine like r"%🧑🏾‍🎓%" or Process.CommandLine like r"%👨🏾‍🎓%" or Process.CommandLine like r"%👩🏾‍🎤%" or Process.CommandLine like r"%🧑🏾‍🎤%" or Process.CommandLine like r"%👨🏾‍🎤%" or Process.CommandLine like r"%👩🏾‍🏫%" or Process.CommandLine like r"%🧑🏾‍🏫%" or Process.CommandLine like r"%👨🏾‍🏫%" or Process.CommandLine like r"%👩🏾‍🏭%" or Process.CommandLine like r"%🧑🏾‍🏭%" or Process.CommandLine like r"%👨🏾‍🏭%" or Process.CommandLine like r"%👩🏾‍💻%" or Process.CommandLine like r"%🧑🏾‍💻%" or Process.CommandLine like r"%👨🏾‍💻%" or Process.CommandLine like r"%👩🏾‍💼%" or Process.CommandLine like r"%🧑🏾‍💼%" or Process.CommandLine like r"%👨🏾‍💼%" or Process.CommandLine like r"%👩🏾‍🔧%" or Process.CommandLine like r"%🧑🏾‍🔧%" or Process.CommandLine like r"%👨🏾‍🔧%" or Process.CommandLine like r"%👩🏾‍🔬%" or Process.CommandLine like r"%🧑🏾‍🔬%" or Process.CommandLine like r"%👨🏾‍🔬%" or Process.CommandLine like r"%👩🏾‍🎨%" or Process.CommandLine like r"%🧑🏾‍🎨%" or Process.CommandLine like r"%👨🏾‍🎨%" or Process.CommandLine like r"%👩🏾‍🚒%" or Process.CommandLine like r"%🧑🏾‍🚒%" or Process.CommandLine like r"%👨🏾‍🚒%" or Process.CommandLine like r"%👩🏾‍✈️%" or Process.CommandLine 
like r"%🧑🏾‍✈️%" or Process.CommandLine like r"%👨🏾‍✈️%" or Process.CommandLine like r"%👩🏾‍🚀%" or Process.CommandLine like r"%🧑🏾‍🚀%" or Process.CommandLine like r"%👨🏾‍🚀%" or Process.CommandLine like r"%👩🏾‍⚖️%" or Process.CommandLine like r"%🧑🏾‍⚖️%" or Process.CommandLine like r"%👨🏾‍⚖️%" or Process.CommandLine like r"%👰🏾‍♀️%" or Process.CommandLine like r"%👰🏾%" or Process.CommandLine like r"%👰🏾‍♂️%" or Process.CommandLine like r"%🤵🏾‍♀️%" or Process.CommandLine like r"%🤵🏾%" or Process.CommandLine like r"%🤵🏾‍♂️%" or Process.CommandLine like r"%👸🏾%" or Process.CommandLine like r"%🫅🏾%" or Process.CommandLine like r"%🤴🏾%" or Process.CommandLine like r"%🥷🏾%" or Process.CommandLine like r"%🦸🏾‍♀️%" or Process.CommandLine like r"%🦸🏾%" or Process.CommandLine like r"%🦸🏾‍♂️%" or Process.CommandLine like r"%🦹🏾‍♀️%" or Process.CommandLine like r"%🦹🏾%" or Process.CommandLine like r"%🦹🏾‍♂️%" or Process.CommandLine like r"%🤶🏾%" or Process.CommandLine like r"%🧑🏾‍🎄%" or Process.CommandLine like r"%🎅🏾%" or Process.CommandLine like r"%🧙🏾‍♀️%" or Process.CommandLine like r"%🧙🏾%" or Process.CommandLine like r"%🧙🏾‍♂️%" or Process.CommandLine like r"%🧝🏾‍♀️%" or Process.CommandLine like r"%🧝🏾%" or Process.CommandLine like r"%🧝🏾‍♂️%" or Process.CommandLine like r"%🧛🏾‍♀️%" or Process.CommandLine like r"%🧛🏾%" or Process.CommandLine like r"%🧛🏾‍♂️%" or Process.CommandLine like r"%🧜🏾‍♀️%" or Process.CommandLine like r"%🧜🏾%" or Process.CommandLine like r"%🧜🏾‍♂️%" or Process.CommandLine like r"%🧚🏾‍♀️%" or Process.CommandLine like r"%🧚🏾%" or Process.CommandLine like r"%🧚🏾‍♂️%" or Process.CommandLine like r"%👼🏾%" or Process.CommandLine like r"%🤰🏾%" or Process.CommandLine like r"%🫄🏾%" or Process.CommandLine like r"%🫃🏾%" or Process.CommandLine like r"%🤱🏾%" or Process.CommandLine like r"%👩🏾‍🍼%" or Process.CommandLine like r"%🧑🏾‍🍼%" or Process.CommandLine like r"%👨🏾‍🍼%" or Process.CommandLine like r"%🙇🏾‍♀️%" or Process.CommandLine like r"%🙇🏾%" or Process.CommandLine like r"%🙇🏾‍♂️%" or Process.CommandLine 
like r"%💁🏾‍♀️%" or Process.CommandLine like r"%💁🏾%" or Process.CommandLine like r"%💁🏾‍♂️%" or Process.CommandLine like r"%🙅🏾‍♀️%" or Process.CommandLine like r"%🙅🏾%" or Process.CommandLine like r"%🙅🏾‍♂️%" or Process.CommandLine like r"%🙆🏾‍♀️%" or Process.CommandLine like r"%🙆🏾%" or Process.CommandLine like r"%🙆🏾‍♂️%" or Process.CommandLine like r"%🙋🏾‍♀️%" or Process.CommandLine like r"%🙋🏾%" or Process.CommandLine like r"%🙋🏾‍♂️%" or Process.CommandLine like r"%🧏🏾‍♀️%" or Process.CommandLine like r"%🧏🏾%" or Process.CommandLine like r"%🧏🏾‍♂️%" or Process.CommandLine like r"%🤦🏾‍♀️%" or Process.CommandLine like r"%🤦🏾%" or Process.CommandLine like r"%🤦🏾‍♂️%" or Process.CommandLine like r"%🤷🏾‍♀️%" or Process.CommandLine like r"%🤷🏾%" or Process.CommandLine like r"%🤷🏾‍♂️%" or Process.CommandLine like r"%🙎🏾‍♀️%" or Process.CommandLine like r"%🙎🏾%" or Process.CommandLine like r"%🙎🏾‍♂️%" or Process.CommandLine like r"%🙍🏾‍♀️%" or Process.CommandLine like r"%🙍🏾%" or Process.CommandLine like r"%🙍🏾‍♂️%" or Process.CommandLine like r"%💇🏾‍♀️%" or Process.CommandLine like r"%💇🏾%" or Process.CommandLine like r"%💇🏾‍♂️%" or Process.CommandLine like r"%💆🏾‍♀️%" or Process.CommandLine like r"%💆🏾%" or Process.CommandLine like r"%💆🏾‍♂️%" or Process.CommandLine like r"%🧖🏾‍♀️%" or Process.CommandLine like r"%🧖🏾%" or Process.CommandLine like r"%🧖🏾‍♂️%" or Process.CommandLine like r"%💃🏾%" or Process.CommandLine like r"%🕺🏾%" or Process.CommandLine like r"%👩🏾‍🦽%" or Process.CommandLine like r"%🧑🏾‍🦽%" or Process.CommandLine like r"%👨🏾‍🦽%" or Process.CommandLine like r"%👩🏾‍🦼%" or Process.CommandLine like r"%🧑🏾‍🦼%" or Process.CommandLine like r"%👨🏾‍🦼%" or Process.CommandLine like r"%🚶🏾‍♀️%" or Process.CommandLine like r"%🚶🏾%" or Process.CommandLine like r"%🚶🏾‍♂️%" or Process.CommandLine like r"%👩🏾‍🦯%" or Process.CommandLine like r"%🧑🏾‍🦯%" or Process.CommandLine like r"%👨🏾‍🦯%" or Process.CommandLine like r"%🧎🏾‍♀️%" or Process.CommandLine like r"%🧎🏾%" or Process.CommandLine like r"%🧎🏾‍♂️%" or 
Process.CommandLine like r"%🏃🏾‍♀️%" or Process.CommandLine like r"%🏃🏾%" or Process.CommandLine like r"%🏃🏾‍♂️%" or Process.CommandLine like r"%🧍🏾‍♀️%" or Process.CommandLine like r"%🧍🏾%" or Process.CommandLine like r"%🧍🏾‍♂️%" or Process.CommandLine like r"%👭🏾%" or Process.CommandLine like r"%🧑🏾‍🤝‍🧑🏾%" or Process.CommandLine like r"%👬🏾%" or Process.CommandLine like r"%👫🏾%" or Process.CommandLine like r"%🧗🏾‍♀️%" or Process.CommandLine like r"%🧗🏾%" or Process.CommandLine like r"%🧗🏾‍♂️%" or Process.CommandLine like r"%🏇🏾%" or Process.CommandLine like r"%🏂🏾%" or Process.CommandLine like r"%🏌🏾‍♀️%" or Process.CommandLine like r"%🏌🏾%" or Process.CommandLine like r"%🏌🏾‍♂️%" or Process.CommandLine like r"%🏄🏾‍♀️%" or Process.CommandLine like r"%🏄🏾%" or Process.CommandLine like r"%🏄🏾‍♂️%" or Process.CommandLine like r"%🚣🏾‍♀️%" or Process.CommandLine like r"%🚣🏾%" or Process.CommandLine like r"%🚣🏾‍♂️%" or Process.CommandLine like r"%🏊🏾‍♀️%" or Process.CommandLine like r"%🏊🏾%" or Process.CommandLine like r"%🏊🏾‍♂️%" or Process.CommandLine like r"%⛹🏾‍♀️%" or Process.CommandLine like r"%⛹🏾%" or Process.CommandLine like r"%⛹🏾‍♂️%" or Process.CommandLine like r"%🏋🏾‍♀️%" or Process.CommandLine like r"%🏋🏾%" or Process.CommandLine like r"%🏋🏾‍♂️%" or Process.CommandLine like r"%🚴🏾‍♀️%" or Process.CommandLine like r"%🚴🏾%" or Process.CommandLine like r"%🚴🏾‍♂️%" or Process.CommandLine like r"%🚵🏾‍♀️%" or Process.CommandLine like r"%🚵🏾%" or Process.CommandLine like r"%🚵🏾‍♂️%" or Process.CommandLine like r"%🤸🏾‍♀️%" or Process.CommandLine like r"%🤸🏾%" or Process.CommandLine like r"%🤸🏾‍♂️%" or Process.CommandLine like r"%🤽🏾‍♀️%" or Process.CommandLine like r"%🤽🏾%" or Process.CommandLine like r"%🤽🏾‍♂️%" or Process.CommandLine like r"%🤾🏾‍♀️%" or Process.CommandLine like r"%🤾🏾%" or Process.CommandLine like r"%🤾🏾‍♂️%" or Process.CommandLine like r"%🤹🏾‍♀️%" or Process.CommandLine like r"%🤹🏾%" or Process.CommandLine like r"%🤹🏾‍♂️%" or Process.CommandLine like r"%🧘🏾‍♀️%" or Process.CommandLine like 
r"%🧘🏾%" or Process.CommandLine like r"%🧘🏾‍♂️%" or Process.CommandLine like r"%🛀🏾%" or Process.CommandLine like r"%🛌🏾%" or Process.CommandLine like r"%👋🏿%" or Process.CommandLine like r"%🤚🏿%" or Process.CommandLine like r"%🖐🏿%" or Process.CommandLine like r"%✋🏿%" or Process.CommandLine like r"%🖖🏿%" or Process.CommandLine like r"%👌🏿%" or Process.CommandLine like r"%🤌🏿%" or Process.CommandLine like r"%🤏🏿%" or Process.CommandLine like r"%✌🏿%" or Process.CommandLine like r"%🤞🏿%" or Process.CommandLine like r"%🫰🏿%" or Process.CommandLine like r"%🤟🏿%" or Process.CommandLine like r"%🤘🏿%" or Process.CommandLine like r"%🤙🏿%" or Process.CommandLine like r"%🫵🏿%" or Process.CommandLine like r"%🫱🏿%" or Process.CommandLine like r"%🫲🏿%" or Process.CommandLine like r"%🫳🏿%" or Process.CommandLine like r"%🫴🏿%" or Process.CommandLine like r"%👈🏿%" or Process.CommandLine like r"%👉🏿%" or Process.CommandLine like r"%👆🏿%" or Process.CommandLine like r"%🖕🏿%" or Process.CommandLine like r"%👇🏿%" or Process.CommandLine like r"%☝🏿%" or Process.CommandLine like r"%👍🏿%" or Process.CommandLine like r"%👎🏿%" or Process.CommandLine like r"%✊🏿%" or Process.CommandLine like r"%👊🏿%" or Process.CommandLine like r"%🤛🏿%" or Process.CommandLine like r"%🤜🏿%" or Process.CommandLine like r"%👏🏿%" or Process.CommandLine like r"%🫶🏿%" or Process.CommandLine like r"%🙌🏿%" or Process.CommandLine like r"%👐🏿%" or Process.CommandLine like r"%🤲🏿%" or Process.CommandLine like r"%🙏🏿%" or Process.CommandLine like r"%✍🏿%" or Process.CommandLine like r"%🤳🏿%" or Process.CommandLine like r"%💪🏿%" or Process.CommandLine like r"%🦵🏿%" or Process.CommandLine like r"%🦶🏿%" or Process.CommandLine like r"%👂🏿%" or Process.CommandLine like r"%🦻🏿%" or Process.CommandLine like r"%👃🏿%" or Process.CommandLine like r"%👶🏿%" or Process.CommandLine like r"%👧🏿%" or Process.CommandLine like r"%🧒🏿%" or Process.CommandLine like r"%👦🏿%" or Process.CommandLine like r"%👩🏿%" or Process.CommandLine like r"%🧑🏿%" or Process.CommandLine like r"%👨🏿%" or 
Process.CommandLine like r"%👩🏿‍🦱%" or Process.CommandLine like r"%🧑🏿‍🦱%" or Process.CommandLine like r"%👨🏿‍🦱%" or Process.CommandLine like r"%👩🏿‍🦰%" or Process.CommandLine like r"%🧑🏿‍🦰%" or Process.CommandLine like r"%👨🏿‍🦰%" or Process.CommandLine like r"%👱🏿‍♀️%" or Process.CommandLine like r"%👱🏿%" or Process.CommandLine like r"%👱🏿‍♂️%" or Process.CommandLine like r"%👩🏿‍🦳%" or Process.CommandLine like r"%🧑🏿‍🦳%" or Process.CommandLine like r"%👨🏿‍🦳%" or Process.CommandLine like r"%👩🏿‍🦲%" or Process.CommandLine like r"%🧑🏿‍🦲%" or Process.CommandLine like r"%👨🏿‍🦲%" or Process.CommandLine like r"%🧔🏿‍♀️%" or Process.CommandLine like r"%🧔🏿%" or Process.CommandLine like r"%🧔🏿‍♂️%" or Process.CommandLine like r"%👵🏿%" or Process.CommandLine like r"%🧓🏿%" or Process.CommandLine like r"%👴🏿%" or Process.CommandLine like r"%👲🏿%" or Process.CommandLine like r"%👳🏿‍♀️%" or Process.CommandLine like r"%👳🏿%" or Process.CommandLine like r"%👳🏿‍♂️%" or Process.CommandLine like r"%🧕🏿%" or Process.CommandLine like r"%👮🏿‍♀️%" or Process.CommandLine like r"%👮🏿%" or Process.CommandLine like r"%👮🏿‍♂️%" or Process.CommandLine like r"%👷🏿‍♀️%" or Process.CommandLine like r"%👷🏿%" or Process.CommandLine like r"%👷🏿‍♂️%" or Process.CommandLine like r"%💂🏿‍♀️%" or Process.CommandLine like r"%💂🏿%" or Process.CommandLine like r"%💂🏿‍♂️%" or Process.CommandLine like r"%🕵🏿‍♀️%" or Process.CommandLine like r"%🕵🏿%" or Process.CommandLine like r"%🕵🏿‍♂️%" or Process.CommandLine like r"%👩🏿‍⚕️%" or Process.CommandLine like r"%🧑🏿‍⚕️%" or Process.CommandLine like r"%👨🏿‍⚕️%" or Process.CommandLine like r"%👩🏿‍🌾%" or Process.CommandLine like r"%🧑🏿‍🌾%" or Process.CommandLine like r"%👨🏿‍🌾%" or Process.CommandLine like r"%👩🏿‍🍳%" or Process.CommandLine like r"%🧑🏿‍🍳%" or Process.CommandLine like r"%👨🏿‍🍳%" or Process.CommandLine like r"%👩🏿‍🎓%" or Process.CommandLine like r"%🧑🏿‍🎓%" or Process.CommandLine like r"%👨🏿‍🎓%" or Process.CommandLine like r"%👩🏿‍🎤%" or Process.CommandLine like r"%🧑🏿‍🎤%" or Process.CommandLine like 
r"%👨🏿‍🎤%" or Process.CommandLine like r"%👩🏿‍🏫%" or Process.CommandLine like r"%🧑🏿‍🏫%" or Process.CommandLine like r"%👨🏿‍🏫%" or Process.CommandLine like r"%👩🏿‍🏭%" or Process.CommandLine like r"%🧑🏿‍🏭%" or Process.CommandLine like r"%👨🏿‍🏭%" or Process.CommandLine like r"%👩🏿‍💻%" or Process.CommandLine like r"%🧑🏿‍💻%" or Process.CommandLine like r"%👨🏿‍💻%" or Process.CommandLine like r"%👩🏿‍💼%" or Process.CommandLine like r"%🧑🏿‍💼%" or Process.CommandLine like r"%👨🏿‍💼%" or Process.CommandLine like r"%👩🏿‍🔧%" or Process.CommandLine like r"%🧑🏿‍🔧%" or Process.CommandLine like r"%👨🏿‍🔧%" or Process.CommandLine like r"%👩🏿‍🔬%" or Process.CommandLine like r"%🧑🏿‍🔬%" or Process.CommandLine like r"%👨🏿‍🔬%" or Process.CommandLine like r"%👩🏿‍🎨%" or Process.CommandLine like r"%🧑🏿‍🎨%" or Process.CommandLine like r"%👨🏿‍🎨%" or Process.CommandLine like r"%👩🏿‍🚒%" or Process.CommandLine like r"%🧑🏿‍🚒%" or Process.CommandLine like r"%👨🏿‍🚒%" or Process.CommandLine like r"%👩🏿‍✈️%" or Process.CommandLine like r"%🧑🏿‍✈️%" or Process.CommandLine like r"%👨🏿‍✈️%" or Process.CommandLine like r"%👩🏿‍🚀%" or Process.CommandLine like r"%🧑🏿‍🚀%" or Process.CommandLine like r"%👨🏿‍🚀%" or Process.CommandLine like r"%👩🏿‍⚖️%" or Process.CommandLine like r"%🧑🏿‍⚖️%" or Process.CommandLine like r"%👨🏿‍⚖️%" or Process.CommandLine like r"%👰🏿‍♀️%" or Process.CommandLine like r"%👰🏿%" or Process.CommandLine like r"%👰🏿‍♂️%" or Process.CommandLine like r"%🤵🏿‍♀️%" or Process.CommandLine like r"%🤵🏿%" or Process.CommandLine like r"%🤵🏿‍♂️%" or Process.CommandLine like r"%👸🏿%" or Process.CommandLine like r"%🫅🏿%" or Process.CommandLine like r"%🤴🏿%" or Process.CommandLine like r"%🥷🏿%" or Process.CommandLine like r"%🦸🏿‍♀️%" or Process.CommandLine like r"%🦸🏿%" or Process.CommandLine like r"%🦸🏿‍♂️%" or Process.CommandLine like r"%🦹🏿‍♀️%" or Process.CommandLine like r"%🦹🏿%" or Process.CommandLine like r"%🦹🏿‍♂️%" or Process.CommandLine like r"%🤶🏿%" or Process.CommandLine like r"%🧑🏿‍🎄%" or Process.CommandLine like r"%🎅🏿%" or 
Process.CommandLine like r"%🧙🏿‍♀️%" or Process.CommandLine like r"%🧙🏿%" or Process.CommandLine like r"%🧙🏿‍♂️%" or Process.CommandLine like r"%🧝🏿‍♀️%" or Process.CommandLine like r"%🧝🏿%" or Process.CommandLine like r"%🧝🏿‍♂️%" or Process.CommandLine like r"%🧛🏿‍♀️%" or Process.CommandLine like r"%🧛🏿%" or Process.CommandLine like r"%🧛🏿‍♂️%" or Process.CommandLine like r"%🧜🏿‍♀️%" or Process.CommandLine like r"%🧜🏿%" or Process.CommandLine like r"%🧜🏿‍♂️%" or Process.CommandLine like r"%🧚🏿‍♀️%" or Process.CommandLine like r"%🧚🏿%" or Process.CommandLine like r"%🧚🏿‍♂️%" or Process.CommandLine like r"%👼🏿%" or Process.CommandLine like r"%🤰🏿%" or Process.CommandLine like r"%🫄🏿%" or Process.CommandLine like r"%🫃🏿%" or Process.CommandLine like r"%🤱🏿%" or Process.CommandLine like r"%👩🏿‍🍼%" or Process.CommandLine like r"%🧑🏿‍🍼%" or Process.CommandLine like r"%👨🏿‍🍼%" or Process.CommandLine like r"%🙇🏿‍♀️%" or Process.CommandLine like r"%🙇🏿%" or Process.CommandLine like r"%🙇🏿‍♂️%" or Process.CommandLine like r"%💁🏿‍♀️%" or Process.CommandLine like r"%💁🏿%" or Process.CommandLine like r"%💁🏿‍♂️%" or Process.CommandLine like r"%🙅🏿‍♀️%" or Process.CommandLine like r"%🙅🏿%" or Process.CommandLine like r"%🙅🏿‍♂️%" or Process.CommandLine like r"%🙆🏿‍♀️%" or Process.CommandLine like r"%🙆🏿%" or Process.CommandLine like r"%🙆🏿‍♂️%" or Process.CommandLine like r"%🙋🏿‍♀️%" or Process.CommandLine like r"%🙋🏿%" or Process.CommandLine like r"%🙋🏿‍♂️%" or Process.CommandLine like r"%🧏🏿‍♀️%" or Process.CommandLine like r"%🧏🏿%" or Process.CommandLine like r"%🧏🏿‍♂️%" or Process.CommandLine like r"%🤦🏿‍♀️%" or Process.CommandLine like r"%🤦🏿%" or Process.CommandLine like r"%🤦🏿‍♂️%" or Process.CommandLine like r"%🤷🏿‍♀️%" or Process.CommandLine like r"%🤷🏿%" or Process.CommandLine like r"%🤷🏿‍♂️%" or Process.CommandLine like r"%🙎🏿‍♀️%" or Process.CommandLine like r"%🙎🏿%" or Process.CommandLine like r"%🙎🏿‍♂️%" or Process.CommandLine like r"%🙍🏿‍♀️%" or Process.CommandLine like r"%🙍🏿%" or Process.CommandLine like 
r"%🙍🏿‍♂️%" or Process.CommandLine like r"%💇🏿‍♀️%" or Process.CommandLine like r"%💇🏿%" or Process.CommandLine like r"%💇🏿‍♂️%" or Process.CommandLine like r"%💆🏿‍♀️%" or Process.CommandLine like r"%💆🏿%" or Process.CommandLine like r"%💆🏿‍♂️%" or Process.CommandLine like r"%🧖🏿‍♀️%" or Process.CommandLine like r"%🧖🏿%" or Process.CommandLine like r"%🧖🏿‍♂️%" or Process.CommandLine like r"%💃🏿%" or Process.CommandLine like r"%🕺🏿%" or Process.CommandLine like r"%🕴🏿%" or Process.CommandLine like r"%👩🏿‍🦽%" or Process.CommandLine like r"%🧑🏿‍🦽%" or Process.CommandLine like r"%👨🏿‍🦽%" or Process.CommandLine like r"%👩🏿‍🦼%" or Process.CommandLine like r"%🧑🏿‍🦼%" or Process.CommandLine like r"%👨🏿‍🦼%" or Process.CommandLine like r"%🚶🏿‍♀️%" or Process.CommandLine like r"%🚶🏿%" or Process.CommandLine like r"%🚶🏿‍♂️%" or Process.CommandLine like r"%👩🏿‍🦯%" or Process.CommandLine like r"%🧑🏿‍🦯%" or Process.CommandLine like r"%👨🏿‍🦯%" or Process.CommandLine like r"%🧎🏿‍♀️%" or Process.CommandLine like r"%🧎🏿%" or Process.CommandLine like r"%🧎🏿‍♂️%" or Process.CommandLine like r"%🏃🏿‍♀️%" or Process.CommandLine like r"%🏃🏿%" or Process.CommandLine like r"%🏃🏿‍♂️%" or Process.CommandLine like r"%🧍🏿‍♀️%" or Process.CommandLine like r"%🧍🏿%" or Process.CommandLine like r"%🧍🏿‍♂️%" or Process.CommandLine like r"%👭🏿%" or Process.CommandLine like r"%🧑🏿‍🤝‍🧑🏿%" or Process.CommandLine like r"%👬🏿%" or Process.CommandLine like r"%👫🏿%" or Process.CommandLine like r"%🧗🏿‍♀️%" or Process.CommandLine like r"%🧗🏿%" or Process.CommandLine like r"%🧗🏿‍♂️%" or Process.CommandLine like r"%🏇🏿%" or Process.CommandLine like r"%🏂🏿%" or Process.CommandLine like r"%🏌🏿‍♀️%" or Process.CommandLine like r"%🏌🏿%" or Process.CommandLine like r"%🏌🏿‍♂️%" or Process.CommandLine like r"%🏄🏿‍♀️%" or Process.CommandLine like r"%🏄🏿%" or Process.CommandLine like r"%🏄🏿‍♂️%" or Process.CommandLine like r"%🚣🏿‍♀️%" or Process.CommandLine like r"%🚣🏿%" or Process.CommandLine like r"%🚣🏿‍♂️%" or Process.CommandLine like r"%🏊🏿‍♀️%" or Process.CommandLine 
like r"%🏊🏿%" or Process.CommandLine like r"%🏊🏿‍♂️%" or Process.CommandLine like r"%⛹🏿‍♀️%" or Process.CommandLine like r"%⛹🏿%" or Process.CommandLine like r"%⛹🏿‍♂️%" or Process.CommandLine like r"%🏋🏿‍♀️%" or Process.CommandLine like r"%🏋🏿%" or Process.CommandLine like r"%🏋🏿‍♂️%" or Process.CommandLine like r"%🚴🏿‍♀️%" or Process.CommandLine like r"%🚴🏿%" or Process.CommandLine like r"%🚴🏿‍♂️%" or Process.CommandLine like r"%🚵🏿‍♀️%" or Process.CommandLine like r"%🚵🏿%" or Process.CommandLine like r"%🚵🏿‍♂️%" or Process.CommandLine like r"%🤸🏿‍♀️%" or Process.CommandLine like r"%🤸🏿%" or Process.CommandLine like r"%🤸🏿‍♂️%" or Process.CommandLine like r"%🤽🏿‍♀️%" or Process.CommandLine like r"%🤽🏿%" or Process.CommandLine like r"%🤽🏿‍♂️%" or Process.CommandLine like r"%🤾🏿‍♀️%" or Process.CommandLine like r"%🤾🏿%" or Process.CommandLine like r"%🤾🏿‍♂️%" or Process.CommandLine like r"%🤹🏿‍♀️%" or Process.CommandLine like r"%🤹🏿%" or Process.CommandLine like r"%🤹🏿‍♂️%" or Process.CommandLine like r"%🧘🏿‍♀️%" or Process.CommandLine like r"%🧘🏿%" or Process.CommandLine like r"%🧘🏿‍♂️%" or Process.CommandLine like r"%🛀🏿%" or Process.CommandLine like r"%🛌🏿%" or Process.CommandLine like r"%🐶%" or Process.CommandLine like r"%🐱%" or Process.CommandLine like r"%🐭%" or Process.CommandLine like r"%🐹%" or Process.CommandLine like r"%🐰%" or Process.CommandLine like r"%🦊%" or Process.CommandLine like r"%🐻%" or Process.CommandLine like r"%🐼%" or Process.CommandLine like r"%🐻‍❄️%" or Process.CommandLine like r"%🐨%" or Process.CommandLine like r"%🐯%" or Process.CommandLine like r"%🦁%" or Process.CommandLine like r"%🐮%" or Process.CommandLine like r"%🐷%" or Process.CommandLine like r"%🐽%" or Process.CommandLine like r"%🐸%" or Process.CommandLine like r"%🐵%" or Process.CommandLine like r"%🙈%" or Process.CommandLine like r"%🙉%" or Process.CommandLine like r"%🙊%" or Process.CommandLine like r"%🐒%" or Process.CommandLine like r"%🐔%" or Process.CommandLine like r"%🐧%" or Process.CommandLine like r"%🐦%" or 
Process.CommandLine like r"%🐤%" or Process.CommandLine like r"%🐣%" or Process.CommandLine like r"%🐥%"
 [ThreatDetectionRule platform=Windows]
-# Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
-# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-RuleId = 5aad0995-46ab-41bd-a9ff-724f41114971
-RuleName = Esentutl Volume Shadow Copy Service Keys
-EventType = Reg.Any
-Tag = esentutl-volume-shadow-copy-service-keys
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1003.002"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"}
-Query = Reg.TargetObject like r"%System\\CurrentControlSet\\Services\\VSS%" and Process.Path like r"%esentutl.exe" and not Reg.TargetObject like r"%System\\CurrentControlSet\\Services\\VSS\\Start%"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-
-
-[ThreatDetectionRule platform=Windows]
-# Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
-# Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-RuleId = 2433a154-bb3d-42e4-86c3-a26bdac91c45
-RuleName = Renamed PingCastle Binary Execution
+# Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
+# Author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
+RuleId = 10c14723-61c7-4c75-92ca-9af245723ad2
+RuleName = HackTool - Potential Impacket Lateral Movement Activity
 EventType = Process.Start
-Tag = proc-start-renamed-pingcastle-binary-execution
+Tag = proc-start-hacktool-potential-impacket-lateral-movement-activity
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059", "T1202"], "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)"}
-Query = (Process.Name in ["PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe"] or Process.CommandLine like r"%--scanner aclcheck%" or Process.CommandLine like r"%--scanner antivirus%" or Process.CommandLine like r"%--scanner computerversion%" or Process.CommandLine like r"%--scanner foreignusers%" or Process.CommandLine like r"%--scanner laps\_bitlocker%" or Process.CommandLine like r"%--scanner localadmin%" or Process.CommandLine like r"%--scanner nullsession%" or Process.CommandLine like r"%--scanner nullsession-trust%" or Process.CommandLine like r"%--scanner oxidbindings%" or Process.CommandLine like r"%--scanner remote%" or Process.CommandLine like r"%--scanner share%" or Process.CommandLine like r"%--scanner smb%" or Process.CommandLine like r"%--scanner smb3querynetwork%" or Process.CommandLine like r"%--scanner spooler%" or Process.CommandLine like r"%--scanner startup%" or Process.CommandLine like r"%--scanner zerologon%" or Process.CommandLine like r"%--no-enum-limit%" or Process.CommandLine like r"%--healthcheck%" and Process.CommandLine like r"%--level Full%" or Process.CommandLine like r"%--healthcheck%" and Process.CommandLine like r"%--server %") and not (Process.Path like r"%\\PingCastleReporting.exe" or Process.Path like 
r"%\\PingCastleCloud.exe" or Process.Path like r"%\\PingCastle.exe")
+Annotation = {"mitre_attack": ["T1047", "T1021.003"], "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch"}
+Query = (Parent.Path like r"%\\wmiprvse.exe" or Parent.Path like r"%\\mmc.exe" or Parent.Path like r"%\\explorer.exe" or Parent.Path like r"%\\services.exe") and Process.CommandLine like r"%cmd.exe%" and Process.CommandLine like r"%/Q%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%\\\\127.0.0.1\\%" and Process.CommandLine like r"%&1%" or (Parent.CommandLine like r"%svchost.exe -k netsvcs%" or Parent.CommandLine like r"%taskeng.exe%") and Process.CommandLine like r"%cmd.exe%" and Process.CommandLine like r"%/C%" and Process.CommandLine like r"%Windows\\Temp\\%" and Process.CommandLine like r"%&1%"
+GenericProperty1 = Parent.Path
+GenericProperty2 = Parent.CommandLine
 [ThreatDetectionRule platform=Windows]
-# This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
+# Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
 # Author: Florian Roth (Nextron Systems)
-RuleId = 42a993dd-bb3e-48c8-b372-4d6684c4106c
-RuleName = HackTool - CrackMapExec Execution
+RuleId = 1775e15e-b61b-4d14-a1a3-80981298085a
+RuleName = Rundll32 Execution Without CommandLine Parameters
 EventType = Process.Start
-Tag = proc-start-hacktool-crackmapexec-execution
+Tag = proc-start-rundll32-execution-without-commandline-parameters
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1047", "T1053", "T1059.003", "T1059.001", "T1110", "T1201"], "author": "Florian Roth (Nextron Systems)"}
-Query = Process.Path like r"%\\crackmapexec.exe" or Process.CommandLine like r"% -M pe\_inject %" or Process.CommandLine like r"% --local-auth%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -x %" or Process.CommandLine like r"% --local-auth%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% -H 'NTHASH'%" or Process.CommandLine like r"% mssql %" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% -M %" and Process.CommandLine like r"% -d %" or Process.CommandLine like r"% smb %" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -H %" and Process.CommandLine like r"% -M %" and Process.CommandLine like r"% -o %" or Process.CommandLine like r"% smb %" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% --local-auth%" or Process.CommandLine like r"% --local-auth%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% 10.%" and Process.CommandLine like r"% 192.168.%" and Process.CommandLine like r"%/24 %"
+Annotation = {"mitre_attack": ["T1202"], "author": "Florian Roth (Nextron Systems)"}
+Query = (Process.CommandLine like r"%\\rundll32.exe" or 
Process.CommandLine like r"%\\rundll32.exe\"" or Process.CommandLine like r"%\\rundll32") and not (Parent.Path like r"%\\AppData\\Local\\%" or Parent.Path like r"%\\Microsoft\\Edge\\%")
+GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=Windows]
-# Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 258fc8ce-8352-443a-9120-8a11e4857fa5
-RuleName = Potential Arbitrary Command Execution Using Msdt.EXE
+# Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
+# Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+RuleId = 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
+RuleName = Potential Provisioning Registry Key Abuse For Binary Proxy Execution
 EventType = Process.Start
-Tag = proc-start-potential-arbitrary-command-execution-using-msdt.exe
+Tag = proc-start-potential-provisioning-registry-key-abuse-for-binary-proxy-execution
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1202"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\msdt.exe" or Process.Name == "msdt.exe") and (Process.CommandLine like r"%IT\_BrowseForFile=%" or Process.CommandLine like r"% PCWDiagnostic%" and (Process.CommandLine like r"% -af %" or Process.CommandLine like r"% /af %" or Process.CommandLine like r"% –af %" or Process.CommandLine like r"% —af %" or Process.CommandLine like r"% ―af %"))
+Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel"}
+Query = Process.CommandLine like r"%SOFTWARE\\Microsoft\\Provisioning\\Commands\\%"
 [ThreatDetectionRule platform=Windows]
-# Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as 
"sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 514e4c3a-c77d-4cde-a00f-046425e2301e
-RuleName = Abuse of Service Permissions to Hide Services Via Set-Service
+# Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
+# Author: Florian Roth (Nextron Systems)
+RuleId = f2c64357-b1d2-41b7-849f-34d2682c0fad
+RuleName = Suspicious Command Patterns In Scheduled Task Creation
 EventType = Process.Start
-Tag = proc-start-abuse-of-service-permissions-to-hide-services-via-set-service
+Tag = proc-start-suspicious-command-patterns-in-scheduled-task-creation
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1574.011"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\pwsh.exe" or Process.Name == "pwsh.dll") and Process.CommandLine like r"%Set-Service %" and Process.CommandLine like r"%DCLCWPDTSD%" and (Process.CommandLine like r"%-SecurityDescriptorSddl %" or Process.CommandLine like r"%-sd %")
+Annotation = {"mitre_attack": ["T1053.005"], "author": "Florian Roth (Nextron Systems)"}
+Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create %" and ((Process.CommandLine like r"%/sc minute %" or Process.CommandLine like r"%/ru system %") and (Process.CommandLine like r"%cmd /c%" or Process.CommandLine like r"%cmd /k%" or Process.CommandLine like r"%cmd /r%" or Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd.exe /r %") or Process.CommandLine like r"% -decode %" or Process.CommandLine like r"% -enc %" or Process.CommandLine like r"% -w hidden %" or Process.CommandLine like r"% bypass %" or Process.CommandLine like r"% IEX%" or Process.CommandLine like r"%.DownloadData%" or Process.CommandLine like r"%.DownloadFile%" or Process.CommandLine like r"%.DownloadString%" or Process.CommandLine like r"%/c start /min %" or 
Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"%mshta http%" or Process.CommandLine like r"%mshta.exe http%" or (Process.CommandLine like r"%:\\ProgramData\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Tmp\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\%AppData\%%" or Process.CommandLine like r"%\%Temp\%%" or Process.CommandLine like r"%\%tmp\%%") and (Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%curl%" or Process.CommandLine like r"%wscript%")) [ThreatDetectionRule platform=Windows] -# Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs. -# Author: Florian Roth (Nextron Systems) -RuleId = 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60 -RuleName = Uncommon FileSystem Load Attempt By Format.com -EventType = Process.Start -Tag = proc-start-uncommon-filesystem-load-attempt-by-format.com +# Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. 
This technique is used to tamper with log collection and alerting +# Author: D3F7A5105 +RuleId = 0cb8d736-995d-4ce7-a31e-1e8d452a1459 +RuleName = Potential EventLog File Location Tampering +EventType = Reg.Any +Tag = potential-eventlog-file-location-tampering RiskScore = 75 -Annotation = {"author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\format.com" and Process.CommandLine like r"%/fs:%" and not (Process.CommandLine like r"%/fs:exFAT%" or Process.CommandLine like r"%/fs:FAT%" or Process.CommandLine like r"%/fs:NTFS%" or Process.CommandLine like r"%/fs:ReFS%" or Process.CommandLine like r"%/fs:UDF%") +Annotation = {"mitre_attack": ["T1562.002"], "author": "D3F7A5105"} +Query = Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\%" and Reg.TargetObject like r"%\\File" and not Reg.Value.Data like r"%\\System32\\Winevt\\Logs\\%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks -# Author: Florian Roth (Nextron Systems) -RuleId = 534f2ef7-e8a2-4433-816d-c91bccde289b -RuleName = Explorer NOUACCHECK Flag -EventType = Process.Start -Tag = proc-start-explorer-nouaccheck-flag +# Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. +# Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. 
+# Author: frack113 +RuleId = bbf59793-6efb-4fa1-95ca-a7d288e52c88 +RuleName = Winlogon Notify Key Logon Persistence +EventType = Reg.Any +Tag = winlogon-notify-key-logon-persistence RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\explorer.exe" and Process.CommandLine like r"%/NOUACCHECK%" and not (Parent.CommandLine == "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" or Parent.Path == "C:\\Windows\\System32\\svchost.exe") -GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine +Annotation = {"mitre_attack": ["T1547.004"], "author": "frack113"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\logon" and Reg.Value.Data like r"%.dll" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects creation of local users via the net.exe command with the option "never expire" +# Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries. 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = b9f0e6f5-09b4-4358-bae4-08408705bd5c -RuleName = New User Created Via Net.EXE With Never Expire Option +RuleId = d047726b-c71c-4048-a99b-2e2f50dc107d +RuleName = Kavremover Dropped Binary LOLBIN Usage EventType = Process.Start -Tag = proc-start-new-user-created-via-net.exe-with-never-expire-option +Tag = proc-start-kavremover-dropped-binary-lolbin-usage RiskScore = 75 -Annotation = {"mitre_attack": ["T1136.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and Process.CommandLine like r"%user%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%expires:never%" +Annotation = {"mitre_attack": ["T1127"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"% run run-cmd %" and not (Parent.Path like r"%\\cleanapi.exe" or Parent.Path like r"%\\kavremover.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation -# Author: Florian Roth (Nextron Systems) -RuleId = 7280c9f3-a5af-45d0-916a-bc01cb4151c9 -RuleName = Suspicious MSExchangeMailboxReplication ASPX Write +# Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = fccfb43e-09a7-4bd2-8b37-a5a7df33386d +RuleName = .RDP File Created By Uncommon Application EventType = File.Create -Tag = suspicious-msexchangemailboxreplication-aspx-write +Tag = .rdp-file-created-by-uncommon-application RiskScore = 75 -Annotation = {"mitre_attack": ["T1190", "T1505.003"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\MSExchangeMailboxReplication.exe" and (File.Path like r"%.aspx" or File.Path like r"%.asp") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"%.rdp" and (Process.Path like r"%\\brave.exe" or Process.Path like r"%\\CCleaner Browser\\Application\\CCleanerBrowser.exe" or Process.Path like r"%\\chromium.exe" or Process.Path like r"%\\firefox.exe" or Process.Path like r"%\\Google\\Chrome\\Application\\chrome.exe" or Process.Path like r"%\\iexplore.exe" or Process.Path like r"%\\microsoftedge.exe" or Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\Opera.exe" or Process.Path like r"%\\Vivaldi.exe" or Process.Path like r"%\\Whale.exe" or Process.Path like r"%\\olk.exe" or Process.Path like r"%\\Outlook.exe" or Process.Path like r"%\\RuntimeBroker.exe" or Process.Path like r"%\\Thunderbird.exe" or Process.Path like r"%\\Discord.exe" or Process.Path like r"%\\Keybase.exe" or Process.Path like r"%\\msteams.exe" or Process.Path like r"%\\Slack.exe" or Process.Path like r"%\\teams.exe") GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 6640f31c-01ad-49b5-beb5-83498a5cd8bd -RuleName = Potential Arbitrary Code Execution Via Node.EXE -EventType = Process.Start -Tag = proc-start-potential-arbitrary-code-execution-via-node.exe +# Detects potential persistence activity via outlook home page. +# An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys. +# Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand +RuleId = ddd171b5-2cc6-4975-9e78-f0eccd08cc76 +RuleName = Potential Persistence Via Outlook Home Page +EventType = Reg.Any +Tag = potential-persistence-via-outlook-home-page RiskScore = 75 -Annotation = {"mitre_attack": ["T1127"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\node.exe" and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% --eval %") and Process.CommandLine like r"%.exec(%" and Process.CommandLine like r"%net.socket%" and Process.CommandLine like r"%.connect%" and Process.CommandLine like r"%child\_process%" +Annotation = {"mitre_attack": ["T1112"], "author": "Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand"} +Query = Reg.TargetObject like r"%\\Software\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Outlook\\WebView\\%" and Reg.TargetObject like r"%\\URL" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group) -# Author: Bhabesh Raj -RuleId = 871b9555-69ca-4993-99d3-35a59f9f3599 -RuleName = Suspicious UltraVNC Execution +# Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors +# Author: Florian Roth (Nextron Systems), Microsoft (idea) +RuleId = 043c4b8b-3a54-4780-9682-081cb6b8185c +RuleName = Suspicious IIS Module Registration EventType = Process.Start -Tag = proc-start-suspicious-ultravnc-execution +Tag = proc-start-suspicious-iis-module-registration RiskScore = 75 -Annotation = {"mitre_attack": ["T1021.005"], "author": "Bhabesh Raj"} -Query = Process.CommandLine like r"%-autoreconnect %" and Process.CommandLine like r"%-connect %" and Process.CommandLine like r"%-id:%" +Annotation = {"mitre_attack": ["T1505.004"], "author": "Florian Roth (Nextron Systems), Microsoft (idea)"} +Query = Parent.Path like r"%\\w3wp.exe" and (Process.CommandLine like r"%appcmd.exe add module%" or Process.CommandLine like r"% system.enterpriseservices.internal.publish%" and Process.Path like r"%\\powershell.exe" or Process.CommandLine like r"%gacutil%" and Process.CommandLine like r"% /I%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap. 
+# Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 273a8dd8-3742-4302-bcc7-7df5a80fe425 -RuleName = VMMap Unsigned Dbghelp.DLL Potential Sideloading -EventType = Image.Load -Tag = vmmap-unsigned-dbghelp.dll-potential-sideloading +RuleId = 395907ee-96e5-4666-af2e-2ca91688e151 +RuleName = Wab Execution From Non Default Location +EventType = Process.Start +Tag = proc-start-wab-execution-from-non-default-location RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Image.Path like r"%C:\\Debuggers\\dbghelp.dll%" and (Process.Path like r"%\\vmmap.exe" or Process.Path like r"%\\vmmap64.exe") and not Image.IsSigned == "true" -GenericProperty1 = Image.Path -GenericProperty2 = Image.IsSigned +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\wab.exe" or Process.Path like r"%\\wabmig.exe") and not (Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\Program Files\\Windows Mail\\%" or Process.Path like r"C:\\Program Files (x86)\\Windows Mail\\%") [ThreatDetectionRule platform=Windows] -# Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context. -# Author: frack113, omkar72, oscd.community, Wojciech Lesicki -RuleId = e0b06658-7d1d-4cd3-bf15-03467507ff7c -RuleName = Suspicious DotNET CLR Usage Log Artifact -EventType = File.Create -Tag = suspicious-dotnet-clr-usage-log-artifact +# Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes. +# Author: E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth +RuleId = d797268e-28a9-49a7-b9a8-2f5039011c5c +RuleName = Bypass UAC via WSReset.exe +EventType = Process.Start +Tag = proc-start-bypass-uac-via-wsreset.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "frack113, omkar72, oscd.community, Wojciech Lesicki"} -Query = (File.Path like r"%\\UsageLogs\\cmstp.exe.log" or File.Path like r"%\\UsageLogs\\cscript.exe.log" or File.Path like r"%\\UsageLogs\\mshta.exe.log" or File.Path like r"%\\UsageLogs\\msxsl.exe.log" or File.Path like r"%\\UsageLogs\\regsvr32.exe.log" or File.Path like r"%\\UsageLogs\\rundll32.exe.log" or File.Path like r"%\\UsageLogs\\svchost.exe.log" or File.Path like r"%\\UsageLogs\\wscript.exe.log" or File.Path like r"%\\UsageLogs\\wmic.exe.log") and not (Parent.Path like r"%\\MsiExec.exe" and Parent.CommandLine like r"% -Embedding%" and Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%Temp%" and Process.CommandLine like r"%zzzzInvokeManagedCustomActionOutOfProc%") +Annotation = {"mitre_attack": ["T1548.002"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth"} +Query = Parent.Path like r"%\\wsreset.exe" and not (Process.Path like r"%\\conhost.exe" or Process.Name == "CONHOST.EXE") GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine -GenericProperty3 = File.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious encoded character syntax often used for defense evasion -# Author: Florian Roth (Nextron Systems) -RuleId = e312efd0-35a1-407f-8439-b8d434b438a6 -RuleName = Potential PowerShell Obfuscation Via WCHAR +# Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files. 
+# Author: Swachchhanda Shrawan Poudel +RuleId = 75d0a94e-6252-448d-a7be-d953dff527bb +RuleName = Remote XSL Execution Via Msxsl.EXE EventType = Process.Start -Tag = proc-start-potential-powershell-obfuscation-via-wchar +Tag = proc-start-remote-xsl-execution-via-msxsl.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001", "T1027"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%(WCHAR)0x%" +Annotation = {"mitre_attack": ["T1220"], "author": "Swachchhanda Shrawan Poudel"} +Query = Process.Path like r"%\\msxsl.exe" and Process.CommandLine like r"%http%" [ThreatDetectionRule platform=Windows] -# Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware. -# Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 434c08ba-8406-4d15-8b24-782cb071a691 -RuleName = PowerShell Execution With Potential Decryption Capabilities +# When configured with suitable command line arguments, w32tm can act as a delay mechanism +# Author: frack113 +RuleId = 6da2c9f5-7c53-401b-aacb-92c040ce1215 +RuleName = Use of W32tm as Timer EventType = Process.Start -Tag = proc-start-powershell-execution-with-potential-decryption-capabilities +Tag = proc-start-use-of-w32tm-as-timer RiskScore = 75 -Annotation = {"author": "X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%Get-ChildItem %" or Process.CommandLine like r"%dir %" or Process.CommandLine like r"%gci %" or Process.CommandLine like r"%ls %") and (Process.CommandLine like r"%Get-Content %" or Process.CommandLine like r"%gc %" or Process.CommandLine like r"%cat %" or Process.CommandLine like r"%type %" or Process.CommandLine like r"%ReadAllBytes%") and (Process.CommandLine like r"% ^| %" and Process.CommandLine like r"%*.lnk%" and 
Process.CommandLine like r"%-Recurse%" and Process.CommandLine like r"%-Skip %" or Process.CommandLine like r"% -ExpandProperty %" and Process.CommandLine like r"%*.lnk%" and Process.CommandLine like r"%WriteAllBytes%" and Process.CommandLine like r"% .length %") +Annotation = {"mitre_attack": ["T1124"], "author": "frack113"} +Query = (Process.Path like r"%\\w32tm.exe" or Process.Name == "w32time.dll") and Process.CommandLine like r"%/stripchart%" and Process.CommandLine like r"%/computer:%" and Process.CommandLine like r"%/period:%" and Process.CommandLine like r"%/dataonly%" and Process.CommandLine like r"%/samples:%" [ThreatDetectionRule platform=Windows] -# Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. +# Detects encoded base64 MZ header in the commandline # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 5f6a601c-2ecb-498b-9c33-660362323afa -RuleName = Root Certificate Installed From Susp Locations +RuleId = 22e58743-4ac8-4a9f-bf19-00a0428d8c5f +RuleName = Base64 MZ Header In CommandLine EventType = Process.Start -Tag = proc-start-root-certificate-installed-from-susp-locations +Tag = proc-start-base64-mz-header-in-commandline RiskScore = 75 -Annotation = {"mitre_attack": ["T1553.004"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%Import-Certificate%" and Process.CommandLine like r"% -FilePath %" and Process.CommandLine like r"%Cert:\\LocalMachine\\Root%" and (Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\TEMP\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Perflogs\\%" or Process.CommandLine like r"%:\\Users\\Public\\%") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%TVqQAAMAAAAEAAAA%" or Process.CommandLine like 
r"%TVpQAAIAAAAEAA8A%" or Process.CommandLine like r"%TVqAAAEAAAAEABAA%" or Process.CommandLine like r"%TVoAAAAAAAAAAAAA%" or Process.CommandLine like r"%TVpTAQEAAAAEAAAA%" [ThreatDetectionRule platform=Windows] -# Attempts to load dismcore.dll after dropping it -# Author: oscd.community, Dmitry Uchakin -RuleId = a5ea83a7-05a5-44c1-be2e-addccbbd8c03 -RuleName = UAC Bypass With Fake DLL -EventType = Image.Load -Tag = uac-bypass-with-fake-dll +# Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. +# Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +RuleId = 2433a154-bb3d-42e4-86c3-a26bdac91c45 +RuleName = Renamed PingCastle Binary Execution +EventType = Process.Start +Tag = proc-start-renamed-pingcastle-binary-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002", "T1574.002"], "author": "oscd.community, Dmitry Uchakin"} -Query = Process.Path like r"%\\dism.exe" and Image.Path like r"%\\dismcore.dll" and not Image.Path == "C:\\Windows\\System32\\Dism\\dismcore.dll" -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1059", "T1202"], "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)"} +Query = (Process.Name in ["PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe"] or Process.CommandLine like r"%--scanner aclcheck%" or Process.CommandLine like r"%--scanner antivirus%" or Process.CommandLine like r"%--scanner computerversion%" or Process.CommandLine like r"%--scanner foreignusers%" or Process.CommandLine like r"%--scanner laps\_bitlocker%" or Process.CommandLine like r"%--scanner localadmin%" or Process.CommandLine like r"%--scanner nullsession%" or Process.CommandLine like r"%--scanner nullsession-trust%" or Process.CommandLine like r"%--scanner oxidbindings%" or Process.CommandLine like r"%--scanner remote%" or Process.CommandLine like r"%--scanner share%" or Process.CommandLine like r"%--scanner smb%" or Process.CommandLine like 
r"%--scanner smb3querynetwork%" or Process.CommandLine like r"%--scanner spooler%" or Process.CommandLine like r"%--scanner startup%" or Process.CommandLine like r"%--scanner zerologon%" or Process.CommandLine like r"%--no-enum-limit%" or Process.CommandLine like r"%--healthcheck%" and Process.CommandLine like r"%--level Full%" or Process.CommandLine like r"%--healthcheck%" and Process.CommandLine like r"%--server %") and not (Process.Path like r"%\\PingCastleReporting.exe" or Process.Path like r"%\\PingCastleCloud.exe" or Process.Path like r"%\\PingCastle.exe") [ThreatDetectionRule platform=Windows] -# Detection well-known mimikatz command line arguments -# Author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton -RuleId = a642964e-bead-4bed-8910-1bb4d63e3b4d -RuleName = HackTool - Mimikatz Execution -EventType = Process.Start -Tag = proc-start-hacktool-mimikatz-execution +# Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials +# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = d6a9b252-c666-4de6-8806-5561bbbd3bdc +RuleName = Wdigest Enable UseLogonCredential +EventType = Reg.Any +Tag = wdigest-enable-uselogoncredential RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001", "T1003.002", "T1003.004", "T1003.005", "T1003.006"], "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton"} -Query = Process.CommandLine like r"%DumpCreds%" or Process.CommandLine like r"%mimikatz%" or Process.CommandLine like r"%::aadcookie%" or Process.CommandLine like r"%::detours%" or Process.CommandLine like r"%::memssp%" or Process.CommandLine like r"%::mflt%" or Process.CommandLine like r"%::ncroutemon%" or Process.CommandLine like r"%::ngcsign%" or Process.CommandLine like r"%::printnightmare%" or Process.CommandLine like r"%::skeleton%" or 
Process.CommandLine like r"%::preshutdown%" or Process.CommandLine like r"%::mstsc%" or Process.CommandLine like r"%::multirdp%" or Process.CommandLine like r"%rpc::%" or Process.CommandLine like r"%token::%" or Process.CommandLine like r"%crypto::%" or Process.CommandLine like r"%dpapi::%" or Process.CommandLine like r"%sekurlsa::%" or Process.CommandLine like r"%kerberos::%" or Process.CommandLine like r"%lsadump::%" or Process.CommandLine like r"%privilege::%" or Process.CommandLine like r"%process::%" or Process.CommandLine like r"%vault::%" +Annotation = {"mitre_attack": ["T1112"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = Reg.TargetObject like r"%WDigest\\UseLogonCredential" and Reg.Value.Data == "DWORD (0x00000001)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects use of Cobalt Strike commands accidentally entered in the CMD shell -# Author: _pete_0, TheDFIRReport -RuleId = 647c7b9e-d784-4fda-b9a0-45c565a7b729 -RuleName = Operator Bloopers Cobalt Strike Commands -EventType = Process.Start -Tag = proc-start-operator-bloopers-cobalt-strike-commands +# Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities +# Author: Vadim Varganov, Florian Roth (Nextron Systems) +RuleId = 318557a5-150c-4c8d-b70e-a9910e199857 +RuleName = File Creation In Suspicious Directory By Msdt.EXE +EventType = File.Create +Tag = file-creation-in-suspicious-directory-by-msdt.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.003"], "author": "_pete_0, TheDFIRReport"} -Query = (Process.Name == "Cmd.Exe" or Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"cmd %" or Process.CommandLine like r"cmd.exe%" or Process.CommandLine like r"c:\\windows\\system32\\cmd.exe%") and (Process.CommandLine like r"%psinject%" or Process.CommandLine like r"%spawnas%" or 
Process.CommandLine like r"%make\_token%" or Process.CommandLine like r"%remote-exec%" or Process.CommandLine like r"%rev2self%" or Process.CommandLine like r"%dcsync%" or Process.CommandLine like r"%logonpasswords%" or Process.CommandLine like r"%execute-assembly%" or Process.CommandLine like r"%getsystem%") +Annotation = {"mitre_attack": ["T1547.001"], "author": "Vadim Varganov, Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\msdt.exe" and (File.Path like r"%\\Desktop\\%" or File.Path like r"%\\Start Menu\\Programs\\Startup\\%" or File.Path like r"%C:\\PerfLogs\\%" or File.Path like r"%C:\\ProgramData\\%" or File.Path like r"%C:\\Users\\Public\\%") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects service path modification via the "sc" binary to a suspicious command or path -# Author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems) -RuleId = 138d3531-8793-4f50-a2cd-f291b2863d78 -RuleName = Suspicious Service Path Modification -EventType = Process.Start -Tag = proc-start-suspicious-service-path-modification +# Detects potential DLL sideloading of rcdll.dll +# Author: X__Junior (Nextron Systems) +RuleId = 6e78b74f-c762-4800-82ad-f66787f10c8a +RuleName = Potential Rcdll.DLL Sideloading +EventType = Image.Load +Tag = potential-rcdll.dll-sideloading RiskScore = 75 -Annotation = {"mitre_attack": ["T1543.003"], "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%binPath%" and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%cmd %" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%svchost%" or Process.CommandLine like r"%dllhost%" or Process.CommandLine like r"%cmd.exe /c%" or 
Process.CommandLine like r"%cmd.exe /k%" or Process.CommandLine like r"%cmd.exe /r%" or Process.CommandLine like r"%cmd /c%" or Process.CommandLine like r"%cmd /k%" or Process.CommandLine like r"%cmd /r%" or Process.CommandLine like r"%C:\\Users\\Public%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%" or Process.CommandLine like r"%C:\\Windows\\TEMP\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%") +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} +Query = Image.Path like r"%\\rcdll.dll" and not (Image.Path like r"C:\\Program Files (x86)\\Microsoft Visual Studio\\%" or Image.Path like r"C:\\Program Files (x86)\\Windows Kits\\%") +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects the use of KrbRelay, a Kerberos relaying tool -# Author: Florian Roth (Nextron Systems) -RuleId = e96253b8-6b3b-4f90-9e59-3b24b99cf9b4 -RuleName = HackTool - KrbRelay Execution +# Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. +# The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. 
+# Author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri +RuleId = 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e +RuleName = DSInternals Suspicious PowerShell Cmdlets EventType = Process.Start -Tag = proc-start-hacktool-krbrelay-execution +Tag = proc-start-dsinternals-suspicious-powershell-cmdlets RiskScore = 75 -Annotation = {"mitre_attack": ["T1558.003"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\KrbRelay.exe" or Process.Name == "KrbRelay.exe" or Process.CommandLine like r"% -spn %" and Process.CommandLine like r"% -clsid %" and Process.CommandLine like r"% -rbcd %" or Process.CommandLine like r"%shadowcred%" and Process.CommandLine like r"%clsid%" and Process.CommandLine like r"%spn%" or Process.CommandLine like r"%spn %" and Process.CommandLine like r"%session %" and Process.CommandLine like r"%clsid %" +Annotation = {"mitre_attack": ["T1059.001"], "author": "Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri"} +Query = Process.CommandLine like r"%Add-ADDBSidHistory%" or Process.CommandLine like r"%Add-ADNgcKey%" or Process.CommandLine like r"%Add-ADReplNgcKey%" or Process.CommandLine like r"%ConvertFrom-ADManagedPasswordBlob%" or Process.CommandLine like r"%ConvertFrom-GPPrefPassword%" or Process.CommandLine like r"%ConvertFrom-ManagedPasswordBlob%" or Process.CommandLine like r"%ConvertFrom-UnattendXmlPassword%" or Process.CommandLine like r"%ConvertFrom-UnicodePassword%" or Process.CommandLine like r"%ConvertTo-AADHash%" or Process.CommandLine like r"%ConvertTo-GPPrefPassword%" or Process.CommandLine like r"%ConvertTo-KerberosKey%" or Process.CommandLine like r"%ConvertTo-LMHash%" or Process.CommandLine like r"%ConvertTo-MsoPasswordHash%" or Process.CommandLine like r"%ConvertTo-NTHash%" or Process.CommandLine like r"%ConvertTo-OrgIdHash%" or Process.CommandLine like r"%ConvertTo-UnicodePassword%" or Process.CommandLine like r"%Disable-ADDBAccount%" or Process.CommandLine like r"%Enable-ADDBAccount%" or 
Process.CommandLine like r"%Get-ADDBAccount%" or Process.CommandLine like r"%Get-ADDBBackupKey%" or Process.CommandLine like r"%Get-ADDBDomainController%" or Process.CommandLine like r"%Get-ADDBGroupManagedServiceAccount%" or Process.CommandLine like r"%Get-ADDBKdsRootKey%" or Process.CommandLine like r"%Get-ADDBSchemaAttribute%" or Process.CommandLine like r"%Get-ADDBServiceAccount%" or Process.CommandLine like r"%Get-ADDefaultPasswordPolicy%" or Process.CommandLine like r"%Get-ADKeyCredential%" or Process.CommandLine like r"%Get-ADPasswordPolicy%" or Process.CommandLine like r"%Get-ADReplAccount%" or Process.CommandLine like r"%Get-ADReplBackupKey%" or Process.CommandLine like r"%Get-ADReplicationAccount%" or Process.CommandLine like r"%Get-ADSIAccount%" or Process.CommandLine like r"%Get-AzureADUserEx%" or Process.CommandLine like r"%Get-BootKey%" or Process.CommandLine like r"%Get-KeyCredential%" or Process.CommandLine like r"%Get-LsaBackupKey%" or Process.CommandLine like r"%Get-LsaPolicy%" or Process.CommandLine like r"%Get-SamPasswordPolicy%" or Process.CommandLine like r"%Get-SysKey%" or Process.CommandLine like r"%Get-SystemKey%" or Process.CommandLine like r"%New-ADDBRestoreFromMediaScript%" or Process.CommandLine like r"%New-ADKeyCredential%" or Process.CommandLine like r"%New-ADNgcKey%" or Process.CommandLine like r"%New-NTHashSet%" or Process.CommandLine like r"%Remove-ADDBObject%" or Process.CommandLine like r"%Save-DPAPIBlob%" or Process.CommandLine like r"%Set-ADAccountPasswordHash%" or Process.CommandLine like r"%Set-ADDBAccountPassword%" or Process.CommandLine like r"%Set-ADDBBootKey%" or Process.CommandLine like r"%Set-ADDBDomainController%" or Process.CommandLine like r"%Set-ADDBPrimaryGroup%" or Process.CommandLine like r"%Set-ADDBSysKey%" or Process.CommandLine like r"%Set-AzureADUserEx%" or Process.CommandLine like r"%Set-LsaPolicy%" or Process.CommandLine like r"%Set-SamAccountPasswordHash%" or Process.CommandLine like 
r"%Set-WinUserPasswordHash%" or Process.CommandLine like r"%Test-ADDBPasswordQuality%" or Process.CommandLine like r"%Test-ADPasswordQuality%" or Process.CommandLine like r"%Test-ADReplPasswordQuality%" or Process.CommandLine like r"%Test-PasswordQuality%" or Process.CommandLine like r"%Unlock-ADDBAccount%" or Process.CommandLine like r"%Write-ADNgcKey%" or Process.CommandLine like r"%Write-ADReplNgcKey%" [ThreatDetectionRule platform=Windows] -# Detects PowerShell writing startup shortcuts. -# This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. -# Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. -# In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" -# Author: Christopher Peacock '@securepeacock', SCYTHE -RuleId = 92fa78e7-4d39-45f1-91a3-8b23f3f1088d -RuleName = Potential Startup Shortcut Persistence Via PowerShell.EXE +# Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 086ae989-9ca6-4fe7-895a-759c5544f247 +RuleName = Potential Persistence Via TypedPaths +EventType = Reg.Any +Tag = potential-persistence-via-typedpaths +RiskScore = 75 +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\%" and not (Process.Path in ["C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"]) +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject + + +[ThreatDetectionRule platform=Windows] +# Detects suspicious files created via the OneNote application. 
This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = fcc6d700-68d9-4241-9a1a-06874d621b06 +RuleName = Suspicious File Created Via OneNote Application EventType = File.Create -Tag = potential-startup-shortcut-persistence-via-powershell.exe +Tag = suspicious-file-created-via-onenote-application RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.001"], "author": "Christopher Peacock '@securepeacock', SCYTHE"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and File.Path like r"%\\start menu\\programs\\startup\\%" and File.Path like r"%.lnk" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\onenote.exe" or Process.Path like r"%\\onenotem.exe" or Process.Path like r"%\\onenoteim.exe") and File.Path like r"%\\AppData\\Local\\Temp\\OneNote\\%" and (File.Path like r"%.bat" or File.Path like r"%.chm" or File.Path like r"%.cmd" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.hta" or File.Path like r"%.htm" or File.Path like r"%.html" or File.Path like r"%.js" or File.Path like r"%.lnk" or File.Path like r"%.ps1" or File.Path like r"%.vbe" or File.Path like r"%.vbs" or File.Path like r"%.wsf") GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. 
-# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -RuleId = 7707a579-e0d8-4886-a853-ce47e4575aaa -RuleName = Wmiprvse Wbemcomn DLL Hijack -EventType = Image.Load -Tag = wmiprvse-wbemcomn-dll-hijack +# Detects use of Cobalt Strike commands accidentally entered in the CMD shell +# Author: _pete_0, TheDFIRReport +RuleId = 647c7b9e-d784-4fda-b9a0-45c565a7b729 +RuleName = Operator Bloopers Cobalt Strike Commands +EventType = Process.Start +Tag = proc-start-operator-bloopers-cobalt-strike-commands RiskScore = 75 -Annotation = {"mitre_attack": ["T1047", "T1021.002"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} -Query = Process.Path like r"%\\wmiprvse.exe" and Image.Path like r"%\\wbem\\wbemcomn.dll" -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1059.003"], "author": "_pete_0, TheDFIRReport"} +Query = (Process.Name == "Cmd.Exe" or Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"cmd %" or Process.CommandLine like r"cmd.exe%" or Process.CommandLine like r"c:\\windows\\system32\\cmd.exe%") and (Process.CommandLine like r"%psinject%" or Process.CommandLine like r"%spawnas%" or Process.CommandLine like r"%make\_token%" or Process.CommandLine like r"%remote-exec%" or Process.CommandLine like r"%rev2self%" or Process.CommandLine like r"%dcsync%" or Process.CommandLine like r"%logonpasswords%" or Process.CommandLine like r"%execute-assembly%" or Process.CommandLine like r"%getsystem%") [ThreatDetectionRule platform=Windows] -# Detects a potentially suspicious execution from an uncommon folder. 
-# Author: Florian Roth (Nextron Systems), Tim Shelton -RuleId = 3dfd06d2-eaf4-4532-9555-68aca59f57c4 -RuleName = Process Execution From A Potentially Suspicious Folder -EventType = Process.Start -Tag = proc-start-process-execution-from-a-potentially-suspicious-folder +# Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations +# Author: X__Junior (Nextron Systems) +RuleId = 799a5f48-0ac1-4e0f-9152-71d137d48c2a +RuleName = Abusable DLL Potential Sideloading From Suspicious Location +EventType = Image.Load +Tag = abusable-dll-potential-sideloading-from-suspicious-location RiskScore = 75 -Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems), Tim Shelton"} -Query = (Process.Path like r"%:\\Perflogs\\%" or Process.Path like r"%:\\Users\\All Users\\%" or Process.Path like r"%:\\Users\\Default\\%" or Process.Path like r"%:\\Users\\NetworkService\\%" or Process.Path like r"%:\\Windows\\addins\\%" or Process.Path like r"%:\\Windows\\debug\\%" or Process.Path like r"%:\\Windows\\Fonts\\%" or Process.Path like r"%:\\Windows\\Help\\%" or Process.Path like r"%:\\Windows\\IME\\%" or Process.Path like r"%:\\Windows\\Media\\%" or Process.Path like r"%:\\Windows\\repair\\%" or Process.Path like r"%:\\Windows\\security\\%" or Process.Path like r"%:\\Windows\\System32\\Tasks\\%" or Process.Path like r"%:\\Windows\\Tasks\\%" or Process.Path like r"%$Recycle.bin%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Intel\\Logs\\%" or Process.Path like r"%\\RSA\\MachineKeys\\%") and not (Process.Path like r"C:\\Users\\Public\\IBM\\ClientSolutions\\Start\_Programs\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\%" and Process.Path like r"%\\CitrixReceiverUpdater.exe") +Annotation = {"mitre_attack": ["T1059"], "author": "X__Junior (Nextron Systems)"} +Query = (Image.Path like r"%\\coreclr.dll" or Image.Path like r"%\\facesdk.dll" or Image.Path 
like r"%\\HPCustPartUI.dll" or Image.Path like r"%\\libcef.dll" or Image.Path like r"%\\ZIPDLL.dll") and (Image.Path like r"%:\\Perflogs\\%" or Image.Path like r"%:\\Users\\Public\\%" or Image.Path like r"%\\Temporary Internet%" or Image.Path like r"%\\Windows\\Temp\\%" or Image.Path like r"%:\\Users\\%" and Image.Path like r"%\\Favorites\\%" or Image.Path like r"%:\\Users\\%" and Image.Path like r"%\\Favourites\\%" or Image.Path like r"%:\\Users\\%" and Image.Path like r"%\\Contacts\\%" or Image.Path like r"%:\\Users\\%" and Image.Path like r"%\\Pictures\\%") +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. -# Author: Tim Rauch, Elastic (idea) -RuleId = 9bd04a79-dabe-4f1f-a5ff-92430265c96b -RuleName = Privilege Escalation via Named Pipe Impersonation -EventType = Process.Start -Tag = proc-start-privilege-escalation-via-named-pipe-impersonation +# Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager. 
+# Author: Swachchhanda Shrawan Poudel +RuleId = 69ca12af-119d-44ed-b50f-a47af0ebc364 +RuleName = LSASS Process Memory Dump Creation Via Taskmgr.EXE +EventType = File.Create +Tag = lsass-process-memory-dump-creation-via-taskmgr.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1021"], "author": "Tim Rauch, Elastic (idea)"} -Query = (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Name in ["Cmd.Exe", "PowerShell.EXE"]) and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%>%" and Process.CommandLine like r"%\\\\.\\pipe\\%" +Annotation = {"mitre_attack": ["T1003.001"], "author": "Swachchhanda Shrawan Poudel"} +Query = (Process.Path like r"%:\\Windows\\system32\\taskmgr.exe" or Process.Path like r"%:\\Windows\\SysWOW64\\taskmgr.exe") and File.Path like r"%\\AppData\\Local\\Temp\\%" and File.Path like r"%\\lsass%" and File.Path like r"%.DMP%" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. -# The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. -# Attackers abuse this utility to install malicious MOF scripts -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 1dd05363-104e-4b4a-b963-196a534b03a1 -RuleName = Potential Suspicious Mofcomp Execution +# Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190) +# Author: Nextron Systems, @Kostastsale +RuleId = f3d39c45-de1a-4486-a687-ab126124f744 +RuleName = Sdiagnhost Calling Suspicious Child Process EventType = Process.Start -Tag = proc-start-potential-suspicious-mofcomp-execution +Tag = proc-start-sdiagnhost-calling-suspicious-child-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\mofcomp.exe" or Process.Name == "mofcomp.exe") and (Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\wsl.exe" or Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\cscript.exe" or Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\WINDOWS\\Temp\\%" or Process.CommandLine like r"%\%temp\%%" or Process.CommandLine like r"%\%tmp\%%" or Process.CommandLine like r"%\%appdata\%%") and not (Parent.Path == "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and Process.CommandLine like r"%C:\\Windows\\TEMP\\%" and Process.CommandLine like r"%.mof") and not (Process.CommandLine like r"%C:\\Windows\\TEMP\\%" and Process.CommandLine like r"%.mof") +Annotation = {"mitre_attack": ["T1036", "T1218"], "author": "Nextron Systems, @Kostastsale"} +Query = Parent.Path like r"%\\sdiagnhost.exe" and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\taskkill.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\calc.exe") and not (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%bits%" or Process.Path like r"%\\powershell.exe" and (Process.CommandLine like r"%-noprofile -" or 
Process.CommandLine like r"%-noprofile")) GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 5b768e71-86f2-4879-b448-81061cbae951 -RuleName = Suspicious Manipulation Of Default Accounts Via Net.EXE +# Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) +# Author: Andreas Hunkeler (@Karneades), Florian Roth +RuleId = 0d34ed8b-1c12-4ff2-828c-16fc860b766d +RuleName = Suspicious Processes Spawned by Java.EXE EventType = Process.Start -Tag = proc-start-suspicious-manipulation-of-default-accounts-via-net.exe +Tag = proc-start-suspicious-processes-spawned-by-java.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1560.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and Process.CommandLine like r"% user %" and (Process.CommandLine like r"% Järjestelmänvalvoja %" or Process.CommandLine like r"% Rendszergazda %" or Process.CommandLine like r"% Администратор %" or Process.CommandLine like r"% Administrateur %" or Process.CommandLine like r"% Administrador %" or Process.CommandLine like r"% Administratör %" or Process.CommandLine like r"% Administrator %" or Process.CommandLine like r"% guest %" or Process.CommandLine like r"% DefaultAccount %" or Process.CommandLine like r"% \"Järjestelmänvalvoja\" %" or Process.CommandLine like r"% \"Rendszergazda\" %" or Process.CommandLine like r"% \"Администратор\" %" or Process.CommandLine like r"% \"Administrateur\" %" or Process.CommandLine like r"% \"Administrador\" %" or Process.CommandLine like r"% \"Administratör\" %" or Process.CommandLine like r"% \"Administrator\" %" or 
Process.CommandLine like r"% \"guest\" %" or Process.CommandLine like r"% \"DefaultAccount\" %" or Process.CommandLine like r"% 'Järjestelmänvalvoja' %" or Process.CommandLine like r"% 'Rendszergazda' %" or Process.CommandLine like r"% 'Администратор' %" or Process.CommandLine like r"% 'Administrateur' %" or Process.CommandLine like r"% 'Administrador' %" or Process.CommandLine like r"% 'Administratör' %" or Process.CommandLine like r"% 'Administrator' %" or Process.CommandLine like r"% 'guest' %" or Process.CommandLine like r"% 'DefaultAccount' %") and not (Process.CommandLine like r"%guest%" and Process.CommandLine like r"%/active no%") +Annotation = {"author": "Andreas Hunkeler (@Karneades), Florian Roth"} +Query = Parent.Path like r"%\\java.exe" and (Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\curl.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\query.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the PowerShell command lines with special characters -# Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) -RuleId = d7bcd677-645d-4691-a8d4-7a5602b780d1 -RuleName = Potential PowerShell Command Line Obfuscation +# Detects the use of 
KrbRelay, a Kerberos relaying tool +# Author: Florian Roth (Nextron Systems) +RuleId = e96253b8-6b3b-4f90-9e59-3b24b99cf9b4 +RuleName = HackTool - KrbRelay Execution EventType = Process.Start -Tag = proc-start-potential-powershell-command-line-obfuscation +Tag = proc-start-hacktool-krbrelay-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine regex "\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+" or Process.CommandLine regex "\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{" or Process.CommandLine regex "\\^.*\\^.*\\^.*\\^.*\\^" or Process.CommandLine regex "`.*`.*`.*`.*`") and not (Parent.Path == "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe" or Process.CommandLine like r"%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%" or Process.CommandLine like r"%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1558.003"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\KrbRelay.exe" or Process.Name == "KrbRelay.exe" or Process.CommandLine like r"% -spn %" and Process.CommandLine like r"% -clsid %" and Process.CommandLine like r"% -rbcd %" or Process.CommandLine like r"%shadowcred%" and Process.CommandLine like r"%clsid%" and Process.CommandLine like r"%spn%" or Process.CommandLine like r"%spn %" and Process.CommandLine like r"%session %" and Process.CommandLine like r"%clsid %" [ThreatDetectionRule platform=Windows] -# Detects changes to "DsrmAdminLogonBehavior" registry value. 
-# During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. -# Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. -# If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. -# If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. -# If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used. -# Author: Nischal Khadgi -RuleId = b61e87c0-50db-4b2e-8986-6a2be94b33b0 -RuleName = Directory Service Restore Mode(DSRM) Registry Value Tampering +# Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages +# Author: frack113 +RuleId = 8b9606c9-28be-4a38-b146-0e313cc232c1 +RuleName = Potential Ransomware Activity Using LegalNotice Message EventType = Reg.Any -Tag = directory-service-restore-mode(dsrm)-registry-value-tampering +Tag = potential-ransomware-activity-using-legalnotice-message RiskScore = 75 -Annotation = {"mitre_attack": ["T1556"], "author": "Nischal Khadgi"} -Query = Reg.TargetObject like r"%\\Control\\Lsa\\DsrmAdminLogonBehavior" and not Reg.Value.Data == "DWORD (0x00000000)" +Annotation = {"mitre_attack": ["T1491.001"], "author": "frack113"} +Query = (Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption%" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText%") and (Reg.Value.Data like r"%encrypted%" or Reg.Value.Data like 
r"%Unlock-Password%" or Reg.Value.Data like r"%paying%") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. -# Author: Sreeman, Nasreddine Bencherchali (Nextron Systems) -RuleId = 21dd6d38-2b18-4453-9404-a0fe4a0cc288 -RuleName = Curl Download And Execute Combination +# Detects suspicious PowerShell scripts accessing SAM hives +# Author: Florian Roth (Nextron Systems) +RuleId = 1af57a4b-460a-4738-9034-db68b880c665 +RuleName = PowerShell SAM Copy EventType = Process.Start -Tag = proc-start-curl-download-and-execute-combination +Tag = proc-start-powershell-sam-copy RiskScore = 75 -Annotation = {"mitre_attack": ["T1218", "T1105"], "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.CommandLine like r"% -c %" or Process.CommandLine like r"% /c %" or Process.CommandLine like r"% –c %" or Process.CommandLine like r"% —c %" or Process.CommandLine like r"% ―c %") and Process.CommandLine like r"%curl %" and Process.CommandLine like r"%http%" and Process.CommandLine like r"%-o%" and Process.CommandLine like r"%&%" +Annotation = {"mitre_attack": ["T1003.002"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%\\HarddiskVolumeShadowCopy%" and Process.CommandLine like r"%System32\\config\\sam%" and (Process.CommandLine like r"%Copy-Item%" or Process.CommandLine like r"%cp $\_.%" or Process.CommandLine like r"%cpi $\_.%" or Process.CommandLine like r"%copy $\_.%" or Process.CommandLine like r"%.File]::Copy(%") [ThreatDetectionRule platform=Windows] -# Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution. 
-# Author: omkar72, oscd.community -RuleId = 4508a70e-97ef-4300-b62b-ff27992990ea -RuleName = DotNet CLR DLL Loaded By Scripting Applications -EventType = Image.Load -Tag = dotnet-clr-dll-loaded-by-scripting-applications +# Detects scheduled task creation events that include suspicious actions, and is run once at 00:00 +# Author: pH-T (Nextron Systems) +RuleId = 970823b7-273b-460a-8afc-3a6811998529 +RuleName = Uncommon One Time Only Scheduled Task At 00:00 +EventType = Process.Start +Tag = proc-start-uncommon-one-time-only-scheduled-task-at-00:00 RiskScore = 75 -Annotation = {"mitre_attack": ["T1055"], "author": "omkar72, oscd.community"} -Query = (Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msxsl.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") and (Image.Path like r"%\\clr.dll" or Image.Path like r"%\\mscoree.dll" or Image.Path like r"%\\mscorlib.dll") -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1053.005"], "author": "pH-T (Nextron Systems)"} +Query = (Process.Path like r"%\\schtasks.exe%" or Process.Name == "schtasks.exe") and (Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%vbscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%wmic %" or Process.CommandLine like r"%wmic.exe%" or Process.CommandLine like r"%regsvr32.exe%" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%\\AppData\\%") and Process.CommandLine like r"%once%" and Process.CommandLine like r"%00:00%" [ThreatDetectionRule platform=Windows] -# Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information) -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47 -RuleName = Potential Attachment Manager Settings 
Associations Tamper -EventType = Reg.Any -Tag = potential-attachment-manager-settings-associations-tamper +# Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager) +# Author: Florian Roth (Nextron Systems) +RuleId = a4694263-59a8-4608-a3a0-6f8d3a51664c +RuleName = Suspicious Key Manager Access +EventType = Process.Start +Tag = proc-start-suspicious-key-manager-access RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\%" and (Reg.TargetObject like r"%\\DefaultFileTypeRisk" and Reg.Value.Data == "DWORD (0x00006152)" or Reg.TargetObject like r"%\\LowRiskFileTypes" and (Reg.Value.Data like r"%.zip;%" or Reg.Value.Data like r"%.rar;%" or Reg.Value.Data like r"%.exe;%" or Reg.Value.Data like r"%.bat;%" or Reg.Value.Data like r"%.com;%" or Reg.Value.Data like r"%.cmd;%" or Reg.Value.Data like r"%.reg;%" or Reg.Value.Data like r"%.msi;%" or Reg.Value.Data like r"%.htm;%" or Reg.Value.Data like r"%.html;%")) -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1555.004"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and Process.CommandLine like r"%keymgr%" and Process.CommandLine like r"%KRShowKeyMgr%" [ThreatDetectionRule platform=Windows] -# Detects the creation of the LiveKD driver by a process image other than "livekd.exe". 
+# Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning +# Author: Markus Neis, @Kostastsale +RuleId = 30edb182-aa75-42c0-b0a9-e998bb29067c +RuleName = Potential AMSI Bypass Via .NET Reflection +EventType = Process.Start +Tag = proc-start-potential-amsi-bypass-via-.net-reflection +RiskScore = 75 +Annotation = {"mitre_attack": ["T1562.001"], "author": "Markus Neis, @Kostastsale"} +Query = Process.CommandLine like r"%System.Management.Automation.AmsiUtils%" and Process.CommandLine like r"%amsiInitFailed%" or Process.CommandLine like r"%[Ref].Assembly.GetType%" and Process.CommandLine like r"%SetValue($null,$true)%" and Process.CommandLine like r"%NonPublic,Static%" + + +[ThreatDetectionRule platform=Windows] +# Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 059c5af9-5131-4d8d-92b2-de4ad6146712 -RuleName = LiveKD Driver Creation By Uncommon Process -EventType = File.Create -Tag = livekd-driver-creation-by-uncommon-process +RuleId = 6640f31c-01ad-49b5-beb5-83498a5cd8bd +RuleName = Potential Arbitrary Code Execution Via Node.EXE +EventType = Process.Start +Tag = proc-start-potential-arbitrary-code-execution-via-node.exe RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path == "C:\\Windows\\System32\\drivers\\LiveKdD.SYS" and not (Process.Path like r"%\\livekd.exe" or Process.Path like r"%\\livek64.exe") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1127"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\node.exe" and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% --eval %") and Process.CommandLine like r"%.exec(%" and Process.CommandLine like r"%net.socket%" and Process.CommandLine like r"%.connect%" 
and Process.CommandLine like r"%child\_process%" [ThreatDetectionRule platform=Windows] -# Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. -# This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps. -# Author: Ahmed Farouk, Nasreddine Bencherchali -RuleId = a7df0e9e-91a5-459a-a003-4cde67c2ff5d -RuleName = Potentially Suspicious Command Executed Via Run Dialog Box - Registry +# Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature. +# Author: frack113, Nasreddine Bencherchali (Nextron Systems) +RuleId = a5c7a43f-6009-4a8c-80c5-32abf1c53ecc +RuleName = Microsoft Office Protected View Disabled EventType = Reg.Any -Tag = potentially-suspicious-command-executed-via-run-dialog-box-registry +Tag = microsoft-office-protected-view-disabled RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Ahmed Farouk, Nasreddine Bencherchali"} -Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU%" and ((Reg.Value.Data like r"%powershell%" or Reg.Value.Data like r"%pwsh%") and (Reg.Value.Data like r"% -e %" or Reg.Value.Data like r"% -ec %" or Reg.Value.Data like r"% -en %" or Reg.Value.Data like r"% -enc %" or Reg.Value.Data like r"% -enco%" or Reg.Value.Data like r"%ftp%" or Reg.Value.Data like r"%Hidden%" or Reg.Value.Data like r"%http%" or Reg.Value.Data like r"%iex%" or Reg.Value.Data like r"%Invoke-%") or Reg.Value.Data like r"%wmic%" and (Reg.Value.Data like r"%shadowcopy%" or Reg.Value.Data like r"%process call create%")) +Annotation = {"mitre_attack": ["T1562.001"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Security\\ProtectedView\\%" and (Reg.Value.Data == "DWORD (0x00000001)" 
and (Reg.TargetObject like r"%\\DisableAttachementsInPV" or Reg.TargetObject like r"%\\DisableInternetFilesInPV" or Reg.TargetObject like r"%\\DisableIntranetCheck" or Reg.TargetObject like r"%\\DisableUnsafeLocationsInPV") or Reg.Value.Data == "DWORD (0x00000000)" and (Reg.TargetObject like r"%\\enabledatabasefileprotectedview" or Reg.TargetObject like r"%\\enableforeigntextfileprotectedview")) Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects changes to environment variables related to ETW logging via the CommandLine. -# This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. -# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -RuleId = 41421f44-58f9-455d-838a-c398859841d4 -RuleName = ETW Logging Tamper In .NET Processes Via CommandLine +# Detects the use of NirCmd tool for command execution as SYSTEM user +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = d9047477-0359-48c9-b8c7-792cedcdc9c4 +RuleName = PUA - NirCmd Execution As LOCAL SYSTEM EventType = Process.Start -Tag = proc-start-etw-logging-tamper-in-.net-processes-via-commandline +Tag = proc-start-pua-nircmd-execution-as-local-system RiskScore = 75 -Annotation = {"mitre_attack": ["T1562"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} -Query = Process.CommandLine like r"%COMPlus\_ETWEnabled%" or Process.CommandLine like r"%COMPlus\_ETWFlags%" +Annotation = {"mitre_attack": ["T1569.002"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"% runassystem %" [ThreatDetectionRule platform=Windows] -# Detects WMIC executions in which an event consumer gets created. 
This could be used to establish persistence -# Author: Florian Roth (Nextron Systems) -RuleId = ebef4391-1a81-4761-a40a-1db446c0e625 -RuleName = New ActiveScriptEventConsumer Created Via Wmic.EXE +# Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. +# Author: FPT.EagleEye Team, wagga +RuleId = 869b9ca7-9ea2-4a5a-8325-e80e62f75445 +RuleName = Suspicious Child Process Of SQL Server EventType = Process.Start -Tag = proc-start-new-activescripteventconsumer-created-via-wmic.exe +Tag = proc-start-suspicious-child-process-of-sql-server RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.003"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%ActiveScriptEventConsumer%" and Process.CommandLine like r"% CREATE %" +Annotation = {"mitre_attack": ["T1505.003", "T1190"], "author": "FPT.EagleEye Team, wagga"} +Query = Parent.Path like r"%\\sqlservr.exe" and (Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\nltest.exe" or Process.Path like r"%\\ping.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\tasklist.exe" or Process.Path like r"%\\wsl.exe") and not (Parent.Path like r"C:\\Program Files\\Microsoft SQL Server\\%" and Parent.Path like r"%DATEV\_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and Process.Path == "C:\\Windows\\System32\\cmd.exe" and Process.CommandLine like r"\"C:\\Windows\\system32\\cmd.exe\" %") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned. 
-# Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) -RuleId = 91239011-fe3c-4b54-9f24-15c86bb65913 -RuleName = Office Macros Warning Disabled +# Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 272e55a4-9e6b-4211-acb6-78f51f0b1b40 +RuleName = Folder Removed From Exploit Guard ProtectedFolders List - Registry EventType = Reg.Any -Tag = office-macros-warning-disabled +Tag = folder-removed-from-exploit-guard-protectedfolders-list-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Security\\VBAWarnings" and Reg.Value.Data == "DWORD (0x00000001)" +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.EventType == "DeleteValue" and Reg.TargetObject like r"%SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders%" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data - - -[ThreatDetectionRule platform=Windows] -# Detects suspicious processes including shells spawnd from WinRM host process -# Author: Andreas Hunkeler (@Karneades), Markus Neis -RuleId = 5cc2cda8-f261-4d88-a2de-e9e193c86716 -RuleName = Suspicious Processes Spawned by WinRM -EventType = Process.Start -Tag = proc-start-suspicious-processes-spawned-by-winrm -RiskScore = 75 -Annotation = {"mitre_attack": ["T1190"], "author": "Andreas Hunkeler (@Karneades), Markus Neis"} -Query = Parent.Path like r"%\\wsmprovhost.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path 
like r"%\\pwsh.exe" or Process.Path like r"%\\wsl.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\bitsadmin.exe") -GenericProperty1 = Parent.Path +GenericProperty2 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects rundll32 execution where the DLL is located on a remote location (share) -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 5cdb711b-5740-4fb2-ba88-f7945027afac -RuleName = Rundll32 UNC Path Execution -EventType = Process.Start -Tag = proc-start-rundll32-unc-path-execution +# Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library +# Author: Greg (rule) +RuleId = ec8c4047-fad9-416a-8c81-0f479353d7f6 +RuleName = Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE +EventType = Image.Load +Tag = diagnostic-library-sdiageng.dll-loaded-by-msdt.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1021.002", "T1218.011"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE" or Process.CommandLine like r"%rundll32%") and Process.CommandLine like r"% \\\\%" +Annotation = {"mitre_attack": ["T1202"], "author": "Greg (rule)"} +Query = Process.Path like r"%\\msdt.exe" and Image.Path like r"%\\sdiageng.dll" +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 -RuleName = Outlook EnableUnsafeClientMailRules Setting Enabled - Registry +# Detects UAC bypass method using Windows event viewer +# Author: Florian Roth (Nextron Systems) +RuleId = 7c81fec3-1c1d-43b0-996a-46753041b1b6 +RuleName = UAC Bypass via Event Viewer 
EventType = Reg.Any -Tag = outlook-enableunsafeclientmailrules-setting-enabled-registry +Tag = uac-bypass-via-event-viewer RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Outlook\\Security\\EnableUnsafeClientMailRules" and Reg.Value.Data == "DWORD (0x00000001)" +Annotation = {"mitre_attack": ["T1548.002"], "author": "Florian Roth (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\mscfile\\shell\\open\\command" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects attackers attempting to disable Windows Defender using Powershell -# Author: ok @securonix invrep-de, oscd.community, frack113 -RuleId = a7ee1722-c3c5-aeff-3212-c777e4733217 -RuleName = Disable Windows Defender AV Security Monitoring -EventType = Process.Start -Tag = proc-start-disable-windows-defender-av-security-monitoring +# Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context +# Author: Florian Roth (Nextron Systems) +RuleId = 5b40a734-99b6-4b98-a1d0-1cea51a08ab2 +RuleName = Suspicious Interactive PowerShell as SYSTEM +EventType = File.Create +Tag = suspicious-interactive-powershell-as-system RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "ok @securonix invrep-de, oscd.community, frack113"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%-DisableBehaviorMonitoring $true%" or Process.CommandLine like r"%-DisableRuntimeMonitoring $true%") or (Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and (Process.CommandLine like r"%stop%" and Process.CommandLine like r"%WinDefend%" or Process.CommandLine like r"%delete%" and Process.CommandLine like r"%WinDefend%" or Process.CommandLine like r"%config%" and 
Process.CommandLine like r"%WinDefend%" and Process.CommandLine like r"%start=disabled%") +Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} +Query = File.Path in ["C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost\_history.txt", "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\StartupProfileData-Interactive"] +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. -# This binary can be abused for DLL injection, arbitrary command and process execution. -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 6345b048-8441-43a7-9bed-541133633d7a -RuleName = ManageEngine Endpoint Central Dctask64.EXE Potential Abuse +# Detects the use of SDelete to erase a file not the free space +# Author: frack113 +RuleId = a4824fca-976f-4964-b334-0621379e84c4 +RuleName = Potential File Overwrite Via Sysinternals SDelete EventType = Process.Start -Tag = proc-start-manageengine-endpoint-central-dctask64.exe-potential-abuse +Tag = proc-start-potential-file-overwrite-via-sysinternals-sdelete RiskScore = 75 -Annotation = {"mitre_attack": ["T1055.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\dctask64.exe" or Process.Hashes like r"%IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD%" or Process.Hashes like r"%IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA%" or Process.Hashes like r"%IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3%" or Process.Hashes like r"%IMPHASH=F1039CED4B91572AB7847D26032E6BBF%") and (Process.CommandLine like r"% executecmd64 %" or Process.CommandLine like r"% invokeexe %" or Process.CommandLine like r"% injectDll %") -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": 
["T1485"], "author": "frack113"} +Query = Process.Name == "sdelete.exe" and not (Process.CommandLine like r"% -h%" or Process.CommandLine like r"% -c%" or Process.CommandLine like r"% -z%" or Process.CommandLine like r"% /?%") [ThreatDetectionRule platform=Windows] 
@@ -4034,405 +4011,370 @@ GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process. -# Author: @pbssubhash -RuleId = 6902955a-01b7-432c-b32a-6f5f81d8f625 -RuleName = LSASS Process Dump Artefact In CrashDumps Folder -EventType = File.Create -Tag = lsass-process-dump-artefact-in-crashdumps-folder -RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "@pbssubhash"} -Query = File.Path like r"C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\%" and File.Path like r"%lsass.exe.%" and File.Path like r"%.dmp" -GenericProperty1 = File.Path - - -[ThreatDetectionRule platform=Windows] -# The OpenWith.exe executes other binary -# Author: Beyu Denis, oscd.community (rule), @harr0ey (idea) -RuleId = cec8e918-30f7-4e2d-9bfa-a59cc97ae60f -RuleName = OpenWith.exe Executes Specified Binary +# Detects usage of winget to add a new insecure (http) download source. 
+# Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos) +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 +RuleName = Add Insecure Download Source To Winget EventType = Process.Start -Tag = proc-start-openwith.exe-executes-specified-binary +Tag = proc-start-add-insecure-download-source-to-winget RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)"} -Query = Process.Path like r"%\\OpenWith.exe" and Process.CommandLine like r"%/c%" +Annotation = {"mitre_attack": ["T1059"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\winget.exe" or Process.Name == "winget.exe") and Process.CommandLine like r"%source %" and Process.CommandLine like r"%add %" and Process.CommandLine like r"%http://%" [ThreatDetectionRule platform=Windows] -# Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators +# Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags # Author: Florian Roth (Nextron Systems) -RuleId = 51ae86a2-e2e1-4097-ad85-c46cb6851de4 -RuleName = Renamed PsExec Service Execution +RuleId = 52d097e2-063e-4c9c-8fbb-855c8948d135 +RuleName = Suspicious Windows Update Agent Empty Cmdline EventType = Process.Start -Tag = proc-start-renamed-psexec-service-execution +Tag = proc-start-suspicious-windows-update-agent-empty-cmdline RiskScore = 75 -Annotation = {"author": "Florian Roth (Nextron Systems)"} -Query = Process.Name == "psexesvc.exe" and not Process.Path == "C:\\Windows\\PSEXESVC.exe" +Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\Wuauclt.exe" or Process.Name == "Wuauclt.exe") and (Process.CommandLine like r"%Wuauclt" or 
Process.CommandLine like r"%Wuauclt.exe") [ThreatDetectionRule platform=Windows] -# Detects possible NTLM coercion via certutil using the 'syncwithWU' flag -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 6c6d9280-e6d0-4b9d-80ac-254701b64916 -RuleName = Potential NTLM Coercion Via Certutil.EXE -EventType = Process.Start -Tag = proc-start-potential-ntlm-coercion-via-certutil.exe +# Detects abusing Windows 10 Narrator's Feedback-Hub +# Author: Dmitriy Lifanov, oscd.community +RuleId = f663a6d9-9d1b-49b8-b2b1-0637914d199a +RuleName = Narrator's Feedback-Hub Persistence +EventType = Reg.Any +Tag = narrator's-feedback-hub-persistence RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\certutil.exe" or Process.Name == "CertUtil.exe") and Process.CommandLine like r"% -syncwithWU %" and Process.CommandLine like r"% \\\\%" +Annotation = {"mitre_attack": ["T1547.001"], "author": "Dmitriy Lifanov, oscd.community"} +Query = Reg.EventType == "DeleteValue" and Reg.TargetObject like r"%\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute" or Reg.TargetObject like r"%\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information. -# Author: @kostastsale -RuleId = e92a4287-e072-4a40-9739-370c106bb750 -RuleName = HackTool - SOAPHound Execution +# Detects the import of a alternate datastream to the registry with regedit.exe. 
+# Author: Oddvar Moe, Sander Wiebing, oscd.community +RuleId = 0b80ade5-6997-4b1d-99a1-71701778ea61 +RuleName = Imports Registry Key From an ADS EventType = Process.Start -Tag = proc-start-hacktool-soaphound-execution +Tag = proc-start-imports-registry-key-from-an-ads RiskScore = 75 -Annotation = {"mitre_attack": ["T1087"], "author": "@kostastsale"} -Query = (Process.CommandLine like r"% --buildcache %" or Process.CommandLine like r"% --bhdump %" or Process.CommandLine like r"% --certdump %" or Process.CommandLine like r"% --dnsdump %") and (Process.CommandLine like r"% -c %" or Process.CommandLine like r"% --cachefilename %" or Process.CommandLine like r"% -o %" or Process.CommandLine like r"% --outputdirectory%") +Annotation = {"mitre_attack": ["T1112"], "author": "Oddvar Moe, Sander Wiebing, oscd.community"} +Query = (Process.Path like r"%\\regedit.exe" or Process.Name == "REGEDIT.EXE") and (Process.CommandLine like r"% /i %" or Process.CommandLine like r"%.reg%") and Process.CommandLine regex ":[^ \\\\]" and not (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% /e %" or Process.CommandLine like r"% –e %" or Process.CommandLine like r"% —e %" or Process.CommandLine like r"% ―e %" or Process.CommandLine like r"% -a %" or Process.CommandLine like r"% /a %" or Process.CommandLine like r"% –a %" or Process.CommandLine like r"% —a %" or Process.CommandLine like r"% ―a %" or Process.CommandLine like r"% -c %" or Process.CommandLine like r"% /c %" or Process.CommandLine like r"% –c %" or Process.CommandLine like r"% —c %" or Process.CommandLine like r"% ―c %") [ThreatDetectionRule platform=Windows] -# Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) -# Author: Tim Rauch (Nextron Systems), Elastic (idea) -RuleId = 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 -RuleName = Unusual File Deletion by Dns.exe -EventType = File.Delete -Tag = 
unusual-file-deletion-by-dns.exe -RiskScore = 75 -Annotation = {"mitre_attack": ["T1133"], "author": "Tim Rauch (Nextron Systems), Elastic (idea)"} -Query = Process.Path like r"%\\dns.exe" and not File.Path like r"%\\dns.log" -GenericProperty1 = File.Path - - -[ThreatDetectionRule platform=Windows] -# Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = bf344fea-d947-4ef4-9192-34d008315d3a -RuleName = Suspicious Shim Database Patching Activity +# Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection. +# Author: frack113 +RuleId = 41d1058a-aea7-4952-9293-29eaaf516465 +RuleName = Removal Of AMSI Provider Registry Keys EventType = Reg.Any -Tag = suspicious-shim-database-patching-activity +Tag = removal-of-amsi-provider-registry-keys RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.011"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\%" and (Reg.TargetObject like r"%\\csrss.exe" or Reg.TargetObject like r"%\\dllhost.exe" or Reg.TargetObject like r"%\\explorer.exe" or Reg.TargetObject like r"%\\RuntimeBroker.exe" or Reg.TargetObject like r"%\\services.exe" or Reg.TargetObject like r"%\\sihost.exe" or Reg.TargetObject like r"%\\svchost.exe" or Reg.TargetObject like r"%\\taskhostw.exe" or Reg.TargetObject like r"%\\winlogon.exe" or Reg.TargetObject like r"%\\WmiPrvSe.exe") +Annotation = {"mitre_attack": ["T1562.001"], "author": "frack113"} +Query = Reg.EventType == "DeleteKey" and (Reg.TargetObject like r"%{2781761E-28E0-4109-99FE-B9D127C57AFE}" or Reg.TargetObject like r"%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject +GenericProperty2 = 
Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware -# Author: Sander Wiebing -RuleId = 01aeb693-138d-49d2-9403-c4f52d7d3d62 -RuleName = RDP Connection Allowed Via Netsh.EXE +# Detects suspicious powershell command line parameters used in Empire +# Author: Florian Roth (Nextron Systems) +RuleId = 79f4ede3-402e-41c8-bc3e-ebbf5f162581 +RuleName = HackTool - Empire PowerShell Launch Parameters EventType = Process.Start -Tag = proc-start-rdp-connection-allowed-via-netsh.exe +Tag = proc-start-hacktool-empire-powershell-launch-parameters RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.004"], "author": "Sander Wiebing"} -Query = (Process.Path like r"%\\netsh.exe" or Process.Name == "netsh.exe") and Process.CommandLine like r"%firewall %" and Process.CommandLine like r"%add %" and Process.CommandLine like r"%tcp %" and Process.CommandLine like r"%3389%" and (Process.CommandLine like r"%portopening%" or Process.CommandLine like r"%allow%") +Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"% -NoP -sta -NonI -W Hidden -Enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc %" or Process.CommandLine like r"% -NoP -NonI -W Hidden -enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc%" or Process.CommandLine like r"% -enc SQB%" or Process.CommandLine like r"% -nop -exec bypass -EncodedCommand %" [ThreatDetectionRule platform=Windows] -# Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware -# Author: X__Junior (Nextron Systems) -RuleId = cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca -RuleName = Suspicious File Creation Activity From Fake Recycle.Bin Folder -EventType = File.Create -Tag = suspicious-file-creation-activity-from-fake-recycle.bin-folder +# Detects a "dllhost" process spawning with no commandline arguments 
which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = e7888eb1-13b0-4616-bd99-4bc0c2b054b9 +RuleName = Dllhost.EXE Execution Anomaly +EventType = Process.Start +Tag = proc-start-dllhost.exe-execution-anomaly RiskScore = 75 -Annotation = {"author": "X__Junior (Nextron Systems)"} -Query = Process.Path like r"%RECYCLERS.BIN\\%" or Process.Path like r"%RECYCLER.BIN\\%" or File.Path like r"%RECYCLERS.BIN\\%" or File.Path like r"%RECYCLER.BIN\\%" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1055"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\dllhost.exe" and (Process.CommandLine in ["dllhost.exe", "dllhost"]) and not isnull(Process.CommandLine) [ThreatDetectionRule platform=Windows] -# Attempts to detect system changes made by Blue Mockingbird -# Author: Trent Liffick (@tliffick) -RuleId = 92b0b372-a939-44ed-a11b-5136cf680e27 -RuleName = Blue Mockingbird - Registry -EventType = Reg.Any -Tag = blue-mockingbird-registry +# Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers +# Author: Florian Roth (Nextron Systems) +RuleId = ab9e3b40-0c85-4ba1-aede-455d226fd124 +RuleName = Suspicious Redirection to Local Admin Share +EventType = Process.Start +Tag = proc-start-suspicious-redirection-to-local-admin-share RiskScore = 75 -Annotation = {"mitre_attack": ["T1112", "T1047"], "author": "Trent Liffick (@tliffick)"} -Query = Reg.TargetObject like r"%\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1048"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%>%" and (Process.CommandLine like r"%\\\\127.0.0.1\\admin$\\%" or Process.CommandLine like 
r"%\\\\localhost\\admin$\\%") [ThreatDetectionRule platform=Windows] -# Detects when a user installs certificates by using CertOC.exe to load the target DLL file. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 84232095-ecca-4015-b0d7-7726507ee793 -RuleName = Suspicious DLL Loaded via CertOC.EXE +# Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service +# Author: Florian Roth (Nextron Systems) +RuleId = cea2b7ea-792b-405f-95a1-b903ea06458f +RuleName = Suspicious Child Process Of Manage Engine ServiceDesk EventType = Process.Start -Tag = proc-start-suspicious-dll-loaded-via-certoc.exe +Tag = proc-start-suspicious-child-process-of-manage-engine-servicedesk RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\certoc.exe" or Process.Name == "CertOC.exe") and (Process.CommandLine like r"% -LoadDLL %" or Process.CommandLine like r"% /LoadDLL %" or Process.CommandLine like r"% –LoadDLL %" or Process.CommandLine like r"% —LoadDLL %" or Process.CommandLine like r"% ―LoadDLL %") and (Process.CommandLine like r"%\\Appdata\\Local\\Temp\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%C:\\Windows\\Tasks\\%" or Process.CommandLine like r"%C:\\Windows\\Temp\\%") +Annotation = {"mitre_attack": ["T1102"], "author": "Florian Roth (Nextron Systems)"} +Query = Parent.Path like r"%\\ManageEngine\\ServiceDesk\\%" and Parent.Path like r"%\\java.exe%" and (Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\calc.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\curl.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like 
r"%\\mshta.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\query.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") and not ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"% stop%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares). -# Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) -RuleId = e212d415-0e93-435f-9e1a-f29005bb4723 -RuleName = Suspicious Remote Child Process From Outlook +# Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same +# Author: Florian Roth (Nextron Systems) +RuleId = ca621ba5-54ab-4035-9942-d378e6fcde3c +RuleName = HackTool - HandleKatz LSASS Dumper Execution EventType = Process.Start -Tag = proc-start-suspicious-remote-child-process-from-outlook +Tag = proc-start-hacktool-handlekatz-lsass-dumper-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1059", "T1202"], "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)"} -Query = Parent.Path like r"%\\outlook.exe" and Process.Path like r"\\\\%" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\loader.exe" and Process.CommandLine like r"%--pid:%" or Process.Hashes like r"%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%" or Process.Hashes like 
r"%IMPHASH=0E2216679CA6E1094D63322E3412D650%" or Process.CommandLine like r"%--pid:%" and Process.CommandLine like r"%--outfile:%" and (Process.CommandLine like r"%.dmp%" or Process.CommandLine like r"%lsass%" or Process.CommandLine like r"%.obf%" or Process.CommandLine like r"%dump%") +GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation +# Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory # Author: Florian Roth (Nextron Systems) -RuleId = 1a42dfa6-6cb2-4df9-9b48-295be477e835 -RuleName = Vulnerable WinRing0 Driver Load -EventType = Driver.Load -Tag = vulnerable-winring0-driver-load +RuleId = 4e7050dd-e548-483f-b7d6-527ab4fa784d +RuleName = NTDS.DIT Creation By Uncommon Parent Process +EventType = File.Create +Tag = ntds.dit-creation-by-uncommon-parent-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1543.003"], "author": "Florian Roth (Nextron Systems)"} -Query = Image.Hashes like r"%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%" or Image.Path like r"%\\WinRing0x64.sys" or Image.Path like r"%\\WinRing0.sys" or Image.Path like r"%\\WinRing0.dll" or Image.Path like r"%\\WinRing0x64.dll" or Image.Path like r"%\\winring00x64.sys" -GenericProperty1 = Image.Path -GenericProperty2 = Image.Hashes +Annotation = {"mitre_attack": ["T1003.003"], "author": "Florian Roth (Nextron Systems)"} +Query = File.Path like r"%\\ntds.dit" and (Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%" or Parent.Path like r"%\\AppData\\%" or Parent.Path like r"%\\Temp\\%" 
or Parent.Path like r"%\\Public\\%" or Parent.Path like r"%\\PerfLogs\\%") +GenericProperty1 = Parent.Path +GenericProperty2 = File.Path [ThreatDetectionRule platform=Windows] -# The Tasks folder in system32 and syswow64 are globally writable paths. -# Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application -# in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr -# Author: Sreeman -RuleId = cc4e02ba-9c06-48e2-b09e-2500cace9ae0 -RuleName = Tasks Folder Evasion +# Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation +# Author: frack113 +RuleId = deb9b646-a508-44ee-b7c9-d8965921c6b6 +RuleName = Powershell Token Obfuscation - Process Creation EventType = Process.Start -Tag = proc-start-tasks-folder-evasion +Tag = proc-start-powershell-token-obfuscation-process-creation RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002"], "author": "Sreeman"} -Query = (Process.CommandLine like r"%echo %" or Process.CommandLine like r"%copy %" or Process.CommandLine like r"%type %" or Process.CommandLine like r"%file createnew%") and (Process.CommandLine like r"% C:\\Windows\\System32\\Tasks\\%" or Process.CommandLine like r"% C:\\Windows\\SysWow64\\Tasks\\%") +Annotation = {"mitre_attack": ["T1027.009"], "author": "frack113"} +Query = (Process.CommandLine regex "\\w+`(\\w+|-|.)`[\\w+|\\s]" or Process.CommandLine regex "\"(\\{\\d\\})+\"\\s*-f" or Process.CommandLine regex "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and not Process.CommandLine like r"%${env:path}%" [ThreatDetectionRule platform=Windows] -# Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 207b0396-3689-42d9-8399-4222658efc99 -RuleName = Potential Privilege Escalation To LOCAL SYSTEM -EventType = Process.Start -Tag = 
proc-start-potential-privilege-escalation-to-local-system +# Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software. +# Author: X__Junior (Nextron Systems) +RuleId = 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb +RuleName = Potential Waveedit.DLL Sideloading +EventType = Image.Load +Tag = potential-waveedit.dll-sideloading RiskScore = 75 -Annotation = {"mitre_attack": ["T1587.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.CommandLine like r"% -s cmd%" or Process.CommandLine like r"% /s cmd%" or Process.CommandLine like r"% –s cmd%" or Process.CommandLine like r"% —s cmd%" or Process.CommandLine like r"% ―s cmd%" or Process.CommandLine like r"% -s -i cmd%" or Process.CommandLine like r"% -s /i cmd%" or Process.CommandLine like r"% -s –i cmd%" or Process.CommandLine like r"% -s —i cmd%" or Process.CommandLine like r"% -s ―i cmd%" or Process.CommandLine like r"% /s -i cmd%" or Process.CommandLine like r"% /s /i cmd%" or Process.CommandLine like r"% /s –i cmd%" or Process.CommandLine like r"% /s —i cmd%" or Process.CommandLine like r"% /s ―i cmd%" or Process.CommandLine like r"% –s -i cmd%" or Process.CommandLine like r"% –s /i cmd%" or Process.CommandLine like r"% –s –i cmd%" or Process.CommandLine like r"% –s —i cmd%" or Process.CommandLine like r"% –s ―i cmd%" or Process.CommandLine like r"% —s -i cmd%" or Process.CommandLine like r"% —s /i cmd%" or Process.CommandLine like r"% —s –i cmd%" or Process.CommandLine like r"% —s —i cmd%" or Process.CommandLine like r"% —s ―i cmd%" or Process.CommandLine like r"% ―s -i cmd%" or Process.CommandLine like r"% ―s /i cmd%" or Process.CommandLine like r"% ―s –i cmd%" or Process.CommandLine like r"% ―s —i cmd%" or Process.CommandLine like r"% ―s ―i cmd%" or Process.CommandLine like r"% -i -s cmd%" or Process.CommandLine like r"% -i /s cmd%" or Process.CommandLine like r"% -i –s cmd%" or Process.CommandLine like r"% 
-i —s cmd%" or Process.CommandLine like r"% -i ―s cmd%" or Process.CommandLine like r"% /i -s cmd%" or Process.CommandLine like r"% /i /s cmd%" or Process.CommandLine like r"% /i –s cmd%" or Process.CommandLine like r"% /i —s cmd%" or Process.CommandLine like r"% /i ―s cmd%" or Process.CommandLine like r"% –i -s cmd%" or Process.CommandLine like r"% –i /s cmd%" or Process.CommandLine like r"% –i –s cmd%" or Process.CommandLine like r"% –i —s cmd%" or Process.CommandLine like r"% –i ―s cmd%" or Process.CommandLine like r"% —i -s cmd%" or Process.CommandLine like r"% —i /s cmd%" or Process.CommandLine like r"% —i –s cmd%" or Process.CommandLine like r"% —i —s cmd%" or Process.CommandLine like r"% —i ―s cmd%" or Process.CommandLine like r"% ―i -s cmd%" or Process.CommandLine like r"% ―i /s cmd%" or Process.CommandLine like r"% ―i –s cmd%" or Process.CommandLine like r"% ―i —s cmd%" or Process.CommandLine like r"% ―i ―s cmd%" or Process.CommandLine like r"% -s pwsh%" or Process.CommandLine like r"% /s pwsh%" or Process.CommandLine like r"% –s pwsh%" or Process.CommandLine like r"% —s pwsh%" or Process.CommandLine like r"% ―s pwsh%" or Process.CommandLine like r"% -s -i pwsh%" or Process.CommandLine like r"% -s /i pwsh%" or Process.CommandLine like r"% -s –i pwsh%" or Process.CommandLine like r"% -s —i pwsh%" or Process.CommandLine like r"% -s ―i pwsh%" or Process.CommandLine like r"% /s -i pwsh%" or Process.CommandLine like r"% /s /i pwsh%" or Process.CommandLine like r"% /s –i pwsh%" or Process.CommandLine like r"% /s —i pwsh%" or Process.CommandLine like r"% /s ―i pwsh%" or Process.CommandLine like r"% –s -i pwsh%" or Process.CommandLine like r"% –s /i pwsh%" or Process.CommandLine like r"% –s –i pwsh%" or Process.CommandLine like r"% –s —i pwsh%" or Process.CommandLine like r"% –s ―i pwsh%" or Process.CommandLine like r"% —s -i pwsh%" or Process.CommandLine like r"% —s /i pwsh%" or Process.CommandLine like r"% —s –i pwsh%" or Process.CommandLine like r"% —s —i 
pwsh%" or Process.CommandLine like r"% —s ―i pwsh%" or Process.CommandLine like r"% ―s -i pwsh%" or Process.CommandLine like r"% ―s /i pwsh%" or Process.CommandLine like r"% ―s –i pwsh%" or Process.CommandLine like r"% ―s —i pwsh%" or Process.CommandLine like r"% ―s ―i pwsh%" or Process.CommandLine like r"% -i -s pwsh%" or Process.CommandLine like r"% -i /s pwsh%" or Process.CommandLine like r"% -i –s pwsh%" or Process.CommandLine like r"% -i —s pwsh%" or Process.CommandLine like r"% -i ―s pwsh%" or Process.CommandLine like r"% /i -s pwsh%" or Process.CommandLine like r"% /i /s pwsh%" or Process.CommandLine like r"% /i –s pwsh%" or Process.CommandLine like r"% /i —s pwsh%" or Process.CommandLine like r"% /i ―s pwsh%" or Process.CommandLine like r"% –i -s pwsh%" or Process.CommandLine like r"% –i /s pwsh%" or Process.CommandLine like r"% –i –s pwsh%" or Process.CommandLine like r"% –i —s pwsh%" or Process.CommandLine like r"% –i ―s pwsh%" or Process.CommandLine like r"% —i -s pwsh%" or Process.CommandLine like r"% —i /s pwsh%" or Process.CommandLine like r"% —i –s pwsh%" or Process.CommandLine like r"% —i —s pwsh%" or Process.CommandLine like r"% —i ―s pwsh%" or Process.CommandLine like r"% ―i -s pwsh%" or Process.CommandLine like r"% ―i /s pwsh%" or Process.CommandLine like r"% ―i –s pwsh%" or Process.CommandLine like r"% ―i —s pwsh%" or Process.CommandLine like r"% ―i ―s pwsh%" or Process.CommandLine like r"% -s powershell%" or Process.CommandLine like r"% /s powershell%" or Process.CommandLine like r"% –s powershell%" or Process.CommandLine like r"% —s powershell%" or Process.CommandLine like r"% ―s powershell%" or Process.CommandLine like r"% -s -i powershell%" or Process.CommandLine like r"% -s /i powershell%" or Process.CommandLine like r"% -s –i powershell%" or Process.CommandLine like r"% -s —i powershell%" or Process.CommandLine like r"% -s ―i powershell%" or Process.CommandLine like r"% /s -i powershell%" or Process.CommandLine like r"% /s /i powershell%" 
or Process.CommandLine like r"% /s –i powershell%" or Process.CommandLine like r"% /s —i powershell%" or Process.CommandLine like r"% /s ―i powershell%" or Process.CommandLine like r"% –s -i powershell%" or Process.CommandLine like r"% –s /i powershell%" or Process.CommandLine like r"% –s –i powershell%" or Process.CommandLine like r"% –s —i powershell%" or Process.CommandLine like r"% –s ―i powershell%" or Process.CommandLine like r"% —s -i powershell%" or Process.CommandLine like r"% —s /i powershell%" or Process.CommandLine like r"% —s –i powershell%" or Process.CommandLine like r"% —s —i powershell%" or Process.CommandLine like r"% —s ―i powershell%" or Process.CommandLine like r"% ―s -i powershell%" or Process.CommandLine like r"% ―s /i powershell%" or Process.CommandLine like r"% ―s –i powershell%" or Process.CommandLine like r"% ―s —i powershell%" or Process.CommandLine like r"% ―s ―i powershell%" or Process.CommandLine like r"% -i -s powershell%" or Process.CommandLine like r"% -i /s powershell%" or Process.CommandLine like r"% -i –s powershell%" or Process.CommandLine like r"% -i —s powershell%" or Process.CommandLine like r"% -i ―s powershell%" or Process.CommandLine like r"% /i -s powershell%" or Process.CommandLine like r"% /i /s powershell%" or Process.CommandLine like r"% /i –s powershell%" or Process.CommandLine like r"% /i —s powershell%" or Process.CommandLine like r"% /i ―s powershell%" or Process.CommandLine like r"% –i -s powershell%" or Process.CommandLine like r"% –i /s powershell%" or Process.CommandLine like r"% –i –s powershell%" or Process.CommandLine like r"% –i —s powershell%" or Process.CommandLine like r"% –i ―s powershell%" or Process.CommandLine like r"% —i -s powershell%" or Process.CommandLine like r"% —i /s powershell%" or Process.CommandLine like r"% —i –s powershell%" or Process.CommandLine like r"% —i —s powershell%" or Process.CommandLine like r"% —i ―s powershell%" or Process.CommandLine like r"% ―i -s powershell%" or 
Process.CommandLine like r"% ―i /s powershell%" or Process.CommandLine like r"% ―i –s powershell%" or Process.CommandLine like r"% ―i —s powershell%" or Process.CommandLine like r"% ―i ―s powershell%") and not (Process.CommandLine like r"%paexec%" or Process.CommandLine like r"%PsExec%" or Process.CommandLine like r"%accepteula%") +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} +Query = Image.Path like r"%\\waveedit.dll" and not ((Process.Path in ["C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe", "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe"]) and (Image.Path like r"C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\%" or Image.Path like r"C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\%")) +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects the abuse of custom file open handler, executing powershell -# Author: CD_R0M_ -RuleId = 7530b96f-ad8e-431d-a04d-ac85cc461fdc -RuleName = Custom File Open Handler Executes PowerShell -EventType = Reg.Any -Tag = custom-file-open-handler-executes-powershell +# Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines +# Author: Florian Roth (Nextron Systems) +RuleId = 8d01b53f-456f-48ee-90f6-bc28e67d4e35 +RuleName = Suspicious Obfuscated PowerShell Code +EventType = Process.Start +Tag = proc-start-suspicious-obfuscated-powershell-code RiskScore = 75 -Annotation = {"mitre_attack": ["T1202"], "author": "CD_R0M_"} -Query = Reg.TargetObject like r"%shell\\open\\command\\%" and Reg.Value.Data like r"%powershell%" and Reg.Value.Data like r"%-command%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%IAAtAGIAeABvAHIAIAAwAHgA%" or Process.CommandLine like r"%AALQBiAHgAbwByACAAMAB4A%" or Process.CommandLine like 
r"%gAC0AYgB4AG8AcgAgADAAeA%" or Process.CommandLine like r"%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%" or Process.CommandLine like r"%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%" or Process.CommandLine like r"%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%" or Process.CommandLine like r"%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%" or Process.CommandLine like r"%B7ADEAfQB7ADAAfQAiACAALQBmAC%" or Process.CommandLine like r"%AewAxAH0AewAwAH0AIgAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%" or Process.CommandLine like r"%B7ADAAfQB7ADMAfQAiACAALQBmAC%" or Process.CommandLine like r"%AewAwAH0AewAzAH0AIgAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%" or Process.CommandLine like r"%B7ADIAfQB7ADAAfQAiACAALQBmAC%" or Process.CommandLine like r"%AewAyAH0AewAwAH0AIgAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%" or Process.CommandLine like r"%B7ADEAfQB7ADAAfQAnACAALQBmAC%" or Process.CommandLine like r"%AewAxAH0AewAwAH0AJwAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%" or Process.CommandLine like r"%B7ADAAfQB7ADMAfQAnACAALQBmAC%" or Process.CommandLine like r"%AewAwAH0AewAzAH0AJwAgAC0AZgAg%" or Process.CommandLine like r"%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%" or Process.CommandLine like r"%B7ADIAfQB7ADAAfQAnACAALQBmAC%" or Process.CommandLine like r"%AewAyAH0AewAwAH0AJwAgAC0AZgAg%" [ThreatDetectionRule platform=Windows] -# Detects active directory enumeration activity using known AdFind CLI flags +# Detects dump of credentials in VeeamBackup dbo # Author: frack113 -RuleId = 455b9d50-15a1-4b99-853f-8d37655a4c1b -RuleName = PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE +RuleId = b57ba453-b384-4ab9-9f40-1038086b4e53 +RuleName = VeeamBackup Database Credentials Dump Via Sqlcmd.EXE EventType = Process.Start -Tag = proc-start-pua-suspicious-activedirectory-enumeration-via-adfind.exe +Tag = proc-start-veeambackup-database-credentials-dump-via-sqlcmd.exe RiskScore = 75 -Annotation = {"mitre_attack": 
["T1087.002"], "author": "frack113"} -Query = Process.CommandLine like r"%lockoutduration%" or Process.CommandLine like r"%lockoutthreshold%" or Process.CommandLine like r"%lockoutobservationwindow%" or Process.CommandLine like r"%maxpwdage%" or Process.CommandLine like r"%minpwdage%" or Process.CommandLine like r"%minpwdlength%" or Process.CommandLine like r"%pwdhistorylength%" or Process.CommandLine like r"%pwdproperties%" or Process.CommandLine like r"%-sc admincountdmp%" or Process.CommandLine like r"%-sc exchaddresses%" +Annotation = {"mitre_attack": ["T1005"], "author": "frack113"} +Query = Process.Path like r"%\\sqlcmd.exe" and Process.CommandLine like r"%SELECT%" and Process.CommandLine like r"%TOP%" and Process.CommandLine like r"%[VeeamBackup].[dbo].[Credentials]%" [ThreatDetectionRule platform=Windows] -# Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in. -# Author: frack113 -RuleId = e9b61244-893f-427c-b287-3e708f321c6b -RuleName = Potential Privilege Escalation Using Symlink Between Osk and Cmd +# Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. 
Often used by attacker to allow the ransomware to work in safe mode as some security products do not +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = d7662ff6-9e97-4596-a61d-9839e32dee8d +RuleName = Add SafeBoot Keys Via Reg Utility EventType = Process.Start -Tag = proc-start-potential-privilege-escalation-using-symlink-between-osk-and-cmd +Tag = proc-start-add-safeboot-keys-via-reg-utility RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.008"], "author": "frack113"} -Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%mklink%" and Process.CommandLine like r"%\\osk.exe%" and Process.CommandLine like r"%\\cmd.exe%" +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"%\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot%" and (Process.CommandLine like r"% copy %" or Process.CommandLine like r"% add %") [ThreatDetectionRule platform=Windows] -# Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. 
-# Author: Swachchhanda Shrawan Poudel -RuleId = d557dc06-62e8-4468-a8e8-7984124908ce -RuleName = HackTool - WinPwn Execution +# Detects Cobalt Strike module/commands accidentally entered in CMD shell +# Author: _pete_0, TheDFIRReport +RuleId = 4f154fb6-27d1-4813-a759-78b93e0b9c48 +RuleName = Operator Bloopers Cobalt Strike Modules EventType = Process.Start -Tag = proc-start-hacktool-winpwn-execution +Tag = proc-start-operator-bloopers-cobalt-strike-modules RiskScore = 75 -Annotation = {"mitre_attack": ["T1046", "T1082", "T1106", "T1518", "T1548.002", "T1552.001", "T1555", "T1555.003"], "author": "Swachchhanda Shrawan Poudel"} -Query = Process.CommandLine like r"%Offline\_Winpwn%" or Process.CommandLine like r"%WinPwn %" or Process.CommandLine like r"%WinPwn.exe%" or Process.CommandLine like r"%WinPwn.ps1%" +Annotation = {"mitre_attack": ["T1059.003"], "author": "_pete_0, TheDFIRReport"} +Query = (Process.Name == "Cmd.Exe" or Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"%Invoke-UserHunter%" or Process.CommandLine like r"%Invoke-ShareFinder%" or Process.CommandLine like r"%Invoke-Kerberoast%" or Process.CommandLine like r"%Invoke-SMBAutoBrute%" or Process.CommandLine like r"%Invoke-Nightmare%" or Process.CommandLine like r"%zerologon%" or Process.CommandLine like r"%av\_query%") [ThreatDetectionRule platform=Windows] -# Detects the execution of msiexec.exe from an uncommon directory +# Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features # Author: Florian Roth (Nextron Systems) -RuleId = e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144 -RuleName = Potential MsiExec Masquerading +RuleId = fb50eb7a-5ab1-43ae-bcc9-091818cb8424 +RuleName = Disabled IE Security Features EventType = Process.Start -Tag = proc-start-potential-msiexec-masquerading +Tag = proc-start-disabled-ie-security-features RiskScore = 75 -Annotation = {"mitre_attack": ["T1036.005"], "author": "Florian Roth (Nextron 
Systems)"} -Query = (Process.Path like r"%\\msiexec.exe" or Process.Name == "\\msiexec.exe") and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%") +Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"% -name IEHarden %" and Process.CommandLine like r"% -value 0 %" or Process.CommandLine like r"% -name DEPOff %" and Process.CommandLine like r"% -value 1 %" or Process.CommandLine like r"% -name DisableFirstRunCustomize %" and Process.CommandLine like r"% -value 2 %" [ThreatDetectionRule platform=Windows] -# Detects registry keys related to NetWire RAT -# Author: Christopher Peacock -RuleId = 1d218616-71b0-4c40-855b-9dbe75510f7f -RuleName = Potential NetWire RAT Activity - Registry -EventType = Reg.Any -Tag = potential-netwire-rat-activity-registry +# Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = a34f79a3-8e5f-4cc3-b765-de00695452c2 +RuleName = HackTool - PowerTool Execution +EventType = Process.Start +Tag = proc-start-hacktool-powertool-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Christopher Peacock"} -Query = Reg.EventType == "CreateKey" and Reg.TargetObject like r"%\\software\\NetWire%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.EventType +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\PowerTool.exe" or Process.Path like r"%\\PowerTool64.exe" or Process.Name == "PowerTool.exe" [ThreatDetectionRule platform=Windows] -# Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 +# Detects suspicious process related 
to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 # Author: Florian Roth (Nextron Systems) -RuleId = 731231b9-0b5d-4219-94dd-abb6959aa7ea -RuleName = Suspicious Rundll32 Activity Invoking Sys File +RuleId = 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd +RuleName = Suspicious Rundll32 Invoking Inline VBScript EventType = Process.Start -Tag = proc-start-suspicious-rundll32-activity-invoking-sys-file +Tag = proc-start-suspicious-rundll32-invoking-inline-vbscript RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.011"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%rundll32.exe%" and (Process.CommandLine like r"%.sys,%" or Process.CommandLine like r"%.sys %") - +Annotation = {"mitre_attack": ["T1055"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%Execute%" and Process.CommandLine like r"%RegRead%" and Process.CommandLine like r"%window.close%" + [ThreatDetectionRule platform=Windows] -# Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. 
+# Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 # Author: Florian Roth (Nextron Systems) -RuleId = df55196f-f105-44d3-a675-e9dfb6cc2f2b -RuleName = Renamed AdFind Execution +RuleId = 731231b9-0b5d-4219-94dd-abb6959aa7ea +RuleName = Suspicious Rundll32 Activity Invoking Sys File EventType = Process.Start -Tag = proc-start-renamed-adfind-execution +Tag = proc-start-suspicious-rundll32-activity-invoking-sys-file RiskScore = 75 -Annotation = {"mitre_attack": ["T1018", "T1087.002", "T1482", "T1069.002"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.CommandLine like r"%domainlist%" or Process.CommandLine like r"%trustdmp%" or Process.CommandLine like r"%dcmodes%" or Process.CommandLine like r"%adinfo%" or Process.CommandLine like r"% dclist %" or Process.CommandLine like r"%computer\_pwdnotreqd%" or Process.CommandLine like r"%objectcategory=%" or Process.CommandLine like r"%-subnets -f%" or Process.CommandLine like r"%name=\"Domain Admins\"%" or Process.CommandLine like r"%-sc u:%" or Process.CommandLine like r"%domainncs%" or Process.CommandLine like r"%dompol%" or Process.CommandLine like r"% oudmp %" or Process.CommandLine like r"%subnetdmp%" or Process.CommandLine like r"%gpodmp%" or Process.CommandLine like r"%fspdmp%" or Process.CommandLine like r"%users\_noexpire%" or Process.CommandLine like r"%computers\_active%" or Process.CommandLine like r"%computers\_pwdnotreqd%" or Process.Hashes like r"%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%" or Process.Hashes like r"%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%" or Process.Name == "AdFind.exe") and not Process.Path like r"%\\AdFind.exe" -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1218.011"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%rundll32.exe%" and (Process.CommandLine like r"%.sys,%" or Process.CommandLine like r"%.sys %") [ThreatDetectionRule 
platform=Windows] -# Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel +# Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 2cf29f11-e356-4f61-98c0-1bdb9393d6da -RuleName = Renamed Visual Studio Code Tunnel Execution +RuleId = ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6 +RuleName = Mstsc.EXE Execution From Uncommon Parent EventType = Process.Start -Tag = proc-start-renamed-visual-studio-code-tunnel-execution +Tag = proc-start-mstsc.exe-execution-from-uncommon-parent RiskScore = 75 -Annotation = {"mitre_attack": ["T1071.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (isnull(Process.Name) and Process.CommandLine like r"%.exe tunnel" or Process.CommandLine like r"%.exe tunnel%" and Process.CommandLine like r"%--name %" and Process.CommandLine like r"%--accept-server-license-terms%" or Process.CommandLine like r"%tunnel %" and Process.CommandLine like r"%service%" and Process.CommandLine like r"%internal-run%" and Process.CommandLine like r"%tunnel-service.log%") and not (Process.Path like r"%\\code-tunnel.exe" or Process.Path like r"%\\code.exe") or Parent.CommandLine like r"% tunnel" and Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%/d /c %" and Process.CommandLine like r"%\\servers\\Stable-%" and Process.CommandLine like r"%code-server.cmd%" and not (Parent.Path like r"%\\code-tunnel.exe" or Parent.Path like r"%\\code.exe") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Parent.Path like r"%\\brave.exe" or Parent.Path like r"%\\CCleanerBrowser.exe" or Parent.Path like r"%\\chrome.exe" or Parent.Path like r"%\\chromium.exe" or Parent.Path like r"%\\firefox.exe" or Parent.Path like r"%\\iexplore.exe" or Parent.Path like r"%\\microsoftedge.exe" or Parent.Path like r"%\\msedge.exe" or Parent.Path like r"%\\opera.exe" or 
Parent.Path like r"%\\vivaldi.exe" or Parent.Path like r"%\\whale.exe" or Parent.Path like r"%\\outlook.exe") and (Process.Path like r"%\\mstsc.exe" or Process.Name == "mstsc.exe") GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64) -# Author: Christian Burkard (Nextron Systems) -RuleId = bdd8157d-8e85-4397-bb82-f06cc9c71dbb -RuleName = UAC Bypass Using IEInstal - File +# Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware +# Author: X__Junior (Nextron Systems) +RuleId = cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca +RuleName = Suspicious File Creation Activity From Fake Recycle.Bin Folder EventType = File.Create -Tag = uac-bypass-using-ieinstal-file +Tag = suspicious-file-creation-activity-from-fake-recycle.bin-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} -Query = Process.Path == "C:\\Program Files\\Internet Explorer\\IEInstal.exe" and File.Path like r"C:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Temp\\%" and File.Path like r"%consent.exe" +Annotation = {"author": "X__Junior (Nextron Systems)"} +Query = Process.Path like r"%RECYCLERS.BIN\\%" or Process.Path like r"%RECYCLER.BIN\\%" or File.Path like r"%RECYCLERS.BIN\\%" or File.Path like r"%RECYCLER.BIN\\%" GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution -# Author: Michael Haag -RuleId = 03cc0c25-389f-4bf8-b48d-11878079f1ca -RuleName = Suspicious MSHTA Child Process -EventType = Process.Start -Tag = proc-start-suspicious-mshta-child-process +# Detects potential malicious modification of run keys by winekey or team9 backdoor +# Author: omkar72 +RuleId = b98968aa-dbc0-4a9c-ac35-108363cbf8d5 +RuleName = WINEKEY 
Registry Modification +EventType = Reg.Any +Tag = winekey-registry-modification RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.005"], "author": "Michael Haag"} -Query = Parent.Path like r"%\\mshta.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Name in ["Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe", "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe"]) -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1547"], "author": "omkar72"} +Query = Reg.TargetObject like r"%Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects a set of suspicious network related commands often used in recon stages +# Detects a service binary running in a suspicious directory # Author: Florian Roth (Nextron Systems) -RuleId = e6313acd-208c-44fc-a0ff-db85d572e90e -RuleName = Network Reconnaissance Activity +RuleId = 883faa95-175a-4e22-8181-e5761aeb373c +RuleName = Suspicious Service Binary Directory EventType = Process.Start -Tag = proc-start-network-reconnaissance-activity +Tag = proc-start-suspicious-service-binary-directory RiskScore = 75 -Annotation = {"mitre_attack": ["T1087", "T1082"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%nslookup%" and Process.CommandLine like r"%\_ldap.\_tcp.dc.\_msdcs.%" +Annotation = {"mitre_attack": ["T1202"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\$Recycle.bin%" or Process.Path like r"%\\Users\\All Users\\%" or Process.Path like 
r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\Contacts\\%" or Process.Path like r"%\\Users\\Searches\\%" or Process.Path like r"%C:\\Perflogs\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\addins\\%") and (Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\svchost.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. -# This way we are also able to catch cases in which the attacker has renamed the procdump executable. -# Author: Florian Roth (Nextron Systems) -RuleId = 5afee48e-67dd-4e03-a783-f74259dcf998 -RuleName = Potential LSASS Process Dump Via Procdump +# Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 63d1ccc0-2a43-4f4b-9289-361b308991ff +RuleName = Wab/Wabmig Unusual Parent Or Child Processes EventType = Process.Start -Tag = proc-start-potential-lsass-process-dump-via-procdump +Tag = proc-start-wab/wabmig-unusual-parent-or-child-processes RiskScore = 75 -Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.CommandLine like r"% -ma %" or Process.CommandLine like r"% /ma %" or Process.CommandLine like r"% –ma %" or Process.CommandLine like r"% —ma %" or Process.CommandLine like r"% ―ma %") and Process.CommandLine like r"% ls%" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Parent.Path like r"%\\WmiPrvSE.exe" or Parent.Path like r"%\\svchost.exe" or Parent.Path like r"%\\dllhost.exe") and (Process.Path like r"%\\wab.exe" or Process.Path like r"%\\wabmig.exe") or 
Parent.Path like r"%\\wab.exe" or Parent.Path like r"%\\wabmig.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption -# Author: frack113 -RuleId = 83314318-052a-4c90-a1ad-660ece38d276 -RuleName = Blackbyte Ransomware Registry -EventType = Reg.Any -Tag = blackbyte-ransomware-registry +# Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line +# Author: Florian Roth (Nextron Systems) +RuleId = fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c +RuleName = PowerShell Base64 Encoded FromBase64String Cmdlet +EventType = Process.Start +Tag = proc-start-powershell-base64-encoded-frombase64string-cmdlet RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "frack113"} -Query = (Reg.TargetObject in ["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled"]) and Reg.Value.Data == "DWORD (0x00000001)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1140", "T1059.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%OjpGcm9tQmFzZTY0U3RyaW5n%" or Process.CommandLine like r"%o6RnJvbUJhc2U2NFN0cmluZ%" or Process.CommandLine like r"%6OkZyb21CYXNlNjRTdHJpbm%" or Process.CommandLine like r"%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%" or Process.CommandLine like r"%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%" or Process.CommandLine like r"%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%" [ThreatDetectionRule platform=Windows] -# Detects disabling Windows Defender PUA protection -# Author: Austin Songer @austinsonger -RuleId = 8ffc5407-52e3-478f-9596-0a7371eafe13 
-RuleName = Disable PUA Protection on Windows Defender -EventType = Reg.Any -Tag = disable-pua-protection-on-windows-defender +# Files with well-known filenames (parts of credential dump software or files produced by them) creation +# Author: Teymur Kheirkhabarov, oscd.community +RuleId = 8fbf3271-1ef6-4e94-8210-03c2317947f6 +RuleName = Cred Dump Tools Dropped Files +EventType = File.Create +Tag = cred-dump-tools-dropped-files RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Austin Songer @austinsonger"} -Query = Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows Defender\\PUAProtection%" and Reg.Value.Data == "DWORD (0x00000000)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1003.001", "T1003.002", "T1003.003", "T1003.004", "T1003.005"], "author": "Teymur Kheirkhabarov, oscd.community"} +Query = File.Path like r"%\\fgdump-log%" or File.Path like r"%\\kirbi%" or File.Path like r"%\\pwdump%" or File.Path like r"%\\pwhashes%" or File.Path like r"%\\wce\_ccache%" or File.Path like r"%\\wce\_krbtkts%" or File.Path like r"%\\cachedump.exe" or File.Path like r"%\\cachedump64.exe" or File.Path like r"%\\DumpExt.dll" or File.Path like r"%\\DumpSvc.exe" or File.Path like r"%\\Dumpy.exe" or File.Path like r"%\\fgexec.exe" or File.Path like r"%\\lsremora.dll" or File.Path like r"%\\lsremora64.dll" or File.Path like r"%\\NTDS.out" or File.Path like r"%\\procdump64.exe" or File.Path like r"%\\pstgdump.exe" or File.Path like r"%\\pwdump.exe" or File.Path like r"%\\SAM.out" or File.Path like r"%\\SECURITY.out" or File.Path like r"%\\servpw.exe" or File.Path like r"%\\servpw64.exe" or File.Path like r"%\\SYSTEM.out" or File.Path like r"%\\test.pwd" or File.Path like r"%\\wceaux.dll" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - 
could lead to false positives) -# Author: Florian Roth (Nextron Systems) -RuleId = 4627c6ae-6899-46e2-aa0c-6ebcb1becd19 -RuleName = HackTool - Impacket Tools Execution +# Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively +# Author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) +RuleId = f89b08d0-77ad-4728-817b-9b16c5a69c7a +RuleName = HackTool - SharpImpersonation Execution EventType = Process.Start -Tag = proc-start-hacktool-impacket-tools-execution +Tag = proc-start-hacktool-sharpimpersonation-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1557.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\goldenPac%" or Process.Path like r"%\\karmaSMB%" or Process.Path like r"%\\kintercept%" or Process.Path like r"%\\ntlmrelayx%" or Process.Path like r"%\\rpcdump%" or Process.Path like r"%\\samrdump%" or Process.Path like r"%\\secretsdump%" or Process.Path like r"%\\smbexec%" or Process.Path like r"%\\smbrelayx%" or Process.Path like r"%\\wmiexec%" or Process.Path like r"%\\wmipersist%" or Process.Path like r"%\\atexec\_windows.exe" or Process.Path like r"%\\dcomexec\_windows.exe" or Process.Path like r"%\\dpapi\_windows.exe" or Process.Path like r"%\\findDelegation\_windows.exe" or Process.Path like r"%\\GetADUsers\_windows.exe" or Process.Path like r"%\\GetNPUsers\_windows.exe" or Process.Path like r"%\\getPac\_windows.exe" or Process.Path like r"%\\getST\_windows.exe" or Process.Path like r"%\\getTGT\_windows.exe" or Process.Path like r"%\\GetUserSPNs\_windows.exe" or Process.Path like r"%\\ifmap\_windows.exe" or Process.Path like r"%\\mimikatz\_windows.exe" or Process.Path like r"%\\netview\_windows.exe" or Process.Path like r"%\\nmapAnswerMachine\_windows.exe" or Process.Path like r"%\\opdump\_windows.exe" or Process.Path like r"%\\psexec\_windows.exe" or Process.Path like 
r"%\\rdp\_check\_windows.exe" or Process.Path like r"%\\sambaPipe\_windows.exe" or Process.Path like r"%\\smbclient\_windows.exe" or Process.Path like r"%\\smbserver\_windows.exe" or Process.Path like r"%\\sniff\_windows.exe" or Process.Path like r"%\\sniffer\_windows.exe" or Process.Path like r"%\\split\_windows.exe" or Process.Path like r"%\\ticketer\_windows.exe" +Annotation = {"mitre_attack": ["T1134.001", "T1134.003"], "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\SharpImpersonation.exe" or Process.Name == "SharpImpersonation.exe" or Process.CommandLine like r"% user:%" and Process.CommandLine like r"% binary:%" or Process.CommandLine like r"% user:%" and Process.CommandLine like r"% shellcode:%" or Process.CommandLine like r"% technique:CreateProcessAsUserW%" or Process.CommandLine like r"% technique:ImpersonateLoggedOnuser%" [ThreatDetectionRule platform=Windows] 
@@ -4451,28 +4393,75 @@ GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the use of various CLI utilities exfiltrating data via web requests +# Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems +# Author: frack113 +RuleId = b2317cfa-4a47-4ead-b3ff-297438c0bc2d +RuleName = HackTool - SharpView Execution +EventType = Process.Start +Tag = proc-start-hacktool-sharpview-execution +RiskScore = 75 +Annotation = {"mitre_attack": ["T1049", "T1069.002", "T1482", "T1135", "T1033"], "author": "frack113"} +Query = Process.Name == "SharpView.exe" or Process.Path like r"%\\SharpView.exe" or Process.CommandLine like r"%Add-RemoteConnection%" or Process.CommandLine like r"%Convert-ADName%" or Process.CommandLine like r"%ConvertFrom-SID%" or Process.CommandLine like r"%ConvertFrom-UACValue%" or Process.CommandLine like r"%Convert-SidToName%" or Process.CommandLine like r"%Export-PowerViewCSV%" or Process.CommandLine like r"%Find-DomainObjectPropertyOutlier%" or Process.CommandLine like r"%Find-DomainProcess%" or Process.CommandLine like r"%Find-DomainShare%" or Process.CommandLine like r"%Find-DomainUserEvent%" or Process.CommandLine like r"%Find-DomainUserLocation%" or Process.CommandLine like r"%Find-ForeignGroup%" or Process.CommandLine like r"%Find-ForeignUser%" or Process.CommandLine like r"%Find-GPOComputerAdmin%" or Process.CommandLine like r"%Find-GPOLocation%" or Process.CommandLine like r"%Find-Interesting%" or Process.CommandLine like r"%Find-LocalAdminAccess%" or Process.CommandLine like r"%Find-ManagedSecurityGroups%" or Process.CommandLine like r"%Get-CachedRDPConnection%" or Process.CommandLine like r"%Get-DFSshare%" or Process.CommandLine like r"%Get-DomainComputer%" or Process.CommandLine like r"%Get-DomainController%" or Process.CommandLine like r"%Get-DomainDFSShare%" or Process.CommandLine like r"%Get-DomainDNSRecord%" or 
Process.CommandLine like r"%Get-DomainFileServer%" or Process.CommandLine like r"%Get-DomainForeign%" or Process.CommandLine like r"%Get-DomainGPO%" or Process.CommandLine like r"%Get-DomainGroup%" or Process.CommandLine like r"%Get-DomainGUIDMap%" or Process.CommandLine like r"%Get-DomainManagedSecurityGroup%" or Process.CommandLine like r"%Get-DomainObject%" or Process.CommandLine like r"%Get-DomainOU%" or Process.CommandLine like r"%Get-DomainPolicy%" or Process.CommandLine like r"%Get-DomainSID%" or Process.CommandLine like r"%Get-DomainSite%" or Process.CommandLine like r"%Get-DomainSPNTicket%" or Process.CommandLine like r"%Get-DomainSubnet%" or Process.CommandLine like r"%Get-DomainTrust%" or Process.CommandLine like r"%Get-DomainUserEvent%" or Process.CommandLine like r"%Get-ForestDomain%" or Process.CommandLine like r"%Get-ForestGlobalCatalog%" or Process.CommandLine like r"%Get-ForestTrust%" or Process.CommandLine like r"%Get-GptTmpl%" or Process.CommandLine like r"%Get-GroupsXML%" or Process.CommandLine like r"%Get-LastLoggedOn%" or Process.CommandLine like r"%Get-LoggedOnLocal%" or Process.CommandLine like r"%Get-NetComputer%" or Process.CommandLine like r"%Get-NetDomain%" or Process.CommandLine like r"%Get-NetFileServer%" or Process.CommandLine like r"%Get-NetForest%" or Process.CommandLine like r"%Get-NetGPO%" or Process.CommandLine like r"%Get-NetGroupMember%" or Process.CommandLine like r"%Get-NetLocalGroup%" or Process.CommandLine like r"%Get-NetLoggedon%" or Process.CommandLine like r"%Get-NetOU%" or Process.CommandLine like r"%Get-NetProcess%" or Process.CommandLine like r"%Get-NetRDPSession%" or Process.CommandLine like r"%Get-NetSession%" or Process.CommandLine like r"%Get-NetShare%" or Process.CommandLine like r"%Get-NetSite%" or Process.CommandLine like r"%Get-NetSubnet%" or Process.CommandLine like r"%Get-NetUser%" or Process.CommandLine like r"%Get-PathAcl%" or Process.CommandLine like r"%Get-PrincipalContext%" or Process.CommandLine like 
r"%Get-RegistryMountedDrive%" or Process.CommandLine like r"%Get-RegLoggedOn%" or Process.CommandLine like r"%Get-WMIRegCachedRDPConnection%" or Process.CommandLine like r"%Get-WMIRegLastLoggedOn%" or Process.CommandLine like r"%Get-WMIRegMountedDrive%" or Process.CommandLine like r"%Get-WMIRegProxy%" or Process.CommandLine like r"%Invoke-ACLScanner%" or Process.CommandLine like r"%Invoke-CheckLocalAdminAccess%" or Process.CommandLine like r"%Invoke-Kerberoast%" or Process.CommandLine like r"%Invoke-MapDomainTrust%" or Process.CommandLine like r"%Invoke-RevertToSelf%" or Process.CommandLine like r"%Invoke-Sharefinder%" or Process.CommandLine like r"%Invoke-UserImpersonation%" or Process.CommandLine like r"%Remove-DomainObjectAcl%" or Process.CommandLine like r"%Remove-RemoteConnection%" or Process.CommandLine like r"%Request-SPNTicket%" or Process.CommandLine like r"%Set-DomainObject%" or Process.CommandLine like r"%Test-AdminAccess%" + + +[ThreatDetectionRule platform=Windows] +# Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. 
This could be a sign of data stealing or remote control # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 7d1aaf3d-4304-425c-b7c3-162055e0b3ab -RuleName = Potential Data Exfiltration Activity Via CommandLine Tools +RuleId = 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 +RuleName = Potential Data Stealing Via Chromium Headless Debugging EventType = Process.Start -Tag = proc-start-potential-data-exfiltration-activity-via-commandline-tools +Tag = proc-start-potential-data-stealing-via-chromium-headless-debugging RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = ((Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"%Invoke-WebRequest%" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%wget %" or Process.CommandLine like r"%curl %") and Process.CommandLine like r"% -ur%" and Process.CommandLine like r"% -me%" and Process.CommandLine like r"% -b%" and Process.CommandLine like r"% POST %" or Process.Path like r"%\\curl.exe" and Process.CommandLine like r"%--ur%" and (Process.CommandLine like r"% -d %" or Process.CommandLine like r"% --data %") or Process.Path like r"%\\wget.exe" and (Process.CommandLine like r"%--post-data%" or Process.CommandLine like r"%--post-file%")) and (Process.CommandLine like r"%Get-Content%" or Process.CommandLine like r"%GetBytes%" or Process.CommandLine like r"%hostname%" or Process.CommandLine like r"%ifconfig%" or Process.CommandLine like r"%ipconfig%" or Process.CommandLine like r"%net view%" or Process.CommandLine like r"%netstat%" or Process.CommandLine like r"%nltest%" or Process.CommandLine like r"%qprocess%" or Process.CommandLine like r"%sc query%" or Process.CommandLine like r"%systeminfo%" or Process.CommandLine like r"%tasklist%" or Process.CommandLine like r"%ToBase64String%" or Process.CommandLine like r"%whoami%" or Process.CommandLine like 
r"%type %" and Process.CommandLine like r"% > %" and Process.CommandLine like r"% C:\\%") +Annotation = {"mitre_attack": ["T1185"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%--remote-debugging-%" and Process.CommandLine like r"%--user-data-dir%" and Process.CommandLine like r"%--headless%" [ThreatDetectionRule platform=Windows] -# Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service +# Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence # Author: Florian Roth (Nextron Systems) -RuleId = cea2b7ea-792b-405f-95a1-b903ea06458f -RuleName = Suspicious Child Process Of Manage Engine ServiceDesk +RuleId = ebef4391-1a81-4761-a40a-1db446c0e625 +RuleName = New ActiveScriptEventConsumer Created Via Wmic.EXE EventType = Process.Start -Tag = proc-start-suspicious-child-process-of-manage-engine-servicedesk +Tag = proc-start-new-activescripteventconsumer-created-via-wmic.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1102"], "author": "Florian Roth (Nextron Systems)"} -Query = Parent.Path like r"%\\ManageEngine\\ServiceDesk\\%" and Parent.Path like r"%\\java.exe%" and (Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\calc.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\curl.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\query.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\sh.exe" or Process.Path like 
r"%\\systeminfo.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") and not ((Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"% stop%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1546.003"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%ActiveScriptEventConsumer%" and Process.CommandLine like r"% CREATE %" + + +[ThreatDetectionRule platform=Windows] +# Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers +# Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton +RuleId = b6b49cd1-34d6-4ead-b1bf-176e9edba9a4 +RuleName = Potential PowerShell Obfuscation Via Reversed Commands +EventType = Process.Start +Tag = proc-start-potential-powershell-obfuscation-via-reversed-commands +RiskScore = 75 +Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%hctac%" or Process.CommandLine like r"%kaerb%" or Process.CommandLine like r"%dnammoc%" or Process.CommandLine like r"%ekovn%" or Process.CommandLine like r"%eliFd%" or Process.CommandLine like r"%rahc%" or Process.CommandLine like r"%etirw%" or Process.CommandLine like r"%golon%" or Process.CommandLine like r"%tninon%" or Process.CommandLine like r"%eddih%" or Process.CommandLine like r"%tpircS%" or Process.CommandLine like r"%ssecorp%" or Process.CommandLine like r"%llehsrewop%" or Process.CommandLine like r"%esnopser%" or Process.CommandLine like r"%daolnwod%" or Process.CommandLine like r"%tneilCbeW%" or Process.CommandLine like r"%tneilc%" or Process.CommandLine like r"%ptth%" or 
Process.CommandLine like r"%elifotevas%" or Process.CommandLine like r"%46esab%" or Process.CommandLine like r"%htaPpmeTteG%" or Process.CommandLine like r"%tcejbO%" or Process.CommandLine like r"%maerts%" or Process.CommandLine like r"%hcaerof%" or Process.CommandLine like r"%retupmoc%") and not (Process.CommandLine like r"% -EncodedCommand %" or Process.CommandLine like r"% -enc %") + + +[ThreatDetectionRule platform=Windows] +# Detects email exfiltration via powershell cmdlets +# Author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea) +RuleId = 312d0384-401c-4b8b-abdf-685ffba9a332 +RuleName = Email Exifiltration Via Powershell +EventType = Process.Start +Tag = proc-start-email-exifiltration-via-powershell +RiskScore = 75 +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Add-PSSnapin%" and Process.CommandLine like r"%Get-Recipient%" and Process.CommandLine like r"%-ExpandProperty%" and Process.CommandLine like r"%EmailAddresses%" and Process.CommandLine like r"%SmtpAddress%" and Process.CommandLine like r"%-hidetableheaders%" + + +[ThreatDetectionRule platform=Windows] +# Detects execution of "reg.exe" to disable security services such as Windows Defender. 
+# Author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim +RuleId = 5e95028c-5229-4214-afae-d653d573d0ec +RuleName = Security Service Disabled Via Reg.EXE +EventType = Process.Start +Tag = proc-start-security-service-disabled-via-reg.exe +RiskScore = 75 +Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim"} +Query = Process.CommandLine like r"%reg%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%d 4%" and Process.CommandLine like r"%v Start%" and (Process.CommandLine like r"%\\AppIDSvc%" or Process.CommandLine like r"%\\MsMpSvc%" or Process.CommandLine like r"%\\NisSrv%" or Process.CommandLine like r"%\\SecurityHealthService%" or Process.CommandLine like r"%\\Sense%" or Process.CommandLine like r"%\\UsoSvc%" or Process.CommandLine like r"%\\WdBoot%" or Process.CommandLine like r"%\\WdFilter%" or Process.CommandLine like r"%\\WdNisDrv%" or Process.CommandLine like r"%\\WdNisSvc%" or Process.CommandLine like r"%\\WinDefend%" or Process.CommandLine like r"%\\wscsvc%" or Process.CommandLine like r"%\\wuauserv%") [ThreatDetectionRule platform=Windows] 
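Review bot: The `Security Service Disabled Via Reg.EXE` rule (RuleId 5e95028c…) at the end of this hunk matches on command-line substrings only — `%reg%`, `%add%`, `%d 4%`, `%v Start%` plus the service list — with no Process.Path or Process.Name term, so despite its name it is not tied to reg.exe, and the `%reg%`/`%add%` fragments add little selectivity since any argument containing those letters satisfies them. The `d 4` fragment is also easy to sidestep: I believe reg.exe accepts hex and zero-padded REG_DWORD values (`/d 0x4`, `/d 00000004`), neither of which this Query sees, so the disable of WinDefend/Sense/etc. goes unreported for a trivially rewritten command. Because this file is converter output, the correction belongs in the upstream Sigma rule rather than a hand edit here, but the mapped form would be `Query = Process.CommandLine like r"%reg%" and Process.CommandLine like r"%add%" and (Process.CommandLine like r"%d 4%" or Process.CommandLine like r"%d 0x4%" or Process.CommandLine like r"%d 00000004%") and Process.CommandLine like r"%v Start%" and (…service list unchanged…)`. The same "named after a binary but no image term" pattern applies to `New ActiveScriptEventConsumer Created Via Wmic.EXE` earlier in the hunk; that may be deliberate so a renamed wmic.exe still fires, in which case a description line such as `# Note: matches on command line only and is not restricted to the wmic.exe image, so renamed copies are also caught` would make the intent explicit for analysts tuning it.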
@@ -4489,638 +4478,591 @@ GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) -# Author: Christian Burkard (Nextron Systems) -RuleId = 155dbf56-e0a4-4dd0-8905-8a98705045e8 -RuleName = UAC Bypass Abusing Winsat Path Parsing - File -EventType = File.Create -Tag = uac-bypass-abusing-winsat-path-parsing-file -RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} -Query = File.Path like r"C:\\Users\\%" and (File.Path like r"%\\AppData\\Local\\Temp\\system32\\winsat.exe" or File.Path like r"%\\AppData\\Local\\Temp\\system32\\winmm.dll") -GenericProperty1 = File.Path - - -[ThreatDetectionRule platform=Windows] -# Detects the setting of the environement variable "windir" to a non default value. -# Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. -# The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC. 
-# Author: frack113, Nextron Systems -RuleId = 724ea201-6514-4f38-9739-e5973c34f49a -RuleName = Bypass UAC Using SilentCleanup Task +# Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4 +RuleName = Potentially Suspicious ODBC Driver Registered EventType = Reg.Any -Tag = bypass-uac-using-silentcleanup-task +Tag = potentially-suspicious-odbc-driver-registered RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "frack113, Nextron Systems"} -Query = Reg.TargetObject like r"%\\Environment\\windir" and not Reg.Value.Data == "\%SystemRoot\%" +Annotation = {"mitre_attack": ["T1003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\ODBC\\ODBCINST.INI\\%" and (Reg.TargetObject like r"%\\Driver" or Reg.TargetObject like r"%\\Setup") and (Reg.Value.Data like r"%:\\PerfLogs\\%" or Reg.Value.Data like r"%:\\ProgramData\\%" or Reg.Value.Data like r"%:\\Temp\\%" or Reg.Value.Data like r"%:\\Users\\Public\\%" or Reg.Value.Data like r"%:\\Windows\\Registration\\CRMLog%" or Reg.Value.Data like r"%:\\Windows\\System32\\com\\dmp\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\FxsTmp\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\spool\\drivers\\color\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\spool\\PRINTERS\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\spool\\SERVERS\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\Tasks\_Migrated\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Reg.Value.Data like r"%:\\Windows\\SysWOW64\\com\\dmp\\%" or Reg.Value.Data like r"%:\\Windows\\SysWOW64\\FxsTmp\\%" or Reg.Value.Data like r"%:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\%" or 
Reg.Value.Data like r"%:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Reg.Value.Data like r"%:\\Windows\\Tasks\\%" or Reg.Value.Data like r"%:\\Windows\\Temp\\%" or Reg.Value.Data like r"%:\\Windows\\Tracing\\%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Roaming\\%") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects uncommon child process of Setres.EXE. -# Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. -# It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path. -# Author: @gott_cyber, Nasreddine Bencherchali (Nextron Systems) -RuleId = 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7 -RuleName = Uncommon Child Process Of Setres.EXE -EventType = Process.Start -Tag = proc-start-uncommon-child-process-of-setres.exe -RiskScore = 75 -Annotation = {"mitre_attack": ["T1218", "T1202"], "author": "@gott_cyber, Nasreddine Bencherchali (Nextron Systems)"} -Query = Parent.Path like r"%\\setres.exe" and Process.Path like r"%\\choice%" and not (Process.Path like r"%C:\\Windows\\System32\\choice.exe" or Process.Path like r"%C:\\Windows\\SysWOW64\\choice.exe") -GenericProperty1 = Parent.Path +# Get-Variable is a valid PowerShell cmdlet +# WindowsApps is by default in the path where PowerShell is executed. +# So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet. 
+# Author: frack113 +RuleId = 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b +RuleName = Suspicious Get-Variable.exe Creation +EventType = File.Create +Tag = suspicious-get-variable.exe-creation +RiskScore = 75 +Annotation = {"mitre_attack": ["T1546", "T1027"], "author": "frack113"} +Query = File.Path like r"%Local\\Microsoft\\WindowsApps\\Get-Variable.exe" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects potential COM object hijacking via modification of default system CLSID. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 790317c0-0a36-4a6a-a105-6e576bf99a14 -RuleName = COM Object Hijacking Via Modification Of Default System CLSID Default Value -EventType = Reg.Any -Tag = com-object-hijacking-via-modification-of-default-system-clsid-default-value +# Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. +# Author: @ROxPinTeddy +RuleId = faa48cae-6b25-4f00-a094-08947fef582f +RuleName = Rar Usage with Password and Compression Level +EventType = Process.Start +Tag = proc-start-rar-usage-with-password-and-compression-level RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.015"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\CLSID\\%" and (Reg.TargetObject like r"%\\InprocServer32\\(Default)" or Reg.TargetObject like r"%\\LocalServer32\\(Default)") and (Reg.TargetObject like r"%\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\%" or Reg.TargetObject like r"%\\{2155fee3-2419-4373-b102-6843707eb41f}\\%" or Reg.TargetObject like r"%\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\%" or Reg.TargetObject like r"%\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\%" or Reg.TargetObject like r"%\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\%" or Reg.TargetObject like r"%\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\%" or Reg.TargetObject like r"%\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\%" or 
Reg.TargetObject like r"%\\{7849596a-48ea-486e-8937-a2a3009f31a9}\\%" or Reg.TargetObject like r"%\\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\\%" or Reg.TargetObject like r"%\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\\%") and (Reg.Value.Data like r"%:\\Perflogs\\%" or Reg.Value.Data like r"%\\AppData\\Local\\%" or Reg.Value.Data like r"%\\Desktop\\%" or Reg.Value.Data like r"%\\Downloads\\%" or Reg.Value.Data like r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%" or Reg.Value.Data like r"%\\System32\\spool\\drivers\\color\\%" or Reg.Value.Data like r"%\\Temporary Internet%" or Reg.Value.Data like r"%\\Users\\Public\\%" or Reg.Value.Data like r"%\\Windows\\Temp\\%" or Reg.Value.Data like r"%\%appdata\%%" or Reg.Value.Data like r"%\%temp\%%" or Reg.Value.Data like r"%\%tmp\%%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favorites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favourites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Contacts\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Pictures\\%") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1560.001"], "author": "@ROxPinTeddy"} +Query = Process.CommandLine like r"% -hp%" and (Process.CommandLine like r"% -m%" or Process.CommandLine like r"% a %") [ThreatDetectionRule platform=Windows] -# Detects the execution GMER tool based on image and hash fields. 
-# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 9082ff1f-88ab-4678-a3cc-5bcff99fc74d -RuleName = HackTool - GMER Rootkit Detector and Remover Execution +# Detects the use of IOX - a tool for port forwarding and intranet proxy purposes +# Author: Florian Roth (Nextron Systems) +RuleId = d7654f02-e04b-4934-9838-65c46f187ebc +RuleName = PUA- IOX Tunneling Tool Execution EventType = Process.Start -Tag = proc-start-hacktool-gmer-rootkit-detector-and-remover-execution +Tag = proc-start-pua-iox-tunneling-tool-execution RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\gmer.exe" or Process.Hashes like r"%MD5=E9DC058440D321AA17D0600B3CA0AB04%" or Process.Hashes like r"%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%" or Process.Hashes like r"%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%" +Annotation = {"mitre_attack": ["T1090"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\iox.exe" or Process.CommandLine like r"%.exe fwd -l %" or Process.CommandLine like r"%.exe fwd -r %" or Process.CommandLine like r"%.exe proxy -l %" or Process.CommandLine like r"%.exe proxy -r %" or Process.Hashes like r"%MD5=9DB2D314DD3F704A02051EF5EA210993%" or Process.Hashes like r"%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%" or Process.Hashes like r"%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%" GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification -# Author: frack113 -RuleId = 674202d0-b22a-4af4-ae5f-2eda1f3da1af -RuleName = Bypass UAC Using Event Viewer -EventType = Reg.Any -Tag = bypass-uac-using-event-viewer +# Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 42a5f1e7-9603-4f6d-97ae-3f37d130d794 +RuleName = Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE +EventType = Process.Start +Tag = proc-start-suspicious-file-downloaded-from-file-sharing-website-via-certutil.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.010"], "author": "frack113"} -Query = Reg.TargetObject like r"%\_Classes\\mscfile\\shell\\open\\command\\(Default)" and not Reg.Value.Data like r"\%SystemRoot\%\\system32\\mmc.exe \"\%1\" \%%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1027"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\certutil.exe" or Process.Name == "CertUtil.exe") and (Process.CommandLine like r"%urlcache %" or Process.CommandLine like r"%verifyctl %") and (Process.CommandLine like r"%.githubusercontent.com%" or Process.CommandLine like r"%anonfiles.com%" or Process.CommandLine like r"%cdn.discordapp.com%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%dl.dropboxusercontent.com%" or Process.CommandLine like r"%ghostbin.co%" or Process.CommandLine like r"%glitch.me%" or Process.CommandLine like r"%gofile.io%" or Process.CommandLine like r"%hastebin.com%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like r"%mega.nz%" or Process.CommandLine like r"%onrender.com%" or Process.CommandLine like r"%pages.dev%" or Process.CommandLine like r"%paste.ee%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%pastebin.pl%" or Process.CommandLine like r"%pastetext.net%" or Process.CommandLine like r"%privatlab.com%" or Process.CommandLine like r"%privatlab.net%" or Process.CommandLine like r"%send.exploit.in%" or Process.CommandLine like r"%sendspace.com%" or Process.CommandLine like r"%storage.googleapis.com%" or Process.CommandLine like r"%storjshare.io%" or 
Process.CommandLine like r"%supabase.co%" or Process.CommandLine like r"%temp.sh%" or Process.CommandLine like r"%transfer.sh%" or Process.CommandLine like r"%trycloudflare.com%" or Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%w3spaces.com%" or Process.CommandLine like r"%workers.dev%") [ThreatDetectionRule platform=Windows] -# Detects suspicious PowerShell invocation with a parameter substring -# Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) -RuleId = 36210e0d-5b19-485d-a087-c096088885f0 -RuleName = Suspicious PowerShell Parameter Substring +# Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = b6e04788-29e1-4557-bb14-77f761848ab8 +RuleName = Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE EventType = Process.Start -Tag = proc-start-suspicious-powershell-parameter-substring +Tag = proc-start-potentially-suspicious-file-download-from-file-sharing-domain-via-powershell.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"% -windowstyle h %" or Process.CommandLine like r"% -windowstyl h%" or Process.CommandLine like r"% -windowsty h%" or Process.CommandLine like r"% -windowst h%" or Process.CommandLine like r"% -windows h%" or Process.CommandLine like r"% -windo h%" or Process.CommandLine like r"% -wind h%" or Process.CommandLine like r"% -win h%" or Process.CommandLine like r"% -wi h%" or Process.CommandLine like r"% -win h %" or Process.CommandLine like r"% -win hi %" or Process.CommandLine like r"% -win hid %" or Process.CommandLine like r"% -win hidd %" or Process.CommandLine like r"% -win hidde %" or Process.CommandLine like r"% -NoPr %" or 
Process.CommandLine like r"% -NoPro %" or Process.CommandLine like r"% -NoProf %" or Process.CommandLine like r"% -NoProfi %" or Process.CommandLine like r"% -NoProfil %" or Process.CommandLine like r"% -nonin %" or Process.CommandLine like r"% -nonint %" or Process.CommandLine like r"% -noninte %" or Process.CommandLine like r"% -noninter %" or Process.CommandLine like r"% -nonintera %" or Process.CommandLine like r"% -noninterac %" or Process.CommandLine like r"% -noninteract %" or Process.CommandLine like r"% -noninteracti %" or Process.CommandLine like r"% -noninteractiv %" or Process.CommandLine like r"% -ec %" or Process.CommandLine like r"% -encodedComman %" or Process.CommandLine like r"% -encodedComma %" or Process.CommandLine like r"% -encodedComm %" or Process.CommandLine like r"% -encodedCom %" or Process.CommandLine like r"% -encodedCo %" or Process.CommandLine like r"% -encodedC %" or Process.CommandLine like r"% -encoded %" or Process.CommandLine like r"% -encode %" or Process.CommandLine like r"% -encod %" or Process.CommandLine like r"% -enco %" or Process.CommandLine like r"% -en %" or Process.CommandLine like r"% -executionpolic %" or Process.CommandLine like r"% -executionpoli %" or Process.CommandLine like r"% -executionpol %" or Process.CommandLine like r"% -executionpo %" or Process.CommandLine like r"% -executionp %" or Process.CommandLine like r"% -execution bypass%" or Process.CommandLine like r"% -executio bypass%" or Process.CommandLine like r"% -executi bypass%" or Process.CommandLine like r"% -execut bypass%" or Process.CommandLine like r"% -execu bypass%" or Process.CommandLine like r"% -exec bypass%" or Process.CommandLine like r"% -exe bypass%" or Process.CommandLine like r"% -ex bypass%" or Process.CommandLine like r"% -ep bypass%" or Process.CommandLine like r"% /windowstyle h %" or Process.CommandLine like r"% /windowstyl h%" or Process.CommandLine like r"% /windowsty h%" or Process.CommandLine like r"% /windowst h%" or 
Process.CommandLine like r"% /windows h%" or Process.CommandLine like r"% /windo h%" or Process.CommandLine like r"% /wind h%" or Process.CommandLine like r"% /win h%" or Process.CommandLine like r"% /wi h%" or Process.CommandLine like r"% /win h %" or Process.CommandLine like r"% /win hi %" or Process.CommandLine like r"% /win hid %" or Process.CommandLine like r"% /win hidd %" or Process.CommandLine like r"% /win hidde %" or Process.CommandLine like r"% /NoPr %" or Process.CommandLine like r"% /NoPro %" or Process.CommandLine like r"% /NoProf %" or Process.CommandLine like r"% /NoProfi %" or Process.CommandLine like r"% /NoProfil %" or Process.CommandLine like r"% /nonin %" or Process.CommandLine like r"% /nonint %" or Process.CommandLine like r"% /noninte %" or Process.CommandLine like r"% /noninter %" or Process.CommandLine like r"% /nonintera %" or Process.CommandLine like r"% /noninterac %" or Process.CommandLine like r"% /noninteract %" or Process.CommandLine like r"% /noninteracti %" or Process.CommandLine like r"% /noninteractiv %" or Process.CommandLine like r"% /ec %" or Process.CommandLine like r"% /encodedComman %" or Process.CommandLine like r"% /encodedComma %" or Process.CommandLine like r"% /encodedComm %" or Process.CommandLine like r"% /encodedCom %" or Process.CommandLine like r"% /encodedCo %" or Process.CommandLine like r"% /encodedC %" or Process.CommandLine like r"% /encoded %" or Process.CommandLine like r"% /encode %" or Process.CommandLine like r"% /encod %" or Process.CommandLine like r"% /enco %" or Process.CommandLine like r"% /en %" or Process.CommandLine like r"% /executionpolic %" or Process.CommandLine like r"% /executionpoli %" or Process.CommandLine like r"% /executionpol %" or Process.CommandLine like r"% /executionpo %" or Process.CommandLine like r"% /executionp %" or Process.CommandLine like r"% /execution bypass%" or Process.CommandLine like r"% /executio bypass%" or Process.CommandLine like r"% /executi bypass%" or 
Process.CommandLine like r"% /execut bypass%" or Process.CommandLine like r"% /execu bypass%" or Process.CommandLine like r"% /exec bypass%" or Process.CommandLine like r"% /exe bypass%" or Process.CommandLine like r"% /ex bypass%" or Process.CommandLine like r"% /ep bypass%") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%anonfiles.com%" or Process.CommandLine like r"%cdn.discordapp.com%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%dl.dropboxusercontent.com%" or Process.CommandLine like r"%ghostbin.co%" or Process.CommandLine like r"%glitch.me%" or Process.CommandLine like r"%gofile.io%" or Process.CommandLine like r"%hastebin.com%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like r"%mega.nz%" or Process.CommandLine like r"%onrender.com%" or Process.CommandLine like r"%pages.dev%" or Process.CommandLine like r"%paste.ee%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%pastebin.pl%" or Process.CommandLine like r"%pastetext.net%" or Process.CommandLine like r"%pixeldrain.com%" or Process.CommandLine like r"%privatlab.com%" or Process.CommandLine like r"%privatlab.net%" or Process.CommandLine like r"%send.exploit.in%" or Process.CommandLine like r"%sendspace.com%" or Process.CommandLine like r"%storage.googleapis.com%" or Process.CommandLine like r"%storjshare.io%" or Process.CommandLine like r"%supabase.co%" or Process.CommandLine like r"%temp.sh%" or Process.CommandLine like r"%transfer.sh%" or Process.CommandLine like r"%trycloudflare.com%" or Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%w3spaces.com%" or Process.CommandLine like r"%workers.dev%") and (Process.CommandLine like r"%.DownloadString(%" or Process.CommandLine like r"%.DownloadFile(%" or Process.CommandLine 
like r"%Invoke-WebRequest %" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%wget %") [ThreatDetectionRule platform=Windows] -# Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. -# Author: Florian Roth (Nextron Systems) -RuleId = a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc -RuleName = Raccine Uninstall -EventType = Process.Start -Tag = proc-start-raccine-uninstall +# Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool) +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = f50f3c09-557d-492d-81db-9064a8d4e211 +RuleName = Suspicious Execution Of Renamed Sysinternals Tools - Registry +EventType = Reg.Any +Tag = suspicious-execution-of-renamed-sysinternals-tools-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%taskkill %" and Process.CommandLine like r"%RaccineSettings.exe%" or Process.CommandLine like r"%reg.exe%" and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%Raccine Tray%" or Process.CommandLine like r"%schtasks%" and Process.CommandLine like r"%/DELETE%" and Process.CommandLine like r"%Raccine Rules Updater%" +Annotation = {"mitre_attack": ["T1588.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.EventType == "CreateKey" and (Reg.TargetObject like r"%\\Active Directory Explorer%" or Reg.TargetObject like r"%\\Handle%" or Reg.TargetObject like r"%\\LiveKd%" or Reg.TargetObject like r"%\\ProcDump%" or Reg.TargetObject like r"%\\Process Explorer%" or Reg.TargetObject like r"%\\PsExec%" or Reg.TargetObject like r"%\\PsLoggedon%" or Reg.TargetObject like r"%\\PsLoglist%" or Reg.TargetObject like r"%\\PsPasswd%" or Reg.TargetObject like r"%\\PsPing%" or Reg.TargetObject like r"%\\PsService%" or Reg.TargetObject like 
r"%\\SDelete%") and Reg.TargetObject like r"%\\EulaAccepted" and not (Process.Path like r"%\\ADExplorer.exe" or Process.Path like r"%\\ADExplorer64.exe" or Process.Path like r"%\\handle.exe" or Process.Path like r"%\\handle64.exe" or Process.Path like r"%\\livekd.exe" or Process.Path like r"%\\livekd64.exe" or Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe" or Process.Path like r"%\\procexp.exe" or Process.Path like r"%\\procexp64.exe" or Process.Path like r"%\\PsExec.exe" or Process.Path like r"%\\PsExec64.exe" or Process.Path like r"%\\PsLoggedon.exe" or Process.Path like r"%\\PsLoggedon64.exe" or Process.Path like r"%\\psloglist.exe" or Process.Path like r"%\\psloglist64.exe" or Process.Path like r"%\\pspasswd.exe" or Process.Path like r"%\\pspasswd64.exe" or Process.Path like r"%\\PsPing.exe" or Process.Path like r"%\\PsPing64.exe" or Process.Path like r"%\\PsService.exe" or Process.Path like r"%\\PsService64.exe" or Process.Path like r"%\\sdelete.exe") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects default lsass dump filename generated by SafetyKatz. -# Author: Markus Neis -RuleId = e074832a-eada-4fd7-94a1-10642b130e16 -RuleName = HackTool - SafetyKatz Dump Indicator -EventType = File.Create -Tag = hacktool-safetykatz-dump-indicator +# Potential adversaries stopping ETW providers recording loaded .NET assemblies. 
+# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = bf4fc428-dcc3-4bbd-99fe-2422aeee2544 +RuleName = ETW Logging Disabled In .NET Processes - Sysmon Registry +EventType = Reg.Any +Tag = etw-logging-disabled-in-.net-processes-sysmon-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Markus Neis"} -Query = File.Path like r"%\\Temp\\debug.bin" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1112", "T1562"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = Reg.TargetObject like r"%SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" and Reg.Value.Data == "DWORD (0x00000000)" or (Reg.TargetObject like r"%\\COMPlus\_ETWEnabled" or Reg.TargetObject like r"%\\COMPlus\_ETWFlags") and (Reg.Value.Data in [0, "DWORD (0x00000000)"]) +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line -# Author: Florian Roth (Nextron Systems) -RuleId = 8f70ac5f-1f6f-4f8e-b454-db19561216c5 -RuleName = PowerShell DownloadFile -EventType = Process.Start -Tag = proc-start-powershell-downloadfile +# Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned. 
+# Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) +RuleId = 91239011-fe3c-4b54-9f24-15c86bb65913 +RuleName = Office Macros Warning Disabled +EventType = Reg.Any +Tag = office-macros-warning-disabled RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001", "T1104", "T1105"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%.DownloadFile%" and Process.CommandLine like r"%System.Net.WebClient%" +Annotation = {"mitre_attack": ["T1112"], "author": "Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Security\\VBAWarnings" and Reg.Value.Data == "DWORD (0x00000001)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = f11f2808-adb4-46c0-802a-8660db50fa99 -RuleName = ImagingDevices Unusual Parent/Child Processes -EventType = Process.Start -Tag = proc-start-imagingdevices-unusual-parent/child-processes +# Detects the creation of a file with an uncommon extension in an Office application startup folder +# Author: frack113, Nasreddine Bencherchali (Nextron Systems) +RuleId = a10a2c40-2c4d-49f8-b557-1a946bc55d9d +RuleName = Uncommon File Created In Office Startup Folder +EventType = File.Create +Tag = uncommon-file-created-in-office-startup-folder RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Parent.Path like r"%\\WmiPrvSE.exe" or Parent.Path like r"%\\svchost.exe" or Parent.Path like r"%\\dllhost.exe") and Process.Path like r"%\\ImagingDevices.exe" or Parent.Path like r"%\\ImagingDevices.exe" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1587.001"], "author": "frack113, 
Nasreddine Bencherchali (Nextron Systems)"} +Query = ((File.Path like r"%\\Microsoft\\Word\\STARTUP%" or File.Path like r"%\\Office%" and File.Path like r"%\\Program Files%" and File.Path like r"%\\STARTUP%") and not (File.Path like r"%.docb" or File.Path like r"%.docm" or File.Path like r"%.docx" or File.Path like r"%.dotm" or File.Path like r"%.mdb" or File.Path like r"%.mdw" or File.Path like r"%.pdf" or File.Path like r"%.wll" or File.Path like r"%.wwl") or (File.Path like r"%\\Microsoft\\Excel\\XLSTART%" or File.Path like r"%\\Office%" and File.Path like r"%\\Program Files%" and File.Path like r"%\\XLSTART%") and not (File.Path like r"%.xll" or File.Path like r"%.xls" or File.Path like r"%.xlsm" or File.Path like r"%.xlsx" or File.Path like r"%.xlt" or File.Path like r"%.xltm" or File.Path like r"%.xlw")) and not (Process.Path like r"%:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\%" and Process.Path like r"%\\OfficeClickToRun.exe" or (Process.Path like r"%:\\Program Files\\Microsoft Office\\%" or Process.Path like r"%:\\Program Files (x86)\\Microsoft Office\\%") and (Process.Path like r"%\\winword.exe" or Process.Path like r"%\\excel.exe")) +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. -# Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet. 
-# Author: @Kostastsale -RuleId = 023c654f-8f16-44d9-bb2b-00ff36a62af9 -RuleName = Python Function Execution Security Warning Disabled In Excel -EventType = Process.Start -Tag = proc-start-python-function-execution-security-warning-disabled-in-excel +# BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption +# Author: frack113 +RuleId = 83314318-052a-4c90-a1ad-660ece38d276 +RuleName = Blackbyte Ransomware Registry +EventType = Reg.Any +Tag = blackbyte-ransomware-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "@Kostastsale"} -Query = Process.CommandLine like r"%\\Microsoft\\Office\\%" and Process.CommandLine like r"%\\Excel\\Security%" and Process.CommandLine like r"%PythonFunctionWarnings%" and Process.CommandLine like r"% 0%" +Annotation = {"mitre_attack": ["T1112"], "author": "frack113"} +Query = (Reg.TargetObject in ["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled"]) and Reg.Value.Data == "DWORD (0x00000001)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag -# Author: frack113, Florian Roth -RuleId = 4f73421b-5a0b-4bbf-a892-5a7fb99bea66 -RuleName = Mavinject Inject DLL Into Running Process +# Detects the usage of "pypykatz" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored +# Author: frack113 +RuleId = a29808fd-ef50-49ff-9c7a-59a9b040b404 +RuleName = HackTool - Pypykatz Credentials Dumping Activity EventType = Process.Start -Tag = proc-start-mavinject-inject-dll-into-running-process +Tag = proc-start-hacktool-pypykatz-credentials-dumping-activity RiskScore = 75 -Annotation = {"mitre_attack": ["T1055.001", "T1218.013"], "author": "frack113, Florian Roth"} -Query = Process.CommandLine like r"% /INJECTRUNNING %" and not Parent.Path == "C:\\Windows\\System32\\AppVClient.exe" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1003.002"], "author": "frack113"} +Query = (Process.Path like r"%\\pypykatz.exe" or Process.Path like r"%\\python.exe") and Process.CommandLine like r"%live%" and Process.CommandLine like r"%registry%" [ThreatDetectionRule platform=Windows] -# Detects usage of winget to add a new insecure (http) download source. 
-# Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos) -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 -RuleName = Add Insecure Download Source To Winget +# Detects base64 encoded strings used in hidden malicious PowerShell command lines +# Author: John Lambert (rule) +RuleId = f26c6093-6f14-4b12-800f-0fcb46f5ffd0 +RuleName = Malicious Base64 Encoded PowerShell Keywords in Command Lines EventType = Process.Start -Tag = proc-start-add-insecure-download-source-to-winget +Tag = proc-start-malicious-base64-encoded-powershell-keywords-in-command-lines RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\winget.exe" or Process.Name == "winget.exe") and Process.CommandLine like r"%source %" and Process.CommandLine like r"%add %" and Process.CommandLine like r"%http://%" +Annotation = {"mitre_attack": ["T1059.001"], "author": "John Lambert (rule)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and Process.CommandLine like r"% hidden %" and (Process.CommandLine like r"%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%" or Process.CommandLine like r"%aXRzYWRtaW4gL3RyYW5zZmVy%" or Process.CommandLine like r"%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%" or Process.CommandLine like r"%JpdHNhZG1pbiAvdHJhbnNmZX%" or Process.CommandLine like r"%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%" or Process.CommandLine like r"%Yml0c2FkbWluIC90cmFuc2Zlc%" or Process.CommandLine like r"%AGMAaAB1AG4AawBfAHMAaQB6AGUA%" or Process.CommandLine like r"%JABjAGgAdQBuAGsAXwBzAGkAegBlA%" or Process.CommandLine like r"%JGNodW5rX3Npem%" or Process.CommandLine like r"%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%" or Process.CommandLine like r"%RjaHVua19zaXpl%" or Process.CommandLine like 
r"%Y2h1bmtfc2l6Z%" or Process.CommandLine like r"%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%" or Process.CommandLine like r"%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%" or Process.CommandLine like r"%lPLkNvbXByZXNzaW9u%" or Process.CommandLine like r"%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%" or Process.CommandLine like r"%SU8uQ29tcHJlc3Npb2%" or Process.CommandLine like r"%Ty5Db21wcmVzc2lvb%" or Process.CommandLine like r"%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%" or Process.CommandLine like r"%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%" or Process.CommandLine like r"%lPLk1lbW9yeVN0cmVhb%" or Process.CommandLine like r"%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%" or Process.CommandLine like r"%SU8uTWVtb3J5U3RyZWFt%" or Process.CommandLine like r"%Ty5NZW1vcnlTdHJlYW%" or Process.CommandLine like r"%4ARwBlAHQAQwBoAHUAbgBrA%" or Process.CommandLine like r"%5HZXRDaHVua%" or Process.CommandLine like r"%AEcAZQB0AEMAaAB1AG4Aaw%" or Process.CommandLine like r"%LgBHAGUAdABDAGgAdQBuAGsA%" or Process.CommandLine like r"%LkdldENodW5r%" or Process.CommandLine like r"%R2V0Q2h1bm%" or Process.CommandLine like r"%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%" or Process.CommandLine like r"%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%" or Process.CommandLine like r"%RIUkVBRF9JTkZPNj%" or Process.CommandLine like r"%SFJFQURfSU5GTzY0%" or Process.CommandLine like r"%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%" or Process.CommandLine like r"%VEhSRUFEX0lORk82N%" or Process.CommandLine like r"%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%" or Process.CommandLine like r"%cmVhdGVSZW1vdGVUaHJlYW%" or Process.CommandLine like r"%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%" or Process.CommandLine like r"%NyZWF0ZVJlbW90ZVRocmVhZ%" or Process.CommandLine like r"%Q3JlYXRlUmVtb3RlVGhyZWFk%" or Process.CommandLine like r"%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%" or Process.CommandLine like r"%0AZQBtAG0AbwB2AGUA%" or Process.CommandLine like r"%1lbW1vdm%" or Process.CommandLine like r"%AGUAbQBtAG8AdgBlA%" or 
Process.CommandLine like r"%bQBlAG0AbQBvAHYAZQ%" or Process.CommandLine like r"%bWVtbW92Z%" or Process.CommandLine like r"%ZW1tb3Zl%") [ThreatDetectionRule platform=Windows] -# Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry -# Author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali -RuleId = e1aa95de-610a-427d-b9e7-9b46cfafbe6a -RuleName = Windows Defender Service Disabled - Registry +# Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) +# Author: Christian Burkard (Nextron Systems) +RuleId = 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 +RuleName = Shell Open Registry Keys Manipulation EventType = Reg.Any -Tag = windows-defender-service-disabled-registry +Tag = shell-open-registry-keys-manipulation RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "J\u00e1n Tren\u010dansk\u00fd, frack113, AlertIQ, Nasreddine Bencherchali"} -Query = Reg.TargetObject like r"%\\Services\\WinDefend\\Start" and Reg.Value.Data == "DWORD (0x00000004)" +Annotation = {"mitre_attack": ["T1548.002", "T1546.001"], "author": "Christian Burkard (Nextron Systems)"} +Query = Reg.EventType == "SetValue" and Reg.TargetObject like r"%Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue" and Reg.Value.Data like r"%\\Software\\Classes\\{%" or Reg.TargetObject like r"%Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or Reg.EventType == "SetValue" and (Reg.TargetObject like r"%Classes\\ms-settings\\shell\\open\\command\\(Default)" or Reg.TargetObject like r"%Classes\\exefile\\shell\\open\\command\\(Default)") and not Reg.Value.Data == "(Empty)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data +GenericProperty3 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects suspicious child processes of 
"provlaunch.exe" which might indicate potential abuse to proxy execution. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = f9999590-1f94-4a34-a91e-951e47bedefd -RuleName = Suspicious Provlaunch.EXE Child Process +# Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced +# Author: Florian Roth (Nextron Systems) +RuleId = 12827a56-61a4-476a-a9cb-f3068f191073 +RuleName = HackTool - KrbRelayUp Execution EventType = Process.Start -Tag = proc-start-suspicious-provlaunch.exe-child-process +Tag = proc-start-hacktool-krbrelayup-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Parent.Path like r"%\\provlaunch.exe" and (Process.Path like r"%\\calc.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%:\\PerfLogs\\%" or Process.Path like r"%:\\Temp\\%" or Process.Path like r"%:\\Users\\Public\\%" or Process.Path like r"%\\AppData\\Temp\\%" or Process.Path like r"%\\Windows\\System32\\Tasks\\%" or Process.Path like r"%\\Windows\\Tasks\\%" or Process.Path like r"%\\Windows\\Temp\\%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1558.003", "T1550.003"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\KrbRelayUp.exe" or Process.Name == "KrbRelayUp.exe" or Process.CommandLine like r"% relay %" and Process.CommandLine like r"% -Domain %" and Process.CommandLine like r"% -ComputerName %" or Process.CommandLine like r"% krbscm %" and Process.CommandLine like r"% -sc %" or Process.CommandLine like r"% spawn %" and Process.CommandLine 
like r"% -d %" and Process.CommandLine like r"% -cn %" and Process.CommandLine like r"% -cp %" [ThreatDetectionRule platform=Windows] -# Detects programs on a Windows system that should not write executables to disk -# Author: frack113, Florian Roth (Nextron Systems) -RuleId = f0540f7e-2db3-4432-b9e0-3965486744bc -RuleName = Legitimate Application Dropped Executable -EventType = File.Create -Tag = legitimate-application-dropped-executable +# Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files +# Author: frack113 +RuleId = 9719a8aa-401c-41af-8108-ced7ec9cd75c +RuleName = Windows Defender Definition Files Removed +EventType = Process.Start +Tag = proc-start-windows-defender-definition-files-removed RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "frack113, Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\eqnedt32.exe" or Process.Path like r"%\\wordpad.exe" or Process.Path like r"%\\wordview.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\certoc.exe" or Process.Path like r"%\\CertReq.exe" or Process.Path like r"%\\Desktopimgdownldr.exe" or Process.Path like r"%\\esentutl.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\AcroRd32.exe" or Process.Path like r"%\\RdrCEF.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\finger.exe") and (File.Path like r"%.exe" or File.Path like r"%.dll" or File.Path like r"%.ocx") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1562.001"], "author": "frack113"} +Query = (Process.Path like r"%\\MpCmdRun.exe" or Process.Name == "MpCmdRun.exe") and Process.CommandLine like r"% -RemoveDefinitions%" and Process.CommandLine like r"% -All%" [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading of rcdll.dll -# Author: X__Junior (Nextron Systems) -RuleId = 6e78b74f-c762-4800-82ad-f66787f10c8a -RuleName = Potential Rcdll.DLL 
Sideloading -EventType = Image.Load -Tag = potential-rcdll.dll-sideloading +# Detects PowerShell script execution from Alternate Data Stream (ADS) +# Author: Sergey Soldatov, Kaspersky Lab, oscd.community +RuleId = 45a594aa-1fbd-4972-a809-ff5a99dd81b8 +RuleName = Run PowerShell Script from ADS +EventType = Process.Start +Tag = proc-start-run-powershell-script-from-ads RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} -Query = Image.Path like r"%\\rcdll.dll" and not (Image.Path like r"C:\\Program Files (x86)\\Microsoft Visual Studio\\%" or Image.Path like r"C:\\Program Files (x86)\\Windows Kits\\%") -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1564.004"], "author": "Sergey Soldatov, Kaspersky Lab, oscd.community"} +Query = (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Get-Content%" and Process.CommandLine like r"%-Stream%" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading of "appverifUI.dll" -# Author: X__Junior (Nextron Systems) -RuleId = ee6cea48-c5b6-4304-a332-10fc6446f484 -RuleName = Potential appverifUI.DLL Sideloading -EventType = Image.Load -Tag = potential-appverifui.dll-sideloading +# Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 8834e2f7-6b4b-4f09-8906-d2276470ee23 +RuleName = PsExec/PAExec Escalation to LOCAL SYSTEM +EventType = Process.Start +Tag = proc-start-psexec/paexec-escalation-to-local-system RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} -Query = Image.Path like r"%\\appverifUI.dll" and not ((Process.Path in 
["C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe"]) and (Image.Path like r"C:\\Windows\\System32\\%" or Image.Path like r"C:\\Windows\\SysWOW64\\%" or Image.Path like r"C:\\Windows\\WinSxS\\%")) -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1587.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.CommandLine like r"% -s cmd%" or Process.CommandLine like r"% /s cmd%" or Process.CommandLine like r"% –s cmd%" or Process.CommandLine like r"% —s cmd%" or Process.CommandLine like r"% ―s cmd%" or Process.CommandLine like r"% -s -i cmd%" or Process.CommandLine like r"% -s /i cmd%" or Process.CommandLine like r"% -s –i cmd%" or Process.CommandLine like r"% -s —i cmd%" or Process.CommandLine like r"% -s ―i cmd%" or Process.CommandLine like r"% /s -i cmd%" or Process.CommandLine like r"% /s /i cmd%" or Process.CommandLine like r"% /s –i cmd%" or Process.CommandLine like r"% /s —i cmd%" or Process.CommandLine like r"% /s ―i cmd%" or Process.CommandLine like r"% –s -i cmd%" or Process.CommandLine like r"% –s /i cmd%" or Process.CommandLine like r"% –s –i cmd%" or Process.CommandLine like r"% –s —i cmd%" or Process.CommandLine like r"% –s ―i cmd%" or Process.CommandLine like r"% —s -i cmd%" or Process.CommandLine like r"% —s /i cmd%" or Process.CommandLine like r"% —s –i cmd%" or Process.CommandLine like r"% —s —i cmd%" or Process.CommandLine like r"% —s ―i cmd%" or Process.CommandLine like r"% ―s -i cmd%" or Process.CommandLine like r"% ―s /i cmd%" or Process.CommandLine like r"% ―s –i cmd%" or Process.CommandLine like r"% ―s —i cmd%" or Process.CommandLine like r"% ―s ―i cmd%" or Process.CommandLine like r"% -i -s cmd%" or Process.CommandLine like r"% -i /s cmd%" or Process.CommandLine like r"% -i –s cmd%" or Process.CommandLine like r"% -i —s cmd%" or Process.CommandLine like r"% -i ―s cmd%" or Process.CommandLine like r"% /i -s cmd%" or Process.CommandLine like r"% /i 
/s cmd%" or Process.CommandLine like r"% /i –s cmd%" or Process.CommandLine like r"% /i —s cmd%" or Process.CommandLine like r"% /i ―s cmd%" or Process.CommandLine like r"% –i -s cmd%" or Process.CommandLine like r"% –i /s cmd%" or Process.CommandLine like r"% –i –s cmd%" or Process.CommandLine like r"% –i —s cmd%" or Process.CommandLine like r"% –i ―s cmd%" or Process.CommandLine like r"% —i -s cmd%" or Process.CommandLine like r"% —i /s cmd%" or Process.CommandLine like r"% —i –s cmd%" or Process.CommandLine like r"% —i —s cmd%" or Process.CommandLine like r"% —i ―s cmd%" or Process.CommandLine like r"% ―i -s cmd%" or Process.CommandLine like r"% ―i /s cmd%" or Process.CommandLine like r"% ―i –s cmd%" or Process.CommandLine like r"% ―i —s cmd%" or Process.CommandLine like r"% ―i ―s cmd%" or Process.CommandLine like r"% -s pwsh%" or Process.CommandLine like r"% /s pwsh%" or Process.CommandLine like r"% –s pwsh%" or Process.CommandLine like r"% —s pwsh%" or Process.CommandLine like r"% ―s pwsh%" or Process.CommandLine like r"% -s -i pwsh%" or Process.CommandLine like r"% -s /i pwsh%" or Process.CommandLine like r"% -s –i pwsh%" or Process.CommandLine like r"% -s —i pwsh%" or Process.CommandLine like r"% -s ―i pwsh%" or Process.CommandLine like r"% /s -i pwsh%" or Process.CommandLine like r"% /s /i pwsh%" or Process.CommandLine like r"% /s –i pwsh%" or Process.CommandLine like r"% /s —i pwsh%" or Process.CommandLine like r"% /s ―i pwsh%" or Process.CommandLine like r"% –s -i pwsh%" or Process.CommandLine like r"% –s /i pwsh%" or Process.CommandLine like r"% –s –i pwsh%" or Process.CommandLine like r"% –s —i pwsh%" or Process.CommandLine like r"% –s ―i pwsh%" or Process.CommandLine like r"% —s -i pwsh%" or Process.CommandLine like r"% —s /i pwsh%" or Process.CommandLine like r"% —s –i pwsh%" or Process.CommandLine like r"% —s —i pwsh%" or Process.CommandLine like r"% —s ―i pwsh%" or Process.CommandLine like r"% ―s -i pwsh%" or Process.CommandLine like r"% ―s /i 
pwsh%" or Process.CommandLine like r"% ―s –i pwsh%" or Process.CommandLine like r"% ―s —i pwsh%" or Process.CommandLine like r"% ―s ―i pwsh%" or Process.CommandLine like r"% -i -s pwsh%" or Process.CommandLine like r"% -i /s pwsh%" or Process.CommandLine like r"% -i –s pwsh%" or Process.CommandLine like r"% -i —s pwsh%" or Process.CommandLine like r"% -i ―s pwsh%" or Process.CommandLine like r"% /i -s pwsh%" or Process.CommandLine like r"% /i /s pwsh%" or Process.CommandLine like r"% /i –s pwsh%" or Process.CommandLine like r"% /i —s pwsh%" or Process.CommandLine like r"% /i ―s pwsh%" or Process.CommandLine like r"% –i -s pwsh%" or Process.CommandLine like r"% –i /s pwsh%" or Process.CommandLine like r"% –i –s pwsh%" or Process.CommandLine like r"% –i —s pwsh%" or Process.CommandLine like r"% –i ―s pwsh%" or Process.CommandLine like r"% —i -s pwsh%" or Process.CommandLine like r"% —i /s pwsh%" or Process.CommandLine like r"% —i –s pwsh%" or Process.CommandLine like r"% —i —s pwsh%" or Process.CommandLine like r"% —i ―s pwsh%" or Process.CommandLine like r"% ―i -s pwsh%" or Process.CommandLine like r"% ―i /s pwsh%" or Process.CommandLine like r"% ―i –s pwsh%" or Process.CommandLine like r"% ―i —s pwsh%" or Process.CommandLine like r"% ―i ―s pwsh%" or Process.CommandLine like r"% -s powershell%" or Process.CommandLine like r"% /s powershell%" or Process.CommandLine like r"% –s powershell%" or Process.CommandLine like r"% —s powershell%" or Process.CommandLine like r"% ―s powershell%" or Process.CommandLine like r"% -s -i powershell%" or Process.CommandLine like r"% -s /i powershell%" or Process.CommandLine like r"% -s –i powershell%" or Process.CommandLine like r"% -s —i powershell%" or Process.CommandLine like r"% -s ―i powershell%" or Process.CommandLine like r"% /s -i powershell%" or Process.CommandLine like r"% /s /i powershell%" or Process.CommandLine like r"% /s –i powershell%" or Process.CommandLine like r"% /s —i powershell%" or Process.CommandLine like r"% 
/s ―i powershell%" or Process.CommandLine like r"% –s -i powershell%" or Process.CommandLine like r"% –s /i powershell%" or Process.CommandLine like r"% –s –i powershell%" or Process.CommandLine like r"% –s —i powershell%" or Process.CommandLine like r"% –s ―i powershell%" or Process.CommandLine like r"% —s -i powershell%" or Process.CommandLine like r"% —s /i powershell%" or Process.CommandLine like r"% —s –i powershell%" or Process.CommandLine like r"% —s —i powershell%" or Process.CommandLine like r"% —s ―i powershell%" or Process.CommandLine like r"% ―s -i powershell%" or Process.CommandLine like r"% ―s /i powershell%" or Process.CommandLine like r"% ―s –i powershell%" or Process.CommandLine like r"% ―s —i powershell%" or Process.CommandLine like r"% ―s ―i powershell%" or Process.CommandLine like r"% -i -s powershell%" or Process.CommandLine like r"% -i /s powershell%" or Process.CommandLine like r"% -i –s powershell%" or Process.CommandLine like r"% -i —s powershell%" or Process.CommandLine like r"% -i ―s powershell%" or Process.CommandLine like r"% /i -s powershell%" or Process.CommandLine like r"% /i /s powershell%" or Process.CommandLine like r"% /i –s powershell%" or Process.CommandLine like r"% /i —s powershell%" or Process.CommandLine like r"% /i ―s powershell%" or Process.CommandLine like r"% –i -s powershell%" or Process.CommandLine like r"% –i /s powershell%" or Process.CommandLine like r"% –i –s powershell%" or Process.CommandLine like r"% –i —s powershell%" or Process.CommandLine like r"% –i ―s powershell%" or Process.CommandLine like r"% —i -s powershell%" or Process.CommandLine like r"% —i /s powershell%" or Process.CommandLine like r"% —i –s powershell%" or Process.CommandLine like r"% —i —s powershell%" or Process.CommandLine like r"% —i ―s powershell%" or Process.CommandLine like r"% ―i -s powershell%" or Process.CommandLine like r"% ―i /s powershell%" or Process.CommandLine like r"% ―i –s powershell%" or Process.CommandLine like r"% ―i —s 
powershell%" or Process.CommandLine like r"% ―i ―s powershell%") and (Process.CommandLine like r"%psexec%" or Process.CommandLine like r"%paexec%" or Process.CommandLine like r"%accepteula%") [ThreatDetectionRule platform=Windows] -# Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable. -# Author: Andreas Hunkeler (@Karneades) -RuleId = a537cfc3-4297-4789-92b5-345bfd845ad0 -RuleName = Service DACL Abuse To Hide Services Via Sc.EXE +# Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.) +# Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) +RuleId = 646ea171-dded-4578-8a4d-65e9822892e3 +RuleName = Process Memory Dump Via Comsvcs.DLL EventType = Process.Start -Tag = proc-start-service-dacl-abuse-to-hide-services-via-sc.exe +Tag = proc-start-process-memory-dump-via-comsvcs.dll RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.011"], "author": "Andreas Hunkeler (@Karneades)"} -Query = (Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and Process.CommandLine like r"%sdset%" and Process.CommandLine like r"%DCLCWPDTSD%" +Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)"} +Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE" or Process.CommandLine like r"%rundll32%") and Process.CommandLine like r"%comsvcs%" and Process.CommandLine like r"%full%" and (Process.CommandLine like r"%#-%" or Process.CommandLine like r"%#+%" or Process.CommandLine like r"%#24%" or Process.CommandLine like r"%24 %" or Process.CommandLine like r"%MiniDump%" or Process.CommandLine like r"%#65560%") or Process.CommandLine like r"%24%" and 
Process.CommandLine like r"%comsvcs%" and Process.CommandLine like r"%full%" and (Process.CommandLine like r"% #%" or Process.CommandLine like r"%,#%" or Process.CommandLine like r"%, #%" or Process.CommandLine like r"%\"#%") [ThreatDetectionRule platform=Windows] -# Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) +# Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon +# Author: frack113 +RuleId = f0f7be61-9cf5-43be-9836-99d6ef448a18 +RuleName = Uninstall Crowdstrike Falcon Sensor +EventType = Process.Start +Tag = proc-start-uninstall-crowdstrike-falcon-sensor +RiskScore = 75 +Annotation = {"mitre_attack": ["T1562.001"], "author": "frack113"} +Query = Process.CommandLine like r"%\\WindowsSensor.exe%" and Process.CommandLine like r"% /uninstall%" and Process.CommandLine like r"% /quiet%" + + +[ThreatDetectionRule platform=Windows] +# Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) # Author: Christian Burkard (Nextron Systems) -RuleId = 5f9db380-ea57-4d1e-beab-8a2d33397e93 -RuleName = UAC Bypass Using Windows Media Player - Registry +RuleId = 6597be7b-ac61-4ac8-bef4-d3ec88174853 +RuleName = UAC Bypass Abusing Winsat Path Parsing - Registry EventType = Reg.Any -Tag = uac-bypass-using-windows-media-player-registry +Tag = uac-bypass-abusing-winsat-path-parsing-registry RiskScore = 75 Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe" and Reg.Value.Data == "Binary Data" +Query = Reg.TargetObject like r"%\\Root\\InventoryApplicationFile\\winsat.exe|%" and Reg.TargetObject like r"%\\LowerCaseLongPath" and Reg.Value.Data like r"c:\\users\\%" and Reg.Value.Data like 
r"%\\appdata\\local\\temp\\system32\\winsat.exe" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects execution of "reg.exe" to disable security services such as Windows Defender. -# Author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim -RuleId = 5e95028c-5229-4214-afae-d653d573d0ec -RuleName = Security Service Disabled Via Reg.EXE +# Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files +# Author: Sreeman, Florian Roth (Nextron Systems) +RuleId = 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e +RuleName = File Download with Headless Browser EventType = Process.Start -Tag = proc-start-security-service-disabled-via-reg.exe +Tag = proc-start-file-download-with-headless-browser RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim"} -Query = Process.CommandLine like r"%reg%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%d 4%" and Process.CommandLine like r"%v Start%" and (Process.CommandLine like r"%\\AppIDSvc%" or Process.CommandLine like r"%\\MsMpSvc%" or Process.CommandLine like r"%\\NisSrv%" or Process.CommandLine like r"%\\SecurityHealthService%" or Process.CommandLine like r"%\\Sense%" or Process.CommandLine like r"%\\UsoSvc%" or Process.CommandLine like r"%\\WdBoot%" or Process.CommandLine like r"%\\WdFilter%" or Process.CommandLine like r"%\\WdNisDrv%" or Process.CommandLine like r"%\\WdNisSvc%" or Process.CommandLine like r"%\\WinDefend%" or Process.CommandLine like r"%\\wscsvc%" or Process.CommandLine like r"%\\wuauserv%") +Annotation = {"mitre_attack": ["T1105"], "author": "Sreeman, Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\brave.exe" or Process.Path like r"%\\chrome.exe" or Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\opera.exe" or Process.Path like r"%\\vivaldi.exe") and 
Process.CommandLine like r"%--headless%" and Process.CommandLine like r"%dump-dom%" and Process.CommandLine like r"%http%" [ThreatDetectionRule platform=Windows] -# Detects suspicious Windows Error Reporting manager (wermgr.exe) child process -# Author: Florian Roth (Nextron Systems) -RuleId = 396f6630-f3ac-44e3-bfc8-1b161bc00c4e -RuleName = Suspicious Child Process Of Wermgr.EXE -EventType = Process.Start -Tag = proc-start-suspicious-child-process-of-wermgr.exe +# Detects programs on a Windows system that should not write executables to disk +# Author: frack113, Florian Roth (Nextron Systems) +RuleId = f0540f7e-2db3-4432-b9e0-3965486744bc +RuleName = Legitimate Application Dropped Executable +EventType = File.Create +Tag = legitimate-application-dropped-executable RiskScore = 75 -Annotation = {"mitre_attack": ["T1055", "T1036"], "author": "Florian Roth (Nextron Systems)"} -Query = Parent.Path like r"%\\wermgr.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\ipconfig.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\nslookup.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\wscript.exe") and not (Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%C:\\Windows\\system32\\WerConCpl.dll%" and Process.CommandLine like r"%LaunchErcApp %" and (Process.CommandLine like r"%-queuereporting%" or Process.CommandLine like r"%-responsepester%")) -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1218"], "author": "frack113, Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\eqnedt32.exe" 
or Process.Path like r"%\\wordpad.exe" or Process.Path like r"%\\wordview.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\certoc.exe" or Process.Path like r"%\\CertReq.exe" or Process.Path like r"%\\Desktopimgdownldr.exe" or Process.Path like r"%\\esentutl.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\AcroRd32.exe" or Process.Path like r"%\\RdrCEF.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\finger.exe") and (File.Path like r"%.exe" or File.Path like r"%.dll" or File.Path like r"%.ocx") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious use of XORDump process memory dumping utility -# Author: Florian Roth (Nextron Systems) -RuleId = 66e563f9-1cbd-4a22-a957-d8b7c0f44372 -RuleName = HackTool - XORDump Execution +# Detects potential process patterns related to Cobalt Strike beacon activity +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = f35c5d71-b489-4e22-a115-f003df287317 +RuleName = Potential CobaltStrike Process Patterns EventType = Process.Start -Tag = proc-start-hacktool-xordump-execution +Tag = proc-start-potential-cobaltstrike-process-patterns RiskScore = 75 -Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\xordump.exe" or Process.CommandLine like r"% -process lsass.exe %" or Process.CommandLine like r"% -m comsvcs %" or Process.CommandLine like r"% -m dbghelp %" or Process.CommandLine like r"% -m dbgcore %" +Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%cmd.exe /C whoami" and Parent.Path like r"C:\\Temp\\%" or (Parent.Path like r"%\\runonce.exe" or Parent.Path like r"%\\dllhost.exe") and Process.CommandLine like r"%cmd.exe /c echo%" and Process.CommandLine like r"%> \\\\.\\pipe%" or Parent.CommandLine like 
r"%cmd.exe /C echo%" and Parent.CommandLine like r"% > \\\\.\\pipe%" and Process.CommandLine like r"%conhost.exe 0xffffffff -ForceV1" or Parent.CommandLine like r"%/C whoami" and Process.CommandLine like r"%conhost.exe 0xffffffff -ForceV1" +GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects attackers using tooling with bad opsec defaults. -# E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. -# One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples. -# Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) -RuleId = a7c3d773-caef-227e-a7e7-c2f13c622329 -RuleName = Bad Opsec Defaults Sacrificial Processes With Improper Arguments -EventType = Process.Start -Tag = proc-start-bad-opsec-defaults-sacrificial-processes-with-improper-arguments +# Detects suspicious new RUN key element pointing to an executable in a suspicious folder +# Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing +RuleId = 02ee49e2-e294-4d0f-9278-f5b3212fc588 +RuleName = New RUN Key Pointing to Suspicious Folder +EventType = Reg.Any +Tag = new-run-key-pointing-to-suspicious-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.011"], "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)"} -Query = (Process.Path like r"%\\WerFault.exe" and Process.CommandLine like r"%WerFault.exe" or Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%rundll32.exe" or Process.Path like r"%\\regsvcs.exe" and Process.CommandLine like r"%regsvcs.exe" or Process.Path like r"%\\regasm.exe" and Process.CommandLine like 
r"%regasm.exe" or Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%regsvr32.exe") and not (Parent.Path like r"%\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{%" and Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%rundll32.exe" or (Parent.Path like r"%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\%" or Parent.Path like r"%\\AppData\\Local\\Google\\Chrome\\Application\\%") and Parent.Path like r"%\\Installer\\setup.exe" and Parent.CommandLine like r"%--uninstall %" and Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%rundll32.exe") -GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine +Annotation = {"mitre_attack": ["T1547.001"], "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing"} +Query = (Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\%" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\%") and (Reg.Value.Data like r"%:\\$Recycle.bin\\%" or Reg.Value.Data like r"%:\\Temp\\%" or Reg.Value.Data like r"%:\\Users\\Default\\%" or Reg.Value.Data like r"%:\\Users\\Desktop\\%" or Reg.Value.Data like r"%:\\Users\\Public\\%" or Reg.Value.Data like r"%:\\Windows\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%\%temp\%\\%" or Reg.Value.Data like r"%\%tmp\%\\%" or Reg.Value.Data like r"\%Public\%\\%" or Reg.Value.Data like r"wscript%" or Reg.Value.Data like r"cscript%") and not (Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\%" and Process.Path like r"C:\\Windows\\SoftwareDistribution\\Download\\%" and Reg.Value.Data like r"%rundll32.exe %" and Reg.Value.Data like r"%C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32%" and (Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%C:\\Windows\\Temp\\%")) +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule 
platform=Windows] -# Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab) -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 9c8c7000-3065-44a8-a555-79bcba5d9955 -RuleName = Execute MSDT Via Answer File +# Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process +# Author: Florian Roth (Nextron Systems) +RuleId = 8c0eca51-0f88-4db2-9183-fdfb10c703f9 +RuleName = LSA PPL Protection Disabled Via Reg.EXE EventType = Process.Start -Tag = proc-start-execute-msdt-via-answer-file +Tag = proc-start-lsa-ppl-protection-disabled-via-reg.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\msdt.exe" and Process.CommandLine like r"%\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml%" and (Process.CommandLine like r"% -af %" or Process.CommandLine like r"% /af %") and not Parent.Path like r"%\\pcwrun.exe" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1562.010"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"%SYSTEM\\CurrentControlSet\\Control\\Lsa%" and Process.CommandLine like r"% add %" and Process.CommandLine like r"% /d 0%" and Process.CommandLine like r"% /v RunAsPPL %" [ThreatDetectionRule platform=Windows] -# Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". 
-# Author: Swachchhanda Shrawan Poudel -RuleId = 7021255e-5db3-4946-a8b9-0ba7a4644a69 -RuleName = Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG -EventType = Reg.Any -Tag = potential-provisioning-registry-key-abuse-for-binary-proxy-execution-reg +# Detects programs on a Windows system that should not write an archive to disk +# Author: frack113, Florian Roth +RuleId = 654fcc6d-840d-4844-9b07-2c3300e54a26 +RuleName = Legitimate Application Dropped Archive +EventType = File.Create +Tag = legitimate-application-dropped-archive RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Swachchhanda Shrawan Poudel"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1218"], "author": "frack113, Florian Roth"} +Query = (Process.Path like r"%\\winword.exe" or Process.Path like r"%\\excel.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\msaccess.exe" or Process.Path like r"%\\mspub.exe" or Process.Path like r"%\\eqnedt32.exe" or Process.Path like r"%\\visio.exe" or Process.Path like r"%\\wordpad.exe" or Process.Path like r"%\\wordview.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\certoc.exe" or Process.Path like r"%\\CertReq.exe" or Process.Path like r"%\\Desktopimgdownldr.exe" or Process.Path like r"%\\esentutl.exe" or Process.Path like r"%\\finger.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\AcroRd32.exe" or Process.Path like r"%\\RdrCEF.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\hh.exe") and (File.Path like r"%.zip" or File.Path like r"%.rar" or File.Path like r"%.7z" or File.Path like r"%.diagcab" or File.Path like r"%.appx") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe -# Author: Austin Songer 
(@austinsonger) -RuleId = 961e0abb-1b1e-4c84-a453-aafe56ad0d34 -RuleName = Execution via stordiag.exe -EventType = Process.Start -Tag = proc-start-execution-via-stordiag.exe +# Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 295c9289-acee-4503-a571-8eacaef36b28 +RuleName = Vulnerable HackSys Extreme Vulnerable Driver Load +EventType = Driver.Load +Tag = vulnerable-hacksys-extreme-vulnerable-driver-load RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Austin Songer (@austinsonger)"} -Query = Parent.Path like r"%\\stordiag.exe" and (Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\fltmc.exe") and not (Parent.Path like r"c:\\windows\\system32\\%" or Parent.Path like r"c:\\windows\\syswow64\\%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1543.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Image.Path like r"%\\HEVD.sys" or Image.Hashes like r"%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%" or Image.Hashes like r"%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%" +GenericProperty1 = Image.Path +GenericProperty2 = Image.Hashes [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading using comctl32.dll to obtain system privileges -# Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) -RuleId = 6360757a-d460-456c-8b13-74cf0e60cceb -RuleName = Potential DLL Sideloading Via comctl32.dll -EventType = Image.Load -Tag = potential-dll-sideloading-via-comctl32.dll +# Detects file creation events with filename patterns used by CrackMapExec. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a +RuleName = HackTool - CrackMapExec File Indicators +EventType = File.Create +Tag = hacktool-crackmapexec-file-indicators RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)"} -Query = (Image.Path like r"C:\\Windows\\System32\\logonUI.exe.local\\%" or Image.Path like r"C:\\Windows\\System32\\werFault.exe.local\\%" or Image.Path like r"C:\\Windows\\System32\\consent.exe.local\\%" or Image.Path like r"C:\\Windows\\System32\\narrator.exe.local\\%" or Image.Path like r"C:\\windows\\system32\\wermgr.exe.local\\%") and Image.Path like r"%\\comctl32.dll" -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1003.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"C:\\Windows\\Temp\\%" and (File.Path like r"%\\temp.ps1" or File.Path like r"%\\msol.ps1" or File.Path regex "\\\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.txt$" or File.Path regex "\\\\[a-zA-Z]{8}\\.tmp$") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects possible Sysmon filter driver unloaded via fltmc.exe -# Author: Kirill Kiryanov, oscd.community -RuleId = 4d7cda18-1b12-4e52-b45c-d28653210df8 -RuleName = Sysmon Driver Unloaded Via Fltmc.EXE +# Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. 
As seen being used in some ransomware scripts +# Author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior +RuleId = ce72ef99-22f1-43d4-8695-419dcb5d9330 +RuleName = Suspicious Windows Service Tampering EventType = Process.Start -Tag = proc-start-sysmon-driver-unloaded-via-fltmc.exe +Tag = proc-start-suspicious-windows-service-tampering RiskScore = 75 -Annotation = {"mitre_attack": ["T1070", "T1562", "T1562.002"], "author": "Kirill Kiryanov, oscd.community"} -Query = (Process.Path like r"%\\fltMC.exe" or Process.Name == "fltMC.exe") and Process.CommandLine like r"%unload%" and Process.CommandLine like r"%sysmon%" +Annotation = {"mitre_attack": ["T1489", "T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior"} +Query = (Process.Name in ["net.exe", "net1.exe", "PowerShell.EXE", "psservice.exe", "pwsh.dll", "sc.exe"] or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\PsService.exe" or Process.Path like r"%\\PsService64.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\sc.exe") and (Process.CommandLine like r"% delete %" or Process.CommandLine like r"% pause %" or Process.CommandLine like r"% stop %" or Process.CommandLine like r"%Stop-Service %" or Process.CommandLine like r"%Remove-Service %" or Process.CommandLine like r"%config%" and Process.CommandLine like r"%start=disabled%") and (Process.CommandLine like r"%143Svc%" or Process.CommandLine like r"%Acronis VSS Provider%" or Process.CommandLine like r"%AcronisAgent%" or Process.CommandLine like r"%AcrSch2Svc%" or Process.CommandLine like r"%AdobeARMservice%" or Process.CommandLine like r"%AHS Service%" or Process.CommandLine like r"%Antivirus%" or Process.CommandLine like r"%Apache4%" or Process.CommandLine like r"%ARSM%" or Process.CommandLine like r"%aswBcc%" or Process.CommandLine like r"%AteraAgent%" or Process.CommandLine like r"%Avast Business Console Client 
Antivirus Service%" or Process.CommandLine like r"%avast! Antivirus%" or Process.CommandLine like r"%AVG Antivirus%" or Process.CommandLine like r"%avgAdminClient%" or Process.CommandLine like r"%AvgAdminServer%" or Process.CommandLine like r"%AVP1%" or Process.CommandLine like r"%BackupExec%" or Process.CommandLine like r"%bedbg%" or Process.CommandLine like r"%BITS%" or Process.CommandLine like r"%BrokerInfrastructure%" or Process.CommandLine like r"%CASLicenceServer%" or Process.CommandLine like r"%CASWebServer%" or Process.CommandLine like r"%Client Agent 7.60%" or Process.CommandLine like r"%Core Browsing Protection%" or Process.CommandLine like r"%Core Mail Protection%" or Process.CommandLine like r"%Core Scanning Server%" or Process.CommandLine like r"%DCAgent%" or Process.CommandLine like r"%dwmrcs%" or Process.CommandLine like r"%EhttpSr%" or Process.CommandLine like r"%ekrn%" or Process.CommandLine like r"%Enterprise Client Service%" or Process.CommandLine like r"%epag%" or Process.CommandLine like r"%EPIntegrationService%" or Process.CommandLine like r"%EPProtectedService%" or Process.CommandLine like r"%EPRedline%" or Process.CommandLine like r"%EPSecurityService%" or Process.CommandLine like r"%EPUpdateService%" or Process.CommandLine like r"%EraserSvc11710%" or Process.CommandLine like r"%EsgShKernel%" or Process.CommandLine like r"%ESHASRV%" or Process.CommandLine like r"%FA\_Scheduler%" or Process.CommandLine like r"%FirebirdGuardianDefaultInstance%" or Process.CommandLine like r"%FirebirdServerDefaultInstance%" or Process.CommandLine like r"%FontCache3.0.0.0%" or Process.CommandLine like r"%HealthTLService%" or Process.CommandLine like r"%hmpalertsvc%" or Process.CommandLine like r"%HMS%" or Process.CommandLine like r"%HostControllerService%" or Process.CommandLine like r"%hvdsvc%" or Process.CommandLine like r"%IAStorDataMgrSvc%" or Process.CommandLine like r"%IBMHPS%" or Process.CommandLine like r"%ibmspsvc%" or Process.CommandLine like 
r"%IISAdmin%" or Process.CommandLine like r"%IMANSVC%" or Process.CommandLine like r"%IMAP4Svc%" or Process.CommandLine like r"%instance2%" or Process.CommandLine like r"%KAVFS%" or Process.CommandLine like r"%KAVFSGT%" or Process.CommandLine like r"%kavfsslp%" or Process.CommandLine like r"%KeyIso%" or Process.CommandLine like r"%klbackupdisk%" or Process.CommandLine like r"%klbackupflt%" or Process.CommandLine like r"%klflt%" or Process.CommandLine like r"%klhk%" or Process.CommandLine like r"%KLIF%" or Process.CommandLine like r"%klim6%" or Process.CommandLine like r"%klkbdflt%" or Process.CommandLine like r"%klmouflt%" or Process.CommandLine like r"%klnagent%" or Process.CommandLine like r"%klpd%" or Process.CommandLine like r"%kltap%" or Process.CommandLine like r"%KSDE1.0.0%" or Process.CommandLine like r"%LogProcessorService%" or Process.CommandLine like r"%M8EndpointAgent%" or Process.CommandLine like r"%macmnsvc%" or Process.CommandLine like r"%masvc%" or Process.CommandLine like r"%MBAMService%" or Process.CommandLine like r"%MBCloudEA%" or Process.CommandLine like r"%MBEndpointAgent%" or Process.CommandLine like r"%McAfeeDLPAgentService%" or Process.CommandLine like r"%McAfeeEngineService%" or Process.CommandLine like r"%MCAFEEEVENTPARSERSRV%" or Process.CommandLine like r"%McAfeeFramework%" or Process.CommandLine like r"%MCAFEETOMCATSRV530%" or Process.CommandLine like r"%McShield%" or Process.CommandLine like r"%McTaskManager%" or Process.CommandLine like r"%mfefire%" or Process.CommandLine like r"%mfemms%" or Process.CommandLine like r"%mfevto%" or Process.CommandLine like r"%mfevtp%" or Process.CommandLine like r"%mfewc%" or Process.CommandLine like r"%MMS%" or Process.CommandLine like r"%mozyprobackup%" or Process.CommandLine like r"%mpssvc%" or Process.CommandLine like r"%MSComplianceAudit%" or Process.CommandLine like r"%MSDTC%" or Process.CommandLine like r"%MsDtsServer%" or Process.CommandLine like r"%MSExchange%" or Process.CommandLine like 
r"%msftesq1SPROO%" or Process.CommandLine like r"%msftesql$PROD%" or Process.CommandLine like r"%msftesql$SQLEXPRESS%" or Process.CommandLine like r"%MSOLAP$SQL\_2008%" or Process.CommandLine like r"%MSOLAP$SYSTEM\_BGC%" or Process.CommandLine like r"%MSOLAP$TPS%" or Process.CommandLine like r"%MSOLAP$TPSAMA%" or Process.CommandLine like r"%MSOLAPSTPS%" or Process.CommandLine like r"%MSOLAPSTPSAMA%" or Process.CommandLine like r"%mssecflt%" or Process.CommandLine like r"%MSSQ!I.SPROFXENGAGEMEHT%" or Process.CommandLine like r"%MSSQ0SHAREPOINT%" or Process.CommandLine like r"%MSSQ0SOPHOS%" or Process.CommandLine like r"%MSSQL%" or Process.CommandLine like r"%MSSQLFDLauncher$%" or Process.CommandLine like r"%MySQL%" or Process.CommandLine like r"%NanoServiceMain%" or Process.CommandLine like r"%NetMsmqActivator%" or Process.CommandLine like r"%NetPipeActivator%" or Process.CommandLine like r"%netprofm%" or Process.CommandLine like r"%NetTcpActivator%" or Process.CommandLine like r"%NetTcpPortSharing%" or Process.CommandLine like r"%ntrtscan%" or Process.CommandLine like r"%nvspwmi%" or Process.CommandLine like r"%ofcservice%" or Process.CommandLine like r"%Online Protection System%" or Process.CommandLine like r"%OracleClientCache80%" or Process.CommandLine like r"%OracleDBConsole%" or Process.CommandLine like r"%OracleMTSRecoveryService%" or Process.CommandLine like r"%OracleOraDb11g\_home1%" or Process.CommandLine like r"%OracleService%" or Process.CommandLine like r"%OracleVssWriter%" or Process.CommandLine like r"%osppsvc%" or Process.CommandLine like r"%PandaAetherAgent%" or Process.CommandLine like r"%PccNTUpd%" or Process.CommandLine like r"%PDVFSService%" or Process.CommandLine like r"%POP3Svc%" or Process.CommandLine like r"%postgresql-x64-9.4%" or Process.CommandLine like r"%POVFSService%" or Process.CommandLine like r"%PSUAService%" or Process.CommandLine like r"%Quick Update Service%" or Process.CommandLine like r"%RepairService%" or Process.CommandLine 
like r"%ReportServer%" or Process.CommandLine like r"%ReportServer$%" or Process.CommandLine like r"%RESvc%" or Process.CommandLine like r"%RpcEptMapper%" or Process.CommandLine like r"%sacsvr%" or Process.CommandLine like r"%SamSs%" or Process.CommandLine like r"%SAVAdminService%" or Process.CommandLine like r"%SAVService%" or Process.CommandLine like r"%ScSecSvc%" or Process.CommandLine like r"%SDRSVC%" or Process.CommandLine like r"%SearchExchangeTracing%" or Process.CommandLine like r"%sense%" or Process.CommandLine like r"%SentinelAgent%" or Process.CommandLine like r"%SentinelHelperService%" or Process.CommandLine like r"%SepMasterService%" or Process.CommandLine like r"%ShMonitor%" or Process.CommandLine like r"%Smcinst%" or Process.CommandLine like r"%SmcService%" or Process.CommandLine like r"%SMTPSvc%" or Process.CommandLine like r"%SNAC%" or Process.CommandLine like r"%SntpService%" or Process.CommandLine like r"%Sophos%" or Process.CommandLine like r"%SQ1SafeOLRService%" or Process.CommandLine like r"%SQL Backups%" or Process.CommandLine like r"%SQL Server%" or Process.CommandLine like r"%SQLAgent%" or Process.CommandLine like r"%SQLANYs\_Sage\_FAS\_Fixed\_Assets%" or Process.CommandLine like r"%SQLBrowser%" or Process.CommandLine like r"%SQLsafe%" or Process.CommandLine like r"%SQLSERVERAGENT%" or Process.CommandLine like r"%SQLTELEMETRY%" or Process.CommandLine like r"%SQLWriter%" or Process.CommandLine like r"%SSISTELEMETRY130%" or Process.CommandLine like r"%SstpSvc%" or Process.CommandLine like r"%storflt%" or Process.CommandLine like r"%svcGenericHost%" or Process.CommandLine like r"%swc\_service%" or Process.CommandLine like r"%swi\_filter%" or Process.CommandLine like r"%swi\_service%" or Process.CommandLine like r"%swi\_update%" or Process.CommandLine like r"%Symantec%" or Process.CommandLine like r"%sysmon%" or Process.CommandLine like r"%TeamViewer%" or Process.CommandLine like r"%Telemetryserver%" or Process.CommandLine like 
r"%ThreatLockerService%" or Process.CommandLine like r"%TMBMServer%" or Process.CommandLine like r"%TmCCSF%" or Process.CommandLine like r"%TmFilter%" or Process.CommandLine like r"%TMiCRCScanService%" or Process.CommandLine like r"%tmlisten%" or Process.CommandLine like r"%TMLWCSService%" or Process.CommandLine like r"%TmPfw%" or Process.CommandLine like r"%TmPreFilter%" or Process.CommandLine like r"%TmProxy%" or Process.CommandLine like r"%TMSmartRelayService%" or Process.CommandLine like r"%tmusa%" or Process.CommandLine like r"%Tomcat%" or Process.CommandLine like r"%Trend Micro Deep Security Manager%" or Process.CommandLine like r"%TrueKey%" or Process.CommandLine like r"%UFNet%" or Process.CommandLine like r"%UI0Detect%" or Process.CommandLine like r"%UniFi%" or Process.CommandLine like r"%UTODetect%" or Process.CommandLine like r"%vds%" or Process.CommandLine like r"%Veeam%" or Process.CommandLine like r"%VeeamDeploySvc%" or Process.CommandLine like r"%Veritas System Recovery%" or Process.CommandLine like r"%vmic%" or Process.CommandLine like r"%VMTools%" or Process.CommandLine like r"%vmvss%" or Process.CommandLine like r"%VSApiNt%" or Process.CommandLine like r"%VSS%" or Process.CommandLine like r"%W3Svc%" or Process.CommandLine like r"%wbengine%" or Process.CommandLine like r"%WdNisSvc%" or Process.CommandLine like r"%WeanClOudSve%" or Process.CommandLine like r"%Weems JY%" or Process.CommandLine like r"%WinDefend%" or Process.CommandLine like r"%wmms%" or Process.CommandLine like r"%wozyprobackup%" or Process.CommandLine like r"%WPFFontCache\_v0400%" or Process.CommandLine like r"%WRSVC%" or Process.CommandLine like r"%wsbexchange%" or Process.CommandLine like r"%WSearch%" or Process.CommandLine like r"%wscsvc%" or Process.CommandLine like r"%Zoolz 2 Service%") [ThreatDetectionRule platform=Windows] -# Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands +# Detects command line parameters used by 
ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service # Author: Florian Roth (Nextron Systems) -RuleId = f2c64357-b1d2-41b7-849f-34d2682c0fad -RuleName = Suspicious Command Patterns In Scheduled Task Creation +RuleId = cd8c163e-a19b-402e-bdd5-419ff5859f12 +RuleName = HackTool - ADCSPwn Execution EventType = Process.Start -Tag = proc-start-suspicious-command-patterns-in-scheduled-task-creation +Tag = proc-start-hacktool-adcspwn-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1053.005"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create %" and ((Process.CommandLine like r"%/sc minute %" or Process.CommandLine like r"%/ru system %") and (Process.CommandLine like r"%cmd /c%" or Process.CommandLine like r"%cmd /k%" or Process.CommandLine like r"%cmd /r%" or Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd.exe /r %") or Process.CommandLine like r"% -decode %" or Process.CommandLine like r"% -enc %" or Process.CommandLine like r"% -w hidden %" or Process.CommandLine like r"% bypass %" or Process.CommandLine like r"% IEX%" or Process.CommandLine like r"%.DownloadData%" or Process.CommandLine like r"%.DownloadFile%" or Process.CommandLine like r"%.DownloadString%" or Process.CommandLine like r"%/c start /min %" or Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"%mshta http%" or Process.CommandLine like r"%mshta.exe http%" or (Process.CommandLine like r"%:\\ProgramData\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Tmp\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\%AppData\%%" or Process.CommandLine like 
r"%\%Temp\%%" or Process.CommandLine like r"%\%tmp\%%") and (Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%curl%" or Process.CommandLine like r"%wscript%")) +Annotation = {"mitre_attack": ["T1557.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"% --adcs %" and Process.CommandLine like r"% --port %" [ThreatDetectionRule platform=Windows] -# Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started. +# Ransomware create txt file in the user Desktop # Author: frack113 -RuleId = 961e33d1-4f86-4fcf-80ab-930a708b2f82 -RuleName = Potential Persistence Via Excel Add-in - Registry -EventType = Reg.Any -Tag = potential-persistence-via-excel-add-in-registry +RuleId = caf02a0a-1e1c-4552-9b48-5e070bd88d11 +RuleName = Suspicious Creation TXT File in User Desktop +EventType = File.Create +Tag = suspicious-creation-txt-file-in-user-desktop RiskScore = 75 -Annotation = {"mitre_attack": ["T1137.006"], "author": "frack113"} -Query = Reg.TargetObject like r"%Software\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Excel\\Options" and Reg.Value.Data like r"/R %" and Reg.Value.Data like r"%.xll" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1486"], "author": "frack113"} +Query = Process.Path like r"%\\cmd.exe" and File.Path like r"%\\Users\\%" and File.Path like r"%\\Desktop\\%" and File.Path like r"%.txt" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. 
-# Author: @Kostastsale, @TheDFIRReport -RuleId = f9578658-9e71-4711-b634-3f9b50cd3c06 -RuleName = Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 -EventType = Process.Start -Tag = proc-start-potential-defense-evasion-activity-via-emoji-usage-in-commandline-3 -RiskScore = 75 -Annotation = {"author": "@Kostastsale, @TheDFIRReport"} -Query = Process.CommandLine like r"%🦆%" or Process.CommandLine like r"%🦅%" or Process.CommandLine like r"%🦉%" or Process.CommandLine like r"%🦇%" or Process.CommandLine like r"%🐺%" or Process.CommandLine like r"%🐗%" or Process.CommandLine like r"%🐴%" or Process.CommandLine like r"%🦄%" or Process.CommandLine like r"%🐝%" or Process.CommandLine like r"%🪱%" or Process.CommandLine like r"%🐛%" or Process.CommandLine like r"%🦋%" or Process.CommandLine like r"%🐌%" or Process.CommandLine like r"%🐞%" or Process.CommandLine like r"%🐜%" or Process.CommandLine like r"%🪰%" or Process.CommandLine like r"%🪲%" or Process.CommandLine like r"%🪳%" or Process.CommandLine like r"%🦟%" or Process.CommandLine like r"%🦗%" or Process.CommandLine like r"%🕷%" or Process.CommandLine like r"%🕸%" or Process.CommandLine like r"%🦂%" or Process.CommandLine like r"%🐢%" or Process.CommandLine like r"%🐍%" or Process.CommandLine like r"%🦎%" or Process.CommandLine like r"%🦖%" or Process.CommandLine like r"%🦕%" or Process.CommandLine like r"%🐙%" or Process.CommandLine like r"%🦑%" or Process.CommandLine like r"%🦐%" or Process.CommandLine like r"%🦞%" or Process.CommandLine like r"%🦀%" or Process.CommandLine like r"%🪸%" or Process.CommandLine like r"%🐡%" or Process.CommandLine like r"%🐠%" or Process.CommandLine like r"%🐟%" or Process.CommandLine like r"%🐬%" or Process.CommandLine like r"%🐳%" or Process.CommandLine like r"%🐋%" or Process.CommandLine like r"%🦈%" or Process.CommandLine like r"%🐊%" or Process.CommandLine like r"%🐅%" or Process.CommandLine like r"%🐆%" or Process.CommandLine like r"%🦓%" or Process.CommandLine like r"%🦍%" or Process.CommandLine like 
r"%🦧%" or Process.CommandLine like r"%🦣%" or Process.CommandLine like r"%🐘%" or Process.CommandLine like r"%🦛%" or Process.CommandLine like r"%🦏%" or Process.CommandLine like r"%🐪%" or Process.CommandLine like r"%🐫%" or Process.CommandLine like r"%🦒%" or Process.CommandLine like r"%🦘%" or Process.CommandLine like r"%🦬%" or Process.CommandLine like r"%🐃%" or Process.CommandLine like r"%🐂%" or Process.CommandLine like r"%🐄%" or Process.CommandLine like r"%🐎%" or Process.CommandLine like r"%🐖%" or Process.CommandLine like r"%🐏%" or Process.CommandLine like r"%🐑%" or Process.CommandLine like r"%🦙%" or Process.CommandLine like r"%🐐%" or Process.CommandLine like r"%🦌%" or Process.CommandLine like r"%🐕%" or Process.CommandLine like r"%🐩%" or Process.CommandLine like r"%🦮%" or Process.CommandLine like r"%🐕‍🦺%" or Process.CommandLine like r"%🐈%" or Process.CommandLine like r"%🐈‍⬛%" or Process.CommandLine like r"%🪶%" or Process.CommandLine like r"%🐓%" or Process.CommandLine like r"%🦃%" or Process.CommandLine like r"%🦤%" or Process.CommandLine like r"%🦚%" or Process.CommandLine like r"%🦜%" or Process.CommandLine like r"%🦢%" or Process.CommandLine like r"%🦩%" or Process.CommandLine like r"%🕊%" or Process.CommandLine like r"%🐇%" or Process.CommandLine like r"%🦝%" or Process.CommandLine like r"%🦨%" or Process.CommandLine like r"%🦡%" or Process.CommandLine like r"%🦫%" or Process.CommandLine like r"%🦦%" or Process.CommandLine like r"%🦥%" or Process.CommandLine like r"%🐁%" or Process.CommandLine like r"%🐀%" or Process.CommandLine like r"%🐿%" or Process.CommandLine like r"%🦔%" or Process.CommandLine like r"%🐾%" or Process.CommandLine like r"%🐉%" or Process.CommandLine like r"%🐲%" or Process.CommandLine like r"%🌵%" or Process.CommandLine like r"%🎄%" or Process.CommandLine like r"%🌲%" or Process.CommandLine like r"%🌳%" or Process.CommandLine like r"%🌴%" or Process.CommandLine like r"%🪹%" or Process.CommandLine like r"%🪺%" or Process.CommandLine like r"%🪵%" or Process.CommandLine like 
r"%🌱%" or Process.CommandLine like r"%🌿%" or Process.CommandLine like r"%☘️%" or Process.CommandLine like r"%🍀%" or Process.CommandLine like r"%🎍%" or Process.CommandLine like r"%🪴%" or Process.CommandLine like r"%🎋%" or Process.CommandLine like r"%🍃%" or Process.CommandLine like r"%🍂%" or Process.CommandLine like r"%🍁%" or Process.CommandLine like r"%🍄%" or Process.CommandLine like r"%🐚%" or Process.CommandLine like r"%🪨%" or Process.CommandLine like r"%🌾%" or Process.CommandLine like r"%💐%" or Process.CommandLine like r"%🌷%" or Process.CommandLine like r"%🪷%" or Process.CommandLine like r"%🌹%" or Process.CommandLine like r"%🥀%" or Process.CommandLine like r"%🌺%" or Process.CommandLine like r"%🌸%" or Process.CommandLine like r"%🌼%" or Process.CommandLine like r"%🌻%" or Process.CommandLine like r"%🌞%" or Process.CommandLine like r"%🌝%" or Process.CommandLine like r"%🌛%" or Process.CommandLine like r"%🌜%" or Process.CommandLine like r"%🌚%" or Process.CommandLine like r"%🌕%" or Process.CommandLine like r"%🌖%" or Process.CommandLine like r"%🌗%" or Process.CommandLine like r"%🌘%" or Process.CommandLine like r"%🌑%" or Process.CommandLine like r"%🌒%" or Process.CommandLine like r"%🌓%" or Process.CommandLine like r"%🌔%" or Process.CommandLine like r"%🌙%" or Process.CommandLine like r"%🌎%" or Process.CommandLine like r"%🌍%" or Process.CommandLine like r"%🌏%" or Process.CommandLine like r"%🪐%" or Process.CommandLine like r"%💫%" or Process.CommandLine like r"%⭐️%" or Process.CommandLine like r"%🌟%" or Process.CommandLine like r"%✨%" or Process.CommandLine like r"%⚡️%" or Process.CommandLine like r"%☄️%" or Process.CommandLine like r"%💥%" or Process.CommandLine like r"%🔥%" or Process.CommandLine like r"%🌪%" or Process.CommandLine like r"%🌈%" or Process.CommandLine like r"%☀️%" or Process.CommandLine like r"%🌤%" or Process.CommandLine like r"%⛅️%" or Process.CommandLine like r"%🌥%" or Process.CommandLine like r"%☁️%" or Process.CommandLine like r"%🌦%" or Process.CommandLine 
like r"%🌧%" or Process.CommandLine like r"%⛈%" or Process.CommandLine like r"%🌩%" or Process.CommandLine like r"%🌨%" or Process.CommandLine like r"%❄️%" or Process.CommandLine like r"%☃️%" or Process.CommandLine like r"%⛄️%" or Process.CommandLine like r"%🌬%" or Process.CommandLine like r"%💨%" or Process.CommandLine like r"%💧%" or Process.CommandLine like r"%💦%" or Process.CommandLine like r"%🫧%" or Process.CommandLine like r"%☔️%" or Process.CommandLine like r"%☂️%" or Process.CommandLine like r"%🌊%" or Process.CommandLine like r"%🌫🍏%" or Process.CommandLine like r"%🍎%" or Process.CommandLine like r"%🍐%" or Process.CommandLine like r"%🍊%" or Process.CommandLine like r"%🍋%" or Process.CommandLine like r"%🍌%" or Process.CommandLine like r"%🍉%" or Process.CommandLine like r"%🍇%" or Process.CommandLine like r"%🍓%" or Process.CommandLine like r"%🫐%" or Process.CommandLine like r"%🍈%" or Process.CommandLine like r"%🍒%" or Process.CommandLine like r"%🍑%" or Process.CommandLine like r"%🥭%" or Process.CommandLine like r"%🍍%" or Process.CommandLine like r"%🥥%" or Process.CommandLine like r"%🥝%" or Process.CommandLine like r"%🍅%" or Process.CommandLine like r"%🍆%" or Process.CommandLine like r"%🥑%" or Process.CommandLine like r"%🥦%" or Process.CommandLine like r"%🥬%" or Process.CommandLine like r"%🥒%" or Process.CommandLine like r"%🌶%" or Process.CommandLine like r"%🫑%" or Process.CommandLine like r"%🌽%" or Process.CommandLine like r"%🥕%" or Process.CommandLine like r"%🫒%" or Process.CommandLine like r"%🧄%" or Process.CommandLine like r"%🧅%" or Process.CommandLine like r"%🥔%" or Process.CommandLine like r"%🍠%" or Process.CommandLine like r"%🫘%" or Process.CommandLine like r"%🥐%" or Process.CommandLine like r"%🥯%" or Process.CommandLine like r"%🍞%" or Process.CommandLine like r"%🥖%" or Process.CommandLine like r"%🥨%" or Process.CommandLine like r"%🧀%" or Process.CommandLine like r"%🥚%" or Process.CommandLine like r"%🍳%" or Process.CommandLine like r"%🧈%" or 
Process.CommandLine like r"%🥞%" or Process.CommandLine like r"%🧇%" or Process.CommandLine like r"%🥓%" or Process.CommandLine like r"%🥩%" or Process.CommandLine like r"%🍗%" or Process.CommandLine like r"%🍖%" or Process.CommandLine like r"%🦴%" or Process.CommandLine like r"%🌭%" or Process.CommandLine like r"%🍔%" or Process.CommandLine like r"%🍟%" or Process.CommandLine like r"%🍕%" or Process.CommandLine like r"%🫓%" or Process.CommandLine like r"%🥪%" or Process.CommandLine like r"%🥙%" or Process.CommandLine like r"%🧆%" or Process.CommandLine like r"%🌮%" or Process.CommandLine like r"%🌯%" or Process.CommandLine like r"%🫔%" or Process.CommandLine like r"%🥗%" or Process.CommandLine like r"%🥘%" or Process.CommandLine like r"%🫕%" or Process.CommandLine like r"%🥫%" or Process.CommandLine like r"%🍝%" or Process.CommandLine like r"%🍜%" or Process.CommandLine like r"%🍲%" or Process.CommandLine like r"%🍛%" or Process.CommandLine like r"%🍣%" or Process.CommandLine like r"%🍱%" or Process.CommandLine like r"%🥟%" or Process.CommandLine like r"%🦪%" or Process.CommandLine like r"%🍤%" or Process.CommandLine like r"%🍙%" or Process.CommandLine like r"%🍚%" or Process.CommandLine like r"%🍘%" or Process.CommandLine like r"%🍥%" or Process.CommandLine like r"%🥠%" or Process.CommandLine like r"%🥮%" or Process.CommandLine like r"%🍢%" or Process.CommandLine like r"%🍡%" or Process.CommandLine like r"%🍧%" or Process.CommandLine like r"%🍨%" or Process.CommandLine like r"%🍦%" or Process.CommandLine like r"%🥧%" or Process.CommandLine like r"%🧁%" or Process.CommandLine like r"%🍰%" or Process.CommandLine like r"%🎂%" or Process.CommandLine like r"%🍮%" or Process.CommandLine like r"%🍭%" or Process.CommandLine like r"%🍬%" or Process.CommandLine like r"%🍫%" or Process.CommandLine like r"%🍿%" or Process.CommandLine like r"%🍩%" or Process.CommandLine like r"%🍪%" or Process.CommandLine like r"%🌰%" or Process.CommandLine like r"%🥜%" or Process.CommandLine like r"%🍯%" or Process.CommandLine like r"%🥛%" or 
Process.CommandLine like r"%🍼%" or Process.CommandLine like r"%🫖%" or Process.CommandLine like r"%☕️%" or Process.CommandLine like r"%🍵%" or Process.CommandLine like r"%🧃%" or Process.CommandLine like r"%🥤%" or Process.CommandLine like r"%🧋%" or Process.CommandLine like r"%🫙%" or Process.CommandLine like r"%🍶%" or Process.CommandLine like r"%🍺%" or Process.CommandLine like r"%🍻%" or Process.CommandLine like r"%🥂%" or Process.CommandLine like r"%🍷%" or Process.CommandLine like r"%🫗%" or Process.CommandLine like r"%🥃%" or Process.CommandLine like r"%🍸%" or Process.CommandLine like r"%🍹%" or Process.CommandLine like r"%🧉%" or Process.CommandLine like r"%🍾%" or Process.CommandLine like r"%🧊%" or Process.CommandLine like r"%🥄%" or Process.CommandLine like r"%🍴%" or Process.CommandLine like r"%🍽%" or Process.CommandLine like r"%🥣%" or Process.CommandLine like r"%🥡%" or Process.CommandLine like r"%🥢%" or Process.CommandLine like r"%🧂%" or Process.CommandLine like r"%⚽️%" or Process.CommandLine like r"%🏀%" or Process.CommandLine like r"%🏈%" or Process.CommandLine like r"%⚾️%" or Process.CommandLine like r"%🥎%" or Process.CommandLine like r"%🎾%" or Process.CommandLine like r"%🏐%" or Process.CommandLine like r"%🏉%" or Process.CommandLine like r"%🥏%" or Process.CommandLine like r"%🎱%" or Process.CommandLine like r"%🪀%" or Process.CommandLine like r"%🏓%" or Process.CommandLine like r"%🏸%" or Process.CommandLine like r"%🏒%" or Process.CommandLine like r"%🏑%" or Process.CommandLine like r"%🥍%" or Process.CommandLine like r"%🏏%" or Process.CommandLine like r"%🪃%" or Process.CommandLine like r"%🥅%" or Process.CommandLine like r"%⛳️%" or Process.CommandLine like r"%🪁%" or Process.CommandLine like r"%🏹%" or Process.CommandLine like r"%🎣%" or Process.CommandLine like r"%🤿%" or Process.CommandLine like r"%🥊%" or Process.CommandLine like r"%🥋%" or Process.CommandLine like r"%🎽%" or Process.CommandLine like r"%🛹%" or Process.CommandLine like r"%🛼%" or Process.CommandLine like r"%🛷%" or 
Process.CommandLine like r"%⛸%" or Process.CommandLine like r"%🥌%" or Process.CommandLine like r"%🎿%" or Process.CommandLine like r"%⛷%" or Process.CommandLine like r"%🏂%" or Process.CommandLine like r"%🪂%" or Process.CommandLine like r"%🏋️‍♀️%" or Process.CommandLine like r"%🏋️%" or Process.CommandLine like r"%🏋️‍♂️%" or Process.CommandLine like r"%🤼‍♀️%" or Process.CommandLine like r"%🤼%" or Process.CommandLine like r"%🤼‍♂️%" or Process.CommandLine like r"%🤸‍♀️%" or Process.CommandLine like r"%🤸%" or Process.CommandLine like r"%🤸‍♂️%" or Process.CommandLine like r"%⛹️‍♀️%" or Process.CommandLine like r"%⛹️%" or Process.CommandLine like r"%⛹️‍♂️%" or Process.CommandLine like r"%🤺%" or Process.CommandLine like r"%🤾‍♀️%" or Process.CommandLine like r"%🤾%" or Process.CommandLine like r"%🤾‍♂️%" or Process.CommandLine like r"%🏌️‍♀️%" or Process.CommandLine like r"%🏌️%" or Process.CommandLine like r"%🏌️‍♂️%" or Process.CommandLine like r"%🏇%" or Process.CommandLine like r"%🧘‍♀️%" or Process.CommandLine like r"%🧘%" or Process.CommandLine like r"%🧘‍♂️%" or Process.CommandLine like r"%🏄‍♀️%" or Process.CommandLine like r"%🏄%" or Process.CommandLine like r"%🏄‍♂️%" or Process.CommandLine like r"%🏊‍♀️%" or Process.CommandLine like r"%🏊%" or Process.CommandLine like r"%🏊‍♂️%" or Process.CommandLine like r"%🤽‍♀️%" or Process.CommandLine like r"%🤽%" or Process.CommandLine like r"%🤽‍♂️%" or Process.CommandLine like r"%🚣‍♀️%" or Process.CommandLine like r"%🚣%" or Process.CommandLine like r"%🚣‍♂️%" or Process.CommandLine like r"%🧗‍♀️%" or Process.CommandLine like r"%🧗%" or Process.CommandLine like r"%🧗‍♂️%" or Process.CommandLine like r"%🚵‍♀️%" or Process.CommandLine like r"%🚵%" or Process.CommandLine like r"%🚵‍♂️%" or Process.CommandLine like r"%🚴‍♀️%" or Process.CommandLine like r"%🚴%" or Process.CommandLine like r"%🚴‍♂️%" or Process.CommandLine like r"%🏆%" or Process.CommandLine like r"%🥇%" or Process.CommandLine like r"%🥈%" or Process.CommandLine like r"%🥉%" or 
Process.CommandLine like r"%🏅%" or Process.CommandLine like r"%🎖%" or Process.CommandLine like r"%🏵%" or Process.CommandLine like r"%🎗%" or Process.CommandLine like r"%🎫%" or Process.CommandLine like r"%🎟%" or Process.CommandLine like r"%🎪%" or Process.CommandLine like r"%🤹%" or Process.CommandLine like r"%🤹‍♂️%" or Process.CommandLine like r"%🤹‍♀️%" or Process.CommandLine like r"%🎭%" or Process.CommandLine like r"%🩰%" or Process.CommandLine like r"%🎨%" or Process.CommandLine like r"%🎬%" or Process.CommandLine like r"%🎤%" or Process.CommandLine like r"%🎧%" or Process.CommandLine like r"%🎼%" or Process.CommandLine like r"%🎹%" or Process.CommandLine like r"%🥁%" or Process.CommandLine like r"%🪘%" or Process.CommandLine like r"%🎷%" or Process.CommandLine like r"%🎺%" or Process.CommandLine like r"%🪗%" or Process.CommandLine like r"%🎸%" or Process.CommandLine like r"%🪕%" or Process.CommandLine like r"%🎻%" or Process.CommandLine like r"%🎲%" or Process.CommandLine like r"%♟%" or Process.CommandLine like r"%🎯%" or Process.CommandLine like r"%🎳%" or Process.CommandLine like r"%🎮%" or Process.CommandLine like r"%🎰%" or Process.CommandLine like r"%🧩%" or Process.CommandLine like r"%🚗%" or Process.CommandLine like r"%🚕%" or Process.CommandLine like r"%🚙%" or Process.CommandLine like r"%🚌%" or Process.CommandLine like r"%🚎%" or Process.CommandLine like r"%🏎%" or Process.CommandLine like r"%🚓%" or Process.CommandLine like r"%🚑%" or Process.CommandLine like r"%🚒%" or Process.CommandLine like r"%🚐%" or Process.CommandLine like r"%🛻%" or Process.CommandLine like r"%🚚%" or Process.CommandLine like r"%🚛%" or Process.CommandLine like r"%🚜%" or Process.CommandLine like r"%🦯%" or Process.CommandLine like r"%🦽%" or Process.CommandLine like r"%🦼%" or Process.CommandLine like r"%🛴%" or Process.CommandLine like r"%🚲%" or Process.CommandLine like r"%🛵%" or Process.CommandLine like r"%🏍%" or Process.CommandLine like r"%🛺%" or Process.CommandLine like r"%🚨%" or Process.CommandLine like r"%🚔%" 
or Process.CommandLine like r"%🚍%" or Process.CommandLine like r"%🚘%" or Process.CommandLine like r"%🚖%" or Process.CommandLine like r"%🛞%" or Process.CommandLine like r"%🚡%" or Process.CommandLine like r"%🚠%" or Process.CommandLine like r"%🚟%" or Process.CommandLine like r"%🚃%" or Process.CommandLine like r"%🚋%" or Process.CommandLine like r"%🚞%" or Process.CommandLine like r"%🚝%" or Process.CommandLine like r"%🚄%" or Process.CommandLine like r"%🚅%" or Process.CommandLine like r"%🚈%" or Process.CommandLine like r"%🚂%" or Process.CommandLine like r"%🚆%" or Process.CommandLine like r"%🚇%" or Process.CommandLine like r"%🚊%" or Process.CommandLine like r"%🚉%" or Process.CommandLine like r"%✈️%" or Process.CommandLine like r"%🛫%" or Process.CommandLine like r"%🛬%" or Process.CommandLine like r"%🛩%" or Process.CommandLine like r"%💺%" or Process.CommandLine like r"%🛰%" or Process.CommandLine like r"%🚀%" or Process.CommandLine like r"%🛸%" or Process.CommandLine like r"%🚁%" or Process.CommandLine like r"%🛶%" or Process.CommandLine like r"%⛵️%" or Process.CommandLine like r"%🚤%" or Process.CommandLine like r"%🛥%" or Process.CommandLine like r"%🛳%" or Process.CommandLine like r"%⛴%" or Process.CommandLine like r"%🚢%" or Process.CommandLine like r"%⚓️%" or Process.CommandLine like r"%🛟%" or Process.CommandLine like r"%🪝%" or Process.CommandLine like r"%⛽️%" or Process.CommandLine like r"%🚧%" or Process.CommandLine like r"%🚦%" or Process.CommandLine like r"%🚥%" or Process.CommandLine like r"%🚏%" or Process.CommandLine like r"%🗺%" or Process.CommandLine like r"%🗿%" or Process.CommandLine like r"%🗽%" or Process.CommandLine like r"%🗼%" or Process.CommandLine like r"%🏰%" or Process.CommandLine like r"%🏯%" or Process.CommandLine like r"%🏟%" or Process.CommandLine like r"%🎡%" or Process.CommandLine like r"%🎢%" or Process.CommandLine like r"%🛝%" or Process.CommandLine like r"%🎠%" or Process.CommandLine like r"%⛲️%" or Process.CommandLine like r"%⛱%" or Process.CommandLine like r"%🏖%" 
or Process.CommandLine like r"%🏝%" or Process.CommandLine like r"%🏜%" or Process.CommandLine like r"%🌋%" or Process.CommandLine like r"%⛰%" or Process.CommandLine like r"%🏔%" or Process.CommandLine like r"%🗻%" or Process.CommandLine like r"%🏕%" or Process.CommandLine like r"%⛺️%" or Process.CommandLine like r"%🛖%" or Process.CommandLine like r"%🏠%" or Process.CommandLine like r"%🏡%" or Process.CommandLine like r"%🏘%" or Process.CommandLine like r"%🏚%" or Process.CommandLine like r"%🏗%" or Process.CommandLine like r"%🏭%" or Process.CommandLine like r"%🏢%" or Process.CommandLine like r"%🏬%" or Process.CommandLine like r"%🏣%" or Process.CommandLine like r"%🏤%" or Process.CommandLine like r"%🏥%" or Process.CommandLine like r"%🏦%" or Process.CommandLine like r"%🏨%" or Process.CommandLine like r"%🏪%" or Process.CommandLine like r"%🏫%" or Process.CommandLine like r"%🏩%" or Process.CommandLine like r"%💒%" or Process.CommandLine like r"%🏛%" or Process.CommandLine like r"%⛪️%" or Process.CommandLine like r"%🕌%" or Process.CommandLine like r"%🕍%" or Process.CommandLine like r"%🛕%" or Process.CommandLine like r"%🕋%" or Process.CommandLine like r"%⛩%" or Process.CommandLine like r"%🛤%" or Process.CommandLine like r"%🛣%" or Process.CommandLine like r"%🗾%" or Process.CommandLine like r"%🎑%" or Process.CommandLine like r"%🏞%" or Process.CommandLine like r"%🌅%" or Process.CommandLine like r"%🌄%" or Process.CommandLine like r"%🌠%" or Process.CommandLine like r"%🎇%" or Process.CommandLine like r"%🎆%" or Process.CommandLine like r"%🌇%" or Process.CommandLine like r"%🌆%" or Process.CommandLine like r"%🏙%" or Process.CommandLine like r"%🌃%" or Process.CommandLine like r"%🌌%" or Process.CommandLine like r"%🌉%" or Process.CommandLine like r"%🌁%" or Process.CommandLine like r"%⌚️%" or Process.CommandLine like r"%📱%" or Process.CommandLine like r"%📲%" or Process.CommandLine like r"%💻%" or Process.CommandLine like r"%⌨️%" or Process.CommandLine like r"%🖥%" or Process.CommandLine like r"%🖨%" 
or Process.CommandLine like r"%🖱%" or Process.CommandLine like r"%🖲%" or Process.CommandLine like r"%🕹%" or Process.CommandLine like r"%🗜%" or Process.CommandLine like r"%💽%" or Process.CommandLine like r"%💾%" or Process.CommandLine like r"%💿%" or Process.CommandLine like r"%📀%" or Process.CommandLine like r"%📼%" or Process.CommandLine like r"%📷%" or Process.CommandLine like r"%📸%" or Process.CommandLine like r"%📹%" or Process.CommandLine like r"%🎥%" or Process.CommandLine like r"%📽%" or Process.CommandLine like r"%🎞%" or Process.CommandLine like r"%📞%" or Process.CommandLine like r"%☎️%" or Process.CommandLine like r"%📟%" or Process.CommandLine like r"%📠%" or Process.CommandLine like r"%📺%" or Process.CommandLine like r"%📻%" or Process.CommandLine like r"%🎙%" or Process.CommandLine like r"%🎚%" or Process.CommandLine like r"%🎛%" or Process.CommandLine like r"%🧭%" or Process.CommandLine like r"%⏱%" or Process.CommandLine like r"%⏲%" or Process.CommandLine like r"%⏰%" or Process.CommandLine like r"%🕰%" or Process.CommandLine like r"%⌛️%" or Process.CommandLine like r"%⏳%" or Process.CommandLine like r"%📡%" or Process.CommandLine like r"%🔋%" or Process.CommandLine like r"%🪫%" or Process.CommandLine like r"%🔌%" or Process.CommandLine like r"%💡%" or Process.CommandLine like r"%🔦%" or Process.CommandLine like r"%🕯%" or Process.CommandLine like r"%🪔%" or Process.CommandLine like r"%🧯%" or Process.CommandLine like r"%🛢%" or Process.CommandLine like r"%💸%" or Process.CommandLine like r"%💵%" or Process.CommandLine like r"%💴%" or Process.CommandLine like r"%💶%" or Process.CommandLine like r"%💷%" or Process.CommandLine like r"%🪙%" or Process.CommandLine like r"%💰%" or Process.CommandLine like r"%💳%" or Process.CommandLine like r"%💎%" or Process.CommandLine like r"%⚖️%" or Process.CommandLine like r"%🪜%" or Process.CommandLine like r"%🧰%" or Process.CommandLine like r"%🪛%" or Process.CommandLine like r"%🔧%" or Process.CommandLine like r"%🔨%" or Process.CommandLine like r"%⚒%" 
or Process.CommandLine like r"%🛠%" or Process.CommandLine like r"%⛏%" or Process.CommandLine like r"%🪚%" or Process.CommandLine like r"%🔩%" or Process.CommandLine like r"%⚙️%" or Process.CommandLine like r"%🪤%" or Process.CommandLine like r"%🧱%" or Process.CommandLine like r"%⛓%" or Process.CommandLine like r"%🧲%" or Process.CommandLine like r"%🔫%" or Process.CommandLine like r"%💣%" or Process.CommandLine like r"%🧨%" or Process.CommandLine like r"%🪓%" or Process.CommandLine like r"%🔪%" or Process.CommandLine like r"%🗡%" or Process.CommandLine like r"%⚔️%" or Process.CommandLine like r"%🛡%" or Process.CommandLine like r"%🚬%" or Process.CommandLine like r"%⚰️%" or Process.CommandLine like r"%🪦%" or Process.CommandLine like r"%⚱️%" or Process.CommandLine like r"%🏺%" or Process.CommandLine like r"%🔮%" or Process.CommandLine like r"%📿%" or Process.CommandLine like r"%🧿%" or Process.CommandLine like r"%🪬%" or Process.CommandLine like r"%💈%" or Process.CommandLine like r"%⚗️%" or Process.CommandLine like r"%🔭%" or Process.CommandLine like r"%🔬%" or Process.CommandLine like r"%🕳%" or Process.CommandLine like r"%🩹%" or Process.CommandLine like r"%🩺%" or Process.CommandLine like r"%🩻%" or Process.CommandLine like r"%🩼%" or Process.CommandLine like r"%💊%" or Process.CommandLine like r"%💉%" or Process.CommandLine like r"%🩸%" or Process.CommandLine like r"%🧬%" or Process.CommandLine like r"%🦠%" or Process.CommandLine like r"%🧫%" or Process.CommandLine like r"%🧪%" or Process.CommandLine like r"%🌡%" or Process.CommandLine like r"%🧹%" or Process.CommandLine like r"%🪠%" or Process.CommandLine like r"%🧺%" or Process.CommandLine like r"%🧻%" or Process.CommandLine like r"%🚽%" or Process.CommandLine like r"%🚰%" or Process.CommandLine like r"%🚿%" or Process.CommandLine like r"%🛁%" or Process.CommandLine like r"%🛀%" or Process.CommandLine like r"%🧼%" or Process.CommandLine like r"%🪥%" or Process.CommandLine like r"%🪒%" or Process.CommandLine like r"%🧽%" or Process.CommandLine like r"%🪣%" 
or Process.CommandLine like r"%🧴%" or Process.CommandLine like r"%🛎%" or Process.CommandLine like r"%🔑%" or Process.CommandLine like r"%🗝%" or Process.CommandLine like r"%🚪%" or Process.CommandLine like r"%🪑%" or Process.CommandLine like r"%🛋%" or Process.CommandLine like r"%🛏%" or Process.CommandLine like r"%🛌%" or Process.CommandLine like r"%🧸%" or Process.CommandLine like r"%🪆%" or Process.CommandLine like r"%🖼%" or Process.CommandLine like r"%🪞%" or Process.CommandLine like r"%🪟%" or Process.CommandLine like r"%🛍%" or Process.CommandLine like r"%🛒%" or Process.CommandLine like r"%🎁%" or Process.CommandLine like r"%🎈%" or Process.CommandLine like r"%🎏%" or Process.CommandLine like r"%🎀%" or Process.CommandLine like r"%🪄%" or Process.CommandLine like r"%🪅%" or Process.CommandLine like r"%🎊%" or Process.CommandLine like r"%🎉%" or Process.CommandLine like r"%🪩%" or Process.CommandLine like r"%🎎%" or Process.CommandLine like r"%🏮%" or Process.CommandLine like r"%🎐%" or Process.CommandLine like r"%🧧%" or Process.CommandLine like r"%✉️%" or Process.CommandLine like r"%📩%" or Process.CommandLine like r"%📨%" or Process.CommandLine like r"%📧%" or Process.CommandLine like r"%💌%" or Process.CommandLine like r"%📥%" or Process.CommandLine like r"%📤%" or Process.CommandLine like r"%📦%" or Process.CommandLine like r"%🏷%" or Process.CommandLine like r"%🪧%" or Process.CommandLine like r"%📪%" or Process.CommandLine like r"%📫%" or Process.CommandLine like r"%📬%" or Process.CommandLine like r"%📭%" or Process.CommandLine like r"%📮%" or Process.CommandLine like r"%📯%" or Process.CommandLine like r"%📜%" or Process.CommandLine like r"%📃%" or Process.CommandLine like r"%📄%" or Process.CommandLine like r"%📑%" or Process.CommandLine like r"%🧾%" or Process.CommandLine like r"%📊%" or Process.CommandLine like r"%📈%" or Process.CommandLine like r"%📉%" or Process.CommandLine like r"%🗒%" or Process.CommandLine like r"%🗓%" or Process.CommandLine like r"%📆%" or Process.CommandLine like r"%📅%" or 
Process.CommandLine like r"%🗑%" or Process.CommandLine like r"%🪪%" or Process.CommandLine like r"%📇%" or Process.CommandLine like r"%🗃%" or Process.CommandLine like r"%🗳%" or Process.CommandLine like r"%🗄%" or Process.CommandLine like r"%📋%" or Process.CommandLine like r"%📁%" or Process.CommandLine like r"%📂%" or Process.CommandLine like r"%🗂%" or Process.CommandLine like r"%🗞%" or Process.CommandLine like r"%📰%" or Process.CommandLine like r"%📓%" or Process.CommandLine like r"%📔%" or Process.CommandLine like r"%📒%" or Process.CommandLine like r"%📕%" or Process.CommandLine like r"%📗%" or Process.CommandLine like r"%📘%" or Process.CommandLine like r"%📙%" or Process.CommandLine like r"%📚%" or Process.CommandLine like r"%📖%" or Process.CommandLine like r"%🔖%" or Process.CommandLine like r"%🧷%" or Process.CommandLine like r"%🔗%" or Process.CommandLine like r"%📎%" or Process.CommandLine like r"%🖇%" or Process.CommandLine like r"%📐%" or Process.CommandLine like r"%📏%" or Process.CommandLine like r"%🧮%" or Process.CommandLine like r"%📌%" or Process.CommandLine like r"%📍%" or Process.CommandLine like r"%✂️%" or Process.CommandLine like r"%🖊%" or Process.CommandLine like r"%🖋%" or Process.CommandLine like r"%✒️%" or Process.CommandLine like r"%🖌%" or Process.CommandLine like r"%🖍%" or Process.CommandLine like r"%📝%" or Process.CommandLine like r"%✏️%" or Process.CommandLine like r"%🔍%" or Process.CommandLine like r"%🔎%" or Process.CommandLine like r"%🔏%" or Process.CommandLine like r"%🔐%" or Process.CommandLine like r"%🔒%" or Process.CommandLine like r"%🔓❤️%" or Process.CommandLine like r"%🧡%" or Process.CommandLine like r"%💛%" or Process.CommandLine like r"%💚%" or Process.CommandLine like r"%💙%" or Process.CommandLine like r"%💜%" or Process.CommandLine like r"%🖤%" or Process.CommandLine like r"%🤍%" or Process.CommandLine like r"%🤎%" or Process.CommandLine like r"%❤️‍🔥%" or Process.CommandLine like r"%❤️‍🩹%" or Process.CommandLine like r"%💔%" or Process.CommandLine like 
r"%❣️%" or Process.CommandLine like r"%💕%" or Process.CommandLine like r"%💞%" or Process.CommandLine like r"%💓%" or Process.CommandLine like r"%💗%" or Process.CommandLine like r"%💖%" or Process.CommandLine like r"%💘%" or Process.CommandLine like r"%💝%" or Process.CommandLine like r"%💟%" or Process.CommandLine like r"%☮️%" or Process.CommandLine like r"%✝️%" or Process.CommandLine like r"%☪️%" or Process.CommandLine like r"%🕉%" or Process.CommandLine like r"%☸️%" or Process.CommandLine like r"%✡️%" or Process.CommandLine like r"%🔯%" or Process.CommandLine like r"%🕎%" or Process.CommandLine like r"%☯️%" or Process.CommandLine like r"%☦️%" or Process.CommandLine like r"%🛐%" or Process.CommandLine like r"%⛎%" or Process.CommandLine like r"%♈️%" or Process.CommandLine like r"%♉️%" or Process.CommandLine like r"%♊️%" or Process.CommandLine like r"%♋️%" or Process.CommandLine like r"%♌️%" or Process.CommandLine like r"%♍️%" or Process.CommandLine like r"%♎️%" or Process.CommandLine like r"%♏️%" or Process.CommandLine like r"%♐️%" or Process.CommandLine like r"%♑️%" or Process.CommandLine like r"%♒️%" or Process.CommandLine like r"%♓️%" or Process.CommandLine like r"%🆔%" or Process.CommandLine like r"%⚛️%" or Process.CommandLine like r"%🉑%" or Process.CommandLine like r"%☢️%" or Process.CommandLine like r"%☣️%" or Process.CommandLine like r"%📴%" or Process.CommandLine like r"%📳%" or Process.CommandLine like r"%🈶%" or Process.CommandLine like r"%🈚️%" or Process.CommandLine like r"%🈸%" or Process.CommandLine like r"%🈺%" or Process.CommandLine like r"%🈷️%" or Process.CommandLine like r"%✴️%" or Process.CommandLine like r"%🆚%" or Process.CommandLine like r"%💮%" or Process.CommandLine like r"%🉐%" or Process.CommandLine like r"%㊙️%" or Process.CommandLine like r"%㊗️%" or Process.CommandLine like r"%🈴%" or Process.CommandLine like r"%🈵%" or Process.CommandLine like r"%🈹%" or Process.CommandLine like r"%🈲%" or Process.CommandLine like r"%🅰️%" or Process.CommandLine like r"%🅱️%" or 
Process.CommandLine like r"%🆎%" or Process.CommandLine like r"%🆑%" or Process.CommandLine like r"%🅾️%" or Process.CommandLine like r"%🆘%" or Process.CommandLine like r"%❌%" or Process.CommandLine like r"%⭕️%" or Process.CommandLine like r"%🛑%" or Process.CommandLine like r"%⛔️%" or Process.CommandLine like r"%📛%" or Process.CommandLine like r"%🚫%" or Process.CommandLine like r"%💯%" or Process.CommandLine like r"%💢%" or Process.CommandLine like r"%♨️%" or Process.CommandLine like r"%🚷%" or Process.CommandLine like r"%🚯%" or Process.CommandLine like r"%🚳%" or Process.CommandLine like r"%🚱%" or Process.CommandLine like r"%🔞%" or Process.CommandLine like r"%📵%" or Process.CommandLine like r"%🚭%" or Process.CommandLine like r"%❗️%" or Process.CommandLine like r"%❕%" or Process.CommandLine like r"%❓%" or Process.CommandLine like r"%❔%" or Process.CommandLine like r"%‼️%" or Process.CommandLine like r"%⁉️%" or Process.CommandLine like r"%🔅%" or Process.CommandLine like r"%🔆%" or Process.CommandLine like r"%〽️%" or Process.CommandLine like r"%⚠️%" or Process.CommandLine like r"%🚸%" or Process.CommandLine like r"%🔱%" or Process.CommandLine like r"%⚜️%" or Process.CommandLine like r"%🔰%" or Process.CommandLine like r"%♻️%" or Process.CommandLine like r"%✅%" or Process.CommandLine like r"%🈯️%" or Process.CommandLine like r"%💹%" or Process.CommandLine like r"%❇️%" or Process.CommandLine like r"%✳️%" or Process.CommandLine like r"%❎%" or Process.CommandLine like r"%🌐%" or Process.CommandLine like r"%💠%" or Process.CommandLine like r"%Ⓜ️%" or Process.CommandLine like r"%🌀%" or Process.CommandLine like r"%💤%" or Process.CommandLine like r"%🏧%" or Process.CommandLine like r"%🚾%" or Process.CommandLine like r"%♿️%" or Process.CommandLine like r"%🅿️%" or Process.CommandLine like r"%🛗%" or Process.CommandLine like r"%🈳%" or Process.CommandLine like r"%🈂️%" or Process.CommandLine like r"%🛂%" or Process.CommandLine like r"%🛃%" or Process.CommandLine like r"%🛄%" or Process.CommandLine 
like r"%🛅%" or Process.CommandLine like r"%🚹%" or Process.CommandLine like r"%🚺%" or Process.CommandLine like r"%🚼%" or Process.CommandLine like r"%⚧%" or Process.CommandLine like r"%🚻%" or Process.CommandLine like r"%🚮%" or Process.CommandLine like r"%🎦%" or Process.CommandLine like r"%📶%" or Process.CommandLine like r"%🈁%" or Process.CommandLine like r"%🔣%" or Process.CommandLine like r"%ℹ️%" or Process.CommandLine like r"%🔤%" or Process.CommandLine like r"%🔡%" or Process.CommandLine like r"%🔠%" or Process.CommandLine like r"%🆖%" or Process.CommandLine like r"%🆗%" or Process.CommandLine like r"%🆙%" or Process.CommandLine like r"%🆒%" or Process.CommandLine like r"%🆕%" or Process.CommandLine like r"%🆓%" or Process.CommandLine like r"%0️⃣%" or Process.CommandLine like r"%1️⃣%" or Process.CommandLine like r"%2️⃣%" or Process.CommandLine like r"%3️⃣%" or Process.CommandLine like r"%4️⃣%" or Process.CommandLine like r"%5️⃣%" or Process.CommandLine like r"%6️⃣%" or Process.CommandLine like r"%7️⃣%" or Process.CommandLine like r"%8️⃣%" or Process.CommandLine like r"%9️⃣%" or Process.CommandLine like r"%🔟%" or Process.CommandLine like r"%🔢%" or Process.CommandLine like r"%#️⃣%" or Process.CommandLine like r"%️⃣%" or Process.CommandLine like r"%⏏️%" or Process.CommandLine like r"%▶️%" or Process.CommandLine like r"%⏸%" or Process.CommandLine like r"%⏯%" or Process.CommandLine like r"%⏹%" or Process.CommandLine like r"%⏺%" or Process.CommandLine like r"%⏭%" or Process.CommandLine like r"%⏮%" or Process.CommandLine like r"%⏩%" or Process.CommandLine like r"%⏪%" or Process.CommandLine like r"%⏫%" or Process.CommandLine like r"%⏬%" or Process.CommandLine like r"%◀️%" or Process.CommandLine like r"%🔼%" or Process.CommandLine like r"%🔽%" or Process.CommandLine like r"%➡️%" or Process.CommandLine like r"%⬅️%" or Process.CommandLine like r"%⬆️%" or Process.CommandLine like r"%⬇️%" or Process.CommandLine like r"%↗️%" or Process.CommandLine like r"%↘️%" or Process.CommandLine like 
r"%↙️%" or Process.CommandLine like r"%↖️%" or Process.CommandLine like r"%↕️%" or Process.CommandLine like r"%↔️%" or Process.CommandLine like r"%↪️%" or Process.CommandLine like r"%↩️%" or Process.CommandLine like r"%⤴️%" or Process.CommandLine like r"%⤵️%" or Process.CommandLine like r"%🔀%" or Process.CommandLine like r"%🔁%" or Process.CommandLine like r"%🔂%" or Process.CommandLine like r"%🔄%" or Process.CommandLine like r"%🔃%" or Process.CommandLine like r"%🎵%" or Process.CommandLine like r"%🎶%" or Process.CommandLine like r"%➕%" or Process.CommandLine like r"%➖%" or Process.CommandLine like r"%➗%" or Process.CommandLine like r"%✖️%" or Process.CommandLine like r"%🟰%" or Process.CommandLine like r"%♾%" or Process.CommandLine like r"%💲%" or Process.CommandLine like r"%💱%" or Process.CommandLine like r"%™️%" or Process.CommandLine like r"%©️%" or Process.CommandLine like r"%®️%" or Process.CommandLine like r"%〰️%" or Process.CommandLine like r"%➰%" or Process.CommandLine like r"%➿%" or Process.CommandLine like r"%🔚%" or Process.CommandLine like r"%🔙%" or Process.CommandLine like r"%🔛%" or Process.CommandLine like r"%🔝%" or Process.CommandLine like r"%🔜%" or Process.CommandLine like r"%✔️%" or Process.CommandLine like r"%☑️%" or Process.CommandLine like r"%🔘%" or Process.CommandLine like r"%🔴%" or Process.CommandLine like r"%🟠%" or Process.CommandLine like r"%🟡%" or Process.CommandLine like r"%🟢%" or Process.CommandLine like r"%🔵%" or Process.CommandLine like r"%🟣%" or Process.CommandLine like r"%⚫️%" or Process.CommandLine like r"%⚪️%" or Process.CommandLine like r"%🟤%" or Process.CommandLine like r"%🔺%" or Process.CommandLine like r"%🔻%" - - -[ThreatDetectionRule platform=Windows] -# Detects usage of cmdkey to look for cached credentials on the system -# Author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 07f8bdc2-c9b3-472a-9817-5a670b872f53 -RuleName = Potential Reconnaissance For Cached Credentials Via 
Cmdkey.EXE -EventType = Process.Start -Tag = proc-start-potential-reconnaissance-for-cached-credentials-via-cmdkey.exe -RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.005"], "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\cmdkey.exe" or Process.Name == "cmdkey.exe") and (Process.CommandLine like r"% -l%" or Process.CommandLine like r"% /l%" or Process.CommandLine like r"% –l%" or Process.CommandLine like r"% —l%" or Process.CommandLine like r"% ―l%") - - -[ThreatDetectionRule platform=Windows] -# Detects usage of bitsadmin downloading a file from a suspicious domain -# Author: Florian Roth (Nextron Systems) -RuleId = 8518ed3d-f7c9-4601-a26c-f361a4256a0c -RuleName = Suspicious Download From File-Sharing Website Via Bitsadmin +# Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. +# Author: frack113, Florian Roth +RuleId = 32410e29-5f94-4568-b6a3-d91a8adad863 +RuleName = PUA - Fast Reverse Proxy (FRP) Execution EventType = Process.Start -Tag = proc-start-suspicious-download-from-file-sharing-website-via-bitsadmin +Tag = proc-start-pua-fast-reverse-proxy-(frp)-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1197", "T1036.003"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\bitsadmin.exe" or Process.Name == "bitsadmin.exe") and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%.githubusercontent.com%" or Process.CommandLine like r"%anonfiles.com%" or Process.CommandLine like r"%cdn.discordapp.com%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%dl.dropboxusercontent.com%" or Process.CommandLine like r"%ghostbin.co%" or Process.CommandLine like r"%glitch.me%" or Process.CommandLine like r"%gofile.io%" or 
Process.CommandLine like r"%hastebin.com%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like r"%mega.nz%" or Process.CommandLine like r"%onrender.com%" or Process.CommandLine like r"%pages.dev%" or Process.CommandLine like r"%paste.ee%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%pastebin.pl%" or Process.CommandLine like r"%pastetext.net%" or Process.CommandLine like r"%privatlab.com%" or Process.CommandLine like r"%privatlab.net%" or Process.CommandLine like r"%send.exploit.in%" or Process.CommandLine like r"%sendspace.com%" or Process.CommandLine like r"%storage.googleapis.com%" or Process.CommandLine like r"%storjshare.io%" or Process.CommandLine like r"%supabase.co%" or Process.CommandLine like r"%temp.sh%" or Process.CommandLine like r"%transfer.sh%" or Process.CommandLine like r"%trycloudflare.com%" or Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%w3spaces.com%" or Process.CommandLine like r"%workers.dev%") +Annotation = {"mitre_attack": ["T1090"], "author": "frack113, Florian Roth"} +Query = Process.Path like r"%\\frpc.exe" or Process.Path like r"%\\frps.exe" or Process.CommandLine like r"%\\frpc.ini%" or Process.Hashes like r"%MD5=7D9C233B8C9E3F0EA290D2B84593C842%" or Process.Hashes like r"%SHA1=06DDC9280E1F1810677935A2477012960905942F%" or Process.Hashes like r"%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%" +GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers +# Detects the use of CleanWipe a tool usually used to delete Symantec antivirus. 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 9fc3072c-dc8f-4bf7-b231-18950000fadd -RuleName = Potential Recon Activity Using DriverQuery.EXE +RuleId = f44800ac-38ec-471f-936e-3fa7d9c53100 +RuleName = PUA - CleanWipe Execution EventType = Process.Start -Tag = proc-start-potential-recon-activity-using-driverquery.exe +Tag = proc-start-pua-cleanwipe-execution RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%driverquery.exe" or Process.Name == "drvqry.exe") and (Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\regsvr32.exe" or Parent.Path like r"%\\rundll32.exe" or Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\AppData\\Local\\%" or Parent.Path like r"%\\Users\\Public\\%" or Parent.Path like r"%\\Windows\\Temp\\%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\SepRemovalToolNative\_x64.exe" or Process.Path like r"%\\CATClean.exe" and Process.CommandLine like r"%--uninstall%" or Process.Path like r"%\\NetInstaller.exe" and Process.CommandLine like r"%-r%" or Process.Path like r"%\\WFPUnins.exe" and Process.CommandLine like r"%/uninstall%" and Process.CommandLine like r"%/enterprise%" [ThreatDetectionRule platform=Windows] -# Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. 
-# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 13e6fe51-d478-4c7e-b0f2-6da9b400a829 -RuleName = Suspicious File Downloaded From Direct IP Via Certutil.EXE +# Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting +# Author: Teymur Kheirkhabarov, Ecco, Florian Roth +RuleId = 15619216-e993-4721-b590-4c520615a67d +RuleName = Potential Meterpreter/CobaltStrike Activity EventType = Process.Start -Tag = proc-start-suspicious-file-downloaded-from-direct-ip-via-certutil.exe +Tag = proc-start-potential-meterpreter/cobaltstrike-activity RiskScore = 75 -Annotation = {"mitre_attack": ["T1027"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\certutil.exe" or Process.Name == "CertUtil.exe") and (Process.CommandLine like r"%urlcache %" or Process.CommandLine like r"%verifyctl %") and (Process.CommandLine like r"%://1%" or Process.CommandLine like r"%://2%" or Process.CommandLine like r"%://3%" or Process.CommandLine like r"%://4%" or Process.CommandLine like r"%://5%" or Process.CommandLine like r"%://6%" or Process.CommandLine like r"%://7%" or Process.CommandLine like r"%://8%" or Process.CommandLine like r"%://9%") and not Process.CommandLine like r"%://7-%" +Annotation = {"mitre_attack": ["T1134.001", "T1134.002"], "author": "Teymur Kheirkhabarov, Ecco, Florian Roth"} +Query = Parent.Path like r"%\\services.exe" and (Process.CommandLine like r"%/c%" and Process.CommandLine like r"%echo%" and Process.CommandLine like r"%\\pipe\\%" and (Process.CommandLine like r"%cmd%" or Process.CommandLine like r"%\%COMSPEC\%%") or Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%.dll,a%" and Process.CommandLine like r"%/p:%") and not Process.CommandLine like r"%MpCmdRun%" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager) +# Detects the use of CreateMiniDump 
hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine # Author: Florian Roth (Nextron Systems) -RuleId = a4694263-59a8-4608-a3a0-6f8d3a51664c -RuleName = Suspicious Key Manager Access +RuleId = 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d +RuleName = HackTool - CreateMiniDump Execution EventType = Process.Start -Tag = proc-start-suspicious-key-manager-access +Tag = proc-start-hacktool-createminidump-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1555.004"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and Process.CommandLine like r"%keymgr%" and Process.CommandLine like r"%KRShowKeyMgr%" +Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\CreateMiniDump.exe" or Process.Hashes like r"%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%" +GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Detects scheduled task creation events that include suspicious actions, and is run once at 00:00 -# Author: pH-T (Nextron Systems) -RuleId = 970823b7-273b-460a-8afc-3a6811998529 -RuleName = Uncommon One Time Only Scheduled Task At 00:00 +# Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet) +# Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community +RuleId = ca2092a1-c273-4878-9b4b-0d60115bf5ea +RuleName = Suspicious Encoded PowerShell Command Line EventType = Process.Start -Tag = proc-start-uncommon-one-time-only-scheduled-task-at-00:00 +Tag = proc-start-suspicious-encoded-powershell-command-line RiskScore = 75 -Annotation = {"mitre_attack": ["T1053.005"], "author": "pH-T (Nextron Systems)"} -Query = (Process.Path like r"%\\schtasks.exe%" or Process.Name == "schtasks.exe") and (Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%vbscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%wmic %" or Process.CommandLine like r"%wmic.exe%" or Process.CommandLine like r"%regsvr32.exe%" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%\\AppData\\%") and Process.CommandLine like r"%once%" and Process.CommandLine like r"%00:00%" +Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"% -e%" and (Process.CommandLine like r"% JAB%" or Process.CommandLine like r"% SUVYI%" or Process.CommandLine like r"% SQBFAFgA%" or Process.CommandLine like r"% aQBlAHgA%" or Process.CommandLine like r"% aWV4I%" or Process.CommandLine like r"% IAA%" or Process.CommandLine like r"% IAB%" or Process.CommandLine like r"% UwB%" or Process.CommandLine like r"% cwB%") or Process.CommandLine like r"%.exe -ENCOD %" or Process.CommandLine like r"% BA^J e-%") and not Process.CommandLine like r"% -ExecutionPolicy remotesigned %" [ThreatDetectionRule platform=Windows] -# Detects when the "index" value of a scheduled task is modified from the registry -# Which 
effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique) -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 5b16df71-8615-4f7f-ac9b-6c43c0509e61 -RuleName = Hide Schedule Task Via Index Value Tamper -EventType = Reg.Any -Tag = hide-schedule-task-via-index-value-tamper +# Detects javaw.exe in AppData folder as used by Adwind / JRAT +# Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community +RuleId = 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 +RuleName = Adwind RAT / JRAT File Artifact +EventType = File.Create +Tag = adwind-rat-/-jrat-file-artifact RiskScore = 75 -Annotation = {"mitre_attack": ["T1562"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\%" and Reg.TargetObject like r"%Index%" and Reg.Value.Data == "DWORD (0x00000000)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1059.005", "T1059.007"], "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community"} +Query = File.Path like r"%\\AppData\\Roaming\\Oracle\\bin\\java%" and File.Path like r"%.exe%" or File.Path like r"%\\Retrive%" and File.Path like r"%.vbs%" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Ransomware create txt file in the user Desktop -# Author: frack113 -RuleId = caf02a0a-1e1c-4552-9b48-5e070bd88d11 -RuleName = Suspicious Creation TXT File in User Desktop -EventType = File.Create -Tag = suspicious-creation-txt-file-in-user-desktop +# Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. +# This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. 
+# Author: Janantha Marasinghe (https://github.com/blueteam0ps) +RuleId = 0a13e132-651d-11eb-ae93-0242ac130002 +RuleName = Audit Policy Tampering Via Auditpol +EventType = Process.Start +Tag = proc-start-audit-policy-tampering-via-auditpol RiskScore = 75 -Annotation = {"mitre_attack": ["T1486"], "author": "frack113"} -Query = Process.Path like r"%\\cmd.exe" and File.Path like r"%\\Users\\%" and File.Path like r"%\\Desktop\\%" and File.Path like r"%.txt" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1562.002"], "author": "Janantha Marasinghe (https://github.com/blueteam0ps)"} +Query = (Process.Path like r"%\\auditpol.exe" or Process.Name == "AUDITPOL.EXE") and (Process.CommandLine like r"%disable%" or Process.CommandLine like r"%clear%" or Process.CommandLine like r"%remove%" or Process.CommandLine like r"%restore%") [ThreatDetectionRule platform=Windows] -# Detects files written by the different tools that exploit HiveNightmare -# Author: Florian Roth (Nextron Systems) -RuleId = 6ea858a8-ba71-4a12-b2cc-5d83312404c7 -RuleName = HackTool - Typical HiveNightmare SAM File Export -EventType = File.Create -Tag = hacktool-typical-hivenightmare-sam-file-export +# Detects when a user downloads a file from an IP based URL using CertOC.exe +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a +RuleName = File Download From IP Based URL Via CertOC.EXE +EventType = Process.Start +Tag = proc-start-file-download-from-ip-based-url-via-certoc.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1552.001"], "author": "Florian Roth (Nextron Systems)"} -Query = File.Path like r"%\\hive\_sam\_%" or File.Path like r"%\\SAM-2021-%" or File.Path like r"%\\SAM-2022-%" or File.Path like r"%\\SAM-2023-%" or File.Path like r"%\\SAM-haxx%" or File.Path like r"%\\Sam.save%" or File.Path == "C:\\windows\\temp\\sam" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1105"], "author": "Nasreddine Bencherchali (Nextron 
Systems)"} +Query = (Process.Path like r"%\\certoc.exe" or Process.Name == "CertOC.exe") and Process.CommandLine regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and Process.CommandLine like r"%-GetCACAPS%" [ThreatDetectionRule platform=Windows] -# Detects the execution of malicious OneNote documents that contain embedded scripts. -# When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories. -# Author: @kostastsale -RuleId = 84b1706c-932a-44c4-ae28-892b28a25b94 -RuleName = OneNote.EXE Execution of Malicious Embedded Scripts +# Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) +# Author: Tim Rauch, Elastic (idea) +RuleId = a4e3d776-f12e-42c2-8510-9e6ed1f43ec3 +RuleName = Unusual Child Process of dns.exe EventType = Process.Start -Tag = proc-start-onenote.exe-execution-of-malicious-embedded-scripts +Tag = proc-start-unusual-child-process-of-dns.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.001"], "author": "@kostastsale"} -Query = Parent.Path like r"%\\onenote.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe") and (Process.CommandLine like r"%\\exported\\%" or Process.CommandLine like r"%\\onenoteofflinecache\_files\\%") +Annotation = {"mitre_attack": ["T1133"], "author": "Tim Rauch, Elastic (idea)"} +Query = Parent.Path like r"%\\dns.exe" and not Process.Path like r"%\\conhost.exe" GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects usage of the Quarks PwDump tool via commandline arguments -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 0685b176-c816-4837-8e7b-1216f346636b 
-RuleName = HackTool - Quarks PwDump Execution -EventType = Process.Start -Tag = proc-start-hacktool-quarks-pwdump-execution +# Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL. +# Author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk +RuleId = 243380fa-11eb-4141-af92-e14925e77c1b +RuleName = Potential PSFactoryBuffer COM Hijacking +EventType = Reg.Any +Tag = potential-psfactorybuffer-com-hijacking RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\QuarksPwDump.exe" or Process.CommandLine in [" -dhl", " --dump-hash-local", " -dhdc", " --dump-hash-domain-cached", " --dump-bitlocker", " -dhd ", " --dump-hash-domain ", "--ntds-file"] +Annotation = {"mitre_attack": ["T1546.015"], "author": "BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk"} +Query = Reg.TargetObject like r"%\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" and not (Reg.Value.Data in ["\%windir\%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll"]) +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious +# Detects possible NTLM coercion via certutil using the 'syncwithWU' flag # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = ea0cdc3e-2239-4f26-a947-4e8f8224e464 -RuleName = Suspicious File Encoded To Base64 Via Certutil.EXE +RuleId = 6c6d9280-e6d0-4b9d-80ac-254701b64916 +RuleName = Potential NTLM Coercion Via Certutil.EXE EventType = Process.Start -Tag = proc-start-suspicious-file-encoded-to-base64-via-certutil.exe +Tag = proc-start-potential-ntlm-coercion-via-certutil.exe RiskScore = 75 -Annotation = {"mitre_attack": 
["T1027"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\certutil.exe" or Process.Name == "CertUtil.exe") and (Process.CommandLine like r"%-encode%" or Process.CommandLine like r"%/encode%" or Process.CommandLine like r"%–encode%" or Process.CommandLine like r"%—encode%" or Process.CommandLine like r"%―encode%") and (Process.CommandLine like r"%.acl%" or Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.mp3%" or Process.CommandLine like r"%.pdf%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.ppt%" or Process.CommandLine like r"%.tmp%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.xml%") +Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\certutil.exe" or Process.Name == "CertUtil.exe") and Process.CommandLine like r"% -syncwithWU %" and Process.CommandLine like r"% \\\\%" [ThreatDetectionRule platform=Windows] -# Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion. 
-# Author: Florian Roth (Nextron Systems) -RuleId = 737e618a-a410-49b5-bec3-9e55ff7fbc15 -RuleName = Suspicious Calculator Usage +# Detects possible Sysmon filter driver unloaded via fltmc.exe +# Author: Kirill Kiryanov, oscd.community +RuleId = 4d7cda18-1b12-4e52-b45c-d28653210df8 +RuleName = Sysmon Driver Unloaded Via Fltmc.EXE EventType = Process.Start -Tag = proc-start-suspicious-calculator-usage +Tag = proc-start-sysmon-driver-unloaded-via-fltmc.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%\\calc.exe %" or Process.Path like r"%\\calc.exe" and not (Process.Path like r"%:\\Windows\\System32\\%" or Process.Path like r"%:\\Windows\\SysWOW64\\%" or Process.Path like r"%:\\Windows\\WinSxS\\%") +Annotation = {"mitre_attack": ["T1070", "T1562", "T1562.002"], "author": "Kirill Kiryanov, oscd.community"} +Query = (Process.Path like r"%\\fltMC.exe" or Process.Name == "fltMC.exe") and Process.CommandLine like r"%unload%" and Process.CommandLine like r"%sysmon%" [ThreatDetectionRule platform=Windows] -# Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. +# Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember". 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 948a0953-f287-4806-bbcb-3b2e396df89f -RuleName = Unsigned Mfdetours.DLL Sideloading -EventType = Image.Load -Tag = unsigned-mfdetours.dll-sideloading -RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Image.Path like r"%\\mfdetours.dll" and not (Image.Path like r"%:\\Program Files (x86)\\Windows Kits\\10\\bin\\%" and Image.SignatureStatus == "Valid") -GenericProperty1 = Image.Path -GenericProperty2 = Image.SignatureStatus - - -[ThreatDetectionRule platform=Windows] -# Detects persistence registry keys for Recycle Bin -# Author: frack113 -RuleId = 277efb8f-60be-4f10-b4d3-037802f37167 -RuleName = Registry Persistence Mechanisms in Recycle Bin -EventType = Reg.Any -Tag = registry-persistence-mechanisms-in-recycle-bin +RuleId = 10fb649c-3600-4d37-b1e6-56ea90bb7e09 +RuleName = User Added To Highly Privileged Group +EventType = Process.Start +Tag = proc-start-user-added-to-highly-privileged-group RiskScore = 75 -Annotation = {"mitre_attack": ["T1547"], "author": "frack113"} -Query = Reg.EventType == "RenameKey" and Reg.Key.Path.New like r"%\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open%" or Reg.EventType == "SetValue" and Reg.TargetObject like r"%\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command\\(Default)%" -Hive = HKLM,HKU -GenericProperty1 = Reg.Key.Path.New -GenericProperty2 = Reg.TargetObject -GenericProperty3 = Reg.EventType +Annotation = {"mitre_attack": ["T1098"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.CommandLine like r"%localgroup %" and Process.CommandLine like r"% /add%" or Process.CommandLine like r"%Add-LocalGroupMember %" and Process.CommandLine like r"% -Group %") and (Process.CommandLine like r"%Group Policy Creator Owners%" or Process.CommandLine like r"%Schema Admins%") [ThreatDetectionRule platform=Windows] 
@@ -5137,386 +5079,321 @@ GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects the use of NirCmd tool for command execution as SYSTEM user
-# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-RuleId = d9047477-0359-48c9-b8c7-792cedcdc9c4
-RuleName = PUA - NirCmd Execution As LOCAL SYSTEM
-EventType = Process.Start
-Tag = proc-start-pua-nircmd-execution-as-local-system
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1569.002"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.CommandLine like r"% runassystem %"
-
-
-[ThreatDetectionRule platform=Windows]
-# Detects a method to load DLL via LSASS process using an undocumented Registry key
+# Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
 # Author: Florian Roth (Nextron Systems)
-RuleId = b3503044-60ce-4bf4-bbcb-e3db98788823
-RuleName = DLL Load via LSASS
-EventType = Reg.Any
-Tag = dll-load-via-lsass
+RuleId = 679085d5-f427-4484-9f58-1dc30a7c426d
+RuleName = WinDivert Driver Load
+EventType = Driver.Load
+Tag = windivert-driver-load
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1547.008"], "author": "Florian Roth (Nextron Systems)"}
-Query = (Reg.TargetObject like r"%\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt%" or Reg.TargetObject like r"%\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt%") and not (Process.Path == "C:\\Windows\\system32\\lsass.exe" and (Reg.Value.Data in ["\%\%systemroot\%\%\\system32\\ntdsa.dll", "\%\%systemroot\%\%\\system32\\lsadb.dll"]))
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
+Annotation = {"mitre_attack": ["T1599.001", "T1557.001"], "author": "Florian Roth (Nextron Systems)"}
+Query = Image.Path like r"%\\WinDivert.sys%" or Image.Path like r"%\\WinDivert64.sys%" or Image.Path like r"%\\NordDivert.sys%" or Image.Path like r"%\\lingtiwfp.sys%" or Image.Path like r"%\\eswfp.sys%" or Image.Hashes like r"%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%" or Image.Hashes like r"%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%" or Image.Hashes like r"%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%" or Image.Hashes like r"%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%" or Image.Hashes like r"%IMPHASH=58623490691babe8330adc81cd04a663%" or Image.Hashes like r"%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%" or Image.Hashes like r"%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%" or Image.Hashes like r"%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%" or Image.Hashes like r"%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%" or Image.Hashes like r"%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%" or Image.Hashes like r"%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%" or Image.Hashes like r"%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%" or Image.Hashes like r"%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%" or Image.Hashes like r"%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%" or Image.Hashes like r"%IMPHASH=a74929edfc3289895e3f2885278947ae%" or Image.Hashes like r"%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%" or Image.Hashes like r"%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%" or Image.Hashes like r"%IMPHASH=c28cd6ccd83179e79dac132a553693d9%"
+GenericProperty1 = Image.Path
+GenericProperty2 = Image.Hashes
 [ThreatDetectionRule platform=Windows]
-# Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
-# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-RuleId = d6a9b252-c666-4de6-8806-5561bbbd3bdc
-RuleName = Wdigest Enable UseLogonCredential
+# Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
+# Author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
+RuleId = 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
+RuleName = IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
 EventType = Reg.Any
-Tag = wdigest-enable-uselogoncredential
+Tag = ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-protocols
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1112"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"}
-Query = Reg.TargetObject like r"%WDigest\\UseLogonCredential" and Reg.Value.Data == "DWORD (0x00000001)"
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)"}
+Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults%" and (Reg.TargetObject like r"%\\http" or Reg.TargetObject like r"%\\https") and Reg.Value.Data like r"%DWORD (0x00000000)%"
 Hive = HKLM,HKU
 GenericProperty1 = Reg.TargetObject
 GenericProperty2 = Reg.Value.Data
 [ThreatDetectionRule platform=Windows]
-# Detects abusing Windows 10 Narrator's Feedback-Hub
-# Author: Dmitriy Lifanov, oscd.community
-RuleId = f663a6d9-9d1b-49b8-b2b1-0637914d199a
-RuleName = Narrator's Feedback-Hub Persistence
-EventType = Reg.Any
-Tag = narrator's-feedback-hub-persistence
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1547.001"], "author": "Dmitriy Lifanov, oscd.community"}
-Query = Reg.EventType == "DeleteValue" and Reg.TargetObject like r"%\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute" or Reg.TargetObject like r"%\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.EventType
-
-
-[ThreatDetectionRule platform=Windows]
-# Detects the execution of a renamed ProcDump executable.
-# This often done by attackers or malware in order to evade defensive mechanisms.
-# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-RuleId = 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
-RuleName = Renamed ProcDump Execution
+# Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
+# Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+RuleId = 55f0a3a1-846e-40eb-8273-677371b8d912
+RuleName = Outlook EnableUnsafeClientMailRules Setting Enabled
 EventType = Process.Start
-Tag = proc-start-renamed-procdump-execution
+Tag = proc-start-outlook-enableunsafeclientmailrules-setting-enabled
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1036.003"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Name == "procdump" or (Process.CommandLine like r"% -ma %" or Process.CommandLine like r"% /ma %" or Process.CommandLine like r"% –ma %" or Process.CommandLine like r"% —ma %" or Process.CommandLine like r"% ―ma %" or Process.CommandLine like r"% -mp %" or Process.CommandLine like r"% /mp %" or Process.CommandLine like r"% –mp %" or Process.CommandLine like r"% —mp %" or Process.CommandLine like r"% ―mp %") and (Process.CommandLine like r"% -accepteula%" or Process.CommandLine like r"% /accepteula%" or Process.CommandLine like r"% –accepteula%" or Process.CommandLine like r"% —accepteula%" or Process.CommandLine like r"% ―accepteula%")) and not (Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe")
+Annotation = {"mitre_attack": ["T1059", "T1202"], "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.CommandLine like r"%\\Outlook\\Security\\EnableUnsafeClientMailRules%"
 [ThreatDetectionRule platform=Windows]
-# Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
-# Author: frack113
-RuleId = a29808fd-ef50-49ff-9c7a-59a9b040b404
-RuleName = HackTool - Pypykatz Credentials Dumping Activity
+# Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
+# This binary can be abused for DLL injection, arbitrary command and process execution.
+# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+RuleId = 340a090b-c4e9-412e-bb36-b4b16fe96f9b
+RuleName = Renamed ZOHO Dctask64 Execution
 EventType = Process.Start
-Tag = proc-start-hacktool-pypykatz-credentials-dumping-activity
+Tag = proc-start-renamed-zoho-dctask64-execution
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1003.002"], "author": "frack113"}
-Query = (Process.Path like r"%\\pypykatz.exe" or Process.Path like r"%\\python.exe") and Process.CommandLine like r"%live%" and Process.CommandLine like r"%registry%"
+Annotation = {"mitre_attack": ["T1036", "T1055.001", "T1202", "T1218"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Hashes like r"%IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD%" or Process.Hashes like r"%IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA%" or Process.Hashes like r"%IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3%" or Process.Hashes like r"%IMPHASH=F1039CED4B91572AB7847D26032E6BBF%") and not Process.Path like r"%\\dctask64.exe"
+GenericProperty1 = Process.Hashes
 [ThreatDetectionRule platform=Windows]
-# Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
-# Author: Florian Roth (Nextron Systems)
-RuleId = ab9e3b40-0c85-4ba1-aede-455d226fd124
-RuleName = Suspicious Redirection to Local Admin Share
-EventType = Process.Start
-Tag = proc-start-suspicious-redirection-to-local-admin-share
+# Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
+# Author: Ilyas Ochkov, oscd.community
+RuleId = 919f2ef0-be2d-4a7a-b635-eb2b41fde044
+RuleName = Disable Security Events Logging Adding Reg Key MiniNt
+EventType = Reg.Any
+Tag = disable-security-events-logging-adding-reg-key-minint
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1048"], "author": "Florian Roth (Nextron Systems)"}
-Query = Process.CommandLine like r"%>%" and (Process.CommandLine like r"%\\\\127.0.0.1\\admin$\\%" or Process.CommandLine like r"%\\\\localhost\\admin$\\%")
+Annotation = {"mitre_attack": ["T1562.001", "T1112"], "author": "Ilyas Ochkov, oscd.community"}
+Query = Reg.TargetObject == "HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" and Reg.EventType == "CreateKey" or Reg.Key.Path.New == "HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"
+Hive = HKLM,HKU
+GenericProperty1 = Reg.Key.Path.New
+GenericProperty2 = Reg.TargetObject
+GenericProperty3 = Reg.EventType
 [ThreatDetectionRule platform=Windows]
-# Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
-# Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-RuleId = 2f78da12-f7c7-430b-8b19-a28f269b77a3
-RuleName = Disable Windows Event Logging Via Registry
+# Detects the abuse of custom file open handler, executing powershell
+# Author: CD_R0M_
+RuleId = 7530b96f-ad8e-431d-a04d-ac85cc461fdc
+RuleName = Custom File Open Handler Executes PowerShell
 EventType = Reg.Any
-Tag = disable-windows-event-logging-via-registry
+Tag = custom-file-open-handler-executes-powershell
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1562.002"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"}
-Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\%" and Reg.TargetObject like r"%\\Enabled" and Reg.Value.Data == "DWORD (0x00000000)" and not (Process.Path == "C:\\Windows\\system32\\wevtutil.exe" or Process.Path like r"C:\\Windows\\winsxs\\%" and Process.Path like r"%\\TiWorker.exe" or Process.Path == "C:\\Windows\\System32\\svchost.exe" and (Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1\\%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat\\%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error\\%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational\\%") or Process.Path == "C:\\Windows\\servicing\\TrustedInstaller.exe" and Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser%") and not (Process.Path == "" or isnull(Process.Path))
+Annotation = {"mitre_attack": ["T1202"], "author": "CD_R0M_"}
+Query = Reg.TargetObject like r"%shell\\open\\command\\%" and Reg.Value.Data like r"%powershell%" and Reg.Value.Data like r"%-command%"
 Hive = HKLM,HKU
 GenericProperty1 = Reg.TargetObject
 GenericProperty2 = Reg.Value.Data
 [ThreatDetectionRule platform=Windows]
-# Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-# Author: Florian Roth (Nextron Systems), oscd.community
-RuleId = b7916c2a-fa2f-4795-9477-32b731f70f11
-RuleName = Registry Persistence via Explorer Run Key
+# Detects suspicious process patterns found in logs when CrackMapExec is used
+# Author: Florian Roth (Nextron Systems)
+RuleId = f26307d8-14cd-47e3-a26b-4b4769f24af6
+RuleName = HackTool - CrackMapExec Process Patterns
+EventType = Process.Start
+Tag = proc-start-hacktool-crackmapexec-process-patterns
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"}
+Query = Process.CommandLine like r"%tasklist /fi %" and Process.CommandLine like r"%Imagename eq lsass.exe%" and (Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd.exe /r %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd /r %" or Process.CommandLine like r"%cmd /k %") and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") or Process.CommandLine like r"%do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump%" and Process.CommandLine like r"%\\Windows\\Temp\\%" and Process.CommandLine like r"% full%" and Process.CommandLine like r"%\%\%B%" or Process.CommandLine like r"%tasklist /v /fo csv%" and Process.CommandLine like r"%findstr /i \"lsass\"%"
+GenericProperty1 = Process.User
+
+
+[ThreatDetectionRule platform=Windows]
+# Detect change of the user account associated with the FAX service to avoid the escalation problem.
+# Author: frack113
+RuleId = e3fdf743-f05b-4051-990a-b66919be1743
+RuleName = Change User Account Associated with the FAX Service
 EventType = Reg.Any
-Tag = registry-persistence-via-explorer-run-key
+Tag = change-user-account-associated-with-the-fax-service
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1547.001"], "author": "Florian Roth (Nextron Systems), oscd.community"}
-Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" and (Reg.Value.Data like r"%:\\$Recycle.bin\\%" or Reg.Value.Data like r"%:\\ProgramData\\%" or Reg.Value.Data like r"%:\\Temp\\%" or Reg.Value.Data like r"%:\\Users\\Default\\%" or Reg.Value.Data like r"%:\\Users\\Public\\%" or Reg.Value.Data like r"%:\\Windows\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%")
+Annotation = {"mitre_attack": ["T1112"], "author": "frack113"}
+Query = Reg.TargetObject == "HKLM\\System\\CurrentControlSet\\Services\\Fax\\ObjectName" and not Reg.Value.Data like r"%NetworkService%"
 Hive = HKLM,HKU
 GenericProperty1 = Reg.TargetObject
 GenericProperty2 = Reg.Value.Data
 [ThreatDetectionRule platform=Windows]
-# Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 395907ee-96e5-4666-af2e-2ca91688e151
-RuleName = Wab Execution From Non Default Location
+# Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
+# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+RuleId = 207b0396-3689-42d9-8399-4222658efc99
+RuleName = Potential Privilege Escalation To LOCAL SYSTEM
 EventType = Process.Start
-Tag = proc-start-wab-execution-from-non-default-location
+Tag = proc-start-potential-privilege-escalation-to-local-system
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron 
Systems)"} -Query = (Process.Path like r"%\\wab.exe" or Process.Path like r"%\\wabmig.exe") and not (Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\Program Files\\Windows Mail\\%" or Process.Path like r"C:\\Program Files (x86)\\Windows Mail\\%") +Annotation = {"mitre_attack": ["T1587.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.CommandLine like r"% -s cmd%" or Process.CommandLine like r"% /s cmd%" or Process.CommandLine like r"% –s cmd%" or Process.CommandLine like r"% —s cmd%" or Process.CommandLine like r"% ―s cmd%" or Process.CommandLine like r"% -s -i cmd%" or Process.CommandLine like r"% -s /i cmd%" or Process.CommandLine like r"% -s –i cmd%" or Process.CommandLine like r"% -s —i cmd%" or Process.CommandLine like r"% -s ―i cmd%" or Process.CommandLine like r"% /s -i cmd%" or Process.CommandLine like r"% /s /i cmd%" or Process.CommandLine like r"% /s –i cmd%" or Process.CommandLine like r"% /s —i cmd%" or Process.CommandLine like r"% /s ―i cmd%" or Process.CommandLine like r"% –s -i cmd%" or Process.CommandLine like r"% –s /i cmd%" or Process.CommandLine like r"% –s –i cmd%" or Process.CommandLine like r"% –s —i cmd%" or Process.CommandLine like r"% –s ―i cmd%" or Process.CommandLine like r"% —s -i cmd%" or Process.CommandLine like r"% —s /i cmd%" or Process.CommandLine like r"% —s –i cmd%" or Process.CommandLine like r"% —s —i cmd%" or Process.CommandLine like r"% —s ―i cmd%" or Process.CommandLine like r"% ―s -i cmd%" or Process.CommandLine like r"% ―s /i cmd%" or Process.CommandLine like r"% ―s –i cmd%" or Process.CommandLine like r"% ―s —i cmd%" or Process.CommandLine like r"% ―s ―i cmd%" or Process.CommandLine like r"% -i -s cmd%" or Process.CommandLine like r"% -i /s cmd%" or Process.CommandLine like r"% -i –s cmd%" or Process.CommandLine like r"% -i —s cmd%" or Process.CommandLine like r"% -i ―s cmd%" or Process.CommandLine like r"% /i -s cmd%" or 
Process.CommandLine like r"% /i /s cmd%" or Process.CommandLine like r"% /i –s cmd%" or Process.CommandLine like r"% /i —s cmd%" or Process.CommandLine like r"% /i ―s cmd%" or Process.CommandLine like r"% –i -s cmd%" or Process.CommandLine like r"% –i /s cmd%" or Process.CommandLine like r"% –i –s cmd%" or Process.CommandLine like r"% –i —s cmd%" or Process.CommandLine like r"% –i ―s cmd%" or Process.CommandLine like r"% —i -s cmd%" or Process.CommandLine like r"% —i /s cmd%" or Process.CommandLine like r"% —i –s cmd%" or Process.CommandLine like r"% —i —s cmd%" or Process.CommandLine like r"% —i ―s cmd%" or Process.CommandLine like r"% ―i -s cmd%" or Process.CommandLine like r"% ―i /s cmd%" or Process.CommandLine like r"% ―i –s cmd%" or Process.CommandLine like r"% ―i —s cmd%" or Process.CommandLine like r"% ―i ―s cmd%" or Process.CommandLine like r"% -s pwsh%" or Process.CommandLine like r"% /s pwsh%" or Process.CommandLine like r"% –s pwsh%" or Process.CommandLine like r"% —s pwsh%" or Process.CommandLine like r"% ―s pwsh%" or Process.CommandLine like r"% -s -i pwsh%" or Process.CommandLine like r"% -s /i pwsh%" or Process.CommandLine like r"% -s –i pwsh%" or Process.CommandLine like r"% -s —i pwsh%" or Process.CommandLine like r"% -s ―i pwsh%" or Process.CommandLine like r"% /s -i pwsh%" or Process.CommandLine like r"% /s /i pwsh%" or Process.CommandLine like r"% /s –i pwsh%" or Process.CommandLine like r"% /s —i pwsh%" or Process.CommandLine like r"% /s ―i pwsh%" or Process.CommandLine like r"% –s -i pwsh%" or Process.CommandLine like r"% –s /i pwsh%" or Process.CommandLine like r"% –s –i pwsh%" or Process.CommandLine like r"% –s —i pwsh%" or Process.CommandLine like r"% –s ―i pwsh%" or Process.CommandLine like r"% —s -i pwsh%" or Process.CommandLine like r"% —s /i pwsh%" or Process.CommandLine like r"% —s –i pwsh%" or Process.CommandLine like r"% —s —i pwsh%" or Process.CommandLine like r"% —s ―i pwsh%" or Process.CommandLine like r"% ―s -i pwsh%" or 
Process.CommandLine like r"% ―s /i pwsh%" or Process.CommandLine like r"% ―s –i pwsh%" or Process.CommandLine like r"% ―s —i pwsh%" or Process.CommandLine like r"% ―s ―i pwsh%" or Process.CommandLine like r"% -i -s pwsh%" or Process.CommandLine like r"% -i /s pwsh%" or Process.CommandLine like r"% -i –s pwsh%" or Process.CommandLine like r"% -i —s pwsh%" or Process.CommandLine like r"% -i ―s pwsh%" or Process.CommandLine like r"% /i -s pwsh%" or Process.CommandLine like r"% /i /s pwsh%" or Process.CommandLine like r"% /i –s pwsh%" or Process.CommandLine like r"% /i —s pwsh%" or Process.CommandLine like r"% /i ―s pwsh%" or Process.CommandLine like r"% –i -s pwsh%" or Process.CommandLine like r"% –i /s pwsh%" or Process.CommandLine like r"% –i –s pwsh%" or Process.CommandLine like r"% –i —s pwsh%" or Process.CommandLine like r"% –i ―s pwsh%" or Process.CommandLine like r"% —i -s pwsh%" or Process.CommandLine like r"% —i /s pwsh%" or Process.CommandLine like r"% —i –s pwsh%" or Process.CommandLine like r"% —i —s pwsh%" or Process.CommandLine like r"% —i ―s pwsh%" or Process.CommandLine like r"% ―i -s pwsh%" or Process.CommandLine like r"% ―i /s pwsh%" or Process.CommandLine like r"% ―i –s pwsh%" or Process.CommandLine like r"% ―i —s pwsh%" or Process.CommandLine like r"% ―i ―s pwsh%" or Process.CommandLine like r"% -s powershell%" or Process.CommandLine like r"% /s powershell%" or Process.CommandLine like r"% –s powershell%" or Process.CommandLine like r"% —s powershell%" or Process.CommandLine like r"% ―s powershell%" or Process.CommandLine like r"% -s -i powershell%" or Process.CommandLine like r"% -s /i powershell%" or Process.CommandLine like r"% -s –i powershell%" or Process.CommandLine like r"% -s —i powershell%" or Process.CommandLine like r"% -s ―i powershell%" or Process.CommandLine like r"% /s -i powershell%" or Process.CommandLine like r"% /s /i powershell%" or Process.CommandLine like r"% /s –i powershell%" or Process.CommandLine like r"% /s —i 
powershell%" or Process.CommandLine like r"% /s ―i powershell%" or Process.CommandLine like r"% –s -i powershell%" or Process.CommandLine like r"% –s /i powershell%" or Process.CommandLine like r"% –s –i powershell%" or Process.CommandLine like r"% –s —i powershell%" or Process.CommandLine like r"% –s ―i powershell%" or Process.CommandLine like r"% —s -i powershell%" or Process.CommandLine like r"% —s /i powershell%" or Process.CommandLine like r"% —s –i powershell%" or Process.CommandLine like r"% —s —i powershell%" or Process.CommandLine like r"% —s ―i powershell%" or Process.CommandLine like r"% ―s -i powershell%" or Process.CommandLine like r"% ―s /i powershell%" or Process.CommandLine like r"% ―s –i powershell%" or Process.CommandLine like r"% ―s —i powershell%" or Process.CommandLine like r"% ―s ―i powershell%" or Process.CommandLine like r"% -i -s powershell%" or Process.CommandLine like r"% -i /s powershell%" or Process.CommandLine like r"% -i –s powershell%" or Process.CommandLine like r"% -i —s powershell%" or Process.CommandLine like r"% -i ―s powershell%" or Process.CommandLine like r"% /i -s powershell%" or Process.CommandLine like r"% /i /s powershell%" or Process.CommandLine like r"% /i –s powershell%" or Process.CommandLine like r"% /i —s powershell%" or Process.CommandLine like r"% /i ―s powershell%" or Process.CommandLine like r"% –i -s powershell%" or Process.CommandLine like r"% –i /s powershell%" or Process.CommandLine like r"% –i –s powershell%" or Process.CommandLine like r"% –i —s powershell%" or Process.CommandLine like r"% –i ―s powershell%" or Process.CommandLine like r"% —i -s powershell%" or Process.CommandLine like r"% —i /s powershell%" or Process.CommandLine like r"% —i –s powershell%" or Process.CommandLine like r"% —i —s powershell%" or Process.CommandLine like r"% —i ―s powershell%" or Process.CommandLine like r"% ―i -s powershell%" or Process.CommandLine like r"% ―i /s powershell%" or Process.CommandLine like r"% ―i –s 
powershell%" or Process.CommandLine like r"% ―i —s powershell%" or Process.CommandLine like r"% ―i ―s powershell%") and not (Process.CommandLine like r"%paexec%" or Process.CommandLine like r"%PsExec%" or Process.CommandLine like r"%accepteula%")
 [ThreatDetectionRule platform=Windows]
-# Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
-# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-RuleId = ea011323-7045-460b-b2d7-0f7442ea6b38
-RuleName = Potential PsExec Remote Execution
+# Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+# Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+# Author: Nasreddine Bencherchali (Nextron Systems), frack113
+RuleId = 84972c80-251c-4c3a-9079-4f00aad93938
+RuleName = Sensitive File Recovery From Backup Via Wbadmin.EXE
 EventType = Process.Start
-Tag = proc-start-potential-psexec-remote-execution
+Tag = proc-start-sensitive-file-recovery-from-backup-via-wbadmin.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1587.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.CommandLine like r"%accepteula%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% \\\\%"
+Annotation = {"mitre_attack": ["T1003.003"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113"}
+Query = (Process.Path like r"%\\wbadmin.exe" or Process.Name == "WBADMIN.EXE") and Process.CommandLine like r"% recovery%" and Process.CommandLine like r"%recoveryTarget%" and Process.CommandLine like r"%itemtype:File%" and (Process.CommandLine like r"%\\config\\SAM%" or Process.CommandLine like r"%\\config\\SECURITY%" or Process.CommandLine like r"%\\config\\SYSTEM%" or Process.CommandLine like r"%\\Windows\\NTDS\\NTDS.dit%")
 [ThreatDetectionRule platform=Windows]
-# Detects the creation of a file with an uncommon extension in an Office application startup folder
-# Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-RuleId = a10a2c40-2c4d-49f8-b557-1a946bc55d9d
-RuleName = Uncommon File Created In Office Startup Folder
+# Detects default file names outputted by the BloodHound collection tool SharpHound
+# Author: C.J. May
+RuleId = 02773bed-83bf-469f-b7ff-e676e7d78bab
+RuleName = BloodHound Collection Files
 EventType = File.Create
-Tag = uncommon-file-created-in-office-startup-folder
+Tag = bloodhound-collection-files
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1587.001"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"}
-Query = ((File.Path like r"%\\Microsoft\\Word\\STARTUP%" or File.Path like r"%\\Office%" and File.Path like r"%\\Program Files%" and File.Path like r"%\\STARTUP%") and not (File.Path like r"%.docb" or File.Path like r"%.docm" or File.Path like r"%.docx" or File.Path like r"%.dotm" or File.Path like r"%.mdb" or File.Path like r"%.mdw" or File.Path like r"%.pdf" or File.Path like r"%.wll" or File.Path like r"%.wwl") or (File.Path like r"%\\Microsoft\\Excel\\XLSTART%" or File.Path like r"%\\Office%" and File.Path like r"%\\Program Files%" and File.Path like r"%\\XLSTART%") and not (File.Path like r"%.xll" or File.Path like r"%.xls" or File.Path like r"%.xlsm" or File.Path like r"%.xlsx" or File.Path like r"%.xlt" or File.Path like r"%.xltm" or File.Path like r"%.xlw")) and not (Process.Path like r"%:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\%" and Process.Path like r"%\\OfficeClickToRun.exe" or (Process.Path like r"%:\\Program Files\\Microsoft Office\\%" or Process.Path like r"%:\\Program Files (x86)\\Microsoft Office\\%") and (Process.Path like r"%\\winword.exe" or Process.Path like r"%\\excel.exe"))
+Annotation = {"mitre_attack": ["T1087.001", "T1087.002", "T1482", "T1069.001", "T1069.002", "T1059.001"], "author": "C.J. May"}
+Query = (File.Path like r"%BloodHound.zip" or File.Path like r"%\_computers.json" or File.Path like r"%\_containers.json" or File.Path like r"%\_domains.json" or File.Path like r"%\_gpos.json" or File.Path like r"%\_groups.json" or File.Path like r"%\_ous.json" or File.Path like r"%\_users.json") and not (Process.Path like r"%\\svchost.exe" and File.Path like r"C:\\Program Files\\WindowsApps\\Microsoft.%" and File.Path like r"%\\pocket\_containers.json")
 GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
-# Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
-RuleId = 4782eb5a-a513-4523-a0ac-f3082b26ac5c
-RuleName = Mshtml.DLL RunHTMLApplication Suspicious Usage
-EventType = Process.Start
-Tag = proc-start-mshtml.dll-runhtmlapplication-suspicious-usage
+# Detects the setting of the environement variable "windir" to a non default value.
+# Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
+# The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
+# Author: frack113, Nextron Systems
+RuleId = 724ea201-6514-4f38-9739-e5973c34f49a
+RuleName = Bypass UAC Using SilentCleanup Task
+EventType = Reg.Any
+Tag = bypass-uac-using-silentcleanup-task
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)"}
-Query = Process.CommandLine like r"%\\..\\%" and Process.CommandLine like r"%mshtml%" and (Process.CommandLine like r"%#135%" or Process.CommandLine like r"%RunHTMLApplication%")
+Annotation = {"mitre_attack": ["T1548.002"], "author": "frack113, Nextron Systems"}
+Query = Reg.TargetObject like r"%\\Environment\\windir" and not Reg.Value.Data == "\%SystemRoot\%"
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
+GenericProperty2 = Reg.Value.Data
 [ThreatDetectionRule platform=Windows]
-# Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
-# Author: Eli Salem, Sander Wiebing, oscd.community
-RuleId = 77946e79-97f1-45a2-84b4-f37b5c0d8682
-RuleName = Suspicious Registry Modification From ADS Via Regini.EXE
+# Detects the deletion of all backups or system state backups via "wbadmin.exe".
+# This technique is used by numerous ransomware families and actors.
+# This may only be successful on server platforms that have Windows Backup enabled.
+# Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+RuleId = 639c9081-f482-47d3-a0bd-ddee3d4ecd76
+RuleName = All Backups Deleted Via Wbadmin.EXE
 EventType = Process.Start
-Tag = proc-start-suspicious-registry-modification-from-ads-via-regini.exe
+Tag = proc-start-all-backups-deleted-via-wbadmin.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1112"], "author": "Eli Salem, Sander Wiebing, oscd.community"}
-Query = (Process.Path like r"%\\regini.exe" or Process.Name == "REGINI.EXE") and Process.CommandLine regex ":[^ \\\\]"
+Annotation = {"mitre_attack": ["T1490"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\wbadmin.exe" or Process.Name == "WBADMIN.EXE") and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%backup%" and Process.CommandLine like r"%keepVersions:0%"
 [ThreatDetectionRule platform=Windows]
-# Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
-# Author: Florian Roth (Nextron Systems)
-RuleId = 7c0dcd3d-acf8-4f71-9570-f448b0034f94
-RuleName = PsExec Service Child Process Execution as LOCAL SYSTEM
-EventType = Process.Start
-Tag = proc-start-psexec-service-child-process-execution-as-local-system
+# Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
+# In it's default mode, it builds a self deleting .bat file which executes malicious command.
+# The detection rule relies on creation of the malicious bat file (debug.bat by default).
+# Author: Subhash Popuri (@pbssubhash)
+RuleId = 602a1f13-c640-4d73-b053-be9a2fa58b96
+RuleName = HackTool - Powerup Write Hijack DLL
+EventType = File.Create
+Tag = hacktool-powerup-write-hijack-dll
 RiskScore = 75
-Annotation = {"author": "Florian Roth (Nextron Systems)"}
-Query = Parent.Path == "C:\\Windows\\PSEXESVC.exe" and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%")
-GenericProperty1 = Parent.Path
-GenericProperty2 = Process.User
+Annotation = {"mitre_attack": ["T1574.001"], "author": "Subhash Popuri (@pbssubhash)"}
+Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and File.Path like r"%.bat"
+GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects an interactive AT job, which may be used as a form of privilege escalation.
-# Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-RuleId = 60fc936d-2eb0-4543-8a13-911c750a1dfc
-RuleName = Interactive AT Job
+# Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
+# This could be a sign of obfuscation of a fat finger problem (typo by the developer).
+# Author: Florian Roth (Nextron Systems)
+RuleId = a16980c2-0c56-4de0-9a79-17971979efdd
+RuleName = Cmd.EXE Missing Space Characters Execution Anomaly
 EventType = Process.Start
-Tag = proc-start-interactive-at-job
+Tag = proc-start-cmd.exe-missing-space-characters-execution-anomaly
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1053.002"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community"}
-Query = Process.Path like r"%\\at.exe" and Process.CommandLine like r"%interactive%"
+Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"}
+Query = (Process.CommandLine like r"%cmd.exe/c%" or Process.CommandLine like r"%\\cmd/c%" or Process.CommandLine like r"%\"cmd/c%" or Process.CommandLine like r"%cmd.exe/k%" or Process.CommandLine like r"%\\cmd/k%" or Process.CommandLine like r"%\"cmd/k%" or Process.CommandLine like r"%cmd.exe/r%" or Process.CommandLine like r"%\\cmd/r%" or Process.CommandLine like r"%\"cmd/r%" or Process.CommandLine like r"%/cwhoami%" or Process.CommandLine like r"%/cpowershell%" or Process.CommandLine like r"%/cschtasks%" or Process.CommandLine like r"%/cbitsadmin%" or Process.CommandLine like r"%/ccertutil%" or Process.CommandLine like r"%/kwhoami%" or Process.CommandLine like r"%/kpowershell%" or Process.CommandLine like r"%/kschtasks%" or Process.CommandLine like r"%/kbitsadmin%" or Process.CommandLine like r"%/kcertutil%" or Process.CommandLine like r"%cmd.exe /c%" or Process.CommandLine like r"%cmd /c%" or Process.CommandLine like r"%cmd.exe /k%" or Process.CommandLine like r"%cmd /k%" or Process.CommandLine like r"%cmd.exe /r%" or Process.CommandLine like r"%cmd /r%") and not (Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd /k %" or Process.CommandLine like r"%cmd.exe /r %" or Process.CommandLine like r"%cmd /r %" or Process.CommandLine like r"%AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node\_modules%" or Process.CommandLine like r"%cmd.exe/c ." 
or Process.CommandLine == "cmd.exe /c") [ThreatDetectionRule platform=Windows] -# Detects the use of NSudo tool for command execution -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali -RuleId = 771d1eb5-9587-4568-95fb-9ec44153a012 -RuleName = PUA - NSudo Execution +# Detects changes to environment variables related to ETW logging via the CommandLine. +# This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. +# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = 41421f44-58f9-455d-838a-c398859841d4 +RuleName = ETW Logging Tamper In .NET Processes Via CommandLine EventType = Process.Start -Tag = proc-start-pua-nsudo-execution +Tag = proc-start-etw-logging-tamper-in-.net-processes-via-commandline RiskScore = 75 -Annotation = {"mitre_attack": ["T1569.002"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali"} -Query = (Process.Path like r"%\\NSudo.exe" or Process.Path like r"%\\NSudoLC.exe" or Process.Path like r"%\\NSudoLG.exe" or Process.Name in ["NSudo.exe", "NSudoLC.exe", "NSudoLG.exe"]) and (Process.CommandLine like r"%-U:S %" or Process.CommandLine like r"%-U:T %" or Process.CommandLine like r"%-U:E %" or Process.CommandLine like r"%-P:E %" or Process.CommandLine like r"%-M:S %" or Process.CommandLine like r"%-M:H %" or Process.CommandLine like r"%-U=S %" or Process.CommandLine like r"%-U=T %" or Process.CommandLine like r"%-U=E %" or Process.CommandLine like r"%-P=E %" or Process.CommandLine like r"%-M=S %" or Process.CommandLine like r"%-M=H %" or Process.CommandLine like r"%-ShowWindowMode:Hide%") +Annotation = {"mitre_attack": ["T1562"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = Process.CommandLine like r"%COMPlus\_ETWEnabled%" or Process.CommandLine like r"%COMPlus\_ETWFlags%" [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio 
editing software. -# Author: X__Junior (Nextron Systems) -RuleId = 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb -RuleName = Potential Waveedit.DLL Sideloading +# Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. +# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = 7707a579-e0d8-4886-a853-ce47e4575aaa +RuleName = Wmiprvse Wbemcomn DLL Hijack EventType = Image.Load -Tag = potential-waveedit.dll-sideloading +Tag = wmiprvse-wbemcomn-dll-hijack RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} -Query = Image.Path like r"%\\waveedit.dll" and not ((Process.Path in ["C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe", "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe"]) and (Image.Path like r"C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\%" or Image.Path like r"C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\%")) +Annotation = {"mitre_attack": ["T1047", "T1021.002"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = Process.Path like r"%\\wmiprvse.exe" and Image.Path like r"%\\wbem\\wbemcomn.dll" GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed -# Author: Florian Roth (Nextron Systems) -RuleId = 37c1333a-a0db-48be-b64b-7393b2386e3b -RuleName = Hacktool Execution - PE Metadata +# Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group) +# Author: Bhabesh Raj +RuleId = 871b9555-69ca-4993-99d3-35a59f9f3599 +RuleName = Suspicious UltraVNC Execution EventType = Process.Start -Tag = proc-start-hacktool-execution-pe-metadata +Tag = proc-start-suspicious-ultravnc-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1588.002", "T1003"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Company == "Cube0x0" -GenericProperty1 = Process.Company +Annotation = {"mitre_attack": ["T1021.005"], "author": "Bhabesh Raj"} +Query = Process.CommandLine like r"%-autoreconnect %" and Process.CommandLine like r"%-connect %" and Process.CommandLine like r"%-id:%" [ThreatDetectionRule platform=Windows] -# Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = fcc6d700-68d9-4241-9a1a-06874d621b06 -RuleName = Suspicious File Created Via OneNote Application +# Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension +# Author: Florian Roth (Nextron Systems) +RuleId = fc4f4817-0c53-4683-a4ee-b17a64bc1039 +RuleName = Suspicious Desktopimgdownldr Target File EventType = File.Create -Tag = suspicious-file-created-via-onenote-application +Tag = suspicious-desktopimgdownldr-target-file RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\onenote.exe" or Process.Path like r"%\\onenotem.exe" or Process.Path like r"%\\onenoteim.exe") and File.Path like r"%\\AppData\\Local\\Temp\\OneNote\\%" and (File.Path like r"%.bat" or File.Path like r"%.chm" or File.Path like r"%.cmd" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.hta" or File.Path like r"%.htm" or File.Path like r"%.html" or 
File.Path like r"%.js" or File.Path like r"%.lnk" or File.Path like r"%.ps1" or File.Path like r"%.vbe" or File.Path like r"%.vbs" or File.Path like r"%.wsf") +Annotation = {"mitre_attack": ["T1105"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\svchost.exe" and File.Path like r"%\\Personalization\\LockScreenImage\\%" and not File.Path like r"%C:\\Windows\\%" and not (File.Path like r"%.jpg%" or File.Path like r"%.jpeg%" or File.Path like r"%.png%") GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = a1b1fd53-9c4a-444c-bae0-34a330fc7aa8 -RuleName = Potential Persistence Via DLLPathOverride -EventType = Reg.Any -Tag = potential-persistence-via-dllpathoverride -RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\%" and (Reg.TargetObject like r"%\\StemmerDLLPathOverride%" or Reg.TargetObject like r"%\\WBDLLPathOverride%" or Reg.TargetObject like r"%\\StemmerClass%" or Reg.TargetObject like r"%\\WBreakerClass%") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject - - -[ThreatDetectionRule platform=Windows] -# Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. 
-# Author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea) -RuleId = 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 -RuleName = IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols -EventType = Reg.Any -Tag = ie-zonemap-setting-downgraded-to-mycomputer-zone-for-http-protocols -RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)"} -Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults%" and (Reg.TargetObject like r"%\\http" or Reg.TargetObject like r"%\\https") and Reg.Value.Data like r"%DWORD (0x00000000)%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data - - -[ThreatDetectionRule platform=Windows] -# Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 272e55a4-9e6b-4211-acb6-78f51f0b1b40 -RuleName = Folder Removed From Exploit Guard ProtectedFolders List - Registry -EventType = Reg.Any -Tag = folder-removed-from-exploit-guard-protectedfolders-list-registry -RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.EventType == "DeleteValue" and Reg.TargetObject like r"%SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.EventType - - -[ThreatDetectionRule platform=Windows] -# Detects the abuse of the exefile handler in new file association. Used for bypass of security products. -# Author: Andreas Hunkeler (@Karneades) -RuleId = 44a22d59-b175-4f13-8c16-cbaef5b581ff -RuleName = New File Association Using Exefile +# Detects changes to the default RDP port. 
+# Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. +# Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). +# Author: frack113 +RuleId = 509e84b9-a71a-40e0-834f-05470369bd1e +RuleName = Default RDP Port Changed to Non Standard Port EventType = Reg.Any -Tag = new-file-association-using-exefile +Tag = default-rdp-port-changed-to-non-standard-port RiskScore = 75 -Annotation = {"author": "Andreas Hunkeler (@Karneades)"} -Query = Reg.TargetObject like r"%Classes\\.%" and Reg.Value.Data == "exefile" +Annotation = {"mitre_attack": ["T1547.010"], "author": "frack113"} +Query = Reg.TargetObject like r"%\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber" and not Reg.Value.Data == "DWORD (0x00000d3d)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects AdFind execution with common flags seen used during attacks -# Author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community -RuleId = 9a132afa-654e-11eb-ae93-0242ac130002 -RuleName = PUA - AdFind Suspicious Execution -EventType = Process.Start -Tag = proc-start-pua-adfind-suspicious-execution -RiskScore = 75 -Annotation = {"mitre_attack": ["T1018", "T1087.002", "T1482", "T1069.002"], "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community"} -Query = Process.CommandLine like r"%domainlist%" or Process.CommandLine like r"%trustdmp%" or Process.CommandLine like r"%dcmodes%" or Process.CommandLine like r"%adinfo%" or Process.CommandLine like r"% dclist %" or Process.CommandLine like r"%computer\_pwdnotreqd%" or Process.CommandLine like r"%objectcategory=%" or Process.CommandLine like r"%-subnets -f%" or Process.CommandLine like r"%name=\"Domain Admins\"%" or 
Process.CommandLine like r"%-sc u:%" or Process.CommandLine like r"%domainncs%" or Process.CommandLine like r"%dompol%" or Process.CommandLine like r"% oudmp %" or Process.CommandLine like r"%subnetdmp%" or Process.CommandLine like r"%gpodmp%" or Process.CommandLine like r"%fspdmp%" or Process.CommandLine like r"%users\_noexpire%" or Process.CommandLine like r"%computers\_active%" or Process.CommandLine like r"%computers\_pwdnotreqd%" - - -[ThreatDetectionRule platform=Windows] -# Detects suspicious mshta process execution patterns -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = e32f92d1-523e-49c3-9374-bdb13b46a3ba -RuleName = Suspicious Mshta.EXE Execution Patterns -EventType = Process.Start -Tag = proc-start-suspicious-mshta.exe-execution-patterns -RiskScore = 75 -Annotation = {"mitre_attack": ["T1106"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\mshta.exe" or Process.Name == "MSHTA.EXE") and (Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\regsvr32.exe" or Parent.Path like r"%\\rundll32.exe" or Parent.Path like r"%\\wscript.exe") and (Process.CommandLine like r"%\\AppData\\Local\\%" or Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\Users\\Public\\%" or Process.CommandLine like r"%C:\\Windows\\Temp\\%") or (Process.Path like r"%\\mshta.exe" or Process.Name == "MSHTA.EXE") and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.CommandLine like r"%.htm%" or Process.CommandLine like r"%.hta%" or Process.CommandLine like r"%mshta.exe" or Process.CommandLine like r"%mshta") -GenericProperty1 = Parent.Path - - -[ThreatDetectionRule platform=Windows] -# Detects execution of "reg.exe" commands with the "delete" flag on safe boot 
registry keys. Often used by attacker to prevent safeboot execution of security products -# Author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton -RuleId = fc0e89b5-adb0-43c1-b749-c12a10ec37de -RuleName = SafeBoot Registry Key Deleted Via Reg.EXE -EventType = Process.Start -Tag = proc-start-safeboot-registry-key-deleted-via-reg.exe +# Detects Processes accessing the camera and microphone from suspicious folder +# Author: Den Iuzvyk +RuleId = 62120148-6b7a-42be-8b91-271c04e281a3 +RuleName = Suspicious Camera and Microphone Access +EventType = Reg.Any +Tag = suspicious-camera-and-microphone-access RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton"} -Query = (Process.Path like r"%reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"% delete %" and Process.CommandLine like r"%\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot%" +Annotation = {"mitre_attack": ["T1125", "T1123"], "author": "Den Iuzvyk"} +Query = Reg.TargetObject like r"%\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\%" and Reg.TargetObject like r"%\\NonPackaged%" and (Reg.TargetObject like r"%microphone%" or Reg.TargetObject like r"%webcam%") and (Reg.TargetObject like r"%:#Windows#Temp#%" or Reg.TargetObject like r"%:#$Recycle.bin#%" or Reg.TargetObject like r"%:#Temp#%" or Reg.TargetObject like r"%:#Users#Public#%" or Reg.TargetObject like r"%:#Users#Default#%" or Reg.TargetObject like r"%:#Users#Desktop#%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension -# Author: Florian Roth (Nextron Systems) -RuleId = fc4f4817-0c53-4683-a4ee-b17a64bc1039 -RuleName = Suspicious Desktopimgdownldr Target File +# Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe 
or wscript.exe +# Author: Tim Shelton +RuleId = 002bdb95-0cf1-46a6-9e08-d38c128a6127 +RuleName = WScript or CScript Dropper - File EventType = File.Create -Tag = suspicious-desktopimgdownldr-target-file +Tag = wscript-or-cscript-dropper-file RiskScore = 75 -Annotation = {"mitre_attack": ["T1105"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\svchost.exe" and File.Path like r"%\\Personalization\\LockScreenImage\\%" and not File.Path like r"%C:\\Windows\\%" and not (File.Path like r"%.jpg%" or File.Path like r"%.jpeg%" or File.Path like r"%.png%") +Annotation = {"mitre_attack": ["T1059.005", "T1059.007"], "author": "Tim Shelton"} +Query = (Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (File.Path like r"C:\\Users\\%" or File.Path like r"C:\\ProgramData%") and (File.Path like r"%.jse" or File.Path like r"%.vbe" or File.Path like r"%.js" or File.Path like r"%.vba" or File.Path like r"%.vbs") GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects various indicators of Microsoft Connection Manager Profile Installer execution -# Author: Nik Seetharaman -RuleId = 7d4cdc5a-0076-40ca-aac8-f7e714570e47 -RuleName = CMSTP Execution Process Creation +# Detects potentially suspicious child processes of "regsvr32.exe". 
+# Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca +RuleName = Potentially Suspicious Child Process Of Regsvr32 EventType = Process.Start -Tag = proc-start-cmstp-execution-process-creation +Tag = proc-start-potentially-suspicious-child-process-of-regsvr32 RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.003"], "author": "Nik Seetharaman"} -Query = Parent.Path like r"%\\cmstp.exe" +Annotation = {"mitre_attack": ["T1218.010"], "author": "elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = Parent.Path like r"%\\regsvr32.exe" and (Process.Path like r"%\\calc.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\explorer.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\nltest.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\werfault.exe" or Process.Path like r"%\\wscript.exe") and not (Process.Path like r"%\\werfault.exe" and Process.CommandLine like r"% -u -p %") GenericProperty1 = Parent.Path 
@@ -5533,4098 +5410,4211 @@ Query = (Process.Path like r"%\\wuauclt.exe" or Process.Name == "wuauclt.exe") a [ThreatDetectionRule platform=Windows] -# Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files. -# Author: Swachchhanda Shrawan Poudel -RuleId = 75d0a94e-6252-448d-a7be-d953dff527bb -RuleName = Remote XSL Execution Via Msxsl.EXE -EventType = Process.Start -Tag = proc-start-remote-xsl-execution-via-msxsl.exe +# Detects Windows executables that write files with suspicious extensions +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = b8fd0e93-ff58-4cbd-8f48-1c114e342e62 +RuleName = Windows Binaries Write Suspicious Extensions +EventType = File.Create +Tag = windows-binaries-write-suspicious-extensions RiskScore = 75 -Annotation = {"mitre_attack": ["T1220"], "author": "Swachchhanda Shrawan Poudel"} -Query = Process.Path like r"%\\msxsl.exe" and Process.CommandLine like r"%http%" +Annotation = {"mitre_attack": ["T1036"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = ((Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\RuntimeBroker.exe" or Process.Path like r"%\\sihost.exe" or Process.Path like r"%\\smss.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\winlogon.exe") and (File.Path like r"%.bat" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.hta" or File.Path like r"%.iso" or File.Path like r"%.ps1" or File.Path like r"%.txt" or File.Path like r"%.vbe" or File.Path like r"%.vbs") or (Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\svchost.exe") and (File.Path like r"%.bat" or File.Path like r"%.hta" or File.Path like r"%.iso" or File.Path like r"%.ps1" or File.Path like r"%.vbe" or File.Path like r"%.vbs")) and not (Process.Path == "C:\\Windows\\System32\\dllhost.exe" and File.Path like 
r"%:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Temp\\\_\_PSScriptPolicyTest\_%" and File.Path like r"%.ps1" or Process.Path == "C:\\Windows\\system32\\svchost.exe" and File.Path like r"%C:\\Windows\\System32\\GroupPolicy\\DataStore\\%" and File.Path like r"%\\sysvol\\%" and File.Path like r"%\\Policies\\%" and File.Path like r"%\\Machine\\Scripts\\Startup\\%" and (File.Path like r"%.ps1" or File.Path like r"%.bat")) +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = fccfb43e-09a7-4bd2-8b37-a5a7df33386d -RuleName = .RDP File Created By Uncommon Application -EventType = File.Create -Tag = .rdp-file-created-by-uncommon-application +# Detects various indicators of Microsoft Connection Manager Profile Installer execution +# Author: Nik Seetharaman +RuleId = b6d235fc-1d38-4b12-adbe-325f06728f37 +RuleName = CMSTP Execution Registry Event +EventType = Reg.Any +Tag = cmstp-execution-registry-event RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path like r"%.rdp" and (Process.Path like r"%\\brave.exe" or Process.Path like r"%\\CCleaner Browser\\Application\\CCleanerBrowser.exe" or Process.Path like r"%\\chromium.exe" or Process.Path like r"%\\firefox.exe" or Process.Path like r"%\\Google\\Chrome\\Application\\chrome.exe" or Process.Path like r"%\\iexplore.exe" or Process.Path like r"%\\microsoftedge.exe" or Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\Opera.exe" or Process.Path like r"%\\Vivaldi.exe" or Process.Path like r"%\\Whale.exe" or Process.Path like r"%\\olk.exe" or Process.Path like r"%\\Outlook.exe" or Process.Path like r"%\\RuntimeBroker.exe" or Process.Path like r"%\\Thunderbird.exe" or Process.Path like r"%\\Discord.exe" or Process.Path like r"%\\Keybase.exe" or Process.Path like 
r"%\\msteams.exe" or Process.Path like r"%\\Slack.exe" or Process.Path like r"%\\teams.exe") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1218.003"], "author": "Nik Seetharaman"} +Query = Reg.TargetObject like r"%\\cmmgr32.exe%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system +# Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap. # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4 -RuleName = PSEXEC Remote Execution File Artefact -EventType = File.Create -Tag = psexec-remote-execution-file-artefact +RuleId = 273a8dd8-3742-4302-bcc7-7df5a80fe425 +RuleName = VMMap Unsigned Dbghelp.DLL Potential Sideloading +EventType = Image.Load +Tag = vmmap-unsigned-dbghelp.dll-potential-sideloading RiskScore = 75 -Annotation = {"mitre_attack": ["T1136.002", "T1543.003", "T1570"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path like r"C:\\Windows\\PSEXEC-%" and File.Path like r"%.key" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Image.Path like r"%C:\\Debuggers\\dbghelp.dll%" and (Process.Path like r"%\\vmmap.exe" or Process.Path like r"%\\vmmap64.exe") and not Image.IsSigned == "true" +GenericProperty1 = Image.Path +GenericProperty2 = Image.IsSigned [ThreatDetectionRule platform=Windows] -# Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name -# Author: Florian Roth (Nextron Systems) -RuleId = 79b06761-465f-4f88-9ef2-150e24d3d737 -RuleName = Potential SysInternals ProcDump Evasion +# Detects the creation of a schtask 
via PowerSploit or Empire Default Configuration. +# Author: Markus Neis, @Karneades +RuleId = 56c217c3-2de2-479b-990f-5c109ba8458f +RuleName = HackTool - Default PowerSploit/Empire Scheduled Task Creation EventType = Process.Start -Tag = proc-start-potential-sysinternals-procdump-evasion +Tag = proc-start-hacktool-default-powersploit/empire-scheduled-task-creation RiskScore = 75 -Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%copy procdump%" or Process.CommandLine like r"%move procdump%" or Process.CommandLine like r"%copy %" and Process.CommandLine like r"%.dmp %" and (Process.CommandLine like r"%2.dmp%" or Process.CommandLine like r"%lsass%" or Process.CommandLine like r"%out.dmp%") or Process.CommandLine like r"%copy lsass.exe\_%" or Process.CommandLine like r"%move lsass.exe\_%" +Annotation = {"mitre_attack": ["T1053.005", "T1059.001"], "author": "Markus Neis, @Karneades"} +Query = (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create%" and Process.CommandLine like r"%powershell.exe -NonI%" and Process.CommandLine like r"%/TN Updater /TR%" and (Process.CommandLine like r"%/SC ONLOGON%" or Process.CommandLine like r"%/SC DAILY /ST%" or Process.CommandLine like r"%/SC ONIDLE%" or Process.CommandLine like r"%/SC HOURLY%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects potentially suspicious child processes of "GoogleUpdate.exe" -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 84b1ecf9-6eff-4004-bafb-bae5c0e251b2 -RuleName = Potentially Suspicious GoogleUpdate Child Process +# Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022. 
+# Author: @sam0x90 +RuleId = 2f9356ae-bf43-41b8-b858-4496d83b2acb +RuleName = ISO File Created Within Temp Folders +EventType = File.Create +Tag = iso-file-created-within-temp-folders +RiskScore = 75 +Annotation = {"mitre_attack": ["T1566.001"], "author": "@sam0x90"} +Query = File.Path like r"%\\AppData\\Local\\Temp\\%" and File.Path like r"%.zip\\%" and File.Path like r"%.iso" or File.Path like r"%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\%" and File.Path like r"%.iso" +GenericProperty1 = File.Path + + +[ThreatDetectionRule platform=Windows] +# Detects suspicious mshta process execution patterns +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = e32f92d1-523e-49c3-9374-bdb13b46a3ba +RuleName = Suspicious Mshta.EXE Execution Patterns EventType = Process.Start -Tag = proc-start-potentially-suspicious-googleupdate-child-process +Tag = proc-start-suspicious-mshta.exe-execution-patterns RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Parent.Path like r"%\\GoogleUpdate.exe" and not (Process.Path like r"%\\Google%" or Process.Path like r"%\\setup.exe" or Process.Path like r"%chrome\_updater.exe" or Process.Path like r"%chrome\_installer.exe" or isnull(Process.Path)) +Annotation = {"mitre_attack": ["T1106"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\mshta.exe" or Process.Name == "MSHTA.EXE") and (Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\regsvr32.exe" or Parent.Path like r"%\\rundll32.exe" or Parent.Path like r"%\\wscript.exe") and (Process.CommandLine like r"%\\AppData\\Local\\%" or Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\Users\\Public\\%" or Process.CommandLine like r"%C:\\Windows\\Temp\\%") or (Process.Path like 
r"%\\mshta.exe" or Process.Name == "MSHTA.EXE") and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.CommandLine like r"%.htm%" or Process.CommandLine like r"%.hta%" or Process.CommandLine like r"%mshta.exe" or Process.CommandLine like r"%mshta") GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects usage of bitsadmin downloading a file using an URL that contains an IP -# Author: Florian Roth (Nextron Systems) -RuleId = 99c840f2-2012-46fd-9141-c761987550ef -RuleName = Suspicious Download From Direct IP Via Bitsadmin +# It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space. +# Author: David Burkett, @signalblur +RuleId = 16c37b52-b141-42a5-a3ea-bbe098444397 +RuleName = Suspect Svchost Activity EventType = Process.Start -Tag = proc-start-suspicious-download-from-direct-ip-via-bitsadmin +Tag = proc-start-suspect-svchost-activity RiskScore = 75 -Annotation = {"mitre_attack": ["T1197", "T1036.003"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\bitsadmin.exe" or Process.Name == "bitsadmin.exe") and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%://1%" or Process.CommandLine like r"%://2%" or Process.CommandLine like r"%://3%" or Process.CommandLine like r"%://4%" or Process.CommandLine like r"%://5%" or Process.CommandLine like r"%://6%" or Process.CommandLine like r"%://7%" or Process.CommandLine like r"%://8%" or Process.CommandLine like r"%://9%") and not Process.CommandLine like r"%://7-%" +Annotation = {"mitre_attack": ["T1055"], "author": "David Burkett, @signalblur"} +Query = Process.CommandLine like r"%svchost.exe" and Process.Path like r"%\\svchost.exe" and not (Parent.Path like 
r"%\\rpcnet.exe" or Parent.Path like r"%\\rpcnetp.exe" or isnull(Process.CommandLine)) +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708) -# Author: Florian Roth (Nextron Systems) -RuleId = 1012f107-b8f1-4271-af30-5aed2de89b39 -RuleName = Terminal Service Process Spawn -EventType = Process.Start -Tag = proc-start-terminal-service-process-spawn +# Detects Azure Hybrid Connection Manager services querying the Azure service bus service +# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = 7bd3902d-8b8b-4dd4-838a-c6862d40150d +RuleName = DNS HybridConnectionManager Service Bus +EventType = Dns.Query +Tag = dns-hybridconnectionmanager-service-bus RiskScore = 75 -Annotation = {"mitre_attack": ["T1190", "T1210"], "author": "Florian Roth (Nextron Systems)"} -Query = Parent.CommandLine like r"%\\svchost.exe%" and Parent.CommandLine like r"%termsvcs%" and not (Process.Path like r"%\\rdpclip.exe" or Process.Path like r"%:\\Windows\\System32\\csrss.exe" or Process.Path like r"%:\\Windows\\System32\\wininit.exe" or Process.Path like r"%:\\Windows\\System32\\winlogon.exe" or isnull(Process.Path)) -GenericProperty1 = Parent.CommandLine +Annotation = {"mitre_attack": ["T1554"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = Dns.QueryRequest like r"%servicebus.windows.net%" and Process.Path like r"%HybridConnectionManager%" +GenericProperty1 = Dns.QueryRequest [ThreatDetectionRule platform=Windows] -# Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options. 
-# Author: Luca Di Bartolomeo (CrimpSec) -RuleId = 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d -RuleName = HackTool - SharpMove Tool Execution -EventType = Process.Start -Tag = proc-start-hacktool-sharpmove-tool-execution +# Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) +# Author: Christian Burkard (Nextron Systems) +RuleId = 5f9db380-ea57-4d1e-beab-8a2d33397e93 +RuleName = UAC Bypass Using Windows Media Player - Registry +EventType = Reg.Any +Tag = uac-bypass-using-windows-media-player-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1021.002"], "author": "Luca Di Bartolomeo (CrimpSec)"} -Query = Process.Path like r"%\\SharpMove.exe" or Process.Name == "SharpMove.exe" or Process.CommandLine like r"%computername=%" and (Process.CommandLine like r"%action=create%" or Process.CommandLine like r"%action=dcom%" or Process.CommandLine like r"%action=executevbs%" or Process.CommandLine like r"%action=hijackdcom%" or Process.CommandLine like r"%action=modschtask%" or Process.CommandLine like r"%action=modsvc%" or Process.CommandLine like r"%action=query%" or Process.CommandLine like r"%action=scm%" or Process.CommandLine like r"%action=startservice%" or Process.CommandLine like r"%action=taskscheduler%") +Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe" and Reg.Value.Data == "Binary Data" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files -# Author: Sreeman, Florian Roth (Nextron Systems) -RuleId = 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e -RuleName = File Download with Headless Browser +# Detects the execution of a 
Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data). +# Author: X__Junior (Nextron Systems) +RuleId = 1c526788-0abe-4713-862f-b520da5e5316 +RuleName = Chromium Browser Headless Execution To Mockbin Like Site EventType = Process.Start -Tag = proc-start-file-download-with-headless-browser +Tag = proc-start-chromium-browser-headless-execution-to-mockbin-like-site RiskScore = 75 -Annotation = {"mitre_attack": ["T1105"], "author": "Sreeman, Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\brave.exe" or Process.Path like r"%\\chrome.exe" or Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\opera.exe" or Process.Path like r"%\\vivaldi.exe") and Process.CommandLine like r"%--headless%" and Process.CommandLine like r"%dump-dom%" and Process.CommandLine like r"%http%" +Annotation = {"author": "X__Junior (Nextron Systems)"} +Query = (Process.Path like r"%\\brave.exe" or Process.Path like r"%\\chrome.exe" or Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\opera.exe" or Process.Path like r"%\\vivaldi.exe") and Process.CommandLine like r"%--headless%" and (Process.CommandLine like r"%://run.mocky%" or Process.CommandLine like r"%://mockbin%") [ThreatDetectionRule platform=Windows] -# Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location -# Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on -# Instead they modify the task after creation to include their malicious payload -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b -RuleName = Suspicious Modification Of Scheduled Tasks +# Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. 
+# Author: Florian Roth (Nextron Systems) +RuleId = 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 +RuleName = Potentially Suspicious Regsvr32 HTTP IP Pattern EventType = Process.Start -Tag = proc-start-suspicious-modification-of-scheduled-tasks +Tag = proc-start-potentially-suspicious-regsvr32-http-ip-pattern RiskScore = 75 -Annotation = {"mitre_attack": ["T1053.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /Change %" and Process.CommandLine like r"% /TN %" and (Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\AppData\\Roaming\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\WINDOWS\\Temp\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\Perflogs\\%" or Process.CommandLine like r"%\%ProgramData\%%" or Process.CommandLine like r"%\%appdata\%%" or Process.CommandLine like r"%\%comspec\%%" or Process.CommandLine like r"%\%localappdata\%%") and (Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd /k %" or Process.CommandLine like r"%cmd /r %" or Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd.exe /r %" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%certutil%" or Process.CommandLine like r"%bitsadmin%" or Process.CommandLine like r"%bash.exe%" or Process.CommandLine like r"%bash %" or Process.CommandLine like r"%scrcons%" or Process.CommandLine like r"%wmic %" or Process.CommandLine like r"%wmic.exe%" or 
Process.CommandLine like r"%forfiles%" or Process.CommandLine like r"%scriptrunner%" or Process.CommandLine like r"%hh.exe%" or Process.CommandLine like r"%hh %") +Annotation = {"mitre_attack": ["T1218.010"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\regsvr32.exe" or Process.Name == "REGSVR32.EXE") and (Process.CommandLine like r"% /i:http://1%" or Process.CommandLine like r"% /i:http://2%" or Process.CommandLine like r"% /i:http://3%" or Process.CommandLine like r"% /i:http://4%" or Process.CommandLine like r"% /i:http://5%" or Process.CommandLine like r"% /i:http://6%" or Process.CommandLine like r"% /i:http://7%" or Process.CommandLine like r"% /i:http://8%" or Process.CommandLine like r"% /i:http://9%" or Process.CommandLine like r"% /i:https://1%" or Process.CommandLine like r"% /i:https://2%" or Process.CommandLine like r"% /i:https://3%" or Process.CommandLine like r"% /i:https://4%" or Process.CommandLine like r"% /i:https://5%" or Process.CommandLine like r"% /i:https://6%" or Process.CommandLine like r"% /i:https://7%" or Process.CommandLine like r"% /i:https://8%" or Process.CommandLine like r"% /i:https://9%" or Process.CommandLine like r"% -i:http://1%" or Process.CommandLine like r"% -i:http://2%" or Process.CommandLine like r"% -i:http://3%" or Process.CommandLine like r"% -i:http://4%" or Process.CommandLine like r"% -i:http://5%" or Process.CommandLine like r"% -i:http://6%" or Process.CommandLine like r"% -i:http://7%" or Process.CommandLine like r"% -i:http://8%" or Process.CommandLine like r"% -i:http://9%" or Process.CommandLine like r"% -i:https://1%" or Process.CommandLine like r"% -i:https://2%" or Process.CommandLine like r"% -i:https://3%" or Process.CommandLine like r"% -i:https://4%" or Process.CommandLine like r"% -i:https://5%" or Process.CommandLine like r"% -i:https://6%" or Process.CommandLine like r"% -i:https://7%" or Process.CommandLine like r"% -i:https://8%" or Process.CommandLine like r"% 
-i:https://9%") [ThreatDetectionRule platform=Windows] -# load malicious registered COM objects -# Author: frack113 -RuleId = f1edd233-30b5-4823-9e6a-c4171b24d316 -RuleName = Rundll32 Registered COM Objects +# Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation +# Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) +RuleId = 8202070f-edeb-4d31-a010-a26c72ac5600 +RuleName = Suspicious Process By Web Server Process EventType = Process.Start -Tag = proc-start-rundll32-registered-com-objects +Tag = proc-start-suspicious-process-by-web-server-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.015"], "author": "frack113"} -Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and (Process.CommandLine like r"%-sta %" or Process.CommandLine like r"%-localserver %") and Process.CommandLine like r"%{%" and Process.CommandLine like r"%}%" +Annotation = {"mitre_attack": ["T1505.003", "T1190"], "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\php.exe" or Parent.Path like r"%\\tomcat.exe" or Parent.Path like r"%\\UMWorkerProcess.exe" or Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\ws\_TomcatService.exe" or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%") or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.CommandLine like r"%CATALINA\_HOME%" or Parent.CommandLine like r"%catalina.home%" or Parent.CommandLine like r"%catalina.jar%")) and (Process.Path like 
r"%\\arp.exe" or Process.Path like r"%\\at.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\dsget.exe" or Process.Path like r"%\\hostname.exe" or Process.Path like r"%\\nbtstat.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\netdom.exe" or Process.Path like r"%\\netsh.exe" or Process.Path like r"%\\nltest.exe" or Process.Path like r"%\\ntdsutil.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\qprocess.exe" or Process.Path like r"%\\query.exe" or Process.Path like r"%\\qwinsta.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\sc.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\wusa.exe") and not (Parent.Path like r"%\\java.exe" and Process.CommandLine like r"%Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt" or Parent.Path like r"%\\java.exe" and Process.CommandLine like r"%sc query%" and Process.CommandLine like r"%ADManager Plus%") +GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4 -RuleName = Potentially Suspicious ODBC Driver Registered -EventType = Reg.Any -Tag = potentially-suspicious-odbc-driver-registered +# Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag +# Author: frack113, 
Florian Roth +RuleId = 4f73421b-5a0b-4bbf-a892-5a7fb99bea66 +RuleName = Mavinject Inject DLL Into Running Process +EventType = Process.Start +Tag = proc-start-mavinject-inject-dll-into-running-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\ODBC\\ODBCINST.INI\\%" and (Reg.TargetObject like r"%\\Driver" or Reg.TargetObject like r"%\\Setup") and (Reg.Value.Data like r"%:\\PerfLogs\\%" or Reg.Value.Data like r"%:\\ProgramData\\%" or Reg.Value.Data like r"%:\\Temp\\%" or Reg.Value.Data like r"%:\\Users\\Public\\%" or Reg.Value.Data like r"%:\\Windows\\Registration\\CRMLog%" or Reg.Value.Data like r"%:\\Windows\\System32\\com\\dmp\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\FxsTmp\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\spool\\drivers\\color\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\spool\\PRINTERS\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\spool\\SERVERS\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\Tasks\_Migrated\\%" or Reg.Value.Data like r"%:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Reg.Value.Data like r"%:\\Windows\\SysWOW64\\com\\dmp\\%" or Reg.Value.Data like r"%:\\Windows\\SysWOW64\\FxsTmp\\%" or Reg.Value.Data like r"%:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\%" or Reg.Value.Data like r"%:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Reg.Value.Data like r"%:\\Windows\\Tasks\\%" or Reg.Value.Data like r"%:\\Windows\\Temp\\%" or Reg.Value.Data like r"%:\\Windows\\Tracing\\%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Roaming\\%") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1055.001", "T1218.013"], "author": "frack113, Florian 
Roth"} +Query = Process.CommandLine like r"% /INJECTRUNNING %" and not Parent.Path == "C:\\Windows\\System32\\AppVClient.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc. -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 -RuleName = Suspicious Process Created Via Wmic.EXE +# Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys +# Author: frack113, Nasreddine Bencherchali (Nextron Systems) +RuleId = b7e2a8d4-74bb-4b78-adc9-3f92af2d4829 +RuleName = Reg Add Suspicious Paths EventType = Process.Start -Tag = proc-start-suspicious-process-created-via-wmic.exe +Tag = proc-start-reg-add-suspicious-paths RiskScore = 75 -Annotation = {"mitre_attack": ["T1047"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%process %" and Process.CommandLine like r"%call %" and Process.CommandLine like r"%create %" and (Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%bitsadmin%" or Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd.exe /r %" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd /k %" or Process.CommandLine like r"%cmd /r %" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%pwsh%" or Process.CommandLine like r"%certutil%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Local\\%" or Process.CommandLine like r"%\%temp\%%" or Process.CommandLine like 
r"%\%tmp\%%" or Process.CommandLine like r"%\%ProgramData\%%" or Process.CommandLine like r"%\%appdata\%%" or Process.CommandLine like r"%\%comspec\%%" or Process.CommandLine like r"%\%localappdata\%%") +Annotation = {"mitre_attack": ["T1112", "T1562.001"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and (Process.CommandLine like r"%\\AppDataLow\\Software\\Microsoft\\%" or Process.CommandLine like r"%\\Policies\\Microsoft\\Windows\\OOBE%" or Process.CommandLine like r"%\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon%" or Process.CommandLine like r"%\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon%" or Process.CommandLine like r"%\\CurrentControlSet\\Control\\SecurityProviders\\WDigest%" or Process.CommandLine like r"%\\Microsoft\\Windows Defender\\%") [ThreatDetectionRule platform=Windows] -# Detects the installation of a new shim database where the file is located in a non-default location -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 6b6976a3-b0e6-4723-ac24-ae38a737af41 -RuleName = Potential Persistence Via Shim Database In Uncommon Location -EventType = Reg.Any -Tag = potential-persistence-via-shim-database-in-uncommon-location +# Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords +# Author: Tim Rauch, Janantha Marasinghe, Elastic (original idea) +RuleId = 2d3cdeec-c0db-45b4-aa86-082f7eb75701 +RuleName = Microsoft IIS Service Account Password Dumped +EventType = Process.Start +Tag = proc-start-microsoft-iis-service-account-password-dumped RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.011"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\%" and Reg.TargetObject like r"%\\DatabasePath%" and not Reg.Value.Data like r"%:\\Windows\\AppPatch\\Custom%" -Hive 
= HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1003"], "author": "Tim Rauch, Janantha Marasinghe, Elastic (original idea)"} +Query = (Process.Path like r"%\\appcmd.exe" or Process.Name == "appcmd.exe") and Process.CommandLine like r"%list %" and (Process.CommandLine like r"% /config%" or Process.CommandLine like r"% /xml%" or Process.CommandLine like r"% -config%" or Process.CommandLine like r"% -xml%" or (Process.CommandLine like r"% /@t%" or Process.CommandLine like r"% /text%" or Process.CommandLine like r"% /show%" or Process.CommandLine like r"% -@t%" or Process.CommandLine like r"% -text%" or Process.CommandLine like r"% -show%") and (Process.CommandLine like r"%:*%" or Process.CommandLine like r"%password%")) [ThreatDetectionRule platform=Windows] -# Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs -# Author: Florian Roth (Nextron Systems) -RuleId = 49329257-089d-46e6-af37-4afce4290685 -RuleName = HackTool - SharpEvtMute DLL Load -EventType = Image.Load -Tag = hacktool-sharpevtmute-dll-load +# Detects DNS queries to an ".onion" address related to Tor routing networks +# Author: frack113 +RuleId = b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 +RuleName = DNS Query Tor .Onion Address - Sysmon +EventType = Dns.Query +Tag = dns-query-tor-.onion-address-sysmon RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.002"], "author": "Florian Roth (Nextron Systems)"} -Query = Image.Hashes like r"%IMPHASH=330768A4F172E10ACB6287B87289D83B%" -GenericProperty1 = Image.Hashes +Annotation = {"mitre_attack": ["T1090.003"], "author": "frack113"} +Query = Dns.QueryRequest like r"%.onion%" +GenericProperty1 = Dns.QueryRequest [ThreatDetectionRule platform=Windows] -# Detects programs on a Windows system that should not write scripts to disk -# Author: frack113, Florian Roth (Nextron Systems) -RuleId = 7d604714-e071-49ff-8726-edeb95a70679 -RuleName = 
Legitimate Application Dropped Script -EventType = File.Create -Tag = legitimate-application-dropped-script +# Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. +# Involved domains are bin.equinox.io for download and *.ngrok.io for connections. +# Author: Florian Roth (Nextron Systems) +RuleId = ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31 +RuleName = PUA - Ngrok Execution +EventType = Process.Start +Tag = proc-start-pua-ngrok-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "frack113, Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\eqnedt32.exe" or Process.Path like r"%\\wordpad.exe" or Process.Path like r"%\\wordview.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\certoc.exe" or Process.Path like r"%\\CertReq.exe" or Process.Path like r"%\\Desktopimgdownldr.exe" or Process.Path like r"%\\esentutl.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\AcroRd32.exe" or Process.Path like r"%\\RdrCEF.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\finger.exe") and (File.Path like r"%.ps1" or File.Path like r"%.bat" or File.Path like r"%.vbs" or File.Path like r"%.scf" or File.Path like r"%.wsf" or File.Path like r"%.wsh") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1572"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"% tcp 139%" or Process.CommandLine like r"% tcp 445%" or Process.CommandLine like r"% tcp 3389%" or Process.CommandLine like r"% tcp 5985%" or Process.CommandLine like r"% tcp 5986%" or Process.CommandLine like r"% start %" and Process.CommandLine like r"%--all%" and Process.CommandLine like r"%--config%" and Process.CommandLine like r"%.yml%" or Process.Path like r"%ngrok.exe" and (Process.CommandLine like r"% tcp %" or Process.CommandLine like r"% http %" or Process.CommandLine like r"% authtoken %") or 
Process.CommandLine like r"%.exe authtoken %" or Process.CommandLine like r"%.exe start --all%" [ThreatDetectionRule platform=Windows] -# Detects tampering with attachment manager settings policies attachments (See reference for more information) +# detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a -RuleName = Potential Attachment Manager Settings Attachments Tamper -EventType = Reg.Any -Tag = potential-attachment-manager-settings-attachments-tamper +RuleId = ee5e119b-1f75-4b34-add8-3be976961e39 +RuleName = Conhost.exe CommandLine Path Traversal +EventType = Process.Start +Tag = proc-start-conhost.exe-commandline-path-traversal RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\%" and (Reg.TargetObject like r"%\\HideZoneInfoOnProperties" and Reg.Value.Data == "DWORD (0x00000001)" or Reg.TargetObject like r"%\\SaveZoneInformation" and Reg.Value.Data == "DWORD (0x00000002)" or Reg.TargetObject like r"%\\ScanWithAntiVirus" and Reg.Value.Data == "DWORD (0x00000001)") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1059.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Parent.CommandLine like r"%conhost%" and Process.CommandLine like r"%/../../%" +GenericProperty1 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects a suspicious process pattern which could be a sign of an exploited Serv-U service -# Author: Florian Roth (Nextron Systems) -RuleId = 58f4ea09-0fc2-4520-ba18-b85c540b0eaf -RuleName = Suspicious Serv-U Process Pattern +# Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious +# 
Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = ea0cdc3e-2239-4f26-a947-4e8f8224e464 +RuleName = Suspicious File Encoded To Base64 Via Certutil.EXE EventType = Process.Start -Tag = proc-start-suspicious-serv-u-process-pattern +Tag = proc-start-suspicious-file-encoded-to-base64-via-certutil.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1555"], "author": "Florian Roth (Nextron Systems)"} -Query = Parent.Path like r"%\\Serv-U.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1027"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\certutil.exe" or Process.Name == "CertUtil.exe") and (Process.CommandLine like r"%-encode%" or Process.CommandLine like r"%/encode%" or Process.CommandLine like r"%–encode%" or Process.CommandLine like r"%—encode%" or Process.CommandLine like r"%―encode%") and (Process.CommandLine like r"%.acl%" or Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.mp3%" or Process.CommandLine like r"%.pdf%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.ppt%" or Process.CommandLine like r"%.tmp%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.xml%") [ThreatDetectionRule platform=Windows] -# Detects a 
suspicious child process of Script Event Consumer (scrcons.exe). -# Author: Sittikorn S -RuleId = f6d1dd2f-b8ce-40ca-bc23-062efb686b34 -RuleName = Script Event Consumer Spawning Process +# Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 811f459f-9231-45d4-959a-0266c6311987 +RuleName = Suspicious Child Process Of BgInfo.EXE EventType = Process.Start -Tag = proc-start-script-event-consumer-spawning-process +Tag = proc-start-suspicious-child-process-of-bginfo.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1047"], "author": "Sittikorn S"} -Query = Parent.Path like r"%\\scrcons.exe" and (Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\msbuild.exe") +Annotation = {"mitre_attack": ["T1059.005", "T1218", "T1202"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Parent.Path like r"%\\bginfo.exe" or Parent.Path like r"%\\bginfo64.exe") and (Process.Path like r"%\\calc.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\AppData\\Local\\%" or Process.Path like r"%\\AppData\\Roaming\\%" or Process.Path like r"%:\\Users\\Public\\%" or Process.Path like r"%:\\Temp\\%" or Process.Path like r"%:\\Windows\\Temp\\%" or Process.Path like r"%:\\PerfLogs\\%") 
GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious process patterns used in NTDS.DIT exfiltration -# Author: Florian Roth (Nextron Systems) -RuleId = 8bc64091-6875-4881-aaf9-7bd25b5dda08 -RuleName = Suspicious Process Patterns NTDS.DIT Exfil +# Detects the execution of a renamed version of the Plink binary +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 1c12727d-02bf-45ff-a9f3-d49806a3cf43 +RuleName = Renamed Plink Execution EventType = Process.Start -Tag = proc-start-suspicious-process-patterns-ntds.dit-exfil +Tag = proc-start-renamed-plink-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.003"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\NTDSDump.exe" or Process.Path like r"%\\NTDSDumpEx.exe" or Process.CommandLine like r"%ntds.dit%" and Process.CommandLine like r"%system.hiv%" or Process.CommandLine like r"%NTDSgrab.ps1%" or Process.CommandLine like r"%ac i ntds%" and Process.CommandLine like r"%create full%" or Process.CommandLine like r"%/c copy %" and Process.CommandLine like r"%\\windows\\ntds\\ntds.dit%" or Process.CommandLine like r"%activate instance ntds%" and Process.CommandLine like r"%create full%" or Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%ntds.dit%" or Process.CommandLine like r"%ntds.dit%" and (Parent.Path like r"%\\apache%" or Parent.Path like r"%\\tomcat%" or Parent.Path like r"%\\AppData\\%" or Parent.Path like r"%\\Temp\\%" or Parent.Path like r"%\\Public\\%" or Parent.Path like r"%\\PerfLogs\\%" or Process.Path like r"%\\apache%" or Process.Path like r"%\\tomcat%" or Process.Path like r"%\\AppData\\%" or Process.Path like r"%\\Temp\\%" or Process.Path like r"%\\Public\\%" or Process.Path like r"%\\PerfLogs\\%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1036"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Name == "Plink" or Process.CommandLine like r"% -l 
forward%" and Process.CommandLine like r"% -P %" and Process.CommandLine like r"% -R %") and not Process.Path like r"%\\plink.exe" [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations -# Author: X__Junior (Nextron Systems) -RuleId = 799a5f48-0ac1-4e0f-9152-71d137d48c2a -RuleName = Abusable DLL Potential Sideloading From Suspicious Location +# Detects cmstp loading "dll" or "ocx" files from suspicious locations +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 75e508f7-932d-4ebc-af77-269237a84ce1 +RuleName = DLL Loaded From Suspicious Location Via Cmspt.EXE EventType = Image.Load -Tag = abusable-dll-potential-sideloading-from-suspicious-location +Tag = dll-loaded-from-suspicious-location-via-cmspt.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "X__Junior (Nextron Systems)"} -Query = (Image.Path like r"%\\coreclr.dll" or Image.Path like r"%\\facesdk.dll" or Image.Path like r"%\\HPCustPartUI.dll" or Image.Path like r"%\\libcef.dll" or Image.Path like r"%\\ZIPDLL.dll") and (Image.Path like r"%:\\Perflogs\\%" or Image.Path like r"%:\\Users\\Public\\%" or Image.Path like r"%\\Temporary Internet%" or Image.Path like r"%\\Windows\\Temp\\%" or Image.Path like r"%:\\Users\\%" and Image.Path like r"%\\Favorites\\%" or Image.Path like r"%:\\Users\\%" and Image.Path like r"%\\Favourites\\%" or Image.Path like r"%:\\Users\\%" and Image.Path like r"%\\Contacts\\%" or Image.Path like r"%:\\Users\\%" and Image.Path like r"%\\Pictures\\%") +Annotation = {"mitre_attack": ["T1218.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\cmstp.exe" and (Image.Path like r"%\\PerfLogs\\%" or Image.Path like r"%\\ProgramData\\%" or Image.Path like r"%\\Users\\%" or Image.Path like r"%\\Windows\\Temp\\%" or Image.Path like r"%C:\\Temp\\%") and (Image.Path like r"%.dll" or Image.Path like r"%.ocx") GenericProperty1 = Image.Path 
[ThreatDetectionRule platform=Windows] -# Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension -# Author: Aedan Russell, frack113, X__Junior (Nextron Systems) -RuleId = 27ba3207-dd30-4812-abbf-5d20c57d474e -RuleName = Suspicious Chromium Browser Instance Executed With Custom Extension -EventType = Process.Start -Tag = proc-start-suspicious-chromium-browser-instance-executed-with-custom-extension +# Detects files dropped by Winnti as described in RedMimicry Winnti playbook +# Author: Alexander Rausch +RuleId = 130c9e58-28ac-4f83-8574-0a4cc913b97e +RuleName = Potential Winnti Dropper Activity +EventType = File.Create +Tag = potential-winnti-dropper-activity RiskScore = 75 -Annotation = {"mitre_attack": ["T1176"], "author": "Aedan Russell, frack113, X__Junior (Nextron Systems)"} -Query = (Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\regsvr32.exe" or Parent.Path like r"%\\rundll32.exe" or Parent.Path like r"%\\wscript.exe") and (Process.Path like r"%\\brave.exe" or Process.Path like r"%\\chrome.exe" or Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\opera.exe" or Process.Path like r"%\\vivaldi.exe") and Process.CommandLine like r"%--load-extension=%" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1027"], "author": "Alexander Rausch"} +Query = File.Path like r"%\\gthread-3.6.dll" or File.Path like r"%\\sigcmm-2.4.dll" or File.Path like r"%\\Windows\\Temp\\tmp.bat" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1 +# Detects commands that temporarily turn off Volume Snapshots # Author: Florian Roth (Nextron Systems) -RuleId = 
7124aebe-4cd7-4ccb-8df0-6d6b93c96795 -RuleName = Suspicious Kernel Dump Using Dtrace +RuleId = dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a +RuleName = Disabled Volume Snapshots EventType = Process.Start -Tag = proc-start-suspicious-kernel-dump-using-dtrace +Tag = proc-start-disabled-volume-snapshots RiskScore = 75 -Annotation = {"mitre_attack": ["T1082"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\dtrace.exe" and Process.CommandLine like r"%lkd(0)%" or Process.CommandLine like r"%syscall:::return%" and Process.CommandLine like r"%lkd(%" +Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%\\Services\\VSS\\Diag%" and Process.CommandLine like r"%/d Disabled%" [ThreatDetectionRule platform=Windows] -# Detects potential arbitrary file download using a Microsoft Office application -# Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community -RuleId = 4ae3e30b-b03f-43aa-87e3-b622f4048eed -RuleName = Potential Arbitrary File Download Using Office Application +# Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 2f869d59-7f6a-4931-992c-cce556ff2d53 +RuleName = Potential Adplus.EXE Abuse EventType = Process.Start -Tag = proc-start-potential-arbitrary-file-download-using-office-application +Tag = proc-start-potential-adplus.exe-abuse RiskScore = 75 -Annotation = {"mitre_attack": ["T1202"], "author": "Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community"} -Query = (Process.Path like r"%\\EXCEL.EXE" or Process.Path like r"%\\POWERPNT.EXE" or Process.Path like r"%\\WINWORD.exe" or Process.Name in ["Excel.exe", "POWERPNT.EXE", "WinWord.exe"]) and (Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%") +Annotation = {"mitre_attack": ["T1003.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\adplus.exe" or Process.Name == "Adplus.exe") and (Process.CommandLine like r"% -hang %" or Process.CommandLine like r"% -pn %" or Process.CommandLine like r"% -pmn %" or Process.CommandLine like r"% -p %" or Process.CommandLine like r"% -po %" or Process.CommandLine like r"% -c %" or Process.CommandLine like r"% -sc %") [ThreatDetectionRule platform=Windows] -# Detect creation of suspicious executable file names. -# Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths. -# Author: frack113 -RuleId = 74babdd6-a758-4549-9632-26535279e654 -RuleName = Suspicious Executable File Creation -EventType = File.Create -Tag = suspicious-executable-file-creation +# Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. 
As seen being used in the POC NtdllPipe +# Author: Florian Roth (Nextron Systems) +RuleId = bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2 +RuleName = NtdllPipe Like Activity Execution +EventType = Process.Start +Tag = proc-start-ntdllpipe-like-activity-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1564"], "author": "frack113"} -Query = File.Path like r"%:\\$Recycle.Bin.exe" or File.Path like r"%:\\Documents and Settings.exe" or File.Path like r"%:\\MSOCache.exe" or File.Path like r"%:\\PerfLogs.exe" or File.Path like r"%:\\Recovery.exe" or File.Path like r"%.bat.exe" or File.Path like r"%.sys.exe" -GenericProperty1 = File.Path +Annotation = {"author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%type \%windir\%\\system32\\ntdll.dll%" or Process.CommandLine like r"%type \%systemroot\%\\system32\\ntdll.dll%" or Process.CommandLine like r"%type c:\\windows\\system32\\ntdll.dll%" or Process.CommandLine like r"%\\ntdll.dll > \\\\.\\pipe\\%" [ThreatDetectionRule platform=Windows] -# Detects PowerShell execution to set the ACL of a file or a folder -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = bdeb2cff-af74-4094-8426-724dc937f20a -RuleName = PowerShell Script Change Permission Via Set-Acl +# Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive) +# Author: Florian Roth (Nextron Systems) +RuleId = e6c54d94-498c-4562-a37c-b469d8e9a275 +RuleName = Suspicious PowerShell Download and Execute Pattern EventType = Process.Start -Tag = proc-start-powershell-script-change-permission-via-set-acl +Tag = proc-start-suspicious-powershell-download-and-execute-pattern RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Name in ["PowerShell.EXE", "pwsh.dll"] or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like 
r"%Set-Acl %" and Process.CommandLine like r"%-AclObject %" and Process.CommandLine like r"%-Path %" +Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%IEX ((New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"%IEX (New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"%IEX((New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"%IEX(New-Object Net.WebClient).DownloadString%" or Process.CommandLine like r"% -command (New-Object System.Net.WebClient).DownloadFile(%" or Process.CommandLine like r"% -c (New-Object System.Net.WebClient).DownloadFile(%" [ThreatDetectionRule platform=Windows] -# Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features -# Author: Florian Roth (Nextron Systems) -RuleId = fb50eb7a-5ab1-43ae-bcc9-091818cb8424 -RuleName = Disabled IE Security Features +# Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process. +# Author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems) +RuleId = ffa6861c-4461-4f59-8a41-578c39f3f23e +RuleName = LSASS Dump Keyword In CommandLine EventType = Process.Start -Tag = proc-start-disabled-ie-security-features +Tag = proc-start-lsass-dump-keyword-in-commandline RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"% -name IEHarden %" and Process.CommandLine like r"% -value 0 %" or Process.CommandLine like r"% -name DEPOff %" and Process.CommandLine like r"% -value 1 %" or Process.CommandLine like r"% -name DisableFirstRunCustomize %" and Process.CommandLine like r"% -value 2 %" +Annotation = {"mitre_attack": ["T1003.001"], "author": "E.M. 
Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%lsass.dmp%" or Process.CommandLine like r"%lsass.zip%" or Process.CommandLine like r"%lsass.rar%" or Process.CommandLine like r"%Andrew.dmp%" or Process.CommandLine like r"%Coredump.dmp%" or Process.CommandLine like r"%NotLSASS.zip%" or Process.CommandLine like r"%lsass\_2%" or Process.CommandLine like r"%lsassdump%" or Process.CommandLine like r"%lsassdmp%" or Process.CommandLine like r"%lsass%" and Process.CommandLine like r"%.dmp%" or Process.CommandLine like r"%SQLDmpr%" and Process.CommandLine like r"%.mdmp%" or Process.CommandLine like r"%nanodump%" and Process.CommandLine like r"%.dmp%" [ThreatDetectionRule platform=Windows] -# Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 07e3cb2c-0608-410d-be4b-1511cb1a0448 -RuleName = Tamper Windows Defender Remove-MpPreference +# Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt. 
+# Author: frack113 +RuleId = 91a2c315-9ee6-4052-a853-6f6a8238f90d +RuleName = Findstr GPP Passwords EventType = Process.Start -Tag = proc-start-tamper-windows-defender-remove-mppreference +Tag = proc-start-findstr-gpp-passwords RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%Remove-MpPreference%" and (Process.CommandLine like r"%-ControlledFolderAccessProtectedFolders %" or Process.CommandLine like r"%-AttackSurfaceReductionRules\_Ids %" or Process.CommandLine like r"%-AttackSurfaceReductionRules\_Actions %" or Process.CommandLine like r"%-CheckForSignaturesBeforeRunningScan %") +Annotation = {"mitre_attack": ["T1552.006"], "author": "frack113"} +Query = (Process.Path like r"%\\find.exe" or Process.Path like r"%\\findstr.exe" or Process.Name in ["FIND.EXE", "FINDSTR.EXE"]) and Process.CommandLine like r"%cpassword%" and Process.CommandLine like r"%\\sysvol\\%" and Process.CommandLine like r"%.xml%" [ThreatDetectionRule platform=Windows] -# Detects the execution of CSharp interactive console by PowerShell -# Author: Michael R. (@nahamike01) -RuleId = a9e416a8-e613-4f8b-88b8-a7d1d1af2f61 -RuleName = Suspicious Use of CSharp Interactive Console +# Detects the execution of malicious OneNote documents that contain embedded scripts. +# When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories. +# Author: @kostastsale +RuleId = 84b1706c-932a-44c4-ae28-892b28a25b94 +RuleName = OneNote.EXE Execution of Malicious Embedded Scripts EventType = Process.Start -Tag = proc-start-suspicious-use-of-csharp-interactive-console +Tag = proc-start-onenote.exe-execution-of-malicious-embedded-scripts RiskScore = 75 -Annotation = {"mitre_attack": ["T1127"], "author": "Michael R. 
(@nahamike01)"} -Query = Process.Path like r"%\\csi.exe" and (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\powershell\_ise.exe") and Process.Name == "csi.exe" +Annotation = {"mitre_attack": ["T1218.001"], "author": "@kostastsale"} +Query = Parent.Path like r"%\\onenote.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe") and (Process.CommandLine like r"%\\exported\\%" or Process.CommandLine like r"%\\onenoteofflinecache\_files\\%") GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the modification of the registry to disable a system restore on the computer -# Author: frack113 -RuleId = 5de03871-5d46-4539-a82d-3aa992a69a83 -RuleName = Registry Disable System Restore +# Sysmon registry detection of a local hidden user account. 
+# Author: Christian Burkard (Nextron Systems) +RuleId = 460479f3-80b7-42da-9c43-2cc1d54dbccd +RuleName = Creation of a Local Hidden User Account by Registry EventType = Reg.Any -Tag = registry-disable-system-restore +Tag = creation-of-a-local-hidden-user-account-by-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1490"], "author": "frack113"} -Query = (Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows NT\\SystemRestore%" or Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore%") and (Reg.TargetObject like r"%DisableConfig" or Reg.TargetObject like r"%DisableSR") and Reg.Value.Data == "DWORD (0x00000001)" +Annotation = {"mitre_attack": ["T1136.001"], "author": "Christian Burkard (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SAM\\SAM\\Domains\\Account\\Users\\Names\\%" and Reg.TargetObject like r"%$" and Process.Path like r"%\\lsass.exe" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 8834e2f7-6b4b-4f09-8906-d2276470ee23 -RuleName = PsExec/PAExec Escalation to LOCAL SYSTEM -EventType = Process.Start -Tag = proc-start-psexec/paexec-escalation-to-local-system +# Detects potential DLL sideloading of "edputil.dll" +# Author: X__Junior (Nextron Systems) +RuleId = e4903324-1a10-4ed3-981b-f6fe3be3a2c2 +RuleName = Potential Edputil.DLL Sideloading +EventType = Image.Load +Tag = potential-edputil.dll-sideloading RiskScore = 75 -Annotation = {"mitre_attack": ["T1587.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.CommandLine like r"% -s cmd%" or Process.CommandLine like r"% /s cmd%" or Process.CommandLine like r"% –s cmd%" or Process.CommandLine like r"% —s cmd%" or 
Process.CommandLine like r"% ―s cmd%" or Process.CommandLine like r"% -s -i cmd%" or Process.CommandLine like r"% -s /i cmd%" or Process.CommandLine like r"% -s –i cmd%" or Process.CommandLine like r"% -s —i cmd%" or Process.CommandLine like r"% -s ―i cmd%" or Process.CommandLine like r"% /s -i cmd%" or Process.CommandLine like r"% /s /i cmd%" or Process.CommandLine like r"% /s –i cmd%" or Process.CommandLine like r"% /s —i cmd%" or Process.CommandLine like r"% /s ―i cmd%" or Process.CommandLine like r"% –s -i cmd%" or Process.CommandLine like r"% –s /i cmd%" or Process.CommandLine like r"% –s –i cmd%" or Process.CommandLine like r"% –s —i cmd%" or Process.CommandLine like r"% –s ―i cmd%" or Process.CommandLine like r"% —s -i cmd%" or Process.CommandLine like r"% —s /i cmd%" or Process.CommandLine like r"% —s –i cmd%" or Process.CommandLine like r"% —s —i cmd%" or Process.CommandLine like r"% —s ―i cmd%" or Process.CommandLine like r"% ―s -i cmd%" or Process.CommandLine like r"% ―s /i cmd%" or Process.CommandLine like r"% ―s –i cmd%" or Process.CommandLine like r"% ―s —i cmd%" or Process.CommandLine like r"% ―s ―i cmd%" or Process.CommandLine like r"% -i -s cmd%" or Process.CommandLine like r"% -i /s cmd%" or Process.CommandLine like r"% -i –s cmd%" or Process.CommandLine like r"% -i —s cmd%" or Process.CommandLine like r"% -i ―s cmd%" or Process.CommandLine like r"% /i -s cmd%" or Process.CommandLine like r"% /i /s cmd%" or Process.CommandLine like r"% /i –s cmd%" or Process.CommandLine like r"% /i —s cmd%" or Process.CommandLine like r"% /i ―s cmd%" or Process.CommandLine like r"% –i -s cmd%" or Process.CommandLine like r"% –i /s cmd%" or Process.CommandLine like r"% –i –s cmd%" or Process.CommandLine like r"% –i —s cmd%" or Process.CommandLine like r"% –i ―s cmd%" or Process.CommandLine like r"% —i -s cmd%" or Process.CommandLine like r"% —i /s cmd%" or Process.CommandLine like r"% —i –s cmd%" or Process.CommandLine like r"% —i —s cmd%" or Process.CommandLine 
like r"% —i ―s cmd%" or Process.CommandLine like r"% ―i -s cmd%" or Process.CommandLine like r"% ―i /s cmd%" or Process.CommandLine like r"% ―i –s cmd%" or Process.CommandLine like r"% ―i —s cmd%" or Process.CommandLine like r"% ―i ―s cmd%" or Process.CommandLine like r"% -s pwsh%" or Process.CommandLine like r"% /s pwsh%" or Process.CommandLine like r"% –s pwsh%" or Process.CommandLine like r"% —s pwsh%" or Process.CommandLine like r"% ―s pwsh%" or Process.CommandLine like r"% -s -i pwsh%" or Process.CommandLine like r"% -s /i pwsh%" or Process.CommandLine like r"% -s –i pwsh%" or Process.CommandLine like r"% -s —i pwsh%" or Process.CommandLine like r"% -s ―i pwsh%" or Process.CommandLine like r"% /s -i pwsh%" or Process.CommandLine like r"% /s /i pwsh%" or Process.CommandLine like r"% /s –i pwsh%" or Process.CommandLine like r"% /s —i pwsh%" or Process.CommandLine like r"% /s ―i pwsh%" or Process.CommandLine like r"% –s -i pwsh%" or Process.CommandLine like r"% –s /i pwsh%" or Process.CommandLine like r"% –s –i pwsh%" or Process.CommandLine like r"% –s —i pwsh%" or Process.CommandLine like r"% –s ―i pwsh%" or Process.CommandLine like r"% —s -i pwsh%" or Process.CommandLine like r"% —s /i pwsh%" or Process.CommandLine like r"% —s –i pwsh%" or Process.CommandLine like r"% —s —i pwsh%" or Process.CommandLine like r"% —s ―i pwsh%" or Process.CommandLine like r"% ―s -i pwsh%" or Process.CommandLine like r"% ―s /i pwsh%" or Process.CommandLine like r"% ―s –i pwsh%" or Process.CommandLine like r"% ―s —i pwsh%" or Process.CommandLine like r"% ―s ―i pwsh%" or Process.CommandLine like r"% -i -s pwsh%" or Process.CommandLine like r"% -i /s pwsh%" or Process.CommandLine like r"% -i –s pwsh%" or Process.CommandLine like r"% -i —s pwsh%" or Process.CommandLine like r"% -i ―s pwsh%" or Process.CommandLine like r"% /i -s pwsh%" or Process.CommandLine like r"% /i /s pwsh%" or Process.CommandLine like r"% /i –s pwsh%" or Process.CommandLine like r"% /i —s pwsh%" or 
Process.CommandLine like r"% /i ―s pwsh%" or Process.CommandLine like r"% –i -s pwsh%" or Process.CommandLine like r"% –i /s pwsh%" or Process.CommandLine like r"% –i –s pwsh%" or Process.CommandLine like r"% –i —s pwsh%" or Process.CommandLine like r"% –i ―s pwsh%" or Process.CommandLine like r"% —i -s pwsh%" or Process.CommandLine like r"% —i /s pwsh%" or Process.CommandLine like r"% —i –s pwsh%" or Process.CommandLine like r"% —i —s pwsh%" or Process.CommandLine like r"% —i ―s pwsh%" or Process.CommandLine like r"% ―i -s pwsh%" or Process.CommandLine like r"% ―i /s pwsh%" or Process.CommandLine like r"% ―i –s pwsh%" or Process.CommandLine like r"% ―i —s pwsh%" or Process.CommandLine like r"% ―i ―s pwsh%" or Process.CommandLine like r"% -s powershell%" or Process.CommandLine like r"% /s powershell%" or Process.CommandLine like r"% –s powershell%" or Process.CommandLine like r"% —s powershell%" or Process.CommandLine like r"% ―s powershell%" or Process.CommandLine like r"% -s -i powershell%" or Process.CommandLine like r"% -s /i powershell%" or Process.CommandLine like r"% -s –i powershell%" or Process.CommandLine like r"% -s —i powershell%" or Process.CommandLine like r"% -s ―i powershell%" or Process.CommandLine like r"% /s -i powershell%" or Process.CommandLine like r"% /s /i powershell%" or Process.CommandLine like r"% /s –i powershell%" or Process.CommandLine like r"% /s —i powershell%" or Process.CommandLine like r"% /s ―i powershell%" or Process.CommandLine like r"% –s -i powershell%" or Process.CommandLine like r"% –s /i powershell%" or Process.CommandLine like r"% –s –i powershell%" or Process.CommandLine like r"% –s —i powershell%" or Process.CommandLine like r"% –s ―i powershell%" or Process.CommandLine like r"% —s -i powershell%" or Process.CommandLine like r"% —s /i powershell%" or Process.CommandLine like r"% —s –i powershell%" or Process.CommandLine like r"% —s —i powershell%" or Process.CommandLine like r"% —s ―i powershell%" or Process.CommandLine 
like r"% ―s -i powershell%" or Process.CommandLine like r"% ―s /i powershell%" or Process.CommandLine like r"% ―s –i powershell%" or Process.CommandLine like r"% ―s —i powershell%" or Process.CommandLine like r"% ―s ―i powershell%" or Process.CommandLine like r"% -i -s powershell%" or Process.CommandLine like r"% -i /s powershell%" or Process.CommandLine like r"% -i –s powershell%" or Process.CommandLine like r"% -i —s powershell%" or Process.CommandLine like r"% -i ―s powershell%" or Process.CommandLine like r"% /i -s powershell%" or Process.CommandLine like r"% /i /s powershell%" or Process.CommandLine like r"% /i –s powershell%" or Process.CommandLine like r"% /i —s powershell%" or Process.CommandLine like r"% /i ―s powershell%" or Process.CommandLine like r"% –i -s powershell%" or Process.CommandLine like r"% –i /s powershell%" or Process.CommandLine like r"% –i –s powershell%" or Process.CommandLine like r"% –i —s powershell%" or Process.CommandLine like r"% –i ―s powershell%" or Process.CommandLine like r"% —i -s powershell%" or Process.CommandLine like r"% —i /s powershell%" or Process.CommandLine like r"% —i –s powershell%" or Process.CommandLine like r"% —i —s powershell%" or Process.CommandLine like r"% —i ―s powershell%" or Process.CommandLine like r"% ―i -s powershell%" or Process.CommandLine like r"% ―i /s powershell%" or Process.CommandLine like r"% ―i –s powershell%" or Process.CommandLine like r"% ―i —s powershell%" or Process.CommandLine like r"% ―i ―s powershell%") and (Process.CommandLine like r"%psexec%" or Process.CommandLine like r"%paexec%" or Process.CommandLine like r"%accepteula%") +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} +Query = Image.Path like r"%\\edputil.dll" and not (Image.Path like r"C:\\Windows\\System32\\%" or Image.Path like r"C:\\Windows\\SysWOW64\\%" or Image.Path like r"C\\Windows\\WinSxS\\%") +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# 
Detects suspicious Splwow64.exe process without any command line parameters -# Author: Florian Roth (Nextron Systems) -RuleId = 1f1a8509-2cbb-44f5-8751-8e1571518ce2 -RuleName = Suspicious Splwow64 Without Params -EventType = Process.Start -Tag = proc-start-suspicious-splwow64-without-params +# Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. +# Author: iwillkeepwatch +RuleId = eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc +RuleName = Security Support Provider (SSP) Added to LSA Configuration +EventType = Reg.Any +Tag = security-support-provider-(ssp)-added-to-lsa-configuration RiskScore = 75 -Annotation = {"mitre_attack": ["T1202"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\splwow64.exe" and Process.CommandLine like r"%splwow64.exe" +Annotation = {"mitre_attack": ["T1547.005"], "author": "iwillkeepwatch"} +Query = (Reg.TargetObject like r"%\\Control\\Lsa\\Security Packages" or Reg.TargetObject like r"%\\Control\\Lsa\\OSConfig\\Security Packages") and not (Process.Path in ["C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\syswow64\\MsiExec.exe"]) +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 82a6714f-4899-4f16-9c1e-9a333544d4c3 -RuleName = File In Suspicious Location Encoded To Base64 Via Certutil.EXE -EventType = Process.Start -Tag = proc-start-file-in-suspicious-location-encoded-to-base64-via-certutil.exe +# Detects changes to the Windows EventLog channel permission values. 
It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil". +# Author: X__Junior +RuleId = ba226dcf-d390-4642-b9af-b534872f1156 +RuleName = Windows Event Log Access Tampering Via Registry +EventType = Reg.Any +Tag = windows-event-log-access-tampering-via-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1027"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\certutil.exe" or Process.Name == "CertUtil.exe") and (Process.CommandLine like r"%-encode%" or Process.CommandLine like r"%/encode%" or Process.CommandLine like r"%–encode%" or Process.CommandLine like r"%—encode%" or Process.CommandLine like r"%―encode%") and (Process.CommandLine like r"%\\AppData\\Roaming\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Local\\Temp\\%" or Process.CommandLine like r"%\\PerfLogs\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%" or Process.CommandLine like r"%$Recycle.Bin%") +Annotation = {"mitre_attack": ["T1547.001", "T1112"], "author": "X__Junior"} +Query = (Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\%" and Reg.TargetObject like r"%\\CustomSD" or (Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows\\EventLog\\%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels%") and Reg.TargetObject like r"%\\ChannelAccess") and (Reg.Value.Data like r"%D:(D;%" or Reg.Value.Data like r"%D:(%" and Reg.Value.Data like r"%)(D;%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule 
platform=Windows] -# Detects Obfuscated use of Environment Variables to execute PowerShell -# Author: Jonathan Cheong, oscd.community -RuleId = 27aec9c9-dbb0-4939-8422-1742242471d0 -RuleName = Invoke-Obfuscation VAR+ Launcher +# Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory +# Author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) +RuleId = edadb1e5-5919-4e4c-8462-a9e643b02c4b +RuleName = Process Memory Dump via RdrLeakDiag.EXE EventType = Process.Start -Tag = proc-start-invoke-obfuscation-var+-launcher +Tag = proc-start-process-memory-dump-via-rdrleakdiag.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Jonathan Cheong, oscd.community"} -Query = Process.CommandLine regex "cmd.{0,5}(?:/c|/r)(?:\\s|)\\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\\"" +Annotation = {"mitre_attack": ["T1003.001"], "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\rdrleakdiag.exe" or Process.Name == "RdrLeakDiag.exe") and (Process.CommandLine like r"%-memdmp%" or Process.CommandLine like r"%/memdmp%" or Process.CommandLine like r"%–memdmp%" or Process.CommandLine like r"%—memdmp%" or Process.CommandLine like r"%―memdmp%" or Process.CommandLine like r"%fullmemdmp%") and (Process.CommandLine like r"% -o %" or Process.CommandLine like r"% /o %" or Process.CommandLine like r"% –o %" or Process.CommandLine like r"% —o %" or Process.CommandLine like r"% ―o %" or Process.CommandLine like r"% -p %" or Process.CommandLine like r"% /p %" or Process.CommandLine like r"% –p %" or Process.CommandLine like r"% —p %" or Process.CommandLine like r"% ―p %") [ThreatDetectionRule platform=Windows] -# Detects the malicious use of a control panel item -# Author: Kyaw Min Thein, Furkan 
Caliskan (@caliskanfurkan_) -RuleId = 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4 -RuleName = Control Panel Items -EventType = Process.Start -Tag = proc-start-control-panel-items +# Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer) +# Author: X__Junior (Nextron Systems) +RuleId = 4c21b805-4dd7-469f-b47d-7383a8fcb437 +RuleName = Potential Iviewers.DLL Sideloading +EventType = Image.Load +Tag = potential-iviewers.dll-sideloading RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.002", "T1546"], "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)"} -Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"%add%" and Process.CommandLine like r"%CurrentVersion\\Control Panel\\CPLs%" or Process.CommandLine like r"%.cpl" and not (Process.CommandLine like r"%\\System32\\%" or Process.CommandLine like r"%\%System\%%" or Process.CommandLine like r"%|C:\\Windows\\system32|%" or Process.CommandLine like r"%regsvr32 %" and Process.CommandLine like r"% /s %" and Process.CommandLine like r"%igfxCPL.cpl%") +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} +Query = Image.Path like r"%\\iviewers.dll" and not (Image.Path like r"C:\\Program Files (x86)\\Windows Kits\\%" or Image.Path like r"C:\\Program Files\\Windows Kits\\%") +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users. +# Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files. 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 220457c1-1c9f-4c2e-afe6-9598926222c1 -RuleName = Delete All Scheduled Tasks +RuleId = 44143844-0631-49ab-97a0-96387d6b2d7c +RuleName = File Download Using Notepad++ GUP Utility EventType = Process.Start -Tag = proc-start-delete-all-scheduled-tasks +Tag = proc-start-file-download-using-notepad++-gup-utility RiskScore = 75 -Annotation = {"mitre_attack": ["T1489"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /delete %" and Process.CommandLine like r"%/tn *%" and Process.CommandLine like r"% /f%" +Annotation = {"mitre_attack": ["T1105"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\GUP.exe" or Process.Name == "gup.exe") and Process.CommandLine like r"% -unzipTo %" and Process.CommandLine like r"%http%" and not Parent.Path like r"%\\notepad++.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects a phishing attack which expands a ZIP file containing a malicious shortcut. -# If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. -# Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation. -# Author: Greg (rule) -RuleId = a6976974-ea6f-4e97-818e-ea08625c52cb -RuleName = Potential RipZip Attack on Startup Folder -EventType = File.Create -Tag = potential-ripzip-attack-on-startup-folder +# Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. 
+# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = ac8866c7-ce44-46fd-8c17-b24acff96ca8 +RuleName = HybridConnectionManager Service Installation - Registry +EventType = Reg.Any +Tag = hybridconnectionmanager-service-installation-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1547"], "author": "Greg (rule)"} -Query = File.Path like r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup%" and File.Path like r"%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%" and Process.Path like r"%\\explorer.exe" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1608"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = Reg.TargetObject like r"%\\Services\\HybridConnectionManager%" or Reg.EventType == "SetValue" and Reg.Value.Data like r"%Microsoft.HybridConnectionManager.Listener.exe%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data +GenericProperty3 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) -# Author: Christian Burkard (Nextron Systems) -RuleId = 62ed5b55-f991-406a-85d9-e8e8fdf18789 -RuleName = UAC Bypass Using Consent and Comctl32 - File -EventType = File.Create -Tag = uac-bypass-using-consent-and-comctl32-file +# Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process) +# Author: Max Altgelt (Nextron Systems) +RuleId = 71158e3f-df67-472b-930e-7d287acaa3e1 +RuleName = Execution Of Non-Existing File +EventType = Process.Start +Tag = proc-start-execution-of-non-existing-file RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} -Query = File.Path like r"C:\\Windows\\System32\\consent.exe.@%" and File.Path like r"%\\comctl32.dll" -GenericProperty1 = File.Path +Annotation = {"author": "Max Altgelt 
(Nextron Systems)"} +Query = not Process.Path like r"%\\%" and not (isnull(Process.Path) or Process.Path in ["-", ""] or Process.Path in ["System", "Registry", "MemCompression", "vmmem"] or Process.CommandLine in ["Registry", "MemCompression", "vmmem"]) [ThreatDetectionRule platform=Windows] -# Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. -# Author: Bhabesh Raj -RuleId = 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 -RuleName = Potential Mpclient.DLL Sideloading Via Defender Binaries -EventType = Process.Start -Tag = proc-start-potential-mpclient.dll-sideloading-via-defender-binaries +# Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint. +# Author: SecurityAura +RuleId = 6e2a900a-ced9-4e4a-a9c2-13e706f9518a +RuleName = HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump +EventType = File.Create +Tag = hacktool-potential-remote-credential-dumping-activity-via-crackmapexec-or-impacket-secretsdump RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002"], "author": "Bhabesh Raj"} -Query = (Process.Path like r"%\\MpCmdRun.exe" or Process.Path like r"%\\NisSrv.exe") and not (Process.Path like r"C:\\Program Files (x86)\\Windows Defender\\%" or Process.Path like r"C:\\Program Files\\Microsoft Security Client\\%" or Process.Path like r"C:\\Program Files\\Windows Defender\\%" or Process.Path like r"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%") +Annotation = {"mitre_attack": ["T1003"], "author": "SecurityAura"} +Query = Process.Path like r"%\\svchost.exe" and File.Path regex "\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the import of a alternate datastream to the registry with regedit.exe. 
-# Author: Oddvar Moe, Sander Wiebing, oscd.community -RuleId = 0b80ade5-6997-4b1d-99a1-71701778ea61 -RuleName = Imports Registry Key From an ADS -EventType = Process.Start -Tag = proc-start-imports-registry-key-from-an-ads +# Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys +# Author: Karneades, Jonhnathan Ribeiro, Florian Roth +RuleId = 36803969-5421-41ec-b92f-8500f79c23b0 +RuleName = Potential Persistence Via GlobalFlags +EventType = Reg.Any +Tag = potential-persistence-via-globalflags RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Oddvar Moe, Sander Wiebing, oscd.community"} -Query = (Process.Path like r"%\\regedit.exe" or Process.Name == "REGEDIT.EXE") and (Process.CommandLine like r"% /i %" or Process.CommandLine like r"%.reg%") and Process.CommandLine regex ":[^ \\\\]" and not (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% /e %" or Process.CommandLine like r"% –e %" or Process.CommandLine like r"% —e %" or Process.CommandLine like r"% ―e %" or Process.CommandLine like r"% -a %" or Process.CommandLine like r"% /a %" or Process.CommandLine like r"% –a %" or Process.CommandLine like r"% —a %" or Process.CommandLine like r"% ―a %" or Process.CommandLine like r"% -c %" or Process.CommandLine like r"% /c %" or Process.CommandLine like r"% –c %" or Process.CommandLine like r"% —c %" or Process.CommandLine like r"% ―c %") +Annotation = {"mitre_attack": ["T1546.012"], "author": "Karneades, Jonhnathan Ribeiro, Florian Roth"} +Query = Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\%" and Reg.TargetObject like r"%\\Image File Execution Options\\%" and Reg.TargetObject like r"%\\GlobalFlag%" or Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\%" and Reg.TargetObject like r"%\\SilentProcessExit\\%" and (Reg.TargetObject like r"%\\ReportingMode%" or Reg.TargetObject like r"%\\MonitorProcess%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject 
[ThreatDetectionRule platform=Windows] -# Detects the execution of a renamed "cloudflared" binary. +# Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = e0c69ebd-b54f-4aed-8ae3-e3467843f3f0 -RuleName = Renamed Cloudflared.EXE Execution -EventType = Process.Start -Tag = proc-start-renamed-cloudflared.exe-execution +RuleId = a55349d8-9588-4c5a-8e3b-1925fe2a4ffe +RuleName = Exchange PowerShell Cmdlet History Deleted +EventType = File.Delete +Tag = exchange-powershell-cmdlet-history-deleted RiskScore = 75 -Annotation = {"mitre_attack": ["T1090.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.CommandLine like r"% tunnel %" and Process.CommandLine like r"%cleanup %" and (Process.CommandLine like r"%-config %" or Process.CommandLine like r"%-connector-id %") or Process.CommandLine like r"% tunnel %" and Process.CommandLine like r"% run %" and (Process.CommandLine like r"%-config %" or Process.CommandLine like r"%-credentials-contents %" or Process.CommandLine like r"%-credentials-file %" or Process.CommandLine like r"%-token %") or Process.CommandLine like r"%-url%" and Process.CommandLine like r"%tunnel%" or Process.Hashes like r"%SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29%" or Process.Hashes like r"%SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8%" or Process.Hashes like r"%SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039%" or Process.Hashes like r"%SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28%" or Process.Hashes like r"%SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7%" or Process.Hashes like r"%SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373%" or Process.Hashes like r"%SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670%" or 
Process.Hashes like r"%SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a%" or Process.Hashes like r"%SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0%" or Process.Hashes like r"%SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1%" or Process.Hashes like r"%SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2%" or Process.Hashes like r"%SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac%" or Process.Hashes like r"%SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f%" or Process.Hashes like r"%SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d%" or Process.Hashes like r"%SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499%" or Process.Hashes like r"%SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b%" or Process.Hashes like r"%SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f%" or Process.Hashes like r"%SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032%" or Process.Hashes like r"%SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234%" or Process.Hashes like r"%SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f%" or Process.Hashes like r"%SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058%" or Process.Hashes like r"%SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c%" or Process.Hashes like r"%SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f%" or Process.Hashes like r"%SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5%" or Process.Hashes like r"%SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3%" or Process.Hashes like r"%SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4%" or Process.Hashes like r"%SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c%" or 
Process.Hashes like r"%SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4%" or Process.Hashes like r"%SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f%" or Process.Hashes like r"%SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad%" or Process.Hashes like r"%SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7%" or Process.Hashes like r"%SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75%" or Process.Hashes like r"%SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6%" or Process.Hashes like r"%SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688%" or Process.Hashes like r"%SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f%" or Process.Hashes like r"%SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663%" or Process.Hashes like r"%SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77%" or Process.Hashes like r"%SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078%") and not (Process.Path like r"%\\cloudflared.exe" or Process.Path like r"%\\cloudflared-windows-386.exe" or Process.Path like r"%\\cloudflared-windows-amd64.exe") -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1070"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\%" and File.Path like r"%\_Cmdlet\_%" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. 
This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader -# Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems) -RuleId = b66474aa-bd92-4333-a16c-298155b120df -RuleName = Potential Persistence Via Powershell Search Order Hijacking - Task +# Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. +# Author: Florian Roth (Nextron Systems) +RuleId = a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc +RuleName = Raccine Uninstall EventType = Process.Start -Tag = proc-start-potential-persistence-via-powershell-search-order-hijacking-task -RiskScore = 75 -Annotation = {"mitre_attack": ["T1053.005", "T1059.001"], "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)"} -Query = Parent.Path == "C:\\WINDOWS\\System32\\svchost.exe" and Parent.CommandLine like r"%-k netsvcs%" and Parent.CommandLine like r"%-s Schedule%" and (Process.CommandLine like r"% -windowstyle hidden" or Process.CommandLine like r"% -w hidden" or Process.CommandLine like r"% -ep bypass" or Process.CommandLine like r"% -noni") -GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine - - -[ThreatDetectionRule platform=Windows] -# Detects NetNTLM downgrade attack -# Author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT) -RuleId = d67572a0-e2ec-45d6-b8db-c100d14b8ef2 -RuleName = NetNTLM Downgrade Attack - Registry -EventType = Reg.Any -Tag = netntlm-downgrade-attack-registry +Tag = proc-start-raccine-uninstall RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001", "T1112"], "author": "Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)"} -Query = Reg.TargetObject like r"%SYSTEM\\%" and Reg.TargetObject like r"%ControlSet%" and Reg.TargetObject like r"%\\Control\\Lsa%" and (Reg.TargetObject like r"%\\lmcompatibilitylevel" and (Reg.Value.Data in ["DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)"]) or 
Reg.TargetObject like r"%\\NtlmMinClientSec" and (Reg.Value.Data in ["DWORD (0x00000000)", "DWORD (0x00000010)", "DWORD (0x00000020)", "DWORD (0x00000030)"]) or Reg.TargetObject like r"%\\RestrictSendingNTLMTraffic") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%taskkill %" and Process.CommandLine like r"%RaccineSettings.exe%" or Process.CommandLine like r"%reg.exe%" and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%Raccine Tray%" or Process.CommandLine like r"%schtasks%" and Process.CommandLine like r"%/DELETE%" and Process.CommandLine like r"%Raccine Rules Updater%" [ThreatDetectionRule platform=Windows] -# Detects requests to disable Microsoft Defender features using PowerShell commands -# Author: Florian Roth (Nextron Systems) -RuleId = 1ec65a5f-9473-4f12-97da-622044d6df21 -RuleName = Powershell Defender Disable Scan Feature -EventType = Process.Start -Tag = proc-start-powershell-defender-disable-scan-feature +# Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location +# Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) +RuleId = 829a3bdf-34da-4051-9cf4-8ed221a8ae4f +RuleName = Microsoft Office DLL Sideload +EventType = Image.Load +Tag = microsoft-office-dll-sideload RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.CommandLine like r"%Add-MpPreference %" or Process.CommandLine like r"%Set-MpPreference %") and (Process.CommandLine like r"%DisableArchiveScanning %" or Process.CommandLine like r"%DisableRealtimeMonitoring %" or Process.CommandLine like r"%DisableIOAVProtection %" or Process.CommandLine like r"%DisableBehaviorMonitoring %" or Process.CommandLine like r"%DisableBlockAtFirstSeen %" or Process.CommandLine like 
r"%DisableCatchupFullScan %" or Process.CommandLine like r"%DisableCatchupQuickScan %") and (Process.CommandLine like r"%$true%" or Process.CommandLine like r"% 1 %") or Process.CommandLine like r"%ZGlzYWJsZWFyY2hpdmVzY2FubmluZy%" or Process.CommandLine like r"%Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg%" or Process.CommandLine like r"%kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI%" or Process.CommandLine like r"%RGlzYWJsZUFyY2hpdmVTY2FubmluZy%" or Process.CommandLine like r"%Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg%" or Process.CommandLine like r"%EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI%" or Process.CommandLine like r"%ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg%" or Process.CommandLine like r"%kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI%" or Process.CommandLine like r"%RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg%" or Process.CommandLine like r"%EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI%" or Process.CommandLine like r"%ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g%" or Process.CommandLine like r"%Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI%" or Process.CommandLine like r"%kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi%" or Process.CommandLine like r"%RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g%" or Process.CommandLine like r"%Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI%" or Process.CommandLine like r"%EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi%" or Process.CommandLine like r"%ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi%" or Process.CommandLine like r"%Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g%" or Process.CommandLine like r"%kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI%" or Process.CommandLine like r"%RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi%" or Process.CommandLine like r"%Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g%" or Process.CommandLine like r"%EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI%" or Process.CommandLine like r"%ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g%" or Process.CommandLine like r"%Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI%" or Process.CommandLine like r"%kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi%" or Process.CommandLine like r"%RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g%" or 
Process.CommandLine like r"%Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI%" or Process.CommandLine like r"%EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi%" or Process.CommandLine like r"%ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI%" or Process.CommandLine like r"%Rpc2FibGVpb2F2cHJvdGVjdGlvbi%" or Process.CommandLine like r"%kaXNhYmxlaW9hdnByb3RlY3Rpb24g%" or Process.CommandLine like r"%RGlzYWJsZUlPQVZQcm90ZWN0aW9uI%" or Process.CommandLine like r"%Rpc2FibGVJT0FWUHJvdGVjdGlvbi%" or Process.CommandLine like r"%EaXNhYmxlSU9BVlByb3RlY3Rpb24g%" or Process.CommandLine like r"%ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg%" or Process.CommandLine like r"%kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI%" or Process.CommandLine like r"%RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg%" or Process.CommandLine like r"%EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA%" or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA%" 
or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA%" +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)"} +Query = Image.Path like r"%\\outllib.dll" and not (Image.Path like r"C:\\Program Files\\Microsoft Office\\OFFICE%" or Image.Path like r"C:\\Program Files (x86)\\Microsoft Office\\OFFICE%" or Image.Path like r"C:\\Program Files\\Microsoft Office\\Root\\OFFICE%" or Image.Path like 
r"C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE%") +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) -# Author: Dimitrios Slamaris -RuleId = 9d3436ef-9476-4c43-acca-90ce06bdf33a -RuleName = DHCP Callout DLL Installation +# Detects potential persistence activity via outlook today page. +# An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl". +# Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand +RuleId = 487bb375-12ef-41f6-baae-c6a1572b4dd1 +RuleName = Potential Persistence Via Outlook Today Page EventType = Reg.Any -Tag = dhcp-callout-dll-installation +Tag = potential-persistence-via-outlook-today-page RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002", "T1112"], "author": "Dimitrios Slamaris"} -Query = Reg.TargetObject like r"%\\Services\\DHCPServer\\Parameters\\CalloutDlls" or Reg.TargetObject like r"%\\Services\\DHCPServer\\Parameters\\CalloutEnabled" +Annotation = {"mitre_attack": ["T1112"], "author": "Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand"} +Query = Reg.TargetObject like r"%Software\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Outlook\\Today\\%" and (Reg.TargetObject like r"%\\Stamp" and Reg.Value.Data == "DWORD (0x00000001)" or Reg.TargetObject like r"%\\URL" or Reg.TargetObject like r"%\\UserDefinedUrl") and not ((Process.Path like r"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\%" or Process.Path like r"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\%") and Process.Path like r"%\\OfficeClickToRun.exe") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule 
platform=Windows] -# Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service -# Author: Elastic (idea), Tobias Michalski (Nextron Systems) -RuleId = bb76d96b-821c-47cf-944b-7ce377864492 -RuleName = Suspicious NTLM Authentication on the Printer Spooler Service -EventType = Process.Start -Tag = proc-start-suspicious-ntlm-authentication-on-the-printer-spooler-service +# Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity +# Author: Timon Hackenjos +RuleId = 77564cc2-7382-438b-a7f6-395c2ae53b9a +RuleName = Remote Thread Created In KeePass.EXE +EventType = Process.CreateRemoteThread +Tag = remote-thread-created-in-keepass.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1212"], "author": "Elastic (idea), Tobias Michalski (Nextron Systems)"} -Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and Process.CommandLine like r"%C:\\windows\\system32\\davclnt.dll,DavSetCookie%" and Process.CommandLine like r"%http%" and (Process.CommandLine like r"%spoolss%" or Process.CommandLine like r"%srvsvc%" or Process.CommandLine like r"%/print/pipe/%") +Annotation = {"mitre_attack": ["T1555.005"], "author": "Timon Hackenjos"} +Query = Process.Path like r"%\\KeePass.exe" [ThreatDetectionRule platform=Windows] -# Detects RDP session hijacking by using MSTSC shadowing -# Author: Florian Roth (Nextron Systems) -RuleId = 6ba5a05f-b095-4f0a-8654-b825f4f16334 -RuleName = Potential MSTSC Shadowing Activity +# Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall +# Author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +RuleId = a35f5a72-f347-4e36-8895-9869b0d5fc6d +RuleName = Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE EventType = Process.Start -Tag = proc-start-potential-mstsc-shadowing-activity +Tag = 
proc-start-suspicious-program-location-whitelisted-in-firewall-via-netsh.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1563.002"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%noconsentprompt%" and Process.CommandLine like r"%shadow:%" +Annotation = {"mitre_attack": ["T1562.004"], "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community"} +Query = (Process.Path like r"%\\netsh.exe" or Process.Name == "netsh.exe") and (Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%allowedprogram%" or Process.CommandLine like r"%advfirewall%" and Process.CommandLine like r"%firewall%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%rule%" and Process.CommandLine like r"%action=allow%" and Process.CommandLine like r"%program=%") and (Process.CommandLine like r"%:\\$Recycle.bin\\%" or Process.CommandLine like r"%:\\RECYCLER.BIN\\%" or Process.CommandLine like r"%:\\RECYCLERS.BIN\\%" or Process.CommandLine like r"%:\\SystemVolumeInformation\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Users\\Default\\%" or Process.CommandLine like r"%:\\Users\\Desktop\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\addins\\%" or Process.CommandLine like r"%:\\Windows\\cursors\\%" or Process.CommandLine like r"%:\\Windows\\debug\\%" or Process.CommandLine like r"%:\\Windows\\drivers\\%" or Process.CommandLine like r"%:\\Windows\\fonts\\%" or Process.CommandLine like r"%:\\Windows\\help\\%" or Process.CommandLine like r"%:\\Windows\\system32\\tasks\\%" or Process.CommandLine like r"%:\\Windows\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Local Settings\\Temporary Internet Files\\%" or Process.CommandLine like r"%\\Temporary Internet Files\\Content.Outlook\\%" or 
Process.CommandLine like r"%\%Public\%\\%" or Process.CommandLine like r"%\%TEMP\%%" or Process.CommandLine like r"%\%TMP\%%") [ThreatDetectionRule platform=Windows] -# Detects dump of credentials in VeeamBackup dbo -# Author: frack113 -RuleId = b57ba453-b384-4ab9-9f40-1038086b4e53 -RuleName = VeeamBackup Database Credentials Dump Via Sqlcmd.EXE +# Detects suspicious ways to run Invoke-Execution using IEX alias +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 09576804-7a05-458e-a817-eb718ca91f54 +RuleName = Suspicious PowerShell IEX Execution Patterns EventType = Process.Start -Tag = proc-start-veeambackup-database-credentials-dump-via-sqlcmd.exe +Tag = proc-start-suspicious-powershell-iex-execution-patterns RiskScore = 75 -Annotation = {"mitre_attack": ["T1005"], "author": "frack113"} -Query = Process.Path like r"%\\sqlcmd.exe" and Process.CommandLine like r"%SELECT%" and Process.CommandLine like r"%TOP%" and Process.CommandLine like r"%[VeeamBackup].[dbo].[Credentials]%" +Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"% | iex;%" or Process.CommandLine like r"% | iex %" or Process.CommandLine like r"% | iex}%" or Process.CommandLine like r"% | IEX ;%" or Process.CommandLine like r"% | IEX -Error%" or Process.CommandLine like r"% | IEX (new%" or Process.CommandLine like r"%);IEX %") and (Process.CommandLine like r"%::FromBase64String%" or Process.CommandLine like r"%.GetString([System.Convert]::%") or Process.CommandLine like r"%)|iex;$%" or Process.CommandLine like r"%);iex($%" or Process.CommandLine like r"%);iex $%" or Process.CommandLine like r"% | IEX | %" or Process.CommandLine like r"% | iex\\\"%" [ThreatDetectionRule platform=Windows] -# Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is 
in almost all cases a sign of malicious activity -# Author: Florian Roth (Nextron Systems) -RuleId = b2815d0d-7481-4bf0-9b6c-a4c48a94b349 -RuleName = PowerShell Get-Process LSASS -EventType = Process.Start -Tag = proc-start-powershell-get-process-lsass +# Detects initiated network connections to crypto mining pools +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = fa5b1358-b040-4403-9868-15f7d9ab6329 +RuleName = Network Communication With Crypto Mining Pool +EventType = Net.Any +Tag = network-communication-with-crypto-mining-pool RiskScore = 75 -Annotation = {"mitre_attack": ["T1552.004"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%Get-Process lsas%" or Process.CommandLine like r"%ps lsas%" or Process.CommandLine like r"%gps lsas%" +Annotation = {"mitre_attack": ["T1496"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = Net.Target.Name in ["alimabi.cn", "ap.luckpool.net", "bcn.pool.minergate.com", "bcn.vip.pool.minergate.com", "bohemianpool.com", "ca-aipg.miningocean.org", "ca-dynex.miningocean.org", "ca-neurai.miningocean.org", "ca-qrl.miningocean.org", "ca-upx.miningocean.org", "ca-zephyr.miningocean.org", "ca.minexmr.com", "ca.monero.herominers.com", "cbd.monerpool.org", "cbdv2.monerpool.org", "cryptmonero.com", "crypto-pool.fr", "crypto-pool.info", "cryptonight-hub.miningpoolhub.com", "d1pool.ddns.net", "d5pool.us", "daili01.monerpool.org", "de-aipg.miningocean.org", "de-dynex.miningocean.org", "de-zephyr.miningocean.org", "de.minexmr.com", "dl.nbminer.com", "donate.graef.in", "donate.ssl.xmrig.com", "donate.v2.xmrig.com", "donate.xmrig.com", "donate2.graef.in", "drill.moneroworld.com", "dwarfpool.com", "emercoin.com", "emercoin.net", "emergate.net", "ethereumpool.co", "eu.luckpool.net", "eu.minerpool.pw", "fcn-xmr.pool.minergate.com", "fee.xmrig.com", "fr-aipg.miningocean.org", "fr-dynex.miningocean.org", 
"fr-neurai.miningocean.org", "fr-qrl.miningocean.org", "fr-upx.miningocean.org", "fr-zephyr.miningocean.org", "fr.minexmr.com", "hellominer.com", "herominers.com", "hk-aipg.miningocean.org", "hk-dynex.miningocean.org", "hk-neurai.miningocean.org", "hk-qrl.miningocean.org", "hk-upx.miningocean.org", "hk-zephyr.miningocean.org", "huadong1-aeon.ppxxmr.com", "iwanttoearn.money", "jw-js1.ppxxmr.com", "koto-pool.work", "lhr.nbminer.com", "lhr3.nbminer.com", "linux.monerpool.org", "lokiturtle.herominers.com", "luckpool.net", "masari.miner.rocks", "mine.c3pool.com", "mine.moneropool.com", "mine.ppxxmr.com", "mine.zpool.ca", "mine1.ppxxmr.com", "minemonero.gq", "miner.ppxxmr.com", "miner.rocks", "minercircle.com", "minergate.com", "minerpool.pw", "minerrocks.com", "miners.pro", "minerxmr.ru", "minexmr.cn", "minexmr.com", "mining-help.ru", "miningpoolhub.com", "mixpools.org", "moner.monerpool.org", "moner1min.monerpool.org", "monero-master.crypto-pool.fr", "monero.crypto-pool.fr", "monero.hashvault.pro", "monero.herominers.com", "monero.lindon-pool.win", "monero.miners.pro", "monero.riefly.id", "monero.us.to", "monerocean.stream", "monerogb.com", "monerohash.com", "moneroocean.stream", "moneropool.com", "moneropool.nl", "monerorx.com", "monerpool.org", "moriaxmr.com", "mro.pool.minergate.com", "multipool.us", "myxmr.pw", "na.luckpool.net", "nanopool.org", "nbminer.com", "node3.luckpool.net", "noobxmr.com", "pangolinminer.comgandalph3000.com", "pool.4i7i.com", "pool.armornetwork.org", "pool.cortins.tk", "pool.gntl.co.uk", "pool.hashvault.pro", "pool.minergate.com", "pool.minexmr.com", "pool.monero.hashvault.pro", "pool.ppxxmr.com", "pool.somec.cc", "pool.support", "pool.supportxmr.com", "pool.usa-138.com", "pool.xmr.pt", "pool.xmrfast.com", "pool2.armornetwork.org", "poolchange.ppxxmr.com", "pooldd.com", "poolmining.org", "poolto.be", "ppxvip1.ppxxmr.com", "ppxxmr.com", "prohash.net", "r.twotouchauthentication.online", "randomx.xmrig.com", "ratchetmining.com", 
"seed.emercoin.com", "seed.emercoin.net", "seed.emergate.net", "seed1.joulecoin.org", "seed2.joulecoin.org", "seed3.joulecoin.org", "seed4.joulecoin.org", "seed5.joulecoin.org", "seed6.joulecoin.org", "seed7.joulecoin.org", "seed8.joulecoin.org", "sg-aipg.miningocean.org", "sg-dynex.miningocean.org", "sg-neurai.miningocean.org", "sg-qrl.miningocean.org", "sg-upx.miningocean.org", "sg-zephyr.miningocean.org", "sg.minexmr.com", "sheepman.mine.bz", "siamining.com", "sumokoin.minerrocks.com", "supportxmr.com", "suprnova.cc", "teracycle.net", "trtl.cnpool.cc", "trtl.pool.mine2gether.com", "turtle.miner.rocks", "us-aipg.miningocean.org", "us-dynex.miningocean.org", "us-neurai.miningocean.org", "us-west.minexmr.com", "us-zephyr.miningocean.org", "usxmrpool.com", "viaxmr.com", "webservicepag.webhop.net", "xiazai.monerpool.org", "xiazai1.monerpool.org", "xmc.pool.minergate.com", "xmo.pool.minergate.com", "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-us.suprnova.cc", "xmr-usa.dwarfpool.com", "xmr.2miners.com", "xmr.5b6b7b.ru", "xmr.alimabi.cn", "xmr.bohemianpool.com", "xmr.crypto-pool.fr", "xmr.crypto-pool.info", "xmr.f2pool.com", "xmr.hashcity.org", "xmr.hex7e4.ru", "xmr.ip28.net", "xmr.monerpool.org", "xmr.mypool.online", "xmr.nanopool.org", "xmr.pool.gntl.co.uk", "xmr.pool.minergate.com", "xmr.poolto.be", "xmr.ppxxmr.com", "xmr.prohash.net", "xmr.simka.pw", "xmr.somec.cc", "xmr.suprnova.cc", "xmr.usa-138.com", "xmr.vip.pool.minergate.com", "xmr1min.monerpool.org", "xmrf.520fjh.org", "xmrf.fjhan.club", "xmrfast.com", "xmrigcc.graef.in", "xmrminer.cc", "xmrpool.de", "xmrpool.eu", "xmrpool.me", "xmrpool.net", "xmrpool.xyz", "xx11m.monerpool.org", "xx11mv2.monerpool.org", "xxx.hex7e4.ru", "zarabotaibitok.ru", "zer0day.ru"] +GenericProperty1 = Net.Target.Name [ThreatDetectionRule platform=Windows] -# Detects a certain command line flag 
combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary -# Author: Florian Roth (Nextron Systems) -RuleId = 729ce0ea-5d8f-4769-9762-e35de441586d -RuleName = MpiExec Lolbin +# Detects the execution of Rundll32.exe with DLL files masquerading as image files +# Author: Hieu Tran +RuleId = 4aa6040b-3f28-44e3-a769-9208e5feb5ec +RuleName = Suspicious Rundll32 Execution With Image Extension EventType = Process.Start -Tag = proc-start-mpiexec-lolbin +Tag = proc-start-suspicious-rundll32-execution-with-image-extension RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\mpiexec.exe" or Process.Hashes like r"%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%") and (Process.CommandLine like r"% /n 1 %" or Process.CommandLine like r"% -n 1 %") -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1218.011"], "author": "Hieu Tran"} +Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.exe") and (Process.CommandLine like r"%.bmp%" or Process.CommandLine like r"%.cr2%" or Process.CommandLine like r"%.eps%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.ico%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.nef%" or Process.CommandLine like r"%.orf%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.raw%" or Process.CommandLine like r"%.sr2%" or Process.CommandLine like r"%.tif%" or Process.CommandLine like r"%.tiff%") [ThreatDetectionRule platform=Windows] -# Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. -# Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. 
-# Author: frack113 -RuleId = bbf59793-6efb-4fa1-95ca-a7d288e52c88 -RuleName = Winlogon Notify Key Logon Persistence -EventType = Reg.Any -Tag = winlogon-notify-key-logon-persistence +# Detects the execution of a renamed ProcDump executable. +# This often done by attackers or malware in order to evade defensive mechanisms. +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 +RuleName = Renamed ProcDump Execution +EventType = Process.Start +Tag = proc-start-renamed-procdump-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.004"], "author": "frack113"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\logon" and Reg.Value.Data like r"%.dll" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1036.003"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Name == "procdump" or (Process.CommandLine like r"% -ma %" or Process.CommandLine like r"% /ma %" or Process.CommandLine like r"% –ma %" or Process.CommandLine like r"% —ma %" or Process.CommandLine like r"% ―ma %" or Process.CommandLine like r"% -mp %" or Process.CommandLine like r"% /mp %" or Process.CommandLine like r"% –mp %" or Process.CommandLine like r"% —mp %" or Process.CommandLine like r"% ―mp %") and (Process.CommandLine like r"% -accepteula%" or Process.CommandLine like r"% /accepteula%" or Process.CommandLine like r"% –accepteula%" or Process.CommandLine like r"% —accepteula%" or Process.CommandLine like r"% ―accepteula%")) and not (Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe") [ThreatDetectionRule platform=Windows] -# Detects changes to the NGenAssemblyUsageLog registry key. 
-# .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). -# By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created. -# Author: frack113 -RuleId = 28036918-04d3-423d-91c0-55ecf99fb892 -RuleName = NET NGenAssemblyUsageLog Registry Key Tamper -EventType = Reg.Any -Tag = net-ngenassemblyusagelog-registry-key-tamper +# Detects potentially suspicious file downloads directly from IP addresses using curl.exe +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 5cb299fc-5fb1-4d07-b989-0644c68b6043 +RuleName = Suspicious File Download From IP Via Curl.EXE +EventType = Process.Start +Tag = proc-start-suspicious-file-download-from-ip-via-curl.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "frack113"} -Query = Reg.TargetObject like r"%SOFTWARE\\Microsoft\\.NETFramework\\NGenAssemblyUsageLog" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\curl.exe" or Process.Name == "curl.exe") and Process.CommandLine regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and Process.CommandLine like r"%http%" and (Process.CommandLine like r"% -O%" or Process.CommandLine like r"%--remote-name%" or Process.CommandLine like r"%--output%") and (Process.CommandLine like r"%.bat" or Process.CommandLine like r"%.bat\"" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.dat\"" or Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.dll\"" or Process.CommandLine like r"%.exe" or Process.CommandLine like r"%.exe\"" or Process.CommandLine like r"%.gif" or Process.CommandLine like r"%.gif\"" or Process.CommandLine like r"%.hta" or Process.CommandLine like 
r"%.hta\"" or Process.CommandLine like r"%.jpeg" or Process.CommandLine like r"%.jpeg\"" or Process.CommandLine like r"%.log" or Process.CommandLine like r"%.log\"" or Process.CommandLine like r"%.msi" or Process.CommandLine like r"%.msi\"" or Process.CommandLine like r"%.png" or Process.CommandLine like r"%.png\"" or Process.CommandLine like r"%.ps1" or Process.CommandLine like r"%.ps1\"" or Process.CommandLine like r"%.psm1" or Process.CommandLine like r"%.psm1\"" or Process.CommandLine like r"%.vbe" or Process.CommandLine like r"%.vbe\"" or Process.CommandLine like r"%.vbs" or Process.CommandLine like r"%.vbs\"" or Process.CommandLine like r"%.bat'" or Process.CommandLine like r"%.dat'" or Process.CommandLine like r"%.dll'" or Process.CommandLine like r"%.exe'" or Process.CommandLine like r"%.gif'" or Process.CommandLine like r"%.hta'" or Process.CommandLine like r"%.jpeg'" or Process.CommandLine like r"%.log'" or Process.CommandLine like r"%.msi'" or Process.CommandLine like r"%.png'" or Process.CommandLine like r"%.ps1'" or Process.CommandLine like r"%.psm1'" or Process.CommandLine like r"%.vbe'" or Process.CommandLine like r"%.vbs'") [ThreatDetectionRule platform=Windows] -# Bypasses User Account Control using a fileless method -# Author: frack113 -RuleId = 46dd5308-4572-4d12-aa43-8938f0184d4f -RuleName = Bypass UAC Using DelegateExecute -EventType = Reg.Any -Tag = bypass-uac-using-delegateexecute +# Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs. 
+# Author: Florian Roth (Nextron Systems) +RuleId = 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60 +RuleName = Uncommon FileSystem Load Attempt By Format.com +EventType = Process.Start +Tag = proc-start-uncommon-filesystem-load-attempt-by-format.com RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "frack113"} -Query = Reg.TargetObject like r"%\\open\\command\\DelegateExecute" and Reg.Value.Data == "(Empty)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\format.com" and Process.CommandLine like r"%/fs:%" and not (Process.CommandLine like r"%/fs:exFAT%" or Process.CommandLine like r"%/fs:FAT%" or Process.CommandLine like r"%/fs:NTFS%" or Process.CommandLine like r"%/fs:ReFS%" or Process.CommandLine like r"%/fs:UDF%") [ThreatDetectionRule platform=Windows] -# Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. -# RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. 
-# This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise -# Author: frack113 -RuleId = 28ac00d6-22d9-4a3c-927f-bbd770104573 -RuleName = RestrictedAdminMode Registry Value Tampering - ProcCreation +# Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt +# Author: Florian Roth (Nextron Systems) +RuleId = be344333-921d-4c4d-8bb8-e584cf584780 +RuleName = Potentially Suspicious Event Viewer Child Process EventType = Process.Start -Tag = proc-start-restrictedadminmode-registry-value-tampering-proccreation +Tag = proc-start-potentially-suspicious-event-viewer-child-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "frack113"} -Query = Process.CommandLine like r"%\\System\\CurrentControlSet\\Control\\Lsa\\%" and Process.CommandLine like r"%DisableRestrictedAdmin%" +Annotation = {"mitre_attack": ["T1548.002"], "author": "Florian Roth (Nextron Systems)"} +Query = Parent.Path like r"%\\eventvwr.exe" and not (Process.Path like r"%:\\Windows\\System32\\mmc.exe" or Process.Path like r"%:\\Windows\\System32\\WerFault.exe" or Process.Path like r"%:\\Windows\\SysWOW64\\WerFault.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects REGSVR32.exe to execute DLL hosted on remote shares -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 88a87a10-384b-4ad7-8871-2f9bf9259ce5 -RuleName = Suspicious Regsvr32 Execution From Remote Share +# Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory. 
+# Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati +RuleId = f53714ec-5077-420e-ad20-907ff9bb2958 +RuleName = Forfiles.EXE Child Process Masquerading EventType = Process.Start -Tag = proc-start-suspicious-regsvr32-execution-from-remote-share +Tag = proc-start-forfiles.exe-child-process-masquerading RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.010"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\regsvr32.exe" or Process.Name == "\\REGSVR32.EXE") and Process.CommandLine like r"% \\\\%" +Annotation = {"mitre_attack": ["T1036"], "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati"} +Query = (Parent.CommandLine like r"%.exe" or Parent.CommandLine like r"%.exe\"") and Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"/c echo \"%" and not ((Parent.Path like r"%:\\Windows\\System32\\%" or Parent.Path like r"%:\\Windows\\SysWOW64\\%") and Parent.Path like r"%\\forfiles.exe" and (Process.Path like r"%:\\Windows\\System32\\%" or Process.Path like r"%:\\Windows\\SysWOW64\\%") and Process.Path like r"%\\cmd.exe") +GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 00d49ed5-4491-4271-a8db-650a4ef6f8c1 -RuleName = Suspicious Download from Office Domain +# Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. 
+# Author: Swachchhanda Shrawan Poudel +RuleId = d557dc06-62e8-4468-a8e8-7984124908ce +RuleName = HackTool - WinPwn Execution EventType = Process.Start -Tag = proc-start-suspicious-download-from-office-domain +Tag = proc-start-hacktool-winpwn-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1105", "T1608"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\curl.exe" or Process.Path like r"%\\wget.exe" or Process.CommandLine like r"%Invoke-WebRequest%" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%curl %" or Process.CommandLine like r"%wget %" or Process.CommandLine like r"%Start-BitsTransfer%" or Process.CommandLine like r"%.DownloadFile(%" or Process.CommandLine like r"%.DownloadString(%") and (Process.CommandLine like r"%https://attachment.outlook.live.net/owa/%" or Process.CommandLine like r"%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%") +Annotation = {"mitre_attack": ["T1046", "T1082", "T1106", "T1518", "T1548.002", "T1552.001", "T1555", "T1555.003"], "author": "Swachchhanda Shrawan Poudel"} +Query = Process.CommandLine like r"%Offline\_Winpwn%" or Process.CommandLine like r"%WinPwn %" or Process.CommandLine like r"%WinPwn.exe%" or Process.CommandLine like r"%WinPwn.ps1%" [ThreatDetectionRule platform=Windows] -# Detects Obfuscated use of Clip.exe to execute PowerShell -# Author: Jonathan Cheong, oscd.community -RuleId = b222df08-0e07-11eb-adc1-0242ac120002 -RuleName = Invoke-Obfuscation CLIP+ Launcher +# Detects when a program changes the default file association of any extension to an executable. +# When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = ae6f14e6-14de-45b0-9f44-c0986f50dc89 +RuleName = Change Default File Association To Executable Via Assoc EventType = Process.Start -Tag = proc-start-invoke-obfuscation-clip+-launcher +Tag = proc-start-change-default-file-association-to-executable-via-assoc RiskScore = 75 -Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Jonathan Cheong, oscd.community"} -Query = Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%&&%" and Process.CommandLine like r"%clipboard]::%" and Process.CommandLine like r"%-f%" and (Process.CommandLine like r"%/c%" or Process.CommandLine like r"%/r%") +Annotation = {"mitre_attack": ["T1546.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%assoc %" and Process.CommandLine like r"%exefile%" and not Process.CommandLine like r"%.exe=exefile%" [ThreatDetectionRule platform=Windows] -# Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location. 
+# Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry +# Author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali +RuleId = e1aa95de-610a-427d-b9e7-9b46cfafbe6a +RuleName = Windows Defender Service Disabled - Registry +EventType = Reg.Any +Tag = windows-defender-service-disabled-registry +RiskScore = 75 +Annotation = {"mitre_attack": ["T1562.001"], "author": "J\u00e1n Tren\u010dansk\u00fd, frack113, AlertIQ, Nasreddine Bencherchali"} +Query = Reg.TargetObject like r"%\\Services\\WinDefend\\Start" and Reg.Value.Data == "DWORD (0x00000004)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data + + +[ThreatDetectionRule platform=Windows] +# Detects Commandlet names from well-known PowerShell exploitation frameworks # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 6b65c28e-11f3-46cb-902a-68f2cafaf474 -RuleName = Odbcconf.EXE Suspicious DLL Location +RuleId = 02030f2f-6199-49ec-b258-ea71b07e03dc +RuleName = Malicious PowerShell Commandlets - ProcessCreation EventType = Process.Start -Tag = proc-start-odbcconf.exe-suspicious-dll-location +Tag = proc-start-malicious-powershell-commandlets-processcreation RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.008"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\odbcconf.exe" or Process.Name == "odbcconf.exe") and (Process.CommandLine like r"%:\\PerfLogs\\%" or Process.CommandLine like r"%:\\ProgramData\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\Registration\\CRMLog%" or Process.CommandLine like r"%:\\Windows\\System32\\com\\dmp\\%" or Process.CommandLine like r"%:\\Windows\\System32\\FxsTmp\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\%" or Process.CommandLine like r"%:\\Windows\\System32\\spool\\drivers\\color\\%" or 
Process.CommandLine like r"%:\\Windows\\System32\\spool\\PRINTERS\\%" or Process.CommandLine like r"%:\\Windows\\System32\\spool\\SERVERS\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\_Migrated\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Process.CommandLine like r"%:\\Windows\\SysWOW64\\com\\dmp\\%" or Process.CommandLine like r"%:\\Windows\\SysWOW64\\FxsTmp\\%" or Process.CommandLine like r"%:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\%" or Process.CommandLine like r"%:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Process.CommandLine like r"%:\\Windows\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\Tracing\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Roaming\\%") +Annotation = {"mitre_attack": ["T1482", "T1087", "T1087.001", "T1087.002", "T1069.001", "T1069.002", "T1069", "T1059.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%Add-Exfiltration%" or Process.CommandLine like r"%Add-Persistence%" or Process.CommandLine like r"%Add-RegBackdoor%" or Process.CommandLine like r"%Add-RemoteRegBackdoor%" or Process.CommandLine like r"%Add-ScrnSaveBackdoor%" or Process.CommandLine like r"%Check-VM%" or Process.CommandLine like r"%ConvertTo-Rc4ByteStream%" or Process.CommandLine like r"%Decrypt-Hash%" or Process.CommandLine like r"%Disable-ADIDNSNode%" or Process.CommandLine like r"%Disable-MachineAccount%" or Process.CommandLine like r"%Do-Exfiltration%" or Process.CommandLine like r"%Enable-ADIDNSNode%" or Process.CommandLine like r"%Enable-MachineAccount%" or Process.CommandLine like r"%Enabled-DuplicateToken%" or Process.CommandLine like r"%Exploit-Jboss%" or Process.CommandLine like r"%Export-ADR%" or Process.CommandLine like r"%Export-ADRCSV%" or Process.CommandLine like r"%Export-ADRExcel%" 
or Process.CommandLine like r"%Export-ADRHTML%" or Process.CommandLine like r"%Export-ADRJSON%" or Process.CommandLine like r"%Export-ADRXML%" or Process.CommandLine like r"%Find-Fruit%" or Process.CommandLine like r"%Find-GPOLocation%" or Process.CommandLine like r"%Find-TrustedDocuments%" or Process.CommandLine like r"%Get-ADIDNS%" or Process.CommandLine like r"%Get-ApplicationHost%" or Process.CommandLine like r"%Get-ChromeDump%" or Process.CommandLine like r"%Get-ClipboardContents%" or Process.CommandLine like r"%Get-FoxDump%" or Process.CommandLine like r"%Get-GPPPassword%" or Process.CommandLine like r"%Get-IndexedItem%" or Process.CommandLine like r"%Get-KerberosAESKey%" or Process.CommandLine like r"%Get-Keystrokes%" or Process.CommandLine like r"%Get-LSASecret%" or Process.CommandLine like r"%Get-MachineAccountAttribute%" or Process.CommandLine like r"%Get-MachineAccountCreator%" or Process.CommandLine like r"%Get-PassHashes%" or Process.CommandLine like r"%Get-RegAlwaysInstallElevated%" or Process.CommandLine like r"%Get-RegAutoLogon%" or Process.CommandLine like r"%Get-RemoteBootKey%" or Process.CommandLine like r"%Get-RemoteCachedCredential%" or Process.CommandLine like r"%Get-RemoteLocalAccountHash%" or Process.CommandLine like r"%Get-RemoteLSAKey%" or Process.CommandLine like r"%Get-RemoteMachineAccountHash%" or Process.CommandLine like r"%Get-RemoteNLKMKey%" or Process.CommandLine like r"%Get-RickAstley%" or Process.CommandLine like r"%Get-Screenshot%" or Process.CommandLine like r"%Get-SecurityPackages%" or Process.CommandLine like r"%Get-ServiceFilePermission%" or Process.CommandLine like r"%Get-ServicePermission%" or Process.CommandLine like r"%Get-ServiceUnquoted%" or Process.CommandLine like r"%Get-SiteListPassword%" or Process.CommandLine like r"%Get-System%" or Process.CommandLine like r"%Get-TimedScreenshot%" or Process.CommandLine like r"%Get-UnattendedInstallFile%" or Process.CommandLine like r"%Get-Unconstrained%" or Process.CommandLine 
like r"%Get-USBKeystrokes%" or Process.CommandLine like r"%Get-VaultCredential%" or Process.CommandLine like r"%Get-VulnAutoRun%" or Process.CommandLine like r"%Get-VulnSchTask%" or Process.CommandLine like r"%Grant-ADIDNSPermission%" or Process.CommandLine like r"%Gupt-Backdoor%" or Process.CommandLine like r"%HTTP-Login%" or Process.CommandLine like r"%Install-ServiceBinary%" or Process.CommandLine like r"%Install-SSP%" or Process.CommandLine like r"%Invoke-ACLScanner%" or Process.CommandLine like r"%Invoke-ADRecon%" or Process.CommandLine like r"%Invoke-ADSBackdoor%" or Process.CommandLine like r"%Invoke-AgentSmith%" or Process.CommandLine like r"%Invoke-AllChecks%" or Process.CommandLine like r"%Invoke-ARPScan%" or Process.CommandLine like r"%Invoke-AzureHound%" or Process.CommandLine like r"%Invoke-BackdoorLNK%" or Process.CommandLine like r"%Invoke-BadPotato%" or Process.CommandLine like r"%Invoke-BetterSafetyKatz%" or Process.CommandLine like r"%Invoke-BypassUAC%" or Process.CommandLine like r"%Invoke-Carbuncle%" or Process.CommandLine like r"%Invoke-Certify%" or Process.CommandLine like r"%Invoke-ConPtyShell%" or Process.CommandLine like r"%Invoke-CredentialInjection%" or Process.CommandLine like r"%Invoke-DAFT%" or Process.CommandLine like r"%Invoke-DCSync%" or Process.CommandLine like r"%Invoke-DinvokeKatz%" or Process.CommandLine like r"%Invoke-DllInjection%" or Process.CommandLine like r"%Invoke-DNSUpdate%" or Process.CommandLine like r"%Invoke-DomainPasswordSpray%" or Process.CommandLine like r"%Invoke-DowngradeAccount%" or Process.CommandLine like r"%Invoke-EgressCheck%" or Process.CommandLine like r"%Invoke-Eyewitness%" or Process.CommandLine like r"%Invoke-FakeLogonScreen%" or Process.CommandLine like r"%Invoke-Farmer%" or Process.CommandLine like r"%Invoke-Get-RBCD-Threaded%" or Process.CommandLine like r"%Invoke-Gopher%" or Process.CommandLine like r"%Invoke-Grouper%" or Process.CommandLine like r"%Invoke-HandleKatz%" or Process.CommandLine like 
r"%Invoke-ImpersonatedProcess%" or Process.CommandLine like r"%Invoke-ImpersonateSystem%" or Process.CommandLine like r"%Invoke-InteractiveSystemPowerShell%" or Process.CommandLine like r"%Invoke-Internalmonologue%" or Process.CommandLine like r"%Invoke-Inveigh%" or Process.CommandLine like r"%Invoke-InveighRelay%" or Process.CommandLine like r"%Invoke-KrbRelay%" or Process.CommandLine like r"%Invoke-LdapSignCheck%" or Process.CommandLine like r"%Invoke-Lockless%" or Process.CommandLine like r"%Invoke-MalSCCM%" or Process.CommandLine like r"%Invoke-Mimikatz%" or Process.CommandLine like r"%Invoke-Mimikittenz%" or Process.CommandLine like r"%Invoke-MITM6%" or Process.CommandLine like r"%Invoke-NanoDump%" or Process.CommandLine like r"%Invoke-NetRipper%" or Process.CommandLine like r"%Invoke-Nightmare%" or Process.CommandLine like r"%Invoke-NinjaCopy%" or Process.CommandLine like r"%Invoke-OfficeScrape%" or Process.CommandLine like r"%Invoke-OxidResolver%" or Process.CommandLine like r"%Invoke-P0wnedshell%" or Process.CommandLine like r"%Invoke-Paranoia%" or Process.CommandLine like r"%Invoke-PortScan%" or Process.CommandLine like r"%Invoke-PoshRatHttp%" or Process.CommandLine like r"%Invoke-PostExfil%" or Process.CommandLine like r"%Invoke-PowerDump%" or Process.CommandLine like r"%Invoke-PowerShellTCP%" or Process.CommandLine like r"%Invoke-PowerShellWMI%" or Process.CommandLine like r"%Invoke-PPLDump%" or Process.CommandLine like r"%Invoke-PsExec%" or Process.CommandLine like r"%Invoke-PSInject%" or Process.CommandLine like r"%Invoke-PsUaCme%" or Process.CommandLine like r"%Invoke-ReflectivePEInjection%" or Process.CommandLine like r"%Invoke-ReverseDNSLookup%" or Process.CommandLine like r"%Invoke-Rubeus%" or Process.CommandLine like r"%Invoke-RunAs%" or Process.CommandLine like r"%Invoke-SafetyKatz%" or Process.CommandLine like r"%Invoke-SauronEye%" or Process.CommandLine like r"%Invoke-SCShell%" or Process.CommandLine like r"%Invoke-Seatbelt%" or 
Process.CommandLine like r"%Invoke-ServiceAbuse%" or Process.CommandLine like r"%Invoke-ShadowSpray%" or Process.CommandLine like r"%Invoke-Sharp%" or Process.CommandLine like r"%Invoke-Shellcode%" or Process.CommandLine like r"%Invoke-SMBScanner%" or Process.CommandLine like r"%Invoke-Snaffler%" or Process.CommandLine like r"%Invoke-Spoolsample%" or Process.CommandLine like r"%Invoke-SpraySinglePassword%" or Process.CommandLine like r"%Invoke-SSHCommand%" or Process.CommandLine like r"%Invoke-StandIn%" or Process.CommandLine like r"%Invoke-StickyNotesExtract%" or Process.CommandLine like r"%Invoke-SystemCommand%" or Process.CommandLine like r"%Invoke-Tasksbackdoor%" or Process.CommandLine like r"%Invoke-Tater%" or Process.CommandLine like r"%Invoke-Thunderfox%" or Process.CommandLine like r"%Invoke-ThunderStruck%" or Process.CommandLine like r"%Invoke-TokenManipulation%" or Process.CommandLine like r"%Invoke-Tokenvator%" or Process.CommandLine like r"%Invoke-TotalExec%" or Process.CommandLine like r"%Invoke-UrbanBishop%" or Process.CommandLine like r"%Invoke-UserHunter%" or Process.CommandLine like r"%Invoke-VoiceTroll%" or Process.CommandLine like r"%Invoke-Whisker%" or Process.CommandLine like r"%Invoke-WinEnum%" or Process.CommandLine like r"%Invoke-winPEAS%" or Process.CommandLine like r"%Invoke-WireTap%" or Process.CommandLine like r"%Invoke-WmiCommand%" or Process.CommandLine like r"%Invoke-WMIExec%" or Process.CommandLine like r"%Invoke-WScriptBypassUAC%" or Process.CommandLine like r"%Invoke-Zerologon%" or Process.CommandLine like r"%MailRaider%" or Process.CommandLine like r"%New-ADIDNSNode%" or Process.CommandLine like r"%New-DNSRecordArray%" or Process.CommandLine like r"%New-HoneyHash%" or Process.CommandLine like r"%New-InMemoryModule%" or Process.CommandLine like r"%New-MachineAccount%" or Process.CommandLine like r"%New-SOASerialNumberArray%" or Process.CommandLine like r"%Out-Minidump%" or Process.CommandLine like r"%Port-Scan%" or 
Process.CommandLine like r"%PowerBreach%" or Process.CommandLine like r"%powercat %" or Process.CommandLine like r"%PowerUp%" or Process.CommandLine like r"%PowerView%" or Process.CommandLine like r"%Remove-ADIDNSNode%" or Process.CommandLine like r"%Remove-MachineAccount%" or Process.CommandLine like r"%Remove-Update%" or Process.CommandLine like r"%Rename-ADIDNSNode%" or Process.CommandLine like r"%Revoke-ADIDNSPermission%" or Process.CommandLine like r"%Set-ADIDNSNode%" or Process.CommandLine like r"%Set-MacAttribute%" or Process.CommandLine like r"%Set-MachineAccountAttribute%" or Process.CommandLine like r"%Set-Wallpaper%" or Process.CommandLine like r"%Show-TargetScreen%" or Process.CommandLine like r"%Start-CaptureServer%" or Process.CommandLine like r"%Start-Dnscat2%" or Process.CommandLine like r"%Start-WebcamRecorder%" or Process.CommandLine like r"%VolumeShadowCopyTools%" [ThreatDetectionRule platform=Windows] -# Detects potential process patterns related to Cobalt Strike beacon activity -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = f35c5d71-b489-4e22-a115-f003df287317 -RuleName = Potential CobaltStrike Process Patterns +# Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". +# This technique were seen used by threat actors and ransomware strains in order to evade defenses. 
+# Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 +RuleId = cc36992a-4671-4f21-a91d-6c2b72a2edf5 +RuleName = Suspicious Eventlog Clearing or Configuration Change Activity EventType = Process.Start -Tag = proc-start-potential-cobaltstrike-process-patterns +Tag = proc-start-suspicious-eventlog-clearing-or-configuration-change-activity RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%cmd.exe /C whoami" and Parent.Path like r"C:\\Temp\\%" or (Parent.Path like r"%\\runonce.exe" or Parent.Path like r"%\\dllhost.exe") and Process.CommandLine like r"%cmd.exe /c echo%" and Process.CommandLine like r"%> \\\\.\\pipe%" or Parent.CommandLine like r"%cmd.exe /C echo%" and Parent.CommandLine like r"% > \\\\.\\pipe%" and Process.CommandLine like r"%conhost.exe 0xffffffff -ForceV1" or Parent.CommandLine like r"%/C whoami" and Process.CommandLine like r"%conhost.exe 0xffffffff -ForceV1" +Annotation = {"mitre_attack": ["T1070.001", "T1562.002"], "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105"} +Query = (Process.Path like r"%\\wevtutil.exe" and (Process.CommandLine like r"%clear-log %" or Process.CommandLine like r"% cl %" or Process.CommandLine like r"%set-log %" or Process.CommandLine like r"% sl %" or Process.CommandLine like r"%lfn:%") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%Clear-EventLog %" or Process.CommandLine like r"%Remove-EventLog %" or Process.CommandLine like r"%Limit-EventLog %" or Process.CommandLine like r"%Clear-WinEvent %") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wmic.exe") and Process.CommandLine like r"%ClearEventLog%") and not ((Parent.Path in ["C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"]) and Process.CommandLine like r"% sl %") 
GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = f57c58b3-ee69-4ef5-9041-455bf39aaa89 -RuleName = Remote CHM File Download/Execution Via HH.EXE +# Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. +# Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 1816994b-42e1-4fb1-afd2-134d88184f71 +RuleName = PowerShell Base64 Encoded WMI Classes EventType = Process.Start -Tag = proc-start-remote-chm-file-download/execution-via-hh.exe +Tag = proc-start-powershell-base64-encoded-wmi-classes RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Name == "HH.exe" or Process.Path like r"%\\hh.exe") and (Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%" or Process.CommandLine like r"%\\\\%") +Annotation = {"mitre_attack": ["T1059.001", "T1027"], "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%" or Process.CommandLine like r"%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%" or Process.CommandLine like r"%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%" or Process.CommandLine like r"%V2luMzJfU2hhZG93Y29we%" or Process.CommandLine like r"%dpbjMyX1NoYWRvd2NvcH%" or Process.CommandLine like r"%XaW4zMl9TaGFkb3djb3B5%" or Process.CommandLine like r"%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%" or Process.CommandLine like r"%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%" or Process.CommandLine like 
r"%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%" or Process.CommandLine like r"%V2luMzJfU2NoZWR1bGVkSm9i%" or Process.CommandLine like r"%dpbjMyX1NjaGVkdWxlZEpvY%" or Process.CommandLine like r"%XaW4zMl9TY2hlZHVsZWRKb2%" or Process.CommandLine like r"%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%" or Process.CommandLine like r"%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%" or Process.CommandLine like r"%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%" or Process.CommandLine like r"%V2luMzJfUHJvY2Vzc%" or Process.CommandLine like r"%dpbjMyX1Byb2Nlc3%" or Process.CommandLine like r"%XaW4zMl9Qcm9jZXNz%" or Process.CommandLine like r"%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%" or Process.CommandLine like r"%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%" or Process.CommandLine like r"%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%" or Process.CommandLine like r"%V2luMzJfVXNlckFjY291bn%" or Process.CommandLine like r"%dpbjMyX1VzZXJBY2NvdW50%" or Process.CommandLine like r"%XaW4zMl9Vc2VyQWNjb3Vud%" or Process.CommandLine like r"%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%" or Process.CommandLine like r"%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%" or Process.CommandLine like r"%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%" or Process.CommandLine like r"%V2luMzJfTG9nZ2VkT25Vc2Vy%" or Process.CommandLine like r"%dpbjMyX0xvZ2dlZE9uVXNlc%" or Process.CommandLine like r"%XaW4zMl9Mb2dnZWRPblVzZX%") [ThreatDetectionRule platform=Windows] -# Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys -# Author: Karneades, Jonhnathan Ribeiro, Florian Roth -RuleId = 36803969-5421-41ec-b92f-8500f79c23b0 -RuleName = Potential Persistence Via GlobalFlags -EventType = Reg.Any -Tag = potential-persistence-via-globalflags +# Detects usage of "IMEWDBLD.exe" to download arbitrary files +# Author: Swachchhanda Shrawan Poudel +RuleId = 863218bd-c7d0-4c52-80cd-0a96c09f54af +RuleName = Arbitrary File Download Via IMEWDBLD.EXE +EventType = Process.Start +Tag = 
proc-start-arbitrary-file-download-via-imewdbld.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.012"], "author": "Karneades, Jonhnathan Ribeiro, Florian Roth"} -Query = Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\%" and Reg.TargetObject like r"%\\Image File Execution Options\\%" and Reg.TargetObject like r"%\\GlobalFlag%" or Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\%" and Reg.TargetObject like r"%\\SilentProcessExit\\%" and (Reg.TargetObject like r"%\\ReportingMode%" or Reg.TargetObject like r"%\\MonitorProcess%") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1218"], "author": "Swachchhanda Shrawan Poudel"} +Query = (Process.Path like r"%\\IMEWDBLD.exe" or Process.Name == "imewdbld.exe") and (Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%") [ThreatDetectionRule platform=Windows] -# Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 11b1ed55-154d-4e82-8ad7-83739298f720 -RuleName = NTDS.DIT Creation By Uncommon Process +# Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) +# Author: Christian Burkard (Nextron Systems) +RuleId = 68578b43-65df-4f81-9a9b-92f32711a951 +RuleName = UAC Bypass Using Windows Media Player - File EventType = File.Create -Tag = ntds.dit-creation-by-uncommon-process +Tag = uac-bypass-using-windows-media-player-file RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.002", "T1003.003"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path like r"%\\ntds.dit" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" 
or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\wsl.exe" or Process.Path like r"%\\wt.exe" or Process.Path like r"%\\AppData\\%" or Process.Path like r"%\\Temp\\%" or Process.Path like r"%\\Public\\%" or Process.Path like r"%\\PerfLogs\\%") +Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} +Query = File.Path like r"C:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Temp\\OskSupport.dll" or Process.Path == "C:\\Windows\\system32\\DllHost.exe" and File.Path == "C:\\Program Files\\Windows Media Player\\osk.exe" GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil -# Author: Tim Rauch, Elastic (idea) -RuleId = 21ff4ca9-f13a-41ad-b828-0077b2af2e40 -RuleName = Deletion of Volume Shadow Copies via WMI with PowerShell +# Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming) +# Author: Florian Roth (Nextron Systems) +RuleId = c1d867fe-8d95-4487-aab4-e53f2d339f90 +RuleName = Renamed Sysinternals Sdelete Execution EventType = Process.Start -Tag = proc-start-deletion-of-volume-shadow-copies-via-wmi-with-powershell +Tag = proc-start-renamed-sysinternals-sdelete-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1490"], "author": "Tim Rauch, Elastic (idea)"} -Query = (Process.CommandLine like r"%Get-WmiObject%" or Process.CommandLine like r"%gwmi%" or Process.CommandLine like r"%Get-CimInstance%" or Process.CommandLine like r"%gcim%") and Process.CommandLine like r"%Win32\_ShadowCopy%" and (Process.CommandLine like r"%.Delete()%" or Process.CommandLine like r"%Remove-WmiObject%" or Process.CommandLine like r"%rwmi%" or Process.CommandLine like r"%Remove-CimInstance%" or 
Process.CommandLine like r"%rcim%") +Annotation = {"mitre_attack": ["T1485"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Name == "sdelete.exe" and not (Process.Path like r"%\\sdelete.exe" or Process.Path like r"%\\sdelete64.exe") [ThreatDetectionRule platform=Windows] -# Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library -# Author: Greg (rule) -RuleId = ec8c4047-fad9-416a-8c81-0f479353d7f6 -RuleName = Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE -EventType = Image.Load -Tag = diagnostic-library-sdiageng.dll-loaded-by-msdt.exe +# Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation +# Author: Florian Roth (Nextron Systems) +RuleId = 1a42dfa6-6cb2-4df9-9b48-295be477e835 +RuleName = Vulnerable WinRing0 Driver Load +EventType = Driver.Load +Tag = vulnerable-winring0-driver-load RiskScore = 75 -Annotation = {"mitre_attack": ["T1202"], "author": "Greg (rule)"} -Query = Process.Path like r"%\\msdt.exe" and Image.Path like r"%\\sdiageng.dll" +Annotation = {"mitre_attack": ["T1543.003"], "author": "Florian Roth (Nextron Systems)"} +Query = Image.Hashes like r"%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%" or Image.Path like r"%\\WinRing0x64.sys" or Image.Path like r"%\\WinRing0.sys" or Image.Path like r"%\\WinRing0.dll" or Image.Path like r"%\\WinRing0x64.dll" or Image.Path like r"%\\winring00x64.sys" GenericProperty1 = Image.Path +GenericProperty2 = Image.Hashes [ThreatDetectionRule platform=Windows] -# Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe -# Author: Tim Shelton -RuleId = 002bdb95-0cf1-46a6-9e08-d38c128a6127 -RuleName = WScript or CScript Dropper - File -EventType = File.Create -Tag = wscript-or-cscript-dropper-file +# Detects tampering of RDP Terminal Service/Server sensitive settings. 
+# Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc +# Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali +RuleId = 3f6b7b62-61aa-45db-96bd-9c31b36b653c +RuleName = RDP Sensitive Settings Changed +EventType = Reg.Any +Tag = rdp-sensitive-settings-changed RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.005", "T1059.007"], "author": "Tim Shelton"} -Query = (Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (File.Path like r"C:\\Users\\%" or File.Path like r"C:\\ProgramData%") and (File.Path like r"%.jse" or File.Path like r"%.vbe" or File.Path like r"%.js" or File.Path like r"%.vba" or File.Path like r"%.vbs") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1112"], "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali"} +Query = (Reg.TargetObject like r"%\\Control\\Terminal Server\\%" or Reg.TargetObject like r"%\\Windows NT\\Terminal Services\\%") and Reg.TargetObject like r"%\\Shadow" and (Reg.Value.Data in ["DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)"]) or (Reg.TargetObject like r"%\\Control\\Terminal Server\\%" or Reg.TargetObject like r"%\\Windows NT\\Terminal Services\\%") and (Reg.TargetObject like r"%\\DisableRemoteDesktopAntiAlias" or Reg.TargetObject like r"%\\DisableSecuritySettings" or Reg.TargetObject like r"%\\fAllowUnsolicited" or Reg.TargetObject like r"%\\fAllowUnsolicitedFullControl") and Reg.Value.Data == "DWORD (0x00000001)" or Reg.TargetObject like r"%\\Control\\Terminal Server\\InitialProgram%" or Reg.TargetObject like r"%\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram%" or Reg.TargetObject like r"%\\services\\TermService\\Parameters\\ServiceDll%" or Reg.TargetObject like r"%\\Windows NT\\Terminal Services\\InitialProgram%" +Hive = HKLM,HKU +GenericProperty1 = 
Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 2f869d59-7f6a-4931-992c-cce556ff2d53 -RuleName = Potential Adplus.EXE Abuse +# Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). +# Usually this technique is used to achieve UAC bypass or privilege escalation. +# Author: Nasreddine Bencherchali (Nextron Systems), SBousseaden +RuleId = 6b98b92b-4f00-4f62-b4fe-4d1920215771 +RuleName = Potential DLL Sideloading Of Non-Existent DLLs From System Folders +EventType = Image.Load +Tag = potential-dll-sideloading-of-non-existent-dlls-from-system-folders +RiskScore = 75 +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems), SBousseaden"} +Query = (Image.Path like r"%:\\Windows\\System32\\TSMSISrv.dll" or Image.Path like r"%:\\Windows\\System32\\TSVIPSrv.dll" or Image.Path like r"%:\\Windows\\System32\\wbem\\wbemcomn.dll" or Image.Path like r"%:\\Windows\\System32\\WLBSCTRL.dll" or Image.Path like r"%:\\Windows\\System32\\wow64log.dll" or Image.Path like r"%:\\Windows\\System32\\WptsExtensions.dll") and not (Image.IsSigned == "true" and Image.SignatureStatus == "Valid" and Image.Signature == "Microsoft Windows") +GenericProperty1 = Image.Path +GenericProperty2 = Image.IsSigned +GenericProperty3 = Image.Signature +GenericProperty4 = Image.SignatureStatus + + +[ThreatDetectionRule platform=Windows] +# Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember". 
+# Author: Florian Roth (Nextron Systems) +RuleId = ffa28e60-bdb1-46e0-9f82-05f7a61cc06e +RuleName = User Added to Remote Desktop Users Group EventType = Process.Start -Tag = proc-start-potential-adplus.exe-abuse +Tag = proc-start-user-added-to-remote-desktop-users-group RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\adplus.exe" or Process.Name == "Adplus.exe") and (Process.CommandLine like r"% -hang %" or Process.CommandLine like r"% -pn %" or Process.CommandLine like r"% -pmn %" or Process.CommandLine like r"% -p %" or Process.CommandLine like r"% -po %" or Process.CommandLine like r"% -c %" or Process.CommandLine like r"% -sc %") +Annotation = {"mitre_attack": ["T1133", "T1136.001", "T1021.001"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.CommandLine like r"%localgroup %" and Process.CommandLine like r"% /add%" or Process.CommandLine like r"%Add-LocalGroupMember %" and Process.CommandLine like r"% -Group %") and (Process.CommandLine like r"%Remote Desktop Users%" or Process.CommandLine like r"%Utilisateurs du Bureau à distance%" or Process.CommandLine like r"%Usuarios de escritorio remoto%") [ThreatDetectionRule platform=Windows] -# Detects files dropped by Winnti as described in RedMimicry Winnti playbook +# Detects actions caused by the RedMimicry Winnti playbook # Author: Alexander Rausch -RuleId = 130c9e58-28ac-4f83-8574-0a4cc913b97e -RuleName = Potential Winnti Dropper Activity -EventType = File.Create -Tag = potential-winnti-dropper-activity +RuleId = 5b175490-b652-4b02-b1de-5b5b4083c5f8 +RuleName = RedMimicry Winnti Playbook Registry Manipulation +EventType = Reg.Any +Tag = redmimicry-winnti-playbook-registry-manipulation RiskScore = 75 -Annotation = {"mitre_attack": ["T1027"], "author": "Alexander Rausch"} -Query = File.Path like r"%\\gthread-3.6.dll" or File.Path like r"%\\sigcmm-2.4.dll" or File.Path like r"%\\Windows\\Temp\\tmp.bat" 
-GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1112"], "author": "Alexander Rausch"} +Query = Reg.TargetObject like r"%HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects base64 encoded strings used in hidden malicious PowerShell command lines -# Author: John Lambert (rule) -RuleId = f26c6093-6f14-4b12-800f-0fcb46f5ffd0 -RuleName = Malicious Base64 Encoded PowerShell Keywords in Command Lines -EventType = Process.Start -Tag = proc-start-malicious-base64-encoded-powershell-keywords-in-command-lines +# Running Chrome VPN Extensions via the Registry install 2 vpn extension +# Author: frack113 +RuleId = b64a026b-8deb-4c1d-92fd-98893209dff1 +RuleName = Running Chrome VPN Extensions via the Registry 2 VPN Extension +EventType = Reg.Any +Tag = running-chrome-vpn-extensions-via-the-registry-2-vpn-extension RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "John Lambert (rule)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and Process.CommandLine like r"% hidden %" and (Process.CommandLine like r"%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%" or Process.CommandLine like r"%aXRzYWRtaW4gL3RyYW5zZmVy%" or Process.CommandLine like r"%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%" or Process.CommandLine like r"%JpdHNhZG1pbiAvdHJhbnNmZX%" or Process.CommandLine like r"%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%" or Process.CommandLine like r"%Yml0c2FkbWluIC90cmFuc2Zlc%" or Process.CommandLine like r"%AGMAaAB1AG4AawBfAHMAaQB6AGUA%" or Process.CommandLine like r"%JABjAGgAdQBuAGsAXwBzAGkAegBlA%" or Process.CommandLine like r"%JGNodW5rX3Npem%" or Process.CommandLine like r"%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%" or Process.CommandLine like r"%RjaHVua19zaXpl%" or Process.CommandLine like r"%Y2h1bmtfc2l6Z%" or Process.CommandLine like 
r"%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%" or Process.CommandLine like r"%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%" or Process.CommandLine like r"%lPLkNvbXByZXNzaW9u%" or Process.CommandLine like r"%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%" or Process.CommandLine like r"%SU8uQ29tcHJlc3Npb2%" or Process.CommandLine like r"%Ty5Db21wcmVzc2lvb%" or Process.CommandLine like r"%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%" or Process.CommandLine like r"%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%" or Process.CommandLine like r"%lPLk1lbW9yeVN0cmVhb%" or Process.CommandLine like r"%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%" or Process.CommandLine like r"%SU8uTWVtb3J5U3RyZWFt%" or Process.CommandLine like r"%Ty5NZW1vcnlTdHJlYW%" or Process.CommandLine like r"%4ARwBlAHQAQwBoAHUAbgBrA%" or Process.CommandLine like r"%5HZXRDaHVua%" or Process.CommandLine like r"%AEcAZQB0AEMAaAB1AG4Aaw%" or Process.CommandLine like r"%LgBHAGUAdABDAGgAdQBuAGsA%" or Process.CommandLine like r"%LkdldENodW5r%" or Process.CommandLine like r"%R2V0Q2h1bm%" or Process.CommandLine like r"%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%" or Process.CommandLine like r"%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%" or Process.CommandLine like r"%RIUkVBRF9JTkZPNj%" or Process.CommandLine like r"%SFJFQURfSU5GTzY0%" or Process.CommandLine like r"%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%" or Process.CommandLine like r"%VEhSRUFEX0lORk82N%" or Process.CommandLine like r"%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%" or Process.CommandLine like r"%cmVhdGVSZW1vdGVUaHJlYW%" or Process.CommandLine like r"%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%" or Process.CommandLine like r"%NyZWF0ZVJlbW90ZVRocmVhZ%" or Process.CommandLine like r"%Q3JlYXRlUmVtb3RlVGhyZWFk%" or Process.CommandLine like r"%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%" or Process.CommandLine like r"%0AZQBtAG0AbwB2AGUA%" or Process.CommandLine like r"%1lbW1vdm%" or Process.CommandLine like r"%AGUAbQBtAG8AdgBlA%" or Process.CommandLine like r"%bQBlAG0AbQBvAHYAZQ%" or 
Process.CommandLine like r"%bWVtbW92Z%" or Process.CommandLine like r"%ZW1tb3Zl%") +Annotation = {"mitre_attack": ["T1133"], "author": "frack113"} +Query = Reg.TargetObject like r"%Software\\Wow6432Node\\Google\\Chrome\\Extensions%" and Reg.TargetObject like r"%update\_url" and (Reg.TargetObject like r"%fdcgdnkidjaadafnichfpabhfomcebme%" or Reg.TargetObject like r"%fcfhplploccackoneaefokcmbjfbkenj%" or Reg.TargetObject like r"%bihmplhobchoageeokmgbdihknkjbknd%" or Reg.TargetObject like r"%gkojfkhlekighikafcpjkiklfbnlmeio%" or Reg.TargetObject like r"%jajilbjjinjmgcibalaakngmkilboobh%" or Reg.TargetObject like r"%gjknjjomckknofjidppipffbpoekiipm%" or Reg.TargetObject like r"%nabbmpekekjknlbkgpodfndbodhijjem%" or Reg.TargetObject like r"%kpiecbcckbofpmkkkdibbllpinceiihk%" or Reg.TargetObject like r"%nlbejmccbhkncgokjcmghpfloaajcffj%" or Reg.TargetObject like r"%omghfjlpggmjjaagoclmmobgdodcjboh%" or Reg.TargetObject like r"%bibjcjfmgapbfoljiojpipaooddpkpai%" or Reg.TargetObject like r"%mpcaainmfjjigeicjnlkdfajbioopjko%" or Reg.TargetObject like r"%jljopmgdobloagejpohpldgkiellmfnc%" or Reg.TargetObject like r"%lochiccbgeohimldjooaakjllnafhaid%" or Reg.TargetObject like r"%nhnfcgpcbfclhfafjlooihdfghaeinfc%" or Reg.TargetObject like r"%ookhnhpkphagefgdiemllfajmkdkcaim%" or Reg.TargetObject like r"%namfblliamklmeodpcelkokjbffgmeoo%" or Reg.TargetObject like r"%nbcojefnccbanplpoffopkoepjmhgdgh%" or Reg.TargetObject like r"%majdfhpaihoncoakbjgbdhglocklcgno%" or Reg.TargetObject like r"%lnfdmdhmfbimhhpaeocncdlhiodoblbd%" or Reg.TargetObject like r"%eppiocemhmnlbhjplcgkofciiegomcon%" or Reg.TargetObject like r"%cocfojppfigjeefejbpfmedgjbpchcng%" or Reg.TargetObject like r"%foiopecknacmiihiocgdjgbjokkpkohc%" or Reg.TargetObject like r"%hhdobjgopfphlmjbmnpglhfcgppchgje%" or Reg.TargetObject like r"%jgbaghohigdbgbolncodkdlpenhcmcge%" or Reg.TargetObject like r"%inligpkjkhbpifecbdjhmdpcfhnlelja%" or Reg.TargetObject like r"%higioemojdadgdbhbbbkfbebbdlfjbip%" or Reg.TargetObject 
like r"%hipncndjamdcmphkgngojegjblibadbe%" or Reg.TargetObject like r"%iolonopooapdagdemdoaihahlfkncfgg%" or Reg.TargetObject like r"%nhfjkakglbnnpkpldhjmpmmfefifedcj%" or Reg.TargetObject like r"%jpgljfpmoofbmlieejglhonfofmahini%" or Reg.TargetObject like r"%fgddmllnllkalaagkghckoinaemmogpe%" or Reg.TargetObject like r"%ejkaocphofnobjdedneohbbiilggdlbi%" or Reg.TargetObject like r"%keodbianoliadkoelloecbhllnpiocoi%" or Reg.TargetObject like r"%hoapmlpnmpaehilehggglehfdlnoegck%" or Reg.TargetObject like r"%poeojclicodamonabcabmapamjkkmnnk%" or Reg.TargetObject like r"%dfkdflfgjdajbhocmfjolpjbebdkcjog%" or Reg.TargetObject like r"%kcdahmgmaagjhocpipbodaokikjkampi%" or Reg.TargetObject like r"%klnkiajpmpkkkgpgbogmcgfjhdoljacg%" or Reg.TargetObject like r"%lneaocagcijjdpkcabeanfpdbmapcjjg%" or Reg.TargetObject like r"%pgfpignfckbloagkfnamnolkeaecfgfh%" or Reg.TargetObject like r"%jplnlifepflhkbkgonidnobkakhmpnmh%" or Reg.TargetObject like r"%jliodmnojccaloajphkingdnpljdhdok%" or Reg.TargetObject like r"%hnmpcagpplmpfojmgmnngilcnanddlhb%" or Reg.TargetObject like r"%ffbkglfijbcbgblgflchnbphjdllaogb%" or Reg.TargetObject like r"%kcndmbbelllkmioekdagahekgimemejo%" or Reg.TargetObject like r"%jdgilggpfmjpbodmhndmhojklgfdlhob%" or Reg.TargetObject like r"%bihhflimonbpcfagfadcnbbdngpopnjb%" or Reg.TargetObject like r"%ppajinakbfocjfnijggfndbdmjggcmde%" or Reg.TargetObject like r"%oofgbpoabipfcfjapgnbbjjaenockbdp%" or Reg.TargetObject like r"%bhnhkdgoefpmekcgnccpnhjfdgicfebm%" or Reg.TargetObject like r"%knmmpciebaoojcpjjoeonlcjacjopcpf%" or Reg.TargetObject like r"%dhadilbmmjiooceioladdphemaliiobo%" or Reg.TargetObject like r"%jedieiamjmoflcknjdjhpieklepfglin%" or Reg.TargetObject like r"%mhngpdlhojliikfknhfaglpnddniijfh%" or Reg.TargetObject like r"%omdakjcmkglenbhjadbccaookpfjihpa%" or Reg.TargetObject like r"%npgimkapccfidfkfoklhpkgmhgfejhbj%" or Reg.TargetObject like r"%akeehkgglkmpapdnanoochpfmeghfdln%" or Reg.TargetObject like r"%gbmdmipapolaohpinhblmcnpmmlgfgje%" or 
Reg.TargetObject like r"%aigmfoeogfnljhnofglledbhhfegannp%" or Reg.TargetObject like r"%cgojmfochfikphincbhokimmmjenhhgk%" or Reg.TargetObject like r"%ficajfeojakddincjafebjmfiefcmanc%" or Reg.TargetObject like r"%ifnaibldjfdmaipaddffmgcmekjhiloa%" or Reg.TargetObject like r"%jbnmpdkcfkochpanomnkhnafobppmccn%" or Reg.TargetObject like r"%apcfdffemoinopelidncddjbhkiblecc%" or Reg.TargetObject like r"%mjolnodfokkkaichkcjipfgblbfgojpa%" or Reg.TargetObject like r"%oifjbnnafapeiknapihcmpeodaeblbkn%" or Reg.TargetObject like r"%plpmggfglncceinmilojdkiijhmajkjh%" or Reg.TargetObject like r"%mjnbclmflcpookeapghfhapeffmpodij%" or Reg.TargetObject like r"%bblcccknbdbplgmdjnnikffefhdlobhp%" or Reg.TargetObject like r"%aojlhgbkmkahabcmcpifbolnoichfeep%" or Reg.TargetObject like r"%lcmammnjlbmlbcaniggmlejfjpjagiia%" or Reg.TargetObject like r"%knajdeaocbpmfghhmijicidfcmdgbdpm%" or Reg.TargetObject like r"%bdlcnpceagnkjnjlbbbcepohejbheilk%" or Reg.TargetObject like r"%edknjdjielmpdlnllkdmaghlbpnmjmgb%" or Reg.TargetObject like r"%eidnihaadmmancegllknfbliaijfmkgo%" or Reg.TargetObject like r"%ckiahbcmlmkpfiijecbpflfahoimklke%" or Reg.TargetObject like r"%macdlemfnignjhclfcfichcdhiomgjjb%" or Reg.TargetObject like r"%chioafkonnhbpajpengbalkececleldf%" or Reg.TargetObject like r"%amnoibeflfphhplmckdbiajkjaoomgnj%" or Reg.TargetObject like r"%llbhddikeonkpbhpncnhialfbpnilcnc%" or Reg.TargetObject like r"%pcienlhnoficegnepejpfiklggkioccm%" or Reg.TargetObject like r"%iocnglnmfkgfedpcemdflhkchokkfeii%" or Reg.TargetObject like r"%igahhbkcppaollcjeaaoapkijbnphfhb%" or Reg.TargetObject like r"%njpmifchgidinihmijhcfpbdmglecdlb%" or Reg.TargetObject like r"%ggackgngljinccllcmbgnpgpllcjepgc%" or Reg.TargetObject like r"%kchocjcihdgkoplngjemhpplmmloanja%" or Reg.TargetObject like r"%bnijmipndnicefcdbhgcjoognndbgkep%" or Reg.TargetObject like r"%lklekjodgannjcccdlbicoamibgbdnmi%" or Reg.TargetObject like r"%dbdbnchagbkhknegmhgikkleoogjcfge%" or Reg.TargetObject like 
r"%egblhcjfjmbjajhjhpmnlekffgaemgfh%" or Reg.TargetObject like r"%ehbhfpfdkmhcpaehaooegfdflljcnfec%" or Reg.TargetObject like r"%bkkgdjpomdnfemhhkalfkogckjdkcjkg%" or Reg.TargetObject like r"%almalgbpmcfpdaopimbdchdliminoign%" or Reg.TargetObject like r"%akkbkhnikoeojlhiiomohpdnkhbkhieh%" or Reg.TargetObject like r"%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%" or Reg.TargetObject like r"%bniikohfmajhdcffljgfeiklcbgffppl%" or Reg.TargetObject like r"%lejgfmmlngaigdmmikblappdafcmkndb%" or Reg.TargetObject like r"%ffhhkmlgedgcliajaedapkdfigdobcif%" or Reg.TargetObject like r"%gcknhkkoolaabfmlnjonogaaifnjlfnp%" or Reg.TargetObject like r"%pooljnboifbodgifngpppfklhifechoe%" or Reg.TargetObject like r"%fjoaledfpmneenckfbpdfhkmimnjocfa%" or Reg.TargetObject like r"%aakchaleigkohafkfjfjbblobjifikek%" or Reg.TargetObject like r"%dpplabbmogkhghncfbfdeeokoefdjegm%" or Reg.TargetObject like r"%padekgcemlokbadohgkifijomclgjgif%" or Reg.TargetObject like r"%bfidboloedlamgdmenmlbipfnccokknp%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. -# Author: Aaron Stratton -RuleId = 551d9c1f-816c-445b-a7a6-7a3864720d60 -RuleName = Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp +# Detects potential malicious modification of the property value of IsCredGuardEnabled from +# HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. +# This is usually used with UseLogonCredential to manipulate the caching credentials. 
+# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = 1a2d6c47-75b0-45bd-b133-2c0be75349fd +RuleName = Wdigest CredGuard Registry Modification +EventType = Reg.Any +Tag = wdigest-credguard-registry-modification +RiskScore = 75 +Annotation = {"mitre_attack": ["T1112"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = Reg.TargetObject like r"%\\IsCredGuardEnabled" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject + + +[ThreatDetectionRule platform=Windows] +# Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system +# Author: Florian Roth (Nextron Systems) +RuleId = 4ebc877f-4612-45cb-b3a5-8e3834db36c9 +RuleName = Webshell Hacking Activity Patterns EventType = Process.Start -Tag = proc-start-potential-excel.exe-dcom-lateral-movement-via-activatemicrosoftapp +Tag = proc-start-webshell-hacking-activity-patterns RiskScore = 75 -Annotation = {"mitre_attack": ["T1021.003"], "author": "Aaron Stratton"} -Query = Parent.Path like r"%\\excel.exe" and (Process.Name in ["foxprow.exe", "schdplus.exe", "winproj.exe"] or Process.Path like r"%\\foxprow.exe" or Process.Path like r"%\\schdplus.exe" or Process.Path like r"%\\winproj.exe") +Annotation = {"mitre_attack": ["T1505.003", "T1018", "T1033", "T1087"], "author": "Florian Roth (Nextron Systems)"} +Query = (Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\ws\_tomcatservice.exe" or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%") or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Process.CommandLine like r"%catalina.jar%" or Process.CommandLine like r"%CATALINA\_HOME%")) and 
(Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%comsvcs%" or Process.CommandLine like r"% -hp%" and Process.CommandLine like r"% a %" and Process.CommandLine like r"% -m%" or Process.CommandLine like r"%net%" and Process.CommandLine like r"% user %" and Process.CommandLine like r"% /add%" or Process.CommandLine like r"%net%" and Process.CommandLine like r"% localgroup %" and Process.CommandLine like r"% administrators %" and Process.CommandLine like r"%/add%" or Process.Path like r"%\\ntdsutil.exe" or Process.Path like r"%\\ldifde.exe" or Process.Path like r"%\\adfind.exe" or Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\Nanodump.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\fsutil.exe" or Process.CommandLine like r"% -decode %" or Process.CommandLine like r"% -NoP %" or Process.CommandLine like r"% -W Hidden %" or Process.CommandLine like r"% /decode %" or Process.CommandLine like r"% /ticket:%" or Process.CommandLine like r"% sekurlsa%" or Process.CommandLine like r"%.dmp full%" or Process.CommandLine like r"%.downloadfile(%" or Process.CommandLine like r"%.downloadstring(%" or Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"%process call create%" or Process.CommandLine like r"%reg save %" or Process.CommandLine like r"%whoami /priv%") GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. -# Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges. -# Author: X__Junior (Nextron Systems) -RuleId = ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99 -RuleName = Wusa.EXE Executed By Parent Process Located In Suspicious Location +# Identifies use of Fodhelper.exe to bypass User Account Control. 
Adversaries use this technique to execute privileged processes. +# Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community +RuleId = 7f741dcf-fc22-4759-87b4-9ae8376676a2 +RuleName = Bypass UAC via Fodhelper.exe EventType = Process.Start -Tag = proc-start-wusa.exe-executed-by-parent-process-located-in-suspicious-location +Tag = proc-start-bypass-uac-via-fodhelper.exe RiskScore = 75 -Annotation = {"author": "X__Junior (Nextron Systems)"} -Query = Process.Path like r"%\\wusa.exe" and (Parent.Path like r"%:\\Perflogs\\%" or Parent.Path like r"%:\\Users\\Public\\%" or Parent.Path like r"%:\\Windows\\Temp\\%" or Parent.Path like r"%\\Appdata\\Local\\Temp\\%" or Parent.Path like r"%\\Temporary Internet%" or Parent.Path like r"%:\\Users\\%" and Parent.Path like r"%\\Favorites\\%" or Parent.Path like r"%:\\Users\\%" and Parent.Path like r"%\\Favourites\\%" or Parent.Path like r"%:\\Users\\%" and Parent.Path like r"%\\Contacts\\%" or Parent.Path like r"%:\\Users\\%" and Parent.Path like r"%\\Pictures\\%") and not Process.CommandLine like r"%.msu%" +Annotation = {"mitre_attack": ["T1548.002"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community"} +Query = Parent.Path like r"%\\fodhelper.exe" GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects changes to the registry for the currently logged-in user. 
In order to disable PowerShell module logging, script block logging or transcription and script execution logging -# Author: frack113 -RuleId = fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7 -RuleName = PowerShell Logging Disabled Via Registry Key Tampering -EventType = Reg.Any -Tag = powershell-logging-disabled-via-registry-key-tampering +# Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab) +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 9c8c7000-3065-44a8-a555-79bcba5d9955 +RuleName = Execute MSDT Via Answer File +EventType = Process.Start +Tag = proc-start-execute-msdt-via-answer-file RiskScore = 75 -Annotation = {"mitre_attack": ["T1564.001"], "author": "frack113"} -Query = (Reg.TargetObject like r"%\\Microsoft\\Windows\\PowerShell\\%" or Reg.TargetObject like r"%\\Microsoft\\PowerShellCore\\%") and (Reg.TargetObject like r"%\\ModuleLogging\\EnableModuleLogging" or Reg.TargetObject like r"%\\ScriptBlockLogging\\EnableScriptBlockLogging" or Reg.TargetObject like r"%\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging" or Reg.TargetObject like r"%\\Transcription\\EnableTranscripting" or Reg.TargetObject like r"%\\Transcription\\EnableInvocationHeader" or Reg.TargetObject like r"%\\EnableScripts") and Reg.Value.Data == "DWORD (0x00000000)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\msdt.exe" and Process.CommandLine like r"%\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml%" and (Process.CommandLine like r"% -af %" or Process.CommandLine like r"% /af %") and not Parent.Path like r"%\\pcwrun.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of a renamed "Msdt.exe" binary -# Author: pH-T (Nextron Systems) -RuleId = 
bd1c6866-65fc-44b2-be51-5588fcff82b9 -RuleName = Renamed Msdt.EXE Execution +# Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation +# Author: Florian Roth (Nextron Systems) +RuleId = 023394c4-29d5-46ab-92b8-6a534c6f447b +RuleName = Suspicious HWP Sub Processes EventType = Process.Start -Tag = proc-start-renamed-msdt.exe-execution +Tag = proc-start-suspicious-hwp-sub-processes RiskScore = 75 -Annotation = {"mitre_attack": ["T1036.003"], "author": "pH-T (Nextron Systems)"} -Query = Process.Name == "msdt.exe" and not Process.Path like r"%\\msdt.exe" +Annotation = {"mitre_attack": ["T1566.001", "T1203", "T1059.003"], "author": "Florian Roth (Nextron Systems)"} +Query = Parent.Path like r"%\\Hwp.exe" and Process.Path like r"%\\gbb.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious command lines used in Covenant luanchers -# Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community -RuleId = c260b6db-48ba-4b4a-a76f-2f67644e99d2 -RuleName = HackTool - Covenant PowerShell Launcher +# Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. +# RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. 
+# This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise +# Author: frack113 +RuleId = 28ac00d6-22d9-4a3c-927f-bbd770104573 +RuleName = RestrictedAdminMode Registry Value Tampering - ProcCreation EventType = Process.Start -Tag = proc-start-hacktool-covenant-powershell-launcher +Tag = proc-start-restrictedadminmode-registry-value-tampering-proccreation RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001", "T1564.003"], "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community"} -Query = Process.CommandLine like r"%-Sta%" and Process.CommandLine like r"%-Nop%" and Process.CommandLine like r"%-Window%" and Process.CommandLine like r"%Hidden%" and (Process.CommandLine like r"%-Command%" or Process.CommandLine like r"%-EncodedCommand%") or Process.CommandLine like r"%sv o (New-Object IO.MemorySteam);sv d %" or Process.CommandLine like r"%mshta file.hta%" or Process.CommandLine like r"%GruntHTTP%" or Process.CommandLine like r"%-EncodedCommand cwB2ACAAbwAgA%" +Annotation = {"mitre_attack": ["T1112"], "author": "frack113"} +Query = Process.CommandLine like r"%\\System\\CurrentControlSet\\Control\\Lsa\\%" and Process.CommandLine like r"%DisableRestrictedAdmin%" [ThreatDetectionRule platform=Windows] -# Execution of plink to perform data exfiltration and tunneling -# Author: Florian Roth (Nextron Systems) -RuleId = f38ce0b9-5e97-4b47-a211-7dc8d8b871da -RuleName = Potential RDP Tunneling Via Plink -EventType = Process.Start -Tag = proc-start-potential-rdp-tunneling-via-plink +# Detects the installation of a new shim database where the file is located in a non-default location +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 6b6976a3-b0e6-4723-ac24-ae38a737af41 +RuleName = Potential Persistence Via Shim Database In Uncommon Location +EventType = Reg.Any +Tag = potential-persistence-via-shim-database-in-uncommon-location RiskScore = 75 -Annotation = 
{"mitre_attack": ["T1572"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\plink.exe" and Process.CommandLine like r"%:127.0.0.1:3389%" or Process.Path like r"%\\plink.exe" and Process.CommandLine like r"%:3389%" and (Process.CommandLine like r"% -P 443%" or Process.CommandLine like r"% -P 22%") +Annotation = {"mitre_attack": ["T1546.011"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\%" and Reg.TargetObject like r"%\\DatabasePath%" and not Reg.Value.Data like r"%:\\Windows\\AppPatch\\Custom%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Well-known DNS Exfiltration tools execution -# Author: Daniil Yugoslavskiy, oscd.community -RuleId = 98a96a5a-64a0-4c42-92c5-489da3866cb0 -RuleName = DNS Exfiltration and Tunneling Tools Execution +# Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti. 
+# Author: Sittikorn S +RuleId = 643bdcac-8b82-49f4-9fd9-25a90b929f3b +RuleName = Renamed MegaSync Execution EventType = Process.Start -Tag = proc-start-dns-exfiltration-and-tunneling-tools-execution +Tag = proc-start-renamed-megasync-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1048.001", "T1071.004", "T1132.001"], "author": "Daniil Yugoslavskiy, oscd.community"} -Query = Process.Path like r"%\\iodine.exe" or Process.Path like r"%\\dnscat2%" +Annotation = {"mitre_attack": ["T1218"], "author": "Sittikorn S"} +Query = Process.Name == "megasync.exe" and not Process.Path like r"%\\megasync.exe" [ThreatDetectionRule platform=Windows] -# Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM +# Detects requests to disable Microsoft Defender features using PowerShell commands # Author: Florian Roth (Nextron Systems) -RuleId = 9fff585c-c33e-4a86-b3cd-39312079a65f -RuleName = Taskmgr as LOCAL_SYSTEM +RuleId = 1ec65a5f-9473-4f12-97da-622044d6df21 +RuleName = Powershell Defender Disable Scan Feature EventType = Process.Start -Tag = proc-start-taskmgr-as-local_system +Tag = proc-start-powershell-defender-disable-scan-feature RiskScore = 75 -Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") and Process.Path like r"%\\taskmgr.exe" -GenericProperty1 = Process.User +Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.CommandLine like r"%Add-MpPreference %" or Process.CommandLine like r"%Set-MpPreference %") and (Process.CommandLine like r"%DisableArchiveScanning %" or Process.CommandLine like r"%DisableRealtimeMonitoring %" or Process.CommandLine like r"%DisableIOAVProtection %" or Process.CommandLine like r"%DisableBehaviorMonitoring %" or Process.CommandLine like r"%DisableBlockAtFirstSeen %" or Process.CommandLine like r"%DisableCatchupFullScan %" or Process.CommandLine like 
r"%DisableCatchupQuickScan %") and (Process.CommandLine like r"%$true%" or Process.CommandLine like r"% 1 %") or Process.CommandLine like r"%ZGlzYWJsZWFyY2hpdmVzY2FubmluZy%" or Process.CommandLine like r"%Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg%" or Process.CommandLine like r"%kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI%" or Process.CommandLine like r"%RGlzYWJsZUFyY2hpdmVTY2FubmluZy%" or Process.CommandLine like r"%Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg%" or Process.CommandLine like r"%EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI%" or Process.CommandLine like r"%ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg%" or Process.CommandLine like r"%kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI%" or Process.CommandLine like r"%RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg%" or Process.CommandLine like r"%EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI%" or Process.CommandLine like r"%ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g%" or Process.CommandLine like r"%Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI%" or Process.CommandLine like r"%kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi%" or Process.CommandLine like r"%RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g%" or Process.CommandLine like r"%Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI%" or Process.CommandLine like r"%EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi%" or Process.CommandLine like r"%ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi%" or Process.CommandLine like r"%Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g%" or Process.CommandLine like r"%kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI%" or Process.CommandLine like r"%RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi%" or Process.CommandLine like r"%Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g%" or Process.CommandLine like r"%EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI%" or Process.CommandLine like r"%ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g%" or Process.CommandLine like r"%Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI%" or Process.CommandLine like r"%kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi%" or Process.CommandLine like r"%RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g%" or Process.CommandLine like 
r"%Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI%" or Process.CommandLine like r"%EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi%" or Process.CommandLine like r"%ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI%" or Process.CommandLine like r"%Rpc2FibGVpb2F2cHJvdGVjdGlvbi%" or Process.CommandLine like r"%kaXNhYmxlaW9hdnByb3RlY3Rpb24g%" or Process.CommandLine like r"%RGlzYWJsZUlPQVZQcm90ZWN0aW9uI%" or Process.CommandLine like r"%Rpc2FibGVJT0FWUHJvdGVjdGlvbi%" or Process.CommandLine like r"%EaXNhYmxlSU9BVlByb3RlY3Rpb24g%" or Process.CommandLine like r"%ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg%" or Process.CommandLine like r"%kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI%" or Process.CommandLine like r"%RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy%" or Process.CommandLine like r"%Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg%" or Process.CommandLine like r"%EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA%" or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA%" or Process.CommandLine 
like r"%EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA%" or Process.CommandLine like r"%ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA%" or Process.CommandLine like r"%QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA%" or Process.CommandLine like r"%kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA%" or Process.CommandLine like r"%RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA%" [ThreatDetectionRule platform=Windows] -# Detects the use of CoercedPotato, a tool for privilege escalation +# Detects driver load of the Process Hacker tool # Author: Florian Roth (Nextron Systems) -RuleId = e8d34729-86a4-4140-adfd-0a29c2106307 -RuleName = HackTool - CoercedPotato Execution -EventType = Process.Start -Tag = proc-start-hacktool-coercedpotato-execution +RuleId = 67add051-9ee7-4ad3-93ba-42935615ae8d +RuleName = PUA - Process Hacker Driver 
Load +EventType = Driver.Load +Tag = pua-process-hacker-driver-load RiskScore = 75 -Annotation = {"mitre_attack": ["T1055"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\CoercedPotato.exe" or Process.CommandLine like r"% --exploitId %" or Process.Hashes like r"%IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6%" or Process.Hashes like r"%IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9%" or Process.Hashes like r"%IMPHASH=14C81850A079A87E83D50CA41C709A15%" -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1543"], "author": "Florian Roth (Nextron Systems)"} +Query = Image.Path like r"%\\kprocesshacker.sys" or Image.Hashes like r"%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%" or Image.Hashes like r"%IMPHASH=F86759BB4DE4320918615DC06E998A39%" or Image.Hashes like r"%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%" or Image.Hashes like r"%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%" +GenericProperty1 = Image.Path +GenericProperty2 = Image.Hashes [ThreatDetectionRule platform=Windows] -# Detects potential persistence activity via outlook today page. -# An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl". 
-# Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand -RuleId = 487bb375-12ef-41f6-baae-c6a1572b4dd1 -RuleName = Potential Persistence Via Outlook Today Page -EventType = Reg.Any -Tag = potential-persistence-via-outlook-today-page +# Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) +# Author: Florian Roth (Nextron Systems) +RuleId = fcdf69e5-a3d3-452a-9724-26f2308bf2b1 +RuleName = Phishing Pattern ISO in Archive +EventType = Process.Start +Tag = proc-start-phishing-pattern-iso-in-archive RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand"} -Query = Reg.TargetObject like r"%Software\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Outlook\\Today\\%" and (Reg.TargetObject like r"%\\Stamp" and Reg.Value.Data == "DWORD (0x00000001)" or Reg.TargetObject like r"%\\URL" or Reg.TargetObject like r"%\\UserDefinedUrl") and not ((Process.Path like r"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\%" or Process.Path like r"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\%") and Process.Path like r"%\\OfficeClickToRun.exe") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1566"], "author": "Florian Roth (Nextron Systems)"} +Query = (Parent.Path like r"%\\Winrar.exe" or Parent.Path like r"%\\7zFM.exe" or Parent.Path like r"%\\peazip.exe") and (Process.Path like r"%\\isoburn.exe" or Process.Path like r"%\\PowerISO.exe" or Process.Path like r"%\\ImgBurn.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe 
boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = d7662ff6-9e97-4596-a61d-9839e32dee8d -RuleName = Add SafeBoot Keys Via Reg Utility +# Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). +# Might be used by ransomwares during the attack (seen by NotPetya and others). +# Author: Ecco, E.M. Anhaus, oscd.community +RuleId = add64136-62e5-48ea-807e-88638d02df1e +RuleName = Fsutil Suspicious Invocation EventType = Process.Start -Tag = proc-start-add-safeboot-keys-via-reg-utility +Tag = proc-start-fsutil-suspicious-invocation RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"%\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot%" and (Process.CommandLine like r"% copy %" or Process.CommandLine like r"% add %") +Annotation = {"mitre_attack": ["T1070", "T1485"], "author": "Ecco, E.M. Anhaus, oscd.community"} +Query = (Process.Path like r"%\\fsutil.exe" or Process.Name == "fsutil.exe") and (Process.CommandLine like r"%deletejournal%" or Process.CommandLine like r"%createjournal%" or Process.CommandLine like r"%setZeroData%") [ThreatDetectionRule platform=Windows] -# Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes -# Author: pH-T (Nextron Systems) -RuleId = 065cceea-77ec-4030-9052-fc0affea7110 -RuleName = DNS Query for Anonfiles.com Domain - Sysmon -EventType = Dns.Query -Tag = dns-query-for-anonfiles.com-domain-sysmon +# Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 +RuleName = Suspicious Response File Execution Via Odbcconf.EXE +EventType = Process.Start +Tag = proc-start-suspicious-response-file-execution-via-odbcconf.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1567.002"], "author": "pH-T (Nextron Systems)"} -Query = Dns.QueryRequest like r"%.anonfiles.com%" -GenericProperty1 = Dns.QueryRequest +Annotation = {"mitre_attack": ["T1218.008"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\odbcconf.exe" or Process.Name == "odbcconf.exe") and (Process.CommandLine like r"% -f %" or Process.CommandLine like r"% /f %" or Process.CommandLine like r"% –f %" or Process.CommandLine like r"% —f %" or Process.CommandLine like r"% ―f %") and not (Process.CommandLine like r"%.rsp%" or Parent.Path == "C:\\Windows\\System32\\runonce.exe" and Process.Path == "C:\\Windows\\System32\\odbcconf.exe" and Process.CommandLine like r"%.exe /E /F \"C:\\WINDOWS\\system32\\odbcconf.tmp\"%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects python spawning a pretty tty -# Author: Nextron Systems -RuleId = 480e7e51-e797-47e3-8d72-ebfce65b6d8d -RuleName = Python Spawning Pretty TTY on Windows +# Detects a suspicious process spawning from an Outlook process. 
+# Author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team +RuleId = 208748f7-881d-47ac-a29c-07ea84bf691d +RuleName = Suspicious Outlook Child Process EventType = Process.Start -Tag = proc-start-python-spawning-pretty-tty-on-windows +Tag = proc-start-suspicious-outlook-child-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Nextron Systems"} -Query = (Process.Path like r"%python.exe" or Process.Path like r"%python3.exe" or Process.Path like r"%python2.exe") and (Process.CommandLine like r"%import pty%" and Process.CommandLine like r"%.spawn(%" or Process.CommandLine like r"%from pty import spawn%") +Annotation = {"mitre_attack": ["T1204.002"], "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team"} +Query = Parent.Path like r"%\\OUTLOOK.EXE" and (Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\msbuild.exe" or Process.Path like r"%\\msdt.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = ebea773c-a8f1-42ad-a856-00cb221966e8 -RuleName = DLL 
Sideloading by VMware Xfer Utility +# Detects using WorkFolders.exe to execute an arbitrary control.exe +# Author: Maxime Thiebaut (@0xThiebaut) +RuleId = 0bbc6369-43e3-453d-9944-cae58821c173 +RuleName = Execution via WorkFolders.exe EventType = Process.Start -Tag = proc-start-dll-sideloading-by-vmware-xfer-utility +Tag = proc-start-execution-via-workfolders.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\VMwareXferlogs.exe" and not Process.Path like r"C:\\Program Files\\VMware\\%" +Annotation = {"mitre_attack": ["T1218"], "author": "Maxime Thiebaut (@0xThiebaut)"} +Query = Process.Path like r"%\\control.exe" and Parent.Path like r"%\\WorkFolders.exe" and not Process.Path == "C:\\Windows\\System32\\control.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder -# Author: Max Altgelt (Nextron Systems) -RuleId = fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4 -RuleName = Execution of Powershell Script in Public Folder +# Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation. 
+# Author: frack113 +RuleId = cafeeba3-01da-4ab4-b6c4-a31b1d9730c7 +RuleName = PrintBrm ZIP Creation of Extraction EventType = Process.Start -Tag = proc-start-execution-of-powershell-script-in-public-folder +Tag = proc-start-printbrm-zip-creation-of-extraction RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Max Altgelt (Nextron Systems)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%-f C:\\Users\\Public%" or Process.CommandLine like r"%-f \"C:\\Users\\Public%" or Process.CommandLine like r"%-f \%Public\%%" or Process.CommandLine like r"%-fi C:\\Users\\Public%" or Process.CommandLine like r"%-fi \"C:\\Users\\Public%" or Process.CommandLine like r"%-fi \%Public\%%" or Process.CommandLine like r"%-fil C:\\Users\\Public%" or Process.CommandLine like r"%-fil \"C:\\Users\\Public%" or Process.CommandLine like r"%-fil \%Public\%%" or Process.CommandLine like r"%-file C:\\Users\\Public%" or Process.CommandLine like r"%-file \"C:\\Users\\Public%" or Process.CommandLine like r"%-file \%Public\%%") +Annotation = {"mitre_attack": ["T1105", "T1564.004"], "author": "frack113"} +Query = Process.Path like r"%\\PrintBrm.exe" and Process.CommandLine like r"% -f%" and Process.CommandLine like r"%.zip%" [ThreatDetectionRule platform=Windows] -# Shadow Copies deletion using operating systems utilities -# Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) -RuleId = c947b146-0abc-4c87-9c64-b17e9d7274a2 -RuleName = Shadow Copies Deletion Using Operating Systems Utilities +# Detects Obfuscated Powershell via use Clip.exe in Scripts +# Author: Nikita Nazarov, oscd.community +RuleId = e1561947-b4e3-4a74-9bdd-83baed21bdb5 +RuleName = Invoke-Obfuscation Via Use Clip EventType = Process.Start -Tag = proc-start-shadow-copies-deletion-using-operating-systems-utilities +Tag = 
proc-start-invoke-obfuscation-via-use-clip RiskScore = 75 -Annotation = {"mitre_attack": ["T1070", "T1490"], "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\vssadmin.exe" or Process.Path like r"%\\diskshadow.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe"]) and Process.CommandLine like r"%shadow%" and Process.CommandLine like r"%delete%" or (Process.Path like r"%\\wbadmin.exe" or Process.Name == "WBADMIN.EXE") and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%catalog%" and Process.CommandLine like r"%quiet%" or (Process.Path like r"%\\vssadmin.exe" or Process.Name == "VSSADMIN.EXE") and Process.CommandLine like r"%resize%" and Process.CommandLine like r"%shadowstorage%" and (Process.CommandLine like r"%unbounded%" or Process.CommandLine like r"%/MaxSize=%") +Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Nikita Nazarov, oscd.community"} +Query = Process.CommandLine regex "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)" [ThreatDetectionRule platform=Windows] -# The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule. -# Author: Thomas Patzke -RuleId = 6f8b3439-a203-45dc-a88b-abf57ea15ccf -RuleName = HackTool - CrackMapExec PowerShell Obfuscation +# Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. +# This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = c6c56ada-612b-42d1-9a29-adad3c5c2c1e +RuleName = Audit Policy Tampering Via NT Resource Kit Auditpol EventType = Process.Start -Tag = proc-start-hacktool-crackmapexec-powershell-obfuscation +Tag = proc-start-audit-policy-tampering-via-nt-resource-kit-auditpol RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001", "T1027.005"], "author": "Thomas Patzke"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%join%split%" or Process.CommandLine like r"%( $ShellId[1]+$ShellId[13]+'x')%" or Process.CommandLine like r"%( $PSHome[%]+$PSHOME[%]+%" or Process.CommandLine like r"%( $env:Public[13]+$env:Public[5]+'x')%" or Process.CommandLine like r"%( $env:ComSpec[4,%,25]-Join'')%" or Process.CommandLine like r"%[1,3]+'x'-Join'')%") +Annotation = {"mitre_attack": ["T1562.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%/logon:none%" or Process.CommandLine like r"%/system:none%" or Process.CommandLine like r"%/sam:none%" or Process.CommandLine like r"%/privilege:none%" or Process.CommandLine like r"%/object:none%" or Process.CommandLine like r"%/process:none%" or Process.CommandLine like r"%/policy:none%" [ThreatDetectionRule platform=Windows] -# Detects changes in Sysmon driver altitude value. -# If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. 
-# Author: B.Talebi -RuleId = 4916a35e-bfc4-47d0-8e25-a003d7067061 -RuleName = Sysmon Driver Altitude Change -EventType = Reg.Any -Tag = sysmon-driver-altitude-change +# Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 00d49ed5-4491-4271-a8db-650a4ef6f8c1 +RuleName = Suspicious Download from Office Domain +EventType = Process.Start +Tag = proc-start-suspicious-download-from-office-domain RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "B.Talebi"} -Query = Reg.TargetObject like r"%\\Services\\%" and Reg.TargetObject like r"%\\Instances\\Sysmon Instance\\Altitude" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1105", "T1608"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\curl.exe" or Process.Path like r"%\\wget.exe" or Process.CommandLine like r"%Invoke-WebRequest%" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%curl %" or Process.CommandLine like r"%wget %" or Process.CommandLine like r"%Start-BitsTransfer%" or Process.CommandLine like r"%.DownloadFile(%" or Process.CommandLine like r"%.DownloadString(%") and (Process.CommandLine like r"%https://attachment.outlook.live.net/owa/%" or Process.CommandLine like r"%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%") [ThreatDetectionRule platform=Windows] -# Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections -# Author: Florian Roth (Nextron Systems) -RuleId = fcddca7c-b9c0-4ddf-98da-e1e2d18b0157 -RuleName = Disabled Windows Defender Eventlog -EventType = Reg.Any -Tag = disabled-windows-defender-eventlog +# Detects one of the possible scenarios for disabling Symantec Endpoint Protection. 
+# Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. +# As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. +# Author: Ilya Krestinichev, Florian Roth (Nextron Systems) +RuleId = 4a6713f6-3331-11ed-a261-0242ac120002 +RuleName = Taskkill Symantec Endpoint Protection +EventType = Process.Start +Tag = proc-start-taskkill-symantec-endpoint-protection RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled%" and Reg.Value.Data == "DWORD (0x00000000)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1562.001"], "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%taskkill%" and Process.CommandLine like r"% /F %" and Process.CommandLine like r"% /IM %" and Process.CommandLine like r"%ccSvcHst.exe%" [ThreatDetectionRule platform=Windows] -# Detects a service binary running in a suspicious directory +# Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools # Author: Florian Roth (Nextron Systems) -RuleId = 883faa95-175a-4e22-8181-e5761aeb373c -RuleName = Suspicious Service Binary Directory +RuleId = efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6 +RuleName = Suspicious Program Names EventType = Process.Start -Tag = proc-start-suspicious-service-binary-directory -RiskScore = 75 -Annotation = {"mitre_attack": ["T1202"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\$Recycle.bin%" or Process.Path like r"%\\Users\\All Users\\%" or Process.Path 
like r"%\\Users\\Default\\%" or Process.Path like r"%\\Users\\Contacts\\%" or Process.Path like r"%\\Users\\Searches\\%" or Process.Path like r"%C:\\Perflogs\\%" or Process.Path like r"%\\config\\systemprofile\\%" or Process.Path like r"%\\Windows\\Fonts\\%" or Process.Path like r"%\\Windows\\IME\\%" or Process.Path like r"%\\Windows\\addins\\%") and (Parent.Path like r"%\\services.exe" or Parent.Path like r"%\\svchost.exe") -GenericProperty1 = Parent.Path - - -[ThreatDetectionRule platform=Windows] -# Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 8023f872-3f1d-4301-a384-801889917ab4 -RuleName = Usage of Renamed Sysinternals Tools - RegistrySet -EventType = Reg.Any -Tag = usage-of-renamed-sysinternals-tools-registryset +Tag = proc-start-suspicious-program-names RiskScore = 75 -Annotation = {"mitre_attack": ["T1588.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Reg.TargetObject like r"%\\PsExec%" or Reg.TargetObject like r"%\\ProcDump%" or Reg.TargetObject like r"%\\Handle%" or Reg.TargetObject like r"%\\LiveKd%" or Reg.TargetObject like r"%\\Process Explorer%" or Reg.TargetObject like r"%\\PsLoglist%" or Reg.TargetObject like r"%\\PsPasswd%" or Reg.TargetObject like r"%\\Active Directory Explorer%") and Reg.TargetObject like r"%\\EulaAccepted" and not (Process.Path like r"%\\PsExec.exe" or Process.Path like r"%\\PsExec64.exe" or Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe" or Process.Path like r"%\\handle.exe" or Process.Path like r"%\\handle64.exe" or Process.Path like r"%\\livekd.exe" or Process.Path like r"%\\livekd64.exe" or Process.Path like r"%\\procexp.exe" or Process.Path like r"%\\procexp64.exe" or Process.Path like r"%\\psloglist.exe" or Process.Path like r"%\\psloglist64.exe" or Process.Path like r"%\\pspasswd.exe" or Process.Path like r"%\\pspasswd64.exe" or 
Process.Path like r"%\\ADExplorer.exe" or Process.Path like r"%\\ADExplorer64.exe") and not isnull(Process.Path) -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\CVE-202%" or Process.Path like r"%\\CVE202%" or Process.Path like r"%\\poc.exe" or Process.Path like r"%\\artifact.exe" or Process.Path like r"%\\artifact64.exe" or Process.Path like r"%\\artifact\_protected.exe" or Process.Path like r"%\\artifact32.exe" or Process.Path like r"%\\artifact32big.exe" or Process.Path like r"%obfuscated.exe" or Process.Path like r"%obfusc.exe" or Process.Path like r"%\\meterpreter" or Process.CommandLine like r"%inject.ps1%" or Process.CommandLine like r"%Invoke-CVE%" or Process.CommandLine like r"%pupy.ps1%" or Process.CommandLine like r"%payload.ps1%" or Process.CommandLine like r"%beacon.ps1%" or Process.CommandLine like r"%PowerView.ps1%" or Process.CommandLine like r"%bypass.ps1%" or Process.CommandLine like r"%obfuscated.ps1%" or Process.CommandLine like r"%obfusc.ps1%" or Process.CommandLine like r"%obfus.ps1%" or Process.CommandLine like r"%obfs.ps1%" or Process.CommandLine like r"%evil.ps1%" or Process.CommandLine like r"%MiniDogz.ps1%" or Process.CommandLine like r"%\_enc.ps1%" or Process.CommandLine like r"%\\shell.ps1%" or Process.CommandLine like r"%\\rshell.ps1%" or Process.CommandLine like r"%revshell.ps1%" or Process.CommandLine like r"%\\av.ps1%" or Process.CommandLine like r"%\\av\_test.ps1%" or Process.CommandLine like r"%adrecon.ps1%" or Process.CommandLine like r"%mimikatz.ps1%" or Process.CommandLine like r"%\\PowerUp\_%" or Process.CommandLine like r"%powerup.ps1%" or Process.CommandLine like r"%\\Temp\\a.ps1%" or Process.CommandLine like r"%\\Temp\\p.ps1%" or Process.CommandLine like r"%\\Temp\\1.ps1%" or Process.CommandLine like r"%Hound.ps1%" or Process.CommandLine like r"%encode.ps1%" or Process.CommandLine like r"%powercat.ps1%" 
[ThreatDetectionRule platform=Windows] -# Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros. -# Author: Antonlovesdnb -RuleId = e6ce8457-68b1-485b-9bdd-3c2b5d679aa9 -RuleName = VBA DLL Loaded Via Office Application -EventType = Image.Load -Tag = vba-dll-loaded-via-office-application +# Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls +# Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t +RuleId = 6385697e-9f1b-40bd-8817-f4a91f40508e +RuleName = PowerShell Base64 Encoded Invoke Keyword +EventType = Process.Start +Tag = proc-start-powershell-base64-encoded-invoke-keyword RiskScore = 75 -Annotation = {"mitre_attack": ["T1204.002"], "author": "Antonlovesdnb"} -Query = (Process.Path like r"%\\excel.exe" or Process.Path like r"%\\mspub.exe" or Process.Path like r"%\\onenote.exe" or Process.Path like r"%\\onenoteim.exe" or Process.Path like r"%\\outlook.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\winword.exe") and (Image.Path like r"%\\VBE7.DLL" or Image.Path like r"%\\VBEUI.DLL" or Image.Path like r"%\\VBE7INTL.DLL") -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1059.001", "T1027"], "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and Process.CommandLine like r"% -e%" and (Process.CommandLine like r"%SQBuAHYAbwBrAGUALQ%" or Process.CommandLine like r"%kAbgB2AG8AawBlAC0A%" or Process.CommandLine like r"%JAG4AdgBvAGsAZQAtA%" or Process.CommandLine like r"%SW52b2tlL%" or Process.CommandLine like r"%ludm9rZS%" or Process.CommandLine like r"%JbnZva2Ut%") [ThreatDetectionRule platform=Windows] -# Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples +# Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. 
It gets written to the file system and will be recorded in the USN Journal on the target system # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 6bd75993-9888-4f91-9404-e1e4e4e34b77 -RuleName = HackTool - LocalPotato Execution -EventType = Process.Start -Tag = proc-start-hacktool-localpotato-execution +RuleId = 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4 +RuleName = PSEXEC Remote Execution File Artefact +EventType = File.Create +Tag = psexec-remote-execution-file-artefact RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\LocalPotato.exe" or Process.CommandLine like r"%.exe -i C:\\%" and Process.CommandLine like r"%-o Windows\\%" or Process.Hashes like r"%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%" or Process.Hashes like r"%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%" -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1136.002", "T1543.003", "T1570"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"C:\\Windows\\PSEXEC-%" and File.Path like r"%.key" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting -# Author: Teymur Kheirkhabarov, Ecco, Florian Roth -RuleId = 15619216-e993-4721-b590-4c520615a67d -RuleName = Potential Meterpreter/CobaltStrike Activity +# Execution of plink to perform data exfiltration and tunneling +# Author: Florian Roth (Nextron Systems) +RuleId = f38ce0b9-5e97-4b47-a211-7dc8d8b871da +RuleName = Potential RDP Tunneling Via Plink EventType = Process.Start -Tag = proc-start-potential-meterpreter/cobaltstrike-activity +Tag = proc-start-potential-rdp-tunneling-via-plink RiskScore = 75 -Annotation = {"mitre_attack": ["T1134.001", "T1134.002"], "author": "Teymur Kheirkhabarov, Ecco, Florian Roth"} -Query = Parent.Path like r"%\\services.exe" and (Process.CommandLine like r"%/c%" and Process.CommandLine like 
r"%echo%" and Process.CommandLine like r"%\\pipe\\%" and (Process.CommandLine like r"%cmd%" or Process.CommandLine like r"%\%COMSPEC\%%") or Process.CommandLine like r"%rundll32%" and Process.CommandLine like r"%.dll,a%" and Process.CommandLine like r"%/p:%") and not Process.CommandLine like r"%MpCmdRun%" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1572"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\plink.exe" and Process.CommandLine like r"%:127.0.0.1:3389%" or Process.Path like r"%\\plink.exe" and Process.CommandLine like r"%:3389%" and (Process.CommandLine like r"% -P 443%" or Process.CommandLine like r"% -P 22%") [ThreatDetectionRule platform=Windows] -# Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti. -# Author: Sittikorn S -RuleId = 643bdcac-8b82-49f4-9fd9-25a90b929f3b -RuleName = Renamed MegaSync Execution +# Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration. +# Author: frack113 +RuleId = 69ca006d-b9a9-47f5-80ff-ecd4d25d481a +RuleName = HackTool - TruffleSnout Execution EventType = Process.Start -Tag = proc-start-renamed-megasync-execution +Tag = proc-start-hacktool-trufflesnout-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Sittikorn S"} -Query = Process.Name == "megasync.exe" and not Process.Path like r"%\\megasync.exe" +Annotation = {"mitre_attack": ["T1482"], "author": "frack113"} +Query = Process.Name == "TruffleSnout.exe" or Process.Path like r"%\\TruffleSnout.exe" [ThreatDetectionRule platform=Windows] -# Detects potential malicious modification of the property value of IsCredGuardEnabled from -# HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. -# This is usually used with UseLogonCredential to manipulate the caching credentials. 
-# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -RuleId = 1a2d6c47-75b0-45bd-b133-2c0be75349fd -RuleName = Wdigest CredGuard Registry Modification -EventType = Reg.Any -Tag = wdigest-credguard-registry-modification +# Detects potentially suspicious child processes of "GoogleUpdate.exe" +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 84b1ecf9-6eff-4004-bafb-bae5c0e251b2 +RuleName = Potentially Suspicious GoogleUpdate Child Process +EventType = Process.Start +Tag = proc-start-potentially-suspicious-googleupdate-child-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} -Query = Reg.TargetObject like r"%\\IsCredGuardEnabled" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Parent.Path like r"%\\GoogleUpdate.exe" and not (Process.Path like r"%\\Google%" or Process.Path like r"%\\setup.exe" or Process.Path like r"%chrome\_updater.exe" or Process.Path like r"%chrome\_installer.exe" or isnull(Process.Path)) +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects an executable initiating a network connection to "ngrok" tunneling domains. -# Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. -# While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download. 
+# Detects Windows shells and scripting applications that write files to suspicious folders # Author: Florian Roth (Nextron Systems) -RuleId = 1d08ac94-400d-4469-a82f-daee9a908849 -RuleName = Communication To Ngrok Tunneling Service Initiated -EventType = Net.Any -Tag = communication-to-ngrok-tunneling-service-initiated -RiskScore = 75 -Annotation = {"mitre_attack": ["T1567", "T1568.002", "T1572", "T1090", "T1102"], "author": "Florian Roth (Nextron Systems)"} -Query = Net.Target.Name like r"%tunnel.us.ngrok.com%" or Net.Target.Name like r"%tunnel.eu.ngrok.com%" or Net.Target.Name like r"%tunnel.ap.ngrok.com%" or Net.Target.Name like r"%tunnel.au.ngrok.com%" or Net.Target.Name like r"%tunnel.sa.ngrok.com%" or Net.Target.Name like r"%tunnel.jp.ngrok.com%" or Net.Target.Name like r"%tunnel.in.ngrok.com%" -GenericProperty1 = Net.Target.Name - - -[ThreatDetectionRule platform=Windows] -# Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = a55349d8-9588-4c5a-8e3b-1925fe2a4ffe -RuleName = Exchange PowerShell Cmdlet History Deleted -EventType = File.Delete -Tag = exchange-powershell-cmdlet-history-deleted +RuleId = 1277f594-a7d1-4f28-a2d3-73af5cbeab43 +RuleName = Windows Shell/Scripting Application File Write to Suspicious Folder +EventType = File.Create +Tag = windows-shell/scripting-application-file-write-to-suspicious-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1070"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path like r"\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\%" and File.Path like r"%\_Cmdlet\_%" +Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\bash.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\msbuild.exe" or Process.Path like r"%\\powershell.exe" or 
Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\wscript.exe") and (File.Path like r"C:\\PerfLogs\\%" or File.Path like r"C:\\Users\\Public\\%") or (Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\wmic.exe") and (File.Path like r"%C:\\PerfLogs\\%" or File.Path like r"%C:\\Users\\Public\\%" or File.Path like r"%C:\\Windows\\Temp\\%") GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. -# This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. -# It could also be used for anti-analysis purposes by shut downing specific processes. -# Author: Luc Génaux -RuleId = b48492dc-c5ef-4572-8dff-32bc241c15c8 -RuleName = Load Of RstrtMgr.DLL By A Suspicious Process +# Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". +# Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe". 
+# Author: Swachchhanda Shrawan Poudel +RuleId = d2451be2-b582-4e15-8701-4196ac180260 +RuleName = Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE EventType = Image.Load -Tag = load-of-rstrtmgr.dll-by-a-suspicious-process +Tag = potential-dll-sideloading-of-keyscramblerie.dll-via-keyscrambler.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1486", "T1562.001"], "author": "Luc G\u00e9naux"} -Query = (Image.Path like r"%\\RstrtMgr.dll" or Process.Name == "RstrtMgr.dll") and (Process.Path like r"%:\\Perflogs\\%" or Process.Path like r"%:\\Users\\Public\\%" or Process.Path like r"%\\Temporary Internet%" or Process.Path like r"%:\\Users\\%" and Process.Path like r"%\\Favorites\\%" or Process.Path like r"%:\\Users\\%" and Process.Path like r"%\\Favourites\\%" or Process.Path like r"%:\\Users\\%" and Process.Path like r"%\\Contacts\\%") +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Swachchhanda Shrawan Poudel"} +Query = (Process.Path like r"%\\KeyScrambler.exe" or Process.Path like r"%\\KeyScramblerLogon.exe") and Image.Path like r"%\\KeyScramblerIE.dll" and not ((Process.Path like r"%C:\\Program Files (x86)\\KeyScrambler\\%" or Process.Path like r"%C:\\Program Files\\KeyScrambler\\%") and (Image.Path like r"%C:\\Program Files (x86)\\KeyScrambler\\%" or Image.Path like r"%C:\\Program Files\\KeyScrambler\\%") or Image.Signature == "QFX Software Corporation" and Image.SignatureStatus == "Valid") GenericProperty1 = Image.Path +GenericProperty2 = Image.Signature +GenericProperty3 = Image.SignatureStatus [ThreatDetectionRule platform=Windows] -# Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc -RuleName = Suspicious Invoke-WebRequest Execution -EventType = Process.Start -Tag = proc-start-suspicious-invoke-webrequest-execution +# Detects NetNTLM downgrade attack +# 
Author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT) +RuleId = d67572a0-e2ec-45d6-b8db-c100d14b8ef2 +RuleName = NetNTLM Downgrade Attack - Registry +EventType = Reg.Any +Tag = netntlm-downgrade-attack-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1105"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%curl %" or Process.CommandLine like r"%Invoke-WebRequest%" or Process.CommandLine like r"%iwr %" or Process.CommandLine like r"%wget %") and (Process.CommandLine like r"% -ur%" or Process.CommandLine like r"% -o%") and (Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Temp\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\%AppData\%%" or Process.CommandLine like r"%\%Public\%%" or Process.CommandLine like r"%\%Temp\%%" or Process.CommandLine like r"%\%tmp\%%" or Process.CommandLine like r"%:\\Windows\\%") +Annotation = {"mitre_attack": ["T1562.001", "T1112"], "author": "Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)"} +Query = Reg.TargetObject like r"%SYSTEM\\%" and Reg.TargetObject like r"%ControlSet%" and Reg.TargetObject like r"%\\Control\\Lsa%" and (Reg.TargetObject like r"%\\lmcompatibilitylevel" and (Reg.Value.Data in ["DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)"]) or Reg.TargetObject like r"%\\NtlmMinClientSec" and (Reg.Value.Data in ["DWORD (0x00000000)", "DWORD (0x00000010)", "DWORD (0x00000020)", "DWORD (0x00000030)"]) or Reg.TargetObject like r"%\\RestrictSendingNTLMTraffic") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command 
line -# Author: Florian Roth (Nextron Systems) -RuleId = fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c -RuleName = PowerShell Base64 Encoded FromBase64String Cmdlet +# Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder. +# Author: @Kostastsale +RuleId = c3d76afc-93df-461e-8e67-9b2bad3f2ac4 +RuleName = File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell EventType = Process.Start -Tag = proc-start-powershell-base64-encoded-frombase64string-cmdlet +Tag = proc-start-file-explorer-folder-opened-using-explorer-folder-shortcut-via-shell RiskScore = 75 -Annotation = {"mitre_attack": ["T1140", "T1059.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%OjpGcm9tQmFzZTY0U3RyaW5n%" or Process.CommandLine like r"%o6RnJvbUJhc2U2NFN0cmluZ%" or Process.CommandLine like r"%6OkZyb21CYXNlNjRTdHJpbm%" or Process.CommandLine like r"%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%" or Process.CommandLine like r"%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%" or Process.CommandLine like r"%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%" +Annotation = {"mitre_attack": ["T1135"], "author": "@Kostastsale"} +Query = (Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and Process.Path like r"%\\explorer.exe" and Process.CommandLine like r"%shell:mycomputerfolder%" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). 
-# Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro -RuleId = ae215552-081e-44c7-805f-be16f975c8a2 -RuleName = Suspicious Debugger Registration Cmdline -EventType = Process.Start -Tag = proc-start-suspicious-debugger-registration-cmdline +# Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments. +# This can be used to detect spear-phishing campaigns that use RDP files as attachments. +# Author: Florian Roth +RuleId = f748c45a-f8d3-4e6f-b617-fe176f695b8f +RuleName = .RDP File Created by Outlook Process +EventType = File.Create +Tag = .rdp-file-created-by-outlook-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.008"], "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro"} -Query = Process.CommandLine like r"%\\CurrentVersion\\Image File Execution Options\\%" and (Process.CommandLine like r"%sethc.exe%" or Process.CommandLine like r"%utilman.exe%" or Process.CommandLine like r"%osk.exe%" or Process.CommandLine like r"%magnify.exe%" or Process.CommandLine like r"%narrator.exe%" or Process.CommandLine like r"%displayswitch.exe%" or Process.CommandLine like r"%atbroker.exe%" or Process.CommandLine like r"%HelpPane.exe%") +Annotation = {"author": "Florian Roth"} +Query = File.Path like r"%.rdp" and (File.Path like r"%\\AppData\\Local\\Packages\\Microsoft.Outlook\_%" or File.Path like r"%\\AppData\\Local\\Microsoft\\Olk\\Attachments\\%" or File.Path like r"%\\AppData\\Local\\Microsoft\\Windows\\%" and File.Path like r"%\\Content.Outlook\\%") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 -# Author: Florian Roth (Nextron Systems) -RuleId = 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd -RuleName = Suspicious Rundll32 Invoking Inline VBScript -EventType = Process.Start -Tag = 
proc-start-suspicious-rundll32-invoking-inline-vbscript +# Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) +# but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack +# Author: frack113, Nasreddine Bencherchali (Nextron Systems) +RuleId = b6f91281-20aa-446a-b986-38a92813a18f +RuleName = DLL Search Order Hijackig Via Additional Space in Path +EventType = File.Create +Tag = dll-search-order-hijackig-via-additional-space-in-path RiskScore = 75 -Annotation = {"mitre_attack": ["T1055"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%rundll32.exe%" and Process.CommandLine like r"%Execute%" and Process.CommandLine like r"%RegRead%" and Process.CommandLine like r"%window.close%" +Annotation = {"mitre_attack": ["T1574.002"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"} +Query = (File.Path like r"C:\\Windows \\%" or File.Path like r"C:\\Program Files \\%" or File.Path like r"C:\\Program Files (x86) \\%") and File.Path like r"%.dll" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls -# Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t -RuleId = 6385697e-9f1b-40bd-8817-f4a91f40508e -RuleName = PowerShell Base64 Encoded Invoke Keyword +# Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 82a6714f-4899-4f16-9c1e-9a333544d4c3 +RuleName = File In Suspicious Location Encoded To Base64 Via Certutil.EXE EventType = Process.Start -Tag = proc-start-powershell-base64-encoded-invoke-keyword +Tag = proc-start-file-in-suspicious-location-encoded-to-base64-via-certutil.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001", "T1027"], "author": "pH-T (Nextron 
Systems), Harjot Singh, @cyb3rjy0t"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and Process.CommandLine like r"% -e%" and (Process.CommandLine like r"%SQBuAHYAbwBrAGUALQ%" or Process.CommandLine like r"%kAbgB2AG8AawBlAC0A%" or Process.CommandLine like r"%JAG4AdgBvAGsAZQAtA%" or Process.CommandLine like r"%SW52b2tlL%" or Process.CommandLine like r"%ludm9rZS%" or Process.CommandLine like r"%JbnZva2Ut%") +Annotation = {"mitre_attack": ["T1027"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\certutil.exe" or Process.Name == "CertUtil.exe") and (Process.CommandLine like r"%-encode%" or Process.CommandLine like r"%/encode%" or Process.CommandLine like r"%–encode%" or Process.CommandLine like r"%—encode%" or Process.CommandLine like r"%―encode%") and (Process.CommandLine like r"%\\AppData\\Roaming\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Local\\Temp\\%" or Process.CommandLine like r"%\\PerfLogs\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%" or Process.CommandLine like r"%$Recycle.Bin%") [ThreatDetectionRule platform=Windows] -# Detects one of the possible scenarios for disabling Symantec Endpoint Protection. -# Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. -# As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. 
-# Author: Ilya Krestinichev, Florian Roth (Nextron Systems) -RuleId = 4a6713f6-3331-11ed-a261-0242ac120002 -RuleName = Taskkill Symantec Endpoint Protection -EventType = Process.Start -Tag = proc-start-taskkill-symantec-endpoint-protection +# Detects rundll32 loading a renamed comsvcs.dll to dump process memory +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 8cde342c-ba48-4b74-b615-172c330f2e93 +RuleName = Suspicious Renamed Comsvcs DLL Loaded By Rundll32 +EventType = Image.Load +Tag = suspicious-renamed-comsvcs-dll-loaded-by-rundll32 RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%taskkill%" and Process.CommandLine like r"% /F %" and Process.CommandLine like r"% /IM %" and Process.CommandLine like r"%ccSvcHst.exe%" +Annotation = {"mitre_attack": ["T1003.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\rundll32.exe" and (Image.Hashes like r"%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%" or Image.Hashes like r"%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%" or Image.Hashes like r"%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%" or Image.Hashes like r"%IMPHASH=407ca0f7b523319d758a40d7c0193699%" or Image.Hashes like r"%IMPHASH=281d618f4e6271e527e6386ea6f748de%") and not Image.Path like r"%\\comsvcs.dll" +GenericProperty1 = Image.Path +GenericProperty2 = Image.Hashes [ThreatDetectionRule platform=Windows] -# Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits -# Author: Florian Roth (Nextron Systems) -RuleId = d7eb979b-c2b5-4a6f-a3a7-c87ce6763819 -RuleName = Suspicious Control Panel DLL Load +# Detects execution of javascript code using "mshta.exe". +# Author: E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +RuleId = 67f113fa-e23d-4271-befa-30113b3e08b1 +RuleName = Suspicious JavaScript Execution Via Mshta.EXE EventType = Process.Start -Tag = proc-start-suspicious-control-panel-dll-load +Tag = proc-start-suspicious-javascript-execution-via-mshta.exe +RiskScore = 75 +Annotation = {"mitre_attack": ["T1218.005"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community"} +Query = (Process.Path like r"%\\mshta.exe" or Process.Name == "MSHTA.EXE") and Process.CommandLine like r"%javascript%" + + +[ThreatDetectionRule platform=Windows] +# Detect the creation of a service with a service binary located in a suspicious directory +# Author: Florian Roth (Nextron Systems), frack113 +RuleId = a07f0359-4c90-4dc4-a681-8ffea40b4f47 +RuleName = Service Binary in Suspicious Folder +EventType = Reg.Any +Tag = service-binary-in-suspicious-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.011"], "author": "Florian Roth (Nextron Systems)"} -Query = Parent.Path like r"%\\System32\\control.exe" and (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and not Process.CommandLine like r"%Shell32.dll%" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1112"], "author": "Florian Roth (Nextron Systems), frack113"} +Query = (Reg.TargetObject like r"HKLM\\System\\CurrentControlSet\\Services\\%" and Reg.TargetObject like r"%\\Start" and (Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\Perflogs\\%" or Process.Path like r"%\\ADMIN$\\%" or Process.Path like r"%\\Temp\\%") and (Reg.Value.Data in ["DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)"]) or Reg.TargetObject like r"HKLM\\System\\CurrentControlSet\\Services\\%" and Reg.TargetObject like r"%\\ImagePath" and (Reg.Value.Data like r"%\\Users\\Public\\%" or Reg.Value.Data like r"%\\Perflogs\\%" or Reg.Value.Data like r"%\\ADMIN$\\%" or Reg.Value.Data like 
r"%\\Temp\\%")) and not (Process.Path like r"%\\Common Files\\%" and Process.Path like r"%\\Temp\\%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects shell32.dll executing a DLL in a suspicious directory +# Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) # Author: Christian Burkard (Nextron Systems) -RuleId = 32b96012-7892-429e-b26c-ac2bf46066ff -RuleName = Shell32 DLL Execution in Suspicious Directory -EventType = Process.Start -Tag = proc-start-shell32-dll-execution-in-suspicious-directory +RuleId = 155dbf56-e0a4-4dd0-8905-8a98705045e8 +RuleName = UAC Bypass Abusing Winsat Path Parsing - File +EventType = File.Create +Tag = uac-bypass-abusing-winsat-path-parsing-file RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.011"], "author": "Christian Burkard (Nextron Systems)"} -Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and Process.CommandLine like r"%shell32.dll%" and Process.CommandLine like r"%Control\_RunDLL%" and (Process.CommandLine like r"%\%AppData\%%" or Process.CommandLine like r"%\%LocalAppData\%%" or Process.CommandLine like r"%\%Temp\%%" or Process.CommandLine like r"%\%tmp\%%" or Process.CommandLine like r"%\\AppData\\%" or Process.CommandLine like r"%\\Temp\\%" or Process.CommandLine like r"%\\Users\\Public\\%") +Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} +Query = File.Path like r"C:\\Users\\%" and (File.Path like r"%\\AppData\\Local\\Temp\\system32\\winsat.exe" or File.Path like r"%\\AppData\\Local\\Temp\\system32\\winmm.dll") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method. 
-# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = cb0fe7c5-f3a3-484d-aa25-d350a7912729 -RuleName = Suspicious Driver/DLL Installation Via Odbcconf.EXE +# Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string +# Author: Florian Roth (Nextron Systems) +RuleId = e32d4572-9826-4738-b651-95fa63747e8a +RuleName = Base64 Encoded PowerShell Command Detected EventType = Process.Start -Tag = proc-start-suspicious-driver/dll-installation-via-odbcconf.exe +Tag = proc-start-base64-encoded-powershell-command-detected RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.008"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\odbcconf.exe" or Process.Name == "odbcconf.exe") and Process.CommandLine like r"%INSTALLDRIVER %" and not Process.CommandLine like r"%.dll%" +Annotation = {"mitre_attack": ["T1027", "T1140", "T1059.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%::FromBase64String(%" [ThreatDetectionRule platform=Windows] -# Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter. 
-# Author: Ensar Şamil, @sblmsrsn, @oscd_initiative -RuleId = 7b10f171-7f04-47c7-9fa2-5be43c76e535 -RuleName = Visual Basic Command Line Compiler Usage +# Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) +# Author: Florian Roth (Nextron Systems) +RuleId = f63b56ee-3f79-4b8a-97fb-5c48007e8573 +RuleName = New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE EventType = Process.Start -Tag = proc-start-visual-basic-command-line-compiler-usage +Tag = proc-start-new-dns-serverlevelplugindll-installed-via-dnscmd.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1027.004"], "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative"} -Query = Parent.Path like r"%\\vbc.exe" and Process.Path like r"%\\cvtres.exe" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1574.002", "T1112"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\dnscmd.exe" and Process.CommandLine like r"%/config%" and Process.CommandLine like r"%/serverlevelplugindll%" [ThreatDetectionRule platform=Windows] -# Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation. 
-# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 -RuleName = Potentially Suspicious ASP.NET Compilation Via AspNetCompiler +# Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line +# Author: Florian Roth (Nextron Systems) +RuleId = 8f70ac5f-1f6f-4f8e-b454-db19561216c5 +RuleName = PowerShell DownloadFile EventType = Process.Start -Tag = proc-start-potentially-suspicious-asp.net-compilation-via-aspnetcompiler +Tag = proc-start-powershell-downloadfile RiskScore = 75 -Annotation = {"mitre_attack": ["T1127"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%C:\\Windows\\Microsoft.NET\\Framework\\%" or Process.Path like r"%C:\\Windows\\Microsoft.NET\\Framework64\\%") and Process.Path like r"%\\aspnet\_compiler.exe" and (Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Local\\Roaming\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Tasks\\%") +Annotation = {"mitre_attack": ["T1059.001", "T1104", "T1105"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%powershell%" and Process.CommandLine like r"%.DownloadFile%" and Process.CommandLine like r"%System.Net.WebClient%" [ThreatDetectionRule platform=Windows] -# Detects potentially suspicious file downloads directly from IP addresses using curl.exe -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 5cb299fc-5fb1-4d07-b989-0644c68b6043 -RuleName = Suspicious File Download From IP Via Curl.EXE -EventType = Process.Start -Tag = proc-start-suspicious-file-download-from-ip-via-curl.exe +# Detects activity that indicates a user disabling the ability for Antivirus mini filter to 
inspect a "Dev Drive". +# Author: @kostastsale, Nasreddine Bencherchali (Nextron Systems) +RuleId = 31e124fb-5dc4-42a0-83b3-44a69c77b271 +RuleName = Antivirus Filter Driver Disallowed On Dev Drive - Registry +EventType = Reg.Any +Tag = antivirus-filter-driver-disallowed-on-dev-drive-registry RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\curl.exe" or Process.Name == "curl.exe") and Process.CommandLine regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and Process.CommandLine like r"%http%" and (Process.CommandLine like r"% -O%" or Process.CommandLine like r"%--remote-name%" or Process.CommandLine like r"%--output%") and (Process.CommandLine like r"%.bat" or Process.CommandLine like r"%.bat\"" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.dat\"" or Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.dll\"" or Process.CommandLine like r"%.exe" or Process.CommandLine like r"%.exe\"" or Process.CommandLine like r"%.gif" or Process.CommandLine like r"%.gif\"" or Process.CommandLine like r"%.hta" or Process.CommandLine like r"%.hta\"" or Process.CommandLine like r"%.jpeg" or Process.CommandLine like r"%.jpeg\"" or Process.CommandLine like r"%.log" or Process.CommandLine like r"%.log\"" or Process.CommandLine like r"%.msi" or Process.CommandLine like r"%.msi\"" or Process.CommandLine like r"%.png" or Process.CommandLine like r"%.png\"" or Process.CommandLine like r"%.ps1" or Process.CommandLine like r"%.ps1\"" or Process.CommandLine like r"%.psm1" or Process.CommandLine like r"%.psm1\"" or Process.CommandLine like r"%.vbe" or Process.CommandLine like r"%.vbe\"" or Process.CommandLine like r"%.vbs" or Process.CommandLine like r"%.vbs\"" or Process.CommandLine like r"%.bat'" or Process.CommandLine like r"%.dat'" or Process.CommandLine like r"%.dll'" or Process.CommandLine like r"%.exe'" or Process.CommandLine like r"%.gif'" or Process.CommandLine like 
r"%.hta'" or Process.CommandLine like r"%.jpeg'" or Process.CommandLine like r"%.log'" or Process.CommandLine like r"%.msi'" or Process.CommandLine like r"%.png'" or Process.CommandLine like r"%.ps1'" or Process.CommandLine like r"%.psm1'" or Process.CommandLine like r"%.vbe'" or Process.CommandLine like r"%.vbs'") +Annotation = {"mitre_attack": ["T1562.001"], "author": "@kostastsale, Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\FilterManager\\FltmgrDevDriveAllowAntivirusFilter" and Reg.Value.Data == "DWORD (0x00000000)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 6c8fbee5-dee8-49bc-851d-c3142d02aa47 -RuleName = Allow Service Access Using Security Descriptor Tampering Via Sc.EXE +# Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files +# Author: E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +RuleId = e66779cc-383e-4224-a3a4-267eeb585c40 +RuleName = Bypass UAC via CMSTP EventType = Process.Start -Tag = proc-start-allow-service-access-using-security-descriptor-tampering-via-sc.exe +Tag = proc-start-bypass-uac-via-cmstp RiskScore = 75 -Annotation = {"mitre_attack": ["T1543.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and Process.CommandLine like r"%sdset%" and Process.CommandLine like r"%A;%" and (Process.CommandLine like r"%;IU%" or Process.CommandLine like r"%;SU%" or Process.CommandLine like r"%;BA%" or Process.CommandLine like r"%;SY%" or Process.CommandLine like r"%;WD%") +Annotation = {"mitre_attack": ["T1548.002", "T1218.003"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community"} +Query = (Process.Path like r"%\\cmstp.exe" or Process.Name == "CMSTP.EXE") and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%-s%" or Process.CommandLine like r"%/au%" or Process.CommandLine like r"%-au%" or Process.CommandLine like r"%/ni%" or Process.CommandLine like r"%-ni%") [ThreatDetectionRule platform=Windows] -# Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata. 
-# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = a7664b14-75fb-4a50-a223-cb9bc0afbacf -RuleName = HackTool - RemoteKrbRelay Execution +# Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection +# Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) +RuleId = 452bce90-6fb0-43cc-97a5-affc283139b3 +RuleName = Suspicious Windows Defender Registry Key Tampering Via Reg.EXE EventType = Process.Start -Tag = proc-start-hacktool-remotekrbrelay-execution +Tag = proc-start-suspicious-windows-defender-registry-key-tampering-via-reg.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1558.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\RemoteKrbRelay.exe" or Process.Name == "RemoteKrbRelay.exe" or Process.CommandLine like r"% -clsid %" and Process.CommandLine like r"% -target %" and Process.CommandLine like r"% -victim %" or Process.CommandLine like r"%-rbcd %" and (Process.CommandLine like r"%-cn %" or Process.CommandLine like r"%--computername %") or Process.CommandLine like r"%-chp %" and Process.CommandLine like r"%-chpPass %" and Process.CommandLine like r"%-chpUser %" or Process.CommandLine like r"%-addgroupmember %" and Process.CommandLine like r"%-group %" and Process.CommandLine like r"%-groupuser %" or Process.CommandLine like r"%-smb %" and Process.CommandLine like r"%--smbkeyword %" and (Process.CommandLine like r"%interactive%" or Process.CommandLine like r"%secrets%" or Process.CommandLine like r"%service-add%") +Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and (Process.CommandLine like r"%SOFTWARE\\Microsoft\\Windows Defender\\%" or Process.CommandLine 
like r"%SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center%" or Process.CommandLine like r"%SOFTWARE\\Policies\\Microsoft\\Windows Defender\\%") and (Process.CommandLine like r"% add %" and Process.CommandLine like r"%d 0%" and (Process.CommandLine like r"%DisallowExploitProtectionOverride%" or Process.CommandLine like r"%EnableControlledFolderAccess%" or Process.CommandLine like r"%MpEnablePus%" or Process.CommandLine like r"%PUAProtection%" or Process.CommandLine like r"%SpynetReporting%" or Process.CommandLine like r"%SubmitSamplesConsent%" or Process.CommandLine like r"%TamperProtection%") or Process.CommandLine like r"% add %" and Process.CommandLine like r"%d 1%" and (Process.CommandLine like r"%DisableAntiSpyware%" or Process.CommandLine like r"%DisableAntiSpywareRealtimeProtection%" or Process.CommandLine like r"%DisableAntiVirus%" or Process.CommandLine like r"%DisableArchiveScanning%" or Process.CommandLine like r"%DisableBehaviorMonitoring%" or Process.CommandLine like r"%DisableBlockAtFirstSeen%" or Process.CommandLine like r"%DisableConfig%" or Process.CommandLine like r"%DisableEnhancedNotifications%" or Process.CommandLine like r"%DisableIntrusionPreventionSystem%" or Process.CommandLine like r"%DisableIOAVProtection%" or Process.CommandLine like r"%DisableOnAccessProtection%" or Process.CommandLine like r"%DisablePrivacyMode%" or Process.CommandLine like r"%DisableRealtimeMonitoring%" or Process.CommandLine like r"%DisableRoutinelyTakingAction%" or Process.CommandLine like r"%DisableScanOnRealtimeEnable%" or Process.CommandLine like r"%DisableScriptScanning%" or Process.CommandLine like r"%Notification\_Suppress%" or Process.CommandLine like r"%SignatureDisableUpdateOnStartupWithoutEngine%")) [ThreatDetectionRule platform=Windows] -# Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location. 
-# Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems) -RuleId = e4a6b256-3e47-40fc-89d2-7a477edd6915 -RuleName = System File Execution Location Anomaly +# Detects scheduled task creations or modification on a suspicious schedule type +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 24c8392b-aa3c-46b7-a545-43f71657fe98 +RuleName = Suspicious Schtasks Schedule Types EventType = Process.Start -Tag = proc-start-system-file-execution-location-anomaly +Tag = proc-start-suspicious-schtasks-schedule-types RiskScore = 75 -Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\atbroker.exe" or Process.Path like r"%\\audiodg.exe" or Process.Path like r"%\\bcdedit.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certreq.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\conhost.exe" or Process.Path like r"%\\consent.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\dashost.exe" or Process.Path like r"%\\defrag.exe" or Process.Path like r"%\\dfrgui.exe" or Process.Path like r"%\\dism.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\dllhst3g.exe" or Process.Path like r"%\\dwm.exe" or Process.Path like r"%\\eventvwr.exe" or Process.Path like r"%\\logonui.exe" or Process.Path like r"%\\LsaIso.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\lsm.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\ntoskrnl.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like 
r"%\\runonce.exe" or Process.Path like r"%\\RuntimeBroker.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\services.exe" or Process.Path like r"%\\sihost.exe" or Process.Path like r"%\\smartscreen.exe" or Process.Path like r"%\\smss.exe" or Process.Path like r"%\\spoolsv.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\taskhost.exe" or Process.Path like r"%\\Taskmgr.exe" or Process.Path like r"%\\userinit.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\winlogon.exe" or Process.Path like r"%\\winver.exe" or Process.Path like r"%\\wlanext.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\wsl.exe" or Process.Path like r"%\\wsmprovhost.exe") and not (Process.Path like r"C:\\$WINDOWS.~BT\\%" or Process.Path like r"C:\\$WinREAgent\\%" or Process.Path like r"C:\\Windows\\SoftwareDistribution\\%" or Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SystemTemp\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\uus\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path in ["C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe"] or Process.Path like r"C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux%" and Process.Path like r"%\\wsl.exe") and not Process.Path like r"%\\SystemRoot\\System32\\%" +Annotation = {"mitre_attack": ["T1053.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\schtasks.exe" or Process.Name == "schtasks.exe") and (Process.CommandLine like r"% ONLOGON %" or Process.CommandLine like r"% ONSTART %" or Process.CommandLine like r"% ONCE %" or Process.CommandLine like r"% ONIDLE %") and not (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM%" or Process.CommandLine like r"%HIGHEST%") [ThreatDetectionRule platform=Windows] -# Detects the presence of 
reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers -# Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton -RuleId = b6b49cd1-34d6-4ead-b1bf-176e9edba9a4 -RuleName = Potential PowerShell Obfuscation Via Reversed Commands +# Detects the use of NSudo tool for command execution +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali +RuleId = 771d1eb5-9587-4568-95fb-9ec44153a012 +RuleName = PUA - NSudo Execution EventType = Process.Start -Tag = proc-start-potential-powershell-obfuscation-via-reversed-commands +Tag = proc-start-pua-nsudo-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%hctac%" or Process.CommandLine like r"%kaerb%" or Process.CommandLine like r"%dnammoc%" or Process.CommandLine like r"%ekovn%" or Process.CommandLine like r"%eliFd%" or Process.CommandLine like r"%rahc%" or Process.CommandLine like r"%etirw%" or Process.CommandLine like r"%golon%" or Process.CommandLine like r"%tninon%" or Process.CommandLine like r"%eddih%" or Process.CommandLine like r"%tpircS%" or Process.CommandLine like r"%ssecorp%" or Process.CommandLine like r"%llehsrewop%" or Process.CommandLine like r"%esnopser%" or Process.CommandLine like r"%daolnwod%" or Process.CommandLine like r"%tneilCbeW%" or Process.CommandLine like r"%tneilc%" or Process.CommandLine like r"%ptth%" or Process.CommandLine like r"%elifotevas%" or Process.CommandLine like r"%46esab%" or Process.CommandLine like r"%htaPpmeTteG%" or Process.CommandLine like r"%tcejbO%" or Process.CommandLine like r"%maerts%" or Process.CommandLine like r"%hcaerof%" or Process.CommandLine like r"%retupmoc%") and not (Process.CommandLine 
like r"% -EncodedCommand %" or Process.CommandLine like r"% -enc %") +Annotation = {"mitre_attack": ["T1569.002"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali"} +Query = (Process.Path like r"%\\NSudo.exe" or Process.Path like r"%\\NSudoLC.exe" or Process.Path like r"%\\NSudoLG.exe" or Process.Name in ["NSudo.exe", "NSudoLC.exe", "NSudoLG.exe"]) and (Process.CommandLine like r"%-U:S %" or Process.CommandLine like r"%-U:T %" or Process.CommandLine like r"%-U:E %" or Process.CommandLine like r"%-P:E %" or Process.CommandLine like r"%-M:S %" or Process.CommandLine like r"%-M:H %" or Process.CommandLine like r"%-U=S %" or Process.CommandLine like r"%-U=T %" or Process.CommandLine like r"%-U=E %" or Process.CommandLine like r"%-P=E %" or Process.CommandLine like r"%-M=S %" or Process.CommandLine like r"%-M=H %" or Process.CommandLine like r"%-ShowWindowMode:Hide%") [ThreatDetectionRule platform=Windows] -# Detects when attackers or tools disable Windows Defender functionalities via the Windows registry -# Author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel -RuleId = 0eb46774-f1ab-4a74-8238-1155855f2263 -RuleName = Disable Windows Defender Functionalities Via Registry Keys +# Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings. 
+# Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) +RuleId = 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf +RuleName = Trust Access Disable For VBApplications EventType = Reg.Any -Tag = disable-windows-defender-functionalities-via-registry-keys +Tag = trust-access-disable-for-vbapplications RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel"} -Query = (Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows Defender\\%" or Reg.TargetObject like r"%\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\%" or Reg.TargetObject like r"%\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\%") and ((Reg.TargetObject like r"%\\DisableAntiSpyware" or Reg.TargetObject like r"%\\DisableAntiVirus" or Reg.TargetObject like r"%\\DisableBehaviorMonitoring" or Reg.TargetObject like r"%\\DisableBlockAtFirstSeen" or Reg.TargetObject like r"%\\DisableEnhancedNotifications" or Reg.TargetObject like r"%\\DisableIntrusionPreventionSystem" or Reg.TargetObject like r"%\\DisableIOAVProtection" or Reg.TargetObject like r"%\\DisableOnAccessProtection" or Reg.TargetObject like r"%\\DisableRealtimeMonitoring" or Reg.TargetObject like r"%\\DisableScanOnRealtimeEnable" or Reg.TargetObject like r"%\\DisableScriptScanning") and Reg.Value.Data == "DWORD (0x00000001)" or (Reg.TargetObject like r"%\\DisallowExploitProtectionOverride" or Reg.TargetObject like r"%\\Features\\TamperProtection" or Reg.TargetObject like r"%\\MpEngine\\MpEnablePus" or Reg.TargetObject like r"%\\PUAProtection" or Reg.TargetObject like r"%\\Signature Update\\ForceUpdateFromMU" or Reg.TargetObject like r"%\\SpyNet\\SpynetReporting" or Reg.TargetObject like r"%\\SpyNet\\SubmitSamplesConsent" or Reg.TargetObject like r"%\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess") and Reg.Value.Data == "DWORD (0x00000000)") and not (Process.Path 
like r"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\%" and Process.Path like r"%\\sepWscSvc64.exe") +Annotation = {"mitre_attack": ["T1112"], "author": "Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Security\\AccessVBOM" and Reg.Value.Data == "DWORD (0x00000001)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects a Windows command line executable started from MMC -# Author: Karneades, Swisscom CSIRT -RuleId = 05a2ab7e-ce11-4b63-86db-ab32e763e11d -RuleName = MMC Spawning Windows Shell -EventType = Process.Start -Tag = proc-start-mmc-spawning-windows-shell -RiskScore = 75 -Annotation = {"mitre_attack": ["T1021.003"], "author": "Karneades, Swisscom CSIRT"} -Query = Parent.Path like r"%\\mmc.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\BITSADMIN%") -GenericProperty1 = Parent.Path - - -[ThreatDetectionRule platform=Windows] -# Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0 -RuleName = HackTool - Wmiexec Default Powershell Command +# Detects the execution of a renamed version of the "Mavinject" process. 
Which can be abused to perform process injection using the "/INJECTRUNNING" flag +# Author: frack113, Florian Roth +RuleId = e6474a1b-5390-49cd-ab41-8d88655f7394 +RuleName = Renamed Mavinject.EXE Execution EventType = Process.Start -Tag = proc-start-hacktool-wmiexec-default-powershell-command +Tag = proc-start-renamed-mavinject.exe-execution RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%" +Annotation = {"mitre_attack": ["T1055.001", "T1218.013"], "author": "frack113, Florian Roth"} +Query = (Process.Name in ["mavinject32.exe", "mavinject64.exe"]) and not (Process.Path like r"%\\mavinject32.exe" or Process.Path like r"%\\mavinject64.exe") [ThreatDetectionRule platform=Windows] -# Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 44143844-0631-49ab-97a0-96387d6b2d7c -RuleName = File Download Using Notepad++ GUP Utility +# Detects suspicious use of XORDump process memory dumping utility +# Author: Florian Roth (Nextron Systems) +RuleId = 66e563f9-1cbd-4a22-a957-d8b7c0f44372 +RuleName = HackTool - XORDump Execution EventType = Process.Start -Tag = proc-start-file-download-using-notepad++-gup-utility +Tag = proc-start-hacktool-xordump-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1105"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\GUP.exe" or Process.Name == "gup.exe") and Process.CommandLine like r"% -unzipTo %" and Process.CommandLine like r"%http%" and not Parent.Path like r"%\\notepad++.exe" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\xordump.exe" or Process.CommandLine like r"% -process lsass.exe %" or Process.CommandLine like r"% -m comsvcs %" or 
Process.CommandLine like r"% -m dbghelp %" or Process.CommandLine like r"% -m dbgcore %" [ThreatDetectionRule platform=Windows] -# Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file. -# Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) -RuleId = c27515df-97a9-4162-8a60-dc0eeb51b775 -RuleName = Suspicious Microsoft OneNote Child Process +# Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM +# Author: Florian Roth (Nextron Systems) +RuleId = 9fff585c-c33e-4a86-b3cd-39312079a65f +RuleName = Taskmgr as LOCAL_SYSTEM EventType = Process.Start -Tag = proc-start-suspicious-microsoft-onenote-child-process +Tag = proc-start-taskmgr-as-local_system RiskScore = 75 -Annotation = {"mitre_attack": ["T1566", "T1566.001"], "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)"} -Query = Parent.Path like r"%\\onenote.exe" and (Process.Name in ["bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe"] or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certoc.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\control.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\curl.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\ieexec.exe" or Process.Path like 
r"%\\installutil.exe" or Process.Path like r"%\\javaw.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\Microsoft.Workflow.Compiler.exe" or Process.Path like r"%\\msbuild.exe" or Process.Path like r"%\\msdt.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msidb.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\msxsl.exe" or Process.Path like r"%\\odbcconf.exe" or Process.Path like r"%\\pcalua.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regasm.exe" or Process.Path like r"%\\regsvcs.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\verclsid.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\workfolders.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\explorer.exe" and (Process.CommandLine like r"%.hta%" or Process.CommandLine like r"%.vb%" or Process.CommandLine like r"%.wsh%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.ps%" or Process.CommandLine like r"%.scr%" or Process.CommandLine like r"%.pif%" or Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.cmd%") or Process.Path like r"%\\AppData\\%" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\ProgramData\\%" or Process.Path like r"%\\Windows\\Tasks\\%" or Process.Path like r"%\\Windows\\Temp\\%" or Process.Path like r"%\\Windows\\System32\\Tasks\\%") and not (Process.Path like r"%\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe" and Process.CommandLine like r"%-Embedding" or Process.Path like r"%\\AppData\\Local\\Microsoft\\OneDrive\\%" and Process.Path like r"%\\FileCoAuth.exe" and Process.CommandLine like r"%-Embedding") 
-GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") and Process.Path like r"%\\taskmgr.exe" +GenericProperty1 = Process.User [ThreatDetectionRule platform=Windows] -# Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8 -RuleName = Suspicious New Service Creation +# Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network +# Author: frack113, Florian Roth (Nextron Systems) +RuleId = e31033fc-33f0-4020-9a16-faf9b31cbf08 +RuleName = PUA - Netcat Suspicious Execution EventType = Process.Start -Tag = proc-start-suspicious-new-service-creation +Tag = proc-start-pua-netcat-suspicious-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1543.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%binPath=%" or Process.CommandLine like r"%New-Service%" and Process.CommandLine like r"%-BinaryPathName%") and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%wscript%" or Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%svchost%" or Process.CommandLine like r"%dllhost%" or Process.CommandLine like r"%cmd %" or Process.CommandLine like r"%cmd.exe /c%" or Process.CommandLine like r"%cmd.exe /k%" or Process.CommandLine like r"%cmd.exe /r%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%C:\\Users\\Public%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like 
r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%" or Process.CommandLine like r"%C:\\Windows\\TEMP\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%") +Annotation = {"mitre_attack": ["T1095"], "author": "frack113, Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\nc.exe" or Process.Path like r"%\\ncat.exe" or Process.Path like r"%\\netcat.exe" or Process.CommandLine like r"% -lvp %" or Process.CommandLine like r"% -lvnp%" or Process.CommandLine like r"% -l -v -p %" or Process.CommandLine like r"% -lv -p %" or Process.CommandLine like r"% -l --proxy-type http %" or Process.CommandLine like r"% -vnl --exec %" or Process.CommandLine like r"% -vnl -e %" or Process.CommandLine like r"% --lua-exec %" or Process.CommandLine like r"% --sh-exec %" [ThreatDetectionRule platform=Windows] -# Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence -# Author: Tom Ueltschi (@c_APT_ure) -RuleId = 21d856f9-9281-4ded-9377-51a1a6e2a432 -RuleName = Potential Persistence Via Logon Scripts - CommandLine +# Detects RDP session hijacking by using MSTSC shadowing +# Author: Florian Roth (Nextron Systems) +RuleId = 6ba5a05f-b095-4f0a-8654-b825f4f16334 +RuleName = Potential MSTSC Shadowing Activity EventType = Process.Start -Tag = proc-start-potential-persistence-via-logon-scripts-commandline +Tag = proc-start-potential-mstsc-shadowing-activity RiskScore = 75 -Annotation = {"mitre_attack": ["T1037.001"], "author": "Tom Ueltschi (@c_APT_ure)"} -Query = Process.CommandLine like r"%UserInitMprLogonScript%" +Annotation = {"mitre_attack": ["T1563.002"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%noconsentprompt%" and Process.CommandLine like r"%shadow:%" [ThreatDetectionRule platform=Windows] -# Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious 
macros without any Microsoft Office warnings. -# Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) -RuleId = 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf -RuleName = Trust Access Disable For VBApplications +# Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = f37b4bce-49d0-4087-9f5b-58bffda77316 +RuleName = Potential AutoLogger Sessions Tampering EventType = Reg.Any -Tag = trust-access-disable-for-vbapplications +Tag = potential-autologger-sessions-tampering RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Security\\AccessVBOM" and Reg.Value.Data == "DWORD (0x00000001)" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\%" and (Reg.TargetObject like r"%\\EventLog-%" or Reg.TargetObject like r"%\\Defender%") and (Reg.TargetObject like r"%\\Enable" or Reg.TargetObject like r"%\\Start") and Reg.Value.Data == "DWORD (0x00000000)" and not Process.Path == "C:\\Windows\\system32\\wevtutil.exe" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string -# Author: Florian Roth (Nextron Systems) -RuleId = e32d4572-9826-4738-b651-95fa63747e8a -RuleName = Base64 Encoded PowerShell Command Detected +# Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter. 
+# Author: Ensar Şamil, @sblmsrsn, @oscd_initiative +RuleId = 7b10f171-7f04-47c7-9fa2-5be43c76e535 +RuleName = Visual Basic Command Line Compiler Usage EventType = Process.Start -Tag = proc-start-base64-encoded-powershell-command-detected +Tag = proc-start-visual-basic-command-line-compiler-usage RiskScore = 75 -Annotation = {"mitre_attack": ["T1027", "T1140", "T1059.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%::FromBase64String(%" +Annotation = {"mitre_attack": ["T1027.004"], "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative"} +Query = Parent.Path like r"%\\vbc.exe" and Process.Path like r"%\\cvtres.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of Xwizard tool from a non-default directory. -# When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll". -# Author: Christian Burkard (Nextron Systems) -RuleId = 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1 -RuleName = Xwizard.EXE Execution From Non-Default Location +# Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. 
As seen being used in malicious LNK files +# Author: pH-T (Nextron Systems) +RuleId = f0507c0f-a3a2-40f5-acc6-7f543c334993 +RuleName = Suspicious File Execution From Internet Hosted WebDav Share EventType = Process.Start -Tag = proc-start-xwizard.exe-execution-from-non-default-location +Tag = proc-start-suspicious-file-execution-from-internet-hosted-webdav-share RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002"], "author": "Christian Burkard (Nextron Systems)"} -Query = (Process.Path like r"%\\xwizard.exe" or Process.Name == "xwizard.exe") and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%") +Annotation = {"mitre_attack": ["T1059.001"], "author": "pH-T (Nextron Systems)"} +Query = (Process.Path like r"%\\cmd.exe%" or Process.Name == "Cmd.EXE") and Process.CommandLine like r"% net use http%" and Process.CommandLine like r"%& start /b %" and Process.CommandLine like r"%\\DavWWWRoot\\%" and (Process.CommandLine like r"%.exe %" or Process.CommandLine like r"%.dll %" or Process.CommandLine like r"%.bat %" or Process.CommandLine like r"%.vbs %" or Process.CommandLine like r"%.ps1 %") [ThreatDetectionRule platform=Windows] -# Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) 
from a PowerShell script -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = caf201a9-c2ce-4a26-9c3a-2b9525413711 -RuleName = Potentially Suspicious Call To Win32_NTEventlogFile Class -EventType = Process.Start -Tag = proc-start-potentially-suspicious-call-to-win32_nteventlogfile-class +# Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) +# Author: Tim Rauch (Nextron Systems), Elastic (idea) +RuleId = 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 +RuleName = Unusual File Deletion by Dns.exe +EventType = File.Delete +Tag = unusual-file-deletion-by-dns.exe RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%Win32\_NTEventlogFile%" and (Process.CommandLine like r"%.BackupEventlog(%" or Process.CommandLine like r"%.ChangeSecurityPermissions(%" or Process.CommandLine like r"%.ChangeSecurityPermissionsEx(%" or Process.CommandLine like r"%.ClearEventLog(%" or Process.CommandLine like r"%.Delete(%" or Process.CommandLine like r"%.DeleteEx(%" or Process.CommandLine like r"%.Rename(%" or Process.CommandLine like r"%.TakeOwnerShip(%" or Process.CommandLine like r"%.TakeOwnerShipEx(%") +Annotation = {"mitre_attack": ["T1133"], "author": "Tim Rauch (Nextron Systems), Elastic (idea)"} +Query = Process.Path like r"%\\dns.exe" and not File.Path like r"%\\dns.log" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. -# Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage. 
-# Author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 129966c9-de17-4334-a123-8b58172e664d -RuleName = Potential Windows Defender AV Bypass Via Dump64.EXE Rename +# Detects when an internet hosted webdav share is mounted using the "net.exe" utility +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 7e6237fe-3ddb-438f-9381-9bf9de5af8d0 +RuleName = Windows Internet Hosted WebDav Share Mount Via Net.EXE EventType = Process.Start -Tag = proc-start-potential-windows-defender-av-bypass-via-dump64.exe-rename +Tag = proc-start-windows-internet-hosted-webdav-share-mount-via-net.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r":\\Program Files%" and Process.Path like r"%\\Microsoft Visual Studio\\%" and Process.Path like r"%\\dump64.exe" and (Process.Name == "procdump" or Process.CommandLine like r"% -ma %" or Process.CommandLine like r"% -mp %") +Annotation = {"mitre_attack": ["T1021.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and Process.CommandLine like r"% use %" and Process.CommandLine like r"% http%" [ThreatDetectionRule platform=Windows] -# Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes. 
-# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = e7888eb1-13b0-4616-bd99-4bc0c2b054b9 -RuleName = Dllhost.EXE Execution Anomaly +# Detects potential arbitrary file download using a Microsoft Office application +# Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community +RuleId = 4ae3e30b-b03f-43aa-87e3-b622f4048eed +RuleName = Potential Arbitrary File Download Using Office Application EventType = Process.Start -Tag = proc-start-dllhost.exe-execution-anomaly +Tag = proc-start-potential-arbitrary-file-download-using-office-application RiskScore = 75 -Annotation = {"mitre_attack": ["T1055"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\dllhost.exe" and (Process.CommandLine in ["dllhost.exe", "dllhost"]) and not isnull(Process.CommandLine) +Annotation = {"mitre_attack": ["T1202"], "author": "Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community"} +Query = (Process.Path like r"%\\EXCEL.EXE" or Process.Path like r"%\\POWERPNT.EXE" or Process.Path like r"%\\WINWORD.exe" or Process.Name in ["Excel.exe", "POWERPNT.EXE", "WinWord.exe"]) and (Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%") [ThreatDetectionRule platform=Windows] -# Detects a registry key used by IceID in a campaign that distributes malicious OneNote files -# Author: Hieu Tran -RuleId = 1c8e96cd-2bed-487d-9de0-b46c90cade56 -RuleName = Potential Qakbot Registry Activity +# Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. 
+# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +RuleId = 5aad0995-46ab-41bd-a9ff-724f41114971 +RuleName = Esentutl Volume Shadow Copy Service Keys EventType = Reg.Any -Tag = potential-qakbot-registry-activity +Tag = esentutl-volume-shadow-copy-service-keys RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Hieu Tran"} -Query = Reg.TargetObject like r"%\\Software\\firm\\soft\\Name" +Annotation = {"mitre_attack": ["T1003.002"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} +Query = Reg.TargetObject like r"%System\\CurrentControlSet\\Services\\VSS%" and Process.Path like r"%esentutl.exe" and not Reg.TargetObject like r"%System\\CurrentControlSet\\Services\\VSS\\Start%" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools -# Author: Florian Roth (Nextron Systems) -RuleId = efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6 -RuleName = Suspicious Program Names -EventType = Process.Start -Tag = proc-start-suspicious-program-names -RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\CVE-202%" or Process.Path like r"%\\CVE202%" or Process.Path like r"%\\poc.exe" or Process.Path like r"%\\artifact.exe" or Process.Path like r"%\\artifact64.exe" or Process.Path like r"%\\artifact\_protected.exe" or Process.Path like r"%\\artifact32.exe" or Process.Path like r"%\\artifact32big.exe" or Process.Path like r"%obfuscated.exe" or Process.Path like r"%obfusc.exe" or Process.Path like r"%\\meterpreter" or Process.CommandLine like r"%inject.ps1%" or Process.CommandLine like r"%Invoke-CVE%" or Process.CommandLine like r"%pupy.ps1%" or Process.CommandLine like r"%payload.ps1%" or Process.CommandLine like r"%beacon.ps1%" or Process.CommandLine like r"%PowerView.ps1%" or Process.CommandLine like 
r"%bypass.ps1%" or Process.CommandLine like r"%obfuscated.ps1%" or Process.CommandLine like r"%obfusc.ps1%" or Process.CommandLine like r"%obfus.ps1%" or Process.CommandLine like r"%obfs.ps1%" or Process.CommandLine like r"%evil.ps1%" or Process.CommandLine like r"%MiniDogz.ps1%" or Process.CommandLine like r"%\_enc.ps1%" or Process.CommandLine like r"%\\shell.ps1%" or Process.CommandLine like r"%\\rshell.ps1%" or Process.CommandLine like r"%revshell.ps1%" or Process.CommandLine like r"%\\av.ps1%" or Process.CommandLine like r"%\\av\_test.ps1%" or Process.CommandLine like r"%adrecon.ps1%" or Process.CommandLine like r"%mimikatz.ps1%" or Process.CommandLine like r"%\\PowerUp\_%" or Process.CommandLine like r"%powerup.ps1%" or Process.CommandLine like r"%\\Temp\\a.ps1%" or Process.CommandLine like r"%\\Temp\\p.ps1%" or Process.CommandLine like r"%\\Temp\\1.ps1%" or Process.CommandLine like r"%Hound.ps1%" or Process.CommandLine like r"%encode.ps1%" or Process.CommandLine like r"%powercat.ps1%" - - -[ThreatDetectionRule platform=Windows] -# Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt -# Author: Florian Roth (Nextron Systems) -RuleId = be344333-921d-4c4d-8bb8-e584cf584780 -RuleName = Potentially Suspicious Event Viewer Child Process -EventType = Process.Start -Tag = proc-start-potentially-suspicious-event-viewer-child-process +# Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. +# This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps. 
+# Author: Ahmed Farouk, Nasreddine Bencherchali +RuleId = a7df0e9e-91a5-459a-a003-4cde67c2ff5d +RuleName = Potentially Suspicious Command Executed Via Run Dialog Box - Registry +EventType = Reg.Any +Tag = potentially-suspicious-command-executed-via-run-dialog-box-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Florian Roth (Nextron Systems)"} -Query = Parent.Path like r"%\\eventvwr.exe" and not (Process.Path like r"%:\\Windows\\System32\\mmc.exe" or Process.Path like r"%:\\Windows\\System32\\WerFault.exe" or Process.Path like r"%:\\Windows\\SysWOW64\\WerFault.exe") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1059.001"], "author": "Ahmed Farouk, Nasreddine Bencherchali"} +Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU%" and ((Reg.Value.Data like r"%powershell%" or Reg.Value.Data like r"%pwsh%") and (Reg.Value.Data like r"% -e %" or Reg.Value.Data like r"% -ec %" or Reg.Value.Data like r"% -en %" or Reg.Value.Data like r"% -enc %" or Reg.Value.Data like r"% -enco%" or Reg.Value.Data like r"%ftp%" or Reg.Value.Data like r"%Hidden%" or Reg.Value.Data like r"%http%" or Reg.Value.Data like r"%iex%" or Reg.Value.Data like r"%Invoke-%") or Reg.Value.Data like r"%wmic%" and (Reg.Value.Data like r"%shadowcopy%" or Reg.Value.Data like r"%process call create%")) +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects Commandlet names from well-known PowerShell exploitation frameworks -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 02030f2f-6199-49ec-b258-ea71b07e03dc -RuleName = Malicious PowerShell Commandlets - ProcessCreation +# Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. 
+# Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine. +# Author: Swachchhanda Shrawan Poudel +RuleId = 8823e85d-31d8-473e-b7f4-92da070f0fc6 +RuleName = Suspicious ShellExec_RunDLL Call Via Ordinal EventType = Process.Start -Tag = proc-start-malicious-powershell-commandlets-processcreation +Tag = proc-start-suspicious-shellexec_rundll-call-via-ordinal RiskScore = 75 -Annotation = {"mitre_attack": ["T1482", "T1087", "T1087.001", "T1087.002", "T1069.001", "T1069.002", "T1069", "T1059.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%Add-Exfiltration%" or Process.CommandLine like r"%Add-Persistence%" or Process.CommandLine like r"%Add-RegBackdoor%" or Process.CommandLine like r"%Add-RemoteRegBackdoor%" or Process.CommandLine like r"%Add-ScrnSaveBackdoor%" or Process.CommandLine like r"%Check-VM%" or Process.CommandLine like r"%ConvertTo-Rc4ByteStream%" or Process.CommandLine like r"%Decrypt-Hash%" or Process.CommandLine like r"%Disable-ADIDNSNode%" or Process.CommandLine like r"%Disable-MachineAccount%" or Process.CommandLine like r"%Do-Exfiltration%" or Process.CommandLine like r"%Enable-ADIDNSNode%" or Process.CommandLine like r"%Enable-MachineAccount%" or Process.CommandLine like r"%Enabled-DuplicateToken%" or Process.CommandLine like r"%Exploit-Jboss%" or Process.CommandLine like r"%Export-ADR%" or Process.CommandLine like r"%Export-ADRCSV%" or Process.CommandLine like r"%Export-ADRExcel%" or Process.CommandLine like r"%Export-ADRHTML%" or Process.CommandLine like r"%Export-ADRJSON%" or Process.CommandLine like r"%Export-ADRXML%" or Process.CommandLine like r"%Find-Fruit%" or Process.CommandLine like r"%Find-GPOLocation%" or Process.CommandLine like r"%Find-TrustedDocuments%" or Process.CommandLine like r"%Get-ADIDNS%" or Process.CommandLine like r"%Get-ApplicationHost%" or Process.CommandLine like r"%Get-ChromeDump%" or 
Process.CommandLine like r"%Get-ClipboardContents%" or Process.CommandLine like r"%Get-FoxDump%" or Process.CommandLine like r"%Get-GPPPassword%" or Process.CommandLine like r"%Get-IndexedItem%" or Process.CommandLine like r"%Get-KerberosAESKey%" or Process.CommandLine like r"%Get-Keystrokes%" or Process.CommandLine like r"%Get-LSASecret%" or Process.CommandLine like r"%Get-MachineAccountAttribute%" or Process.CommandLine like r"%Get-MachineAccountCreator%" or Process.CommandLine like r"%Get-PassHashes%" or Process.CommandLine like r"%Get-RegAlwaysInstallElevated%" or Process.CommandLine like r"%Get-RegAutoLogon%" or Process.CommandLine like r"%Get-RemoteBootKey%" or Process.CommandLine like r"%Get-RemoteCachedCredential%" or Process.CommandLine like r"%Get-RemoteLocalAccountHash%" or Process.CommandLine like r"%Get-RemoteLSAKey%" or Process.CommandLine like r"%Get-RemoteMachineAccountHash%" or Process.CommandLine like r"%Get-RemoteNLKMKey%" or Process.CommandLine like r"%Get-RickAstley%" or Process.CommandLine like r"%Get-Screenshot%" or Process.CommandLine like r"%Get-SecurityPackages%" or Process.CommandLine like r"%Get-ServiceFilePermission%" or Process.CommandLine like r"%Get-ServicePermission%" or Process.CommandLine like r"%Get-ServiceUnquoted%" or Process.CommandLine like r"%Get-SiteListPassword%" or Process.CommandLine like r"%Get-System%" or Process.CommandLine like r"%Get-TimedScreenshot%" or Process.CommandLine like r"%Get-UnattendedInstallFile%" or Process.CommandLine like r"%Get-Unconstrained%" or Process.CommandLine like r"%Get-USBKeystrokes%" or Process.CommandLine like r"%Get-VaultCredential%" or Process.CommandLine like r"%Get-VulnAutoRun%" or Process.CommandLine like r"%Get-VulnSchTask%" or Process.CommandLine like r"%Grant-ADIDNSPermission%" or Process.CommandLine like r"%Gupt-Backdoor%" or Process.CommandLine like r"%HTTP-Login%" or Process.CommandLine like r"%Install-ServiceBinary%" or Process.CommandLine like r"%Install-SSP%" or 
Process.CommandLine like r"%Invoke-ACLScanner%" or Process.CommandLine like r"%Invoke-ADRecon%" or Process.CommandLine like r"%Invoke-ADSBackdoor%" or Process.CommandLine like r"%Invoke-AgentSmith%" or Process.CommandLine like r"%Invoke-AllChecks%" or Process.CommandLine like r"%Invoke-ARPScan%" or Process.CommandLine like r"%Invoke-AzureHound%" or Process.CommandLine like r"%Invoke-BackdoorLNK%" or Process.CommandLine like r"%Invoke-BadPotato%" or Process.CommandLine like r"%Invoke-BetterSafetyKatz%" or Process.CommandLine like r"%Invoke-BypassUAC%" or Process.CommandLine like r"%Invoke-Carbuncle%" or Process.CommandLine like r"%Invoke-Certify%" or Process.CommandLine like r"%Invoke-ConPtyShell%" or Process.CommandLine like r"%Invoke-CredentialInjection%" or Process.CommandLine like r"%Invoke-DAFT%" or Process.CommandLine like r"%Invoke-DCSync%" or Process.CommandLine like r"%Invoke-DinvokeKatz%" or Process.CommandLine like r"%Invoke-DllInjection%" or Process.CommandLine like r"%Invoke-DNSUpdate%" or Process.CommandLine like r"%Invoke-DomainPasswordSpray%" or Process.CommandLine like r"%Invoke-DowngradeAccount%" or Process.CommandLine like r"%Invoke-EgressCheck%" or Process.CommandLine like r"%Invoke-Eyewitness%" or Process.CommandLine like r"%Invoke-FakeLogonScreen%" or Process.CommandLine like r"%Invoke-Farmer%" or Process.CommandLine like r"%Invoke-Get-RBCD-Threaded%" or Process.CommandLine like r"%Invoke-Gopher%" or Process.CommandLine like r"%Invoke-Grouper%" or Process.CommandLine like r"%Invoke-HandleKatz%" or Process.CommandLine like r"%Invoke-ImpersonatedProcess%" or Process.CommandLine like r"%Invoke-ImpersonateSystem%" or Process.CommandLine like r"%Invoke-InteractiveSystemPowerShell%" or Process.CommandLine like r"%Invoke-Internalmonologue%" or Process.CommandLine like r"%Invoke-Inveigh%" or Process.CommandLine like r"%Invoke-InveighRelay%" or Process.CommandLine like r"%Invoke-KrbRelay%" or Process.CommandLine like r"%Invoke-LdapSignCheck%" or 
Process.CommandLine like r"%Invoke-Lockless%" or Process.CommandLine like r"%Invoke-MalSCCM%" or Process.CommandLine like r"%Invoke-Mimikatz%" or Process.CommandLine like r"%Invoke-Mimikittenz%" or Process.CommandLine like r"%Invoke-MITM6%" or Process.CommandLine like r"%Invoke-NanoDump%" or Process.CommandLine like r"%Invoke-NetRipper%" or Process.CommandLine like r"%Invoke-Nightmare%" or Process.CommandLine like r"%Invoke-NinjaCopy%" or Process.CommandLine like r"%Invoke-OfficeScrape%" or Process.CommandLine like r"%Invoke-OxidResolver%" or Process.CommandLine like r"%Invoke-P0wnedshell%" or Process.CommandLine like r"%Invoke-Paranoia%" or Process.CommandLine like r"%Invoke-PortScan%" or Process.CommandLine like r"%Invoke-PoshRatHttp%" or Process.CommandLine like r"%Invoke-PostExfil%" or Process.CommandLine like r"%Invoke-PowerDump%" or Process.CommandLine like r"%Invoke-PowerShellTCP%" or Process.CommandLine like r"%Invoke-PowerShellWMI%" or Process.CommandLine like r"%Invoke-PPLDump%" or Process.CommandLine like r"%Invoke-PsExec%" or Process.CommandLine like r"%Invoke-PSInject%" or Process.CommandLine like r"%Invoke-PsUaCme%" or Process.CommandLine like r"%Invoke-ReflectivePEInjection%" or Process.CommandLine like r"%Invoke-ReverseDNSLookup%" or Process.CommandLine like r"%Invoke-Rubeus%" or Process.CommandLine like r"%Invoke-RunAs%" or Process.CommandLine like r"%Invoke-SafetyKatz%" or Process.CommandLine like r"%Invoke-SauronEye%" or Process.CommandLine like r"%Invoke-SCShell%" or Process.CommandLine like r"%Invoke-Seatbelt%" or Process.CommandLine like r"%Invoke-ServiceAbuse%" or Process.CommandLine like r"%Invoke-ShadowSpray%" or Process.CommandLine like r"%Invoke-Sharp%" or Process.CommandLine like r"%Invoke-Shellcode%" or Process.CommandLine like r"%Invoke-SMBScanner%" or Process.CommandLine like r"%Invoke-Snaffler%" or Process.CommandLine like r"%Invoke-Spoolsample%" or Process.CommandLine like r"%Invoke-SpraySinglePassword%" or Process.CommandLine like 
r"%Invoke-SSHCommand%" or Process.CommandLine like r"%Invoke-StandIn%" or Process.CommandLine like r"%Invoke-StickyNotesExtract%" or Process.CommandLine like r"%Invoke-SystemCommand%" or Process.CommandLine like r"%Invoke-Tasksbackdoor%" or Process.CommandLine like r"%Invoke-Tater%" or Process.CommandLine like r"%Invoke-Thunderfox%" or Process.CommandLine like r"%Invoke-ThunderStruck%" or Process.CommandLine like r"%Invoke-TokenManipulation%" or Process.CommandLine like r"%Invoke-Tokenvator%" or Process.CommandLine like r"%Invoke-TotalExec%" or Process.CommandLine like r"%Invoke-UrbanBishop%" or Process.CommandLine like r"%Invoke-UserHunter%" or Process.CommandLine like r"%Invoke-VoiceTroll%" or Process.CommandLine like r"%Invoke-Whisker%" or Process.CommandLine like r"%Invoke-WinEnum%" or Process.CommandLine like r"%Invoke-winPEAS%" or Process.CommandLine like r"%Invoke-WireTap%" or Process.CommandLine like r"%Invoke-WmiCommand%" or Process.CommandLine like r"%Invoke-WMIExec%" or Process.CommandLine like r"%Invoke-WScriptBypassUAC%" or Process.CommandLine like r"%Invoke-Zerologon%" or Process.CommandLine like r"%MailRaider%" or Process.CommandLine like r"%New-ADIDNSNode%" or Process.CommandLine like r"%New-DNSRecordArray%" or Process.CommandLine like r"%New-HoneyHash%" or Process.CommandLine like r"%New-InMemoryModule%" or Process.CommandLine like r"%New-MachineAccount%" or Process.CommandLine like r"%New-SOASerialNumberArray%" or Process.CommandLine like r"%Out-Minidump%" or Process.CommandLine like r"%Port-Scan%" or Process.CommandLine like r"%PowerBreach%" or Process.CommandLine like r"%powercat %" or Process.CommandLine like r"%PowerUp%" or Process.CommandLine like r"%PowerView%" or Process.CommandLine like r"%Remove-ADIDNSNode%" or Process.CommandLine like r"%Remove-MachineAccount%" or Process.CommandLine like r"%Remove-Update%" or Process.CommandLine like r"%Rename-ADIDNSNode%" or Process.CommandLine like r"%Revoke-ADIDNSPermission%" or Process.CommandLine 
like r"%Set-ADIDNSNode%" or Process.CommandLine like r"%Set-MacAttribute%" or Process.CommandLine like r"%Set-MachineAccountAttribute%" or Process.CommandLine like r"%Set-Wallpaper%" or Process.CommandLine like r"%Show-TargetScreen%" or Process.CommandLine like r"%Start-CaptureServer%" or Process.CommandLine like r"%Start-Dnscat2%" or Process.CommandLine like r"%Start-WebcamRecorder%" or Process.CommandLine like r"%VolumeShadowCopyTools%" +Annotation = {"mitre_attack": ["T1218.011"], "author": "Swachchhanda Shrawan Poudel"} +Query = Parent.CommandLine like r"%SHELL32.DLL%" and (Parent.CommandLine like r"%#568%" or Parent.CommandLine like r"%#570%" or Parent.CommandLine like r"%#572%" or Parent.CommandLine like r"%#576%") and (Parent.CommandLine like r"%comspec%" or Parent.CommandLine like r"%iex%" or Parent.CommandLine like r"%Invoke-%" or Parent.CommandLine like r"%msiexec%" or Parent.CommandLine like r"%odbcconf%" or Parent.CommandLine like r"%regsvr32%" or Parent.CommandLine like r"%\\Desktop\\%" or Parent.CommandLine like r"%\\ProgramData\\%" or Parent.CommandLine like r"%\\Temp\\%" or Parent.CommandLine like r"%\\Users\\Public\\%" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\curl.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\msxsl.exe" or Process.Path like r"%\\odbcconf.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") +GenericProperty1 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. 
-# Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) -RuleId = c86500e9-a645-4680-98d7-f882c70c1ea3 -RuleName = AADInternals PowerShell Cmdlets Execution - ProccessCreation +# load malicious registered COM objects +# Author: frack113 +RuleId = f1edd233-30b5-4823-9e6a-c4171b24d316 +RuleName = Rundll32 Registered COM Objects EventType = Process.Start -Tag = proc-start-aadinternals-powershell-cmdlets-execution-proccesscreation +Tag = proc-start-rundll32-registered-com-objects RiskScore = 75 -Annotation = {"author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.Exe", "pwsh.dll"]) and (Process.CommandLine like r"%Add-AADInt%" or Process.CommandLine like r"%ConvertTo-AADInt%" or Process.CommandLine like r"%Disable-AADInt%" or Process.CommandLine like r"%Enable-AADInt%" or Process.CommandLine like r"%Export-AADInt%" or Process.CommandLine like r"%Find-AADInt%" or Process.CommandLine like r"%Get-AADInt%" or Process.CommandLine like r"%Grant-AADInt%" or Process.CommandLine like r"%Initialize-AADInt%" or Process.CommandLine like r"%Install-AADInt%" or Process.CommandLine like r"%Invoke-AADInt%" or Process.CommandLine like r"%Join-AADInt%" or Process.CommandLine like r"%New-AADInt%" or Process.CommandLine like r"%Open-AADInt%" or Process.CommandLine like r"%Read-AADInt%" or Process.CommandLine like r"%Register-AADInt%" or Process.CommandLine like r"%Remove-AADInt%" or Process.CommandLine like r"%Reset-AADInt%" or Process.CommandLine like r"%Resolve-AADInt%" or Process.CommandLine like r"%Restore-AADInt%" or Process.CommandLine like r"%Save-AADInt%" or Process.CommandLine like r"%Search-AADInt%" or Process.CommandLine like r"%Send-AADInt%" or Process.CommandLine 
like r"%Set-AADInt%" or Process.CommandLine like r"%Start-AADInt%" or Process.CommandLine like r"%Unprotect-AADInt%" or Process.CommandLine like r"%Update-AADInt%") +Annotation = {"mitre_attack": ["T1546.015"], "author": "frack113"} +Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and (Process.CommandLine like r"%-sta %" or Process.CommandLine like r"%-localserver %") and Process.CommandLine like r"%{%" and Process.CommandLine like r"%}%" [ThreatDetectionRule platform=Windows] -# Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows -# Author: Florian Roth (Nextron Systems) -RuleId = 679085d5-f427-4484-9f58-1dc30a7c426d -RuleName = WinDivert Driver Load -EventType = Driver.Load -Tag = windivert-driver-load +# Detects PowerShell writing startup shortcuts. +# This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. +# Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. 
+# In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" +# Author: Christopher Peacock '@securepeacock', SCYTHE +RuleId = 92fa78e7-4d39-45f1-91a3-8b23f3f1088d +RuleName = Potential Startup Shortcut Persistence Via PowerShell.EXE +EventType = File.Create +Tag = potential-startup-shortcut-persistence-via-powershell.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1599.001", "T1557.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Image.Path like r"%\\WinDivert.sys%" or Image.Path like r"%\\WinDivert64.sys%" or Image.Path like r"%\\NordDivert.sys%" or Image.Path like r"%\\lingtiwfp.sys%" or Image.Path like r"%\\eswfp.sys%" or Image.Hashes like r"%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%" or Image.Hashes like r"%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%" or Image.Hashes like r"%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%" or Image.Hashes like r"%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%" or Image.Hashes like r"%IMPHASH=58623490691babe8330adc81cd04a663%" or Image.Hashes like r"%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%" or Image.Hashes like r"%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%" or Image.Hashes like r"%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%" or Image.Hashes like r"%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%" or Image.Hashes like r"%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%" or Image.Hashes like r"%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%" or Image.Hashes like r"%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%" or Image.Hashes like r"%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%" or Image.Hashes like r"%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%" or Image.Hashes like r"%IMPHASH=a74929edfc3289895e3f2885278947ae%" or Image.Hashes like r"%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%" or Image.Hashes like r"%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%" or Image.Hashes like r"%IMPHASH=c28cd6ccd83179e79dac132a553693d9%" -GenericProperty1 = Image.Path 
-GenericProperty2 = Image.Hashes +Annotation = {"mitre_attack": ["T1547.001"], "author": "Christopher Peacock '@securepeacock', SCYTHE"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and File.Path like r"%\\start menu\\programs\\startup\\%" and File.Path like r"%.lnk" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) -# Author: Florian Roth (Nextron Systems) -RuleId = fcdf69e5-a3d3-452a-9724-26f2308bf2b1 -RuleName = Phishing Pattern ISO in Archive +# Detects potentially suspicious child processes of "aspnet_compiler.exe". +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 9ccba514-7cb6-4c5c-b377-700758f2f120 +RuleName = Suspicious Child Process of AspNetCompiler EventType = Process.Start -Tag = proc-start-phishing-pattern-iso-in-archive +Tag = proc-start-suspicious-child-process-of-aspnetcompiler RiskScore = 75 -Annotation = {"mitre_attack": ["T1566"], "author": "Florian Roth (Nextron Systems)"} -Query = (Parent.Path like r"%\\Winrar.exe" or Parent.Path like r"%\\7zFM.exe" or Parent.Path like r"%\\peazip.exe") and (Process.Path like r"%\\isoburn.exe" or Process.Path like r"%\\PowerISO.exe" or Process.Path like r"%\\ImgBurn.exe") +Annotation = {"mitre_attack": ["T1127"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Parent.Path like r"%\\aspnet\_compiler.exe" and (Process.Path like r"%\\calc.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\AppData\\Local\\Temp\\%" or Process.Path like r"%\\AppData\\Local\\Roaming\\%" or Process.Path like r"%:\\Temp\\%" or Process.Path like r"%:\\Windows\\Temp\\%" or Process.Path like r"%:\\Windows\\System32\\Tasks\\%" or Process.Path 
like r"%:\\Windows\\Tasks\\%") GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects when an attacker register a new SIP provider for persistence and defense evasion -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 92772523-d9c1-4c93-9547-b0ca500baba3 -RuleName = Potential Persistence Via Mpnotify +# Detects changes to the NGenAssemblyUsageLog registry key. +# .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). +# By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created. +# Author: frack113 +RuleId = 28036918-04d3-423d-91c0-55ecf99fb892 +RuleName = NET NGenAssemblyUsageLog Registry Key Tamper EventType = Reg.Any -Tag = potential-persistence-via-mpnotify +Tag = net-ngenassemblyusagelog-registry-key-tamper RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify%" +Annotation = {"mitre_attack": ["T1112"], "author": "frack113"} +Query = Reg.TargetObject like r"%SOFTWARE\\Microsoft\\.NETFramework\\NGenAssemblyUsageLog" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects potentially suspicious file downloads from file sharing domains using wget.exe -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = a0d7e4d2-bede-4141-8896-bc6e237e977c -RuleName = Suspicious File Download From File Sharing Domain Via Wget.EXE +# Detects suspicious Splwow64.exe process without any command line parameters +# Author: Florian Roth (Nextron Systems) +RuleId = 1f1a8509-2cbb-44f5-8751-8e1571518ce2 +RuleName = Suspicious Splwow64 Without Params EventType = Process.Start -Tag = 
proc-start-suspicious-file-download-from-file-sharing-domain-via-wget.exe +Tag = proc-start-suspicious-splwow64-without-params RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\wget.exe" or Process.Name == "wget.exe") and (Process.CommandLine like r"%.githubusercontent.com%" or Process.CommandLine like r"%anonfiles.com%" or Process.CommandLine like r"%cdn.discordapp.com%" or Process.CommandLine like r"%ddns.net%" or Process.CommandLine like r"%dl.dropboxusercontent.com%" or Process.CommandLine like r"%ghostbin.co%" or Process.CommandLine like r"%glitch.me%" or Process.CommandLine like r"%gofile.io%" or Process.CommandLine like r"%hastebin.com%" or Process.CommandLine like r"%mediafire.com%" or Process.CommandLine like r"%mega.nz%" or Process.CommandLine like r"%onrender.com%" or Process.CommandLine like r"%pages.dev%" or Process.CommandLine like r"%paste.ee%" or Process.CommandLine like r"%pastebin.com%" or Process.CommandLine like r"%pastebin.pl%" or Process.CommandLine like r"%pastetext.net%" or Process.CommandLine like r"%pixeldrain.com%" or Process.CommandLine like r"%privatlab.com%" or Process.CommandLine like r"%privatlab.net%" or Process.CommandLine like r"%send.exploit.in%" or Process.CommandLine like r"%sendspace.com%" or Process.CommandLine like r"%storage.googleapis.com%" or Process.CommandLine like r"%storjshare.io%" or Process.CommandLine like r"%supabase.co%" or Process.CommandLine like r"%temp.sh%" or Process.CommandLine like r"%transfer.sh%" or Process.CommandLine like r"%trycloudflare.com%" or Process.CommandLine like r"%ufile.io%" or Process.CommandLine like r"%w3spaces.com%" or Process.CommandLine like r"%workers.dev%") and Process.CommandLine like r"%http%" and (Process.CommandLine regex "\\s-O\\s" or Process.CommandLine like r"%--output-document%") and (Process.CommandLine like r"%.ps1" or Process.CommandLine like r"%.ps1'" or Process.CommandLine like r"%.ps1\"" or 
Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.dat'" or Process.CommandLine like r"%.dat\"" or Process.CommandLine like r"%.msi" or Process.CommandLine like r"%.msi'" or Process.CommandLine like r"%.msi\"" or Process.CommandLine like r"%.bat" or Process.CommandLine like r"%.bat'" or Process.CommandLine like r"%.bat\"" or Process.CommandLine like r"%.exe" or Process.CommandLine like r"%.exe'" or Process.CommandLine like r"%.exe\"" or Process.CommandLine like r"%.vbs" or Process.CommandLine like r"%.vbs'" or Process.CommandLine like r"%.vbs\"" or Process.CommandLine like r"%.vbe" or Process.CommandLine like r"%.vbe'" or Process.CommandLine like r"%.vbe\"" or Process.CommandLine like r"%.hta" or Process.CommandLine like r"%.hta'" or Process.CommandLine like r"%.hta\"" or Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.dll'" or Process.CommandLine like r"%.dll\"" or Process.CommandLine like r"%.psm1" or Process.CommandLine like r"%.psm1'" or Process.CommandLine like r"%.psm1\"") +Annotation = {"mitre_attack": ["T1202"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\splwow64.exe" and Process.CommandLine like r"%splwow64.exe" [ThreatDetectionRule platform=Windows] -# Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet -# Author: Florian Roth (Nextron Systems) -RuleId = bb58aa4a-b80b-415a-a2c0-2f65a4c81009 -RuleName = Suspicious Desktopimgdownldr Command +# Detects various indicators of Microsoft Connection Manager Profile Installer execution +# Author: Nik Seetharaman +RuleId = 7d4cdc5a-0076-40ca-aac8-f7e714570e47 +RuleName = CMSTP Execution Process Creation EventType = Process.Start -Tag = proc-start-suspicious-desktopimgdownldr-command +Tag = proc-start-cmstp-execution-process-creation RiskScore = 75 -Annotation = {"mitre_attack": ["T1105"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"% /lockscreenurl:%" 
and not (Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.png%") or Process.CommandLine like r"%reg delete%" and Process.CommandLine like r"%\\PersonalizationCSP%" +Annotation = {"mitre_attack": ["T1218.003"], "author": "Nik Seetharaman"} +Query = Parent.Path like r"%\\cmstp.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens) -# Author: Max Altgelt (Nextron Systems) -RuleId = 8a4519e8-e64a-40b6-ae85-ba8ad2177559 -RuleName = Renamed BrowserCore.EXE Execution +# Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution. +# Author: omkar72, oscd.community +RuleId = 4508a70e-97ef-4300-b62b-ff27992990ea +RuleName = DotNet CLR DLL Loaded By Scripting Applications +EventType = Image.Load +Tag = dotnet-clr-dll-loaded-by-scripting-applications +RiskScore = 75 +Annotation = {"mitre_attack": ["T1055"], "author": "omkar72, oscd.community"} +Query = (Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msxsl.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") and (Image.Path like r"%\\clr.dll" or Image.Path like r"%\\mscoree.dll" or Image.Path like r"%\\mscorlib.dll") +GenericProperty1 = Image.Path + + +[ThreatDetectionRule platform=Windows] +# Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. 
+# Author: Sreeman, Nasreddine Bencherchali (Nextron Systems) +RuleId = 21dd6d38-2b18-4453-9404-a0fe4a0cc288 +RuleName = Curl Download And Execute Combination EventType = Process.Start -Tag = proc-start-renamed-browsercore.exe-execution +Tag = proc-start-curl-download-and-execute-combination RiskScore = 75 -Annotation = {"mitre_attack": ["T1528", "T1036.003"], "author": "Max Altgelt (Nextron Systems)"} -Query = Process.Name == "BrowserCore.exe" and not Process.Path like r"%\\BrowserCore.exe" +Annotation = {"mitre_attack": ["T1218", "T1105"], "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.CommandLine like r"% -c %" or Process.CommandLine like r"% /c %" or Process.CommandLine like r"% –c %" or Process.CommandLine like r"% —c %" or Process.CommandLine like r"% ―c %") and Process.CommandLine like r"%curl %" and Process.CommandLine like r"%http%" and Process.CommandLine like r"%-o%" and Process.CommandLine like r"%&%" [ThreatDetectionRule platform=Windows] -# Detects initiated network connections to crypto mining pools +# Detects uninstallation or termination of security products using the WMIC utility # Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = fa5b1358-b040-4403-9868-15f7d9ab6329 -RuleName = Network Communication With Crypto Mining Pool -EventType = Net.Any -Tag = network-communication-with-crypto-mining-pool +RuleId = 847d5ff3-8a31-4737-a970-aeae8fe21765 +RuleName = Potential Tampering With Security Products Via WMIC +EventType = Process.Start +Tag = proc-start-potential-tampering-with-security-products-via-wmic RiskScore = 75 -Annotation = {"mitre_attack": ["T1496"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = Net.Target.Name in ["alimabi.cn", "ap.luckpool.net", "bcn.pool.minergate.com", "bcn.vip.pool.minergate.com", "bohemianpool.com", "ca-aipg.miningocean.org", "ca-dynex.miningocean.org", "ca-neurai.miningocean.org", 
"ca-qrl.miningocean.org", "ca-upx.miningocean.org", "ca-zephyr.miningocean.org", "ca.minexmr.com", "ca.monero.herominers.com", "cbd.monerpool.org", "cbdv2.monerpool.org", "cryptmonero.com", "crypto-pool.fr", "crypto-pool.info", "cryptonight-hub.miningpoolhub.com", "d1pool.ddns.net", "d5pool.us", "daili01.monerpool.org", "de-aipg.miningocean.org", "de-dynex.miningocean.org", "de-zephyr.miningocean.org", "de.minexmr.com", "dl.nbminer.com", "donate.graef.in", "donate.ssl.xmrig.com", "donate.v2.xmrig.com", "donate.xmrig.com", "donate2.graef.in", "drill.moneroworld.com", "dwarfpool.com", "emercoin.com", "emercoin.net", "emergate.net", "ethereumpool.co", "eu.luckpool.net", "eu.minerpool.pw", "fcn-xmr.pool.minergate.com", "fee.xmrig.com", "fr-aipg.miningocean.org", "fr-dynex.miningocean.org", "fr-neurai.miningocean.org", "fr-qrl.miningocean.org", "fr-upx.miningocean.org", "fr-zephyr.miningocean.org", "fr.minexmr.com", "hellominer.com", "herominers.com", "hk-aipg.miningocean.org", "hk-dynex.miningocean.org", "hk-neurai.miningocean.org", "hk-qrl.miningocean.org", "hk-upx.miningocean.org", "hk-zephyr.miningocean.org", "huadong1-aeon.ppxxmr.com", "iwanttoearn.money", "jw-js1.ppxxmr.com", "koto-pool.work", "lhr.nbminer.com", "lhr3.nbminer.com", "linux.monerpool.org", "lokiturtle.herominers.com", "luckpool.net", "masari.miner.rocks", "mine.c3pool.com", "mine.moneropool.com", "mine.ppxxmr.com", "mine.zpool.ca", "mine1.ppxxmr.com", "minemonero.gq", "miner.ppxxmr.com", "miner.rocks", "minercircle.com", "minergate.com", "minerpool.pw", "minerrocks.com", "miners.pro", "minerxmr.ru", "minexmr.cn", "minexmr.com", "mining-help.ru", "miningpoolhub.com", "mixpools.org", "moner.monerpool.org", "moner1min.monerpool.org", "monero-master.crypto-pool.fr", "monero.crypto-pool.fr", "monero.hashvault.pro", "monero.herominers.com", "monero.lindon-pool.win", "monero.miners.pro", "monero.riefly.id", "monero.us.to", "monerocean.stream", "monerogb.com", "monerohash.com", "moneroocean.stream", 
"moneropool.com", "moneropool.nl", "monerorx.com", "monerpool.org", "moriaxmr.com", "mro.pool.minergate.com", "multipool.us", "myxmr.pw", "na.luckpool.net", "nanopool.org", "nbminer.com", "node3.luckpool.net", "noobxmr.com", "pangolinminer.comgandalph3000.com", "pool.4i7i.com", "pool.armornetwork.org", "pool.cortins.tk", "pool.gntl.co.uk", "pool.hashvault.pro", "pool.minergate.com", "pool.minexmr.com", "pool.monero.hashvault.pro", "pool.ppxxmr.com", "pool.somec.cc", "pool.support", "pool.supportxmr.com", "pool.usa-138.com", "pool.xmr.pt", "pool.xmrfast.com", "pool2.armornetwork.org", "poolchange.ppxxmr.com", "pooldd.com", "poolmining.org", "poolto.be", "ppxvip1.ppxxmr.com", "ppxxmr.com", "prohash.net", "r.twotouchauthentication.online", "randomx.xmrig.com", "ratchetmining.com", "seed.emercoin.com", "seed.emercoin.net", "seed.emergate.net", "seed1.joulecoin.org", "seed2.joulecoin.org", "seed3.joulecoin.org", "seed4.joulecoin.org", "seed5.joulecoin.org", "seed6.joulecoin.org", "seed7.joulecoin.org", "seed8.joulecoin.org", "sg-aipg.miningocean.org", "sg-dynex.miningocean.org", "sg-neurai.miningocean.org", "sg-qrl.miningocean.org", "sg-upx.miningocean.org", "sg-zephyr.miningocean.org", "sg.minexmr.com", "sheepman.mine.bz", "siamining.com", "sumokoin.minerrocks.com", "supportxmr.com", "suprnova.cc", "teracycle.net", "trtl.cnpool.cc", "trtl.pool.mine2gether.com", "turtle.miner.rocks", "us-aipg.miningocean.org", "us-dynex.miningocean.org", "us-neurai.miningocean.org", "us-west.minexmr.com", "us-zephyr.miningocean.org", "usxmrpool.com", "viaxmr.com", "webservicepag.webhop.net", "xiazai.monerpool.org", "xiazai1.monerpool.org", "xmc.pool.minergate.com", "xmo.pool.minergate.com", "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-us.suprnova.cc", "xmr-usa.dwarfpool.com", "xmr.2miners.com", "xmr.5b6b7b.ru", "xmr.alimabi.cn", 
"xmr.bohemianpool.com", "xmr.crypto-pool.fr", "xmr.crypto-pool.info", "xmr.f2pool.com", "xmr.hashcity.org", "xmr.hex7e4.ru", "xmr.ip28.net", "xmr.monerpool.org", "xmr.mypool.online", "xmr.nanopool.org", "xmr.pool.gntl.co.uk", "xmr.pool.minergate.com", "xmr.poolto.be", "xmr.ppxxmr.com", "xmr.prohash.net", "xmr.simka.pw", "xmr.somec.cc", "xmr.suprnova.cc", "xmr.usa-138.com", "xmr.vip.pool.minergate.com", "xmr1min.monerpool.org", "xmrf.520fjh.org", "xmrf.fjhan.club", "xmrfast.com", "xmrigcc.graef.in", "xmrminer.cc", "xmrpool.de", "xmrpool.eu", "xmrpool.me", "xmrpool.net", "xmrpool.xyz", "xx11m.monerpool.org", "xx11mv2.monerpool.org", "xxx.hex7e4.ru", "zarabotaibitok.ru", "zer0day.ru"] -GenericProperty1 = Net.Target.Name +Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.CommandLine like r"%wmic%" and Process.CommandLine like r"%product where %" and Process.CommandLine like r"%call%" and Process.CommandLine like r"%uninstall%" and Process.CommandLine like r"%/nointeractive%" or Process.CommandLine like r"%wmic%" and Process.CommandLine like r"%caption like %" and (Process.CommandLine like r"%call delete%" or Process.CommandLine like r"%call terminate%") or Process.CommandLine like r"%process %" and Process.CommandLine like r"%where %" and Process.CommandLine like r"%delete%") and (Process.CommandLine like r"%\%carbon\%%" or Process.CommandLine like r"%\%cylance\%%" or Process.CommandLine like r"%\%endpoint\%%" or Process.CommandLine like r"%\%eset\%%" or Process.CommandLine like r"%\%malware\%%" or Process.CommandLine like r"%\%Sophos\%%" or Process.CommandLine like r"%\%symantec\%%" or Process.CommandLine like r"%Antivirus%" or Process.CommandLine like r"%AVG %" or Process.CommandLine like r"%Carbon Black%" or Process.CommandLine like r"%CarbonBlack%" or Process.CommandLine like r"%Cb Defense Sensor 64-bit%" or Process.CommandLine like r"%Crowdstrike Sensor%" or 
Process.CommandLine like r"%Cylance %" or Process.CommandLine like r"%Dell Threat Defense%" or Process.CommandLine like r"%DLP Endpoint%" or Process.CommandLine like r"%Endpoint Detection%" or Process.CommandLine like r"%Endpoint Protection%" or Process.CommandLine like r"%Endpoint Security%" or Process.CommandLine like r"%Endpoint Sensor%" or Process.CommandLine like r"%ESET File Security%" or Process.CommandLine like r"%LogRhythm System Monitor Service%" or Process.CommandLine like r"%Malwarebytes%" or Process.CommandLine like r"%McAfee Agent%" or Process.CommandLine like r"%Microsoft Security Client%" or Process.CommandLine like r"%Sophos Anti-Virus%" or Process.CommandLine like r"%Sophos AutoUpdate%" or Process.CommandLine like r"%Sophos Credential Store%" or Process.CommandLine like r"%Sophos Management Console%" or Process.CommandLine like r"%Sophos Management Database%" or Process.CommandLine like r"%Sophos Management Server%" or Process.CommandLine like r"%Sophos Remote Management System%" or Process.CommandLine like r"%Sophos Update Manager%" or Process.CommandLine like r"%Threat Protection%" or Process.CommandLine like r"%VirusScan%" or Process.CommandLine like r"%Webroot SecureAnywhere%" or Process.CommandLine like r"%Windows Defender%") [ThreatDetectionRule platform=Windows] -# Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation -# Author: Florian Roth (Nextron Systems) -RuleId = 023394c4-29d5-46ab-92b8-6a534c6f447b -RuleName = Suspicious HWP Sub Processes +# Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. +# Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges. 
+# Author: X__Junior (Nextron Systems) +RuleId = ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99 +RuleName = Wusa.EXE Executed By Parent Process Located In Suspicious Location EventType = Process.Start -Tag = proc-start-suspicious-hwp-sub-processes +Tag = proc-start-wusa.exe-executed-by-parent-process-located-in-suspicious-location RiskScore = 75 -Annotation = {"mitre_attack": ["T1566.001", "T1203", "T1059.003"], "author": "Florian Roth (Nextron Systems)"} -Query = Parent.Path like r"%\\Hwp.exe" and Process.Path like r"%\\gbb.exe" +Annotation = {"author": "X__Junior (Nextron Systems)"} +Query = Process.Path like r"%\\wusa.exe" and (Parent.Path like r"%:\\Perflogs\\%" or Parent.Path like r"%:\\Users\\Public\\%" or Parent.Path like r"%:\\Windows\\Temp\\%" or Parent.Path like r"%\\Appdata\\Local\\Temp\\%" or Parent.Path like r"%\\Temporary Internet%" or Parent.Path like r"%:\\Users\\%" and Parent.Path like r"%\\Favorites\\%" or Parent.Path like r"%:\\Users\\%" and Parent.Path like r"%\\Favourites\\%" or Parent.Path like r"%:\\Users\\%" and Parent.Path like r"%\\Contacts\\%" or Parent.Path like r"%:\\Users\\%" and Parent.Path like r"%\\Pictures\\%") and not Process.CommandLine like r"%.msu%" GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors +# Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS. 
+# Author: @pbssubhash +RuleId = 33efc23c-6ea2-4503-8cfe-bdf82ce8f719 +RuleName = Lsass Full Dump Request Via DumpType Registry Settings +EventType = Reg.Any +Tag = lsass-full-dump-request-via-dumptype-registry-settings +RiskScore = 75 +Annotation = {"mitre_attack": ["T1003.001"], "author": "@pbssubhash"} +Query = (Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType%" or Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType%") and Reg.Value.Data == "DWORD (0x00000002)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data + + +[ThreatDetectionRule platform=Windows] +# Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains # Author: Florian Roth (Nextron Systems) -RuleId = f14e169e-9978-4c69-acb3-1cff8200bc36 -RuleName = Suspicious GrpConv Execution +RuleId = b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c +RuleName = Suspicious PowerShell Encoded Command Patterns EventType = Process.Start -Tag = proc-start-suspicious-grpconv-execution +Tag = proc-start-suspicious-powershell-encoded-command-patterns RiskScore = 75 -Annotation = {"mitre_attack": ["T1547"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%grpconv.exe -o%" or Process.CommandLine like r"%grpconv -o%" +Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.Exe", "pwsh.dll"]) and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"% -en %" or Process.CommandLine like r"% -enc %" or Process.CommandLine like r"% -enco%") and (Process.CommandLine like r"% JAB%" or Process.CommandLine like r"% SUVYI%" or Process.CommandLine like r"% SQBFAFgA%" or Process.CommandLine like r"% aWV4I%" or Process.CommandLine like r"% 
IAB%" or Process.CommandLine like r"% PAA%" or Process.CommandLine like r"% aQBlAHgA%") and not (Parent.Path like r"%C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\%" or Parent.Path like r"%\\gc\_worker.exe%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) -# Author: Christian Burkard (Nextron Systems) -RuleId = 68578b43-65df-4f81-9a9b-92f32711a951 -RuleName = UAC Bypass Using Windows Media Player - File +# Detects AnyDesk writing binary files to disk other than "gcapi.dll". +# According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, +# which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details) +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 2d367498-5112-4ae5-a06a-96e7bc33a211 +RuleName = Suspicious Binary Writes Via AnyDesk EventType = File.Create -Tag = uac-bypass-using-windows-media-player-file +Tag = suspicious-binary-writes-via-anydesk RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} -Query = File.Path like r"C:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Temp\\OskSupport.dll" or Process.Path == "C:\\Windows\\system32\\DllHost.exe" and File.Path == "C:\\Program Files\\Windows Media Player\\osk.exe" +Annotation = {"mitre_attack": ["T1219"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\anydesk.exe" and (File.Path like r"%.dll" or File.Path like r"%.exe") and not File.Path like r"%\\gcapi.dll" GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. 
-# Author: Ensar Şamil, @sblmsrsn, @oscd_initiative -RuleId = e76c8240-d68f-4773-8880-5c6f63595aaf -RuleName = Time Travel Debugging Utility Usage - Image -EventType = Image.Load -Tag = time-travel-debugging-utility-usage-image +# Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism +# Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) +RuleId = cc7abbd0-762b-41e3-8a26-57ad50d2eea3 +RuleName = MSHTA Suspicious Execution 01 +EventType = Process.Start +Tag = proc-start-mshta-suspicious-execution-01 RiskScore = 75 -Annotation = {"mitre_attack": ["T1218", "T1003.001"], "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative"} -Query = Image.Path like r"%\\ttdrecord.dll" or Image.Path like r"%\\ttdwriter.dll" or Image.Path like r"%\\ttdloader.dll" -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1140", "T1218.005", "T1059.007"], "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)"} +Query = Process.Path like r"%\\mshta.exe" and (Process.CommandLine like r"%vbscript%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.lnk%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.zip%" or Process.CommandLine like r"%.dll%") [ThreatDetectionRule platform=Windows] -# Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed). 
-# Author: frack113 -RuleId = 37db85d1-b089-490a-a59a-c7b6f984f480 -RuleName = Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE +# This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder +# Author: Max Altgelt (Nextron Systems) +RuleId = fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4 +RuleName = Execution of Powershell Script in Public Folder EventType = Process.Start -Tag = proc-start-sysmon-discovery-via-default-driver-altitude-using-findstr.exe +Tag = proc-start-execution-of-powershell-script-in-public-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1518.001"], "author": "frack113"} -Query = (Process.Path like r"%\\find.exe" or Process.Path like r"%\\findstr.exe" or Process.Name in ["FIND.EXE", "FINDSTR.EXE"]) and Process.CommandLine like r"% 385201%" +Annotation = {"mitre_attack": ["T1059.001"], "author": "Max Altgelt (Nextron Systems)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%-f C:\\Users\\Public%" or Process.CommandLine like r"%-f \"C:\\Users\\Public%" or Process.CommandLine like r"%-f \%Public\%%" or Process.CommandLine like r"%-fi C:\\Users\\Public%" or Process.CommandLine like r"%-fi \"C:\\Users\\Public%" or Process.CommandLine like r"%-fi \%Public\%%" or Process.CommandLine like r"%-fil C:\\Users\\Public%" or Process.CommandLine like r"%-fil \"C:\\Users\\Public%" or Process.CommandLine like r"%-fil \%Public\%%" or Process.CommandLine like r"%-file C:\\Users\\Public%" or Process.CommandLine like r"%-file \"C:\\Users\\Public%" or Process.CommandLine like r"%-file \%Public\%%") [ThreatDetectionRule platform=Windows] -# Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. -# This behavior has been observed in-the-wild by different threat actors. 
-# Author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems) -RuleId = b2b048b0-7857-4380-b0fb-d3f0ab820b71 -RuleName = Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location +# Detect execution of suspicious double extension files in ParentCommandLine +# Author: frack113, Nasreddine Bencherchali (Nextron Systems) +RuleId = 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c +RuleName = Suspicious Parent Double Extension File Execution EventType = Process.Start -Tag = proc-start-self-extracting-package-creation-via-iexpress.exe-from-potentially-suspicious-location +Tag = proc-start-suspicious-parent-double-extension-file-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1218"], "author": "Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\iexpress.exe" or Process.Name == "IEXPRESS.exe") and (Process.CommandLine like r"% -n %" or Process.CommandLine like r"% /n %" or Process.CommandLine like r"% –n %" or Process.CommandLine like r"% —n %" or Process.CommandLine like r"% ―n %") and (Process.CommandLine like r"%:\\ProgramData\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%") +Annotation = {"mitre_attack": ["T1036.007"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"} +Query = Parent.Path like r"%.doc.lnk" or Parent.Path like r"%.docx.lnk" or Parent.Path like r"%.xls.lnk" or Parent.Path like r"%.xlsx.lnk" or Parent.Path like r"%.ppt.lnk" or Parent.Path like r"%.pptx.lnk" or Parent.Path like r"%.rtf.lnk" or Parent.Path like r"%.pdf.lnk" or Parent.Path like r"%.txt.lnk" or Parent.Path like r"%.doc.js" or Parent.Path like r"%.docx.js" or Parent.Path like r"%.xls.js" or Parent.Path like r"%.xlsx.js" or Parent.Path like 
r"%.ppt.js" or Parent.Path like r"%.pptx.js" or Parent.Path like r"%.rtf.js" or Parent.Path like r"%.pdf.js" or Parent.Path like r"%.txt.js" or Parent.CommandLine like r"%.doc.lnk%" or Parent.CommandLine like r"%.docx.lnk%" or Parent.CommandLine like r"%.xls.lnk%" or Parent.CommandLine like r"%.xlsx.lnk%" or Parent.CommandLine like r"%.ppt.lnk%" or Parent.CommandLine like r"%.pptx.lnk%" or Parent.CommandLine like r"%.rtf.lnk%" or Parent.CommandLine like r"%.pdf.lnk%" or Parent.CommandLine like r"%.txt.lnk%" or Parent.CommandLine like r"%.doc.js%" or Parent.CommandLine like r"%.docx.js%" or Parent.CommandLine like r"%.xls.js%" or Parent.CommandLine like r"%.xlsx.js%" or Parent.CommandLine like r"%.ppt.js%" or Parent.CommandLine like r"%.pptx.js%" or Parent.CommandLine like r"%.rtf.js%" or Parent.CommandLine like r"%.pdf.js%" or Parent.CommandLine like r"%.txt.js%" +GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool) -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = f50f3c09-557d-492d-81db-9064a8d4e211 -RuleName = Suspicious Execution Of Renamed Sysinternals Tools - Registry +# Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. 
+# Author: oscd.community, Dmitry Uchakin +RuleId = 6ea3bf32-9680-422d-9f50-e90716b12a66 +RuleName = UAC Bypass Via Wsreset EventType = Reg.Any -Tag = suspicious-execution-of-renamed-sysinternals-tools-registry +Tag = uac-bypass-via-wsreset RiskScore = 75 -Annotation = {"mitre_attack": ["T1588.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.EventType == "CreateKey" and (Reg.TargetObject like r"%\\Active Directory Explorer%" or Reg.TargetObject like r"%\\Handle%" or Reg.TargetObject like r"%\\LiveKd%" or Reg.TargetObject like r"%\\ProcDump%" or Reg.TargetObject like r"%\\Process Explorer%" or Reg.TargetObject like r"%\\PsExec%" or Reg.TargetObject like r"%\\PsLoggedon%" or Reg.TargetObject like r"%\\PsLoglist%" or Reg.TargetObject like r"%\\PsPasswd%" or Reg.TargetObject like r"%\\PsPing%" or Reg.TargetObject like r"%\\PsService%" or Reg.TargetObject like r"%\\SDelete%") and Reg.TargetObject like r"%\\EulaAccepted" and not (Process.Path like r"%\\ADExplorer.exe" or Process.Path like r"%\\ADExplorer64.exe" or Process.Path like r"%\\handle.exe" or Process.Path like r"%\\handle64.exe" or Process.Path like r"%\\livekd.exe" or Process.Path like r"%\\livekd64.exe" or Process.Path like r"%\\procdump.exe" or Process.Path like r"%\\procdump64.exe" or Process.Path like r"%\\procexp.exe" or Process.Path like r"%\\procexp64.exe" or Process.Path like r"%\\PsExec.exe" or Process.Path like r"%\\PsExec64.exe" or Process.Path like r"%\\PsLoggedon.exe" or Process.Path like r"%\\PsLoggedon64.exe" or Process.Path like r"%\\psloglist.exe" or Process.Path like r"%\\psloglist64.exe" or Process.Path like r"%\\pspasswd.exe" or Process.Path like r"%\\pspasswd64.exe" or Process.Path like r"%\\PsPing.exe" or Process.Path like r"%\\PsPing64.exe" or Process.Path like r"%\\PsService.exe" or Process.Path like r"%\\PsService64.exe" or Process.Path like r"%\\sdelete.exe") +Annotation = {"mitre_attack": ["T1548.002"], "author": "oscd.community, Dmitry Uchakin"} +Query = 
Reg.TargetObject like r"%\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) +# Detects potentially suspicious file downloads directly from IP addresses using Wget.exe # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 -RuleName = Potential Persistence Via MyComputer Registry Keys -EventType = Reg.Any -Tag = potential-persistence-via-mycomputer-registry-keys +RuleId = 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35 +RuleName = Suspicious File Download From IP Via Wget.EXE +EventType = Process.Start +Tag = proc-start-suspicious-file-download-from-ip-via-wget.exe RiskScore = 75 Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer%" and Reg.TargetObject like r"%(Default)" +Query = (Process.Path like r"%\\wget.exe" or Process.Name == "wget.exe") and Process.CommandLine regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and Process.CommandLine like r"%http%" and (Process.CommandLine regex "\\s-O\\s" or Process.CommandLine like r"%--output-document%") and (Process.CommandLine like r"%.ps1" or Process.CommandLine like r"%.ps1'" or Process.CommandLine like r"%.ps1\"" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.dat'" or Process.CommandLine like r"%.dat\"" or Process.CommandLine like r"%.msi" or Process.CommandLine like r"%.msi'" or Process.CommandLine like r"%.msi\"" or Process.CommandLine like r"%.bat" or Process.CommandLine like r"%.bat'" or Process.CommandLine like r"%.bat\"" or Process.CommandLine like r"%.exe" or Process.CommandLine like r"%.exe'" or 
Process.CommandLine like r"%.exe\"" or Process.CommandLine like r"%.vbs" or Process.CommandLine like r"%.vbs'" or Process.CommandLine like r"%.vbs\"" or Process.CommandLine like r"%.vbe" or Process.CommandLine like r"%.vbe'" or Process.CommandLine like r"%.vbe\"" or Process.CommandLine like r"%.hta" or Process.CommandLine like r"%.hta'" or Process.CommandLine like r"%.hta\"" or Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.dll'" or Process.CommandLine like r"%.dll\"" or Process.CommandLine like r"%.psm1" or Process.CommandLine like r"%.psm1'" or Process.CommandLine like r"%.psm1\"") + + +[ThreatDetectionRule platform=Windows] +# Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 48ea844d-19b1-4642-944e-fe39c2cc1fec +RuleName = UAC Bypass Using IDiagnostic Profile - File +EventType = File.Create +Tag = uac-bypass-using-idiagnostic-profile-file +RiskScore = 75 +Annotation = {"mitre_attack": ["T1548.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\DllHost.exe" and File.Path like r"C:\\Windows\\System32\\%" and File.Path like r"%.dll" +GenericProperty1 = File.Path + + +[ThreatDetectionRule platform=Windows] +# Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. 
This allows an attacker to load unsigned and untrusted code to be run in the kernel +# Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati +RuleId = 8b7273a4-ba5d-4d8a-b04f-11f2900d043a +RuleName = Hypervisor Enforced Code Integrity Disabled +EventType = Reg.Any +Tag = hypervisor-enforced-code-integrity-disabled +RiskScore = 75 +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati"} +Query = (Reg.TargetObject like r"%\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or Reg.TargetObject like r"%\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or Reg.TargetObject like r"%\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled") and Reg.Value.Data == "DWORD (0x00000000)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. 
-# Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = ee4c5d06-3abc-48cc-8885-77f1c20f4451 -RuleName = DLL Sideloading Of ShellChromeAPI.DLL -EventType = Image.Load -Tag = dll-sideloading-of-shellchromeapi.dll +# Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV +# Author: Florian Roth (Nextron Systems) +RuleId = c6fb44c6-71f5-49e6-9462-1425d328aee3 +RuleName = Powershell Base64 Encoded MpPreference Cmdlet +EventType = Process.Start +Tag = proc-start-powershell-base64-encoded-mppreference-cmdlet RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Image.Path like r"%\\ShellChromeAPI.dll" -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%QWRkLU1wUHJlZmVyZW5jZS%" or Process.CommandLine like r"%FkZC1NcFByZWZlcmVuY2Ug%" or Process.CommandLine like r"%BZGQtTXBQcmVmZXJlbmNlI%" or Process.CommandLine like r"%U2V0LU1wUHJlZmVyZW5jZS%" or Process.CommandLine like r"%NldC1NcFByZWZlcmVuY2Ug%" or Process.CommandLine like r"%TZXQtTXBQcmVmZXJlbmNlI%" or Process.CommandLine like r"%YWRkLW1wcHJlZmVyZW5jZS%" or Process.CommandLine like r"%FkZC1tcHByZWZlcmVuY2Ug%" or Process.CommandLine like r"%hZGQtbXBwcmVmZXJlbmNlI%" or Process.CommandLine like r"%c2V0LW1wcHJlZmVyZW5jZS%" or Process.CommandLine like r"%NldC1tcHByZWZlcmVuY2Ug%" or Process.CommandLine like r"%zZXQtbXBwcmVmZXJlbmNlI%" or Process.CommandLine like r"%QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA%" or Process.CommandLine like r"%UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine 
like r"%MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA%" or Process.CommandLine like r"%YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA%" or Process.CommandLine like r"%cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA%" or Process.CommandLine like r"%MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA%" or Process.CommandLine like r"%zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA%" [ThreatDetectionRule platform=Windows] -# Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. -# This detection assumes that PowerShell commands are passed via the CommandLine. -# Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) -RuleId = 6812a10b-60ea-420c-832f-dfcc33b646ba -RuleName = Potential PowerShell Execution Via DLL +# Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = f5d19838-41b5-476c-98d8-ba8af4929ee2 +RuleName = LOL-Binary Copied From System Directory EventType = Process.Start -Tag = proc-start-potential-powershell-execution-via-dll +Tag = proc-start-lol-binary-copied-from-system-directory RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.011"], "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\InstallUtil.exe" or Process.Path like r"%\\RegAsm.exe" or Process.Path like r"%\\RegSvcs.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Name in ["InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.EXE", "RUNDLL32.EXE"]) and (Process.CommandLine like r"%Default.GetString%" or Process.CommandLine like r"%DownloadString%" or Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"%ICM %" or Process.CommandLine like r"%IEX %" or Process.CommandLine like r"%Invoke-Command%" or Process.CommandLine like r"%Invoke-Expression%") +Annotation = {"mitre_attack": ["T1036.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%copy %" or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%copy-item%" or Process.CommandLine like r"% copy %" or Process.CommandLine like r"%cpi %" or Process.CommandLine like r"% cp %") or Process.Path like r"%\\robocopy.exe" or Process.Path like r"%\\xcopy.exe" or Process.Name in ["robocopy.exe", "XCOPY.EXE"]) and (Process.CommandLine like r"%\\System32%" or Process.CommandLine like r"%\\SysWOW64%" or Process.CommandLine like r"%\\WinSxS%") and (Process.CommandLine like r"%\\bitsadmin.exe%" or Process.CommandLine like r"%\\calc.exe%" or Process.CommandLine like r"%\\certutil.exe%" or Process.CommandLine like r"%\\cmdl32.exe%" or Process.CommandLine like r"%\\cscript.exe%" or 
Process.CommandLine like r"%\\mshta.exe%" or Process.CommandLine like r"%\\rundll32.exe%" or Process.CommandLine like r"%\\wscript.exe%") [ThreatDetectionRule platform=Windows] -# Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation -# Author: Nextron Systems -RuleId = 7a74da6b-ea76-47db-92cc-874ad90df734 -RuleName = Suspicious MSDT Parent Process +# Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives. +# Author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113 +RuleId = fd877b94-9bb5-4191-bb25-d79cbd93c167 +RuleName = Dumping of Sensitive Hives Via Reg.EXE EventType = Process.Start -Tag = proc-start-suspicious-msdt-parent-process +Tag = proc-start-dumping-of-sensitive-hives-via-reg.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1036", "T1218"], "author": "Nextron Systems"} -Query = (Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\regsvr32.exe" or Parent.Path like r"%\\rundll32.exe" or Parent.Path like r"%\\schtasks.exe" or Parent.Path like r"%\\wmic.exe" or Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\wsl.exe") and (Process.Path like r"%\\msdt.exe" or Process.Name == "msdt.exe") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1003.002", "T1003.004", "T1003.005"], "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113"} +Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and (Process.CommandLine like r"% save %" or Process.CommandLine like r"% export %" or Process.CommandLine like r"% ˢave %" or Process.CommandLine like r"% eˣport %") and (Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hk˪m%" or Process.CommandLine like 
r"%hkey\_local\_machine%" or Process.CommandLine like r"%hkey\_˪ocal\_machine%" or Process.CommandLine like r"%hkey\_loca˪\_machine%" or Process.CommandLine like r"%hkey\_˪oca˪\_machine%") and (Process.CommandLine like r"%\\system%" or Process.CommandLine like r"%\\sam%" or Process.CommandLine like r"%\\security%" or Process.CommandLine like r"%\\ˢystem%" or Process.CommandLine like r"%\\syˢtem%" or Process.CommandLine like r"%\\ˢyˢtem%" or Process.CommandLine like r"%\\ˢam%" or Process.CommandLine like r"%\\ˢecurity%") + + +[ThreatDetectionRule platform=Windows] +# Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default. +# Author: Nasreddine Bencherchali (Nextron Systems), frack113 +RuleId = b4926b47-a9d7-434c-b3a0-adc3fa0bd13e +RuleName = Suspicious Double Extension Files +EventType = File.Create +Tag = suspicious-double-extension-files +RiskScore = 75 +Annotation = {"mitre_attack": ["T1036.007"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113"} +Query = (File.Path like r"%.exe" or File.Path like r"%.iso" or File.Path like r"%.rar" or File.Path like r"%.zip") and (File.Path like r"%.doc.%" or File.Path like r"%.docx.%" or File.Path like r"%.jpg.%" or File.Path like r"%.pdf.%" or File.Path like r"%.ppt.%" or File.Path like r"%.pptx.%" or File.Path like r"%.xls.%" or File.Path like r"%.xlsx.%") or File.Path like r"%.rar.exe" or File.Path like r"%.zip.exe" +GenericProperty1 = File.Path + + +[ThreatDetectionRule platform=Windows] +# Detect DLL deletions from Spooler Service driver folder. 
This might be a potential exploitation attempt of CVE-2021-1675 +# Author: Bhabesh Raj +RuleId = 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf +RuleName = Potential PrintNightmare Exploitation Attempt +EventType = File.Delete +Tag = potential-printnightmare-exploitation-attempt +RiskScore = 75 +Annotation = {"mitre_attack": ["T1574"], "author": "Bhabesh Raj"} +Query = Process.Path like r"%\\spoolsv.exe" and File.Path like r"%C:\\Windows\\System32\\spool\\drivers\\x64\\3\\%" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files -# Author: pH-T (Nextron Systems) -RuleId = f0507c0f-a3a2-40f5-acc6-7f543c334993 -RuleName = Suspicious File Execution From Internet Hosted WebDav Share -EventType = Process.Start -Tag = proc-start-suspicious-file-execution-from-internet-hosted-webdav-share +# Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. +# Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. +# IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. 
+# Author: X__Junior (Nextron Systems) +RuleId = b888e3f2-224d-4435-b00b-9dd66e9ea1f1 +RuleName = Uncommon Extension In Keyboard Layout IME File Registry Value +EventType = Reg.Any +Tag = uncommon-extension-in-keyboard-layout-ime-file-registry-value RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "pH-T (Nextron Systems)"} -Query = (Process.Path like r"%\\cmd.exe%" or Process.Name == "Cmd.EXE") and Process.CommandLine like r"% net use http%" and Process.CommandLine like r"%& start /b %" and Process.CommandLine like r"%\\DavWWWRoot\\%" and (Process.CommandLine like r"%.exe %" or Process.CommandLine like r"%.dll %" or Process.CommandLine like r"%.bat %" or Process.CommandLine like r"%.vbs %" or Process.CommandLine like r"%.ps1 %") +Annotation = {"mitre_attack": ["T1562.001"], "author": "X__Junior (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Control\\Keyboard Layouts\\%" and Reg.TargetObject like r"%Ime File%" and not Reg.Value.Data like r"%.ime" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) -# Author: Omer Yampel, Christian Burkard (Nextron Systems) -RuleId = 5b872a46-3b90-45c1-8419-f675db8053aa -RuleName = UAC Bypass via Sdclt +# Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. +# Adversaries may abuse time providers to execute DLLs when the system boots. +# The Windows Time service (W32Time) enables time synchronization across and within domains. 
+# Author: frack113 +RuleId = e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 +RuleName = New TimeProviders Registered With Uncommon DLL Name EventType = Reg.Any -Tag = uac-bypass-via-sdclt +Tag = new-timeproviders-registered-with-uncommon-dll-name RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Omer Yampel, Christian Burkard (Nextron Systems)"} -Query = Reg.TargetObject like r"%Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" or Reg.TargetObject like r"%Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue" and Reg.Value.Data regex "-1[0-9]{3}\\\\Software\\\\Classes\\\\" +Annotation = {"mitre_attack": ["T1547.003"], "author": "frack113"} +Query = Reg.TargetObject like r"%\\Services\\W32Time\\TimeProviders%" and Reg.TargetObject like r"%\\DllName" and not (Reg.Value.Data in ["\%SystemRoot\%\\System32\\vmictimeprovider.dll", "\%systemroot\%\\system32\\w32time.dll", "C:\\Windows\\SYSTEM32\\w32time.DLL"]) Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the creation of tasks from processes executed from suspicious locations -# Author: Florian Roth (Nextron Systems) -RuleId = 80e1f67a-4596-4351-98f5-a9c3efabac95 -RuleName = Suspicious Scheduled Task Write to System32 Tasks -EventType = File.Create -Tag = suspicious-scheduled-task-write-to-system32-tasks +# Detects tampering with attachment manager settings policies attachments (See reference for more information) +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a +RuleName = Potential Attachment Manager Settings Attachments Tamper +EventType = Reg.Any +Tag = potential-attachment-manager-settings-attachments-tamper RiskScore = 75 -Annotation = {"mitre_attack": ["T1053"], "author": "Florian Roth (Nextron Systems)"} -Query = File.Path like r"%\\Windows\\System32\\Tasks%" and (Process.Path like r"%\\AppData\\%" or Process.Path like 
r"%C:\\PerfLogs%" or Process.Path like r"%\\Windows\\System32\\config\\systemprofile%") -GenericProperty1 = File.Path +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\%" and (Reg.TargetObject like r"%\\HideZoneInfoOnProperties" and Reg.Value.Data == "DWORD (0x00000001)" or Reg.TargetObject like r"%\\SaveZoneInformation" and Reg.Value.Data == "DWORD (0x00000002)" or Reg.TargetObject like r"%\\ScanWithAntiVirus" and Reg.Value.Data == "DWORD (0x00000001)") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process) -# Author: Max Altgelt (Nextron Systems) -RuleId = 71158e3f-df67-472b-930e-7d287acaa3e1 -RuleName = Execution Of Non-Existing File +# Detects a suspicious script execution in temporary folders or folders accessible by environment variables +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 1228c958-e64e-4e71-92ad-7d429f4138ba +RuleName = Script Interpreter Execution From Suspicious Folder EventType = Process.Start -Tag = proc-start-execution-of-non-existing-file +Tag = proc-start-script-interpreter-execution-from-suspicious-folder RiskScore = 75 -Annotation = {"author": "Max Altgelt (Nextron Systems)"} -Query = not Process.Path like r"%\\%" and not (isnull(Process.Path) or Process.Path in ["-", ""] or Process.Path in ["System", "Registry", "MemCompression", "vmmem"] or Process.CommandLine in ["Registry", "MemCompression", "vmmem"]) +Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path 
like r"%\\wscript.exe" or Process.CommandLine like r"% -ep bypass %" or Process.CommandLine like r"% -ExecutionPolicy bypass %" or Process.CommandLine like r"% -w hidden %" or Process.CommandLine like r"%/e:javascript %" or Process.CommandLine like r"%/e:Jscript %" or Process.CommandLine like r"%/e:vbscript %" or Process.Name in ["cscript.exe", "mshta.exe", "wscript.exe"]) and (Process.CommandLine like r"%:\\Perflogs\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\AppData\\Roaming\\Temp%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%\\Windows\\Temp%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Favorites\\%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Favourites\\%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Contacts\\%") [ThreatDetectionRule platform=Windows] -# Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. -# Author: FPT.EagleEye Team, wagga -RuleId = 869b9ca7-9ea2-4a5a-8325-e80e62f75445 -RuleName = Suspicious Child Process Of SQL Server +# Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = c74c0390-3e20-41fd-a69a-128f0275a5ea +RuleName = Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths EventType = Process.Start -Tag = proc-start-suspicious-child-process-of-sql-server +Tag = proc-start-cab-file-extraction-via-wusa.exe-from-potentially-suspicious-paths RiskScore = 75 -Annotation = {"mitre_attack": ["T1505.003", "T1190"], "author": "FPT.EagleEye Team, wagga"} -Query = Parent.Path like r"%\\sqlservr.exe" and (Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\nltest.exe" or Process.Path like r"%\\ping.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\tasklist.exe" or Process.Path like r"%\\wsl.exe") and not (Parent.Path like r"C:\\Program Files\\Microsoft SQL Server\\%" and Parent.Path like r"%DATEV\_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and Process.Path == "C:\\Windows\\System32\\cmd.exe" and Process.CommandLine like r"\"C:\\Windows\\system32\\cmd.exe\" %") -GenericProperty1 = Parent.Path +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\wusa.exe" and Process.CommandLine like r"%/extract:%" and (Process.CommandLine like r"%:\\PerfLogs\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\Appdata\\Local\\Temp\\%") [ThreatDetectionRule platform=Windows] -# Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. -# Author: E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community -RuleId = 7f741dcf-fc22-4759-87b4-9ae8376676a2 -RuleName = Bypass UAC via Fodhelper.exe +# Detects Obfuscated use of stdin to execute PowerShell +# Author: Jonathan Cheong, oscd.community +RuleId = 6c96fc76-0eb1-11eb-adc1-0242ac120002 +RuleName = Invoke-Obfuscation STDIN+ Launcher EventType = Process.Start -Tag = proc-start-bypass-uac-via-fodhelper.exe +Tag = proc-start-invoke-obfuscation-stdin+-launcher RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community"} -Query = Parent.Path like r"%\\fodhelper.exe" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Jonathan Cheong, oscd.community"} +Query = Process.CommandLine regex "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\\"" [ThreatDetectionRule platform=Windows] -# Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) -# Author: Andreas Hunkeler (@Karneades), Florian Roth -RuleId = 0d34ed8b-1c12-4ff2-828c-16fc860b766d -RuleName = Suspicious Processes Spawned by Java.EXE -EventType = Process.Start -Tag = proc-start-suspicious-processes-spawned-by-java.exe +# Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process. 
+# Author: @pbssubhash +RuleId = 6902955a-01b7-432c-b32a-6f5f81d8f625 +RuleName = LSASS Process Dump Artefact In CrashDumps Folder +EventType = File.Create +Tag = lsass-process-dump-artefact-in-crashdumps-folder RiskScore = 75 -Annotation = {"author": "Andreas Hunkeler (@Karneades), Florian Roth"} -Query = Parent.Path like r"%\\java.exe" and (Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\curl.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\query.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1003.001"], "author": "@pbssubhash"} +Query = File.Path like r"C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\%" and File.Path like r"%lsass.exe.%" and File.Path like r"%.dmp" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space. 
-# Author: David Burkett, @signalblur -RuleId = 16c37b52-b141-42a5-a3ea-bbe098444397 -RuleName = Suspect Svchost Activity +# Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution +# Author: Michael Haag +RuleId = 03cc0c25-389f-4bf8-b48d-11878079f1ca +RuleName = Suspicious MSHTA Child Process EventType = Process.Start -Tag = proc-start-suspect-svchost-activity +Tag = proc-start-suspicious-mshta-child-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1055"], "author": "David Burkett, @signalblur"} -Query = Process.CommandLine like r"%svchost.exe" and Process.Path like r"%\\svchost.exe" and not (Parent.Path like r"%\\rpcnet.exe" or Parent.Path like r"%\\rpcnetp.exe" or isnull(Process.CommandLine)) +Annotation = {"mitre_attack": ["T1218.005"], "author": "Michael Haag"} +Query = Parent.Path like r"%\\mshta.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Name in ["Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe", "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe"]) GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects command line parameters used by Hydra password guessing hack tool -# Author: Vasiliy Burov -RuleId = aaafa146-074c-11eb-adc1-0242ac120002 -RuleName = HackTool - Hydra Password Bruteforce Execution +# Detects PowerShell script execution via input stream redirect +# Author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community +RuleId = c83bf4b5-cdf0-437c-90fa-43d734f7c476 +RuleName = Run PowerShell Script from Redirected Input Stream EventType = Process.Start -Tag = 
proc-start-hacktool-hydra-password-bruteforce-execution -RiskScore = 75 -Annotation = {"mitre_attack": ["T1110", "T1110.001"], "author": "Vasiliy Burov"} -Query = Process.CommandLine like r"%-u %" and Process.CommandLine like r"%-p %" and (Process.CommandLine like r"%^USER^%" or Process.CommandLine like r"%^PASS^%") - - -[ThreatDetectionRule platform=Windows] -# Detects WMI command line event consumers -# Author: Thomas Patzke -RuleId = 05936ce2-ee05-4dae-9d03-9a391cf2d2c6 -RuleName = WMI Persistence - Command Line Event Consumer -EventType = Image.Load -Tag = wmi-persistence-command-line-event-consumer -RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.003"], "author": "Thomas Patzke"} -Query = Process.Path == "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and Image.Path like r"%\\wbemcons.dll" -GenericProperty1 = Image.Path - - -[ThreatDetectionRule platform=Windows] -# Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL. 
-# Author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk -RuleId = 243380fa-11eb-4141-af92-e14925e77c1b -RuleName = Potential PSFactoryBuffer COM Hijacking -EventType = Reg.Any -Tag = potential-psfactorybuffer-com-hijacking +Tag = proc-start-run-powershell-script-from-redirected-input-stream RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.015"], "author": "BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk"} -Query = Reg.TargetObject like r"%\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" and not (Reg.Value.Data in ["\%windir\%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll"]) -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1059"], "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine regex "\\s-\\s*<" [ThreatDetectionRule platform=Windows] -# Detects a tscon.exe start as LOCAL SYSTEM -# Author: Florian Roth (Nextron Systems) -RuleId = 9847f263-4a81-424f-970c-875dab15b79b -RuleName = Suspicious TSCON Start as SYSTEM +# Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union) +# Author: frack113 +RuleId = e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e +RuleName = Disable Windows IIS HTTP Logging EventType = Process.Start -Tag = proc-start-suspicious-tscon-start-as-system +Tag = proc-start-disable-windows-iis-http-logging RiskScore = 75 -Annotation = {"mitre_attack": ["T1219"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") and Process.Path like r"%\\tscon.exe" -GenericProperty1 = Process.User +Annotation = {"mitre_attack": ["T1562.002"], "author": "frack113"} +Query = (Process.Path like r"%\\appcmd.exe" or Process.Name == "appcmd.exe") and Process.CommandLine like r"%set%" and 
Process.CommandLine like r"%config%" and Process.CommandLine like r"%section:httplogging%" and Process.CommandLine like r"%dontLog:true%" [ThreatDetectionRule platform=Windows] -# Detects the creation of files with an executable or script extension by an Office application. -# Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) -RuleId = c7a74c80-ba5a-486e-9974-ab9e682bc5e4 -RuleName = File With Uncommon Extension Created By An Office Application -EventType = File.Create -Tag = file-with-uncommon-extension-created-by-an-office-application +# Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access. +# Author: Ján Trenčanský +RuleId = 114e7f1c-f137-48c8-8f54-3088c24ce4b9 +RuleName = Remote Access Tool - AnyDesk Silent Installation +EventType = Process.Start +Tag = proc-start-remote-access-tool-anydesk-silent-installation RiskScore = 75 -Annotation = {"mitre_attack": ["T1204.002"], "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\excel.exe" or Process.Path like r"%\\msaccess.exe" or Process.Path like r"%\\mspub.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\visio.exe" or Process.Path like r"%\\winword.exe") and (File.Path like r"%.bat" or File.Path like r"%.cmd" or File.Path like r"%.com" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.hta" or File.Path like r"%.ocx" or File.Path like r"%.proj" or File.Path like r"%.ps1" or File.Path like r"%.scf" or File.Path like r"%.scr" or File.Path like r"%.sys" or File.Path like r"%.vbe" or File.Path like r"%.vbs" or File.Path like r"%.wsf" or File.Path like r"%.wsh") and not (File.Path like r"%\\AppData\\Local\\assembly\\tmp\\%" and File.Path like r"%.dll") and not (File.Path like r"%C:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Microsoft\\Office\\%" and File.Path like 
r"%\\WebServiceCache\\AllUsers%" and File.Path like r"%.com" or Process.Path like r"%\\winword.exe" and File.Path like r"%\\AppData\\Local\\Temp\\webexdelta\\%" and (File.Path like r"%.dll" or File.Path like r"%.exe")) -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1219"], "author": "J\u00e1n Tren\u010dansk\u00fd"} +Query = Process.CommandLine like r"%--install%" and Process.CommandLine like r"%--start-with-win%" and Process.CommandLine like r"%--silent%" [ThreatDetectionRule platform=Windows] -# Detects the creation of files with scripting or executable extensions by Mysql daemon. -# Which could be an indicator of "User Defined Functions" abuse to download malware. -# Author: Joseph Kamau -RuleId = c61daa90-3c1e-4f18-af62-8f288b5c9aaf -RuleName = Uncommon File Creation By Mysql Daemon Process -EventType = File.Create -Tag = uncommon-file-creation-by-mysql-daemon-process +# Detects rundll32 execution where the DLL is located on a remote location (share) +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 5cdb711b-5740-4fb2-ba88-f7945027afac +RuleName = Rundll32 UNC Path Execution +EventType = Process.Start +Tag = proc-start-rundll32-unc-path-execution RiskScore = 75 -Annotation = {"author": "Joseph Kamau"} -Query = (Process.Path like r"%\\mysqld.exe" or Process.Path like r"%\\mysqld-nt.exe") and (File.Path like r"%.bat" or File.Path like r"%.dat" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.ps1" or File.Path like r"%.psm1" or File.Path like r"%.vbe" or File.Path like r"%.vbs") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1021.002", "T1218.011"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE" or Process.CommandLine like r"%rundll32%") and Process.CommandLine like r"% \\\\%" [ThreatDetectionRule platform=Windows] -# Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows 
an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. -# Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. -# IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. -# Author: X__Junior (Nextron Systems) -RuleId = b888e3f2-224d-4435-b00b-9dd66e9ea1f1 -RuleName = Uncommon Extension In Keyboard Layout IME File Registry Value -EventType = Reg.Any -Tag = uncommon-extension-in-keyboard-layout-ime-file-registry-value +# Detects a suspicious script executions from temporary folder +# Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton +RuleId = a6a39bdb-935c-4f0a-ab77-35f4bbf44d33 +RuleName = Suspicious Script Execution From Temp Folder +EventType = Process.Start +Tag = proc-start-suspicious-script-execution-from-temp-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "X__Junior (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Control\\Keyboard Layouts\\%" and Reg.TargetObject like r"%Ime File%" and not Reg.Value.Data like r"%.ime" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%\\Windows\\Temp%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\AppData\\Roaming\\Temp%" or Process.CommandLine like r"%\%TEMP\%%" or Process.CommandLine 
like r"%\%TMP\%%" or Process.CommandLine like r"%\%LocalAppData\%\\Temp%") and not (Process.CommandLine like r"% >%" or Process.CommandLine like r"%Out-File%" or Process.CommandLine like r"%ConvertTo-Json%" or Process.CommandLine like r"%-WindowStyle hidden -Verb runAs%" or Process.CommandLine like r"%\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\Amazon\\EC2-Windows\\%") [ThreatDetectionRule platform=Windows] -# Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. -# Author: @Kostastsale, @TheDFIRReport -RuleId = 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259 -RuleName = Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 +# Detects potential web shell execution from the ScreenConnect server process. +# Author: Jason Rathbun (Blackpoint Cyber) +RuleId = b19146a3-25d4-41b4-928b-1e2a92641b1b +RuleName = Remote Access Tool - ScreenConnect Server Web Shell Execution EventType = Process.Start -Tag = proc-start-potential-defense-evasion-activity-via-emoji-usage-in-commandline-1 +Tag = proc-start-remote-access-tool-screenconnect-server-web-shell-execution RiskScore = 75 -Annotation = {"author": "@Kostastsale, @TheDFIRReport"} -Query = Process.CommandLine like r"%😀%" or Process.CommandLine like r"%😃%" or Process.CommandLine like r"%😄%" or Process.CommandLine like r"%😁%" or Process.CommandLine like r"%😆%" or Process.CommandLine like r"%😅%" or Process.CommandLine like r"%😂%" or Process.CommandLine like r"%🤣%" or Process.CommandLine like r"%🥲%" or Process.CommandLine like r"%🥹%" or Process.CommandLine like r"%☺️%" or Process.CommandLine like r"%😊%" or Process.CommandLine like r"%😇%" or Process.CommandLine like r"%🙂%" or Process.CommandLine like r"%🙃%" or Process.CommandLine like r"%😉%" or Process.CommandLine like r"%😌%" or Process.CommandLine like r"%😍%" or Process.CommandLine like r"%🥰%" or Process.CommandLine like r"%😘%" or Process.CommandLine like r"%😗%" or Process.CommandLine like r"%😙%" 
or Process.CommandLine like r"%😚%" or Process.CommandLine like r"%😋%" or Process.CommandLine like r"%😛%" or Process.CommandLine like r"%😝%" or Process.CommandLine like r"%😜%" or Process.CommandLine like r"%🤪%" or Process.CommandLine like r"%🤨%" or Process.CommandLine like r"%🧐%" or Process.CommandLine like r"%🤓%" or Process.CommandLine like r"%😎%" or Process.CommandLine like r"%🥸%" or Process.CommandLine like r"%🤩%" or Process.CommandLine like r"%🥳%" or Process.CommandLine like r"%😏%" or Process.CommandLine like r"%😒%" or Process.CommandLine like r"%😞%" or Process.CommandLine like r"%😔%" or Process.CommandLine like r"%😟%" or Process.CommandLine like r"%😕%" or Process.CommandLine like r"%🙁%" or Process.CommandLine like r"%☹️%" or Process.CommandLine like r"%😣%" or Process.CommandLine like r"%😖%" or Process.CommandLine like r"%😫%" or Process.CommandLine like r"%😩%" or Process.CommandLine like r"%🥺%" or Process.CommandLine like r"%😢%" or Process.CommandLine like r"%😭%" or Process.CommandLine like r"%😮‍💨%" or Process.CommandLine like r"%😤%" or Process.CommandLine like r"%😠%" or Process.CommandLine like r"%😡%" or Process.CommandLine like r"%🤬%" or Process.CommandLine like r"%🤯%" or Process.CommandLine like r"%😳%" or Process.CommandLine like r"%🥵%" or Process.CommandLine like r"%🥶%" or Process.CommandLine like r"%😱%" or Process.CommandLine like r"%😨%" or Process.CommandLine like r"%😰%" or Process.CommandLine like r"%😥%" or Process.CommandLine like r"%😓%" or Process.CommandLine like r"%🫣%" or Process.CommandLine like r"%🤗%" or Process.CommandLine like r"%🫡%" or Process.CommandLine like r"%🤔%" or Process.CommandLine like r"%🫢%" or Process.CommandLine like r"%🤭%" or Process.CommandLine like r"%🤫%" or Process.CommandLine like r"%🤥%" or Process.CommandLine like r"%😶%" or Process.CommandLine like r"%😶‍🌫️%" or Process.CommandLine like r"%😐%" or Process.CommandLine like r"%😑%" or Process.CommandLine like r"%😬%" or Process.CommandLine like r"%🫠%" or Process.CommandLine like 
r"%🙄%" or Process.CommandLine like r"%😯%" or Process.CommandLine like r"%😦%" or Process.CommandLine like r"%😧%" or Process.CommandLine like r"%😮%" or Process.CommandLine like r"%😲%" or Process.CommandLine like r"%🥱%" or Process.CommandLine like r"%😴%" or Process.CommandLine like r"%🤤%" or Process.CommandLine like r"%😪%" or Process.CommandLine like r"%😵%" or Process.CommandLine like r"%😵‍💫%" or Process.CommandLine like r"%🫥%" or Process.CommandLine like r"%🤐%" or Process.CommandLine like r"%🥴%" or Process.CommandLine like r"%🤢%" or Process.CommandLine like r"%🤮%" or Process.CommandLine like r"%🤧%" or Process.CommandLine like r"%😷%" or Process.CommandLine like r"%🤒%" or Process.CommandLine like r"%🤕%" or Process.CommandLine like r"%🤑%" or Process.CommandLine like r"%🤠%" or Process.CommandLine like r"%😈%" or Process.CommandLine like r"%👿%" or Process.CommandLine like r"%👹%" or Process.CommandLine like r"%👺%" or Process.CommandLine like r"%🤡%" or Process.CommandLine like r"%💩%" or Process.CommandLine like r"%👻%" or Process.CommandLine like r"%💀%" or Process.CommandLine like r"%☠️%" or Process.CommandLine like r"%👽%" or Process.CommandLine like r"%👾%" or Process.CommandLine like r"%🤖%" or Process.CommandLine like r"%🎃%" or Process.CommandLine like r"%😺%" or Process.CommandLine like r"%😸%" or Process.CommandLine like r"%😹%" or Process.CommandLine like r"%😻%" or Process.CommandLine like r"%😼%" or Process.CommandLine like r"%😽%" or Process.CommandLine like r"%🙀%" or Process.CommandLine like r"%😿%" or Process.CommandLine like r"%😾%" or Process.CommandLine like r"%👋%" or Process.CommandLine like r"%🤚%" or Process.CommandLine like r"%🖐%" or Process.CommandLine like r"%✋%" or Process.CommandLine like r"%🖖%" or Process.CommandLine like r"%👌%" or Process.CommandLine like r"%🤌%" or Process.CommandLine like r"%🤏%" or Process.CommandLine like r"%✌️%" or Process.CommandLine like r"%🤞%" or Process.CommandLine like r"%🫰%" or Process.CommandLine like r"%🤟%" or Process.CommandLine like 
r"%🤘%" or Process.CommandLine like r"%🤙%" or Process.CommandLine like r"%🫵%" or Process.CommandLine like r"%🫱%" or Process.CommandLine like r"%🫲%" or Process.CommandLine like r"%🫳%" or Process.CommandLine like r"%🫴%" or Process.CommandLine like r"%👈%" or Process.CommandLine like r"%👉%" or Process.CommandLine like r"%👆%" or Process.CommandLine like r"%🖕%" or Process.CommandLine like r"%👇%" or Process.CommandLine like r"%☝️%" or Process.CommandLine like r"%👍%" or Process.CommandLine like r"%👎%" or Process.CommandLine like r"%✊%" or Process.CommandLine like r"%👊%" or Process.CommandLine like r"%🤛%" or Process.CommandLine like r"%🤜%" or Process.CommandLine like r"%👏%" or Process.CommandLine like r"%🫶%" or Process.CommandLine like r"%🙌%" or Process.CommandLine like r"%👐%" or Process.CommandLine like r"%🤲%" or Process.CommandLine like r"%🤝%" or Process.CommandLine like r"%🙏%" or Process.CommandLine like r"%✍️%" or Process.CommandLine like r"%💪%" or Process.CommandLine like r"%🦾%" or Process.CommandLine like r"%🦵%" or Process.CommandLine like r"%🦿%" or Process.CommandLine like r"%🦶%" or Process.CommandLine like r"%👣%" or Process.CommandLine like r"%👂%" or Process.CommandLine like r"%🦻%" or Process.CommandLine like r"%👃%" or Process.CommandLine like r"%🫀%" or Process.CommandLine like r"%🫁%" or Process.CommandLine like r"%🧠%" or Process.CommandLine like r"%🦷%" or Process.CommandLine like r"%🦴%" or Process.CommandLine like r"%👀%" or Process.CommandLine like r"%👁%" or Process.CommandLine like r"%👅%" or Process.CommandLine like r"%👄%" or Process.CommandLine like r"%🫦%" or Process.CommandLine like r"%💋%" or Process.CommandLine like r"%🩸%" or Process.CommandLine like r"%👶%" or Process.CommandLine like r"%👧%" or Process.CommandLine like r"%🧒%" or Process.CommandLine like r"%👦%" or Process.CommandLine like r"%👩%" or Process.CommandLine like r"%🧑%" or Process.CommandLine like r"%👨%" or Process.CommandLine like r"%👩‍🦱%" or Process.CommandLine like r"%🧑‍🦱%" or Process.CommandLine 
like r"%👨‍🦱%" or Process.CommandLine like r"%👩‍🦰%" or Process.CommandLine like r"%🧑‍🦰%" or Process.CommandLine like r"%👨‍🦰%" or Process.CommandLine like r"%👱‍♀️%" or Process.CommandLine like r"%👱%" or Process.CommandLine like r"%👱‍♂️%" or Process.CommandLine like r"%👩‍🦳%" or Process.CommandLine like r"%🧑‍🦳%" or Process.CommandLine like r"%👨‍🦳%" or Process.CommandLine like r"%👩‍🦲%" or Process.CommandLine like r"%🧑‍🦲%" or Process.CommandLine like r"%👨‍🦲%" or Process.CommandLine like r"%🧔‍♀️%" or Process.CommandLine like r"%🧔%" or Process.CommandLine like r"%🧔‍♂️%" or Process.CommandLine like r"%👵%" or Process.CommandLine like r"%🧓%" or Process.CommandLine like r"%👴%" or Process.CommandLine like r"%👲%" or Process.CommandLine like r"%👳‍♀️%" or Process.CommandLine like r"%👳%" or Process.CommandLine like r"%👳‍♂️%" or Process.CommandLine like r"%🧕%" or Process.CommandLine like r"%👮‍♀️%" or Process.CommandLine like r"%👮%" or Process.CommandLine like r"%👮‍♂️%" or Process.CommandLine like r"%👷‍♀️%" or Process.CommandLine like r"%👷%" or Process.CommandLine like r"%👷‍♂️%" or Process.CommandLine like r"%💂‍♀️%" or Process.CommandLine like r"%💂%" or Process.CommandLine like r"%💂‍♂️%" or Process.CommandLine like r"%🕵️‍♀️%" or Process.CommandLine like r"%🕵️%" or Process.CommandLine like r"%🕵️‍♂️%" or Process.CommandLine like r"%👩‍⚕️%" or Process.CommandLine like r"%🧑‍⚕️%" or Process.CommandLine like r"%👨‍⚕️%" or Process.CommandLine like r"%👩‍🌾%" or Process.CommandLine like r"%🧑‍🌾%" or Process.CommandLine like r"%👨‍🌾%" or Process.CommandLine like r"%👩‍🍳%" or Process.CommandLine like r"%🧑‍🍳%" or Process.CommandLine like r"%👨‍🍳%" or Process.CommandLine like r"%👩‍🎓%" or Process.CommandLine like r"%🧑‍🎓%" or Process.CommandLine like r"%👨‍🎓%" or Process.CommandLine like r"%👩‍🎤%" or Process.CommandLine like r"%🧑‍🎤%" or Process.CommandLine like r"%👨‍🎤%" or Process.CommandLine like r"%👩‍🏫%" or Process.CommandLine like r"%🧑‍🏫%" or Process.CommandLine like r"%👨‍🏫%" or Process.CommandLine like 
r"%👩‍🏭%" or Process.CommandLine like r"%🧑‍🏭%" or Process.CommandLine like r"%👨‍🏭%" or Process.CommandLine like r"%👩‍💻%" or Process.CommandLine like r"%🧑‍💻%" or Process.CommandLine like r"%👨‍💻%" or Process.CommandLine like r"%👩‍💼%" or Process.CommandLine like r"%🧑‍💼%" or Process.CommandLine like r"%👨‍💼%" or Process.CommandLine like r"%👩‍🔧%" or Process.CommandLine like r"%🧑‍🔧%" or Process.CommandLine like r"%👨‍🔧%" or Process.CommandLine like r"%👩‍🔬%" or Process.CommandLine like r"%🧑‍🔬%" or Process.CommandLine like r"%👨‍🔬%" or Process.CommandLine like r"%👩‍🎨%" or Process.CommandLine like r"%🧑‍🎨%" or Process.CommandLine like r"%👨‍🎨%" or Process.CommandLine like r"%👩‍🚒%" or Process.CommandLine like r"%🧑‍🚒%" or Process.CommandLine like r"%👨‍🚒%" or Process.CommandLine like r"%👩‍✈️%" or Process.CommandLine like r"%🧑‍✈️%" or Process.CommandLine like r"%👨‍✈️%" or Process.CommandLine like r"%👩‍🚀%" or Process.CommandLine like r"%🧑‍🚀%" or Process.CommandLine like r"%👨‍🚀%" or Process.CommandLine like r"%👩‍⚖️%" or Process.CommandLine like r"%🧑‍⚖️%" or Process.CommandLine like r"%👨‍⚖️%" or Process.CommandLine like r"%👰‍♀️%" or Process.CommandLine like r"%👰%" or Process.CommandLine like r"%👰‍♂️%" or Process.CommandLine like r"%🤵‍♀️%" or Process.CommandLine like r"%🤵%" or Process.CommandLine like r"%🤵‍♂️%" or Process.CommandLine like r"%👸%" or Process.CommandLine like r"%🫅%" or Process.CommandLine like r"%🤴%" or Process.CommandLine like r"%🥷%" or Process.CommandLine like r"%🦸‍♀️%" or Process.CommandLine like r"%🦸%" or Process.CommandLine like r"%🦸‍♂️%" or Process.CommandLine like r"%🦹‍♀️%" or Process.CommandLine like r"%🦹%" or Process.CommandLine like r"%🦹‍♂️%" or Process.CommandLine like r"%🤶%" or Process.CommandLine like r"%🧑‍🎄%" or Process.CommandLine like r"%🎅%" or Process.CommandLine like r"%🧙‍♀️%" or Process.CommandLine like r"%🧙%" or Process.CommandLine like r"%🧙‍♂️%" or Process.CommandLine like r"%🧝‍♀️%" or Process.CommandLine like r"%🧝%" or Process.CommandLine like 
r"%🧝‍♂️%" or Process.CommandLine like r"%🧛‍♀️%" or Process.CommandLine like r"%🧛%" or Process.CommandLine like r"%🧛‍♂️%" or Process.CommandLine like r"%🧟‍♀️%" or Process.CommandLine like r"%🧟%" or Process.CommandLine like r"%🧟‍♂️%" or Process.CommandLine like r"%🧞‍♀️%" or Process.CommandLine like r"%🧞%" or Process.CommandLine like r"%🧞‍♂️%" or Process.CommandLine like r"%🧜‍♀️%" or Process.CommandLine like r"%🧜%" or Process.CommandLine like r"%🧜‍♂️%" or Process.CommandLine like r"%🧚‍♀️%" or Process.CommandLine like r"%🧚%" or Process.CommandLine like r"%🧚‍♂️%" or Process.CommandLine like r"%🧌%" or Process.CommandLine like r"%👼%" or Process.CommandLine like r"%🤰%" or Process.CommandLine like r"%🫄%" or Process.CommandLine like r"%🫃%" or Process.CommandLine like r"%🤱%" or Process.CommandLine like r"%👩‍🍼%" or Process.CommandLine like r"%🧑‍🍼%" or Process.CommandLine like r"%👨‍🍼%" or Process.CommandLine like r"%🙇‍♀️%" or Process.CommandLine like r"%🙇%" or Process.CommandLine like r"%🙇‍♂️%" or Process.CommandLine like r"%💁‍♀️%" or Process.CommandLine like r"%💁%" or Process.CommandLine like r"%💁‍♂️%" or Process.CommandLine like r"%🙅‍♀️%" or Process.CommandLine like r"%🙅%" or Process.CommandLine like r"%🙅‍♂️%" or Process.CommandLine like r"%🙆‍♀️%" or Process.CommandLine like r"%🙆%" or Process.CommandLine like r"%🙆‍♂️%" or Process.CommandLine like r"%🙋‍♀️%" or Process.CommandLine like r"%🙋%" or Process.CommandLine like r"%🙋‍♂️%" or Process.CommandLine like r"%🧏‍♀️%" or Process.CommandLine like r"%🧏%" or Process.CommandLine like r"%🧏‍♂️%" or Process.CommandLine like r"%🤦‍♀️%" or Process.CommandLine like r"%🤦%" or Process.CommandLine like r"%🤦‍♂️%" or Process.CommandLine like r"%🤷‍♀️%" or Process.CommandLine like r"%🤷%" or Process.CommandLine like r"%🤷‍♂️%" or Process.CommandLine like r"%🙎‍♀️%" or Process.CommandLine like r"%🙎%" or Process.CommandLine like r"%🙎‍♂️%" or Process.CommandLine like r"%🙍‍♀️%" or Process.CommandLine like r"%🙍%" or Process.CommandLine like r"%🙍‍♂️%" or 
Process.CommandLine like r"%💇‍♀️%" or Process.CommandLine like r"%💇%" or Process.CommandLine like r"%💇‍♂️%" or Process.CommandLine like r"%💆‍♀️%" or Process.CommandLine like r"%💆%" or Process.CommandLine like r"%💆‍♂️%" or Process.CommandLine like r"%🧖‍♀️%" or Process.CommandLine like r"%🧖%" or Process.CommandLine like r"%🧖‍♂️%" or Process.CommandLine like r"%💅%" or Process.CommandLine like r"%💃%" or Process.CommandLine like r"%🕺%" or Process.CommandLine like r"%👯‍♀️%" or Process.CommandLine like r"%👯%" or Process.CommandLine like r"%👯‍♂️%" or Process.CommandLine like r"%🕴%" or Process.CommandLine like r"%👩‍🦽%" or Process.CommandLine like r"%🧑‍🦽%" or Process.CommandLine like r"%👨‍🦽%" or Process.CommandLine like r"%👩‍🦼%" or Process.CommandLine like r"%🧑‍🦼%" or Process.CommandLine like r"%👨‍🦼%" or Process.CommandLine like r"%🚶‍♀️%" or Process.CommandLine like r"%🚶%" or Process.CommandLine like r"%🚶‍♂️%" or Process.CommandLine like r"%👩‍🦯%" or Process.CommandLine like r"%🧑‍🦯%" or Process.CommandLine like r"%👨‍🦯%" or Process.CommandLine like r"%🧎‍♀️%" or Process.CommandLine like r"%🧎%" or Process.CommandLine like r"%🧎‍♂️%" or Process.CommandLine like r"%🏃‍♀️%" or Process.CommandLine like r"%🏃%" or Process.CommandLine like r"%🏃‍♂️%" or Process.CommandLine like r"%🧍‍♀️%" or Process.CommandLine like r"%🧍%" or Process.CommandLine like r"%🧍‍♂️%" or Process.CommandLine like r"%👭%" or Process.CommandLine like r"%🧑‍🤝‍🧑%" or Process.CommandLine like r"%👬%" or Process.CommandLine like r"%👫%" or Process.CommandLine like r"%👩‍❤️‍👩%" or Process.CommandLine like r"%💑%" or Process.CommandLine like r"%👨‍❤️‍👨%" or Process.CommandLine like r"%👩‍❤️‍👨%" or Process.CommandLine like r"%👩‍❤️‍💋‍👩%" or Process.CommandLine like r"%💏%" or Process.CommandLine like r"%👨‍❤️‍💋‍👨%" or Process.CommandLine like r"%👩‍❤️‍💋‍👨%" or Process.CommandLine like r"%👪%" or Process.CommandLine like r"%👨‍👩‍👦%" or Process.CommandLine like r"%👨‍👩‍👧%" or Process.CommandLine like r"%👨‍👩‍👧‍👦%" or Process.CommandLine like 
r"%👨‍👩‍👦‍👦%" or Process.CommandLine like r"%👨‍👩‍👧‍👧%" or Process.CommandLine like r"%👨‍👨‍👦%" or Process.CommandLine like r"%👨‍👨‍👧%" or Process.CommandLine like r"%👨‍👨‍👧‍👦%" or Process.CommandLine like r"%👨‍👨‍👦‍👦%" or Process.CommandLine like r"%👨‍👨‍👧‍👧%" or Process.CommandLine like r"%👩‍👩‍👦%" or Process.CommandLine like r"%👩‍👩‍👧%" or Process.CommandLine like r"%👩‍👩‍👧‍👦%" or Process.CommandLine like r"%👩‍👩‍👦‍👦%" or Process.CommandLine like r"%👩‍👩‍👧‍👧%" or Process.CommandLine like r"%👨‍👦%" or Process.CommandLine like r"%👨‍👦‍👦%" or Process.CommandLine like r"%👨‍👧%" or Process.CommandLine like r"%👨‍👧‍👦%" or Process.CommandLine like r"%👨‍👧‍👧%" or Process.CommandLine like r"%👩‍👦%" or Process.CommandLine like r"%👩‍👦‍👦%" or Process.CommandLine like r"%👩‍👧%" or Process.CommandLine like r"%👩‍👧‍👦%" or Process.CommandLine like r"%👩‍👧‍👧%" or Process.CommandLine like r"%🗣%" or Process.CommandLine like r"%👤%" or Process.CommandLine like r"%👥%" or Process.CommandLine like r"%🫂%" or Process.CommandLine like r"%🧳%" or Process.CommandLine like r"%🌂%" or Process.CommandLine like r"%☂️%" or Process.CommandLine like r"%🧵%" or Process.CommandLine like r"%🪡%" or Process.CommandLine like r"%🪢%" or Process.CommandLine like r"%🧶%" or Process.CommandLine like r"%👓%" or Process.CommandLine like r"%🕶%" or Process.CommandLine like r"%🥽%" or Process.CommandLine like r"%🥼%" or Process.CommandLine like r"%🦺%" or Process.CommandLine like r"%👔%" or Process.CommandLine like r"%👕%" or Process.CommandLine like r"%👖%" or Process.CommandLine like r"%🧣%" or Process.CommandLine like r"%🧤%" or Process.CommandLine like r"%🧥%" or Process.CommandLine like r"%🧦%" or Process.CommandLine like r"%👗%" or Process.CommandLine like r"%👘%" or Process.CommandLine like r"%🥻%" or Process.CommandLine like r"%🩴%" or Process.CommandLine like r"%🩱%" or Process.CommandLine like r"%🩲%" or Process.CommandLine like r"%🩳%" or Process.CommandLine like r"%👙%" or Process.CommandLine like r"%👚%" or Process.CommandLine like r"%👛%" or 
Process.CommandLine like r"%👜%" or Process.CommandLine like r"%👝%" or Process.CommandLine like r"%🎒%" or Process.CommandLine like r"%👞%" or Process.CommandLine like r"%👟%" or Process.CommandLine like r"%🥾%" or Process.CommandLine like r"%🥿%" or Process.CommandLine like r"%👠%" or Process.CommandLine like r"%👡%" or Process.CommandLine like r"%🩰%" or Process.CommandLine like r"%👢%" or Process.CommandLine like r"%👑%" or Process.CommandLine like r"%👒%" or Process.CommandLine like r"%🎩%" or Process.CommandLine like r"%🎓%" or Process.CommandLine like r"%🧢%" or Process.CommandLine like r"%⛑%" or Process.CommandLine like r"%🪖%" or Process.CommandLine like r"%💄%" or Process.CommandLine like r"%💍%" or Process.CommandLine like r"%💼%" or Process.CommandLine like r"%👋🏻%" or Process.CommandLine like r"%🤚🏻%" or Process.CommandLine like r"%🖐🏻%" or Process.CommandLine like r"%✋🏻%" or Process.CommandLine like r"%🖖🏻%" or Process.CommandLine like r"%👌🏻%" or Process.CommandLine like r"%🤌🏻%" or Process.CommandLine like r"%🤏🏻%" or Process.CommandLine like r"%✌🏻%" or Process.CommandLine like r"%🤞🏻%" or Process.CommandLine like r"%🫰🏻%" or Process.CommandLine like r"%🤟🏻%" or Process.CommandLine like r"%🤘🏻%" or Process.CommandLine like r"%🤙🏻%" or Process.CommandLine like r"%🫵🏻%" or Process.CommandLine like r"%🫱🏻%" or Process.CommandLine like r"%🫲🏻%" or Process.CommandLine like r"%🫳🏻%" or Process.CommandLine like r"%🫴🏻%" or Process.CommandLine like r"%👈🏻%" or Process.CommandLine like r"%👉🏻%" or Process.CommandLine like r"%👆🏻%" or Process.CommandLine like r"%🖕🏻%" or Process.CommandLine like r"%👇🏻%" or Process.CommandLine like r"%☝🏻%" or Process.CommandLine like r"%👍🏻%" or Process.CommandLine like r"%👎🏻%" or Process.CommandLine like r"%✊🏻%" or Process.CommandLine like r"%👊🏻%" or Process.CommandLine like r"%🤛🏻%" or Process.CommandLine like r"%🤜🏻%" or Process.CommandLine like r"%👏🏻%" or Process.CommandLine like r"%🫶🏻%" or Process.CommandLine like r"%🙌🏻%" or Process.CommandLine like r"%👐🏻%" or 
Process.CommandLine like r"%🤲🏻%" or Process.CommandLine like r"%🙏🏻%" or Process.CommandLine like r"%✍🏻%" or Process.CommandLine like r"%💪🏻%" or Process.CommandLine like r"%🦵🏻%" or Process.CommandLine like r"%🦶🏻%" or Process.CommandLine like r"%👂🏻%" or Process.CommandLine like r"%🦻🏻%" or Process.CommandLine like r"%👃🏻%" or Process.CommandLine like r"%👶🏻%" or Process.CommandLine like r"%👧🏻%" or Process.CommandLine like r"%🧒🏻%" or Process.CommandLine like r"%👦🏻%" or Process.CommandLine like r"%👩🏻%" or Process.CommandLine like r"%🧑🏻%" or Process.CommandLine like r"%👨🏻%" or Process.CommandLine like r"%👩🏻‍🦱%" or Process.CommandLine like r"%🧑🏻‍🦱%" or Process.CommandLine like r"%👨🏻‍🦱%" or Process.CommandLine like r"%👩🏻‍🦰%" or Process.CommandLine like r"%🧑🏻‍🦰%" or Process.CommandLine like r"%👨🏻‍🦰%" or Process.CommandLine like r"%👱🏻‍♀️%" or Process.CommandLine like r"%👱🏻%" or Process.CommandLine like r"%👱🏻‍♂️%" or Process.CommandLine like r"%👩🏻‍🦳%" or Process.CommandLine like r"%🧑🏻‍🦳%" or Process.CommandLine like r"%👨🏻‍🦳%" or Process.CommandLine like r"%👩🏻‍🦲%" or Process.CommandLine like r"%🧑🏻‍🦲%" or Process.CommandLine like r"%👨🏻‍🦲%" or Process.CommandLine like r"%🧔🏻‍♀️%" or Process.CommandLine like r"%🧔🏻%" or Process.CommandLine like r"%🧔🏻‍♂️%" or Process.CommandLine like r"%👵🏻%" or Process.CommandLine like r"%🧓🏻%" or Process.CommandLine like r"%👴🏻%" or Process.CommandLine like r"%👲🏻%" or Process.CommandLine like r"%👳🏻‍♀️%" or Process.CommandLine like r"%👳🏻%" or Process.CommandLine like r"%👳🏻‍♂️%" or Process.CommandLine like r"%🧕🏻%" or Process.CommandLine like r"%👮🏻‍♀️%" or Process.CommandLine like r"%👮🏻%" or Process.CommandLine like r"%👮🏻‍♂️%" or Process.CommandLine like r"%👷🏻‍♀️%" or Process.CommandLine like r"%👷🏻%" or Process.CommandLine like r"%👷🏻‍♂️%" or Process.CommandLine like r"%💂🏻‍♀️%" or Process.CommandLine like r"%💂🏻%" or Process.CommandLine like r"%💂🏻‍♂️%" or Process.CommandLine like r"%🕵🏻‍♀️%" or Process.CommandLine like r"%🕵🏻%" or Process.CommandLine like 
r"%🕵🏻‍♂️%" or Process.CommandLine like r"%👩🏻‍⚕️%" or Process.CommandLine like r"%🧑🏻‍⚕️%" or Process.CommandLine like r"%👨🏻‍⚕️%" or Process.CommandLine like r"%👩🏻‍🌾%" or Process.CommandLine like r"%🧑🏻‍🌾%" or Process.CommandLine like r"%👨🏻‍🌾%" or Process.CommandLine like r"%👩🏻‍🍳%" or Process.CommandLine like r"%🧑🏻‍🍳%" or Process.CommandLine like r"%👨🏻‍🍳%" or Process.CommandLine like r"%👩🏻‍🎓%" or Process.CommandLine like r"%🧑🏻‍🎓%" or Process.CommandLine like r"%👨🏻‍🎓%" or Process.CommandLine like r"%👩🏻‍🎤%" or Process.CommandLine like r"%🧑🏻‍🎤%" or Process.CommandLine like r"%👨🏻‍🎤%" or Process.CommandLine like r"%👩🏻‍🏫%" or Process.CommandLine like r"%🧑🏻‍🏫%" or Process.CommandLine like r"%👨🏻‍🏫%" or Process.CommandLine like r"%👩🏻‍🏭%" or Process.CommandLine like r"%🧑🏻‍🏭%" or Process.CommandLine like r"%👨🏻‍🏭%" or Process.CommandLine like r"%👩🏻‍💻%" or Process.CommandLine like r"%🧑🏻‍💻%" or Process.CommandLine like r"%👨🏻‍💻%" or Process.CommandLine like r"%👩🏻‍💼%" or Process.CommandLine like r"%🧑🏻‍💼%" or Process.CommandLine like r"%👨🏻‍💼%" or Process.CommandLine like r"%👩🏻‍🔧%" or Process.CommandLine like r"%🧑🏻‍🔧%" or Process.CommandLine like r"%👨🏻‍🔧%" or Process.CommandLine like r"%👩🏻‍🔬%" or Process.CommandLine like r"%🧑🏻‍🔬%" or Process.CommandLine like r"%👨🏻‍🔬%" or Process.CommandLine like r"%👩🏻‍🎨%" or Process.CommandLine like r"%🧑🏻‍🎨%" or Process.CommandLine like r"%👨🏻‍🎨%" or Process.CommandLine like r"%👩🏻‍🚒%" or Process.CommandLine like r"%🧑🏻‍🚒%" or Process.CommandLine like r"%👨🏻‍🚒%" or Process.CommandLine like r"%👩🏻‍✈️%" or Process.CommandLine like r"%🧑🏻‍✈️%" or Process.CommandLine like r"%👨🏻‍✈️%" or Process.CommandLine like r"%👩🏻‍🚀%" or Process.CommandLine like r"%🧑🏻‍🚀%" or Process.CommandLine like r"%👨🏻‍🚀%" or Process.CommandLine like r"%👩🏻‍⚖️%" or Process.CommandLine like r"%🧑🏻‍⚖️%" or Process.CommandLine like r"%👨🏻‍⚖️%" or Process.CommandLine like r"%👰🏻‍♀️%" or Process.CommandLine like r"%👰🏻%" or Process.CommandLine like r"%👰🏻‍♂️%" or Process.CommandLine like r"%🤵🏻‍♀️%" or 
Process.CommandLine like r"%🤵🏻%" or Process.CommandLine like r"%🤵🏻‍♂️%" or Process.CommandLine like r"%👸🏻%" or Process.CommandLine like r"%🫅🏻%" or Process.CommandLine like r"%🤴🏻%" or Process.CommandLine like r"%🥷🏻%" or Process.CommandLine like r"%🦸🏻‍♀️%" or Process.CommandLine like r"%🦸🏻%" or Process.CommandLine like r"%🦸🏻‍♂️%" or Process.CommandLine like r"%🦹🏻‍♀️%" or Process.CommandLine like r"%🦹🏻%" or Process.CommandLine like r"%🦹🏻‍♂️%" or Process.CommandLine like r"%🤶🏻%" or Process.CommandLine like r"%🧑🏻‍🎄%" or Process.CommandLine like r"%🎅🏻%" or Process.CommandLine like r"%🧙🏻‍♀️%" or Process.CommandLine like r"%🧙🏻%" or Process.CommandLine like r"%🧙🏻‍♂️%" or Process.CommandLine like r"%🧝🏻‍♀️%" or Process.CommandLine like r"%🧝🏻%" or Process.CommandLine like r"%🧝🏻‍♂️%" or Process.CommandLine like r"%🧛🏻‍♀️%" or Process.CommandLine like r"%🧛🏻%" or Process.CommandLine like r"%🧛🏻‍♂️%" or Process.CommandLine like r"%🧜🏻‍♀️%" or Process.CommandLine like r"%🧜🏻%" or Process.CommandLine like r"%🧜🏻‍♂️%" or Process.CommandLine like r"%🧚🏻‍♀️%" or Process.CommandLine like r"%🧚🏻%" or Process.CommandLine like r"%🧚🏻‍♂️%" or Process.CommandLine like r"%👼🏻%" or Process.CommandLine like r"%🤰🏻%" or Process.CommandLine like r"%🫄🏻%" or Process.CommandLine like r"%🫃🏻%" or Process.CommandLine like r"%🤱🏻%" or Process.CommandLine like r"%👩🏻‍🍼%" or Process.CommandLine like r"%🧑🏻‍🍼%" or Process.CommandLine like r"%👨🏻‍🍼%" or Process.CommandLine like r"%🙇🏻‍♀️%" or Process.CommandLine like r"%🙇🏻%" or Process.CommandLine like r"%🙇🏻‍♂️%" or Process.CommandLine like r"%💁🏻‍♀️%" or Process.CommandLine like r"%💁🏻%" or Process.CommandLine like r"%💁🏻‍♂️%" or Process.CommandLine like r"%🙅🏻‍♀️%" or Process.CommandLine like r"%🙅🏻%" or Process.CommandLine like r"%🙅🏻‍♂️%" or Process.CommandLine like r"%🙆🏻‍♀️%" or Process.CommandLine like r"%🙆🏻%" or Process.CommandLine like r"%🙆🏻‍♂️%" or Process.CommandLine like r"%🙋🏻‍♀️%" or Process.CommandLine like r"%🙋🏻%" or Process.CommandLine like r"%🙋🏻‍♂️%" or 
Process.CommandLine like r"%🧏🏻‍♀️%" or Process.CommandLine like r"%🧏🏻%" or Process.CommandLine like r"%🧏🏻‍♂️%" or Process.CommandLine like r"%🤦🏻‍♀️%" or Process.CommandLine like r"%🤦🏻%" or Process.CommandLine like r"%🤦🏻‍♂️%" or Process.CommandLine like r"%🤷🏻‍♀️%" or Process.CommandLine like r"%🤷🏻%" or Process.CommandLine like r"%🤷🏻‍♂️%" or Process.CommandLine like r"%🙎🏻‍♀️%" or Process.CommandLine like r"%🙎🏻%" or Process.CommandLine like r"%🙎🏻‍♂️%" or Process.CommandLine like r"%🙍🏻‍♀️%" or Process.CommandLine like r"%🙍🏻%" or Process.CommandLine like r"%🙍🏻‍♂️%" or Process.CommandLine like r"%💇🏻‍♀️%" or Process.CommandLine like r"%💇🏻%" or Process.CommandLine like r"%💇🏻‍♂️%" or Process.CommandLine like r"%💆🏻‍♀️%" or Process.CommandLine like r"%💆🏻%" or Process.CommandLine like r"%💆🏻‍♂️%" or Process.CommandLine like r"%🧖🏻‍♀️%" or Process.CommandLine like r"%🧖🏻%" or Process.CommandLine like r"%🧖🏻‍♂️%" or Process.CommandLine like r"%💃🏻%" or Process.CommandLine like r"%🕺🏻%" or Process.CommandLine like r"%🕴🏻%" or Process.CommandLine like r"%👩🏻‍🦽%" or Process.CommandLine like r"%🧑🏻‍🦽%" or Process.CommandLine like r"%👨🏻‍🦽%" or Process.CommandLine like r"%👩🏻‍🦼%" or Process.CommandLine like r"%🧑🏻‍🦼%" or Process.CommandLine like r"%👨🏻‍🦼%" or Process.CommandLine like r"%🚶🏻‍♀️%" or Process.CommandLine like r"%🚶🏻%" or Process.CommandLine like r"%🚶🏻‍♂️%" or Process.CommandLine like r"%👩🏻‍🦯%" or Process.CommandLine like r"%🧑🏻‍🦯%" or Process.CommandLine like r"%👨🏻‍🦯%" or Process.CommandLine like r"%🧎🏻‍♀️%" or Process.CommandLine like r"%🧎🏻%" or Process.CommandLine like r"%🧎🏻‍♂️%" or Process.CommandLine like r"%🏃🏻‍♀️%" or Process.CommandLine like r"%🏃🏻%" or Process.CommandLine like r"%🏃🏻‍♂️%" or Process.CommandLine like r"%🧍🏻‍♀️%" or Process.CommandLine like r"%🧍🏻%" or Process.CommandLine like r"%🧍🏻‍♂️%" or Process.CommandLine like r"%👭🏻%" or Process.CommandLine like r"%🧑🏻‍🤝‍🧑🏻%" or Process.CommandLine like r"%👬🏻%" or Process.CommandLine like r"%👫🏻%" or Process.CommandLine like 
r"%🧗🏻‍♀️%" or Process.CommandLine like r"%🧗🏻%" or Process.CommandLine like r"%🧗🏻‍♂️%" or Process.CommandLine like r"%🏇🏻%" or Process.CommandLine like r"%🏂🏻%" or Process.CommandLine like r"%🏌🏻‍♀️%" or Process.CommandLine like r"%🏌🏻%" or Process.CommandLine like r"%🏌🏻‍♂️%" or Process.CommandLine like r"%🏄🏻‍♀️%" or Process.CommandLine like r"%🏄🏻%" or Process.CommandLine like r"%🏄🏻‍♂️%" or Process.CommandLine like r"%🚣🏻‍♀️%" or Process.CommandLine like r"%🚣🏻%" or Process.CommandLine like r"%🚣🏻‍♂️%" or Process.CommandLine like r"%🏊🏻‍♀️%" or Process.CommandLine like r"%🏊🏻%" or Process.CommandLine like r"%🏊🏻‍♂️%" or Process.CommandLine like r"%⛹🏻‍♀️%" or Process.CommandLine like r"%⛹🏻%" or Process.CommandLine like r"%⛹🏻‍♂️%" or Process.CommandLine like r"%🏋🏻‍♀️%" or Process.CommandLine like r"%🏋🏻%" or Process.CommandLine like r"%🏋🏻‍♂️%" or Process.CommandLine like r"%🚴🏻‍♀️%" or Process.CommandLine like r"%🚴🏻%" or Process.CommandLine like r"%🚴🏻‍♂️%" or Process.CommandLine like r"%🚵🏻‍♀️%" or Process.CommandLine like r"%🚵🏻%" or Process.CommandLine like r"%🚵🏻‍♂️%" or Process.CommandLine like r"%🤸🏻‍♀️%" or Process.CommandLine like r"%🤸🏻%" or Process.CommandLine like r"%🤸🏻‍♂️%" or Process.CommandLine like r"%🤽🏻‍♀️%" or Process.CommandLine like r"%🤽🏻%" or Process.CommandLine like r"%🤽🏻‍♂️%" or Process.CommandLine like r"%🤾🏻‍♀️%" or Process.CommandLine like r"%🤾🏻%" or Process.CommandLine like r"%🤾🏻‍♂️%" or Process.CommandLine like r"%🤹🏻‍♀️%" or Process.CommandLine like r"%🤹🏻%" or Process.CommandLine like r"%🤹🏻‍♂️%" or Process.CommandLine like r"%🧘🏻‍♀️%" or Process.CommandLine like r"%🧘🏻%" or Process.CommandLine like r"%🧘🏻‍♂️%" or Process.CommandLine like r"%🛀🏻%" or Process.CommandLine like r"%🛌🏻%" or Process.CommandLine like r"%👋🏼%" or Process.CommandLine like r"%🤚🏼%" or Process.CommandLine like r"%🖐🏼%" or Process.CommandLine like r"%✋🏼%" or Process.CommandLine like r"%🖖🏼%" or Process.CommandLine like r"%👌🏼%" or Process.CommandLine like r"%🤌🏼%" or Process.CommandLine like r"%🤏🏼%" 
or Process.CommandLine like r"%✌🏼%" or Process.CommandLine like r"%🤞🏼%" or Process.CommandLine like r"%🫰🏼%" or Process.CommandLine like r"%🤟🏼%" or Process.CommandLine like r"%🤘🏼%" or Process.CommandLine like r"%🤙🏼%" or Process.CommandLine like r"%🫵🏼%" or Process.CommandLine like r"%🫱🏼%" or Process.CommandLine like r"%🫲🏼%" or Process.CommandLine like r"%🫳🏼%" or Process.CommandLine like r"%🫴🏼%" or Process.CommandLine like r"%👈🏼%" or Process.CommandLine like r"%👉🏼%" or Process.CommandLine like r"%👆🏼%" or Process.CommandLine like r"%🖕🏼%" or Process.CommandLine like r"%👇🏼%" or Process.CommandLine like r"%☝🏼%" or Process.CommandLine like r"%👍🏼%" or Process.CommandLine like r"%👎🏼%" or Process.CommandLine like r"%✊🏼%" or Process.CommandLine like r"%👊🏼%" or Process.CommandLine like r"%🤛🏼%" or Process.CommandLine like r"%🤜🏼%" or Process.CommandLine like r"%👏🏼%" or Process.CommandLine like r"%🫶🏼%" or Process.CommandLine like r"%🙌🏼%" or Process.CommandLine like r"%👐🏼%" or Process.CommandLine like r"%🤲🏼%" or Process.CommandLine like r"%🙏🏼%" or Process.CommandLine like r"%✍🏼%" or Process.CommandLine like r"%💪🏼%" or Process.CommandLine like r"%🦵🏼%" or Process.CommandLine like r"%🦶🏼%" or Process.CommandLine like r"%👂🏼%" or Process.CommandLine like r"%🦻🏼%" or Process.CommandLine like r"%👃🏼%" or Process.CommandLine like r"%👶🏼%" or Process.CommandLine like r"%👧🏼%" or Process.CommandLine like r"%🧒🏼%" or Process.CommandLine like r"%👦🏼%" or Process.CommandLine like r"%👩🏼%" or Process.CommandLine like r"%🧑🏼%" or Process.CommandLine like r"%👨🏼%" or Process.CommandLine like r"%👩🏼‍🦱%" or Process.CommandLine like r"%🧑🏼‍🦱%" or Process.CommandLine like r"%👨🏼‍🦱%" or Process.CommandLine like r"%👩🏼‍🦰%" or Process.CommandLine like r"%🧑🏼‍🦰%" or Process.CommandLine like r"%👨🏼‍🦰%" or Process.CommandLine like r"%👱🏼‍♀️%" or Process.CommandLine like r"%👱🏼%" or Process.CommandLine like r"%👱🏼‍♂️%" or Process.CommandLine like r"%👩🏼‍🦳%" or Process.CommandLine like r"%🧑🏼‍🦳%" or Process.CommandLine like 
r"%👨🏼‍🦳%" or Process.CommandLine like r"%👩🏼‍🦲%" or Process.CommandLine like r"%🧑🏼‍🦲%" or Process.CommandLine like r"%👨🏼‍🦲%" or Process.CommandLine like r"%🧔🏼‍♀️%" or Process.CommandLine like r"%🧔🏼%" or Process.CommandLine like r"%🧔🏼‍♂️%" or Process.CommandLine like r"%👵🏼%" or Process.CommandLine like r"%🧓🏼%" or Process.CommandLine like r"%👴🏼%" or Process.CommandLine like r"%👲🏼%" or Process.CommandLine like r"%👳🏼‍♀️%" or Process.CommandLine like r"%👳🏼%" or Process.CommandLine like r"%👳🏼‍♂️%" or Process.CommandLine like r"%🧕🏼%" or Process.CommandLine like r"%👮🏼‍♀️%" or Process.CommandLine like r"%👮🏼%" or Process.CommandLine like r"%👮🏼‍♂️%" or Process.CommandLine like r"%👷🏼‍♀️%" or Process.CommandLine like r"%👷🏼%" or Process.CommandLine like r"%👷🏼‍♂️%" or Process.CommandLine like r"%💂🏼‍♀️%" or Process.CommandLine like r"%💂🏼%" or Process.CommandLine like r"%💂🏼‍♂️%" or Process.CommandLine like r"%🕵🏼‍♀️%" or Process.CommandLine like r"%🕵🏼%" or Process.CommandLine like r"%🕵🏼‍♂️%" or Process.CommandLine like r"%👩🏼‍⚕️%" or Process.CommandLine like r"%🧑🏼‍⚕️%" or Process.CommandLine like r"%👨🏼‍⚕️%" or Process.CommandLine like r"%👩🏼‍🌾%" or Process.CommandLine like r"%🧑🏼‍🌾%" or Process.CommandLine like r"%👨🏼‍🌾%" or Process.CommandLine like r"%👩🏼‍🍳%" or Process.CommandLine like r"%🧑🏼‍🍳%" or Process.CommandLine like r"%👨🏼‍🍳%" or Process.CommandLine like r"%👩🏼‍🎓%" or Process.CommandLine like r"%🧑🏼‍🎓%" or Process.CommandLine like r"%👨🏼‍🎓%" or Process.CommandLine like r"%👩🏼‍🎤%" or Process.CommandLine like r"%🧑🏼‍🎤%" or Process.CommandLine like r"%👨🏼‍🎤%" or Process.CommandLine like r"%👩🏼‍🏫%" or Process.CommandLine like r"%🧑🏼‍🏫%" or Process.CommandLine like r"%👨🏼‍🏫%" or Process.CommandLine like r"%👩🏼‍🏭%" or Process.CommandLine like r"%🧑🏼‍🏭%" or Process.CommandLine like r"%👨🏼‍🏭%" or Process.CommandLine like r"%👩🏼‍💻%" or Process.CommandLine like r"%🧑🏼‍💻%" or Process.CommandLine like r"%👨🏼‍💻%" or Process.CommandLine like r"%👩🏼‍💼%" or Process.CommandLine like r"%🧑🏼‍💼%" or 
Process.CommandLine like r"%👨🏼‍💼%" or Process.CommandLine like r"%👩🏼‍🔧%" or Process.CommandLine like r"%🧑🏼‍🔧%" or Process.CommandLine like r"%👨🏼‍🔧%" or Process.CommandLine like r"%👩🏼‍🔬%" or Process.CommandLine like r"%🧑🏼‍🔬%" or Process.CommandLine like r"%👨🏼‍🔬%" or Process.CommandLine like r"%👩🏼‍🎨%" or Process.CommandLine like r"%🧑🏼‍🎨%" or Process.CommandLine like r"%👨🏼‍🎨%" or Process.CommandLine like r"%👩🏼‍🚒%" or Process.CommandLine like r"%🧑🏼‍🚒%" or Process.CommandLine like r"%👨🏼‍🚒%" or Process.CommandLine like r"%👩🏼‍✈️%" or Process.CommandLine like r"%🧑🏼‍✈️%" or Process.CommandLine like r"%👨🏼‍✈️%" or Process.CommandLine like r"%👩🏼‍🚀%" or Process.CommandLine like r"%🧑🏼‍🚀%" or Process.CommandLine like r"%👨🏼‍🚀%" or Process.CommandLine like r"%👩🏼‍⚖️%" or Process.CommandLine like r"%🧑🏼‍⚖️%" or Process.CommandLine like r"%👨🏼‍⚖️%" or Process.CommandLine like r"%👰🏼‍♀️%" or Process.CommandLine like r"%👰🏼%" or Process.CommandLine like r"%👰🏼‍♂️%" or Process.CommandLine like r"%🤵🏼‍♀️%" or Process.CommandLine like r"%🤵🏼%" or Process.CommandLine like r"%🤵🏼‍♂️%" or Process.CommandLine like r"%👸🏼%" or Process.CommandLine like r"%🫅🏼%" or Process.CommandLine like r"%🤴🏼%" or Process.CommandLine like r"%🥷🏼%" or Process.CommandLine like r"%🦸🏼‍♀️%" or Process.CommandLine like r"%🦸🏼%" or Process.CommandLine like r"%🦸🏼‍♂️%" or Process.CommandLine like r"%🦹🏼‍♀️%" or Process.CommandLine like r"%🦹🏼%" or Process.CommandLine like r"%🦹🏼‍♂️%" or Process.CommandLine like r"%🤶🏼%" or Process.CommandLine like r"%🧑🏼‍🎄%" or Process.CommandLine like r"%🎅🏼%" or Process.CommandLine like r"%🧙🏼‍♀️%" or Process.CommandLine like r"%🧙🏼%" or Process.CommandLine like r"%🧙🏼‍♂️%" or Process.CommandLine like r"%🧝🏼‍♀️%" or Process.CommandLine like r"%🧝🏼%" or Process.CommandLine like r"%🧝🏼‍♂️%" or Process.CommandLine like r"%🧛🏼‍♀️%" or Process.CommandLine like r"%🧛🏼%" or Process.CommandLine like r"%🧛🏼‍♂️%" or Process.CommandLine like r"%🧜🏼‍♀️%" or Process.CommandLine like r"%🧜🏼%" or Process.CommandLine like 
r"%🧜🏼‍♂️%" or Process.CommandLine like r"%🧚🏼‍♀️%" or Process.CommandLine like r"%🧚🏼%" or Process.CommandLine like r"%🧚🏼‍♂️%" or Process.CommandLine like r"%👼🏼%" or Process.CommandLine like r"%🤰🏼%" or Process.CommandLine like r"%🫄🏼%" or Process.CommandLine like r"%🫃🏼%" or Process.CommandLine like r"%🤱🏼%" or Process.CommandLine like r"%👩🏼‍🍼%" or Process.CommandLine like r"%🧑🏼‍🍼%" or Process.CommandLine like r"%👨🏼‍🍼%" or Process.CommandLine like r"%🙇🏼‍♀️%" or Process.CommandLine like r"%🙇🏼%" or Process.CommandLine like r"%🙇🏼‍♂️%" or Process.CommandLine like r"%💁🏼‍♀️%" or Process.CommandLine like r"%💁🏼%" or Process.CommandLine like r"%💁🏼‍♂️%" or Process.CommandLine like r"%🙅🏼‍♀️%" or Process.CommandLine like r"%🙅🏼%" or Process.CommandLine like r"%🙅🏼‍♂️%" or Process.CommandLine like r"%🙆🏼‍♀️%" or Process.CommandLine like r"%🙆🏼%" or Process.CommandLine like r"%🙆🏼‍♂️%" or Process.CommandLine like r"%🙋🏼‍♀️%" or Process.CommandLine like r"%🙋🏼%" or Process.CommandLine like r"%🙋🏼‍♂️%" or Process.CommandLine like r"%🧏🏼‍♀️%" or Process.CommandLine like r"%🧏🏼%" or Process.CommandLine like r"%🧏🏼‍♂️%" or Process.CommandLine like r"%🤦🏼‍♀️%" or Process.CommandLine like r"%🤦🏼%" or Process.CommandLine like r"%🤦🏼‍♂️%" or Process.CommandLine like r"%🤷🏼‍♀️%" +Annotation = {"mitre_attack": ["T1190"], "author": "Jason Rathbun (Blackpoint Cyber)"} +Query = Parent.Path like r"%\\ScreenConnect.Service.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\csc.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion. 
-# Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community -RuleId = a238b5d0-ce2d-4414-a676-7a531b3d13d6 -RuleName = ETW Trace Evasion Activity +# Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly" +# Author: pH-T (Nextron Systems) +RuleId = 9c0295ce-d60d-40bd-bd74-84673b7592b1 +RuleName = Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call EventType = Process.Start -Tag = proc-start-etw-trace-evasion-activity +Tag = proc-start-suspicious-encoded-and-obfuscated-reflection-assembly-load-function-call RiskScore = 75 -Annotation = {"mitre_attack": ["T1070", "T1562.006"], "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community"} -Query = Process.CommandLine like r"%cl%" and Process.CommandLine like r"%/Trace%" or Process.CommandLine like r"%clear-log%" and Process.CommandLine like r"%/Trace%" or Process.CommandLine like r"%sl%" and Process.CommandLine like r"%/e:false%" or Process.CommandLine like r"%set-log%" and Process.CommandLine like r"%/e:false%" or Process.CommandLine like r"%logman%" and Process.CommandLine like r"%update%" and Process.CommandLine like r"%trace%" and Process.CommandLine like r"%--p%" and Process.CommandLine like r"%-ets%" or Process.CommandLine like r"%Remove-EtwTraceProvider%" or Process.CommandLine like r"%Set-EtwTraceProvider%" and Process.CommandLine like r"%0x11%" +Annotation = {"mitre_attack": ["T1059.001", "T1027"], "author": "pH-T (Nextron Systems)"} +Query = Process.CommandLine like r"%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%" or Process.CommandLine like r"%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%" or Process.CommandLine like r"%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%" or Process.CommandLine like r"%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%" or Process.CommandLine like r"%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%" or Process.CommandLine like r"%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%" or Process.CommandLine like 
r"%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%" or Process.CommandLine like r"%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%" or Process.CommandLine like r"%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%" or Process.CommandLine like r"%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%" or Process.CommandLine like r"%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%" or Process.CommandLine like r"%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%" or Process.CommandLine like r"%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%" or Process.CommandLine like r"%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%" or Process.CommandLine like r"%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%" or Process.CommandLine like r"%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%" or Process.CommandLine like r"%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%" or Process.CommandLine like r"%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%" [ThreatDetectionRule platform=Windows] -# Detects actions caused by the RedMimicry Winnti playbook -# Author: Alexander Rausch -RuleId = 5b175490-b652-4b02-b1de-5b5b4083c5f8 -RuleName = RedMimicry Winnti Playbook Registry Manipulation +# Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. +# The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 41f6531d-af6e-4c6e-918f-b946f2b85a36 +RuleName = Potential Persistence Via LSA Extensions EventType = Reg.Any -Tag = redmimicry-winnti-playbook-registry-manipulation +Tag = potential-persistence-via-lsa-extensions RiskScore = 75 -Annotation = {"mitre_attack": ["T1112"], "author": "Alexander Rausch"} -Query = Reg.TargetObject like r"%HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data%" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions%" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects Obfuscated Powershell via use Clip.exe in Scripts -# Author: Nikita Nazarov, oscd.community -RuleId = e1561947-b4e3-4a74-9bdd-83baed21bdb5 -RuleName = Invoke-Obfuscation Via Use Clip +# Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 13e6fe51-d478-4c7e-b0f2-6da9b400a829 +RuleName = Suspicious File Downloaded From Direct IP Via Certutil.EXE EventType = Process.Start -Tag = proc-start-invoke-obfuscation-via-use-clip -RiskScore = 75 -Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Nikita Nazarov, oscd.community"} -Query = Process.CommandLine regex "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)" - - -[ThreatDetectionRule platform=Windows] -# Detects a network connection that is initiated by the "notepad.exe" process. -# This might be a sign of process injection from a beacon process or something similar. -# Notepad rarely initiates a network communication except when printing documents for example. 
-# Author: EagleEye Team -RuleId = e81528db-fc02-45e8-8e98-4e84aba1f10b -RuleName = Network Connection Initiated Via Notepad.EXE -EventType = Net.Any -Tag = network-connection-initiated-via-notepad.exe +Tag = proc-start-suspicious-file-downloaded-from-direct-ip-via-certutil.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1055"], "author": "EagleEye Team"} -Query = Process.Path like r"%\\notepad.exe" and not Net.Target.Port == 9100 -GenericProperty1 = Net.Target.Port +Annotation = {"mitre_attack": ["T1027"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\certutil.exe" or Process.Name == "CertUtil.exe") and (Process.CommandLine like r"%urlcache %" or Process.CommandLine like r"%verifyctl %") and (Process.CommandLine like r"%://1%" or Process.CommandLine like r"%://2%" or Process.CommandLine like r"%://3%" or Process.CommandLine like r"%://4%" or Process.CommandLine like r"%://5%" or Process.CommandLine like r"%://6%" or Process.CommandLine like r"%://7%" or Process.CommandLine like r"%://8%" or Process.CommandLine like r"%://9%") and not Process.CommandLine like r"%://7-%" [ThreatDetectionRule platform=Windows] -# Detects Obfuscated Powershell via VAR++ LAUNCHER -# Author: Timur Zinniatullin, oscd.community -RuleId = e9f55347-2928-4c06-88e5-1a7f8169942e -RuleName = Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION -EventType = Process.Start -Tag = proc-start-invoke-obfuscation-var++-launcher-obfuscation +# Detects the creation of a new Outlook form which can contain malicious code +# Author: Tobias Michalski (Nextron Systems) +RuleId = c3edc6a5-d9d4-48d8-930e-aab518390917 +RuleName = Potential Persistence Via Outlook Form +EventType = File.Create +Tag = potential-persistence-via-outlook-form RiskScore = 75 -Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Timur Zinniatullin, oscd.community"} -Query = Process.CommandLine like r"%&&set%" and Process.CommandLine like r"%cmd%" and Process.CommandLine like r"%/c%" 
and Process.CommandLine like r"%-f%" and (Process.CommandLine like r"%{0}%" or Process.CommandLine like r"%{1}%" or Process.CommandLine like r"%{2}%" or Process.CommandLine like r"%{3}%" or Process.CommandLine like r"%{4}%" or Process.CommandLine like r"%{5}%") +Annotation = {"mitre_attack": ["T1137.003"], "author": "Tobias Michalski (Nextron Systems)"} +Query = Process.Path like r"%\\outlook.exe" and (File.Path like r"%\\AppData\\Local\\Microsoft\\FORMS\\IPM%" or File.Path like r"%\\Local Settings\\Application Data\\Microsoft\\Forms%") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil". 
-# Author: X__Junior -RuleId = ba226dcf-d390-4642-b9af-b534872f1156 -RuleName = Windows Event Log Access Tampering Via Registry +# Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 42205c73-75c8-4a63-9db1-e3782e06fda0 +RuleName = Suspicious Application Allowed Through Exploit Guard EventType = Reg.Any -Tag = windows-event-log-access-tampering-via-registry +Tag = suspicious-application-allowed-through-exploit-guard RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.001", "T1112"], "author": "X__Junior"} -Query = (Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\%" and Reg.TargetObject like r"%\\CustomSD" or (Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows\\EventLog\\%" or Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels%") and Reg.TargetObject like r"%\\ChannelAccess") and (Reg.Value.Data like r"%D:(D;%" or Reg.Value.Data like r"%D:(%" and Reg.Value.Data like r"%)(D;%") +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications%" and (Reg.TargetObject like r"%\\Users\\Public\\%" or Reg.TargetObject like r"%\\AppData\\Local\\Temp\\%" or Reg.TargetObject like r"%\\Desktop\\%" or Reg.TargetObject like r"%\\PerfLogs\\%" or Reg.TargetObject like r"%\\Windows\\Temp\\%") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the creation of known offensive powershell scripts used for exploitation -# Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein -RuleId = f331aa1f-8c53-4fc3-b083-cc159bc971cb -RuleName = Malicious PowerShell Scripts - 
FileCreation -EventType = File.Create -Tag = malicious-powershell-scripts-filecreation +# Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 40aa399c-7b02-4715-8e5f-73572b493f33 +RuleName = Suspicious File Download From IP Via Wget.EXE - Paths +EventType = Process.Start +Tag = proc-start-suspicious-file-download-from-ip-via-wget.exe-paths RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein"} -Query = File.Path like r"%\\Add-ConstrainedDelegationBackdoor.ps1" or File.Path like r"%\\Add-Exfiltration.ps1" or File.Path like r"%\\Add-Persistence.ps1" or File.Path like r"%\\Add-RegBackdoor.ps1" or File.Path like r"%\\Add-RemoteRegBackdoor.ps1" or File.Path like r"%\\Add-ScrnSaveBackdoor.ps1" or File.Path like r"%\\ADRecon.ps1" or File.Path like r"%\\AzureADRecon.ps1" or File.Path like r"%\\Check-VM.ps1" or File.Path like r"%\\ConvertTo-ROT13.ps1" or File.Path like r"%\\Copy-VSS.ps1" or File.Path like r"%\\Create-MultipleSessions.ps1" or File.Path like r"%\\DNS\_TXT\_Pwnage.ps1" or File.Path like r"%\\dnscat2.ps1" or File.Path like r"%\\Do-Exfiltration.ps1" or File.Path like r"%\\DomainPasswordSpray.ps1" or File.Path like r"%\\Download\_Execute.ps1" or File.Path like r"%\\Download-Execute-PS.ps1" or File.Path like r"%\\Enable-DuplicateToken.ps1" or File.Path like r"%\\Enabled-DuplicateToken.ps1" or File.Path like r"%\\Execute-Command-MSSQL.ps1" or File.Path like r"%\\Execute-DNSTXT-Code.ps1" or File.Path like r"%\\Execute-OnTime.ps1" or File.Path like r"%\\ExetoText.ps1" or File.Path like r"%\\Exploit-Jboss.ps1" or File.Path like r"%\\Find-AVSignature.ps1" or File.Path like r"%\\Find-Fruit.ps1" or File.Path like r"%\\Find-GPOLocation.ps1" or File.Path like r"%\\Find-TrustedDocuments.ps1" or File.Path like r"%\\FireBuster.ps1" or 
File.Path like r"%\\FireListener.ps1" or File.Path like r"%\\Get-ApplicationHost.ps1" or File.Path like r"%\\Get-ChromeDump.ps1" or File.Path like r"%\\Get-ClipboardContents.ps1" or File.Path like r"%\\Get-ComputerDetail.ps1" or File.Path like r"%\\Get-FoxDump.ps1" or File.Path like r"%\\Get-GPPAutologon.ps1" or File.Path like r"%\\Get-GPPPassword.ps1" or File.Path like r"%\\Get-IndexedItem.ps1" or File.Path like r"%\\Get-Keystrokes.ps1" or File.Path like r"%\\Get-LSASecret.ps1" or File.Path like r"%\\Get-MicrophoneAudio.ps1" or File.Path like r"%\\Get-PassHashes.ps1" or File.Path like r"%\\Get-PassHints.ps1" or File.Path like r"%\\Get-RegAlwaysInstallElevated.ps1" or File.Path like r"%\\Get-RegAutoLogon.ps1" or File.Path like r"%\\Get-RickAstley.ps1" or File.Path like r"%\\Get-Screenshot.ps1" or File.Path like r"%\\Get-SecurityPackages.ps1" or File.Path like r"%\\Get-ServiceFilePermission.ps1" or File.Path like r"%\\Get-ServicePermission.ps1" or File.Path like r"%\\Get-ServiceUnquoted.ps1" or File.Path like r"%\\Get-SiteListPassword.ps1" or File.Path like r"%\\Get-System.ps1" or File.Path like r"%\\Get-TimedScreenshot.ps1" or File.Path like r"%\\Get-UnattendedInstallFile.ps1" or File.Path like r"%\\Get-Unconstrained.ps1" or File.Path like r"%\\Get-USBKeystrokes.ps1" or File.Path like r"%\\Get-VaultCredential.ps1" or File.Path like r"%\\Get-VulnAutoRun.ps1" or File.Path like r"%\\Get-VulnSchTask.ps1" or File.Path like r"%\\Get-WebConfig.ps1" or File.Path like r"%\\Get-WebCredentials.ps1" or File.Path like r"%\\Get-WLAN-Keys.ps1" or File.Path like r"%\\Gupt-Backdoor.ps1" or File.Path like r"%\\HTTP-Backdoor.ps1" or File.Path like r"%\\HTTP-Login.ps1" or File.Path like r"%\\Install-ServiceBinary.ps1" or File.Path like r"%\\Install-SSP.ps1" or File.Path like r"%\\Invoke-ACLScanner.ps1" or File.Path like r"%\\Invoke-ADSBackdoor.ps1" or File.Path like r"%\\Invoke-AmsiBypass.ps1" or File.Path like r"%\\Invoke-ARPScan.ps1" or File.Path like r"%\\Invoke-BackdoorLNK.ps1" or 
File.Path like r"%\\Invoke-BadPotato.ps1" or File.Path like r"%\\Invoke-BetterSafetyKatz.ps1" or File.Path like r"%\\Invoke-BruteForce.ps1" or File.Path like r"%\\Invoke-BypassUAC.ps1" or File.Path like r"%\\Invoke-Carbuncle.ps1" or File.Path like r"%\\Invoke-Certify.ps1" or File.Path like r"%\\Invoke-ConPtyShell.ps1" or File.Path like r"%\\Invoke-CredentialInjection.ps1" or File.Path like r"%\\Invoke-CredentialsPhish.ps1" or File.Path like r"%\\Invoke-DAFT.ps1" or File.Path like r"%\\Invoke-DCSync.ps1" or File.Path like r"%\\Invoke-Decode.ps1" or File.Path like r"%\\Invoke-DinvokeKatz.ps1" or File.Path like r"%\\Invoke-DllInjection.ps1" or File.Path like r"%\\Invoke-DNSUpdate.ps1" or File.Path like r"%\\Invoke-DowngradeAccount.ps1" or File.Path like r"%\\Invoke-EgressCheck.ps1" or File.Path like r"%\\Invoke-Encode.ps1" or File.Path like r"%\\Invoke-EventViewer.ps1" or File.Path like r"%\\Invoke-Eyewitness.ps1" or File.Path like r"%\\Invoke-FakeLogonScreen.ps1" or File.Path like r"%\\Invoke-Farmer.ps1" or File.Path like r"%\\Invoke-Get-RBCD-Threaded.ps1" or File.Path like r"%\\Invoke-Gopher.ps1" or File.Path like r"%\\Invoke-Grouper2.ps1" or File.Path like r"%\\Invoke-Grouper3.ps1" or File.Path like r"%\\Invoke-HandleKatz.ps1" or File.Path like r"%\\Invoke-Interceptor.ps1" or File.Path like r"%\\Invoke-Internalmonologue.ps1" or File.Path like r"%\\Invoke-Inveigh.ps1" or File.Path like r"%\\Invoke-InveighRelay.ps1" or File.Path like r"%\\Invoke-JSRatRegsvr.ps1" or File.Path like r"%\\Invoke-JSRatRundll.ps1" or File.Path like r"%\\Invoke-KrbRelay.ps1" or File.Path like r"%\\Invoke-KrbRelayUp.ps1" or File.Path like r"%\\Invoke-LdapSignCheck.ps1" or File.Path like r"%\\Invoke-Lockless.ps1" or File.Path like r"%\\Invoke-MalSCCM.ps1" or File.Path like r"%\\Invoke-Mimikatz.ps1" or File.Path like r"%\\Invoke-MimikatzWDigestDowngrade.ps1" or File.Path like r"%\\Invoke-Mimikittenz.ps1" or File.Path like r"%\\Invoke-MITM6.ps1" or File.Path like r"%\\Invoke-NanoDump.ps1" or 
File.Path like r"%\\Invoke-NetRipper.ps1" or File.Path like r"%\\Invoke-NetworkRelay.ps1" or File.Path like r"%\\Invoke-NinjaCopy.ps1" or File.Path like r"%\\Invoke-OxidResolver.ps1" or File.Path like r"%\\Invoke-P0wnedshell.ps1" or File.Path like r"%\\Invoke-P0wnedshellx86.ps1" or File.Path like r"%\\Invoke-Paranoia.ps1" or File.Path like r"%\\Invoke-PortScan.ps1" or File.Path like r"%\\Invoke-PoshRatHttp.ps1" or File.Path like r"%\\Invoke-PoshRatHttps.ps1" or File.Path like r"%\\Invoke-PostExfil.ps1" or File.Path like r"%\\Invoke-PowerDump.ps1" or File.Path like r"%\\Invoke-PowerShellIcmp.ps1" or File.Path like r"%\\Invoke-PowerShellTCP.ps1" or File.Path like r"%\\Invoke-PowerShellTcpOneLine.ps1" or File.Path like r"%\\Invoke-PowerShellTcpOneLineBind.ps1" or File.Path like r"%\\Invoke-PowerShellUdp.ps1" or File.Path like r"%\\Invoke-PowerShellUdpOneLine.ps1" or File.Path like r"%\\Invoke-PowerShellWMI.ps1" or File.Path like r"%\\Invoke-PowerThIEf.ps1" or File.Path like r"%\\Invoke-PPLDump.ps1" or File.Path like r"%\\Invoke-Prasadhak.ps1" or File.Path like r"%\\Invoke-PsExec.ps1" or File.Path like r"%\\Invoke-PsGcat.ps1" or File.Path like r"%\\Invoke-PsGcatAgent.ps1" or File.Path like r"%\\Invoke-PSInject.ps1" or File.Path like r"%\\Invoke-PsUaCme.ps1" or File.Path like r"%\\Invoke-ReflectivePEInjection.ps1" or File.Path like r"%\\Invoke-ReverseDNSLookup.ps1" or File.Path like r"%\\Invoke-Rubeus.ps1" or File.Path like r"%\\Invoke-RunAs.ps1" or File.Path like r"%\\Invoke-SafetyKatz.ps1" or File.Path like r"%\\Invoke-SauronEye.ps1" or File.Path like r"%\\Invoke-SCShell.ps1" or File.Path like r"%\\Invoke-Seatbelt.ps1" or File.Path like r"%\\Invoke-ServiceAbuse.ps1" or File.Path like r"%\\Invoke-SessionGopher.ps1" or File.Path like r"%\\Invoke-ShellCode.ps1" or File.Path like r"%\\Invoke-SMBScanner.ps1" or File.Path like r"%\\Invoke-Snaffler.ps1" or File.Path like r"%\\Invoke-Spoolsample.ps1" or File.Path like r"%\\Invoke-SSHCommand.ps1" or File.Path like 
r"%\\Invoke-SSIDExfil.ps1" or File.Path like r"%\\Invoke-StandIn.ps1" or File.Path like r"%\\Invoke-StickyNotesExtract.ps1" or File.Path like r"%\\Invoke-Tater.ps1" or File.Path like r"%\\Invoke-Thunderfox.ps1" or File.Path like r"%\\Invoke-ThunderStruck.ps1" or File.Path like r"%\\Invoke-TokenManipulation.ps1" or File.Path like r"%\\Invoke-Tokenvator.ps1" or File.Path like r"%\\Invoke-TotalExec.ps1" or File.Path like r"%\\Invoke-UrbanBishop.ps1" or File.Path like r"%\\Invoke-UserHunter.ps1" or File.Path like r"%\\Invoke-VoiceTroll.ps1" or File.Path like r"%\\Invoke-Whisker.ps1" or File.Path like r"%\\Invoke-WinEnum.ps1" or File.Path like r"%\\Invoke-winPEAS.ps1" or File.Path like r"%\\Invoke-WireTap.ps1" or File.Path like r"%\\Invoke-WmiCommand.ps1" or File.Path like r"%\\Invoke-WScriptBypassUAC.ps1" or File.Path like r"%\\Invoke-Zerologon.ps1" or File.Path like r"%\\Keylogger.ps1" or File.Path like r"%\\MailRaider.ps1" or File.Path like r"%\\New-HoneyHash.ps1" or File.Path like r"%\\OfficeMemScraper.ps1" or File.Path like r"%\\Offline\_Winpwn.ps1" or File.Path like r"%\\Out-CHM.ps1" or File.Path like r"%\\Out-DnsTxt.ps1" or File.Path like r"%\\Out-Excel.ps1" or File.Path like r"%\\Out-HTA.ps1" or File.Path like r"%\\Out-Java.ps1" or File.Path like r"%\\Out-JS.ps1" or File.Path like r"%\\Out-Minidump.ps1" or File.Path like r"%\\Out-RundllCommand.ps1" or File.Path like r"%\\Out-SCF.ps1" or File.Path like r"%\\Out-SCT.ps1" or File.Path like r"%\\Out-Shortcut.ps1" or File.Path like r"%\\Out-WebQuery.ps1" or File.Path like r"%\\Out-Word.ps1" or File.Path like r"%\\Parse\_Keys.ps1" or File.Path like r"%\\Port-Scan.ps1" or File.Path like r"%\\PowerBreach.ps1" or File.Path like r"%\\powercat.ps1" or File.Path like r"%\\Powermad.ps1" or File.Path like r"%\\PowerRunAsSystem.psm1" or File.Path like r"%\\PowerSharpPack.ps1" or File.Path like r"%\\PowerUp.ps1" or File.Path like r"%\\PowerUpSQL.ps1" or File.Path like r"%\\PowerView.ps1" or File.Path like r"%\\PSAsyncShell.ps1" 
or File.Path like r"%\\RemoteHashRetrieval.ps1" or File.Path like r"%\\Remove-Persistence.ps1" or File.Path like r"%\\Remove-PoshRat.ps1" or File.Path like r"%\\Remove-Update.ps1" or File.Path like r"%\\Run-EXEonRemote.ps1" or File.Path like r"%\\Schtasks-Backdoor.ps1" or File.Path like r"%\\Set-DCShadowPermissions.ps1" or File.Path like r"%\\Set-MacAttribute.ps1" or File.Path like r"%\\Set-RemotePSRemoting.ps1" or File.Path like r"%\\Set-RemoteWMI.ps1" or File.Path like r"%\\Set-Wallpaper.ps1" or File.Path like r"%\\Show-TargetScreen.ps1" or File.Path like r"%\\Speak.ps1" or File.Path like r"%\\Start-CaptureServer.ps1" or File.Path like r"%\\Start-WebcamRecorder.ps1" or File.Path like r"%\\StringToBase64.ps1" or File.Path like r"%\\TexttoExe.ps1" or File.Path like r"%\\VolumeShadowCopyTools.ps1" or File.Path like r"%\\WinPwn.ps1" or File.Path like r"%\\WSUSpendu.ps1" or File.Path like r"%Invoke-Sharp%" and File.Path like r"%.ps1" -GenericProperty1 = File.Path +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\wget.exe" or Process.Name == "wget.exe") and Process.CommandLine regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and Process.CommandLine like r"%http%" and (Process.CommandLine regex "\\s-O\\s" or Process.CommandLine like r"%--output-document%") and (Process.CommandLine like r"%:\\PerfLogs\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\Help\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\Temporary Internet%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Favorites\\%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Favourites\\%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like r"%\\Contacts\\%" or Process.CommandLine like r"%:\\Users\\%" and Process.CommandLine like 
r"%\\Pictures\\%") [ThreatDetectionRule platform=Windows] -# Detects a suspicious process spawning from an Outlook process. -# Author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team -RuleId = 208748f7-881d-47ac-a29c-07ea84bf691d -RuleName = Suspicious Outlook Child Process +# Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation +# Author: Nextron Systems +RuleId = 7a74da6b-ea76-47db-92cc-874ad90df734 +RuleName = Suspicious MSDT Parent Process EventType = Process.Start -Tag = proc-start-suspicious-outlook-child-process +Tag = proc-start-suspicious-msdt-parent-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1204.002"], "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team"} -Query = Parent.Path like r"%\\OUTLOOK.EXE" and (Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\msbuild.exe" or Process.Path like r"%\\msdt.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") +Annotation = {"mitre_attack": ["T1036", "T1218"], "author": "Nextron Systems"} +Query = (Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\regsvr32.exe" or Parent.Path like 
r"%\\rundll32.exe" or Parent.Path like r"%\\schtasks.exe" or Parent.Path like r"%\\wmic.exe" or Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\wsl.exe") and (Process.Path like r"%\\msdt.exe" or Process.Name == "msdt.exe") GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory. -# Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati -RuleId = f53714ec-5077-420e-ad20-907ff9bb2958 -RuleName = Forfiles.EXE Child Process Masquerading +# Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery. +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +RuleId = b730a276-6b63-41b8-bcf8-55930c8fc6ee +RuleName = Csc.EXE Execution Form Potentially Suspicious Parent EventType = Process.Start -Tag = proc-start-forfiles.exe-child-process-masquerading +Tag = proc-start-csc.exe-execution-form-potentially-suspicious-parent RiskScore = 75 -Annotation = {"mitre_attack": ["T1036"], "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati"} -Query = (Parent.CommandLine like r"%.exe" or Parent.CommandLine like r"%.exe\"") and Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"/c echo \"%" and not ((Parent.Path like r"%:\\Windows\\System32\\%" or Parent.Path like r"%:\\Windows\\SysWOW64\\%") and Parent.Path like r"%\\forfiles.exe" and (Process.Path like r"%:\\Windows\\System32\\%" or Process.Path like r"%:\\Windows\\SysWOW64\\%") and Process.Path like r"%\\cmd.exe") +Annotation = {"mitre_attack": ["T1059.005", "T1059.007", "T1218.005", "T1027.004"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)"} +Query = (Process.Path like r"%\\csc.exe" or Process.Name == "csc.exe") and (Parent.Path like r"%\\cscript.exe" or 
Parent.Path like r"%\\excel.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\onenote.exe" or Parent.Path like r"%\\outlook.exe" or Parent.Path like r"%\\powerpnt.exe" or Parent.Path like r"%\\winword.exe" or Parent.Path like r"%\\wscript.exe" or (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and (Parent.CommandLine like r"%-Encoded %" or Parent.CommandLine like r"%FromBase64String%") or Parent.CommandLine regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$" or Parent.CommandLine like r"%:\\PerfLogs\\%" or Parent.CommandLine like r"%:\\Users\\Public\\%" or Parent.CommandLine like r"%:\\Windows\\Temp\\%" or Parent.CommandLine like r"%\\Temporary Internet%" or Parent.CommandLine like r"%:\\Users\\%" and Parent.CommandLine like r"%\\Favorites\\%" or Parent.CommandLine like r"%:\\Users\\%" and Parent.CommandLine like r"%\\Favourites\\%" or Parent.CommandLine like r"%:\\Users\\%" and Parent.CommandLine like r"%\\Contacts\\%" or Parent.CommandLine like r"%:\\Users\\%" and Parent.CommandLine like r"%\\Pictures\\%") and not (Parent.Path like r"C:\\Program Files (x86)\\%" or Parent.Path like r"C:\\Program Files\\%" or Parent.Path == "C:\\Windows\\System32\\sdiagnhost.exe" or Parent.Path == "C:\\Windows\\System32\\inetsrv\\w3wp.exe") and not (Parent.Path == "C:\\ProgramData\\chocolatey\\choco.exe" or Parent.CommandLine like r"%\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection%" or Parent.CommandLine like r"%JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw%" or Parent.CommandLine like r"%cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA%" or Parent.CommandLine like 
r"%nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA%") GenericProperty1 = Parent.Path GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects suspicious PowerShell scripts accessing SAM hives -# Author: Florian Roth (Nextron Systems) -RuleId = 1af57a4b-460a-4738-9034-db68b880c665 -RuleName = PowerShell SAM Copy +# The Devtoolslauncher.exe executes other binary +# Author: Beyu Denis, oscd.community (rule), @_felamos (idea) +RuleId = cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6 +RuleName = Devtoolslauncher.exe Executes Specified Binary EventType = Process.Start -Tag = proc-start-powershell-sam-copy +Tag = proc-start-devtoolslauncher.exe-executes-specified-binary RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.002"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%\\HarddiskVolumeShadowCopy%" and Process.CommandLine like r"%System32\\config\\sam%" and (Process.CommandLine like r"%Copy-Item%" or Process.CommandLine like r"%cp $\_.%" or Process.CommandLine like r"%cpi $\_.%" or Process.CommandLine like r"%copy $\_.%" or Process.CommandLine like r"%.File]::Copy(%") +Annotation = {"mitre_attack": ["T1218"], "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)"} +Query = Process.Path like r"%\\devtoolslauncher.exe" and Process.CommandLine like r"%LaunchForDeploy%" [ThreatDetectionRule platform=Windows] -# Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f -RuleName = UEFI Persistence Via Wpbbin - FileCreation +# Detects a phishing attack which expands a ZIP file containing a malicious shortcut. 
+# If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. +# Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation. +# Author: Greg (rule) +RuleId = a6976974-ea6f-4e97-818e-ea08625c52cb +RuleName = Potential RipZip Attack on Startup Folder EventType = File.Create -Tag = uefi-persistence-via-wpbbin-filecreation +Tag = potential-ripzip-attack-on-startup-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1542.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path == "C:\\Windows\\System32\\wpbbin.exe" +Annotation = {"mitre_attack": ["T1547"], "author": "Greg (rule)"} +Query = File.Path like r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup%" and File.Path like r"%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%" and Process.Path like r"%\\explorer.exe" GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data). -# Author: X__Junior (Nextron Systems) -RuleId = 1c526788-0abe-4713-862f-b520da5e5316 -RuleName = Chromium Browser Headless Execution To Mockbin Like Site +# Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. +# Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. 
+# Author: @Kostastsale, Nasreddine Bencherchali (Nextron Systems) +RuleId = b0ce780f-10bd-496d-9067-066d23dc3aa5 +RuleName = HackTool - SharpWSUS/WSUSpendu Execution EventType = Process.Start -Tag = proc-start-chromium-browser-headless-execution-to-mockbin-like-site +Tag = proc-start-hacktool-sharpwsus/wsuspendu-execution RiskScore = 75 -Annotation = {"author": "X__Junior (Nextron Systems)"} -Query = (Process.Path like r"%\\brave.exe" or Process.Path like r"%\\chrome.exe" or Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\opera.exe" or Process.Path like r"%\\vivaldi.exe") and Process.CommandLine like r"%--headless%" and (Process.CommandLine like r"%://run.mocky%" or Process.CommandLine like r"%://mockbin%") +Annotation = {"mitre_attack": ["T1210"], "author": "@Kostastsale, Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"% -Inject %" and (Process.CommandLine like r"% -PayloadArgs %" or Process.CommandLine like r"% -PayloadFile %") or (Process.CommandLine like r"% approve %" or Process.CommandLine like r"% create %" or Process.CommandLine like r"% check %" or Process.CommandLine like r"% delete %") and (Process.CommandLine like r"% /payload:%" or Process.CommandLine like r"% /payload=%" or Process.CommandLine like r"% /updateid:%" or Process.CommandLine like r"% /updateid=%") [ThreatDetectionRule platform=Windows] -# Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. -# Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information. 
-# Author: Nasreddine Bencherchali (Nextron Systems), frack113 -RuleId = 84972c80-251c-4c3a-9079-4f00aad93938 -RuleName = Sensitive File Recovery From Backup Via Wbadmin.EXE -EventType = Process.Start -Tag = proc-start-sensitive-file-recovery-from-backup-via-wbadmin.exe +# Detects registry changes to Office trust records where the path is located in a potentially suspicious location +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd +RuleName = Macro Enabled In A Potentially Suspicious Document +EventType = Reg.Any +Tag = macro-enabled-in-a-potentially-suspicious-document RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.003"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113"} -Query = (Process.Path like r"%\\wbadmin.exe" or Process.Name == "WBADMIN.EXE") and Process.CommandLine like r"% recovery%" and Process.CommandLine like r"%recoveryTarget%" and Process.CommandLine like r"%itemtype:File%" and (Process.CommandLine like r"%\\config\\SAM%" or Process.CommandLine like r"%\\config\\SECURITY%" or Process.CommandLine like r"%\\config\\SYSTEM%" or Process.CommandLine like r"%\\Windows\\NTDS\\NTDS.dit%") +Annotation = {"mitre_attack": ["T1112"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Security\\Trusted Documents\\TrustRecords%" and (Reg.TargetObject like r"%/AppData/Local/Microsoft/Windows/INetCache/%" or Reg.TargetObject like r"%/AppData/Local/Temp/%" or Reg.TargetObject like r"%/PerfLogs/%" or Reg.TargetObject like r"%C:/Users/Public/%" or Reg.TargetObject like r"%file:///D:/%" or Reg.TargetObject like r"%file:///E:/%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros +# Detects tamper attempts to sophos av functionality via registry key modification # Author: Nasreddine Bencherchali (Nextron 
Systems) -RuleId = ab871450-37dc-4a3a-997f-6662aa8ae0f1 -RuleName = Disable Macro Runtime Scan Scope +RuleId = 9f4662ac-17ca-43aa-8f12-5d7b989d0101 +RuleName = Tamper With Sophos AV Registry Keys EventType = Reg.Any -Tag = disable-macro-runtime-scan-scope +Tag = tamper-with-sophos-av-registry-keys RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\%" and Reg.TargetObject like r"%\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Common\\Security%" and Reg.TargetObject like r"%\\MacroRuntimeScanScope" and Reg.Value.Data == "DWORD (0x00000000)" +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Reg.TargetObject like r"%\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled%" or Reg.TargetObject like r"%\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled%" or Reg.TargetObject like r"%\\Sophos\\SAVService\\TamperProtection\\Enabled%") and Reg.Value.Data == "DWORD (0x00000000)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network -# Author: frack113, Florian Roth (Nextron Systems) -RuleId = e31033fc-33f0-4020-9a16-faf9b31cbf08 -RuleName = PUA - Netcat Suspicious Execution -EventType = Process.Start -Tag = proc-start-pua-netcat-suspicious-execution +# Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates. 
+# Author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems) +RuleId = 7892ec59-c5bb-496d-8968-e5d210ca3ac4 +RuleName = DPAPI Backup Keys And Certificate Export Activity IOC +EventType = File.Create +Tag = dpapi-backup-keys-and-certificate-export-activity-ioc RiskScore = 75 -Annotation = {"mitre_attack": ["T1095"], "author": "frack113, Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\nc.exe" or Process.Path like r"%\\ncat.exe" or Process.Path like r"%\\netcat.exe" or Process.CommandLine like r"% -lvp %" or Process.CommandLine like r"% -lvnp%" or Process.CommandLine like r"% -l -v -p %" or Process.CommandLine like r"% -lv -p %" or Process.CommandLine like r"% -l --proxy-type http %" or Process.CommandLine like r"% -vnl --exec %" or Process.CommandLine like r"% -vnl -e %" or Process.CommandLine like r"% --lua-exec %" or Process.CommandLine like r"% --sh-exec %" +Annotation = {"mitre_attack": ["T1555", "T1552.004"], "author": "Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)"} +Query = (File.Path like r"%ntds\_capi\_%" or File.Path like r"%ntds\_legacy\_%" or File.Path like r"%ntds\_unknown\_%") and (File.Path like r"%.cer" or File.Path like r"%.key" or File.Path like r"%.pfx" or File.Path like r"%.pvk") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022. -# Author: @sam0x90 -RuleId = 2f9356ae-bf43-41b8-b858-4496d83b2acb -RuleName = ISO File Created Within Temp Folders -EventType = File.Create -Tag = iso-file-created-within-temp-folders +# Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel. 
+# Author: frack113 +RuleId = 7d9263bd-dc47-4a58-bc92-5474abab390c +RuleName = Change Winevt Channel Access Permission Via Registry +EventType = Reg.Any +Tag = change-winevt-channel-access-permission-via-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1566.001"], "author": "@sam0x90"} -Query = File.Path like r"%\\AppData\\Local\\Temp\\%" and File.Path like r"%.zip\\%" and File.Path like r"%.iso" or File.Path like r"%\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\%" and File.Path like r"%.iso" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1562.002"], "author": "frack113"} +Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\%" and Reg.TargetObject like r"%\\ChannelAccess" and (Reg.Value.Data like r"%(A;;0x1;;;LA)%" or Reg.Value.Data like r"%(A;;0x1;;;SY)%" or Reg.Value.Data like r"%(A;;0x5;;;BA)%") and not (Process.Path == "C:\\Windows\\servicing\\TrustedInstaller.exe" or Process.Path like r"C:\\Windows\\WinSxS\\%" and Process.Path like r"%\\TiWorker.exe") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects suspicious ways to use the "DumpMinitool.exe" binary +# Detects a suspicious process pattern which could be a sign of an exploited Serv-U service # Author: Florian Roth (Nextron Systems) -RuleId = eb1c4225-1c23-4241-8dd4-051389fde4ce -RuleName = Suspicious DumpMinitool Execution +RuleId = 58f4ea09-0fc2-4520-ba18-b85c540b0eaf +RuleName = Suspicious Serv-U Process Pattern EventType = Process.Start -Tag = proc-start-suspicious-dumpminitool-execution +Tag = proc-start-suspicious-serv-u-process-pattern RiskScore = 75 -Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\DumpMinitool.exe" or Process.Path like r"%\\DumpMinitool.x86.exe" or Process.Path like r"%\\DumpMinitool.arm64.exe" or Process.Name in ["DumpMinitool.exe", 
"DumpMinitool.x86.exe", "DumpMinitool.arm64.exe"]) and (not (Process.Path like r"%\\Microsoft Visual Studio\\%" or Process.Path like r"%\\Extensions\\%") or Process.CommandLine like r"%.txt%" or (Process.CommandLine like r"% Full%" or Process.CommandLine like r"% Mini%" or Process.CommandLine like r"% WithHeap%") and not Process.CommandLine like r"%--dumpType%") +Annotation = {"mitre_attack": ["T1555"], "author": "Florian Roth (Nextron Systems)"} +Query = Parent.Path like r"%\\Serv-U.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". 
Which can be used to gather information about the target machine -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 07aa184a-870d-413d-893a-157f317f6f58 -RuleName = Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS +# Detects potential tampering with Windows Defender settings such as adding exclusion using wmic +# Author: frack113 +RuleId = 51cbac1e-eee3-4a90-b1b7-358efb81fa0a +RuleName = Potential Windows Defender Tampering Via Wmic.EXE EventType = Process.Start -Tag = proc-start-suspicious-reconnaissance-activity-via-gathernetworkinfo.vbs +Tag = proc-start-potential-windows-defender-tampering-via-wmic.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1615", "T1059.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%gatherNetworkInfo.vbs%" and not (Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\wscript.exe") +Annotation = {"mitre_attack": ["T1546.008"], "author": "frack113"} +Query = (Process.Name == "wmic.exe" or Process.Path like r"%\\WMIC.exe") and Process.CommandLine like r"%/Namespace:\\\\root\\Microsoft\\Windows\\Defender%" [ThreatDetectionRule platform=Windows] -# Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH% +# Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages. 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 9ed5959a-c43c-4c59-84e3-d28628429456 -RuleName = UAC Bypass Using Iscsicpl - ImageLoad -EventType = Image.Load -Tag = uac-bypass-using-iscsicpl-imageload -RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path == "C:\\Windows\\SysWOW64\\iscsicpl.exe" and Image.Path like r"%\\iscsiexe.dll" and not (Image.Path like r"%C:\\Windows\\%" and Image.Path like r"%iscsiexe.dll%") -GenericProperty1 = Image.Path - - -[ThreatDetectionRule platform=Windows] -# Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories -# Author: Florian Roth (Nextron Systems) -RuleId = 9c5037d1-c568-49b3-88c7-9846a5bdc2be -RuleName = Suspicious Run Key from Download +RuleId = b110ebaf-697f-4da1-afd5-b536fa27a2c1 +RuleName = Potential Signing Bypass Via Windows Developer Features - Registry EventType = Reg.Any -Tag = suspicious-run-key-from-download +Tag = potential-signing-bypass-via-windows-developer-features-registry RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.001"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\Downloads\\%" or Process.Path like r"%\\Temporary Internet Files\\Content.Outlook\\%" or Process.Path like r"%\\Local Settings\\Temporary Internet Files\\%") and Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\%" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock%" or Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows\\Appx\\%") and (Reg.TargetObject like r"%\\AllowAllTrustedApps" or Reg.TargetObject like r"%\\AllowDevelopmentWithoutDevLicense") and Reg.Value.Data == "DWORD (0x00000001)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule 
platform=Windows] -# Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. -# SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project. +# Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode. # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = c7d33b50-f690-4b51-8cfb-0fb912a31e57 -RuleName = HackTool - SharpDPAPI Execution -EventType = Process.Start -Tag = proc-start-hacktool-sharpdpapi-execution +RuleId = d102b8f5-61dc-4e68-bd83-9a3187c67377 +RuleName = Renamed VsCode Code Tunnel Execution - File Indicator +EventType = File.Create +Tag = renamed-vscode-code-tunnel-execution-file-indicator RiskScore = 75 -Annotation = {"mitre_attack": ["T1134.001", "T1134.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\SharpDPAPI.exe" or Process.Name == "SharpDPAPI.exe" or (Process.CommandLine like r"% backupkey %" or Process.CommandLine like r"% blob %" or Process.CommandLine like r"% certificates %" or Process.CommandLine like r"% credentials %" or Process.CommandLine like r"% keepass %" or Process.CommandLine like r"% masterkeys %" or Process.CommandLine like r"% rdg %" or Process.CommandLine like r"% vaults %") and (Process.CommandLine like r"% {%" and Process.CommandLine like r"%}:%" or Process.CommandLine like r"% /file:%" or Process.CommandLine like r"% /machine%" or Process.CommandLine like r"% /mkfile:%" or Process.CommandLine like r"% /password:%" or Process.CommandLine like r"% /pvk:%" or Process.CommandLine like r"% /server:%" or Process.CommandLine like r"% /target:%" or Process.CommandLine like r"% /unprotect%") +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"%\\code\_tunnel.json" and not (Process.Path like r"%\\code-tunnel.exe" or Process.Path like r"%\\code.exe") +GenericProperty1 = 
File.Path [ThreatDetectionRule platform=Windows] -# Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) -# Author: Christian Burkard (Nextron Systems) -RuleId = 41bb431f-56d8-4691-bb56-ed34e390906f -RuleName = UAC Bypass Using MSConfig Token Modification - File +# Detects Octopus Scanner Malware. +# Author: NVISO +RuleId = 805c55d9-31e6-4846-9878-c34c75054fe9 +RuleName = Octopus Scanner Malware EventType = File.Create -Tag = uac-bypass-using-msconfig-token-modification-file +Tag = octopus-scanner-malware RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Christian Burkard (Nextron Systems)"} -Query = File.Path like r"C:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Temp\\pkgmgr.exe" +Annotation = {"mitre_attack": ["T1195", "T1195.001"], "author": "NVISO"} +Query = File.Path like r"%\\AppData\\Local\\Microsoft\\Cache134.dat" or File.Path like r"%\\AppData\\Local\\Microsoft\\ExplorerSync.db" GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = d102b8f5-61dc-4e68-bd83-9a3187c67377 -RuleName = Renamed VsCode Code Tunnel Execution - File Indicator -EventType = File.Create -Tag = renamed-vscode-code-tunnel-execution-file-indicator +# Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. 
+# Author: Wojciech Lesicki +RuleId = 61a7697c-cb79-42a8-a2ff-5f0cdfae0130 +RuleName = Potential CobaltStrike Service Installations - Registry +EventType = Reg.Any +Tag = potential-cobaltstrike-service-installations-registry RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path like r"%\\code\_tunnel.json" and not (Process.Path like r"%\\code-tunnel.exe" or Process.Path like r"%\\code.exe") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1021.002", "T1543.003", "T1569.002"], "author": "Wojciech Lesicki"} +Query = (Reg.TargetObject like r"%\\System\\CurrentControlSet\\Services%" or Reg.TargetObject like r"%\\System\\ControlSet%" and Reg.TargetObject like r"%\\Services%") and (Reg.Value.Data like r"%ADMIN$%" and Reg.Value.Data like r"%.exe%" or Reg.Value.Data like r"%\%COMSPEC\%%" and Reg.Value.Data like r"%start%" and Reg.Value.Data like r"%powershell%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Running Chrome VPN Extensions via the Registry install 2 vpn extension -# Author: frack113 -RuleId = b64a026b-8deb-4c1d-92fd-98893209dff1 -RuleName = Running Chrome VPN Extensions via the Registry 2 VPN Extension +# Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories +# Author: Florian Roth (Nextron Systems) +RuleId = 9c5037d1-c568-49b3-88c7-9846a5bdc2be +RuleName = Suspicious Run Key from Download EventType = Reg.Any -Tag = running-chrome-vpn-extensions-via-the-registry-2-vpn-extension +Tag = suspicious-run-key-from-download RiskScore = 75 -Annotation = {"mitre_attack": ["T1133"], "author": "frack113"} -Query = Reg.TargetObject like r"%Software\\Wow6432Node\\Google\\Chrome\\Extensions%" and Reg.TargetObject like r"%update\_url" and (Reg.TargetObject like r"%fdcgdnkidjaadafnichfpabhfomcebme%" or Reg.TargetObject like 
r"%fcfhplploccackoneaefokcmbjfbkenj%" or Reg.TargetObject like r"%bihmplhobchoageeokmgbdihknkjbknd%" or Reg.TargetObject like r"%gkojfkhlekighikafcpjkiklfbnlmeio%" or Reg.TargetObject like r"%jajilbjjinjmgcibalaakngmkilboobh%" or Reg.TargetObject like r"%gjknjjomckknofjidppipffbpoekiipm%" or Reg.TargetObject like r"%nabbmpekekjknlbkgpodfndbodhijjem%" or Reg.TargetObject like r"%kpiecbcckbofpmkkkdibbllpinceiihk%" or Reg.TargetObject like r"%nlbejmccbhkncgokjcmghpfloaajcffj%" or Reg.TargetObject like r"%omghfjlpggmjjaagoclmmobgdodcjboh%" or Reg.TargetObject like r"%bibjcjfmgapbfoljiojpipaooddpkpai%" or Reg.TargetObject like r"%mpcaainmfjjigeicjnlkdfajbioopjko%" or Reg.TargetObject like r"%jljopmgdobloagejpohpldgkiellmfnc%" or Reg.TargetObject like r"%lochiccbgeohimldjooaakjllnafhaid%" or Reg.TargetObject like r"%nhnfcgpcbfclhfafjlooihdfghaeinfc%" or Reg.TargetObject like r"%ookhnhpkphagefgdiemllfajmkdkcaim%" or Reg.TargetObject like r"%namfblliamklmeodpcelkokjbffgmeoo%" or Reg.TargetObject like r"%nbcojefnccbanplpoffopkoepjmhgdgh%" or Reg.TargetObject like r"%majdfhpaihoncoakbjgbdhglocklcgno%" or Reg.TargetObject like r"%lnfdmdhmfbimhhpaeocncdlhiodoblbd%" or Reg.TargetObject like r"%eppiocemhmnlbhjplcgkofciiegomcon%" or Reg.TargetObject like r"%cocfojppfigjeefejbpfmedgjbpchcng%" or Reg.TargetObject like r"%foiopecknacmiihiocgdjgbjokkpkohc%" or Reg.TargetObject like r"%hhdobjgopfphlmjbmnpglhfcgppchgje%" or Reg.TargetObject like r"%jgbaghohigdbgbolncodkdlpenhcmcge%" or Reg.TargetObject like r"%inligpkjkhbpifecbdjhmdpcfhnlelja%" or Reg.TargetObject like r"%higioemojdadgdbhbbbkfbebbdlfjbip%" or Reg.TargetObject like r"%hipncndjamdcmphkgngojegjblibadbe%" or Reg.TargetObject like r"%iolonopooapdagdemdoaihahlfkncfgg%" or Reg.TargetObject like r"%nhfjkakglbnnpkpldhjmpmmfefifedcj%" or Reg.TargetObject like r"%jpgljfpmoofbmlieejglhonfofmahini%" or Reg.TargetObject like r"%fgddmllnllkalaagkghckoinaemmogpe%" or Reg.TargetObject like r"%ejkaocphofnobjdedneohbbiilggdlbi%" or 
Reg.TargetObject like r"%keodbianoliadkoelloecbhllnpiocoi%" or Reg.TargetObject like r"%hoapmlpnmpaehilehggglehfdlnoegck%" or Reg.TargetObject like r"%poeojclicodamonabcabmapamjkkmnnk%" or Reg.TargetObject like r"%dfkdflfgjdajbhocmfjolpjbebdkcjog%" or Reg.TargetObject like r"%kcdahmgmaagjhocpipbodaokikjkampi%" or Reg.TargetObject like r"%klnkiajpmpkkkgpgbogmcgfjhdoljacg%" or Reg.TargetObject like r"%lneaocagcijjdpkcabeanfpdbmapcjjg%" or Reg.TargetObject like r"%pgfpignfckbloagkfnamnolkeaecfgfh%" or Reg.TargetObject like r"%jplnlifepflhkbkgonidnobkakhmpnmh%" or Reg.TargetObject like r"%jliodmnojccaloajphkingdnpljdhdok%" or Reg.TargetObject like r"%hnmpcagpplmpfojmgmnngilcnanddlhb%" or Reg.TargetObject like r"%ffbkglfijbcbgblgflchnbphjdllaogb%" or Reg.TargetObject like r"%kcndmbbelllkmioekdagahekgimemejo%" or Reg.TargetObject like r"%jdgilggpfmjpbodmhndmhojklgfdlhob%" or Reg.TargetObject like r"%bihhflimonbpcfagfadcnbbdngpopnjb%" or Reg.TargetObject like r"%ppajinakbfocjfnijggfndbdmjggcmde%" or Reg.TargetObject like r"%oofgbpoabipfcfjapgnbbjjaenockbdp%" or Reg.TargetObject like r"%bhnhkdgoefpmekcgnccpnhjfdgicfebm%" or Reg.TargetObject like r"%knmmpciebaoojcpjjoeonlcjacjopcpf%" or Reg.TargetObject like r"%dhadilbmmjiooceioladdphemaliiobo%" or Reg.TargetObject like r"%jedieiamjmoflcknjdjhpieklepfglin%" or Reg.TargetObject like r"%mhngpdlhojliikfknhfaglpnddniijfh%" or Reg.TargetObject like r"%omdakjcmkglenbhjadbccaookpfjihpa%" or Reg.TargetObject like r"%npgimkapccfidfkfoklhpkgmhgfejhbj%" or Reg.TargetObject like r"%akeehkgglkmpapdnanoochpfmeghfdln%" or Reg.TargetObject like r"%gbmdmipapolaohpinhblmcnpmmlgfgje%" or Reg.TargetObject like r"%aigmfoeogfnljhnofglledbhhfegannp%" or Reg.TargetObject like r"%cgojmfochfikphincbhokimmmjenhhgk%" or Reg.TargetObject like r"%ficajfeojakddincjafebjmfiefcmanc%" or Reg.TargetObject like r"%ifnaibldjfdmaipaddffmgcmekjhiloa%" or Reg.TargetObject like r"%jbnmpdkcfkochpanomnkhnafobppmccn%" or Reg.TargetObject like 
r"%apcfdffemoinopelidncddjbhkiblecc%" or Reg.TargetObject like r"%mjolnodfokkkaichkcjipfgblbfgojpa%" or Reg.TargetObject like r"%oifjbnnafapeiknapihcmpeodaeblbkn%" or Reg.TargetObject like r"%plpmggfglncceinmilojdkiijhmajkjh%" or Reg.TargetObject like r"%mjnbclmflcpookeapghfhapeffmpodij%" or Reg.TargetObject like r"%bblcccknbdbplgmdjnnikffefhdlobhp%" or Reg.TargetObject like r"%aojlhgbkmkahabcmcpifbolnoichfeep%" or Reg.TargetObject like r"%lcmammnjlbmlbcaniggmlejfjpjagiia%" or Reg.TargetObject like r"%knajdeaocbpmfghhmijicidfcmdgbdpm%" or Reg.TargetObject like r"%bdlcnpceagnkjnjlbbbcepohejbheilk%" or Reg.TargetObject like r"%edknjdjielmpdlnllkdmaghlbpnmjmgb%" or Reg.TargetObject like r"%eidnihaadmmancegllknfbliaijfmkgo%" or Reg.TargetObject like r"%ckiahbcmlmkpfiijecbpflfahoimklke%" or Reg.TargetObject like r"%macdlemfnignjhclfcfichcdhiomgjjb%" or Reg.TargetObject like r"%chioafkonnhbpajpengbalkececleldf%" or Reg.TargetObject like r"%amnoibeflfphhplmckdbiajkjaoomgnj%" or Reg.TargetObject like r"%llbhddikeonkpbhpncnhialfbpnilcnc%" or Reg.TargetObject like r"%pcienlhnoficegnepejpfiklggkioccm%" or Reg.TargetObject like r"%iocnglnmfkgfedpcemdflhkchokkfeii%" or Reg.TargetObject like r"%igahhbkcppaollcjeaaoapkijbnphfhb%" or Reg.TargetObject like r"%njpmifchgidinihmijhcfpbdmglecdlb%" or Reg.TargetObject like r"%ggackgngljinccllcmbgnpgpllcjepgc%" or Reg.TargetObject like r"%kchocjcihdgkoplngjemhpplmmloanja%" or Reg.TargetObject like r"%bnijmipndnicefcdbhgcjoognndbgkep%" or Reg.TargetObject like r"%lklekjodgannjcccdlbicoamibgbdnmi%" or Reg.TargetObject like r"%dbdbnchagbkhknegmhgikkleoogjcfge%" or Reg.TargetObject like r"%egblhcjfjmbjajhjhpmnlekffgaemgfh%" or Reg.TargetObject like r"%ehbhfpfdkmhcpaehaooegfdflljcnfec%" or Reg.TargetObject like r"%bkkgdjpomdnfemhhkalfkogckjdkcjkg%" or Reg.TargetObject like r"%almalgbpmcfpdaopimbdchdliminoign%" or Reg.TargetObject like r"%akkbkhnikoeojlhiiomohpdnkhbkhieh%" or Reg.TargetObject like r"%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%" or 
Reg.TargetObject like r"%bniikohfmajhdcffljgfeiklcbgffppl%" or Reg.TargetObject like r"%lejgfmmlngaigdmmikblappdafcmkndb%" or Reg.TargetObject like r"%ffhhkmlgedgcliajaedapkdfigdobcif%" or Reg.TargetObject like r"%gcknhkkoolaabfmlnjonogaaifnjlfnp%" or Reg.TargetObject like r"%pooljnboifbodgifngpppfklhifechoe%" or Reg.TargetObject like r"%fjoaledfpmneenckfbpdfhkmimnjocfa%" or Reg.TargetObject like r"%aakchaleigkohafkfjfjbblobjifikek%" or Reg.TargetObject like r"%dpplabbmogkhghncfbfdeeokoefdjegm%" or Reg.TargetObject like r"%padekgcemlokbadohgkifijomclgjgif%" or Reg.TargetObject like r"%bfidboloedlamgdmenmlbipfnccokknp%") +Annotation = {"mitre_attack": ["T1547.001"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\Downloads\\%" or Process.Path like r"%\\Temporary Internet Files\\Content.Outlook\\%" or Process.Path like r"%\\Local Settings\\Temporary Internet Files\\%") and Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\%" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. -# In it's default mode, it builds a self deleting .bat file which executes malicious command. -# The detection rule relies on creation of the malicious bat file (debug.bat by default). -# Author: Subhash Popuri (@pbssubhash) -RuleId = 602a1f13-c640-4d73-b053-be9a2fa58b96 -RuleName = HackTool - Powerup Write Hijack DLL -EventType = File.Create -Tag = hacktool-powerup-write-hijack-dll +# Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence. 
+# Author: Tom Ueltschi (@c_APT_ure), Tim Shelton +RuleId = 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 +RuleName = Uncommon Userinit Child Process +EventType = Process.Start +Tag = proc-start-uncommon-userinit-child-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001"], "author": "Subhash Popuri (@pbssubhash)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and File.Path like r"%.bat" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1037.001"], "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton"} +Query = Parent.Path like r"%\\userinit.exe" and not Process.Path like r"%:\\WINDOWS\\explorer.exe" and not (Process.CommandLine like r"%netlogon.bat%" or Process.CommandLine like r"%UsrLogon.cmd%" or Process.CommandLine == "PowerShell.exe" or Process.Path like r"%:\\Windows\\System32\\proquota.exe" or Process.Path like r"%:\\Windows\\SysWOW64\\proquota.exe" or Process.Path like r"%:\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe" or Process.Path like r"%:\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe" or Process.Path like r"%:\\Program Files (x86)\\Citrix\\System32\\icast.exe" or Process.Path like r"%:\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe" or Process.Path like r"%:\\Program Files\\Citrix\\HDX\\bin\\icast.exe" or Process.Path like r"%:\\Program Files\\Citrix\\System32\\icast.exe" or isnull(Process.Path)) +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects file writes of WMI script event consumer -# Author: Thomas Patzke -RuleId = 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4 -RuleName = WMI Persistence - Script Event Consumer File Write -EventType = File.Create -Tag = wmi-persistence-script-event-consumer-file-write +# Detects the use of CoercedPotato, a tool for privilege escalation +# Author: Florian Roth (Nextron Systems) +RuleId = e8d34729-86a4-4140-adfd-0a29c2106307 +RuleName = HackTool - CoercedPotato Execution +EventType = Process.Start +Tag = 
proc-start-hacktool-coercedpotato-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.003"], "author": "Thomas Patzke"} -Query = Process.Path == "C:\\WINDOWS\\system32\\wbem\\scrcons.exe" +Annotation = {"mitre_attack": ["T1055"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\CoercedPotato.exe" or Process.CommandLine like r"% --exploitId %" or Process.Hashes like r"%IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6%" or Process.Hashes like r"%IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9%" or Process.Hashes like r"%IMPHASH=14C81850A079A87E83D50CA41C709A15%" +GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Detects Octopus Scanner Malware. -# Author: NVISO -RuleId = 805c55d9-31e6-4846-9878-c34c75054fe9 -RuleName = Octopus Scanner Malware -EventType = File.Create -Tag = octopus-scanner-malware +# Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. +# This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. +# It could also be used for anti-analysis purposes by shut downing specific processes. 
+# Author: Luc Génaux +RuleId = b48492dc-c5ef-4572-8dff-32bc241c15c8 +RuleName = Load Of RstrtMgr.DLL By A Suspicious Process +EventType = Image.Load +Tag = load-of-rstrtmgr.dll-by-a-suspicious-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1195", "T1195.001"], "author": "NVISO"} -Query = File.Path like r"%\\AppData\\Local\\Microsoft\\Cache134.dat" or File.Path like r"%\\AppData\\Local\\Microsoft\\ExplorerSync.db" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1486", "T1562.001"], "author": "Luc G\u00e9naux"} +Query = (Image.Path like r"%\\RstrtMgr.dll" or Process.Name == "RstrtMgr.dll") and (Process.Path like r"%:\\Perflogs\\%" or Process.Path like r"%:\\Users\\Public\\%" or Process.Path like r"%\\Temporary Internet%" or Process.Path like r"%:\\Users\\%" and Process.Path like r"%\\Favorites\\%" or Process.Path like r"%:\\Users\\%" and Process.Path like r"%\\Favourites\\%" or Process.Path like r"%:\\Users\\%" and Process.Path like r"%\\Contacts\\%") +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects a suspicious printer driver installation with an empty Manufacturer value +# Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits # Author: Florian Roth (Nextron Systems) -RuleId = e0813366-0407-449a-9869-a2db1119dc41 -RuleName = Suspicious Printer Driver Empty Manufacturer -EventType = Reg.Any -Tag = suspicious-printer-driver-empty-manufacturer +RuleId = d7eb979b-c2b5-4a6f-a3a7-c87ce6763819 +RuleName = Suspicious Control Panel DLL Load +EventType = Process.Start +Tag = proc-start-suspicious-control-panel-dll-load RiskScore = 75 -Annotation = {"mitre_attack": ["T1574"], "author": "Florian Roth (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Control\\Print\\Environments\\Windows x64\\Drivers%" and Reg.TargetObject like r"%\\Manufacturer%" and Reg.Value.Data == "(Empty)" and not (Reg.TargetObject like r"%\\CutePDF Writer v4.0\\%" or Reg.TargetObject like r"%\\VNC 
Printer (PS)\\%" or Reg.TargetObject like r"%\\VNC Printer (UD)\\%" or Reg.TargetObject like r"%\\Version-3\\PDF24\\%") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1218.011"], "author": "Florian Roth (Nextron Systems)"} +Query = Parent.Path like r"%\\System32\\control.exe" and (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and not Process.CommandLine like r"%Shell32.dll%" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects when an internet hosted webdav share is mounted using the "net.exe" utility +# Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 7e6237fe-3ddb-438f-9381-9bf9de5af8d0 -RuleName = Windows Internet Hosted WebDav Share Mount Via Net.EXE +RuleId = 99b7460d-c9f1-40d7-a316-1f36f61d52ee +RuleName = Cscript/Wscript Uncommon Script Extension Execution EventType = Process.Start -Tag = proc-start-windows-internet-hosted-webdav-share-mount-via-net.exe +Tag = proc-start-cscript/wscript-uncommon-script-extension-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1021.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and Process.CommandLine like r"% use %" and Process.CommandLine like r"% http%" +Annotation = {"mitre_attack": ["T1059.005", "T1059.007"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Name in ["wscript.exe", "cscript.exe"] or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe") and (Process.CommandLine like r"%.csv%" or Process.CommandLine like r"%.dat%" or Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like 
r"%.png%" or Process.CommandLine like r"%.ppt%" or Process.CommandLine like r"%.txt%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.xml%") [ThreatDetectionRule platform=Windows] -# Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation. -# Author: frack113 -RuleId = cafeeba3-01da-4ab4-b6c4-a31b1d9730c7 -RuleName = PrintBrm ZIP Creation of Extraction +# Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH% +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 9ed5959a-c43c-4c59-84e3-d28628429456 +RuleName = UAC Bypass Using Iscsicpl - ImageLoad +EventType = Image.Load +Tag = uac-bypass-using-iscsicpl-imageload +RiskScore = 75 +Annotation = {"mitre_attack": ["T1548.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path == "C:\\Windows\\SysWOW64\\iscsicpl.exe" and Image.Path like r"%\\iscsiexe.dll" and not (Image.Path like r"%C:\\Windows\\%" and Image.Path like r"%iscsiexe.dll%") +GenericProperty1 = Image.Path + + +[ThreatDetectionRule platform=Windows] +# Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = f57c58b3-ee69-4ef5-9041-455bf39aaa89 +RuleName = Remote CHM File Download/Execution Via HH.EXE EventType = Process.Start -Tag = proc-start-printbrm-zip-creation-of-extraction +Tag = proc-start-remote-chm-file-download/execution-via-hh.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1105", "T1564.004"], "author": "frack113"} -Query = Process.Path like r"%\\PrintBrm.exe" and Process.CommandLine like r"% -f%" and Process.CommandLine like r"%.zip%" +Annotation = {"mitre_attack": ["T1218.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Name == "HH.exe" or Process.Path like r"%\\hh.exe") and (Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%" or Process.CommandLine like r"%\\\\%") [ThreatDetectionRule platform=Windows] -# Detects the use of IOX - a tool for port forwarding and intranet proxy purposes -# Author: Florian Roth (Nextron Systems) -RuleId = d7654f02-e04b-4934-9838-65c46f187ebc -RuleName = PUA- IOX Tunneling Tool Execution +# Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = f99abdf0-6283-4e71-bd2b-b5c048a94743 +RuleName = Potentially Suspicious Office Document Executed From Trusted Location EventType = Process.Start -Tag = proc-start-pua-iox-tunneling-tool-execution +Tag = proc-start-potentially-suspicious-office-document-executed-from-trusted-location RiskScore = 75 -Annotation = {"mitre_attack": ["T1090"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\iox.exe" or Process.CommandLine like r"%.exe fwd -l %" or Process.CommandLine like r"%.exe fwd -r %" or Process.CommandLine like r"%.exe proxy -l %" or Process.CommandLine like r"%.exe proxy -r %" or Process.Hashes like r"%MD5=9DB2D314DD3F704A02051EF5EA210993%" or Process.Hashes like r"%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%" or Process.Hashes like r"%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%" -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1202"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Parent.Path like r"%\\explorer.exe" or Parent.Path like r"%\\dopus.exe") and (Process.Path like r"%\\EXCEL.EXE" or Process.Path like r"%\\POWERPNT.EXE" or Process.Path like r"%\\WINWORD.exe" or Process.Name in ["Excel.exe", "POWERPNT.EXE", "WinWord.exe"]) and (Process.CommandLine like r"%\\AppData\\Roaming\\Microsoft\\Templates%" or Process.CommandLine like r"%\\AppData\\Roaming\\Microsoft\\Word\\Startup\\%" or Process.CommandLine like r"%\\Microsoft Office\\root\\Templates\\%" or Process.CommandLine like r"%\\Microsoft Office\\Templates\\%") and not (Process.CommandLine like r"%.dotx" or Process.CommandLine like r"%.xltx" or Process.CommandLine like r"%.potx") +GenericProperty1 = Parent.Path + + +[ThreatDetectionRule platform=Windows] +# Detects the image load of vss_ps.dll by uncommon executables +# Author: Markus Neis, @markus_neis +RuleId = 333cdbe8-27bb-4246-bf82-b41a0dca4b70 +RuleName = Suspicious Volume Shadow Copy 
VSS_PS.dll Load +EventType = Image.Load +Tag = suspicious-volume-shadow-copy-vss_ps.dll-load +RiskScore = 75 +Annotation = {"mitre_attack": ["T1490"], "author": "Markus Neis, @markus_neis"} +Query = Image.Path like r"%\\vss\_ps.dll" and not (Process.Path like r"C:\\Windows\\%" and (Process.Path like r"%\\clussvc.exe" or Process.Path like r"%\\dismhost.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\inetsrv\\appcmd.exe" or Process.Path like r"%\\inetsrv\\iissetup.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\searchindexer.exe" or Process.Path like r"%\\srtasks.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\System32\\SystemPropertiesAdvanced.exe" or Process.Path like r"%\\taskhostw.exe" or Process.Path like r"%\\thor.exe" or Process.Path like r"%\\thor64.exe" or Process.Path like r"%\\tiworker.exe" or Process.Path like r"%\\vssvc.exe" or Process.Path like r"%\\WmiPrvSE.exe" or Process.Path like r"%\\wsmprovhost.exe") or Process.Path like r"C:\\Program Files\\%" or Process.Path like r"C:\\Program Files (x86)\\%" or Process.CommandLine like r"C:\\$WinREAgent\\Scratch\\%" and Process.CommandLine like r"%\\dismhost.exe {%" or isnull(Process.Path)) +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 236d8e89-ed95-4789-a982-36f4643738ba -RuleName = Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script +# Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking. 
+# Author: frack113 +RuleId = a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 +RuleName = RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses EventType = Process.Start -Tag = proc-start-suspicious-persistence-via-vmwaretoolboxcmd.exe-vm-state-change-script +Tag = proc-start-remotefxvgpudisablement-abuse-via-atomictestharnesses RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\VMwareToolBoxCmd.exe" or Process.Name == "toolbox-cmd.exe") and Process.CommandLine like r"% script %" and Process.CommandLine like r"% set %" and (Process.CommandLine like r"%:\\PerfLogs\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%") +Annotation = {"mitre_attack": ["T1218"], "author": "frack113"} +Query = Process.CommandLine like r"%Invoke-ATHRemoteFXvGPUDisablementCommand%" or Process.CommandLine like r"%Invoke-ATHRemoteFXvGPUDisableme%" [ThreatDetectionRule platform=Windows] -# Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors -# Author: Florian Roth (Nextron Systems), Microsoft (idea) -RuleId = 043c4b8b-3a54-4780-9682-081cb6b8185c -RuleName = Suspicious IIS Module Registration +# Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation) +# Author: Andreas Hunkeler (@Karneades) +RuleId = 90fb5e62-ca1f-4e22-b42e-cc521874c938 +RuleName = Suspicious Shells Spawn by Java Utility Keytool EventType = Process.Start -Tag = proc-start-suspicious-iis-module-registration +Tag = proc-start-suspicious-shells-spawn-by-java-utility-keytool RiskScore = 75 -Annotation = {"mitre_attack": ["T1505.004"], "author": "Florian Roth (Nextron Systems), Microsoft (idea)"} -Query = Parent.Path like r"%\\w3wp.exe" and (Process.CommandLine like r"%appcmd.exe add module%" or Process.CommandLine like r"% system.enterpriseservices.internal.publish%" and Process.Path like r"%\\powershell.exe" or Process.CommandLine like r"%gacutil%" and Process.CommandLine like r"% /I%") +Annotation = {"author": "Andreas Hunkeler (@Karneades)"} +Query = Parent.Path like r"%\\keytool.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\query.exe") GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the creation of a new Outlook form which can contain malicious code -# Author: Tobias Michalski (Nextron Systems) -RuleId = 
c3edc6a5-d9d4-48d8-930e-aab518390917 -RuleName = Potential Persistence Via Outlook Form +# Detects the creation of a macro file for Outlook. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 117d3d3a-755c-4a61-b23e-9171146d094c +RuleName = Suspicious Outlook Macro Created EventType = File.Create -Tag = potential-persistence-via-outlook-form +Tag = suspicious-outlook-macro-created RiskScore = 75 -Annotation = {"mitre_attack": ["T1137.003"], "author": "Tobias Michalski (Nextron Systems)"} -Query = Process.Path like r"%\\outlook.exe" and (File.Path like r"%\\AppData\\Local\\Microsoft\\FORMS\\IPM%" or File.Path like r"%\\Local Settings\\Application Data\\Microsoft\\Forms%") +Annotation = {"mitre_attack": ["T1137", "T1008", "T1546"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"%\\Microsoft\\Outlook\\VbaProject.OTM" and not Process.Path like r"%\\outlook.exe" GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects using SettingSyncHost.exe to run hijacked binary -# Author: Anton Kutepov, oscd.community -RuleId = b2ddd389-f676-4ac4-845a-e00781a48e5f -RuleName = Using SettingSyncHost.exe as LOLBin -EventType = Process.Start -Tag = proc-start-using-settingsynchost.exe-as-lolbin +# Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials +# Author: Florian Roth (Nextron Systems) +RuleId = c3e76af5-4ce0-4a14-9c9a-25ceb8fda182 +RuleName = WerFault LSASS Process Memory Dump +EventType = File.Create +Tag = werfault-lsass-process-memory-dump RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.008"], "author": "Anton Kutepov, oscd.community"} -Query = not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%") and Parent.CommandLine like r"%cmd.exe /c%" and Parent.CommandLine like r"%RoamDiag.cmd%" and Parent.CommandLine like r"%-outputpath%" -GenericProperty1 = 
Parent.CommandLine +Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path == "C:\\WINDOWS\\system32\\WerFault.exe" and (File.Path like r"%\\lsass%" or File.Path like r"%lsass.exe%") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems -# Author: frack113 -RuleId = b2317cfa-4a47-4ead-b3ff-297438c0bc2d -RuleName = HackTool - SharpView Execution -EventType = Process.Start -Tag = proc-start-hacktool-sharpview-execution +# Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. +# Author: Ensar Şamil, @sblmsrsn, @oscd_initiative +RuleId = e76c8240-d68f-4773-8880-5c6f63595aaf +RuleName = Time Travel Debugging Utility Usage - Image +EventType = Image.Load +Tag = time-travel-debugging-utility-usage-image RiskScore = 75 -Annotation = {"mitre_attack": ["T1049", "T1069.002", "T1482", "T1135", "T1033"], "author": "frack113"} -Query = Process.Name == "SharpView.exe" or Process.Path like r"%\\SharpView.exe" or Process.CommandLine like r"%Add-RemoteConnection%" or Process.CommandLine like r"%Convert-ADName%" or Process.CommandLine like r"%ConvertFrom-SID%" or Process.CommandLine like r"%ConvertFrom-UACValue%" or Process.CommandLine like r"%Convert-SidToName%" or Process.CommandLine like r"%Export-PowerViewCSV%" or Process.CommandLine like r"%Find-DomainObjectPropertyOutlier%" or Process.CommandLine like r"%Find-DomainProcess%" or Process.CommandLine like r"%Find-DomainShare%" or Process.CommandLine like r"%Find-DomainUserEvent%" or Process.CommandLine like r"%Find-DomainUserLocation%" or Process.CommandLine like r"%Find-ForeignGroup%" or Process.CommandLine like r"%Find-ForeignUser%" or Process.CommandLine like r"%Find-GPOComputerAdmin%" or Process.CommandLine like 
r"%Find-GPOLocation%" or Process.CommandLine like r"%Find-Interesting%" or Process.CommandLine like r"%Find-LocalAdminAccess%" or Process.CommandLine like r"%Find-ManagedSecurityGroups%" or Process.CommandLine like r"%Get-CachedRDPConnection%" or Process.CommandLine like r"%Get-DFSshare%" or Process.CommandLine like r"%Get-DomainComputer%" or Process.CommandLine like r"%Get-DomainController%" or Process.CommandLine like r"%Get-DomainDFSShare%" or Process.CommandLine like r"%Get-DomainDNSRecord%" or Process.CommandLine like r"%Get-DomainFileServer%" or Process.CommandLine like r"%Get-DomainForeign%" or Process.CommandLine like r"%Get-DomainGPO%" or Process.CommandLine like r"%Get-DomainGroup%" or Process.CommandLine like r"%Get-DomainGUIDMap%" or Process.CommandLine like r"%Get-DomainManagedSecurityGroup%" or Process.CommandLine like r"%Get-DomainObject%" or Process.CommandLine like r"%Get-DomainOU%" or Process.CommandLine like r"%Get-DomainPolicy%" or Process.CommandLine like r"%Get-DomainSID%" or Process.CommandLine like r"%Get-DomainSite%" or Process.CommandLine like r"%Get-DomainSPNTicket%" or Process.CommandLine like r"%Get-DomainSubnet%" or Process.CommandLine like r"%Get-DomainTrust%" or Process.CommandLine like r"%Get-DomainUserEvent%" or Process.CommandLine like r"%Get-ForestDomain%" or Process.CommandLine like r"%Get-ForestGlobalCatalog%" or Process.CommandLine like r"%Get-ForestTrust%" or Process.CommandLine like r"%Get-GptTmpl%" or Process.CommandLine like r"%Get-GroupsXML%" or Process.CommandLine like r"%Get-LastLoggedOn%" or Process.CommandLine like r"%Get-LoggedOnLocal%" or Process.CommandLine like r"%Get-NetComputer%" or Process.CommandLine like r"%Get-NetDomain%" or Process.CommandLine like r"%Get-NetFileServer%" or Process.CommandLine like r"%Get-NetForest%" or Process.CommandLine like r"%Get-NetGPO%" or Process.CommandLine like r"%Get-NetGroupMember%" or Process.CommandLine like r"%Get-NetLocalGroup%" or Process.CommandLine like 
r"%Get-NetLoggedon%" or Process.CommandLine like r"%Get-NetOU%" or Process.CommandLine like r"%Get-NetProcess%" or Process.CommandLine like r"%Get-NetRDPSession%" or Process.CommandLine like r"%Get-NetSession%" or Process.CommandLine like r"%Get-NetShare%" or Process.CommandLine like r"%Get-NetSite%" or Process.CommandLine like r"%Get-NetSubnet%" or Process.CommandLine like r"%Get-NetUser%" or Process.CommandLine like r"%Get-PathAcl%" or Process.CommandLine like r"%Get-PrincipalContext%" or Process.CommandLine like r"%Get-RegistryMountedDrive%" or Process.CommandLine like r"%Get-RegLoggedOn%" or Process.CommandLine like r"%Get-WMIRegCachedRDPConnection%" or Process.CommandLine like r"%Get-WMIRegLastLoggedOn%" or Process.CommandLine like r"%Get-WMIRegMountedDrive%" or Process.CommandLine like r"%Get-WMIRegProxy%" or Process.CommandLine like r"%Invoke-ACLScanner%" or Process.CommandLine like r"%Invoke-CheckLocalAdminAccess%" or Process.CommandLine like r"%Invoke-Kerberoast%" or Process.CommandLine like r"%Invoke-MapDomainTrust%" or Process.CommandLine like r"%Invoke-RevertToSelf%" or Process.CommandLine like r"%Invoke-Sharefinder%" or Process.CommandLine like r"%Invoke-UserImpersonation%" or Process.CommandLine like r"%Remove-DomainObjectAcl%" or Process.CommandLine like r"%Remove-RemoteConnection%" or Process.CommandLine like r"%Request-SPNTicket%" or Process.CommandLine like r"%Set-DomainObject%" or Process.CommandLine like r"%Test-AdminAccess%" +Annotation = {"mitre_attack": ["T1218", "T1003.001"], "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative"} +Query = Image.Path like r"%\\ttdrecord.dll" or Image.Path like r"%\\ttdwriter.dll" or Image.Path like r"%\\ttdloader.dll" +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation) -# Author: Andreas Hunkeler (@Karneades) -RuleId = 90fb5e62-ca1f-4e22-b42e-cc521874c938 -RuleName = Suspicious Shells Spawn by Java Utility Keytool +# Detects PowerShell execution to set the ACL of a file or a folder +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = bdeb2cff-af74-4094-8426-724dc937f20a +RuleName = PowerShell Script Change Permission Via Set-Acl EventType = Process.Start -Tag = proc-start-suspicious-shells-spawn-by-java-utility-keytool +Tag = proc-start-powershell-script-change-permission-via-set-acl RiskScore = 75 -Annotation = {"author": "Andreas Hunkeler (@Karneades)"} -Query = Parent.Path like r"%\\keytool.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\query.exe") -GenericProperty1 = Parent.Path +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Name in ["PowerShell.EXE", "pwsh.dll"] or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Set-Acl %" and Process.CommandLine like r"%-AclObject %" and Process.CommandLine like r"%-Path %" [ThreatDetectionRule 
platform=Windows] -# Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). -# Might be used by ransomwares during the attack (seen by NotPetya and others). -# Author: Ecco, E.M. Anhaus, oscd.community -RuleId = add64136-62e5-48ea-807e-88638d02df1e -RuleName = Fsutil Suspicious Invocation +# Detects Obfuscated Powershell via use MSHTA in Scripts +# Author: Nikita Nazarov, oscd.community +RuleId = ac20ae82-8758-4f38-958e-b44a3140ca88 +RuleName = Invoke-Obfuscation Via Use MSHTA EventType = Process.Start -Tag = proc-start-fsutil-suspicious-invocation +Tag = proc-start-invoke-obfuscation-via-use-mshta RiskScore = 75 -Annotation = {"mitre_attack": ["T1070", "T1485"], "author": "Ecco, E.M. Anhaus, oscd.community"} -Query = (Process.Path like r"%\\fsutil.exe" or Process.Name == "fsutil.exe") and (Process.CommandLine like r"%deletejournal%" or Process.CommandLine like r"%createjournal%" or Process.CommandLine like r"%setZeroData%") +Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Nikita Nazarov, oscd.community"} +Query = Process.CommandLine like r"%set%" and Process.CommandLine like r"%&&%" and Process.CommandLine like r"%mshta%" and Process.CommandLine like r"%vbscript:createobject%" and Process.CommandLine like r"%.run%" and Process.CommandLine like r"%(window.close)%" [ThreatDetectionRule platform=Windows] -# Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values -# Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport -RuleId = 0d5675be-bc88-4172-86d3-1e96a4476536 -RuleName = Potential Tampering With RDP Related Registry Keys Via Reg.EXE -EventType = Process.Start -Tag = proc-start-potential-tampering-with-rdp-related-registry-keys-via-reg.exe +# Detects the modification of the registry to disable a system restore on the computer +# Author: frack113 +RuleId = 5de03871-5d46-4539-a82d-3aa992a69a83 
+RuleName = Registry Disable System Restore +EventType = Reg.Any +Tag = registry-disable-system-restore RiskScore = 75 -Annotation = {"mitre_attack": ["T1021.001", "T1112"], "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport"} -Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"% add %" and Process.CommandLine like r"%\\CurrentControlSet\\Control\\Terminal Server%" and Process.CommandLine like r"%REG\_DWORD%" and Process.CommandLine like r"% /f%" and (Process.CommandLine like r"%Licensing Core%" and Process.CommandLine like r"%EnableConcurrentSessions%" or Process.CommandLine like r"%WinStations\\RDP-Tcp%" or Process.CommandLine like r"%MaxInstanceCount%" or Process.CommandLine like r"%fEnableWinStation%" or Process.CommandLine like r"%TSUserEnabled%" or Process.CommandLine like r"%TSEnabled%" or Process.CommandLine like r"%TSAppCompat%" or Process.CommandLine like r"%IdleWinStationPoolCount%" or Process.CommandLine like r"%TSAdvertise%" or Process.CommandLine like r"%AllowTSConnections%" or Process.CommandLine like r"%fSingleSessionPerUser%" or Process.CommandLine like r"%fDenyTSConnections%") +Annotation = {"mitre_attack": ["T1490"], "author": "frack113"} +Query = (Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows NT\\SystemRestore%" or Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore%") and (Reg.TargetObject like r"%DisableConfig" or Reg.TargetObject like r"%DisableSR") and Reg.Value.Data == "DWORD (0x00000001)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". -# This technique were seen used by threat actors and ransomware strains in order to evade defenses. 
-# Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 -RuleId = cc36992a-4671-4f21-a91d-6c2b72a2edf5 -RuleName = Suspicious Eventlog Clearing or Configuration Change Activity +# Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity +# Author: Florian Roth (Nextron Systems) +RuleId = b2815d0d-7481-4bf0-9b6c-a4c48a94b349 +RuleName = PowerShell Get-Process LSASS EventType = Process.Start -Tag = proc-start-suspicious-eventlog-clearing-or-configuration-change-activity +Tag = proc-start-powershell-get-process-lsass RiskScore = 75 -Annotation = {"mitre_attack": ["T1070.001", "T1562.002"], "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105"} -Query = (Process.Path like r"%\\wevtutil.exe" and (Process.CommandLine like r"%clear-log %" or Process.CommandLine like r"% cl %" or Process.CommandLine like r"%set-log %" or Process.CommandLine like r"% sl %" or Process.CommandLine like r"%lfn:%") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%Clear-EventLog %" or Process.CommandLine like r"%Remove-EventLog %" or Process.CommandLine like r"%Limit-EventLog %" or Process.CommandLine like r"%Clear-WinEvent %") or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wmic.exe") and Process.CommandLine like r"%ClearEventLog%") and not ((Parent.Path in ["C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"]) and Process.CommandLine like r"% sl %") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1552.004"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%Get-Process lsas%" or Process.CommandLine like r"%ps lsas%" or Process.CommandLine like r"%gps lsas%" [ThreatDetectionRule platform=Windows] -# WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. 
The checks are explained on book.hacktricks.xyz -# Author: Georg Lauenstein (sure[secure]) -RuleId = 98b53e78-ebaf-46f8-be06-421aafd176d9 -RuleName = HackTool - winPEAS Execution +# Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = a95b9b42-1308-4735-a1af-abb1c5e6f5ac +RuleName = Suspicious Service DACL Modification Via Set-Service Cmdlet EventType = Process.Start -Tag = proc-start-hacktool-winpeas-execution +Tag = proc-start-suspicious-service-dacl-modification-via-set-service-cmdlet RiskScore = 75 -Annotation = {"mitre_attack": ["T1082", "T1087", "T1046"], "author": "Georg Lauenstein (sure[secure])"} -Query = Process.Name == "winPEAS.exe" or Process.Path like r"%\\winPEASany\_ofs.exe" or Process.Path like r"%\\winPEASany.exe" or Process.Path like r"%\\winPEASx64\_ofs.exe" or Process.Path like r"%\\winPEASx64.exe" or Process.Path like r"%\\winPEASx86\_ofs.exe" or Process.Path like r"%\\winPEASx86.exe" or Process.CommandLine like r"% applicationsinfo%" or Process.CommandLine like r"% browserinfo%" or Process.CommandLine like r"% eventsinfo%" or Process.CommandLine like r"% fileanalysis%" or Process.CommandLine like r"% filesinfo%" or Process.CommandLine like r"% processinfo%" or Process.CommandLine like r"% servicesinfo%" or Process.CommandLine like r"% windowscreds%" or Process.CommandLine like r"%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%" or Parent.CommandLine like r"% -linpeas" or Process.CommandLine like r"% -linpeas" -GenericProperty1 = Parent.CommandLine +Annotation = {"mitre_attack": ["T1543.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\pwsh.exe" or Process.Name == "pwsh.dll") and (Process.CommandLine like r"%-SecurityDescriptorSddl %" or Process.CommandLine like r"%-sd %") 
and Process.CommandLine like r"%Set-Service %" and Process.CommandLine like r"%D;;%" and (Process.CommandLine like r"%;;;IU%" or Process.CommandLine like r"%;;;SU%" or Process.CommandLine like r"%;;;BA%" or Process.CommandLine like r"%;;;SY%" or Process.CommandLine like r"%;;;WD%") [ThreatDetectionRule platform=Windows] -# Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same -# Author: Florian Roth (Nextron Systems) -RuleId = ca621ba5-54ab-4035-9942-d378e6fcde3c -RuleName = HackTool - HandleKatz LSASS Dumper Execution +# Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) +# Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io +RuleId = 438025f9-5856-4663-83f7-52f878a70a50 +RuleName = Suspicious Microsoft Office Child Process EventType = Process.Start -Tag = proc-start-hacktool-handlekatz-lsass-dumper-execution +Tag = proc-start-suspicious-microsoft-office-child-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\loader.exe" and Process.CommandLine like r"%--pid:%" or Process.Hashes like r"%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%" or Process.Hashes like r"%IMPHASH=0E2216679CA6E1094D63322E3412D650%" or Process.CommandLine like r"%--pid:%" and Process.CommandLine like r"%--outfile:%" and (Process.CommandLine like r"%.dmp%" or Process.CommandLine like r"%lsass%" or Process.CommandLine like r"%.obf%" or Process.CommandLine like r"%dump%") -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1047", "T1204.002", "T1218.010"], "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, 
@scythe_io"} +Query = (Parent.Path like r"%\\EQNEDT32.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\MSACCESS.EXE" or Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\ONENOTE.EXE" or Parent.Path like r"%\\POWERPNT.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\wordpad.exe" or Parent.Path like r"%\\wordview.exe") and (Process.Name in ["bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe"] or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certoc.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\control.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\curl.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\ieexec.exe" or Process.Path like r"%\\installutil.exe" or Process.Path like r"%\\javaw.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\Microsoft.Workflow.Compiler.exe" or Process.Path like r"%\\msbuild.exe" or Process.Path like r"%\\msdt.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msidb.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\msxsl.exe" or Process.Path like r"%\\odbcconf.exe" or Process.Path like r"%\\pcalua.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regasm.exe" or Process.Path like r"%\\regsvcs.exe" or Process.Path 
like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\verclsid.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\workfolders.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\AppData\\%" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\ProgramData\\%" or Process.Path like r"%\\Windows\\Tasks\\%" or Process.Path like r"%\\Windows\\Temp\\%" or Process.Path like r"%\\Windows\\System32\\Tasks\\%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Files with well-known filenames (parts of credential dump software or files produced by them) creation -# Author: Teymur Kheirkhabarov, oscd.community -RuleId = 8fbf3271-1ef6-4e94-8210-03c2317947f6 -RuleName = Cred Dump Tools Dropped Files +# Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes +# Author: pH-T (Nextron Systems) +RuleId = 065cceea-77ec-4030-9052-fc0affea7110 +RuleName = DNS Query for Anonfiles.com Domain - Sysmon +EventType = Dns.Query +Tag = dns-query-for-anonfiles.com-domain-sysmon +RiskScore = 75 +Annotation = {"mitre_attack": ["T1567.002"], "author": "pH-T (Nextron Systems)"} +Query = Dns.QueryRequest like r"%.anonfiles.com%" +GenericProperty1 = Dns.QueryRequest + + +[ThreatDetectionRule platform=Windows] +# Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder +# Author: Florian Roth (Nextron Systems), MSTI (query, idea) +RuleId = bd1212e5-78da-431e-95fa-c58e3237a8e6 +RuleName = Suspicious ASPX File Drop by Exchange EventType = File.Create -Tag = cred-dump-tools-dropped-files +Tag = suspicious-aspx-file-drop-by-exchange RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001", "T1003.002", 
"T1003.003", "T1003.004", "T1003.005"], "author": "Teymur Kheirkhabarov, oscd.community"} -Query = File.Path like r"%\\fgdump-log%" or File.Path like r"%\\kirbi%" or File.Path like r"%\\pwdump%" or File.Path like r"%\\pwhashes%" or File.Path like r"%\\wce\_ccache%" or File.Path like r"%\\wce\_krbtkts%" or File.Path like r"%\\cachedump.exe" or File.Path like r"%\\cachedump64.exe" or File.Path like r"%\\DumpExt.dll" or File.Path like r"%\\DumpSvc.exe" or File.Path like r"%\\Dumpy.exe" or File.Path like r"%\\fgexec.exe" or File.Path like r"%\\lsremora.dll" or File.Path like r"%\\lsremora64.dll" or File.Path like r"%\\NTDS.out" or File.Path like r"%\\procdump64.exe" or File.Path like r"%\\pstgdump.exe" or File.Path like r"%\\pwdump.exe" or File.Path like r"%\\SAM.out" or File.Path like r"%\\SECURITY.out" or File.Path like r"%\\servpw.exe" or File.Path like r"%\\servpw64.exe" or File.Path like r"%\\SYSTEM.out" or File.Path like r"%\\test.pwd" or File.Path like r"%\\wceaux.dll" +Annotation = {"mitre_attack": ["T1505.003"], "author": "Florian Roth (Nextron Systems), MSTI (query, idea)"} +Query = Process.Path like r"%\\w3wp.exe" and Process.CommandLine like r"%MSExchange%" and (File.Path like r"%FrontEnd\\HttpProxy\\%" or File.Path like r"%\\inetpub\\wwwroot\\aspnet\_client\\%") and (File.Path like r"%.aspx" or File.Path like r"%.asp" or File.Path like r"%.ashx") GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. -# This binary can be abused for DLL injection, arbitrary command and process execution. 
-# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 340a090b-c4e9-412e-bb36-b4b16fe96f9b -RuleName = Renamed ZOHO Dctask64 Execution -EventType = Process.Start -Tag = proc-start-renamed-zoho-dctask64-execution +# Detects potential DLL sideloading of "EACore.dll" +# Author: X__Junior (Nextron Systems) +RuleId = edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5 +RuleName = Potential EACore.DLL Sideloading +EventType = Image.Load +Tag = potential-eacore.dll-sideloading RiskScore = 75 -Annotation = {"mitre_attack": ["T1036", "T1055.001", "T1202", "T1218"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Hashes like r"%IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD%" or Process.Hashes like r"%IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA%" or Process.Hashes like r"%IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3%" or Process.Hashes like r"%IMPHASH=F1039CED4B91572AB7847D26032E6BBF%") and not Process.Path like r"%\\dctask64.exe" -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} +Query = Image.Path like r"%\\EACore.dll" and not (Process.Path like r"%C:\\Program Files\\Electronic Arts\\EA Desktop\\%" and Process.Path like r"%\\EACoreServer.exe%" and Image.Path like r"C:\\Program Files\\Electronic Arts\\EA Desktop\\%") +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union) -# Author: frack113 -RuleId = e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e -RuleName = Disable Windows IIS HTTP Logging -EventType = Process.Start -Tag = proc-start-disable-windows-iis-http-logging +# Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. 
+# By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = c420410f-c2d8-4010-856b-dffe21866437 +RuleName = Enable LM Hash Storage +EventType = Reg.Any +Tag = enable-lm-hash-storage RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.002"], "author": "frack113"} -Query = (Process.Path like r"%\\appcmd.exe" or Process.Name == "appcmd.exe") and Process.CommandLine like r"%set%" and Process.CommandLine like r"%config%" and Process.CommandLine like r"%section:httplogging%" and Process.CommandLine like r"%dontLog:true%" +Annotation = {"mitre_attack": ["T1112"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%System\\CurrentControlSet\\Control\\Lsa\\NoLMHash" and Reg.Value.Data == "DWORD (0x00000000)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Execution of ssh.exe to perform data exfiltration and tunneling through RDP -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = f7d7ebd5-a016-46e2-9c54-f9932f2d386d -RuleName = Potential RDP Tunneling Via SSH +# Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet +# Author: Florian Roth (Nextron Systems) +RuleId = bb58aa4a-b80b-415a-a2c0-2f65a4c81009 +RuleName = Suspicious Desktopimgdownldr Command EventType = Process.Start -Tag = proc-start-potential-rdp-tunneling-via-ssh +Tag = proc-start-suspicious-desktopimgdownldr-command RiskScore = 75 -Annotation = {"mitre_attack": ["T1572"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\ssh.exe" and Process.CommandLine like r"%:3389%" +Annotation = {"mitre_attack": ["T1105"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"% /lockscreenurl:%" and not 
(Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.png%") or Process.CommandLine like r"%reg delete%" and Process.CommandLine like r"%\\PersonalizationCSP%" [ThreatDetectionRule platform=Windows] -# Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning -# Author: Markus Neis, @Kostastsale -RuleId = 30edb182-aa75-42c0-b0a9-e998bb29067c -RuleName = Potential AMSI Bypass Via .NET Reflection -EventType = Process.Start -Tag = proc-start-potential-amsi-bypass-via-.net-reflection +# Detects any GAC DLL being loaded by an Office Product +# Author: Antonlovesdnb +RuleId = 90217a70-13fc-48e4-b3db-0d836c5824ac +RuleName = GAC DLL Loaded Via Office Applications +EventType = Image.Load +Tag = gac-dll-loaded-via-office-applications RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Markus Neis, @Kostastsale"} -Query = Process.CommandLine like r"%System.Management.Automation.AmsiUtils%" and Process.CommandLine like r"%amsiInitFailed%" or Process.CommandLine like r"%[Ref].Assembly.GetType%" and Process.CommandLine like r"%SetValue($null,$true)%" and Process.CommandLine like r"%NonPublic,Static%" +Annotation = {"mitre_attack": ["T1204.002"], "author": "Antonlovesdnb"} +Query = (Process.Path like r"%\\excel.exe" or Process.Path like r"%\\mspub.exe" or Process.Path like r"%\\onenote.exe" or Process.Path like r"%\\onenoteim.exe" or Process.Path like r"%\\outlook.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\winword.exe") and Image.Path like r"C:\\Windows\\Microsoft.NET\\assembly\\GAC\_MSIL%" +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 63d1ccc0-2a43-4f4b-9289-361b308991ff -RuleName = Wab/Wabmig 
Unusual Parent Or Child Processes +# Detects AdFind execution with common flags seen used during attacks +# Author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community +RuleId = 9a132afa-654e-11eb-ae93-0242ac130002 +RuleName = PUA - AdFind Suspicious Execution EventType = Process.Start -Tag = proc-start-wab/wabmig-unusual-parent-or-child-processes +Tag = proc-start-pua-adfind-suspicious-execution RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Parent.Path like r"%\\WmiPrvSE.exe" or Parent.Path like r"%\\svchost.exe" or Parent.Path like r"%\\dllhost.exe") and (Process.Path like r"%\\wab.exe" or Process.Path like r"%\\wabmig.exe") or Parent.Path like r"%\\wab.exe" or Parent.Path like r"%\\wabmig.exe" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1018", "T1087.002", "T1482", "T1069.002"], "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community"} +Query = Process.CommandLine like r"%domainlist%" or Process.CommandLine like r"%trustdmp%" or Process.CommandLine like r"%dcmodes%" or Process.CommandLine like r"%adinfo%" or Process.CommandLine like r"% dclist %" or Process.CommandLine like r"%computer\_pwdnotreqd%" or Process.CommandLine like r"%objectcategory=%" or Process.CommandLine like r"%-subnets -f%" or Process.CommandLine like r"%name=\"Domain Admins\"%" or Process.CommandLine like r"%-sc u:%" or Process.CommandLine like r"%domainncs%" or Process.CommandLine like r"%dompol%" or Process.CommandLine like r"% oudmp %" or Process.CommandLine like r"%subnetdmp%" or Process.CommandLine like r"%gpodmp%" or Process.CommandLine like r"%fspdmp%" or Process.CommandLine like r"%users\_noexpire%" or Process.CommandLine like r"%computers\_active%" or Process.CommandLine like r"%computers\_pwdnotreqd%" [ThreatDetectionRule platform=Windows] -# Detect execution of suspicious double extension files in ParentCommandLine -# 
Author: frack113, Nasreddine Bencherchali (Nextron Systems) -RuleId = 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c -RuleName = Suspicious Parent Double Extension File Execution +# Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks +# Author: Florian Roth (Nextron Systems) +RuleId = 534f2ef7-e8a2-4433-816d-c91bccde289b +RuleName = Explorer NOUACCHECK Flag EventType = Process.Start -Tag = proc-start-suspicious-parent-double-extension-file-execution +Tag = proc-start-explorer-nouaccheck-flag RiskScore = 75 -Annotation = {"mitre_attack": ["T1036.007"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"} -Query = Parent.Path like r"%.doc.lnk" or Parent.Path like r"%.docx.lnk" or Parent.Path like r"%.xls.lnk" or Parent.Path like r"%.xlsx.lnk" or Parent.Path like r"%.ppt.lnk" or Parent.Path like r"%.pptx.lnk" or Parent.Path like r"%.rtf.lnk" or Parent.Path like r"%.pdf.lnk" or Parent.Path like r"%.txt.lnk" or Parent.Path like r"%.doc.js" or Parent.Path like r"%.docx.js" or Parent.Path like r"%.xls.js" or Parent.Path like r"%.xlsx.js" or Parent.Path like r"%.ppt.js" or Parent.Path like r"%.pptx.js" or Parent.Path like r"%.rtf.js" or Parent.Path like r"%.pdf.js" or Parent.Path like r"%.txt.js" or Parent.CommandLine like r"%.doc.lnk%" or Parent.CommandLine like r"%.docx.lnk%" or Parent.CommandLine like r"%.xls.lnk%" or Parent.CommandLine like r"%.xlsx.lnk%" or Parent.CommandLine like r"%.ppt.lnk%" or Parent.CommandLine like r"%.pptx.lnk%" or Parent.CommandLine like r"%.rtf.lnk%" or Parent.CommandLine like r"%.pdf.lnk%" or Parent.CommandLine like r"%.txt.lnk%" or Parent.CommandLine like r"%.doc.js%" or Parent.CommandLine like r"%.docx.js%" or Parent.CommandLine like r"%.xls.js%" or Parent.CommandLine like r"%.xlsx.js%" or Parent.CommandLine like r"%.ppt.js%" or Parent.CommandLine like r"%.pptx.js%" or Parent.CommandLine like r"%.rtf.js%" or 
Parent.CommandLine like r"%.pdf.js%" or Parent.CommandLine like r"%.txt.js%" +Annotation = {"mitre_attack": ["T1548.002"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\explorer.exe" and Process.CommandLine like r"%/NOUACCHECK%" and not (Parent.CommandLine == "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" or Parent.Path == "C:\\Windows\\System32\\svchost.exe") GenericProperty1 = Parent.Path GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects Cobalt Strike module/commands accidentally entered in CMD shell -# Author: _pete_0, TheDFIRReport -RuleId = 4f154fb6-27d1-4813-a759-78b93e0b9c48 -RuleName = Operator Bloopers Cobalt Strike Modules +# Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1 +# Author: Florian Roth (Nextron Systems) +RuleId = 7124aebe-4cd7-4ccb-8df0-6d6b93c96795 +RuleName = Suspicious Kernel Dump Using Dtrace EventType = Process.Start -Tag = proc-start-operator-bloopers-cobalt-strike-modules +Tag = proc-start-suspicious-kernel-dump-using-dtrace RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.003"], "author": "_pete_0, TheDFIRReport"} -Query = (Process.Name == "Cmd.Exe" or Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"%Invoke-UserHunter%" or Process.CommandLine like r"%Invoke-ShareFinder%" or Process.CommandLine like r"%Invoke-Kerberoast%" or Process.CommandLine like r"%Invoke-SMBAutoBrute%" or Process.CommandLine like r"%Invoke-Nightmare%" or Process.CommandLine like r"%zerologon%" or Process.CommandLine like r"%av\_query%") +Annotation = {"mitre_attack": ["T1082"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\dtrace.exe" and Process.CommandLine like r"%lkd(0)%" or Process.CommandLine like r"%syscall:::return%" and Process.CommandLine like r"%lkd(%" [ThreatDetectionRule platform=Windows] -# Detects javaw.exe in AppData folder as 
used by Adwind / JRAT -# Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community -RuleId = 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 -RuleName = Adwind RAT / JRAT File Artifact -EventType = File.Create -Tag = adwind-rat-/-jrat-file-artifact +# Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = e6fe26ee-d063-4f5b-b007-39e90aaf50e3 +RuleName = Potential Persistence Via AutodialDLL +EventType = Reg.Any +Tag = potential-persistence-via-autodialdll RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.005", "T1059.007"], "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community"} -Query = File.Path like r"%\\AppData\\Roaming\\Oracle\\bin\\java%" and File.Path like r"%.exe%" or File.Path like r"%\\Retrive%" and File.Path like r"%.vbs%" -GenericProperty1 = File.Path +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Services\\WinSock2\\Parameters\\AutodialDLL%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) 
that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands -# Author: Cian Heasley, Florian Roth (Nextron Systems) -RuleId = f64e5c19-879c-4bae-b471-6d84c8339677 -RuleName = Webshell Tool Reconnaissance Activity +# Detects a tscon.exe start as LOCAL SYSTEM +# Author: Florian Roth (Nextron Systems) +RuleId = 9847f263-4a81-424f-970c-875dab15b79b +RuleName = Suspicious TSCON Start as SYSTEM EventType = Process.Start -Tag = proc-start-webshell-tool-reconnaissance-activity +Tag = proc-start-suspicious-tscon-start-as-system RiskScore = 75 -Annotation = {"mitre_attack": ["T1505.003"], "author": "Cian Heasley, Florian Roth (Nextron Systems)"} -Query = (Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\ws\_tomcatservice.exe" or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%") or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Process.CommandLine like r"%CATALINA\_HOME%" or Process.CommandLine like r"%catalina.jar%")) and (Process.CommandLine like r"%perl --help%" or Process.CommandLine like r"%perl -h%" or Process.CommandLine like r"%python --help%" or Process.CommandLine like r"%python -h%" or Process.CommandLine like r"%python3 --help%" or Process.CommandLine like r"%python3 -h%" or Process.CommandLine like r"%wget --help%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1219"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") and Process.Path like r"%\\tscon.exe" +GenericProperty1 = Process.User [ThreatDetectionRule platform=Windows] -# Detects driver load of the Process Hacker tool -# Author: Florian Roth (Nextron Systems) -RuleId = 
67add051-9ee7-4ad3-93ba-42935615ae8d -RuleName = PUA - Process Hacker Driver Load -EventType = Driver.Load -Tag = pua-process-hacker-driver-load +# Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence +# The entries found under App Paths are used primarily for the following purposes. +# First, to map an application's executable file name to that file's fully qualified path. +# Second, to prepend information to the PATH environment variable on a per-application, per-process basis. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 707e097c-e20f-4f67-8807-1f72ff4500d6 +RuleName = Potential Persistence Via App Paths Default Property +EventType = Reg.Any +Tag = potential-persistence-via-app-paths-default-property RiskScore = 75 -Annotation = {"mitre_attack": ["T1543"], "author": "Florian Roth (Nextron Systems)"} -Query = Image.Path like r"%\\kprocesshacker.sys" or Image.Hashes like r"%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%" or Image.Hashes like r"%IMPHASH=F86759BB4DE4320918615DC06E998A39%" or Image.Hashes like r"%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%" or Image.Hashes like r"%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%" -GenericProperty1 = Image.Path -GenericProperty2 = Image.Hashes +Annotation = {"mitre_attack": ["T1546.012"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths%" and (Reg.TargetObject like r"%(Default)" or Reg.TargetObject like r"%Path") and (Reg.Value.Data like r"%\\Users\\Public%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%\\Windows\\Temp\\%" or Reg.Value.Data like r"%\\Desktop\\%" or Reg.Value.Data like r"%\\Downloads\\%" or Reg.Value.Data like r"%\%temp\%%" or Reg.Value.Data like r"%\%tmp\%%" or Reg.Value.Data like r"%iex%" or Reg.Value.Data like r"%Invoke-%" or Reg.Value.Data like 
r"%rundll32%" or Reg.Value.Data like r"%regsvr32%" or Reg.Value.Data like r"%mshta%" or Reg.Value.Data like r"%cscript%" or Reg.Value.Data like r"%wscript%" or Reg.Value.Data like r"%.bat%" or Reg.Value.Data like r"%.hta%" or Reg.Value.Data like r"%.dll%" or Reg.Value.Data like r"%.ps1%") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects PowerShell scripts to set the ACL to a file in the Windows folder +# Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. +# The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. +# Attackers abuse this utility to install malicious MOF scripts # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 0944e002-e3f6-4eb5-bf69-3a3067b53d73 -RuleName = PowerShell Set-Acl On Windows Folder +RuleId = 1dd05363-104e-4b4a-b963-196a534b03a1 +RuleName = Potential Suspicious Mofcomp Execution EventType = Process.Start -Tag = proc-start-powershell-set-acl-on-windows-folder +Tag = proc-start-potential-suspicious-mofcomp-execution RiskScore = 75 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Name in ["PowerShell.EXE", "pwsh.dll"] or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Set-Acl %" and Process.CommandLine like r"%-AclObject %" and (Process.CommandLine like r"%-Path \"C:\\Windows%" or Process.CommandLine like r"%-Path 'C:\\Windows%" or Process.CommandLine like r"%-Path \%windir\%%" or Process.CommandLine like r"%-Path $env:windir%") and (Process.CommandLine like r"%FullControl%" or Process.CommandLine like r"%Allow%") +Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\mofcomp.exe" 
or Process.Name == "mofcomp.exe") and (Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe" or Parent.Path like r"%\\wsl.exe" or Parent.Path like r"%\\wscript.exe" or Parent.Path like r"%\\cscript.exe" or Process.CommandLine like r"%\\AppData\\Local\\Temp%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\WINDOWS\\Temp\\%" or Process.CommandLine like r"%\%temp\%%" or Process.CommandLine like r"%\%tmp\%%" or Process.CommandLine like r"%\%appdata\%%") and not (Parent.Path == "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and Process.CommandLine like r"%C:\\Windows\\TEMP\\%" and Process.CommandLine like r"%.mof") and not (Process.CommandLine like r"%C:\\Windows\\TEMP\\%" and Process.CommandLine like r"%.mof") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. -# This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. 
+# Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = c6c56ada-612b-42d1-9a29-adad3c5c2c1e -RuleName = Audit Policy Tampering Via NT Resource Kit Auditpol +RuleId = cf2e938e-9a3e-4fe8-a347-411642b28a9f +RuleName = Potential PowerShell Execution Policy Tampering - ProcCreation EventType = Process.Start -Tag = proc-start-audit-policy-tampering-via-nt-resource-kit-auditpol -RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.CommandLine like r"%/logon:none%" or Process.CommandLine like r"%/system:none%" or Process.CommandLine like r"%/sam:none%" or Process.CommandLine like r"%/privilege:none%" or Process.CommandLine like r"%/object:none%" or Process.CommandLine like r"%/process:none%" or Process.CommandLine like r"%/policy:none%" - - -[ThreatDetectionRule platform=Windows] -# Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel). 
-# Author: NVISO -RuleId = 8e1cb247-6cf6-42fa-b440-3f27d57e9936 -RuleName = Potential Persistence Via Microsoft Office Add-In -EventType = File.Create -Tag = potential-persistence-via-microsoft-office-add-in +Tag = proc-start-potential-powershell-execution-policy-tampering-proccreation RiskScore = 75 -Annotation = {"mitre_attack": ["T1137.006"], "author": "NVISO"} -Query = File.Path like r"%\\Microsoft\\Word\\Startup\\%" and File.Path like r"%.wll" or File.Path like r"%\\Microsoft\\Excel\\Startup\\%" and File.Path like r"%.xll" or File.Path like r"%Microsoft\\Excel\\XLSTART\\%" and File.Path like r"%.xlam" or File.Path like r"%\\Microsoft\\Addins\\%" and (File.Path like r"%.xlam" or File.Path like r"%.xla" or File.Path like r"%.ppam") -GenericProperty1 = File.Path +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.CommandLine like r"%\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy%" or Process.CommandLine like r"%\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy%") and (Process.CommandLine like r"%Bypass%" or Process.CommandLine like r"%RemoteSigned%" or Process.CommandLine like r"%Unrestricted%") [ThreatDetectionRule platform=Windows] -# Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel -# Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati -RuleId = 8b7273a4-ba5d-4d8a-b04f-11f2900d043a -RuleName = Hypervisor Enforced Code Integrity Disabled +# Detects the creation of user-specific or system-wide environment variables via the registry. 
Which contains suspicious commands and strings +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 966315ef-c5e1-4767-ba25-fce9c8de3660 +RuleName = Suspicious Environment Variable Has Been Registered EventType = Reg.Any -Tag = hypervisor-enforced-code-integrity-disabled +Tag = suspicious-environment-variable-has-been-registered RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems), Anish Bogati"} -Query = (Reg.TargetObject like r"%\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or Reg.TargetObject like r"%\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or Reg.TargetObject like r"%\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled") and Reg.Value.Data == "DWORD (0x00000000)" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Environment\\%" and (Reg.Value.Data in ["powershell", "pwsh"] or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%C:\\Users\\Public\\%" or Reg.Value.Data like r"%TVqQAAMAAAAEAAAA%" or Reg.Value.Data like r"%TVpQAAIAAAAEAA8A%" or Reg.Value.Data like r"%TVqAAAEAAAAEABAA%" or Reg.Value.Data like r"%TVoAAAAAAAAAAAAA%" or Reg.Value.Data like r"%TVpTAQEAAAAEAAAA%" or Reg.Value.Data like r"%SW52b2tlL%" or Reg.Value.Data like r"%ludm9rZS%" or Reg.Value.Data like r"%JbnZva2Ut%" or Reg.Value.Data like r"%SQBuAHYAbwBrAGUALQ%" or Reg.Value.Data like r"%kAbgB2AG8AawBlAC0A%" or Reg.Value.Data like r"%JAG4AdgBvAGsAZQAtA%" or Reg.Value.Data like r"SUVY%" or Reg.Value.Data like r"SQBFAF%" or Reg.Value.Data like r"SQBuAH%" or Reg.Value.Data like r"cwBhA%" or Reg.Value.Data like r"aWV4%" or Reg.Value.Data like r"aQBlA%" or Reg.Value.Data like r"R2V0%" or Reg.Value.Data like r"dmFy%" or Reg.Value.Data like r"dgBhA%" or Reg.Value.Data like r"dXNpbm%" or Reg.Value.Data like r"H4sIA%" or Reg.Value.Data like r"Y21k%" or Reg.Value.Data like r"cABhAH%" or 
Reg.Value.Data like r"Qzpc%" or Reg.Value.Data like r"Yzpc%") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 9313dc13-d04c-46d8-af4a-a930cc55d93b -RuleName = Potential DLL Sideloading Via VMware Xfer -EventType = Image.Load -Tag = potential-dll-sideloading-via-vmware-xfer +# Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys. +# Author: Eli Salem, Sander Wiebing, oscd.community +RuleId = 77946e79-97f1-45a2-84b4-f37b5c0d8682 +RuleName = Suspicious Registry Modification From ADS Via Regini.EXE +EventType = Process.Start +Tag = proc-start-suspicious-registry-modification-from-ads-via-regini.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\VMwareXferlogs.exe" and Image.Path like r"%\\glib-2.0.dll" and not Image.Path like r"C:\\Program Files\\VMware\\%" -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1112"], "author": "Eli Salem, Sander Wiebing, oscd.community"} +Query = (Process.Path like r"%\\regini.exe" or Process.Name == "REGINI.EXE") and Process.CommandLine regex ":[^ \\\\]" [ThreatDetectionRule platform=Windows] -# Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager. -# Author: Swachchhanda Shrawan Poudel -RuleId = 69ca12af-119d-44ed-b50f-a47af0ebc364 -RuleName = LSASS Process Memory Dump Creation Via Taskmgr.EXE -EventType = File.Create -Tag = lsass-process-memory-dump-creation-via-taskmgr.exe +# Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = a7664b14-75fb-4a50-a223-cb9bc0afbacf +RuleName = HackTool - RemoteKrbRelay Execution +EventType = Process.Start +Tag = proc-start-hacktool-remotekrbrelay-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Swachchhanda Shrawan Poudel"} -Query = (Process.Path like r"%:\\Windows\\system32\\taskmgr.exe" or Process.Path like r"%:\\Windows\\SysWOW64\\taskmgr.exe") and File.Path like r"%\\AppData\\Local\\Temp\\%" and File.Path like r"%\\lsass%" and File.Path like r"%.DMP%" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1558.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\RemoteKrbRelay.exe" or Process.Name == "RemoteKrbRelay.exe" or Process.CommandLine like r"% -clsid %" and Process.CommandLine like r"% -target %" and Process.CommandLine like r"% -victim %" or Process.CommandLine like r"%-rbcd %" and (Process.CommandLine like r"%-cn %" or Process.CommandLine like r"%--computername %") or Process.CommandLine like r"%-chp %" and Process.CommandLine like r"%-chpPass %" and Process.CommandLine like r"%-chpUser %" or Process.CommandLine like r"%-addgroupmember %" and Process.CommandLine like r"%-group %" and Process.CommandLine like r"%-groupuser %" or Process.CommandLine like r"%-smb %" and Process.CommandLine like r"%--smbkeyword %" and (Process.CommandLine like r"%interactive%" or Process.CommandLine like r"%secrets%" or Process.CommandLine like r"%service-add%") [ThreatDetectionRule platform=Windows] -# Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration. 
-# Author: Florian Roth (Nextron Systems) -RuleId = 3a8da4e0-36c1-40d2-8b29-b3e890d5172a -RuleName = NTDS Exfiltration Filename Patterns -EventType = File.Create -Tag = ntds-exfiltration-filename-patterns +# Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus +# Author: X__Junior (Nextron Systems) +RuleId = 24b6cf51-6122-469e-861a-22974e9c1e5b +RuleName = Potential SmadHook.DLL Sideloading +EventType = Image.Load +Tag = potential-smadhook.dll-sideloading RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.003"], "author": "Florian Roth (Nextron Systems)"} -Query = File.Path like r"%\\All.cab" or File.Path like r"%.ntds.cleartext" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} +Query = (Image.Path like r"%\\SmadHook32c.dll" or Image.Path like r"%\\SmadHook64c.dll") and not ((Process.Path in ["C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe"]) and (Image.Path like r"C:\\Program Files (x86)\\SMADAV\\%" or Image.Path like r"C:\\Program Files\\SMADAV\\%")) +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag -# Author: frack113, Florian Roth -RuleId = e6474a1b-5390-49cd-ab41-8d88655f7394 -RuleName = Renamed Mavinject.EXE Execution +# Detects attackers using tooling with bad opsec defaults. +# E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. 
+# One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples. +# Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) +RuleId = a7c3d773-caef-227e-a7e7-c2f13c622329 +RuleName = Bad Opsec Defaults Sacrificial Processes With Improper Arguments EventType = Process.Start -Tag = proc-start-renamed-mavinject.exe-execution +Tag = proc-start-bad-opsec-defaults-sacrificial-processes-with-improper-arguments RiskScore = 75 -Annotation = {"mitre_attack": ["T1055.001", "T1218.013"], "author": "frack113, Florian Roth"} -Query = (Process.Name in ["mavinject32.exe", "mavinject64.exe"]) and not (Process.Path like r"%\\mavinject32.exe" or Process.Path like r"%\\mavinject64.exe") +Annotation = {"mitre_attack": ["T1218.011"], "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)"} +Query = (Process.Path like r"%\\WerFault.exe" and Process.CommandLine like r"%WerFault.exe" or Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%rundll32.exe" or Process.Path like r"%\\regsvcs.exe" and Process.CommandLine like r"%regsvcs.exe" or Process.Path like r"%\\regasm.exe" and Process.CommandLine like r"%regasm.exe" or Process.Path like r"%\\regsvr32.exe" and Process.CommandLine like r"%regsvr32.exe") and not (Parent.Path like r"%\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{%" and Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%rundll32.exe" or (Parent.Path like r"%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\%" or Parent.Path like r"%\\AppData\\Local\\Google\\Chrome\\Application\\%") and Parent.Path like r"%\\Installer\\setup.exe" and Parent.CommandLine like r"%--uninstall %" and Process.Path like r"%\\rundll32.exe" and 
Process.CommandLine like r"%rundll32.exe") +GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects Obfuscated Powershell via Stdin in Scripts -# Author: Nikita Nazarov, oscd.community -RuleId = 9c14c9fa-1a63-4a64-8e57-d19280559490 -RuleName = Invoke-Obfuscation Via Stdin +# Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = ea011323-7045-460b-b2d7-0f7442ea6b38 +RuleName = Potential PsExec Remote Execution EventType = Process.Start -Tag = proc-start-invoke-obfuscation-via-stdin +Tag = proc-start-potential-psexec-remote-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Nikita Nazarov, oscd.community"} -Query = Process.CommandLine regex "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"" +Annotation = {"mitre_attack": ["T1587.001"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%accepteula%" and Process.CommandLine like r"% -u %" and Process.CommandLine like r"% -p %" and Process.CommandLine like r"% \\\\%" [ThreatDetectionRule platform=Windows] -# Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location -# Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -RuleId = 829a3bdf-34da-4051-9cf4-8ed221a8ae4f -RuleName = Microsoft Office DLL Sideload -EventType = Image.Load -Tag = microsoft-office-dll-sideload +# Detects a suspicious child process of a Microsoft HTML Help (HH.exe) +# Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) +RuleId = 52cad028-0ff0-4854-8f67-d25dfcbc78b4 +RuleName = HTML Help HH.EXE Suspicious Child Process +EventType = Process.Start +Tag = proc-start-html-help-hh.exe-suspicious-child-process 
RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)"} -Query = Image.Path like r"%\\outllib.dll" and not (Image.Path like r"C:\\Program Files\\Microsoft Office\\OFFICE%" or Image.Path like r"C:\\Program Files (x86)\\Microsoft Office\\OFFICE%" or Image.Path like r"C:\\Program Files\\Microsoft Office\\Root\\OFFICE%" or Image.Path like r"C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE%") -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1047", "T1059.001", "T1059.003", "T1059.005", "T1059.007", "T1218", "T1218.001", "T1218.010", "T1218.011", "T1566", "T1566.001"], "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)"} +Query = Parent.Path like r"%\\hh.exe" and (Process.Path like r"%\\CertReq.exe" or Process.Path like r"%\\CertUtil.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\installutil.exe" or Process.Path like r"%\\MSbuild.exe" or Process.Path like r"%\\MSHTA.EXE" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects execution of regsvr32 where the DLL is located in a highly suspicious locations +# Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users. 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 327ff235-94eb-4f06-b9de-aaee571324be -RuleName = Regsvr32 Execution From Highly Suspicious Location +RuleId = 220457c1-1c9f-4c2e-afe6-9598926222c1 +RuleName = Delete All Scheduled Tasks EventType = Process.Start -Tag = proc-start-regsvr32-execution-from-highly-suspicious-location +Tag = proc-start-delete-all-scheduled-tasks RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.010"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\regsvr32.exe" or Process.Name == "REGSVR32.EXE") and (Process.CommandLine like r"%:\\PerfLogs\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%\\Windows\\Registration\\CRMLog%" or Process.CommandLine like r"%\\Windows\\System32\\com\\dmp\\%" or Process.CommandLine like r"%\\Windows\\System32\\FxsTmp\\%" or Process.CommandLine like r"%\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\%" or Process.CommandLine like r"%\\Windows\\System32\\spool\\drivers\\color\\%" or Process.CommandLine like r"%\\Windows\\System32\\spool\\PRINTERS\\%" or Process.CommandLine like r"%\\Windows\\System32\\spool\\SERVERS\\%" or Process.CommandLine like r"%\\Windows\\System32\\Tasks\_Migrated\\%" or Process.CommandLine like r"%\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Process.CommandLine like r"%\\Windows\\SysWOW64\\com\\dmp\\%" or Process.CommandLine like r"%\\Windows\\SysWOW64\\FxsTmp\\%" or Process.CommandLine like r"%\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\%" or Process.CommandLine like r"%\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Process.CommandLine like r"%\\Windows\\Tasks\\%" or Process.CommandLine like r"%\\Windows\\Tracing\\%" or (Process.CommandLine like r"% \"C:\\%" or Process.CommandLine like r"% C:\\%" or Process.CommandLine like r"% 'C:\\%" or Process.CommandLine like r"%D:\\%") and not (Process.CommandLine like r"%C:\\Program Files (x86)\\%" 
or Process.CommandLine like r"%C:\\Program Files\\%" or Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\Users\\%" or Process.CommandLine like r"% C:\\Windows\\%" or Process.CommandLine like r"% \"C:\\Windows\\%" or Process.CommandLine like r"% 'C:\\Windows\\%")) and not (Process.CommandLine == "" or isnull(Process.CommandLine)) +Annotation = {"mitre_attack": ["T1489"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /delete %" and Process.CommandLine like r"%/tn *%" and Process.CommandLine like r"% /f%" [ThreatDetectionRule platform=Windows] -# Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags -# Author: Florian Roth (Nextron Systems) -RuleId = 52d097e2-063e-4c9c-8fbb-855c8948d135 -RuleName = Suspicious Windows Update Agent Empty Cmdline +# Detects the PowerShell command lines with special characters +# Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) +RuleId = d7bcd677-645d-4691-a8d4-7a5602b780d1 +RuleName = Potential PowerShell Command Line Obfuscation EventType = Process.Start -Tag = proc-start-suspicious-windows-update-agent-empty-cmdline +Tag = proc-start-potential-powershell-command-line-obfuscation RiskScore = 75 -Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\Wuauclt.exe" or Process.Name == "Wuauclt.exe") and (Process.CommandLine like r"%Wuauclt" or Process.CommandLine like r"%Wuauclt.exe") +Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine regex 
"\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+" or Process.CommandLine regex "\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{" or Process.CommandLine regex "\\^.*\\^.*\\^.*\\^.*\\^" or Process.CommandLine regex "`.*`.*`.*`.*`") and not (Parent.Path == "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe" or Process.CommandLine like r"%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%" or Process.CommandLine like r"%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects renamed vmnat.exe or portable version that can be used for DLL side-loading -# Author: elhoim -RuleId = 7b4f794b-590a-4ad4-ba18-7964a2832205 -RuleName = Renamed Vmnat.exe Execution -EventType = Process.Start -Tag = proc-start-renamed-vmnat.exe-execution +# Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any +# anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json +# Author: frack113 +RuleId = 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d +RuleName = Lolbas OneDriveStandaloneUpdater.exe Proxy Download +EventType = Reg.Any +Tag = lolbas-onedrivestandaloneupdater.exe-proxy-download RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002"], "author": "elhoim"} -Query = Process.Name == "vmnat.exe" and not Process.Path like r"%vmnat.exe" +Annotation = {"mitre_attack": ["T1105"], "author": "frack113"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. 
-# Author: Wojciech Lesicki -RuleId = 61a7697c-cb79-42a8-a2ff-5f0cdfae0130 -RuleName = Potential CobaltStrike Service Installations - Registry -EventType = Reg.Any -Tag = potential-cobaltstrike-service-installations-registry +# Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 +RuleName = Potential Credential Dumping Attempt Using New NetworkProvider - CLI +EventType = Process.Start +Tag = proc-start-potential-credential-dumping-attempt-using-new-networkprovider-cli RiskScore = 75 -Annotation = {"mitre_attack": ["T1021.002", "T1543.003", "T1569.002"], "author": "Wojciech Lesicki"} -Query = (Reg.TargetObject like r"%\\System\\CurrentControlSet\\Services%" or Reg.TargetObject like r"%\\System\\ControlSet%" and Reg.TargetObject like r"%\\Services%") and (Reg.Value.Data like r"%ADMIN$%" and Reg.Value.Data like r"%.exe%" or Reg.Value.Data like r"%\%COMSPEC\%%" and Reg.Value.Data like r"%start%" and Reg.Value.Data like r"%powershell%") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%\\System\\CurrentControlSet\\Services\\%" and Process.CommandLine like r"%\\NetworkProvider%" [ThreatDetectionRule platform=Windows] -# Detect DLL deletions from Spooler Service driver folder. 
This might be a potential exploitation attempt of CVE-2021-1675 -# Author: Bhabesh Raj -RuleId = 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf -RuleName = Potential PrintNightmare Exploitation Attempt -EventType = File.Delete -Tag = potential-printnightmare-exploitation-attempt +# Detects a driver load from a temporary directory +# Author: Florian Roth (Nextron Systems) +RuleId = 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 +RuleName = Driver Load From A Temporary Directory +EventType = Driver.Load +Tag = driver-load-from-a-temporary-directory RiskScore = 75 -Annotation = {"mitre_attack": ["T1574"], "author": "Bhabesh Raj"} -Query = Process.Path like r"%\\spoolsv.exe" and File.Path like r"%C:\\Windows\\System32\\spool\\drivers\\x64\\3\\%" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1543.003"], "author": "Florian Roth (Nextron Systems)"} +Query = Image.Path like r"%\\Temp\\%" +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility -# Author: Alexander Rausch -RuleId = 95022b85-ff2a-49fa-939a-d7b8f56eeb9b -RuleName = HackTool - RedMimicry Winnti Playbook Execution -EventType = Process.Start -Tag = proc-start-hacktool-redmimicry-winnti-playbook-execution +# Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location. 
+# Author: X__Junior (Nextron Systems) +RuleId = 0e0bc253-07ed-43f1-816d-e1b220fe8971 +RuleName = Potential RjvPlatform.DLL Sideloading From Non-Default Location +EventType = Image.Load +Tag = potential-rjvplatform.dll-sideloading-from-non-default-location RiskScore = 75 -Annotation = {"mitre_attack": ["T1106", "T1059.003", "T1218.011"], "author": "Alexander Rausch"} -Query = (Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"%gthread-3.6.dll%" or Process.CommandLine like r"%\\Windows\\Temp\\tmp.bat%" or Process.CommandLine like r"%sigcmm-2.4.dll%") +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} +Query = Image.Path like r"%\\RjvPlatform.dll" and Process.Path == "\\SystemResetPlatform.exe" and not Process.Path like r"C:\\Windows\\System32\\SystemResetPlatform\\%" +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects scheduled task creations that have suspicious action command and folder combinations +# Detects suspicious parent processes that should not have any children or should only have a single possible child program # Author: Florian Roth (Nextron Systems) -RuleId = 8a8379b8-780b-4dbf-b1e9-31c8d112fefb -RuleName = Schtasks From Suspicious Folders +RuleId = cbec226f-63d9-4eca-9f52-dfb6652f24df +RuleName = Suspicious Process Parents EventType = Process.Start -Tag = proc-start-schtasks-from-suspicious-folders +Tag = proc-start-suspicious-process-parents RiskScore = 75 -Annotation = {"mitre_attack": ["T1053.005"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\schtasks.exe" or Process.Name == "schtasks.exe") and Process.CommandLine like r"% /create %" and (Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%pwsh%" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd /k %" or Process.CommandLine like r"%cmd /r %" or Process.CommandLine like r"%cmd.exe /c %" or 
Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd.exe /r %") and (Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%\%ProgramData\%%") +Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems)"} +Query = Parent.Path like r"%\\minesweeper.exe" or Parent.Path like r"%\\winver.exe" or Parent.Path like r"%\\bitsadmin.exe" or (Parent.Path like r"%\\csrss.exe" or Parent.Path like r"%\\certutil.exe" or Parent.Path like r"%\\eventvwr.exe" or Parent.Path like r"%\\calc.exe" or Parent.Path like r"%\\notepad.exe") and not (Process.Path like r"%\\WerFault.exe" or Process.Path like r"%\\wermgr.exe" or Process.Path like r"%\\conhost.exe" or Process.Path like r"%\\mmc.exe" or Process.Path like r"%\\win32calc.exe" or Process.Path like r"%\\notepad.exe" or isnull(Process.Path)) +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the deletion of registry keys containing the MSTSC connection history -# Author: Christian Burkard (Nextron Systems) -RuleId = 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d -RuleName = Terminal Server Client Connection History Cleared - Registry -EventType = Reg.Any -Tag = terminal-server-client-connection-history-cleared-registry +# Detects loading of known malicious drivers via their hash. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 05296024-fe8a-4baf-8f3d-9a5f5624ceb2 +RuleName = Malicious Driver Load +EventType = Driver.Load +Tag = malicious-driver-load RiskScore = 75 -Annotation = {"mitre_attack": ["T1070", "T1112"], "author": "Christian Burkard (Nextron Systems)"} -Query = Reg.EventType == "DeleteValue" and Reg.TargetObject like r"%\\Microsoft\\Terminal Server Client\\Default\\MRU%" or Reg.EventType == "DeleteKey" and Reg.TargetObject like r"%\\Microsoft\\Terminal Server Client\\Servers\\%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.EventType +Annotation = {"mitre_attack": ["T1543.003", "T1068"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Image.Hashes like r"%MD5=5be61a24f50eb4c94d98b8a82ef58dcf%" or Image.Hashes like r"%MD5=d70a80fc73dd43469934a7b1cc623c76%" or Image.Hashes like r"%MD5=3b71eab204a5f7ed77811e41fed73105%" or Image.Hashes like r"%MD5=528ce5ce19eb34f401ef024de7ddf222%" or Image.Hashes like r"%MD5=ae548418b491cd3f31618eb9e5730973%" or Image.Hashes like r"%MD5=72f53f55898548767e0276c472be41e8%" or Image.Hashes like r"%MD5=508faa4647f305a97ed7167abc4d1330%" or Image.Hashes like r"%MD5=ed2b653d55c03f0bffa250372d682b75%" or Image.Hashes like r"%MD5=0d2ba47286f1c68e87622b3a16bf9d92%" or Image.Hashes like r"%MD5=3164bd6c12dd0fe1bdf3b833d56323b9%" or Image.Hashes like r"%MD5=70fd7209ce5c013a1f9e699b5cc86cdc%" or Image.Hashes like r"%MD5=c71be7b112059d2dc84c0f952e04e6cc%" or Image.Hashes like r"%MD5=acac842a46f3501fe407b1db1b247a0b%" or Image.Hashes like r"%MD5=01c2e4d8234258451083d6ce4e8910b7%" or Image.Hashes like r"%MD5=c8541a9cef64589593e999968a0385b9%" or Image.Hashes like r"%MD5=e172a38ade3aa0a2bc1bf9604a54a3b5%" or Image.Hashes like r"%MD5=6fcf56f6ca3210ec397e55f727353c4a%" or Image.Hashes like r"%MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16%" or Image.Hashes like r"%MD5=07056573d464b0f5284f7e3acedd4a3f%" or Image.Hashes like r"%MD5=c7b7f1edb9bbef174e6506885561d85d%" 
or Image.Hashes like r"%MD5=d5918d735a23f746f0e83f724c4f26e5%" or Image.Hashes like r"%MD5=84763d8ca9fe5c3bff9667b2adf667de%" or Image.Hashes like r"%MD5=fb593b1f1f80d20fc7f4b818065c64b6%" or Image.Hashes like r"%MD5=909f3fc221acbe999483c87d9ead024a%" or Image.Hashes like r"%MD5=e29f6311ae87542b3d693c1f38e4e3ad%" or Image.Hashes like r"%MD5=aeb0801f22d71c7494e884d914446751%" or Image.Hashes like r"%MD5=3f11a94f1ac5efdd19767c6976da9ba4%" or Image.Hashes like r"%MD5=be6318413160e589080df02bb3ca6e6a%" or Image.Hashes like r"%MD5=0b311af53d2f4f77d30f1aed709db257%" or Image.Hashes like r"%MD5=d075d56dfce6b9b13484152b1ef40f93%" or Image.Hashes like r"%MD5=27384ec4c634701012a2962c30badad2%" or Image.Hashes like r"%MD5=5eb2c576597dd21a6b44557c237cf896%" or Image.Hashes like r"%MD5=f56db4eba3829c0918413b5c0b42f00f%" or Image.Hashes like r"%MD5=e27b2486aa5c256b662812b465b6036c%" or Image.Hashes like r"%MD5=db86dfd7aefbb5be6728a63461b0f5f3%" or Image.Hashes like r"%MD5=04a88f5974caa621cee18f34300fc08a%" or Image.Hashes like r"%MD5=5129d8fd53d6a4aba81657ab2aa5d243%" or Image.Hashes like r"%MD5=cd2c641788d5d125c316ed739c69bb59%" or Image.Hashes like r"%MD5=7073cd0085fcba1cd7d3568f9e6d652c%" or Image.Hashes like r"%MD5=24f0f2b4b3cdae11de1b81c537df41c7%" or Image.Hashes like r"%MD5=88bea56ae9257b40063785cf47546024%" or Image.Hashes like r"%MD5=63060b756377fce2ce4ab9d079ca732f%" or Image.Hashes like r"%MD5=50b39072d0ee9af5ef4824eca34be6e3%" or Image.Hashes like r"%MD5=57c18a8f5d1ba6d015e4d5bc698e3624%" or Image.Hashes like r"%MD5=7d26985a5048bad57d9c223362f3d55c%" or Image.Hashes like r"%MD5=ba54a0dbe2685e66e21d41b4529b3528%" or Image.Hashes like r"%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%" or Image.Hashes like r"%MD5=b52f51bbe6b49d0b475d943c29c4d4cb%" or Image.Hashes like r"%MD5=a837302307dace2a00d07202b661bce2%" or Image.Hashes like r"%MD5=78a122d926ccc371d60c861600c310f3%" or Image.Hashes like r"%MD5=bdb305aa0806f8b38b7ce43c927fe919%" or Image.Hashes like 
r"%MD5=27053e964667318e1b370150cbca9138%" or Image.Hashes like r"%MD5=6a4fbcfb44717eae2145c761c1c99b6a%" or Image.Hashes like r"%MD5=d13c1b76b4a1ca3ff5ab63678b51df6d%" or Image.Hashes like r"%MD5=6a066d2be83cf83f343d0550b0b8f206%" or Image.Hashes like r"%MD5=7108b0d4021af4c41de2c223319cd4c1%" or Image.Hashes like r"%MD5=1cd158a64f3d886357535382a6fdad75%" or Image.Hashes like r"%MD5=e939448b28a4edc81f1f974cebf6e7d2%" or Image.Hashes like r"%MD5=4198d3db44d7c4b3ba9072d258a4fc2d%" or Image.Hashes like r"%MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20%" or Image.Hashes like r"%MD5=30ca3cc19f001a8f12c619daa8c6b6e3%" or Image.Hashes like r"%MD5=fe9004353b25640f6a879e57f07122d7%" or Image.Hashes like r"%MD5=06c7fcf3523235cf52b3eee083ec07b2%" or Image.Hashes like r"%MD5=364605ad21b9275681cffef607fac273%" or Image.Hashes like r"%MD5=968ddb06af90ef83c5f20fbdd4eee62e%" or Image.Hashes like r"%MD5=ba50bd645d7c81416bb26a9d39998296%" or Image.Hashes like r"%MD5=29e03f4811b64969e48a99300978f58c%" or Image.Hashes like r"%MD5=b0770094c3c64250167b55e4db850c04%" or Image.Hashes like r"%MD5=40b968ecdbe9e967d92c5da51c390eee%" or Image.Hashes like r"%MD5=b6b530dd25c5eb66499968ec82e8791e%" or Image.Hashes like r"%MD5=f209cb0e468ca0b76d879859d5c8c54e%" or Image.Hashes like r"%MD5=76f8607fc4fb9e828d613a7214436b66%" or Image.Hashes like r"%MD5=4b058945c9f2b8d8ebc485add1101ba5%" or Image.Hashes like r"%MD5=faae7f5f69fde12303dd1c0c816b72b7%" or Image.Hashes like r"%MD5=89d294ef7fefcdf1a6ca0ab96a856f57%" or Image.Hashes like r"%MD5=ef0e1725aaf0c6c972593f860531a2ea%" or Image.Hashes like r"%MD5=bbdbffebfc753b11897de2da7c9912a5%" or Image.Hashes like r"%MD5=5ebfc0af031130ba9de1d5d3275734b3%" or Image.Hashes like r"%MD5=22949977ce5cd96ba674b403a9c81285%" or Image.Hashes like r"%MD5=77cfd3943cc34d9f5279c330cd8940bc%" or Image.Hashes like r"%MD5=311de109df18e485d4a626b5dbe19bc6%" or Image.Hashes like r"%MD5=2730cc25ad385acc7213a1261b21c12d%" or Image.Hashes like r"%MD5=87dc81ebe85f20c1a7970e495a778e60%" or 
Image.Hashes like r"%MD5=154b45f072fe844676e6970612fd39c7%" or Image.Hashes like r"%MD5=5a4fe297c7d42539303137b6d75b150d%" or Image.Hashes like r"%MD5=d6a1dd7b2c06f058b408b3613c13d413%" or Image.Hashes like r"%MD5=a6e9d6505f6d2326a8a9214667c61c67%" or Image.Hashes like r"%MD5=7fad9f2ef803496f482ce4728578a57a%" or Image.Hashes like r"%MD5=5076fba3d90e346fd17f78db0a4aa12c%" or Image.Hashes like r"%MD5=79df0eabbf2895e4e2dae15a4772868c%" or Image.Hashes like r"%MD5=14580bd59c55185115fd3abe73b016a2%" or Image.Hashes like r"%MD5=1f2888e57fdd6aee466962c25ba7d62d%" or Image.Hashes like r"%MD5=5e9231e85cecfc6141e3644fda12a734%" or Image.Hashes like r"%MD5=dc564bac7258e16627b9de0ce39fae25%" or Image.Hashes like r"%MD5=4e4c068c06331130334f23957fca9e3c%" or Image.Hashes like r"%MD5=1ee9f6326649cd23381eb9d7dfdeddf7%" or Image.Hashes like r"%MD5=4e1f656001af3677856f664e96282a6f%" or Image.Hashes like r"%MD5=36f44643178c505ea0384e0fb241e904%" or Image.Hashes like r"%MD5=6b480fac7caca2f85be9a0cfe79aedfc%" or Image.Hashes like r"%MD5=c1ab425977d467b64f437a6c5ad82b44%" or Image.Hashes like r"%MD5=fe508caa54ffeb2285d9f00df547fe4a%" or Image.Hashes like r"%MD5=d3af70287de8757cebc6f8d45bb21a20%" or Image.Hashes like r"%MD5=990b949894b7dc82a8cf1131b063cb1a%" or Image.Hashes like r"%MD5=c62209b8a5daf3f32ad876ad6cefda1b%" or Image.Hashes like r"%MD5=c159fb0f345a8771e56aab8e16927361%" or Image.Hashes like r"%MD5=19b15eeccab0752c6793f782ca665a45%" or Image.Hashes like r"%MD5=1d51029dfbd616bf121b40a0d1efeb10%" or Image.Hashes like r"%MD5=157a22689629ec876337f5f9409918d5%" or Image.Hashes like r"%MD5=3dd829fb27353622eff34be1eabb8f18%" or Image.Hashes like r"%MD5=8636fe3724f2bcba9399daffd6ef3c7e%" or Image.Hashes like r"%MD5=3d0b3e19262099ade884b75ba86ca7e8%" or Image.Hashes like r"%MD5=97539c78d6e2b5356ce79e40bcd4d570%" or Image.Hashes like r"%MD5=0308b6888e0f197db6704ca20203eee4%" or Image.Hashes like r"%MD5=091a6bd4880048514c5dd3bede15eba5%" or Image.Hashes like 
r"%MD5=7e92f98b809430622b04e88441b2eb04%" or Image.Hashes like r"%MD5=bb5bda8889d8d27ef984dbd6ad82c946%" or Image.Hashes like r"%MD5=b76aee508f68b5b6dccd6e1f66f4cf8b%" or Image.Hashes like r"%MD5=a822b9e6eedf69211013e192967bf523%" or Image.Hashes like r"%MD5=df52f8a85eb64bc69039243d9680d8e4%" or Image.Hashes like r"%MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a%" or Image.Hashes like r"%MD5=44857ca402a15ab51dc5afe47abdfa44%" or Image.Hashes like r"%MD5=f9844524fb0009e5b784c21c7bad4220%" or Image.Hashes like r"%MD5=d34b218c386bfe8b1f9c941e374418d7%" or Image.Hashes like r"%MD5=0ca010a32a9b0aeae1e46d666b83b659%" or Image.Hashes like r"%MD5=93496a436c5546156a69deb255a9fed0%" or Image.Hashes like r"%MD5=1cd5e231064e03c596e819b6ff48daf9%" or Image.Hashes like r"%MD5=70a71fe86df717ac59dbf856d7ac5789%" or Image.Hashes like r"%MD5=a33089d4e50f7d2ea8b52ca95d26ebf3%" or Image.Hashes like r"%MD5=e0cc9b415d884f85c45be145872892b8%" or Image.Hashes like r"%MD5=a42249a046182aaaf3a7a7db98bfa69d%" or Image.Hashes like r"%MD5=c5ae6ca044bd03c3506c132b033be1dc%" or Image.Hashes like r"%MD5=7ebe606acd81abf1f8cb0767c974164b%" or Image.Hashes like r"%MD5=b5dcc869a91efcc6e8ea0c3c07605d63%" or Image.Hashes like r"%MD5=62c18d61ed324088f963510bae43b831%" or Image.Hashes like r"%MD5=093a2a635c3a27aac50efd6463f4efa1%" or Image.Hashes like r"%MD5=28102acca39ad0199f262ba9958be3f4%" or Image.Hashes like r"%MD5=650ef9dd70cb192027e536754d6e0f63%" or Image.Hashes like r"%MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44%" or Image.Hashes like r"%MD5=6771b13a53b9c7449d4891e427735ea2%" or Image.Hashes like r"%MD5=072ba2309b825ce1dba37d8d924ea8ed%" or Image.Hashes like r"%MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb%" or Image.Hashes like r"%MD5=1325ec39e98225e487b40043faee8052%" or Image.Hashes like r"%MD5=4484f4007de2c3ee4581a2cff77ca3b4%" or Image.Hashes like r"%MD5=a236e7d654cd932b7d11cb604629a2d0%" or Image.Hashes like r"%MD5=17509f0a98dc5c5d52c3f9ac1428a21b%" or Image.Hashes like r"%MD5=840a5edf2534dd23a082cf7b28cbfc4d%" or 
Image.Hashes like r"%MD5=77a7ed4798d02ef6636cd0fd07fc382a%" or Image.Hashes like r"%MD5=a9df5964635ef8bd567ae487c3d214c4%" or Image.Hashes like r"%MD5=8b75047199825c8e62fdcc1c915db8bd%" or Image.Hashes like r"%MD5=d416494232c4197cb36a914df2e17677%" or Image.Hashes like r"%MD5=4cf14a96485a1270fed97bb8000e4f86%" or Image.Hashes like r"%MD5=35e512f9bedc89dca5ce81f35820714c%" or Image.Hashes like r"%MD5=40f35792e7565aa047796758a3ce1b77%" or Image.Hashes like r"%MD5=f7f31bccc9b7b2964ac85106831022b1%" or Image.Hashes like r"%MD5=26aedc10d4215ba997495d3a68355f4a%" or Image.Hashes like r"%MD5=10f3679384a03cb487bda9621ceb5f90%" or Image.Hashes like r"%MD5=80219fb6b5954c33e16bac5ecdac651b%" or Image.Hashes like r"%MD5=cee36b5c6362993fa921435979bfbe4a%" or Image.Hashes like r"%MD5=e37a08f516b8a7ca64163f5d9e68fe5a%" or Image.Hashes like r"%MD5=49518f7375a5f995ebe9423d8f19cfe4%" or Image.Hashes like r"%MD5=920df6e42cf91bbe19707f5a86e3c5c5%" or Image.Hashes like r"%MD5=2ec877e425bd7eddb663627216e3491e%" or Image.Hashes like r"%MD5=550b7991d93534bc510bc4f237155a7a%" or Image.Hashes like r"%MD5=98d53f6b3bec0a3417a04fbb9e17fa06%" or Image.Hashes like r"%MD5=13a57a4ef721440c7c9208b51f7c05de%" or Image.Hashes like r"%MD5=c5fc3605194e033bdf3781ff2adaeb61%" or Image.Hashes like r"%MD5=6e625ec04c20a9dbd48c7060efbf5e92%" or Image.Hashes like r"%MD5=0b9b78d1281c7d4ab50497cf6ea7452a%" or Image.Hashes like r"%MD5=4e906fcb13e2793c98f47291fd69391b%" or Image.Hashes like r"%MD5=2bb353891d65c9e267eb98a3a2b694c3%" or Image.Hashes like r"%MD5=7d86cdda7f49f91fdb69901a002b34e7%" or Image.Hashes like r"%MD5=f69b06ca7c34d16f26ea1c6861edf62a%" or Image.Hashes like r"%MD5=ee6b1a79cb6641aa44c762ee90786fe0%" or Image.Hashes like r"%MD5=1fc7aeeff3ab19004d2e53eae8160ab1%" or Image.Hashes like r"%MD5=24d3ea54f25e32832ac20335a1ce1062%" or Image.Hashes like r"%MD5=c94f405c5929cfcccc8ad00b42c95083%" or Image.Hashes like r"%MD5=b164daf106566f444dfb280d743bc2f7%" or Image.Hashes like 
r"%MD5=93130909e562925597110a617f05e2a9%" or Image.Hashes like r"%MD5=f589d4bf547c140b6ec8a511ea47c658%" or Image.Hashes like r"%MD5=bf445ac375977ecf551bc2a912c58e8a%" or Image.Hashes like r"%MD5=629ee55e4b5a225d048fbcd5f0a1d18b%" or Image.Hashes like r"%MD5=0023ca0ca16a62d93ef51f3df98b2f94%" or Image.Hashes like r"%MD5=a3d69c7e24300389b56782aa63b0e357%" or Image.Hashes like r"%MD5=cbd8d370462503508e44dba023bdf9bc%" or Image.Hashes like r"%MD5=67daa04716803a15fc11c9e353d77c2f%" or Image.Hashes like r"%MD5=c9d4214c850e0cedf033dc8f0cd3aace%" or Image.Hashes like r"%MD5=bd5b0514f3b40f139d8079138d01b5f6%" or Image.Hashes like r"%MD5=19bdd9b799e3c2c54c0d7fff68b31c20%" or Image.Hashes like r"%MD5=f242cffd9926c0ccf94af3bf16b6e527%" or Image.Hashes like r"%MD5=5aeab9427d85951def146b4c0a44fc63%" or Image.Hashes like r"%MD5=40170485cca576adb5266cf5b0d3b0bd%" or Image.Hashes like r"%MD5=c277c4386a78fae1b7e17eaecf4f472b%" or Image.Hashes like r"%MD5=58c37866cbc3d1338e4fc58ada924ffe%" or Image.Hashes like r"%MD5=0f16a43f7989034641fd2de3eb268bf1%" or Image.Hashes like r"%MD5=0ae30291c6cbfa7be39320badd6e8de0%" or Image.Hashes like r"%MD5=05dd59bd4f175304480affd8f1305c37%" or Image.Hashes like r"%MD5=f838f4eb36f1e7036238776c7a70f0b0%" or Image.Hashes like r"%MD5=85093bb9f027027c2c61aee50796de30%" or Image.Hashes like r"%MD5=ae338d91d1b05a72559b7f6ed717362d%" or Image.Hashes like r"%MD5=bd91787b5dcb2189b856804e85dfa1d9%" or Image.Hashes like r"%MD5=6b3c1511e12f4d27a4ea3b18020d7b84%" or Image.Hashes like r"%MD5=97264fd62d4907bdac917917a07b3b7a%" or Image.Hashes like r"%MD5=6ececf26ff8b03ed7ffbddadec9a9dab%" or Image.Hashes like r"%MD5=47e6ac52431ca47da17248d80bf71389%" or Image.Hashes like r"%MD5=eb57f03b7603f0b235af62e8cd5be8c2%" or Image.Hashes like r"%MD5=e1a9aa4c14669b1fb1f67a7266f87e82%" or Image.Hashes like r"%MD5=29047f0b7790e524b09a06852d31a117%" or Image.Hashes like r"%MD5=4dd6250eb2d368f500949952eb013964%" or Image.Hashes like r"%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%" or 
Image.Hashes like r"%MD5=844af8c877f5da723c1b82cf6e213fc1%" or Image.Hashes like r"%MD5=e39152eadd76751b1d7485231b280948%" or Image.Hashes like r"%MD5=ac6e29f535b2c42999c50d2fc32f2c9c%" or Image.Hashes like r"%MD5=2406ea37152d2154be3fef6d69ada2c6%" or Image.Hashes like r"%MD5=0ea8389589c603a8b05146bd06020597%" or Image.Hashes like r"%MD5=754e21482baf18b8b0ed0f4be462ba03%" or Image.Hashes like r"%MD5=c4a517a02ba9f6eac5cf06e3629cc076%" or Image.Hashes like r"%MD5=32282e07db321e8d7849f2287bb6a14f%" or Image.Hashes like r"%MD5=32b67a6cd6dd998b9f563ed13d54a8bc%" or Image.Hashes like r"%MD5=3359e1d4244a7d724949c63e89689ef8%" or Image.Hashes like r"%MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0%" or Image.Hashes like r"%MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6%" or Image.Hashes like r"%MD5=a90236e4962620949b720f647a91f101%" or Image.Hashes like r"%MD5=ccde8c94439f9fc9c42761e4b9a23d97%" or Image.Hashes like r"%MD5=68caf620ef8deaf06819cf8c80d3367b%" or Image.Hashes like r"%MD5=5fec28e8f4f76e5ede24beb32a32b9d7%" or Image.Hashes like r"%MD5=e8eac6642b882a6196555539149c73f2%" or Image.Hashes like r"%MD5=aa98b95f5cbae8260122de06a215ee10%" or Image.Hashes like r"%MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80%" or Image.Hashes like r"%MD5=abc168fdca7169bf9dc40cec9761018d%" or Image.Hashes like r"%MD5=7f9309f5e4defec132b622fadbcad511%" or Image.Hashes like r"%MD5=4748696211bd56c2d93c21cab91e82a5%" or Image.Hashes like r"%MD5=48394dce30bb8da5ae089cb8f41b86dc%" or Image.Hashes like r"%MD5=65f800e1112864bf41eb815649f428d5%" or Image.Hashes like r"%MD5=bd25be845c151370ff177509d95d5add%" or Image.Hashes like r"%MD5=a37ed7663073319d02f2513575a22995%" or Image.Hashes like r"%MD5=2c39f6172fbc967844cac12d7ab2fa55%" or Image.Hashes like r"%MD5=491aec2249ad8e2020f9f9b559ab68a8%" or Image.Hashes like r"%MD5=1e0eb80347e723fa31fce2abb0301d44%" or Image.Hashes like r"%MD5=a26363e7b02b13f2b8d697abb90cd5c3%" or Image.Hashes like r"%MD5=4118b86e490aed091b1a219dba45f332%" or Image.Hashes like 
r"%MD5=6d131a7462e568213b44ef69156f10a5%" or Image.Hashes like r"%MD5=10c2ea775c9e76e7774ab89e38f38287%" or Image.Hashes like r"%SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79%" or Image.Hashes like r"%SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23%" or Image.Hashes like r"%SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe%" or Image.Hashes like r"%SHA1=af42afda54d150810a60baa7987f9f09d49d1317%" or Image.Hashes like r"%SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7%" or Image.Hashes like r"%SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462%" or Image.Hashes like r"%SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7%" or Image.Hashes like r"%SHA1=e730eb971ecb493b69de2308b6412836303f733a%" or Image.Hashes like r"%SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca%" or Image.Hashes like r"%SHA1=5fef884a901e81ac173d63ade3f5c51694decf74%" or Image.Hashes like r"%SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc%" or Image.Hashes like r"%SHA1=6451522b1fb428e549976d0742df5034f8124b17%" or Image.Hashes like r"%SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a%" or Image.Hashes like r"%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%" or Image.Hashes like r"%SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166%" or Image.Hashes like r"%SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a%" or Image.Hashes like r"%SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3%" or Image.Hashes like r"%SHA1=c42178977bd7bbefe084da0129ed808cb7266204%" or Image.Hashes like r"%SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333%" or Image.Hashes like r"%SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee%" or Image.Hashes like r"%SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837%" or Image.Hashes like r"%SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf%" or Image.Hashes like r"%SHA1=7638c048af5beae44352764390deea597cc3e7b1%" or Image.Hashes like r"%SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5%" or Image.Hashes like r"%SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2%" or Image.Hashes like r"%SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87%" or Image.Hashes like 
r"%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%" or Image.Hashes like r"%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%" or Image.Hashes like r"%SHA1=505546d82aab56889a923004654b9afdec54efe6%" or Image.Hashes like r"%SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a%" or Image.Hashes like r"%SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383%" or Image.Hashes like r"%SHA1=844d7bcd1a928d340255ff42971cca6244a459bf%" or Image.Hashes like r"%SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f%" or Image.Hashes like r"%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%" or Image.Hashes like r"%SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e%" or Image.Hashes like r"%SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84%" or Image.Hashes like r"%SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285%" or Image.Hashes like r"%SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6%" or Image.Hashes like r"%SHA1=607387cc90b93d58d6c9a432340261fde846b1d9%" or Image.Hashes like r"%SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07%" or Image.Hashes like r"%SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6%" or Image.Hashes like r"%SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6%" or Image.Hashes like r"%SHA1=b8b123a413b7bccfa8433deba4f88669c969b543%" or Image.Hashes like r"%SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509%" or Image.Hashes like r"%SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22%" or Image.Hashes like r"%SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d%" or Image.Hashes like r"%SHA1=a111dc6ae5575977feba71ee69b790e056846a02%" or Image.Hashes like r"%SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3%" or Image.Hashes like r"%SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2%" or Image.Hashes like r"%SHA1=0de86ec7d7f16a3680df89256548301eed970393%" or Image.Hashes like r"%SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2%" or Image.Hashes like r"%SHA1=0883a9c54e8442a551994989db6fc694f1086d41%" or Image.Hashes like r"%SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16%" or Image.Hashes like r"%SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10%" or 
Image.Hashes like r"%SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09%" or Image.Hashes like r"%SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c%" or Image.Hashes like r"%SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39%" or Image.Hashes like r"%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%" or Image.Hashes like r"%SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f%" or Image.Hashes like r"%SHA1=994dc79255aeb662a672a1814280de73d405617a%" or Image.Hashes like r"%SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1%" or Image.Hashes like r"%SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5%" or Image.Hashes like r"%SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b%" or Image.Hashes like r"%SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61%" or Image.Hashes like r"%SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9%" or Image.Hashes like r"%SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7%" or Image.Hashes like r"%SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b%" or Image.Hashes like r"%SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd%" or Image.Hashes like r"%SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2%" or Image.Hashes like r"%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%" or Image.Hashes like r"%SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3%" or Image.Hashes like r"%SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a%" or Image.Hashes like r"%SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048%" or Image.Hashes like r"%SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f%" or Image.Hashes like r"%SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b%" or Image.Hashes like r"%SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527%" or Image.Hashes like r"%SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130%" or Image.Hashes like r"%SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d%" or Image.Hashes like r"%SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1%" or Image.Hashes like r"%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%" or Image.Hashes like r"%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%" or Image.Hashes like 
r"%SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec%" or Image.Hashes like r"%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%" or Image.Hashes like r"%SHA1=9382981b05b1fb950245313992444bfa0db5f881%" or Image.Hashes like r"%SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3%" or Image.Hashes like r"%SHA1=9c36600c2640007d3410dea8017573a113374873%" or Image.Hashes like r"%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%" or Image.Hashes like r"%SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7%" or Image.Hashes like r"%SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab%" or Image.Hashes like r"%SHA1=cb25a5125fb353496b59b910263209f273f3552d%" or Image.Hashes like r"%SHA1=a5f1b56615bdaabf803219613f43671233f2001c%" or Image.Hashes like r"%SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38%" or Image.Hashes like r"%SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7%" or Image.Hashes like r"%SHA1=632c80a3c95cf589b03812539dea59594eaefae0%" or Image.Hashes like r"%SHA1=e6966e360038be3b9d8c9b2582eba4e263796084%" or Image.Hashes like r"%SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab%" or Image.Hashes like r"%SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51%" or Image.Hashes like r"%SHA1=80e4808a7fe752cac444676dbbee174367fa2083%" or Image.Hashes like r"%SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0%" or Image.Hashes like r"%SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2%" or Image.Hashes like r"%SHA1=3825ebb0b0664b5f0789371240f65231693be37d%" or Image.Hashes like r"%SHA1=de9469a5d01fb84afd41d176f363a66e410d46da%" or Image.Hashes like r"%SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b%" or Image.Hashes like r"%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%" or Image.Hashes like r"%SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5%" or Image.Hashes like r"%SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358%" or Image.Hashes like r"%SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405%" or Image.Hashes like r"%SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8%" or Image.Hashes like r"%SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2%" or 
Image.Hashes like r"%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%" or Image.Hashes like r"%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%" or Image.Hashes like r"%SHA1=9481cd590c69544c197b4ee055056302978a7191%" or Image.Hashes like r"%SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da%" or Image.Hashes like r"%SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b%" or Image.Hashes like r"%SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5%" or Image.Hashes like r"%SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4%" or Image.Hashes like r"%SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25%" or Image.Hashes like r"%SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc%" or Image.Hashes like r"%SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457%" or Image.Hashes like r"%SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d%" or Image.Hashes like r"%SHA1=f6793243ad20359d8be40d3accac168a15a327fb%" or Image.Hashes like r"%SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1%" or Image.Hashes like r"%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%" or Image.Hashes like r"%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%" or Image.Hashes like r"%SHA1=161bae224cf184ed6c09c77fae866d42412c6d25%" or Image.Hashes like r"%SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82%" or Image.Hashes like r"%SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d%" or Image.Hashes like r"%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%" or Image.Hashes like r"%SHA1=2a202830db58d5e942e4f6609228b14095ed2cab%" or Image.Hashes like r"%SHA1=0167259abd9231c29bec32e6106ca93a13999f90%" or Image.Hashes like r"%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%" or Image.Hashes like r"%SHA1=613a9df389ad612a5187632d679da11d60f6046a%" or Image.Hashes like r"%SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514%" or Image.Hashes like r"%SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86%" or Image.Hashes like r"%SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d%" or Image.Hashes like r"%SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb%" or Image.Hashes like 
r"%SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812%" or Image.Hashes like r"%SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528%" or Image.Hashes like r"%SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3%" or Image.Hashes like r"%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%" or Image.Hashes like r"%SHA1=552730553a1dea0290710465fb8189bdd0eaad42%" or Image.Hashes like r"%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%" or Image.Hashes like r"%SHA1=07f282db28771838d0e75d6618f70d76acfe6082%" or Image.Hashes like r"%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%" or Image.Hashes like r"%SHA1=22c9da04847c26188226c3a345e2126ef00aa19e%" or Image.Hashes like r"%SHA1=43501832ce50ccaba2706be852813d51de5a900f%" or Image.Hashes like r"%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%" or Image.Hashes like r"%SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde%" or Image.Hashes like r"%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%" or Image.Hashes like r"%SHA1=928b5971a0f7525209d599e2ef15c31717047022%" or Image.Hashes like r"%SHA1=b5696e2183d9387776820ef3afa388200f08f5a6%" or Image.Hashes like r"%SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2%" or Image.Hashes like r"%SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3%" or Image.Hashes like r"%SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774%" or Image.Hashes like r"%SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945%" or Image.Hashes like r"%SHA1=064de88dbbea67c149e779aac05228e5405985c7%" or Image.Hashes like r"%SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7%" or Image.Hashes like r"%SHA1=98130128685c8640a8a8391cb4718e98dd8fe542%" or Image.Hashes like r"%SHA1=a5914161f8a885702427cf75443fb08d28d904f0%" or Image.Hashes like r"%SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad%" or Image.Hashes like r"%SHA1=fff4f28287677caabc60c8ab36786c370226588d%" or Image.Hashes like r"%SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5%" or Image.Hashes like r"%SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2%" or Image.Hashes like r"%SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda%" or 
Image.Hashes like r"%SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4%" or Image.Hashes like r"%SHA1=87e20486e804bfff393cc9ad9659858e130402a2%" or Image.Hashes like r"%SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c%" or Image.Hashes like r"%SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9%" or Image.Hashes like r"%SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a%" or Image.Hashes like r"%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%" or Image.Hashes like r"%SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b%" or Image.Hashes like r"%SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6%" or Image.Hashes like r"%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%" or Image.Hashes like r"%SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c%" or Image.Hashes like r"%SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a%" or Image.Hashes like r"%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%" or Image.Hashes like r"%SHA1=76568d987f8603339b8d1958f76de2b957811f66%" or Image.Hashes like r"%SHA1=e841c8494b715b27b33be6f800ca290628507aba%" or Image.Hashes like r"%SHA1=b555aad38df7605985462f3899572931ee126259%" or Image.Hashes like r"%SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1%" or Image.Hashes like r"%SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327%" or Image.Hashes like r"%SHA1=bb6ef5518df35d9508673d5011138add8c30fc27%" or Image.Hashes like r"%SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b%" or Image.Hashes like r"%SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307%" or Image.Hashes like r"%SHA1=34b677fba9dcab9a9016332b3332ce57f5796860%" or Image.Hashes like r"%SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d%" or Image.Hashes like r"%SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e%" or Image.Hashes like r"%SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2%" or Image.Hashes like r"%SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72%" or Image.Hashes like r"%SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5%" or Image.Hashes like r"%SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a%" or Image.Hashes like 
r"%SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef%" or Image.Hashes like r"%SHA1=18693de1487c55e374b46a7728b5bf43300d4f69%" or Image.Hashes like r"%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%" or Image.Hashes like r"%SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c%" or Image.Hashes like r"%SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5%" or Image.Hashes like r"%SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8%" or Image.Hashes like r"%SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c%" or Image.Hashes like r"%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%" or Image.Hashes like r"%SHA1=e42bd2f585c00a1d6557df405246081f89542d15%" or Image.Hashes like r"%SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9%" or Image.Hashes like r"%SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd%" or Image.Hashes like r"%SHA1=948368fe309652e8d88088d23e1df39e9c2b6649%" or Image.Hashes like r"%SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d%" or Image.Hashes like r"%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%" or Image.Hashes like r"%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%" or Image.Hashes like r"%SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d%" or Image.Hashes like r"%SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09%" or Image.Hashes like r"%SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f%" or Image.Hashes like r"%SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652%" or Image.Hashes like r"%SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad%" or Image.Hashes like r"%SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c%" or Image.Hashes like r"%SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a%" or Image.Hashes like r"%SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b%" or Image.Hashes like r"%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%" or Image.Hashes like r"%SHA1=4da007dd298723f920e194501bb49bab769dfb14%" or Image.Hashes like r"%SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a%" or Image.Hashes like r"%SHA1=221717a48ee8e2d19470579c987674f661869e17%" or Image.Hashes like r"%SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa%" or 
Image.Hashes like r"%SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56%" or Image.Hashes like r"%SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375%" or Image.Hashes like r"%SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3%" or Image.Hashes like r"%SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe%" or Image.Hashes like r"%SHA1=6d09d826581baa1817be6fbd44426db9b05f1909%" or Image.Hashes like r"%SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e%" or Image.Hashes like r"%SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631%" or Image.Hashes like r"%SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997%" or Image.Hashes like r"%SHA1=0320534df24a37a245a0b09679a5adb27018fb5f%" or Image.Hashes like r"%SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0%" or Image.Hashes like r"%SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef%" or Image.Hashes like r"%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%" or Image.Hashes like r"%SHA1=062457182ab08594c631a3f897aeb03c6097eb77%" or Image.Hashes like r"%SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25%" or Image.Hashes like r"%SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670%" or Image.Hashes like r"%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%" or Image.Hashes like r"%SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5%" or Image.Hashes like r"%SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b%" or Image.Hashes like r"%SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739%" or Image.Hashes like r"%SHA1=020580278d74d0fe741b0f786d8dca7554359997%" or Image.Hashes like r"%SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677%" or Image.Hashes like r"%SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4%" or Image.Hashes like r"%SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7%" or Image.Hashes like r"%SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d%" or Image.Hashes like r"%SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f%" or Image.Hashes like r"%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%" or Image.Hashes like r"%SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49%" or Image.Hashes like 
r"%SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e%" or Image.Hashes like r"%SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c%" or Image.Hashes like r"%SHA1=86f34eaea117f629297218a4d196b5729e72d7b9%" or Image.Hashes like r"%SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0%" or Image.Hashes like r"%SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7%" or Image.Hashes like r"%SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8%" or Image.Hashes like r"%SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb%" or Image.Hashes like r"%SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a%" or Image.Hashes like r"%SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb%" or Image.Hashes like r"%SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d%" or Image.Hashes like r"%SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2%" or Image.Hashes like r"%SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a%" or Image.Hashes like r"%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%" or Image.Hashes like r"%SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b%" or Image.Hashes like r"%SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac%" or Image.Hashes like r"%SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1%" or Image.Hashes like r"%SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76%" or Image.Hashes like r"%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%" or Image.Hashes like r"%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%" or Image.Hashes like r"%SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47%" or Image.Hashes like r"%SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03%" or Image.Hashes like 
r"%SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c%" or Image.Hashes like r"%SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553%" or Image.Hashes like r"%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%" or Image.Hashes like r"%SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330%" or Image.Hashes like r"%SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852%" or Image.Hashes like r"%SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304%" or Image.Hashes like r"%SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931%" or Image.Hashes like r"%SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d%" or Image.Hashes like r"%SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c%" or Image.Hashes like r"%SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736%" or Image.Hashes like r"%SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830%" or Image.Hashes like r"%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%" or Image.Hashes like r"%SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a%" or Image.Hashes like r"%SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a%" or Image.Hashes like r"%SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a%" or Image.Hashes like r"%SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0%" or Image.Hashes like r"%SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392%" or Image.Hashes like r"%SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd%" or Image.Hashes like r"%SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee%" or Image.Hashes like r"%SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01%" or Image.Hashes like 
r"%SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254%" or Image.Hashes like r"%SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231%" or Image.Hashes like r"%SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39%" or Image.Hashes like r"%SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d%" or Image.Hashes like r"%SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1%" or Image.Hashes like r"%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%" or Image.Hashes like r"%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%" or Image.Hashes like r"%SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50%" or Image.Hashes like r"%SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9%" or Image.Hashes like r"%SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212%" or Image.Hashes like r"%SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25%" or Image.Hashes like r"%SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09%" or Image.Hashes like r"%SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1%" or Image.Hashes like r"%SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99%" or Image.Hashes like r"%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%" or Image.Hashes like r"%SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475%" or Image.Hashes like r"%SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2%" or Image.Hashes like r"%SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c%" or Image.Hashes like r"%SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb%" or Image.Hashes like r"%SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db%" or Image.Hashes like 
r"%SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2%" or Image.Hashes like r"%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%" or Image.Hashes like r"%SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b%" or Image.Hashes like r"%SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c%" or Image.Hashes like r"%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%" or Image.Hashes like r"%SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597%" or Image.Hashes like r"%SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37%" or Image.Hashes like r"%SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4%" or Image.Hashes like r"%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%" or Image.Hashes like r"%SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a%" or Image.Hashes like r"%SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e%" or Image.Hashes like r"%SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a%" or Image.Hashes like r"%SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25%" or Image.Hashes like r"%SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be%" or Image.Hashes like r"%SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7%" or Image.Hashes like r"%SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a%" or Image.Hashes like r"%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%" or Image.Hashes like r"%SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987%" or Image.Hashes like r"%SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f%" or Image.Hashes like r"%SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad%" or Image.Hashes like 
r"%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%" or Image.Hashes like r"%SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5%" or Image.Hashes like r"%SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b%" or Image.Hashes like r"%SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa%" or Image.Hashes like r"%SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972%" or Image.Hashes like r"%SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a%" or Image.Hashes like r"%SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46%" or Image.Hashes like r"%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%" or Image.Hashes like r"%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%" or Image.Hashes like r"%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%" or Image.Hashes like r"%SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6%" or Image.Hashes like r"%SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21%" or Image.Hashes like r"%SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894%" or Image.Hashes like r"%SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd%" or Image.Hashes like r"%SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62%" or Image.Hashes like r"%SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e%" or Image.Hashes like r"%SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff%" or Image.Hashes like r"%SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b%" or Image.Hashes like r"%SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870%" or Image.Hashes like r"%SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640%" or Image.Hashes like 
r"%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%" or Image.Hashes like r"%SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd%" or Image.Hashes like r"%SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550%" or Image.Hashes like r"%SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9%" or Image.Hashes like r"%SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b%" or Image.Hashes like r"%SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c%" or Image.Hashes like r"%SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988%" or Image.Hashes like r"%SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875%" or Image.Hashes like r"%SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263%" or Image.Hashes like r"%SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4%" or Image.Hashes like r"%SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280%" or Image.Hashes like r"%SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9%" or Image.Hashes like r"%SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12%" or Image.Hashes like r"%SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe%" or Image.Hashes like r"%SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b%" or Image.Hashes like r"%SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f%" or Image.Hashes like r"%SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a%" or Image.Hashes like r"%SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719%" or Image.Hashes like r"%SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908%" or Image.Hashes like r"%SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de%" or Image.Hashes like 
r"%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%" or Image.Hashes like r"%SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a%" or Image.Hashes like r"%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%" or Image.Hashes like r"%SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653%" or Image.Hashes like r"%SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919%" or Image.Hashes like r"%SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad%" or Image.Hashes like r"%SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920%" or Image.Hashes like r"%SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77%" or Image.Hashes like r"%SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e%" or Image.Hashes like r"%SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105%" or Image.Hashes like r"%SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2%" or Image.Hashes like r"%SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa%" or Image.Hashes like r"%SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112%" or Image.Hashes like r"%SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4%" or Image.Hashes like r"%SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff%" or Image.Hashes like r"%SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3%" or Image.Hashes like r"%SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925%" or Image.Hashes like r"%SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6%" or Image.Hashes like r"%SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878%" or Image.Hashes like r"%SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59%" or Image.Hashes like 
r"%SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66%" or Image.Hashes like r"%SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280%" or Image.Hashes like r"%SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7%" or Image.Hashes like r"%SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167%" or Image.Hashes like r"%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%" or Image.Hashes like r"%SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7%" or Image.Hashes like r"%SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec%" or Image.Hashes like r"%SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620%" or Image.Hashes like r"%SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f%" or Image.Hashes like r"%SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905%" or Image.Hashes like r"%SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3%" or Image.Hashes like r"%SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b%" or Image.Hashes like r"%SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab%" or Image.Hashes like r"%SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc%" or Image.Hashes like r"%SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968%" or Image.Hashes like r"%SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28%" or Image.Hashes like r"%SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0%" or Image.Hashes like r"%SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93%" or Image.Hashes like r"%SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12%" or Image.Hashes like r"%SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8%" or Image.Hashes like 
r"%SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895%" or Image.Hashes like r"%SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3%" or Image.Hashes like r"%SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f%" or Image.Hashes like r"%SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be%" or Image.Hashes like r"%SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8%" or Image.Hashes like r"%SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f%" or Image.Hashes like r"%SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe%" or Image.Hashes like r"%SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4%" or Image.Hashes like r"%SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5%" or Image.Hashes like r"%SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af%" or Image.Hashes like r"%SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40%" or Image.Hashes like r"%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%" or Image.Hashes like r"%SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d%" or Image.Hashes like r"%SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a%" or Image.Hashes like r"%SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96%" or Image.Hashes like r"%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%" or Image.Hashes like r"%SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2%" or Image.Hashes like r"%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%" or Image.Hashes like r"%SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96%" or Image.Hashes like r"%SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576%" or Image.Hashes like 
r"%SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80%" or Image.Hashes like r"%SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266%" or Image.Hashes like r"%SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724%" or Image.Hashes like r"%SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee%" or Image.Hashes like r"%SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b%" or Image.Hashes like r"%SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f%" or Image.Hashes like r"%SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e%" or Image.Hashes like r"%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%" or Image.Hashes like r"%SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952%" or Image.Hashes like r"%SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da%" or Image.Hashes like r"%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%" or Image.Hashes like r"%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%" or Image.Hashes like r"%SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7%" or Image.Hashes like r"%SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0%" or Image.Hashes like r"%SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1%" or Image.Hashes like r"%SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9%" or Image.Hashes like r"%SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a%" or Image.Hashes like r"%SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85%" or Image.Hashes like r"%SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac%" or Image.Hashes like r"%SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873%" or Image.Hashes like 
r"%SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7%" or Image.Hashes like r"%SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38%" or Image.Hashes like r"%SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c%" or Image.Hashes like r"%SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c%" or Image.Hashes like r"%SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524%" or Image.Hashes like r"%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%" or Image.Hashes like r"%SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df%" or Image.Hashes like r"%SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601%" or Image.Hashes like r"%SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7%" or Image.Hashes like r"%SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3%" or Image.Hashes like r"%SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19%" or Image.Hashes like r"%SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55%" or Image.Hashes like r"%SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe%" or Image.Hashes like r"%SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85%" or Image.Hashes like r"%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%" or Image.Hashes like r"%SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06%" or Image.Hashes like r"%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%" or Image.Hashes like r"%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%" or Image.Hashes like r"%SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55%" or Image.Hashes like r"%SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778%" or Image.Hashes like 
r"%SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6%" or Image.Hashes like r"%SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6%" or Image.Hashes like r"%SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43%" or Image.Hashes like r"%SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3%" or Image.Hashes like r"%SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7%" or Image.Hashes like r"%SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715%" or Image.Hashes like r"%SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434%" or Image.Hashes like r"%SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0%" or Image.Hashes like r"%SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f%" or Image.Hashes like r"%SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327%" or Image.Hashes like r"%SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d%" or Image.Hashes like r"%SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021%" or Image.Hashes like r"%SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4%" or Image.Hashes like r"%SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15%" or Image.Hashes like r"%SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f%" or Image.Hashes like r"%SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2%" or Image.Hashes like r"%SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677%" or Image.Hashes like r"%SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d%" or Image.Hashes like r"%SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d%" or Image.Hashes like r"%SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f%" or Image.Hashes like 
r"%SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57%" or Image.Hashes like r"%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%" or Image.Hashes like r"%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%" or Image.Hashes like r"%SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35%" or Image.Hashes like r"%SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440%" or Image.Hashes like r"%IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7%" or Image.Hashes like r"%IMPHASH=7641a0c227f0a3a45b80bb8af43cd152%" or Image.Hashes like r"%IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c%" or Image.Hashes like r"%IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d%" or Image.Hashes like r"%IMPHASH=beceab354c66949088c9e5ed1f1ff2a4%" or Image.Hashes like r"%IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626%" or Image.Hashes like r"%IMPHASH=420625b024fba72a24025defdf95b303%" or Image.Hashes like r"%IMPHASH=65ccc2c578a984c31880b6c5e65257d3%" or Image.Hashes like r"%IMPHASH=e717abe060bc5c34925fe3120ac22f45%" or Image.Hashes like r"%IMPHASH=41113a3a832353963112b94f4635a383%" or Image.Hashes like r"%IMPHASH=3866dd9fe63de457bdbf893bf7050ddf%" or Image.Hashes like r"%IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4%" or Image.Hashes like r"%IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca%" or Image.Hashes like r"%IMPHASH=c9a6e83d931286d1604d1add8403e1e5%" or Image.Hashes like r"%IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372%" or Image.Hashes like r"%IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f%" or Image.Hashes like r"%IMPHASH=8e35c9460537092672b3c7c14bccc7e0%" or Image.Hashes like r"%IMPHASH=7bf14377888c429897eb10a85f70266c%" or Image.Hashes like r"%IMPHASH=b351627263648b1d220bb488e7ec7202%" or Image.Hashes like r"%IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a%" or Image.Hashes like r"%IMPHASH=a7bd820fa5b895fab06f20739c9f24b8%" or Image.Hashes like r"%IMPHASH=be0dd8b8e045356d600ee55a64d9d197%" or Image.Hashes like 
r"%IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8%" or Image.Hashes like r"%IMPHASH=6c8d5c79a850eecc2fb0291cebda618d%" or Image.Hashes like r"%IMPHASH=c32d9a9af7f702814e1368c689877f3a%" or Image.Hashes like r"%IMPHASH=6b387c029257f024a43a73f38afb2629%" or Image.Hashes like r"%IMPHASH=df43355c636583e56e92142dcc69cc58%" or Image.Hashes like r"%IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd%" or Image.Hashes like r"%IMPHASH=c214aac08575c139e48d04f5aee21585%" or Image.Hashes like r"%IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7%" or Image.Hashes like r"%IMPHASH=059c6bd84285f4960e767f032b33f19b%" or Image.Hashes like r"%IMPHASH=a09170ef09c55cdca9472c02cb1f2647%" or Image.Hashes like r"%IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a%" or Image.Hashes like r"%IMPHASH=0262d4147f21d681f8519ab2af79283f%" or Image.Hashes like r"%IMPHASH=832219eb71b8bdb771f1d29d27b0acf4%" or Image.Hashes like r"%IMPHASH=514298d18002920ee5a917fc34426417%" or Image.Hashes like r"%IMPHASH=26ceec6572c630bdad60c984e51b7da4%" or Image.Hashes like r"%IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90%" or Image.Hashes like r"%IMPHASH=4b47f6031c558106eee17655f8f8a32f%" or Image.Hashes like r"%IMPHASH=a6c4a7369500900fc172f9557cff22cf%" or Image.Hashes like r"%IMPHASH=3b49942ec6cef1898e97f741b2b5df8a%" or Image.Hashes like r"%IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511%" or Image.Hashes like r"%IMPHASH=27f6dc8a247a22308dd1beba5086b302%" or Image.Hashes like r"%IMPHASH=7d017945bf90936a6c40f73f91ed02c2%" or Image.Hashes like r"%IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97%" or Image.Hashes like r"%IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e%" or Image.Hashes like r"%IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9%" or Image.Hashes like r"%IMPHASH=87fd2b54ed568e2294300e164b8c46f7%" or Image.Hashes like r"%IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a%" or Image.Hashes like r"%IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff%" or Image.Hashes like r"%IMPHASH=2a008187d4a73284ddcc43f1b727b513%" or Image.Hashes like r"%IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127%" or 
Image.Hashes like r"%IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4%" or Image.Hashes like r"%IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4%" or Image.Hashes like r"%IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771%" +GenericProperty1 = Image.Hashes [ThreatDetectionRule platform=Windows] -# Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced -# Author: Florian Roth (Nextron Systems) -RuleId = 12827a56-61a4-476a-a9cb-f3068f191073 -RuleName = HackTool - KrbRelayUp Execution -EventType = Process.Start -Tag = proc-start-hacktool-krbrelayup-execution +# Detects potential DLL sideloading of "appverifUI.dll" +# Author: X__Junior (Nextron Systems) +RuleId = ee6cea48-c5b6-4304-a332-10fc6446f484 +RuleName = Potential appverifUI.DLL Sideloading +EventType = Image.Load +Tag = potential-appverifui.dll-sideloading RiskScore = 75 -Annotation = {"mitre_attack": ["T1558.003", "T1550.003"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\KrbRelayUp.exe" or Process.Name == "KrbRelayUp.exe" or Process.CommandLine like r"% relay %" and Process.CommandLine like r"% -Domain %" and Process.CommandLine like r"% -ComputerName %" or Process.CommandLine like r"% krbscm %" and Process.CommandLine like r"% -sc %" or Process.CommandLine like r"% spawn %" and Process.CommandLine like r"% -d %" and Process.CommandLine like r"% -cn %" and Process.CommandLine like r"% -cp %" +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} +Query = Image.Path like r"%\\appverifUI.dll" and not ((Process.Path in ["C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe"]) and (Image.Path like r"C:\\Windows\\System32\\%" or Image.Path like r"C:\\Windows\\SysWOW64\\%" or Image.Path like r"C:\\Windows\\WinSxS\\%")) +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects a suspicious copy operation that tries to copy a known 
LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = f5d19838-41b5-476c-98d8-ba8af4929ee2 -RuleName = LOL-Binary Copied From System Directory +# Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts +# Author: Florian Roth (Nextron Systems) +RuleId = 93199800-b52a-4dec-b762-75212c196542 +RuleName = PUA - RunXCmd Execution EventType = Process.Start -Tag = proc-start-lol-binary-copied-from-system-directory +Tag = proc-start-pua-runxcmd-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1036.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"%copy %" or (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"%copy-item%" or Process.CommandLine like r"% copy %" or Process.CommandLine like r"%cpi %" or Process.CommandLine like r"% cp %") or Process.Path like r"%\\robocopy.exe" or Process.Path like r"%\\xcopy.exe" or Process.Name in ["robocopy.exe", "XCOPY.EXE"]) and (Process.CommandLine like r"%\\System32%" or Process.CommandLine like r"%\\SysWOW64%" or Process.CommandLine like r"%\\WinSxS%") and (Process.CommandLine like r"%\\bitsadmin.exe%" or Process.CommandLine like r"%\\calc.exe%" or Process.CommandLine like r"%\\certutil.exe%" or Process.CommandLine like r"%\\cmdl32.exe%" or Process.CommandLine like r"%\\cscript.exe%" or Process.CommandLine like r"%\\mshta.exe%" or Process.CommandLine like r"%\\rundll32.exe%" or Process.CommandLine like r"%\\wscript.exe%") +Annotation = {"mitre_attack": ["T1569.002"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.CommandLine like r"% /account=system %" or Process.CommandLine like r"% /account=ti %") and Process.CommandLine like r"%/exec=%" [ThreatDetectionRule platform=Windows] -# Detects 
suspicious process patterns found in logs when CrackMapExec is used +# Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary # Author: Florian Roth (Nextron Systems) -RuleId = f26307d8-14cd-47e3-a26b-4b4769f24af6 -RuleName = HackTool - CrackMapExec Process Patterns +RuleId = 729ce0ea-5d8f-4769-9762-e35de441586d +RuleName = MpiExec Lolbin EventType = Process.Start -Tag = proc-start-hacktool-crackmapexec-process-patterns +Tag = proc-start-mpiexec-lolbin RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%tasklist /fi %" and Process.CommandLine like r"%Imagename eq lsass.exe%" and (Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd.exe /r %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd /r %" or Process.CommandLine like r"%cmd /k %") and (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") or Process.CommandLine like r"%do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump%" and Process.CommandLine like r"%\\Windows\\Temp\\%" and Process.CommandLine like r"% full%" and Process.CommandLine like r"%\%\%B%" or Process.CommandLine like r"%tasklist /v /fo csv%" and Process.CommandLine like r"%findstr /i \"lsass\"%" -GenericProperty1 = Process.User +Annotation = {"mitre_attack": ["T1218"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.Path like r"%\\mpiexec.exe" or Process.Hashes like r"%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%") and (Process.CommandLine like r"% /n 1 %" or Process.CommandLine like r"% -n 1 %") +GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory -# Author: Florian Roth (Nextron Systems) 
-RuleId = 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
-RuleName = Process Access via TrolleyExpress Exclusion
+# Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
+# Author: Maxim Pavlunin
+RuleId = e8a95b5e-c891-46e2-b33a-93937d3abc31
+RuleName = Suspicious HH.EXE Execution
 EventType = Process.Start
-Tag = proc-start-process-access-via-trolleyexpress-exclusion
+Tag = proc-start-suspicious-hh.exe-execution
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1218.011", "T1003.001"], "author": "Florian Roth (Nextron Systems)"}
-Query = Process.CommandLine like r"%\\TrolleyExpress 7%" or Process.CommandLine like r"%\\TrolleyExpress 8%" or Process.CommandLine like r"%\\TrolleyExpress 9%" or Process.CommandLine like r"%\\TrolleyExpress.exe 7%" or Process.CommandLine like r"%\\TrolleyExpress.exe 8%" or Process.CommandLine like r"%\\TrolleyExpress.exe 9%" or Process.CommandLine like r"%\\TrolleyExpress.exe -ma %" or Process.Path like r"%\\TrolleyExpress.exe" and not (Process.Name like r"%CtxInstall%" or isnull(Process.Name))
+Annotation = {"mitre_attack": ["T1047", "T1059.001", "T1059.003", "T1059.005", "T1059.007", "T1218", "T1218.001", "T1218.010", "T1218.011", "T1566", "T1566.001"], "author": "Maxim Pavlunin"}
+Query = (Process.Name == "HH.exe" or Process.Path like r"%\\hh.exe") and (Process.CommandLine like r"%.application%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\Content.Outlook\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%")
 [ThreatDetectionRule platform=Windows]
-# Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
-# Author: Markus Neis, @Karneades
-RuleId = 56c217c3-2de2-479b-990f-5c109ba8458f
-RuleName = HackTool - Default PowerSploit/Empire Scheduled Task Creation
-EventType = Process.Start
-Tag = proc-start-hacktool-default-powersploit/empire-scheduled-task-creation
+# The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
+# Author: NVISO
+RuleId = 828af599-4c53-4ed2-ba4a-a9f835c434ea
+RuleName = Fax Service DLL Search Order Hijack
+EventType = Image.Load
+Tag = fax-service-dll-search-order-hijack
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1053.005", "T1059.001"], "author": "Markus Neis, @Karneades"}
-Query = (Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Create%" and Process.CommandLine like r"%powershell.exe -NonI%" and Process.CommandLine like r"%/TN Updater /TR%" and (Process.CommandLine like r"%/SC ONLOGON%" or Process.CommandLine like r"%/SC DAILY /ST%" or Process.CommandLine like r"%/SC ONIDLE%" or Process.CommandLine like r"%/SC HOURLY%")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "NVISO"}
+Query = Process.Path like r"%\\fxssvc.exe" and Image.Path like r"%ualapi.dll" and not Image.Path like r"C:\\Windows\\WinSxS\\%"
+GenericProperty1 = Image.Path
 [ThreatDetectionRule platform=Windows]
-# Detects file creation events with filename patterns used by CrackMapExec.
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
-RuleName = HackTool - CrackMapExec File Indicators
-EventType = File.Create
-Tag = hacktool-crackmapexec-file-indicators
+# Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
+# Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+RuleId = 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
+RuleName = Suspicious WebDav Client Execution Via Rundll32.EXE
+EventType = Process.Start
+Tag = proc-start-suspicious-webdav-client-execution-via-rundll32.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1003.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = File.Path like r"C:\\Windows\\Temp\\%" and (File.Path like r"%\\temp.ps1" or File.Path like r"%\\msol.ps1" or File.Path regex "\\\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.txt$" or File.Path regex "\\\\[a-zA-Z]{8}\\.tmp$")
-GenericProperty1 = File.Path
+Annotation = {"mitre_attack": ["T1048.003"], "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)"}
+Query = Parent.Path like r"%\\svchost.exe" and Parent.CommandLine like r"%-s WebClient%" and Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%C:\\windows\\system32\\davclnt.dll,DavSetCookie%" and Process.CommandLine regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" and not (Process.CommandLine like r"%://10.%" or Process.CommandLine like r"%://192.168.%" or Process.CommandLine like r"%://172.16.%" or Process.CommandLine like r"%://172.17.%" or Process.CommandLine like r"%://172.18.%" or Process.CommandLine like r"%://172.19.%" or Process.CommandLine like r"%://172.20.%" or Process.CommandLine like r"%://172.21.%" or Process.CommandLine like r"%://172.22.%" or Process.CommandLine like r"%://172.23.%" or Process.CommandLine like r"%://172.24.%" or Process.CommandLine like r"%://172.25.%" or Process.CommandLine like r"%://172.26.%" or Process.CommandLine like r"%://172.27.%" or Process.CommandLine like r"%://172.28.%" or Process.CommandLine like r"%://172.29.%" or Process.CommandLine like r"%://172.30.%" or Process.CommandLine like r"%://172.31.%" or Process.CommandLine like r"%://127.%" or Process.CommandLine like r"%://169.254.%")
+GenericProperty1 = Parent.Path
+GenericProperty2 = Parent.CommandLine
 [ThreatDetectionRule platform=Windows]
-# Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
-# Author: Ilya Krestinichev
-RuleId = 54786ddc-5b8a-11ed-9b6a-0242ac120002
-RuleName = Suspicious Ping/Del Command Combination
+# Detects creation of local users via the net.exe command with the option "never expire"
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = b9f0e6f5-09b4-4358-bae4-08408705bd5c
+RuleName = New User Created Via Net.EXE With Never Expire Option
 EventType = Process.Start
-Tag = proc-start-suspicious-ping/del-command-combination
+Tag = proc-start-new-user-created-via-net.exe-with-never-expire-option
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1070.004"], "author": "Ilya Krestinichev"}
-Query = (Process.CommandLine like r"% -n %" or Process.CommandLine like r"% /n %" or Process.CommandLine like r"% –n %" or Process.CommandLine like r"% —n %" or Process.CommandLine like r"% ―n %") and Process.CommandLine like r"%Nul%" and (Process.CommandLine like r"% -f %" or Process.CommandLine like r"% /f %" or Process.CommandLine like r"% –f %" or Process.CommandLine like r"% —f %" or Process.CommandLine like r"% ―f %" or Process.CommandLine like r"% -q %" or Process.CommandLine like r"% /q %" or Process.CommandLine like r"% –q %" or Process.CommandLine like r"% —q %" or Process.CommandLine like r"% ―q %") and Process.CommandLine like r"%ping%" and Process.CommandLine like r"%del %"
+Annotation = {"mitre_attack": ["T1136.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and Process.CommandLine like r"%user%" and Process.CommandLine like r"%add%" and Process.CommandLine like r"%expires:never%"
 [ThreatDetectionRule platform=Windows]
-# Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
-# Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
-RuleId = 07a99744-56ac-40d2-97b7-2095967b0e03
-RuleName = Potential Privilege Escalation Attempt Via .Exe.Local Technique
-EventType = File.Create
-Tag = potential-privilege-escalation-attempt-via-.exe.local-technique
+# Detects a suspicious RDP session redirect using tscon.exe
+# Author: Florian Roth (Nextron Systems)
+RuleId = f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
+RuleName = Suspicious RDP Redirect Using TSCON
+EventType = Process.Start
+Tag = proc-start-suspicious-rdp-redirect-using-tscon
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)"}
-Query = (File.Path like r"C:\\Windows\\System32\\logonUI.exe.local%" or File.Path like r"C:\\Windows\\System32\\werFault.exe.local%" or File.Path like r"C:\\Windows\\System32\\consent.exe.local%" or File.Path like r"C:\\Windows\\System32\\narrator.exe.local%" or File.Path like r"C:\\Windows\\System32\\wermgr.exe.local%") and File.Path like r"%\\comctl32.dll"
-GenericProperty1 = File.Path
+Annotation = {"mitre_attack": ["T1563.002", "T1021.001"], "author": "Florian Roth (Nextron Systems)"}
+Query = Process.CommandLine like r"% /dest:rdp-tcp#%"
 [ThreatDetectionRule platform=Windows]
-# Detects potential DLL sideloading of "edputil.dll"
-# Author: X__Junior (Nextron Systems)
-RuleId = e4903324-1a10-4ed3-981b-f6fe3be3a2c2
-RuleName = Potential Edputil.DLL Sideloading
-EventType = Image.Load
-Tag = potential-edputil.dll-sideloading
+# Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = f9999590-1f94-4a34-a91e-951e47bedefd
+RuleName = Suspicious Provlaunch.EXE Child Process
+EventType = Process.Start
+Tag = proc-start-suspicious-provlaunch.exe-child-process
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"}
-Query = Image.Path like r"%\\edputil.dll" and not (Image.Path like r"C:\\Windows\\System32\\%" or Image.Path like r"C:\\Windows\\SysWOW64\\%" or Image.Path like r"C\\Windows\\WinSxS\\%")
-GenericProperty1 = Image.Path
+Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Parent.Path like r"%\\provlaunch.exe" and (Process.Path like r"%\\calc.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\notepad.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%:\\PerfLogs\\%" or Process.Path like r"%:\\Temp\\%" or Process.Path like r"%:\\Users\\Public\\%" or Process.Path like r"%\\AppData\\Temp\\%" or Process.Path like r"%\\Windows\\System32\\Tasks\\%" or Process.Path like r"%\\Windows\\Tasks\\%" or Process.Path like r"%\\Windows\\Temp\\%")
+GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=Windows]
-# Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = f37b4bce-49d0-4087-9f5b-58bffda77316
-RuleName = Potential AutoLogger Sessions Tampering
+# Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
+# Author: Omer Yampel, Christian Burkard (Nextron Systems)
+RuleId = 5b872a46-3b90-45c1-8419-f675db8053aa
+RuleName = UAC Bypass via Sdclt
 EventType = Reg.Any
-Tag = potential-autologger-sessions-tampering
+Tag = uac-bypass-via-sdclt
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Reg.TargetObject like r"%\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\%" and (Reg.TargetObject like r"%\\EventLog-%" or Reg.TargetObject like r"%\\Defender%") and (Reg.TargetObject like r"%\\Enable" or Reg.TargetObject like r"%\\Start") and Reg.Value.Data == "DWORD (0x00000000)" and not Process.Path == "C:\\Windows\\system32\\wevtutil.exe"
+Annotation = {"mitre_attack": ["T1548.002"], "author": "Omer Yampel, Christian Burkard (Nextron Systems)"}
+Query = Reg.TargetObject like r"%Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" or Reg.TargetObject like r"%Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue" and Reg.Value.Data regex "-1[0-9]{3}\\\\Software\\\\Classes\\\\"
 Hive = HKLM,HKU
 GenericProperty1 = Reg.TargetObject
 GenericProperty2 = Reg.Value.Data
 [ThreatDetectionRule platform=Windows]
-# Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
-# The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 41f6531d-af6e-4c6e-918f-b946f2b85a36
-RuleName = Potential Persistence Via LSA Extensions
-EventType = Reg.Any
-Tag = potential-persistence-via-lsa-extensions
+# Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
+# Author: Sander Wiebing
+RuleId = 01aeb693-138d-49d2-9403-c4f52d7d3d62
+RuleName = RDP Connection Allowed Via Netsh.EXE
+EventType = Process.Start
+Tag = proc-start-rdp-connection-allowed-via-netsh.exe
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Reg.TargetObject like r"%\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions%"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
+Annotation = {"mitre_attack": ["T1562.004"], "author": "Sander Wiebing"}
+Query = (Process.Path like r"%\\netsh.exe" or Process.Name == "netsh.exe") and Process.CommandLine like r"%firewall %" and Process.CommandLine like r"%add %" and Process.CommandLine like r"%tcp %" and Process.CommandLine like r"%3389%" and (Process.CommandLine like r"%portopening%" or Process.CommandLine like r"%allow%")
 [ThreatDetectionRule platform=Windows]
-# Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
-# Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-RuleId = c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
-RuleName = Scheduled Task Executing Encoded Payload from Registry
+# Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
+# Author: Florian Roth (Nextron Systems)
+RuleId = fa00b701-44c6-4679-994d-5a18afa8a707
+RuleName = PUA - AdvancedRun Suspicious Execution
 EventType = Process.Start
-Tag = proc-start-scheduled-task-executing-encoded-payload-from-registry
+Tag = proc-start-pua-advancedrun-suspicious-execution
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1053.005", "T1059.001"], "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\schtasks.exe" or Process.Name == "schtasks.exe") and Process.CommandLine like r"%/Create%" and (Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"%encodedcommand%") and (Process.CommandLine like r"%Get-ItemProperty%" or Process.CommandLine like r"% gp %") and (Process.CommandLine like r"%HKCU:%" or Process.CommandLine like r"%HKLM:%" or Process.CommandLine like r"%registry::%" or Process.CommandLine like r"%HKEY\_%")
+Annotation = {"mitre_attack": ["T1134.002"], "author": "Florian Roth (Nextron Systems)"}
+Query = (Process.CommandLine like r"%/EXEFilename%" or Process.CommandLine like r"%/CommandLine%") and (Process.CommandLine like r"% /RunAs 8 %" or Process.CommandLine like r"% /RunAs 4 %" or Process.CommandLine like r"% /RunAs 10 %" or Process.CommandLine like r"% /RunAs 11 %" or Process.CommandLine like r"%/RunAs 8" or Process.CommandLine like r"%/RunAs 4" or Process.CommandLine like r"%/RunAs 10" or Process.CommandLine like r"%/RunAs 11")
 [ThreatDetectionRule platform=Windows]
-# Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
+# Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
 # Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
-RuleName = Potential Data Stealing Via Chromium Headless Debugging
+RuleId = 6004abd0-afa4-4557-ba90-49d172e0a299
+RuleName = Execute Pcwrun.EXE To Leverage Follina
 EventType = Process.Start
-Tag = proc-start-potential-data-stealing-via-chromium-headless-debugging
+Tag = proc-start-execute-pcwrun.exe-to-leverage-follina
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1185"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.CommandLine like r"%--remote-debugging-%" and Process.CommandLine like r"%--user-data-dir%" and Process.CommandLine like r"%--headless%"
+Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.Path like r"%\\pcwrun.exe" and Process.CommandLine like r"%../%"
 [ThreatDetectionRule platform=Windows]
-# Detects the deletion of all backups or system state backups via "wbadmin.exe".
-# This technique is used by numerous ransomware families and actors.
-# This may only be successful on server platforms that have Windows Backup enabled.
-# Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-RuleId = 639c9081-f482-47d3-a0bd-ddee3d4ecd76
-RuleName = All Backups Deleted Via Wbadmin.EXE
+# Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
+# Author: Harjot Singh, '@cyb3rjy0t'
+RuleId = 9248c7e1-2bf3-4661-a22c-600a8040b446
+RuleName = Potential Rundll32 Execution With DLL Stored In ADS
 EventType = Process.Start
-Tag = proc-start-all-backups-deleted-via-wbadmin.exe
+Tag = proc-start-potential-rundll32-execution-with-dll-stored-in-ads
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1490"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\wbadmin.exe" or Process.Name == "WBADMIN.EXE") and Process.CommandLine like r"%delete%" and Process.CommandLine like r"%backup%" and Process.CommandLine like r"%keepVersions:0%"
+Annotation = {"mitre_attack": ["T1564.004"], "author": "Harjot Singh, '@cyb3rjy0t'"}
+Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.EXE") and Process.CommandLine regex "[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:"
 [ThreatDetectionRule platform=Windows]
-# Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
+# Detects execution of the IEExec utility to download and execute files
 # Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = e6fe26ee-d063-4f5b-b007-39e90aaf50e3
-RuleName = Potential Persistence Via AutodialDLL
-EventType = Reg.Any
-Tag = potential-persistence-via-autodialdll
+RuleId = 9801abb8-e297-4dbf-9fbd-57dde0e830ad
+RuleName = File Download And Execution Via IEExec.EXE
+EventType = Process.Start
+Tag = proc-start-file-download-and-execution-via-ieexec.exe
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Reg.TargetObject like r"%\\Services\\WinSock2\\Parameters\\AutodialDLL%"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
+Annotation = {"mitre_attack": ["T1105"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\IEExec.exe" or Process.Name == "IEExec.exe") and (Process.CommandLine like r"%http://%" or Process.CommandLine like r"%https://%")
 [ThreatDetectionRule platform=Windows]
-# Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
-# Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-RuleId = a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
-RuleName = Microsoft Office Protected View Disabled
-EventType = Reg.Any
-Tag = microsoft-office-protected-view-disabled
+# Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 07e3cb2c-0608-410d-be4b-1511cb1a0448
+RuleName = Tamper Windows Defender Remove-MpPreference
+EventType = Process.Start
+Tag = proc-start-tamper-windows-defender-remove-mppreference
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1562.001"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"}
-Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Office\\%" and Reg.TargetObject like r"%\\Security\\ProtectedView\\%" and (Reg.Value.Data == "DWORD (0x00000001)" and (Reg.TargetObject like r"%\\DisableAttachementsInPV" or Reg.TargetObject like r"%\\DisableInternetFilesInPV" or Reg.TargetObject like r"%\\DisableIntranetCheck" or Reg.TargetObject like r"%\\DisableUnsafeLocationsInPV") or Reg.Value.Data == "DWORD (0x00000000)" and (Reg.TargetObject like r"%\\enabledatabasefileprotectedview" or Reg.TargetObject like r"%\\enableforeigntextfileprotectedview"))
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
+Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.CommandLine like r"%Remove-MpPreference%" and (Process.CommandLine like r"%-ControlledFolderAccessProtectedFolders %" or Process.CommandLine like r"%-AttackSurfaceReductionRules\_Ids %" or Process.CommandLine like r"%-AttackSurfaceReductionRules\_Actions %" or Process.CommandLine like r"%-CheckForSignaturesBeforeRunningScan %")
 [ThreatDetectionRule platform=Windows]
-# Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = a95b9b42-1308-4735-a1af-abb1c5e6f5ac
-RuleName = Suspicious Service DACL Modification Via Set-Service Cmdlet
+# Detects an interactive AT job, which may be used as a form of privilege escalation.
+# Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+RuleId = 60fc936d-2eb0-4543-8a13-911c750a1dfc
+RuleName = Interactive AT Job
 EventType = Process.Start
-Tag = proc-start-suspicious-service-dacl-modification-via-set-service-cmdlet
+Tag = proc-start-interactive-at-job
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1543.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Path like r"%\\pwsh.exe" or Process.Name == "pwsh.dll") and (Process.CommandLine like r"%-SecurityDescriptorSddl %" or Process.CommandLine like r"%-sd %") and Process.CommandLine like r"%Set-Service %" and Process.CommandLine like r"%D;;%" and (Process.CommandLine like r"%;;;IU%" or Process.CommandLine like r"%;;;SU%" or Process.CommandLine like r"%;;;BA%" or Process.CommandLine like r"%;;;SY%" or Process.CommandLine like r"%;;;WD%")
+Annotation = {"mitre_attack": ["T1053.002"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community"}
+Query = Process.Path like r"%\\at.exe" and Process.CommandLine like r"%interactive%"
 [ThreatDetectionRule platform=Windows]
-# Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
-# Author: frack113
-RuleId = e15b518d-b4ce-4410-a9cd-501f23ce4a18
-RuleName = Suspicious Creation with Colorcpl
-EventType = File.Create
-Tag = suspicious-creation-with-colorcpl
+# Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 89ca78fd-b37c-4310-b3d3-81a023f83936
+RuleName = Schtasks Creation Or Modification With SYSTEM Privileges
+EventType = Process.Start
+Tag = proc-start-schtasks-creation-or-modification-with-system-privileges
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1564"], "author": "frack113"}
-Query = Process.Path like r"%\\colorcpl.exe" and not (File.Path like r"%.icm" or File.Path like r"%.gmmp" or File.Path like r"%.cdmp" or File.Path like r"%.camp")
-GenericProperty1 = File.Path
+Annotation = {"mitre_attack": ["T1053.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.Path like r"%\\schtasks.exe" and (Process.CommandLine like r"% /change %" or Process.CommandLine like r"% /create %") and Process.CommandLine like r"%/ru %" and (Process.CommandLine like r"%NT AUT%" or Process.CommandLine like r"% SYSTEM %") and not (Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/TN TVInstallRestore%" and Process.CommandLine like r"%\\TeamViewer\_.exe%" or Process.CommandLine like r"%Subscription Heartbeat%" and Process.CommandLine like r"%\\HeartbeatConfig.xml%" and Process.CommandLine like r"%\\Microsoft Shared\\OFFICE%" or Process.CommandLine like r"%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %" or Process.CommandLine like r"%:\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira\_speedup\_setup.exe%" or Process.CommandLine like r"%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%")
 [ThreatDetectionRule platform=Windows]
-# Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
-# Author: Florian Roth (Nextron Systems)
-RuleId = 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
-RuleName = Suspicious Execution Location Of Wermgr.EXE
+# Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
+# Author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
+RuleId = fc0e89b5-adb0-43c1-b749-c12a10ec37de
+RuleName = SafeBoot Registry Key Deleted Via Reg.EXE
 EventType = Process.Start
-Tag = proc-start-suspicious-execution-location-of-wermgr.exe
+Tag = proc-start-safeboot-registry-key-deleted-via-reg.exe
 RiskScore = 75
-Annotation = {"author": "Florian Roth (Nextron Systems)"}
-Query = Process.Path like r"%\\wermgr.exe" and not (Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\WinSxS\\%")
+Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton"}
+Query = (Process.Path like r"%reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"% delete %" and Process.CommandLine like r"%\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot%"
 [ThreatDetectionRule platform=Windows]
-# Detects tampering of RDP Terminal Service/Server sensitive settings.
-# Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
-# Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-RuleId = 3f6b7b62-61aa-45db-96bd-9c31b36b653c
-RuleName = RDP Sensitive Settings Changed
-EventType = Reg.Any
-Tag = rdp-sensitive-settings-changed
+# Detects the pattern of UAC Bypass using Event Viewer RecentViews
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 30fc8de7-d833-40c4-96b6-28319fbc4f6c
+RuleName = UAC Bypass Using Event Viewer RecentViews
+EventType = Process.Start
+Tag = proc-start-uac-bypass-using-event-viewer-recentviews
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1112"], "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali"}
-Query = (Reg.TargetObject like r"%\\Control\\Terminal Server\\%" or Reg.TargetObject like r"%\\Windows NT\\Terminal Services\\%") and Reg.TargetObject like r"%\\Shadow" and (Reg.Value.Data in ["DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)"]) or (Reg.TargetObject like r"%\\Control\\Terminal Server\\%" or Reg.TargetObject like r"%\\Windows NT\\Terminal Services\\%") and (Reg.TargetObject like r"%\\DisableRemoteDesktopAntiAlias" or Reg.TargetObject like r"%\\DisableSecuritySettings" or Reg.TargetObject like r"%\\fAllowUnsolicited" or Reg.TargetObject like r"%\\fAllowUnsolicitedFullControl") and Reg.Value.Data == "DWORD (0x00000001)" or Reg.TargetObject like r"%\\Control\\Terminal Server\\InitialProgram%" or Reg.TargetObject like r"%\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram%" or Reg.TargetObject like r"%\\services\\TermService\\Parameters\\ServiceDll%" or Reg.TargetObject like r"%\\Windows NT\\Terminal Services\\InitialProgram%"
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.CommandLine like r"%\\Event Viewer\\RecentViews%" or Process.CommandLine like r"%\\EventV~1\\RecentViews%") and Process.CommandLine like r"%>%"
 [ThreatDetectionRule platform=Windows]
-# Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
-# Author: Florian Roth (Nextron Systems)
-RuleId = 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
-RuleName = Security Privileges Enumeration Via Whoami.EXE
+# Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 6c8fbee5-dee8-49bc-851d-c3142d02aa47
+RuleName = Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
 EventType = Process.Start
-Tag = proc-start-security-privileges-enumeration-via-whoami.exe
+Tag = proc-start-allow-service-access-using-security-descriptor-tampering-via-sc.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1033"], "author": "Florian Roth (Nextron Systems)"}
-Query = (Process.Path like r"%\\whoami.exe" or Process.Name == "whoami.exe") and (Process.CommandLine like r"% /priv%" or Process.CommandLine like r"% -priv%")
+Annotation = {"mitre_attack": ["T1543.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and Process.CommandLine like r"%sdset%" and Process.CommandLine like r"%A;%" and (Process.CommandLine like r"%;IU%" or Process.CommandLine like r"%;SU%" or Process.CommandLine like r"%;BA%" or Process.CommandLine like r"%;SY%" or Process.CommandLine like r"%;WD%")
 [ThreatDetectionRule platform=Windows]
-# Detects execution of the "finger.exe" utility.
-# Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
-# Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
-# Author: Florian Roth (Nextron Systems), omkar72, oscd.community
-RuleId = af491bca-e752-4b44-9c86-df5680533dbc
-RuleName = Finger.EXE Execution
+# Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+# Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+# Author: Nasreddine Bencherchali (Nextron Systems), frack113
+RuleId = 8b93a509-1cb8-42e1-97aa-ee24224cdc15
+RuleName = Sensitive File Dump Via Wbadmin.EXE
 EventType = Process.Start
-Tag = proc-start-finger.exe-execution
+Tag = proc-start-sensitive-file-dump-via-wbadmin.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1105"], "author": "Florian Roth (Nextron Systems), omkar72, oscd.community"}
-Query = Process.Name == "finger.exe" or Process.Path like r"%\\finger.exe"
+Annotation = {"mitre_attack": ["T1003.003"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113"}
+Query = (Process.Path like r"%\\wbadmin.exe" or Process.Name == "WBADMIN.EXE") and (Process.CommandLine like r"%start%" or Process.CommandLine like r"%backup%") and (Process.CommandLine like r"%\\config\\SAM%" or Process.CommandLine like r"%\\config\\SECURITY%" or Process.CommandLine like r"%\\config\\SYSTEM%" or Process.CommandLine like r"%\\Windows\\NTDS\\NTDS.dit%")
 [ThreatDetectionRule platform=Windows]
-# Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
-# Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
-RuleId = cc7abbd0-762b-41e3-8a26-57ad50d2eea3
-RuleName = MSHTA Suspicious Execution 01
+# Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
+# Author: Florian Roth (Nextron Systems)
+RuleId = 79b06761-465f-4f88-9ef2-150e24d3d737
+RuleName = Potential SysInternals ProcDump Evasion
 EventType = Process.Start
-Tag = proc-start-mshta-suspicious-execution-01
+Tag = proc-start-potential-sysinternals-procdump-evasion
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1140", "T1218.005", "T1059.007"], "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)"}
-Query = Process.Path like r"%\\mshta.exe" and (Process.CommandLine like r"%vbscript%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.lnk%" or Process.CommandLine like r"%.xls%" or Process.CommandLine like r"%.doc%" or Process.CommandLine like r"%.zip%" or Process.CommandLine like r"%.dll%")
+Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems)"}
+Query = Process.CommandLine like r"%copy procdump%" or Process.CommandLine like r"%move procdump%" or Process.CommandLine like r"%copy %" and Process.CommandLine like r"%.dmp %" and (Process.CommandLine like r"%2.dmp%" or Process.CommandLine like r"%lsass%" or Process.CommandLine like r"%out.dmp%") or Process.CommandLine like r"%copy lsass.exe\_%" or Process.CommandLine like r"%move lsass.exe\_%"
 [ThreatDetectionRule platform=Windows]
-# Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
+# Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
 # Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = f44800ac-38ec-471f-936e-3fa7d9c53100
-RuleName = PUA - CleanWipe Execution
-EventType = Process.Start
-Tag = proc-start-pua-cleanwipe-execution
+RuleId = a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
+RuleName = Potential Attachment Manager Settings Associations Tamper
+EventType = Reg.Any
+Tag = potential-attachment-manager-settings-associations-tamper
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.Path like r"%\\SepRemovalToolNative\_x64.exe" or Process.Path like r"%\\CATClean.exe" and Process.CommandLine like r"%--uninstall%" or Process.Path like r"%\\NetInstaller.exe" and Process.CommandLine like r"%-r%" or Process.Path like r"%\\WFPUnins.exe" and Process.CommandLine like r"%/uninstall%" and Process.CommandLine like r"%/enterprise%"
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\%" and (Reg.TargetObject like r"%\\DefaultFileTypeRisk" and Reg.Value.Data == "DWORD (0x00006152)" or Reg.TargetObject like r"%\\LowRiskFileTypes" and (Reg.Value.Data like r"%.zip;%" or Reg.Value.Data like r"%.rar;%" or Reg.Value.Data like r"%.exe;%" or Reg.Value.Data like r"%.bat;%" or Reg.Value.Data like r"%.com;%" or Reg.Value.Data like r"%.cmd;%" or Reg.Value.Data like r"%.reg;%" or Reg.Value.Data like r"%.msi;%" or Reg.Value.Data like r"%.htm;%" or Reg.Value.Data like r"%.html;%"))
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
+GenericProperty2 = Reg.Value.Data
 [ThreatDetectionRule platform=Windows]
-# Detects the execution of Rundll32.exe with DLL files masquerading as image files
-# Author: Hieu Tran
-RuleId = 4aa6040b-3f28-44e3-a769-9208e5feb5ec
-RuleName = Suspicious Rundll32 Execution With Image Extension
+# Detects suspicious and uncommon child processes of WmiPrvSE
+# Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
+RuleId = 8a582fe2-0882-4b89-a82a-da6b2dc32937
+RuleName = Suspicious WmiPrvSE Child Process
 EventType = Process.Start
-Tag = proc-start-suspicious-rundll32-execution-with-image-extension
+Tag = proc-start-suspicious-wmiprvse-child-process
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1218.011"], "author": "Hieu Tran"}
-Query = (Process.Path like r"%\\rundll32.exe" or Process.Name == "RUNDLL32.exe") and (Process.CommandLine like r"%.bmp%" or Process.CommandLine like r"%.cr2%" or Process.CommandLine like r"%.eps%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.ico%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.nef%" or Process.CommandLine like r"%.orf%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.raw%" or Process.CommandLine like r"%.sr2%" or Process.CommandLine like r"%.tif%" or Process.CommandLine like r"%.tiff%")
+Annotation = {"mitre_attack": ["T1047", "T1204.002", "T1218.010"], "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)"}
+Query = Parent.Path like r"%\\wbem\\WmiPrvSE.exe" and (Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\verclsid.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cmd.exe" and (Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%pwsh%" or Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%wscript%")) and not (Process.Path like r"%\\WerFault.exe" or Process.Path like r"%\\WmiPrvSE.exe" or Process.Path like r"%\\msiexec.exe" and Process.CommandLine like r"%/i %")
+GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=Windows]
-# Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6
-RuleName = Mstsc.EXE Execution From Uncommon Parent
-EventType = Process.Start
-Tag = proc-start-mstsc.exe-execution-from-uncommon-parent
+# Detects registry keys related to NetWire RAT
+# Author: Christopher Peacock
+RuleId = 1d218616-71b0-4c40-855b-9dbe75510f7f
+RuleName = Potential NetWire RAT Activity - Registry
+EventType = Reg.Any
+Tag = potential-netwire-rat-activity-registry
 RiskScore = 75
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Parent.Path like r"%\\brave.exe" or Parent.Path like r"%\\CCleanerBrowser.exe" or Parent.Path like r"%\\chrome.exe" or Parent.Path like r"%\\chromium.exe" or Parent.Path like r"%\\firefox.exe" or Parent.Path like r"%\\iexplore.exe" or Parent.Path like r"%\\microsoftedge.exe" or Parent.Path like r"%\\msedge.exe" or Parent.Path like r"%\\opera.exe" or Parent.Path like r"%\\vivaldi.exe" or Parent.Path like r"%\\whale.exe" or Parent.Path like r"%\\outlook.exe") and (Process.Path like r"%\\mstsc.exe" or Process.Name == "mstsc.exe")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1112"], "author": "Christopher Peacock"}
+Query = Reg.EventType == "CreateKey" and Reg.TargetObject like r"%\\software\\NetWire%"
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
+GenericProperty2 = Reg.EventType
 [ThreatDetectionRule platform=Windows]
-# Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
-# Author: Samir Bousseaden
-RuleId = 52753ea4-b3a0-4365-910d-36cff487b789
-RuleName = Hijack Legit RDP Session to Move
Laterally -EventType = File.Create -Tag = hijack-legit-rdp-session-to-move-laterally +# Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 7f2954d2-99c2-4d42-a065-ca36740f187b +RuleName = Hypervisor Enforced Paging Translation Disabled +EventType = Reg.Any +Tag = hypervisor-enforced-paging-translation-disabled RiskScore = 75 -Annotation = {"mitre_attack": ["T1219"], "author": "Samir Bousseaden"} -Query = Process.Path like r"%\\mstsc.exe" and File.Path like r"%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\DisableHypervisorEnforcedPagingTranslation" and Reg.Value.Data == "DWORD (0x00000001)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block -# Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community -RuleId = 4bf943c6-5146-4273-98dd-e958fd1e3abf -RuleName = Invoke-Obfuscation Obfuscated IEX Invocation +# Detects usage of bitsadmin downloading a file to a suspicious target folder +# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +RuleId = 2ddef153-167b-4e89-86b6-757a9e65dcac +RuleName = File Download Via Bitsadmin To A Suspicious Target Folder EventType = Process.Start -Tag = proc-start-invoke-obfuscation-obfuscated-iex-invocation +Tag = proc-start-file-download-via-bitsadmin-to-a-suspicious-target-folder RiskScore = 75 -Annotation = {"mitre_attack": ["T1027", "T1059.001"], "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community"} -Query = 
Process.CommandLine regex "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or Process.CommandLine regex "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or Process.CommandLine regex "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or Process.CommandLine regex "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or Process.CommandLine regex "\\*mdr\\*\\W\\s*\\)\\.Name" or Process.CommandLine regex "\\$VerbosePreference\\.ToString\\(" or Process.CommandLine regex "\\[String\\]\\s*\\$VerbosePreference" +Annotation = {"mitre_attack": ["T1197", "T1036.003"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\bitsadmin.exe" or Process.Name == "bitsadmin.exe") and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%:\\Perflogs%" or Process.CommandLine like r"%:\\ProgramData\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Roaming\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\%ProgramData\%%" or Process.CommandLine like r"%\%public\%%") [ThreatDetectionRule platform=Windows] -# Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. 
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 -# Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) -RuleId = 982e9f2d-1a85-4d5b-aea4-31f5e97c6555 -RuleName = Suspicious WebDav Client Execution Via Rundll32.EXE +# Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. +# This detection assumes that PowerShell commands are passed via the CommandLine. +# Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems) +RuleId = 6812a10b-60ea-420c-832f-dfcc33b646ba +RuleName = Potential PowerShell Execution Via DLL EventType = Process.Start -Tag = proc-start-suspicious-webdav-client-execution-via-rundll32.exe +Tag = proc-start-potential-powershell-execution-via-dll RiskScore = 75 -Annotation = {"mitre_attack": ["T1048.003"], "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)"} -Query = Parent.Path like r"%\\svchost.exe" and Parent.CommandLine like r"%-s WebClient%" and Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%C:\\windows\\system32\\davclnt.dll,DavSetCookie%" and Process.CommandLine regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" and not (Process.CommandLine like r"%://10.%" or Process.CommandLine like r"%://192.168.%" or Process.CommandLine like r"%://172.16.%" or Process.CommandLine like r"%://172.17.%" or Process.CommandLine like r"%://172.18.%" or Process.CommandLine like r"%://172.19.%" or Process.CommandLine like r"%://172.20.%" or Process.CommandLine like r"%://172.21.%" or Process.CommandLine like r"%://172.22.%" or Process.CommandLine like r"%://172.23.%" or Process.CommandLine like r"%://172.24.%" or Process.CommandLine like r"%://172.25.%" or Process.CommandLine like r"%://172.26.%" or Process.CommandLine like r"%://172.27.%" or Process.CommandLine like r"%://172.28.%" or Process.CommandLine 
like r"%://172.29.%" or Process.CommandLine like r"%://172.30.%" or Process.CommandLine like r"%://172.31.%" or Process.CommandLine like r"%://127.%" or Process.CommandLine like r"%://169.254.%") -GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine +Annotation = {"mitre_attack": ["T1218.011"], "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\InstallUtil.exe" or Process.Path like r"%\\RegAsm.exe" or Process.Path like r"%\\RegSvcs.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Name in ["InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.EXE", "RUNDLL32.EXE"]) and (Process.CommandLine like r"%Default.GetString%" or Process.CommandLine like r"%DownloadString%" or Process.CommandLine like r"%FromBase64String%" or Process.CommandLine like r"%ICM %" or Process.CommandLine like r"%IEX %" or Process.CommandLine like r"%Invoke-Command%" or Process.CommandLine like r"%Invoke-Expression%") [ThreatDetectionRule platform=Windows] -# Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware. -# Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -RuleId = 1444443e-6757-43e4-9ea4-c8fc705f79a2 -RuleName = Boot Configuration Tampering Via Bcdedit.EXE +# Detects suspicious processes including shells spawnd from WinRM host process +# Author: Andreas Hunkeler (@Karneades), Markus Neis +RuleId = 5cc2cda8-f261-4d88-a2de-e9e193c86716 +RuleName = Suspicious Processes Spawned by WinRM EventType = Process.Start -Tag = proc-start-boot-configuration-tampering-via-bcdedit.exe +Tag = proc-start-suspicious-processes-spawned-by-winrm RiskScore = 75 -Annotation = {"mitre_attack": ["T1490"], "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community"} -Query = (Process.Path like r"%\\bcdedit.exe" or Process.Name == "bcdedit.exe") and Process.CommandLine like r"%set%" and (Process.CommandLine like r"%bootstatuspolicy%" and Process.CommandLine like r"%ignoreallfailures%" or Process.CommandLine like r"%recoveryenabled%" and Process.CommandLine like r"%no%") +Annotation = {"mitre_attack": ["T1190"], "author": "Andreas Hunkeler (@Karneades), Markus Neis"} +Query = Parent.Path like r"%\\wsmprovhost.exe" and (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\wsl.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\bitsadmin.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. -# This could be a sign of obfuscation of a fat finger problem (typo by the developer). +# Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. +# Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards. 
# Author: Florian Roth (Nextron Systems) -RuleId = a16980c2-0c56-4de0-9a79-17971979efdd -RuleName = Cmd.EXE Missing Space Characters Execution Anomaly -EventType = Process.Start -Tag = proc-start-cmd.exe-missing-space-characters-execution-anomaly +RuleId = de46c52b-0bf8-4936-a327-aace94f94ac6 +RuleName = Process Explorer Driver Creation By Non-Sysinternals Binary +EventType = File.Create +Tag = process-explorer-driver-creation-by-non-sysinternals-binary RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.CommandLine like r"%cmd.exe/c%" or Process.CommandLine like r"%\\cmd/c%" or Process.CommandLine like r"%\"cmd/c%" or Process.CommandLine like r"%cmd.exe/k%" or Process.CommandLine like r"%\\cmd/k%" or Process.CommandLine like r"%\"cmd/k%" or Process.CommandLine like r"%cmd.exe/r%" or Process.CommandLine like r"%\\cmd/r%" or Process.CommandLine like r"%\"cmd/r%" or Process.CommandLine like r"%/cwhoami%" or Process.CommandLine like r"%/cpowershell%" or Process.CommandLine like r"%/cschtasks%" or Process.CommandLine like r"%/cbitsadmin%" or Process.CommandLine like r"%/ccertutil%" or Process.CommandLine like r"%/kwhoami%" or Process.CommandLine like r"%/kpowershell%" or Process.CommandLine like r"%/kschtasks%" or Process.CommandLine like r"%/kbitsadmin%" or Process.CommandLine like r"%/kcertutil%" or Process.CommandLine like r"%cmd.exe /c%" or Process.CommandLine like r"%cmd /c%" or Process.CommandLine like r"%cmd.exe /k%" or Process.CommandLine like r"%cmd /k%" or Process.CommandLine like r"%cmd.exe /r%" or Process.CommandLine like r"%cmd /r%") and not (Process.CommandLine like r"%cmd.exe /c %" or Process.CommandLine like r"%cmd /c %" or Process.CommandLine like r"%cmd.exe /k %" or Process.CommandLine like r"%cmd /k %" or Process.CommandLine like r"%cmd.exe /r %" or Process.CommandLine like r"%cmd /r %" or Process.CommandLine like r"%AppData\\Local\\Programs\\Microsoft VS 
Code\\resources\\app\\node\_modules%" or Process.CommandLine like r"%cmd.exe/c ." or Process.CommandLine == "cmd.exe /c") +Annotation = {"mitre_attack": ["T1068"], "author": "Florian Roth (Nextron Systems)"} +Query = File.Path like r"%\\PROCEXP%" and File.Path like r"%.sys" and not (Process.Path like r"%\\procexp.exe" or Process.Path like r"%\\procexp64.exe") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities -# Author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior -RuleId = 9ac94dc8-9042-493c-ba45-3b5e7c86b980 -RuleName = Disable Important Scheduled Task -EventType = Process.Start -Tag = proc-start-disable-important-scheduled-task +# Detects loading of known vulnerable drivers via their hash. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8 +RuleName = Vulnerable Driver Load +EventType = Driver.Load +Tag = vulnerable-driver-load RiskScore = 75 -Annotation = {"mitre_attack": ["T1489"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior"} -Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Change%" and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%/disable%" and (Process.CommandLine like r"%\\Windows\\BitLocker%" or Process.CommandLine like r"%\\Windows\\ExploitGuard%" or Process.CommandLine like r"%\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh%" or Process.CommandLine like r"%\\Windows\\SystemRestore\\SR%" or Process.CommandLine like r"%\\Windows\\UpdateOrchestrator\\%" or Process.CommandLine like r"%\\Windows\\Windows Defender\\%" or Process.CommandLine like r"%\\Windows\\WindowsBackup\\%" or Process.CommandLine like r"%\\Windows\\WindowsUpdate\\%") +Annotation = {"mitre_attack": ["T1543.003", "T1068"], "author": "Nasreddine Bencherchali (Nextron 
Systems)"} +Query = Image.Hashes like r"%MD5=c996d7971c49252c582171d9380360f2%" or Image.Hashes like r"%MD5=da7e98b23b49b7293ee06713032c74f6%" or Image.Hashes like r"%MD5=9496585198d726000ea505abc39dbfe9%" or Image.Hashes like r"%MD5=649ff59b8e571c1fc6535b31662407aa%" or Image.Hashes like r"%MD5=4429f85e2415742c7cf8c9f54905c4b9%" or Image.Hashes like r"%MD5=a610cd4c762b5af8575285dafb9baa8f%" or Image.Hashes like r"%MD5=d5e76d125d624f8025d534f49e3c4162%" or Image.Hashes like r"%MD5=9c8fffef24fc480917236f9a20b80a47%" or Image.Hashes like r"%MD5=65b979bcab915c3922578fe77953d789%" or Image.Hashes like r"%MD5=598f8fb2317350e5f90b7bd16baf5738%" or Image.Hashes like r"%MD5=6691e873354f1914692df104718eebad%" or Image.Hashes like r"%MD5=4814205270caa80d35569eee8081838e%" or Image.Hashes like r"%MD5=7f9128654c3def08c28e0e13efff0fee%" or Image.Hashes like r"%MD5=ce952204558ea66ec1a9632dcbdde8bd%" or Image.Hashes like r"%MD5=0c0195c48b6b8582fa6f6373032118da%" or Image.Hashes like r"%MD5=370a4ca29a7cf1d6bc0744afc12b236c%" or Image.Hashes like r"%MD5=67e03f83c503c3f11843942df32efe5a%" or Image.Hashes like r"%MD5=8a70921638ff82bb924456deadcd20e6%" or Image.Hashes like r"%MD5=8a212a246b3c41f3ddce5888aaaaacd6%" or Image.Hashes like r"%MD5=a346417e9ae2c17a8fbf73302eeb611d%" or Image.Hashes like r"%MD5=d4f7c14e92b36c341c41ae93159407dd%" or Image.Hashes like r"%MD5=748cf64b95ca83abc35762ad2c25458f%" or Image.Hashes like r"%MD5=79ab228766c76cfdf42a64722821711e%" or Image.Hashes like r"%MD5=ce67e51b8c0370d1bfe421b79fa8b656%" or Image.Hashes like r"%MD5=25190f667f31318dd9a2e36383d5709f%" or Image.Hashes like r"%MD5=1f263a57c5ef46c8577744ecb32c9548%" or Image.Hashes like r"%MD5=c6cfa2d6e4c443e673c2c12417ea3001%" or Image.Hashes like r"%MD5=cceb3a7e3bd0203c807168b393a65a74%" or Image.Hashes like r"%MD5=56b54823a79a53747cbe11f8c4db7b1e%" or Image.Hashes like r"%MD5=988dabdcf990b134b0ac1e00512c30c4%" or Image.Hashes like r"%MD5=09e77d71d626574e6142894caca6e6dd%" or Image.Hashes like 
r"%MD5=c832a4313ff082258240b61b88efa025%" or Image.Hashes like r"%MD5=44499d3cab387aa78a4a6eca2ac181fb%" or Image.Hashes like r"%MD5=6ff59faea912903af0ba8e80e58612bc%" or Image.Hashes like r"%MD5=7461f0f9b931044a9d5f1d44eb4e8e09%" or Image.Hashes like r"%MD5=08bac71557df8a9b1381c8c165f64520%" or Image.Hashes like r"%MD5=fea9319d67177ed6f36438d2bd9392fb%" or Image.Hashes like r"%MD5=6dd82d91f981893be57ff90101a7f7f1%" or Image.Hashes like r"%MD5=d4119a5cb07ce945c6549eae74e39731%" or Image.Hashes like r"%MD5=cf1113723e3c1c71af80d228f040c198%" or Image.Hashes like r"%MD5=0e625b7a7c3f75524e307b160f8db337%" or Image.Hashes like r"%MD5=6e1faeee0ebfcb384208772410fe1e86%" or Image.Hashes like r"%MD5=58a92520dda53166e322118ee0503364%" or Image.Hashes like r"%MD5=916ba55fc004b85939ee0cc86a5191c5%" or Image.Hashes like r"%MD5=f16b44cca74d3c3645e4c0a6bb5c0cb9%" or Image.Hashes like r"%MD5=db2fc89098ac722dabe3c37ed23de340%" or Image.Hashes like r"%MD5=6f5cf7feb9bb8108b68f169b8e625ffe%" or Image.Hashes like r"%MD5=d2588631d8aae2a3e54410eaf54f0679%" or Image.Hashes like r"%MD5=72acbdd8fac58b71b301980eab3ebfc8%" or Image.Hashes like r"%MD5=9cc757a18b86408efc1ce3ed20cbcdac%" or Image.Hashes like r"%MD5=230fd3749904ca045ea5ec0aa14006e9%" or Image.Hashes like r"%MD5=79329e2917623181888605bc5b302711%" or Image.Hashes like r"%MD5=3e4a1384a27013ab7b767a88b8a1bd34%" or Image.Hashes like r"%MD5=bafd6bad121e42f940a0b8abc587eadf%" or Image.Hashes like r"%MD5=02a1d77ef13bd41cad04abcce896d0b9%" or Image.Hashes like r"%MD5=de331f863627dc489f547725d7292bbd%" or Image.Hashes like r"%MD5=29122f970a9e766ef01a73e0616d68b3%" or Image.Hashes like r"%MD5=2b8814cff6351c2b775387770053bdec%" or Image.Hashes like r"%MD5=332db70d2c5c332768ab063ba6ac8433%" or Image.Hashes like r"%MD5=40f39a98fb513411dacdfc5b2d972206%" or Image.Hashes like r"%MD5=644d687c9f96c82ea2974ccacd8cd549%" or Image.Hashes like r"%MD5=825703c494e0d270f797f1ecf070f698%" or Image.Hashes like r"%MD5=afae2a21e36158f5cf4f76f896649c75%" or 
Image.Hashes like r"%MD5=dd050e79c515e4a6d1ae36cac5545025%" or Image.Hashes like r"%MD5=6133e1008f8c6fc32d4b1a60941bab85%" or Image.Hashes like r"%MD5=0e2fc7e7f85c980eb698b9e468c20366%" or Image.Hashes like r"%MD5=94c80490b02cc655d2d80597c3aef08f%" or Image.Hashes like r"%MD5=4d487f77be4471900d6ccbc47242cc25%" or Image.Hashes like r"%MD5=2e3dbb01b282a526bdc3031e0663c41c%" or Image.Hashes like r"%MD5=93a23503e26773c27ed1da06bb79e7a4%" or Image.Hashes like r"%MD5=ffd0c87d9bf894af26823fbde94c71b6%" or Image.Hashes like r"%MD5=a86150f2e29b35369afa2cafd7aa9764%" or Image.Hashes like r"%MD5=6126065af2fc2639473d12ee3c0c198e%" or Image.Hashes like r"%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%" or Image.Hashes like r"%MD5=f0db5af13c457a299a64cf524c64b042%" or Image.Hashes like r"%MD5=e5e8ecb20bc5630414707295327d755e%" or Image.Hashes like r"%MD5=659a59d7e26b7730361244e12201378e%" or Image.Hashes like r"%MD5=8f47af49c330c9fcf3451ad2252b9e04%" or Image.Hashes like r"%MD5=dd9596c18818288845423c68f3f39800%" or Image.Hashes like r"%MD5=a7d3ebfb3843ee28d9ca18b496bd0eb2%" or Image.Hashes like r"%MD5=20125794b807116617d43f02b616e092%" or Image.Hashes like r"%MD5=46cae59443ae41f4dbb42e050a9b501a%" or Image.Hashes like r"%MD5=21e13f2cb269defeae5e1d09887d47bb%" or Image.Hashes like r"%MD5=5bab40019419a2713298a5c9173e5d30%" or Image.Hashes like r"%MD5=7314c2bc19c6608d511ef36e17a12c98%" or Image.Hashes like r"%MD5=24061b0958874c1cb2a5a8e9d25482d4%" or Image.Hashes like r"%MD5=31a4631d77b2357ac9618e2a60021f11%" or Image.Hashes like r"%MD5=130c5aec46bdec8d534df7222d160fdb%" or Image.Hashes like r"%MD5=592065b29131af32aa18a9e546be9617%" or Image.Hashes like r"%MD5=2d64d681d79e0d26650928259530c075%" or Image.Hashes like r"%MD5=1ce19950e23c975f677b80ff59d04fae%" or Image.Hashes like r"%MD5=318e309e11199ec69d8928c46a4d901b%" or Image.Hashes like r"%MD5=d78a29306f42d42cd48ad6bc6c6a7602%" or Image.Hashes like r"%MD5=6a094d8e4b00dd1d93eb494099e98478%" or Image.Hashes like 
r"%MD5=0be80db5d9368fdb29fe9d9bfdd02e7c%" or Image.Hashes like r"%MD5=ba23266992ad964eff6d358d946b76bd%" or Image.Hashes like r"%MD5=560069dc51d3cc7f9cf1f4e940f93cae%" or Image.Hashes like r"%MD5=a785b3bc4309d2eb111911c1b55e793f%" or Image.Hashes like r"%MD5=ac591a3b4df82a589edbb236263ec70a%" or Image.Hashes like r"%MD5=a664904f69756834049e9e272abb6fea%" or Image.Hashes like r"%MD5=19f32bf24b725f103f49dc3fa2f4f0bd%" or Image.Hashes like r"%MD5=2509a71a02296aa65a3428ddfac22180%" or Image.Hashes like r"%MD5=9988fc825675d4d3e2298537fc78e303%" or Image.Hashes like r"%MD5=dab9142dc12480bb39f25c9911df6c6c%" or Image.Hashes like r"%MD5=2c47725db0c5eb5c2ecc32ff208bceb6%" or Image.Hashes like r"%MD5=bdfe1f0346c066971e1f3d96f7fdaa2c%" or Image.Hashes like r"%MD5=7644bed8b74dc294ac77bf406df8ad77%" or Image.Hashes like r"%MD5=9ade14e58996a6abbfe2409d6cddba6a%" or Image.Hashes like r"%MD5=5212e0957468d3f94d90fa7a0f06b58f%" or Image.Hashes like r"%MD5=96e10a2904fff9491762a4fb549ad580%" or Image.Hashes like r"%MD5=0c55128c301921ce71991a6d546756ad%" or Image.Hashes like r"%MD5=97e90c869b5b0f493b833710931c39ed%" or Image.Hashes like r"%MD5=f36b8094c2fbf57f99870bfaeeacb25c%" or Image.Hashes like r"%MD5=b3d6378185356326fd8ee4329b0b7698%" or Image.Hashes like r"%MD5=9321a61a25c7961d9f36852ecaa86f55%" or Image.Hashes like r"%MD5=f758e7d53184faab5bc51f751937fa36%" or Image.Hashes like r"%MD5=1f7b2a00fe0c55d17d1b04c5e0507970%" or Image.Hashes like r"%MD5=239224202ccdea1f09813a70be8413ee%" or Image.Hashes like r"%MD5=996ded363410dfd38af50c76bd5b4fbc%" or Image.Hashes like r"%MD5=0fc2653b1c45f08ca0abd1eb7772e3c0%" or Image.Hashes like r"%MD5=79b8119b012352d255961e76605567d6%" or Image.Hashes like r"%MD5=2e1f8a2a80221deb93496a861693c565%" or Image.Hashes like r"%MD5=697bbd86ee1d386ae1e99759b1e38919%" or Image.Hashes like r"%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%" or Image.Hashes like r"%MD5=2971d4ee95f640d2818e38d8877c8984%" or Image.Hashes like r"%MD5=962a33a191dbe56915fd196e3a868cf0%" or 
Image.Hashes like r"%MD5=7575b35fee4ec8dbd0a61dbca3b972e3%" or Image.Hashes like r"%MD5=2d7f1c02b94d6f0f3e10107e5ea8e141%" or Image.Hashes like r"%MD5=057ec65bac5e786affeb97c0a0d1db15%" or Image.Hashes like r"%MD5=483abeee17e4e30a760ec8c0d6d31d6d%" or Image.Hashes like r"%MD5=f23b2adcfab58e33872e5c2d0041ad88%" or Image.Hashes like r"%MD5=2601cf769ad6ffee727997679693f774%" or Image.Hashes like r"%MD5=b4598c05d5440250633e25933fff42b0%" or Image.Hashes like r"%MD5=2e5f016ff9378be41fe98fa62f99b12d%" or Image.Hashes like r"%MD5=75d6c3469347de1cdfa3b1b9f1544208%" or Image.Hashes like r"%MD5=828bb9cb1dd449cd65a29b18ec46055f%" or Image.Hashes like r"%MD5=1bd38ac06ef8709ad23af666622609c9%" or Image.Hashes like r"%MD5=e747f164fc89566f934f9ec5627cd8c3%" or Image.Hashes like r"%MD5=a01c412699b6f21645b2885c2bae4454%" or Image.Hashes like r"%MD5=a216803d691d92acc44ac77d981aa767%" or Image.Hashes like r"%MD5=112b4a6d8c205c1287c66ad0009c3226%" or Image.Hashes like r"%MD5=68dde686d6999ad2e5d182b20403240b%" or Image.Hashes like r"%MD5=2d854c6772f0daa8d1fde4168d26c36b%" or Image.Hashes like r"%MD5=9a9dbf5107848c254381be67a4c1b1dd%" or Image.Hashes like r"%MD5=3ecd3ca61ffc54b0d93f8b19161b83da%" or Image.Hashes like r"%MD5=1ad400766530669d14a077514599e7f3%" or Image.Hashes like r"%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%" or Image.Hashes like r"%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%" or Image.Hashes like r"%MD5=043d5a1fc66662a3f91b8a9c027f9be9%" or Image.Hashes like r"%MD5=a0e2223868b6133c5712ba5ed20c3e8a%" or Image.Hashes like r"%MD5=2b3e0db4f00d4b3d0b4d178234b02e72%" or Image.Hashes like r"%MD5=1610342659cb8eb4a0361dbc047a2221%" or Image.Hashes like r"%MD5=c842827d4704a5ef53a809463254e1cc%" or Image.Hashes like r"%MD5=bf2a954160cb155df0df433929e9102b%" or Image.Hashes like r"%MD5=81b72492d45982cd7a4a138676329fd6%" or Image.Hashes like r"%MD5=2a2867e1f323320fdeef40c1da578a9a%" or Image.Hashes like r"%MD5=b3f132ce34207b7be899f4978276b66d%" or Image.Hashes like 
r"%MD5=3247014ba35d406475311a2eab0c4657%" or Image.Hashes like r"%MD5=88d5fc86f0dd3a8b42463f8d5503a570%" or Image.Hashes like r"%MD5=0be5c6476dd58072c93af4fca62ee4b3%" or Image.Hashes like r"%MD5=3cf7a55ec897cc938aebb8161cb8e74f%" or Image.Hashes like r"%MD5=931d4f01b5a88027ef86437f1b862000%" or Image.Hashes like r"%MD5=d253c19194a18030296ae62a10821640%" or Image.Hashes like r"%MD5=c5f5d109f11aadebae94c77b27cb026f%" or Image.Hashes like r"%MD5=15dd3ef7df34f9b464e9b38c2deb0793%" or Image.Hashes like r"%MD5=e913a51f66e380837ffe8da6707d4cc4%" or Image.Hashes like r"%MD5=c552dae8eaadd708a38704e8d62cf64d%" or Image.Hashes like r"%MD5=1f8a9619ab644728ce4cf86f3ad879ea%" or Image.Hashes like r"%MD5=f7edd110de10f9a50c2922f1450819aa%" or Image.Hashes like r"%MD5=be17a598e0f5314748ade0871ad343e7%" or Image.Hashes like r"%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%" or Image.Hashes like r"%MD5=880686bceaf66bfde3c80569eb1ebfa7%" or Image.Hashes like r"%MD5=bc1eeb4993a601e6f7776233028ac095%" or Image.Hashes like r"%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%" or Image.Hashes like r"%MD5=3a1ba5cd653a9ddce30c58e7c8ae28ae%" or Image.Hashes like r"%MD5=5054083cf29649a76c94658ba7ff5bce%" or Image.Hashes like r"%MD5=dedd07993780d973c22c93e77ab69fa3%" or Image.Hashes like r"%MD5=3aacaa62758fa6d178043d78ba89bebc%" or Image.Hashes like r"%MD5=f1a203406a680cc7e4017844b129dcbf%" or Image.Hashes like r"%MD5=2399e6f7f868d05623be03a616b4811e%" or Image.Hashes like r"%MD5=0d5774527af6e30905317839686b449d%" or Image.Hashes like r"%MD5=5bbe4e52bd33f1cdd4cf38c7c65f80ae%" or Image.Hashes like r"%MD5=047c06d4d38ea443c9af23a501c4480d%" or Image.Hashes like r"%MD5=a72e10ecea2fdeb8b9d4f45d0294086b%" or Image.Hashes like r"%MD5=c9c25778efe890baa4087e32937016a0%" or Image.Hashes like r"%MD5=0ba6afe0ea182236f98365bd977adfdf%" or Image.Hashes like r"%MD5=e626956c883c7ff3aeb0414570135a58%" or Image.Hashes like r"%MD5=3e796eb95aca7e620d6a0c2118d6871b%" or Image.Hashes like r"%MD5=f3f5c518bc3715492cb0b7c59e94c357%" or 
Image.Hashes like r"%MD5=4e92f1c677e08fd09b57032c5b47ca46%" or Image.Hashes like r"%MD5=f22740ba54a400fd2be7690bb204aa08%" or Image.Hashes like r"%MD5=3467b0d996251dc56a72fc51a536dd6b%" or Image.Hashes like r"%MD5=198b723e13a270bb664dcb9fb6ed42e6%" or Image.Hashes like r"%MD5=bdc3b6b83dde7111d5d6b9a2aadf233f%" or Image.Hashes like r"%MD5=3651a6990fe38711ebb285143f867a43%" or Image.Hashes like r"%MD5=7db75077d53a63531ef2742d98ca6acc%" or Image.Hashes like r"%MD5=55c36d43dd930069148008902f431ea5%" or Image.Hashes like r"%MD5=f026460a7a720d0b8394f28a1f9203dc%" or Image.Hashes like r"%MD5=cb22776d06f1e81cc87faeb0245acde8%" or Image.Hashes like r"%MD5=b994110f069d197222508a724d8afdac%" or Image.Hashes like r"%MD5=e6eaee1b3e41f404c289e22df66ef66b%" or Image.Hashes like r"%MD5=29872c7376c42e2a64fa838dad98aa11%" or Image.Hashes like r"%MD5=d21fba3d09e5b060bd08796916166218%" or Image.Hashes like r"%MD5=880611326b768c4922e9da8a8effc582%" or Image.Hashes like r"%MD5=9c3c250646e11052b1e38500ee0e467b%" or Image.Hashes like r"%MD5=178cc9403816c082d22a1d47fa1f9c85%" or Image.Hashes like r"%MD5=2c1045bb133b7c9f5115e7f2b20c267a%" or Image.Hashes like r"%MD5=707ab1170389eba44ffd4cfad01b5969%" or Image.Hashes like r"%MD5=ddf2655068467d981242ea96e3b88614%" or Image.Hashes like r"%MD5=7907e14f9bcf3a4689c9a74a1a873cb6%" or Image.Hashes like r"%MD5=b3424a229d845a88340045c29327c529%" or Image.Hashes like r"%MD5=0b0447072ada1636a14087574a512c82%" or Image.Hashes like r"%MD5=0be4a11bc261f3cd8b4dbfebee88c209%" or Image.Hashes like r"%MD5=7dd538bcaa98d6c063ead8606066333f%" or Image.Hashes like r"%MD5=8a108158431e9a7d08e330fd7a46d175%" or Image.Hashes like r"%MD5=e6ea0e8d2edcc6cad3c414a889d17ac4%" or Image.Hashes like r"%MD5=288471f132c7249f598032d03575f083%" or Image.Hashes like r"%MD5=11fb599312cb1cf43ca5e879ed6fb71e%" or Image.Hashes like r"%MD5=2348508499406dec3b508f349949cb51%" or Image.Hashes like r"%MD5=fe820a5f99b092c3660762c6fc6c64e0%" or Image.Hashes like 
r"%MD5=c508d28487121828c3a1c2b57acb05be%" or Image.Hashes like r"%MD5=91755cc5c3ccf97313dc2bece813b4d9%" or Image.Hashes like r"%MD5=2f8653034a35526df88ea0c62b035a42%" or Image.Hashes like r"%MD5=3dbf69f935ea48571ea6b0f5a2878896%" or Image.Hashes like r"%MD5=7e3a6f880486a4782b896e6dbd9cc26f%" or Image.Hashes like r"%MD5=2850608430dd089f24386f3336c84729%" or Image.Hashes like r"%MD5=a711e6ab17802fabf2e69e0cd57c54cd%" or Image.Hashes like r"%MD5=2eec12c17d6b8deeeac485f47131d150%" or Image.Hashes like r"%MD5=e7ab83a655b0cd934a19d94ac81e4eec%" or Image.Hashes like r"%MD5=a91a1bc393971a662a3210dac8c17dfd%" or Image.Hashes like r"%MD5=2fed983ec44d1e7cffb0d516407746f2%" or Image.Hashes like r"%MD5=18439fe2aaeddfd355ef88091cb6c15f%" or Image.Hashes like r"%MD5=592756f68ab8ae590662b0c4212a3bb9%" or Image.Hashes like r"%MD5=d63c9c1a427a134461258b7b8742858f%" or Image.Hashes like r"%MD5=6e25148bb384469f3d5386dc5217548a%" or Image.Hashes like r"%MD5=700d6a0331befd4ed9cfbb3234b335e7%" or Image.Hashes like r"%MD5=e68972cd9f28f0be0f9df7207aba9d1d%" or Image.Hashes like r"%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%" or Image.Hashes like r"%MD5=c796a92a66ec725b7b7febbdc13dc69b%" or Image.Hashes like r"%MD5=5b6c21e8366220f7511e6904ffeeced9%" or Image.Hashes like r"%MD5=8741e6df191c805028b92cec44b1ba88%" or Image.Hashes like r"%MD5=b47dee29b5e6e1939567a926c7a3e6a4%" or Image.Hashes like r"%MD5=dff6c75c9754a6be61a47a273364cdf7%" or Image.Hashes like r"%MD5=d86269ba823c9ecf49a145540cd0b3df%" or Image.Hashes like r"%MD5=3c55092900343d3d28564e2d34e7be2c%" or Image.Hashes like r"%MD5=fef9dd9ea587f8886ade43c1befbdafe%" or Image.Hashes like r"%MD5=96c5900331bd17344f338d006888bae5%" or Image.Hashes like r"%MD5=7e7e3f5532b6af24dcc252ac4b240311%" or Image.Hashes like r"%MD5=c6f8983dd3d75640c072a8459b8fa55a%" or Image.Hashes like r"%MD5=1caf5070493459ba029d988dbb2c7422%" or Image.Hashes like r"%MD5=2b653950483196f0d175ba6bc35f1125%" or Image.Hashes like r"%MD5=15814b675e9d08953f2c64e4e5ccb4f4%" or 
Image.Hashes like r"%MD5=de4001f89ed139d1ed6ae5586d48997a%" or Image.Hashes like r"%MD5=dc943bf367ae77016ae399df8e71d38a%" or Image.Hashes like r"%MD5=524cd77f4c100cf20af4004f740b0268%" or Image.Hashes like r"%MD5=e5f8fcdfb52155ed4dffd8a205b3d091%" or Image.Hashes like r"%MD5=925ee3f3227c3b63e141ba16bd83f024%" or Image.Hashes like r"%MD5=fbf729350ca08a7673b115ce9c9eb7e5%" or Image.Hashes like r"%MD5=eb0a8eeb444033ebf9b4b304f114f2c8%" or Image.Hashes like r"%MD5=c7a57cd4bea07dadba2e2fb914379910%" or Image.Hashes like r"%MD5=384370c812acb7181f972d57dc77c324%" or Image.Hashes like r"%MD5=d43dcba796b40234267ad2862fa52600%" or Image.Hashes like r"%MD5=b0954711c133d284a171dd560c8f492a%" or Image.Hashes like r"%MD5=262969a3fab32b9e17e63e2d17a57744%" or Image.Hashes like r"%MD5=05a6f843c43d75fbce8e885bb8656aa4%" or Image.Hashes like r"%MD5=992ded5b623be3c228f32edb4ca3f2d2%" or Image.Hashes like r"%MD5=13a0d3f9d5f39adaca0a8d3bb327eb31%" or Image.Hashes like r"%MD5=f5051c756035ef5de9c4c48bacb0612b%" or Image.Hashes like r"%MD5=1276f735d22cf04676a719edc6b0df18%" or Image.Hashes like r"%MD5=d4a299c595d35264b5cfd12490a138dc%" or Image.Hashes like r"%MD5=f4e1997192d5a95a38965c9e15c687fc%" or Image.Hashes like r"%MD5=05369fa594a033e48b7921018b3263fb%" or Image.Hashes like r"%MD5=ed07f1a8038596574184e09211dfc30f%" or Image.Hashes like r"%MD5=e1ebc6c5257a277115a7e61ee3e5e42f%" or Image.Hashes like r"%MD5=821adf5ba68fd8cc7f4f1bc915fe47de%" or Image.Hashes like r"%MD5=b12d1630fd50b2a21fd91e45d522ba3a%" or Image.Hashes like r"%MD5=729dd4df669dc96e74f4180c6ee2a64b%" or Image.Hashes like r"%MD5=c6b5a3ae07b165a6e5fff7e31ff91016%" or Image.Hashes like r"%MD5=e36f6f7401ae11e11f69d744703914db%" or Image.Hashes like r"%MD5=9ba7c30177d2897bb3f7b3dc2f95ae0a%" or Image.Hashes like r"%MD5=b5326548762bfaae7a42d5b0898dfeac%" or Image.Hashes like r"%MD5=f2f728d2f69765f5dfda913d407783d2%" or Image.Hashes like r"%MD5=637cf50b06bc53deae846b252d56bbdc%" or Image.Hashes like 
r"%MD5=c37b575c3a96b9788c26cefcf43f3542%" or Image.Hashes like r"%MD5=e4266262a77fffdea2584283f6c4f51d%" or Image.Hashes like r"%MD5=054299e09cea38df2b84e6b29348b418%" or Image.Hashes like r"%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%" or Image.Hashes like r"%MD5=d717f8de642b65f029829c34fbd13a45%" or Image.Hashes like r"%MD5=e79c91c27df3eaf82fb7bd1280172517%" or Image.Hashes like r"%MD5=fd7de498a72b2daf89f321d23948c3c4%" or Image.Hashes like r"%MD5=6682176866d6bd6b4ea3c8e398bd3aae%" or Image.Hashes like r"%MD5=eb525d99a31eb4fff09814e83593a494%" or Image.Hashes like r"%MD5=e323413de3caec7f7730b43c551f26a0%" or Image.Hashes like r"%MD5=353e5d424668d785f13c904fde3bac84%" or Image.Hashes like r"%MD5=3b9698a9ee85f0b4edf150deef790ccd%" or Image.Hashes like r"%MD5=3f8cdaf7413000d34d6a1a1d5341a11b%" or Image.Hashes like r"%MD5=dcd966874b4c8c952662d2d16ddb4d7c%" or Image.Hashes like r"%MD5=3fda3d414c31ad73efd8ccceeaa3bdc2%" or Image.Hashes like r"%MD5=ca6931fcbc1492d7283aa9dc0149032e%" or Image.Hashes like r"%MD5=084bd27e151fef55b5d80025c3114d35%" or Image.Hashes like r"%MD5=7c887f2b1a56b84d86828529604957db%" or Image.Hashes like r"%MD5=c24800c382b38707e556af957e9e94fd%" or Image.Hashes like r"%MD5=f84da507b3067f019c340b737cd68d32%" or Image.Hashes like r"%MD5=d3026938514218766cb6d3b36ccfa322%" or Image.Hashes like r"%MD5=6917ef5d483ed30be14f8085eaef521b%" or Image.Hashes like r"%MD5=945ef111161bae49075107e5bc11a23f%" or Image.Hashes like r"%MD5=44a3b9cc0a8e89c11544932b295ea113%" or Image.Hashes like r"%MD5=6cc3c3be2de12310a35a6ab2aed141d6%" or Image.Hashes like r"%MD5=085d3423f3c12a17119920f1a293ab4d%" or Image.Hashes like r"%MD5=547971da89a47b6ad6459cd7d7854e12%" or Image.Hashes like r"%MD5=aa5dd4beca6f67733e04d9d050ecd523%" or Image.Hashes like r"%MD5=903c149851e9929ec45daefc544fcd99%" or Image.Hashes like r"%MD5=ba5f0f6347780c2ed911bbf888e75bef%" or Image.Hashes like r"%MD5=1873a2ce2df273d409c47094bc269285%" or Image.Hashes like r"%MD5=97e3a44ec4ae58c8cc38eefc613e950e%" or 
Image.Hashes like r"%MD5=1cb26adeca26aefb5a61065e990402da%" or Image.Hashes like r"%MD5=17fe96af33f1fe475957689aeb5f816e%" or Image.Hashes like r"%MD5=c5b8e612360277ac70aa328432a99fd6%" or Image.Hashes like r"%MD5=62f8d7f884366df6100c7e892e3d70bf%" or Image.Hashes like r"%MD5=a5deee418b7b580ca89db8a871dc1645%" or Image.Hashes like r"%MD5=5f44a01ccc530b34051b9d0ccb5bb842%" or Image.Hashes like r"%MD5=25ede0fd525a30d31998ea62876961ec%" or Image.Hashes like r"%MD5=1c61eb82f1269d8d6be8de2411133811%" or Image.Hashes like r"%MD5=338a98e1c27bc76f09331fcd7ae413a5%" or Image.Hashes like r"%MD5=f66b96aa7ae430b56289409241645099%" or Image.Hashes like r"%MD5=8ea94766cd7890483449dc193d267993%" or Image.Hashes like r"%MD5=75fa19142531cbf490770c2988a7db64%" or Image.Hashes like r"%MD5=ee3b74cdfed959782dff84153e3d5a6e%" or Image.Hashes like r"%MD5=fdf975524d4cdb4f127d79aac571ae9e%" or Image.Hashes like r"%MD5=688a10e87af9bcf0e40277d927923a00%" or Image.Hashes like r"%MD5=62792c30836ae7861c3ca2409cd35c02%" or Image.Hashes like r"%MD5=b62e2371158a082e239f5883bd6000d1%" or Image.Hashes like r"%MD5=1f01257d9730f805b2a1d69099ef891d%" or Image.Hashes like r"%MD5=b934322c68c30dceca96c0274a51f7b0%" or Image.Hashes like r"%MD5=76355d5eafdfa3e9b7580b9153de1f30%" or Image.Hashes like r"%MD5=9fdcd543574a712a80d62da8bfd8331c%" or Image.Hashes like r"%MD5=1440c0da81c700bd61142bc569477d81%" or Image.Hashes like r"%MD5=4c76554d9a72653c6156ca0024d21a8e%" or Image.Hashes like r"%MD5=148bd10da8c8d64928a213c7bf1f2fca%" or Image.Hashes like r"%MD5=95e4c7b0384da89dce8ea6f31c3613d9%" or Image.Hashes like r"%MD5=e6cb1728c50bd020e531d19a14904e1c%" or Image.Hashes like r"%MD5=62f02339fe267dc7438f603bfb5431a1%" or Image.Hashes like r"%MD5=0a4e6bd5cc2e9172e461408be47c3149%" or Image.Hashes like r"%MD5=28cb0b64134ad62c2acf77db8501a619%" or Image.Hashes like r"%MD5=4ecfb46fcdce95623f994bd29bbe59cb%" or Image.Hashes like r"%MD5=7ee0c884e7d282958c5b3a9e47f23e13%" or Image.Hashes like 
r"%MD5=dbc415304403be25ac83047c170b0ec2%" or Image.Hashes like r"%MD5=0c7f66cd219817eaab41f36d4bc0d4cd%" or Image.Hashes like r"%MD5=3c9c537167923723429c86ab38743e7d%" or Image.Hashes like r"%MD5=a57b47489febc552515778dd0fd1e51c%" or Image.Hashes like r"%MD5=680dcb5c39c1ec40ac3897bb3e9f27b9%" or Image.Hashes like r"%MD5=5f9785e7535f8f602cb294a54962c9e7%" or Image.Hashes like r"%MD5=e4ea7ebfa142d20a92fbe468a77eafa6%" or Image.Hashes like r"%MD5=32365e3e64d28cc94756ac9a09b67f06%" or Image.Hashes like r"%MD5=be9eeea2a8cac5f6cd92c97f234e2fe1%" or Image.Hashes like r"%MD5=5bd30b502168013c9ea03a5c2f1c9776%" or Image.Hashes like r"%MD5=ba21bfa3d05661ba216873a9ef66a6e2%" or Image.Hashes like r"%MD5=dad8f40626ed4702e0e8502562d93d7c%" or Image.Hashes like r"%MD5=8fbb1ffc6f13f9d5ee8480b36baffc52%" or Image.Hashes like r"%MD5=bedc99bbcedaf89e2ee1aa574c5a2fa4%" or Image.Hashes like r"%MD5=9dd414590e695ea208139c23db8a5aa3%" or Image.Hashes like r"%MD5=270052c61f4de95ebfbf3a49fb39235f%" or Image.Hashes like r"%MD5=19c0c18384d6a6d65462be891692df9c%" or Image.Hashes like r"%MD5=a26e600652c33dd054731b4693bf5b01%" or Image.Hashes like r"%MD5=8b779fe1d71839ad361226f66f1b3fe5%" or Image.Hashes like r"%MD5=8ad9dfc971df71cd43788ade6acf8e7d%" or Image.Hashes like r"%MD5=2dbc09c853c4bf2e058d29aaa21fa803%" or Image.Hashes like r"%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%" or Image.Hashes like r"%MD5=fef60a37301e1f5a3020fa3487fb2cd7%" or Image.Hashes like r"%MD5=4353b713487a2945b823423bbbf709bd%" or Image.Hashes like r"%MD5=875c44411674b75feb07592aeffa09c1%" or Image.Hashes like r"%MD5=b971b79bdca77e8755e615909a1c7a9f%" or Image.Hashes like r"%MD5=ad03f225247b58a57584b40a4d1746d3%" or Image.Hashes like r"%MD5=2229d5a9a92b62df4df9cf51f48436f7%" or Image.Hashes like r"%MD5=5bb840db439eb281927588dbce5f5418%" or Image.Hashes like r"%MD5=fd80c3d38669b302de4b4b736941c0d1%" or Image.Hashes like r"%MD5=d1440503d1528c55fdc569678a663667%" or Image.Hashes like r"%MD5=d1e57c74bafa56e8e2641290d153f4d2%" or 
Image.Hashes like r"%MD5=c9b046a6961957cc6c93a5192d3e61e3%" or Image.Hashes like r"%MD5=ff795e4f387c3e22291083b7d6b92ffb%" or Image.Hashes like r"%MD5=782f165b1d2db23f78e82fee0127cc14%" or Image.Hashes like r"%MD5=002a58b90a589913a07012253662c98c%" or Image.Hashes like r"%MD5=0211ab46b73a2623b86c1cfcb30579ab%" or Image.Hashes like r"%MD5=d0a5b98788e480c12afc65ad3e6d4478%" or Image.Hashes like r"%MD5=d6cc5709aca6a6b868962a6506d48abc%" or Image.Hashes like r"%MD5=08001b0cdb0946433366032827d7a187%" or Image.Hashes like r"%MD5=8fc6cafd4e63a3271edf6a1897a892ae%" or Image.Hashes like r"%MD5=0e207ef80361b3d047a2358d0e2206b4%" or Image.Hashes like r"%MD5=b10b210c5944965d0dc85e70a0b19a42%" or Image.Hashes like r"%MD5=006d9d615cdcc105f642ab599b66f94e%" or Image.Hashes like r"%MD5=b32497762d916dba6c827e31205b67dd%" or Image.Hashes like r"%MD5=f766a9bb7cd46ba8c871484058f908f0%" or Image.Hashes like r"%MD5=546db985012d988e4482acfae4a935a8%" or Image.Hashes like r"%MD5=700e9902b0a28979724582f116288bad%" or Image.Hashes like r"%MD5=0395b4e0eb21693590ad1cfdf7044b8b%" or Image.Hashes like r"%MD5=d95c9a241e52b4f967fa4cdb7b99fc80%" or Image.Hashes like r"%MD5=ee91da973bebe6442527b3d1abcc3c80%" or Image.Hashes like r"%MD5=1a234f4643f5658bab07bfa611282267%" or Image.Hashes like r"%MD5=1898ceda3247213c084f43637ef163b3%" or Image.Hashes like r"%MD5=1b5c3c458e31bede55145d0644e88d75%" or Image.Hashes like r"%MD5=42132c7a755064f94314b01afb80e73c%" or Image.Hashes like r"%MD5=1b76363059fef4f7da752eb0dfb0c1e1%" or Image.Hashes like r"%MD5=cc8855fe30a9cdef895177a4cf1a3dad%" or Image.Hashes like r"%MD5=6d4159694e1754f262e326b52a3b305a%" or Image.Hashes like r"%MD5=b7ca4c32c844df9b61634052ae276387%" or Image.Hashes like r"%MD5=361a598d8bb92c13b18abb7cac850b01%" or Image.Hashes like r"%MD5=27bcbeec8a466178a6057b64bef66512%" or Image.Hashes like r"%MD5=f310b453ac562f2c53d30aa6e35506bb%" or Image.Hashes like r"%MD5=14add4f16d80595e6e816abf038141e5%" or Image.Hashes like 
r"%MD5=ab53d07f18a9697139ddc825b466f696%" or Image.Hashes like r"%MD5=278761b706276f9b49e1e2fd21b9cb07%" or Image.Hashes like r"%MD5=60e84516c6ec6dfdae7b422d1f7cab06%" or Image.Hashes like r"%MD5=20afd54ca260e2bf6589fac72935fecf%" or Image.Hashes like r"%MD5=3ad7b36a584504b3c70b5f552ba33015%" or Image.Hashes like r"%MD5=9f3b5de6fe46429bed794813c6ae8421%" or Image.Hashes like r"%MD5=7b9717c608a5f5a1c816128a609e9575%" or Image.Hashes like r"%MD5=798de15f187c1f013095bbbeb6fb6197%" or Image.Hashes like r"%MD5=66066d9852bc65988fb4777f0ff3fbb4%" or Image.Hashes like r"%MD5=13dda15ef67eb265869fc371c72d6ef0%" or Image.Hashes like r"%MD5=63e333d64a8716e1ae59f914cb686ae8%" or Image.Hashes like r"%MD5=3411fdf098aa20193eee5ffa36ba43b2%" or Image.Hashes like r"%MD5=ad6d5177656dfc5b43def5d13d32f9f6%" or Image.Hashes like r"%MD5=97221e16e7a99a00592ca278c49ffbfc%" or Image.Hashes like r"%MD5=010c0e5ac584e3ab97a2daf84cf436f5%" or Image.Hashes like r"%MD5=29b1ddc69e89b160cc3722e5e0738fd8%" or Image.Hashes like r"%MD5=aad4fb47cb39a9ab4159662a29e1ee88%" or Image.Hashes like r"%MD5=4e093256b034925ecd6b29473ff16858%" or Image.Hashes like r"%MD5=51c233297c3aa16c4222e35ded1139b6%" or Image.Hashes like r"%MD5=9945823e9846724c70d2f8d66a403300%" or Image.Hashes like r"%MD5=aa2ef08d48b66bd814280976614468a7%" or Image.Hashes like r"%MD5=33fc573c0e8bedfe3614e17219273429%" or Image.Hashes like r"%MD5=c08063f052308b6f5882482615387f30%" or Image.Hashes like r"%MD5=c8c6fadcb7cb85f197ab77e6a7b67aa9%" or Image.Hashes like r"%MD5=3f29f651a3c4ff5ce16d61deccf46618%" or Image.Hashes like r"%MD5=08c1bce6627764c9f8c79439555c5636%" or Image.Hashes like r"%MD5=1da1cfe6aa15325c9ecf8f8c9b2cd12d%" or Image.Hashes like r"%MD5=c1d063c9422a19944cdaa6714623f2ec%" or Image.Hashes like r"%MD5=b0809d8adc254c52f9d06362489ce474%" or Image.Hashes like r"%MD5=a22626febc924eb219a953f1ee2b9600%" or Image.Hashes like r"%MD5=5a615f4641287e5e88968f5455627d45%" or Image.Hashes like r"%MD5=de2aac9468158c73880e31509924d7e0%" or 
Image.Hashes like r"%MD5=dd38cc344d2a0da1c03e92eb4b89a193%" or Image.Hashes like r"%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%" or Image.Hashes like r"%MD5=0634299fc837b47b531e4762d946b2ae%" or Image.Hashes like r"%MD5=e4ff4edce076f21f5f8d082a62c9db8b%" or Image.Hashes like r"%MD5=43ed1d08c19626688db34f63e55114fb%" or Image.Hashes like r"%MD5=6c28461e78f8d908ca9a66bad2e212f7%" or Image.Hashes like r"%MD5=8aa9d47ec9a0713c56b6dec3d601d105%" or Image.Hashes like r"%MD5=c9390a8f3ca511c1306a039ca5d80997%" or Image.Hashes like r"%MD5=c60a4bc4fec820d88113afb1da6e4db3%" or Image.Hashes like r"%MD5=6b3abe55c4d39e305a11b4d1091dfaac%" or Image.Hashes like r"%MD5=f4a31e08f89e5f002ef3cf7b1224af5f%" or Image.Hashes like r"%MD5=d7cf689e6c63d37bc071499f687300dd%" or Image.Hashes like r"%MD5=7c0b186d1912686cfcb8cd9cdebabe58%" or Image.Hashes like r"%MD5=8cb2ffb8bb0bbf8cd0dd685611854637%" or Image.Hashes like r"%MD5=9b359b722ac80c4e0a5235264e1e0156%" or Image.Hashes like r"%MD5=09927915aba84c8acd91efdaac674b86%" or Image.Hashes like r"%MD5=e4b50e44d1f12a47e18259b41074f126%" or Image.Hashes like r"%MD5=0ec361f2fba49c73260af351c39ff9cb%" or Image.Hashes like r"%MD5=65ad6a7c43f8d566afd5676f9447b6c1%" or Image.Hashes like r"%MD5=ddb7da975d90b2a9c9c58e1af55f0285%" or Image.Hashes like r"%MD5=8291dcbcbccc2ce28195d04ac616a1b5%" or Image.Hashes like r"%MD5=2da269863ed99be7b6b8ec2adc710648%" or Image.Hashes like r"%MD5=2ab9f5a66d75adb01171bb04ab4380f2%" or Image.Hashes like r"%MD5=3a7c69293fcd5688cc398691093ec06a%" or Image.Hashes like r"%MD5=13a2b915f6d93e52505656773d53096f%" or Image.Hashes like r"%MD5=7bd840ff7f15df79a9a71fec7db1243e%" or Image.Hashes like r"%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%" or Image.Hashes like r"%MD5=a1547e8b2ca0516d0d9191a55b8536c0%" or Image.Hashes like r"%MD5=e04ff937f6fd273b774f23aed5dd8c13%" or Image.Hashes like r"%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%" or Image.Hashes like r"%MD5=cb31f1b637056a3d374e22865c41e6d9%" or Image.Hashes like 
r"%MD5=c69c292e0b76b25a5fa0e16136770e11%" or Image.Hashes like r"%MD5=cebf532d1e3c109418687cb9207516ad%" or Image.Hashes like r"%MD5=eeb8e039f6d942538eb4b0252117899a%" or Image.Hashes like r"%MD5=4d99d02f49e027332a0a9c31c674e13b%" or Image.Hashes like r"%MD5=e9a30edef1105b8a64218f892b2e56ed%" or Image.Hashes like r"%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%" or Image.Hashes like r"%MD5=70196d88c03f2ea557281b24dad85de5%" or Image.Hashes like r"%MD5=708ac9f7b12b6ca4553fd8d0c7299296%" or Image.Hashes like r"%MD5=cafbf85b902f189ba35f3d7823aad195%" or Image.Hashes like r"%MD5=d48f681f70e19d2fa521df63bc72ab9e%" or Image.Hashes like r"%MD5=6ae9d25e02b54367a4e93c2492b8b02e%" or Image.Hashes like r"%MD5=f14359ceb3705d77353b244bb795b552%" or Image.Hashes like r"%MD5=0d992b69029d1f23a872ff5a3352fb5b%" or Image.Hashes like r"%MD5=9993a2a45c745bb0139bf3e8decd626c%" or Image.Hashes like r"%MD5=6d67da13cf84f15f6797ed929dd8cf5d%" or Image.Hashes like r"%MD5=c2eb4539a4f6ab6edd01bdc191619975%" or Image.Hashes like r"%MD5=349fa788a4a7b57e37e426aca9b736d5%" or Image.Hashes like r"%MD5=4c016fd76ed5c05e84ca8cab77993961%" or Image.Hashes like r"%MD5=ea14899d1bfba397bc731770765768d1%" or Image.Hashes like r"%MD5=4ec08e0bcdf3e880e7f5a7d78a73440c%" or Image.Hashes like r"%MD5=e65fa439efa9e5ad1d2c9aee40c7238e%" or Image.Hashes like r"%MD5=0898af0888d8f7a9544ef56e5e16354e%" or Image.Hashes like r"%MD5=10e681ce84afdd642e59ddfdb28284e9%" or Image.Hashes like r"%MD5=b5f96dd5cc7d14a9860ab99d161bf171%" or Image.Hashes like r"%MD5=37c3a9fef349d13685ec9c2acaaeafce%" or Image.Hashes like r"%MD5=027e10a5048b135862d638b9085d1402%" or Image.Hashes like r"%MD5=b0baac4d6cbac384a633c71858b35a2e%" or Image.Hashes like r"%MD5=d0a5f9ace1f0c459cef714156db1de02%" or Image.Hashes like r"%MD5=b34361d151c793415ef92ee5d368c053%" or Image.Hashes like r"%MD5=f0fdfdf3303e2f7c141aa3a24d523af1%" or Image.Hashes like r"%MD5=d424f369f7e010249619f0ecbe5f3805%" or Image.Hashes like r"%MD5=639252292bb40b3f10f8a6842aee3cd4%" or 
Image.Hashes like r"%MD5=7e6e2ed880c7ab115fca68136051f9ce%" or Image.Hashes like r"%MD5=f8dce1eb0f9fcaf07f68fe290aa629e4%" or Image.Hashes like r"%MD5=fa222bed731713904320723b9c085b11%" or Image.Hashes like r"%MD5=aa69b4255e786d968adbd75ba5cf3e93%" or Image.Hashes like r"%MD5=06ffbb2cbf5ac9ef95773b4f5c4c896a%" or Image.Hashes like r"%MD5=00685003005b0b437af929f0499545e4%" or Image.Hashes like r"%MD5=85e606523ce390f7fcd8370d5f4b812a%" or Image.Hashes like r"%MD5=23cf3da010497eb2bf39a5c5a57e437c%" or Image.Hashes like r"%MD5=dc9be271f403e2278071d6ece408ff28%" or Image.Hashes like r"%MD5=6b16512bffe88146a7915f749bd81641%" or Image.Hashes like r"%MD5=c2585e2696e21e25c05122e37e75a947%" or Image.Hashes like r"%MD5=165178829b5587a628977bfca6fd6900%" or Image.Hashes like r"%MD5=24156523b923fd9dcfdd0ac684dcdb20%" or Image.Hashes like r"%MD5=750d1f07ea9d10b38a33636036c30cca%" or Image.Hashes like r"%MD5=fc90bcc43daa48882be359a17b71abf7%" or Image.Hashes like r"%MD5=09672532194b4bff5e0f7a7d782c7bf2%" or Image.Hashes like r"%MD5=212bfd1ef00e199a365aeb74a8182609%" or Image.Hashes like r"%MD5=e3d290406de40c32095bd76dc88179fb%" or Image.Hashes like r"%MD5=715572dfe6fb10b16f980bfa242f3fa5%" or Image.Hashes like r"%MD5=c8f88ca47b393da6acf87fa190e81333%" or Image.Hashes like r"%MD5=d0c2caa17c7b6d2200e1b5aa9d07135e%" or Image.Hashes like r"%MD5=16a8e8437b94d6207af2f25fd4801b6d%" or Image.Hashes like r"%MD5=7bdf418a65ec33ec8ff47e7de705a4e1%" or Image.Hashes like r"%MD5=31f34de4374a6ed0e70a022a0efa2570%" or Image.Hashes like r"%MD5=cfad9185ffcf5850b5810c28b24d5fc8%" or Image.Hashes like r"%MD5=6ba221afb17342a3c81245a4958516a2%" or Image.Hashes like r"%MD5=f44f6ec546850ceb796a2cb528928a91%" or Image.Hashes like r"%MD5=34a7fab63a4ed5a0b61eb204828e08e5%" or Image.Hashes like r"%MD5=a92bf3c219a5fa82087b6c31bdf36ff3%" or Image.Hashes like r"%MD5=fa0d1fca7c5b44ce3b799389434fcaa5%" or Image.Hashes like r"%MD5=affe4764d880e78b2afb2643b15b8d41%" or Image.Hashes like 
r"%MD5=f80ceb0dbb889663f0bee058b109ce0e%" or Image.Hashes like r"%MD5=25ebe6f757129adbe78ec312a5f1800b%" or Image.Hashes like r"%MD5=7f7b8cde26c4943c9465e412adbb790f%" or Image.Hashes like r"%MD5=bfe96411cf67edb3cee2b9894b910cd5%" or Image.Hashes like r"%MD5=6e2178dc5f9e37e6b4b6cbdaef1b12b1%" or Image.Hashes like r"%MD5=0420fa6704fd0590c5ce7176fdada650%" or Image.Hashes like r"%MD5=7ed6030f14e66e743241f2c1fa783e69%" or Image.Hashes like r"%MD5=61e8367fb57297a949c9a80c2e0e5a38%" or Image.Hashes like r"%MD5=7951fa3096c99295d681acb0742506bf%" or Image.Hashes like r"%MD5=bcd60bf152fdec05cd40562b466be252%" or Image.Hashes like r"%MD5=376b1e8957227a3639ec1482900d9b97%" or Image.Hashes like r"%MD5=7331720a5522d5cd972623326cf87a3f%" or Image.Hashes like r"%MD5=8e78ab9b9709bafb11695a0a6eddeff9%" or Image.Hashes like r"%MD5=8abbb12e61045984eda19e2dc77b235e%" or Image.Hashes like r"%MD5=0199a59af05d9986842ecbdee3884f0c%" or Image.Hashes like r"%MD5=729afa54490443da66c2685bd77cb1f0%" or Image.Hashes like r"%MD5=95c88d25e211a4d52a82c53e5d93e634%" or Image.Hashes like r"%MD5=aa55dd14064cb808613d09195e3ba749%" or Image.Hashes like r"%MD5=ef1afb3a5ddad6795721f824690b4a69%" or Image.Hashes like r"%MD5=db46c56849bbce9a55a03283efc8c280%" or Image.Hashes like r"%MD5=991230087394738976dbd44f92516cae%" or Image.Hashes like r"%MD5=3af19d325f9dcdf360276ae5e7c136ea%" or Image.Hashes like r"%MD5=98763a3dee3cf03de334f00f95fc071a%" or Image.Hashes like r"%MD5=4b194021d6bd6650cbd1aed9370b2329%" or Image.Hashes like r"%MD5=517d484bdbad4637188ec7a908335b86%" or Image.Hashes like r"%MD5=2ddd3c0e23bc0fd63702910c597298b4%" or Image.Hashes like r"%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%" or Image.Hashes like r"%MD5=6bada94085b6709694f8327c211d12e1%" or Image.Hashes like r"%MD5=5c5f1c2dc6c2479bafec7c010c41c6ec%" or Image.Hashes like r"%MD5=ab81264493c218a0e875a0d50104ac9f%" or Image.Hashes like r"%MD5=ea2ff60fcce3b9ffe0bd77658b88512d%" or Image.Hashes like r"%MD5=76d1d4d285f74059f32b8ad19a146d0c%" or 
Image.Hashes like r"%MD5=b9cf3294c13cdea624ab95ca3e2e483f%" or Image.Hashes like r"%MD5=0cd0fe9d16b62415b116686a2f414f8c%" or Image.Hashes like r"%MD5=2503c4cf31588f0b011eb992ca3ee7ff%" or Image.Hashes like r"%MD5=f0470f82ba58bc4309f83a0f2aefa4d5%" or Image.Hashes like r"%MD5=db72def618cbc3c5f9aa82f091b54250%" or Image.Hashes like r"%MD5=2ff629de3667fcd606a0693951f1c1a9%" or Image.Hashes like r"%MD5=119f0656ab4bb872f79ee5d421e2b9f9%" or Image.Hashes like r"%MD5=55a7c51dc2aa959c41e391db8f6b8b4f%" or Image.Hashes like r"%MD5=009876ab9cf3a3d4e3fc3afe13ae839e%" or Image.Hashes like r"%MD5=f8a13d4413a93dd005fad116cbd6b6f7%" or Image.Hashes like r"%MD5=5093f38d597532d59d4df9018056f0d1%" or Image.Hashes like r"%MD5=00f887e74faad40e6e97d9d0e9c71370%" or Image.Hashes like r"%MD5=0215d0681979987fe908fb19dab83399%" or Image.Hashes like r"%MD5=7962d91b1f53ce55c7338788bd4eb378%" or Image.Hashes like r"%MD5=1bca427ab8e67a9db833eb8f0ff92196%" or Image.Hashes like r"%MD5=a730b97ab977aa444fa261902822a905%" or Image.Hashes like r"%MD5=a453083b8f4ca7cb60cac327e97edbe2%" or Image.Hashes like r"%MD5=afc2448b4080f695e76e059a96958cab%" or Image.Hashes like r"%MD5=4f963d716a60737e5b59299f00daf285%" or Image.Hashes like r"%MD5=ee59b64ae296a87bf7a6aee38ad09617%" or Image.Hashes like r"%MD5=1c9d2a993e99054050b596d88b307d95%" or Image.Hashes like r"%MD5=5cd0ec261c8c2a39d9105fbbcad4e5b9%" or Image.Hashes like r"%MD5=4c6d311e0b13c4f469f717db4ab4d0e7%" or Image.Hashes like r"%MD5=84fb76ee319073e77fb364bbbbff5461%" or Image.Hashes like r"%MD5=d660fc7255646d5014d45c3bca9c6e20%" or Image.Hashes like r"%MD5=ecccbf1e7c727f923c9d709707800e6c%" or Image.Hashes like r"%MD5=94ccef76fda12ab0b8270f9b2980552b%" or Image.Hashes like r"%MD5=f853abe0dc162601e66e4a346faed854%" or Image.Hashes like r"%MD5=154fd286c96665946d55a7d49923ad7e%" or Image.Hashes like r"%MD5=a5afd20e34bcd634ebd25b3ab2ff3403%" or Image.Hashes like r"%MD5=c9c7113f5e15f70fcc576e835c859d56%" or Image.Hashes like 
r"%MD5=ad22a7b010de6f9c6f39c350a471a440%" or Image.Hashes like r"%MD5=7a6a6d6921cd1a4e1d61f9672a4560d6%" or Image.Hashes like r"%MD5=9af5ae780b6a9ea485fa15f28ddb20a7%" or Image.Hashes like r"%MD5=1f15a513abc039533ca996552ba27e51%" or Image.Hashes like r"%MD5=d1bac75205c389d6d5d6418f0457c29b%" or Image.Hashes like r"%MD5=36527fdb70ed6f74b70a98129f82ad62%" or Image.Hashes like r"%MD5=3d5164e85d740bce0391e2b81d49d308%" or Image.Hashes like r"%MD5=30550db8f400b1e11593dffd644abb67%" or Image.Hashes like r"%MD5=b17fb1ad5e880467cf7e61b1ee8e3448%" or Image.Hashes like r"%MD5=6f5d54ab483659ac78672440422ae3f1%" or Image.Hashes like r"%MD5=f042e8318cf20957c2339d96690c3186%" or Image.Hashes like r"%MD5=5158f786afa19945d19bee9179065e4d%" or Image.Hashes like r"%MD5=328a2cb2da464b0c2beb898ff9ae9f3a%" or Image.Hashes like r"%MD5=e7273e17ac85dc4272c4c4400091a19e%" or Image.Hashes like r"%MD5=d74d202646e5a6d0d2c4207e1f949826%" or Image.Hashes like r"%MD5=9ce1b0e5cfa8223cec3be1c7616e9f63%" or Image.Hashes like r"%MD5=55cd6b46ac25bbe01245f2270a0d6cb8%" or Image.Hashes like r"%MD5=b8b6686324f7aa77f570bc019ec214e6%" or Image.Hashes like r"%MD5=d104621c93213942b7b43d65b5d8d33e%" or Image.Hashes like r"%MD5=8cc5a4045a80a822cbc1e9eadff8e533%" or Image.Hashes like r"%MD5=ef18d594c862d6d3704b777fa3445ac2%" or Image.Hashes like r"%MD5=b941c8364308990ee4cc6eadf7214e0f%" or Image.Hashes like r"%MD5=2ca1044a04cb2f0ce5bd0a5832981e04%" or Image.Hashes like r"%MD5=f8fe655b7d63dbdc53b0983a0d143028%" or Image.Hashes like r"%MD5=cd9f0fcecf1664facb3671c0130dc8bb%" or Image.Hashes like r"%MD5=3e9ee8418f22a8ae0e2bf6ff293988fa%" or Image.Hashes like r"%MD5=3bf217f8ef018ca5ea20947bfdfc0a4d%" or Image.Hashes like r"%MD5=778b7feea3c750d44745d3bf294bd4ce%" or Image.Hashes like r"%MD5=4514a0e8bcab7de4cff55999cdf00cd1%" or Image.Hashes like r"%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%" or Image.Hashes like r"%MD5=159f89d9870e208abd8b912c3d1d3ae9%" or Image.Hashes like r"%MD5=e425c66663c96d5a9f030b0ad4d219a8%" or 
Image.Hashes like r"%MD5=85b756463ab0c000f816260d49923cde%" or Image.Hashes like r"%MD5=acd221ff7cf10b6117fd609929cde395%" or Image.Hashes like r"%MD5=a87689b1067edacc48fddf90020dee23%" or Image.Hashes like r"%MD5=0d123be07e2dfd2b2ade49ad2a905a5b%" or Image.Hashes like r"%MD5=3ae11bde32cdbd8637124ada866a5a7e%" or Image.Hashes like r"%MD5=cc35379f0421b907004a9099611ee2cd%" or Image.Hashes like r"%MD5=23b807c09b9b6ea85ed5c508aab200b7%" or Image.Hashes like r"%MD5=26d973d6d9a0d133dfda7d8c1adc04b7%" or Image.Hashes like r"%MD5=eba6b88bc7bca21658bda9533f0bbff8%" or Image.Hashes like r"%MD5=9eb524c5f92e5b80374b8261292fdeb5%" or Image.Hashes like r"%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%" or Image.Hashes like r"%MD5=c61876aaca6ce822be18adb9d9bd4260%" or Image.Hashes like r"%MD5=aae268c4b593156bdae25af5a2a4af21%" or Image.Hashes like r"%MD5=de711decdd763a73098372f752bf5a1c%" or Image.Hashes like r"%MD5=1b32c54b95121ab1683c7b83b2db4b96%" or Image.Hashes like r"%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%" or Image.Hashes like r"%MD5=07493c774aa406478005e8fe52c788b2%" or Image.Hashes like r"%MD5=9b9d367cb53df0a2e0850760c840d016%" or Image.Hashes like r"%MD5=70c2c29643ee1edd3bbcd2ef1ffc9a73%" or Image.Hashes like r"%MD5=766f9ea38918827df59a6aed204d2b09%" or Image.Hashes like r"%MD5=f670d1570c75ab1d8e870c1c6e3baba1%" or Image.Hashes like r"%MD5=34edf3464c3f5605c1ca3a071f12e28c%" or Image.Hashes like r"%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%" or Image.Hashes like r"%MD5=31469f1313871690e8dc2e8ee4799b22%" or Image.Hashes like r"%MD5=79483cb29a0c428e1362ec8642109eee%" or Image.Hashes like r"%MD5=c607c37af638fa4eac751976a6afbaa6%" or Image.Hashes like r"%MD5=fb7637cfe8562095937f4d6cff420784%" or Image.Hashes like r"%MD5=d98d2f80b94f70780b46d1f079a38d93%" or Image.Hashes like r"%MD5=35fbc4c04c31c1a40e666be6529c6321%" or Image.Hashes like r"%MD5=969f1d19449dc5c2535dd5786093f651%" or Image.Hashes like r"%MD5=986f083e5fd01eea4ec3b2575a110a95%" or Image.Hashes like 
r"%MD5=ccf523b951afaa0147f22e2a7aae4976%" or Image.Hashes like r"%MD5=978cd6d9666627842340ef774fd9e2ac%" or Image.Hashes like r"%MD5=9d8cb58b9a9e177ddd599791a58a654d%" or Image.Hashes like r"%MD5=e3fda6120dfa016a76d975fdab7954f6%" or Image.Hashes like r"%MD5=e99e86480d4206beb898dda82b71ca44%" or Image.Hashes like r"%MD5=a2be99e4904264baa5649c4d4cd13a17%" or Image.Hashes like r"%MD5=563b33cfc3c815feff659caaa94edc33%" or Image.Hashes like r"%MD5=18b4bbeae6b07d2e21729b8698bbd25a%" or Image.Hashes like r"%MD5=f51065667fb127cf6de984daea2f6b24%" or Image.Hashes like r"%MD5=35c8fdf881909fa28c92b1c2741ac60b%" or Image.Hashes like r"%MD5=477e02a8e31cde2e76a8fb020df095c2%" or Image.Hashes like r"%MD5=6b6dfb6d952a2e36efd4a387fdb94637%" or Image.Hashes like r"%MD5=f7d963c14a691a022301afa31de9ecef%" or Image.Hashes like r"%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%" or Image.Hashes like r"%MD5=2e48c3b8042fdcef0ed435562407bd21%" or Image.Hashes like r"%MD5=ada5f19423f91795c0372ff39d745acf%" or Image.Hashes like r"%MD5=702d5606cf2199e0edea6f0e0d27cd10%" or Image.Hashes like r"%MD5=0809f48fd30845d983d569b847fa83cf%" or Image.Hashes like r"%MD5=743c403d20a89db5ed84c874768b7119%" or Image.Hashes like r"%MD5=ed6348707f177629739df73b97ba1b6e%" or Image.Hashes like r"%MD5=f33c3f08536f988aac84d72d83b139a6%" or Image.Hashes like r"%MD5=34686a4b10f239d781772e9e94486c1a%" or Image.Hashes like r"%MD5=d77fb9fb256b0c2ec0258c39b80dc513%" or Image.Hashes like r"%MD5=b2e4e588ce7b993cc31c18a0721d904d%" or Image.Hashes like r"%MD5=eda6e97b453388bb51ce84b8a11d9d13%" or Image.Hashes like r"%MD5=d90cdd8f2826e5ea3faf8e258f20dc40%" or Image.Hashes like r"%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%" or Image.Hashes like r"%MD5=b5ada7fd226d20ec6634fc24768f9e22%" or Image.Hashes like r"%MD5=843e39865b29bb3df825bd273f195a98%" or Image.Hashes like r"%MD5=7671bbf15b7a8c8f59a0c42a1765136a%" or Image.Hashes like r"%MD5=6c5e50ef2069896f408cdaaddd307893%" or Image.Hashes like r"%MD5=67b5b8607234bf63ce1e6a52b4a05f87%" or 
Image.Hashes like r"%MD5=24589081b827989b52d954dcd88035d0%" or Image.Hashes like r"%MD5=8fcf90cb5f9cb7205c075c662720f762%" or Image.Hashes like r"%MD5=812e960977116bf6d6c1ccf8b5dd351f%" or Image.Hashes like r"%MD5=a4fda97f452b8f8705695a729f5969f7%" or Image.Hashes like r"%MD5=6f7125540e5e90957ba5f8d755a8d570%" or Image.Hashes like r"%MD5=5a1ee9e6a177f305765f09b0ae6ac1c5%" or Image.Hashes like r"%MD5=4b42a7a6327827a8dbdecf367832c0cd%" or Image.Hashes like r"%MD5=663f2fb92608073824ee3106886120f3%" or Image.Hashes like r"%MD5=d6c4baecff632d6ad63c45fc39e04b2f%" or Image.Hashes like r"%MD5=4ae55080ec8aed49343e40d08370195c%" or Image.Hashes like r"%MD5=21be10f66bb65c1d406407faa0b9ba95%" or Image.Hashes like r"%MD5=e9ccb6bac8715918a2ac35d8f0b4e1e6%" or Image.Hashes like r"%MD5=a223f8584bcb978c003dd451b1439f8d%" or Image.Hashes like r"%MD5=f30db62d02a69c36ccb01ac9d41dc085%" or Image.Hashes like r"%MD5=d396332f9d7b71c10b3b83da030690f0%" or Image.Hashes like r"%MD5=715ac0756234a203cb7ce8524b6ddc0d%" or Image.Hashes like r"%MD5=b94ffce20e36b2930eb3ac72f72c00d6%" or Image.Hashes like r"%MD5=efb4ed2040b9b3d408aab8dc15df5a06%" or Image.Hashes like r"%MD5=8f1255efd2ed0d3b03a02c6b236c06d6%" or Image.Hashes like r"%MD5=530feb1e37831302f58b7c219be6b844%" or Image.Hashes like r"%MD5=2e219df70fccb79351f0452cba86623e%" or Image.Hashes like r"%MD5=99c131567c10c25589e741e69a8f8aa3%" or Image.Hashes like r"%MD5=6fb3d42a4f07d8115d59eb2ea6504de5%" or Image.Hashes like r"%MD5=839cbbc86453960e9eb6db814b776a40%" or Image.Hashes like r"%MD5=3c1f92a1386fa6cf1ba51bae5e9a98dd%" or Image.Hashes like r"%MD5=46edb648c1b5c3abd76bd5e912dac026%" or Image.Hashes like r"%MD5=bd067efb8cafd971142bc964b4f85df1%" or Image.Hashes like r"%MD5=3db2afc15e7cc78bd11f4c726060db5c%" or Image.Hashes like r"%MD5=01f092be2a36a5574005e25368426ad2%" or Image.Hashes like r"%MD5=65c069af3875494ec686afbb0c3da399%" or Image.Hashes like r"%MD5=ce65b7adcf954eb36df62ea3d4a628c7%" or Image.Hashes like 
r"%MD5=ae5eb2759305402821aeddc52ba9a6d6%" or Image.Hashes like r"%MD5=048549f7e9978aff602a24dea98ee48a%" or Image.Hashes like r"%MD5=da8437200af5f3f790e301b9958993d2%" or Image.Hashes like r"%MD5=590875a0b2eeb171403fc7d0f5110cb2%" or Image.Hashes like r"%MD5=bc71da7c055e3172226090ba5d8e2248%" or Image.Hashes like r"%MD5=d76b56b79b1c95e8dcd7ee88cb0d25ab%" or Image.Hashes like r"%MD5=14eead4d42728e9340ec8399a225c124%" or Image.Hashes like r"%MD5=1b2e3b7f2966f2f6e6a1bb89f97228e5%" or Image.Hashes like r"%MD5=5e9d5c59ba1f1060f53909c129df3355%" or Image.Hashes like r"%MD5=0ac31915ec9a6b7d4d4bba8fe6d60ff7%" or Image.Hashes like r"%MD5=6909b5e86e00b4033fedfca1775b0e33%" or Image.Hashes like r"%MD5=2b4e66fac6503494a2c6f32bb6ab3826%" or Image.Hashes like r"%MD5=a125390293d50091b643cfa096c2148c%" or Image.Hashes like r"%MD5=79bfbeb4e8cfdd0cb1d73612360bd811%" or Image.Hashes like r"%MD5=389823db299b350f2ee830d47376eeac%" or Image.Hashes like r"%MD5=a17c403c4b74d4fa920c3887066daeb2%" or Image.Hashes like r"%MD5=1793e1d4247b29313325d1462dec81e2%" or Image.Hashes like r"%MD5=c31610f4c383204a1fc105c54b7403c9%" or Image.Hashes like r"%MD5=0ec31f45e2e698a83131b4443f9a6dd7%" or Image.Hashes like r"%MD5=4885e1bf1971c8fa9e7686fd5199f500%" or Image.Hashes like r"%MD5=f83c61adbb154d46dd8f77923aa7e9c3%" or Image.Hashes like r"%MD5=5cc5c26fc99175997d84fe95c61ab2c2%" or Image.Hashes like r"%MD5=49832b4f726cdff825257bee33ad8451%" or Image.Hashes like r"%MD5=1493d342e7a36553c56b2adea150949e%" or Image.Hashes like r"%MD5=df9953fa93e1793456a8d428ba7e5700%" or Image.Hashes like r"%MD5=40bc58b7615d00eb55ad9ba700c340c1%" or Image.Hashes like r"%MD5=ba2c0fa201c74621cddd8638497b3c70%" or Image.Hashes like r"%MD5=3c9f9c1b802f66cf03cbe82dec2bd454%" or Image.Hashes like r"%MD5=7d84a4ed0fcca3d098881a3f3283724b%" or Image.Hashes like r"%MD5=0e14b69dcf67c20343f85f9fdb5b9300%" or Image.Hashes like r"%MD5=17b97fbe2e8834d7ad30211635e1b271%" or Image.Hashes like r"%MD5=7fbd3b4488a12eab56c54e7bb91516f3%" or 
Image.Hashes like r"%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%" or Image.Hashes like r"%MD5=260eef181a9bf2849bfec54c1736613b%" or Image.Hashes like r"%MD5=dbde0572d702d0a05c0d509d5624a4d7%" or Image.Hashes like r"%MD5=5c5973d2caf86e96311f6399513ab8df%" or Image.Hashes like r"%MD5=0703c1e07186cb98837a2ae76f50d42e%" or Image.Hashes like r"%MD5=5970e8de1b337ca665114511b9d10806%" or Image.Hashes like r"%MD5=2580fb4131353ec417b0df59811f705c%" or Image.Hashes like r"%MD5=fa63a634189bd4d6570964e2161426b0%" or Image.Hashes like r"%MD5=ee57cbe6ec6a703678eaa6c59542ff57%" or Image.Hashes like r"%MD5=e140cb81bd27434fc4fd9080b7551922%" or Image.Hashes like r"%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%" or Image.Hashes like r"%MD5=a3af4a4fa6cba27284f8289436c2f074%" or Image.Hashes like r"%MD5=192519661fe6d132f233d0355c3f4a6d%" or Image.Hashes like r"%MD5=394e290aff9d4e78e504cedfb2d99350%" or Image.Hashes like r"%MD5=2e7d824a49d731da9fc96262a29c85ce%" or Image.Hashes like r"%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%" or Image.Hashes like r"%MD5=2d8e4f38b36c334d0a32a7324832501d%" or Image.Hashes like r"%MD5=443689645455987cb347154b391f734d%" or Image.Hashes like r"%MD5=9258e3cb20e24a93d4afdee9f5a0299c%" or Image.Hashes like r"%MD5=0067c788e1cb174f008c325ebde56c22%" or Image.Hashes like r"%MD5=79f7e6f98a5d3ab6601622be4471027f%" or Image.Hashes like r"%MD5=1c31d4e9ad2d2b5600ae9d0c0969fe59%" or Image.Hashes like r"%MD5=2f1ebc14bd8a29b89896737ca4076002%" or Image.Hashes like r"%MD5=43830326cd5fae66f5508e27cbec39a0%" or Image.Hashes like r"%MD5=df5f8e118a97d1b38833fcdf7127ab29%" or Image.Hashes like r"%MD5=8de7dcade65a1f51605a076c1d2b3456%" or Image.Hashes like r"%MD5=fadf9c1365981066c39489397840f848%" or Image.Hashes like r"%MD5=2c957aa79231fad8e221e035db6d0d81%" or Image.Hashes like r"%MD5=fd81af62964f5dd5eb4a828543a33dcf%" or Image.Hashes like r"%MD5=045ef7a39288ba1f4b8d6eca43def44f%" or Image.Hashes like r"%MD5=90f8c1b76f786814d03ef4c51d4abb6d%" or Image.Hashes like 
r"%MD5=17719a7f571d4cd08223f0b30f71b8b8%" or Image.Hashes like r"%MD5=bdd8dc8880dfbc19d729ca51071de288%" or Image.Hashes like r"%MD5=d79b8b7bed8d30387c22663b24e8c191%" or Image.Hashes like r"%MD5=57cd52ed992b634e74d2ddf9853a73b3%" or Image.Hashes like r"%MD5=1c294146fc77565030603878fd0106f9%" or Image.Hashes like r"%MD5=b7946feaeae34d51f045c4f986fa62ce%" or Image.Hashes like r"%MD5=86fd54c56dcafe2de918c36f8dfda67e%" or Image.Hashes like r"%MD5=adc1e141b57505fd011bc1efb1ae6967%" or Image.Hashes like r"%MD5=6822566b28be75b2a76446a57064369f%" or Image.Hashes like r"%MD5=d9ce18960c23f38706ae9c6584d9ac90%" or Image.Hashes like r"%MD5=935a7df222f19ac532e831e6bf9e8e45%" or Image.Hashes like r"%MD5=664ad9cf500916c94fc2c0020660ac4e%" or Image.Hashes like r"%MD5=356bda2bf0f6899a2c08b2da3ec69f13%" or Image.Hashes like r"%MD5=dacb62578b3ea191ea37486d15f4f83c%" or Image.Hashes like r"%MD5=89c7bd12495e29413038224cb61db02e%" or Image.Hashes like r"%MD5=f60a9b88c6ff07d4990d8653d0025683%" or Image.Hashes like r"%MD5=710b290a00598fbb1bcc49b30174b2c9%" or Image.Hashes like r"%MD5=5c9f240e0b83df758993837d18859cbe%" or Image.Hashes like r"%MD5=cb0c5d3639fcd810cde94b7b990aa51c%" or Image.Hashes like r"%MD5=4d17b32be70ef39eae5d5edeb5e89877%" or Image.Hashes like r"%MD5=0d4306983e694c1f34920bae12d887e6%" or Image.Hashes like r"%MD5=2751c7fd7f09479fa2b15168695adebc%" or Image.Hashes like r"%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%" or Image.Hashes like r"%MD5=0a653d9d0594b152ca835d0b2593269f%" or Image.Hashes like r"%MD5=02198692732722681f246c1b33f7a9d9%" or Image.Hashes like r"%MD5=9d884ecd3b6c3f2509851ea15ffefbef%" or Image.Hashes like r"%MD5=3473faea65fba5d4fbe54c0898a3c044%" or Image.Hashes like r"%MD5=013719e840e955c2e4cd9d18c94a2625%" or Image.Hashes like r"%MD5=5e71c0814287763d529822d0a022e693%" or Image.Hashes like r"%MD5=9f94028cbcf6789103cb5bb6fcef355d%" or Image.Hashes like r"%MD5=0d8daf471d871deb90225d2953c0eb95%" or Image.Hashes like r"%MD5=ad612a7eb913b5f7d25703cd44953c35%" or 
Image.Hashes like r"%MD5=fe3fb6719e86481a3514ab9e00a55bcf%" or Image.Hashes like r"%MD5=3e87e3346441539d3a90278a120766df%" or Image.Hashes like r"%MD5=fa173832dca1b1faeba095e5c82a1559%" or Image.Hashes like r"%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%" or Image.Hashes like r"%MD5=803a371a78d528a44ef8777f67443b16%" or Image.Hashes like r"%MD5=257483d5d8b268d0d679956c7acdf02d%" or Image.Hashes like r"%MD5=02fc655279b8ea3ef37237c488b675cc%" or Image.Hashes like r"%MD5=94999245e9580c6228b22ac44c66044c%" or Image.Hashes like r"%MD5=88aada8325a3659736b3a7201c825664%" or Image.Hashes like r"%MD5=92927c47d6ff139c9b19674c9d0088f6%" or Image.Hashes like r"%MD5=05bf59560656c8a9a3191812b0e1235b%" or Image.Hashes like r"%MD5=c098f8aeb67eeb2262dbf681690a9306%" or Image.Hashes like r"%MD5=eb61616a7bc58e3f5b8cf855d04808c3%" or Image.Hashes like r"%MD5=e3aaa0c1c3a5e99eb9970ebe4b5a3183%" or Image.Hashes like r"%MD5=5efbbfcc6adac121c8e2fe76641ed329%" or Image.Hashes like r"%MD5=4eb4069c230a5dc40cd5d60d2cb3e0d0%" or Image.Hashes like r"%MD5=e0528f756bbb2ab83c60f9fd6f541e42%" or Image.Hashes like r"%MD5=eb4de413782193e824773723d790cfc4%" or Image.Hashes like r"%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%" or Image.Hashes like r"%MD5=97580157f65612f765f39af594b86697%" or Image.Hashes like r"%MD5=21e72a43aedefcd70ca8999cc353b51b%" or Image.Hashes like r"%MD5=d6b259b2dfe80bdf4d026063accd752c%" or Image.Hashes like r"%MD5=ca7b41ce335051bf9dd7fa4a55581296%" or Image.Hashes like r"%MD5=084a13f18856d610d44d3109a9d2acde%" or Image.Hashes like r"%MD5=a5f637d61719d37a5b4868c385e363c0%" or Image.Hashes like r"%MD5=1392b92179b07b672720763d9b1028a5%" or Image.Hashes like r"%MD5=1a5a95d6bedbe29e5acf5eb6a727c634%" or Image.Hashes like r"%MD5=a71020c6d6d42c5000e9993425247e06%" or Image.Hashes like r"%MD5=a9f220b1507a3c9a327a99995ff99c82%" or Image.Hashes like r"%MD5=7c40ec9ed020cc9404de8fe3a5361a09%" or Image.Hashes like r"%MD5=fe937e1ed4c8f1d4eac12b065093ae63%" or Image.Hashes like 
r"%MD5=4ca0dba9e224473d664c25e411f5a3bd%" or Image.Hashes like r"%MD5=2a8662e91a51d8e04a94fa580c7d3828%" or Image.Hashes like r"%MD5=942c6a8332d5dd06d8f4b2a9cb386ff4%" or Image.Hashes like r"%MD5=0283b43c6bc965175a1c92b255d39556%" or Image.Hashes like r"%MD5=2d91d45cd09dfc3f8e89da1c261fd1ac%" or Image.Hashes like r"%MD5=187ddca26d119573223cf0a32ba55a61%" or Image.Hashes like r"%MD5=1549e6cbce408acaddeb4d24796f2eaf%" or Image.Hashes like r"%MD5=6beb1d8146f5a4aaa2f7b8c0c9bced30%" or Image.Hashes like r"%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%" or Image.Hashes like r"%MD5=e0fb44aba5e7798f2dc637c6d1f6ca84%" or Image.Hashes like r"%MD5=de1cc5c266140bff9d964fab87a29421%" or Image.Hashes like r"%MD5=66e0db8a5b0425459d0430547ecbb3db%" or Image.Hashes like r"%MD5=03ca3b1cff154ab8855043abadd07956%" or Image.Hashes like r"%MD5=2a5fb925125af951bd76c00579d61666%" or Image.Hashes like r"%MD5=a2c5f994e9b4a74b2f5b51c7a44c4401%" or Image.Hashes like r"%MD5=5c55fcfe39336de769bfa258ab4c901d%" or Image.Hashes like r"%MD5=aa12c1cb47c443c6108bfe7fc1a34d98%" or Image.Hashes like r"%MD5=8407ddfab85ae664e507c30314090385%" or Image.Hashes like r"%MD5=be54aabf09c3fa4671b6efacafa389e3%" or Image.Hashes like r"%MD5=296bde4d0ed32c6069eb90c502187d0d%" or Image.Hashes like r"%MD5=1d768959aaa194d60e4524ce47708377%" or Image.Hashes like r"%MD5=dca1c62c793f84bb2d8e41ca50efbff1%" or Image.Hashes like r"%MD5=2a5ccd95292f03f0dd4899d18b55b428%" or Image.Hashes like r"%MD5=1f950cfd5ed8dd9de3de004f5416fe20%" or Image.Hashes like r"%MD5=35493772986f610753be29121cd68234%" or Image.Hashes like r"%MD5=6212832f13b296ddbc85b24e22edb5ec%" or Image.Hashes like r"%MD5=9b157f1261a8a42e4ef5ec23dd4cda9e%" or Image.Hashes like r"%MD5=b89b097b8b8aecb8341d05136f334ebb%" or Image.Hashes like r"%MD5=8942e9fa2459b1e179a6535ca16a2fb4%" or Image.Hashes like r"%MD5=64efbffaa153b0d53dc1bccda4279299%" or Image.Hashes like r"%MD5=70dcd07d38017b43f710061f37cb4a91%" or Image.Hashes like r"%MD5=537e2c3020b1d48b125da593e66508ec%" or 
Image.Hashes like r"%MD5=05b4463677e2566414ad53434ad9e7e5%" or Image.Hashes like r"%MD5=7be3a7a743f2013c3e90355219626c2c%" or Image.Hashes like r"%MD5=7f258c0161e9edca8e7f85ac0dd68e46%" or Image.Hashes like r"%MD5=81df475ab8d37343f0ad2a55b1397a8f%" or Image.Hashes like r"%MD5=f0aeb731d83f7ab6008c92c97faf6233%" or Image.Hashes like r"%MD5=507a649eb585d8d0447eab0532ef0c73%" or Image.Hashes like r"%MD5=5c5e3c7ca39d9472099ea81c329b7d75%" or Image.Hashes like r"%MD5=a31246180e61140ad7ff9dd7edf1f6a1%" or Image.Hashes like r"%MD5=9226339848e359f5e4cd519bef7dcd39%" or Image.Hashes like r"%MD5=f544f9925cab71786e57241c10e08633%" or Image.Hashes like r"%MD5=88d2143ae62878dada3aa0a6d8f7cea8%" or Image.Hashes like r"%MD5=c06dda757b92e79540551efd00b99d4b%" or Image.Hashes like r"%MD5=41ce6b172542a9a227e34a45881e1d2a%" or Image.Hashes like r"%MD5=9bcb97a1697a70f59405786759af63b8%" or Image.Hashes like r"%MD5=17c7bcae7ebabb95af2f7c91b19c361c%" or Image.Hashes like r"%MD5=aaa8999a169e39fb8b48ae49cd6ac30a%" or Image.Hashes like r"%MD5=9a5a35112c4f8016abcc6363b44d3385%" or Image.Hashes like r"%MD5=6b2df08bacf640cc2ac6f20c76af07ee%" or Image.Hashes like r"%MD5=ab4656d1ec4d4cc83c76f639a5340e84%" or Image.Hashes like r"%MD5=697f698b59f32f66cd8166e43a5c49c7%" or Image.Hashes like r"%MD5=4e90cd77509738d30d3181a4d0880bfa%" or Image.Hashes like r"%MD5=e3bdb307b32b13b8f7e621e8d5cc8cd3%" or Image.Hashes like r"%MD5=16472fca75ab4b5647c99de608949cde%" or Image.Hashes like r"%MD5=24fe18891c173a7c76426d08d2b0630e%" or Image.Hashes like r"%MD5=2faa725dd9bb22b2100e3010f8a72182%" or Image.Hashes like r"%MD5=251e1ce4e8e9b9418830ed3dc8edd5e3%" or Image.Hashes like r"%MD5=1f3522c5db7b9dcdd7729148f105018e%" or Image.Hashes like r"%MD5=d5a642329cce4df94b8dc1ba9660ae34%" or Image.Hashes like r"%MD5=b2600502a5b962b8cdfac2ead24b17b4%" or Image.Hashes like r"%MD5=c9cb486b4f652c9cfb8411803f8ed5f0%" or Image.Hashes like r"%MD5=73c98438ac64a68e88b7b0afd11ba140%" or Image.Hashes like 
r"%MD5=ab7b28b532beba6a6c0217bc406b80ee%" or Image.Hashes like r"%MD5=75dbd5db9892d7451d0429bec1aabe1a%" or Image.Hashes like r"%MD5=d4a10447fdaff7a001715191c1f914b6%" or Image.Hashes like r"%MD5=31eca8c0b32135850d5a50aee11fec87%" or Image.Hashes like r"%MD5=2cc65e805757cfc4f87889cdceb546cd%" or Image.Hashes like r"%MD5=96b463b6fa426ae42c414177af550ba2%" or Image.Hashes like r"%MD5=ef5ba21690c2f4ba7e62bf022b2df1f7%" or Image.Hashes like r"%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%" or Image.Hashes like r"%MD5=1ed043249c21ab201edccb37f1d40af9%" or Image.Hashes like r"%MD5=86635fdc8e28957e6c01fc483fe7b020%" or Image.Hashes like r"%MD5=520c18f50d3cb2ce162767c4c1998b86%" or Image.Hashes like r"%MD5=569676d3d45b0964ac6dd0815be8ff8c%" or Image.Hashes like r"%MD5=3f39f013168428c8e505a7b9e6cba8a2%" or Image.Hashes like r"%MD5=68726474c69b738eac3a62e06b33addc%" or Image.Hashes like r"%MD5=c04a5cdcb446dc708d9302be4e91e46d%" or Image.Hashes like r"%MD5=a179c4093d05a3e1ee73f6ff07f994aa%" or Image.Hashes like r"%MD5=1a22a85489a94db6ff68cd624ef43bad%" or Image.Hashes like r"%MD5=4ad30223df1361726ff64417f8515272%" or Image.Hashes like r"%MD5=4cee9945f9a3e8f2433f5aa8c58671fb%" or Image.Hashes like r"%MD5=f56f30ac68c35dd4680054cdfd8f3f00%" or Image.Hashes like r"%MD5=31a331a88c6280555859455518a95c35%" or Image.Hashes like r"%MD5=650f6531db6fb0ed25d7fc70be35a4da%" or Image.Hashes like r"%MD5=82854a57630059d1ce2870159dc2f86b%" or Image.Hashes like r"%MD5=d556cb79967e92b5cc69686d16c1d846%" or Image.Hashes like r"%MD5=5b1e1a9dade81f1e80fdc0a2d3f9006e%" or Image.Hashes like r"%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%" or Image.Hashes like r"%MD5=a60c9173563b940203cf4ad38ccf2082%" or Image.Hashes like r"%MD5=95a95e28cf5ee4ece6ffbaf169358192%" or Image.Hashes like r"%MD5=397580c24c544d477688fcfca9c9b542%" or Image.Hashes like r"%MD5=c5d1f8ed329ebb86ddd01e414a6a1718%" or Image.Hashes like r"%MD5=ab4ee84e09b09012ac86d3a875af9d43%" or Image.Hashes like r"%MD5=c9a293762319d73c8ee84bcaaf81b7b3%" or 
Image.Hashes like r"%MD5=a641e3dccba765a10718c9cb0da7879e%" or Image.Hashes like r"%MD5=dd39a86852b498b891672ffbcd071c03%" or Image.Hashes like r"%MD5=715f8efab1d1c660e4188055c4b28eed%" or Image.Hashes like r"%MD5=c046ca4da48db1524ddf3a49a8d02b65%" or Image.Hashes like r"%MD5=f5e6ef0dcbb3d4a608e9e0bba4d80d0a%" or Image.Hashes like r"%MD5=bf581e9eb91bace0b02a2c5a54bf1419%" or Image.Hashes like r"%MD5=d6c2e061b21c32c585aca5f38335c21c%" or Image.Hashes like r"%MD5=7aa34cd9ea5649c24a814e292b270b6f%" or Image.Hashes like r"%MD5=5eabc87416f59e894adfde065d0405fa%" or Image.Hashes like r"%MD5=7ffdd78d63ca7307a96843cfe806799e%" or Image.Hashes like r"%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%" or Image.Hashes like r"%MD5=113056ec5c679b6f74c9556339ebf962%" or Image.Hashes like r"%MD5=f7745b42882dec947f6629ab9b7c39b7%" or Image.Hashes like r"%MD5=4b60ef388071e0baf299496e3d6590ae%" or Image.Hashes like r"%MD5=c006d1844f20b91d0ea52bf32d611f30%" or Image.Hashes like r"%MD5=a0074303fe697a36d9397c0122e04973%" or Image.Hashes like r"%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%" or Image.Hashes like r"%MD5=2e887e52e45bba3c47ccd0e75fc5266f%" or Image.Hashes like r"%MD5=7eeb4c0cb786a409b94066986addf315%" or Image.Hashes like r"%MD5=e28ce623e3e5fa1d2fe16c721efad4c2%" or Image.Hashes like r"%MD5=0eb3dfeffb49d32310d96f3aa3e8ca61%" or Image.Hashes like r"%MD5=a15235fcec1c9b65d736661d4bec0d38%" or Image.Hashes like r"%MD5=0ad87bba19f0b71ccb2d32239abd49ec%" or Image.Hashes like r"%MD5=1c9001dcd34b4db414f0c54242fedf49%" or Image.Hashes like r"%MD5=490b1f404c4f31f4538b36736c990136%" or Image.Hashes like r"%MD5=1dc94a6a82697c62a04e461d7a94d0b0%" or Image.Hashes like r"%MD5=555446a3ca8d9237403471d4744e39f4%" or Image.Hashes like r"%MD5=100fe0bc0c183d16e1f08d1a2ad624a8%" or Image.Hashes like r"%MD5=37086ae5244442ba552803984a11d6cb%" or Image.Hashes like r"%MD5=5d4df0bac74e9ac62af6bc99440b050b%" or Image.Hashes like r"%MD5=94cdf2cf363be5a8749670bea4db65cd%" or Image.Hashes like 
r"%MD5=3a48f0e4297947663fbb11702aa1d728%" or Image.Hashes like r"%MD5=98583b2f2efe12d2a167217a3838c498%" or Image.Hashes like r"%MD5=7437d4070b5c018e05354c179f1d5e2a%" or Image.Hashes like r"%MD5=7d46d0ddaf8c7e1776a70c220bf47524%" or Image.Hashes like r"%MD5=3c4154866f3d483fdc9f4f64ef868888%" or Image.Hashes like r"%MD5=91203acddac81511d17a68a030d063a8%" or Image.Hashes like r"%MD5=7d87a9c54e49943bf18574c6f02788ee%" or Image.Hashes like r"%MD5=8d63e1a9ff4cafee1af179c0c544365c%" or Image.Hashes like r"%MD5=34069a15ae3aa0e879cd0d81708e4bcc%" or Image.Hashes like r"%MD5=e4788e5b3e5f0a0bbb318a9c426c2812%" or Image.Hashes like r"%MD5=1c591efa8660d4d36a75db9b82474174%" or Image.Hashes like r"%MD5=e9e786bdba458b8b4f9e93d034f73d00%" or Image.Hashes like r"%MD5=d5db81974ffda566fa821400419f59be%" or Image.Hashes like r"%MD5=a926b64be7c27ccb96e687a3924de298%" or Image.Hashes like r"%MD5=1c4acf27317a2b5eaedff3ce6094794d%" or Image.Hashes like r"%MD5=cd1c8a66e885b7a8b464094395566a46%" or Image.Hashes like r"%MD5=edfa69e9132a56778d6363cd41843893%" or Image.Hashes like r"%MD5=1ed08a6264c5c92099d6d1dae5e8f530%" or Image.Hashes like r"%MD5=f690bfc0799e51a626ba3931960c3173%" or Image.Hashes like r"%MD5=7c983b4e66c4697ad3ce7efc9166b505%" or Image.Hashes like r"%MD5=4a06bcd96ef0b90a1753a805b4235f28%" or Image.Hashes like r"%MD5=c28b4a60ebd4b8c12861829cc13aa6ff%" or Image.Hashes like r"%MD5=e700a820f117f65e813b216fccbf78c9%" or Image.Hashes like r"%MD5=515c75d77c64909690c18c08ef3fc310%" or Image.Hashes like r"%MD5=7056549baa6da18910151b08121e2c94%" or Image.Hashes like r"%MD5=61b068b10abfa0776f3b96a208d75bf9%" or Image.Hashes like r"%MD5=c901887f28bbb55a10eb934755b47227%" or Image.Hashes like r"%MD5=0761c357aed5f591142edaefdf0c89c8%" or Image.Hashes like r"%MD5=f141db170bb4c6e088f30ddc58404ad3%" or Image.Hashes like r"%MD5=6d97ee5b3300d0f7fa359f2712834c40%" or Image.Hashes like r"%MD5=53f103e490bc11624ef6a51a6d3bdc05%" or Image.Hashes like r"%MD5=3482acba11c71e45026747dbe366a7d9%" or 
Image.Hashes like r"%MD5=7475bfea6ea1cd54029208ed59b96c6b%" or Image.Hashes like r"%MD5=d011d5fecdc94754bf02014cb229d6bc%" or Image.Hashes like r"%MD5=42f7cc4be348c3efd98b0f1233cf2d69%" or Image.Hashes like r"%MD5=45c2d133d41d2732f3653ed615a745c8%" or Image.Hashes like r"%MD5=71fffc05cff351a6f26f78441cfebe26%" or Image.Hashes like r"%MD5=da6f7407c4656a2dbaf16a407aff1a38%" or Image.Hashes like r"%MD5=5dd25029499cd5656927e9c559955b07%" or Image.Hashes like r"%MD5=a82c01606dc27d05d9d3bfb6bb807e32%" or Image.Hashes like r"%MD5=8a973be665923e9708974e72228f9805%" or Image.Hashes like r"%MD5=312e31851e0fc2072dbf9a128557d6ef%" or Image.Hashes like r"%MD5=4ff880566f22919ed94ffae215d39da5%" or Image.Hashes like r"%MD5=fcc5de75c1837b631ed77ea4638704b9%" or Image.Hashes like r"%MD5=279f3b94c2b9ab5911515bc3e0ecf175%" or Image.Hashes like r"%MD5=61d6b1c71ad94f8485e966bebc36d092%" or Image.Hashes like r"%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%" or Image.Hashes like r"%MD5=4a829b8cf1f8fdb69e1d58ae04e6106e%" or Image.Hashes like r"%MD5=e4d4a22cbf94e6b0a92fc36d46741f56%" or Image.Hashes like r"%MD5=e4a0bba88605d4c07b58a2cc3fac0fe9%" or Image.Hashes like r"%MD5=272446de15c63095940a3dad0b426f21%" or Image.Hashes like r"%MD5=f160ecce1500a5a5877c123584e86b17%" or Image.Hashes like r"%MD5=0a2ec9e3e236698185978a5fc76e74e6%" or Image.Hashes like r"%MD5=21ca6a013a75fcf6f930d4b08803973a%" or Image.Hashes like r"%MD5=e432956d19714c65723f9c407ffea0c5%" or Image.Hashes like r"%MD5=4e4b9bdcc6b8d97828ae1972d750a08d%" or Image.Hashes like r"%MD5=67e3b720cee8184c714585a85f8058a0%" or Image.Hashes like r"%MD5=03c9d5f24fd65ad57de2d8a2c7960a70%" or Image.Hashes like r"%MD5=f65e545771fd922693f0ec68b2141012%" or Image.Hashes like r"%MD5=7a16fca3d56c6038c692ec75b2bfee15%" or Image.Hashes like r"%MD5=5adebdb94abb4c76dad2b7ecb1384a9d%" or Image.Hashes like r"%MD5=003dc41d148ec3286dc7df404ba3f2aa%" or Image.Hashes like r"%MD5=0490f5961e0980792f5cb5aedf081dd7%" or Image.Hashes like 
r"%MD5=d3e40644a91327da2b1a7241606fe559%" or Image.Hashes like r"%MD5=49938383844ceec33dba794fb751c9a5%" or Image.Hashes like r"%MD5=f7393fb917aed182e4cbef25ce8af950%" or Image.Hashes like r"%MD5=549e5148be5e7be17f9d416d8a0e333e%" or Image.Hashes like r"%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%" or Image.Hashes like r"%MD5=96fb2101f85fa81871256107bdd25169%" or Image.Hashes like r"%MD5=aa9adcf64008e13d7e68b56fdd307ead%" or Image.Hashes like r"%MD5=62eed4173c566a248531fb6f20a5900d%" or Image.Hashes like r"%MD5=87982977500b93330df08bf372435641%" or Image.Hashes like r"%MD5=9e0af1fe4d6dd2ca4721810ed1c930d6%" or Image.Hashes like r"%MD5=9b5533c4af38759d167d5399e83b475f%" or Image.Hashes like r"%MD5=bd5d4d07ae09e9f418d6b4ac6d9f2ed5%" or Image.Hashes like r"%MD5=22ca5fe8fb0e5e22e6fb0848108c03f4%" or Image.Hashes like r"%MD5=7b43dfd84de5e81162ebcfafb764b769%" or Image.Hashes like r"%MD5=ccb09eb78e047c931708149992c2e435%" or Image.Hashes like r"%MD5=8c1d181480796d7d3366a9381fd7782d%" or Image.Hashes like r"%MD5=b5192270857c1f17f7290acbaadf097d%" or Image.Hashes like r"%MD5=fe71c99a5830f94d77a8792741d6e6c7%" or Image.Hashes like r"%MD5=238769fd8379ec476c1114bd2bd28ca6%" or Image.Hashes like r"%MD5=cf7aeedd674417b648fc334d179c94ae%" or Image.Hashes like r"%MD5=52b7cd123f6d1b9ed76b08f2ee7d9433%" or Image.Hashes like r"%MD5=8d14b013fc2b555e404b1c3301150c34%" or Image.Hashes like r"%MD5=2e492f14a1087374368562d01cd609aa%" or Image.Hashes like r"%MD5=65e6718a547495c692e090d7887d247b%" or Image.Hashes like r"%MD5=51e7b58f6e9b776568ffbd4dd9972a60%" or Image.Hashes like r"%MD5=84c4d8ae023ca9bb60694fa467141247%" or Image.Hashes like r"%MD5=69ac6165912cb263a656497cc70155e6%" or Image.Hashes like r"%MD5=30efb7d485fc9c28fe82a97deac29626%" or Image.Hashes like r"%MD5=f4b2580cf0477493908b7ed81e4482f8%" or Image.Hashes like r"%MD5=fc6dadb97bd3b7a61d06f20d0d2e1bac%" or Image.Hashes like r"%MD5=595363661db3e50acc4de05b0215cc6f%" or Image.Hashes like r"%MD5=cec257dcac9e708cefb17f8984dd0a70%" or 
Image.Hashes like r"%MD5=0e51d96a3b878b396708535f49a6d7cb%" or Image.Hashes like r"%MD5=f34489c0f0d0a16b4db8a17281b57eba%" or Image.Hashes like r"%MD5=80b4041695810f98e1c71ff0cf420b6d%" or Image.Hashes like r"%MD5=7978d858168fadd05c17779da5f4695a%" or Image.Hashes like r"%MD5=557fd33ee99db6fe263cfcb82b7866b3%" or Image.Hashes like r"%MD5=7b9e1e5e8ff4f18f84108bb9f7b5d108%" or Image.Hashes like r"%MD5=9b91a44a488e4d539f2e55476b216024%" or Image.Hashes like r"%MD5=3b23808de1403961205352e94b8f2f9b%" or Image.Hashes like r"%MD5=13bd61916343d94ebefc9a7911d7bf88%" or Image.Hashes like r"%MD5=936729b8dc2282037bc1504c2680e3ad%" or Image.Hashes like r"%MD5=9f70cd5edcc4efc48ae21e04fb03be9d%" or Image.Hashes like r"%MD5=75e50ae2e0f783e0caf912f45e15248a%" or Image.Hashes like r"%MD5=444f538daa9f7b340cfd43974ed43690%" or Image.Hashes like r"%MD5=8b47c5580b130dd3f580af09323bc949%" or Image.Hashes like r"%MD5=daf11013cf4c879a54ed6a86a05bee3c%" or Image.Hashes like r"%MD5=eff3a9cc3e99ef3ddae57df72807f0c7%" or Image.Hashes like r"%MD5=9982da703f13140997e137b1e745a2e3%" or Image.Hashes like r"%MD5=f778489c7105a63e9e789a02412aaa5f%" or Image.Hashes like r"%MD5=723381977ce7df57ec623db52b84f426%" or Image.Hashes like r"%MD5=1db988eb9ac5f99756c33b91830a9cf6%" or Image.Hashes like r"%MD5=c02f70960fa934b8defa16a03d7f6556%" or Image.Hashes like r"%MD5=5e35c049bc8076406910da36edf9212d%" or Image.Hashes like r"%MD5=241a095631570a9cef4f126c87605c60%" or Image.Hashes like r"%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%" or Image.Hashes like r"%MD5=b418293e25632c5f377bf034bb450e57%" or Image.Hashes like r"%MD5=4f191abc652d8f7442ca2636725e1ed6%" or Image.Hashes like r"%MD5=34e55ccceec34a8567c8b95d662ba886%" or Image.Hashes like r"%MD5=4f5ca81806098204c4dea0927a8fec66%" or Image.Hashes like r"%MD5=8b287636041792f640f92e77e560725e%" or Image.Hashes like r"%MD5=56a515173b211832e20fbc64e5a0447c%" or Image.Hashes like r"%MD5=2315a8919cfb167e718d8c788ed3ceca%" or Image.Hashes like 
r"%MD5=2d465b4487dc81effaa84f122b71c24f%" or Image.Hashes like r"%MD5=29ccff428e5eb70ae429c3da8968e1ec%" or Image.Hashes like r"%MD5=28d6b138adc174a86c0f6248d8a88275%" or Image.Hashes like r"%MD5=9beecfb3146f19400880da61476ef940%" or Image.Hashes like r"%MD5=d5556c54c474cf0bff25804bfbe788d3%" or Image.Hashes like r"%MD5=f7a09ac4a91a6390f8d00bf09f53ae37%" or Image.Hashes like r"%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%" or Image.Hashes like r"%MD5=06897b431c07886454e0681723dd53e6%" or Image.Hashes like r"%MD5=c533d6d64b474ffc3169a0e0fc0a701a%" or Image.Hashes like r"%MD5=c52dce2bee8ec88748411e470ff531f6%" or Image.Hashes like r"%MD5=71858fa117e6f3309606d5cdb57e6e09%" or Image.Hashes like r"%MD5=259381daae0357fbfefe1d92188c496a%" or Image.Hashes like r"%MD5=ceac1347acae9ad9496d4b0593256522%" or Image.Hashes like r"%MD5=4124de3cb72f5dfd7288389862b03f2a%" or Image.Hashes like r"%MD5=edbf206c27c3aa7d1890899dffcc03ec%" or Image.Hashes like r"%MD5=a5ff71e189b462d2b1f0e9e8c4668d79%" or Image.Hashes like r"%MD5=c49a1956a6a25ffc25ad97d6762b0989%" or Image.Hashes like r"%MD5=c475c7d0f2d934f150b6c32c01479134%" or Image.Hashes like r"%MD5=eb7f6d01c97783013115ad1a2833401a%" or Image.Hashes like r"%MD5=e98f4cc2cbf9ec23fd84da30c0625884%" or Image.Hashes like r"%MD5=bf74d0706f5ab9c34067192260f4efb0%" or Image.Hashes like r"%MD5=0752f113d983030939b4ab98b0812cf0%" or Image.Hashes like r"%MD5=7c22b7686c75a2bb7409b3c392cc791a%" or Image.Hashes like r"%MD5=07efb8259b42975d502a058db8a3fd21%" or Image.Hashes like r"%MD5=def0da6c95d14f7020e533028224250e%" or Image.Hashes like r"%MD5=d4a9f80ecb448da510e5bf82c4a699ee%" or Image.Hashes like r"%MD5=c5e7e8ca0d76a13a568901b6b304c3ba%" or Image.Hashes like r"%MD5=59f6320772a2e6b0b3587536be4cc022%" or Image.Hashes like r"%MD5=0cd2504a2e0a8ad81d9a3a6a1fad7306%" or Image.Hashes like r"%MD5=0ccc4e9396e0be9c4639faec53715831%" or Image.Hashes like r"%MD5=c15eb30e806ad5e771b23423fd2040b0%" or Image.Hashes like r"%MD5=f3d14fcdb86db8d75416ce173c6061af%" or 
Image.Hashes like r"%MD5=637f2708da54e792c27f1141d5bb09cd%" or Image.Hashes like r"%MD5=779af226b7b72ff9d78ce1f03d4a3389%" or Image.Hashes like r"%MD5=a17c58c0582ee560c72f60764ed63224%" or Image.Hashes like r"%MD5=c2c1b8c00b99e913d992a870ed478a24%" or Image.Hashes like r"%MD5=2b6a17ec50d3a21e030ed78f7acbd2af%" or Image.Hashes like r"%MD5=76bb1a4332666222a8e3e1339e267179%" or Image.Hashes like r"%MD5=0ef05030abd55ba6b02faa2c0970f67f%" or Image.Hashes like r"%MD5=56a9e9b5334f8698a0ede27c64140982%" or Image.Hashes like r"%MD5=9e0659d443a2b9d1afc75a160f500605%" or Image.Hashes like r"%MD5=bc6ff00fb3a14437c94b37ac9a2101d4%" or Image.Hashes like r"%MD5=2da209dde8188076a9579bd256dc90d0%" or Image.Hashes like r"%MD5=11dc5523bb559f8d2ce637f6a2b70dea%" or Image.Hashes like r"%MD5=12908c285b9d68ee1f39186110df0f1e%" or Image.Hashes like r"%MD5=73a40e29f61e5d142c8f42b28a351190%" or Image.Hashes like r"%MD5=0797bb21d7a0210fedf4f3533ee82494%" or Image.Hashes like r"%MD5=6846c2035b4c56b488d2ce2c69a57261%" or Image.Hashes like r"%MD5=dbf11f3fad1db3eb08e2ee24b5ebfb95%" or Image.Hashes like r"%MD5=41339c852c6e8e4c94323f500c87a79c%" or Image.Hashes like r"%MD5=ce57844fb185d0cdd9d3ce9e5b6a891d%" or Image.Hashes like r"%MD5=3ab94fba7196e84a97e83b15f7bcb270%" or Image.Hashes like r"%MD5=0291ced808eafe406d3d9b56d2fc0c26%" or Image.Hashes like r"%MD5=3836e2db9034543f63943cdbb52a691a%" or Image.Hashes like r"%MD5=0dff47f3b14fb1c1bad47cc517f0581a%" or Image.Hashes like r"%MD5=e8ebba56ea799e1e62748c59e1a4c586%" or Image.Hashes like r"%MD5=2c54859a67306e20bfdc8887b537de72%" or Image.Hashes like r"%MD5=4e67277648c63b79563360dac22b5492%" or Image.Hashes like r"%MD5=26ce59f9fc8639fd7fed53ce3b785015%" or Image.Hashes like r"%MD5=2927eac51c46944ab69ba81462fb9045%" or Image.Hashes like r"%MD5=1a6e12c2d11e208bdf72a8962120fae7%" or Image.Hashes like r"%MD5=daf800da15b33bf1a84ee7afc59f0656%" or Image.Hashes like r"%MD5=9cbdb5fb6dc63cb13f10b6333407cbb9%" or Image.Hashes like 
r"%MD5=9650db2ef0a44984845841ab24972ced%" or Image.Hashes like r"%MD5=96a8b535b5e14b582ca5679a3e2a5946%" or Image.Hashes like r"%MD5=33b3842172f21ba22982bfb6bffbda27%" or Image.Hashes like r"%MD5=2391fb461b061d0e5fccb050d4af7941%" or Image.Hashes like r"%MD5=8bf290b5eda99fc2697373a87f4e1927%" or Image.Hashes like r"%MD5=5fade7137c14a94b323f3b7886fba2a9%" or Image.Hashes like r"%MD5=a89ca92145fc330adced0dd005421183%" or Image.Hashes like r"%MD5=96421b56dbda73e9b965f027a3bda7ba%" or Image.Hashes like r"%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%" or Image.Hashes like r"%MD5=6fa271b6816affaef640808fc51ac8af%" or Image.Hashes like r"%MD5=94d45bb36b13f4e936badb382fc133fe%" or Image.Hashes like r"%MD5=e027daa2f81961d09aef88093e107d93%" or Image.Hashes like r"%MD5=b1b8e6b85dd03c7f1290b1a071fc79c1%" or Image.Hashes like r"%MD5=07fc1e043654fdde56da98d93523635c%" or Image.Hashes like r"%MD5=118f3fdba730094d17aa1b259586aef6%" or Image.Hashes like r"%MD5=2714c93eb240375a2893ed7f8818004f%" or Image.Hashes like r"%MD5=641243746597fbd650e5000d95811ea3%" or Image.Hashes like r"%MD5=449bb1c656fa30de7702f17e35b11cd3%" or Image.Hashes like r"%MD5=96c850e53caca0469e1c4604e6c1aad1%" or Image.Hashes like r"%MD5=12cecc3c14160f32b21279c1a36b8338%" or Image.Hashes like r"%MD5=949ef0df929a71d6cc77494dfcb1ddeb%" or Image.Hashes like r"%MD5=8065a7659562005127673ac52898675f%" or Image.Hashes like r"%MD5=1033f0849180aac4b101a914bc8c53b4%" or Image.Hashes like r"%MD5=8f73c1c48ffddfca7d1a98faf83d18ff%" or Image.Hashes like r"%MD5=648adec580746afbbf59904c1e150c73%" or Image.Hashes like r"%MD5=e84605c8e290de6b92ce81d2f6a175d2%" or Image.Hashes like r"%MD5=300d6ac47a146eb8eb159f51bc13f7cf%" or Image.Hashes like r"%MD5=392d7180653b0ca77a78bdf15953d865%" or Image.Hashes like r"%MD5=f0e21ababe63668fb3fbd02e90cd1fa9%" or Image.Hashes like r"%MD5=e0bfbdf3793ea2742c03f5a82cb305a5%" or Image.Hashes like r"%MD5=00143c457c8885fd935fc5d5a6ba07a4%" or Image.Hashes like r"%MD5=c8d3784a3ab7a04ad34ea0aba32289ca%" or 
Image.Hashes like r"%MD5=9532893c1d358188d66b0d7b0784bb6b%" or Image.Hashes like r"%MD5=564d84a799db39b381a582a0b2f738c4%" or Image.Hashes like r"%MD5=fd3b7234419fafc9bdd533f48896ed73%" or Image.Hashes like r"%MD5=be5f46fd1056f02a7a241e052fa5888f%" or Image.Hashes like r"%MD5=2128e6c044ee86f822d952a261af0b48%" or Image.Hashes like r"%MD5=4b817d0e7714b9d43db43ae4a22a161e%" or Image.Hashes like r"%MD5=eaec88a63db9cf9cee53471263afe6fb%" or Image.Hashes like r"%MD5=ecdc79141b7002b246770d01606504f2%" or Image.Hashes like r"%MD5=ad866d83b4f0391aecceb4e507011831%" or Image.Hashes like r"%MD5=88a6d84f4f1cc188741271ac1999a4e9%" or Image.Hashes like r"%MD5=8580165a2803591e007380db9097bbcc%" or Image.Hashes like r"%MD5=5c4df33951d20253a98aa7b5e78e571a%" or Image.Hashes like r"%MD5=27d21eeff199ed555a29ca0ea4453cfb%" or Image.Hashes like r"%MD5=43bfc857406191963f4f3d9f1b76a7bf%" or Image.Hashes like r"%MD5=0fbf893691a376b168d8cdf427b89945%" or Image.Hashes like r"%MD5=1762105b28eb90d19e9ab3acde16ead6%" or Image.Hashes like r"%MD5=b41dcdb2e710dffba2d8ea1defb0f087%" or Image.Hashes like r"%MD5=c42caa9cdcc50c01cb2fed985a03fe23%" or Image.Hashes like r"%MD5=c516acb873c7f8c24a0431df8287756e%" or Image.Hashes like r"%MD5=343ada10d948db29251f2d9c809af204%" or Image.Hashes like r"%MD5=790ccca8341919bb8bb49262a21fca0e%" or Image.Hashes like r"%MD5=51207adb8dab983332d6b22c29fe8129%" or Image.Hashes like r"%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%" or Image.Hashes like r"%MD5=7c4e513702a0322b0e3bce29dea9e3e9%" or Image.Hashes like r"%MD5=8ac6d458abbe4f5280996eb90235377c%" or Image.Hashes like r"%MD5=6a1ff4806c1a6e897208f48a1f5b062f%" or Image.Hashes like r"%MD5=a4531040276080441974d9e00d8d4cfa%" or Image.Hashes like r"%MD5=d1f9ffe5569642c8f8c10ed7ee5d9391%" or Image.Hashes like r"%MD5=09b3d078ffa3b4ed0ad2e477a2ee341f%" or Image.Hashes like r"%MD5=83601bbe5563d92c1fdb4e960d84dc77%" or Image.Hashes like r"%MD5=1414629b1ee93d2652ff49b2eb829940%" or Image.Hashes like 
r"%MD5=84b17daba8715089542641990c1ea3c2%" or Image.Hashes like r"%MD5=6ae4dec687ac6d1b635a4e351dddf73e%" or Image.Hashes like r"%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%" or Image.Hashes like r"%MD5=1e1a3d43bd598b231207ff3e70f78454%" or Image.Hashes like r"%MD5=07f83829e7429e60298440cd1e601a6a%" or Image.Hashes like r"%MD5=7c72a7e1d42b0790773efd8700e24952%" or Image.Hashes like r"%MD5=f41eea88057d3dd1a56027c4174eed22%" or Image.Hashes like r"%MD5=f53fa44c7b591a2be105344790543369%" or Image.Hashes like r"%MD5=08e06b839499cb4b752347399db41b57%" or Image.Hashes like r"%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%" or Image.Hashes like r"%MD5=785045f8b25cd2e937ddc6b09debe01a%" or Image.Hashes like r"%MD5=53bb10742e10991af4ad280fcb134151%" or Image.Hashes like r"%MD5=76c643ab29d497317085e5db8c799960%" or Image.Hashes like r"%MD5=bce7f34912ff59a3926216b206deb09f%" or Image.Hashes like r"%MD5=c4f5619ce04d4bee38024d08513c77fd%" or Image.Hashes like r"%MD5=2a3ce41bb2a7894d939fbd1b20dae5a0%" or Image.Hashes like r"%MD5=86bec99cd121b0386a5acc1c368a9d49%" or Image.Hashes like r"%MD5=e076dadf37dd43a6b36aeed957abee9e%" or Image.Hashes like r"%MD5=4a85754636c694572ca9f440d254f5ce%" or Image.Hashes like r"%MD5=f4b7b84a6828d2f9205b55cf8cfc7742%" or Image.Hashes like r"%MD5=8f5b84350bfc4fe3a65d921b4bd0e737%" or Image.Hashes like r"%MD5=f9d04e99e4cab90973226a4555bc6d57%" or Image.Hashes like r"%MD5=bc5366760098dc14ec00ae36c359f42b%" or Image.Hashes like r"%MD5=b79475c4783efdd8122694c6b5669a79%" or Image.Hashes like r"%MD5=5f4a232d92480a1bebbe025ef64dc760%" or Image.Hashes like r"%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%" or Image.Hashes like r"%MD5=69ba501a268f09f694ff0e8e208aa20e%" or Image.Hashes like r"%MD5=030c8432981e4d41b191624b3e07afe2%" or Image.Hashes like r"%MD5=c56a9ed0192c5a2b39691e54f2132a2f%" or Image.Hashes like r"%SHA1=38a863bcd37c9c56d53274753d5b0e614ba6c8bb%" or Image.Hashes like r"%SHA1=87d2b638e5dfab1e37961d27ca734b83ece02804%" or Image.Hashes like 
r"%SHA1=1a56614ea7d335c844b7fc6edd5feb59b8df7b55%" or Image.Hashes like r"%SHA1=f02af84393e9627ba808d4159841854a6601cf80%" or Image.Hashes like r"%SHA1=75649b228a22ce1e2a306844e0d48f714fb03f28%" or Image.Hashes like r"%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%" or Image.Hashes like r"%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%" or Image.Hashes like r"%SHA1=388068adc9ec46a0bbc8173bcb0d5f9cf8af6ea5%" or Image.Hashes like r"%SHA1=fce3a95b222c810c56e7ed5a3d7fb059eb693682%" or Image.Hashes like r"%SHA1=f4728f490d741b04b611164a7d997e34458e3a5e%" or Image.Hashes like r"%SHA1=4d516b1c9b7a81de2836ab24ba6b880c11807255%" or Image.Hashes like r"%SHA1=bda26e533ef971d501095950010081b772920afc%" or Image.Hashes like r"%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%" or Image.Hashes like r"%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%" or Image.Hashes like r"%SHA1=b82c034e41d463f4e68b0a7d334f2d7611049bcb%" or Image.Hashes like r"%SHA1=8795df6494b724d9f279f007db33c24c27a91d08%" or Image.Hashes like r"%SHA1=b8d19cd28788ce4570623a5433b091a5fbd4c26d%" or Image.Hashes like r"%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%" or Image.Hashes like r"%SHA1=72f16e6a18ba87248dd72f52445c916ad2e4edc2%" or Image.Hashes like r"%SHA1=c0568bcdf57db1fa43cdee5a2a12b768a0064622%" or Image.Hashes like r"%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%" or Image.Hashes like r"%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%" or Image.Hashes like r"%SHA1=0edf51a0fac3b90f6961c2b20bbaeb4ccfc1ea84%" or Image.Hashes like r"%SHA1=6102b73489e1d319c0db7b84cb2c426c5f680120%" or Image.Hashes like r"%SHA1=c16d7b2fbe69a28ccbcf87348903277f22805bf3%" or Image.Hashes like r"%SHA1=c21510569fd84a5fe04508aa28e3cf9c8cc45b7a%" or Image.Hashes like r"%SHA1=2207cdee7deaba1492ae2349392864f19eb4dfaf%" or Image.Hashes like r"%SHA1=2f86a4828ba86034f0c043db3e3db33aa2cf5da5%" or Image.Hashes like r"%SHA1=569f4605c65c2a217b28aefeb8570f9ea663e4b7%" or Image.Hashes like r"%SHA1=cd828ee0725f6185861fd0a9d3bd78f1d96e55bf%" or 
Image.Hashes like r"%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%" or Image.Hashes like r"%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%" or Image.Hashes like r"%SHA1=7877bd7da617ec92a5c47f0da1f0abcf6484d905%" or Image.Hashes like r"%SHA1=3adea4a3a91504dc2e3c5e9247c6427cd5c73bab%" or Image.Hashes like r"%SHA1=55015f64783ddd148674a74d8137bcd6ccd6231d%" or Image.Hashes like r"%SHA1=f8d7369527cc6976283cc73cd761f93bd1cec49d%" or Image.Hashes like r"%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%" or Image.Hashes like r"%SHA1=091df975fa983e4ad44435ca092dbf84911f28a5%" or Image.Hashes like r"%SHA1=928d26cce64ad458e1f602cc2aea848e0b04eaaf%" or Image.Hashes like r"%SHA1=a7baff6666fc2d259c22f986b8a153c7b1d1d8be%" or Image.Hashes like r"%SHA1=90d73db752eac6ffc53555281fc5aa92297285ec%" or Image.Hashes like r"%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%" or Image.Hashes like r"%SHA1=a0bf00e4ef2b1a79ccf2361c6b303688641ed94c%" or Image.Hashes like r"%SHA1=4a2bb97d395634b67194856d79a1ee5209aa06a7%" or Image.Hashes like r"%SHA1=e0ee5ea6693c26f21b143ef9b133f53efe443b1e%" or Image.Hashes like r"%SHA1=c70989ed7a6ad9d7cd40ae970e90f3c3f2f84860%" or Image.Hashes like r"%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%" or Image.Hashes like r"%SHA1=c05df2e56e05b97e3ca8c6a61865cae722ed3066%" or Image.Hashes like r"%SHA1=dbf6e72c08824fe49c29b7660c9965c37d983e93%" or Image.Hashes like r"%SHA1=bed323603a33fa8b2fc7568149345184690f0390%" or Image.Hashes like r"%SHA1=2365a66c1eddfcf8385d9ff38ba8bd5f6f2e4fc2%" or Image.Hashes like r"%SHA1=59b0b8e3478f3d21213a8afda84181c4ed0a79a7%" or Image.Hashes like r"%SHA1=297fdf58e60d54bcddf2694c21ceb9da9ec17915%" or Image.Hashes like r"%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%" or Image.Hashes like r"%SHA1=adf9328e60c714ff0b98083bcf2f4ee2d58b960b%" or Image.Hashes like r"%SHA1=78834ff75e2ff8b7456e85114802e58bc9fda457%" or Image.Hashes like r"%SHA1=0a5ef5b72e621a639860c03f1cac499567082f39%" or Image.Hashes like 
r"%SHA1=aadaec4c31d661c249e4cf455ec752fffa3e5cfc%" or Image.Hashes like r"%SHA1=492a47426b04f00c0d5b711ad8c872aad3aa3a1d%" or Image.Hashes like r"%SHA1=064847af77afca8a879a9bf34cb87b64b5e69165%" or Image.Hashes like r"%SHA1=468cc011807704c04892ed209cf81d7896a12a0c%" or Image.Hashes like r"%SHA1=1013d5a0fd6074a8c40dbf3a88e3e06fbf3bcf41%" or Image.Hashes like r"%SHA1=fc62b746e0e726537bf848b48212f46db585af6d%" or Image.Hashes like r"%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%" or Image.Hashes like r"%SHA1=eceb51233f013e04406da11482324d45e70281c7%" or Image.Hashes like r"%SHA1=ff9887cfd695916a06319b3a96f7ab2e6343a20e%" or Image.Hashes like r"%SHA1=67e87ca093da64a23cf0fc0be2b35e03d1bf1543%" or Image.Hashes like r"%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%" or Image.Hashes like r"%SHA1=62244c704b0f227444d3a515ea0dc1003418a028%" or Image.Hashes like r"%SHA1=4d6e532830058fadd861ff9eac16de8cfc6974ce%" or Image.Hashes like r"%SHA1=ebced350ea447df8e10ebb080e3a3e5b32aca348%" or Image.Hashes like r"%SHA1=6de3d5c2e33d91eef975a30bc07b0e53a68e77b8%" or Image.Hashes like r"%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%" or Image.Hashes like r"%SHA1=0be77bb3720283c9a970a97dab25d2a312e86110%" or Image.Hashes like r"%SHA1=213ba055863d4226da26a759e8a254062ea77814%" or Image.Hashes like r"%SHA1=9099482b26e9ba8e1d303418afc9111a3bffd6b3%" or Image.Hashes like r"%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%" or Image.Hashes like r"%SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8%" or Image.Hashes like r"%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%" or Image.Hashes like r"%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%" or Image.Hashes like r"%SHA1=f6d826d73bf819dbc9a058f2b55c88d6d4b634e3%" or Image.Hashes like r"%SHA1=8278db134d3b505c735306393fdf104d014fb3bf%" or Image.Hashes like r"%SHA1=22c909898f5babe37cc421b4f5ed0522196f8127%" or Image.Hashes like r"%SHA1=e8311ba74bc6b35b1171b81056d0148913b1d61c%" or Image.Hashes like r"%SHA1=3eea0f5fb180c6f865fc83ac75ef3ad5b1376775%" or 
Image.Hashes like r"%SHA1=8e2511ae90643584ceb0d98f0f780cd6b7290604%" or Image.Hashes like r"%SHA1=8a922499f7a1b978555b46c30f90de1339760c74%" or Image.Hashes like r"%SHA1=2540205480ea3d59e4031de3c6632e3ce2596459%" or Image.Hashes like r"%SHA1=8edcd4b35f5ae88d14e83252390659c6fc79eae3%" or Image.Hashes like r"%SHA1=aaffdc89befa42e375f822366bbded8c245baf94%" or Image.Hashes like r"%SHA1=1d9fd846e12104ae31fd6f6040b93fc689abf047%" or Image.Hashes like r"%SHA1=3d3b42d7b0af68da01019274e341b03d7c54f752%" or Image.Hashes like r"%SHA1=88811e1a542f33431b9f8b74cb8bf27209b27f17%" or Image.Hashes like r"%SHA1=67b45c1e204d44824cd7858455e1acedbd7ffbb3%" or Image.Hashes like r"%SHA1=fff7ee0febb8c93539220ca49d4206616e15c666%" or Image.Hashes like r"%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%" or Image.Hashes like r"%SHA1=d302ae7f016299af323a3542d840004888ab91ff%" or Image.Hashes like r"%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%" or Image.Hashes like r"%SHA1=228b1ff5cd519faa15d9c2f8cfefd7e683bc3f2b%" or Image.Hashes like r"%SHA1=63cf021c8662fa23ce3e4075a4f849431e473058%" or Image.Hashes like r"%SHA1=ca4d2bd6022f71e1a48b08728c0ac83c68e91281%" or Image.Hashes like r"%SHA1=d43b2ac1221f2eaf2c170788280255cfef3edd72%" or Image.Hashes like r"%SHA1=db3ce886a47027c09bb668c7049362ab86c82ceb%" or Image.Hashes like r"%SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1%" or Image.Hashes like r"%SHA1=745bad097052134548fe159f158c04be5616afc2%" or Image.Hashes like r"%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%" or Image.Hashes like r"%SHA1=0e47bd9b67500a67ce18c24328d6d0db8ae2c493%" or Image.Hashes like r"%SHA1=ef95f500b60c49f40ed6ce3014ffdb294b301e95%" or Image.Hashes like r"%SHA1=2ee7b3f6bcc9e95a9ae60bcb9bbc483b0400077d%" or Image.Hashes like r"%SHA1=b3f5185d7824ea2c2d931c292f4d8f77903a4d2a%" or Image.Hashes like r"%SHA1=029c678674f482ababe8bbfdb93152392457109d%" or Image.Hashes like r"%SHA1=aadebbcbde0e7edd35e29d98871289a75e744aad%" or Image.Hashes like 
r"%SHA1=a88546fb61a2fa7dab978a9cb678469e8f0ed475%" or Image.Hashes like r"%SHA1=90abd7670c84c47e6ffc45c67d676db8c12b1939%" or Image.Hashes like r"%SHA1=4fe873544c34243826489997a5ff14ed39dd090d%" or Image.Hashes like r"%SHA1=d06d119579156b1ec732c50f0f64358762eb631a%" or Image.Hashes like r"%SHA1=27eab595ec403580236e04101172247c4f5d5426%" or Image.Hashes like r"%SHA1=d1670bd08cfd376fc2b70c6193f3099078f1d72f%" or Image.Hashes like r"%SHA1=7ee675f0106e36d9159c5507b96c3237fb9348cd%" or Image.Hashes like r"%SHA1=fde6ab389a6e0a9b2ef1713df9d43cca5f1f3da8%" or Image.Hashes like r"%SHA1=d61acd857242185a56e101642d15b9b5f0558c26%" or Image.Hashes like r"%SHA1=9d44260558807daff61a0cc0c6a8719c3adacd2d%" or Image.Hashes like r"%SHA1=3f17ff83dc8a5f875fb1b3a5d3b9fcbe407a99f0%" or Image.Hashes like r"%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%" or Image.Hashes like r"%SHA1=a951953e3c1bb08653ed7b0daec38be7b0169c27%" or Image.Hashes like r"%SHA1=35f803d483af51762bee3ec130de6a03362ce920%" or Image.Hashes like r"%SHA1=ed3f11383a47710fa840e13a7a9286227fa1474c%" or Image.Hashes like r"%SHA1=004d9353f334e42c79a12c3a31785a96f330bbef%" or Image.Hashes like r"%SHA1=0b77242d4e920f2fcb2b506502cfe3985381defc%" or Image.Hashes like r"%SHA1=8146ed4a9c9a2f7e7aeae0a0539610c3c1cd3563%" or Image.Hashes like r"%SHA1=2261198385d62d2117f50f631652eded0ecc71db%" or Image.Hashes like r"%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%" or Image.Hashes like r"%SHA1=ef0504dd90eb451f51d2c4f987fb7833c91c755b%" or Image.Hashes like r"%SHA1=34b2986f1ff5146f7145433f1ef5dfe6210131d0%" or Image.Hashes like r"%SHA1=472cc191937349a712aabcbc4d118c1c982ab7c9%" or Image.Hashes like r"%SHA1=7c43d43d95232e37aa09c5e2bcd3a7699d6b7479%" or Image.Hashes like r"%SHA1=de2c073c8b4db6ffd11a99784d307f880444e5d3%" or Image.Hashes like r"%SHA1=e88259de797573fa515603ad3354aed0bce572f1%" or Image.Hashes like r"%SHA1=f70eb454c0e9ea67a18c625faf7a666665801035%" or Image.Hashes like r"%SHA1=4a2e034d2702aba6bca5d9405ba533ed1274ff0c%" or 
Image.Hashes like r"%SHA1=8788f4b39cbf037270904bdb8118c8b037ee6562%" or Image.Hashes like r"%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%" or Image.Hashes like r"%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%" or Image.Hashes like r"%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%" or Image.Hashes like r"%SHA1=5b866f522bcdf80e6a9fda71b385f917317f6551%" or Image.Hashes like r"%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%" or Image.Hashes like r"%SHA1=517504aaf8afc9748d6aec657d46a6f7bbc60c09%" or Image.Hashes like r"%SHA1=f0d6b0bcd5f47b41d3c3192e244314d99d1df409%" or Image.Hashes like r"%SHA1=3f43412c563889a5f5350f415f7040a71cc25221%" or Image.Hashes like r"%SHA1=8031ecbff95f299b53113ccd105582defad38d7b%" or Image.Hashes like r"%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%" or Image.Hashes like r"%SHA1=55c64235d223baeb8577a2445fdaa6bedcde23db%" or Image.Hashes like r"%SHA1=12154f58b68902a40a7165035d37974128deb902%" or Image.Hashes like r"%SHA1=fa60a89980aad30db3a358fb1c1536a4d31dff6c%" or Image.Hashes like r"%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%" or Image.Hashes like r"%SHA1=9310239b75394b75a963336fbd154038fc13c4e3%" or Image.Hashes like r"%SHA1=7673cebd15488cbbb4ca65209f92faab3f933205%" or Image.Hashes like r"%SHA1=3a3342f4ca8cc45c6b86f64b1a7d7659020b429f%" or Image.Hashes like r"%SHA1=190c20e130a9156442eebcf913746c69b9485eec%" or Image.Hashes like r"%SHA1=3c9c86c0b215ecbab0eeb4479c204dba65258b8e%" or Image.Hashes like r"%SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89%" or Image.Hashes like r"%SHA1=c00ad2a252b53cf2d0dc74b53d1af987982e1ad1%" or Image.Hashes like r"%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%" or Image.Hashes like r"%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%" or Image.Hashes like r"%SHA1=7cd4aea9c1f82111bf7f9d4934be95e9bb6f8ae0%" or Image.Hashes like r"%SHA1=d32408c3b79b1f007331d2a3c78b1a7e96f37f79%" or Image.Hashes like r"%SHA1=a6a71fb4f91080aff2a3a42811b4bd86fb22168d%" or Image.Hashes like 
r"%SHA1=a0c7c913d7b5724a46581b6e00dd72c26c37794d%" or Image.Hashes like r"%SHA1=6f8b0e1c7d7bd7beed853e0d51ca03f143e5b703%" or Image.Hashes like r"%SHA1=91ee32b464f6385fc8c44b867ca3dec665cbe886%" or Image.Hashes like r"%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%" or Image.Hashes like r"%SHA1=75dd52e28c40cd22e38ae2a74b52eb0cddfcb2c4%" or Image.Hashes like r"%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%" or Image.Hashes like r"%SHA1=f9cced7ccdc1f149ad8ad13a264c4425aee89b8e%" or Image.Hashes like r"%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%" or Image.Hashes like r"%SHA1=e4e40032376279e29487afc18527804dce792883%" or Image.Hashes like r"%SHA1=bebf97411946749b9050989d9c40352dbe8269ea%" or Image.Hashes like r"%SHA1=cfcecf6207d16aeb0af29aac8a4a2f104483018e%" or Image.Hashes like r"%SHA1=b21cba198d721737aabd882ada6c91295a5975ed%" or Image.Hashes like r"%SHA1=8f540936f2484d020e270e41529624407b7e107e%" or Image.Hashes like r"%SHA1=32888d789edc91095da2e0a5d6c564c2aebcee68%" or Image.Hashes like r"%SHA1=10fc6933deb7de9813e07d864ce03334a4f489d9%" or Image.Hashes like r"%SHA1=09d3ff3c57f5154735e676f2c0a10b5e51336bb3%" or Image.Hashes like r"%SHA1=d022f5e3c1bba43871af254a16ab0e378ea66184%" or Image.Hashes like r"%SHA1=6c445ceb38d5b1212ce2e7498888dd9562a57875%" or Image.Hashes like r"%SHA1=cf9b4d606467108e4b845ecb8ede2f5865bd6c33%" or Image.Hashes like r"%SHA1=c4ce0bb8a939c4f4cff955d9b3cdd9eb52746cc9%" or Image.Hashes like r"%SHA1=8325e8d7fd2edc126dcf1089dee8da64e79fb12e%" or Image.Hashes like r"%SHA1=2bb68b195f66f53f90f17b364928929d5b2883b5%" or Image.Hashes like r"%SHA1=d3a6f86245212e1ef9e0e906818027ec14a239cb%" or Image.Hashes like r"%SHA1=5672e2212c3b427c1aef83fcd725b587a3d3f979%" or Image.Hashes like r"%SHA1=7cee31d3aaee8771c872626feedeeb5d09db008c%" or Image.Hashes like r"%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%" or Image.Hashes like r"%SHA1=4f0d9122f57f4f8df41f3c3950359eb1284b9ab5%" or Image.Hashes like r"%SHA1=59c4960851af9240dded4173c4f823727af19512%" or 
Image.Hashes like r"%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%" or Image.Hashes like r"%SHA1=9393698058ce1187eb87e8c148cfe4804761142d%" or Image.Hashes like r"%SHA1=ed219d966a6e74275895cc0b975b79397760ea9f%" or Image.Hashes like r"%SHA1=4dba2ac32ed58ead57dd36b18d1cb30cc1c7b9aa%" or Image.Hashes like r"%SHA1=d2be76e79741454b4611675b58446e10fc3d0c6c%" or Image.Hashes like r"%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%" or Image.Hashes like r"%SHA1=6b54b8f7edca5fb25a8ef1a1d31e14b9738db579%" or Image.Hashes like r"%SHA1=52d9bbe41eea0b60507c469f7810d80343c03c2b%" or Image.Hashes like r"%SHA1=f7330a6a4d9df2f35ab93a28c8ee1eb14a74be6e%" or Image.Hashes like r"%SHA1=589a7d4df869395601ba7538a65afae8c4616385%" or Image.Hashes like r"%SHA1=61d44c9a1ef992bc29502f725d1672d551b9bc3f%" or Image.Hashes like r"%SHA1=da689e8e0e3fc4c7114b44d185eef4c768e15946%" or Image.Hashes like r"%SHA1=170a50139f95ad1ec94d51fdd94c1966dbed0e47%" or Image.Hashes like r"%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%" or Image.Hashes like r"%SHA1=bfff0073c936b9a7e2ad6848deb6f9bf03205488%" or Image.Hashes like r"%SHA1=1586f121d38cc42e5d04fe2f56091e91c6cdd8fa%" or Image.Hashes like r"%SHA1=96ec8c16f6a54b48e9a7f0d0416a529f4bf9ac11%" or Image.Hashes like r"%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%" or Image.Hashes like r"%SHA1=4d4535c111c7b568cb8a3bece27a97d738512a6b%" or Image.Hashes like r"%SHA1=258f1cdc79bd20c2e6630a0865abfe60473b98d5%" or Image.Hashes like r"%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%" or Image.Hashes like r"%SHA1=2c2fc258871499b206963c0f933583cedcdf9ea2%" or Image.Hashes like r"%SHA1=6a2912c8e2aa4373852585bc1134b83c637bc9fd%" or Image.Hashes like r"%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%" or Image.Hashes like r"%SHA1=1951ae94c6ee63fa801208771b5784f021c70c60%" or Image.Hashes like r"%SHA1=8b53284fb23d34ca144544b19f8fba63700830d8%" or Image.Hashes like r"%SHA1=6bfeac43be3ebd8d95a5eba963e18d97d76d2b05%" or Image.Hashes like 
r"%SHA1=2ae1456bb0fa5a016954b03967878fb6db4d81eb%" or Image.Hashes like r"%SHA1=63f9ee1e7aefd961cf36eeffd455977f1b940f6c%" or Image.Hashes like r"%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%" or Image.Hashes like r"%SHA1=baa94f0f816d7a41a63e7f1aa9dd3d64a9450ed0%" or Image.Hashes like r"%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%" or Image.Hashes like r"%SHA1=bff4c3696d81002c56f473a8ab353ef0e45854c0%" or Image.Hashes like r"%SHA1=64df813dc0774ef57d21141dcb38d08059fd8660%" or Image.Hashes like r"%SHA1=bdfb1a2b08d823009c912808425b357d22480ecc%" or Image.Hashes like r"%SHA1=470633a3a1e1b1f13c3f6c5192ce881efd206d7c%" or Image.Hashes like r"%SHA1=65f6a4a23846277914d90ba6c12742eecf1be22d%" or Image.Hashes like r"%SHA1=ed40c1f7da98634869b415530e250f4a665a8c48%" or Image.Hashes like r"%SHA1=1ab702c495cb7832d4cc1ff896277fa56ed8f30d%" or Image.Hashes like r"%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%" or Image.Hashes like r"%SHA1=b3b523504af5228c49060ec8dea9f8adce05e117%" or Image.Hashes like r"%SHA1=108575d8f0b98fed29514a54052f7bf5a8cb3ff0%" or Image.Hashes like r"%SHA1=8fafd70bae94bbc22786c9328ee9126fed54dbae%" or Image.Hashes like r"%SHA1=d3b23a0b70d6d279abd8db109f08a8b0721ce327%" or Image.Hashes like r"%SHA1=190ec384e6eb1dafca80df05055ead620b2502ba%" or Image.Hashes like r"%SHA1=6b25acbcb41a593aca6314885572fc22d16582a2%" or Image.Hashes like r"%SHA1=341225961c15a969c62de38b4ec1938f65fda178%" or Image.Hashes like r"%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%" or Image.Hashes like r"%SHA1=5812387783d61c6ab5702213bb968590a18065e3%" or Image.Hashes like r"%SHA1=e700fcfae0582275dbaee740f4f44b081703d20d%" or Image.Hashes like r"%SHA1=a2167b723dfb24bf8565cbe2de0ecce77307fb9e%" or Image.Hashes like r"%SHA1=7cf7644e38746c9be4537b395285888d5572ae1b%" or Image.Hashes like r"%SHA1=3b8ddf860861cc4040dea2d2d09f80582547d105%" or Image.Hashes like r"%SHA1=1a17cc64e47d3db7085a4dc365049a2d4552dc8a%" or Image.Hashes like r"%SHA1=9b3f57693f0f69d3729762d59a10439e738b9031%" or 
Image.Hashes like r"%SHA1=63bb17160115f16b3fca1f028b13033af4e468c6%" or Image.Hashes like r"%SHA1=631fdd1ef2d6f2d98e36f8fc7adbf90fbfb0a1e8%" or Image.Hashes like r"%SHA1=06ec56736c2fc070066079bb628c17b089b58f6c%" or Image.Hashes like r"%SHA1=d1ba4c95697a25ec265a3908acbff269e29e760c%" or Image.Hashes like r"%SHA1=e40182c106f6f09fd79494686329b95477d6beb5%" or Image.Hashes like r"%SHA1=c74f6293be68533995e4b95469e6dddedd1c3905%" or Image.Hashes like r"%SHA1=ec457a53ea03287cbbd1edcd5f27835a518ef144%" or Image.Hashes like r"%SHA1=1a01f3bdbfae4f8111674068a001aaf3363f21ea%" or Image.Hashes like r"%SHA1=ce1d0ebaeaa4fe3ecb49242f1e80bc7a4e43fd8c%" or Image.Hashes like r"%SHA1=f77413ec3bd9ed3f31fc53a4c755dc4123e0068f%" or Image.Hashes like r"%SHA1=17614fdee3b89272e99758983b99111cbb1b312c%" or Image.Hashes like r"%SHA1=8b63eb0f5dbb844ee5f6682f0badef872ae569bf%" or Image.Hashes like r"%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%" or Image.Hashes like r"%SHA1=c8674fe95460a37819e06d9df304254931033ca7%" or Image.Hashes like r"%SHA1=273634ac170d1a6abd32e0db597376a6f62eb59e%" or Image.Hashes like r"%SHA1=dd4cd182192b43d4105786ba87f55a036ec45ef2%" or Image.Hashes like r"%SHA1=f9eb4c942a89b4ba39d2bdbfd23716937ccb9925%" or Image.Hashes like r"%SHA1=94144619920bd086028bb5647b1649a35438028c%" or Image.Hashes like r"%SHA1=2871a631f36cd1ea2fd268036087d28070ef2c52%" or Image.Hashes like r"%SHA1=57cf65b024d9e2831729def42db2362d7c90dcfa%" or Image.Hashes like r"%SHA1=d3daa971580b9f94002f7257de44fcef13bb1673%" or Image.Hashes like r"%SHA1=8ac5703e67c3e6e0585cb8dbb86d196c5362f9bb%" or Image.Hashes like r"%SHA1=756fd2b82bf92538786b1bd283c6ef2f9794761e%" or Image.Hashes like r"%SHA1=c775ca665ed4858acc3f7e75e025cbbda1f8c687%" or Image.Hashes like r"%SHA1=a8be6203c5a87ecc3ae1c452b7b6dbdf3a9f82ae%" or Image.Hashes like r"%SHA1=085c0ea6980cb93a3afa076764b7866467ac987c%" or Image.Hashes like r"%SHA1=09f117d83f2f206ee37f1eb19eea576a0ac9bdcc%" or Image.Hashes like 
r"%SHA1=c41ff2067634a1cce6b8ec657cdfd87e7f6974e3%" or Image.Hashes like r"%SHA1=ddec18909571a9d5992f93636628756b7aa9b9a2%" or Image.Hashes like r"%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%" or Image.Hashes like r"%SHA1=06ec62c590ca0f1f2575300c151c84640d2523c0%" or Image.Hashes like r"%SHA1=f95b59cab63408343ecbdb0e71db34e83f75b503%" or Image.Hashes like r"%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%" or Image.Hashes like r"%SHA1=9360774a37906e3b3c9fab39721cb9400dd31c46%" or Image.Hashes like r"%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%" or Image.Hashes like r"%SHA1=dc393d30453daa1f853f47797e48c142ac77a37b%" or Image.Hashes like r"%SHA1=b70321d078f2e9c9826303bdc87ba9b7be290807%" or Image.Hashes like r"%SHA1=4cd5bf02edf6883a08dfed7702267612e21ed56e%" or Image.Hashes like r"%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%" or Image.Hashes like r"%SHA1=296757d5663290f172e99e60b9059f989cba4c4e%" or Image.Hashes like r"%SHA1=0caf4e86b14aaab7e10815389fcd635988bc6637%" or Image.Hashes like r"%SHA1=449ff4f5ce2fdddac05a6c82e45a7e802b1c1305%" or Image.Hashes like r"%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%" or Image.Hashes like r"%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%" or Image.Hashes like r"%SHA1=4818d7517054d5cba38b679bdf7f8495fd152729%" or Image.Hashes like r"%SHA1=47df454cb030c1f4f7002d46b1308a32b03148e7%" or Image.Hashes like r"%SHA1=28fa0e9429af24197134306b6c7189263e939136%" or Image.Hashes like r"%SHA1=186b6523e8e2fa121d6d3b8cb106e9a5b918af4f%" or Image.Hashes like r"%SHA1=9dbd255ee29be0e552f7f5f30d6ffb97e6cd0b0d%" or Image.Hashes like r"%SHA1=76a756cc61653abcadd63db4a74c48d92607a861%" or Image.Hashes like r"%SHA1=15df139494d2c40a645fb010908551185c27f3c5%" or Image.Hashes like r"%SHA1=64879accdb4dbbaac55d91185c82f2b193f0c869%" or Image.Hashes like r"%SHA1=55777e18eb95b6c9c3e6df903f0ac36056fa83da%" or Image.Hashes like r"%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%" or Image.Hashes like r"%SHA1=135b261eb03e830c57b1729e3a4653f9c27c7522%" or 
Image.Hashes like r"%SHA1=deaf7d0c934cc428981ffa5bf528ca920bc692dc%" or Image.Hashes like r"%SHA1=309a799f1a00868ab05cdbb851b3297db34d9b0d%" or Image.Hashes like r"%SHA1=d5beca70469e0dcb099ba35979155e7c91876fd2%" or Image.Hashes like r"%SHA1=376d59d0b19905ebb9b89913a5bdfacde1bd5a1e%" or Image.Hashes like r"%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%" or Image.Hashes like r"%SHA1=dfd801b6c2715f5525f8ffb38e3396a5ad9b831d%" or Image.Hashes like r"%SHA1=92befb8b3d17bd3f510d09d464ec0131f8a43b8f%" or Image.Hashes like r"%SHA1=b671677079bf7c660579bee08b8875a48ff61896%" or Image.Hashes like r"%SHA1=0d6fb0cb9566b4e4ca4586f26fe0631ffa847f2c%" or Image.Hashes like r"%SHA1=bca4bbe4388ebeb834688e97fac281c09b0f3ac1%" or Image.Hashes like r"%SHA1=0b3836d5d98bc8862a380aae19caa3e77a2d93ef%" or Image.Hashes like r"%SHA1=b394f84e093cb144568e18aaf5b857dff77091fa%" or Image.Hashes like r"%SHA1=7329bb4a7ca98556fa6b05bd4f9b236186e845d1%" or Image.Hashes like r"%SHA1=0307d76750dd98d707c699aee3b626643afb6936%" or Image.Hashes like r"%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%" or Image.Hashes like r"%SHA1=2740cd167a9ccb81c8e8719ce0d2ae31babc631c%" or Image.Hashes like r"%SHA1=77a011b5d5d5aaf421a543fcee22cb7979807c60%" or Image.Hashes like r"%SHA1=a197a02025946aca96d6e74746f84774df31249e%" or Image.Hashes like r"%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%" or Image.Hashes like r"%SHA1=c71597c89bd8e937886e3390bc8ac4f17cdeae7c%" or Image.Hashes like r"%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%" or Image.Hashes like r"%SHA1=e71caa502d0fe3a7383ce26285a6022e63acda97%" or Image.Hashes like r"%SHA1=446130c61555e5c9224197963d32e108cd899ea0%" or Image.Hashes like r"%SHA1=218e4bbdd5ce810c48b938307d01501c442b75f4%" or Image.Hashes like r"%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%" or Image.Hashes like r"%SHA1=0cb14c1049c0e81c8655ab7ee7d698c11758ea06%" or Image.Hashes like r"%SHA1=f3c20ce4282587c920e9ff5da2150fac7858172e%" or Image.Hashes like 
r"%SHA1=dd49a71f158c879fb8d607cc558b507c7c8bc5b9%" or Image.Hashes like r"%SHA1=7d34bb240cb5dec51ffcc7bf062c8d613819ac30%" or Image.Hashes like r"%SHA1=0b01c4c1f18d72eb622be2553114f32edfe7b7aa%" or Image.Hashes like r"%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%" or Image.Hashes like r"%SHA1=4186ac693003f92fdf1efbd27fb8f6473a7cc53e%" or Image.Hashes like r"%SHA1=01b95ae502aa09aabc69a0482fcc8198f7765950%" or Image.Hashes like r"%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%" or Image.Hashes like r"%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%" or Image.Hashes like r"%SHA1=c614ab686e844c7a7d2b20bc7061ab15290e2cfd%" or Image.Hashes like r"%SHA1=2cf75df00c69d907cfe683cb25077015d05be65d%" or Image.Hashes like r"%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%" or Image.Hashes like r"%SHA1=a528cdeed550844ca7d31c9e231a700b4185d0da%" or Image.Hashes like r"%SHA1=8ec28d7da81cf202f03761842738d740c0bb2fed%" or Image.Hashes like r"%SHA1=e606282505af817698206672db632332e8c3d3ff%" or Image.Hashes like r"%SHA1=47830d6d3ee2d2a643abf46a72738d77f14114bc%" or Image.Hashes like r"%SHA1=57ea07ab767f11c81c6468b1f8a3d5f4618b800b%" or Image.Hashes like r"%SHA1=34b0f1b2038a1572ee6381022a24333357b033c4%" or Image.Hashes like r"%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%" or Image.Hashes like r"%SHA1=a14d96b65d3968181d57b57ee60c533cb621b707%" or Image.Hashes like r"%SHA1=cd248648eafca6ef77c1b76237a6482f449f13be%" or Image.Hashes like r"%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%" or Image.Hashes like r"%SHA1=64ff172bafc33f14ca5f2e35f9753d41e239a5e4%" or Image.Hashes like r"%SHA1=74bf2ec32cb881424a79e99709071870148d242d%" or Image.Hashes like r"%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%" or Image.Hashes like r"%SHA1=3c81cdfd99d91c7c9de7921607be12233ed0dfd8%" or Image.Hashes like r"%SHA1=c1a5aacf05c00080e04d692a99c46ab445bf8b6e%" or Image.Hashes like r"%SHA1=1768fb2b4796f624fa52b95dfdfbfb922ac21019%" or Image.Hashes like r"%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%" or 
Image.Hashes like r"%SHA1=6df6d5b30d04b9adb9d2c99de18ed108b011d52b%" or Image.Hashes like r"%SHA1=8589a284f1a087ad5b548fb1a933289781b4cedc%" or Image.Hashes like r"%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%" or Image.Hashes like r"%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%" or Image.Hashes like r"%SHA1=f5bafebfbfb67a022452870289ac7849e9ee1f61%" or Image.Hashes like r"%SHA1=5965ca5462cd9f24c67a1a1c4ef277fab8ea81d3%" or Image.Hashes like r"%SHA1=804013a12f2f6ba2e55c4542cbdc50ca01761905%" or Image.Hashes like r"%SHA1=30c6e1da8745c3d53df696af407ef095a8398273%" or Image.Hashes like r"%SHA1=2fed7eddd63f10ed4649d9425b94f86140f91385%" or Image.Hashes like r"%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%" or Image.Hashes like r"%SHA1=5ce273aa80ed3b0394e593a999059096682736ae%" or Image.Hashes like r"%SHA1=36397c6879978223ba52acd97da99e8067ab7f05%" or Image.Hashes like r"%SHA1=8a23735d9a143ad526bf73c6553e36e8a8d2e561%" or Image.Hashes like r"%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%" or Image.Hashes like r"%SHA1=f2ce790bf47b01a7e1ef5291d8fa341d5f66883a%" or Image.Hashes like r"%SHA1=f52c2d897fa00910d5566503dd5a297970f13dc6%" or Image.Hashes like r"%SHA1=256d285347acd715ed8920e41e5ec928ae9201a8%" or Image.Hashes like r"%SHA1=58fe23f1bb9d4bcc1b07b102222a7d776cc90f6c%" or Image.Hashes like r"%SHA1=55d84fd3e5db4bdbd3fb6c56a84b6b8a320c7c58%" or Image.Hashes like r"%SHA1=a71c17bfeefd76a9f89e74a52a2b6fdd3efbabe2%" or Image.Hashes like r"%SHA1=83b5e60943a92050fccb8acef7aa464c8f81d38e%" or Image.Hashes like r"%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%" or Image.Hashes like r"%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%" or Image.Hashes like r"%SHA1=9db1585c0fab6a9feb411c39267ac4ad29171696%" or Image.Hashes like r"%SHA1=2eddb10eecef740ec2f9158fa39410ec32262fc3%" or Image.Hashes like r"%SHA1=ad60e40a148accec0950d8d13bf7182c2bd5dfef%" or Image.Hashes like r"%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%" or Image.Hashes like 
r"%SHA1=5a7bcb1864d1e8ecde0b58d21b98518ca4b2f1f2%" or Image.Hashes like r"%SHA1=d6de8983dbd9c4c83f514f4edf1ac7be7f68632f%" or Image.Hashes like r"%SHA1=07f60b2b0e56cb15aad3ca8a96d9fe3a91491329%" or Image.Hashes like r"%SHA1=6b90a6eeef66bb9302665081e30bf9802ca956cc%" or Image.Hashes like r"%SHA1=634b1e9d0aafac1ec4373291cefb52c121e8d265%" or Image.Hashes like r"%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%" or Image.Hashes like r"%SHA1=ec04d8c814f6884c009a7b51c452e73895794e64%" or Image.Hashes like r"%SHA1=fdf4a0af89f0c8276ad6d540c75beece380703ab%" or Image.Hashes like r"%SHA1=76046978d8e4409e53d8126a8dcfc3bf8602c37f%" or Image.Hashes like r"%SHA1=13df48ab4cd412651b2604829ce9b61d39a791bb%" or Image.Hashes like r"%SHA1=cb25d537f4e2872e5fcbd893da8ce3807137df80%" or Image.Hashes like r"%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%" or Image.Hashes like r"%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%" or Image.Hashes like r"%SHA1=c1fe7870e202733123715cacae9b02c29494d94d%" or Image.Hashes like r"%SHA1=9c256edd10823ca76c0443a330e523027b70522d%" or Image.Hashes like r"%SHA1=079627e0f5b1ad1fb3fe64038a09bc6e8b8d289d%" or Image.Hashes like r"%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%" or Image.Hashes like r"%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%" or Image.Hashes like r"%SHA1=3f338ab65bac9550b8749bb1208edb0f7d7bcb81%" or Image.Hashes like r"%SHA1=723fd9dd0957403ed131c72340e1996648f77a48%" or Image.Hashes like r"%SHA1=e0d83953a9efef81ba0fa9de1e3446b6f0a23cc6%" or Image.Hashes like r"%SHA1=1d5d2c5853619c25518ba0c55fd7477050e708fb%" or Image.Hashes like r"%SHA1=838823f25436cadc9a145ddac076dce3e0b84d96%" or Image.Hashes like r"%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%" or Image.Hashes like r"%SHA1=363068731e87bcee19ad5cb802e14f9248465d31%" or Image.Hashes like r"%SHA1=02a8b74899591da7b7f49c0450328d39b939d7e4%" or Image.Hashes like r"%SHA1=0d8a832b9383fcdc23e83487b188ddd30963ca82%" or Image.Hashes like r"%SHA1=db6170ee2ee0a3292deceb2fc88ef26d938ebf2d%" or 
Image.Hashes like r"%SHA1=a9ea84ee976c66977bb7497aa374bba4f0dd2b27%" or Image.Hashes like r"%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%" or Image.Hashes like r"%SHA1=e067024ec42b556fb1e89ca52ef6719aa09cdf89%" or Image.Hashes like r"%SHA1=0ed0c4d6c3b6b478cbfd7fb0bd1e1b5457a757cc%" or Image.Hashes like r"%SHA1=54a4772212da2025bd8fb2dc913e1c4490e7a0cd%" or Image.Hashes like r"%SHA1=68ca9c27131aa35c7f433dc914da74f4b3d8793f%" or Image.Hashes like r"%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%" or Image.Hashes like r"%SHA1=cc3e5e45aca5b670035dfb008f0a88cecfd91cf7%" or Image.Hashes like r"%SHA1=8d676504c2680cf71c0c91afb18af40ea83b6c22%" or Image.Hashes like r"%SHA1=ba5b4eaa7cab012b71a8a973899eeee47a12becc%" or Image.Hashes like r"%SHA1=1901467b6f04a93b35d3ca0727c8a14f3ce3ed52%" or Image.Hashes like r"%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%" or Image.Hashes like r"%SHA1=116679c4b2cca6ec69453309d9d85d3793cbe05f%" or Image.Hashes like r"%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%" or Image.Hashes like r"%SHA1=e702221d059b86d49ed11395adffa82ef32a1bce%" or Image.Hashes like r"%SHA1=dd085542683898a680311a0d1095ea2dffe865e2%" or Image.Hashes like r"%SHA1=69849d68d1857c83b09e1956a46fe879260d2aab%" or Image.Hashes like r"%SHA1=a23a0627297a71a4414193e12a8c074e7bbb8a2e%" or Image.Hashes like r"%SHA1=91530e1e1fb25a26f3e0d6587200ddbaecb45c74%" or Image.Hashes like r"%SHA1=247065af09fc6fd56b07d3f5c26f555a5ccbfda4%" or Image.Hashes like r"%SHA1=e840904ce12cc2f94eb1ec16b0b89e2822c24805%" or Image.Hashes like r"%SHA1=e5bfb18f63fcfb7dc09b0292602112ea7837ef7a%" or Image.Hashes like r"%SHA1=dc6e62dbde5869a6adc92253fff6326b6af5c8d4%" or Image.Hashes like r"%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%" or Image.Hashes like r"%SHA1=40dba13a059679401fcaf7d4dbe80db03c9d265c%" or Image.Hashes like r"%SHA1=acb5d7e182a108ee02c5cb879fc94e0d6db7dd68%" or Image.Hashes like r"%SHA1=543933cce83f2e75d1b6a8abdb41199ddef8406c%" or Image.Hashes like 
r"%SHA1=0f2fdfb249c260c892334e62ab77ac88fcb8b5e4%" or Image.Hashes like r"%SHA1=81a319685d0b6112edee4bc25d14d6236f4e12da%" or Image.Hashes like r"%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%" or Image.Hashes like r"%SHA1=488b20ed53c2060c41b9a0cac1efb39a888df7c5%" or Image.Hashes like r"%SHA1=e1069365cb580e3525090f2fa28efd4127223588%" or Image.Hashes like r"%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%" or Image.Hashes like r"%SHA1=67dfd415c729705396ce54166bd70faf09ac7f10%" or Image.Hashes like r"%SHA1=c8ec23066a50800d42913d5e439700c5cd6a2287%" or Image.Hashes like r"%SHA1=07f62d9b6321bed0008e106e9ce4240cb3f76da2%" or Image.Hashes like r"%SHA1=a57eefa0c653b49bd60b6f46d7c441a78063b682%" or Image.Hashes like r"%SHA1=a4ae87b7802c82dfb6a4d26ab52788410af98532%" or Image.Hashes like r"%SHA1=bc949bc040333fdc9140b897b0066ef125343ef6%" or Image.Hashes like r"%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%" or Image.Hashes like r"%SHA1=6bb68e1894bfbc1ac86bcdc048f7fe7743de2f92%" or Image.Hashes like r"%SHA1=a54ae1793e9d77e61416e0d9fb81269a4bc8f8a2%" or Image.Hashes like r"%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%" or Image.Hashes like r"%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%" or Image.Hashes like r"%SHA1=844d2345bde50bf8ee7e86117cf7b8c6e6f00be4%" or Image.Hashes like r"%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%" or Image.Hashes like r"%SHA1=d0452363b41385f6a6778f970f3744dde4701d8f%" or Image.Hashes like r"%SHA1=d72de7e8f0118153dd5cf784f724e725865fc523%" or Image.Hashes like r"%SHA1=340ce5d8859f923222bea5917f40c4259cce1bbc%" or Image.Hashes like r"%SHA1=e1bf5dd17f84bce3b2891dffa855d81a21914418%" or Image.Hashes like r"%SHA1=e4cbb48aa1aff6cf4ea94ef3b7afb6c245ac47e8%" or Image.Hashes like r"%SHA1=0e1df95042081fa2408782f14ce483f0db19d5ab%" or Image.Hashes like r"%SHA1=d2fb46277c36498e87d0f47415b7980440d40e3d%" or Image.Hashes like r"%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%" or Image.Hashes like r"%SHA1=4a887ae6b773000864f9228800aab75e6ff34240%" or 
Image.Hashes like r"%SHA1=283c7dc5b029dbc41027df16716ec12761a53df8%" or Image.Hashes like r"%SHA1=dcdc9b2bc8e79d44846086d0d482cb7c589f09b8%" or Image.Hashes like r"%SHA1=ec8c0b2f49756b8784b3523e70cd8821b05b95eb%" or Image.Hashes like r"%SHA1=16c6bcef489f190a48e9d3b1f35972db89516479%" or Image.Hashes like r"%SHA1=ffabdf33635bdc1ed1714bc8bbfd7b73ef78a37c%" or Image.Hashes like r"%SHA1=7c625de858710d3673f6cb0cd8d0643d5422c688%" or Image.Hashes like r"%SHA1=faa61346430aedc952d820f7b16b973c9bf133c3%" or Image.Hashes like r"%SHA1=1e959d6ae22c4d9fa5613c3a9d3b6e1b472be05d%" or Image.Hashes like r"%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%" or Image.Hashes like r"%SHA1=1de9f25d189faa294468517b15947a523538ce9d%" or Image.Hashes like r"%SHA1=d8e8dcc8531b8d07f8dabc9e79c19aac6eeca793%" or Image.Hashes like r"%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%" or Image.Hashes like r"%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%" or Image.Hashes like r"%SHA1=4786253daac6c60ffc0d2871fdd68023ec93dfb3%" or Image.Hashes like r"%SHA1=ea58d72db03df85b04d1412a9b90d88ba68ab43d%" or Image.Hashes like r"%SHA1=48a09ca5fdbc214e675083c2259e051b0629457b%" or Image.Hashes like r"%SHA1=ea63567ea8d168cb6e9aae705b80a09f927b2f77%" or Image.Hashes like r"%SHA1=8347487b32b993da87275e3d44ff3683c8130d33%" or Image.Hashes like r"%SHA1=4471935df0e68fe149425703b66f1efca3d82168%" or Image.Hashes like r"%SHA1=eaddeefe13bca118369faf95eee85b0a2a553221%" or Image.Hashes like r"%SHA1=98600e919b8579d89e232a253d7277355b652750%" or Image.Hashes like r"%SHA1=444a2b778e2fc26067c49dde0aff0dcfb85f2b64%" or Image.Hashes like r"%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%" or Image.Hashes like r"%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%" or Image.Hashes like r"%SHA1=6210dabb908cc750379cc7563beb884b3895e046%" or Image.Hashes like r"%SHA1=22c08d67bf687bf7ddd57056e274cbbbdb647561%" or Image.Hashes like r"%SHA1=1a8b737dff81aa9e338b1fce0dc96ee7ee467bd5%" or Image.Hashes like 
r"%SHA1=a9b8d7afa2e4685280aebbeb162600cfce4e48c8%" or Image.Hashes like r"%SHA1=8800a33a37c640922ce6a2996cd822ed4603b8bb%" or Image.Hashes like r"%SHA1=4f94789cffb23c301f93d6913b594748684abf6a%" or Image.Hashes like r"%SHA1=511b06898770337609ee065547dbf14ce3de5a95%" or Image.Hashes like r"%SHA1=c32e6cddc7731408c747fd47af3d62861719fd7b%" or Image.Hashes like r"%SHA1=a93197c8c1897a95c4fb0367d7451019ae9f3054%" or Image.Hashes like r"%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%" or Image.Hashes like r"%SHA1=a59006308c4b5d33bb8f34ac6fb16701814fb8dc%" or Image.Hashes like r"%SHA1=3e917f0986802d47c0ffe4d6f5944998987c4160%" or Image.Hashes like r"%SHA1=b406920634361f4b7d7c1ec3b11bb40872d85105%" or Image.Hashes like r"%SHA1=9ec6f54c74bcc48e355226c26513a7240fd9462d%" or Image.Hashes like r"%SHA1=79f1a6f5486523e6d8dcfef696bc949fc767613d%" or Image.Hashes like r"%SHA1=dce4322406004fc884d91ed9a88a36daca7ae19a%" or Image.Hashes like r"%SHA1=dbe26c67a4cabba16d339a1b256ca008effcf6c8%" or Image.Hashes like r"%SHA1=9f5453c36aa03760d935e062ac9e1f548d14e894%" or Image.Hashes like r"%SHA1=da361c56c18ea98e1c442aac7c322ff20f64486b%" or Image.Hashes like r"%SHA1=14c9cd9e2cf2b0aae56c46ff9ad1c89a8a980050%" or Image.Hashes like r"%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%" or Image.Hashes like r"%SHA1=ef80da613442047697bec35ea228cde477c09a3d%" or Image.Hashes like r"%SHA1=c834c4931b074665d56ccab437dfcc326649d612%" or Image.Hashes like r"%SHA1=aa2ea973bb248b18973e57339307cfb8d309f687%" or Image.Hashes like r"%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%" or Image.Hashes like r"%SHA1=977fd907b6a2509019d8ef4f6213039f2523f2b5%" or Image.Hashes like r"%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%" or Image.Hashes like r"%SHA1=a45687965357036df17b8ff380e3a43a8fbb2ca9%" or Image.Hashes like r"%SHA1=59aead65b240a163ad47b2d1cf33cdb330608317%" or Image.Hashes like r"%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%" or Image.Hashes like r"%SHA1=ddd36f96f5a509855f55eed9eb4cba9758d6339a%" or 
Image.Hashes like r"%SHA1=a838303cda908530ef124f8d6f7fb69938b613bc%" or Image.Hashes like r"%SHA1=84d44e166072bccf1f8e1e9eb51880ffa065a274%" or Image.Hashes like r"%SHA1=88d00eff21221f95a0307da229bc9fe1afb6861b%" or Image.Hashes like r"%SHA1=9ca90642cff9ca71c7022c0f9dfd87da2b6a0bff%" or Image.Hashes like r"%SHA1=a98734cd388f5b4b3caca5ce61cb03b05a8ad570%" or Image.Hashes like r"%SHA1=bad84fca57ab0ef0af9230a93e0cc3d149f9ccd0%" or Image.Hashes like r"%SHA1=ce5681896e7631b6e83cccb7aa056a33e72a1bbe%" or Image.Hashes like r"%SHA1=0634878c3f6048a38ec82869d7c6df2f69f3e210%" or Image.Hashes like r"%SHA1=eacfc73f5f45f229867ee8b2eb1f9649b5dd422e%" or Image.Hashes like r"%SHA1=dc8fa4648c674e3a7148dd8e8c35f668a3701a52%" or Image.Hashes like r"%SHA1=02316decf9e5165b431c599643f6856e86b95e7c%" or Image.Hashes like r"%SHA1=cc3186debacb98e0b0fb40ad82816bea10741099%" or Image.Hashes like r"%SHA1=87f313fc30ec8759b391e9d6c08f79b02f3ecebd%" or Image.Hashes like r"%SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e%" or Image.Hashes like r"%SHA1=62fdb0b43c56530a6a0ba434037d131f236d1266%" or Image.Hashes like r"%SHA1=5088c71a740ef7c4156dcaa31e543052fe226e1c%" or Image.Hashes like r"%SHA1=64d0447cbb0d6a45010b94eb9d5b0b90296edcbf%" or Image.Hashes like r"%SHA1=0aecdc0b8208b81b0c37eef3b0eaea8d8ebef42e%" or Image.Hashes like r"%SHA1=2fe874274bac6842819c1e9fe9477e6d5240944d%" or Image.Hashes like r"%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%" or Image.Hashes like r"%SHA1=ba0938512d7abab23a72279b914d0ea0fb46e498%" or Image.Hashes like r"%SHA1=3d8cc9123be74b31c597b0014c2a72090f0c44ef%" or Image.Hashes like r"%SHA1=1f1ce28c10453acbc9d3844b4604c59c0ab0ad46%" or Image.Hashes like r"%SHA1=724dde837df2ff92b3ea7026fe8a0c4e5773898f%" or Image.Hashes like r"%SHA1=8ab7e9ba3c26bcd5d6d0646c6d2b2693e22aac1c%" or Image.Hashes like r"%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%" or Image.Hashes like r"%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%" or Image.Hashes like 
r"%SHA1=bea745b598dd957924d3465ebc04c5b830d5724f%" or Image.Hashes like r"%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%" or Image.Hashes like r"%SHA1=99bd8c1f5eeedd9f6a9252df5dbd0e42ef5999a4%" or Image.Hashes like r"%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%" or Image.Hashes like r"%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%" or Image.Hashes like r"%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%" or Image.Hashes like r"%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%" or Image.Hashes like r"%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%" or Image.Hashes like r"%SHA1=43f53a739eda1e58f470e8e9ff9aa1437e5d9546%" or Image.Hashes like r"%SHA1=879e92a7427bdbcc051a18bbb3727ac68154e825%" or Image.Hashes like r"%SHA1=be270d94744b62b0d36bef905ef6296165ffcee9%" or Image.Hashes like r"%SHA1=108439a4c4508e8dca659905128a4633d8851fd9%" or Image.Hashes like r"%SHA1=fe0afc6dd03a9bd7f6e673cc6b4af2266737e3d1%" or Image.Hashes like r"%SHA1=343ec3073fc84968e40a145dc9260a403966bcb4%" or Image.Hashes like r"%SHA1=0d9c77aca860a43cca87a0c00f69e2ab07ab0b67%" or Image.Hashes like r"%SHA1=c60cf6dea446e4a52c6b1cfc2a76e9aadd954dab%" or Image.Hashes like r"%SHA1=bd3e1d5aacac6406a7bcea3b471bbfa863efbc3d%" or Image.Hashes like r"%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%" or Image.Hashes like r"%SHA1=53a194e1a30ed9b2d3acd87c2752cfa6645eea76%" or Image.Hashes like r"%SHA1=06ecf73790f0277b8e27c8138e2c9ad0fc876438%" or Image.Hashes like r"%SHA1=a22c111045b4358f8279190e50851c443534fc24%" or Image.Hashes like r"%SHA1=d2c7aa9b424015f970fe7506ae5d1c69a8ac11f6%" or Image.Hashes like r"%SHA1=2eeab9786dac3f5f69e642f6e29f4e4819038551%" or Image.Hashes like r"%SHA1=8ea50d7d13ff2d1306fed30a2d136dd6245eb3bc%" or Image.Hashes like r"%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%" or Image.Hashes like r"%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%" or Image.Hashes like r"%SHA1=66e95daee3d1244a029d7f3d91915f1f233d1916%" or Image.Hashes like r"%SHA1=175fb76c7cd8f0aeb916f4acb3b03f8b2d51846a%" or 
Image.Hashes like r"%SHA1=0536c9f15094ca8ddeef6dec75d93dc35366d8a9%" or Image.Hashes like r"%SHA1=65886384708d5a6c86f3c4c16a7e7cdbf68de92a%" or Image.Hashes like r"%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%" or Image.Hashes like r"%SHA1=25d812a5ece19ea375178ef9d60415841087726e%" or Image.Hashes like r"%SHA1=24b47ba7179755e3b12a59d55ae6b2c3d2bd1505%" or Image.Hashes like r"%SHA1=a547c5b1543a4c3a4f91208d377a2b513088f4a4%" or Image.Hashes like r"%SHA1=604870e76e55078dfb8055d49ae8565ed6177f7c%" or Image.Hashes like r"%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%" or Image.Hashes like r"%SHA1=962e2ac84c28ed5e373d4d4ccb434eceee011974%" or Image.Hashes like r"%SHA1=94b014123412fbe8709b58ec72594f8053037ae9%" or Image.Hashes like r"%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%" or Image.Hashes like r"%SHA1=6dac7a8fa9589caae0db9d6775361d26011c80b2%" or Image.Hashes like r"%SHA1=cd7b0c6b6ef809e7fb1f68ba36150eceabe500f7%" or Image.Hashes like r"%SHA1=1d2ab091d5c0b6e5977f7fa5c4a7bfb8ea302dc7%" or Image.Hashes like r"%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%" or Image.Hashes like r"%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%" or Image.Hashes like r"%SHA1=59c0fa0d61576d9eb839c9c7e15d57047ee7fe29%" or Image.Hashes like r"%SHA1=48be0ec2e8cb90cac2be49ef71e44390a0f648ce%" or Image.Hashes like r"%SHA1=0e030cf5e5996f0778452567e144f75936dc278f%" or Image.Hashes like r"%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%" or Image.Hashes like r"%SHA1=6cc28df318a9420b49a252d6e8aaeda0330dc67d%" or Image.Hashes like r"%SHA1=59e6effdb23644ca03e60618095dc172a28f846e%" or Image.Hashes like r"%SHA1=df177a0c8c1113449f008f8e833105344b419834%" or Image.Hashes like r"%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%" or Image.Hashes like r"%SHA1=c0a8e45e57bb6d82524417d6fb7e955ab95621c0%" or Image.Hashes like r"%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%" or Image.Hashes like r"%SHA1=363b907c3b4f37968e9c8e1b7eeca5a5c5d530f8%" or Image.Hashes like 
r"%SHA1=53f7a84a8cebe0e3f84894c6b9119466d1a8ddaf%" or Image.Hashes like r"%SHA1=7ee65bedaf7967c752831c83e26540e65358175e%" or Image.Hashes like r"%SHA1=e525f54b762c10703c975132e8fc21b6cd88d39b%" or Image.Hashes like r"%SHA1=3a1f19b7a269723e244756dac1fc27c793276fe7%" or Image.Hashes like r"%SHA1=d6b61c685cfaa36c85f1672ac95844f8293c70d0%" or Image.Hashes like r"%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%" or Image.Hashes like r"%SHA1=96523f72e4283f9816d3da8f2270690dd1dd263e%" or Image.Hashes like r"%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%" or Image.Hashes like r"%SHA1=b3c111d7192cfa8824e5c9b7c0660c37978025d6%" or Image.Hashes like r"%SHA1=49b1e6a922a8d2cb2101c48155dfc08c17d09341%" or Image.Hashes like r"%SHA1=282fca60f0c37eb6d76400bca24567945e43c6d8%" or Image.Hashes like r"%SHA1=2a06006e54c62a2e8bdf14313f90f0ab5d2f8de8%" or Image.Hashes like r"%SHA1=4692730f6b56eeb0399460c72ade8a15ddd43a62%" or Image.Hashes like r"%SHA1=fe10018af723986db50701c8532df5ed98b17c39%" or Image.Hashes like r"%SHA1=b34fc245d561905c06a8058753d25244aaecbb61%" or Image.Hashes like r"%SHA1=2ade3347df84d6707f39d9b821890440bcfdb5e9%" or Image.Hashes like r"%SHA1=5e9538d76b75f87f94ca5409ae3ddc363e8aba7f%" or Image.Hashes like r"%SHA1=5a69d921926ef0abf03757edf22c0d8d30c15d4b%" or Image.Hashes like r"%SHA1=986c1fdfe7c9731f4de15680a475a72cf2245121%" or Image.Hashes like r"%SHA1=42eb220fdfb76c6e0649a3e36acccbdf36e287f1%" or Image.Hashes like r"%SHA1=7192e22e0f8343058ec29fb7b8065e09ce389a5b%" or Image.Hashes like r"%SHA1=b2b01c728e0e8ef7b2e9040d6db9828bd4a5b48d%" or Image.Hashes like r"%SHA1=b99a5396094b6b20cea72fbf0c0083030155f74e%" or Image.Hashes like r"%SHA1=628e63caf72c29042e162f5f7570105d2108e3c2%" or Image.Hashes like r"%SHA1=1fb12c5db2acad8849677e97d7ce860d2bb2329e%" or Image.Hashes like r"%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%" or Image.Hashes like r"%SHA1=46be4e6cd8117ac13531bff30edcf564f39bcc52%" or Image.Hashes like r"%SHA1=377f7e7382908690189aede31fcdd532baa186b5%" or 
Image.Hashes like r"%SHA1=5b4619596c89ed17ccbe92fd5c0a823033f2f1e1%" or Image.Hashes like r"%SHA1=bda102afbc60f3f3c5bcbd5390ffbbbb89170b9c%" or Image.Hashes like r"%SHA1=ca33c88cd74e00ece898dca32a24bdfcacc3f756%" or Image.Hashes like r"%SHA1=7d1ff4096a75f9fcc67c7c9c810d99874c096b6b%" or Image.Hashes like r"%SHA1=1a83c8b63d675c940aaec10f70c0c7698e9b0165%" or Image.Hashes like r"%SHA1=f8e88630dae53e0b54edefdefa36d96c3dcbd776%" or Image.Hashes like r"%SHA1=e33eac9d3b9b5c0db3db096332f059bf315a2343%" or Image.Hashes like r"%SHA1=5635bb2478929010693bc3b23f8b7fe5fdbc3aed%" or Image.Hashes like r"%SHA1=3fd7fda9c7dfdb2a845c39971572bd090bee3b1d%" or Image.Hashes like r"%SHA1=3e790c4e893513566916c76a677b0f98bd7334dd%" or Image.Hashes like r"%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%" or Image.Hashes like r"%SHA1=5ca6a52230507b1dffab7acd501540bc10f1ab81%" or Image.Hashes like r"%SHA1=820d339fd3dbb632a790d6506ddf6aee925fcffe%" or Image.Hashes like r"%SHA1=0ac0c21ca05161eaa6a042f347391a2a2fc78c96%" or Image.Hashes like r"%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%" or Image.Hashes like r"%SHA1=4f077a95908b154ea12faa95de711cb44359c162%" or Image.Hashes like r"%SHA1=29a190727140f40cea9514a6420f5a195e36386b%" or Image.Hashes like r"%SHA1=dbf3abdc85d6a0801c4af4cd1b77c44d5f57b03e%" or Image.Hashes like r"%SHA1=de0c16e3812924212f04e15caa09763ae4770403%" or Image.Hashes like r"%SHA1=3b1f1e96fc8a7eb93b14b1213f797f164a313cee%" or Image.Hashes like r"%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%" or Image.Hashes like r"%SHA1=4c021c4a5592c07d4d415ab11b23a70ba419174b%" or Image.Hashes like r"%SHA1=9d191bee98f0af4969a26113098e3ea85483ae2d%" or Image.Hashes like r"%SHA1=ac31d15851c0af14d60cfce23f00c4b7887d3cb7%" or Image.Hashes like r"%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%" or Image.Hashes like r"%SHA1=5f8ae70b25b664433c6942d5963acadf2042cfe8%" or Image.Hashes like r"%SHA1=a37616f0575a683bd81a0f49fadbbc87e1525eba%" or Image.Hashes like 
r"%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%" or Image.Hashes like r"%SHA1=c22c28a32a5e43a76514faf4fac14d135e0d4ffd%" or Image.Hashes like r"%SHA1=7c996d9ef7e47a3b197ff69798333dc29a04cc8a%" or Image.Hashes like r"%SHA1=cb0bc86d437ab78c1fbefdaf1af965522ebdd65d%" or Image.Hashes like r"%SHA1=4a1a499857accc04b4d586df3f0e0c2b3546e825%" or Image.Hashes like r"%SHA1=c3a893680cd33706546a7a3e8fbcc4bd063ce07e%" or Image.Hashes like r"%SHA1=df58f9b193c6916aaec7606c0de5eba70c8ec665%" or Image.Hashes like r"%SHA1=fc69138b9365fa60e21243369940c8dcfcca5db1%" or Image.Hashes like r"%SHA1=3fbe337b6ed1a1a63ae8b4240c01bd68ed531674%" or Image.Hashes like r"%SHA1=07c244739803f60a75d60347c17edc02d5d10b5d%" or Image.Hashes like r"%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%" or Image.Hashes like r"%SHA1=6e191d72b980c8f08a0f60efa01f0b5bf3b34afb%" or Image.Hashes like r"%SHA1=d697a3f4993e7cb15efdeda3b1a798ae25a2d0e9%" or Image.Hashes like r"%SHA1=5cfec6aa4842e5bafff23937f5efca71f21cf7ca%" or Image.Hashes like r"%SHA1=def86c7dee1f788c717ac1917f1b5bbfada25a95%" or Image.Hashes like r"%SHA1=c22dc62e10378191840285814838fe9ed1af55d7%" or Image.Hashes like r"%SHA1=58b31fb2b623bd2c5d5c8c49b657a14a674664a4%" or Image.Hashes like r"%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%" or Image.Hashes like r"%SHA1=b62c5bae9c6541620379115a7ba0036ecfa19537%" or Image.Hashes like r"%SHA1=585df373a9c56072ab6074afee8f1ec3778d70f8%" or Image.Hashes like r"%SHA1=64ab599d34c26f53afe076a84c54db7ba1a53def%" or Image.Hashes like r"%SHA1=f130e82524d8f5af403c3b0e0ffa4b64fedeec92%" or Image.Hashes like r"%SHA1=bd87aecc0ac1d1c2ab72be1090d39fab657f7cc6%" or Image.Hashes like r"%SHA1=5499f1bca93a3613428e8c18ac93a93b9a7249fb%" or Image.Hashes like r"%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%" or Image.Hashes like r"%SHA1=2f9b0cd96d961e49d5d3b416028fd3a0e43d6a28%" or Image.Hashes like r"%SHA1=1da0c712ff42bd9112ac6afadb7c4d3ae2f20fb7%" or Image.Hashes like r"%SHA1=ef8de780cfe839ecf6dc0dc161ae645bff9b853c%" or 
Image.Hashes like r"%SHA1=feb8e6e7419713a2993c48b9758c039bd322b699%" or Image.Hashes like r"%SHA1=d9b05c5ffc5eddf65186ba802bb1ece0249cab05%" or Image.Hashes like r"%SHA1=08596732304351b311970ff96b21f451f23b1e25%" or Image.Hashes like r"%SHA1=687b8962febbbea4cf6b3c11181fd76acb7dfd5a%" or Image.Hashes like r"%SHA1=9d0b824892fbfb0b943911326f95cd0264c60f7d%" or Image.Hashes like r"%SHA1=2ed4b51429b0a3303a645effc84022512f829836%" or Image.Hashes like r"%SHA1=1a40773dc430d7cb102710812b8c61fc51dfb79b%" or Image.Hashes like r"%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%" or Image.Hashes like r"%SHA1=983a8d4b1cb68140740a7680f929d493463e32e3%" or Image.Hashes like r"%SHA1=c4b6e2351a72311a6e8f71186b218951a27fb97f%" or Image.Hashes like r"%SHA1=6b090c558b877b6abb0d1051610cadbc6335ecbb%" or Image.Hashes like r"%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%" or Image.Hashes like r"%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%" or Image.Hashes like r"%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%" or Image.Hashes like r"%SHA1=27aa3f1b4baccd70d95ea75a0a3e54e735728aa2%" or Image.Hashes like r"%SHA1=005ac9213a8a4a6c421787a7b25c0bc7b9f3b309%" or Image.Hashes like r"%SHA1=eb0d45aa6f537f5b2f90f3ad99013606eafcd162%" or Image.Hashes like r"%SHA1=c1777fcb7005b707f8c86b2370f3278a8ccd729f%" or Image.Hashes like r"%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%" or Image.Hashes like r"%SHA1=cfa85a19d9a2f7f687b0decdc4a5480b6e30cb8c%" or Image.Hashes like r"%SHA1=0e60414750c48676d7aa9c9ec81c0a3b3a4d53d0%" or Image.Hashes like r"%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%" or Image.Hashes like r"%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%" or Image.Hashes like r"%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%" or Image.Hashes like r"%SHA1=540b9f9a232b9d597138b8e0f33d83f5f6e247af%" or Image.Hashes like r"%SHA1=19bf65bdd9d77f54f1e8ccf189dc114e752344b0%" or Image.Hashes like r"%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%" or Image.Hashes like 
r"%SHA1=9f22ebcd2915471e7526f30aa53c24b557a689f5%" or Image.Hashes like r"%SHA1=562368c390b0dadf2356b8b3c747357ecef2dfc8%" or Image.Hashes like r"%SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d%" or Image.Hashes like r"%SHA1=03a56369b8b143049a6ec9f6cc4ef91ac2775863%" or Image.Hashes like r"%SHA1=82034032b30bbb78d634d6f52c7d7770a73b1b3c%" or Image.Hashes like r"%SHA1=3059bc49e027a79ff61f0147edbc5cd56ad5fc2d%" or Image.Hashes like r"%SHA1=af5f642b105d86f82ba6d5e7a55d6404bfb50875%" or Image.Hashes like r"%SHA1=f86ae53eb61d3c7c316effe86395a4c0376b06db%" or Image.Hashes like r"%SHA1=3fd55927d5997d33f5449e9a355eb5c0452e0de3%" or Image.Hashes like r"%SHA1=d942dac4033dcd681161181d50ce3661d1e12b96%" or Image.Hashes like r"%SHA1=dd55015f5406f0051853fd7cca3ab0406b5a2d52%" or Image.Hashes like r"%SHA1=336ed563ef96c40eece92a4d13de9f9b69991c8a%" or Image.Hashes like r"%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%" or Image.Hashes like r"%SHA1=ada23b709cb2bef8bedd612dc345db2e2fdbfaca%" or Image.Hashes like r"%SHA1=bd421ffdcc074ecca954d9b2c2fbce9301e9a36c%" or Image.Hashes like r"%SHA1=42f6bfcf558ef6da9254ed263a89abf4e909b5d5%" or Image.Hashes like r"%SHA1=9eef72e0c4d5055f6ae5fe49f7f812de29afbf37%" or Image.Hashes like r"%SHA1=007b2c7d72a5a89b424095dbb7f67ff2aeddb277%" or Image.Hashes like r"%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%" or Image.Hashes like r"%SHA1=35a817d949b2eab012506bed0a3b4628dd884471%" or Image.Hashes like r"%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%" or Image.Hashes like r"%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%" or Image.Hashes like r"%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%" or Image.Hashes like r"%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%" or Image.Hashes like r"%SHA1=34ec04159d2c653a583a73285e6e2ac3c7b416dd%" or Image.Hashes like r"%SHA1=4f30f64b5dfcdc889f4a5e25b039c93dd8551c71%" or Image.Hashes like r"%SHA1=13572d36428ef32cfed3af7a8bb011ee756302b0%" or Image.Hashes like r"%SHA1=17d28a90ef4d3dbb083371f99943ff938f3b39f6%" or 
Image.Hashes like r"%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%" or Image.Hashes like r"%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%" or Image.Hashes like r"%SHA1=c8a4a64b412fd8ef079661db4a4a7cd7394514ca%" or Image.Hashes like r"%SHA1=24343ec4dfec11796a8800a3059b630e8be89070%" or Image.Hashes like r"%SHA1=a55b709cec2288384b12eafa8be4930e7c075ec9%" or Image.Hashes like r"%SHA1=5853e44ea0b6b4e9844651aa57d631193c1ed0f0%" or Image.Hashes like r"%SHA1=e3266b046d278194ade4d8f677772d0cb4ecfaf1%" or Image.Hashes like r"%SHA1=717669a1e2380cb61cc4e34618e118cc9cabbcd0%" or Image.Hashes like r"%SHA1=0adc1320421f02f2324e764aa344018758514436%" or Image.Hashes like r"%SHA1=7e900b0370a1d3cb8a3ea5394d7d094f95ec5dc0%" or Image.Hashes like r"%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%" or Image.Hashes like r"%SHA1=68b97bfaf61294743ba15ef36357cdb8e963b56e%" or Image.Hashes like r"%SHA1=e0d12e44db3f57ee7ea723683a6fd346dacf2e3e%" or Image.Hashes like r"%SHA1=31529d0e73f7fbfbe8c28367466c404c0e3e1d5a%" or Image.Hashes like r"%SHA1=04967bfd248d30183992c6c9fd2d9e07ae8d68ad%" or Image.Hashes like r"%SHA1=4d14d25b540bf8623d09c06107b8ca7bb7625c30%" or Image.Hashes like r"%SHA1=01779ee53f999464465ed690d823d160f73f10e7%" or Image.Hashes like r"%SHA1=e83fc2331ae1ea792b6cff7e970f607fee7346be%" or Image.Hashes like r"%SHA1=c8864c0c66ea45011c1c4e79328a3a1acf7e84a9%" or Image.Hashes like r"%SHA1=a92207062fb72e6e173b2ffdb12c76834455f5d3%" or Image.Hashes like r"%SHA1=6e58421e37c022410455b1c7b01f1e3c949df1cd%" or Image.Hashes like r"%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%" or Image.Hashes like r"%SHA1=4885cd221fa1ea330b9e4c1702be955d68bd3f6a%" or Image.Hashes like r"%SHA1=f7413250e7e8ad83c350092d78f0f75fcca9f474%" or Image.Hashes like r"%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%" or Image.Hashes like r"%SHA1=970af806aa5e9a57d42298ab5ffa6e0d0e46deda%" or Image.Hashes like r"%SHA1=fe02ae340dc7fe08e4ad26dab9de418924e21603%" or Image.Hashes like 
r"%SHA1=85941b94524da181be8aad290127aa18fc71895c%" or Image.Hashes like r"%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%" or Image.Hashes like r"%SHA1=9cc694dcb532e94554a2a1ef7c6ced3e2f86ef5a%" or Image.Hashes like r"%SHA1=398e8209e5c5fdcb6c287c5f9561e91887caca7d%" or Image.Hashes like r"%SHA1=4e56e0b1d12664c05615c69697a2f5c5d893058a%" or Image.Hashes like r"%SHA1=ee877b496777763e853dd81fefd0924509bc5be0%" or Image.Hashes like r"%SHA1=3f347117d21cd8229dd99fa03d6c92601067c604%" or Image.Hashes like r"%SHA1=61f5904e9ff0d7e83ad89f0e7a3741e7f2fbf799%" or Image.Hashes like r"%SHA1=7ce978092fadbef44441a5f8dcb434df2464f193%" or Image.Hashes like r"%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%" or Image.Hashes like r"%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%" or Image.Hashes like r"%SHA1=91d026cd98de124d281fd6a8e7c54ddf6b913804%" or Image.Hashes like r"%SHA1=db006fa522142a197686c01116a6cf60e0001ef7%" or Image.Hashes like r"%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%" or Image.Hashes like r"%SHA1=089411e052ea17d66033155f77ae683c50147018%" or Image.Hashes like r"%SHA1=263181bc8c2c6af06b9a06d994e4b651c3ab1849%" or Image.Hashes like r"%SHA1=30e7258a5816a6db19cdda2b2603a8c3276f05c2%" or Image.Hashes like r"%SHA1=96047b280e0d6ddde9df1c79ca5f561219a0370d%" or Image.Hashes like r"%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%" or Image.Hashes like r"%SHA1=4c6ec22bc10947d089167b19d83a26bdd69f0dd1%" or Image.Hashes like r"%SHA1=ccd547ef957189eddb6ee213e5e0136e980186f9%" or Image.Hashes like r"%SHA1=8d3be83cf3bb36dbce974654b5330adb38792c2d%" or Image.Hashes like r"%SHA1=d0216ebc81618c22d9d51f2f702c739625f40037%" or Image.Hashes like r"%SHA1=18f34a0005e82a9a1556ba40b997b0eae554d5fd%" or Image.Hashes like r"%SHA1=3784d1b09a515c8824e05e9ea422c935e693080c%" or Image.Hashes like r"%SHA1=5c94c8894799f02f19e45fcab44ee33e653a4d17%" or Image.Hashes like r"%SHA1=88839168e50a4739dd4193f2d8f93a30cd1f14d8%" or Image.Hashes like r"%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%" or 
Image.Hashes like r"%SHA1=5742ad3d30bd34c0c26c466ac6475a2b832ad59e%" or Image.Hashes like r"%SHA1=d452fc8541ed5e97a6cbc93d08892c82991cdaad%" or Image.Hashes like r"%SHA1=eac1b9e1848dc455ed780292f20cd6a0c38a3406%" or Image.Hashes like r"%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%" or Image.Hashes like r"%SHA1=d48757b74eff02255f74614f35aa27abbe3f72c7%" or Image.Hashes like r"%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%" or Image.Hashes like r"%SHA1=08efd5e24b5ebfef63b5e488144dc9fb6524eaf1%" or Image.Hashes like r"%SHA1=cb212a826324909fdedd2b572a59a5be877f1d7d%" or Image.Hashes like r"%SHA1=b0aede5a66e13469c46acbc3b01ccf038acf222c%" or Image.Hashes like r"%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%" or Image.Hashes like r"%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%" or Image.Hashes like r"%SHA1=75d0b9bdfa79e5d43ec8b4c0996f559075723de7%" or Image.Hashes like r"%SHA1=1bd4ae9a406bf010e34cdd38e823f732972b18e3%" or Image.Hashes like r"%SHA1=b74338c91c6effabc02ae0ced180428ab1024c7d%" or Image.Hashes like r"%SHA1=6679cb0907ade366cf577d55be07eabc9fb83861%" or Image.Hashes like r"%SHA1=6ce0094a9aacdc050ff568935014607b8f23ff00%" or Image.Hashes like r"%SHA1=f7b3457a6fd008656e7216b1f09db2ff062f1ca4%" or Image.Hashes like r"%SHA1=89656051126c3e97477a9985d363fbdde0bc159e%" or Image.Hashes like r"%SHA1=1ecb7b9658eb819a80b8ebdaa2e69f0d84162622%" or Image.Hashes like r"%SHA1=aaaf565fa30834aba3f29a97fc58d15e372500b5%" or Image.Hashes like r"%SHA1=b49ac8fefc6d1274d84fef44c1e5183cc7accba1%" or Image.Hashes like r"%SHA1=9f2b550c58c71d407898594b110a9320d5b15793%" or Image.Hashes like r"%SHA1=3f6a997b04d2299ba0e9f505803e8d60d0755f44%" or Image.Hashes like r"%SHA1=ec0c3c61a293a90f36db5f8ed91cbf33c2b14a19%" or Image.Hashes like r"%SHA1=d73dabcb3f55935b701542fd26875006217ebbbe%" or Image.Hashes like r"%SHA1=dda8c7e852fe07d67c110dab163354a2a85f44a5%" or Image.Hashes like r"%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%" or Image.Hashes like 
r"%SHA1=9e8a87401dc7cc56b3a628b554ba395b1868520f%" or Image.Hashes like r"%SHA1=35b28b15835aa0775b57f460d8a03e53dc1fb30f%" or Image.Hashes like r"%SHA1=09c567b8dd7c7f93884c2e6b71a7149fc0a7a1b5%" or Image.Hashes like r"%SHA1=9f6883e59fd6c136cfc556b7b388a4c363dc0516%" or Image.Hashes like r"%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%" or Image.Hashes like r"%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%" or Image.Hashes like r"%SHA1=5abffd08f4939a0dee81a5d95cf1c02e2e14218c%" or Image.Hashes like r"%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%" or Image.Hashes like r"%SHA1=5eb693c9cc49c7d6a03f7960ddcfd8f468e5656b%" or Image.Hashes like r"%SHA1=4518758452af35d593e0cae80d9841a86af6d3de%" or Image.Hashes like r"%SHA1=da42cefde56d673850f5ef69e7934d39a6de3025%" or Image.Hashes like r"%SHA1=c32dfdb0ee859de618484f3ab7a43ee1d9a25d1c%" or Image.Hashes like r"%SHA1=471ca4b5bb5fe68543264dd52acb99fddd7b3c6d%" or Image.Hashes like r"%SHA1=290d6376658cf0f8182de0fae40b503098fa09fd%" or Image.Hashes like r"%SHA1=2bc9047f08a664ade481d0bbf554d3a0b49424ca%" or Image.Hashes like r"%SHA1=1f84d89dd0ae5008c827ce274848d551aff3fc33%" or Image.Hashes like r"%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%" or Image.Hashes like r"%SHA1=cb5229acdf87493e45d54886e6371fc59fc09ee5%" or Image.Hashes like r"%SHA1=2db49bdf8029fdcda0a2f722219ae744eae918b0%" or Image.Hashes like r"%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%" or Image.Hashes like r"%SHA1=24f6e827984cca5d9aa3e4c6f3c0c5603977795a%" or Image.Hashes like r"%SHA1=db3debacd5f6152abd7a457d7910a0ec4457c0d7%" or Image.Hashes like r"%SHA1=96323381a98790b8ffac1654cb65e12dbbe6aff1%" or Image.Hashes like r"%SHA1=7241b25c3a3ee9f36b52de3db2fc27db7065af37%" or Image.Hashes like r"%SHA1=3c956b524e73586195d704b874e36d49fe42cb6a%" or Image.Hashes like r"%SHA1=fb25e6886d98fe044d0eb7bd42d24a93286266e0%" or Image.Hashes like r"%SHA1=caa0cb48368542a54949be18475d45b342fb76e5%" or Image.Hashes like r"%SHA1=4c16dcc7e6d7dd29a5f6600e50fc01a272c940e1%" or 
Image.Hashes like r"%SHA1=1f3a9265963b660392c4053329eb9436deeed339%" or Image.Hashes like r"%SHA1=b0c7ec472abf544c5524b644a7114cba0505951e%" or Image.Hashes like r"%SHA1=622e7bffda8c80997e149ac11492625572e386e0%" or Image.Hashes like r"%SHA1=4ffa89f8dbdade28813e12db035cf9bd8665ef72%" or Image.Hashes like r"%SHA1=5fece994f2409810a0ad050b3ca9b633c93919e4%" or Image.Hashes like r"%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%" or Image.Hashes like r"%SHA1=2fa92d3739735bc9ac4dc38f42d909d97cc5c2a8%" or Image.Hashes like r"%SHA1=fece30b9b862bf99ae6a41e49f524fe6f32e215e%" or Image.Hashes like r"%SHA1=ae344c123ef6d206235f2a8448d07f86433db5a6%" or Image.Hashes like r"%SHA1=ad1616ea6dc17c91d983e829aa8a6706e81a3d27%" or Image.Hashes like r"%SHA1=c127c4d0917f54cee13a61c6c0029c95ae0746cf%" or Image.Hashes like r"%SHA1=84341ed15d645c4daedcdd39863998761e4cb0e3%" or Image.Hashes like r"%SHA1=fb4ce6de14f2be00a137e8dde2c68bb5b137ab9c%" or Image.Hashes like r"%SHA1=22c905fcdd7964726b4be5e8b5a9781322687a45%" or Image.Hashes like r"%SHA1=4927d843577bada119a17b249ff4e7f5e9983a92%" or Image.Hashes like r"%SHA1=d083e69055556a36df7c6e02115cbbf90726f35c%" or Image.Hashes like r"%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%" or Image.Hashes like r"%SHA1=86e59b17272a3e7d9976c980ded939bf8bf75069%" or Image.Hashes like r"%SHA1=eb0021e29488c97a0e42a084a4fe5a0695eccb7b%" or Image.Hashes like r"%SHA1=388819a7048179848425441c60b3a8390ad04a69%" or Image.Hashes like r"%SHA1=611411538b2bc9045d29bbd07e6845e918343e3c%" or Image.Hashes like r"%SHA1=43011eb72be4775fec37aa436753c4d6827395d1%" or Image.Hashes like r"%SHA1=18938e0d924ee7c0febdbf2676a099e828182c1c%" or Image.Hashes like r"%SHA1=1743b073cccf44368dc83ed3659057eb5f644b06%" or Image.Hashes like r"%SHA1=fb1570b4865083dfce1fcff2bd72e9e1b03cead5%" or Image.Hashes like r"%SHA1=96c2e1d7c9a8ad242f8f478e871f645895d3e451%" or Image.Hashes like r"%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%" or Image.Hashes like 
r"%SHA1=70258117b5efe65476f85143fd14fa0b7f148adb%" or Image.Hashes like r"%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%" or Image.Hashes like r"%SHA1=24b3f962587b0062ac9a1ec71bcc3836b12306d2%" or Image.Hashes like r"%SHA1=663803d7ab5aff28be37c2e7e8c7b98b91c5733e%" or Image.Hashes like r"%SHA1=2739c2cfa8306e6f78c335c55639566b3d450644%" or Image.Hashes like r"%SHA1=2027e5e8f2cfdfbd9081f99b65af4921626d77f9%" or Image.Hashes like r"%SHA1=eb44a05f8bba3d15e38454bd92999a856e6574eb%" or Image.Hashes like r"%SHA1=d7597d27eeb2658a7c7362193f4e5c813c5013e5%" or Image.Hashes like r"%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%" or Image.Hashes like r"%SHA1=1e6c2763f97e4275bba581de880124d64666a2fe%" or Image.Hashes like r"%SHA1=19977d45e98b48c901596fb0a49a7623cee4c782%" or Image.Hashes like r"%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%" or Image.Hashes like r"%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%" or Image.Hashes like r"%SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba%" or Image.Hashes like r"%SHA1=8d0f33d073720597164f7321603578cd13346d1f%" or Image.Hashes like r"%SHA1=229716e61f74db821d5065bac533469efb54867b%" or Image.Hashes like r"%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%" or Image.Hashes like r"%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%" or Image.Hashes like r"%SHA1=469c04cb7841eedd43227facaf60a6d55cf21fd7%" or Image.Hashes like r"%SHA1=722aa0fa468b63c5d7ea308d77230ae3169d5f83%" or Image.Hashes like r"%SHA1=bfd8568f19d4273a1288726342d7620cc9070ae5%" or Image.Hashes like r"%SHA1=17b3163aecd1f512f1603548ef6eb4947fbec95e%" or Image.Hashes like r"%SHA1=ce549714a11bd43b52be709581c6e144957136ec%" or Image.Hashes like r"%SHA1=a3224815aedc14bb46f09535e9b8ca7eaa4963bf%" or Image.Hashes like r"%SHA1=ba0d6c596b78a1fc166747d7523ca6316ef87e9f%" or Image.Hashes like r"%SHA1=f85f5e5d747433b274e53c8377bf24fbc08758b6%" or Image.Hashes like r"%SHA1=2e9466d5a814c20403be7c7a5811039ca833bd5d%" or Image.Hashes like r"%SHA1=3bb1dddb4157b6b8175fc6e1e7c33bef7870c500%" or 
Image.Hashes like r"%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%" or Image.Hashes like r"%SHA1=a958734d25865cbc6bcbc11090ab9d6b72799143%" or Image.Hashes like r"%SHA1=11fcaeda49848474cee9989a00d8f29cb727acb7%" or Image.Hashes like r"%SHA1=45328110873640d8fed9fc72f7d2eadd3d17ceae%" or Image.Hashes like r"%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%" or Image.Hashes like r"%SHA1=3fd5cd30085450a509eaa6367af26f6c4b9741b6%" or Image.Hashes like r"%SHA1=f1b3bdc3beb2dca19940d53eb5a0aed85b807e30%" or Image.Hashes like r"%SHA1=948fa3149742f73bf3089893407df1b20f78a563%" or Image.Hashes like r"%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%" or Image.Hashes like r"%SHA1=5eed0ce6487d0b8d0a6989044c4fcab1bd845d9e%" or Image.Hashes like r"%SHA1=ce31292b05c0ae1dc639a6ee95bb3bc7350f2aaf%" or Image.Hashes like r"%SHA1=1a53902327bac3ab323ee63ed215234b735c64da%" or Image.Hashes like r"%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%" or Image.Hashes like r"%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%" or Image.Hashes like r"%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%" or Image.Hashes like r"%SHA1=ba3faca988ff56f4850dede2587d5a3eff7c6677%" or Image.Hashes like r"%SHA1=8f266edf9f536c7fc5bb3797a1cf9039fde8e97c%" or Image.Hashes like r"%SHA1=d57c732050d7160161e096a8b238cb05d89d1bb2%" or Image.Hashes like r"%SHA1=7480c7f7346ce1f86a7429d9728235f03a11f227%" or Image.Hashes like r"%SHA1=40abf7edb4c76fb3f22418f03198151c5363f1cb%" or Image.Hashes like r"%SHA1=43b61039f415d14189d578012b6cb1bd2303d304%" or Image.Hashes like r"%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%" or Image.Hashes like r"%SHA1=a809831166a70700b59076e0dbc8975f57b14398%" or Image.Hashes like r"%SHA1=22c9cd0f5986e91b733fbd5eda377720fd76c86d%" or Image.Hashes like r"%SHA1=d7b20ac695002334f804ffc67705ce6ac5732f91%" or Image.Hashes like r"%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%" or Image.Hashes like r"%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%" or Image.Hashes like 
r"%SHA1=72a5ac213ec1681d173bee4f1807c70a77b41bf6%" or Image.Hashes like r"%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%" or Image.Hashes like r"%SHA1=891c8d482e23222498022845a6b349fe1a186bcc%" or Image.Hashes like r"%SHA1=6a60c5dc7d881ddb5d6fe954f10b8aa10d214e72%" or Image.Hashes like r"%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%" or Image.Hashes like r"%SHA1=e40ea8d498328b90c4afbb0bb0e8b91b826f688e%" or Image.Hashes like r"%SHA1=356172a2e12fd3d54e758aaa4ff0759074259144%" or Image.Hashes like r"%SHA1=7115929de6fc6b9f09142a878d1a1bf358af5f24%" or Image.Hashes like r"%SHA1=1b84abffd814b9f4595296b3e5ede0c44e630967%" or Image.Hashes like r"%SHA1=40d29aa7b3fafd27c8b27c7ca7a3089ccb88d69b%" or Image.Hashes like r"%SHA1=1c3f2579310ddd7ae09ce9ca1cc537a771b83c9f%" or Image.Hashes like r"%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%" or Image.Hashes like r"%SHA1=879fcc6795cebe67718388228e715c470de87dca%" or Image.Hashes like r"%SHA1=b33b99ae2653b4e675beb7d9eb2c925a1f105bd4%" or Image.Hashes like r"%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%" or Image.Hashes like r"%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%" or Image.Hashes like r"%SHA1=c31049605f028a56ce939cd2f97c2e56c12d99f8%" or Image.Hashes like r"%SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962%" or Image.Hashes like r"%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%" or Image.Hashes like r"%SHA1=3048f3422b2b31b74eace0dab3f5c4440bdc7bb2%" or Image.Hashes like r"%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%" or Image.Hashes like r"%SHA1=0ff2ad8941fbb80cbccb6db7db1990c01c2869b1%" or Image.Hashes like r"%SHA1=6d3c760251d6e6ea7ff4f4fcac14876fac829cf9%" or Image.Hashes like r"%SHA1=20cf02c95e329cf2fd4563cddcbd434aad81ccb4%" or Image.Hashes like r"%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%" or Image.Hashes like r"%SHA1=e835776e0dc68c994dd18e8628454520156c93e3%" or Image.Hashes like r"%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%" or Image.Hashes like r"%SHA1=97bc298a1d12a493bf14e6523e4ff48d64832954%" or 
Image.Hashes like r"%SHA1=fb349c3cde212ef33a11a9d58a622dc58dff3f74%" or Image.Hashes like r"%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%" or Image.Hashes like r"%SHA1=b0a684474eb746876faa617a28824bee93ba24f0%" or Image.Hashes like r"%SHA1=a01c42a5be7950adbc7228a9612255ac3a06b904%" or Image.Hashes like r"%SHA1=a22dead5cdf05bd2f79a4d0066ffcf01c7d303ec%" or Image.Hashes like r"%SHA1=f7ce71891738a976cd8d4b516c8d7a8e2f6b0ad6%" or Image.Hashes like r"%SHA1=441f87633ee6fbea5dee1268d1b9b936a596464d%" or Image.Hashes like r"%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%" or Image.Hashes like r"%SHA1=32f27451c377c8b5ea66be5475c2f2733cffe306%" or Image.Hashes like r"%SHA1=58ebfb7de214ee09f6bf71c8cc9c139dd4c8b016%" or Image.Hashes like r"%SHA1=f5293ac70d75cdfe580ff6a9edcc83236012eaf1%" or Image.Hashes like r"%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%" or Image.Hashes like r"%SHA1=0b63e76fad88ac48dbfc7cf227890332fcd994a5%" or Image.Hashes like r"%SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f%" or Image.Hashes like r"%SHA1=160a237295a9e5cbb64ca686a84e47553a14f71d%" or Image.Hashes like r"%SHA1=f5d58452620b55c2931cba75eb701f4cde90a9e4%" or Image.Hashes like r"%SHA1=a24840e32071e0f64e1dff8ca540604896811587%" or Image.Hashes like r"%SHA1=fad8e308f6d2e6a9cfaf9e6189335126a3c69acb%" or Image.Hashes like r"%SHA1=6da2dd8a0b4c0e09a04613bbabfc07c0b848ec77%" or Image.Hashes like r"%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%" or Image.Hashes like r"%SHA1=f049e68720a5f377a5c529ca82d1147fe21b4c33%" or Image.Hashes like r"%SHA1=c4454a3a4a95e6772acb8a3d998b78a329259566%" or Image.Hashes like r"%SHA1=5291b17205accf847433388fe17553e96ad434ec%" or Image.Hashes like r"%SHA1=8b037d7a7cb612eabd8e20a9ce93afd92a6db2c2%" or Image.Hashes like r"%SHA1=0cca79962d9af574169f5dec12b1f4ca8e5e1868%" or Image.Hashes like r"%SHA1=87d47340d1940eaeb788523606804855818569e3%" or Image.Hashes like r"%SHA1=272ffcda920a8e2440eb0d31dcd05485e0d597ad%" or Image.Hashes like 
r"%SHA1=e28b754d4d332ea57349110c019d841cf4d27356%" or Image.Hashes like r"%SHA1=d1c38145addfed1bcd1b400334ff5a5e2ef9a5c6%" or Image.Hashes like r"%SHA1=c201d5d0ab945095c3b1a356b3b228af1aa652fc%" or Image.Hashes like r"%SHA1=39e57a0bb3b349c70ad5f11592f9282860bbcc0a%" or Image.Hashes like r"%SHA1=5622caf22032e5cbef52f48077cfbcbbbe85e961%" or Image.Hashes like r"%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%" or Image.Hashes like r"%SHA1=da03799bb0025a476e3e15cc5f426e5412aeef02%" or Image.Hashes like r"%SHA1=b5dfa3396136236cc9a5c91f06514fa717508ef5%" or Image.Hashes like r"%SHA1=ba63502aaf8c5a7c2464e83295948447e938a844%" or Image.Hashes like r"%SHA1=21ce232de0f306a162d6407fe1826aff435b2a04%" or Image.Hashes like r"%SHA1=36a6f75f05ac348af357fdecbabe1a184fe8d315%" or Image.Hashes like r"%SHA1=03257294ee74f69881002c4bf764b9cb83b759d6%" or Image.Hashes like r"%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%" or Image.Hashes like r"%SHA1=1045c63eccb54c8aee9fd83ffe48306dc7fe272c%" or Image.Hashes like r"%SHA1=8f4b79b8026da7f966d38a8ba494c113c5e3894b%" or Image.Hashes like r"%SHA1=f736ccbb44c4de97cf9e9022e1379a4f58f5a5b8%" or Image.Hashes like r"%SHA1=d612165251d5f1dcfb1f1a762c88d956f49ce344%" or Image.Hashes like r"%SHA1=fac870d438bf62ecd5d5c8c58cc9bfda6f246b8b%" or Image.Hashes like r"%SHA1=86b1186a4e282341daf2088204ab9ff2d0402d28%" or Image.Hashes like r"%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%" or Image.Hashes like r"%SHA1=0cac0dbaa7adb7bba6e92c7cd2d514be7e86a914%" or Image.Hashes like r"%SHA1=1b25fbab2dbee5504dc94fbcc298cd8669c097a8%" or Image.Hashes like r"%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%" or Image.Hashes like r"%SHA1=8d6d6745a2adc9e5aa025c38875554ae6440d1ad%" or Image.Hashes like r"%SHA1=f42aa04b69a2e2241958b972ef24b65f91c3af12%" or Image.Hashes like r"%SHA1=44a3a00394a6d233a27189482852babf070ffebe%" or Image.Hashes like r"%SHA1=3e406325a717d7163ca31e81beae822d03cbe3d8%" or Image.Hashes like r"%SHA1=fc154983af4a5be15ae1e4b54e2050530b8bc057%" or 
Image.Hashes like r"%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%" or Image.Hashes like r"%SHA1=f9c916d163b85057414300ca214ebdf751172ecf%" or Image.Hashes like r"%SHA1=195b91a1a43de8bfb52a4869fbf53d7a226a6559%" or Image.Hashes like r"%SHA1=d62fa51e520022483bdc5847141658de689c0c29%" or Image.Hashes like r"%SHA1=9329a0ce2749a3a6bea2028ce7562d74c417db64%" or Image.Hashes like r"%SHA1=cfdb2085eaf729c7967f5d4efe16da3d50d07a23%" or Image.Hashes like r"%SHA1=184729ec2ffd0928a408255a23b3f532ffb3db3d%" or Image.Hashes like r"%SHA1=45a9f95a7a018925148152b888d09d478d56bbf5%" or Image.Hashes like r"%SHA1=a5f9aef55c64722ff2db96039af3b9c7dd8163e3%" or Image.Hashes like r"%SHA1=483e58ed495e4067a7c42ca48e8a5f600b14e018%" or Image.Hashes like r"%SHA1=b9b72a5be3871ddc0446bae35548ea176c4ea613%" or Image.Hashes like r"%SHA1=18f09ec53f0b7d2b1ab64949157e0e84628d0f0a%" or Image.Hashes like r"%SHA1=de2b56ef7a30a4697e9c4cdcae0fc215d45d061d%" or Image.Hashes like r"%SHA1=e2e7a2b2550b889235aafd9ffd1966ccd20badfe%" or Image.Hashes like r"%SHA1=016aa643fbd8e10484741436bcacc0d9eee483c8%" or Image.Hashes like r"%SHA1=5c88d9fcc491c7f1078c224e1d6c9f5bda8f3d8a%" or Image.Hashes like r"%SHA1=86e893e59352fcb220768fb758fcc5bbd91dd39e%" or Image.Hashes like r"%SHA1=1568117f691b41f989f10562f354ee574a6abc2d%" or Image.Hashes like r"%SHA1=5c2262f9e160047b9f4dee53bbfd958ec27ec22e%" or Image.Hashes like r"%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%" or Image.Hashes like r"%SHA1=8db4376a86bd2164513c178a578a0bf8d90e7292%" or Image.Hashes like r"%SHA1=4a04596acf79115f15add3921ce30a96f594d7ce%" or Image.Hashes like r"%SHA1=16a091bfd1fd616d4607cac367782b1d2ab07491%" or Image.Hashes like r"%SHA1=cf664e30f8bd548444458eef6d56d5c2e2713e2a%" or Image.Hashes like r"%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%" or Image.Hashes like r"%SHA1=f544f25104fe997ec873f5cec64c7aa722263fb4%" or Image.Hashes like r"%SHA1=be797c91768ac854bd3b82a093e55db83da0cb11%" or Image.Hashes like 
r"%SHA1=cea540a2864ece0a868d841ab27680ff841fcbe6%" or Image.Hashes like r"%SHA1=b4f1877156bf3157bff1170ba878848b2f22d2d5%" or Image.Hashes like r"%SHA1=55cffb0ef56e52686b0c407b94bbea3701d6eccd%" or Image.Hashes like r"%SHA1=b6543d006cb2579fb768205c479524e432c04204%" or Image.Hashes like r"%SHA1=879b32fcf78044cbc74b57717ab3ae18e77bc2fb%" or Image.Hashes like r"%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%" or Image.Hashes like r"%SHA1=4a7324ca485973d514fd087699f6d759ff32743b%" or Image.Hashes like r"%SHA1=e41808b022656befb7dc42bbeceaf867e2fec6b2%" or Image.Hashes like r"%SHA1=1e09f3dd6ba9386fa9126f0116e49c2371401e01%" or Image.Hashes like r"%SHA1=5bdd44eb321557c5d3ab056959397f0048ac90e6%" or Image.Hashes like r"%SHA1=42bb38b0b93d83b62fe2604b154ada9314c98df7%" or Image.Hashes like r"%SHA1=c47b890dda9882f9f37eccc27d58d6a774a2901f%" or Image.Hashes like r"%SHA1=2cc70b772b42e0208f345c7c70d78f7536812f99%" or Image.Hashes like r"%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%" or Image.Hashes like r"%SHA1=b7a2f2760f9819cb242b2e4f5b7bab0a65944c81%" or Image.Hashes like r"%SHA1=7a1689cde189378e7db84456212b0e438f9bf90a%" or Image.Hashes like r"%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%" or Image.Hashes like r"%SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0%" or Image.Hashes like r"%SHA1=0a6e0f9f3d7179a99345d40e409895c12919195b%" or Image.Hashes like r"%SHA1=2dd916cb8a9973b5890829361c1f9c0d532ba5d6%" or Image.Hashes like r"%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%" or Image.Hashes like r"%SHA1=dcfeca5e883a084e89ecd734c4528b922a1099b9%" or Image.Hashes like r"%SHA1=f56fec3f2012cd7fc4528626debc590909ed74b6%" or Image.Hashes like r"%SHA1=d126c6974a21e9c5fdd7ff1ca60bcc37c9353b47%" or Image.Hashes like r"%SHA1=a6aa7926aa46beaf9882a93053536b75ef2c7536%" or Image.Hashes like r"%SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6%" or Image.Hashes like r"%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%" or Image.Hashes like r"%SHA1=7ba4607763c6fef1b2562b72044a20ca2a0303e2%" or 
Image.Hashes like r"%SHA1=bec66e0a4842048c25732f7ea2bbe989ea400abf%" or Image.Hashes like r"%SHA1=fd87b70f94674b02d62bb01ae6e62d75c618f5c8%" or Image.Hashes like r"%SHA1=d17656f11b899d58dca7b6c3dd6eef3d65ae88e2%" or Image.Hashes like r"%SHA1=c1c869deee6293eee3d0d84b6706d90fab8f8558%" or Image.Hashes like r"%SHA1=f56186b6a7aa3dd7832c9d821f9d2d93bc2a9360%" or Image.Hashes like r"%SHA1=e9d7d7d42fd534abf52da23c0d6ec238cefde071%" or Image.Hashes like r"%SHA1=8d0ae69fbe0c6575b6f8caf3983dd3ddc65aadb5%" or Image.Hashes like r"%SHA1=b67945815e40b1cd90708c57c57dab12ed29da83%" or Image.Hashes like r"%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%" or Image.Hashes like r"%SHA1=a4e2e227f984f344d48f4bf088ca9d020c63db4e%" or Image.Hashes like r"%SHA1=a34adabde63514e1916713a588905c4019f83efb%" or Image.Hashes like r"%SHA1=3270720a066492b046d7180ca6e60602c764cac7%" or Image.Hashes like r"%SHA1=2bcb81f1b643071180e8ed8f7e42f49606669976%" or Image.Hashes like r"%SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a%" or Image.Hashes like r"%SHA1=bb1f9cc94e83c59c90b055fe13bb4604b2c624df%" or Image.Hashes like r"%SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d%" or Image.Hashes like r"%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%" or Image.Hashes like r"%SHA1=6ecfc7ccc4843812bfccfb7e91594c018f0a0ff9%" or Image.Hashes like r"%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%" or Image.Hashes like r"%SHA1=c520a368c472869c3dc356a7bcfa88046352e4d9%" or Image.Hashes like r"%SHA1=254dce914e13b90003b0ae72d8705d92fe7c8dd0%" or Image.Hashes like r"%SHA1=e9f576137181c261dc3b23871d1d822731d54a12%" or Image.Hashes like r"%SHA1=ec1eafb87340b18c7ef3bc349fed1ddd5d3678f6%" or Image.Hashes like r"%SHA1=1c537fd17836283364349475c6138e6667cf1164%" or Image.Hashes like r"%SHA1=cfdf9c9125755f4e81fa7cc5410d7740fdfea4ed%" or Image.Hashes like r"%SHA1=252157ab2e33eed7aa112d1c93c720cadcee31ae%" or Image.Hashes like r"%SHA1=97f668aa01ebbbf2f5f93419d146e6608d203efd%" or Image.Hashes like 
r"%SHA1=9feacc95d30107ce3e1e9a491e2c12d73eef2979%" or Image.Hashes like r"%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%" or Image.Hashes like r"%SHA1=0f78974194b604122b1cd4e82768155f946f6d24%" or Image.Hashes like r"%SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c%" or Image.Hashes like r"%SHA1=d363011d6991219d7f152609164aba63c266b740%" or Image.Hashes like r"%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%" or Image.Hashes like r"%SHA1=db3538f324f9e52defaba7be1ab991008e43d012%" or Image.Hashes like r"%SHA1=008a292f71f49be1fb538f876de6556ce7b5603a%" or Image.Hashes like r"%SHA1=e35969966769e7760094cbcffb294d0d04a09db6%" or Image.Hashes like r"%SHA1=5236728c7562b047a9371403137a6e169e2026a6%" or Image.Hashes like r"%SHA1=862387e84baaf506c10080620cc46df2bda03eea%" or Image.Hashes like r"%SHA1=c0100f8a8697a240604b3ea88848dd94947c7fd3%" or Image.Hashes like r"%SHA1=ad05bff5fe45df9e08252717fc2bc2af57bf026f%" or Image.Hashes like r"%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%" or Image.Hashes like r"%SHA1=637d0de7fa2a06e462dad40a575cb0fa4a38d377%" or Image.Hashes like r"%SHA1=0904b8fa4654197eefd6380c81bbb2149ffe0634%" or Image.Hashes like r"%SHA1=928b9b180ff5deb9f9dd3a38c4758bcf09298c47%" or Image.Hashes like r"%SHA1=432fa24e0ce4b3673113c90b34d6e52dc7bac471%" or Image.Hashes like r"%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%" or Image.Hashes like r"%SHA1=444f96d8943aec21d26f665203f3fb80b9a2a260%" or Image.Hashes like r"%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%" or Image.Hashes like r"%SHA1=eba5483bb47ec6ff51d91a9bdf1eee3b6344493d%" or Image.Hashes like r"%SHA1=e3048cd05573dc1d30b1088859bc728ef67aaad0%" or Image.Hashes like r"%SHA1=537923c633d8fc94d9ae45ad9d89e5346f581f17%" or Image.Hashes like r"%SHA1=022f7aa4d0f04d594588ae9fa65c90bcc4bda833%" or Image.Hashes like r"%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%" or Image.Hashes like r"%SHA1=7a107291a9fad0d298a606eb34798d423c4a5683%" or Image.Hashes like r"%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%" or 
Image.Hashes like r"%SHA1=0fd700fee341148661616ecd8af8eca5e9fa60e3%" or Image.Hashes like r"%SHA1=3aba6dd15260875eb290e9d67992066141aa0bb0%" or Image.Hashes like r"%SHA1=a5596d4d329add26b9ca9fa7005302148dfacfd8%" or Image.Hashes like r"%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%" or Image.Hashes like r"%SHA1=22fc833e07dd163315095d32ebcd3b3e377c33a4%" or Image.Hashes like r"%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%" or Image.Hashes like r"%SHA1=c9522cf7f6d6637aaff096b4b16b0d81f6ee1c37%" or Image.Hashes like r"%SHA1=d11659145d6627f3d93975528d92fb6814171f91%" or Image.Hashes like r"%SHA1=d3d2fe8080f0b18465520785f3a955e1a24ae462%" or Image.Hashes like r"%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%" or Image.Hashes like r"%SHA1=ea37a4241fa4d92c168d052c4e095ccd22a83080%" or Image.Hashes like r"%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%" or Image.Hashes like r"%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%" or Image.Hashes like r"%SHA1=dc69a6cdf048e2c4a370d4b5cafd717d236374ea%" or Image.Hashes like r"%SHA1=24daa825adedcbbb1d098cbe9d68c40389901b64%" or Image.Hashes like r"%SHA1=2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1%" or Image.Hashes like r"%SHA1=dc55217b6043d819eadebd423ff07704ee103231%" or Image.Hashes like r"%SHA1=2ba0db7465cf4ffb272f803a9d77292b79c1e6df%" or Image.Hashes like r"%SHA1=52ea274e399df8706067fdc5ac52af0480461887%" or Image.Hashes like r"%SHA1=d8adf4f02513367c2b273abb0bc02f7eb3a5ef19%" or Image.Hashes like r"%SHA1=6887668eb41637bbbab285d41a36093c6b17a8fa%" or Image.Hashes like r"%SHA1=d6b1b3311263bfb170f2091d22f373c2215051b7%" or Image.Hashes like r"%SHA1=fad014ec98529644b5db5388d96bc4f9b77dcdc3%" or Image.Hashes like r"%SHA1=a714a2a045fa8f46d0165b78fe3eecf129c1de3a%" or Image.Hashes like r"%SHA1=a09334489fb18443c8793cb0395860518193cc3c%" or Image.Hashes like r"%SHA1=49d58f7565bacf10539bc63f1d2fe342b3c3d85a%" or Image.Hashes like r"%SHA1=e4fcb363cfe9de0e32096fa5be94a41577a89bb0%" or Image.Hashes like 
r"%SHA1=6a60f5fa0dfc6c1fa55b24a29df7464ee01a9717%" or Image.Hashes like r"%SHA1=8b86c99328e4eb542663164685c6926e7e54ac20%" or Image.Hashes like r"%SHA1=431550db5c160b56e801f220ceeb515dc16e68d2%" or Image.Hashes like r"%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%" or Image.Hashes like r"%SHA1=dd893cd3520b2015790f7f48023d833f8fe81374%" or Image.Hashes like r"%SHA1=7626036baf98ddcb492a8ec34e58c022ebd70a80%" or Image.Hashes like r"%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%" or Image.Hashes like r"%SHA1=c01caaa74439af49ca81cb5b200a167e7d32343c%" or Image.Hashes like r"%SHA1=26a8ab6ea80ab64d5736b9b72a39d90121156e76%" or Image.Hashes like r"%SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f%" or Image.Hashes like r"%SHA1=f6f7b5776001149496092a95fb10218dea5d6a6b%" or Image.Hashes like r"%SHA1=166759fd511613414d3213942fe2575b926a6226%" or Image.Hashes like r"%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%" or Image.Hashes like r"%SHA1=0a89a6f6f40213356487bfcfb0b129e4f6375180%" or Image.Hashes like r"%SHA1=f640c94e71921479cc48d06b59aba41ffa50a769%" or Image.Hashes like r"%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%" or Image.Hashes like r"%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%" or Image.Hashes like r"%SHA1=3ca51b23f8562485820883e894b448413891183a%" or Image.Hashes like r"%SHA1=8275977e4b586e485e9025222d0a582fcb9e1e8f%" or Image.Hashes like r"%SHA1=30846313e3387298f1f81c694102133568d6d48d%" or Image.Hashes like r"%SHA1=b52886433e608926a0b6e623217009e4071b107e%" or Image.Hashes like r"%SHA1=d19d1d3aa30391922989f4c6e3f7dc4937dcefbf%" or Image.Hashes like r"%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%" or Image.Hashes like r"%SHA1=091a039f5f2ae1bb0fa0f83660f4c178fd3a5a10%" or Image.Hashes like r"%SHA1=6293ff11805cd33bccbcca9f0132bff3ae2e2534%" or Image.Hashes like r"%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%" or Image.Hashes like r"%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%" or Image.Hashes like r"%SHA1=1479717fab67d98bbc3665f6b12adddfca74e0ef%" or 
Image.Hashes like r"%SHA1=fc8fbd92f6e64682360885c188d1bdfbc14ca579%" or Image.Hashes like r"%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%" or Image.Hashes like r"%SHA1=6df42ea7c0e6ee02062bf9ca2aa4aa5cd3775274%" or Image.Hashes like r"%SHA1=c40ff3ebf6b5579108165be63250634823db32ec%" or Image.Hashes like r"%SHA1=cef5a329f7a36c76a546d9528e57245127f37246%" or Image.Hashes like r"%SHA1=7c46ecc5ce8e5f6e236a3b169fb46bb357ac3546%" or Image.Hashes like r"%SHA1=a32232a426c552667f710d2dcbd2fb9f9c50331d%" or Image.Hashes like r"%SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327%" or Image.Hashes like r"%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%" or Image.Hashes like r"%SHA1=d496a8d3e71eaacd873ccef1d1f6801e54959713%" or Image.Hashes like r"%SHA1=437b56dc106d2e649d2c243c86729b6e6461d535%" or Image.Hashes like r"%SHA1=f10ec1b88c3a383c2a0c03362d31960836e3fb5f%" or Image.Hashes like r"%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%" or Image.Hashes like r"%SHA1=7503a1ed7f6fbd068f8c900dd5ddb291417e3464%" or Image.Hashes like r"%SHA1=24aafe3c727c6a3bd1942db78327ada8fcb8c084%" or Image.Hashes like r"%SHA1=8453fc3198349cf0561c87efc329c81e7240c3da%" or Image.Hashes like r"%SHA1=51b9867c391be3ce56ba7e1c3cba8c76777245b2%" or Image.Hashes like r"%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%" or Image.Hashes like r"%SHA1=eb2496304073727564b513efd6387a77ce395443%" or Image.Hashes like r"%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%" or Image.Hashes like r"%SHA1=736531c76b8d9c56e26561bf430e10ecabff0186%" or Image.Hashes like r"%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%" or Image.Hashes like r"%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%" or Image.Hashes like r"%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%" or Image.Hashes like r"%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%" or Image.Hashes like r"%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%" or Image.Hashes like r"%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%" or Image.Hashes like 
r"%SHA1=80ea425e193bd0e05161e8e1dc34fb0eae5f9017%" or Image.Hashes like r"%SHA1=2e546d86d3b1e4eaa92b6ec4768de79f70eb922f%" or Image.Hashes like r"%SHA1=b91c34bb846fd5b2f13f627b7da16c78e3ee7b0f%" or Image.Hashes like r"%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%" or Image.Hashes like r"%SHA1=c02cb8256dfb37f690f2698473fe5428d17bc178%" or Image.Hashes like r"%SHA1=c2d18ce26ce2435845f534146d7f353b662ad2b9%" or Image.Hashes like r"%SHA1=05eff2001f595f9e2894c6b5eee756ae72379a6d%" or Image.Hashes like r"%SHA1=0a19a9c4c9185b80188da529ec9c9f45cbe73186%" or Image.Hashes like r"%SHA1=e7d8fc86b90f75864b7e2415235e17df4d85ee31%" or Image.Hashes like r"%SHA1=8e64c32bcfd70361956674f45964a8b0c8aa6388%" or Image.Hashes like r"%SHA1=97941faf575e43e59fe8ee167de457c2cf75c9eb%" or Image.Hashes like r"%SHA1=7e8efd93a1dad02385ec56c8f3b1cfd23aa47977%" or Image.Hashes like r"%SHA1=850d7df29256b4f537eddafe95cfea59fb118fe2%" or Image.Hashes like r"%SHA1=e2f40590b404a24e775f781525d8ed01f1b1156d%" or Image.Hashes like r"%SHA1=ff9048c451644c9c5ff2ba1408b194a0970b49e6%" or Image.Hashes like r"%SHA1=53f7fc4feb66af748f2ab295394bf4de62ae9fcc%" or Image.Hashes like r"%SHA1=3def50587309440e3b9e595bdbe4dde8d69a64e7%" or Image.Hashes like r"%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%" or Image.Hashes like r"%SHA1=f3029dba668285aac04117273599ac12a94a3564%" or Image.Hashes like r"%SHA1=adab368ed3c17b8f2dc0b2173076668b6153e03a%" or Image.Hashes like r"%SHA1=c45d03076fa6e66c1b8b74b020ad84712755e3df%" or Image.Hashes like r"%SHA1=0d27a3166575ec5983ec58de2591552cfa90ef92%" or Image.Hashes like r"%SHA1=d28b604b9bb608979cc0eab1e9e93e11c721aa3d%" or Image.Hashes like r"%SHA1=70bb3b831880e058524735b14f2a0f1a72916a4c%" or Image.Hashes like r"%SHA1=5a55c227ca13e9373b87f1ef6534533c7ce1f4fb%" or Image.Hashes like r"%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%" or Image.Hashes like r"%SHA1=4075de7d7d2169d650c5ccede8251463913511e6%" or Image.Hashes like r"%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%" or 
Image.Hashes like r"%SHA1=619413b5a6d6aeb4d58c409d54fe4a981dd7e4d9%" or Image.Hashes like r"%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%" or Image.Hashes like r"%SHA1=d9c1913a6c76b883568910094dfa1d67aad80c84%" or Image.Hashes like r"%SHA1=49174d56cce618c77ae4013fe28861c80bf5ba97%" or Image.Hashes like r"%SHA1=e11f48631c6e0277e21a8bdf9be513651305f0d5%" or Image.Hashes like r"%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%" or Image.Hashes like r"%SHA1=d5326fea00bcde2ef7155acf3285c245c9fb4ece%" or Image.Hashes like r"%SHA1=e8234c44f3b7e4c510ef868e8c080e00e2832b07%" or Image.Hashes like r"%SHA1=9449f211c3c47821b638513d239e5f2c778dc523%" or Image.Hashes like r"%SHA1=456a1acacaa02664517c2f2fb854216e8e967f9d%" or Image.Hashes like r"%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%" or Image.Hashes like r"%SHA1=b314742af197a786218c6dd704b438469445eefa%" or Image.Hashes like r"%SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371%" or Image.Hashes like r"%SHA1=fbfabf309680fbf7c0f6f14c5a0e4840c894e393%" or Image.Hashes like r"%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%" or Image.Hashes like r"%SHA1=6ed5c2313eecd97b78aa5dcdb442dd47345c9e43%" or Image.Hashes like r"%SHA1=1f26424eaf046dbf800ae2ac52d9bb38494d061a%" or Image.Hashes like r"%SHA1=b7fa8278ab7bc485727d075e761a72042c4595f7%" or Image.Hashes like r"%SHA1=10b9ae9286837b3bf6a00771c7e81adbdea3cbfe%" or Image.Hashes like r"%SHA1=850f15fd67d9177a50f3efef07a805b9613f50d6%" or Image.Hashes like r"%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%" or Image.Hashes like r"%SHA1=164c899638bc83099c0379ea76485194564c956c%" or Image.Hashes like r"%SHA1=15f16fe63105b8f9cc0ef2bc8f97cfa5deb40662%" or Image.Hashes like r"%SHA1=b304cb10c88ddd8461bad429ebfd2fd1b809ac2b%" or Image.Hashes like r"%SHA1=a95a126b539989e29e68969bfab16df291e7fa8a%" or Image.Hashes like r"%SHA1=4f02fb7387ca0bc598c3bcb66c5065d08dbb3f73%" or Image.Hashes like r"%SHA1=1e8bccbd74f194db6411011017716c8c6b730d03%" or Image.Hashes like 
r"%SHA1=0cc60a56e245e70f664906b7b67dfe1b4a08a5b7%" or Image.Hashes like r"%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%" or Image.Hashes like r"%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%" or Image.Hashes like r"%SHA1=879e327292616c56bd4aafc279fbda6cc393b74d%" or Image.Hashes like r"%SHA1=45e8f87afa41143e0c5850f9e054d18ec9c8a6c0%" or Image.Hashes like r"%SHA1=b53c360b35174bd89f97f681bf7c17f40e519eb6%" or Image.Hashes like r"%SHA1=c3be2bbd9b3f696bc9d51d5973cc00ca059fb172%" or Image.Hashes like r"%SHA1=5bb2d46ba666c03c56c326f0bbc85cc48a87dfa3%" or Image.Hashes like r"%SHA1=9b8c7eda28bfad07ffe5f84a892299bc7e118442%" or Image.Hashes like r"%SHA1=762a5b4c7beb2af675617dca6dcd6afd36ce0afd%" or Image.Hashes like r"%SHA1=6d9e22a275a5477ea446e6c56ee45671fbcbb5f6%" or Image.Hashes like r"%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%" or Image.Hashes like r"%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%" or Image.Hashes like r"%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%" or Image.Hashes like r"%SHA1=f61e56359c663a769073782a0a3ffd3679c2694a%" or Image.Hashes like r"%SHA1=dd2b90c9796237036ac7136a172d96274dea14c8%" or Image.Hashes like r"%SHA1=af5b7556706e09ee9e74ee2e87eab5c0a49d2d35%" or Image.Hashes like r"%SHA1=57cc324326ab6c4239f8c10d2d1ce8862b2ce4d5%" or Image.Hashes like r"%SHA1=bed5bad7f405aa828a146c7f71d09c31d0c32051%" or Image.Hashes like r"%SHA1=34a07ae39b232cc3dbbe657b34660e692ff2043a%" or Image.Hashes like r"%SHA1=3f67a43ae174a715795e49f72bc350302de83323%" or Image.Hashes like r"%SHA1=a3d612a5ea3439ba72157bd96e390070bdddbbf3%" or Image.Hashes like r"%SHA1=655a9487d7a935322e19bb92d2465849055d029d%" or Image.Hashes like r"%SHA1=f70989f8b17971f13d45ee537e4ce98e93acbbaf%" or Image.Hashes like r"%SHA1=4044e5da1f16441fe7eb27cff7a76887a1aa7fec%" or Image.Hashes like r"%SHA1=7b4c922415e13deaf54bb2771f2ae30814ee1d14%" or Image.Hashes like r"%SHA1=8c11430372889bae1f91e8d068e2b2ad56dfc6bf%" or Image.Hashes like r"%SHA1=4f376b1d1439477a426ef3c52e8c1c69c2cb5305%" or 
Image.Hashes like r"%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%" or Image.Hashes like r"%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%" or Image.Hashes like r"%SHA1=7fb52290883a6b69a96d480f2867643396727e83%" or Image.Hashes like r"%SHA1=82dbac75b73ff4b92bdcbf6977a6683e1dcfe995%" or Image.Hashes like r"%SHA1=5b83c61178afb87ef7d58fd786808effcaaae861%" or Image.Hashes like r"%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%" or Image.Hashes like r"%SHA1=ebafebe5e94fdf12bd2159ed66d73268576bc7d9%" or Image.Hashes like r"%SHA1=5e4b93591f905854fb870011464291c3508aff44%" or Image.Hashes like r"%SHA1=a38aac44ee232fb50a6abf145e8dd921ca3e7d78%" or Image.Hashes like r"%SHA256=aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b%" or Image.Hashes like r"%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%" or Image.Hashes like r"%SHA256=66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796%" or Image.Hashes like r"%SHA256=e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994%" or Image.Hashes like r"%SHA256=5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea%" or Image.Hashes like r"%SHA256=b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a%" or Image.Hashes like r"%SHA256=9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4%" or Image.Hashes like r"%SHA256=c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547%" or Image.Hashes like r"%SHA256=506f56996fbcd34ff8a27e6948a2e2e21e6dbf42dab6e3a6438402000b969fd1%" or Image.Hashes like r"%SHA256=4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61%" or Image.Hashes like r"%SHA256=9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504%" or Image.Hashes like r"%SHA256=5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa%" or Image.Hashes like r"%SHA256=a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f%" or Image.Hashes like 
r"%SHA256=86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675%" or Image.Hashes like r"%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%" or Image.Hashes like r"%SHA256=1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb%" or Image.Hashes like r"%SHA256=6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c%" or Image.Hashes like r"%SHA256=247aadaf17ed894fcacf3fc4e109b005540e3659fd0249190eb33725d3d3082f%" or Image.Hashes like r"%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%" or Image.Hashes like r"%SHA256=dfe57c6a4ef4d2491be325d67428698a61d9c5d2a24dbada10043d313be2c8cc%" or Image.Hashes like r"%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%" or Image.Hashes like r"%SHA256=46cf46e1073b7c99142964b7c4bef1e5285fabcf2c6dbe5be99000a393d9f474%" or Image.Hashes like r"%SHA256=b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a%" or Image.Hashes like r"%SHA256=4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba%" or Image.Hashes like r"%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%" or Image.Hashes like r"%SHA256=d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2%" or Image.Hashes like r"%SHA256=a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00%" or Image.Hashes like r"%SHA256=e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16%" or Image.Hashes like r"%SHA256=26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712%" or Image.Hashes like r"%SHA256=e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f%" or Image.Hashes like r"%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%" or Image.Hashes like r"%SHA256=626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763%" or Image.Hashes like r"%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%" or Image.Hashes like 
r"%SHA256=5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879%" or Image.Hashes like r"%SHA256=68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248%" or Image.Hashes like r"%SHA256=3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75%" or Image.Hashes like r"%SHA256=d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d%" or Image.Hashes like r"%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%" or Image.Hashes like r"%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%" or Image.Hashes like r"%SHA256=b50b11e2203942695380869c6072e15479290bc57da2ec5df3481a36b8a8561e%" or Image.Hashes like r"%SHA256=2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1%" or Image.Hashes like r"%SHA256=f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439%" or Image.Hashes like r"%SHA256=72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de%" or Image.Hashes like r"%SHA256=d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee%" or Image.Hashes like r"%SHA256=3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a%" or Image.Hashes like r"%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%" or Image.Hashes like r"%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%" or Image.Hashes like r"%SHA256=a6f8aa3de5b4aea58eddd45807d722c864d4bc4a38ad573174af864e21f0d526%" or Image.Hashes like r"%SHA256=0c018eaa293c03febe2aef1e868fca782a06b49d7d2f9f388ae5fb57604c5250%" or Image.Hashes like r"%SHA256=223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1%" or Image.Hashes like r"%SHA256=18047c2d45758a43d6b7e56bcd4aa90354c899795baf944f037850c48d8e892a%" or Image.Hashes like r"%SHA256=442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243%" or Image.Hashes like r"%SHA256=7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8%" or Image.Hashes like 
r"%SHA256=b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47%" or Image.Hashes like r"%SHA256=0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2%" or Image.Hashes like r"%SHA256=9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c%" or Image.Hashes like r"%SHA256=b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3%" or Image.Hashes like r"%SHA256=3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6%" or Image.Hashes like r"%SHA256=a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce%" or Image.Hashes like r"%SHA256=d3b5fd13a53eee5c468c8bfde4bfa7b968c761f9b781bb80ccd5637ee052ee7d%" or Image.Hashes like r"%SHA256=8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59%" or Image.Hashes like r"%SHA256=16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1%" or Image.Hashes like r"%SHA256=16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c%" or Image.Hashes like r"%SHA256=0bd164da36bd637bb76ca66602d732af912bd9299cb3d520d26db528cb54826d%" or Image.Hashes like r"%SHA256=c3d479d7efd0f6b502d6829b893711bdd51aac07d66326b41ef5451bafdfcb29%" or Image.Hashes like r"%SHA256=4eb1b9f3fe3c79f20c9cdeba92f6d6eb9b9ed15b546851e1f5338c0b7d36364b%" or Image.Hashes like r"%SHA256=fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70%" or Image.Hashes like r"%SHA256=7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8%" or Image.Hashes like r"%SHA256=7149fbd191d7e4941a32a3118ab017426b551d5d369f20c94c4f36ae4ef54f26%" or Image.Hashes like r"%SHA256=fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f%" or Image.Hashes like r"%SHA256=399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa%" or Image.Hashes like r"%SHA256=dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed%" or Image.Hashes like r"%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%" or Image.Hashes like 
r"%SHA256=5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36%" or Image.Hashes like r"%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%" or Image.Hashes like r"%SHA256=cbd4f66ae09797fcd1dc943261a526710acc8dd4b24e6f67ed4a1fce8b0ae31c%" or Image.Hashes like r"%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%" or Image.Hashes like r"%SHA256=b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1%" or Image.Hashes like r"%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%" or Image.Hashes like r"%SHA256=a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e%" or Image.Hashes like r"%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%" or Image.Hashes like r"%SHA256=4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158%" or Image.Hashes like r"%SHA256=d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8%" or Image.Hashes like r"%SHA256=f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672%" or Image.Hashes like r"%SHA256=f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2%" or Image.Hashes like r"%SHA256=3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284%" or Image.Hashes like r"%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%" or Image.Hashes like r"%SHA256=1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd%" or Image.Hashes like r"%SHA256=b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b%" or Image.Hashes like r"%SHA256=1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0%" or Image.Hashes like r"%SHA256=bac7e75745d0cb8819de738b73edded02a07111587c4531383dccd4562922b65%" or Image.Hashes like r"%SHA256=8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750%" or Image.Hashes like r"%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%" or Image.Hashes like 
r"%SHA256=03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d%" or Image.Hashes like r"%SHA256=af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1%" or Image.Hashes like r"%SHA256=ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173%" or Image.Hashes like r"%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%" or Image.Hashes like r"%SHA256=38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8%" or Image.Hashes like r"%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%" or Image.Hashes like r"%SHA256=ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156%" or Image.Hashes like r"%SHA256=a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f%" or Image.Hashes like r"%SHA256=df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6%" or Image.Hashes like r"%SHA256=d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6%" or Image.Hashes like r"%SHA256=f9bc6b2d5822c5b3a7b1023adceb25b47b41e664347860be4603ee81b644590e%" or Image.Hashes like r"%SHA256=916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677%" or Image.Hashes like r"%SHA256=ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3%" or Image.Hashes like r"%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%" or Image.Hashes like r"%SHA256=7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea%" or Image.Hashes like r"%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%" or Image.Hashes like r"%SHA256=45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271%" or Image.Hashes like r"%SHA256=fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91%" or Image.Hashes like r"%SHA256=ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498%" or Image.Hashes like r"%SHA256=3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486%" or Image.Hashes like 
r"%SHA256=e6a2b1937fa277526a1e0ca9f9b32f85ab9cb7cb1a32250dd9c607e93fc2924f%" or Image.Hashes like r"%SHA256=f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229%" or Image.Hashes like r"%SHA256=0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8%" or Image.Hashes like r"%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%" or Image.Hashes like r"%SHA256=3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf%" or Image.Hashes like r"%SHA256=cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190%" or Image.Hashes like r"%SHA256=cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb%" or Image.Hashes like r"%SHA256=0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135%" or Image.Hashes like r"%SHA256=9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d%" or Image.Hashes like r"%SHA256=ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9%" or Image.Hashes like r"%SHA256=3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f%" or Image.Hashes like r"%SHA256=eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd%" or Image.Hashes like r"%SHA256=a10b4ed33a13c08804da8b46fd1b7bd653a6f2bb65668e82086de1940c5bb5d1%" or Image.Hashes like r"%SHA256=53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e%" or Image.Hashes like r"%SHA256=9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340%" or Image.Hashes like r"%SHA256=8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775%" or Image.Hashes like r"%SHA256=37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba%" or Image.Hashes like r"%SHA256=7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf%" or Image.Hashes like r"%SHA256=7c933f5d07ccb4bd715666cd6eb35a774b266ddd8d212849535a54192a44f667%" or Image.Hashes like r"%SHA256=72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb%" or Image.Hashes like 
r"%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%" or Image.Hashes like r"%SHA256=c0ae3349ebaac9a99c47ec55d5f7de00dc03bd7c5cd15799bc00646d642aa8de%" or Image.Hashes like r"%SHA256=904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a%" or Image.Hashes like r"%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%" or Image.Hashes like r"%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%" or Image.Hashes like r"%SHA256=c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad%" or Image.Hashes like r"%SHA256=e8b51ab681714e491ab1a59a7c9419db39db04b0dd7be11293f3a0951afe740e%" or Image.Hashes like r"%SHA256=dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef%" or Image.Hashes like r"%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%" or Image.Hashes like r"%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%" or Image.Hashes like r"%SHA256=14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8%" or Image.Hashes like r"%SHA256=810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3%" or Image.Hashes like r"%SHA256=42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180%" or Image.Hashes like r"%SHA256=f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c%" or Image.Hashes like r"%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%" or Image.Hashes like r"%SHA256=67e9d1f6f7ed58d86b025d3578cb7a3f3c389b9dd425b7f46bb1056e83bffc78%" or Image.Hashes like r"%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%" or Image.Hashes like r"%SHA256=0aca4447ee54d635f76b941f6100b829dc8b2e0df27bdf584acb90f15f12fbda%" or Image.Hashes like r"%SHA256=49ae47b6b4d5e1b791b89e0395659d42a29a79c3e6ec52cbfcb9f9cef857a9dd%" or Image.Hashes like r"%SHA256=0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c%" or Image.Hashes like 
r"%SHA256=e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21%" or Image.Hashes like r"%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%" or Image.Hashes like r"%SHA256=41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f%" or Image.Hashes like r"%SHA256=d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c%" or Image.Hashes like r"%SHA256=b617a072c578cea38c460e2851f3d122ba1b7cfa1f5ee3e9f5927663ac37af61%" or Image.Hashes like r"%SHA256=e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f%" or Image.Hashes like r"%SHA256=42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb%" or Image.Hashes like r"%SHA256=6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d%" or Image.Hashes like r"%SHA256=c9c60f560440ff16ad3c767ff5b7658d5bda61ea1166efe9b7f450447557136e%" or Image.Hashes like r"%SHA256=7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5%" or Image.Hashes like r"%SHA256=680ddece32fe99f056e770cb08641f5b585550798dfdf723441a11364637c7e6%" or Image.Hashes like r"%SHA256=1c425793a8ce87be916969d6d7e9dd0687b181565c3b483ce53ad1ec6fb72a17%" or Image.Hashes like r"%SHA256=955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad%" or Image.Hashes like r"%SHA256=4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb%" or Image.Hashes like r"%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%" or Image.Hashes like r"%SHA256=27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970%" or Image.Hashes like r"%SHA256=0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec%" or Image.Hashes like r"%SHA256=5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00%" or Image.Hashes like r"%SHA256=3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928%" or Image.Hashes like r"%SHA256=bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f%" or Image.Hashes like 
r"%SHA256=ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833%" or Image.Hashes like r"%SHA256=1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c%" or Image.Hashes like r"%SHA256=38e6d7c2787b6289629c72b1ec87655392267044b4e4b830c0232243657ee8f9%" or Image.Hashes like r"%SHA256=38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0%" or Image.Hashes like r"%SHA256=ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa%" or Image.Hashes like r"%SHA256=0b8887921e4a22e24fd058ba5ac40061b4bb569ac7207b9548168af9d6995e7c%" or Image.Hashes like r"%SHA256=8a982eed9cbc724d50a9ddf4f74ecbcd67b4fdcd9c2bb1795bc88c2d9caf7506%" or Image.Hashes like r"%SHA256=6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293%" or Image.Hashes like r"%SHA256=e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce%" or Image.Hashes like r"%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%" or Image.Hashes like r"%SHA256=385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039%" or Image.Hashes like r"%SHA256=5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683%" or Image.Hashes like r"%SHA256=b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418%" or Image.Hashes like r"%SHA256=b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5%" or Image.Hashes like r"%SHA256=3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b%" or Image.Hashes like r"%SHA256=33bc9a17a0909e32a3ae7e6f089b7f050591dd6f3f7a8172575606bec01889ef%" or Image.Hashes like r"%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%" or Image.Hashes like r"%SHA256=53b9e423baf946983d03ce309ec5e006ba18c9956dcd97c68a8b714d18c8ffcf%" or Image.Hashes like r"%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%" or Image.Hashes like r"%SHA256=2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e%" or Image.Hashes like 
r"%SHA256=ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe%" or Image.Hashes like r"%SHA256=76940e313c27c7ff692051fbf1fbdec19c8c31a6723a9de7e15c3c1bec8186f6%" or Image.Hashes like r"%SHA256=eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed%" or Image.Hashes like r"%SHA256=3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf%" or Image.Hashes like r"%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%" or Image.Hashes like r"%SHA256=727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af%" or Image.Hashes like r"%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%" or Image.Hashes like r"%SHA256=88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9%" or Image.Hashes like r"%SHA256=67cd6166d791bdf74453e19c015b2cb1e85e41892c04580034b65f9f03fe2e79%" or Image.Hashes like r"%SHA256=71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713%" or Image.Hashes like r"%SHA256=8ae383546761069b26826dfbf2ac0233169d155bca6a94160488092b4e70b222%" or Image.Hashes like r"%SHA256=7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7%" or Image.Hashes like r"%SHA256=a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641%" or Image.Hashes like r"%SHA256=29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36%" or Image.Hashes like r"%SHA256=7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3%" or Image.Hashes like r"%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%" or Image.Hashes like r"%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%" or Image.Hashes like r"%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%" or Image.Hashes like r"%SHA256=7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456%" or Image.Hashes like r"%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%" or Image.Hashes like 
r"%SHA256=2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1%" or Image.Hashes like r"%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%" or Image.Hashes like r"%SHA256=8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60%" or Image.Hashes like r"%SHA256=4737750788c72d2fc9cf95681c622357263075d65b23e54c4dc3f31446cad37b%" or Image.Hashes like r"%SHA256=fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c%" or Image.Hashes like r"%SHA256=18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c%" or Image.Hashes like r"%SHA256=3b2ad08123e8ed2516548240cfcdf5eefd89293f31070a6cd3949ee1b66fed14%" or Image.Hashes like r"%SHA256=edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5%" or Image.Hashes like r"%SHA256=11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b%" or Image.Hashes like r"%SHA256=39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d%" or Image.Hashes like r"%SHA256=0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502%" or Image.Hashes like r"%SHA256=5da0ffe33987f8d5fb9c151f0eff29b99f42233b27efcad596add27bdc5c88ff%" or Image.Hashes like r"%SHA256=e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9%" or Image.Hashes like r"%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%" or Image.Hashes like r"%SHA256=bceaf970b60b4457eca3c181f649a1c67f4602778171e53d9bdc9b97a09603ca%" or Image.Hashes like r"%SHA256=5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b%" or Image.Hashes like r"%SHA256=db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7%" or Image.Hashes like r"%SHA256=32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e%" or Image.Hashes like r"%SHA256=0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c%" or Image.Hashes like r"%SHA256=bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042%" or Image.Hashes like 
r"%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%" or Image.Hashes like r"%SHA256=f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145%" or Image.Hashes like r"%SHA256=f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478%" or Image.Hashes like r"%SHA256=b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5%" or Image.Hashes like r"%SHA256=edfc38f91b5e198f3bf80ef6dcaebb5e86963936bcd2e5280088ca90d6998b8c%" or Image.Hashes like r"%SHA256=a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48%" or Image.Hashes like r"%SHA256=0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7%" or Image.Hashes like r"%SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f%" or Image.Hashes like r"%SHA256=b3a191ccd1df19cdf17fe6637d48266ac84c4310b013ad6973d8cb336b06ff69%" or Image.Hashes like r"%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%" or Image.Hashes like r"%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%" or Image.Hashes like r"%SHA256=c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778%" or Image.Hashes like r"%SHA256=0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75%" or Image.Hashes like r"%SHA256=5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c%" or Image.Hashes like r"%SHA256=bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c%" or Image.Hashes like r"%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%" or Image.Hashes like r"%SHA256=00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c%" or Image.Hashes like r"%SHA256=7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca%" or Image.Hashes like r"%SHA256=3b19a7207a55d752db1b366b1dea2fd2c7620a825a3f0dcffca10af76611118c%" or Image.Hashes like r"%SHA256=fe2fb5d6cfcd64aeb62e6bf5b71fd2b2a87886eb97ab59e5353ba740da9f5db5%" or Image.Hashes like 
r"%SHA256=7fd90500b57f9ac959c87f713fe9ca59e669e6e1512f77fccb6a75cdc0dfee8e%" or Image.Hashes like r"%SHA256=0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901%" or Image.Hashes like r"%SHA256=e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc%" or Image.Hashes like r"%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%" or Image.Hashes like r"%SHA256=1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1%" or Image.Hashes like r"%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%" or Image.Hashes like r"%SHA256=3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b%" or Image.Hashes like r"%SHA256=65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d%" or Image.Hashes like r"%SHA256=0e10d3c73596e359462dc6bfcb886768486ff59e158f0f872d23c5e9a2f7c168%" or Image.Hashes like r"%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%" or Image.Hashes like r"%SHA256=060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f%" or Image.Hashes like r"%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%" or Image.Hashes like r"%SHA256=2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486%" or Image.Hashes like r"%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%" or Image.Hashes like r"%SHA256=642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54%" or Image.Hashes like r"%SHA256=55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9%" or Image.Hashes like r"%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%" or Image.Hashes like r"%SHA256=e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac%" or Image.Hashes like r"%SHA256=6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d%" or Image.Hashes like r"%SHA256=1ce9e4600859293c59d884ea721e9b20b2410f6ef80699f8a78a6b9fad505dfc%" or Image.Hashes like 
r"%SHA256=33d7046a5d41f4010ad5df632577154ed223dac2ab0ca2da57dbf1724db45a57%" or Image.Hashes like r"%SHA256=653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d%" or Image.Hashes like r"%SHA256=20dd9542d30174585f2623642c7fbbda84e2347e4365e804e3f3d81f530c4ece%" or Image.Hashes like r"%SHA256=3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2%" or Image.Hashes like r"%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%" or Image.Hashes like r"%SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512%" or Image.Hashes like r"%SHA256=133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743%" or Image.Hashes like r"%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%" or Image.Hashes like r"%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%" or Image.Hashes like r"%SHA256=51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5%" or Image.Hashes like r"%SHA256=613d6cc154586c21b330018142a89eac4504e185f0be7f86af975e5b6c046c55%" or Image.Hashes like r"%SHA256=f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298%" or Image.Hashes like r"%SHA256=b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c%" or Image.Hashes like r"%SHA256=caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab%" or Image.Hashes like r"%SHA256=7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd%" or Image.Hashes like r"%SHA256=854bc946b557ed78c7d40547eb39e293e83942a693c94d0e798d1c4fbde7efa9%" or Image.Hashes like r"%SHA256=6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc%" or Image.Hashes like r"%SHA256=aa0c52cebd64a0115c0e7faf4316a52208f738f66a54b4871bd4162eb83dc41a%" or Image.Hashes like r"%SHA256=23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade%" or Image.Hashes like r"%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%" or Image.Hashes like 
r"%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%" or Image.Hashes like r"%SHA256=03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9%" or Image.Hashes like r"%SHA256=69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce%" or Image.Hashes like r"%SHA256=074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761%" or Image.Hashes like r"%SHA256=16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23%" or Image.Hashes like r"%SHA256=092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0%" or Image.Hashes like r"%SHA256=cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c%" or Image.Hashes like r"%SHA256=9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2%" or Image.Hashes like r"%SHA256=f2ed6c1906663016123559d9f3407bc67f64e0d235fa6f10810a3fa7bb322967%" or Image.Hashes like r"%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%" or Image.Hashes like r"%SHA256=c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a%" or Image.Hashes like r"%SHA256=5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48%" or Image.Hashes like r"%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%" or Image.Hashes like r"%SHA256=ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f%" or Image.Hashes like r"%SHA256=d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd%" or Image.Hashes like r"%SHA256=636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220%" or Image.Hashes like r"%SHA256=fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22%" or Image.Hashes like r"%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%" or Image.Hashes like r"%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%" or Image.Hashes like r"%SHA256=7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408%" or Image.Hashes like 
r"%SHA256=4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f%" or Image.Hashes like r"%SHA256=be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2%" or Image.Hashes like r"%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%" or Image.Hashes like r"%SHA256=6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5%" or Image.Hashes like r"%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%" or Image.Hashes like r"%SHA256=0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6%" or Image.Hashes like r"%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%" or Image.Hashes like r"%SHA256=9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01%" or Image.Hashes like r"%SHA256=dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258%" or Image.Hashes like r"%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%" or Image.Hashes like r"%SHA256=d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b%" or Image.Hashes like r"%SHA256=c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65%" or Image.Hashes like r"%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%" or Image.Hashes like r"%SHA256=f583cfb8aab7d084dc052dbd0b9d56693308cbb26bd1b607c2aedf8ee2b25e44%" or Image.Hashes like r"%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%" or Image.Hashes like r"%SHA256=bac1cd96ba242cdf29f8feac501110739f1524f0db1c8fcad59409e77b8928ba%" or Image.Hashes like r"%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%" or Image.Hashes like r"%SHA256=e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc%" or Image.Hashes like r"%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%" or Image.Hashes like r"%SHA256=73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061%" or Image.Hashes like 
r"%SHA256=ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1%" or Image.Hashes like r"%SHA256=c181ce9a57e8d763db89ba7c45702a8cf66ef1bb58e3f21874cf0265711f886b%" or Image.Hashes like r"%SHA256=5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02%" or Image.Hashes like r"%SHA256=51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb%" or Image.Hashes like r"%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%" or Image.Hashes like r"%SHA256=31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a%" or Image.Hashes like r"%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%" or Image.Hashes like r"%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%" or Image.Hashes like r"%SHA256=83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc%" or Image.Hashes like r"%SHA256=8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250%" or Image.Hashes like r"%SHA256=61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874%" or Image.Hashes like r"%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%" or Image.Hashes like r"%SHA256=a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af%" or Image.Hashes like r"%SHA256=0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff%" or Image.Hashes like r"%SHA256=6297556f66cd6619057f3a5b216b314f8a27eebb5fa575ee07a1944aca71ae80%" or Image.Hashes like r"%SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184%" or Image.Hashes like r"%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%" or Image.Hashes like r"%SHA256=3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1%" or Image.Hashes like r"%SHA256=94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e%" or Image.Hashes like r"%SHA256=8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587%" or Image.Hashes like 
r"%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%" or Image.Hashes like r"%SHA256=ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89%" or Image.Hashes like r"%SHA256=72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35%" or Image.Hashes like r"%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%" or Image.Hashes like r"%SHA256=b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027%" or Image.Hashes like r"%SHA256=0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d%" or Image.Hashes like r"%SHA256=c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924%" or Image.Hashes like r"%SHA256=5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c%" or Image.Hashes like r"%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%" or Image.Hashes like r"%SHA256=1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4%" or Image.Hashes like r"%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%" or Image.Hashes like r"%SHA256=93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131%" or Image.Hashes like r"%SHA256=2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f%" or Image.Hashes like r"%SHA256=8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881%" or Image.Hashes like r"%SHA256=9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3%" or Image.Hashes like r"%SHA256=dd2c1aa4e14c825f3715891bfa2b6264650a794f366d5f73ed1ef1d79ff0dbf9%" or Image.Hashes like r"%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%" or Image.Hashes like r"%SHA256=9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7%" or Image.Hashes like r"%SHA256=c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2%" or Image.Hashes like r"%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%" or Image.Hashes like 
r"%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%" or Image.Hashes like r"%SHA256=b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0%" or Image.Hashes like r"%SHA256=1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3%" or Image.Hashes like r"%SHA256=092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0%" or Image.Hashes like r"%SHA256=87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b%" or Image.Hashes like r"%SHA256=673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92%" or Image.Hashes like r"%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%" or Image.Hashes like r"%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%" or Image.Hashes like r"%SHA256=837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2%" or Image.Hashes like r"%SHA256=db73b0fa032be22405fa0b52fbfe3b30e56ac4787e620e4854c32668ae43bc33%" or Image.Hashes like r"%SHA256=773999db2f07c50aad70e50c1983fa95804369d25a5b4f10bd610f864c27f2fc%" or Image.Hashes like r"%SHA256=f64a78b1294e6837f12f171a663d8831f232b1012fd8bae3c2c6368fbf71219b%" or Image.Hashes like r"%SHA256=733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e%" or Image.Hashes like r"%SHA256=7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21%" or Image.Hashes like r"%SHA256=9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194%" or Image.Hashes like r"%SHA256=e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48%" or Image.Hashes like r"%SHA256=747a4dc50915053649c499a508853a42d9e325a5eec22e586571e338c6d32465%" or Image.Hashes like r"%SHA256=903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b%" or Image.Hashes like r"%SHA256=6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259%" or Image.Hashes like r"%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%" or Image.Hashes like 
r"%SHA256=de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5%" or Image.Hashes like r"%SHA256=55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03%" or Image.Hashes like r"%SHA256=f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686%" or Image.Hashes like r"%SHA256=4ba224af60a50cad10d0091c89134c72fc021da8d34a6f25c4827184dc6ca5c7%" or Image.Hashes like r"%SHA256=40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554%" or Image.Hashes like r"%SHA256=1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b%" or Image.Hashes like r"%SHA256=53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b%" or Image.Hashes like r"%SHA256=7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6%" or Image.Hashes like r"%SHA256=6e76764d750ebd835aa4bb055830d278df530303585614c1dc743f8d5adf97d7%" or Image.Hashes like r"%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%" or Image.Hashes like r"%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%" or Image.Hashes like r"%SHA256=841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b%" or Image.Hashes like r"%SHA256=38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20%" or Image.Hashes like r"%SHA256=00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03%" or Image.Hashes like r"%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%" or Image.Hashes like r"%SHA256=d9e8be11a19699903016f39f95c9c5bf1a39774ecea73670f2c3ed5385ebfe4c%" or Image.Hashes like r"%SHA256=6ef0b34649186fb98a7431b606e77ee35e755894b038755ba98e577bd51b2c72%" or Image.Hashes like r"%SHA256=dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98%" or Image.Hashes like r"%SHA256=55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa%" or Image.Hashes like r"%SHA256=7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d%" or Image.Hashes like 
r"%SHA256=3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb%" or Image.Hashes like r"%SHA256=e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f%" or Image.Hashes like r"%SHA256=b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e%" or Image.Hashes like r"%SHA256=760be95d4c04b10df89a78414facf91c0961020e80561eee6e2cb94b43b76510%" or Image.Hashes like r"%SHA256=b749566057dee0439f54b0d38935e5939b5cb011c46d7022530f748ebc63efe5%" or Image.Hashes like r"%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%" or Image.Hashes like r"%SHA256=0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf%" or Image.Hashes like r"%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%" or Image.Hashes like r"%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%" or Image.Hashes like r"%SHA256=bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248%" or Image.Hashes like r"%SHA256=ac26150bc98ee0419a8b23e4cda3566e0eba94718ba8059346a9696401e9793d%" or Image.Hashes like r"%SHA256=81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0%" or Image.Hashes like r"%SHA256=3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa%" or Image.Hashes like r"%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%" or Image.Hashes like r"%SHA256=2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c%" or Image.Hashes like r"%SHA256=0a9b608461d55815e99700607a52fbdb7d598f968126d38e10cc4293ac4b1ad8%" or Image.Hashes like r"%SHA256=87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3%" or Image.Hashes like r"%SHA256=3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e%" or Image.Hashes like r"%SHA256=ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5%" or Image.Hashes like r"%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%" or Image.Hashes like 
r"%SHA256=2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f%" or Image.Hashes like r"%SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1%" or Image.Hashes like r"%SHA256=8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c%" or Image.Hashes like r"%SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8%" or Image.Hashes like r"%SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3%" or Image.Hashes like r"%SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1%" or Image.Hashes like r"%SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1%" or Image.Hashes like r"%SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775%" or Image.Hashes like r"%SHA256=ad0309c2d225d8540a47250e3773876e05ce6a47a7767511e2f68645562c0686%" or Image.Hashes like r"%SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0%" or Image.Hashes like r"%SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa%" or Image.Hashes like r"%SHA256=3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9%" or Image.Hashes like r"%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%" or Image.Hashes like r"%SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c%" or Image.Hashes like r"%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%" or Image.Hashes like r"%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%" or Image.Hashes like r"%SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2%" or Image.Hashes like r"%SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9%" or Image.Hashes like r"%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%" or Image.Hashes like r"%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%" or Image.Hashes like 
r"%SHA256=c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa%" or Image.Hashes like r"%SHA256=11208bbba148736309a8d2a4ab9ab6b8f22f2297547b100d8bdfd7d413fe98b2%" or Image.Hashes like r"%SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504%" or Image.Hashes like r"%SHA256=d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b%" or Image.Hashes like r"%SHA256=c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b%" or Image.Hashes like r"%SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126%" or Image.Hashes like r"%SHA256=81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05%" or Image.Hashes like r"%SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9%" or Image.Hashes like r"%SHA256=828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2%" or Image.Hashes like r"%SHA256=182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714%" or Image.Hashes like r"%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%" or Image.Hashes like r"%SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d%" or Image.Hashes like r"%SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185%" or Image.Hashes like r"%SHA256=f1fbec90c60ee4daba1b35932db9f3556633b2777b1039163841a91cf997938e%" or Image.Hashes like r"%SHA256=9917144b7240b1ce0cadb1210fd26182744fbbdf145943037c4b93e44aced207%" or Image.Hashes like r"%SHA256=c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1%" or Image.Hashes like r"%SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1%" or Image.Hashes like r"%SHA256=ad215185dc833c54d523350ef3dbc10b3357a88fc4dde00281d9af81ea0764d5%" or Image.Hashes like r"%SHA256=e2d6cdc3d8960a50d9f292bb337b3235956a61e4e8b16cf158cb979b777f42aa%" or Image.Hashes like r"%SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d%" or Image.Hashes like 
r"%SHA256=dbebf6d463c2dbf61836b3eba09b643e1d79a02652a32482ca58894703b9addb%" or Image.Hashes like r"%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%" or Image.Hashes like r"%SHA256=e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5%" or Image.Hashes like r"%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%" or Image.Hashes like r"%SHA256=70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7%" or Image.Hashes like r"%SHA256=909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77%" or Image.Hashes like r"%SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918%" or Image.Hashes like r"%SHA256=90574d2c406b9738aae8fc629c3983c5e47a6282a43b052f38b5dd313380c30a%" or Image.Hashes like r"%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%" or Image.Hashes like r"%SHA256=5daa8fa3b5db2e6225a2effea41af95fe7ffc579550c4081c8028ed33bc023b8%" or Image.Hashes like r"%SHA256=115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406%" or Image.Hashes like r"%SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4%" or Image.Hashes like r"%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%" or Image.Hashes like r"%SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25%" or Image.Hashes like r"%SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501%" or Image.Hashes like r"%SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c%" or Image.Hashes like r"%SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f%" or Image.Hashes like r"%SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b%" or Image.Hashes like r"%SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26%" or Image.Hashes like r"%SHA256=b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c%" or Image.Hashes like 
r"%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%" or Image.Hashes like r"%SHA256=f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2%" or Image.Hashes like r"%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%" or Image.Hashes like r"%SHA256=4c807bacfcf5c30686e26812ec8d5581a824b82fee7434260c27c33eee2dfbe2%" or Image.Hashes like r"%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%" or Image.Hashes like r"%SHA256=700b9839fde53e91f0847053b4d2eb8d9bd3aca098844510f1fa3bab6a37eb24%" or Image.Hashes like r"%SHA256=d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e%" or Image.Hashes like r"%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%" or Image.Hashes like r"%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%" or Image.Hashes like r"%SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d%" or Image.Hashes like r"%SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85%" or Image.Hashes like r"%SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512%" or Image.Hashes like r"%SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df%" or Image.Hashes like r"%SHA256=ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8%" or Image.Hashes like r"%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%" or Image.Hashes like r"%SHA256=5d7bfe05792189eaf7193bee85f0c792c33315cfcb40b2e62cc7baef6cafbc5c%" or Image.Hashes like r"%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%" or Image.Hashes like r"%SHA256=4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0%" or Image.Hashes like r"%SHA256=7ef8949637cb947f1a4e1d4e68d31d1385a600d1b1054b53e7417767461fafa7%" or Image.Hashes like r"%SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0%" or Image.Hashes like 
r"%SHA256=4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4%" or Image.Hashes like r"%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%" or Image.Hashes like r"%SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d%" or Image.Hashes like r"%SHA256=da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb%" or Image.Hashes like r"%SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90%" or Image.Hashes like r"%SHA256=cf66fcbcb8b2ea7fb4398f398b7480c50f6a451b51367718c36330182c1bb496%" or Image.Hashes like r"%SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463%" or Image.Hashes like r"%SHA256=1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d%" or Image.Hashes like r"%SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467%" or Image.Hashes like r"%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%" or Image.Hashes like r"%SHA256=b78eb7f12ba718183313cf336655996756411b7dcc8648157aaa4c891ca9dbee%" or Image.Hashes like r"%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%" or Image.Hashes like r"%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%" or Image.Hashes like r"%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%" or Image.Hashes like r"%SHA256=5ab48bf8c099611b217cc9f78af2f92e9aaeedf1cea4c95d5dd562f51e9f0d09%" or Image.Hashes like r"%SHA256=274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab%" or Image.Hashes like r"%SHA256=89bc3cb4522f9b0bf467a93a4123ef623c28244e25a9c34d4aae11f705d187e7%" or Image.Hashes like r"%SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd%" or Image.Hashes like r"%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%" or Image.Hashes like r"%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%" or Image.Hashes like 
r"%SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5%" or Image.Hashes like r"%SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb%" or Image.Hashes like r"%SHA256=afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3%" or Image.Hashes like r"%SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2%" or Image.Hashes like r"%SHA256=9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91%" or Image.Hashes like r"%SHA256=97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c%" or Image.Hashes like r"%SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850%" or Image.Hashes like r"%SHA256=065a34b786b0ccf6f88c136408943c3d2bd3da14357ee1e55e81e05d67a4c9bc%" or Image.Hashes like r"%SHA256=3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d%" or Image.Hashes like r"%SHA256=c188b36f258f38193ace21a7d254f0aec36b59ad7e3f9bcb9c2958108effebad%" or Image.Hashes like r"%SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c%" or Image.Hashes like r"%SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c%" or Image.Hashes like r"%SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88%" or Image.Hashes like r"%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%" or Image.Hashes like r"%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%" or Image.Hashes like r"%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%" or Image.Hashes like r"%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%" or Image.Hashes like r"%SHA256=a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e%" or Image.Hashes like r"%SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b%" or Image.Hashes like r"%SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882%" or Image.Hashes like 
r"%SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae%" or Image.Hashes like r"%SHA256=5be106b92424b12865338b3f541b3c244dce9693fe15f763316f0c6d6fc073ee%" or Image.Hashes like r"%SHA256=b84dc9b885193ced6a1b6842a365a4f18d1683951bb11a5c780ab737ffa06684%" or Image.Hashes like r"%SHA256=dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d%" or Image.Hashes like r"%SHA256=3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb%" or Image.Hashes like r"%SHA256=f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1%" or Image.Hashes like r"%SHA256=8bf01cd6d55502838853851703eb297ec71361fa9a0b088a30c2434f4d2bf9c6%" or Image.Hashes like r"%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%" or Image.Hashes like r"%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%" or Image.Hashes like r"%SHA256=1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43%" or Image.Hashes like r"%SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad%" or Image.Hashes like r"%SHA256=a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c%" or Image.Hashes like r"%SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed%" or Image.Hashes like r"%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%" or Image.Hashes like r"%SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a%" or Image.Hashes like r"%SHA256=70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505%" or Image.Hashes like r"%SHA256=76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb%" or Image.Hashes like r"%SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c%" or Image.Hashes like r"%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%" or Image.Hashes like r"%SHA256=1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a%" or Image.Hashes like 
r"%SHA256=ef438a754fd940d145cc5d658ddac666a06871d71652b258946c21efe4b7e517%" or Image.Hashes like r"%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%" or Image.Hashes like r"%SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee%" or Image.Hashes like r"%SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5%" or Image.Hashes like r"%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%" or Image.Hashes like r"%SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285%" or Image.Hashes like r"%SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb%" or Image.Hashes like r"%SHA256=d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e%" or Image.Hashes like r"%SHA256=b531f0a11ca481d5125c93c977325e135a04058019f939169ce3cdedaddd422d%" or Image.Hashes like r"%SHA256=fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a%" or Image.Hashes like r"%SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc%" or Image.Hashes like r"%SHA256=5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3%" or Image.Hashes like r"%SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a%" or Image.Hashes like r"%SHA256=b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f%" or Image.Hashes like r"%SHA256=786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc%" or Image.Hashes like r"%SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca%" or Image.Hashes like r"%SHA256=212c05b487cd4e64de2a1077b789e47e9ac3361efa24d9aab3cc6ad4bd3bd76a%" or Image.Hashes like r"%SHA256=5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab%" or Image.Hashes like r"%SHA256=79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd%" or Image.Hashes like r"%SHA256=9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95%" or Image.Hashes like 
r"%SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada%" or Image.Hashes like r"%SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26%" or Image.Hashes like r"%SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036%" or Image.Hashes like r"%SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7%" or Image.Hashes like r"%SHA256=ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc%" or Image.Hashes like r"%SHA256=b2bc7514201727d773c09a1cfcfae793fcdbad98024251ccb510df0c269b04e6%" or Image.Hashes like r"%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%" or Image.Hashes like r"%SHA256=eef68fdc5df91660410fb9bed005ed08c258c44d66349192faf5bb5f09f5fa90%" or Image.Hashes like r"%SHA256=582b62ffbcbcdd62c0fc624cdf106545af71078f1edfe1129401d64f3eefaa3a%" or Image.Hashes like r"%SHA256=326b53365f8486c78608139cac84619eff90be361f7ade9db70f9867dd94dcc9%" or Image.Hashes like r"%SHA256=9bd8b0289955a6eb791f45c3203f08a64cbd457fd1b9d598a6fbbca5d0372e36%" or Image.Hashes like r"%SHA256=655110646bff890c448c0951e11132dc3592bda6e080696341b930d090224723%" or Image.Hashes like r"%SHA256=8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f%" or Image.Hashes like r"%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%" or Image.Hashes like r"%SHA256=f2a4ddc38e68efd2eac27b2562529926f5ade93575a82e8d3e0abb2b37347257%" or Image.Hashes like r"%SHA256=e89afd283d5789b8064d5487e04b97e2cd3fc0c711a8cec230543ebdf9ffc534%" or Image.Hashes like r"%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%" or Image.Hashes like r"%SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572%" or Image.Hashes like r"%SHA256=81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d%" or Image.Hashes like r"%SHA256=2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9%" or Image.Hashes like 
r"%SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7%" or Image.Hashes like r"%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%" or Image.Hashes like r"%SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289%" or Image.Hashes like r"%SHA256=71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5%" or Image.Hashes like r"%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%" or Image.Hashes like r"%SHA256=848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891%" or Image.Hashes like r"%SHA256=14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c%" or Image.Hashes like r"%SHA256=49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94%" or Image.Hashes like r"%SHA256=a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53%" or Image.Hashes like r"%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%" or Image.Hashes like r"%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%" or Image.Hashes like r"%SHA256=c8ff7c9f510f7a2ed88d9b336d8c9339698d5e1ee14bfb91aa89703ec06dce42%" or Image.Hashes like r"%SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917%" or Image.Hashes like r"%SHA256=348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1%" or Image.Hashes like r"%SHA256=f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad%" or Image.Hashes like r"%SHA256=5fbfd7c4ea3db1197ad38d5a945acf6f2f42cb350380cf8ae276bc80b0dedb77%" or Image.Hashes like r"%SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c%" or Image.Hashes like r"%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%" or Image.Hashes like r"%SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a%" or Image.Hashes like r"%SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d%" or Image.Hashes like 
r"%SHA256=7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc%" or Image.Hashes like r"%SHA256=7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f%" or Image.Hashes like r"%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%" or Image.Hashes like r"%SHA256=39f137083e6c0200543e1f8d3c074f857d141bdb8c8f09338d48520537b881aa%" or Image.Hashes like r"%SHA256=0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182%" or Image.Hashes like r"%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%" or Image.Hashes like r"%SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c%" or Image.Hashes like r"%SHA256=a0dd3d43ab891777b11d4fdcb3b7f246b80bc66d12f7810cf268a5f6f4f8eb7b%" or Image.Hashes like r"%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%" or Image.Hashes like r"%SHA256=e9919d1546c7dfef62ff01b87f739812de0a57463611c12012013ae689023ce1%" or Image.Hashes like r"%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%" or Image.Hashes like r"%SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f%" or Image.Hashes like r"%SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28%" or Image.Hashes like r"%SHA256=b9ed73af3aef69dc1fb91731d6d0a649e93f83d0f07ddb9729d71c2d00ed0801%" or Image.Hashes like r"%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%" or Image.Hashes like r"%SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148%" or Image.Hashes like r"%SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6%" or Image.Hashes like r"%SHA256=5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4%" or Image.Hashes like r"%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%" or Image.Hashes like r"%SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e%" or Image.Hashes like 
r"%SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d%" or Image.Hashes like r"%SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9%" or Image.Hashes like r"%SHA256=648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f%" or Image.Hashes like r"%SHA256=6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440%" or Image.Hashes like r"%SHA256=b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25%" or Image.Hashes like r"%SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b%" or Image.Hashes like r"%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%" or Image.Hashes like r"%SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6%" or Image.Hashes like r"%SHA256=22e125c284a55eb730f03ec27b87ab84cf897f9d046b91c76bea2b5809fd51c5%" or Image.Hashes like r"%SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289%" or Image.Hashes like r"%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%" or Image.Hashes like r"%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%" or Image.Hashes like r"%SHA256=b7bba82777c9912e6a728c3e873c5a8fd3546982e0d5fa88e64b3e2122f9bc3b%" or Image.Hashes like r"%SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399%" or Image.Hashes like r"%SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085%" or Image.Hashes like r"%SHA256=f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585%" or Image.Hashes like r"%SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135%" or Image.Hashes like r"%SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396%" or Image.Hashes like r"%SHA256=d21aba58222930cb75946a0fb72b4adc96de583d3f7d8dc13829b804eb877257%" or Image.Hashes like r"%SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354%" or Image.Hashes like 
r"%SHA256=2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266%" or Image.Hashes like r"%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%" or Image.Hashes like r"%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%" or Image.Hashes like r"%SHA256=0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57%" or Image.Hashes like r"%SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae%" or Image.Hashes like r"%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%" or Image.Hashes like r"%SHA256=cb59a641adb623a65a9b5af1db2ffd921fd1ca1bc046a6df85d5f2e00fd0b5a5%" or Image.Hashes like r"%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%" or Image.Hashes like r"%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%" or Image.Hashes like r"%SHA256=51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292%" or Image.Hashes like r"%SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30%" or Image.Hashes like r"%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%" or Image.Hashes like r"%SHA256=83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c%" or Image.Hashes like r"%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%" or Image.Hashes like r"%SHA256=51f002ee44e46889cf5b99a724dd10cc2bd3e22545e2a2cb3bd6b1dd3af5ba11%" or Image.Hashes like r"%SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd%" or Image.Hashes like r"%SHA256=e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717%" or Image.Hashes like r"%SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a%" or Image.Hashes like r"%SHA256=b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890%" or Image.Hashes like r"%SHA256=bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091%" or Image.Hashes like 
r"%SHA256=6575ea9b319beb3845d43ce2c70ea55f0414da2055fa82eec324c4cebdefe893%" or Image.Hashes like r"%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%" or Image.Hashes like r"%SHA256=63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e%" or Image.Hashes like r"%SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2%" or Image.Hashes like r"%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%" or Image.Hashes like r"%SHA256=26d69e677d30bb53c7ac7f3fce76291fe2c44720ef17ee386f95f08ec5175288%" or Image.Hashes like r"%SHA256=b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71%" or Image.Hashes like r"%SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305%" or Image.Hashes like r"%SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4%" or Image.Hashes like r"%SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69%" or Image.Hashes like r"%SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1%" or Image.Hashes like r"%SHA256=d7a61c671eab1dfaa62fe1088a85f6d52fb11f2f32a53822a49521ca2c16585e%" or Image.Hashes like r"%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%" or Image.Hashes like r"%SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4%" or Image.Hashes like r"%SHA256=478bcb750017cb6541f3dd0d08a47370f3c92eec998bc3825b5d8e08ee831b70%" or Image.Hashes like r"%SHA256=1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7%" or Image.Hashes like r"%SHA256=e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21%" or Image.Hashes like r"%SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f%" or Image.Hashes like r"%SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e%" or Image.Hashes like r"%SHA256=4ace6dded819e87f3686af2006cb415ed75554881a28c54de606975c41975112%" or Image.Hashes like 
r"%SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a%" or Image.Hashes like r"%SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f%" or Image.Hashes like r"%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%" or Image.Hashes like r"%SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524%" or Image.Hashes like r"%SHA256=202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213%" or Image.Hashes like r"%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%" or Image.Hashes like r"%SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd%" or Image.Hashes like r"%SHA256=00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922%" or Image.Hashes like r"%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%" or Image.Hashes like r"%SHA256=3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5%" or Image.Hashes like r"%SHA256=c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8%" or Image.Hashes like r"%SHA256=b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867%" or Image.Hashes like r"%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%" or Image.Hashes like r"%SHA256=c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b%" or Image.Hashes like r"%SHA256=c2562e0101cb39906c73b96fc15a6e6e3edd710b19858f6bbd0c90f1561b6038%" or Image.Hashes like r"%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%" or Image.Hashes like r"%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%" or Image.Hashes like r"%SHA256=f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3%" or Image.Hashes like r"%SHA256=2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14%" or Image.Hashes like r"%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%" or Image.Hashes like 
r"%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%" or Image.Hashes like r"%SHA256=405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1%" or Image.Hashes like r"%SHA256=17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229%" or Image.Hashes like r"%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%" or Image.Hashes like r"%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%" or Image.Hashes like r"%SHA256=1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687%" or Image.Hashes like r"%SHA256=ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d%" or Image.Hashes like r"%SHA256=b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c%" or Image.Hashes like r"%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%" or Image.Hashes like r"%SHA256=a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9%" or Image.Hashes like r"%SHA256=11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f%" or Image.Hashes like r"%SHA256=771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c%" or Image.Hashes like r"%SHA256=2a11b4f125d8537e69af7b684494e49ef2a30a219634988e278177fa36c934eb%" or Image.Hashes like r"%SHA256=e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f%" or Image.Hashes like r"%SHA256=37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20%" or Image.Hashes like r"%SHA256=3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b%" or Image.Hashes like r"%SHA256=c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0%" or Image.Hashes like r"%SHA256=3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc%" or Image.Hashes like r"%SHA256=8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2%" or Image.Hashes like r"%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%" or Image.Hashes like 
r"%SHA256=9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba%" or Image.Hashes like r"%SHA256=a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e%" or Image.Hashes like r"%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%" or Image.Hashes like r"%SHA256=0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b%" or Image.Hashes like r"%SHA256=ffd03584246730397e231eb8d16c1449aef2c3bc79bf9da3ebf8400a21b20ae7%" or Image.Hashes like r"%SHA256=c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646%" or Image.Hashes like r"%SHA256=ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7%" or Image.Hashes like r"%SHA256=c640930c29ea3610a3a5cebee573235ec70267ed223b79b9fa45a80081e686a4%" or Image.Hashes like r"%SHA256=88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc%" or Image.Hashes like r"%SHA256=16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1%" or Image.Hashes like r"%SHA256=24e70c87d58fa5771f02b9ddf0d8870cba6b26e35c6455a2c77f482e2080d3e9%" or Image.Hashes like r"%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%" or Image.Hashes like r"%SHA256=8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c%" or Image.Hashes like r"%SHA256=4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4%" or Image.Hashes like r"%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%" or Image.Hashes like r"%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%" or Image.Hashes like r"%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%" or Image.Hashes like r"%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%" or Image.Hashes like r"%SHA256=d9a2bf0f5ba185170441f003dc46fbb570e1c9fdf2132ab7de28b87ba7ad1a0c%" or Image.Hashes like r"%SHA256=0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180%" or Image.Hashes like 
r"%SHA256=b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763%" or Image.Hashes like r"%SHA256=bfc121e93fcbf9bd42736cfe7675ae2cc805be9a58f1a0d8cc3aa5b42e49a13f%" or Image.Hashes like r"%SHA256=b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b%" or Image.Hashes like r"%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%" or Image.Hashes like r"%SHA256=5bdba1561ec5b23b1d56ea8cee411147d1526595f03a9281166a563b3641fa2a%" or Image.Hashes like r"%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%" or Image.Hashes like r"%SHA256=66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e%" or Image.Hashes like r"%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%" or Image.Hashes like r"%SHA256=1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961%" or Image.Hashes like r"%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%" or Image.Hashes like r"%SHA256=9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be%" or Image.Hashes like r"%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%" or Image.Hashes like r"%SHA256=fc3e8554602c476e2edfa92ba4f6fb2e5ba0db433b9fbd7d8be1036e454d2584%" or Image.Hashes like r"%SHA256=bef87650c29faf421e7ad666bf47d7a78a45f291b438c8d1c4b6a66e5b54c6fc%" or Image.Hashes like r"%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%" or Image.Hashes like r"%SHA256=5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c%" or Image.Hashes like r"%SHA256=4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d%" or Image.Hashes like r"%SHA256=59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879%" or Image.Hashes like r"%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%" or Image.Hashes like r"%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%" or Image.Hashes like 
r"%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%" or Image.Hashes like r"%SHA256=34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3%" or Image.Hashes like r"%SHA256=f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de%" or Image.Hashes like r"%SHA256=567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270%" or Image.Hashes like r"%SHA256=523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba%" or Image.Hashes like r"%SHA256=b074caef2fbf7e1dc8870edccb65254858d95836f466b4e9e6ca398bf7a27aa3%" or Image.Hashes like r"%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%" or Image.Hashes like r"%SHA256=8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409%" or Image.Hashes like r"%SHA256=f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d%" or Image.Hashes like r"%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%" or Image.Hashes like r"%SHA256=c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa%" or Image.Hashes like r"%SHA256=5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa%" or Image.Hashes like r"%SHA256=9e2622d8e7a0ec136ba1fff639833f05137f8a1ff03e7a93b9a4aea25e7abb8d%" or Image.Hashes like r"%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%" or Image.Hashes like r"%SHA256=6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7%" or Image.Hashes like r"%SHA256=c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2%" or Image.Hashes like r"%SHA256=3ac8e54be2804f5fa60d0d23a11ba323fba078a942c96279425aabad935b8236%" or Image.Hashes like r"%SHA256=468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5%" or Image.Hashes like r"%SHA256=496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b%" or Image.Hashes like r"%SHA256=ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4%" or Image.Hashes like 
r"%SHA256=b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441%" or Image.Hashes like r"%SHA256=82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989%" or Image.Hashes like r"%SHA256=0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7%" or Image.Hashes like r"%SHA256=daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5%" or Image.Hashes like r"%SHA256=bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa%" or Image.Hashes like r"%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%" or Image.Hashes like r"%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%" or Image.Hashes like r"%SHA256=7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0%" or Image.Hashes like r"%SHA256=f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6%" or Image.Hashes like r"%SHA256=0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d%" or Image.Hashes like r"%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%" or Image.Hashes like r"%SHA256=0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664%" or Image.Hashes like r"%SHA256=dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53%" or Image.Hashes like r"%SHA256=f48f31bf9c6abbd44124b66bce2ab1200176e31ef1e901733761f2b5ceb60fb2%" or Image.Hashes like r"%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%" or Image.Hashes like r"%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%" or Image.Hashes like r"%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%" or Image.Hashes like r"%SHA256=3678ba63d62efd3b706d1b661d631ded801485c08b5eb9a3ef38380c6cff319a%" or Image.Hashes like r"%SHA256=ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd%" or Image.Hashes like r"%SHA256=c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd%" or Image.Hashes like 
r"%SHA256=3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5%" or Image.Hashes like r"%SHA256=f13f6a4bf7711216c9e911f18dfa2735222551fb1f8c1a645a8674c1983ccea6%" or Image.Hashes like r"%SHA256=3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0%" or Image.Hashes like r"%SHA256=898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289%" or Image.Hashes like r"%SHA256=834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78%" or Image.Hashes like r"%SHA256=d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4%" or Image.Hashes like r"%SHA256=c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c%" or Image.Hashes like r"%SHA256=46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7%" or Image.Hashes like r"%SHA256=8001d7161d662a6f4afb4d17823144e042fd24696d8904380d48065209f28258%" or Image.Hashes like r"%SHA256=4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51%" or Image.Hashes like r"%SHA256=1336469ec0711736e742b730d356af23f8139da6038979cfe4de282de1365d3b%" or Image.Hashes like r"%SHA256=65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75%" or Image.Hashes like r"%SHA256=c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9%" or Image.Hashes like r"%SHA256=2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d%" or Image.Hashes like r"%SHA256=85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3%" or Image.Hashes like r"%SHA256=31e2e5c3290989e8624820cf5af886fd778ee8187fed593f33a6178f65103f37%" or Image.Hashes like r"%SHA256=1deae340bf619319adce00701de887f7434deab4d5547a1742aeedb5634d23c6%" or Image.Hashes like r"%SHA256=442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c%" or Image.Hashes like r"%SHA256=ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1%" or Image.Hashes like r"%SHA256=53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6%" or Image.Hashes like 
r"%SHA256=f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65%" or Image.Hashes like r"%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%" or Image.Hashes like r"%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%" or Image.Hashes like r"%SHA256=dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094%" or Image.Hashes like r"%SHA256=87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5%" or Image.Hashes like r"%SHA256=c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633%" or Image.Hashes like r"%SHA256=78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663%" or Image.Hashes like r"%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%" or Image.Hashes like r"%SHA256=67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc%" or Image.Hashes like r"%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%" or Image.Hashes like r"%SHA256=be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0%" or Image.Hashes like r"%SHA256=7108613244f16c2279c3c917aa49cef8acf0b92fdaa9ace19bf5cf634360d727%" or Image.Hashes like r"%SHA256=bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f%" or Image.Hashes like r"%SHA256=20e52e0d7f579dc6884cc6e80266fddceda69ea5fdd0b095c0874b0d877e48a2%" or Image.Hashes like r"%SHA256=6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a%" or Image.Hashes like r"%SHA256=ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566%" or Image.Hashes like r"%SHA256=b3e645e8817696fa5d5e2255f9328f3b6a2e5fce91737f4d654ff155dc9851e5%" or Image.Hashes like r"%SHA256=3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458%" or Image.Hashes like r"%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%" or Image.Hashes like r"%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%" or Image.Hashes like 
r"%SHA256=31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192%" or Image.Hashes like r"%SHA256=d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7%" or Image.Hashes like r"%SHA256=e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb%" or Image.Hashes like r"%SHA256=077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356%" or Image.Hashes like r"%SHA256=d330ab003206ce5e9828607562790aa8dd0453f6b7452f5c6053e3c6b6761d25%" or Image.Hashes like r"%SHA256=ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058%" or Image.Hashes like r"%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%" or Image.Hashes like r"%SHA256=0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c%" or Image.Hashes like r"%SHA256=5fe5a6f88fbbc85be9efe81204eee11dff1a683b426019d330b1276a3b5424f4%" or Image.Hashes like r"%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%" or Image.Hashes like r"%SHA256=a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d%" or Image.Hashes like r"%SHA256=71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d%" or Image.Hashes like r"%SHA256=af298d940b186f922464d2ef19ccfc129c77126a4f337ecf357b4fe5162a477c%" or Image.Hashes like r"%SHA256=6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097%" or Image.Hashes like r"%SHA256=818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01%" or Image.Hashes like r"%SHA256=6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63%" or Image.Hashes like r"%SHA256=be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7%" or Image.Hashes like r"%SHA256=2288c418ddadd5a1db4e58c118d8455b01fd33728664408ce23b9346ae0ca057%" or Image.Hashes like r"%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%" or Image.Hashes like r"%SHA256=64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5%" or Image.Hashes like 
r"%SHA256=7de1ce434f957df7bbdf6578dd0bf06ed1269f3cc182802d5c499f5570a85b3a%" or Image.Hashes like r"%SHA256=8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2%" or Image.Hashes like r"%SHA256=ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9%" or Image.Hashes like r"%SHA256=f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114%" or Image.Hashes like r"%SHA256=8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047%" or Image.Hashes like r"%SHA256=0584520b4b3bdad1d177329bd9952c0589b2a99eb9676cb324d1fce46dad0b9a%" or Image.Hashes like r"%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%" or Image.Hashes like r"%SHA256=4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4%" or Image.Hashes like r"%SHA256=a0e583bd88eb198558442f69a8bbfc96f4c5c297befea295138cfd2070f745c5%" or Image.Hashes like r"%SHA256=9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91%" or Image.Hashes like r"%SHA256=38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7%" or Image.Hashes like r"%SHA256=d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e%" or Image.Hashes like r"%SHA256=83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a%" or Image.Hashes like r"%SHA256=1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c%" or Image.Hashes like r"%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%" or Image.Hashes like r"%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%" or Image.Hashes like r"%SHA256=1e9ec6b3e83055ae90f3664a083c46885c506d33de5e2a49f5f1189e89fa9f0a%" or Image.Hashes like r"%SHA256=a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df%" or Image.Hashes like r"%SHA256=2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958%" or Image.Hashes like r"%SHA256=5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0%" or Image.Hashes like 
r"%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%" or Image.Hashes like r"%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%" or Image.Hashes like r"%SHA256=d44848d3e845f8293974e8b621b72a61ec00c8d3cf95fcf41698bbbd4bdf5565%" or Image.Hashes like r"%SHA256=f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1%" or Image.Hashes like r"%SHA256=a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad%" or Image.Hashes like r"%SHA256=37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9%" or Image.Hashes like r"%SHA256=a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67%" or Image.Hashes like r"%SHA256=d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2%" or Image.Hashes like r"%SHA256=c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc%" or Image.Hashes like r"%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%" or Image.Hashes like r"%SHA256=69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2%" or Image.Hashes like r"%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%" or Image.Hashes like r"%SHA256=d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4%" or Image.Hashes like r"%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%" or Image.Hashes like r"%SHA256=c35f3a9da8e81e75642af20103240618b641d39724f9df438bf0f361122876b0%" or Image.Hashes like r"%SHA256=ae5cc99f3c61c86c7624b064fd188262e0160645c1676d231516bf4e716a22d3%" or Image.Hashes like r"%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%" or Image.Hashes like r"%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%" or Image.Hashes like r"%SHA256=7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853%" or Image.Hashes like r"%SHA256=6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38%" or Image.Hashes like 
r"%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%" or Image.Hashes like r"%SHA256=3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f%" or Image.Hashes like r"%SHA256=7fc01f25c4c18a6c539cda38fdbf34b2ff02a15ffd1d93a7215e1f48f76fb3be%" or Image.Hashes like r"%SHA256=6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7%" or Image.Hashes like r"%SHA256=18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7%" or Image.Hashes like r"%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%" or Image.Hashes like r"%SHA256=7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7%" or Image.Hashes like r"%SHA256=88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3%" or Image.Hashes like r"%SHA256=4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba%" or Image.Hashes like r"%SHA256=bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961%" or Image.Hashes like r"%SHA256=46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28%" or Image.Hashes like r"%SHA256=73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a%" or Image.Hashes like r"%SHA256=f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc%" or Image.Hashes like r"%SHA256=bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63%" or Image.Hashes like r"%SHA256=da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d%" or Image.Hashes like r"%SHA256=922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832%" or Image.Hashes like r"%SHA256=8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a%" or Image.Hashes like r"%SHA256=bb0742036c82709e02f25f98a9ff37c36a8c228bcaa98e40629fac8cde95b421%" or Image.Hashes like r"%SHA256=7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96%" or Image.Hashes like r"%SHA256=6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8%" or Image.Hashes like 
r"%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%" or Image.Hashes like r"%SHA256=1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718%" or Image.Hashes like r"%SHA256=11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768%" or Image.Hashes like r"%SHA256=6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf%" or Image.Hashes like r"%SHA256=5449e4dd1b75a7d52922c30baeca0ca8e32fe2210d1e72af2a2f314a5c2268fb%" or Image.Hashes like r"%SHA256=54488a8c7da53222f25b6ed74b0dedc55d00f5fa80f4eaf6daac28f7c3528876%" or Image.Hashes like r"%SHA256=98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e%" or Image.Hashes like r"%SHA256=65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3%" or Image.Hashes like r"%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%" or Image.Hashes like r"%SHA256=de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c%" or Image.Hashes like r"%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%" or Image.Hashes like r"%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%" or Image.Hashes like r"%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%" or Image.Hashes like r"%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%" or Image.Hashes like r"%SHA256=1cedd5815bb6e20d3697103cfc0275f5015f469e6007e8cac16892c97731c695%" or Image.Hashes like r"%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%" or Image.Hashes like r"%SHA256=b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f%" or Image.Hashes like r"%SHA256=7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25%" or Image.Hashes like r"%SHA256=6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0%" or Image.Hashes like r"%SHA256=f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496%" or Image.Hashes like 
r"%SHA256=2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b%" or Image.Hashes like r"%SHA256=0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3%" or Image.Hashes like r"%SHA256=ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7%" or Image.Hashes like r"%SHA256=a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6%" or Image.Hashes like r"%SHA256=2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae%" or Image.Hashes like r"%SHA256=b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704%" or Image.Hashes like r"%SHA256=63af3fdb1e85949c8adccb43f09ca4556ae258b363a99ae599e1e834d34c8670%" or Image.Hashes like r"%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%" or Image.Hashes like r"%SHA256=3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134%" or Image.Hashes like r"%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%" or Image.Hashes like r"%SHA256=e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef%" or Image.Hashes like r"%SHA256=8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9%" or Image.Hashes like r"%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%" or Image.Hashes like r"%SHA256=d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605%" or Image.Hashes like r"%SHA256=ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d%" or Image.Hashes like r"%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%" or Image.Hashes like r"%SHA256=0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02%" or Image.Hashes like r"%SHA256=c8926e31be2d1355e542793af8ff9ccc4d1d60cae40c9564b2400dd4e1090bda%" or Image.Hashes like r"%SHA256=3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de%" or Image.Hashes like r"%SHA256=0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c%" or Image.Hashes like 
r"%SHA256=dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233%" or Image.Hashes like r"%SHA256=478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0%" or Image.Hashes like r"%SHA256=423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18%" or Image.Hashes like r"%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%" or Image.Hashes like r"%SHA256=ae71f40f06edda422efcd16f3a48f5b795b34dd6d9bb19c9c8f2e083f0850eb7%" or Image.Hashes like r"%SHA256=7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4%" or Image.Hashes like r"%SHA256=cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc%" or Image.Hashes like r"%SHA256=a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6%" or Image.Hashes like r"%SHA256=d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757%" or Image.Hashes like r"%SHA256=11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359%" or Image.Hashes like r"%SHA256=1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67%" or Image.Hashes like r"%SHA256=2695390a8a7448390fe383beb1eee06d582202683f0273d6e72ef39a8cf709e1%" or Image.Hashes like r"%SHA256=ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18%" or Image.Hashes like r"%SHA256=2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22%" or Image.Hashes like r"%SHA256=b9e0c2a569ab02742fa3a37846310a1d4e46ba2bfd4f80e16f00865fc62690cb%" or Image.Hashes like r"%SHA256=19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758%" or Image.Hashes like r"%SHA256=ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5%" or Image.Hashes like r"%SHA256=a188760f1bf36584a2720014ca982252c6bcd824e7619a98580e28be6090dccc%" or Image.Hashes like r"%SHA256=442f12adebf7cb166b19e8aead2b0440450fd1f33f5db384a39776bb2656474a%" or Image.Hashes like r"%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%" or Image.Hashes like 
r"%SHA256=600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0%" or Image.Hashes like r"%SHA256=0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0%" or Image.Hashes like r"%SHA256=94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915%" or Image.Hashes like r"%SHA256=175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347%" or Image.Hashes like r"%SHA256=47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d%" or Image.Hashes like r"%SHA256=a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e%" or Image.Hashes like r"%SHA256=c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413%" or Image.Hashes like r"%SHA256=082d4d4d4ba1bda5e1599bd24e930ae9f000e7d12b00f7021cca90a4600ea470%" or Image.Hashes like r"%SHA256=84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451%" or Image.Hashes like r"%SHA256=64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66%" or Image.Hashes like r"%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%" or Image.Hashes like r"%SHA256=2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8%" or Image.Hashes like r"%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%" or Image.Hashes like r"%SHA256=9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727%" or Image.Hashes like r"%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%" or Image.Hashes like r"%SHA256=96df0b01eeba3e6e50759d400df380db27f0d0e34812d0374d22ac1758230452%" or Image.Hashes like r"%SHA256=df4c02beb039d15ff0c691bbc3595c9edfc1d24e783c8538a859bc5ea537188d%" or Image.Hashes like r"%SHA256=3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50%" or Image.Hashes like r"%SHA256=119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280%" or Image.Hashes like r"%SHA256=3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c%" or Image.Hashes like 
r"%SHA256=0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5%" or Image.Hashes like r"%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%" or Image.Hashes like r"%SHA256=41765151df57125286b398cc107ff8007972f4653527f876d133dac1548865d6%" or Image.Hashes like r"%SHA256=f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54%" or Image.Hashes like r"%SHA256=d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3%" or Image.Hashes like r"%SHA256=453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233%" or Image.Hashes like r"%SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230%" or Image.Hashes like r"%SHA256=39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0%" or Image.Hashes like r"%SHA256=910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c%" or Image.Hashes like r"%SHA256=6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d%" or Image.Hashes like r"%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%" or Image.Hashes like r"%SHA256=05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686%" or Image.Hashes like r"%SHA256=a6c05b10a5c090b743a61fa225b09e390e2dd2bd6cb4fd96b987f1e0d3f2124a%" or Image.Hashes like r"%SHA256=ce231637422709d927fb6fa0c4f2215b9c0e3ebbd951fb2fa97b8e64da479b96%" or Image.Hashes like r"%SHA256=26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd%" or Image.Hashes like r"%SHA256=ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613%" or Image.Hashes like r"%SHA256=fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17%" or Image.Hashes like r"%SHA256=37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60%" or Image.Hashes like r"%SHA256=72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1%" or Image.Hashes like r"%SHA256=49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668%" or Image.Hashes like 
r"%SHA256=9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4%" or Image.Hashes like r"%SHA256=b1e4455499c6a90ba9a861120a015a6b6f17e64479462b869ad0f05edf6552de%" or Image.Hashes like r"%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%" or Image.Hashes like r"%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%" or Image.Hashes like r"%SHA256=50aa2b3a762abb1306fa003c60de3c78e89ea5d29aab8a9c6479792d2be3c2d7%" or Image.Hashes like r"%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%" or Image.Hashes like r"%SHA256=6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943%" or Image.Hashes like r"%SHA256=61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629%" or Image.Hashes like r"%SHA256=2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e%" or Image.Hashes like r"%SHA256=d998ea6d0051e17c1387c9f295b1c79bacb2f61c23809903445f60313d36c7fd%" or Image.Hashes like r"%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%" or Image.Hashes like r"%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%" or Image.Hashes like r"%SHA256=e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8%" or Image.Hashes like r"%SHA256=29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6%" or Image.Hashes like r"%SHA256=0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06%" or Image.Hashes like r"%SHA256=ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91%" or Image.Hashes like r"%SHA256=0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0%" or Image.Hashes like r"%SHA256=b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe%" or Image.Hashes like r"%SHA256=28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7%" or Image.Hashes like r"%SHA256=adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee%" or Image.Hashes like 
r"%SHA256=48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548%" or Image.Hashes like r"%SHA256=87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b%" or Image.Hashes like r"%SHA256=54bf602a6f1baaec5809a630a5c33f76f1c3147e4b05cecf17b96a93b1d41dca%" or Image.Hashes like r"%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%" or Image.Hashes like r"%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%" or Image.Hashes like r"%SHA256=df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15%" or Image.Hashes like r"%SHA256=fded693528f7e6ac1af253e0bd2726607308fdaa904f1e7242ed44e1c0b29ae8%" or Image.Hashes like r"%SHA256=45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef%" or Image.Hashes like r"%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%" or Image.Hashes like r"%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%" or Image.Hashes like r"%SHA256=8edab185e765f9806fa57153db1ede00e68270d2351443ee1de30674eca8d9b6%" or Image.Hashes like r"%SHA256=52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15%" or Image.Hashes like r"%SHA256=8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7%" or Image.Hashes like r"%SHA256=c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746%" or Image.Hashes like r"%SHA256=77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f%" or Image.Hashes like r"%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%" or Image.Hashes like r"%SHA256=3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8%" or Image.Hashes like r"%SHA256=8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9%" or Image.Hashes like r"%SHA256=5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9%" or Image.Hashes like r"%SHA256=c7079033659ac9459b3b7ab2510805832db2e2a70fe9beb1a6e13c1f51890d88%" or Image.Hashes like 
r"%SHA256=bbbeb5020b58e6942ec7dec0d1d518e95fc12ddae43f54ef0829d3393c6afd63%" or Image.Hashes like r"%SHA256=38535a0e9fc0684308eb5d6aa6284669bc9743f11cb605b79883b8c13ef906ad%" or Image.Hashes like r"%SHA256=65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377%" or Image.Hashes like r"%SHA256=7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35%" or Image.Hashes like r"%SHA256=263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24%" or Image.Hashes like r"%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%" or Image.Hashes like r"%SHA256=bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e%" or Image.Hashes like r"%SHA256=df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858%" or Image.Hashes like r"%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%" or Image.Hashes like r"%SHA256=159dcf37dc723d6db2bad46ed6a1b0e31d72390ec298a5413c7be318aef4a241%" or Image.Hashes like r"%SHA256=d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476%" or Image.Hashes like r"%SHA256=cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183%" or Image.Hashes like r"%SHA256=2b188ae51ec3be082e4d08f7483777ec5e66d30e393a4e9b5b9dc9af93d1f09b%" or Image.Hashes like r"%SHA256=033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7%" or Image.Hashes like r"%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%" or Image.Hashes like r"%SHA256=1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a%" or Image.Hashes like r"%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%" or Image.Hashes like r"%SHA256=ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471%" or Image.Hashes like r"%SHA256=2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109%" or Image.Hashes like r"%SHA256=368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1%" or Image.Hashes like 
r"%SHA256=070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103%" or Image.Hashes like r"%SHA256=89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10%" or Image.Hashes like r"%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%" or Image.Hashes like r"%SHA256=f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e%" or Image.Hashes like r"%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%" or Image.Hashes like r"%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%" or Image.Hashes like r"%SHA256=5bf3985644308662ebfa2fbcc11fb4d3e2a0c817ad3da1a791020f8c8589ebc8%" or Image.Hashes like r"%SHA256=a19fc837ca342d2db43ee8ad7290df48a1b8b85996c58a19ca3530101862a804%" or Image.Hashes like r"%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%" or Image.Hashes like r"%SHA256=3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272%" or Image.Hashes like r"%SHA256=ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39%" or Image.Hashes like r"%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%" or Image.Hashes like r"%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%" or Image.Hashes like r"%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%" or Image.Hashes like r"%SHA256=0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db%" or Image.Hashes like r"%SHA256=2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797%" or Image.Hashes like r"%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%" or Image.Hashes like r"%SHA256=6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402%" or Image.Hashes like r"%SHA256=2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e%" or Image.Hashes like r"%SHA256=61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf%" or Image.Hashes like 
r"%SHA256=767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b%" or Image.Hashes like r"%SHA256=dba8db472e51edd59f0bbaf4e09df71613d4dd26fd05f14a9bc7e3fc217a78aa%" or Image.Hashes like r"%SHA256=f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573%" or Image.Hashes like r"%SHA256=797c1f883d90d25e7fd553624bb16bfd5db24c2658aa0c3c51c715d5833c10fd%" or Image.Hashes like r"%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%" or Image.Hashes like r"%SHA256=cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b%" or Image.Hashes like r"%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%" or Image.Hashes like r"%SHA256=8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00%" or Image.Hashes like r"%SHA256=d9a3dc47699949c8ec0c704346fb2ee86ff9010daa0dbac953cfa5f76b52fcd1%" or Image.Hashes like r"%SHA256=15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9%" or Image.Hashes like r"%SHA256=572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4%" or Image.Hashes like r"%SHA256=65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9%" or Image.Hashes like r"%SHA256=af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a%" or Image.Hashes like r"%SHA256=91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4%" or Image.Hashes like r"%SHA256=5de78cf5f0b1b09e7145db84e91a2223c3ed4d83cceb3ef073c068cf88b9d444%" or Image.Hashes like r"%SHA256=7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b%" or Image.Hashes like r"%SHA256=ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47%" or Image.Hashes like r"%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%" or Image.Hashes like r"%SHA256=40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59%" or Image.Hashes like r"%SHA256=7277130afa0b1506998d7bc58567b0d83f52a27175f4c7c4a7186347095fceed%" or Image.Hashes like 
r"%SHA256=6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388%" or Image.Hashes like r"%SHA256=862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015%" or Image.Hashes like r"%SHA256=775000c4083c8e4dcfc879d83fcd27b40b46820c9834ae4662861386a4d81fe9%" or Image.Hashes like r"%SHA256=125e4475a5437634cab529da9ea2ef0f4f65f89fb25a06349d731f283c27d9fe%" or Image.Hashes like r"%SHA256=8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c%" or Image.Hashes like r"%SHA256=08828990218ebb4415c1bb33fa2b0a009efd0784b18b3f7ecd3bc078343f7208%" or Image.Hashes like r"%SHA256=2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0%" or Image.Hashes like r"%SHA256=e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc%" or Image.Hashes like r"%SHA256=26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43%" or Image.Hashes like r"%SHA256=deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578%" or Image.Hashes like r"%SHA256=1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441%" or Image.Hashes like r"%SHA256=dd0bd7b8fae8e8835ba09118a02a06a51e111fccbe16916414844aab91cfeed4%" or Image.Hashes like r"%SHA256=17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d%" or Image.Hashes like r"%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%" or Image.Hashes like r"%SHA256=fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2%" or Image.Hashes like r"%SHA256=909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880%" or Image.Hashes like r"%SHA256=db0d425708ba908aedf5f8762d6fdca7636ae3a537372889446176c0237a2836%" or Image.Hashes like r"%SHA256=ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282%" or Image.Hashes like r"%SHA256=1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e%" or Image.Hashes like r"%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%" or Image.Hashes like 
r"%SHA256=7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0%" or Image.Hashes like r"%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%" or Image.Hashes like r"%SHA256=19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0%" or Image.Hashes like r"%SHA256=3d8cfc9abea6d83dfea6da03260ff81be3b7b304321274f696ff0fdb9920c645%" or Image.Hashes like r"%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%" or Image.Hashes like r"%SHA256=34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf%" or Image.Hashes like r"%SHA256=07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88%" or Image.Hashes like r"%SHA256=423d58265b22504f512a84faf787c1af17c44445ae68f7adcaa68b6f970e7bd5%" or Image.Hashes like r"%SHA256=f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b%" or Image.Hashes like r"%SHA256=ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33%" or Image.Hashes like r"%SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a%" or Image.Hashes like r"%SHA256=270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc%" or Image.Hashes like r"%SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab%" or Image.Hashes like r"%SHA256=fa21e3d2bfb9fafddec0488852377fbb2dbdd6c066ca05bb5c4b6aa840fb7879%" or Image.Hashes like r"%SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe%" or Image.Hashes like r"%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%" or Image.Hashes like r"%SHA256=7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f%" or Image.Hashes like r"%SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9%" or Image.Hashes like r"%SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c%" or Image.Hashes like r"%SHA256=d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8%" or Image.Hashes like 
r"%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%" or Image.Hashes like r"%SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3%" or Image.Hashes like r"%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%" or Image.Hashes like r"%SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097%" or Image.Hashes like r"%SHA256=4ec7af309a9359c332d300861655faeceb68bb1cd836dd66d10dd4fac9c01a28%" or Image.Hashes like r"%SHA256=1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590%" or Image.Hashes like r"%SHA256=defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd%" or Image.Hashes like r"%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%" or Image.Hashes like r"%SHA256=d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb%" or Image.Hashes like r"%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%" or Image.Hashes like r"%SHA256=e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe%" or Image.Hashes like r"%SHA256=a6c11d3bec2a94c40933ec1d3604cfe87617ba828b14f4cded6cfe85656debc0%" or Image.Hashes like r"%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%" or Image.Hashes like r"%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%" or Image.Hashes like r"%SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7%" or Image.Hashes like r"%SHA256=bd3cf8b9af255b5d4735782d3653be38578ff5be18846b13d05867a6159aaa53%" or Image.Hashes like r"%SHA256=84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51%" or Image.Hashes like r"%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%" or Image.Hashes like r"%SHA256=e34afe0a8c5459d13e7a11f20d62c7762b2a55613aaf6dbeb887e014b5f19295%" or Image.Hashes like r"%SHA256=d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e%" or Image.Hashes like 
r"%SHA256=0e9072759433abf3304667b332354e0c635964ff930de034294bf13d40da2a6f%" or Image.Hashes like r"%SHA256=0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49%" or Image.Hashes like r"%SHA256=13ae4d9dcacba8133d8189e59d9352272e15629e6bca580c32aff9810bd96e44%" or Image.Hashes like r"%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%" or Image.Hashes like r"%SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805%" or Image.Hashes like r"%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%" or Image.Hashes like r"%SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c%" or Image.Hashes like r"%SHA256=c6db7f2750e7438196ec906cc9eba540ef49ceca6dbd981038cef1dc50662a73%" or Image.Hashes like r"%SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38%" or Image.Hashes like r"%SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0%" or Image.Hashes like r"%SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506%" or Image.Hashes like r"%SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3%" or Image.Hashes like r"%SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3%" or Image.Hashes like r"%SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921%" or Image.Hashes like r"%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%" or Image.Hashes like r"%SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a%" or Image.Hashes like r"%SHA256=e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65%" or Image.Hashes like r"%SHA256=8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65%" or Image.Hashes like r"%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%" or Image.Hashes like r"%SHA256=eba14a2b4cefd74edaf38d963775352dc3618977e30261aab52be682a76b536f%" or Image.Hashes like 
r"%SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2%" or Image.Hashes like r"%SHA256=bae4372a9284db52dedc1c1100cefa758b3ec8d9d4f0e5588a8db34ded5edb1f%" or Image.Hashes like r"%SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2%" or Image.Hashes like r"%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%" or Image.Hashes like r"%SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445%" or Image.Hashes like r"%SHA256=31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5%" or Image.Hashes like r"%SHA256=e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f%" or Image.Hashes like r"%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%" or Image.Hashes like r"%SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8%" or Image.Hashes like r"%SHA256=66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea%" or Image.Hashes like r"%SHA256=d3eaf041ce5f3fd59885ead2cb4ce5c61ac9d83d41f626512942a50e3da7b75a%" or Image.Hashes like r"%SHA256=a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec%" or Image.Hashes like r"%SHA256=8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040%" or Image.Hashes like r"%SHA256=748ccadb6bf6cdf4c5a5a1bb9950ee167d8b27c5817da71d38e2bc922ffce73d%" or Image.Hashes like r"%SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56%" or Image.Hashes like r"%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%" or Image.Hashes like r"%SHA256=1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f%" or Image.Hashes like r"%SHA256=d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4%" or Image.Hashes like r"%SHA256=019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f%" or Image.Hashes like r"%SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782%" or Image.Hashes like 
r"%SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56%" or Image.Hashes like r"%SHA256=cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461%" or Image.Hashes like r"%SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb%" or Image.Hashes like r"%SHA256=07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8%" or Image.Hashes like r"%SHA256=43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee%" or Image.Hashes like r"%SHA256=dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b%" or Image.Hashes like r"%SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280%" or Image.Hashes like r"%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%" or Image.Hashes like r"%SHA256=a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1%" or Image.Hashes like r"%SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e%" or Image.Hashes like r"%SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461%" or Image.Hashes like r"%SHA256=13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9%" or Image.Hashes like r"%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%" or Image.Hashes like r"%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%" or Image.Hashes like r"%SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5%" or Image.Hashes like r"%SHA256=9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a%" or Image.Hashes like r"%SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247%" or Image.Hashes like r"%SHA256=d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3%" or Image.Hashes like r"%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%" or Image.Hashes like r"%SHA256=1076504a145810dfe331324007569b95d0310ac1e08951077ac3baf668b2a486%" or Image.Hashes like 
r"%SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4%" or Image.Hashes like r"%SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f%" or Image.Hashes like r"%SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1%" or Image.Hashes like r"%SHA256=386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8%" or Image.Hashes like r"%SHA256=163912dfa4ad141e689e1625e994ab7c1f335410ebff0ade86bda3b7cdf6e065%" or Image.Hashes like r"%SHA256=e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822%" or Image.Hashes like r"%SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06%" or Image.Hashes like r"%SHA256=003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4%" or Image.Hashes like r"%SHA256=d2e843d9729da9b19d6085edf69b90b057c890a74142f5202707057ee9c0b568%" or Image.Hashes like r"%SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40%" or Image.Hashes like r"%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%" or Image.Hashes like r"%SHA256=d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23%" or Image.Hashes like r"%SHA256=3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76%" or Image.Hashes like r"%SHA256=e26a21e1b79ecaee7033e05edb0bd72aca463c23bd6fdf5835916ce2dfdf1a63%" or Image.Hashes like r"%SHA256=00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd%" or Image.Hashes like r"%SHA256=707b4b5f5c4585156d8a4d8c39cf26729f5ad05d7f77b17f48e670e808e3e6a0%" or Image.Hashes like r"%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%" or Image.Hashes like r"%SHA256=b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44%" or Image.Hashes like r"%SHA256=b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d%" or Image.Hashes like r"%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%" or Image.Hashes like 
r"%SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def%" or Image.Hashes like r"%SHA256=793a26c5c4c154a40f84c3d3165deb807062b26796acaae94b72f453e95230d5%" or Image.Hashes like r"%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%" or Image.Hashes like r"%SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40%" or Image.Hashes like r"%SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe%" or Image.Hashes like r"%SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b%" or Image.Hashes like r"%SHA256=7c830ed39c9de8fe711632bf44846615f84b10db383f47b7d7c9db29a2bd829a%" or Image.Hashes like r"%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%" or Image.Hashes like r"%SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036%" or Image.Hashes like r"%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%" or Image.Hashes like r"%IMPHASH=88e21ed9e717781eaf87209acbdbb567%" or Image.Hashes like r"%IMPHASH=481d7bb63a8e5eaba756137e6ef22e54%" or Image.Hashes like r"%IMPHASH=cef6a450f196b28e634aa3c0655d8eda%" or Image.Hashes like r"%IMPHASH=0e0722c16a5ded199f64b26fccd2115a%" or Image.Hashes like r"%IMPHASH=f0cd7cce1d03cf9df1b8266701f92b46%" or Image.Hashes like r"%IMPHASH=cc88330f6dca52a40e258f689d3e2db4%" or Image.Hashes like r"%IMPHASH=835e364e2175338d970c2aaee365f3dc%" or Image.Hashes like r"%IMPHASH=82e75304c5b7ed87121b8b89c82f2389%" or Image.Hashes like r"%IMPHASH=9470f56376e665fb981a35b303436041%" or Image.Hashes like r"%IMPHASH=37b1eada43ad08093dfa4de7a411d15f%" or Image.Hashes like r"%IMPHASH=a2d936fa82b7340d28a697fb344046d8%" or Image.Hashes like r"%IMPHASH=16b23f4c6ea47d01340a2cce4bf613f7%" or Image.Hashes like r"%IMPHASH=32b632f6379bfaac9f4f3a030a694f55%" or Image.Hashes like r"%IMPHASH=052280a42374b8d779c10cd0d8118691%" or Image.Hashes like r"%IMPHASH=540992ba6f31301ba27604515a78ad79%" or Image.Hashes like 
r"%IMPHASH=a5fd3b0143c8db98017ec1b2b2528360%" or Image.Hashes like r"%IMPHASH=1e13511288689b63b2e1348bf5eb567b%" or Image.Hashes like r"%IMPHASH=dd406d43857d7f5ad1b0aec04fdb7e5f%" or Image.Hashes like r"%IMPHASH=cf1a39b9408348cddaa4a2827283534c%" or Image.Hashes like r"%IMPHASH=0dcd262801389f839ce909cb173448e2%" or Image.Hashes like r"%IMPHASH=9e15ce38f071c916bea830247f1241bb%" or Image.Hashes like r"%IMPHASH=5716c52252afe18d09f6c1bc6e5ef3ef%" or Image.Hashes like r"%IMPHASH=ecf8495ba751a7e38d6be4c5c80f2bef%" or Image.Hashes like r"%IMPHASH=f475387e3959dbea86854d61602db136%" or Image.Hashes like r"%IMPHASH=98dc1b41bda471f7eabdce8a5d16c09d%" or Image.Hashes like r"%IMPHASH=8b7e7c20da6ca9ac4bdb3927fe2b266a%" or Image.Hashes like r"%IMPHASH=14075e605bff546182d682f41afefea2%" or Image.Hashes like r"%IMPHASH=b8302791cd2edfe6dd562c4854ea495f%" or Image.Hashes like r"%IMPHASH=a1d29a3af6402793ec9d23883512938a%" or Image.Hashes like r"%IMPHASH=aa01c534155ce919d797860feb531eae%" or Image.Hashes like r"%IMPHASH=ebb99842fa08915eb8b7f67d8dc7a13a%" or Image.Hashes like r"%IMPHASH=89f3f52b23bdf03bd2bb7eb3cfab8817%" or Image.Hashes like r"%IMPHASH=8605f70bcc472025c2e78082388ed00b%" or Image.Hashes like r"%IMPHASH=27365d8741d23e179699f1f11a619c7d%" or Image.Hashes like r"%IMPHASH=dc0a0f2d424a59b4d17033f58f01b027%" or Image.Hashes like r"%IMPHASH=48e2ef3c2d32ecca62510d90e12b6632%" or Image.Hashes like r"%IMPHASH=a793af44219650b4dd07d8a19ede33f1%" or Image.Hashes like r"%IMPHASH=5f4063ab963abff76d0d83d239697e36%" or Image.Hashes like r"%IMPHASH=7716b766e630388f64de1961719be3d4%" or Image.Hashes like r"%IMPHASH=8ed3fbdefcc1982cd7decc40ace9d2e7%" or Image.Hashes like r"%IMPHASH=6e796fd10b55f58fd0ec9f122a14e918%" or Image.Hashes like r"%IMPHASH=2d7766896629499b1484227afaf43dd7%" or Image.Hashes like r"%IMPHASH=0579e15c488a56c544e8fac130d826ba%" or Image.Hashes like r"%IMPHASH=e1d88d0526dfa369c3661355dbd8773d%" or Image.Hashes like r"%IMPHASH=8ec78cf864273fd81203678b61c41f04%" or 
Image.Hashes like r"%IMPHASH=ff605557fd515d7ab30ff41dbd8bd24a%" or Image.Hashes like r"%IMPHASH=234f0978e7f2aa0beb9501ff53d94e5b%" or Image.Hashes like r"%IMPHASH=77d6a7153b3015318622b793227fb394%" or Image.Hashes like r"%IMPHASH=6c42ea981bc29a7e2ed56d297e0b56dc%" or Image.Hashes like r"%IMPHASH=23eb5ffc060c6c52546d38e2b63019bd%" or Image.Hashes like r"%IMPHASH=ee9cc2f584c2f06fbff67d484adcf426%" or Image.Hashes like r"%IMPHASH=d6dc99d60798b2647006ddba21671160%" or Image.Hashes like r"%IMPHASH=1427c5f0f4fb100e26a3911f8209504b%" or Image.Hashes like r"%IMPHASH=a095f31019d7a32d0a0507879a1822b1%" or Image.Hashes like r"%IMPHASH=b8a35d469bc164d86ac7c64e93b0037b%" or Image.Hashes like r"%IMPHASH=0e9dfd08346bbe128159bff440d13389%" or Image.Hashes like r"%IMPHASH=bd607d71fdc1444aa96dc431591c5c44%" or Image.Hashes like r"%IMPHASH=f4b8d579fbdb32eabd01954394f5bf3a%" or Image.Hashes like r"%IMPHASH=edc2197e927392567cf09f7de410b5bb%" or Image.Hashes like r"%IMPHASH=7fb9382c0d754d5aac897d7a3e72b10c%" or Image.Hashes like r"%IMPHASH=1422b8d354b95d9cd880c8726df45dfc%" or Image.Hashes like r"%IMPHASH=0c959096cf4b3180530cc7865ef29157%" or Image.Hashes like r"%IMPHASH=aca7bbc6be02770c50b07eb6f94d1d78%" or Image.Hashes like r"%IMPHASH=3f4c9025125027e307b7e52dd577303b%" or Image.Hashes like r"%IMPHASH=68062e8b9d3c1e6cc62a9cae16a12b81%" or Image.Hashes like r"%IMPHASH=228bac53e82887d1ed92f51a667a8231%" or Image.Hashes like r"%IMPHASH=8919b7bae28d98c4a9e5967c9c55ce70%" or Image.Hashes like r"%IMPHASH=7e798c3abcbd0f1cfa8b2b9688e01936%" or Image.Hashes like r"%IMPHASH=8add42784f4693f421d85a2bcbadc620%" or Image.Hashes like r"%IMPHASH=fbcdb079e9c13a82f98b79bb6ce86175%" or Image.Hashes like r"%IMPHASH=a94892b77a6474429b9f692d9952a9d5%" or Image.Hashes like r"%IMPHASH=aa03d5a319bc221875846e19e01276f7%" or Image.Hashes like r"%IMPHASH=26150d69f50aa9247c3f3f17521d18a2%" or Image.Hashes like r"%IMPHASH=beb40a1e9d5c89308d1c56958ddac27d%" or Image.Hashes like 
r"%IMPHASH=59b3f3fa2775e407721c2491ddb2890b%" or Image.Hashes like r"%IMPHASH=c314c92b5c25c6f4323e3efaf8bde47a%" or Image.Hashes like r"%IMPHASH=d8752c1d5954bea175ac00df5acebb09%" or Image.Hashes like r"%IMPHASH=54e54063abbf1edaa9cf9ed8a18916d6%" or Image.Hashes like r"%IMPHASH=4aaef0105216f062a5f3ee071a72770c%" or Image.Hashes like r"%IMPHASH=67f975f0734a5b0598223fbe00b3367e%" or Image.Hashes like r"%IMPHASH=175c5711f3c49a0d929e9e2314b21c6b%" or Image.Hashes like r"%IMPHASH=12befc0a82dcb0585359d335ed47af19%" or Image.Hashes like r"%IMPHASH=24b344cd341f8b20003ac85be08df979%" or Image.Hashes like r"%IMPHASH=08c7f29f5cb29ba70e49879da2e8ddce%" or Image.Hashes like r"%IMPHASH=fc9c0ba924e7f104eda5254aaeacc5e8%" or Image.Hashes like r"%IMPHASH=5192bc7311bdeb1f3977bdc0d2e943e4%" or Image.Hashes like r"%IMPHASH=7363079b9aae7d58bd33c691a613c83c%" or Image.Hashes like r"%IMPHASH=e2c63196ed5368f03dabed73b1ff3409%" or Image.Hashes like r"%IMPHASH=8211bd4f00a3d9928a11a6ac3329fc46%" or Image.Hashes like r"%IMPHASH=2699b7ae36fcadd71425ebafd231d0d1%" or Image.Hashes like r"%IMPHASH=8d2a933d039e8b8134ef41236d5ea843%" or Image.Hashes like r"%IMPHASH=cc335217d6f7ab7a53dcfa55cbda5fb0%" or Image.Hashes like r"%IMPHASH=f9141c3df8f7ec7b3f2d46265a3b5528%" or Image.Hashes like r"%IMPHASH=e0813a780309a0af84b605d95bd194e4%" or Image.Hashes like r"%IMPHASH=e5fd4339e7b94543b16624a27ba1c872%" or Image.Hashes like r"%IMPHASH=fffbca93e6322995552b841c7d65b033%" or Image.Hashes like r"%IMPHASH=105b74485670215ab231a942c9101ccf%" or Image.Hashes like r"%IMPHASH=74081c86ad3e9771011f162c107927de%" or Image.Hashes like r"%IMPHASH=2df11474daf362b1b2fa3d3a89b6acbe%" or Image.Hashes like r"%IMPHASH=22a9d7a42282b48c566b4423363d3a3e%" or Image.Hashes like r"%IMPHASH=4fbdc03e4487f98fb59360ea5b3e640d%" or Image.Hashes like r"%IMPHASH=b262e8d078ede007ebd0aa71b9152863%" or Image.Hashes like r"%IMPHASH=abbab73b191d90dc642cbbc1f31d750d%" or Image.Hashes like r"%IMPHASH=a5b3ea8c2012c517c472ad6befd37134%" or 
Image.Hashes like r"%IMPHASH=9d7183c1d8107495354c4fad9dae3452%" or Image.Hashes like r"%IMPHASH=7d004bbe0f546a91c93562d324307fa7%" or Image.Hashes like r"%IMPHASH=b84820037d6a51ba108e0e81ce01db0b%" or Image.Hashes like r"%IMPHASH=68b717fa2ab9431cd176776363359d48%" or Image.Hashes like r"%IMPHASH=b0356152212dc6e33752847235064fb0%" or Image.Hashes like r"%IMPHASH=baa420e9d4e3baf0d65d4fc2bf497708%" or Image.Hashes like r"%IMPHASH=85fd19df117fbc21efbcb1d587063e12%" or Image.Hashes like r"%IMPHASH=8122311437457ccae22578e301c6a17d%" or Image.Hashes like r"%IMPHASH=f939ef0b7f792672866386600f82aa04%" or Image.Hashes like r"%IMPHASH=d7de998e454f947f62d4a6b66490563b%" or Image.Hashes like r"%IMPHASH=17a9b50297a2334d8e9dfc3411bbe8ab%" or Image.Hashes like r"%IMPHASH=6816dabcee7b7d027bfbb93a16297afa%" or Image.Hashes like r"%IMPHASH=6723b1d5bd0f1fc13216cb44541e619e%" or Image.Hashes like r"%IMPHASH=71e84092e69114f0792419cb8b2b0fd1%" or Image.Hashes like r"%IMPHASH=9c8c681f74950997cd571fd838a847b8%" or Image.Hashes like r"%IMPHASH=95fe5e937e5acf9bea948fe0256e46ae%" or Image.Hashes like r"%IMPHASH=fc789f89340a45f1ab6c49e61b1f6b40%" or Image.Hashes like r"%IMPHASH=b8d0a36d2b14d79dfa08fb2e121f0920%" or Image.Hashes like r"%IMPHASH=6ce93eab57a73915ecd5c202a339f6ce%" or Image.Hashes like r"%IMPHASH=59b168c8ba0db46cb70d1d5a103e6c41%" or Image.Hashes like r"%IMPHASH=3edc60bda68569cac7ad7604728ff40d%" or Image.Hashes like r"%IMPHASH=3e8e7e5e779c7064e6bab177167e9e7a%" or Image.Hashes like r"%IMPHASH=b05ee5c816a30bc52378c759486af0b9%" or Image.Hashes like r"%IMPHASH=f7d07bcaa23837d219dcb64e76290252%" or Image.Hashes like r"%IMPHASH=d658b06ec1ce39670b02a2dd83e29d03%" or Image.Hashes like r"%IMPHASH=11bfcbdb0787ef461d442f973c392cf6%" or Image.Hashes like r"%IMPHASH=f531646e31cc12dfaac5b8352653c384%" or Image.Hashes like r"%IMPHASH=9b3ad85a76080f989d24cd89da90175a%" or Image.Hashes like r"%IMPHASH=5f6fd4ffba177389f414dd1a6ded24b4%" or Image.Hashes like 
r"%IMPHASH=4b0b017b23567cf8b9e1268957acd032%" or Image.Hashes like r"%IMPHASH=b4a71a1265f5f82cf383af17e229acb5%" or Image.Hashes like r"%IMPHASH=0ebf1214948a636eba076b14cd8f72d5%" or Image.Hashes like r"%IMPHASH=c05e71aad32edcbe71ae0ef1621f8693%" or Image.Hashes like r"%IMPHASH=427cd9c70cca88ca1db61a5ddc3b8450%" or Image.Hashes like r"%IMPHASH=236bc37dff7a92a4d25d807cf038e674%" or Image.Hashes like r"%IMPHASH=e38cca61999fb8a0308c0eb798b07989%" or Image.Hashes like r"%IMPHASH=3815f9107b799b863cd905178e6e07d0%" or Image.Hashes like r"%IMPHASH=3c91d549b68e320924bcde3856993e87%" or Image.Hashes like r"%IMPHASH=bb56f25a810b329868a0ff8e94080bad%" or Image.Hashes like r"%IMPHASH=f5030145594c486434040aa2636a5dde%" or Image.Hashes like r"%IMPHASH=d8101af81fd826b492ced1994ebd3268%" or Image.Hashes like r"%IMPHASH=b5967a61e1a4e1d57b3d8ffefc5721ed%" or Image.Hashes like r"%IMPHASH=799c9c020c6fcfd11a4172bc861f74af%" or Image.Hashes like r"%IMPHASH=2b9471e7bb8c05dc55d0a2ff0591ea98%" or Image.Hashes like r"%IMPHASH=6a47c957830ccce7ef43ed96aacf7c2c%" or Image.Hashes like r"%IMPHASH=b1e749ba779687a5127817da3d47af2c%" or Image.Hashes like r"%IMPHASH=202a0f2f992ec379e2876776ae9de661%" or Image.Hashes like r"%IMPHASH=f5df2479285c7b593b3630b8357032e3%" or Image.Hashes like r"%IMPHASH=32204eaf2afa5b348ab17de07362885c%" or Image.Hashes like r"%IMPHASH=1de2e6e58f6b19c4ec9ad6ca9fce5c14%" or Image.Hashes like r"%IMPHASH=64d934652c680b7759f6e75d05ee3072%" or Image.Hashes like r"%IMPHASH=176d8e75a27a45e2c6f5d4cceca4d869%" or Image.Hashes like r"%IMPHASH=f0820e8f674e44e5c2a3f899ec561c1d%" or Image.Hashes like r"%IMPHASH=f4fa225abfb5a5263241a01a2c3f2b8f%" or Image.Hashes like r"%IMPHASH=a18b467c3b43f334ca455c495a3ef70d%" or Image.Hashes like r"%IMPHASH=a8633e68c2ad9f3dc83775d8d5b21c5b%" or Image.Hashes like r"%IMPHASH=9d5a58052468c8e07ff3d5bd730e5d00%" or Image.Hashes like r"%IMPHASH=69260cce3156aa2dc0540fb78f5fe826%" or Image.Hashes like r"%IMPHASH=b1336b0cb67918ed39f1f88c354910d0%" or 
Image.Hashes like r"%IMPHASH=f119bff607049d431d0968fbaf6532f3%" or Image.Hashes like r"%IMPHASH=c91146dfe120f6e8fbed2150d9e020ca%" or Image.Hashes like r"%IMPHASH=1e6875beefe8571686d3e8530f8c4bfb%" or Image.Hashes like r"%IMPHASH=acdf419d1d03923be256205b9c33eec8%" or Image.Hashes like r"%IMPHASH=756adaea6a3f9f0cdaff73d1a49ca201%" or Image.Hashes like r"%IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511%" or Image.Hashes like r"%IMPHASH=6e7cd05c0da9f82449a8b3795418ee00%" or Image.Hashes like r"%IMPHASH=8c3af6c25ab40c4daefb4f836d12e1c8%" or Image.Hashes like r"%IMPHASH=4792bcb395d06f9efb72e8020c4af5e6%" or Image.Hashes like r"%IMPHASH=d5bc15465b63888cc8b98ecc63a81517%" or Image.Hashes like r"%IMPHASH=7f53340c91c108efedb5b8678c5207b3%" or Image.Hashes like r"%IMPHASH=3f4a90b2976641ad2c0164792b24d322%" or Image.Hashes like r"%IMPHASH=d221afaadf43ceedb581e665435c56c7%" or Image.Hashes like r"%IMPHASH=f212bbc758bb52fc661839b1d194b76e%" or Image.Hashes like r"%IMPHASH=e938b727f5a033818337f7ba0584500f%" or Image.Hashes like r"%IMPHASH=3ac083b0ee2b752436a8a1532179f032%" or Image.Hashes like r"%IMPHASH=2e9ef79ea88178e29516dfa435a58900%" or Image.Hashes like r"%IMPHASH=24c3d3be20e794c17844d030be03fd2f%" or Image.Hashes like r"%IMPHASH=700a9350ac8b218ab9fc62cf25337ad3%" or Image.Hashes like r"%IMPHASH=e586fd1c5af87b43696b9d29b09bf1b1%" or Image.Hashes like r"%IMPHASH=2233472cee6457ad207017803048aaff%" or Image.Hashes like r"%IMPHASH=f046e37fa7914491dc25a6f7718da341%" or Image.Hashes like r"%IMPHASH=683bc425e3d8c21f9473a238a0645a4e%" or Image.Hashes like r"%IMPHASH=f08e2ac6ca73cd2a924ed25dc6813638%" or Image.Hashes like r"%IMPHASH=e2306e26abfd90a5ce4dad0e266b3905%" or Image.Hashes like r"%IMPHASH=10917aa77669c6ae714f074d89be9ab8%" or Image.Hashes like r"%IMPHASH=db62897eb9d2098e988f830159c04c82%" or Image.Hashes like r"%IMPHASH=51780bba04121d6be13f69de08721445%" or Image.Hashes like r"%IMPHASH=29a2e15ac1622a3daf7da5a78f0cef08%" or Image.Hashes like 
r"%IMPHASH=5988ec9f159fefbdf89d893aa634dd92%" or Image.Hashes like r"%IMPHASH=05d3de62beab8e88de1dafd3b24a16f6%" or Image.Hashes like r"%IMPHASH=88380fdfc880da4da407c38f34fe8a3c%" or Image.Hashes like r"%IMPHASH=8a424cd36ae3eab0d11332ce3b982a02%" or Image.Hashes like r"%IMPHASH=60a2fba979aaa0d0ccd09c12ca3d9e57%" or Image.Hashes like r"%IMPHASH=85f86c7c8ce81a78e84efa545d7edc65%" or Image.Hashes like r"%IMPHASH=9523103b30fb194643b97ccc3ab7abb0%" or Image.Hashes like r"%IMPHASH=0c2219c9c5eab786fa876f74356eea20%" or Image.Hashes like r"%IMPHASH=7abb0911ca4cc4697ee1e9897932d3ac%" or Image.Hashes like r"%IMPHASH=c6a0f65ba653ee78255cc9e314abc442%" or Image.Hashes like r"%IMPHASH=44e6f2f64092b48f8eb926c36ebd1d56%" or Image.Hashes like r"%IMPHASH=13300d56528646611f26704266713952%" or Image.Hashes like r"%IMPHASH=095c0cdb9c0421da216371c1f4e8790e%" or Image.Hashes like r"%IMPHASH=45f8f347e3fb919f3164a4a3278f1c71%" or Image.Hashes like r"%IMPHASH=0e4f5481813eeec4e5dd96e36020135f%" or Image.Hashes like r"%IMPHASH=1d05fb30a58133da2e9dbdfcf51b80fd%" or Image.Hashes like r"%IMPHASH=2561727ac42d399030b3c46477c428f4%" or Image.Hashes like r"%IMPHASH=be69e763a6a858c3e7e1ea6e3af12691%" or Image.Hashes like r"%IMPHASH=7fba20994f76fb31b9f5a2b3f0c00055%" or Image.Hashes like r"%IMPHASH=1d9cdf46ff335712634c292180c06755%" or Image.Hashes like r"%IMPHASH=ad4586d21c9469bf636b5e8660e9d702%" or Image.Hashes like r"%IMPHASH=958dd67f866ae27cf716e30a025b266f%" or Image.Hashes like r"%IMPHASH=1dd3b83f2b007f862a1d8de4a1d3303f%" or Image.Hashes like r"%IMPHASH=b4c562c2c654abd2cc71658646314976%" or Image.Hashes like r"%IMPHASH=679eba16ab2d51543b7007708838ef7c%" or Image.Hashes like r"%IMPHASH=a1603fe7f02448c6b33687ddb9304c7f%" or Image.Hashes like r"%IMPHASH=9e2cf28fe320bbf74972509536569c8e%" or Image.Hashes like r"%IMPHASH=f233a65b937c69b447824889fb7425ff%" or Image.Hashes like r"%IMPHASH=b3204707f6e489cd5a2484881eaf78ca%" or Image.Hashes like r"%IMPHASH=c61a46ffe79d3f7d6307c0d2ae5f391e%" or 
Image.Hashes like r"%IMPHASH=28c5045218461018dbde27212ab0f227%" or Image.Hashes like r"%IMPHASH=af34db96db910a3fa7a56f2fac8ed5e1%" or Image.Hashes like r"%IMPHASH=e80eeed7225a880bbde0d038a5fe1af4%" or Image.Hashes like r"%IMPHASH=62473b41d695f075ad96abc4a408de5b%" or Image.Hashes like r"%IMPHASH=56307b5227183c002e4231320a72b961%" or Image.Hashes like r"%IMPHASH=dd7c5c0c762169d40ee01280e4ac74fc%" or Image.Hashes like r"%IMPHASH=9915439d37f385dbffc72bf835f3ee02%" or Image.Hashes like r"%IMPHASH=4199ed50502e00f57d9b66e9305450f5%" or Image.Hashes like r"%IMPHASH=71c580daf556775f690f0af3db12506f%" or Image.Hashes like r"%IMPHASH=c1ab6741cd29de98a138f2bd639f620a%" or Image.Hashes like r"%IMPHASH=32247962aa01af8ad5dca696260a05ab%" or Image.Hashes like r"%IMPHASH=1d774a94ad511efe5ebfe70acc6f8c85%" or Image.Hashes like r"%IMPHASH=690a0fb27a0c47c785d6bbbfc2e56501%" or Image.Hashes like r"%IMPHASH=78727a5fac8bd281903014ee00dcd553%" or Image.Hashes like r"%IMPHASH=f5ebade1d3a6d3bde264b0c7f9f639e7%" or Image.Hashes like r"%IMPHASH=4343c9c0b78ee21e895f10d929c240d4%" or Image.Hashes like r"%IMPHASH=f510a429c6ce5c8d414550518b3823d2%" or Image.Hashes like r"%IMPHASH=45acfe4a83f61d872fb904a1f08ef991%" or Image.Hashes like r"%IMPHASH=cbf26c6e8cf7e294bda273e7026a2789%" or Image.Hashes like r"%IMPHASH=84d83741445d9f5a6717b874fed3d8f3%" or Image.Hashes like r"%IMPHASH=0b40636205c64cacfd2e4f407518ad58%" or Image.Hashes like r"%IMPHASH=b4627789883457d50964a248104cb4c2%" or Image.Hashes like r"%IMPHASH=a7ff164c1ee5113a0a09e66b2cd03544%" or Image.Hashes like r"%IMPHASH=a0a13575e37906924a0b79043b4005c6%" or Image.Hashes like r"%IMPHASH=955e7b12a8fa06444c68e54026c45de1%" or Image.Hashes like r"%IMPHASH=8f52e36711c80bb9d7e30995e0092e83%" or Image.Hashes like r"%IMPHASH=05fbe4619edf747787879d9323951439%" or Image.Hashes like r"%IMPHASH=865c945f842a3f5f5453fb90d12f6765%" or Image.Hashes like r"%IMPHASH=89f925b54b95944513671d79eba5fe07%" or Image.Hashes like 
r"%IMPHASH=f4c5b0399665885a7dd34f7cdbbc586f%" or Image.Hashes like r"%IMPHASH=2ece23bdef16ee294bd905c7ba1be589%" or Image.Hashes like r"%IMPHASH=e800cd3299d4cda0d9e02255acc3b7dd%" or Image.Hashes like r"%IMPHASH=a86fb9a41955bda815ab902fb58baa27%" or Image.Hashes like r"%IMPHASH=2f7ea575cf15da16c8f117eee37046d8%" or Image.Hashes like r"%IMPHASH=223a76f59831e1a59980b603f81c271d%" or Image.Hashes like r"%IMPHASH=c17c0bd619c1e188ffe27bd328dd7d08%" or Image.Hashes like r"%IMPHASH=1429d5c551f71d3ce6a7cc54c9348e95%" or Image.Hashes like r"%IMPHASH=3552d8a0022e7f3136b667e6d1e402f2%" or Image.Hashes like r"%IMPHASH=67d92a28cd2923a923adf7fd958905d8%" or Image.Hashes like r"%IMPHASH=3c9af2347198d96c8ab5b189b4e3db37%" or Image.Hashes like r"%IMPHASH=f43aa654b4bfb882a0af098ad3f899e9%" or Image.Hashes like r"%IMPHASH=518e77c070ae21af7c558962cd1854a3%" or Image.Hashes like r"%IMPHASH=8e96d1a56746c6f6f30f1a0963ce2f26%" or Image.Hashes like r"%IMPHASH=b19743993dc7f1d48b2a86fe9b9c91e3%" or Image.Hashes like r"%IMPHASH=acd1b0130287133223d26c91f27f6899%" or Image.Hashes like r"%IMPHASH=82942c060f79cefd3bf1acdf5c207561%" or Image.Hashes like r"%IMPHASH=bc5c06a7fa9555f3f34043d828d9b123%" or Image.Hashes like r"%IMPHASH=ccdeab2a83fbf2fef2e418cccd133ec1%" or Image.Hashes like r"%IMPHASH=2424cf613f90884493009dd6bee95693%" or Image.Hashes like r"%IMPHASH=5c77661ac2951da388949d9a834eb694%" or Image.Hashes like r"%IMPHASH=2a20cc9578bb34a4bb10b87b49b24982%" or Image.Hashes like r"%IMPHASH=3ee1cb6085fbe05e46e2b88493426848%" or Image.Hashes like r"%IMPHASH=cb876abd8c6ca8a47d50aec4a520a020%" or Image.Hashes like r"%IMPHASH=80ae2342fd6c7f5e1c642918e33dafb1%" or Image.Hashes like r"%IMPHASH=aa274f6b4b15691fd725d7044f98bf36%" or Image.Hashes like r"%IMPHASH=5e4c9e685f9b7d77c90ff710972bb7dd%" or Image.Hashes like r"%IMPHASH=4fb06df8cb54846e42943f0d3ae96e2f%" or Image.Hashes like r"%IMPHASH=74cc5d779ee7dbc9f389bab9dcccac50%" or Image.Hashes like r"%IMPHASH=0707fe3c02c8d2a4d6219bd0596d76f3%" or 
Image.Hashes like r"%IMPHASH=7863a0f25a0647ed7d52641222bd709a%" or Image.Hashes like r"%IMPHASH=75018719e85e67b75e73c57d682dbcbf%" or Image.Hashes like r"%IMPHASH=e08b2d7c450761f01ec9ed4ef0ca56a4%" or Image.Hashes like r"%IMPHASH=2263350df91a5a4f5e10e68b3b822029%" or Image.Hashes like r"%IMPHASH=6f0b9814da4da038669c47e77c2f268f%" or Image.Hashes like r"%IMPHASH=9fb64527ca6d4541cc256b1abd1e4101%" or Image.Hashes like r"%IMPHASH=27db67ffa112f866f1d34c32226e09cf%" or Image.Hashes like r"%IMPHASH=5bb79a6caa12076a6d140085cb53892e%" or Image.Hashes like r"%IMPHASH=d169b0949781ca2a6efea5a106266a02%" or Image.Hashes like r"%IMPHASH=5a50a9a44f5d36af5df1bde995d22e42%" or Image.Hashes like r"%IMPHASH=626c8ecbc636968157d73f18ac315926%" or Image.Hashes like r"%IMPHASH=f12ae9073d95c22ed89247253d59f500%" or Image.Hashes like r"%IMPHASH=44cbd2ee295f1a35795eb4cd7cdd0864%" or Image.Hashes like r"%IMPHASH=840e656bdb2987fa422092ec9d588895%" or Image.Hashes like r"%IMPHASH=d57ef6278dcd7049063e8fb6ade9effc%" or Image.Hashes like r"%IMPHASH=392aa6863da8d7c14ad7386026e93b58%" or Image.Hashes like r"%IMPHASH=5662b51943d85b7ca47a99cac81af985%" or Image.Hashes like r"%IMPHASH=8418ac0d7aaa9015794e55ea54733342%" or Image.Hashes like r"%IMPHASH=163436e69f8e582bdc1c1e6f735de23b%" or Image.Hashes like r"%IMPHASH=24e4c876bb5db0b0e0a4e92f0a3d3a48%" or Image.Hashes like r"%IMPHASH=3198fc43051f03c6c71587dbf232f75c%" or Image.Hashes like r"%IMPHASH=9321f9c47129fbc728ead2710e22f1a5%" or Image.Hashes like r"%IMPHASH=1a0d0d460994cfde55ee908d62330ee0%" or Image.Hashes like r"%IMPHASH=82f5b92ccd99d13f4dd6ed6aaf0441bc%" or Image.Hashes like r"%IMPHASH=634f3c43b014dc8845b086c9328a678c%" or Image.Hashes like r"%IMPHASH=81acb4bb89ef49c4e7f30513b4750e53%" or Image.Hashes like r"%IMPHASH=d61d30746681d0fda9bfd9e8af061b2a%" or Image.Hashes like r"%IMPHASH=7453e39bd87c63550451ba2fa354dd8e%" or Image.Hashes like r"%IMPHASH=bb437241f56020db0fcbf8f8629bdb07%" or Image.Hashes like 
r"%IMPHASH=1e8ee6407390a2d52051bec21c771fdb%" or Image.Hashes like r"%IMPHASH=7c24141cdcfc23f5eb0e2b6792d80740%" or Image.Hashes like r"%IMPHASH=a7f2c2e8e9d6c90e28819d1a3ab84bc8%" or Image.Hashes like r"%IMPHASH=1b0788bb68804273159b8ace9cba7ea3%" or Image.Hashes like r"%IMPHASH=9521d8684357766840dbcac2b4cee67d%" or Image.Hashes like r"%IMPHASH=b4c2607b2af5376910bf80b561e9a18a%" or Image.Hashes like r"%IMPHASH=f138fdbc6c7fbf73e135717c7d7eac27%" or Image.Hashes like r"%IMPHASH=82525a4a571f0f8d4e4f42ec6bb3900e%" or Image.Hashes like r"%IMPHASH=8bbc742eaed888736a715757f0584fb6%" or Image.Hashes like r"%IMPHASH=be527e5f470fbc661f914c81bfc9af38%" or Image.Hashes like r"%IMPHASH=ad374977f06fefefbb9c77155f7a0733%" or Image.Hashes like r"%IMPHASH=111e6d92e02f02f737654c5b1cfe9f6f%" or Image.Hashes like r"%IMPHASH=31907ffcac211e27136b14bb2f442070%" or Image.Hashes like r"%IMPHASH=60e068470635cf20cc19b7f8e8cbfc5f%" or Image.Hashes like r"%IMPHASH=8a5edbe5251fe141ea0262d5d572178b%" or Image.Hashes like r"%IMPHASH=0265c50548889ffd5c2d3a2539885efe%" or Image.Hashes like r"%IMPHASH=9376f1c4ab79240cc948b77bf9e8814b%" or Image.Hashes like r"%IMPHASH=82b2288ac7f842e42de15c5bc96f1772%" or Image.Hashes like r"%IMPHASH=317f02ddc9809d608a9bf63ce24e9550%" or Image.Hashes like r"%IMPHASH=65abf5c92cc2239f2dc9d589458569c9%" or Image.Hashes like r"%IMPHASH=12fef92a55cb5e1533b89d8e6a5892b2%" or Image.Hashes like r"%IMPHASH=fd133033a24971502ff0b2f189215c56%" or Image.Hashes like r"%IMPHASH=050d389675730da0d9d75367659cd53b%" or Image.Hashes like r"%IMPHASH=c590cbf2d6cbf206a2e47e8ed91dd944%" or Image.Hashes like r"%IMPHASH=505e0a016962137ca6169bce64ba2f53%" or Image.Hashes like r"%IMPHASH=02a27dc9a48b694b7df4b821eb65178c%" or Image.Hashes like r"%IMPHASH=bfe13c695e41d3eee414d3929b1bd523%" or Image.Hashes like r"%IMPHASH=5095ddaed3abc22c1510a141d72735cc%" or Image.Hashes like r"%IMPHASH=8f96c3ef5dda3fe697d4a4d6326dbe37%" or Image.Hashes like r"%IMPHASH=e1ecbd956bd016618b07e7dddcaf6e60%" or 
Image.Hashes like r"%IMPHASH=07a42e80559d960b176c0fc8fd309bfe%" or Image.Hashes like r"%IMPHASH=f86759bb4de4320918615dc06e998a39%" or Image.Hashes like r"%IMPHASH=c9f08d92efe88afb2545eb82a8870233%" or Image.Hashes like r"%IMPHASH=6b867dee14a77d0ada8ccad99b16291e%" or Image.Hashes like r"%IMPHASH=744af2b62301859b4ccdffba53551b15%" or Image.Hashes like r"%IMPHASH=ec5ee9a38e54ed3d4a6e6545672cb651%" or Image.Hashes like r"%IMPHASH=c3c9e6c0c33bad17eb055ec795fc113e%" or Image.Hashes like r"%IMPHASH=31a3c2c72c9a565dc4ba75ef26677569%" or Image.Hashes like r"%IMPHASH=7bc998aaa9fe4b4fd5e133554f42d913%" or Image.Hashes like r"%IMPHASH=bb981f82c2bfc3c22471df92d9d0fb89%" or Image.Hashes like r"%IMPHASH=ad34ea17f90a34f6f84a399a96383ada%" or Image.Hashes like r"%IMPHASH=30c0ed518c03fa46fa0bfe76f2db0e42%" or Image.Hashes like r"%IMPHASH=587191d77c08023e6e95463153e45463%" or Image.Hashes like r"%IMPHASH=c83f076c00d2b0a6ba9dc82f56a97631%" or Image.Hashes like r"%IMPHASH=cb8db41ab8c06472574e58b9466f4070%" or Image.Hashes like r"%IMPHASH=391ffad95759bc4bac2b737d0d0eaa84%" or Image.Hashes like r"%IMPHASH=c52384bc825d2414de3195672971339e%" or Image.Hashes like r"%IMPHASH=b0e74761cced2dde5173ae05ec562085%" or Image.Hashes like r"%IMPHASH=4bd0bd7710a7f71d38f056241c8ce0a7%" or Image.Hashes like r"%IMPHASH=ad0cdf3bab32983050527655bce40f96%" or Image.Hashes like r"%IMPHASH=e1a5435877b427be967867a25b1d263e%" or Image.Hashes like r"%IMPHASH=61b719638eacc2c5ca299805d4819e69%" or Image.Hashes like r"%IMPHASH=7687d0eba49315582228ef660f61b471%" or Image.Hashes like r"%IMPHASH=e7cbb1ce75bfc69f53855066a936042d%" or Image.Hashes like r"%IMPHASH=bc44fdc145156a15d0a803d18877b218%" or Image.Hashes like r"%IMPHASH=d5e7fc56a905088dbc79b8e27b98faea%" or Image.Hashes like r"%IMPHASH=3702511999371bac8982d01820dd70f2%" or Image.Hashes like r"%IMPHASH=d14ea0e632fc8485d77e7eba3c4d4537%" or Image.Hashes like r"%IMPHASH=2e7d3b001306473cbff3d0dc11a6fcbc%" or Image.Hashes like 
r"%IMPHASH=e717a2158439123c6fca79b6b2c0ba49%" or Image.Hashes like r"%IMPHASH=6736c04d5ff512e5e2eb608414276513%" or Image.Hashes like r"%IMPHASH=225e24ee3c4081a16ef32831b70bf8ef%" or Image.Hashes like r"%IMPHASH=48028b3b694466c1c0eb1d91ef5c02cb%" or Image.Hashes like r"%IMPHASH=37f7c6238c9ce110408e01ae1bc45635%" or Image.Hashes like r"%IMPHASH=b95bc1a99081d695b1c0b37b90a4a0be%" or Image.Hashes like r"%IMPHASH=78eaf4d62617f6b614d318cc70c6548a%" or Image.Hashes like r"%IMPHASH=55db306bc2be3ff71a6b91fd9db051b8%" or Image.Hashes like r"%IMPHASH=021fd02a8adad420116496b6f2759960%" or Image.Hashes like r"%IMPHASH=b3e26c5e0de2d01597dca208ef27cc38%" or Image.Hashes like r"%IMPHASH=67affe6126c1d4a774b2504061c96a2e%" or Image.Hashes like r"%IMPHASH=656ad5c2eac95f75d3fe6d5ca59e0d8d%" or Image.Hashes like r"%IMPHASH=5ea78a193212fe61ac722f45f0b0eab9%" or Image.Hashes like r"%IMPHASH=77ec8b2c372741f12098f084a13a56a8%" or Image.Hashes like r"%IMPHASH=f27327907e57c0c2c9fddc68eab2eb7b%" or Image.Hashes like r"%IMPHASH=b679ac08daf4b4ce8a58d85a8e0904ac%" or Image.Hashes like r"%IMPHASH=f2c2ee1ff03c54f384f4eee8c2533107%" or Image.Hashes like r"%IMPHASH=c12f7aec6ebe84a8390c82720adfc237%" or Image.Hashes like r"%IMPHASH=0a8eeabf5981efb2116244785cb03900%" or Image.Hashes like r"%IMPHASH=7f8c74638fcf297f8216aa5b184f61d6%" or Image.Hashes like r"%IMPHASH=d41fa95d4642dc981f10de36f4dc8cd7%" or Image.Hashes like r"%IMPHASH=8d616e68080def2200312de80392efa7%" or Image.Hashes like r"%IMPHASH=cde9174249f04dad0f79890c976c0792%" or Image.Hashes like r"%IMPHASH=858ceae385cdcfcbc7814644564c23e6%" or Image.Hashes like r"%IMPHASH=d232ae5bad7ce02f4eece90ef370c7a0%" or Image.Hashes like r"%IMPHASH=c7f08aed5725fe6a53a62ebe354ff135%" or Image.Hashes like r"%IMPHASH=cc81a908891587ccac8059435eda4c66%" or Image.Hashes like r"%IMPHASH=bd4f9a93da2bb4b5f6e90d4f9381661c%" or Image.Hashes like r"%IMPHASH=01aa65221a48929f0a34a27c4e3011b1%" or Image.Hashes like r"%IMPHASH=409d2ab916237fb129c57aacbb7cb4fe%" or 
Image.Hashes like r"%IMPHASH=65181bc89a1c2b5854548236269846c1%" or Image.Hashes like r"%IMPHASH=787e32b3fd816479fb93f9af0b6d0da3%" or Image.Hashes like r"%IMPHASH=8e89024d2c0ef0451c12b956a2b55b91%" or Image.Hashes like r"%IMPHASH=0cba56fa162378bc4ee09e94a4e2fe33%" or Image.Hashes like r"%IMPHASH=b7a0100fe60d7a8263da64820f7d0120%" or Image.Hashes like r"%IMPHASH=d16f507665603095c26147a7adcb93b8%" or Image.Hashes like r"%IMPHASH=0b663530751cc11f34273fee7921c431%" or Image.Hashes like r"%IMPHASH=604b5bd94f1892fd9e9025ef7a2bbe54%" or Image.Hashes like r"%IMPHASH=cb8397a3262c80b558aff93ab75b6a7b%" or Image.Hashes like r"%IMPHASH=d6c920c10d4d0f92f0ac14c3fefed233%" or Image.Hashes like r"%IMPHASH=9fd359d308a1e93106189b4ebd945855%" or Image.Hashes like r"%IMPHASH=c94e5ad0f33374535392364a5a193253%" or Image.Hashes like r"%IMPHASH=751c6b5c201f8c52f5512350cad88ddc%" or Image.Hashes like r"%IMPHASH=eac62dd0c27ed557fa4b641fa4050d04%" or Image.Hashes like r"%IMPHASH=506a31d768aec26b297c45b50026c820%" or Image.Hashes like r"%IMPHASH=60805da513b95c3d18a93b988bdfb58f%" or Image.Hashes like r"%IMPHASH=3aa0ceb8fcd07cf2514d1cb0b9bccf4b%" or Image.Hashes like r"%IMPHASH=c1579e4266fbdc47a5abc493a2d9d597%" or Image.Hashes like r"%IMPHASH=adfd4c0b031598afecb6f3f585f5f581%" or Image.Hashes like r"%IMPHASH=7a286ef4179598007a8afe9e5af95a48%" or Image.Hashes like r"%IMPHASH=c7912c850407aa93c979d95c4f593507%" or Image.Hashes like r"%IMPHASH=bec5dc89f030df7a96d19483fad4cc0a%" or Image.Hashes like r"%IMPHASH=b91054cdc4c8b3169cfe6c157f6d9f07%" or Image.Hashes like r"%IMPHASH=d67b7c7501e5261df5e66b3219fa52ee%" or Image.Hashes like r"%IMPHASH=b142d772a67c40535c8d8fabb6861748%" or Image.Hashes like r"%IMPHASH=1957e33acbc826c69f452ae1d1b89ac9%" or Image.Hashes like r"%IMPHASH=7a4a0df0bde1f8da6547a580d5bee7c3%" or Image.Hashes like r"%IMPHASH=085a78615099ffefa2df0a31da3058d8%" or Image.Hashes like r"%IMPHASH=e804d4ee2c20f3eb1d3c955e38a2fe11%" or Image.Hashes like 
r"%IMPHASH=6f2d756d22c285a46206de3bfde6c79d%" or Image.Hashes like r"%IMPHASH=071356ee9d8c7f91cbe8fa3c448286a2%" or Image.Hashes like r"%IMPHASH=ebf30b4cd57a4f4548a03eab0f6c418c%" or Image.Hashes like r"%IMPHASH=08ab07a2bc35aea02cd6d1efbb954cb3%" or Image.Hashes like r"%IMPHASH=cb15f8046e159c17b0510738fa18f758%" or Image.Hashes like r"%IMPHASH=07a513d1599c93bd34f01323b1ef7430%" or Image.Hashes like r"%IMPHASH=2430f988dcdc3828f6079e1e2cc71dc8%" or Image.Hashes like r"%IMPHASH=8b41eacbfbe5f5348579e27d30767e74%" or Image.Hashes like r"%IMPHASH=afee876e89b51e2cc7c91353fb588fe6%" or Image.Hashes like r"%IMPHASH=e11e41c95c1872ac3ebbd7768b16cf9e%" or Image.Hashes like r"%IMPHASH=e9077c03c44a511c2c8eaf5bad9ab90b%" or Image.Hashes like r"%IMPHASH=d6d76f43ccc3872b879b0df583364c78%" or Image.Hashes like r"%IMPHASH=62dbb90b4be9282d52aff9ae1a101d6b%" or Image.Hashes like r"%IMPHASH=3ec1e7e215efad2711248558465da9ad%" or Image.Hashes like r"%IMPHASH=96f270be3f73ec3fc2f2237fe84efca0%" or Image.Hashes like r"%IMPHASH=9ad5f7496f8c918d6c0536751d3accae%" or Image.Hashes like r"%IMPHASH=b1ed268dfdf4f39960971eb5822a4755%" or Image.Hashes like r"%IMPHASH=4c0161f638d5acafe23fcee3c5e86f15%" or Image.Hashes like r"%IMPHASH=9928d53dbe860aba1b7c891831680629%" or Image.Hashes like r"%IMPHASH=d122c1eaa50839be14c31876d0d4e0be%" or Image.Hashes like r"%IMPHASH=8f4588156ea7d9af8e4c162ce4c3ff23%" or Image.Hashes like r"%IMPHASH=abdaca21ab5c831000b0aa4b8f357716%" or Image.Hashes like r"%IMPHASH=0555907292d07d9f78205416eb1924d3%" or Image.Hashes like r"%IMPHASH=832f0fb3579a07b1c4bec82b4478306b%" or Image.Hashes like r"%IMPHASH=340e874a1ca966e45fc2a314ef228cce%" or Image.Hashes like r"%IMPHASH=b35d1d3faa6c97b106b343823d5df867%" or Image.Hashes like r"%IMPHASH=7e1327419d10a7eeece5579526f75d9f%" or Image.Hashes like r"%IMPHASH=084b99aebda8a13e4f774a2ced272e85%" or Image.Hashes like r"%IMPHASH=81ba5280406320ce6f03a9817d7d6035%" or Image.Hashes like r"%IMPHASH=e4f1a9234e4ea105321909d4c0e597ae%" or 
Image.Hashes like r"%IMPHASH=68a12eb3f32f7e193bd0d722ea6be4ab%" or Image.Hashes like r"%IMPHASH=c3fd2e688276a184b2528ee590054e5a%" or Image.Hashes like r"%IMPHASH=531d2392dbdd314fb1d9318fe9e5c4d2%" or Image.Hashes like r"%IMPHASH=29a1da8841f5363423dcba1a9773809a%" or Image.Hashes like r"%IMPHASH=9fc4a96d982ebfd6b9d87c0f3ebef681%" or Image.Hashes like r"%IMPHASH=304c4fcf70cfc8299a3b6eed8e7bbb31%" or Image.Hashes like r"%IMPHASH=3415f704b3149ea9a3d3a54036b208dd%" or Image.Hashes like r"%IMPHASH=7cf815757705e26b809574488ed56d0e%" or Image.Hashes like r"%IMPHASH=28d780857f0f6616f938aca3a38b5072%" or Image.Hashes like r"%IMPHASH=235102691b04f562ae8aa7ece38d8bc9%" or Image.Hashes like r"%IMPHASH=262d8fbbf1f514399bb3f230cddc12af%" or Image.Hashes like r"%IMPHASH=0f3ddbe229201f6fa9a3dbbaf842a556%" or Image.Hashes like r"%IMPHASH=bd093a7d5ba5632ee52f3466a688ee55%" or Image.Hashes like r"%IMPHASH=a9e22f5e8f4965960716d94ba7639c9f%" or Image.Hashes like r"%IMPHASH=528ac7a1e034801d1f20238971c6ec19%" or Image.Hashes like r"%IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4%" or Image.Hashes like r"%IMPHASH=7c8c655791b5c853e45aa174e5cc1333%" or Image.Hashes like r"%IMPHASH=a53b095a8d7366075d445892070cde51%" or Image.Hashes like r"%IMPHASH=f079f8637a1d4fe2fb93af2a267b68ef%" or Image.Hashes like r"%IMPHASH=0ebd5902a82ddfef8ed96678c1573a7b%" or Image.Hashes like r"%IMPHASH=9a970527986cd03e5a25d18b372624a1%" or Image.Hashes like r"%IMPHASH=87fde0c3f8e7dff7ab0d718d6b1252c8%" or Image.Hashes like r"%IMPHASH=959dce366573a7aae10b74a08931722a%" or Image.Hashes like r"%IMPHASH=fce118020e70919e5c8c629687f89e56%" or Image.Hashes like r"%IMPHASH=86682585c620fa85096a7bedaf990cd1%" or Image.Hashes like r"%IMPHASH=5f9cf5b0511f3c1129b467d273b921f2%" or Image.Hashes like r"%IMPHASH=543f80399f79401471523d335ea61642%" or Image.Hashes like r"%IMPHASH=3ca448454c33a5c72ad5e774de47930a%" or Image.Hashes like r"%IMPHASH=51ecd9b363fde1f003f4b4f20c874b1b%" or Image.Hashes like 
r"%IMPHASH=1f2627fc453dc35031a9502372bd3549%" or Image.Hashes like r"%IMPHASH=2cf48a541dc193e91bb2a831adcf278e%" or Image.Hashes like r"%IMPHASH=805e4a267f9495e7c0c430d92b78f8bd%" or Image.Hashes like r"%IMPHASH=92caaf6ebb43bbe61f3da8526172f776%" or Image.Hashes like r"%IMPHASH=421730c2b3fa3a7d78c2eda3da1be6a8%" or Image.Hashes like r"%IMPHASH=aa54fa0523f677e56d6d8199e5e18732%" or Image.Hashes like r"%IMPHASH=8ee2435c62b02fe0372cde028be489cb%" or Image.Hashes like r"%IMPHASH=50b6a9c4df6d0c9f517c804ad1307d7c%" or Image.Hashes like r"%IMPHASH=037b9d19995faadf69a2ce134473e346%" or Image.Hashes like r"%IMPHASH=2c19472843b56c67efb80d8c447f3cfe%" or Image.Hashes like r"%IMPHASH=a74f61fdcea718cb9579907b2caf54ab%" or Image.Hashes like r"%IMPHASH=84d45ee8df6f63b5af419d89003a97bc%" or Image.Hashes like r"%IMPHASH=69dbb4c8bbe4d8c2e1493f82170b93c4%" or Image.Hashes like r"%IMPHASH=6903b92e7760c5d7f7c181b64eb13176%" or Image.Hashes like r"%IMPHASH=d6f977640d4810a784d152e4d3c63a6b%" or Image.Hashes like r"%IMPHASH=473c3773ca11aa7371dbf350919c5724%" or Image.Hashes like r"%IMPHASH=87842ffa59724bda8389394bcaeb5d73%" or Image.Hashes like r"%IMPHASH=18502b56d9ea5dea7f9d31ef85db31d5%" or Image.Hashes like r"%IMPHASH=b6f67458e30912358144df4adf5264fd%" or Image.Hashes like r"%IMPHASH=a49a51d7f2ae972483961eb64d17888e%" or Image.Hashes like r"%IMPHASH=81e2eb25e24938b90806de865630a2b2%" or Image.Hashes like r"%IMPHASH=96861132665e8d66c0a91e6c02cc6639%" or Image.Hashes like r"%IMPHASH=69163e5596280d3319375c9bcd4b5da1%" or Image.Hashes like r"%IMPHASH=4946030efb34ab167180563899d5eb27%" or Image.Hashes like r"%IMPHASH=4c304943af1b07b15a5efa80f17d9b89%" or Image.Hashes like r"%IMPHASH=821d74031d3f625bcbd0df08b70f1e77%" or Image.Hashes like r"%IMPHASH=1bef18e9dda6f1e7bbf7eb76e9ccf16b%" or Image.Hashes like r"%IMPHASH=21f58b1f2de6ad0e9c019da7a4e7317b%" or Image.Hashes like r"%IMPHASH=91387ac37086b9b519f945b58095f38d%" or Image.Hashes like r"%IMPHASH=dcd41632f0ad9683e5c9c7cc083f78f7%" or 
Image.Hashes like r"%IMPHASH=ced7ea67fdf3d89a48849e0062278f7d%" or Image.Hashes like r"%IMPHASH=5713a0c2b363c49706fa0e60151511a8%" or Image.Hashes like r"%IMPHASH=089e8a8f2bb007852c63b64e66430293%" or Image.Hashes like r"%IMPHASH=383be1d728b0be96be1b810a131705ee%" or Image.Hashes like r"%IMPHASH=3d42ff70269b824dd9d4a8cb905669f9%" or Image.Hashes like r"%IMPHASH=363922cc73591e60f2af113182414230%" or Image.Hashes like r"%IMPHASH=fa084cdc36f03f1aeddaa3450e2781b1%" or Image.Hashes like r"%IMPHASH=3c61f9a38aaa7650fcd33b46e794d1bb%" or Image.Hashes like r"%IMPHASH=42e3f2ffa29901e572f2df03cb872159%" or Image.Hashes like r"%IMPHASH=4c5fc4519f1417f0630c3343aab7c9d2%" or Image.Hashes like r"%IMPHASH=d5d40497d82daf7e44255ede810ce7a6%" or Image.Hashes like r"%IMPHASH=91ee149529956a79a91eeb8c48f00b3d%" or Image.Hashes like r"%IMPHASH=a387f215b4964a3ca2e3c92f235a6d1b%" or Image.Hashes like r"%IMPHASH=ca6e77f472ebd5b2ade876e7c773bb57%" or Image.Hashes like r"%IMPHASH=67bace81ce26ddf73732dd75cbd0c0f2%" or Image.Hashes like r"%IMPHASH=18b8de84bd7aa83fec79d2c6aaf0a4f5%" or Image.Hashes like r"%IMPHASH=519cf5394541bf5e2869edeec81521e1%" or Image.Hashes like r"%IMPHASH=cae90f82e91b9a60af9a0e36c1f73be4%" or Image.Hashes like r"%IMPHASH=643f4d79f35dddc9bb5cc04a0f0c18d3%" or Image.Hashes like r"%IMPHASH=6b7d4c6283b9b951b7b2f47a0c5be8c7%" or Image.Hashes like r"%IMPHASH=b4c857bd3a7b1d8125c0f62aec45401e%" or Image.Hashes like r"%IMPHASH=49a12b06131d938e9dc40c693b88ba7f%" or Image.Hashes like r"%IMPHASH=f74aa24adc713dbb957ccb18f3c16a71%" or Image.Hashes like r"%IMPHASH=6faad89adbfc9d5448bb1bd12e7714cd%" or Image.Hashes like r"%IMPHASH=5759d90322a7311eaccf4f0ab2c2a7c4%" or Image.Hashes like r"%IMPHASH=8b6c1a09e11200591663b880a94a8d18%" or Image.Hashes like r"%IMPHASH=eade2a2576f329e4971bf5044ab24ac7%" or Image.Hashes like r"%IMPHASH=8b47d6faba90b5c89e27f7119c987e1a%" or Image.Hashes like r"%IMPHASH=4433528b0f664177546dd3e229f0daa5%" or Image.Hashes like 
r"%IMPHASH=c0f234205c50cc713673353c9653eea1%" or Image.Hashes like r"%IMPHASH=b4b90c1b054ebe273bff4b2fd6927990%" or Image.Hashes like r"%IMPHASH=f2dc136141066311fddef65f7f417c44%" or Image.Hashes like r"%IMPHASH=12a08688ec92616a8b639d85cc13a3ed%" or Image.Hashes like r"%IMPHASH=296afaa5ea70bbd17135afcd04758148%" or Image.Hashes like r"%IMPHASH=8232d2f79ce126e84cc044543ad82790%" or Image.Hashes like r"%IMPHASH=e10e743d152cf62f219a7e9192fb533d%" or Image.Hashes like r"%IMPHASH=e5af2438da6df2aa9750aa632c80cfa4%" or Image.Hashes like r"%IMPHASH=3a4e0bc46866ca54459753f62c879b62%" or Image.Hashes like r"%IMPHASH=10cb3185e13390f8931a50a131448cdf%" or Image.Hashes like r"%IMPHASH=4fb27d2712ef4afdb67e0921d64a5f1e%" or Image.Hashes like r"%IMPHASH=a96a02cf5f7896a9a9f045d1986bd83c%" or Image.Hashes like r"%IMPHASH=fd894d394a8ca9abd74f7210ed931682%" or Image.Hashes like r"%IMPHASH=ca07de87d444c1d2d10e16e9dcc2dc19%" or Image.Hashes like r"%IMPHASH=1aa10b05dee9268d7ce87f5f56ea9ded%" or Image.Hashes like r"%IMPHASH=485f7e86663d49c68c8b5f705d310f50%" or Image.Hashes like r"%IMPHASH=5899e93373114ca9e458e906675132b7%" or Image.Hashes like r"%IMPHASH=be2d638c3933fc3f5a96e539f9910c5f%" or Image.Hashes like r"%IMPHASH=fbfa302bf7eb5d615d0968541ee49ce4%" or Image.Hashes like r"%IMPHASH=f9b9487f25a2c1e08c02f391387c5323%" or Image.Hashes like r"%IMPHASH=ef102e058f6b88af0d66d26236257706%" or Image.Hashes like r"%IMPHASH=0f371a913e9fa3ba3a923718e489debb%" +GenericProperty1 = Image.Hashes [ThreatDetectionRule platform=Windows] -# Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface -# Author: Florian Roth (Nextron Systems), Elastic (idea) -RuleId = 49f2f17b-b4c8-4172-a68b-d5bf95d05130 -RuleName = UAC Bypass via ICMLuaUtil +# Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. 
+# Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection. +# Author: Swachchhanda Shrawan Poudel +RuleId = be58d2e2-06c8-4f58-b666-b99f6dc3b6cd +RuleName = Suspicious Process Masquerading As SvcHost.EXE EventType = Process.Start -Tag = proc-start-uac-bypass-via-icmluautil +Tag = proc-start-suspicious-process-masquerading-as-svchost.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1548.002"], "author": "Florian Roth (Nextron Systems), Elastic (idea)"} -Query = Parent.Path like r"%\\dllhost.exe" and (Parent.CommandLine like r"%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%" or Parent.CommandLine like r"%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%") and not (Process.Path like r"%\\WerFault.exe" or Process.Name == "WerFault.exe") -GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine +Annotation = {"mitre_attack": ["T1036.005"], "author": "Swachchhanda Shrawan Poudel"} +Query = Process.Path like r"%\\svchost.exe" and not (Process.Path in ["C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe"] or Process.Name == "svchost.exe") [ThreatDetectionRule platform=Windows] -# When configured with suitable command line arguments, w32tm can act as a delay mechanism -# Author: frack113 -RuleId = 6da2c9f5-7c53-401b-aacb-92c040ce1215 -RuleName = Use of W32tm as Timer -EventType = Process.Start -Tag = proc-start-use-of-w32tm-as-timer +# Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context. 
+# Author: frack113, omkar72, oscd.community, Wojciech Lesicki +RuleId = e0b06658-7d1d-4cd3-bf15-03467507ff7c +RuleName = Suspicious DotNET CLR Usage Log Artifact +EventType = File.Create +Tag = suspicious-dotnet-clr-usage-log-artifact RiskScore = 75 -Annotation = {"mitre_attack": ["T1124"], "author": "frack113"} -Query = (Process.Path like r"%\\w32tm.exe" or Process.Name == "w32time.dll") and Process.CommandLine like r"%/stripchart%" and Process.CommandLine like r"%/computer:%" and Process.CommandLine like r"%/period:%" and Process.CommandLine like r"%/dataonly%" and Process.CommandLine like r"%/samples:%" +Annotation = {"mitre_attack": ["T1218"], "author": "frack113, omkar72, oscd.community, Wojciech Lesicki"} +Query = (File.Path like r"%\\UsageLogs\\cmstp.exe.log" or File.Path like r"%\\UsageLogs\\cscript.exe.log" or File.Path like r"%\\UsageLogs\\mshta.exe.log" or File.Path like r"%\\UsageLogs\\msxsl.exe.log" or File.Path like r"%\\UsageLogs\\regsvr32.exe.log" or File.Path like r"%\\UsageLogs\\rundll32.exe.log" or File.Path like r"%\\UsageLogs\\svchost.exe.log" or File.Path like r"%\\UsageLogs\\wscript.exe.log" or File.Path like r"%\\UsageLogs\\wmic.exe.log") and not (Parent.Path like r"%\\MsiExec.exe" and Parent.CommandLine like r"% -Embedding%" and Process.Path like r"%\\rundll32.exe" and Process.CommandLine like r"%Temp%" and Process.CommandLine like r"%zzzzInvokeManagedCustomActionOutOfProc%") +GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine +GenericProperty3 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use) +# Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit) # Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) -RuleId = c73124a7-3e89-44a3-bdc1-25fe4df754b1 
-RuleName = Copy From VolumeShadowCopy Via Cmd.EXE +RuleId = f57f8d16-1f39-4dcb-a604-6c73d9b54b3d +RuleName = Sensitive File Access Via Volume Shadow Copy Backup EventType = Process.Start -Tag = proc-start-copy-from-volumeshadowcopy-via-cmd.exe +Tag = proc-start-sensitive-file-access-via-volume-shadow-copy-backup RiskScore = 75 Annotation = {"mitre_attack": ["T1490"], "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)"} -Query = Process.CommandLine like r"%copy %" and Process.CommandLine like r"%\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy%" +Query = Process.CommandLine like r"%\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy%" and (Process.CommandLine like r"%\\NTDS.dit%" or Process.CommandLine like r"%\\SYSTEM%" or Process.CommandLine like r"%\\SECURITY%") [ThreatDetectionRule platform=Windows] -# Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events. -# Author: Ilyas Ochkov, oscd.community -RuleId = 919f2ef0-be2d-4a7a-b635-eb2b41fde044 -RuleName = Disable Security Events Logging Adding Reg Key MiniNt -EventType = Reg.Any -Tag = disable-security-events-logging-adding-reg-key-minint +# Detects network connections from the Equation Editor process "eqnedt32.exe". 
+# Author: Max Altgelt (Nextron Systems) +RuleId = a66bc059-c370-472c-a0d7-f8fd1bf9d583 +RuleName = Network Connection Initiated By Eqnedt32.EXE +EventType = Net.Any +Tag = network-connection-initiated-by-eqnedt32.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.001", "T1112"], "author": "Ilyas Ochkov, oscd.community"} -Query = Reg.TargetObject == "HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" and Reg.EventType == "CreateKey" or Reg.Key.Path.New == "HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" -Hive = HKLM,HKU -GenericProperty1 = Reg.Key.Path.New -GenericProperty2 = Reg.TargetObject -GenericProperty3 = Reg.EventType +Annotation = {"mitre_attack": ["T1203"], "author": "Max Altgelt (Nextron Systems)"} +Query = Process.Path like r"%\\eqnedt32.exe" [ThreatDetectionRule platform=Windows] -# Detects suspicious powershell command line parameters used in Empire -# Author: Florian Roth (Nextron Systems) -RuleId = 79f4ede3-402e-41c8-bc3e-ebbf5f162581 -RuleName = HackTool - Empire PowerShell Launch Parameters +# Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable. 
+# Author: Jonhnathan Ribeiro, oscd.community +RuleId = 99cf1e02-00fb-4c0d-8375-563f978dfd37 +RuleName = Deny Service Access Using Security Descriptor Tampering Via Sc.EXE EventType = Process.Start -Tag = proc-start-hacktool-empire-powershell-launch-parameters +Tag = proc-start-deny-service-access-using-security-descriptor-tampering-via-sc.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"% -NoP -sta -NonI -W Hidden -Enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc %" or Process.CommandLine like r"% -NoP -NonI -W Hidden -enc %" or Process.CommandLine like r"% -noP -sta -w 1 -enc%" or Process.CommandLine like r"% -enc SQB%" or Process.CommandLine like r"% -nop -exec bypass -EncodedCommand %" +Annotation = {"mitre_attack": ["T1543.003"], "author": "Jonhnathan Ribeiro, oscd.community"} +Query = (Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and Process.CommandLine like r"%sdset%" and Process.CommandLine like r"%D;%" and (Process.CommandLine like r"%;IU%" or Process.CommandLine like r"%;SU%" or Process.CommandLine like r"%;BA%" or Process.CommandLine like r"%;SY%" or Process.CommandLine like r"%;WD%") [ThreatDetectionRule platform=Windows] -# Detects PowerShell download and execution cradles. -# Author: Florian Roth (Nextron Systems) -RuleId = 85b0b087-eddf-4a2b-b033-d771fa2b9775 -RuleName = PowerShell Download and Execution Cradles -EventType = Process.Start -Tag = proc-start-powershell-download-and-execution-cradles +# Detects potential WerFault "ReflectDebugger" registry value abuse for persistence. 
+# Author: X__Junior +RuleId = 0cf2e1c6-8d10-4273-8059-738778f981ad +RuleName = Potential WerFault ReflectDebugger Registry Value Abuse +EventType = Reg.Any +Tag = potential-werfault-reflectdebugger-registry-value-abuse RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.CommandLine like r"%.DownloadString(%" or Process.CommandLine like r"%.DownloadFile(%" or Process.CommandLine like r"%Invoke-WebRequest %" or Process.CommandLine like r"%iwr %") and (Process.CommandLine like r"%;iex $%" or Process.CommandLine like r"%| IEX%" or Process.CommandLine like r"%|IEX %" or Process.CommandLine like r"%I`E`X%" or Process.CommandLine like r"%I`EX%" or Process.CommandLine like r"%IE`X%" or Process.CommandLine like r"%iex %" or Process.CommandLine like r"%IEX (%" or Process.CommandLine like r"%IEX(%" or Process.CommandLine like r"%Invoke-Expression%") +Annotation = {"mitre_attack": ["T1036.003"], "author": "X__Junior"} +Query = Reg.EventType == "SetValue" and Reg.TargetObject like r"%\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects potential tampering with Windows Defender settings such as adding exclusion using wmic -# Author: frack113 -RuleId = 51cbac1e-eee3-4a90-b1b7-358efb81fa0a -RuleName = Potential Windows Defender Tampering Via Wmic.EXE +# Detects uncommon child process of Setres.EXE. +# Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. +# It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path. 
+# Author: @gott_cyber, Nasreddine Bencherchali (Nextron Systems) +RuleId = 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7 +RuleName = Uncommon Child Process Of Setres.EXE EventType = Process.Start -Tag = proc-start-potential-windows-defender-tampering-via-wmic.exe +Tag = proc-start-uncommon-child-process-of-setres.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.008"], "author": "frack113"} -Query = (Process.Name == "wmic.exe" or Process.Path like r"%\\WMIC.exe") and Process.CommandLine like r"%/Namespace:\\\\root\\Microsoft\\Windows\\Defender%" +Annotation = {"mitre_attack": ["T1218", "T1202"], "author": "@gott_cyber, Nasreddine Bencherchali (Nextron Systems)"} +Query = Parent.Path like r"%\\setres.exe" and Process.Path like r"%\\choice%" and not (Process.Path like r"%C:\\Windows\\System32\\choice.exe" or Process.Path like r"%C:\\Windows\\SysWOW64\\choice.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine -# Author: Florian Roth (Nextron Systems) -RuleId = 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d -RuleName = HackTool - CreateMiniDump Execution +# Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file. 
+# Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) +RuleId = c27515df-97a9-4162-8a60-dc0eeb51b775 +RuleName = Suspicious Microsoft OneNote Child Process EventType = Process.Start -Tag = proc-start-hacktool-createminidump-execution +Tag = proc-start-suspicious-microsoft-onenote-child-process RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\CreateMiniDump.exe" or Process.Hashes like r"%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%" -GenericProperty1 = Process.Hashes +Annotation = {"mitre_attack": ["T1566", "T1566.001"], "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)"} +Query = Parent.Path like r"%\\onenote.exe" and (Process.Name in ["bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe"] or Process.Path like r"%\\AppVLP.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certoc.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cmstp.exe" or Process.Path like r"%\\control.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\curl.exe" or Process.Path like r"%\\forfiles.exe" or Process.Path like r"%\\hh.exe" or Process.Path like r"%\\ieexec.exe" or Process.Path like r"%\\installutil.exe" or Process.Path like r"%\\javaw.exe" or Process.Path like r"%\\mftrace.exe" or Process.Path like r"%\\Microsoft.Workflow.Compiler.exe" or Process.Path like r"%\\msbuild.exe" or Process.Path like r"%\\msdt.exe" 
or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msidb.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\msxsl.exe" or Process.Path like r"%\\odbcconf.exe" or Process.Path like r"%\\pcalua.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\regasm.exe" or Process.Path like r"%\\regsvcs.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\scrcons.exe" or Process.Path like r"%\\scriptrunner.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\verclsid.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\workfolders.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\explorer.exe" and (Process.CommandLine like r"%.hta%" or Process.CommandLine like r"%.vb%" or Process.CommandLine like r"%.wsh%" or Process.CommandLine like r"%.js%" or Process.CommandLine like r"%.ps%" or Process.CommandLine like r"%.scr%" or Process.CommandLine like r"%.pif%" or Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.cmd%") or Process.Path like r"%\\AppData\\%" or Process.Path like r"%\\Users\\Public\\%" or Process.Path like r"%\\ProgramData\\%" or Process.Path like r"%\\Windows\\Tasks\\%" or Process.Path like r"%\\Windows\\Temp\\%" or Process.Path like r"%\\Windows\\System32\\Tasks\\%") and not (Process.Path like r"%\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe" and Process.CommandLine like r"%-Embedding" or Process.Path like r"%\\AppData\\Local\\Microsoft\\OneDrive\\%" and Process.Path like r"%\\FileCoAuth.exe" and Process.CommandLine like r"%-Embedding") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Shadow Copies storage symbolic link creation using operating systems utilities -# Author: Teymur Kheirkhabarov, oscd.community -RuleId = 40b19fa6-d835-400c-b301-41f3a2baacaf 
-RuleName = VolumeShadowCopy Symlink Creation Via Mklink +# Detects usage of a base64 encoded "IEX" cmdlet in a process command line +# Author: Florian Roth (Nextron Systems) +RuleId = 88f680b8-070e-402c-ae11-d2914f2257f1 +RuleName = PowerShell Base64 Encoded IEX Cmdlet EventType = Process.Start -Tag = proc-start-volumeshadowcopy-symlink-creation-via-mklink +Tag = proc-start-powershell-base64-encoded-iex-cmdlet RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.002", "T1003.003"], "author": "Teymur Kheirkhabarov, oscd.community"} -Query = Process.CommandLine like r"%mklink%" and Process.CommandLine like r"%HarddiskVolumeShadowCopy%" +Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.CommandLine like r"%SUVYIChb%" or Process.CommandLine like r"%lFWCAoW%" or Process.CommandLine like r"%JRVggKF%" or Process.CommandLine like r"%aWV4IChb%" or Process.CommandLine like r"%lleCAoW%" or Process.CommandLine like r"%pZXggKF%" or Process.CommandLine like r"%aWV4IChOZX%" or Process.CommandLine like r"%lleCAoTmV3%" or Process.CommandLine like r"%pZXggKE5ld%" or Process.CommandLine like r"%SUVYIChOZX%" or Process.CommandLine like r"%lFWCAoTmV3%" or Process.CommandLine like r"%JRVggKE5ld%" or Process.CommandLine like r"%SUVYKF%" or Process.CommandLine like r"%lFWChb%" or Process.CommandLine like r"%JRVgoW%" or Process.CommandLine like r"%aWV4KF%" or Process.CommandLine like r"%lleChb%" or Process.CommandLine like r"%pZXgoW%" or Process.CommandLine like r"%aWV4KE5ld%" or Process.CommandLine like r"%lleChOZX%" or Process.CommandLine like r"%pZXgoTmV3%" or Process.CommandLine like r"%SUVYKE5ld%" or Process.CommandLine like r"%lFWChOZX%" or Process.CommandLine like r"%JRVgoTmV3%" or Process.CommandLine like r"%SUVYKCgn%" or Process.CommandLine like r"%lFWCgoJ%" or Process.CommandLine like r"%JRVgoKC%" or Process.CommandLine like r"%aWV4KCgn%" or Process.CommandLine like r"%lleCgoJ%" or Process.CommandLine like r"%pZXgoKC%" or 
Process.CommandLine like r"%SQBFAFgAIAAoAFsA%" or Process.CommandLine like r"%kARQBYACAAKABbA%" or Process.CommandLine like r"%JAEUAWAAgACgAWw%" or Process.CommandLine like r"%aQBlAHgAIAAoAFsA%" or Process.CommandLine like r"%kAZQB4ACAAKABbA%" or Process.CommandLine like r"%pAGUAeAAgACgAWw%" or Process.CommandLine like r"%aQBlAHgAIAAoAE4AZQB3A%" or Process.CommandLine like r"%kAZQB4ACAAKABOAGUAdw%" or Process.CommandLine like r"%pAGUAeAAgACgATgBlAHcA%" or Process.CommandLine like r"%SQBFAFgAIAAoAE4AZQB3A%" or Process.CommandLine like r"%kARQBYACAAKABOAGUAdw%" or Process.CommandLine like r"%JAEUAWAAgACgATgBlAHcA%" [ThreatDetectionRule platform=Windows] -# Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields. -# Author: X__Junior (Nextron Systems) -RuleId = 264982dc-dbad-4dce-b707-1e0d3e0f73d9 -RuleName = Renamed NirCmd.EXE Execution -EventType = Process.Start -Tag = proc-start-renamed-nircmd.exe-execution +# Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification +# Author: frack113 +RuleId = 674202d0-b22a-4af4-ae5f-2eda1f3da1af +RuleName = Bypass UAC Using Event Viewer +EventType = Reg.Any +Tag = bypass-uac-using-event-viewer RiskScore = 75 -Annotation = {"mitre_attack": ["T1059", "T1202"], "author": "X__Junior (Nextron Systems)"} -Query = Process.Name == "NirCmd.exe" and not (Process.Path like r"%\\nircmd.exe" or Process.Path like r"%\\nircmdc.exe") +Annotation = {"mitre_attack": ["T1547.010"], "author": "frack113"} +Query = Reg.TargetObject like r"%\_Classes\\mscfile\\shell\\open\\command\\(Default)" and not Reg.Value.Data like r"\%SystemRoot\%\\system32\\mmc.exe \"\%1\" \%%" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects network connections from the Equation Editor process "eqnedt32.exe". 
-# Author: Max Altgelt (Nextron Systems) -RuleId = a66bc059-c370-472c-a0d7-f8fd1bf9d583 -RuleName = Network Connection Initiated By Eqnedt32.EXE -EventType = Net.Any -Tag = network-connection-initiated-by-eqnedt32.exe +# Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 6b65c28e-11f3-46cb-902a-68f2cafaf474 +RuleName = Odbcconf.EXE Suspicious DLL Location +EventType = Process.Start +Tag = proc-start-odbcconf.exe-suspicious-dll-location RiskScore = 75 -Annotation = {"mitre_attack": ["T1203"], "author": "Max Altgelt (Nextron Systems)"} -Query = Process.Path like r"%\\eqnedt32.exe" +Annotation = {"mitre_attack": ["T1218.008"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\odbcconf.exe" or Process.Name == "odbcconf.exe") and (Process.CommandLine like r"%:\\PerfLogs\\%" or Process.CommandLine like r"%:\\ProgramData\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\Registration\\CRMLog%" or Process.CommandLine like r"%:\\Windows\\System32\\com\\dmp\\%" or Process.CommandLine like r"%:\\Windows\\System32\\FxsTmp\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\%" or Process.CommandLine like r"%:\\Windows\\System32\\spool\\drivers\\color\\%" or Process.CommandLine like r"%:\\Windows\\System32\\spool\\PRINTERS\\%" or Process.CommandLine like r"%:\\Windows\\System32\\spool\\SERVERS\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\_Migrated\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Process.CommandLine like r"%:\\Windows\\SysWOW64\\com\\dmp\\%" or Process.CommandLine like r"%:\\Windows\\SysWOW64\\FxsTmp\\%" or Process.CommandLine like 
r"%:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\%" or Process.CommandLine like r"%:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Process.CommandLine like r"%:\\Windows\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\Tracing\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Roaming\\%") [ThreatDetectionRule platform=Windows] -# Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity +# Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections # Author: Florian Roth (Nextron Systems) -RuleId = 1775e15e-b61b-4d14-a1a3-80981298085a -RuleName = Rundll32 Execution Without CommandLine Parameters -EventType = Process.Start -Tag = proc-start-rundll32-execution-without-commandline-parameters +RuleId = fcddca7c-b9c0-4ddf-98da-e1e2d18b0157 +RuleName = Disabled Windows Defender Eventlog +EventType = Reg.Any +Tag = disabled-windows-defender-eventlog RiskScore = 75 -Annotation = {"mitre_attack": ["T1202"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.CommandLine like r"%\\rundll32.exe" or Process.CommandLine like r"%\\rundll32.exe\"" or Process.CommandLine like r"%\\rundll32") and not (Parent.Path like r"%\\AppData\\Local\\%" or Parent.Path like r"%\\Microsoft\\Edge\\%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1562.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled%" and Reg.Value.Data == "DWORD (0x00000000)" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process +# Detects the load of 
EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs # Author: Florian Roth (Nextron Systems) -RuleId = 8c0eca51-0f88-4db2-9183-fdfb10c703f9 -RuleName = LSA PPL Protection Disabled Via Reg.EXE -EventType = Process.Start -Tag = proc-start-lsa-ppl-protection-disabled-via-reg.exe +RuleId = 49329257-089d-46e6-af37-4afce4290685 +RuleName = HackTool - SharpEvtMute DLL Load +EventType = Image.Load +Tag = hacktool-sharpevtmute-dll-load RiskScore = 75 -Annotation = {"mitre_attack": ["T1562.010"], "author": "Florian Roth (Nextron Systems)"} -Query = (Process.Path like r"%\\reg.exe" or Process.Name == "reg.exe") and Process.CommandLine like r"%SYSTEM\\CurrentControlSet\\Control\\Lsa%" and Process.CommandLine like r"% add %" and Process.CommandLine like r"% /d 0%" and Process.CommandLine like r"% /v RunAsPPL %" +Annotation = {"mitre_attack": ["T1562.002"], "author": "Florian Roth (Nextron Systems)"} +Query = Image.Hashes like r"%IMPHASH=330768A4F172E10ACB6287B87289D83B%" +GenericProperty1 = Image.Hashes [ThreatDetectionRule platform=Windows] -# Detects processes creating temp files related to PCRE.NET package -# Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -RuleId = 6e90ae7a-7cd3-473f-a035-4ebb72d961da -RuleName = PCRE.NET Package Temp Files +# Detect creation of suspicious executable file names. +# Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths. 
+# Author: frack113 +RuleId = 74babdd6-a758-4549-9632-26535279e654 +RuleName = Suspicious Executable File Creation EventType = File.Create -Tag = pcre.net-package-temp-files +Tag = suspicious-executable-file-creation RiskScore = 75 -Annotation = {"mitre_attack": ["T1059"], "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)"} -Query = File.Path like r"%\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\%" +Annotation = {"mitre_attack": ["T1564"], "author": "frack113"} +Query = File.Path like r"%:\\$Recycle.Bin.exe" or File.Path like r"%:\\Documents and Settings.exe" or File.Path like r"%:\\MSOCache.exe" or File.Path like r"%:\\PerfLogs.exe" or File.Path like r"%:\\Recovery.exe" or File.Path like r"%.bat.exe" or File.Path like r"%.sys.exe" GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) -# Author: Tim Rauch, Elastic (idea) -RuleId = a4e3d776-f12e-42c2-8510-9e6ed1f43ec3 -RuleName = Unusual Child Process of dns.exe +# Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio) +# Author: Jason Lynch +RuleId = aa3a6f94-890e-4e22-b634-ffdfd54792cc +RuleName = Suspicious Binary In User Directory Spawned From Office Application EventType = Process.Start -Tag = proc-start-unusual-child-process-of-dns.exe +Tag = proc-start-suspicious-binary-in-user-directory-spawned-from-office-application RiskScore = 75 -Annotation = {"mitre_attack": ["T1133"], "author": "Tim Rauch, Elastic (idea)"} -Query = Parent.Path like r"%\\dns.exe" and not Process.Path like r"%\\conhost.exe" +Annotation = {"mitre_attack": ["T1204.002"], "author": "Jason Lynch"} +Query = (Parent.Path like r"%\\WINWORD.EXE" or Parent.Path like r"%\\EXCEL.EXE" or Parent.Path like r"%\\POWERPNT.exe" or 
Parent.Path like r"%\\MSPUB.exe" or Parent.Path like r"%\\VISIO.exe" or Parent.Path like r"%\\MSACCESS.exe" or Parent.Path like r"%\\EQNEDT32.exe") and Process.Path like r"C:\\users\\%" and Process.Path like r"%.exe" and not Process.Path like r"%\\Teams.exe" GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects execution of javascript code using "mshta.exe". -# Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -RuleId = 67f113fa-e23d-4271-befa-30113b3e08b1 -RuleName = Suspicious JavaScript Execution Via Mshta.EXE +# Execution of ssh.exe to perform data exfiltration and tunneling through RDP +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = f7d7ebd5-a016-46e2-9c54-f9932f2d386d +RuleName = Potential RDP Tunneling Via SSH EventType = Process.Start -Tag = proc-start-suspicious-javascript-execution-via-mshta.exe +Tag = proc-start-potential-rdp-tunneling-via-ssh RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.005"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community"} -Query = (Process.Path like r"%\\mshta.exe" or Process.Name == "MSHTA.EXE") and Process.CommandLine like r"%javascript%" +Annotation = {"mitre_attack": ["T1572"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\ssh.exe" and Process.CommandLine like r"%:3389%" [ThreatDetectionRule platform=Windows] -# Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation -# Author: frack113 -RuleId = deb9b646-a508-44ee-b7c9-d8965921c6b6 -RuleName = Powershell Token Obfuscation - Process Creation +# Detects the execution GMER tool based on image and hash fields. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 9082ff1f-88ab-4678-a3cc-5bcff99fc74d +RuleName = HackTool - GMER Rootkit Detector and Remover Execution EventType = Process.Start -Tag = proc-start-powershell-token-obfuscation-process-creation +Tag = proc-start-hacktool-gmer-rootkit-detector-and-remover-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1027.009"], "author": "frack113"} -Query = (Process.CommandLine regex "\\w+`(\\w+|-|.)`[\\w+|\\s]" or Process.CommandLine regex "\"(\\{\\d\\})+\"\\s*-f" or Process.CommandLine regex "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and not Process.CommandLine like r"%${env:path}%" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.Path like r"%\\gmer.exe" or Process.Hashes like r"%MD5=E9DC058440D321AA17D0600B3CA0AB04%" or Process.Hashes like r"%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%" or Process.Hashes like r"%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%" +GenericProperty1 = Process.Hashes [ThreatDetectionRule platform=Windows] -# Detects process execution from a fake recycle bin folder, often used to avoid security solution. 
-# Author: X__Junior (Nextron Systems) -RuleId = 5ce0f04e-3efc-42af-839d-5b3a543b76c0 -RuleName = Suspicious Process Execution From Fake Recycle.Bin Folder -EventType = Process.Start -Tag = proc-start-suspicious-process-execution-from-fake-recycle.bin-folder +# Detects the image load of VSS DLL by uncommon executables +# Author: frack113 +RuleId = 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 +RuleName = Suspicious Volume Shadow Copy Vssapi.dll Load +EventType = Image.Load +Tag = suspicious-volume-shadow-copy-vssapi.dll-load RiskScore = 75 -Annotation = {"author": "X__Junior (Nextron Systems)"} -Query = Process.Path like r"%RECYCLERS.BIN\\%" or Process.Path like r"%RECYCLER.BIN\\%" +Annotation = {"mitre_attack": ["T1490"], "author": "frack113"} +Query = Image.Path like r"%\\vssapi.dll" and not (Process.Path in ["C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe"] or Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%" or Process.Path like r"C:\\Windows\\Temp\\{%" or Process.Path like r"C:\\Windows\\WinSxS\\%" or Process.Path like r"C:\\Program Files\\%" or Process.Path like r"C:\\Program Files (x86)\\%" or Process.Path like r"C:\\ProgramData\\Package Cache\\%") +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious parent processes that should not have any children or should only have a single possible child program -# Author: Florian Roth (Nextron Systems) -RuleId = cbec226f-63d9-4eca-9f52-dfb6652f24df -RuleName = Suspicious Process Parents -EventType = Process.Start -Tag = proc-start-suspicious-process-parents +# Detects when a file with a suspicious extension is created in the startup folder +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 28208707-fe31-437f-9a7f-4b1108b94d2e +RuleName = Suspicious Startup Folder Persistence +EventType = File.Create +Tag = suspicious-startup-folder-persistence RiskScore = 75 -Annotation = {"mitre_attack": 
["T1036"], "author": "Florian Roth (Nextron Systems)"} -Query = Parent.Path like r"%\\minesweeper.exe" or Parent.Path like r"%\\winver.exe" or Parent.Path like r"%\\bitsadmin.exe" or (Parent.Path like r"%\\csrss.exe" or Parent.Path like r"%\\certutil.exe" or Parent.Path like r"%\\eventvwr.exe" or Parent.Path like r"%\\calc.exe" or Parent.Path like r"%\\notepad.exe") and not (Process.Path like r"%\\WerFault.exe" or Process.Path like r"%\\wermgr.exe" or Process.Path like r"%\\conhost.exe" or Process.Path like r"%\\mmc.exe" or Process.Path like r"%\\win32calc.exe" or Process.Path like r"%\\notepad.exe" or isnull(Process.Path)) -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1547.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"%\\Windows\\Start Menu\\Programs\\Startup\\%" and (File.Path like r"%.vbs" or File.Path like r"%.vbe" or File.Path like r"%.bat" or File.Path like r"%.ps1" or File.Path like r"%.hta" or File.Path like r"%.dll" or File.Path like r"%.jar" or File.Path like r"%.msi" or File.Path like r"%.scr" or File.Path like r"%.cmd") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. 
This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = e7b18879-676e-4a0e-ae18-27039185a8e7 -RuleName = New Netsh Helper DLL Registered From A Suspicious Location +# Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) +# Author: Dimitrios Slamaris +RuleId = 9d3436ef-9476-4c43-acca-90ce06bdf33a +RuleName = DHCP Callout DLL Installation EventType = Reg.Any -Tag = new-netsh-helper-dll-registered-from-a-suspicious-location +Tag = dhcp-callout-dll-installation RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.007"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\NetSh%" and (Reg.Value.Data like r"%:\\Perflogs\\%" or Reg.Value.Data like r"%:\\Users\\Public\\%" or Reg.Value.Data like r"%:\\Windows\\Temp\\%" or Reg.Value.Data like r"%\\AppData\\Local\\Temp\\%" or Reg.Value.Data like r"%\\Temporary Internet%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favorites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Favourites\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Contacts\\%" or Reg.Value.Data like r"%:\\Users\\%" and Reg.Value.Data like r"%\\Pictures\\%") +Annotation = {"mitre_attack": ["T1574.002", "T1112"], "author": "Dimitrios Slamaris"} +Query = Reg.TargetObject like r"%\\Services\\DHCPServer\\Parameters\\CalloutDlls" or Reg.TargetObject like r"%\\Services\\DHCPServer\\Parameters\\CalloutEnabled" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus -# Author: X__Junior (Nextron Systems) -RuleId = 
24b6cf51-6122-469e-861a-22974e9c1e5b -RuleName = Potential SmadHook.DLL Sideloading -EventType = Image.Load -Tag = potential-smadhook.dll-sideloading +# Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against +# Author: frack113 +RuleId = 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf +RuleName = HackTool - Hashcat Password Cracker Execution +EventType = Process.Start +Tag = proc-start-hacktool-hashcat-password-cracker-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior (Nextron Systems)"} -Query = (Image.Path like r"%\\SmadHook32c.dll" or Image.Path like r"%\\SmadHook64c.dll") and not ((Process.Path in ["C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe"]) and (Image.Path like r"C:\\Program Files (x86)\\SMADAV\\%" or Image.Path like r"C:\\Program Files\\SMADAV\\%")) -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1110.002"], "author": "frack113"} +Query = Process.Path like r"%\\hashcat.exe" or Process.CommandLine like r"%-a %" and Process.CommandLine like r"%-m 1000 %" and Process.CommandLine like r"%-r %" [ThreatDetectionRule platform=Windows] -# Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious -# Author: Syed Hasan (@syedhasan009) -RuleId = 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d -RuleName = Scheduled TaskCache Change by Uncommon Program +# Detects a method to load DLL via LSASS process using an undocumented Registry key +# Author: Florian Roth (Nextron Systems) +RuleId = b3503044-60ce-4bf4-bbcb-e3db98788823 +RuleName = DLL Load via LSASS EventType = Reg.Any -Tag = scheduled-taskcache-change-by-uncommon-program +Tag = dll-load-via-lsass RiskScore = 75 -Annotation = {"mitre_attack": ["T1053", "T1053.005"], 
"author": "Syed Hasan (@syedhasan009)"} -Query = Reg.TargetObject like r"%SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\%" and not (Reg.TargetObject like r"%Microsoft\\Windows\\UpdateOrchestrator%" or Reg.TargetObject like r"%Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\\Index%" or Reg.TargetObject like r"%Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache\\Index%" or Process.Path like r"C:\\Windows\\%" and Process.Path like r"%\\TiWorker.exe" or Process.Path == "C:\\WINDOWS\\system32\\svchost.exe" or Process.Path like r"C:\\Windows\\Microsoft.NET\\Framework%" and Process.Path like r"%\\ngen.exe" and (Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%" or Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN%") or Process.Path in ["C:\\Program Files\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\Integration\\Integrator.exe"] or Process.Path == "C:\\Windows\\System32\\msiexec.exe" or Process.Path in ["C:\\Program Files (x86)\\Dropbox\\Update\\DropboxUpdate.exe", "C:\\Program Files\\Dropbox\\Update\\DropboxUpdate.exe"] or Process.Path == "C:\\Windows\\explorer.exe" and Reg.TargetObject like r"%\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\\%" or Process.Path == "System") +Annotation = {"mitre_attack": ["T1547.008"], "author": "Florian Roth (Nextron Systems)"} +Query = (Reg.TargetObject like r"%\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt%" or Reg.TargetObject like r"%\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt%") and not (Process.Path == "C:\\Windows\\system32\\lsass.exe" and (Reg.Value.Data in ["\%\%systemroot\%\%\\system32\\ntdsa.dll", "\%\%systemroot\%\%\\system32\\lsadb.dll"])) Hive = 
HKLM,HKU GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects a ping command that uses a hex encoded IP address -# Author: Florian Roth (Nextron Systems) -RuleId = 1a0d4aba-7668-4365-9ce4-6d79ab088dfd -RuleName = Ping Hex IP +# Well-known DNS Exfiltration tools execution +# Author: Daniil Yugoslavskiy, oscd.community +RuleId = 98a96a5a-64a0-4c42-92c5-489da3866cb0 +RuleName = DNS Exfiltration and Tunneling Tools Execution EventType = Process.Start -Tag = proc-start-ping-hex-ip +Tag = proc-start-dns-exfiltration-and-tunneling-tools-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1140", "T1027"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\ping.exe" and Process.CommandLine like r"%0x%" +Annotation = {"mitre_attack": ["T1048.001", "T1071.004", "T1132.001"], "author": "Daniil Yugoslavskiy, oscd.community"} +Query = Process.Path like r"%\\iodine.exe" or Process.Path like r"%\\dnscat2%" [ThreatDetectionRule platform=Windows] -# Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. -# The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. -# Author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri -RuleId = 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e -RuleName = DSInternals Suspicious PowerShell Cmdlets -EventType = Process.Start -Tag = proc-start-dsinternals-suspicious-powershell-cmdlets +# Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. 
Which could be indicative of UEFI based persistence method +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f +RuleName = UEFI Persistence Via Wpbbin - FileCreation +EventType = File.Create +Tag = uefi-persistence-via-wpbbin-filecreation RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri"} -Query = Process.CommandLine like r"%Add-ADDBSidHistory%" or Process.CommandLine like r"%Add-ADNgcKey%" or Process.CommandLine like r"%Add-ADReplNgcKey%" or Process.CommandLine like r"%ConvertFrom-ADManagedPasswordBlob%" or Process.CommandLine like r"%ConvertFrom-GPPrefPassword%" or Process.CommandLine like r"%ConvertFrom-ManagedPasswordBlob%" or Process.CommandLine like r"%ConvertFrom-UnattendXmlPassword%" or Process.CommandLine like r"%ConvertFrom-UnicodePassword%" or Process.CommandLine like r"%ConvertTo-AADHash%" or Process.CommandLine like r"%ConvertTo-GPPrefPassword%" or Process.CommandLine like r"%ConvertTo-KerberosKey%" or Process.CommandLine like r"%ConvertTo-LMHash%" or Process.CommandLine like r"%ConvertTo-MsoPasswordHash%" or Process.CommandLine like r"%ConvertTo-NTHash%" or Process.CommandLine like r"%ConvertTo-OrgIdHash%" or Process.CommandLine like r"%ConvertTo-UnicodePassword%" or Process.CommandLine like r"%Disable-ADDBAccount%" or Process.CommandLine like r"%Enable-ADDBAccount%" or Process.CommandLine like r"%Get-ADDBAccount%" or Process.CommandLine like r"%Get-ADDBBackupKey%" or Process.CommandLine like r"%Get-ADDBDomainController%" or Process.CommandLine like r"%Get-ADDBGroupManagedServiceAccount%" or Process.CommandLine like r"%Get-ADDBKdsRootKey%" or Process.CommandLine like r"%Get-ADDBSchemaAttribute%" or Process.CommandLine like r"%Get-ADDBServiceAccount%" or Process.CommandLine like r"%Get-ADDefaultPasswordPolicy%" or Process.CommandLine like r"%Get-ADKeyCredential%" or Process.CommandLine like r"%Get-ADPasswordPolicy%" or 
Process.CommandLine like r"%Get-ADReplAccount%" or Process.CommandLine like r"%Get-ADReplBackupKey%" or Process.CommandLine like r"%Get-ADReplicationAccount%" or Process.CommandLine like r"%Get-ADSIAccount%" or Process.CommandLine like r"%Get-AzureADUserEx%" or Process.CommandLine like r"%Get-BootKey%" or Process.CommandLine like r"%Get-KeyCredential%" or Process.CommandLine like r"%Get-LsaBackupKey%" or Process.CommandLine like r"%Get-LsaPolicy%" or Process.CommandLine like r"%Get-SamPasswordPolicy%" or Process.CommandLine like r"%Get-SysKey%" or Process.CommandLine like r"%Get-SystemKey%" or Process.CommandLine like r"%New-ADDBRestoreFromMediaScript%" or Process.CommandLine like r"%New-ADKeyCredential%" or Process.CommandLine like r"%New-ADNgcKey%" or Process.CommandLine like r"%New-NTHashSet%" or Process.CommandLine like r"%Remove-ADDBObject%" or Process.CommandLine like r"%Save-DPAPIBlob%" or Process.CommandLine like r"%Set-ADAccountPasswordHash%" or Process.CommandLine like r"%Set-ADDBAccountPassword%" or Process.CommandLine like r"%Set-ADDBBootKey%" or Process.CommandLine like r"%Set-ADDBDomainController%" or Process.CommandLine like r"%Set-ADDBPrimaryGroup%" or Process.CommandLine like r"%Set-ADDBSysKey%" or Process.CommandLine like r"%Set-AzureADUserEx%" or Process.CommandLine like r"%Set-LsaPolicy%" or Process.CommandLine like r"%Set-SamAccountPasswordHash%" or Process.CommandLine like r"%Set-WinUserPasswordHash%" or Process.CommandLine like r"%Test-ADDBPasswordQuality%" or Process.CommandLine like r"%Test-ADPasswordQuality%" or Process.CommandLine like r"%Test-ADReplPasswordQuality%" or Process.CommandLine like r"%Test-PasswordQuality%" or Process.CommandLine like r"%Unlock-ADDBAccount%" or Process.CommandLine like r"%Write-ADNgcKey%" or Process.CommandLine like r"%Write-ADReplNgcKey%" +Annotation = {"mitre_attack": ["T1542.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path == "C:\\Windows\\System32\\wpbbin.exe" 
+GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects usage of a base64 encoded "IEX" cmdlet in a process command line -# Author: Florian Roth (Nextron Systems) -RuleId = 88f680b8-070e-402c-ae11-d2914f2257f1 -RuleName = PowerShell Base64 Encoded IEX Cmdlet +# Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument +# Author: Nasreddine Bencherchali (Nextron Systems), memory-shards +RuleId = c0b40568-b1e9-4b03-8d6c-b096da6da9ab +RuleName = Suspicious AgentExecutor PowerShell Execution EventType = Process.Start -Tag = proc-start-powershell-base64-encoded-iex-cmdlet +Tag = proc-start-suspicious-agentexecutor-powershell-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.001"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%SUVYIChb%" or Process.CommandLine like r"%lFWCAoW%" or Process.CommandLine like r"%JRVggKF%" or Process.CommandLine like r"%aWV4IChb%" or Process.CommandLine like r"%lleCAoW%" or Process.CommandLine like r"%pZXggKF%" or Process.CommandLine like r"%aWV4IChOZX%" or Process.CommandLine like r"%lleCAoTmV3%" or Process.CommandLine like r"%pZXggKE5ld%" or Process.CommandLine like r"%SUVYIChOZX%" or Process.CommandLine like r"%lFWCAoTmV3%" or Process.CommandLine like r"%JRVggKE5ld%" or Process.CommandLine like r"%SUVYKF%" or Process.CommandLine like r"%lFWChb%" or Process.CommandLine like r"%JRVgoW%" or Process.CommandLine like r"%aWV4KF%" or Process.CommandLine like r"%lleChb%" or Process.CommandLine like r"%pZXgoW%" or Process.CommandLine like r"%aWV4KE5ld%" or Process.CommandLine like r"%lleChOZX%" or Process.CommandLine like r"%pZXgoTmV3%" or Process.CommandLine like r"%SUVYKE5ld%" or Process.CommandLine like r"%lFWChOZX%" or Process.CommandLine like r"%JRVgoTmV3%" or Process.CommandLine like 
r"%SUVYKCgn%" or Process.CommandLine like r"%lFWCgoJ%" or Process.CommandLine like r"%JRVgoKC%" or Process.CommandLine like r"%aWV4KCgn%" or Process.CommandLine like r"%lleCgoJ%" or Process.CommandLine like r"%pZXgoKC%" or Process.CommandLine like r"%SQBFAFgAIAAoAFsA%" or Process.CommandLine like r"%kARQBYACAAKABbA%" or Process.CommandLine like r"%JAEUAWAAgACgAWw%" or Process.CommandLine like r"%aQBlAHgAIAAoAFsA%" or Process.CommandLine like r"%kAZQB4ACAAKABbA%" or Process.CommandLine like r"%pAGUAeAAgACgAWw%" or Process.CommandLine like r"%aQBlAHgAIAAoAE4AZQB3A%" or Process.CommandLine like r"%kAZQB4ACAAKABOAGUAdw%" or Process.CommandLine like r"%pAGUAeAAgACgATgBlAHcA%" or Process.CommandLine like r"%SQBFAFgAIAAoAE4AZQB3A%" or Process.CommandLine like r"%kARQBYACAAKABOAGUAdw%" or Process.CommandLine like r"%JAEUAWAAgACgATgBlAHcA%" +Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards"} +Query = (Process.Path like r"%\\AgentExecutor.exe" or Process.Name == "AgentExecutor.exe") and (Process.CommandLine like r"% -powershell%" or Process.CommandLine like r"% -remediationScript%") and not (Process.CommandLine like r"%C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\%" or Process.CommandLine like r"%C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\%" or Parent.Path like r"%\\Microsoft.Management.Services.IntuneWindowsAgent.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file -# Author: Florian Roth (Nextron Systems) -RuleId = cad1fe90-2406-44dc-bd03-59d0b58fe722 -RuleName = HackTool - NPPSpy Hacktool Usage +# Detects file writes of WMI script event consumer +# Author: Thomas Patzke +RuleId = 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4 +RuleName = WMI Persistence - Script Event Consumer File Write EventType = File.Create -Tag = hacktool-nppspy-hacktool-usage +Tag = 
wmi-persistence-script-event-consumer-file-write RiskScore = 75 -Annotation = {"author": "Florian Roth (Nextron Systems)"} -Query = File.Path like r"%\\NPPSpy.txt" or File.Path like r"%\\NPPSpy.dll" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1546.003"], "author": "Thomas Patzke"} +Query = Process.Path == "C:\\WINDOWS\\system32\\wbem\\scrcons.exe" [ThreatDetectionRule platform=Windows] -# Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts -# Author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior -RuleId = ce72ef99-22f1-43d4-8695-419dcb5d9330 -RuleName = Suspicious Windows Service Tampering +# Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 236d8e89-ed95-4789-a982-36f4643738ba +RuleName = Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script EventType = Process.Start -Tag = proc-start-suspicious-windows-service-tampering +Tag = proc-start-suspicious-persistence-via-vmwaretoolboxcmd.exe-vm-state-change-script RiskScore = 75 -Annotation = {"mitre_attack": ["T1489", "T1562.001"], "author": "Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior"} -Query = (Process.Name in ["net.exe", "net1.exe", "PowerShell.EXE", "psservice.exe", "pwsh.dll", "sc.exe"] or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\PsService.exe" or Process.Path like r"%\\PsService64.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\sc.exe") and (Process.CommandLine like r"% delete %" or Process.CommandLine like r"% pause %" or Process.CommandLine like r"% stop %" or 
Process.CommandLine like r"%Stop-Service %" or Process.CommandLine like r"%Remove-Service %" or Process.CommandLine like r"%config%" and Process.CommandLine like r"%start=disabled%") and (Process.CommandLine like r"%143Svc%" or Process.CommandLine like r"%Acronis VSS Provider%" or Process.CommandLine like r"%AcronisAgent%" or Process.CommandLine like r"%AcrSch2Svc%" or Process.CommandLine like r"%AdobeARMservice%" or Process.CommandLine like r"%AHS Service%" or Process.CommandLine like r"%Antivirus%" or Process.CommandLine like r"%Apache4%" or Process.CommandLine like r"%ARSM%" or Process.CommandLine like r"%aswBcc%" or Process.CommandLine like r"%AteraAgent%" or Process.CommandLine like r"%Avast Business Console Client Antivirus Service%" or Process.CommandLine like r"%avast! Antivirus%" or Process.CommandLine like r"%AVG Antivirus%" or Process.CommandLine like r"%avgAdminClient%" or Process.CommandLine like r"%AvgAdminServer%" or Process.CommandLine like r"%AVP1%" or Process.CommandLine like r"%BackupExec%" or Process.CommandLine like r"%bedbg%" or Process.CommandLine like r"%BITS%" or Process.CommandLine like r"%BrokerInfrastructure%" or Process.CommandLine like r"%CASLicenceServer%" or Process.CommandLine like r"%CASWebServer%" or Process.CommandLine like r"%Client Agent 7.60%" or Process.CommandLine like r"%Core Browsing Protection%" or Process.CommandLine like r"%Core Mail Protection%" or Process.CommandLine like r"%Core Scanning Server%" or Process.CommandLine like r"%DCAgent%" or Process.CommandLine like r"%dwmrcs%" or Process.CommandLine like r"%EhttpSr%" or Process.CommandLine like r"%ekrn%" or Process.CommandLine like r"%Enterprise Client Service%" or Process.CommandLine like r"%epag%" or Process.CommandLine like r"%EPIntegrationService%" or Process.CommandLine like r"%EPProtectedService%" or Process.CommandLine like r"%EPRedline%" or Process.CommandLine like r"%EPSecurityService%" or Process.CommandLine like r"%EPUpdateService%" or Process.CommandLine 
like r"%EraserSvc11710%" or Process.CommandLine like r"%EsgShKernel%" or Process.CommandLine like r"%ESHASRV%" or Process.CommandLine like r"%FA\_Scheduler%" or Process.CommandLine like r"%FirebirdGuardianDefaultInstance%" or Process.CommandLine like r"%FirebirdServerDefaultInstance%" or Process.CommandLine like r"%FontCache3.0.0.0%" or Process.CommandLine like r"%HealthTLService%" or Process.CommandLine like r"%hmpalertsvc%" or Process.CommandLine like r"%HMS%" or Process.CommandLine like r"%HostControllerService%" or Process.CommandLine like r"%hvdsvc%" or Process.CommandLine like r"%IAStorDataMgrSvc%" or Process.CommandLine like r"%IBMHPS%" or Process.CommandLine like r"%ibmspsvc%" or Process.CommandLine like r"%IISAdmin%" or Process.CommandLine like r"%IMANSVC%" or Process.CommandLine like r"%IMAP4Svc%" or Process.CommandLine like r"%instance2%" or Process.CommandLine like r"%KAVFS%" or Process.CommandLine like r"%KAVFSGT%" or Process.CommandLine like r"%kavfsslp%" or Process.CommandLine like r"%KeyIso%" or Process.CommandLine like r"%klbackupdisk%" or Process.CommandLine like r"%klbackupflt%" or Process.CommandLine like r"%klflt%" or Process.CommandLine like r"%klhk%" or Process.CommandLine like r"%KLIF%" or Process.CommandLine like r"%klim6%" or Process.CommandLine like r"%klkbdflt%" or Process.CommandLine like r"%klmouflt%" or Process.CommandLine like r"%klnagent%" or Process.CommandLine like r"%klpd%" or Process.CommandLine like r"%kltap%" or Process.CommandLine like r"%KSDE1.0.0%" or Process.CommandLine like r"%LogProcessorService%" or Process.CommandLine like r"%M8EndpointAgent%" or Process.CommandLine like r"%macmnsvc%" or Process.CommandLine like r"%masvc%" or Process.CommandLine like r"%MBAMService%" or Process.CommandLine like r"%MBCloudEA%" or Process.CommandLine like r"%MBEndpointAgent%" or Process.CommandLine like r"%McAfeeDLPAgentService%" or Process.CommandLine like r"%McAfeeEngineService%" or Process.CommandLine like r"%MCAFEEEVENTPARSERSRV%" or 
Process.CommandLine like r"%McAfeeFramework%" or Process.CommandLine like r"%MCAFEETOMCATSRV530%" or Process.CommandLine like r"%McShield%" or Process.CommandLine like r"%McTaskManager%" or Process.CommandLine like r"%mfefire%" or Process.CommandLine like r"%mfemms%" or Process.CommandLine like r"%mfevto%" or Process.CommandLine like r"%mfevtp%" or Process.CommandLine like r"%mfewc%" or Process.CommandLine like r"%MMS%" or Process.CommandLine like r"%mozyprobackup%" or Process.CommandLine like r"%mpssvc%" or Process.CommandLine like r"%MSComplianceAudit%" or Process.CommandLine like r"%MSDTC%" or Process.CommandLine like r"%MsDtsServer%" or Process.CommandLine like r"%MSExchange%" or Process.CommandLine like r"%msftesq1SPROO%" or Process.CommandLine like r"%msftesql$PROD%" or Process.CommandLine like r"%msftesql$SQLEXPRESS%" or Process.CommandLine like r"%MSOLAP$SQL\_2008%" or Process.CommandLine like r"%MSOLAP$SYSTEM\_BGC%" or Process.CommandLine like r"%MSOLAP$TPS%" or Process.CommandLine like r"%MSOLAP$TPSAMA%" or Process.CommandLine like r"%MSOLAPSTPS%" or Process.CommandLine like r"%MSOLAPSTPSAMA%" or Process.CommandLine like r"%mssecflt%" or Process.CommandLine like r"%MSSQ!I.SPROFXENGAGEMEHT%" or Process.CommandLine like r"%MSSQ0SHAREPOINT%" or Process.CommandLine like r"%MSSQ0SOPHOS%" or Process.CommandLine like r"%MSSQL%" or Process.CommandLine like r"%MSSQLFDLauncher$%" or Process.CommandLine like r"%MySQL%" or Process.CommandLine like r"%NanoServiceMain%" or Process.CommandLine like r"%NetMsmqActivator%" or Process.CommandLine like r"%NetPipeActivator%" or Process.CommandLine like r"%netprofm%" or Process.CommandLine like r"%NetTcpActivator%" or Process.CommandLine like r"%NetTcpPortSharing%" or Process.CommandLine like r"%ntrtscan%" or Process.CommandLine like r"%nvspwmi%" or Process.CommandLine like r"%ofcservice%" or Process.CommandLine like r"%Online Protection System%" or Process.CommandLine like r"%OracleClientCache80%" or Process.CommandLine like 
r"%OracleDBConsole%" or Process.CommandLine like r"%OracleMTSRecoveryService%" or Process.CommandLine like r"%OracleOraDb11g\_home1%" or Process.CommandLine like r"%OracleService%" or Process.CommandLine like r"%OracleVssWriter%" or Process.CommandLine like r"%osppsvc%" or Process.CommandLine like r"%PandaAetherAgent%" or Process.CommandLine like r"%PccNTUpd%" or Process.CommandLine like r"%PDVFSService%" or Process.CommandLine like r"%POP3Svc%" or Process.CommandLine like r"%postgresql-x64-9.4%" or Process.CommandLine like r"%POVFSService%" or Process.CommandLine like r"%PSUAService%" or Process.CommandLine like r"%Quick Update Service%" or Process.CommandLine like r"%RepairService%" or Process.CommandLine like r"%ReportServer%" or Process.CommandLine like r"%ReportServer$%" or Process.CommandLine like r"%RESvc%" or Process.CommandLine like r"%RpcEptMapper%" or Process.CommandLine like r"%sacsvr%" or Process.CommandLine like r"%SamSs%" or Process.CommandLine like r"%SAVAdminService%" or Process.CommandLine like r"%SAVService%" or Process.CommandLine like r"%ScSecSvc%" or Process.CommandLine like r"%SDRSVC%" or Process.CommandLine like r"%SearchExchangeTracing%" or Process.CommandLine like r"%sense%" or Process.CommandLine like r"%SentinelAgent%" or Process.CommandLine like r"%SentinelHelperService%" or Process.CommandLine like r"%SepMasterService%" or Process.CommandLine like r"%ShMonitor%" or Process.CommandLine like r"%Smcinst%" or Process.CommandLine like r"%SmcService%" or Process.CommandLine like r"%SMTPSvc%" or Process.CommandLine like r"%SNAC%" or Process.CommandLine like r"%SntpService%" or Process.CommandLine like r"%Sophos%" or Process.CommandLine like r"%SQ1SafeOLRService%" or Process.CommandLine like r"%SQL Backups%" or Process.CommandLine like r"%SQL Server%" or Process.CommandLine like r"%SQLAgent%" or Process.CommandLine like r"%SQLANYs\_Sage\_FAS\_Fixed\_Assets%" or Process.CommandLine like r"%SQLBrowser%" or Process.CommandLine like r"%SQLsafe%" 
or Process.CommandLine like r"%SQLSERVERAGENT%" or Process.CommandLine like r"%SQLTELEMETRY%" or Process.CommandLine like r"%SQLWriter%" or Process.CommandLine like r"%SSISTELEMETRY130%" or Process.CommandLine like r"%SstpSvc%" or Process.CommandLine like r"%storflt%" or Process.CommandLine like r"%svcGenericHost%" or Process.CommandLine like r"%swc\_service%" or Process.CommandLine like r"%swi\_filter%" or Process.CommandLine like r"%swi\_service%" or Process.CommandLine like r"%swi\_update%" or Process.CommandLine like r"%Symantec%" or Process.CommandLine like r"%sysmon%" or Process.CommandLine like r"%TeamViewer%" or Process.CommandLine like r"%Telemetryserver%" or Process.CommandLine like r"%ThreatLockerService%" or Process.CommandLine like r"%TMBMServer%" or Process.CommandLine like r"%TmCCSF%" or Process.CommandLine like r"%TmFilter%" or Process.CommandLine like r"%TMiCRCScanService%" or Process.CommandLine like r"%tmlisten%" or Process.CommandLine like r"%TMLWCSService%" or Process.CommandLine like r"%TmPfw%" or Process.CommandLine like r"%TmPreFilter%" or Process.CommandLine like r"%TmProxy%" or Process.CommandLine like r"%TMSmartRelayService%" or Process.CommandLine like r"%tmusa%" or Process.CommandLine like r"%Tomcat%" or Process.CommandLine like r"%Trend Micro Deep Security Manager%" or Process.CommandLine like r"%TrueKey%" or Process.CommandLine like r"%UFNet%" or Process.CommandLine like r"%UI0Detect%" or Process.CommandLine like r"%UniFi%" or Process.CommandLine like r"%UTODetect%" or Process.CommandLine like r"%vds%" or Process.CommandLine like r"%Veeam%" or Process.CommandLine like r"%VeeamDeploySvc%" or Process.CommandLine like r"%Veritas System Recovery%" or Process.CommandLine like r"%vmic%" or Process.CommandLine like r"%VMTools%" or Process.CommandLine like r"%vmvss%" or Process.CommandLine like r"%VSApiNt%" or Process.CommandLine like r"%VSS%" or Process.CommandLine like r"%W3Svc%" or Process.CommandLine like r"%wbengine%" or 
Process.CommandLine like r"%WdNisSvc%" or Process.CommandLine like r"%WeanClOudSve%" or Process.CommandLine like r"%Weems JY%" or Process.CommandLine like r"%WinDefend%" or Process.CommandLine like r"%wmms%" or Process.CommandLine like r"%wozyprobackup%" or Process.CommandLine like r"%WPFFontCache\_v0400%" or Process.CommandLine like r"%WRSVC%" or Process.CommandLine like r"%wsbexchange%" or Process.CommandLine like r"%WSearch%" or Process.CommandLine like r"%wscsvc%" or Process.CommandLine like r"%Zoolz 2 Service%") +Annotation = {"mitre_attack": ["T1059"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\VMwareToolBoxCmd.exe" or Process.Name == "toolbox-cmd.exe") and Process.CommandLine like r"% script %" and Process.CommandLine like r"% set %" and (Process.CommandLine like r"%:\\PerfLogs\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Windows\\System32\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Tasks\\%" or Process.CommandLine like r"%:\\Windows\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp%") [ThreatDetectionRule platform=Windows] -# Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato) -# Author: Florian Roth (Nextron Systems) -RuleId = e9142d84-fbe0-401d-ac50-3e519fb00c89 -RuleName = WhoAmI as Parameter -EventType = Process.Start -Tag = proc-start-whoami-as-parameter +# Detects the creation of a file that has the same name as the default LiveKD kernel memory dump. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 814ddeca-3d31-4265-8e07-8cc54fb44903 +RuleName = LiveKD Kernel Memory Dump File Created +EventType = File.Create +Tag = livekd-kernel-memory-dump-file-created RiskScore = 75 -Annotation = {"mitre_attack": ["T1033"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.CommandLine like r"%.exe whoami%" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path == "C:\\Windows\\livekd.dmp" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable. -# Author: Jonhnathan Ribeiro, oscd.community -RuleId = 99cf1e02-00fb-4c0d-8375-563f978dfd37 -RuleName = Deny Service Access Using Security Descriptor Tampering Via Sc.EXE -EventType = Process.Start -Tag = proc-start-deny-service-access-using-security-descriptor-tampering-via-sc.exe +# Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = bf344fea-d947-4ef4-9192-34d008315d3a +RuleName = Suspicious Shim Database Patching Activity +EventType = Reg.Any +Tag = suspicious-shim-database-patching-activity RiskScore = 75 -Annotation = {"mitre_attack": ["T1543.003"], "author": "Jonhnathan Ribeiro, oscd.community"} -Query = (Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and Process.CommandLine like r"%sdset%" and Process.CommandLine like r"%D;%" and (Process.CommandLine like r"%;IU%" or Process.CommandLine like r"%;SU%" or Process.CommandLine like r"%;BA%" or Process.CommandLine like r"%;SY%" or Process.CommandLine like r"%;WD%") +Annotation = {"mitre_attack": ["T1546.011"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\%" and (Reg.TargetObject like r"%\\csrss.exe" or Reg.TargetObject like r"%\\dllhost.exe" or Reg.TargetObject like r"%\\explorer.exe" or Reg.TargetObject like r"%\\RuntimeBroker.exe" or Reg.TargetObject like r"%\\services.exe" or Reg.TargetObject like r"%\\sihost.exe" or Reg.TargetObject like r"%\\svchost.exe" or Reg.TargetObject like r"%\\taskhostw.exe" or Reg.TargetObject like r"%\\winlogon.exe" or Reg.TargetObject like r"%\\WmiPrvSe.exe") +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation -# Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) -RuleId = 8202070f-edeb-4d31-a010-a26c72ac5600 -RuleName = Suspicious Process By Web Server Process +# Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. 
+# Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet. +# Author: @Kostastsale +RuleId = 023c654f-8f16-44d9-bb2b-00ff36a62af9 +RuleName = Python Function Execution Security Warning Disabled In Excel EventType = Process.Start -Tag = proc-start-suspicious-process-by-web-server-process +Tag = proc-start-python-function-execution-security-warning-disabled-in-excel RiskScore = 75 -Annotation = {"mitre_attack": ["T1505.003", "T1190"], "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\php.exe" or Parent.Path like r"%\\tomcat.exe" or Parent.Path like r"%\\UMWorkerProcess.exe" or Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\ws\_TomcatService.exe" or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%") or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.CommandLine like r"%CATALINA\_HOME%" or Parent.CommandLine like r"%catalina.home%" or Parent.CommandLine like r"%catalina.jar%")) and (Process.Path like r"%\\arp.exe" or Process.Path like r"%\\at.exe" or Process.Path like r"%\\bash.exe" or Process.Path like r"%\\bitsadmin.exe" or Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\dsget.exe" or Process.Path like r"%\\hostname.exe" or Process.Path like r"%\\nbtstat.exe" or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Path like r"%\\netdom.exe" or Process.Path like r"%\\netsh.exe" or Process.Path like r"%\\nltest.exe" or Process.Path like r"%\\ntdsutil.exe" or Process.Path like 
r"%\\powershell\_ise.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Path like r"%\\qprocess.exe" or Process.Path like r"%\\query.exe" or Process.Path like r"%\\qwinsta.exe" or Process.Path like r"%\\reg.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\sc.exe" or Process.Path like r"%\\sh.exe" or Process.Path like r"%\\wmic.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\wusa.exe") and not (Parent.Path like r"%\\java.exe" and Process.CommandLine like r"%Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt" or Parent.Path like r"%\\java.exe" and Process.CommandLine like r"%sc query%" and Process.CommandLine like r"%ADManager Plus%") -GenericProperty1 = Parent.Path -GenericProperty2 = Parent.CommandLine +Annotation = {"mitre_attack": ["T1562.001"], "author": "@Kostastsale"} +Query = Process.CommandLine like r"%\\Microsoft\\Office\\%" and Process.CommandLine like r"%\\Excel\\Security%" and Process.CommandLine like r"%PythonFunctionWarnings%" and Process.CommandLine like r"% 0%" [ThreatDetectionRule platform=Windows] -# Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys -# Author: frack113, Nasreddine Bencherchali (Nextron Systems) -RuleId = b7e2a8d4-74bb-4b78-adc9-3f92af2d4829 -RuleName = Reg Add Suspicious Paths +# Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators +# Author: Florian Roth (Nextron Systems) +RuleId = 51ae86a2-e2e1-4097-ad85-c46cb6851de4 +RuleName = Renamed PsExec Service Execution EventType = Process.Start -Tag = proc-start-reg-add-suspicious-paths +Tag = proc-start-renamed-psexec-service-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1112", "T1562.001"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like 
r"%\\reg.exe" or Process.Name == "reg.exe") and (Process.CommandLine like r"%\\AppDataLow\\Software\\Microsoft\\%" or Process.CommandLine like r"%\\Policies\\Microsoft\\Windows\\OOBE%" or Process.CommandLine like r"%\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon%" or Process.CommandLine like r"%\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon%" or Process.CommandLine like r"%\\CurrentControlSet\\Control\\SecurityProviders\\WDigest%" or Process.CommandLine like r"%\\Microsoft\\Windows Defender\\%") +Annotation = {"author": "Florian Roth (Nextron Systems)"} +Query = Process.Name == "psexesvc.exe" and not Process.Path == "C:\\Windows\\PSEXESVC.exe" [ThreatDetectionRule platform=Windows] -# Detect modification of the startup key to a path where a payload could be stored to be launched during startup -# Author: frack113 -RuleId = 9c226817-8dc9-46c2-a58d-66655aafd7dc -RuleName = Modify User Shell Folders Startup Value +# Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = f742bde7-9528-42e5-bd82-84f51a8387d2 +RuleName = Uncommon Microsoft Office Trusted Location Added EventType = Reg.Any -Tag = modify-user-shell-folders-startup-value +Tag = uncommon-microsoft-office-trusted-location-added RiskScore = 75 -Annotation = {"mitre_attack": ["T1547.001"], "author": "frack113"} -Query = Reg.TargetObject like r"%SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders%" and Reg.TargetObject like r"%Startup" +Annotation = {"mitre_attack": ["T1112"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%Security\\Trusted Locations\\Location%" and Reg.TargetObject like r"%\\Path" and not (Process.Path like r"%:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\%" and Process.Path like r"%\\OfficeClickToRun.exe" or Process.Path like r"%:\\Program Files\\Microsoft Office\\%" or Process.Path like r"%:\\Program Files (x86)\\Microsoft Office\\%") and not (Reg.Value.Data like r"%\%APPDATA\%\\Microsoft\\Templates%" or Reg.Value.Data like r"%\%\%APPDATA\%\%\\Microsoft\\Templates%" or Reg.Value.Data like r"%\%APPDATA\%\\Microsoft\\Word\\Startup%" or Reg.Value.Data like r"%\%\%APPDATA\%\%\\Microsoft\\Word\\Startup%" or Reg.Value.Data like r"%:\\Program Files (x86)\\Microsoft Office\\root\\Templates\\%" or Reg.Value.Data like r"%:\\Program Files\\Microsoft Office (x86)\\Templates%" or Reg.Value.Data like r"%:\\Program Files\\Microsoft Office\\root\\Templates\\%" or Reg.Value.Data like r"%:\\Program Files\\Microsoft Office\\Templates\\%") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects certain command line parameters often used during reconnaissance activity via web shells -# Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson -RuleId = bed2a484-9348-4143-8a8a-b801c979301c 
-RuleName = Webshell Detection With Command Line Keywords +# Detects execution of regsvr32 where the DLL is located in a highly suspicious locations +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 327ff235-94eb-4f06-b9de-aaee571324be +RuleName = Regsvr32 Execution From Highly Suspicious Location EventType = Process.Start -Tag = proc-start-webshell-detection-with-command-line-keywords +Tag = proc-start-regsvr32-execution-from-highly-suspicious-location RiskScore = 75 -Annotation = {"mitre_attack": ["T1505.003", "T1018", "T1033", "T1087"], "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson"} -Query = (Parent.Path like r"%\\w3wp.exe" or Parent.Path like r"%\\php-cgi.exe" or Parent.Path like r"%\\nginx.exe" or Parent.Path like r"%\\httpd.exe" or Parent.Path like r"%\\caddy.exe" or Parent.Path like r"%\\ws\_tomcatservice.exe" or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Parent.Path like r"%-tomcat-%" or Parent.Path like r"%\\tomcat%") or (Parent.Path like r"%\\java.exe" or Parent.Path like r"%\\javaw.exe") and (Process.CommandLine like r"%catalina.jar%" or Process.CommandLine like r"%CATALINA\_HOME%")) and ((Process.Name in ["net.exe", "net1.exe"]) and (Process.CommandLine like r"% user %" or Process.CommandLine like r"% use %" or Process.CommandLine like r"% group %") or Process.Name == "ping.exe" and Process.CommandLine like r"% -n %" or Process.CommandLine like r"%&cd&echo%" or Process.CommandLine like r"%cd /d %" or Process.Name == "wmic.exe" and Process.CommandLine like r"% /node:%" or (Process.Path like r"%\\cmd.exe" or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (Process.CommandLine like r"% -enc %" or Process.CommandLine like r"% -EncodedCommand %" or Process.CommandLine like r"% -w hidden %" or Process.CommandLine like r"% -windowstyle hidden%" or Process.CommandLine like r"%.WebClient).Download%") or 
Process.Path like r"%\\dsquery.exe" or Process.Path like r"%\\find.exe" or Process.Path like r"%\\findstr.exe" or Process.Path like r"%\\ipconfig.exe" or Process.Path like r"%\\netstat.exe" or Process.Path like r"%\\nslookup.exe" or Process.Path like r"%\\pathping.exe" or Process.Path like r"%\\quser.exe" or Process.Path like r"%\\schtasks.exe" or Process.Path like r"%\\systeminfo.exe" or Process.Path like r"%\\tasklist.exe" or Process.Path like r"%\\tracert.exe" or Process.Path like r"%\\ver.exe" or Process.Path like r"%\\wevtutil.exe" or Process.Path like r"%\\whoami.exe" or Process.Name in ["dsquery.exe", "find.exe", "findstr.exe", "ipconfig.exe", "netstat.exe", "nslookup.exe", "pathping.exe", "quser.exe", "schtasks.exe", "sysinfo.exe", "tasklist.exe", "tracert.exe", "ver.exe", "VSSADMIN.EXE", "wevtutil.exe", "whoami.exe"] or Process.CommandLine like r"% Test-NetConnection %" or Process.CommandLine like r"%dir \\%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1218.010"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\regsvr32.exe" or Process.Name == "REGSVR32.EXE") and (Process.CommandLine like r"%:\\PerfLogs\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%\\Windows\\Registration\\CRMLog%" or Process.CommandLine like r"%\\Windows\\System32\\com\\dmp\\%" or Process.CommandLine like r"%\\Windows\\System32\\FxsTmp\\%" or Process.CommandLine like r"%\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\%" or Process.CommandLine like r"%\\Windows\\System32\\spool\\drivers\\color\\%" or Process.CommandLine like r"%\\Windows\\System32\\spool\\PRINTERS\\%" or Process.CommandLine like r"%\\Windows\\System32\\spool\\SERVERS\\%" or Process.CommandLine like r"%\\Windows\\System32\\Tasks\_Migrated\\%" or Process.CommandLine like r"%\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Process.CommandLine like r"%\\Windows\\SysWOW64\\com\\dmp\\%" or Process.CommandLine 
like r"%\\Windows\\SysWOW64\\FxsTmp\\%" or Process.CommandLine like r"%\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\%" or Process.CommandLine like r"%\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\%" or Process.CommandLine like r"%\\Windows\\Tasks\\%" or Process.CommandLine like r"%\\Windows\\Tracing\\%" or (Process.CommandLine like r"% \"C:\\%" or Process.CommandLine like r"% C:\\%" or Process.CommandLine like r"% 'C:\\%" or Process.CommandLine like r"%D:\\%") and not (Process.CommandLine like r"%C:\\Program Files (x86)\\%" or Process.CommandLine like r"%C:\\Program Files\\%" or Process.CommandLine like r"%C:\\ProgramData\\%" or Process.CommandLine like r"%C:\\Users\\%" or Process.CommandLine like r"% C:\\Windows\\%" or Process.CommandLine like r"% \"C:\\Windows\\%" or Process.CommandLine like r"% 'C:\\Windows\\%")) and not (Process.CommandLine == "" or isnull(Process.CommandLine)) [ThreatDetectionRule platform=Windows] -# Detects the creation of a office macro file from a a suspicious process -# Author: frack113, Nasreddine Bencherchali (Nextron Systems) -RuleId = b1c50487-1967-4315-a026-6491686d860e -RuleName = Office Macro File Creation From Suspicious Process +# Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. 
+# Author: Florian Roth (Nextron Systems) +RuleId = df55196f-f105-44d3-a675-e9dfb6cc2f2b +RuleName = Renamed AdFind Execution +EventType = Process.Start +Tag = proc-start-renamed-adfind-execution +RiskScore = 75 +Annotation = {"mitre_attack": ["T1018", "T1087.002", "T1482", "T1069.002"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.CommandLine like r"%domainlist%" or Process.CommandLine like r"%trustdmp%" or Process.CommandLine like r"%dcmodes%" or Process.CommandLine like r"%adinfo%" or Process.CommandLine like r"% dclist %" or Process.CommandLine like r"%computer\_pwdnotreqd%" or Process.CommandLine like r"%objectcategory=%" or Process.CommandLine like r"%-subnets -f%" or Process.CommandLine like r"%name=\"Domain Admins\"%" or Process.CommandLine like r"%-sc u:%" or Process.CommandLine like r"%domainncs%" or Process.CommandLine like r"%dompol%" or Process.CommandLine like r"% oudmp %" or Process.CommandLine like r"%subnetdmp%" or Process.CommandLine like r"%gpodmp%" or Process.CommandLine like r"%fspdmp%" or Process.CommandLine like r"%users\_noexpire%" or Process.CommandLine like r"%computers\_active%" or Process.CommandLine like r"%computers\_pwdnotreqd%" or Process.Hashes like r"%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%" or Process.Hashes like r"%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%" or Process.Name == "AdFind.exe") and not Process.Path like r"%\\AdFind.exe" +GenericProperty1 = Process.Hashes + + +[ThreatDetectionRule platform=Windows] +# Detects the creation of files with an executable or script extension by an Office application. 
+# Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) +RuleId = c7a74c80-ba5a-486e-9974-ab9e682bc5e4 +RuleName = File With Uncommon Extension Created By An Office Application EventType = File.Create -Tag = office-macro-file-creation-from-suspicious-process +Tag = file-with-uncommon-extension-created-by-an-office-application RiskScore = 75 -Annotation = {"mitre_attack": ["T1566.001"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\wscript.exe" or Parent.Path like r"%\\cscript.exe" or Parent.Path like r"%\\mshta.exe" or Parent.Path like r"%\\regsvr32.exe" or Parent.Path like r"%\\rundll32.exe" or Parent.Path like r"%\\wscript.exe") and (File.Path like r"%.docm" or File.Path like r"%.dotm" or File.Path like r"%.xlsm" or File.Path like r"%.xltm" or File.Path like r"%.potm" or File.Path like r"%.pptm") -GenericProperty1 = Parent.Path -GenericProperty2 = File.Path +Annotation = {"mitre_attack": ["T1204.002"], "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\excel.exe" or Process.Path like r"%\\msaccess.exe" or Process.Path like r"%\\mspub.exe" or Process.Path like r"%\\powerpnt.exe" or Process.Path like r"%\\visio.exe" or Process.Path like r"%\\winword.exe") and (File.Path like r"%.bat" or File.Path like r"%.cmd" or File.Path like r"%.com" or File.Path like r"%.dll" or File.Path like r"%.exe" or File.Path like r"%.hta" or File.Path like r"%.ocx" or File.Path like r"%.proj" or File.Path like r"%.ps1" or File.Path like r"%.scf" or File.Path like r"%.scr" or File.Path like r"%.sys" or File.Path like r"%.vbe" or File.Path like r"%.vbs" or File.Path like r"%.wsf" or File.Path like r"%.wsh") and not (File.Path like 
r"%\\AppData\\Local\\assembly\\tmp\\%" and File.Path like r"%.dll") and not (File.Path like r"%C:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Microsoft\\Office\\%" and File.Path like r"%\\WebServiceCache\\AllUsers%" and File.Path like r"%.com" or Process.Path like r"%\\winword.exe" and File.Path like r"%\\AppData\\Local\\Temp\\webexdelta\\%" and (File.Path like r"%.dll" or File.Path like r"%.exe")) +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of a renamed version of the Plink binary -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 1c12727d-02bf-45ff-a9f3-d49806a3cf43 -RuleName = Renamed Plink Execution +# Detects various execution patterns of the CrackMapExec pentesting framework +# Author: Thomas Patzke +RuleId = 058f4380-962d-40a5-afce-50207d36d7e2 +RuleName = HackTool - CrackMapExec Execution Patterns EventType = Process.Start -Tag = proc-start-renamed-plink-execution +Tag = proc-start-hacktool-crackmapexec-execution-patterns RiskScore = 75 -Annotation = {"mitre_attack": ["T1036"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Name == "Plink" or Process.CommandLine like r"% -l forward%" and Process.CommandLine like r"% -P %" and Process.CommandLine like r"% -R %") and not Process.Path like r"%\\plink.exe" +Annotation = {"mitre_attack": ["T1047", "T1053", "T1059.003", "T1059.001"], "author": "Thomas Patzke"} +Query = Process.CommandLine like r"%cmd.exe /Q /c % 1> \\\\%\\%\\% 2>&1%" or Process.CommandLine like r"%cmd.exe /C % > \\\\%\\%\\% 2>&1%" or Process.CommandLine like r"%cmd.exe /C % > %\\Temp\\% 2>&1%" or Process.CommandLine like r"%powershell.exe -exec bypass -noni -nop -w 1 -C \"%" or Process.CommandLine like r"%powershell.exe -noni -nop -w 1 -enc %" [ThreatDetectionRule platform=Windows] -# Detects suspicious and uncommon child processes of WmiPrvSE -# Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) -RuleId = 
8a582fe2-0882-4b89-a82a-da6b2dc32937 -RuleName = Suspicious WmiPrvSE Child Process +# Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = efec536f-72e8-4656-8960-5e85d091345b +RuleName = Set Suspicious Files as System Files Using Attrib.EXE EventType = Process.Start -Tag = proc-start-suspicious-wmiprvse-child-process +Tag = proc-start-set-suspicious-files-as-system-files-using-attrib.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1047", "T1204.002", "T1218.010"], "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)"} -Query = Parent.Path like r"%\\wbem\\WmiPrvSE.exe" and (Process.Path like r"%\\certutil.exe" or Process.Path like r"%\\cscript.exe" or Process.Path like r"%\\mshta.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\regsvr32.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\verclsid.exe" or Process.Path like r"%\\wscript.exe" or Process.Path like r"%\\cmd.exe" and (Process.CommandLine like r"%cscript%" or Process.CommandLine like r"%mshta%" or Process.CommandLine like r"%powershell%" or Process.CommandLine like r"%pwsh%" or Process.CommandLine like r"%regsvr32%" or Process.CommandLine like r"%rundll32%" or Process.CommandLine like r"%wscript%")) and not (Process.Path like r"%\\WerFault.exe" or Process.Path like r"%\\WmiPrvSE.exe" or Process.Path like r"%\\msiexec.exe" and Process.CommandLine like r"%/i %") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1564.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\attrib.exe" or Process.Name == "ATTRIB.EXE") and Process.CommandLine like r"% +s%" and (Process.CommandLine like r"% \%%" 
or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\AppData\\Local\\%" or Process.CommandLine like r"%\\ProgramData\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%") and (Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.exe%" or Process.CommandLine like r"%.hta%" or Process.CommandLine like r"%.ps1%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.vbs%") and not (Process.CommandLine like r"%\\Windows\\TEMP\\%" and Process.CommandLine like r"%.exe%") [ThreatDetectionRule platform=Windows] -# Detects usage of bitsadmin downloading a file to a suspicious target folder -# Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -RuleId = 2ddef153-167b-4e89-86b6-757a9e65dcac -RuleName = File Download Via Bitsadmin To A Suspicious Target Folder +# The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule. 
+# Author: Thomas Patzke +RuleId = 6f8b3439-a203-45dc-a88b-abf57ea15ccf +RuleName = HackTool - CrackMapExec PowerShell Obfuscation EventType = Process.Start -Tag = proc-start-file-download-via-bitsadmin-to-a-suspicious-target-folder +Tag = proc-start-hacktool-crackmapexec-powershell-obfuscation RiskScore = 75 -Annotation = {"mitre_attack": ["T1197", "T1036.003"], "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\bitsadmin.exe" or Process.Name == "bitsadmin.exe") and (Process.CommandLine like r"% /transfer %" or Process.CommandLine like r"% /create %" or Process.CommandLine like r"% /addfile %") and (Process.CommandLine like r"%:\\Perflogs%" or Process.CommandLine like r"%:\\ProgramData\\%" or Process.CommandLine like r"%:\\Temp\\%" or Process.CommandLine like r"%:\\Users\\Public\\%" or Process.CommandLine like r"%:\\Windows\\%" or Process.CommandLine like r"%\\AppData\\Local\\Temp\\%" or Process.CommandLine like r"%\\AppData\\Roaming\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\%ProgramData\%%" or Process.CommandLine like r"%\%public\%%") +Annotation = {"mitre_attack": ["T1059.001", "T1027.005"], "author": "Thomas Patzke"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and (Process.CommandLine like r"%join%split%" or Process.CommandLine like r"%( $ShellId[1]+$ShellId[13]+'x')%" or Process.CommandLine like r"%( $PSHome[%]+$PSHOME[%]+%" or Process.CommandLine like r"%( $env:Public[13]+$env:Public[5]+'x')%" or Process.CommandLine like r"%( $env:ComSpec[4,%,25]-Join'')%" or Process.CommandLine like r"%[1,3]+'x'-Join'')%") [ThreatDetectionRule platform=Windows] -# Files with well-known filenames (sensitive files with credential data) copying -# Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community -RuleId = e7be6119-fc37-43f0-ad4f-1f3f99be2f9f -RuleName = Copying 
Sensitive Files with Credential Data +# Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. +# Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) +RuleId = c86500e9-a645-4680-98d7-f882c70c1ea3 +RuleName = AADInternals PowerShell Cmdlets Execution - ProccessCreation EventType = Process.Start -Tag = proc-start-copying-sensitive-files-with-credential-data +Tag = proc-start-aadinternals-powershell-cmdlets-execution-proccesscreation RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.002", "T1003.003"], "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community"} -Query = (Process.Path like r"%\\esentutl.exe" or Process.Name == "\\esentutl.exe") and (Process.CommandLine like r"%vss%" or Process.CommandLine like r"% -m %" or Process.CommandLine like r"% /m %" or Process.CommandLine like r"% –m %" or Process.CommandLine like r"% —m %" or Process.CommandLine like r"% ―m %" or Process.CommandLine like r"% -y %" or Process.CommandLine like r"% /y %" or Process.CommandLine like r"% –y %" or Process.CommandLine like r"% —y %" or Process.CommandLine like r"% ―y %") or Process.CommandLine like r"%\\config\\RegBack\\sam%" or Process.CommandLine like r"%\\config\\RegBack\\security%" or Process.CommandLine like r"%\\config\\RegBack\\system%" or Process.CommandLine like r"%\\config\\sam%" or Process.CommandLine like r"%\\config\\security%" or Process.CommandLine like r"%\\config\\system %" or Process.CommandLine like r"%\\repair\\sam%" or Process.CommandLine like r"%\\repair\\security%" or Process.CommandLine like r"%\\repair\\system%" or Process.CommandLine like r"%\\windows\\ntds\\ntds.dit%" +Annotation = {"author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)"} +Query = (Process.Path like r"%\\powershell.exe" or 
Process.Path like r"%\\powershell\_ise.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.Exe", "pwsh.dll"]) and (Process.CommandLine like r"%Add-AADInt%" or Process.CommandLine like r"%ConvertTo-AADInt%" or Process.CommandLine like r"%Disable-AADInt%" or Process.CommandLine like r"%Enable-AADInt%" or Process.CommandLine like r"%Export-AADInt%" or Process.CommandLine like r"%Find-AADInt%" or Process.CommandLine like r"%Get-AADInt%" or Process.CommandLine like r"%Grant-AADInt%" or Process.CommandLine like r"%Initialize-AADInt%" or Process.CommandLine like r"%Install-AADInt%" or Process.CommandLine like r"%Invoke-AADInt%" or Process.CommandLine like r"%Join-AADInt%" or Process.CommandLine like r"%New-AADInt%" or Process.CommandLine like r"%Open-AADInt%" or Process.CommandLine like r"%Read-AADInt%" or Process.CommandLine like r"%Register-AADInt%" or Process.CommandLine like r"%Remove-AADInt%" or Process.CommandLine like r"%Reset-AADInt%" or Process.CommandLine like r"%Resolve-AADInt%" or Process.CommandLine like r"%Restore-AADInt%" or Process.CommandLine like r"%Save-AADInt%" or Process.CommandLine like r"%Search-AADInt%" or Process.CommandLine like r"%Send-AADInt%" or Process.CommandLine like r"%Set-AADInt%" or Process.CommandLine like r"%Start-AADInt%" or Process.CommandLine like r"%Unprotect-AADInt%" or Process.CommandLine like r"%Update-AADInt%") [ThreatDetectionRule platform=Windows] -# Detects potentially suspicious file downloads directly from IP addresses using Wget.exe +# Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35 -RuleName = Suspicious File Download From IP Via Wget.EXE +RuleId = f11f2808-adb4-46c0-802a-8660db50fa99 +RuleName = ImagingDevices Unusual Parent/Child Processes EventType = Process.Start -Tag = 
proc-start-suspicious-file-download-from-ip-via-wget.exe +Tag = proc-start-imagingdevices-unusual-parent/child-processes RiskScore = 75 Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\wget.exe" or Process.Name == "wget.exe") and Process.CommandLine regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and Process.CommandLine like r"%http%" and (Process.CommandLine regex "\\s-O\\s" or Process.CommandLine like r"%--output-document%") and (Process.CommandLine like r"%.ps1" or Process.CommandLine like r"%.ps1'" or Process.CommandLine like r"%.ps1\"" or Process.CommandLine like r"%.dat" or Process.CommandLine like r"%.dat'" or Process.CommandLine like r"%.dat\"" or Process.CommandLine like r"%.msi" or Process.CommandLine like r"%.msi'" or Process.CommandLine like r"%.msi\"" or Process.CommandLine like r"%.bat" or Process.CommandLine like r"%.bat'" or Process.CommandLine like r"%.bat\"" or Process.CommandLine like r"%.exe" or Process.CommandLine like r"%.exe'" or Process.CommandLine like r"%.exe\"" or Process.CommandLine like r"%.vbs" or Process.CommandLine like r"%.vbs'" or Process.CommandLine like r"%.vbs\"" or Process.CommandLine like r"%.vbe" or Process.CommandLine like r"%.vbe'" or Process.CommandLine like r"%.vbe\"" or Process.CommandLine like r"%.hta" or Process.CommandLine like r"%.hta'" or Process.CommandLine like r"%.hta\"" or Process.CommandLine like r"%.dll" or Process.CommandLine like r"%.dll'" or Process.CommandLine like r"%.dll\"" or Process.CommandLine like r"%.psm1" or Process.CommandLine like r"%.psm1'" or Process.CommandLine like r"%.psm1\"") +Query = (Parent.Path like r"%\\WmiPrvSE.exe" or Parent.Path like r"%\\svchost.exe" or Parent.Path like r"%\\dllhost.exe") and Process.Path like r"%\\ImagingDevices.exe" or Parent.Path like r"%\\ImagingDevices.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects when a program changes the default file association of any 
extension to an executable. -# When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. +# Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script # Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = ae6f14e6-14de-45b0-9f44-c0986f50dc89 -RuleName = Change Default File Association To Executable Via Assoc +RuleId = caf201a9-c2ce-4a26-9c3a-2b9525413711 +RuleName = Potentially Suspicious Call To Win32_NTEventlogFile Class EventType = Process.Start -Tag = proc-start-change-default-file-association-to-executable-via-assoc +Tag = proc-start-potentially-suspicious-call-to-win32_nteventlogfile-class RiskScore = 75 -Annotation = {"mitre_attack": ["T1546.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%assoc %" and Process.CommandLine like r"%exefile%" and not Process.CommandLine like r"%.exe=exefile%" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Process.CommandLine like r"%Win32\_NTEventlogFile%" and (Process.CommandLine like r"%.BackupEventlog(%" or Process.CommandLine like r"%.ChangeSecurityPermissions(%" or Process.CommandLine like r"%.ChangeSecurityPermissionsEx(%" or Process.CommandLine like r"%.ClearEventLog(%" or Process.CommandLine like r"%.Delete(%" or Process.CommandLine like r"%.DeleteEx(%" or Process.CommandLine like r"%.Rename(%" or Process.CommandLine like r"%.TakeOwnerShip(%" or Process.CommandLine 
like r"%.TakeOwnerShipEx(%") [ThreatDetectionRule platform=Windows] -# Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials. -# Author: Florian Roth (Nextron Systems) -RuleId = a5a2d357-1ab8-4675-a967-ef9990a59391 -RuleName = LSASS Process Memory Dump Files -EventType = File.Create -Tag = lsass-process-memory-dump-files +# Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities +# Author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior +RuleId = 9ac94dc8-9042-493c-ba45-3b5e7c86b980 +RuleName = Disable Important Scheduled Task +EventType = Process.Start +Tag = proc-start-disable-important-scheduled-task RiskScore = 75 -Annotation = {"mitre_attack": ["T1003.001"], "author": "Florian Roth (Nextron Systems)"} -Query = File.Path like r"%\\Andrew.dmp" or File.Path like r"%\\Coredump.dmp" or File.Path like r"%\\lsass.dmp" or File.Path like r"%\\lsass.rar" or File.Path like r"%\\lsass.zip" or File.Path like r"%\\NotLSASS.zip" or File.Path like r"%\\PPLBlade.dmp" or File.Path like r"%\\rustive.dmp" or File.Path like r"%\\lsass\_2%" or File.Path like r"%\\lsassdmp%" or File.Path like r"%\\lsassdump%" or File.Path like r"%\\lsass%" and File.Path like r"%.dmp%" or File.Path like r"%SQLDmpr%" and File.Path like r"%.mdmp" or (File.Path like r"%\\nanodump%" or File.Path like r"%\\proc\_%") and File.Path like r"%.dmp" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1489"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior"} +Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/Change%" and Process.CommandLine like r"%/TN%" and Process.CommandLine like r"%/disable%" and (Process.CommandLine like r"%\\Windows\\BitLocker%" or Process.CommandLine like r"%\\Windows\\ExploitGuard%" or Process.CommandLine like 
r"%\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh%" or Process.CommandLine like r"%\\Windows\\SystemRestore\\SR%" or Process.CommandLine like r"%\\Windows\\UpdateOrchestrator\\%" or Process.CommandLine like r"%\\Windows\\Windows Defender\\%" or Process.CommandLine like r"%\\Windows\\WindowsBackup\\%" or Process.CommandLine like r"%\\Windows\\WindowsUpdate\\%") [ThreatDetectionRule platform=Windows] -# Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder. -# Author: @Kostastsale -RuleId = c3d76afc-93df-461e-8e67-9b2bad3f2ac4 -RuleName = File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell +# Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility +# Author: Alexander Rausch +RuleId = 95022b85-ff2a-49fa-939a-d7b8f56eeb9b +RuleName = HackTool - RedMimicry Winnti Playbook Execution EventType = Process.Start -Tag = proc-start-file-explorer-folder-opened-using-explorer-folder-shortcut-via-shell +Tag = proc-start-hacktool-redmimicry-winnti-playbook-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1135"], "author": "@Kostastsale"} -Query = (Parent.Path like r"%\\cmd.exe" or Parent.Path like r"%\\powershell.exe" or Parent.Path like r"%\\pwsh.exe") and Process.Path like r"%\\explorer.exe" and Process.CommandLine like r"%shell:mycomputerfolder%" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1106", "T1059.003", "T1218.011"], "author": "Alexander Rausch"} +Query = (Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\cmd.exe") and (Process.CommandLine like r"%gthread-3.6.dll%" or Process.CommandLine like r"%\\Windows\\Temp\\tmp.bat%" or Process.CommandLine like r"%sigcmm-2.4.dll%") [ThreatDetectionRule platform=Windows] -# Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and 
make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = efec536f-72e8-4656-8960-5e85d091345b -RuleName = Set Suspicious Files as System Files Using Attrib.EXE +# Detects suspicious command lines used in Covenant luanchers +# Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community +RuleId = c260b6db-48ba-4b4a-a76f-2f67644e99d2 +RuleName = HackTool - Covenant PowerShell Launcher EventType = Process.Start -Tag = proc-start-set-suspicious-files-as-system-files-using-attrib.exe +Tag = proc-start-hacktool-covenant-powershell-launcher RiskScore = 75 -Annotation = {"mitre_attack": ["T1564.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\attrib.exe" or Process.Name == "ATTRIB.EXE") and Process.CommandLine like r"% +s%" and (Process.CommandLine like r"% \%%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%\\AppData\\Local\\%" or Process.CommandLine like r"%\\ProgramData\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Windows\\Temp\\%") and (Process.CommandLine like r"%.bat%" or Process.CommandLine like r"%.dll%" or Process.CommandLine like r"%.exe%" or Process.CommandLine like r"%.hta%" or Process.CommandLine like r"%.ps1%" or Process.CommandLine like r"%.vbe%" or Process.CommandLine like r"%.vbs%") and not (Process.CommandLine like r"%\\Windows\\TEMP\\%" and Process.CommandLine like r"%.exe%") +Annotation = {"mitre_attack": ["T1059.001", "T1564.003"], "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community"} +Query = Process.CommandLine like r"%-Sta%" and Process.CommandLine like r"%-Nop%" and Process.CommandLine like r"%-Window%" and Process.CommandLine like r"%Hidden%" and (Process.CommandLine like r"%-Command%" or Process.CommandLine like r"%-EncodedCommand%") or Process.CommandLine 
like r"%sv o (New-Object IO.MemorySteam);sv d %" or Process.CommandLine like r"%mshta file.hta%" or Process.CommandLine like r"%GruntHTTP%" or Process.CommandLine like r"%-EncodedCommand cwB2ACAAbwAgA%" [ThreatDetectionRule platform=Windows] -# Detects command line parameters used by Koadic hack tool -# Author: wagga, Jonhnathan Ribeiro, oscd.community -RuleId = 5cddf373-ef00-4112-ad72-960ac29bac34 -RuleName = HackTool - Koadic Execution +# Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. +# RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. +# This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise +# Author: frack113 +RuleId = d6ce7ebd-260b-4323-9768-a9631c8d4db2 +RuleName = RestrictedAdminMode Registry Value Tampering +EventType = Reg.Any +Tag = restrictedadminmode-registry-value-tampering +RiskScore = 75 +Annotation = {"mitre_attack": ["T1112"], "author": "frack113"} +Query = Reg.TargetObject like r"%System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject + + +[ThreatDetectionRule platform=Windows] +# Shadow Copies storage symbolic link creation using operating systems utilities +# Author: Teymur Kheirkhabarov, oscd.community +RuleId = 40b19fa6-d835-400c-b301-41f3a2baacaf +RuleName = VolumeShadowCopy Symlink Creation Via Mklink EventType = Process.Start -Tag = proc-start-hacktool-koadic-execution +Tag = proc-start-volumeshadowcopy-symlink-creation-via-mklink RiskScore = 75 -Annotation = {"mitre_attack": ["T1059.003", "T1059.005", "T1059.007"], "author": "wagga, Jonhnathan Ribeiro, oscd.community"} -Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%/q%" and Process.CommandLine like r"%/c%" and Process.CommandLine like r"%chcp%" 
+Annotation = {"mitre_attack": ["T1003.002", "T1003.003"], "author": "Teymur Kheirkhabarov, oscd.community"} +Query = Process.CommandLine like r"%mklink%" and Process.CommandLine like r"%HarddiskVolumeShadowCopy%" [ThreatDetectionRule platform=Windows] -# Detects creation of a malicious DLL file in the location where the OneDrive or Team applications -# Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded -# Author: frack113 -RuleId = 1908fcc1-1b92-4272-8214-0fbaf2fa5163 -RuleName = Malicious DLL File Dropped in the Teams or OneDrive Folder -EventType = File.Create -Tag = malicious-dll-file-dropped-in-the-teams-or-onedrive-folder +# Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives) +# Author: Florian Roth (Nextron Systems) +RuleId = 4627c6ae-6899-46e2-aa0c-6ebcb1becd19 +RuleName = HackTool - Impacket Tools Execution +EventType = Process.Start +Tag = proc-start-hacktool-impacket-tools-execution RiskScore = 75 -Annotation = {"mitre_attack": ["T1574.002"], "author": "frack113"} -Query = File.Path like r"%iphlpapi.dll%" and File.Path like r"%\\AppData\\Local\\Microsoft%" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1557.001"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\goldenPac%" or Process.Path like r"%\\karmaSMB%" or Process.Path like r"%\\kintercept%" or Process.Path like r"%\\ntlmrelayx%" or Process.Path like r"%\\rpcdump%" or Process.Path like r"%\\samrdump%" or Process.Path like r"%\\secretsdump%" or Process.Path like r"%\\smbexec%" or Process.Path like r"%\\smbrelayx%" or Process.Path like r"%\\wmiexec%" or Process.Path like r"%\\wmipersist%" or Process.Path like r"%\\atexec\_windows.exe" or Process.Path like r"%\\dcomexec\_windows.exe" or Process.Path like r"%\\dpapi\_windows.exe" or Process.Path like r"%\\findDelegation\_windows.exe" or 
Process.Path like r"%\\GetADUsers\_windows.exe" or Process.Path like r"%\\GetNPUsers\_windows.exe" or Process.Path like r"%\\getPac\_windows.exe" or Process.Path like r"%\\getST\_windows.exe" or Process.Path like r"%\\getTGT\_windows.exe" or Process.Path like r"%\\GetUserSPNs\_windows.exe" or Process.Path like r"%\\ifmap\_windows.exe" or Process.Path like r"%\\mimikatz\_windows.exe" or Process.Path like r"%\\netview\_windows.exe" or Process.Path like r"%\\nmapAnswerMachine\_windows.exe" or Process.Path like r"%\\opdump\_windows.exe" or Process.Path like r"%\\psexec\_windows.exe" or Process.Path like r"%\\rdp\_check\_windows.exe" or Process.Path like r"%\\sambaPipe\_windows.exe" or Process.Path like r"%\\smbclient\_windows.exe" or Process.Path like r"%\\smbserver\_windows.exe" or Process.Path like r"%\\sniff\_windows.exe" or Process.Path like r"%\\sniffer\_windows.exe" or Process.Path like r"%\\split\_windows.exe" or Process.Path like r"%\\ticketer\_windows.exe" [ThreatDetectionRule platform=Windows] -# Detects the image load of vss_ps.dll by uncommon executables -# Author: Markus Neis, @markus_neis -RuleId = 333cdbe8-27bb-4246-bf82-b41a0dca4b70 -RuleName = Suspicious Volume Shadow Copy VSS_PS.dll Load +# Detects potential DLL sideloading using comctl32.dll to obtain system privileges +# Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) +RuleId = 6360757a-d460-456c-8b13-74cf0e60cceb +RuleName = Potential DLL Sideloading Via comctl32.dll EventType = Image.Load -Tag = suspicious-volume-shadow-copy-vss_ps.dll-load +Tag = potential-dll-sideloading-via-comctl32.dll RiskScore = 75 -Annotation = {"mitre_attack": ["T1490"], "author": "Markus Neis, @markus_neis"} -Query = Image.Path like r"%\\vss\_ps.dll" and not (Process.Path like r"C:\\Windows\\%" and (Process.Path like r"%\\clussvc.exe" or Process.Path like r"%\\dismhost.exe" or Process.Path like r"%\\dllhost.exe" or Process.Path like r"%\\inetsrv\\appcmd.exe" or Process.Path like 
r"%\\inetsrv\\iissetup.exe" or Process.Path like r"%\\msiexec.exe" or Process.Path like r"%\\rundll32.exe" or Process.Path like r"%\\searchindexer.exe" or Process.Path like r"%\\srtasks.exe" or Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\System32\\SystemPropertiesAdvanced.exe" or Process.Path like r"%\\taskhostw.exe" or Process.Path like r"%\\thor.exe" or Process.Path like r"%\\thor64.exe" or Process.Path like r"%\\tiworker.exe" or Process.Path like r"%\\vssvc.exe" or Process.Path like r"%\\WmiPrvSE.exe" or Process.Path like r"%\\wsmprovhost.exe") or Process.Path like r"C:\\Program Files\\%" or Process.Path like r"C:\\Program Files (x86)\\%" or Process.CommandLine like r"C:\\$WinREAgent\\Scratch\\%" and Process.CommandLine like r"%\\dismhost.exe {%" or isnull(Process.Path)) +Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)"} +Query = (Image.Path like r"C:\\Windows\\System32\\logonUI.exe.local\\%" or Image.Path like r"C:\\Windows\\System32\\werFault.exe.local\\%" or Image.Path like r"C:\\Windows\\System32\\consent.exe.local\\%" or Image.Path like r"C:\\Windows\\System32\\narrator.exe.local\\%" or Image.Path like r"C:\\windows\\system32\\wermgr.exe.local\\%") and Image.Path like r"%\\comctl32.dll" GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities +# Detects when a user installs certificates by using CertOC.exe to load the target DLL file. 
# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
-RuleName = Delete Important Scheduled Task
+RuleId = 84232095-ecca-4015-b0d7-7726507ee793
+RuleName = Suspicious DLL Loaded via CertOC.EXE
 EventType = Process.Start
-Tag = proc-start-delete-important-scheduled-task
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1489"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"%/delete%" and Process.CommandLine like r"%/tn%" and (Process.CommandLine like r"%\\Windows\\BitLocker%" or Process.CommandLine like r"%\\Windows\\ExploitGuard%" or Process.CommandLine like r"%\\Windows\\SystemRestore\\SR%" or Process.CommandLine like r"%\\Windows\\UpdateOrchestrator\\%" or Process.CommandLine like r"%\\Windows\\Windows Defender\\%" or Process.CommandLine like r"%\\Windows\\WindowsBackup\\%" or Process.CommandLine like r"%\\Windows\\WindowsUpdate\\%")
-
-
-[ThreatDetectionRule platform=Windows]
-# Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
-# Author: frack113
-RuleId = 7d9263bd-dc47-4a58-bc92-5474abab390c
-RuleName = Change Winevt Channel Access Permission Via Registry
-EventType = Reg.Any
-Tag = change-winevt-channel-access-permission-via-registry
+Tag = proc-start-suspicious-dll-loaded-via-certoc.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1562.002"], "author": "frack113"}
-Query = Reg.TargetObject like r"%\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\%" and Reg.TargetObject like r"%\\ChannelAccess" and (Reg.Value.Data like r"%(A;;0x1;;;LA)%" or Reg.Value.Data like r"%(A;;0x1;;;SY)%" or Reg.Value.Data like r"%(A;;0x5;;;BA)%") and not (Process.Path == "C:\\Windows\\servicing\\TrustedInstaller.exe" or Process.Path like r"C:\\Windows\\WinSxS\\%" and Process.Path like r"%\\TiWorker.exe")
-Hive = HKLM,HKU
-GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.Value.Data
+Annotation = {"mitre_attack": ["T1218"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\certoc.exe" or Process.Name == "CertOC.exe") and (Process.CommandLine like r"% -LoadDLL %" or Process.CommandLine like r"% /LoadDLL %" or Process.CommandLine like r"% –LoadDLL %" or Process.CommandLine like r"% —LoadDLL %" or Process.CommandLine like r"% ―LoadDLL %") and (Process.CommandLine like r"%\\Appdata\\Local\\Temp\\%" or Process.CommandLine like r"%\\Desktop\\%" or Process.CommandLine like r"%\\Downloads\\%" or Process.CommandLine like r"%\\Users\\Public\\%" or Process.CommandLine like r"%C:\\Windows\\Tasks\\%" or Process.CommandLine like r"%C:\\Windows\\Temp\\%")
 [ThreatDetectionRule platform=Windows]
-# Detects command line parameters or strings often used by crypto miners
-# Author: Florian Roth (Nextron Systems)
-RuleId = 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
-RuleName = Potential Crypto Mining Activity
+# Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 044ba588-dff4-4918-9808-3f95e8160606
+RuleName = Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
 EventType = Process.Start
-Tag = proc-start-potential-crypto-mining-activity
+Tag = proc-start-copy-.dmp/.dump-files-from-remote-share-via-cmd.exe
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1496"], "author": "Florian Roth (Nextron Systems)"}
-Query = (Process.CommandLine like r"% --cpu-priority=%" or Process.CommandLine like r"%--donate-level=0%" or Process.CommandLine like r"% -o pool.%" or Process.CommandLine like r"% --nicehash%" or Process.CommandLine like r"% --algo=rx/0 %" or Process.CommandLine like r"%stratum+tcp://%" or Process.CommandLine like r"%stratum+udp://%" or Process.CommandLine like r"%LS1kb25hdGUtbGV2ZWw9%" or Process.CommandLine like r"%0tZG9uYXRlLWxldmVsP%" or Process.CommandLine like r"%tLWRvbmF0ZS1sZXZlbD%" or Process.CommandLine like r"%c3RyYXR1bSt0Y3A6Ly%" or Process.CommandLine like r"%N0cmF0dW0rdGNwOi8v%" or Process.CommandLine like r"%zdHJhdHVtK3RjcDovL%" or Process.CommandLine like r"%c3RyYXR1bSt1ZHA6Ly%" or Process.CommandLine like r"%N0cmF0dW0rdWRwOi8v%" or Process.CommandLine like r"%zdHJhdHVtK3VkcDovL%") and not (Process.CommandLine like r"% pool.c %" or Process.CommandLine like r"% pool.o %" or Process.CommandLine like r"%gcc -%")
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%copy %" and Process.CommandLine like r"% \\\\%" and (Process.CommandLine like r"%.dmp%" or Process.CommandLine like r"%.dump%" or Process.CommandLine like r"%.hdmp%")
 [ThreatDetectionRule platform=Windows]
@@ -9641,57 +9631,67 @@ Query = Process.CommandLine like r"%\\System\\CurrentControlSet\\Control\\Lsa%"
 [ThreatDetectionRule platform=Windows]
-# Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
-# Author: frack113
-RuleId = 41d1058a-aea7-4952-9293-29eaaf516465
-RuleName = Removal Of AMSI Provider Registry Keys
+# Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
+# Author: Hieu Tran
+RuleId = 1c8e96cd-2bed-487d-9de0-b46c90cade56
+RuleName = Potential Qakbot Registry Activity
 EventType = Reg.Any
-Tag = removal-of-amsi-provider-registry-keys
+Tag = potential-qakbot-registry-activity
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1562.001"], "author": "frack113"}
-Query = Reg.EventType == "DeleteKey" and (Reg.TargetObject like r"%{2781761E-28E0-4109-99FE-B9D127C57AFE}" or Reg.TargetObject like r"%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}")
+Annotation = {"mitre_attack": ["T1112"], "author": "Hieu Tran"}
+Query = Reg.TargetObject like r"%\\Software\\firm\\soft\\Name"
 Hive = HKLM,HKU
 GenericProperty1 = Reg.TargetObject
-GenericProperty2 = Reg.EventType
 [ThreatDetectionRule platform=Windows]
-# Detects Processes accessing the camera and microphone from suspicious folder
-# Author: Den Iuzvyk
-RuleId = 62120148-6b7a-42be-8b91-271c04e281a3
-RuleName = Suspicious Camera and Microphone Access
+# Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
+# Author: frack113
+RuleId = fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
+RuleName = PowerShell Logging Disabled Via Registry Key Tampering
 EventType = Reg.Any
-Tag = suspicious-camera-and-microphone-access
+Tag = powershell-logging-disabled-via-registry-key-tampering
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1125", "T1123"], "author": "Den Iuzvyk"}
-Query = Reg.TargetObject like r"%\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\%" and Reg.TargetObject like r"%\\NonPackaged%" and (Reg.TargetObject like r"%microphone%" or Reg.TargetObject like r"%webcam%") and (Reg.TargetObject like r"%:#Windows#Temp#%" or Reg.TargetObject like r"%:#$Recycle.bin#%" or Reg.TargetObject like r"%:#Temp#%" or Reg.TargetObject like r"%:#Users#Public#%" or Reg.TargetObject like r"%:#Users#Default#%" or Reg.TargetObject like r"%:#Users#Desktop#%")
+Annotation = {"mitre_attack": ["T1564.001"], "author": "frack113"}
+Query = (Reg.TargetObject like r"%\\Microsoft\\Windows\\PowerShell\\%" or Reg.TargetObject like r"%\\Microsoft\\PowerShellCore\\%") and (Reg.TargetObject like r"%\\ModuleLogging\\EnableModuleLogging" or Reg.TargetObject like r"%\\ScriptBlockLogging\\EnableScriptBlockLogging" or Reg.TargetObject like r"%\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging" or Reg.TargetObject like r"%\\Transcription\\EnableTranscripting" or Reg.TargetObject like r"%\\Transcription\\EnableInvocationHeader" or Reg.TargetObject like r"%\\EnableScripts") and Reg.Value.Data == "DWORD (0x00000000)"
 Hive = HKLM,HKU
 GenericProperty1 = Reg.TargetObject
+GenericProperty2 = Reg.Value.Data
 [ThreatDetectionRule platform=Windows]
-# Detects loading of known malicious drivers via their hash.
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 05296024-fe8a-4baf-8f3d-9a5f5624ceb2
-RuleName = Malicious Driver Load
-EventType = Driver.Load
-Tag = malicious-driver-load
+# Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process.
+# This way we are also able to catch cases in which the attacker has renamed the procdump executable.
+# Author: Florian Roth (Nextron Systems)
+RuleId = 5afee48e-67dd-4e03-a783-f74259dcf998
+RuleName = Potential LSASS Process Dump Via Procdump
+EventType = Process.Start
+Tag = proc-start-potential-lsass-process-dump-via-procdump
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1543.003", "T1068"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Image.Hashes like r"%MD5=5be61a24f50eb4c94d98b8a82ef58dcf%" or Image.Hashes like r"%MD5=d70a80fc73dd43469934a7b1cc623c76%" or Image.Hashes like r"%MD5=3b71eab204a5f7ed77811e41fed73105%" or Image.Hashes like r"%MD5=528ce5ce19eb34f401ef024de7ddf222%" or Image.Hashes like r"%MD5=ae548418b491cd3f31618eb9e5730973%" or Image.Hashes like r"%MD5=72f53f55898548767e0276c472be41e8%" or Image.Hashes like r"%MD5=508faa4647f305a97ed7167abc4d1330%" or Image.Hashes like r"%MD5=ed2b653d55c03f0bffa250372d682b75%" or Image.Hashes like r"%MD5=0d2ba47286f1c68e87622b3a16bf9d92%" or Image.Hashes like r"%MD5=3164bd6c12dd0fe1bdf3b833d56323b9%" or Image.Hashes like r"%MD5=70fd7209ce5c013a1f9e699b5cc86cdc%" or Image.Hashes like r"%MD5=c71be7b112059d2dc84c0f952e04e6cc%" or Image.Hashes like r"%MD5=acac842a46f3501fe407b1db1b247a0b%" or Image.Hashes like r"%MD5=01c2e4d8234258451083d6ce4e8910b7%" or Image.Hashes like r"%MD5=c8541a9cef64589593e999968a0385b9%" or Image.Hashes like r"%MD5=e172a38ade3aa0a2bc1bf9604a54a3b5%" or Image.Hashes like r"%MD5=6fcf56f6ca3210ec397e55f727353c4a%" or Image.Hashes like r"%MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16%" or Image.Hashes like r"%MD5=07056573d464b0f5284f7e3acedd4a3f%" 
or Image.Hashes like r"%MD5=c7b7f1edb9bbef174e6506885561d85d%" or Image.Hashes like r"%MD5=d5918d735a23f746f0e83f724c4f26e5%" or Image.Hashes like r"%MD5=84763d8ca9fe5c3bff9667b2adf667de%" or Image.Hashes like r"%MD5=fb593b1f1f80d20fc7f4b818065c64b6%" or Image.Hashes like r"%MD5=909f3fc221acbe999483c87d9ead024a%" or Image.Hashes like r"%MD5=e29f6311ae87542b3d693c1f38e4e3ad%" or Image.Hashes like r"%MD5=aeb0801f22d71c7494e884d914446751%" or Image.Hashes like r"%MD5=3f11a94f1ac5efdd19767c6976da9ba4%" or Image.Hashes like r"%MD5=be6318413160e589080df02bb3ca6e6a%" or Image.Hashes like r"%MD5=0b311af53d2f4f77d30f1aed709db257%" or Image.Hashes like r"%MD5=d075d56dfce6b9b13484152b1ef40f93%" or Image.Hashes like r"%MD5=27384ec4c634701012a2962c30badad2%" or Image.Hashes like r"%MD5=5eb2c576597dd21a6b44557c237cf896%" or Image.Hashes like r"%MD5=f56db4eba3829c0918413b5c0b42f00f%" or Image.Hashes like r"%MD5=e27b2486aa5c256b662812b465b6036c%" or Image.Hashes like r"%MD5=db86dfd7aefbb5be6728a63461b0f5f3%" or Image.Hashes like r"%MD5=04a88f5974caa621cee18f34300fc08a%" or Image.Hashes like r"%MD5=5129d8fd53d6a4aba81657ab2aa5d243%" or Image.Hashes like r"%MD5=cd2c641788d5d125c316ed739c69bb59%" or Image.Hashes like r"%MD5=7073cd0085fcba1cd7d3568f9e6d652c%" or Image.Hashes like r"%MD5=24f0f2b4b3cdae11de1b81c537df41c7%" or Image.Hashes like r"%MD5=88bea56ae9257b40063785cf47546024%" or Image.Hashes like r"%MD5=63060b756377fce2ce4ab9d079ca732f%" or Image.Hashes like r"%MD5=50b39072d0ee9af5ef4824eca34be6e3%" or Image.Hashes like r"%MD5=57c18a8f5d1ba6d015e4d5bc698e3624%" or Image.Hashes like r"%MD5=7d26985a5048bad57d9c223362f3d55c%" or Image.Hashes like r"%MD5=ba54a0dbe2685e66e21d41b4529b3528%" or Image.Hashes like r"%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%" or Image.Hashes like r"%MD5=b52f51bbe6b49d0b475d943c29c4d4cb%" or Image.Hashes like r"%MD5=a837302307dace2a00d07202b661bce2%" or Image.Hashes like r"%MD5=78a122d926ccc371d60c861600c310f3%" or Image.Hashes like 
r"%MD5=bdb305aa0806f8b38b7ce43c927fe919%" or Image.Hashes like r"%MD5=27053e964667318e1b370150cbca9138%" or Image.Hashes like r"%MD5=6a4fbcfb44717eae2145c761c1c99b6a%" or Image.Hashes like r"%MD5=d13c1b76b4a1ca3ff5ab63678b51df6d%" or Image.Hashes like r"%MD5=6a066d2be83cf83f343d0550b0b8f206%" or Image.Hashes like r"%MD5=7108b0d4021af4c41de2c223319cd4c1%" or Image.Hashes like r"%MD5=1cd158a64f3d886357535382a6fdad75%" or Image.Hashes like r"%MD5=e939448b28a4edc81f1f974cebf6e7d2%" or Image.Hashes like r"%MD5=4198d3db44d7c4b3ba9072d258a4fc2d%" or Image.Hashes like r"%MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20%" or Image.Hashes like r"%MD5=30ca3cc19f001a8f12c619daa8c6b6e3%" or Image.Hashes like r"%MD5=fe9004353b25640f6a879e57f07122d7%" or Image.Hashes like r"%MD5=06c7fcf3523235cf52b3eee083ec07b2%" or Image.Hashes like r"%MD5=364605ad21b9275681cffef607fac273%" or Image.Hashes like r"%MD5=968ddb06af90ef83c5f20fbdd4eee62e%" or Image.Hashes like r"%MD5=ba50bd645d7c81416bb26a9d39998296%" or Image.Hashes like r"%MD5=29e03f4811b64969e48a99300978f58c%" or Image.Hashes like r"%MD5=b0770094c3c64250167b55e4db850c04%" or Image.Hashes like r"%MD5=40b968ecdbe9e967d92c5da51c390eee%" or Image.Hashes like r"%MD5=b6b530dd25c5eb66499968ec82e8791e%" or Image.Hashes like r"%MD5=f209cb0e468ca0b76d879859d5c8c54e%" or Image.Hashes like r"%MD5=76f8607fc4fb9e828d613a7214436b66%" or Image.Hashes like r"%MD5=4b058945c9f2b8d8ebc485add1101ba5%" or Image.Hashes like r"%MD5=faae7f5f69fde12303dd1c0c816b72b7%" or Image.Hashes like r"%MD5=89d294ef7fefcdf1a6ca0ab96a856f57%" or Image.Hashes like r"%MD5=ef0e1725aaf0c6c972593f860531a2ea%" or Image.Hashes like r"%MD5=bbdbffebfc753b11897de2da7c9912a5%" or Image.Hashes like r"%MD5=5ebfc0af031130ba9de1d5d3275734b3%" or Image.Hashes like r"%MD5=22949977ce5cd96ba674b403a9c81285%" or Image.Hashes like r"%MD5=77cfd3943cc34d9f5279c330cd8940bc%" or Image.Hashes like r"%MD5=311de109df18e485d4a626b5dbe19bc6%" or Image.Hashes like r"%MD5=2730cc25ad385acc7213a1261b21c12d%" or 
Image.Hashes like r"%MD5=87dc81ebe85f20c1a7970e495a778e60%" or Image.Hashes like r"%MD5=154b45f072fe844676e6970612fd39c7%" or Image.Hashes like r"%MD5=5a4fe297c7d42539303137b6d75b150d%" or Image.Hashes like r"%MD5=d6a1dd7b2c06f058b408b3613c13d413%" or Image.Hashes like r"%MD5=a6e9d6505f6d2326a8a9214667c61c67%" or Image.Hashes like r"%MD5=7fad9f2ef803496f482ce4728578a57a%" or Image.Hashes like r"%MD5=5076fba3d90e346fd17f78db0a4aa12c%" or Image.Hashes like r"%MD5=79df0eabbf2895e4e2dae15a4772868c%" or Image.Hashes like r"%MD5=14580bd59c55185115fd3abe73b016a2%" or Image.Hashes like r"%MD5=1f2888e57fdd6aee466962c25ba7d62d%" or Image.Hashes like r"%MD5=5e9231e85cecfc6141e3644fda12a734%" or Image.Hashes like r"%MD5=dc564bac7258e16627b9de0ce39fae25%" or Image.Hashes like r"%MD5=4e4c068c06331130334f23957fca9e3c%" or Image.Hashes like r"%MD5=1ee9f6326649cd23381eb9d7dfdeddf7%" or Image.Hashes like r"%MD5=4e1f656001af3677856f664e96282a6f%" or Image.Hashes like r"%MD5=36f44643178c505ea0384e0fb241e904%" or Image.Hashes like r"%MD5=6b480fac7caca2f85be9a0cfe79aedfc%" or Image.Hashes like r"%MD5=c1ab425977d467b64f437a6c5ad82b44%" or Image.Hashes like r"%MD5=fe508caa54ffeb2285d9f00df547fe4a%" or Image.Hashes like r"%MD5=d3af70287de8757cebc6f8d45bb21a20%" or Image.Hashes like r"%MD5=990b949894b7dc82a8cf1131b063cb1a%" or Image.Hashes like r"%MD5=c62209b8a5daf3f32ad876ad6cefda1b%" or Image.Hashes like r"%MD5=c159fb0f345a8771e56aab8e16927361%" or Image.Hashes like r"%MD5=19b15eeccab0752c6793f782ca665a45%" or Image.Hashes like r"%MD5=1d51029dfbd616bf121b40a0d1efeb10%" or Image.Hashes like r"%MD5=157a22689629ec876337f5f9409918d5%" or Image.Hashes like r"%MD5=3dd829fb27353622eff34be1eabb8f18%" or Image.Hashes like r"%MD5=8636fe3724f2bcba9399daffd6ef3c7e%" or Image.Hashes like r"%MD5=3d0b3e19262099ade884b75ba86ca7e8%" or Image.Hashes like r"%MD5=97539c78d6e2b5356ce79e40bcd4d570%" or Image.Hashes like r"%MD5=0308b6888e0f197db6704ca20203eee4%" or Image.Hashes like 
r"%MD5=091a6bd4880048514c5dd3bede15eba5%" or Image.Hashes like r"%MD5=7e92f98b809430622b04e88441b2eb04%" or Image.Hashes like r"%MD5=bb5bda8889d8d27ef984dbd6ad82c946%" or Image.Hashes like r"%MD5=b76aee508f68b5b6dccd6e1f66f4cf8b%" or Image.Hashes like r"%MD5=a822b9e6eedf69211013e192967bf523%" or Image.Hashes like r"%MD5=df52f8a85eb64bc69039243d9680d8e4%" or Image.Hashes like r"%MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a%" or Image.Hashes like r"%MD5=44857ca402a15ab51dc5afe47abdfa44%" or Image.Hashes like r"%MD5=f9844524fb0009e5b784c21c7bad4220%" or Image.Hashes like r"%MD5=d34b218c386bfe8b1f9c941e374418d7%" or Image.Hashes like r"%MD5=0ca010a32a9b0aeae1e46d666b83b659%" or Image.Hashes like r"%MD5=93496a436c5546156a69deb255a9fed0%" or Image.Hashes like r"%MD5=1cd5e231064e03c596e819b6ff48daf9%" or Image.Hashes like r"%MD5=70a71fe86df717ac59dbf856d7ac5789%" or Image.Hashes like r"%MD5=a33089d4e50f7d2ea8b52ca95d26ebf3%" or Image.Hashes like r"%MD5=e0cc9b415d884f85c45be145872892b8%" or Image.Hashes like r"%MD5=a42249a046182aaaf3a7a7db98bfa69d%" or Image.Hashes like r"%MD5=c5ae6ca044bd03c3506c132b033be1dc%" or Image.Hashes like r"%MD5=7ebe606acd81abf1f8cb0767c974164b%" or Image.Hashes like r"%MD5=b5dcc869a91efcc6e8ea0c3c07605d63%" or Image.Hashes like r"%MD5=62c18d61ed324088f963510bae43b831%" or Image.Hashes like r"%MD5=093a2a635c3a27aac50efd6463f4efa1%" or Image.Hashes like r"%MD5=28102acca39ad0199f262ba9958be3f4%" or Image.Hashes like r"%MD5=650ef9dd70cb192027e536754d6e0f63%" or Image.Hashes like r"%MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44%" or Image.Hashes like r"%MD5=6771b13a53b9c7449d4891e427735ea2%" or Image.Hashes like r"%MD5=072ba2309b825ce1dba37d8d924ea8ed%" or Image.Hashes like r"%MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb%" or Image.Hashes like r"%MD5=1325ec39e98225e487b40043faee8052%" or Image.Hashes like r"%MD5=4484f4007de2c3ee4581a2cff77ca3b4%" or Image.Hashes like r"%MD5=a236e7d654cd932b7d11cb604629a2d0%" or Image.Hashes like r"%MD5=17509f0a98dc5c5d52c3f9ac1428a21b%" or 
Image.Hashes like r"%MD5=840a5edf2534dd23a082cf7b28cbfc4d%" or Image.Hashes like r"%MD5=77a7ed4798d02ef6636cd0fd07fc382a%" or Image.Hashes like r"%MD5=a9df5964635ef8bd567ae487c3d214c4%" or Image.Hashes like r"%MD5=8b75047199825c8e62fdcc1c915db8bd%" or Image.Hashes like r"%MD5=d416494232c4197cb36a914df2e17677%" or Image.Hashes like r"%MD5=4cf14a96485a1270fed97bb8000e4f86%" or Image.Hashes like r"%MD5=35e512f9bedc89dca5ce81f35820714c%" or Image.Hashes like r"%MD5=40f35792e7565aa047796758a3ce1b77%" or Image.Hashes like r"%MD5=f7f31bccc9b7b2964ac85106831022b1%" or Image.Hashes like r"%MD5=26aedc10d4215ba997495d3a68355f4a%" or Image.Hashes like r"%MD5=10f3679384a03cb487bda9621ceb5f90%" or Image.Hashes like r"%MD5=80219fb6b5954c33e16bac5ecdac651b%" or Image.Hashes like r"%MD5=cee36b5c6362993fa921435979bfbe4a%" or Image.Hashes like r"%MD5=e37a08f516b8a7ca64163f5d9e68fe5a%" or Image.Hashes like r"%MD5=49518f7375a5f995ebe9423d8f19cfe4%" or Image.Hashes like r"%MD5=920df6e42cf91bbe19707f5a86e3c5c5%" or Image.Hashes like r"%MD5=2ec877e425bd7eddb663627216e3491e%" or Image.Hashes like r"%MD5=550b7991d93534bc510bc4f237155a7a%" or Image.Hashes like r"%MD5=98d53f6b3bec0a3417a04fbb9e17fa06%" or Image.Hashes like r"%MD5=13a57a4ef721440c7c9208b51f7c05de%" or Image.Hashes like r"%MD5=c5fc3605194e033bdf3781ff2adaeb61%" or Image.Hashes like r"%MD5=6e625ec04c20a9dbd48c7060efbf5e92%" or Image.Hashes like r"%MD5=0b9b78d1281c7d4ab50497cf6ea7452a%" or Image.Hashes like r"%MD5=4e906fcb13e2793c98f47291fd69391b%" or Image.Hashes like r"%MD5=2bb353891d65c9e267eb98a3a2b694c3%" or Image.Hashes like r"%MD5=7d86cdda7f49f91fdb69901a002b34e7%" or Image.Hashes like r"%MD5=f69b06ca7c34d16f26ea1c6861edf62a%" or Image.Hashes like r"%MD5=ee6b1a79cb6641aa44c762ee90786fe0%" or Image.Hashes like r"%MD5=1fc7aeeff3ab19004d2e53eae8160ab1%" or Image.Hashes like r"%MD5=24d3ea54f25e32832ac20335a1ce1062%" or Image.Hashes like r"%MD5=c94f405c5929cfcccc8ad00b42c95083%" or Image.Hashes like 
r"%MD5=b164daf106566f444dfb280d743bc2f7%" or Image.Hashes like r"%MD5=93130909e562925597110a617f05e2a9%" or Image.Hashes like r"%MD5=f589d4bf547c140b6ec8a511ea47c658%" or Image.Hashes like r"%MD5=bf445ac375977ecf551bc2a912c58e8a%" or Image.Hashes like r"%MD5=629ee55e4b5a225d048fbcd5f0a1d18b%" or Image.Hashes like r"%MD5=0023ca0ca16a62d93ef51f3df98b2f94%" or Image.Hashes like r"%MD5=a3d69c7e24300389b56782aa63b0e357%" or Image.Hashes like r"%MD5=cbd8d370462503508e44dba023bdf9bc%" or Image.Hashes like r"%MD5=67daa04716803a15fc11c9e353d77c2f%" or Image.Hashes like r"%MD5=c9d4214c850e0cedf033dc8f0cd3aace%" or Image.Hashes like r"%MD5=bd5b0514f3b40f139d8079138d01b5f6%" or Image.Hashes like r"%MD5=19bdd9b799e3c2c54c0d7fff68b31c20%" or Image.Hashes like r"%MD5=f242cffd9926c0ccf94af3bf16b6e527%" or Image.Hashes like r"%MD5=5aeab9427d85951def146b4c0a44fc63%" or Image.Hashes like r"%MD5=40170485cca576adb5266cf5b0d3b0bd%" or Image.Hashes like r"%MD5=c277c4386a78fae1b7e17eaecf4f472b%" or Image.Hashes like r"%MD5=58c37866cbc3d1338e4fc58ada924ffe%" or Image.Hashes like r"%MD5=0f16a43f7989034641fd2de3eb268bf1%" or Image.Hashes like r"%MD5=0ae30291c6cbfa7be39320badd6e8de0%" or Image.Hashes like r"%MD5=05dd59bd4f175304480affd8f1305c37%" or Image.Hashes like r"%MD5=f838f4eb36f1e7036238776c7a70f0b0%" or Image.Hashes like r"%MD5=85093bb9f027027c2c61aee50796de30%" or Image.Hashes like r"%MD5=ae338d91d1b05a72559b7f6ed717362d%" or Image.Hashes like r"%MD5=bd91787b5dcb2189b856804e85dfa1d9%" or Image.Hashes like r"%MD5=6b3c1511e12f4d27a4ea3b18020d7b84%" or Image.Hashes like r"%MD5=97264fd62d4907bdac917917a07b3b7a%" or Image.Hashes like r"%MD5=6ececf26ff8b03ed7ffbddadec9a9dab%" or Image.Hashes like r"%MD5=47e6ac52431ca47da17248d80bf71389%" or Image.Hashes like r"%MD5=eb57f03b7603f0b235af62e8cd5be8c2%" or Image.Hashes like r"%MD5=e1a9aa4c14669b1fb1f67a7266f87e82%" or Image.Hashes like r"%MD5=29047f0b7790e524b09a06852d31a117%" or Image.Hashes like r"%MD5=4dd6250eb2d368f500949952eb013964%" or 
Image.Hashes like r"%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%" or Image.Hashes like r"%MD5=844af8c877f5da723c1b82cf6e213fc1%" or Image.Hashes like r"%MD5=e39152eadd76751b1d7485231b280948%" or Image.Hashes like r"%MD5=ac6e29f535b2c42999c50d2fc32f2c9c%" or Image.Hashes like r"%MD5=2406ea37152d2154be3fef6d69ada2c6%" or Image.Hashes like r"%MD5=0ea8389589c603a8b05146bd06020597%" or Image.Hashes like r"%MD5=754e21482baf18b8b0ed0f4be462ba03%" or Image.Hashes like r"%MD5=c4a517a02ba9f6eac5cf06e3629cc076%" or Image.Hashes like r"%MD5=32282e07db321e8d7849f2287bb6a14f%" or Image.Hashes like r"%MD5=32b67a6cd6dd998b9f563ed13d54a8bc%" or Image.Hashes like r"%MD5=3359e1d4244a7d724949c63e89689ef8%" or Image.Hashes like r"%MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0%" or Image.Hashes like r"%MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6%" or Image.Hashes like r"%MD5=a90236e4962620949b720f647a91f101%" or Image.Hashes like r"%MD5=ccde8c94439f9fc9c42761e4b9a23d97%" or Image.Hashes like r"%MD5=68caf620ef8deaf06819cf8c80d3367b%" or Image.Hashes like r"%MD5=5fec28e8f4f76e5ede24beb32a32b9d7%" or Image.Hashes like r"%MD5=e8eac6642b882a6196555539149c73f2%" or Image.Hashes like r"%MD5=aa98b95f5cbae8260122de06a215ee10%" or Image.Hashes like r"%MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80%" or Image.Hashes like r"%MD5=abc168fdca7169bf9dc40cec9761018d%" or Image.Hashes like r"%MD5=7f9309f5e4defec132b622fadbcad511%" or Image.Hashes like r"%MD5=4748696211bd56c2d93c21cab91e82a5%" or Image.Hashes like r"%MD5=48394dce30bb8da5ae089cb8f41b86dc%" or Image.Hashes like r"%MD5=65f800e1112864bf41eb815649f428d5%" or Image.Hashes like r"%MD5=bd25be845c151370ff177509d95d5add%" or Image.Hashes like r"%MD5=a37ed7663073319d02f2513575a22995%" or Image.Hashes like r"%MD5=2c39f6172fbc967844cac12d7ab2fa55%" or Image.Hashes like r"%MD5=491aec2249ad8e2020f9f9b559ab68a8%" or Image.Hashes like r"%MD5=1e0eb80347e723fa31fce2abb0301d44%" or Image.Hashes like r"%MD5=a26363e7b02b13f2b8d697abb90cd5c3%" or Image.Hashes like 
r"%MD5=4118b86e490aed091b1a219dba45f332%" or Image.Hashes like r"%MD5=6d131a7462e568213b44ef69156f10a5%" or Image.Hashes like r"%MD5=10c2ea775c9e76e7774ab89e38f38287%" or Image.Hashes like r"%SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79%" or Image.Hashes like r"%SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23%" or Image.Hashes like r"%SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe%" or Image.Hashes like r"%SHA1=af42afda54d150810a60baa7987f9f09d49d1317%" or Image.Hashes like r"%SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7%" or Image.Hashes like r"%SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462%" or Image.Hashes like r"%SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7%" or Image.Hashes like r"%SHA1=e730eb971ecb493b69de2308b6412836303f733a%" or Image.Hashes like r"%SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca%" or Image.Hashes like r"%SHA1=5fef884a901e81ac173d63ade3f5c51694decf74%" or Image.Hashes like r"%SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc%" or Image.Hashes like r"%SHA1=6451522b1fb428e549976d0742df5034f8124b17%" or Image.Hashes like r"%SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a%" or Image.Hashes like r"%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%" or Image.Hashes like r"%SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166%" or Image.Hashes like r"%SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a%" or Image.Hashes like r"%SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3%" or Image.Hashes like r"%SHA1=c42178977bd7bbefe084da0129ed808cb7266204%" or Image.Hashes like r"%SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333%" or Image.Hashes like r"%SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee%" or Image.Hashes like r"%SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837%" or Image.Hashes like r"%SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf%" or Image.Hashes like r"%SHA1=7638c048af5beae44352764390deea597cc3e7b1%" or Image.Hashes like r"%SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5%" or Image.Hashes like r"%SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2%" or Image.Hashes like 
r"%SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87%" or Image.Hashes like r"%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%" or Image.Hashes like r"%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%" or Image.Hashes like r"%SHA1=505546d82aab56889a923004654b9afdec54efe6%" or Image.Hashes like r"%SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a%" or Image.Hashes like r"%SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383%" or Image.Hashes like r"%SHA1=844d7bcd1a928d340255ff42971cca6244a459bf%" or Image.Hashes like r"%SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f%" or Image.Hashes like r"%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%" or Image.Hashes like r"%SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e%" or Image.Hashes like r"%SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84%" or Image.Hashes like r"%SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285%" or Image.Hashes like r"%SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6%" or Image.Hashes like r"%SHA1=607387cc90b93d58d6c9a432340261fde846b1d9%" or Image.Hashes like r"%SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07%" or Image.Hashes like r"%SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6%" or Image.Hashes like r"%SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6%" or Image.Hashes like r"%SHA1=b8b123a413b7bccfa8433deba4f88669c969b543%" or Image.Hashes like r"%SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509%" or Image.Hashes like r"%SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22%" or Image.Hashes like r"%SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d%" or Image.Hashes like r"%SHA1=a111dc6ae5575977feba71ee69b790e056846a02%" or Image.Hashes like r"%SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3%" or Image.Hashes like r"%SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2%" or Image.Hashes like r"%SHA1=0de86ec7d7f16a3680df89256548301eed970393%" or Image.Hashes like r"%SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2%" or Image.Hashes like r"%SHA1=0883a9c54e8442a551994989db6fc694f1086d41%" or Image.Hashes like r"%SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16%" or 
Image.Hashes like r"%SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10%" or Image.Hashes like r"%SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09%" or Image.Hashes like r"%SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c%" or Image.Hashes like r"%SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39%" or Image.Hashes like r"%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%" or Image.Hashes like r"%SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f%" or Image.Hashes like r"%SHA1=994dc79255aeb662a672a1814280de73d405617a%" or Image.Hashes like r"%SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1%" or Image.Hashes like r"%SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5%" or Image.Hashes like r"%SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b%" or Image.Hashes like r"%SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61%" or Image.Hashes like r"%SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9%" or Image.Hashes like r"%SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7%" or Image.Hashes like r"%SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b%" or Image.Hashes like r"%SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd%" or Image.Hashes like r"%SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2%" or Image.Hashes like r"%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%" or Image.Hashes like r"%SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3%" or Image.Hashes like r"%SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a%" or Image.Hashes like r"%SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048%" or Image.Hashes like r"%SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f%" or Image.Hashes like r"%SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b%" or Image.Hashes like r"%SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527%" or Image.Hashes like r"%SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130%" or Image.Hashes like r"%SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d%" or Image.Hashes like r"%SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1%" or Image.Hashes like r"%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%" or Image.Hashes like 
r"%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%" or Image.Hashes like r"%SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec%" or Image.Hashes like r"%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%" or Image.Hashes like r"%SHA1=9382981b05b1fb950245313992444bfa0db5f881%" or Image.Hashes like r"%SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3%" or Image.Hashes like r"%SHA1=9c36600c2640007d3410dea8017573a113374873%" or Image.Hashes like r"%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%" or Image.Hashes like r"%SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7%" or Image.Hashes like r"%SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab%" or Image.Hashes like r"%SHA1=cb25a5125fb353496b59b910263209f273f3552d%" or Image.Hashes like r"%SHA1=a5f1b56615bdaabf803219613f43671233f2001c%" or Image.Hashes like r"%SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38%" or Image.Hashes like r"%SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7%" or Image.Hashes like r"%SHA1=632c80a3c95cf589b03812539dea59594eaefae0%" or Image.Hashes like r"%SHA1=e6966e360038be3b9d8c9b2582eba4e263796084%" or Image.Hashes like r"%SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab%" or Image.Hashes like r"%SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51%" or Image.Hashes like r"%SHA1=80e4808a7fe752cac444676dbbee174367fa2083%" or Image.Hashes like r"%SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0%" or Image.Hashes like r"%SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2%" or Image.Hashes like r"%SHA1=3825ebb0b0664b5f0789371240f65231693be37d%" or Image.Hashes like r"%SHA1=de9469a5d01fb84afd41d176f363a66e410d46da%" or Image.Hashes like r"%SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b%" or Image.Hashes like r"%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%" or Image.Hashes like r"%SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5%" or Image.Hashes like r"%SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358%" or Image.Hashes like r"%SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405%" or Image.Hashes like r"%SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8%" or 
Image.Hashes like r"%SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2%" or Image.Hashes like r"%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%" or Image.Hashes like r"%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%" or Image.Hashes like r"%SHA1=9481cd590c69544c197b4ee055056302978a7191%" or Image.Hashes like r"%SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da%" or Image.Hashes like r"%SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b%" or Image.Hashes like r"%SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5%" or Image.Hashes like r"%SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4%" or Image.Hashes like r"%SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25%" or Image.Hashes like r"%SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc%" or Image.Hashes like r"%SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457%" or Image.Hashes like r"%SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d%" or Image.Hashes like r"%SHA1=f6793243ad20359d8be40d3accac168a15a327fb%" or Image.Hashes like r"%SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1%" or Image.Hashes like r"%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%" or Image.Hashes like r"%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%" or Image.Hashes like r"%SHA1=161bae224cf184ed6c09c77fae866d42412c6d25%" or Image.Hashes like r"%SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82%" or Image.Hashes like r"%SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d%" or Image.Hashes like r"%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%" or Image.Hashes like r"%SHA1=2a202830db58d5e942e4f6609228b14095ed2cab%" or Image.Hashes like r"%SHA1=0167259abd9231c29bec32e6106ca93a13999f90%" or Image.Hashes like r"%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%" or Image.Hashes like r"%SHA1=613a9df389ad612a5187632d679da11d60f6046a%" or Image.Hashes like r"%SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514%" or Image.Hashes like r"%SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86%" or Image.Hashes like r"%SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d%" or Image.Hashes like 
r"%SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb%" or Image.Hashes like r"%SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812%" or Image.Hashes like r"%SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528%" or Image.Hashes like r"%SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3%" or Image.Hashes like r"%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%" or Image.Hashes like r"%SHA1=552730553a1dea0290710465fb8189bdd0eaad42%" or Image.Hashes like r"%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%" or Image.Hashes like r"%SHA1=07f282db28771838d0e75d6618f70d76acfe6082%" or Image.Hashes like r"%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%" or Image.Hashes like r"%SHA1=22c9da04847c26188226c3a345e2126ef00aa19e%" or Image.Hashes like r"%SHA1=43501832ce50ccaba2706be852813d51de5a900f%" or Image.Hashes like r"%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%" or Image.Hashes like r"%SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde%" or Image.Hashes like r"%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%" or Image.Hashes like r"%SHA1=928b5971a0f7525209d599e2ef15c31717047022%" or Image.Hashes like r"%SHA1=b5696e2183d9387776820ef3afa388200f08f5a6%" or Image.Hashes like r"%SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2%" or Image.Hashes like r"%SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3%" or Image.Hashes like r"%SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774%" or Image.Hashes like r"%SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945%" or Image.Hashes like r"%SHA1=064de88dbbea67c149e779aac05228e5405985c7%" or Image.Hashes like r"%SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7%" or Image.Hashes like r"%SHA1=98130128685c8640a8a8391cb4718e98dd8fe542%" or Image.Hashes like r"%SHA1=a5914161f8a885702427cf75443fb08d28d904f0%" or Image.Hashes like r"%SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad%" or Image.Hashes like r"%SHA1=fff4f28287677caabc60c8ab36786c370226588d%" or Image.Hashes like r"%SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5%" or Image.Hashes like r"%SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2%" or 
Image.Hashes like r"%SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda%" or Image.Hashes like r"%SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4%" or Image.Hashes like r"%SHA1=87e20486e804bfff393cc9ad9659858e130402a2%" or Image.Hashes like r"%SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c%" or Image.Hashes like r"%SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9%" or Image.Hashes like r"%SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a%" or Image.Hashes like r"%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%" or Image.Hashes like r"%SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b%" or Image.Hashes like r"%SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6%" or Image.Hashes like r"%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%" or Image.Hashes like r"%SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c%" or Image.Hashes like r"%SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a%" or Image.Hashes like r"%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%" or Image.Hashes like r"%SHA1=76568d987f8603339b8d1958f76de2b957811f66%" or Image.Hashes like r"%SHA1=e841c8494b715b27b33be6f800ca290628507aba%" or Image.Hashes like r"%SHA1=b555aad38df7605985462f3899572931ee126259%" or Image.Hashes like r"%SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1%" or Image.Hashes like r"%SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327%" or Image.Hashes like r"%SHA1=bb6ef5518df35d9508673d5011138add8c30fc27%" or Image.Hashes like r"%SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b%" or Image.Hashes like r"%SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307%" or Image.Hashes like r"%SHA1=34b677fba9dcab9a9016332b3332ce57f5796860%" or Image.Hashes like r"%SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d%" or Image.Hashes like r"%SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e%" or Image.Hashes like r"%SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2%" or Image.Hashes like r"%SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72%" or Image.Hashes like r"%SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5%" or Image.Hashes like 
r"%SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a%" or Image.Hashes like r"%SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef%" or Image.Hashes like r"%SHA1=18693de1487c55e374b46a7728b5bf43300d4f69%" or Image.Hashes like r"%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%" or Image.Hashes like r"%SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c%" or Image.Hashes like r"%SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5%" or Image.Hashes like r"%SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8%" or Image.Hashes like r"%SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c%" or Image.Hashes like r"%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%" or Image.Hashes like r"%SHA1=e42bd2f585c00a1d6557df405246081f89542d15%" or Image.Hashes like r"%SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9%" or Image.Hashes like r"%SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd%" or Image.Hashes like r"%SHA1=948368fe309652e8d88088d23e1df39e9c2b6649%" or Image.Hashes like r"%SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d%" or Image.Hashes like r"%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%" or Image.Hashes like r"%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%" or Image.Hashes like r"%SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d%" or Image.Hashes like r"%SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09%" or Image.Hashes like r"%SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f%" or Image.Hashes like r"%SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652%" or Image.Hashes like r"%SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad%" or Image.Hashes like r"%SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c%" or Image.Hashes like r"%SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a%" or Image.Hashes like r"%SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b%" or Image.Hashes like r"%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%" or Image.Hashes like r"%SHA1=4da007dd298723f920e194501bb49bab769dfb14%" or Image.Hashes like r"%SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a%" or Image.Hashes like r"%SHA1=221717a48ee8e2d19470579c987674f661869e17%" or 
Image.Hashes like r"%SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa%" or Image.Hashes like r"%SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56%" or Image.Hashes like r"%SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375%" or Image.Hashes like r"%SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3%" or Image.Hashes like r"%SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe%" or Image.Hashes like r"%SHA1=6d09d826581baa1817be6fbd44426db9b05f1909%" or Image.Hashes like r"%SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e%" or Image.Hashes like r"%SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631%" or Image.Hashes like r"%SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997%" or Image.Hashes like r"%SHA1=0320534df24a37a245a0b09679a5adb27018fb5f%" or Image.Hashes like r"%SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0%" or Image.Hashes like r"%SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef%" or Image.Hashes like r"%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%" or Image.Hashes like r"%SHA1=062457182ab08594c631a3f897aeb03c6097eb77%" or Image.Hashes like r"%SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25%" or Image.Hashes like r"%SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670%" or Image.Hashes like r"%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%" or Image.Hashes like r"%SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5%" or Image.Hashes like r"%SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b%" or Image.Hashes like r"%SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739%" or Image.Hashes like r"%SHA1=020580278d74d0fe741b0f786d8dca7554359997%" or Image.Hashes like r"%SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677%" or Image.Hashes like r"%SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4%" or Image.Hashes like r"%SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7%" or Image.Hashes like r"%SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d%" or Image.Hashes like r"%SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f%" or Image.Hashes like r"%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%" or Image.Hashes like 
r"%SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49%" or Image.Hashes like r"%SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e%" or Image.Hashes like r"%SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c%" or Image.Hashes like r"%SHA1=86f34eaea117f629297218a4d196b5729e72d7b9%" or Image.Hashes like r"%SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0%" or Image.Hashes like r"%SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7%" or Image.Hashes like r"%SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8%" or Image.Hashes like r"%SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb%" or Image.Hashes like r"%SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a%" or Image.Hashes like r"%SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb%" or Image.Hashes like r"%SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d%" or Image.Hashes like r"%SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2%" or Image.Hashes like r"%SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a%" or Image.Hashes like r"%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%" or Image.Hashes like r"%SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b%" or Image.Hashes like r"%SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac%" or Image.Hashes like r"%SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1%" or Image.Hashes like r"%SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76%" or Image.Hashes like r"%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%" or Image.Hashes like r"%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%" or Image.Hashes like r"%SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47%" or Image.Hashes like 
r"%SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03%" or Image.Hashes like r"%SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c%" or Image.Hashes like r"%SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553%" or Image.Hashes like r"%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%" or Image.Hashes like r"%SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330%" or Image.Hashes like r"%SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852%" or Image.Hashes like r"%SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304%" or Image.Hashes like r"%SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931%" or Image.Hashes like r"%SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d%" or Image.Hashes like r"%SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c%" or Image.Hashes like r"%SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736%" or Image.Hashes like r"%SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830%" or Image.Hashes like r"%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%" or Image.Hashes like r"%SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a%" or Image.Hashes like r"%SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a%" or Image.Hashes like r"%SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a%" or Image.Hashes like r"%SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0%" or Image.Hashes like r"%SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392%" or Image.Hashes like r"%SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd%" or Image.Hashes like r"%SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee%" or Image.Hashes like 
r"%SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01%" or Image.Hashes like r"%SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254%" or Image.Hashes like r"%SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231%" or Image.Hashes like r"%SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39%" or Image.Hashes like r"%SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d%" or Image.Hashes like r"%SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1%" or Image.Hashes like r"%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%" or Image.Hashes like r"%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%" or Image.Hashes like r"%SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50%" or Image.Hashes like r"%SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9%" or Image.Hashes like r"%SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212%" or Image.Hashes like r"%SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25%" or Image.Hashes like r"%SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09%" or Image.Hashes like r"%SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1%" or Image.Hashes like r"%SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99%" or Image.Hashes like r"%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%" or Image.Hashes like r"%SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475%" or Image.Hashes like r"%SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2%" or Image.Hashes like r"%SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c%" or Image.Hashes like r"%SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb%" or Image.Hashes like 
r"%SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db%" or Image.Hashes like r"%SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2%" or Image.Hashes like r"%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%" or Image.Hashes like r"%SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b%" or Image.Hashes like r"%SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c%" or Image.Hashes like r"%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%" or Image.Hashes like r"%SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597%" or Image.Hashes like r"%SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37%" or Image.Hashes like r"%SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4%" or Image.Hashes like r"%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%" or Image.Hashes like r"%SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a%" or Image.Hashes like r"%SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e%" or Image.Hashes like r"%SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a%" or Image.Hashes like r"%SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25%" or Image.Hashes like r"%SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be%" or Image.Hashes like r"%SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7%" or Image.Hashes like r"%SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a%" or Image.Hashes like r"%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%" or Image.Hashes like r"%SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987%" or Image.Hashes like r"%SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f%" or Image.Hashes like 
r"%SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad%" or Image.Hashes like r"%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%" or Image.Hashes like r"%SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5%" or Image.Hashes like r"%SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b%" or Image.Hashes like r"%SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa%" or Image.Hashes like r"%SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972%" or Image.Hashes like r"%SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a%" or Image.Hashes like r"%SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46%" or Image.Hashes like r"%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%" or Image.Hashes like r"%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%" or Image.Hashes like r"%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%" or Image.Hashes like r"%SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6%" or Image.Hashes like r"%SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21%" or Image.Hashes like r"%SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894%" or Image.Hashes like r"%SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd%" or Image.Hashes like r"%SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62%" or Image.Hashes like r"%SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e%" or Image.Hashes like r"%SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff%" or Image.Hashes like r"%SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b%" or Image.Hashes like r"%SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870%" or Image.Hashes like 
r"%SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640%" or Image.Hashes like r"%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%" or Image.Hashes like r"%SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd%" or Image.Hashes like r"%SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550%" or Image.Hashes like r"%SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9%" or Image.Hashes like r"%SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b%" or Image.Hashes like r"%SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c%" or Image.Hashes like r"%SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988%" or Image.Hashes like r"%SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875%" or Image.Hashes like r"%SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263%" or Image.Hashes like r"%SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4%" or Image.Hashes like r"%SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280%" or Image.Hashes like r"%SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9%" or Image.Hashes like r"%SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12%" or Image.Hashes like r"%SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe%" or Image.Hashes like r"%SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b%" or Image.Hashes like r"%SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f%" or Image.Hashes like r"%SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a%" or Image.Hashes like r"%SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719%" or Image.Hashes like r"%SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908%" or Image.Hashes like 
r"%SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de%" or Image.Hashes like r"%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%" or Image.Hashes like r"%SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a%" or Image.Hashes like r"%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%" or Image.Hashes like r"%SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653%" or Image.Hashes like r"%SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919%" or Image.Hashes like r"%SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad%" or Image.Hashes like r"%SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920%" or Image.Hashes like r"%SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77%" or Image.Hashes like r"%SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e%" or Image.Hashes like r"%SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105%" or Image.Hashes like r"%SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2%" or Image.Hashes like r"%SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa%" or Image.Hashes like r"%SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112%" or Image.Hashes like r"%SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4%" or Image.Hashes like r"%SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff%" or Image.Hashes like r"%SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3%" or Image.Hashes like r"%SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925%" or Image.Hashes like r"%SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6%" or Image.Hashes like r"%SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878%" or Image.Hashes like 
r"%SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59%" or Image.Hashes like r"%SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66%" or Image.Hashes like r"%SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280%" or Image.Hashes like r"%SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7%" or Image.Hashes like r"%SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167%" or Image.Hashes like r"%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%" or Image.Hashes like r"%SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7%" or Image.Hashes like r"%SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec%" or Image.Hashes like r"%SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620%" or Image.Hashes like r"%SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f%" or Image.Hashes like r"%SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905%" or Image.Hashes like r"%SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3%" or Image.Hashes like r"%SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b%" or Image.Hashes like r"%SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab%" or Image.Hashes like r"%SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc%" or Image.Hashes like r"%SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968%" or Image.Hashes like r"%SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28%" or Image.Hashes like r"%SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0%" or Image.Hashes like r"%SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93%" or Image.Hashes like r"%SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12%" or Image.Hashes like 
r"%SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8%" or Image.Hashes like r"%SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895%" or Image.Hashes like r"%SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3%" or Image.Hashes like r"%SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f%" or Image.Hashes like r"%SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be%" or Image.Hashes like r"%SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8%" or Image.Hashes like r"%SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f%" or Image.Hashes like r"%SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe%" or Image.Hashes like r"%SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4%" or Image.Hashes like r"%SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5%" or Image.Hashes like r"%SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af%" or Image.Hashes like r"%SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40%" or Image.Hashes like r"%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%" or Image.Hashes like r"%SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d%" or Image.Hashes like r"%SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a%" or Image.Hashes like r"%SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96%" or Image.Hashes like r"%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%" or Image.Hashes like r"%SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2%" or Image.Hashes like r"%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%" or Image.Hashes like r"%SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96%" or Image.Hashes like 
r"%SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576%" or Image.Hashes like r"%SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80%" or Image.Hashes like r"%SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266%" or Image.Hashes like r"%SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724%" or Image.Hashes like r"%SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee%" or Image.Hashes like r"%SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b%" or Image.Hashes like r"%SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f%" or Image.Hashes like r"%SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e%" or Image.Hashes like r"%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%" or Image.Hashes like r"%SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952%" or Image.Hashes like r"%SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da%" or Image.Hashes like r"%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%" or Image.Hashes like r"%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%" or Image.Hashes like r"%SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7%" or Image.Hashes like r"%SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0%" or Image.Hashes like r"%SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1%" or Image.Hashes like r"%SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9%" or Image.Hashes like r"%SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a%" or Image.Hashes like r"%SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85%" or Image.Hashes like r"%SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac%" or Image.Hashes like 
r"%SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873%" or Image.Hashes like r"%SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7%" or Image.Hashes like r"%SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38%" or Image.Hashes like r"%SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c%" or Image.Hashes like r"%SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c%" or Image.Hashes like r"%SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524%" or Image.Hashes like r"%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%" or Image.Hashes like r"%SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df%" or Image.Hashes like r"%SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601%" or Image.Hashes like r"%SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7%" or Image.Hashes like r"%SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3%" or Image.Hashes like r"%SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19%" or Image.Hashes like r"%SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55%" or Image.Hashes like r"%SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe%" or Image.Hashes like r"%SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85%" or Image.Hashes like r"%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%" or Image.Hashes like r"%SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06%" or Image.Hashes like r"%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%" or Image.Hashes like r"%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%" or Image.Hashes like r"%SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55%" or Image.Hashes like 
r"%SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778%" or Image.Hashes like r"%SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6%" or Image.Hashes like r"%SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6%" or Image.Hashes like r"%SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43%" or Image.Hashes like r"%SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3%" or Image.Hashes like r"%SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7%" or Image.Hashes like r"%SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715%" or Image.Hashes like r"%SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434%" or Image.Hashes like r"%SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0%" or Image.Hashes like r"%SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f%" or Image.Hashes like r"%SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327%" or Image.Hashes like r"%SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d%" or Image.Hashes like r"%SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021%" or Image.Hashes like r"%SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4%" or Image.Hashes like r"%SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15%" or Image.Hashes like r"%SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f%" or Image.Hashes like r"%SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2%" or Image.Hashes like r"%SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677%" or Image.Hashes like r"%SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d%" or Image.Hashes like r"%SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d%" or Image.Hashes like 
r"%SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f%" or Image.Hashes like r"%SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57%" or Image.Hashes like r"%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%" or Image.Hashes like r"%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%" or Image.Hashes like r"%SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35%" or Image.Hashes like r"%SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440%" or Image.Hashes like r"%IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7%" or Image.Hashes like r"%IMPHASH=7641a0c227f0a3a45b80bb8af43cd152%" or Image.Hashes like r"%IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c%" or Image.Hashes like r"%IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d%" or Image.Hashes like r"%IMPHASH=beceab354c66949088c9e5ed1f1ff2a4%" or Image.Hashes like r"%IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626%" or Image.Hashes like r"%IMPHASH=420625b024fba72a24025defdf95b303%" or Image.Hashes like r"%IMPHASH=65ccc2c578a984c31880b6c5e65257d3%" or Image.Hashes like r"%IMPHASH=e717abe060bc5c34925fe3120ac22f45%" or Image.Hashes like r"%IMPHASH=41113a3a832353963112b94f4635a383%" or Image.Hashes like r"%IMPHASH=3866dd9fe63de457bdbf893bf7050ddf%" or Image.Hashes like r"%IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4%" or Image.Hashes like r"%IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca%" or Image.Hashes like r"%IMPHASH=c9a6e83d931286d1604d1add8403e1e5%" or Image.Hashes like r"%IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372%" or Image.Hashes like r"%IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f%" or Image.Hashes like r"%IMPHASH=8e35c9460537092672b3c7c14bccc7e0%" or Image.Hashes like r"%IMPHASH=7bf14377888c429897eb10a85f70266c%" or Image.Hashes like r"%IMPHASH=b351627263648b1d220bb488e7ec7202%" or Image.Hashes like r"%IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a%" or Image.Hashes like r"%IMPHASH=a7bd820fa5b895fab06f20739c9f24b8%" or Image.Hashes like 
r"%IMPHASH=be0dd8b8e045356d600ee55a64d9d197%" or Image.Hashes like r"%IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8%" or Image.Hashes like r"%IMPHASH=6c8d5c79a850eecc2fb0291cebda618d%" or Image.Hashes like r"%IMPHASH=c32d9a9af7f702814e1368c689877f3a%" or Image.Hashes like r"%IMPHASH=6b387c029257f024a43a73f38afb2629%" or Image.Hashes like r"%IMPHASH=df43355c636583e56e92142dcc69cc58%" or Image.Hashes like r"%IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd%" or Image.Hashes like r"%IMPHASH=c214aac08575c139e48d04f5aee21585%" or Image.Hashes like r"%IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7%" or Image.Hashes like r"%IMPHASH=059c6bd84285f4960e767f032b33f19b%" or Image.Hashes like r"%IMPHASH=a09170ef09c55cdca9472c02cb1f2647%" or Image.Hashes like r"%IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a%" or Image.Hashes like r"%IMPHASH=0262d4147f21d681f8519ab2af79283f%" or Image.Hashes like r"%IMPHASH=832219eb71b8bdb771f1d29d27b0acf4%" or Image.Hashes like r"%IMPHASH=514298d18002920ee5a917fc34426417%" or Image.Hashes like r"%IMPHASH=26ceec6572c630bdad60c984e51b7da4%" or Image.Hashes like r"%IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90%" or Image.Hashes like r"%IMPHASH=4b47f6031c558106eee17655f8f8a32f%" or Image.Hashes like r"%IMPHASH=a6c4a7369500900fc172f9557cff22cf%" or Image.Hashes like r"%IMPHASH=3b49942ec6cef1898e97f741b2b5df8a%" or Image.Hashes like r"%IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511%" or Image.Hashes like r"%IMPHASH=27f6dc8a247a22308dd1beba5086b302%" or Image.Hashes like r"%IMPHASH=7d017945bf90936a6c40f73f91ed02c2%" or Image.Hashes like r"%IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97%" or Image.Hashes like r"%IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e%" or Image.Hashes like r"%IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9%" or Image.Hashes like r"%IMPHASH=87fd2b54ed568e2294300e164b8c46f7%" or Image.Hashes like r"%IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a%" or Image.Hashes like r"%IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff%" or Image.Hashes like r"%IMPHASH=2a008187d4a73284ddcc43f1b727b513%" or 
Image.Hashes like r"%IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127%" or Image.Hashes like r"%IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4%" or Image.Hashes like r"%IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4%" or Image.Hashes like r"%IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771%" -GenericProperty1 = Image.Hashes +Annotation = {"mitre_attack": ["T1036", "T1003.001"], "author": "Florian Roth (Nextron Systems)"} +Query = (Process.CommandLine like r"% -ma %" or Process.CommandLine like r"% /ma %" or Process.CommandLine like r"% –ma %" or Process.CommandLine like r"% —ma %" or Process.CommandLine like r"% ―ma %") and Process.CommandLine like r"% ls%" [ThreatDetectionRule platform=Windows] -# Detects various indicators of Microsoft Connection Manager Profile Installer execution -# Author: Nik Seetharaman -RuleId = b6d235fc-1d38-4b12-adbe-325f06728f37 -RuleName = CMSTP Execution Registry Event -EventType = Reg.Any -Tag = cmstp-execution-registry-event +# Detects active directory enumeration activity using known AdFind CLI flags +# Author: frack113 +RuleId = 455b9d50-15a1-4b99-853f-8d37655a4c1b +RuleName = PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE +EventType = Process.Start +Tag = proc-start-pua-suspicious-activedirectory-enumeration-via-adfind.exe RiskScore = 75 -Annotation = {"mitre_attack": ["T1218.003"], "author": "Nik Seetharaman"} -Query = Reg.TargetObject like r"%\\cmmgr32.exe%" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1087.002"], "author": "frack113"} +Query = Process.CommandLine like r"%lockoutduration%" or Process.CommandLine like r"%lockoutthreshold%" or Process.CommandLine like r"%lockoutobservationwindow%" or Process.CommandLine like r"%maxpwdage%" or Process.CommandLine like r"%minpwdage%" or Process.CommandLine like r"%minpwdlength%" or Process.CommandLine like r"%pwdhistorylength%" or Process.CommandLine like r"%pwdproperties%" or Process.CommandLine like r"%-sc admincountdmp%" or Process.CommandLine like 
r"%-sc exchaddresses%" + + +[ThreatDetectionRule platform=Windows] +# Detects REGSVR32.exe to execute DLL hosted on remote shares +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 88a87a10-384b-4ad7-8871-2f9bf9259ce5 +RuleName = Suspicious Regsvr32 Execution From Remote Share +EventType = Process.Start +Tag = proc-start-suspicious-regsvr32-execution-from-remote-share +RiskScore = 75 +Annotation = {"mitre_attack": ["T1218.010"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\regsvr32.exe" or Process.Name == "\\REGSVR32.EXE") and Process.CommandLine like r"% \\\\%" diff --git a/config/uberAgent-ESA-am-sigma-informational-macos.conf b/config/uberAgent-ESA-am-sigma-informational-macos.conf index 702d1fb6..9c6fe0c5 100644 --- a/config/uberAgent-ESA-am-sigma-informational-macos.conf +++ b/config/uberAgent-ESA-am-sigma-informational-macos.conf @@ -7,6 +7,18 @@ # sigma convert -s -f conf -p uberagent-7.3.0 -O backend_version=7.3.0 -t uberagent /home/runner/work/uberAgent-config/uberAgent-config/build/sigma-informational-macos >> uberAgent-ESA-am-sigma-informational-macos.conf # +[ThreatDetectionRule platform=MacOS] +# Detects usage of system utilities to discover files and directories +# Author: Daniil Yugoslavskiy, oscd.community +RuleId = 089dbdf6-b960-4bcc-90e3-ffc3480c20f6 +RuleName = File and Directory Discovery - MacOS +EventType = Process.Start +Tag = proc-start-file-and-directory-discovery-macos +RiskScore = 1 +Annotation = {"mitre_attack": ["T1083"], "author": "Daniil Yugoslavskiy, oscd.community"} +Query = Process.Path == "/usr/bin/file" and Process.CommandLine regex "(.){200,}" or Process.Path == "/bin/ls" and Process.CommandLine like r"%-R%" or Process.Path == "/usr/bin/find" or Process.Path == "/usr/bin/mdfind" or Process.Path == "/tree" + + [ThreatDetectionRule platform=MacOS] # Detects enumeration of local system groups # Author: Ömer Günal, Alejandro Ortuno, oscd.community 
@@ -19,6 +31,18 @@ Annotation = {"mitre_attack": ["T1069.001"], "author": "\u00d6mer G\u00fcnal, Al Query = Process.Path like r"%/dscacheutil" and Process.CommandLine like r"%-q%" and Process.CommandLine like r"%group%" or Process.Path like r"%/cat" and Process.CommandLine like r"%/etc/group%" or Process.Path like r"%/dscl" and Process.CommandLine like r"%-list%" and Process.CommandLine like r"%/groups%" +[ThreatDetectionRule platform=MacOS] +# Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. +# Author: Igor Fits, Mikhail Larin, oscd.community +RuleId = 40b1fbe2-18ea-4ee7-be47-0294285811de +RuleName = System Shutdown/Reboot - MacOs +EventType = Process.Start +Tag = proc-start-system-shutdown/reboot-macos +RiskScore = 1 +Annotation = {"mitre_attack": ["T1529"], "author": "Igor Fits, Mikhail Larin, oscd.community"} +Query = Process.Path like r"%/shutdown" or Process.Path like r"%/reboot" or Process.Path like r"%/halt" + + [ThreatDetectionRule platform=MacOS] # Detects the enumeration of other remote systems. # Author: Alejandro Ortuno, oscd.community 
@@ -32,15 +56,16 @@ Query = Process.Path like r"%/arp" and Process.CommandLine like r"%-a%" or Proce [ThreatDetectionRule platform=MacOS] -# Detects usage of system utilities to discover files and directories -# Author: Daniil Yugoslavskiy, oscd.community -RuleId = 089dbdf6-b960-4bcc-90e3-ffc3480c20f6 -RuleName = File and Directory Discovery - MacOS +# Detects enumeration of local network configuration +# Author: remotephone, oscd.community +RuleId = 58800443-f9fc-4d55-ae0c-98a3966dfb97 +RuleName = System Network Discovery - macOS EventType = Process.Start -Tag = proc-start-file-and-directory-discovery-macos +Tag = proc-start-system-network-discovery-macos RiskScore = 1 -Annotation = {"mitre_attack": ["T1083"], "author": "Daniil Yugoslavskiy, oscd.community"} -Query = Process.Path == "/usr/bin/file" and Process.CommandLine regex "(.){200,}" or Process.Path == "/bin/ls" and Process.CommandLine like r"%-R%" or Process.Path == "/usr/bin/find" or Process.Path == "/usr/bin/mdfind" or Process.Path == "/tree" +Annotation = {"mitre_attack": ["T1016"], "author": "remotephone, oscd.community"} +Query = (Process.Path like r"%/arp" or Process.Path like r"%/ifconfig" or Process.Path like r"%/netstat" or Process.Path like r"%/networksetup" or Process.Path like r"%/socketfilterfw" or Process.Path == "/usr/bin/defaults" and Process.CommandLine like r"%/Library/Preferences/com.apple.alf%" and Process.CommandLine like r"%read%") and not Parent.Path like r"%/wifivelocityd" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=MacOS] 
@@ -56,19 +81,6 @@ Annotation = {"mitre_attack": ["T1040"], "author": "Alejandro Ortuno, oscd.commu Query = Process.Path like r"%/tcpdump" or Process.Path like r"%/tshark" -[ThreatDetectionRule platform=MacOS] -# Detects enumeration of local network configuration -# Author: remotephone, oscd.community -RuleId = 58800443-f9fc-4d55-ae0c-98a3966dfb97 -RuleName = System Network Discovery - macOS -EventType = Process.Start -Tag = proc-start-system-network-discovery-macos -RiskScore = 1 -Annotation = {"mitre_attack": ["T1016"], "author": "remotephone, oscd.community"} -Query = (Process.Path like r"%/arp" or Process.Path like r"%/ifconfig" or Process.Path like r"%/netstat" or Process.Path like r"%/networksetup" or Process.Path like r"%/socketfilterfw" or Process.Path == "/usr/bin/defaults" and Process.CommandLine like r"%/Library/Preferences/com.apple.alf%" and Process.CommandLine like r"%read%") and not Parent.Path like r"%/wifivelocityd" -GenericProperty1 = Parent.Path - - [ThreatDetectionRule platform=MacOS] # Detects usage of system utilities to discover system network connections # Author: Daniil Yugoslavskiy, oscd.community 
@@ -80,15 +92,3 @@ RiskScore = 1 Annotation = {"mitre_attack": ["T1049"], "author": "Daniil Yugoslavskiy, oscd.community"} Query = Process.Path like r"%/who" or Process.Path like r"%/w" or Process.Path like r"%/last" or Process.Path like r"%/lsof" or Process.Path like r"%/netstat" - -[ThreatDetectionRule platform=MacOS] -# Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. -# Author: Igor Fits, Mikhail Larin, oscd.community -RuleId = 40b1fbe2-18ea-4ee7-be47-0294285811de -RuleName = System Shutdown/Reboot - MacOs -EventType = Process.Start -Tag = proc-start-system-shutdown/reboot-macos -RiskScore = 1 -Annotation = {"mitre_attack": ["T1529"], "author": "Igor Fits, Mikhail Larin, oscd.community"} -Query = Process.Path like r"%/shutdown" or Process.Path like r"%/reboot" or Process.Path like r"%/halt" - diff --git a/config/uberAgent-ESA-am-sigma-informational-windows.conf b/config/uberAgent-ESA-am-sigma-informational-windows.conf index e7677bdb..29a72a20 100644 --- a/config/uberAgent-ESA-am-sigma-informational-windows.conf +++ b/config/uberAgent-ESA-am-sigma-informational-windows.conf 
@@ -7,19 +7,6 @@ # sigma convert -s -f conf -p uberagent-7.3.0 -O backend_version=7.3.0 -t uberagent /home/runner/work/uberAgent-config/uberAgent-config/build/sigma-informational-windows >> uberAgent-ESA-am-sigma-informational-windows.conf # -[ThreatDetectionRule platform=Windows] -# Detect DLL Load from Spooler Service backup folder -# Author: FPT.EagleEye, Thomas Patzke (improvements) -RuleId = 02fb90de-c321-4e63-a6b9-25f4b03dfd14 -RuleName = Windows Spooler Service Suspicious Binary Load -EventType = Image.Load -Tag = windows-spooler-service-suspicious-binary-load -RiskScore = 1 -Annotation = {"mitre_attack": ["T1574"], "author": "FPT.EagleEye, Thomas Patzke (improvements)"} -Query = Process.Path like r"%\\spoolsv.exe" and (Image.Path like r"%\\Windows\\System32\\spool\\drivers\\x64\\3\\%" or Image.Path like r"%\\Windows\\System32\\spool\\drivers\\x64\\4\\%") and Image.Path like r"%.dll" -GenericProperty1 = Image.Path - - [ThreatDetectionRule platform=Windows] # A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint. # Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) 
@@ -33,3 +20,16 @@ Query = Reg.TargetObject like r"%\\AppCompatFlags\\Compatibility Assistant\\Stor Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject + +[ThreatDetectionRule platform=Windows] +# Detect DLL Load from Spooler Service backup folder +# Author: FPT.EagleEye, Thomas Patzke (improvements) +RuleId = 02fb90de-c321-4e63-a6b9-25f4b03dfd14 +RuleName = Windows Spooler Service Suspicious Binary Load +EventType = Image.Load +Tag = windows-spooler-service-suspicious-binary-load +RiskScore = 1 +Annotation = {"mitre_attack": ["T1574"], "author": "FPT.EagleEye, Thomas Patzke (improvements)"} +Query = Process.Path like r"%\\spoolsv.exe" and (Image.Path like r"%\\Windows\\System32\\spool\\drivers\\x64\\3\\%" or Image.Path like r"%\\Windows\\System32\\spool\\drivers\\x64\\4\\%") and Image.Path like r"%.dll" +GenericProperty1 = Image.Path + diff --git a/config/uberAgent-ESA-am-sigma-low-macos.conf b/config/uberAgent-ESA-am-sigma-low-macos.conf index 9deb16b2..8bf44fef 100644 --- a/config/uberAgent-ESA-am-sigma-low-macos.conf +++ b/config/uberAgent-ESA-am-sigma-low-macos.conf 
@@ -7,33 +7,6 @@ # sigma convert -s -f conf -p uberagent-7.3.0 -O backend_version=7.3.0 -t uberagent /home/runner/work/uberAgent-config/uberAgent-config/build/sigma-low-macos >> uberAgent-ESA-am-sigma-low-macos.conf # -[ThreatDetectionRule platform=MacOS] -# Detection use of the command "split" to split files into parts and possible transfer. -# Author: Igor Fits, Mikhail Larin, oscd.community -RuleId = 7f2bb9d5-6395-4de5-969c-70c11fbe6b12 -RuleName = Split A File Into Pieces -EventType = Process.Start -Tag = proc-start-split-a-file-into-pieces -RiskScore = 25 -Annotation = {"mitre_attack": ["T1030"], "author": "Igor Fits, Mikhail Larin, oscd.community"} -Query = Process.Path like r"%/split" - - -[ThreatDetectionRule platform=MacOS] -# Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence. -# Adversaries may use startup items automatically executed at boot initialization to establish persistence. -# Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. -# Author: Alejandro Ortuno, oscd.community -RuleId = dfe8b941-4e54-4242-b674-6b613d521962 -RuleName = Startup Item File Created - MacOS -EventType = File.Create -Tag = startup-item-file-created-macos -RiskScore = 25 -Annotation = {"mitre_attack": ["T1037.005"], "author": "Alejandro Ortuno, oscd.community"} -Query = (File.Path like r"/Library/StartupItems/%" or File.Path like r"/System/Library/StartupItems%") and File.Path like r"%.plist" -GenericProperty1 = File.Path - - [ThreatDetectionRule platform=MacOS] # Detects usage of base64 utility to decode arbitrary base64-encoded text # Author: Daniil Yugoslavskiy, oscd.community 
@@ -47,27 +20,41 @@ Query = Process.Path == "/usr/bin/base64" and Process.CommandLine like r"%-d%" [ThreatDetectionRule platform=MacOS] -# Detects attempts to use system dialog prompts to capture user credentials -# Author: remotephone, oscd.community -RuleId = 60f1ce20-484e-41bd-85f4-ac4afec2c541 -RuleName = GUI Input Capture - macOS +# Detects the command line executed when TeamViewer starts a session started by a remote host. +# Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. +# Author: Josh Nickels, Qi Nan +RuleId = f459ccb4-9805-41ea-b5b2-55e279e2424a +RuleName = Remote Access Tool - Team Viewer Session Started On MacOS Host EventType = Process.Start -Tag = proc-start-gui-input-capture-macos +Tag = proc-start-remote-access-tool-team-viewer-session-started-on-macos-host RiskScore = 25 -Annotation = {"mitre_attack": ["T1056.002"], "author": "remotephone, oscd.community"} -Query = Process.Path == "/usr/sbin/osascript" and Process.CommandLine like r"%-e%" and Process.CommandLine like r"%display%" and Process.CommandLine like r"%dialog%" and Process.CommandLine like r"%answer%" and (Process.CommandLine like r"%admin%" or Process.CommandLine like r"%administrator%" or Process.CommandLine like r"%authenticate%" or Process.CommandLine like r"%authentication%" or Process.CommandLine like r"%credentials%" or Process.CommandLine like r"%pass%" or Process.CommandLine like r"%password%" or Process.CommandLine like r"%unlock%") +Annotation = {"mitre_attack": ["T1133"], "author": "Josh Nickels, Qi Nan"} +Query = Parent.Path like r"%/TeamViewer\_Service" and Process.Path like r"%/TeamViewer\_Desktop" and Process.CommandLine like r"%/TeamViewer\_Desktop --IPCport 5939 --Module 1" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=MacOS] -# Detects the creation of a new user account. 
Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. -# Author: Alejandro Ortuno, oscd.community -RuleId = 51719bf5-e4fd-4e44-8ba8-b830e7ac0731 -RuleName = Creation Of A Local User Account +# Detects attempts to masquerade as legitimate files by adding a space to the end of the filename. +# Author: remotephone +RuleId = b6e2a2e3-2d30-43b1-a4ea-071e36595690 +RuleName = Space After Filename - macOS EventType = Process.Start -Tag = proc-start-creation-of-a-local-user-account +Tag = proc-start-space-after-filename-macos RiskScore = 25 -Annotation = {"mitre_attack": ["T1136.001"], "author": "Alejandro Ortuno, oscd.community"} -Query = Process.Path like r"%/dscl" and Process.CommandLine like r"%create%" or Process.Path like r"%/sysadminctl" and Process.CommandLine like r"%addUser%" +Annotation = {"mitre_attack": ["T1036.006"], "author": "remotephone"} +Query = Process.CommandLine like r"% " or Process.Path like r"% " + + +[ThreatDetectionRule platform=MacOS] +# Detects macOS Gatekeeper bypass via xattr utility +# Author: Daniil Yugoslavskiy, oscd.community +RuleId = f5141b6d-9f42-41c6-a7bf-2a780678b29b +RuleName = Gatekeeper Bypass via Xattr +EventType = Process.Start +Tag = proc-start-gatekeeper-bypass-via-xattr +RiskScore = 25 +Annotation = {"mitre_attack": ["T1553.001"], "author": "Daniil Yugoslavskiy, oscd.community"} +Query = Process.Path like r"%/xattr" and Process.CommandLine like r"%-d%" and Process.CommandLine like r"%com.apple.quarantine%" [ThreatDetectionRule platform=MacOS] 
@@ -83,51 +70,78 @@ Query = Process.Path like r"%/jamf" and (Process.CommandLine like r"%createAccou [ThreatDetectionRule platform=MacOS] -# Detects enumeration of local systeam accounts on MacOS -# Author: Alejandro Ortuno, oscd.community -RuleId = ddf36b67-e872-4507-ab2e-46bda21b842c -RuleName = Local System Accounts Discovery - MacOs +# Detection use of the command "split" to split files into parts and possible transfer. +# Author: Igor Fits, Mikhail Larin, oscd.community +RuleId = 7f2bb9d5-6395-4de5-969c-70c11fbe6b12 +RuleName = Split A File Into Pieces EventType = Process.Start -Tag = proc-start-local-system-accounts-discovery-macos +Tag = proc-start-split-a-file-into-pieces RiskScore = 25 -Annotation = {"mitre_attack": ["T1087.001"], "author": "Alejandro Ortuno, oscd.community"} -Query = Process.Path like r"%/dscl" and Process.CommandLine like r"%list%" and Process.CommandLine like r"%/users%" or Process.Path like r"%/dscacheutil" and Process.CommandLine like r"%-q%" and Process.CommandLine like r"%user%" or Process.CommandLine like r"%'x:0:'%" or Process.Path like r"%/cat" and (Process.CommandLine like r"%/etc/passwd%" or Process.CommandLine like r"%/etc/sudoers%") or Process.Path like r"%/id" or Process.Path like r"%/lsof" and Process.CommandLine like r"%-u%" +Annotation = {"mitre_attack": ["T1030"], "author": "Igor Fits, Mikhail Larin, oscd.community"} +Query = Process.Path like r"%/split" [ThreatDetectionRule platform=MacOS] -# Detects enumeration of local or remote network services. +# Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. 
# Author: Alejandro Ortuno, oscd.community -RuleId = 84bae5d4-b518-4ae0-b331-6d4afd34d00f -RuleName = MacOS Network Service Scanning +RuleId = 51719bf5-e4fd-4e44-8ba8-b830e7ac0731 +RuleName = Creation Of A Local User Account EventType = Process.Start -Tag = proc-start-macos-network-service-scanning +Tag = proc-start-creation-of-a-local-user-account RiskScore = 25 -Annotation = {"mitre_attack": ["T1046"], "author": "Alejandro Ortuno, oscd.community"} -Query = (Process.Path like r"%/nc" or Process.Path like r"%/netcat") and not Process.CommandLine like r"%l%" or Process.Path like r"%/nmap" or Process.Path like r"%/telnet" +Annotation = {"mitre_attack": ["T1136.001"], "author": "Alejandro Ortuno, oscd.community"} +Query = Process.Path like r"%/dscl" and Process.CommandLine like r"%create%" or Process.Path like r"%/sysadminctl" and Process.CommandLine like r"%addUser%" [ThreatDetectionRule platform=MacOS] -# Detects macOS Gatekeeper bypass via xattr utility -# Author: Daniil Yugoslavskiy, oscd.community -RuleId = f5141b6d-9f42-41c6-a7bf-2a780678b29b -RuleName = Gatekeeper Bypass via Xattr +# Detects attempts to use screencapture to collect macOS screenshots +# Author: remotephone, oscd.community +RuleId = 0877ed01-da46-4c49-8476-d49cdd80dfa7 +RuleName = Screen Capture - macOS EventType = Process.Start -Tag = proc-start-gatekeeper-bypass-via-xattr +Tag = proc-start-screen-capture-macos RiskScore = 25 -Annotation = {"mitre_attack": ["T1553.001"], "author": "Daniil Yugoslavskiy, oscd.community"} -Query = Process.Path like r"%/xattr" and Process.CommandLine like r"%-d%" and Process.CommandLine like r"%com.apple.quarantine%" +Annotation = {"mitre_attack": ["T1113"], "author": "remotephone, oscd.community"} +Query = Process.Path == "/usr/sbin/screencapture" [ThreatDetectionRule platform=MacOS] -# Detects attempts to masquerade as legitimate files by adding a space to the end of the filename. 
-# Author: remotephone -RuleId = b6e2a2e3-2d30-43b1-a4ea-071e36595690 -RuleName = Space After Filename - macOS +# Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence. +# Adversaries may use startup items automatically executed at boot initialization to establish persistence. +# Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. +# Author: Alejandro Ortuno, oscd.community +RuleId = dfe8b941-4e54-4242-b674-6b613d521962 +RuleName = Startup Item File Created - MacOS +EventType = File.Create +Tag = startup-item-file-created-macos +RiskScore = 25 +Annotation = {"mitre_attack": ["T1037.005"], "author": "Alejandro Ortuno, oscd.community"} +Query = (File.Path like r"/Library/StartupItems/%" or File.Path like r"/System/Library/StartupItems%") and File.Path like r"%.plist" +GenericProperty1 = File.Path + + +[ThreatDetectionRule platform=MacOS] +# Detects attempts to enable the guest account using the sysadminctl utility +# Author: Sohan G (D4rkCiph3r) +RuleId = d7329412-13bd-44ba-a072-3387f804a106 +RuleName = Guest Account Enabled Via Sysadminctl EventType = Process.Start -Tag = proc-start-space-after-filename-macos +Tag = proc-start-guest-account-enabled-via-sysadminctl RiskScore = 25 -Annotation = {"mitre_attack": ["T1036.006"], "author": "remotephone"} -Query = Process.CommandLine like r"% " or Process.Path like r"% " +Annotation = {"mitre_attack": ["T1078", "T1078.001"], "author": "Sohan G (D4rkCiph3r)"} +Query = Process.Path like r"%/sysadminctl" and Process.CommandLine like r"% -guestAccount%" and Process.CommandLine like r"% on%" + + +[ThreatDetectionRule platform=MacOS] +# Detects enumeration of local or remote network services. 
+# Author: Alejandro Ortuno, oscd.community +RuleId = 84bae5d4-b518-4ae0-b331-6d4afd34d00f +RuleName = MacOS Network Service Scanning +EventType = Process.Start +Tag = proc-start-macos-network-service-scanning +RiskScore = 25 +Annotation = {"mitre_attack": ["T1046"], "author": "Alejandro Ortuno, oscd.community"} +Query = (Process.Path like r"%/nc" or Process.Path like r"%/netcat") and not Process.CommandLine like r"%l%" or Process.Path like r"%/nmap" or Process.Path like r"%/telnet" [ThreatDetectionRule platform=MacOS] 
@@ -143,39 +157,25 @@ Query = Process.Path like r"%/csrutil" and Process.CommandLine like r"%status%" [ThreatDetectionRule platform=MacOS] -# Detects attempts to use screencapture to collect macOS screenshots +# Detects attempts to use system dialog prompts to capture user credentials # Author: remotephone, oscd.community -RuleId = 0877ed01-da46-4c49-8476-d49cdd80dfa7 -RuleName = Screen Capture - macOS -EventType = Process.Start -Tag = proc-start-screen-capture-macos -RiskScore = 25 -Annotation = {"mitre_attack": ["T1113"], "author": "remotephone, oscd.community"} -Query = Process.Path == "/usr/sbin/screencapture" - - -[ThreatDetectionRule platform=MacOS] -# Detects attempts to enable the guest account using the sysadminctl utility -# Author: Sohan G (D4rkCiph3r) -RuleId = d7329412-13bd-44ba-a072-3387f804a106 -RuleName = Guest Account Enabled Via Sysadminctl +RuleId = 60f1ce20-484e-41bd-85f4-ac4afec2c541 +RuleName = GUI Input Capture - macOS EventType = Process.Start -Tag = proc-start-guest-account-enabled-via-sysadminctl +Tag = proc-start-gui-input-capture-macos RiskScore = 25 -Annotation = {"mitre_attack": ["T1078", "T1078.001"], "author": "Sohan G (D4rkCiph3r)"} -Query = Process.Path like r"%/sysadminctl" and Process.CommandLine like r"% -guestAccount%" and Process.CommandLine like r"% on%" +Annotation = {"mitre_attack": ["T1056.002"], "author": "remotephone, oscd.community"} +Query = Process.Path == "/usr/sbin/osascript" and Process.CommandLine like r"%-e%" and Process.CommandLine like r"%display%" and Process.CommandLine like r"%dialog%" and Process.CommandLine like r"%answer%" and (Process.CommandLine like r"%admin%" or Process.CommandLine like r"%administrator%" or Process.CommandLine like r"%authenticate%" or Process.CommandLine like r"%authentication%" or Process.CommandLine like r"%credentials%" or Process.CommandLine like r"%pass%" or Process.CommandLine like r"%password%" or Process.CommandLine like r"%unlock%") [ThreatDetectionRule platform=MacOS] -# 
Detects the command line executed when TeamViewer starts a session started by a remote host. -# Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. -# Author: Josh Nickels, Qi Nan -RuleId = f459ccb4-9805-41ea-b5b2-55e279e2424a -RuleName = Remote Access Tool - Team Viewer Session Started On MacOS Host +# Detects enumeration of local systeam accounts on MacOS +# Author: Alejandro Ortuno, oscd.community +RuleId = ddf36b67-e872-4507-ab2e-46bda21b842c +RuleName = Local System Accounts Discovery - MacOs EventType = Process.Start -Tag = proc-start-remote-access-tool-team-viewer-session-started-on-macos-host +Tag = proc-start-local-system-accounts-discovery-macos RiskScore = 25 -Annotation = {"mitre_attack": ["T1133"], "author": "Josh Nickels, Qi Nan"} -Query = Parent.Path like r"%/TeamViewer\_Service" and Process.Path like r"%/TeamViewer\_Desktop" and Process.CommandLine like r"%/TeamViewer\_Desktop --IPCport 5939 --Module 1" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1087.001"], "author": "Alejandro Ortuno, oscd.community"} +Query = Process.Path like r"%/dscl" and Process.CommandLine like r"%list%" and Process.CommandLine like r"%/users%" or Process.Path like r"%/dscacheutil" and Process.CommandLine like r"%-q%" and Process.CommandLine like r"%user%" or Process.CommandLine like r"%'x:0:'%" or Process.Path like r"%/cat" and (Process.CommandLine like r"%/etc/passwd%" or Process.CommandLine like r"%/etc/sudoers%") or Process.Path like r"%/id" or Process.Path like r"%/lsof" and Process.CommandLine like r"%-u%" diff --git a/config/uberAgent-ESA-am-sigma-low-windows.conf b/config/uberAgent-ESA-am-sigma-low-windows.conf index 22c32abc..137f8c62 100644 --- a/config/uberAgent-ESA-am-sigma-low-windows.conf +++ b/config/uberAgent-ESA-am-sigma-low-windows.conf 
@@ -7,6 +7,31 @@ # sigma convert -s -f conf -p uberagent-7.3.0 -O backend_version=7.3.0 -t uberagent /home/runner/work/uberAgent-config/uberAgent-config/build/sigma-low-windows >> uberAgent-ESA-am-sigma-low-windows.conf # +[ThreatDetectionRule platform=Windows] +# Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence +# Author: frack113 +RuleId = b1decb61-ed83-4339-8e95-53ea51901720 +RuleName = TeamViewer Log File Deleted +EventType = File.Delete +Tag = teamviewer-log-file-deleted +RiskScore = 25 +Annotation = {"mitre_attack": ["T1070.004"], "author": "frack113"} +Query = File.Path like r"%\\TeamViewer\_%" and File.Path like r"%.log" and not Process.Path == "C:\\Windows\\system32\\svchost.exe" +GenericProperty1 = File.Path + + +[ThreatDetectionRule platform=Windows] +# Detects the creation of a new service using the "sc.exe" utility. +# Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community +RuleId = 85ff530b-261d-48c6-a441-facaa2e81e48 +RuleName = New Service Creation Using Sc.EXE +EventType = Process.Start +Tag = proc-start-new-service-creation-using-sc.exe +RiskScore = 25 +Annotation = {"mitre_attack": ["T1543.003"], "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community"} +Query = Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%binPath%" + + [ThreatDetectionRule platform=Windows] # Detects specific combinations of encoding methods in PowerShell via the commandline # Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton 
@@ -20,159 +45,210 @@ Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.e
 [ThreatDetectionRule platform=Windows]
-# Detects the execution of the "jsc.exe" (JScript Compiler).
-# Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
+# Use of reg to get MachineGuid information
 # Author: frack113
-RuleId = 52788a70-f1da-40dd-8fbd-73b5865d6568
-RuleName = JScript Compiler Execution
+RuleId = f5240972-3938-4e56-8e4b-e33893176c1f
+RuleName = Suspicious Query of MachineGUID
 EventType = Process.Start
-Tag = proc-start-jscript-compiler-execution
+Tag = proc-start-suspicious-query-of-machineguid
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1127"], "author": "frack113"}
-Query = Process.Path like r"%\\jsc.exe" or Process.Name == "jsc.exe"
+Annotation = {"mitre_attack": ["T1082"], "author": "frack113"}
+Query = Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%SOFTWARE\\Microsoft\\Cryptography%" and Process.CommandLine like r"%/v %" and Process.CommandLine like r"%MachineGuid%"
 [ThreatDetectionRule platform=Windows]
-# Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
-# Author: frack113
-RuleId = 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
-RuleName = File And SubFolder Enumeration Via Dir Command
+# Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
+# Author: Muhammad Faisal (@faisalusuf)
+RuleId = e20b5b14-ce93-4230-88af-981983ef6e74
+RuleName = QuickAssist Execution
 EventType = Process.Start
-Tag = proc-start-file-and-subfolder-enumeration-via-dir-command
+Tag = proc-start-quickassist-execution
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1217"], "author": "frack113"}
-Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and (Process.CommandLine like r"%dir%-s%" or Process.CommandLine like r"%dir%/s%" or Process.CommandLine like r"%dir%–s%" or Process.CommandLine like r"%dir%—s%" or Process.CommandLine like r"%dir%―s%")
+Annotation = {"mitre_attack": ["T1219"], "author": "Muhammad Faisal (@faisalusuf)"}
+Query = Process.Path like r"%\\QuickAssist.exe"
 [ThreatDetectionRule platform=Windows]
-# Detects the stopping of a Windows service via the "net" utility.
-# Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-RuleId = 88872991-7445-4a22-90b2-a3adadb0e827
-RuleName = Stop Windows Service Via Net.EXE
+# Detects when a share is mounted using the "net.exe" utility
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = f117933c-980c-4f78-b384-e3d838111165
+RuleName = Windows Share Mount Via Net.EXE
 EventType = Process.Start
-Tag = proc-start-stop-windows-service-via-net.exe
+Tag = proc-start-windows-share-mount-via-net.exe
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1489"], "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)"}
-Query = (Process.Name in ["net.exe", "net1.exe"] or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"% stop %"
+Annotation = {"mitre_attack": ["T1021.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and (Process.CommandLine like r"% use %" or Process.CommandLine like r"% \\\\%")
 [ThreatDetectionRule platform=Windows]
-# Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-# Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-RuleId = 0e4164da-94bc-450d-a7be-a4b176179f1f
-RuleName = Firewall Configuration Discovery Via Netsh.EXE
-EventType = Process.Start
-Tag = proc-start-firewall-configuration-discovery-via-netsh.exe
+# Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
+# Author: Gavin Knapp
+RuleId = 7e9cf7b6-e827-11ed-a05b-15959c120003
+RuleName = Potentially Suspicious Network Connection To Notion API
+EventType = Net.Any
+Tag = potentially-suspicious-network-connection-to-notion-api
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1016"], "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'"}
-Query = (Process.Path like r"%\\netsh.exe" or Process.Name == "netsh.exe") and Process.CommandLine like r"%netsh %" and Process.CommandLine like r"%show %" and Process.CommandLine like r"%firewall %" and (Process.CommandLine like r"%config %" or Process.CommandLine like r"%state %" or Process.CommandLine like r"%rule %" or Process.CommandLine like r"%name=all%")
+Annotation = {"mitre_attack": ["T1102"], "author": "Gavin Knapp"}
+Query = Net.Target.Name like r"%api.notion.com%" and not (Process.Path like r"%\\AppData\\Local\\Programs\\Notion\\Notion.exe" or Process.Path like r"%\\brave.exe" or Process.Path in ["C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"] or Process.Path in ["C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"] or Process.Path in ["C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe"] or Process.Path like r"%\\maxthon.exe" or Process.Path like r"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\%" or Process.Path like r"%\\WindowsApps\\MicrosoftEdge.exe" or Process.Path in ["C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"] or (Process.Path like r"C:\\Program Files (x86)\\Microsoft\\EdgeCore\\%" or Process.Path like r"C:\\Program Files\\Microsoft\\EdgeCore\\%") and (Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\msedgewebview2.exe") or Process.Path like r"%\\opera.exe" or Process.Path like r"%\\safari.exe" or Process.Path like r"%\\seamonkey.exe" or Process.Path like r"%\\vivaldi.exe" or Process.Path like r"%\\whale.exe")
+GenericProperty1 = Net.Target.Name
 [ThreatDetectionRule platform=Windows]
-# Detects file association changes using the builtin "assoc" command.
-# When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-# Author: Timur Zinniatullin, oscd.community
-RuleId = 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
-RuleName = Change Default File Association Via Assoc
+# Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
+# Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
+# internal network resources such as servers, tools/dashboards, or other related infrastructure.
+# Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+RuleId = 725a9768-0f5e-4cb3-aec2-bc5719c6831a
+RuleName = Suspicious Where Execution
 EventType = Process.Start
-Tag = proc-start-change-default-file-association-via-assoc
+Tag = proc-start-suspicious-where-execution
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1546.001"], "author": "Timur Zinniatullin, oscd.community"}
-Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%assoc%"
+Annotation = {"mitre_attack": ["T1217"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Path like r"%\\where.exe" or Process.Name == "where.exe") and (Process.CommandLine like r"%places.sqlite%" or Process.CommandLine like r"%cookies.sqlite%" or Process.CommandLine like r"%formhistory.sqlite%" or Process.CommandLine like r"%logins.json%" or Process.CommandLine like r"%key4.db%" or Process.CommandLine like r"%key3.db%" or Process.CommandLine like r"%sessionstore.jsonlz4%" or Process.CommandLine like r"%History%" or Process.CommandLine like r"%Bookmarks%" or Process.CommandLine like r"%Cookies%" or Process.CommandLine like r"%Login Data%")
 [ThreatDetectionRule platform=Windows]
-# Detects the creation of files in a specific location by ScreenConnect RMM.
-# ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.
-# Author: Ali Alwashali
-RuleId = 0afecb6e-6223-4a82-99fb-bf5b981e92a5
-RuleName = Remote Access Tool - ScreenConnect Temporary File
-EventType = File.Create
-Tag = remote-access-tool-screenconnect-temporary-file
+# Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
+RuleName = Winget Admin Settings Modification
+EventType = Reg.Any
+Tag = winget-admin-settings-modification
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1059.003"], "author": "Ali Alwashali"}
-Query = Process.Path like r"%\\ScreenConnect.WindowsClient.exe" and File.Path like r"%\\Documents\\ConnectWiseControl\\Temp\\%"
-GenericProperty1 = File.Path
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.Path like r"%\\winget.exe" and Reg.TargetObject like r"\\REGISTRY\\A\\%" and Reg.TargetObject like r"%\\LocalState\\admin\_settings"
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
 [ThreatDetectionRule platform=Windows]
-# Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
-# Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
-RuleId = f4bbd493-b796-416e-bbf2-121235348529
-RuleName = Non Interactive PowerShell Process Spawned
+# Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 4f281b83-0200-4b34-bf35-d24687ea57c2
+RuleName = ETW Logging Disabled For SCM
+EventType = Reg.Any
+Tag = etw-logging-disabled-for-scm
+RiskScore = 25
+Annotation = {"mitre_attack": ["T1112", "T1562"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Reg.TargetObject like r"%Software\\Microsoft\\Windows NT\\CurrentVersion\\Tracing\\SCM\\Regular\\TracingDisabled" and Reg.Value.Data == "DWORD (0x00000001)"
+Hive = HKLM,HKU
+GenericProperty1 = Reg.TargetObject
+GenericProperty2 = Reg.Value.Data
+
+
+[ThreatDetectionRule platform=Windows]
+# Attackers may leverage fsutil to enumerated connected drives.
+# Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+RuleId = 63de06b9-a385-40b5-8b32-73f2b9ef84b6
+RuleName = Fsutil Drive Enumeration
 EventType = Process.Start
-Tag = proc-start-non-interactive-powershell-process-spawned
+Tag = proc-start-fsutil-drive-enumeration
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1059.001"], "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)"}
-Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and not (Parent.Path like r"%:\\Windows\\explorer.exe" or Parent.Path like r"%:\\Windows\\System32\\CompatTelRunner.exe" or Parent.Path like r"%:\\Windows\\SysWOW64\\explorer.exe" or Parent.Path == ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe") and not (Parent.Path like r"%\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" and Parent.CommandLine like r"% --ms-enable-electron-run-as-node %" or Parent.Path like r"%:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal\_%" and Parent.Path like r"%\\WindowsTerminal.exe")
-GenericProperty1 = Parent.Path
-GenericProperty2 = Parent.CommandLine
+Annotation = {"mitre_attack": ["T1120"], "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'"}
+Query = (Process.Path like r"%\\fsutil.exe" or Process.Name == "fsutil.exe") and Process.CommandLine like r"%drives%"
 [ThreatDetectionRule platform=Windows]
-# Detects the command line executed when TeamViewer starts a session started by a remote host.
-# Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
-# Author: Josh Nickels, Qi Nan
-RuleId = ab70c354-d9ac-4e11-bbb6-ec8e3b153357
-RuleName = Remote Access Tool - Team Viewer Session Started On Windows Host
+# Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
+# Author: Muhammad Faisal (@faisalusuf)
+RuleId = 882e858a-3233-4ba8-855e-2f3d3575803d
+RuleName = DNS Query Request By QuickAssist.EXE
+EventType = Dns.Query
+Tag = dns-query-request-by-quickassist.exe
+RiskScore = 25
+Annotation = {"mitre_attack": ["T1071.001", "T1210"], "author": "Muhammad Faisal (@faisalusuf)"}
+Query = Process.Path like r"%\\QuickAssist.exe" and Dns.QueryRequest like r"%remoteassistance.support.services.microsoft.com"
+GenericProperty1 = Dns.QueryRequest
+
+
+[ThreatDetectionRule platform=Windows]
+# Local accounts, System Owner/User discovery using operating systems utilities
+# Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+RuleId = 502b42de-4306-40b4-9596-6f590c81f073
+RuleName = Local Accounts Discovery
 EventType = Process.Start
-Tag = proc-start-remote-access-tool-team-viewer-session-started-on-windows-host
+Tag = proc-start-local-accounts-discovery
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1133"], "author": "Josh Nickels, Qi Nan"}
-Query = Process.Path == "TeamViewer\_Desktop.exe" and Parent.Path == "TeamViewer\_Service.exe" and Process.CommandLine like r"%TeamViewer\_Desktop.exe --IPCport 5939 --Module 1"
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1033", "T1087.001"], "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community"}
+Query = Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"% /c%" and Process.CommandLine like r"%dir %" and Process.CommandLine like r"%\\Users\\%" and not Process.CommandLine like r"% rmdir %" or (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%user%" and not (Process.CommandLine like r"%/domain%" or Process.CommandLine like r"%/add%" or Process.CommandLine like r"%/delete%" or Process.CommandLine like r"%/active%" or Process.CommandLine like r"%/expires%" or Process.CommandLine like r"%/passwordreq%" or Process.CommandLine like r"%/scriptpath%" or Process.CommandLine like r"%/times%" or Process.CommandLine like r"%/workstations%") or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\quser.exe" or Process.Path like r"%\\qwinsta.exe" or Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%useraccount%" and Process.CommandLine like r"%get%" or Process.Path like r"%\\cmdkey.exe" and Process.CommandLine like r"% /l%"
 [ThreatDetectionRule platform=Windows]
-# Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-# Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-RuleId = a29c1813-ab1f-4dde-b489-330b952e91ae
-RuleName = Suspicious Network Command
+# Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
+# Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+RuleId = c49c5062-0966-4170-9efd-9968c913a6cf
+RuleName = Stop Windows Service Via PowerShell Stop-Service
 EventType = Process.Start
-Tag = proc-start-suspicious-network-command
+Tag = proc-start-stop-windows-service-via-powershell-stop-service
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1016"], "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'"}
-Query = Process.CommandLine like r"%ipconfig /all%" or Process.CommandLine like r"%netsh interface show interface%" or Process.CommandLine like r"%arp -a%" or Process.CommandLine like r"%nbtstat -n%" or Process.CommandLine like r"%net config%" or Process.CommandLine like r"%route print%"
+Annotation = {"mitre_attack": ["T1489"], "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.Name in ["PowerShell.EXE", "pwsh.dll"] or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Stop-Service %"
 [ThreatDetectionRule platform=Windows]
-# Detects execution of "tar.exe" in order to create a compressed file.
-# Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
-# Author: Nasreddine Bencherchali (Nextron Systems), AdmU3
-RuleId = 418a3163-3247-4b7b-9933-dcfcb7c52ea9
-RuleName = Compressed File Creation Via Tar.EXE
+# Detects the execution of a system command via the ScreenConnect RMM service.
+# Author: Ali Alwashali
+RuleId = b1f73849-6329-4069-bc8f-78a604bb8b23
+RuleName = Remote Access Tool - ScreenConnect Remote Command Execution
 EventType = Process.Start
-Tag = proc-start-compressed-file-creation-via-tar.exe
+Tag = proc-start-remote-access-tool-screenconnect-remote-command-execution
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1560", "T1560.001"], "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3"}
-Query = (Process.Path like r"%\\tar.exe" or Process.Name == "bsdtar") and (Process.CommandLine like r"%-c%" or Process.CommandLine like r"%-r%" or Process.CommandLine like r"%-u%")
+Annotation = {"mitre_attack": ["T1059.003"], "author": "Ali Alwashali"}
+Query = Parent.Path like r"%\\ScreenConnect.ClientService.exe" and (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%\\TEMP\\ScreenConnect\\%"
+GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=Windows]
-# Detects the usage of the "net.exe" command to start a service using the "start" flag
-# Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-RuleId = 2a072a96-a086-49fa-bcb5-15cc5a619093
-RuleName = Start Windows Service Via Net.EXE
+# Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
+# Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+RuleId = 04936b66-3915-43ad-a8e5-809eadfd1141
+RuleName = Insensitive Subfolder Search Via Findstr.EXE
 EventType = Process.Start
-Tag = proc-start-start-windows-service-via-net.exe
+Tag = proc-start-insensitive-subfolder-search-via-findstr.exe
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1569.002"], "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community"}
-Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and Process.CommandLine like r"% start %"
+Annotation = {"mitre_attack": ["T1218", "T1564.004", "T1552.001", "T1105"], "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)"}
+Query = (Process.CommandLine like r"%findstr%" or Process.Path like r"%findstr.exe" or Process.Name == "FINDSTR.EXE") and (Process.CommandLine like r"% -s %" or Process.CommandLine like r"% /s %" or Process.CommandLine like r"% –s %" or Process.CommandLine like r"% —s %" or Process.CommandLine like r"% ―s %") and (Process.CommandLine like r"% -i %" or Process.CommandLine like r"% /i %" or Process.CommandLine like r"% –i %" or Process.CommandLine like r"% —i %" or Process.CommandLine like r"% ―i %")
 [ThreatDetectionRule platform=Windows]
-# Detects the execution of "BitLockerToGo.EXE".
-# BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
-# This is a rarely used application and usage of it at all is worth investigating.
-# Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
-# Author: Josh Nickels, mttaggart
-RuleId = 7f2376f9-42ee-4dfc-9360-fecff9a88fc8
-RuleName = BitLockerTogo.EXE Execution
+# This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
+# Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
+# Author: frack113
+RuleId = 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
+RuleName = PUA - Adidnsdump Execution
 EventType = Process.Start
-Tag = proc-start-bitlockertogo.exe-execution
+Tag = proc-start-pua-adidnsdump-execution
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1218"], "author": "Josh Nickels, mttaggart"}
-Query = Process.Path like r"%\\BitLockerToGo.exe"
+Annotation = {"mitre_attack": ["T1018"], "author": "frack113"}
+Query = Process.Path like r"%\\python.exe" and Process.CommandLine like r"%adidnsdump%"
+
+
+[ThreatDetectionRule platform=Windows]
+# Detects DNS server discovery via LDAP query requests from uncommon applications
+# Author: frack113
+RuleId = a21bcd7e-38ec-49ad-b69a-9ea17e69509e
+RuleName = DNS Server Discovery Via LDAP Query
+EventType = Dns.Query
+Tag = dns-server-discovery-via-ldap-query
+RiskScore = 25
+Annotation = {"mitre_attack": ["T1482"], "author": "frack113"}
+Query = Dns.QueryRequest like r"\_ldap.%" and not (Process.Path like r"%:\\Program Files\\%" or Process.Path like r"%:\\Program Files (x86)\\%" or Process.Path like r"%:\\Windows\\%" or Process.Path like r"%:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\%" and Process.Path like r"%\\MsMpEng.exe" or Process.Path == "" or isnull(Process.Path)) and not (Process.Path like r"C:\\WindowsAzure\\GuestAgent%" or Process.Path like r"%\\chrome.exe" or Process.Path like r"%\\firefox.exe" or Process.Path like r"%\\opera.exe")
+GenericProperty1 = Dns.QueryRequest
+
+
+[ThreatDetectionRule platform=Windows]
+# Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
+# This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
+# It could also be used for anti-analysis purposes by shut downing specific processes.
+# Author: Luc Génaux
+RuleId = 3669afd2-9891-4534-a626-e5cf03810a61
+RuleName = Load Of RstrtMgr.DLL By An Uncommon Process
+EventType = Image.Load
+Tag = load-of-rstrtmgr.dll-by-an-uncommon-process
+RiskScore = 25
+Annotation = {"mitre_attack": ["T1486", "T1562.001"], "author": "Luc G\u00e9naux"}
+Query = (Image.Path like r"%\\RstrtMgr.dll" or Process.Name == "RstrtMgr.dll") and not (Process.Path like r"%:\\$WINDOWS.~BT\\%" or Process.Path like r"%:\\$WinREAgent\\%" or Process.Path like r"%:\\Program Files (x86)\\%" or Process.Path like r"%:\\Program Files\\%" or Process.Path like r"%:\\ProgramData\\%" or Process.Path like r"%:\\Windows\\explorer.exe%" or Process.Path like r"%:\\Windows\\SoftwareDistribution\\%" or Process.Path like r"%:\\Windows\\SysNative\\%" or Process.Path like r"%:\\Windows\\System32\\%" or Process.Path like r"%:\\Windows\\SysWOW64\\%" or Process.Path like r"%:\\Windows\\WinSxS\\%" or Process.Path like r"%:\\WUDownloadCache\\%" or Process.Path like r"%:\\Users\\%" and Process.Path like r"%\\AppData\\Local\\Temp\\is-%" and Process.Path like r"%.tmp\\%" and Process.Path like r"%.tmp" or Process.Path like r"%:\\Windows\\Temp\\%")
+GenericProperty1 = Image.Path
 [ThreatDetectionRule platform=Windows]
@@ -189,156 +265,180 @@ GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=Windows]
-# Detects the creation of a new service using powershell.
-# Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-RuleId = c02e96b7-c63a-4c47-bd83-4a9f74afcfb2
-RuleName = New Service Creation Using PowerShell
-EventType = Process.Start
-Tag = proc-start-new-service-creation-using-powershell
+# Detects default PsExec service filename which indicates PsExec service installation and execution
+# Author: Thomas Patzke
+RuleId = 259e5a6a-b8d2-4c38-86e2-26c5e651361d
+RuleName = PsExec Service File Creation
+EventType = File.Create
+Tag = psexec-service-file-creation
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1543.003"], "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community"}
-Query = Process.CommandLine like r"%New-Service%" and Process.CommandLine like r"%-BinaryPathName%"
+Annotation = {"mitre_attack": ["T1569.002"], "author": "Thomas Patzke"}
+Query = File.Path like r"%\\PSEXESVC.exe"
+GenericProperty1 = File.Path
 [ThreatDetectionRule platform=Windows]
-# Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
-# Author: Florian Roth (Nextron Systems)
-RuleId = 3d7679bd-0c00-440c-97b0-3f204273e6c7
-RuleName = New Process Created Via Taskmgr.EXE
+# Detects file association changes using the builtin "assoc" command.
+# When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+# Author: Timur Zinniatullin, oscd.community
+RuleId = 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
+RuleName = Change Default File Association Via Assoc
 EventType = Process.Start
-Tag = proc-start-new-process-created-via-taskmgr.exe
+Tag = proc-start-change-default-file-association-via-assoc
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems)"}
-Query = Parent.Path like r"%\\taskmgr.exe" and not (Process.Path like r"%:\\Windows\\System32\\mmc.exe" or Process.Path like r"%:\\Windows\\System32\\resmon.exe" or Process.Path like r"%:\\Windows\\System32\\Taskmgr.exe")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1546.001"], "author": "Timur Zinniatullin, oscd.community"}
+Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%assoc%"
 [ThreatDetectionRule platform=Windows]
-# Detects the load of known vulnerable drivers via the file name of the drivers.
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 72cd00d6-490c-4650-86ff-1d11f491daa1
-RuleName = Vulnerable Driver Load By Name
-EventType = Driver.Load
-Tag = vulnerable-driver-load-by-name
+# Detects potential DLL sideloading of "7za.dll"
+# Author: X__Junior
+RuleId = 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
+RuleName = Potential 7za.DLL Sideloading
+EventType = Image.Load
+Tag = potential-7za.dll-sideloading
 RiskScore = 25
-Annotation = {"mitre_attack": ["T1543.003", "T1068"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Image.Path like r"%\\panmonfltx64.sys" or Image.Path like r"%\\dbutil.sys" or Image.Path like r"%\\fairplaykd.sys" or Image.Path like r"%\\nvaudio.sys" or Image.Path like r"%\\superbmc.sys" or Image.Path like r"%\\bsmi.sys" or Image.Path like r"%\\smarteio64.sys" or Image.Path like r"%\\bwrsh.sys" or Image.Path like r"%\\agent64.sys" or Image.Path like r"%\\asmmap64.sys" or Image.Path like r"%\\dellbios.sys" or Image.Path like r"%\\chaos-rootkit.sys" or Image.Path 
like r"%\\wcpu.sys" or Image.Path like r"%\\dh\_kernel.sys" or Image.Path like r"%\\sbiosio64.sys" or Image.Path like r"%\\bw.sys" or Image.Path like r"%\\asrdrv102.sys" or Image.Path like r"%\\nt6.sys" or Image.Path like r"%\\mhyprot3.sys" or Image.Path like r"%\\winio64c.sys" or Image.Path like r"%\\asupio64.sys" or Image.Path like r"%\\blackbonedrv10.sys" or Image.Path like r"%\\d.sys" or Image.Path like r"%\\driver7-x86.sys" or Image.Path like r"%\\sfdrvx32.sys" or Image.Path like r"%\\enetechio64.sys" or Image.Path like r"%\\gdrv.sys" or Image.Path like r"%\\sysinfodetectorx64.sys" or Image.Path like r"%\\fh-ethercat\_dio.sys" or Image.Path like r"%\\asromgdrv.sys" or Image.Path like r"%\\my.sys" or Image.Path like r"%\\dcprotect.sys" or Image.Path like r"%\\irec.sys" or Image.Path like r"%\\gedevdrv.sys" or Image.Path like r"%\\winio32a.sys" or Image.Path like r"%\\gvcidrv64.sys" or Image.Path like r"%\\winio32.sys" or Image.Path like r"%\\bs\_hwmio64.sys" or Image.Path like r"%\\nstr.sys" or Image.Path like r"%\\inpoutx64.sys" or Image.Path like r"%\\hw.sys" or Image.Path like r"%\\winio64.sys" or Image.Path like r"%\\hpportiox64.sys" or Image.Path like r"%\\iobitunlocker.sys" or Image.Path like r"%\\b1.sys" or Image.Path like r"%\\aoddriver.sys" or Image.Path like r"%\\elbycdio.sys" or Image.Path like r"%\\protects.sys" or Image.Path like r"%\\kprocesshacker.sys" or Image.Path like r"%\\speedfan.sys" or Image.Path like r"%\\radhwmgr.sys" or Image.Path like r"%\\iscflashx64.sys" or Image.Path like r"%\\black.sys" or Image.Path like r"%\\b4.sys" or Image.Path like r"%\\hwos2ec10x64.sys" or Image.Path like r"%\\winflash64.sys" or Image.Path like r"%\\corsairllaccess64.sys" or Image.Path like r"%\\bs\_i2cio.sys" or Image.Path like r"%\\d3.sys" or Image.Path like r"%\\windows-xp-64.sys" or Image.Path like r"%\\aswvmm.sys" or Image.Path like r"%\\bs\_i2c64.sys" or Image.Path like r"%\\1.sys" or Image.Path like r"%\\nchgbios2x64.sys" or Image.Path like 
r"%\\cpuz141.sys" or Image.Path like r"%\\segwindrvx64.sys" or Image.Path like r"%\\tdeio64.sys" or Image.Path like r"%\\ntiolib.sys" or Image.Path like r"%\\gtckmdfbs.sys" or Image.Path like r"%\\iomap64.sys" or Image.Path like r"%\\avalueio.sys" or Image.Path like r"%\\semav6msr.sys" or Image.Path like r"%\\lgdcatcher.sys" or Image.Path like r"%\\b.sys" or Image.Path like r"%\\hwdetectng.sys" or Image.Path like r"%\\nt4.sys" or Image.Path like r"%\\tgsafe.sys" or Image.Path like r"%\\mydrivers.sys" or Image.Path like r"%\\eneio64.sys" or Image.Path like r"%\\procexp.sys" or Image.Path like r"%\\viragt64.sys" or Image.Path like r"%\\fpcie2com.sys" or Image.Path like r"%\\lenovodiagnosticsdriver.sys" or Image.Path like r"%\\cp2x72c.sys" or Image.Path like r"%\\kerneld.amd64" or Image.Path like r"%\\bs\_def64.sys" or Image.Path like r"%\\piddrv.sys" or Image.Path like r"%\\amifldrv64.sys" or Image.Path like r"%\\cpuz\_x64.sys" or Image.Path like r"%\\proxy32.sys" or Image.Path like r"%\\wsdkd.sys" or Image.Path like r"%\\t8.sys" or Image.Path like r"%\\ucorew64.sys" or Image.Path like r"%\\atszio.sys" or Image.Path like r"%\\lmiinfo.sys" or Image.Path like r"%\\80.sys" or Image.Path like r"%\\nt3.sys" or Image.Path like r"%\\ngiodriver.sys" or Image.Path like r"%\\lv561av.sys" or Image.Path like r"%\\gpcidrv64.sys" or Image.Path like r"%\\fd3b7234419fafc9bdd533f48896ed73\_b816c5cd.sys" or Image.Path like r"%\\rtport.sys" or Image.Path like r"%\\full.sys" or Image.Path like r"%\\viragt.sys" or Image.Path like r"%\\fiddrv64.sys" or Image.Path like r"%\\cupfixerx64.sys" or Image.Path like r"%\\cpupress.sys" or Image.Path like r"%\\hwos2ec7x64.sys" or Image.Path like r"%\\driver7-x86-withoutdbg.sys" or Image.Path like r"%\\asrdrv10.sys" or Image.Path like r"%\\nvflsh64.sys" or Image.Path like r"%\\asrrapidstartdrv.sys" or Image.Path like r"%\\tmcomm.sys" or Image.Path like r"%\\wiseunlo.sys" or Image.Path like r"%\\rwdrv.sys" or Image.Path like r"%\\asio64.sys" or 
Image.Path like r"%\\nvoclock.sys" or Image.Path like r"%\\panio.sys" or Image.Path like r"%\\mtcbsv64.sys" or Image.Path like r"%\\amigendrv64.sys" or Image.Path like r"%\\capcom.sys" or Image.Path like r"%\\netflt.sys" or Image.Path like r"%\\phlashnt.sys" or Image.Path like r"%\\dbutil\_2\_3.sys" or Image.Path like r"%\\ni.sys" or Image.Path like r"%\\ntiolib\_x64.sys" or Image.Path like r"%\\atszio64.sys" or Image.Path like r"%\\lgcoretemp.sys" or Image.Path like r"%\\lha.sys" or Image.Path like r"%\\phymem64.sys" or Image.Path like r"%\\dbutildrv2.sys" or Image.Path like r"%\\asrdrv103.sys" or Image.Path like r"%\\rtcore64.sys" or Image.Path like r"%\\bs\_hwmio64\_w10.sys" or Image.Path like r"%\\ene.sys" or Image.Path like r"%\\winio64b.sys" or Image.Path like r"%\\piddrv64.sys" or Image.Path like r"%\\directio32.sys" or Image.Path like r"%\\monitor\_win10\_x64.sys" or Image.Path like r"%\\nt5.sys" or Image.Path like r"%\\asrsmartconnectdrv.sys" or Image.Path like r"%\\rtif.sys" or Image.Path like r"%\\atillk64.sys" or Image.Path like r"%\\directio.sys" or Image.Path like r"%\\asribdrv.sys" or Image.Path like r"%\\kfeco11x64.sys" or Image.Path like r"%\\citmdrv\_ia64.sys" or Image.Path like r"%\\sysdrv3s.sys" or Image.Path like r"%\\amp.sys" or Image.Path like r"%\\vboxdrv.sys" or Image.Path like r"%\\adv64drv.sys" or Image.Path like r"%\\hostnt.sys" or Image.Path like r"%\\phymem\_ext64.sys" or Image.Path like r"%\\echo\_driver.sys" or Image.Path like r"%\\winiodrv.sys" or Image.Path like r"%\\pdfwkrnl.sys" or Image.Path like r"%\\glckio2.sys" or Image.Path like r"%\\asrdrv106.sys" or Image.Path like r"%\\nscm.sys" or Image.Path like r"%\\bs\_rcio64.sys" or Image.Path like r"%\\ncpl.sys" or Image.Path like r"%\\sandra.sys" or Image.Path like r"%\\fiddrv.sys" or Image.Path like r"%\\hwrwdrv.sys" or Image.Path like r"%\\mhyprot.sys" or Image.Path like r"%\\asrsetupdrv103.sys" or Image.Path like r"%\\iqvw64.sys" or Image.Path like r"%\\b3.sys" or Image.Path 
like r"%\\ssport.sys" or Image.Path like r"%\\bs\_def.sys" or Image.Path like r"%\\computerz.sys" or Image.Path like r"%\\windows8-10-32.sys" or Image.Path like r"%\\nstrwsk.sys" or Image.Path like r"%\\lurker.sys" or Image.Path like r"%\\bsmemx64.sys" or Image.Path like r"%\\wyproxy64.sys" or Image.Path like r"%\\asio.sys" or Image.Path like r"%\\t3.sys" or Image.Path like r"%\\cpuz.sys" or Image.Path like r"%\\rtkio.sys" or Image.Path like r"%\\driver7-x64.sys" or Image.Path like r"%\\netfilterdrv.sys" or Image.Path like r"%\\ioaccess.sys" or Image.Path like r"%\\testbone.sys" or Image.Path like r"%\\gameink.sys" or Image.Path like r"%\\kevp64.sys" or Image.Path like r"%\\mhyprot2.sys" or Image.Path like r"%\\se64a.sys" or Image.Path like r"%\\vboxusb.sys" or Image.Path like r"%\\windows7-32.sys" or Image.Path like r"%\\vproeventmonitor.sys" or Image.Path like r"%\\winio64a.sys" or Image.Path like r"%\\asrdrv101.sys" or Image.Path like r"%\\netproxydriver.sys" or Image.Path like r"%\\elrawdsk.sys" or Image.Path like r"%\\zam64.sys" or Image.Path like r"%\\cg6kwin2k.sys" or Image.Path like r"%\\asupio.sys" or Image.Path like r"%\\stdcdrvws64.sys" or Image.Path like r"%\\81.sys" or Image.Path like r"%\\citmdrv\_amd64.sys" or Image.Path like r"%\\amdryzenmasterdriver.sys" or Image.Path like r"%\\vmdrv.sys" or Image.Path like r"%\\sysinfo.sys" or Image.Path like r"%\\alsysio64.sys" or Image.Path like r"%\\directio64.sys" or Image.Path like r"%\\rzpnk.sys" or Image.Path like r"%\\amdpowerprofiler.sys" or Image.Path like r"%\\truesight.sys" or Image.Path like r"%\\wirwadrv.sys" or Image.Path like r"%\\phymemx64.sys" or Image.Path like r"%\\msio64.sys" or Image.Path like r"%\\sepdrv3\_1.sys" or Image.Path like r"%\\gametersafe.sys" or Image.Path like r"%\\bs\_rcio.sys" or Image.Path like r"%\\d4.sys" or Image.Path like r"%\\t.sys" or Image.Path like r"%\\eio.sys" or Image.Path like r"%\\nt2.sys" or Image.Path like r"%\\winring0.sys" or Image.Path like r"%\\physmem.sys" 
or Image.Path like r"%\\libnicm.sys" or Image.Path like r"%\\msio32.sys" or Image.Path like r"%\\asrautochkupddrv.sys" or Image.Path like r"%\\asio32.sys" or Image.Path like r"%\\etdsupp.sys" or Image.Path like r"%\\smep\_namco.sys" or Image.Path like r"%\\bandai.sys" or Image.Path like r"%\\d2.sys" or Image.Path like r"%\\magdrvamd64.sys" or Image.Path like r"%\\nvflash.sys" or Image.Path like r"%\\goad.sys" or Image.Path like r"%\\proxy64.sys" or Image.Path like r"%\\amsdk.sys" or Image.Path like r"%\\kbdcap64.sys" or Image.Path like r"%\\vdbsv64.sys" or Image.Path like r"%\\pchunter.sys" or Image.Path like r"%\\sysconp.sys" or Image.Path like r"%\\dh\_kernel\_10.sys" or Image.Path like r"%\\msrhook.sys" or Image.Path like r"%\\bedaisy.sys" or Image.Path like r"%\\dcr.sys" or Image.Path like r"%\\panmonflt.sys" or Image.Path like r"%\\bsmixp64.sys" or Image.Path like r"%\\otipcibus.sys" or Image.Path like r"%\\fidpcidrv.sys" or Image.Path like r"%\\kfeco10x64.sys" or Image.Path like r"%\\asrdrv104.sys" or Image.Path like r"%\\c.sys" or Image.Path like r"%\\tdklib64.sys" or Image.Path like r"%\\bsmix64.sys" or Image.Path like r"%\\bs\_flash64.sys" or Image.Path like r"%\\stdcdrv64.sys" or Image.Path like r"%\\naldrv.sys" or Image.Path like r"%\\ctiio64.sys" or Image.Path like r"%\\bwrs.sys" or Image.Path like r"%\\nicm.sys" or Image.Path like r"%\\winio32b.sys" or Image.Path like r"%\\paniox64.sys" or Image.Path like r"%\\ecsiodriverx64.sys" or Image.Path like r"%\\iomem64.sys" or Image.Path like r"%\\fidpcidrv64.sys" or Image.Path like r"%\\aswarpot.sys" or Image.Path like r"%\\bs\_rciow1064.sys" or Image.Path like r"%\\asmio64.sys" or Image.Path like r"%\\openlibsys.sys" or Image.Path like r"%\\viraglt64.sys" or Image.Path like r"%\\dbk64.sys" or Image.Path like r"%\\t7.sys" or Image.Path like r"%\\atlaccess.sys" or Image.Path like r"%\\nbiolib\_x64.sys" or Image.Path like r"%\\smep\_capcom.sys" or Image.Path like r"%\\iqvw64e.sys" +Annotation = {"mitre_attack": 
["T1574.001", "T1574.002"], "author": "X__Junior"} +Query = Image.Path like r"%\\7za.dll" and not ((Process.Path like r"C:\\Program Files (x86)\\%" or Process.Path like r"C:\\Program Files\\%") and (Image.Path like r"C:\\Program Files (x86)\\%" or Image.Path like r"C:\\Program Files\\%")) GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects the export of the target Registry key to a file. -# Author: Oddvar Moe, Sander Wiebing, oscd.community -RuleId = f0e53e89-8d22-46ea-9db5-9d4796ee2f8a -RuleName = Exports Registry Key To a File +# Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files. +# Author: Eli Salem, Sander Wiebing, oscd.community +RuleId = 5f60740a-f57b-4e76-82a1-15b6ff2cb134 +RuleName = Registry Modification Via Regini.EXE EventType = Process.Start -Tag = proc-start-exports-registry-key-to-a-file +Tag = proc-start-registry-modification-via-regini.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1012"], "author": "Oddvar Moe, Sander Wiebing, oscd.community"} -Query = (Process.Path like r"%\\regedit.exe" or Process.Name == "REGEDIT.EXE") and (Process.CommandLine like r"% -E %" or Process.CommandLine like r"% /E %" or Process.CommandLine like r"% –E %" or Process.CommandLine like r"% —E %" or Process.CommandLine like r"% ―E %") and not ((Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like r"%\\security")) +Annotation = {"mitre_attack": ["T1112"], "author": "Eli Salem, Sander Wiebing, oscd.community"} +Query = (Process.Path like r"%\\regini.exe" or Process.Name == "REGINI.EXE") and not Process.CommandLine regex ":[^ \\\\]" [ThreatDetectionRule platform=Windows] -# Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools +# Detects the 
execution of a Sysinternals Tool via the creation of the "accepteula" registry key # Author: Markus Neis -RuleId = 7cccd811-7ae9-4ebe-9afd-cb5c406b824b -RuleName = Potential Execution of Sysinternals Tools -EventType = Process.Start -Tag = proc-start-potential-execution-of-sysinternals-tools +RuleId = 25ffa65d-76d8-4da5-a832-3f2b0136e133 +RuleName = PUA - Sysinternal Tool Execution - Registry +EventType = Reg.Any +Tag = pua-sysinternal-tool-execution-registry RiskScore = 25 Annotation = {"mitre_attack": ["T1588.002"], "author": "Markus Neis"} -Query = Process.CommandLine like r"% -accepteula%" or Process.CommandLine like r"% /accepteula%" or Process.CommandLine like r"% –accepteula%" or Process.CommandLine like r"% —accepteula%" or Process.CommandLine like r"% ―accepteula%" +Query = Reg.EventType == "CreateKey" and Reg.TargetObject like r"%\\EulaAccepted" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject +GenericProperty2 = Reg.EventType [ThreatDetectionRule platform=Windows] -# Detects execution of "tar.exe" in order to extract compressed file. -# Adversaries may abuse various utilities in order to decompress data to avoid detection. 
-# Author: AdmU3 -RuleId = bf361876-6620-407a-812f-bfe11e51e924 -RuleName = Compressed File Extraction Via Tar.EXE -EventType = Process.Start -Tag = proc-start-compressed-file-extraction-via-tar.exe +# Detects the creation of a new office macro files on the systems +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 91174a41-dc8f-401b-be89-7bfc140612a0 +RuleName = Office Macro File Creation +EventType = File.Create +Tag = office-macro-file-creation RiskScore = 25 -Annotation = {"mitre_attack": ["T1560", "T1560.001"], "author": "AdmU3"} -Query = (Process.Path like r"%\\tar.exe" or Process.Name == "bsdtar") and Process.CommandLine like r"%-x%" +Annotation = {"mitre_attack": ["T1566.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"%.docm" or File.Path like r"%.dotm" or File.Path like r"%.xlsm" or File.Path like r"%.xltm" or File.Path like r"%.potm" or File.Path like r"%.pptm" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration -# Author: yatinwad, TheDFIRReport -RuleId = 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b -RuleName = DNS Query To Ufile.io -EventType = Dns.Query -Tag = dns-query-to-ufile.io +# Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence. 
+# Author: frack113 +RuleId = 576426ad-0131-4001-ae01-be175da0c108 +RuleName = PowerShell Script Dropped Via PowerShell.EXE +EventType = File.Create +Tag = powershell-script-dropped-via-powershell.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1567.002"], "author": "yatinwad, TheDFIRReport"} -Query = Dns.QueryRequest like r"%ufile.io%" -GenericProperty1 = Dns.QueryRequest +Annotation = {"author": "frack113"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and File.Path like r"%.ps1" and not (File.Path like r"%\_\_PSScriptPolicyTest\_%" or File.Path like r"C:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Temp\\%" or File.Path like r"C:\\Windows\\Temp\\%") +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation -# Author: Florian Roth (Nextron Systems) -RuleId = e28a5a99-da44-436d-b7a0-2afc20a5f413 -RuleName = Whoami Utility Execution -EventType = Process.Start -Tag = proc-start-whoami-utility-execution +# Detects changes to the "MaxMpxCt" registry value. +# MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. +# Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 0e6a9e62-627e-496c-aef5-bfa39da29b5e +RuleName = MaxMpxCt Registry Value Changed +EventType = Reg.Any +Tag = maxmpxct-registry-value-changed RiskScore = 25 -Annotation = {"mitre_attack": ["T1033"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\whoami.exe" or Process.Name == "whoami.exe" +Annotation = {"mitre_attack": ["T1070.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\Services\\LanmanServer\\Parameters\\MaxMpxCt" +Hive = HKLM,HKU +GenericProperty1 = Reg.TargetObject [ThreatDetectionRule platform=Windows] -# Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session. -# Author: Muhammad Faisal (@faisalusuf) -RuleId = 882e858a-3233-4ba8-855e-2f3d3575803d -RuleName = DNS Query Request By QuickAssist.EXE -EventType = Dns.Query -Tag = dns-query-request-by-quickassist.exe +# Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = e36941d0-c0f0-443f-bc6f-cb2952eb69ea +RuleName = PowerShell Module File Created +EventType = File.Create +Tag = powershell-module-file-created RiskScore = 25 -Annotation = {"mitre_attack": ["T1071.001", "T1210"], "author": "Muhammad Faisal (@faisalusuf)"} -Query = Process.Path like r"%\\QuickAssist.exe" and Dns.QueryRequest like r"%remoteassistance.support.services.microsoft.com" -GenericProperty1 = Dns.QueryRequest +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (File.Path like r"%\\WindowsPowerShell\\Modules\\%" or File.Path like r"%\\PowerShell\\7\\Modules\\%") +GenericProperty1 = File.Path + + +[ThreatDetectionRule platform=Windows] +# Detects the execution of "wmic" with the "group" flag. 
+# Adversaries may attempt to find local system groups and permission settings. +# The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. +# Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. +# Author: frack113 +RuleId = 164eda96-11b2-430b-85ff-6a265c15bf32 +RuleName = Local Groups Reconnaissance Via Wmic.EXE +EventType = Process.Start +Tag = proc-start-local-groups-reconnaissance-via-wmic.exe +RiskScore = 25 +Annotation = {"mitre_attack": ["T1069.001"], "author": "frack113"} +Query = (Process.Path like r"%\\wmic.exe" or Process.Name == "wmic.exe") and Process.CommandLine like r"% group%" [ThreatDetectionRule platform=Windows] -# Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence -# Author: frack113 -RuleId = b1decb61-ed83-4339-8e95-53ea51901720 -RuleName = TeamViewer Log File Deleted -EventType = File.Delete -Tag = teamviewer-log-file-deleted +# Detects the command line executed when TeamViewer starts a session started by a remote host. +# Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. 
+# Author: Josh Nickels, Qi Nan +RuleId = ab70c354-d9ac-4e11-bbb6-ec8e3b153357 +RuleName = Remote Access Tool - Team Viewer Session Started On Windows Host +EventType = Process.Start +Tag = proc-start-remote-access-tool-team-viewer-session-started-on-windows-host RiskScore = 25 -Annotation = {"mitre_attack": ["T1070.004"], "author": "frack113"} -Query = File.Path like r"%\\TeamViewer\_%" and File.Path like r"%.log" and not Process.Path == "C:\\Windows\\system32\\svchost.exe" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1133"], "author": "Josh Nickels, Qi Nan"} +Query = Process.Path == "TeamViewer\_Desktop.exe" and Parent.Path == "TeamViewer\_Service.exe" and Process.CommandLine like r"%TeamViewer\_Desktop.exe --IPCport 5939 --Module 1" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the execution of "hh.exe" to open ".chm" files. -# Author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community -RuleId = 68c8acb4-1b60-4890-8e82-3ddf7a6dba84 -RuleName = HH.EXE Execution -EventType = Process.Start -Tag = proc-start-hh.exe-execution +# Detects the creation of files in a specific location by ScreenConnect RMM. +# ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution. +# Author: Ali Alwashali +RuleId = 0afecb6e-6223-4a82-99fb-bf5b981e92a5 +RuleName = Remote Access Tool - ScreenConnect Temporary File +EventType = File.Create +Tag = remote-access-tool-screenconnect-temporary-file RiskScore = 25 -Annotation = {"mitre_attack": ["T1218.001"], "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community"} -Query = (Process.Name == "HH.exe" or Process.Path like r"%\\hh.exe") and Process.CommandLine like r"%.chm%" +Annotation = {"mitre_attack": ["T1059.003"], "author": "Ali Alwashali"} +Query = Process.Path like r"%\\ScreenConnect.WindowsClient.exe" and File.Path like r"%\\Documents\\ConnectWiseControl\\Temp\\%" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. -# Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo -RuleId = 8218c875-90b9-42e2-b60d-0b0069816d10 -RuleName = PowerShell Script Execution Policy Enabled -EventType = Reg.Any -Tag = powershell-script-execution-policy-enabled +# Detects execution of "tar.exe" in order to create a compressed file. +# Adversaries may abuse various utilities to compress or encrypt data before exfiltration. +# Author: Nasreddine Bencherchali (Nextron Systems), AdmU3 +RuleId = 418a3163-3247-4b7b-9933-dcfcb7c52ea9 +RuleName = Compressed File Creation Via Tar.EXE +EventType = Process.Start +Tag = proc-start-compressed-file-creation-via-tar.exe RiskScore = 25 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Thurein Oo"} -Query = Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts" and Reg.Value.Data == "DWORD (0x00000001)" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1560", "T1560.001"], "author": "Nasreddine Bencherchali (Nextron Systems), AdmU3"} +Query = (Process.Path like r"%\\tar.exe" or Process.Name == "bsdtar") and (Process.CommandLine like r"%-c%" or Process.CommandLine like r"%-r%" or Process.CommandLine like r"%-u%") [ThreatDetectionRule platform=Windows] 
@@ -372,303 +472,248 @@ GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. -# An attacker can use this to authenticate to Azure AD in a browser as that user. -# Author: Den Iuzvyk -RuleId = 50f852e6-af22-4c78-9ede-42ef36aa3453 -RuleName = Potential Azure Browser SSO Abuse -EventType = Image.Load -Tag = potential-azure-browser-sso-abuse -RiskScore = 25 -Annotation = {"mitre_attack": ["T1574.002"], "author": "Den Iuzvyk"} -Query = Image.Path == "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%") and Process.Path like r"%\\BackgroundTaskHost.exe") and not ((Process.Path like r"C:\\Program Files\\Microsoft Visual Studio\\%" or Process.Path like r"C:\\Program Files (x86)\\Microsoft Visual Studio\\%") and Process.Path like r"%\\IDE\\devenv.exe" or Process.Path in ["C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe"] or Process.Path like r"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\%" or Process.Path like r"%\\WindowsApps\\MicrosoftEdge.exe" or Process.Path in ["C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"] or (Process.Path like r"C:\\Program Files (x86)\\Microsoft\\EdgeCore\\%" or Process.Path like r"C:\\Program Files\\Microsoft\\EdgeCore\\%") and (Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\msedgewebview2.exe") or Process.Path like r"%\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" or isnull(Process.Path)) -GenericProperty1 = Image.Path - - -[ThreatDetectionRule platform=Windows] -# Use of reg to 
get MachineGuid information +# Detects execution of the builtin "rmdir" command in order to delete directories. +# Adversaries may delete files left behind by the actions of their intrusion activity. +# Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. +# Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. # Author: frack113 -RuleId = f5240972-3938-4e56-8e4b-e33893176c1f -RuleName = Suspicious Query of MachineGUID +RuleId = 41ca393d-538c-408a-ac27-cf1e038be80c +RuleName = Directory Removal Via Rmdir EventType = Process.Start -Tag = proc-start-suspicious-query-of-machineguid +Tag = proc-start-directory-removal-via-rmdir RiskScore = 25 -Annotation = {"mitre_attack": ["T1082"], "author": "frack113"} -Query = Process.Path like r"%\\reg.exe" and Process.CommandLine like r"%SOFTWARE\\Microsoft\\Cryptography%" and Process.CommandLine like r"%/v %" and Process.CommandLine like r"%MachineGuid%" +Annotation = {"mitre_attack": ["T1070.004"], "author": "frack113"} +Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%rmdir%" and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%/q%") [ThreatDetectionRule platform=Windows] -# Detects usage of the "systeminfo" command to retrieve information -# Author: frack113 -RuleId = 0ef56343-059e-4cb6-adc1-4c3c967c5e46 -RuleName = Suspicious Execution of Systeminfo +# Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems +# Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' +RuleId = 0e4164da-94bc-450d-a7be-a4b176179f1f +RuleName = Firewall Configuration Discovery Via Netsh.EXE EventType = Process.Start -Tag = proc-start-suspicious-execution-of-systeminfo -RiskScore = 
25 -Annotation = {"mitre_attack": ["T1082"], "author": "frack113"} -Query = Process.Path like r"%\\systeminfo.exe" or Process.Name == "sysinfo.exe" - - -[ThreatDetectionRule platform=Windows] -# Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. -# This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. -# It could also be used for anti-analysis purposes by shut downing specific processes. -# Author: Luc Génaux -RuleId = 3669afd2-9891-4534-a626-e5cf03810a61 -RuleName = Load Of RstrtMgr.DLL By An Uncommon Process -EventType = Image.Load -Tag = load-of-rstrtmgr.dll-by-an-uncommon-process +Tag = proc-start-firewall-configuration-discovery-via-netsh.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1486", "T1562.001"], "author": "Luc G\u00e9naux"} -Query = (Image.Path like r"%\\RstrtMgr.dll" or Process.Name == "RstrtMgr.dll") and not (Process.Path like r"%:\\$WINDOWS.~BT\\%" or Process.Path like r"%:\\$WinREAgent\\%" or Process.Path like r"%:\\Program Files (x86)\\%" or Process.Path like r"%:\\Program Files\\%" or Process.Path like r"%:\\ProgramData\\%" or Process.Path like r"%:\\Windows\\explorer.exe%" or Process.Path like r"%:\\Windows\\SoftwareDistribution\\%" or Process.Path like r"%:\\Windows\\SysNative\\%" or Process.Path like r"%:\\Windows\\System32\\%" or Process.Path like r"%:\\Windows\\SysWOW64\\%" or Process.Path like r"%:\\Windows\\WinSxS\\%" or Process.Path like r"%:\\WUDownloadCache\\%" or Process.Path like r"%:\\Users\\%" and Process.Path like r"%\\AppData\\Local\\Temp\\is-%" and Process.Path like r"%.tmp\\%" and Process.Path like r"%.tmp" or Process.Path like r"%:\\Windows\\Temp\\%") -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1016"], "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'"} +Query = 
(Process.Path like r"%\\netsh.exe" or Process.Name == "netsh.exe") and Process.CommandLine like r"%netsh %" and Process.CommandLine like r"%show %" and Process.CommandLine like r"%firewall %" and (Process.CommandLine like r"%config %" or Process.CommandLine like r"%state %" or Process.CommandLine like r"%rule %" or Process.CommandLine like r"%name=all%") [ThreatDetectionRule platform=Windows] -# This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, -# Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP -# Author: frack113 -RuleId = 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160 -RuleName = PUA - Adidnsdump Execution +# Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. +# Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +RuleId = b243b280-65fe-48df-ba07-6ddea7646427 +RuleName = Discovery of a System Time EventType = Process.Start -Tag = proc-start-pua-adidnsdump-execution +Tag = proc-start-discovery-of-a-system-time RiskScore = 25 -Annotation = {"mitre_attack": ["T1018"], "author": "frack113"} -Query = Process.Path like r"%\\python.exe" and Process.CommandLine like r"%adidnsdump%" +Annotation = {"mitre_attack": ["T1124"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community"} +Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%time%" or Process.Path like r"%\\w32tm.exe" and Process.CommandLine like r"%tz%" [ThreatDetectionRule platform=Windows] -# Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM) +# Detects the registration of a new ODBC driver. 
# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 4f281b83-0200-4b34-bf35-d24687ea57c2 -RuleName = ETW Logging Disabled For SCM +RuleId = 3390fbef-c98d-4bdd-a863-d65ed7c610dd +RuleName = New ODBC Driver Registered EventType = Reg.Any -Tag = etw-logging-disabled-for-scm +Tag = new-odbc-driver-registered RiskScore = 25 -Annotation = {"mitre_attack": ["T1112", "T1562"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%Software\\Microsoft\\Windows NT\\CurrentVersion\\Tracing\\SCM\\Regular\\TracingDisabled" and Reg.Value.Data == "DWORD (0x00000001)" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Reg.TargetObject like r"%\\SOFTWARE\\ODBC\\ODBCINST.INI\\%" and Reg.TargetObject like r"%\\Driver" and not (Reg.TargetObject like r"%\\SQL Server\\%" and Reg.Value.Data == "\%WINDIR\%\\System32\\SQLSRV32.dll") and not (Reg.TargetObject like r"%\\Microsoft Access %" and Reg.Value.Data like r"C:\\Progra%" and Reg.Value.Data like r"%\\ACEODBC.DLL" or Reg.TargetObject like r"%\\Microsoft Excel Driver%" and Reg.Value.Data like r"C:\\Progra%" and Reg.Value.Data like r"%\\ACEODBC.DLL") Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag. 
-# Author: Endgame, JHasenbusch (ported for oscd.community) -RuleId = 62510e69-616b-4078-b371-847da438cc03 -RuleName = Share And Session Enumeration Using Net.EXE -EventType = Process.Start -Tag = proc-start-share-and-session-enumeration-using-net.exe -RiskScore = 25 -Annotation = {"mitre_attack": ["T1018"], "author": "Endgame, JHasenbusch (ported for oscd.community)"} -Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and Process.CommandLine like r"%view%" and not Process.CommandLine like r"%\\\\%" - - -[ThreatDetectionRule platform=Windows] -# Detects DNS server discovery via LDAP query requests from uncommon applications -# Author: frack113 -RuleId = a21bcd7e-38ec-49ad-b69a-9ea17e69509e -RuleName = DNS Server Discovery Via LDAP Query -EventType = Dns.Query -Tag = dns-server-discovery-via-ldap-query -RiskScore = 25 -Annotation = {"mitre_attack": ["T1482"], "author": "frack113"} -Query = Dns.QueryRequest like r"\_ldap.%" and not (Process.Path like r"%:\\Program Files\\%" or Process.Path like r"%:\\Program Files (x86)\\%" or Process.Path like r"%:\\Windows\\%" or Process.Path like r"%:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\%" and Process.Path like r"%\\MsMpEng.exe" or Process.Path == "" or isnull(Process.Path)) and not (Process.Path like r"C:\\WindowsAzure\\GuestAgent%" or Process.Path like r"%\\chrome.exe" or Process.Path like r"%\\firefox.exe" or Process.Path like r"%\\opera.exe") -GenericProperty1 = Dns.QueryRequest - - -[ThreatDetectionRule platform=Windows] -# Detects the creation of scheduled tasks by user accounts via the "schtasks" utility. 
+# Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation # Author: Florian Roth (Nextron Systems) -RuleId = 92626ddd-662c-49e3-ac59-f6535f12d189 -RuleName = Scheduled Task Creation Via Schtasks.EXE +RuleId = e28a5a99-da44-436d-b7a0-2afc20a5f413 +RuleName = Whoami Utility Execution EventType = Process.Start -Tag = proc-start-scheduled-task-creation-via-schtasks.exe +Tag = proc-start-whoami-utility-execution RiskScore = 25 -Annotation = {"mitre_attack": ["T1053.005"], "author": "Florian Roth (Nextron Systems)"} -Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %" and not (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") -GenericProperty1 = Process.User +Annotation = {"mitre_attack": ["T1033"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\whoami.exe" or Process.Name == "whoami.exe" [ThreatDetectionRule platform=Windows] -# Local accounts, System Owner/User discovery using operating systems utilities -# Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community -RuleId = 502b42de-4306-40b4-9596-6f590c81f073 -RuleName = Local Accounts Discovery +# Detects the export of the target Registry key to a file. 
+# Author: Oddvar Moe, Sander Wiebing, oscd.community +RuleId = f0e53e89-8d22-46ea-9db5-9d4796ee2f8a +RuleName = Exports Registry Key To a File EventType = Process.Start -Tag = proc-start-local-accounts-discovery +Tag = proc-start-exports-registry-key-to-a-file RiskScore = 25 -Annotation = {"mitre_attack": ["T1033", "T1087.001"], "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community"} -Query = Process.Path like r"%\\cmd.exe" and Process.CommandLine like r"% /c%" and Process.CommandLine like r"%dir %" and Process.CommandLine like r"%\\Users\\%" and not Process.CommandLine like r"% rmdir %" or (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%user%" and not (Process.CommandLine like r"%/domain%" or Process.CommandLine like r"%/add%" or Process.CommandLine like r"%/delete%" or Process.CommandLine like r"%/active%" or Process.CommandLine like r"%/expires%" or Process.CommandLine like r"%/passwordreq%" or Process.CommandLine like r"%/scriptpath%" or Process.CommandLine like r"%/times%" or Process.CommandLine like r"%/workstations%") or Process.Path like r"%\\whoami.exe" or Process.Path like r"%\\quser.exe" or Process.Path like r"%\\qwinsta.exe" or Process.Path like r"%\\wmic.exe" and Process.CommandLine like r"%useraccount%" and Process.CommandLine like r"%get%" or Process.Path like r"%\\cmdkey.exe" and Process.CommandLine like r"% /l%" +Annotation = {"mitre_attack": ["T1012"], "author": "Oddvar Moe, Sander Wiebing, oscd.community"} +Query = (Process.Path like r"%\\regedit.exe" or Process.Name == "REGEDIT.EXE") and (Process.CommandLine like r"% -E %" or Process.CommandLine like r"% /E %" or Process.CommandLine like r"% –E %" or Process.CommandLine like r"% —E %" or Process.CommandLine like r"% ―E %") and not ((Process.CommandLine like r"%hklm%" or Process.CommandLine like r"%hkey\_local\_machine%") and (Process.CommandLine like r"%\\system" or Process.CommandLine like r"%\\sam" or Process.CommandLine like 
r"%\\security")) [ThreatDetectionRule platform=Windows] -# Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2" -# Author: Gavin Knapp -RuleId = 7e9cf7b6-e827-11ed-a05b-15959c120003 -RuleName = Potentially Suspicious Network Connection To Notion API -EventType = Net.Any -Tag = potentially-suspicious-network-connection-to-notion-api +# Detects creation of a file named "ntds.dit" (Active Directory Database) +# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 0b8baa3f-575c-46ee-8715-d6f28cc7d33c +RuleName = NTDS.DIT Created +EventType = File.Create +Tag = ntds.dit-created RiskScore = 25 -Annotation = {"mitre_attack": ["T1102"], "author": "Gavin Knapp"} -Query = Net.Target.Name like r"%api.notion.com%" and not (Process.Path like r"%\\AppData\\Local\\Programs\\Notion\\Notion.exe" or Process.Path like r"%\\brave.exe" or Process.Path in ["C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"] or Process.Path in ["C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"] or Process.Path in ["C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe"] or Process.Path like r"%\\maxthon.exe" or Process.Path like r"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\%" or Process.Path like r"%\\WindowsApps\\MicrosoftEdge.exe" or Process.Path in ["C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"] or (Process.Path like r"C:\\Program Files (x86)\\Microsoft\\EdgeCore\\%" or Process.Path like r"C:\\Program Files\\Microsoft\\EdgeCore\\%") and (Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\msedgewebview2.exe") or Process.Path like r"%\\opera.exe" or Process.Path like r"%\\safari.exe" or Process.Path 
like r"%\\seamonkey.exe" or Process.Path like r"%\\vivaldi.exe" or Process.Path like r"%\\whale.exe") -GenericProperty1 = Net.Target.Name +Annotation = {"mitre_attack": ["T1003.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = File.Path like r"%ntds.dit" +GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Detect suspicious parent processes of well-known Windows processes -# Author: vburov -RuleId = 96036718-71cc-4027-a538-d1587e0006a7 -RuleName = Windows Processes Suspicious Parent Directory +# Detects the usage of the "net.exe" command to start a service using the "start" flag +# Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community +RuleId = 2a072a96-a086-49fa-bcb5-15cc5a619093 +RuleName = Start Windows Service Via Net.EXE EventType = Process.Start -Tag = proc-start-windows-processes-suspicious-parent-directory +Tag = proc-start-start-windows-service-via-net.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1036.003", "T1036.005"], "author": "vburov"} -Query = (Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\taskhost.exe" or Process.Path like r"%\\lsm.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\services.exe" or Process.Path like r"%\\lsaiso.exe" or Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\winlogon.exe") and not (Parent.Path like r"%\\SavService.exe" or Parent.Path like r"%\\ngen.exe" or Parent.Path like r"%\\System32\\%" or Parent.Path like r"%\\SysWOW64\\%" or (Parent.Path like r"%\\Windows Defender\\%" or Parent.Path like r"%\\Microsoft Security Client\\%") and Parent.Path like r"%\\MsMpEng.exe" or isnull(Parent.Path) or Parent.Path == "-") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1569.002"], "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community"} +Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and 
Process.CommandLine like r"% start %" [ThreatDetectionRule platform=Windows] -# Adversaries may enumerate browser bookmarks to learn more about compromised hosts. -# Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about -# internal network resources such as servers, tools/dashboards, or other related infrastructure. -# Author: frack113, Nasreddine Bencherchali (Nextron Systems) -RuleId = 725a9768-0f5e-4cb3-aec2-bc5719c6831a -RuleName = Suspicious Where Execution +# Detects execution of the builtin "del"/"erase" commands in order to delete files. +# Adversaries may delete files left behind by the actions of their intrusion activity. +# Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. +# Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. 
+# Author: frack113 +RuleId = 379fa130-190e-4c3f-b7bc-6c8e834485f3 +RuleName = File Deletion Via Del EventType = Process.Start -Tag = proc-start-suspicious-where-execution +Tag = proc-start-file-deletion-via-del RiskScore = 25 -Annotation = {"mitre_attack": ["T1217"], "author": "frack113, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\where.exe" or Process.Name == "where.exe") and (Process.CommandLine like r"%places.sqlite%" or Process.CommandLine like r"%cookies.sqlite%" or Process.CommandLine like r"%formhistory.sqlite%" or Process.CommandLine like r"%logins.json%" or Process.CommandLine like r"%key4.db%" or Process.CommandLine like r"%key3.db%" or Process.CommandLine like r"%sessionstore.jsonlz4%" or Process.CommandLine like r"%History%" or Process.CommandLine like r"%Bookmarks%" or Process.CommandLine like r"%Cookies%" or Process.CommandLine like r"%Login Data%") +Annotation = {"mitre_attack": ["T1070.004"], "author": "frack113"} +Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and (Process.CommandLine like r"%del %" or Process.CommandLine like r"%erase %") and (Process.CommandLine like r"% -f%" or Process.CommandLine like r"% /f%" or Process.CommandLine like r"% –f%" or Process.CommandLine like r"% —f%" or Process.CommandLine like r"% ―f%" or Process.CommandLine like r"% -s%" or Process.CommandLine like r"% /s%" or Process.CommandLine like r"% –s%" or Process.CommandLine like r"% —s%" or Process.CommandLine like r"% ―s%" or Process.CommandLine like r"% -q%" or Process.CommandLine like r"% /q%" or Process.CommandLine like r"% –q%" or Process.CommandLine like r"% —q%" or Process.CommandLine like r"% ―q%") [ThreatDetectionRule platform=Windows] -# Detects potential DLL sideloading of "7za.dll" -# Author: X__Junior -RuleId = 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57 -RuleName = Potential 7za.DLL Sideloading -EventType = Image.Load -Tag = potential-7za.dll-sideloading +# Detects usage of "rar" to add files to an 
archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. +# Author: Timur Zinniatullin, E.M. Anhaus, oscd.community +RuleId = 6f3e2987-db24-4c78-a860-b4f4095a7095 +RuleName = Files Added To An Archive Using Rar.EXE +EventType = Process.Start +Tag = proc-start-files-added-to-an-archive-using-rar.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1574.001", "T1574.002"], "author": "X__Junior"} -Query = Image.Path like r"%\\7za.dll" and not ((Process.Path like r"C:\\Program Files (x86)\\%" or Process.Path like r"C:\\Program Files\\%") and (Image.Path like r"C:\\Program Files (x86)\\%" or Image.Path like r"C:\\Program Files\\%")) -GenericProperty1 = Image.Path +Annotation = {"mitre_attack": ["T1560.001"], "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community"} +Query = Process.Path like r"%\\rar.exe" and Process.CommandLine like r"% a %" [ThreatDetectionRule platform=Windows] -# Detects the creation of a new service using the "sc.exe" utility. -# Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community -RuleId = 85ff530b-261d-48c6-a441-facaa2e81e48 -RuleName = New Service Creation Using Sc.EXE -EventType = Process.Start -Tag = proc-start-new-service-creation-using-sc.exe +# Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. +# When the OneLaunch application is installed it will attempt to get updates from this domain. 
+# Author: Josh Nickels +RuleId = df68f791-ad95-447f-a271-640a0dab9cf8 +RuleName = DNS Query Request To OneLaunch Update Service +EventType = Dns.Query +Tag = dns-query-request-to-onelaunch-update-service RiskScore = 25 -Annotation = {"mitre_attack": ["T1543.003"], "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community"} -Query = Process.Path like r"%\\sc.exe" and Process.CommandLine like r"%create%" and Process.CommandLine like r"%binPath%" +Annotation = {"mitre_attack": ["T1056"], "author": "Josh Nickels"} +Query = Dns.QueryRequest == "update.onelaunch.com" and Process.Path like r"%\\OneLaunch.exe" +GenericProperty1 = Dns.QueryRequest [ThreatDetectionRule platform=Windows] -# Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key -# Author: Markus Neis -RuleId = 25ffa65d-76d8-4da5-a832-3f2b0136e133 -RuleName = PUA - Sysinternal Tool Execution - Registry +# Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. +# Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo +RuleId = 8218c875-90b9-42e2-b60d-0b0069816d10 +RuleName = PowerShell Script Execution Policy Enabled EventType = Reg.Any -Tag = pua-sysinternal-tool-execution-registry +Tag = powershell-script-execution-policy-enabled RiskScore = 25 -Annotation = {"mitre_attack": ["T1588.002"], "author": "Markus Neis"} -Query = Reg.EventType == "CreateKey" and Reg.TargetObject like r"%\\EulaAccepted" +Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems), Thurein Oo"} +Query = Reg.TargetObject like r"%\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts" and Reg.Value.Data == "DWORD (0x00000001)" Hive = HKLM,HKU GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.EventType +GenericProperty2 = Reg.Value.Data [ThreatDetectionRule platform=Windows] -# Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". 
This utility can be used by attackers to gain remote access. -# Author: Muhammad Faisal (@faisalusuf) -RuleId = e20b5b14-ce93-4230-88af-981983ef6e74 -RuleName = QuickAssist Execution +# Detects usage of the "systeminfo" command to retrieve information +# Author: frack113 +RuleId = 0ef56343-059e-4cb6-adc1-4c3c967c5e46 +RuleName = Suspicious Execution of Systeminfo EventType = Process.Start -Tag = proc-start-quickassist-execution +Tag = proc-start-suspicious-execution-of-systeminfo RiskScore = 25 -Annotation = {"mitre_attack": ["T1219"], "author": "Muhammad Faisal (@faisalusuf)"} -Query = Process.Path like r"%\\QuickAssist.exe" +Annotation = {"mitre_attack": ["T1082"], "author": "frack113"} +Query = Process.Path like r"%\\systeminfo.exe" or Process.Name == "sysinfo.exe" [ThreatDetectionRule platform=Windows] -# Detects the execution of a system command via the ScreenConnect RMM service. -# Author: Ali Alwashali -RuleId = b1f73849-6329-4069-bc8f-78a604bb8b23 -RuleName = Remote Access Tool - ScreenConnect Remote Command Execution +# Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files. 
+# Author: frack113 +RuleId = b4dc61f5-6cce-468e-a608-b48b469feaa2 +RuleName = DirLister Execution EventType = Process.Start -Tag = proc-start-remote-access-tool-screenconnect-remote-command-execution +Tag = proc-start-dirlister-execution RiskScore = 25 -Annotation = {"mitre_attack": ["T1059.003"], "author": "Ali Alwashali"} -Query = Parent.Path like r"%\\ScreenConnect.ClientService.exe" and (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%\\TEMP\\ScreenConnect\\%" -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1083"], "author": "frack113"} +Query = Process.Name == "DirLister.exe" or Process.Path like r"%\\dirlister.exe" [ThreatDetectionRule platform=Windows] -# Detects execution of the builtin "del"/"erase" commands in order to delete files. -# Adversaries may delete files left behind by the actions of their intrusion activity. -# Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. -# Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. -# Author: frack113 -RuleId = 379fa130-190e-4c3f-b7bc-6c8e834485f3 -RuleName = File Deletion Via Del +# Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag. 
+# Author: Endgame, JHasenbusch (ported for oscd.community) +RuleId = 62510e69-616b-4078-b371-847da438cc03 +RuleName = Share And Session Enumeration Using Net.EXE EventType = Process.Start -Tag = proc-start-file-deletion-via-del +Tag = proc-start-share-and-session-enumeration-using-net.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1070.004"], "author": "frack113"} -Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and (Process.CommandLine like r"%del %" or Process.CommandLine like r"%erase %") and (Process.CommandLine like r"% -f%" or Process.CommandLine like r"% /f%" or Process.CommandLine like r"% –f%" or Process.CommandLine like r"% —f%" or Process.CommandLine like r"% ―f%" or Process.CommandLine like r"% -s%" or Process.CommandLine like r"% /s%" or Process.CommandLine like r"% –s%" or Process.CommandLine like r"% —s%" or Process.CommandLine like r"% ―s%" or Process.CommandLine like r"% -q%" or Process.CommandLine like r"% /q%" or Process.CommandLine like r"% –q%" or Process.CommandLine like r"% —q%" or Process.CommandLine like r"% ―q%") +Annotation = {"mitre_attack": ["T1018"], "author": "Endgame, JHasenbusch (ported for oscd.community)"} +Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and Process.CommandLine like r"%view%" and not Process.CommandLine like r"%\\\\%" [ThreatDetectionRule platform=Windows] -# Detects creation of a file named "ntds.dit" (Active Directory Database) -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 0b8baa3f-575c-46ee-8715-d6f28cc7d33c -RuleName = NTDS.DIT Created -EventType = File.Create -Tag = ntds.dit-created +# Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories. 
+# Author: frack113 +RuleId = 7c9340a9-e2ee-4e43-94c5-c54ebbea1006 +RuleName = File And SubFolder Enumeration Via Dir Command +EventType = Process.Start +Tag = proc-start-file-and-subfolder-enumeration-via-dir-command RiskScore = 25 -Annotation = {"mitre_attack": ["T1003.003"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path like r"%ntds.dit" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1217"], "author": "frack113"} +Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and (Process.CommandLine like r"%dir%-s%" or Process.CommandLine like r"%dir%/s%" or Process.CommandLine like r"%dir%–s%" or Process.CommandLine like r"%dir%—s%" or Process.CommandLine like r"%dir%―s%") [ThreatDetectionRule platform=Windows] -# Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service" -# Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) -RuleId = c49c5062-0966-4170-9efd-9968c913a6cf -RuleName = Stop Windows Service Via PowerShell Stop-Service +# Detects the creation of a process via the Windows task manager. 
This might be an attempt to bypass UAC +# Author: Florian Roth (Nextron Systems) +RuleId = 3d7679bd-0c00-440c-97b0-3f204273e6c7 +RuleName = New Process Created Via Taskmgr.EXE EventType = Process.Start -Tag = proc-start-stop-windows-service-via-powershell-stop-service +Tag = proc-start-new-process-created-via-taskmgr.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1489"], "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Name in ["PowerShell.EXE", "pwsh.dll"] or Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and Process.CommandLine like r"%Stop-Service %" +Annotation = {"mitre_attack": ["T1036"], "author": "Florian Roth (Nextron Systems)"} +Query = Parent.Path like r"%\\taskmgr.exe" and not (Process.Path like r"%:\\Windows\\System32\\mmc.exe" or Process.Path like r"%:\\Windows\\System32\\resmon.exe" or Process.Path like r"%:\\Windows\\System32\\Taskmgr.exe") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Attackers may leverage fsutil to enumerated connected drives. 
-# Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' -RuleId = 63de06b9-a385-40b5-8b32-73f2b9ef84b6 -RuleName = Fsutil Drive Enumeration +# Detects nltest commands that can be used for information discovery +# Author: Arun Chauhan +RuleId = 903076ff-f442-475a-b667-4f246bcc203b +RuleName = Nltest.EXE Execution EventType = Process.Start -Tag = proc-start-fsutil-drive-enumeration +Tag = proc-start-nltest.exe-execution RiskScore = 25 -Annotation = {"mitre_attack": ["T1120"], "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'"} -Query = (Process.Path like r"%\\fsutil.exe" or Process.Name == "fsutil.exe") and Process.CommandLine like r"%drives%" +Annotation = {"mitre_attack": ["T1016", "T1018", "T1482"], "author": "Arun Chauhan"} +Query = Process.Path like r"%\\nltest.exe" or Process.Name == "nltestrk.exe" [ThreatDetectionRule platform=Windows] -# Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files. 
-# Author: Eli Salem, Sander Wiebing, oscd.community -RuleId = 5f60740a-f57b-4e76-82a1-15b6ff2cb134 -RuleName = Registry Modification Via Regini.EXE +# Detects potential RDP connection via Mstsc using a local ".rdp" file +# Author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock +RuleId = 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af +RuleName = Mstsc.EXE Execution With Local RDP File EventType = Process.Start -Tag = proc-start-registry-modification-via-regini.exe +Tag = proc-start-mstsc.exe-execution-with-local-rdp-file RiskScore = 25 -Annotation = {"mitre_attack": ["T1112"], "author": "Eli Salem, Sander Wiebing, oscd.community"} -Query = (Process.Path like r"%\\regini.exe" or Process.Name == "REGINI.EXE") and not Process.CommandLine regex ":[^ \\\\]" +Annotation = {"mitre_attack": ["T1219"], "author": "Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock"} +Query = (Process.Path like r"%\\mstsc.exe" or Process.Name == "mstsc.exe") and (Process.CommandLine like r"%.rdp" or Process.CommandLine like r"%.rdp\"") and not (Parent.Path == "C:\\Windows\\System32\\lxss\\wslhost.exe" and Process.CommandLine like r"%C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp%") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] 
@@ -687,29 +732,15 @@ GenericProperty1 = File.Path [ThreatDetectionRule platform=Windows] -# Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces -# Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe -# Author: Agro (@agro_sev) oscd.community -RuleId = 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b -RuleName = Malicious Windows Script Components File Execution by TAEF Detection -EventType = Process.Start -Tag = proc-start-malicious-windows-script-components-file-execution-by-taef-detection -RiskScore = 25 -Annotation = {"mitre_attack": ["T1218"], "author": "Agro (@agro_sev) oscd.community"} -Query = Process.Path like r"%\\te.exe" or Parent.Path like r"%\\te.exe" or Process.Name == "\\te.exe" -GenericProperty1 = Parent.Path - - -[ThreatDetectionRule platform=Windows] -# Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM. -# Author: Janantha Marasinghe -RuleId = bab049ca-7471-4828-9024-38279a4c04da -RuleName = Detect Virtualbox Driver Installation OR Starting Of VMs +# Detects the creation of a new service using powershell. 
+# Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community +RuleId = c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 +RuleName = New Service Creation Using PowerShell EventType = Process.Start -Tag = proc-start-detect-virtualbox-driver-installation-or-starting-of-vms +Tag = proc-start-new-service-creation-using-powershell RiskScore = 25 -Annotation = {"mitre_attack": ["T1564.006", "T1564"], "author": "Janantha Marasinghe"} -Query = Process.CommandLine like r"%VBoxRT.dll,RTR3Init%" or Process.CommandLine like r"%VBoxC.dll%" or Process.CommandLine like r"%VBoxDrv.sys%" or Process.CommandLine like r"%startvm%" or Process.CommandLine like r"%controlvm%" +Annotation = {"mitre_attack": ["T1543.003"], "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community"} +Query = Process.CommandLine like r"%New-Service%" and Process.CommandLine like r"%-BinaryPathName%" [ThreatDetectionRule platform=Windows] 
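Review bot: The rule added at the end of this hunk selects on command line only, `Query = Process.CommandLine like r"%New-Service%" and Process.CommandLine like r"%-BinaryPathName%"`, with no `Process.Path` or `Process.Name` constraint, so any process carrying those two strings on its command line raises it at RiskScore 25, not just powershell.exe/pwsh.exe as the sibling Net.EXE and PowerShell rules in this file do. If the converter is mirroring the upstream Sigma rule faithfully, that is where a host-process selector belongs; otherwise adding `and (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe")` would bring it in line with the other PowerShell rules nearby. Separately, the TAEF rule removed here is re-added unchanged in the @@ -753 hunk further down, and the diffstat shows identical insertion and deletion counts, which suggests the generator's emit order is not stable; sorting rules by RuleId before writing the .conf would make a regeneration like this show only real rule changes.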
@@ -724,22 +755,6 @@ Annotation = {"mitre_attack": ["T1082"], "author": "frack113"} Query = Process.Path like r"%\\HOSTNAME.EXE" -[ThreatDetectionRule platform=Windows] -# Detects changes to the "MaxMpxCt" registry value. -# MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. -# Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 0e6a9e62-627e-496c-aef5-bfa39da29b5e -RuleName = MaxMpxCt Registry Value Changed -EventType = Reg.Any -Tag = maxmpxct-registry-value-changed -RiskScore = 25 -Annotation = {"mitre_attack": ["T1070.005"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\Services\\LanmanServer\\Parameters\\MaxMpxCt" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject - - [ThreatDetectionRule platform=Windows] # Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation # Author: oscd.community, @redcanary, Zach Stanford @svch0st 
@@ -753,182 +768,157 @@ Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or [ThreatDetectionRule platform=Windows] -# Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. -# Author: Timur Zinniatullin, E.M. Anhaus, oscd.community -RuleId = 6f3e2987-db24-4c78-a860-b4f4095a7095 -RuleName = Files Added To An Archive Using Rar.EXE -EventType = Process.Start -Tag = proc-start-files-added-to-an-archive-using-rar.exe -RiskScore = 25 -Annotation = {"mitre_attack": ["T1560.001"], "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community"} -Query = Process.Path like r"%\\rar.exe" and Process.CommandLine like r"% a %" - - -[ThreatDetectionRule platform=Windows] -# Detects nltest commands that can be used for information discovery -# Author: Arun Chauhan -RuleId = 903076ff-f442-475a-b667-4f246bcc203b -RuleName = Nltest.EXE Execution +# Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools +# Author: Markus Neis +RuleId = 7cccd811-7ae9-4ebe-9afd-cb5c406b824b +RuleName = Potential Execution of Sysinternals Tools EventType = Process.Start -Tag = proc-start-nltest.exe-execution -RiskScore = 25 -Annotation = {"mitre_attack": ["T1016", "T1018", "T1482"], "author": "Arun Chauhan"} -Query = Process.Path like r"%\\nltest.exe" or Process.Name == "nltestrk.exe" - - -[ThreatDetectionRule platform=Windows] -# Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. 
-# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = e36941d0-c0f0-443f-bc6f-cb2952eb69ea -RuleName = PowerShell Module File Created -EventType = File.Create -Tag = powershell-module-file-created +Tag = proc-start-potential-execution-of-sysinternals-tools RiskScore = 25 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and (File.Path like r"%\\WindowsPowerShell\\Modules\\%" or File.Path like r"%\\PowerShell\\7\\Modules\\%") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1588.002"], "author": "Markus Neis"} +Query = Process.CommandLine like r"% -accepteula%" or Process.CommandLine like r"% /accepteula%" or Process.CommandLine like r"% –accepteula%" or Process.CommandLine like r"% —accepteula%" or Process.CommandLine like r"% ―accepteula%" [ThreatDetectionRule platform=Windows] -# Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files. 
-# Author: frack113 -RuleId = b4dc61f5-6cce-468e-a608-b48b469feaa2 -RuleName = DirLister Execution -EventType = Process.Start -Tag = proc-start-dirlister-execution +# Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration +# Author: yatinwad, TheDFIRReport +RuleId = 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b +RuleName = DNS Query To Ufile.io +EventType = Dns.Query +Tag = dns-query-to-ufile.io RiskScore = 25 -Annotation = {"mitre_attack": ["T1083"], "author": "frack113"} -Query = Process.Name == "DirLister.exe" or Process.Path like r"%\\dirlister.exe" +Annotation = {"mitre_attack": ["T1567.002"], "author": "yatinwad, TheDFIRReport"} +Query = Dns.QueryRequest like r"%ufile.io%" +GenericProperty1 = Dns.QueryRequest [ThreatDetectionRule platform=Windows] -# Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications. -# Author: frack113 -RuleId = ddeff553-5233-4ae9-bbab-d64d2bd634be -RuleName = Data Copied To Clipboard Via Clip.EXE -EventType = Process.Start -Tag = proc-start-data-copied-to-clipboard-via-clip.exe +# Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. +# An attacker can use this to authenticate to Azure AD in a browser as that user. 
+# Author: Den Iuzvyk +RuleId = 50f852e6-af22-4c78-9ede-42ef36aa3453 +RuleName = Potential Azure Browser SSO Abuse +EventType = Image.Load +Tag = potential-azure-browser-sso-abuse RiskScore = 25 -Annotation = {"mitre_attack": ["T1115"], "author": "frack113"} -Query = Process.Path like r"%\\clip.exe" or Process.Name == "clip.exe" +Annotation = {"mitre_attack": ["T1574.002"], "author": "Den Iuzvyk"} +Query = Image.Path == "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and not ((Process.Path like r"C:\\Windows\\System32\\%" or Process.Path like r"C:\\Windows\\SysWOW64\\%") and Process.Path like r"%\\BackgroundTaskHost.exe") and not ((Process.Path like r"C:\\Program Files\\Microsoft Visual Studio\\%" or Process.Path like r"C:\\Program Files (x86)\\Microsoft Visual Studio\\%") and Process.Path like r"%\\IDE\\devenv.exe" or Process.Path in ["C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe"] or Process.Path like r"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\%" or Process.Path like r"%\\WindowsApps\\MicrosoftEdge.exe" or Process.Path in ["C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"] or (Process.Path like r"C:\\Program Files (x86)\\Microsoft\\EdgeCore\\%" or Process.Path like r"C:\\Program Files\\Microsoft\\EdgeCore\\%") and (Process.Path like r"%\\msedge.exe" or Process.Path like r"%\\msedgewebview2.exe") or Process.Path like r"%\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" or isnull(Process.Path)) +GenericProperty1 = Image.Path [ThreatDetectionRule platform=Windows] -# Detects potential RDP connection via Mstsc using a local ".rdp" file -# Author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock -RuleId = 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af -RuleName = Mstsc.EXE Execution With Local RDP File +# Detects execution of "tar.exe" in order to extract compressed 
file. +# Adversaries may abuse various utilities in order to decompress data to avoid detection. +# Author: AdmU3 +RuleId = bf361876-6620-407a-812f-bfe11e51e924 +RuleName = Compressed File Extraction Via Tar.EXE EventType = Process.Start -Tag = proc-start-mstsc.exe-execution-with-local-rdp-file +Tag = proc-start-compressed-file-extraction-via-tar.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1219"], "author": "Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock"} -Query = (Process.Path like r"%\\mstsc.exe" or Process.Name == "mstsc.exe") and (Process.CommandLine like r"%.rdp" or Process.CommandLine like r"%.rdp\"") and not (Parent.Path == "C:\\Windows\\System32\\lxss\\wslhost.exe" and Process.CommandLine like r"%C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp%") -GenericProperty1 = Parent.Path +Annotation = {"mitre_attack": ["T1560", "T1560.001"], "author": "AdmU3"} +Query = (Process.Path like r"%\\tar.exe" or Process.Name == "bsdtar") and Process.CommandLine like r"%-x%" [ThreatDetectionRule platform=Windows] -# Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. -# When the OneLaunch application is installed it will attempt to get updates from this domain. 
-# Author: Josh Nickels -RuleId = df68f791-ad95-447f-a271-640a0dab9cf8 -RuleName = DNS Query Request To OneLaunch Update Service -EventType = Dns.Query -Tag = dns-query-request-to-onelaunch-update-service +# Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems +# Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' +RuleId = a29c1813-ab1f-4dde-b489-330b952e91ae +RuleName = Suspicious Network Command +EventType = Process.Start +Tag = proc-start-suspicious-network-command RiskScore = 25 -Annotation = {"mitre_attack": ["T1056"], "author": "Josh Nickels"} -Query = Dns.QueryRequest == "update.onelaunch.com" and Process.Path like r"%\\OneLaunch.exe" -GenericProperty1 = Dns.QueryRequest +Annotation = {"mitre_attack": ["T1016"], "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'"} +Query = Process.CommandLine like r"%ipconfig /all%" or Process.CommandLine like r"%netsh interface show interface%" or Process.CommandLine like r"%arp -a%" or Process.CommandLine like r"%nbtstat -n%" or Process.CommandLine like r"%net config%" or Process.CommandLine like r"%route print%" [ThreatDetectionRule platform=Windows] -# Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. -# Author: frack113 -RuleId = 1c67a717-32ba-409b-a45d-0fb704a73a81 -RuleName = System Network Connections Discovery Via Net.EXE +# Detects the execution of "hh.exe" to open ".chm" files. +# Author: E.M. 
Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community +RuleId = 68c8acb4-1b60-4890-8e82-3ddf7a6dba84 +RuleName = HH.EXE Execution EventType = Process.Start -Tag = proc-start-system-network-connections-discovery-via-net.exe +Tag = proc-start-hh.exe-execution RiskScore = 25 -Annotation = {"mitre_attack": ["T1049"], "author": "frack113"} -Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and (Process.CommandLine like r"% use" or Process.CommandLine like r"% sessions" or Process.CommandLine like r"% use %" or Process.CommandLine like r"% sessions %") +Annotation = {"mitre_attack": ["T1218.001"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community"} +Query = (Process.Name == "HH.exe" or Process.Path like r"%\\hh.exe") and Process.CommandLine like r"%.chm%" [ThreatDetectionRule platform=Windows] -# Detects the creation of a new office macro files on the systems -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 91174a41-dc8f-401b-be89-7bfc140612a0 -RuleName = Office Macro File Creation -EventType = File.Create -Tag = office-macro-file-creation +# Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces +# Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe +# Author: Agro (@agro_sev) oscd.community +RuleId = 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b +RuleName = Malicious Windows Script Components File Execution by TAEF Detection +EventType = Process.Start +Tag = proc-start-malicious-windows-script-components-file-execution-by-taef-detection RiskScore = 25 -Annotation = {"mitre_attack": ["T1566.001"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = File.Path like r"%.docm" or File.Path like r"%.dotm" or File.Path like 
r"%.xlsm" or File.Path like r"%.xltm" or File.Path like r"%.potm" or File.Path like r"%.pptm" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1218"], "author": "Agro (@agro_sev) oscd.community"} +Query = Process.Path like r"%\\te.exe" or Parent.Path like r"%\\te.exe" or Process.Name == "\\te.exe" +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] -# Detects the stopping of a Windows service via the "sc.exe" utility -# Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) -RuleId = 81bcb81b-5b1f-474b-b373-52c871aaa7b1 -RuleName = Stop Windows Service Via Sc.EXE +# Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent. +# Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) +RuleId = f4bbd493-b796-416e-bbf2-121235348529 +RuleName = Non Interactive PowerShell Process Spawned EventType = Process.Start -Tag = proc-start-stop-windows-service-via-sc.exe +Tag = proc-start-non-interactive-powershell-process-spawned RiskScore = 25 -Annotation = {"mitre_attack": ["T1489"], "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Name == "sc.exe" or Process.Path like r"%\\sc.exe") and Process.CommandLine like r"% stop %" +Annotation = {"mitre_attack": ["T1059.001"], "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)"} +Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe" or Process.Name in ["PowerShell.EXE", "pwsh.dll"]) and not (Parent.Path like r"%:\\Windows\\explorer.exe" or Parent.Path like r"%:\\Windows\\System32\\CompatTelRunner.exe" or Parent.Path like r"%:\\Windows\\SysWOW64\\explorer.exe" or Parent.Path == ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe") and not (Parent.Path like r"%\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" and Parent.CommandLine like r"% 
--ms-enable-electron-run-as-node %" or Parent.Path like r"%:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal\_%" and Parent.Path like r"%\\WindowsTerminal.exe") +GenericProperty1 = Parent.Path +GenericProperty2 = Parent.CommandLine [ThreatDetectionRule platform=Windows] -# Detects when a share is mounted using the "net.exe" utility -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = f117933c-980c-4f78-b384-e3d838111165 -RuleName = Windows Share Mount Via Net.EXE +# Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM. +# Author: Janantha Marasinghe +RuleId = bab049ca-7471-4828-9024-38279a4c04da +RuleName = Detect Virtualbox Driver Installation OR Starting Of VMs EventType = Process.Start -Tag = proc-start-windows-share-mount-via-net.exe +Tag = proc-start-detect-virtualbox-driver-installation-or-starting-of-vms RiskScore = 25 -Annotation = {"mitre_attack": ["T1021.002"], "author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and (Process.CommandLine like r"% use %" or Process.CommandLine like r"% \\\\%") +Annotation = {"mitre_attack": ["T1564.006", "T1564"], "author": "Janantha Marasinghe"} +Query = Process.CommandLine like r"%VBoxRT.dll,RTR3Init%" or Process.CommandLine like r"%VBoxC.dll%" or Process.CommandLine like r"%VBoxDrv.sys%" or Process.CommandLine like r"%startvm%" or Process.CommandLine like r"%controlvm%" [ThreatDetectionRule platform=Windows] -# Detects the registration of a new ODBC driver. -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 3390fbef-c98d-4bdd-a863-d65ed7c610dd -RuleName = New ODBC Driver Registered -EventType = Reg.Any -Tag = new-odbc-driver-registered +# Detects the stopping of a Windows service via the "net" utility. 
+# Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) +RuleId = 88872991-7445-4a22-90b2-a3adadb0e827 +RuleName = Stop Windows Service Via Net.EXE +EventType = Process.Start +Tag = proc-start-stop-windows-service-via-net.exe RiskScore = 25 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Reg.TargetObject like r"%\\SOFTWARE\\ODBC\\ODBCINST.INI\\%" and Reg.TargetObject like r"%\\Driver" and not (Reg.TargetObject like r"%\\SQL Server\\%" and Reg.Value.Data == "\%WINDIR\%\\System32\\SQLSRV32.dll") and not (Reg.TargetObject like r"%\\Microsoft Access %" and Reg.Value.Data like r"C:\\Progra%" and Reg.Value.Data like r"%\\ACEODBC.DLL" or Reg.TargetObject like r"%\\Microsoft Excel Driver%" and Reg.Value.Data like r"C:\\Progra%" and Reg.Value.Data like r"%\\ACEODBC.DLL") -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject -GenericProperty2 = Reg.Value.Data +Annotation = {"mitre_attack": ["T1489"], "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Name in ["net.exe", "net1.exe"] or Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"% stop %" [ThreatDetectionRule platform=Windows] -# Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks -# Author: Nasreddine Bencherchali (Nextron Systems) -RuleId = 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236 -RuleName = Winget Admin Settings Modification -EventType = Reg.Any -Tag = winget-admin-settings-modification +# Detects the execution of the "jsc.exe" (JScript Compiler). +# Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting. 
+# Author: frack113 +RuleId = 52788a70-f1da-40dd-8fbd-73b5865d6568 +RuleName = JScript Compiler Execution +EventType = Process.Start +Tag = proc-start-jscript-compiler-execution RiskScore = 25 -Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"} -Query = Process.Path like r"%\\winget.exe" and Reg.TargetObject like r"\\REGISTRY\\A\\%" and Reg.TargetObject like r"%\\LocalState\\admin\_settings" -Hive = HKLM,HKU -GenericProperty1 = Reg.TargetObject +Annotation = {"mitre_attack": ["T1127"], "author": "frack113"} +Query = Process.Path like r"%\\jsc.exe" or Process.Name == "jsc.exe" [ThreatDetectionRule platform=Windows] -# Detects default PsExec service filename which indicates PsExec service installation and execution -# Author: Thomas Patzke -RuleId = 259e5a6a-b8d2-4c38-86e2-26c5e651361d -RuleName = PsExec Service File Creation -EventType = File.Create -Tag = psexec-service-file-creation +# Detect suspicious parent processes of well-known Windows processes +# Author: vburov +RuleId = 96036718-71cc-4027-a538-d1587e0006a7 +RuleName = Windows Processes Suspicious Parent Directory +EventType = Process.Start +Tag = proc-start-windows-processes-suspicious-parent-directory RiskScore = 25 -Annotation = {"mitre_attack": ["T1569.002"], "author": "Thomas Patzke"} -Query = File.Path like r"%\\PSEXESVC.exe" -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1036.003", "T1036.005"], "author": "vburov"} +Query = (Process.Path like r"%\\svchost.exe" or Process.Path like r"%\\taskhost.exe" or Process.Path like r"%\\lsm.exe" or Process.Path like r"%\\lsass.exe" or Process.Path like r"%\\services.exe" or Process.Path like r"%\\lsaiso.exe" or Process.Path like r"%\\csrss.exe" or Process.Path like r"%\\wininit.exe" or Process.Path like r"%\\winlogon.exe") and not (Parent.Path like r"%\\SavService.exe" or Parent.Path like r"%\\ngen.exe" or Parent.Path like r"%\\System32\\%" or Parent.Path like r"%\\SysWOW64\\%" or (Parent.Path like r"%\\Windows Defender\\%" or 
Parent.Path like r"%\\Microsoft Security Client\\%") and Parent.Path like r"%\\MsMpEng.exe" or isnull(Parent.Path) or Parent.Path == "-") +GenericProperty1 = Parent.Path [ThreatDetectionRule platform=Windows] 
@@ -945,68 +935,78 @@ Query = (Process.Path like r"%\\sc.exe" or Process.Name == "sc.exe") and Process [ThreatDetectionRule platform=Windows] -# Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence. -# Author: frack113 -RuleId = 576426ad-0131-4001-ae01-be175da0c108 -RuleName = PowerShell Script Dropped Via PowerShell.EXE -EventType = File.Create -Tag = powershell-script-dropped-via-powershell.exe +# Detects the execution of "BitLockerToGo.EXE". +# BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. +# This is a rarely used application and usage of it at all is worth investigating. +# Malware such as Lumma stealer has been seen using this process as a target for process hollowing. +# Author: Josh Nickels, mttaggart +RuleId = 7f2376f9-42ee-4dfc-9360-fecff9a88fc8 +RuleName = BitLockerTogo.EXE Execution +EventType = Process.Start +Tag = proc-start-bitlockertogo.exe-execution RiskScore = 25 -Annotation = {"author": "frack113"} -Query = (Process.Path like r"%\\powershell.exe" or Process.Path like r"%\\pwsh.exe") and File.Path like r"%.ps1" and not (File.Path like r"%\_\_PSScriptPolicyTest\_%" or File.Path like r"C:\\Users\\%" and File.Path like r"%\\AppData\\Local\\Temp\\%" or File.Path like r"C:\\Windows\\Temp\\%") -GenericProperty1 = File.Path +Annotation = {"mitre_attack": ["T1218"], "author": "Josh Nickels, mttaggart"} +Query = Process.Path like r"%\\BitLockerToGo.exe" [ThreatDetectionRule platform=Windows] -# Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. -# Author: E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -RuleId = b243b280-65fe-48df-ba07-6ddea7646427 -RuleName = Discovery of a System Time +# Detects the creation of scheduled tasks by user accounts via the "schtasks" utility. +# Author: Florian Roth (Nextron Systems) +RuleId = 92626ddd-662c-49e3-ac59-f6535f12d189 +RuleName = Scheduled Task Creation Via Schtasks.EXE EventType = Process.Start -Tag = proc-start-discovery-of-a-system-time +Tag = proc-start-scheduled-task-creation-via-schtasks.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1124"], "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community"} -Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe") and Process.CommandLine like r"%time%" or Process.Path like r"%\\w32tm.exe" and Process.CommandLine like r"%tz%" +Annotation = {"mitre_attack": ["T1053.005"], "author": "Florian Roth (Nextron Systems)"} +Query = Process.Path like r"%\\schtasks.exe" and Process.CommandLine like r"% /create %" and not (Process.User like r"%AUTHORI%" or Process.User like r"%AUTORI%") +GenericProperty1 = Process.User [ThreatDetectionRule platform=Windows] -# Detects the execution of "wmic" with the "group" flag. -# Adversaries may attempt to find local system groups and permission settings. -# The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. -# Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. +# Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
# Author: frack113 -RuleId = 164eda96-11b2-430b-85ff-6a265c15bf32 -RuleName = Local Groups Reconnaissance Via Wmic.EXE +RuleId = 1c67a717-32ba-409b-a45d-0fb704a73a81 +RuleName = System Network Connections Discovery Via Net.EXE EventType = Process.Start -Tag = proc-start-local-groups-reconnaissance-via-wmic.exe +Tag = proc-start-system-network-connections-discovery-via-net.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1069.001"], "author": "frack113"} -Query = (Process.Path like r"%\\wmic.exe" or Process.Name == "wmic.exe") and Process.CommandLine like r"% group%" +Annotation = {"mitre_attack": ["T1049"], "author": "frack113"} +Query = (Process.Path like r"%\\net.exe" or Process.Path like r"%\\net1.exe" or Process.Name in ["net.exe", "net1.exe"]) and (Process.CommandLine like r"% use" or Process.CommandLine like r"% sessions" or Process.CommandLine like r"% use %" or Process.CommandLine like r"% sessions %") [ThreatDetectionRule platform=Windows] -# Detects execution of the builtin "rmdir" command in order to delete directories. -# Adversaries may delete files left behind by the actions of their intrusion activity. -# Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. -# Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. +# Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications. 
# Author: frack113 -RuleId = 41ca393d-538c-408a-ac27-cf1e038be80c -RuleName = Directory Removal Via Rmdir +RuleId = ddeff553-5233-4ae9-bbab-d64d2bd634be +RuleName = Data Copied To Clipboard Via Clip.EXE EventType = Process.Start -Tag = proc-start-directory-removal-via-rmdir +Tag = proc-start-data-copied-to-clipboard-via-clip.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1070.004"], "author": "frack113"} -Query = (Process.Path like r"%\\cmd.exe" or Process.Name == "Cmd.Exe") and Process.CommandLine like r"%rmdir%" and (Process.CommandLine like r"%/s%" or Process.CommandLine like r"%/q%") +Annotation = {"mitre_attack": ["T1115"], "author": "frack113"} +Query = Process.Path like r"%\\clip.exe" or Process.Name == "clip.exe" [ThreatDetectionRule platform=Windows] -# Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. -# Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) -RuleId = 04936b66-3915-43ad-a8e5-809eadfd1141 -RuleName = Insensitive Subfolder Search Via Findstr.EXE +# Detects the load of known vulnerable drivers via the file name of the drivers. 
+# Author: Nasreddine Bencherchali (Nextron Systems) +RuleId = 72cd00d6-490c-4650-86ff-1d11f491daa1 +RuleName = Vulnerable Driver Load By Name +EventType = Driver.Load +Tag = vulnerable-driver-load-by-name +RiskScore = 25 +Annotation = {"mitre_attack": ["T1543.003", "T1068"], "author": "Nasreddine Bencherchali (Nextron Systems)"} +Query = Image.Path like r"%\\panmonfltx64.sys" or Image.Path like r"%\\dbutil.sys" or Image.Path like r"%\\fairplaykd.sys" or Image.Path like r"%\\nvaudio.sys" or Image.Path like r"%\\superbmc.sys" or Image.Path like r"%\\bsmi.sys" or Image.Path like r"%\\smarteio64.sys" or Image.Path like r"%\\bwrsh.sys" or Image.Path like r"%\\agent64.sys" or Image.Path like r"%\\asmmap64.sys" or Image.Path like r"%\\dellbios.sys" or Image.Path like r"%\\chaos-rootkit.sys" or Image.Path like r"%\\wcpu.sys" or Image.Path like r"%\\dh\_kernel.sys" or Image.Path like r"%\\sbiosio64.sys" or Image.Path like r"%\\bw.sys" or Image.Path like r"%\\asrdrv102.sys" or Image.Path like r"%\\nt6.sys" or Image.Path like r"%\\mhyprot3.sys" or Image.Path like r"%\\winio64c.sys" or Image.Path like r"%\\asupio64.sys" or Image.Path like r"%\\blackbonedrv10.sys" or Image.Path like r"%\\d.sys" or Image.Path like r"%\\driver7-x86.sys" or Image.Path like r"%\\sfdrvx32.sys" or Image.Path like r"%\\enetechio64.sys" or Image.Path like r"%\\gdrv.sys" or Image.Path like r"%\\sysinfodetectorx64.sys" or Image.Path like r"%\\fh-ethercat\_dio.sys" or Image.Path like r"%\\asromgdrv.sys" or Image.Path like r"%\\my.sys" or Image.Path like r"%\\dcprotect.sys" or Image.Path like r"%\\irec.sys" or Image.Path like r"%\\gedevdrv.sys" or Image.Path like r"%\\winio32a.sys" or Image.Path like r"%\\gvcidrv64.sys" or Image.Path like r"%\\winio32.sys" or Image.Path like r"%\\bs\_hwmio64.sys" or Image.Path like r"%\\nstr.sys" or Image.Path like r"%\\inpoutx64.sys" or Image.Path like r"%\\hw.sys" or Image.Path like r"%\\winio64.sys" or Image.Path like r"%\\hpportiox64.sys" or Image.Path like 
r"%\\iobitunlocker.sys" or Image.Path like r"%\\b1.sys" or Image.Path like r"%\\aoddriver.sys" or Image.Path like r"%\\elbycdio.sys" or Image.Path like r"%\\protects.sys" or Image.Path like r"%\\kprocesshacker.sys" or Image.Path like r"%\\speedfan.sys" or Image.Path like r"%\\radhwmgr.sys" or Image.Path like r"%\\iscflashx64.sys" or Image.Path like r"%\\black.sys" or Image.Path like r"%\\b4.sys" or Image.Path like r"%\\hwos2ec10x64.sys" or Image.Path like r"%\\winflash64.sys" or Image.Path like r"%\\corsairllaccess64.sys" or Image.Path like r"%\\bs\_i2cio.sys" or Image.Path like r"%\\d3.sys" or Image.Path like r"%\\windows-xp-64.sys" or Image.Path like r"%\\aswvmm.sys" or Image.Path like r"%\\bs\_i2c64.sys" or Image.Path like r"%\\1.sys" or Image.Path like r"%\\nchgbios2x64.sys" or Image.Path like r"%\\cpuz141.sys" or Image.Path like r"%\\segwindrvx64.sys" or Image.Path like r"%\\tdeio64.sys" or Image.Path like r"%\\ntiolib.sys" or Image.Path like r"%\\gtckmdfbs.sys" or Image.Path like r"%\\iomap64.sys" or Image.Path like r"%\\avalueio.sys" or Image.Path like r"%\\semav6msr.sys" or Image.Path like r"%\\lgdcatcher.sys" or Image.Path like r"%\\b.sys" or Image.Path like r"%\\hwdetectng.sys" or Image.Path like r"%\\nt4.sys" or Image.Path like r"%\\tgsafe.sys" or Image.Path like r"%\\mydrivers.sys" or Image.Path like r"%\\eneio64.sys" or Image.Path like r"%\\procexp.sys" or Image.Path like r"%\\viragt64.sys" or Image.Path like r"%\\fpcie2com.sys" or Image.Path like r"%\\lenovodiagnosticsdriver.sys" or Image.Path like r"%\\cp2x72c.sys" or Image.Path like r"%\\kerneld.amd64" or Image.Path like r"%\\bs\_def64.sys" or Image.Path like r"%\\piddrv.sys" or Image.Path like r"%\\amifldrv64.sys" or Image.Path like r"%\\cpuz\_x64.sys" or Image.Path like r"%\\proxy32.sys" or Image.Path like r"%\\wsdkd.sys" or Image.Path like r"%\\t8.sys" or Image.Path like r"%\\ucorew64.sys" or Image.Path like r"%\\atszio.sys" or Image.Path like r"%\\lmiinfo.sys" or Image.Path like r"%\\80.sys" or 
Image.Path like r"%\\nt3.sys" or Image.Path like r"%\\ngiodriver.sys" or Image.Path like r"%\\lv561av.sys" or Image.Path like r"%\\gpcidrv64.sys" or Image.Path like r"%\\fd3b7234419fafc9bdd533f48896ed73\_b816c5cd.sys" or Image.Path like r"%\\rtport.sys" or Image.Path like r"%\\full.sys" or Image.Path like r"%\\viragt.sys" or Image.Path like r"%\\fiddrv64.sys" or Image.Path like r"%\\cupfixerx64.sys" or Image.Path like r"%\\cpupress.sys" or Image.Path like r"%\\hwos2ec7x64.sys" or Image.Path like r"%\\driver7-x86-withoutdbg.sys" or Image.Path like r"%\\asrdrv10.sys" or Image.Path like r"%\\nvflsh64.sys" or Image.Path like r"%\\asrrapidstartdrv.sys" or Image.Path like r"%\\tmcomm.sys" or Image.Path like r"%\\wiseunlo.sys" or Image.Path like r"%\\rwdrv.sys" or Image.Path like r"%\\asio64.sys" or Image.Path like r"%\\nvoclock.sys" or Image.Path like r"%\\panio.sys" or Image.Path like r"%\\mtcbsv64.sys" or Image.Path like r"%\\amigendrv64.sys" or Image.Path like r"%\\capcom.sys" or Image.Path like r"%\\netflt.sys" or Image.Path like r"%\\phlashnt.sys" or Image.Path like r"%\\dbutil\_2\_3.sys" or Image.Path like r"%\\ni.sys" or Image.Path like r"%\\ntiolib\_x64.sys" or Image.Path like r"%\\atszio64.sys" or Image.Path like r"%\\lgcoretemp.sys" or Image.Path like r"%\\lha.sys" or Image.Path like r"%\\phymem64.sys" or Image.Path like r"%\\dbutildrv2.sys" or Image.Path like r"%\\asrdrv103.sys" or Image.Path like r"%\\rtcore64.sys" or Image.Path like r"%\\bs\_hwmio64\_w10.sys" or Image.Path like r"%\\ene.sys" or Image.Path like r"%\\winio64b.sys" or Image.Path like r"%\\piddrv64.sys" or Image.Path like r"%\\directio32.sys" or Image.Path like r"%\\monitor\_win10\_x64.sys" or Image.Path like r"%\\nt5.sys" or Image.Path like r"%\\asrsmartconnectdrv.sys" or Image.Path like r"%\\rtif.sys" or Image.Path like r"%\\atillk64.sys" or Image.Path like r"%\\directio.sys" or Image.Path like r"%\\asribdrv.sys" or Image.Path like r"%\\kfeco11x64.sys" or Image.Path like 
r"%\\citmdrv\_ia64.sys" or Image.Path like r"%\\sysdrv3s.sys" or Image.Path like r"%\\amp.sys" or Image.Path like r"%\\vboxdrv.sys" or Image.Path like r"%\\adv64drv.sys" or Image.Path like r"%\\hostnt.sys" or Image.Path like r"%\\phymem\_ext64.sys" or Image.Path like r"%\\echo\_driver.sys" or Image.Path like r"%\\winiodrv.sys" or Image.Path like r"%\\pdfwkrnl.sys" or Image.Path like r"%\\glckio2.sys" or Image.Path like r"%\\asrdrv106.sys" or Image.Path like r"%\\nscm.sys" or Image.Path like r"%\\bs\_rcio64.sys" or Image.Path like r"%\\ncpl.sys" or Image.Path like r"%\\sandra.sys" or Image.Path like r"%\\fiddrv.sys" or Image.Path like r"%\\hwrwdrv.sys" or Image.Path like r"%\\mhyprot.sys" or Image.Path like r"%\\asrsetupdrv103.sys" or Image.Path like r"%\\iqvw64.sys" or Image.Path like r"%\\b3.sys" or Image.Path like r"%\\ssport.sys" or Image.Path like r"%\\bs\_def.sys" or Image.Path like r"%\\computerz.sys" or Image.Path like r"%\\windows8-10-32.sys" or Image.Path like r"%\\nstrwsk.sys" or Image.Path like r"%\\lurker.sys" or Image.Path like r"%\\bsmemx64.sys" or Image.Path like r"%\\wyproxy64.sys" or Image.Path like r"%\\asio.sys" or Image.Path like r"%\\t3.sys" or Image.Path like r"%\\cpuz.sys" or Image.Path like r"%\\rtkio.sys" or Image.Path like r"%\\driver7-x64.sys" or Image.Path like r"%\\netfilterdrv.sys" or Image.Path like r"%\\ioaccess.sys" or Image.Path like r"%\\testbone.sys" or Image.Path like r"%\\gameink.sys" or Image.Path like r"%\\kevp64.sys" or Image.Path like r"%\\mhyprot2.sys" or Image.Path like r"%\\se64a.sys" or Image.Path like r"%\\vboxusb.sys" or Image.Path like r"%\\windows7-32.sys" or Image.Path like r"%\\vproeventmonitor.sys" or Image.Path like r"%\\winio64a.sys" or Image.Path like r"%\\asrdrv101.sys" or Image.Path like r"%\\netproxydriver.sys" or Image.Path like r"%\\elrawdsk.sys" or Image.Path like r"%\\zam64.sys" or Image.Path like r"%\\cg6kwin2k.sys" or Image.Path like r"%\\asupio.sys" or Image.Path like r"%\\stdcdrvws64.sys" or 
Image.Path like r"%\\81.sys" or Image.Path like r"%\\citmdrv\_amd64.sys" or Image.Path like r"%\\amdryzenmasterdriver.sys" or Image.Path like r"%\\vmdrv.sys" or Image.Path like r"%\\sysinfo.sys" or Image.Path like r"%\\alsysio64.sys" or Image.Path like r"%\\directio64.sys" or Image.Path like r"%\\rzpnk.sys" or Image.Path like r"%\\amdpowerprofiler.sys" or Image.Path like r"%\\truesight.sys" or Image.Path like r"%\\wirwadrv.sys" or Image.Path like r"%\\phymemx64.sys" or Image.Path like r"%\\msio64.sys" or Image.Path like r"%\\sepdrv3\_1.sys" or Image.Path like r"%\\gametersafe.sys" or Image.Path like r"%\\bs\_rcio.sys" or Image.Path like r"%\\d4.sys" or Image.Path like r"%\\t.sys" or Image.Path like r"%\\eio.sys" or Image.Path like r"%\\nt2.sys" or Image.Path like r"%\\winring0.sys" or Image.Path like r"%\\physmem.sys" or Image.Path like r"%\\libnicm.sys" or Image.Path like r"%\\msio32.sys" or Image.Path like r"%\\asrautochkupddrv.sys" or Image.Path like r"%\\asio32.sys" or Image.Path like r"%\\etdsupp.sys" or Image.Path like r"%\\smep\_namco.sys" or Image.Path like r"%\\bandai.sys" or Image.Path like r"%\\d2.sys" or Image.Path like r"%\\magdrvamd64.sys" or Image.Path like r"%\\nvflash.sys" or Image.Path like r"%\\goad.sys" or Image.Path like r"%\\proxy64.sys" or Image.Path like r"%\\amsdk.sys" or Image.Path like r"%\\kbdcap64.sys" or Image.Path like r"%\\vdbsv64.sys" or Image.Path like r"%\\pchunter.sys" or Image.Path like r"%\\sysconp.sys" or Image.Path like r"%\\dh\_kernel\_10.sys" or Image.Path like r"%\\msrhook.sys" or Image.Path like r"%\\bedaisy.sys" or Image.Path like r"%\\dcr.sys" or Image.Path like r"%\\panmonflt.sys" or Image.Path like r"%\\bsmixp64.sys" or Image.Path like r"%\\otipcibus.sys" or Image.Path like r"%\\fidpcidrv.sys" or Image.Path like r"%\\kfeco10x64.sys" or Image.Path like r"%\\asrdrv104.sys" or Image.Path like r"%\\c.sys" or Image.Path like r"%\\tdklib64.sys" or Image.Path like r"%\\bsmix64.sys" or Image.Path like r"%\\bs\_flash64.sys" or 
Image.Path like r"%\\stdcdrv64.sys" or Image.Path like r"%\\naldrv.sys" or Image.Path like r"%\\ctiio64.sys" or Image.Path like r"%\\bwrs.sys" or Image.Path like r"%\\nicm.sys" or Image.Path like r"%\\winio32b.sys" or Image.Path like r"%\\paniox64.sys" or Image.Path like r"%\\ecsiodriverx64.sys" or Image.Path like r"%\\iomem64.sys" or Image.Path like r"%\\fidpcidrv64.sys" or Image.Path like r"%\\aswarpot.sys" or Image.Path like r"%\\bs\_rciow1064.sys" or Image.Path like r"%\\asmio64.sys" or Image.Path like r"%\\openlibsys.sys" or Image.Path like r"%\\viraglt64.sys" or Image.Path like r"%\\dbk64.sys" or Image.Path like r"%\\t7.sys" or Image.Path like r"%\\atlaccess.sys" or Image.Path like r"%\\nbiolib\_x64.sys" or Image.Path like r"%\\smep\_capcom.sys" or Image.Path like r"%\\iqvw64e.sys" +GenericProperty1 = Image.Path + + +[ThreatDetectionRule platform=Windows] +# Detects the stopping of a Windows service via the "sc.exe" utility +# Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) +RuleId = 81bcb81b-5b1f-474b-b373-52c871aaa7b1 +RuleName = Stop Windows Service Via Sc.EXE EventType = Process.Start -Tag = proc-start-insensitive-subfolder-search-via-findstr.exe +Tag = proc-start-stop-windows-service-via-sc.exe RiskScore = 25 -Annotation = {"mitre_attack": ["T1218", "T1564.004", "T1552.001", "T1105"], "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)"} -Query = (Process.CommandLine like r"%findstr%" or Process.Path like r"%findstr.exe" or Process.Name == "FINDSTR.EXE") and (Process.CommandLine like r"% -s %" or Process.CommandLine like r"% /s %" or Process.CommandLine like r"% –s %" or Process.CommandLine like r"% —s %" or Process.CommandLine like r"% ―s %") and (Process.CommandLine like r"% -i %" or Process.CommandLine like r"% /i %" or Process.CommandLine like r"% –i %" or Process.CommandLine like r"% —i %" or Process.CommandLine like r"% ―i %") +Annotation = {"mitre_attack": 
["T1489"], "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)"} +Query = (Process.Name == "sc.exe" or Process.Path like r"%\\sc.exe") and Process.CommandLine like r"% stop %" diff --git a/config/uberAgent-ESA-am-sigma-medium-macos.conf b/config/uberAgent-ESA-am-sigma-medium-macos.conf index 61974f40..556d1190 100644 --- a/config/uberAgent-ESA-am-sigma-medium-macos.conf +++ b/config/uberAgent-ESA-am-sigma-medium-macos.conf 
@@ -8,116 +8,140 @@ #
 [ThreatDetectionRule platform=MacOS]
-# Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
-# This process is primarily used to detect and avoid virtualization and analysis environments.
-# Author: Pratinav Chandra
-RuleId = 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
-RuleName = System Information Discovery Via Sysctl - MacOS
+# Detects attempts to enable the root account via "dsenableroot"
+# Author: Sohan G (D4rkCiph3r)
+RuleId = 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
+RuleName = Root Account Enable Via Dsenableroot
 EventType = Process.Start
-Tag = proc-start-system-information-discovery-via-sysctl-macos
+Tag = proc-start-root-account-enable-via-dsenableroot
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1497.001", "T1082"], "author": "Pratinav Chandra"}
-Query = (Process.Path like r"%/sysctl" or Process.CommandLine like r"%sysctl%") and (Process.CommandLine like r"%hw.%" or Process.CommandLine like r"%kern.%" or Process.CommandLine like r"%machdep.%")
+Annotation = {"mitre_attack": ["T1078", "T1078.001", "T1078.003"], "author": "Sohan G (D4rkCiph3r)"}
+Query = Process.Path like r"%/dsenableroot" and not Process.CommandLine like r"% -d %"
 [ThreatDetectionRule platform=MacOS]
-# Detects the execution of the hdiutil utility in order to mount disk images.
-# Author: Omar Khaled (@beacon_exe)
-RuleId = bf241472-f014-4f01-a869-96f99330ca8c
-RuleName = Disk Image Mounting Via Hdiutil - MacOS
+# Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
+# Author: Alejandro Ortuno, oscd.community
+RuleId = 23c43900-e732-45a4-8354-63e4a6c187ce
+RuleName = MacOS Emond Launch Daemon
+EventType = File.Create
+Tag = macos-emond-launch-daemon
+RiskScore = 50
+Annotation = {"mitre_attack": ["T1546.014"], "author": "Alejandro Ortuno, oscd.community"}
+Query = File.Path like r"%/etc/emond.d/rules/%" and File.Path like r"%.plist" or File.Path like r"%/private/var/db/emondClients/%"
+GenericProperty1 = File.Path
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects attempts to create and add an account to the admin group via "sysadminctl"
+# Author: Sohan G (D4rkCiph3r)
+RuleId = 652c098d-dc11-4ba6-8566-c20e89042f2b
+RuleName = User Added To Admin Group Via Sysadminctl
 EventType = Process.Start
-Tag = proc-start-disk-image-mounting-via-hdiutil-macos
+Tag = proc-start-user-added-to-admin-group-via-sysadminctl
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1566.001", "T1560.001"], "author": "Omar Khaled (@beacon_exe)"}
-Query = Process.Path like r"%/hdiutil" and (Process.CommandLine like r"%attach %" or Process.CommandLine like r"%mount %")
+Annotation = {"mitre_attack": ["T1078.003"], "author": "Sohan G (D4rkCiph3r)"}
+Query = Process.Path like r"%/sysadminctl" and Process.CommandLine like r"% -addUser %" and Process.CommandLine like r"% -admin %"
 [ThreatDetectionRule platform=MacOS]
-# Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 2316929c-01aa-438c-970f-099145ab1ee6
-RuleName = JAMF MDM Potential Suspicious Child Process
+# Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
+# An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
+# Author: Pratinav Chandra
+RuleId = 9acf45ed-3a26-4062-bf08-56857613eb52
+RuleName = New File Exclusion Added To Time Machine Via Tmutil - MacOS
 EventType = Process.Start
-Tag = proc-start-jamf-mdm-potential-suspicious-child-process
+Tag = proc-start-new-file-exclusion-added-to-time-machine-via-tmutil-macos
 RiskScore = 50
-Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Parent.Path like r"%/jamf" and (Process.Path like r"%/bash" or Process.Path like r"%/sh")
+Annotation = {"mitre_attack": ["T1490"], "author": "Pratinav Chandra"}
+Query = (Process.Path like r"%/tmutil" or Process.CommandLine like r"%tmutil%") and Process.CommandLine like r"%addexclusion%"
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
+# Author: Sohan G (D4rkCiph3r)
+RuleId = 0250638a-2b28-4541-86fc-ea4c558fa0c6
+RuleName = Suspicious Browser Child Process - MacOS
+EventType = Process.Start
+Tag = proc-start-suspicious-browser-child-process-macos
+RiskScore = 50
+Annotation = {"mitre_attack": ["T1189", "T1203", "T1059"], "author": "Sohan G (D4rkCiph3r)"}
+Query = (Parent.Path like r"%com.apple.WebKit.WebContent%" or Parent.Path like r"%firefox%" or Parent.Path like r"%Google Chrome Helper%" or Parent.Path like r"%Google Chrome%" or Parent.Path like r"%Microsoft Edge%" or Parent.Path like r"%Opera%" or Parent.Path like r"%Safari%" or Parent.Path like r"%Tor Browser%") and (Process.Path like r"%/bash" or Process.Path like r"%/curl" or Process.Path like r"%/dash" or Process.Path like r"%/ksh" or Process.Path like r"%/osascript" or Process.Path like r"%/perl" or Process.Path like r"%/php" or Process.Path like r"%/pwsh" or Process.Path like r"%/python" or Process.Path like r"%/sh" or Process.Path like r"%/tcsh" or Process.Path like r"%/wget" or Process.Path like r"%/zsh") and not (Process.CommandLine like r"%--defaults-torrc%" or Process.CommandLine like 
r"%/Library/Application Support/Microsoft/MAU%/Microsoft AutoUpdate.app/Contents/MacOS/msupdate%" or (Parent.Path like r"%Google Chrome Helper%" or Parent.Path like r"%Google Chrome%") and (Process.CommandLine like r"%/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/%/Resources/install.sh%" or Process.CommandLine like r"%/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/%/Resources/keystone\_promote\_preflight.sh%" or Process.CommandLine like r"%/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/%/Resources/keystone\_promote\_postflight.sh%") or Parent.Path like r"%Microsoft Edge%" and (Process.CommandLine like r"%IOPlatformExpertDevice%" or Process.CommandLine like r"%hw.model%") or (Parent.Path like r"%Google Chrome Helper%" or Parent.Path like r"%Google Chrome%") and Process.CommandLine like r"%/Users/%" and Process.CommandLine like r"%/Library/Application Support/Google/Chrome/recovery/%" and Process.CommandLine like r"%/ChromeRecovery%") and not (isnull(Process.CommandLine) or Process.CommandLine == "")
 GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=MacOS]
-# Detects execution of AppleScript of the macOS scripting language AppleScript.
-# Author: Alejandro Ortuno, oscd.community
-RuleId = 1bc2e6c5-0885-472b-bed6-be5ea8eace55
-RuleName = MacOS Scripting Interpreter AppleScript
+# Detects deletion of local audit logs
+# Author: remotephone, oscd.community
+RuleId = acf61bd8-d814-4272-81f0-a7a269aa69aa
+RuleName = Indicator Removal on Host - Clear Mac System Logs
 EventType = Process.Start
-Tag = proc-start-macos-scripting-interpreter-applescript
+Tag = proc-start-indicator-removal-on-host-clear-mac-system-logs
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1059.002"], "author": "Alejandro Ortuno, oscd.community"}
-Query = Process.Path like r"%/osascript" and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"%.scpt%" or Process.CommandLine like r"%.js%")
+Annotation = {"mitre_attack": ["T1070.002"], "author": "remotephone, oscd.community"}
+Query = (Process.Path like r"%/rm" or Process.Path like r"%/unlink" or Process.Path like r"%/shred") and (Process.CommandLine like r"%/var/log%" or Process.CommandLine like r"%/Users/%" and Process.CommandLine like r"%/Library/Logs/%")
 [ThreatDetectionRule platform=MacOS]
-# Detects the execution of suspicious child processes from macOS installer package parent process. 
This includes osascript, JXA, curl and wget amongst other interpreters
+# Detects attempts to create and add an account to the admin group via "dscl"
 # Author: Sohan G (D4rkCiph3r)
-RuleId = e0cfaecd-602d-41af-988d-f6ccebb2af26
-RuleName = Suspicious Installer Package Child Process
+RuleId = b743623c-2776-40e0-87b1-682b975d0ca5
+RuleName = User Added To Admin Group Via Dscl
 EventType = Process.Start
-Tag = proc-start-suspicious-installer-package-child-process
+Tag = proc-start-user-added-to-admin-group-via-dscl
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1059", "T1059.007", "T1071", "T1071.001"], "author": "Sohan G (D4rkCiph3r)"}
-Query = (Parent.Path like r"%/package\_script\_service" or Parent.Path like r"%/installer") and (Process.Path like r"%/sh" or Process.Path like r"%/bash" or Process.Path like r"%/dash" or Process.Path like r"%/python" or Process.Path like r"%/ruby" or Process.Path like r"%/perl" or Process.Path like r"%/php" or Process.Path like r"%/javascript" or Process.Path like r"%/osascript" or Process.Path like r"%/tclsh" or Process.Path like r"%/curl" or Process.Path like r"%/wget") and (Process.CommandLine like r"%preinstall%" or Process.CommandLine like r"%postinstall%")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1078.003"], "author": "Sohan G (D4rkCiph3r)"}
+Query = Process.Path like r"%/dscl" and Process.CommandLine like r"% -append %" and Process.CommandLine like r"% /Groups/admin %" and Process.CommandLine like r"% GroupMembership %"
 [ThreatDetectionRule platform=MacOS]
-# Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
-# Author: Sohan G (D4rkCiph3r), Red Canary (idea)
-RuleId = 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
-RuleName = Potential In-Memory Download And Compile Of Payloads
+# Detects when the macOS Script Editor utility spawns an unusual child process.
+# Author: Tim Rauch (rule), Elastic (idea)
+RuleId = 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
+RuleName = Suspicious Execution via macOS Script Editor
 EventType = Process.Start
-Tag = proc-start-potential-in-memory-download-and-compile-of-payloads
+Tag = proc-start-suspicious-execution-via-macos-script-editor
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1059.007", "T1105"], "author": "Sohan G (D4rkCiph3r), Red Canary (idea)"}
-Query = Process.CommandLine like r"%osacompile%" and Process.CommandLine like r"%curl%"
+Annotation = {"mitre_attack": ["T1566", "T1566.002", "T1059", "T1059.002", "T1204", "T1204.001", "T1553"], "author": "Tim Rauch (rule), Elastic (idea)"}
+Query = Parent.Path like r"%/Script Editor" and (Process.Path like r"%/curl" or Process.Path like r"%/bash" or Process.Path like r"%/sh" or Process.Path like r"%/zsh" or Process.Path like r"%/dash" or Process.Path like r"%/fish" or Process.Path like r"%/osascript" or Process.Path like r"%/mktemp" or Process.Path like r"%/chmod" or Process.Path like r"%/php" or Process.Path like r"%/nohup" or Process.Path like r"%/openssl" or Process.Path like r"%/plutil" or Process.Path like r"%/PlistBuddy" or Process.Path like r"%/xattr" or Process.Path like r"%/sqlite" or Process.Path like r"%/funzip" or Process.Path like r"%/popen" or Process.Path like r"%python%" or Process.Path like r"%perl%")
+GenericProperty1 = Parent.Path
 [ThreatDetectionRule platform=MacOS]
-# Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
-# When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
-# Author: Omar Khaled (@beacon_exe)
-RuleId = 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
-RuleName = Hidden Flag Set On File/Directory Via Chflags - MacOS
+# Detects usage of system utilities (only grep for now) to discover security software discovery
+# Author: Daniil Yugoslavskiy, oscd.community
+RuleId = 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
+RuleName = Security Software Discovery - MacOs
 EventType = Process.Start
-Tag = proc-start-hidden-flag-set-on-file/directory-via-chflags-macos
+Tag = proc-start-security-software-discovery-macos
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1218", "T1564.004", "T1552.001", "T1105"], "author": "Omar Khaled (@beacon_exe)"}
-Query = Process.Path like r"%/chflags" and Process.CommandLine like r"%hidden %"
+Annotation = {"mitre_attack": ["T1518.001"], "author": "Daniil Yugoslavskiy, oscd.community"}
+Query = Process.Path == "/usr/bin/grep" and (Process.CommandLine like r"%nessusd%" or Process.CommandLine like r"%santad%" or Process.CommandLine like r"%CbDefense%" or Process.CommandLine like r"%falcond%" or Process.CommandLine like r"%td-agent%" or Process.CommandLine like r"%packetbeat%" or Process.CommandLine like r"%filebeat%" or Process.CommandLine like r"%auditbeat%" or Process.CommandLine like r"%osqueryd%" or Process.CommandLine like r"%BlockBlock%" or Process.CommandLine like r"%LuLu%" or Process.CommandLine like r"%Little%" and Process.CommandLine like r"%Snitch%")
 [ThreatDetectionRule platform=MacOS]
-# Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
-# Author: Alejandro Ortuno, oscd.community
-RuleId = 7c3b43d8-d794-47d2-800a-d277715aa460
-RuleName = Scheduled Cron Task/Job - MacOs
+# Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
+# Author: Pratinav Chandra
+RuleId = ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
+RuleName = Launch Agent/Daemon Execution Via Launchctl
 EventType = Process.Start
-Tag = proc-start-scheduled-cron-task/job-macos
+Tag = proc-start-launch-agent/daemon-execution-via-launchctl
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1053.003"], "author": "Alejandro Ortuno, oscd.community"}
-Query = Process.Path like r"%/crontab" and Process.CommandLine like r"%/tmp/%"
+Annotation = {"mitre_attack": ["T1569.001", "T1543.001", "T1543.004"], "author": "Pratinav Chandra"}
+Query = Process.Path like r"%/launchctl" and (Process.CommandLine like r"%submit%" or Process.CommandLine like r"%load%" or Process.CommandLine like r"%start%")
 [ThreatDetectionRule platform=MacOS]
-# Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
-# An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
+# Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
+# An attacker can use this to prevent backups from occurring.
 # Author: Pratinav Chandra
-RuleId = 9acf45ed-3a26-4062-bf08-56857613eb52
-RuleName = New File Exclusion Added To Time Machine Via Tmutil - MacOS
+RuleId = 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
+RuleName = Time Machine Backup Disabled Via Tmutil - MacOS
 EventType = Process.Start
-Tag = proc-start-new-file-exclusion-added-to-time-machine-via-tmutil-macos
+Tag = proc-start-time-machine-backup-disabled-via-tmutil-macos
 RiskScore = 50
 Annotation = {"mitre_attack": ["T1490"], "author": "Pratinav Chandra"}
-Query = (Process.Path like r"%/tmutil" or Process.CommandLine like r"%tmutil%") and Process.CommandLine like r"%addexclusion%"
+Query = (Process.Path like r"%/tmutil" or Process.CommandLine like r"%tmutil%") and Process.CommandLine like r"%disable%"
 [ThreatDetectionRule platform=MacOS]
@@ -133,6 +157,43 @@ Query = (Parent.Path like r"%/applet" or Parent.Path like r"%/osascript") and Pr
 GenericProperty1 = Parent.Path
+[ThreatDetectionRule platform=MacOS]
+# Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
+# Author: Sohan G (D4rkCiph3r)
+RuleId = 5d0fdb62-f225-42fb-8402-3dfe64da468a
+RuleName = User Added To Admin Group Via DseditGroup
+EventType = Process.Start
+Tag = proc-start-user-added-to-admin-group-via-dseditgroup
+RiskScore = 50
+Annotation = {"mitre_attack": ["T1078.003"], "author": "Sohan G (D4rkCiph3r)"}
+Query = Process.Path like r"%/dseditgroup" and Process.CommandLine like r"% -o edit %" and Process.CommandLine like r"% -a %" and Process.CommandLine like r"% -t user%" and Process.CommandLine like r"%admin%"
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+# Author: Alejandro Ortuno, oscd.community
+RuleId = 7c3b43d8-d794-47d2-800a-d277715aa460
+RuleName = Scheduled Cron Task/Job - MacOs
+EventType = Process.Start
+Tag = proc-start-scheduled-cron-task/job-macos
+RiskScore = 50
+Annotation = {"mitre_attack": ["T1053.003"], "author": "Alejandro Ortuno, oscd.community"}
+Query = Process.Path like r"%/crontab" and Process.CommandLine like r"%/tmp/%"
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects the execution of suspicious child processes from macOS installer package parent process. 
This includes osascript, JXA, curl and wget amongst other interpreters
+# Author: Sohan G (D4rkCiph3r)
+RuleId = e0cfaecd-602d-41af-988d-f6ccebb2af26
+RuleName = Suspicious Installer Package Child Process
+EventType = Process.Start
+Tag = proc-start-suspicious-installer-package-child-process
+RiskScore = 50
+Annotation = {"mitre_attack": ["T1059", "T1059.007", "T1071", "T1071.001"], "author": "Sohan G (D4rkCiph3r)"}
+Query = (Parent.Path like r"%/package\_script\_service" or Parent.Path like r"%/installer") and (Process.Path like r"%/sh" or Process.Path like r"%/bash" or Process.Path like r"%/dash" or Process.Path like r"%/python" or Process.Path like r"%/ruby" or Process.Path like r"%/perl" or Process.Path like r"%/php" or Process.Path like r"%/javascript" or Process.Path like r"%/osascript" or Process.Path like r"%/tclsh" or Process.Path like r"%/curl" or Process.Path like r"%/wget") and (Process.CommandLine like r"%preinstall%" or Process.CommandLine like r"%postinstall%")
+GenericProperty1 = Parent.Path
+
+
 [ThreatDetectionRule platform=MacOS]
 # Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
 # Author: Austin Songer @austinsonger
@@ -145,6 +206,18 @@ Annotation = {"author": "Austin Songer @austinsonger"}
 Query = Process.Path == "/usr/sbin/firmwarepasswd" and (Process.CommandLine like r"%setpasswd%" or Process.CommandLine like r"%full%" or Process.CommandLine like r"%delete%" or Process.CommandLine like r"%check%")
+[ThreatDetectionRule platform=MacOS]
+# Detect file time attribute change to hide new or changes to existing files
+# Author: Igor Fits, Mikhail Larin, oscd.community
+RuleId = 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
+RuleName = File Time Attribute Change
+EventType = Process.Start
+Tag = proc-start-file-time-attribute-change
+RiskScore = 50
+Annotation = {"mitre_attack": ["T1070.006"], "author": "Igor Fits, Mikhail Larin, oscd.community"}
+Query = Process.Path like r"%/touch" and (Process.CommandLine like r"%-t%" or Process.CommandLine like r"%-acmr%" or Process.CommandLine like r"%-d%" or Process.CommandLine like r"%-r%")
+
+
 [ThreatDetectionRule platform=MacOS]
 # Detects the execution of the nscurl utility in order to download files.
 # Author: Daniel Cortez
@@ -158,53 +231,64 @@ Query = Process.Path like r"%/nscurl" and (Process.CommandLine like r"%--downloa
 [ThreatDetectionRule platform=MacOS]
-# Detect file time attribute change to hide new or changes to existing files
-# Author: Igor Fits, Mikhail Larin, oscd.community
-RuleId = 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
-RuleName = File Time Attribute Change
+# Detects commandline operations on shell history files
+# Author: Mikhail Larin, oscd.community
+RuleId = 508a9374-ad52-4789-b568-fc358def2c65
+RuleName = Suspicious History File Operations
 EventType = Process.Start
-Tag = proc-start-file-time-attribute-change
+Tag = proc-start-suspicious-history-file-operations
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1070.006"], "author": "Igor Fits, Mikhail Larin, oscd.community"}
-Query = Process.Path like r"%/touch" and (Process.CommandLine like r"%-t%" or Process.CommandLine like r"%-acmr%" or Process.CommandLine like r"%-d%" or Process.CommandLine like r"%-r%")
+Annotation = {"mitre_attack": ["T1552.003"], "author": "Mikhail Larin, oscd.community"}
+Query = Process.CommandLine like r"%.bash\_history%" or Process.CommandLine like r"%.zsh\_history%" or Process.CommandLine like r"%.zhistory%" or Process.CommandLine like r"%.history%" or Process.CommandLine like r"%.sh\_history%" or Process.CommandLine like r"%fish\_history%"
 [ThreatDetectionRule platform=MacOS]
-# Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
-# An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
-# Author: Pratinav Chandra
-RuleId = 452df256-da78-427a-866f-49fa04417d74
-RuleName = Time Machine Backup Deletion Attempt Via Tmutil - MacOS
+# Detects disabling security tools
+# Author: Daniil Yugoslavskiy, oscd.community
+RuleId = ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
+RuleName = Disable Security Tools
 EventType = Process.Start
-Tag = proc-start-time-machine-backup-deletion-attempt-via-tmutil-macos
+Tag = proc-start-disable-security-tools
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1490"], "author": "Pratinav Chandra"}
-Query = (Process.Path like r"%/tmutil" or Process.CommandLine like r"%tmutil%") and Process.CommandLine like r"%delete%"
+Annotation = {"mitre_attack": ["T1562.001"], "author": "Daniil Yugoslavskiy, oscd.community"}
+Query = Process.Path == "/bin/launchctl" and Process.CommandLine like r"%unload%" and (Process.CommandLine like r"%com.objective-see.lulu.plist%" or Process.CommandLine like r"%com.objective-see.blockblock.plist%" or Process.CommandLine like r"%com.google.santad.plist%" or Process.CommandLine like r"%com.carbonblack.defense.daemon.plist%" or Process.CommandLine like r"%com.carbonblack.daemon.plist%" or Process.CommandLine like r"%at.obdev.littlesnitchd.plist%" or Process.CommandLine like r"%com.tenablesecurity.nessusagent.plist%" or Process.CommandLine like r"%com.opendns.osx.RoamingClientConfigUpdater.plist%" or Process.CommandLine like r"%com.crowdstrike.falcond.plist%" or Process.CommandLine like r"%com.crowdstrike.userdaemon.plist%" or Process.CommandLine like r"%osquery%" or Process.CommandLine like r"%filebeat%" or Process.CommandLine like r"%auditbeat%" or Process.CommandLine like r"%packetbeat%" or Process.CommandLine like r"%td-agent%") or Process.Path == "/usr/sbin/spctl" and Process.CommandLine like r"%disable%"
 [ThreatDetectionRule platform=MacOS]
-# Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
-# An attacker can use this to prevent backups from occurring.
+# Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
+# This process is primarily used to detect and avoid virtualization and analysis environments.
 # Author: Pratinav Chandra
-RuleId = 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
-RuleName = Time Machine Backup Disabled Via Tmutil - MacOS
+RuleId = 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
+RuleName = System Information Discovery Via Sysctl - MacOS
 EventType = Process.Start
-Tag = proc-start-time-machine-backup-disabled-via-tmutil-macos
+Tag = proc-start-system-information-discovery-via-sysctl-macos
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1490"], "author": "Pratinav Chandra"}
-Query = (Process.Path like r"%/tmutil" or Process.CommandLine like r"%tmutil%") and Process.CommandLine like r"%disable%"
+Annotation = {"mitre_attack": ["T1497.001", "T1082"], "author": "Pratinav Chandra"}
+Query = (Process.Path like r"%/sysctl" or Process.CommandLine like r"%sysctl%") and (Process.CommandLine like r"%hw.%" or Process.CommandLine like r"%kern.%" or Process.CommandLine like r"%machdep.%")
 [ThreatDetectionRule platform=MacOS]
-# Detects attempts to create and add an account to the admin group via "sysadminctl"
-# Author: Sohan G (D4rkCiph3r)
-RuleId = 652c098d-dc11-4ba6-8566-c20e89042f2b
-RuleName = User Added To Admin Group Via Sysadminctl
+# Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
+# Author: Tim Rauch (rule), Elastic (idea)
+RuleId = 234dc5df-40b5-49d1-bf53-0d44ce778eca
+RuleName = Payload Decoded and Decrypted via Built-in Utilities
 EventType = Process.Start
-Tag = proc-start-user-added-to-admin-group-via-sysadminctl
+Tag = proc-start-payload-decoded-and-decrypted-via-built-in-utilities
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1078.003"], "author": "Sohan G (D4rkCiph3r)"}
-Query = Process.Path like r"%/sysadminctl" and Process.CommandLine like r"% -addUser %" and Process.CommandLine like r"% -admin %"
+Annotation = {"mitre_attack": ["T1059", "T1204", "T1140"], "author": "Tim Rauch (rule), Elastic (idea)"}
+Query = Process.Path like r"%/openssl" and Process.CommandLine like r"%/Volumes/%" and Process.CommandLine like r"%enc%" and Process.CommandLine like r"%-base64%" and Process.CommandLine like r"% -d %"
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects execution of AppleScript of the macOS scripting language AppleScript.
+# Author: Alejandro Ortuno, oscd.community
+RuleId = 1bc2e6c5-0885-472b-bed6-be5ea8eace55
+RuleName = MacOS Scripting Interpreter AppleScript
+EventType = Process.Start
+Tag = proc-start-macos-scripting-interpreter-applescript
+RiskScore = 50
+Annotation = {"mitre_attack": ["T1059.002"], "author": "Alejandro Ortuno, oscd.community"}
+Query = Process.Path like r"%/osascript" and (Process.CommandLine like r"% -e %" or Process.CommandLine like r"%.scpt%" or Process.CommandLine like r"%.js%")
 [ThreatDetectionRule platform=MacOS]
@@ -220,6 +304,30 @@ Query = Parent.Path like r"%/bash" and Process.Path like r"%/curl" and (Process.
 GenericProperty1 = Parent.Path
+[ThreatDetectionRule platform=MacOS]
+# Detects passwords dumps from Keychain
+# Author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
+RuleId = b120b587-a4c2-4b94-875d-99c9807d6955
+RuleName = Credentials from Password Stores - Keychain
+EventType = Process.Start
+Tag = proc-start-credentials-from-password-stores-keychain
+RiskScore = 50
+Annotation = {"mitre_attack": ["T1555.001"], "author": "Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)"}
+Query = Process.Path == "/usr/bin/security" and (Process.CommandLine like r"%find-certificate%" or Process.CommandLine like r"% export %") or Process.CommandLine like r"% dump-keychain %" or Process.CommandLine like r"% login-keychain %"
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
+# Author: Sohan G (D4rkCiph3r), Red Canary (idea)
+RuleId = 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
+RuleName = Potential In-Memory Download And Compile Of Payloads
+EventType = Process.Start
+Tag = proc-start-potential-in-memory-download-and-compile-of-payloads
+RiskScore = 50
+Annotation = {"mitre_attack": ["T1059.007", "T1105"], "author": "Sohan G (D4rkCiph3r), Red Canary (idea)"}
+Query = Process.CommandLine like r"%osacompile%" and Process.CommandLine like r"%curl%"
+
+
 [ThreatDetectionRule platform=MacOS]
 # Detects the execution of the hdiutil utility in order to create a disk image.
 # Author: Omar Khaled (@beacon_exe)
@@ -233,16 +341,28 @@ Query = Process.Path like r"%/hdiutil" and Process.CommandLine like r"%create%"
 [ThreatDetectionRule platform=MacOS]
-# Detects when the macOS Script Editor utility spawns an unusual child process.
-# Author: Tim Rauch (rule), Elastic (idea)
-RuleId = 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
-RuleName = Suspicious Execution via macOS Script Editor
+# Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
+# When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
+# Author: Omar Khaled (@beacon_exe)
+RuleId = 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
+RuleName = Hidden Flag Set On File/Directory Via Chflags - MacOS
 EventType = Process.Start
-Tag = proc-start-suspicious-execution-via-macos-script-editor
+Tag = proc-start-hidden-flag-set-on-file/directory-via-chflags-macos
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1566", "T1566.002", "T1059", "T1059.002", "T1204", "T1204.001", "T1553"], "author": "Tim Rauch (rule), Elastic (idea)"}
-Query = Parent.Path like r"%/Script Editor" and (Process.Path like r"%/curl" or Process.Path like r"%/bash" or Process.Path like r"%/sh" or Process.Path like r"%/zsh" or Process.Path like r"%/dash" or Process.Path like r"%/fish" or Process.Path like r"%/osascript" or Process.Path like r"%/mktemp" or Process.Path like r"%/chmod" or Process.Path like r"%/php" or Process.Path like r"%/nohup" or Process.Path like r"%/openssl" or Process.Path like r"%/plutil" or Process.Path like r"%/PlistBuddy" or Process.Path like r"%/xattr" or Process.Path like r"%/sqlite" or Process.Path like r"%/funzip" or Process.Path like r"%/popen" or Process.Path like r"%python%" or Process.Path like r"%perl%")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1218", "T1564.004", "T1552.001", "T1105"], "author": "Omar Khaled (@beacon_exe)"}
+Query = Process.Path like r"%/chflags" and 
Process.CommandLine like r"%hidden %"
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects usage of "find" binary in a suspicious manner to perform discovery
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 85de3a19-b675-4a51-bfc6-b11a5186c971
+RuleName = Potential Discovery Activity Using Find - MacOS
+EventType = Process.Start
+Tag = proc-start-potential-discovery-activity-using-find-macos
+RiskScore = 50
+Annotation = {"mitre_attack": ["T1083"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Process.Path like r"%/find" and (Process.CommandLine like r"%-perm -4000%" or Process.CommandLine like r"%-perm -2000%" or Process.CommandLine like r"%-perm 0777%" or Process.CommandLine like r"%-perm -222%" or Process.CommandLine like r"%-perm -o w%" or Process.CommandLine like r"%-perm -o x%" or Process.CommandLine like r"%-perm -u=s%" or Process.CommandLine like r"%-perm -g=s%")
 [ThreatDetectionRule platform=MacOS]
@@ -257,20 +377,6 @@ Annotation = {"mitre_attack": ["T1518.001"], "author": "Joseliyo Sanchez, @Josel
 Query = Process.Path like r"%/csrutil" and Process.CommandLine like r"%disable%"
-[ThreatDetectionRule platform=MacOS]
-# Detects the use of "ioreg" which will show I/O Kit registry information.
-# This process is used for system information discovery.
-# It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
-# Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-RuleId = 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
-RuleName = System Information Discovery Using Ioreg
-EventType = Process.Start
-Tag = proc-start-system-information-discovery-using-ioreg
-RiskScore = 50
-Annotation = {"mitre_attack": ["T1082"], "author": "Joseliyo Sanchez, @Joseliyo_Jstnk"}
-Query = (Process.Path like r"%/ioreg" or Process.CommandLine like r"%ioreg%") and (Process.CommandLine like r"%-l%" or Process.CommandLine like r"%-c%") and (Process.CommandLine like r"%AppleAHCIDiskDriver%" or Process.CommandLine like r"%IOPlatformExpertDevice%" or Process.CommandLine like r"%Oracle%" or Process.CommandLine like r"%Parallels%" or Process.CommandLine like r"%USB Vendor Name%" or Process.CommandLine like r"%VirtualBox%" or Process.CommandLine like r"%VMware%")
-
-
 [ThreatDetectionRule platform=MacOS]
 # Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
 # Author: Daniil Yugoslavskiy, oscd.community
@@ -284,76 +390,54 @@ Query = Process.Path like r"%/dscl" and Process.CommandLine like r"%create%" and
 [ThreatDetectionRule platform=MacOS]
-# Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
-# Author: Alejandro Ortuno, oscd.community
-RuleId = 23c43900-e732-45a4-8354-63e4a6c187ce
-RuleName = MacOS Emond Launch Daemon
-EventType = File.Create
-Tag = macos-emond-launch-daemon
-RiskScore = 50
-Annotation = {"mitre_attack": ["T1546.014"], "author": "Alejandro Ortuno, oscd.community"}
-Query = File.Path like r"%/etc/emond.d/rules/%" and File.Path like r"%.plist" or File.Path like r"%/private/var/db/emondClients/%"
-GenericProperty1 = File.Path
-
-
 [ThreatDetectionRule platform=MacOS]
-# Detects commandline operations on shell history files
-# Author: Mikhail Larin, oscd.community
-RuleId = 508a9374-ad52-4789-b568-fc358def2c65
-RuleName = Suspicious History File Operations
-EventType = Process.Start
-Tag = proc-start-suspicious-history-file-operations
-RiskScore = 50
-Annotation = {"mitre_attack": ["T1552.003"], "author": "Mikhail Larin, oscd.community"}
-Query = Process.CommandLine like r"%.bash\_history%" or Process.CommandLine like r"%.zsh\_history%" or Process.CommandLine like r"%.zhistory%" or Process.CommandLine like r"%.history%" or Process.CommandLine like r"%.sh\_history%" or Process.CommandLine like r"%fish\_history%"
-
-
 [ThreatDetectionRule platform=MacOS]
-# Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
-# Author: Sohan G (D4rkCiph3r)
-RuleId = 5d0fdb62-f225-42fb-8402-3dfe64da468a
-RuleName = User Added To Admin Group Via DseditGroup
+# Detects the use of "ioreg" which will show I/O Kit registry information.
+# This process is used for system information discovery.
+# It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
+# Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+RuleId = 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
+RuleName = System Information Discovery Using Ioreg
 EventType = Process.Start
-Tag = proc-start-user-added-to-admin-group-via-dseditgroup
+Tag = proc-start-system-information-discovery-using-ioreg
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1078.003"], "author": "Sohan G (D4rkCiph3r)"}
-Query = Process.Path like r"%/dseditgroup" and Process.CommandLine like r"% -o edit %" and Process.CommandLine like r"% -a %" and Process.CommandLine like r"% -t user%" and Process.CommandLine like r"%admin%"
+Annotation = {"mitre_attack": ["T1082"], "author": "Joseliyo Sanchez, @Joseliyo_Jstnk"}
+Query = (Process.Path like r"%/ioreg" or Process.CommandLine like r"%ioreg%") and (Process.CommandLine like r"%-l%" or Process.CommandLine like r"%-c%") and (Process.CommandLine like r"%AppleAHCIDiskDriver%" or Process.CommandLine like r"%IOPlatformExpertDevice%" or Process.CommandLine like r"%Oracle%" or Process.CommandLine like r"%Parallels%" or Process.CommandLine like r"%USB Vendor Name%" or Process.CommandLine like r"%VirtualBox%" or Process.CommandLine like r"%VMware%")
 [ThreatDetectionRule platform=MacOS]
-# Detects usage of "find" binary in a suspicious manner to perform discovery
-# Author: Nasreddine Bencherchali (Nextron Systems)
-RuleId = 85de3a19-b675-4a51-bfc6-b11a5186c971
-RuleName = Potential Discovery Activity Using Find - MacOS
+# Detects the use of "sw_vers" for system information discovery
+# Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+RuleId = 5de06a6f-673a-4fc0-8d48-bcfe3837b033
+RuleName = System Information Discovery Using sw_vers
 EventType = Process.Start
-Tag = proc-start-potential-discovery-activity-using-find-macos
+Tag = proc-start-system-information-discovery-using-sw_vers
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1083"], "author": "Nasreddine Bencherchali (Nextron Systems)"}
-Query = Process.Path like r"%/find" and (Process.CommandLine like r"%-perm -4000%" or Process.CommandLine like r"%-perm -2000%" or Process.CommandLine like r"%-perm 0777%" or Process.CommandLine like r"%-perm -222%" or Process.CommandLine like r"%-perm -o w%" or Process.CommandLine like r"%-perm -o x%" or Process.CommandLine like r"%-perm -u=s%" or Process.CommandLine like r"%-perm -g=s%")
+Annotation = {"mitre_attack": ["T1082"], "author": "Joseliyo Sanchez, @Joseliyo_Jstnk"}
+Query = Process.Path like r"%/sw\_vers" and (Process.CommandLine like r"%-buildVersion%" or Process.CommandLine like r"%-productName%" or Process.CommandLine like r"%-productVersion%")
 [ThreatDetectionRule platform=MacOS]
-# Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
+# Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
+# An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
 # Author: Pratinav Chandra
-RuleId = ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
-RuleName = Launch Agent/Daemon Execution Via Launchctl
+RuleId = 452df256-da78-427a-866f-49fa04417d74
+RuleName = Time Machine Backup Deletion Attempt Via Tmutil - MacOS
 EventType = Process.Start
-Tag = proc-start-launch-agent/daemon-execution-via-launchctl
+Tag = proc-start-time-machine-backup-deletion-attempt-via-tmutil-macos
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1569.001", "T1543.001", "T1543.004"], "author": "Pratinav Chandra"}
-Query = Process.Path like r"%/launchctl" and (Process.CommandLine like r"%submit%" or Process.CommandLine like r"%load%" or Process.CommandLine like r"%start%")
+Annotation = {"mitre_attack": ["T1490"], "author": "Pratinav Chandra"}
+Query = (Process.Path like r"%/tmutil" or Process.CommandLine like r"%tmutil%") and Process.CommandLine like r"%delete%"
 [ThreatDetectionRule platform=MacOS]
-# Detects attempts to create and add an account to the admin group via "dscl"
-# Author: Sohan G (D4rkCiph3r)
-RuleId = b743623c-2776-40e0-87b1-682b975d0ca5
-RuleName = User Added To Admin Group Via Dscl
+# Detects the execution of the hdiutil utility in order to mount disk images.
+# Author: Omar Khaled (@beacon_exe)
+RuleId = bf241472-f014-4f01-a869-96f99330ca8c
+RuleName = Disk Image Mounting Via Hdiutil - MacOS
 EventType = Process.Start
-Tag = proc-start-user-added-to-admin-group-via-dscl
+Tag = proc-start-disk-image-mounting-via-hdiutil-macos
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1078.003"], "author": "Sohan G (D4rkCiph3r)"}
-Query = Process.Path like r"%/dscl" and Process.CommandLine like r"% -append %" and Process.CommandLine like r"% /Groups/admin %" and Process.CommandLine like r"% GroupMembership %"
+Annotation = {"mitre_attack": ["T1566.001", "T1560.001"], "author": "Omar Khaled (@beacon_exe)"}
+Query = Process.Path like r"%/hdiutil" and (Process.CommandLine like r"%attach %" or Process.CommandLine like r"%mount %")
 [ThreatDetectionRule platform=MacOS]
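Review bot: The middle clause of the new ioreg Query, `(Process.CommandLine like r"%-l%" or Process.CommandLine like r"%-c%")`, is a bare two-character substring test that almost any command line satisfies, so the vendor-string clause is the only part doing real narrowing; the new sw_vers rule likewise has no exclusion at all and will fire on `sw_vers -productVersion`, which installer and package-manager scripts presumably run routinely. Neither is a conversion error, but at RiskScore 50 both are likely to be noisy in a fleet. Since the commit says these files are converter output, tuning belongs in the upstream Sigma rule or the converter's exclusion mechanism rather than in a hand edit here, and a comment such as `# Broad substring match on "-l"/"-c"; the vendor-string clause carries the detection` on the ioreg rule would save the next reader from re-deriving that. The hdiutil and tmutil rules in the same hunk look reasonable as written.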
@@ -370,98 +454,14 @@ Query = (Process.Path like r"%/system\_profiler" or Process.CommandLine like r"%
 [ThreatDetectionRule platform=MacOS]
-# Detects attempts to enable the root account via "dsenableroot"
-# Author: Sohan G (D4rkCiph3r)
-RuleId = 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
-RuleName = Root Account Enable Via Dsenableroot
-EventType = Process.Start
-Tag = proc-start-root-account-enable-via-dsenableroot
-RiskScore = 50
-Annotation = {"mitre_attack": ["T1078", "T1078.001", "T1078.003"], "author": "Sohan G (D4rkCiph3r)"}
-Query = Process.Path like r"%/dsenableroot" and not Process.CommandLine like r"% -d %"
-
-
 [ThreatDetectionRule platform=MacOS]
-# Detects usage of system utilities (only grep for now) to discover security software discovery
-# Author: Daniil Yugoslavskiy, oscd.community
-RuleId = 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
-RuleName = Security Software Discovery - MacOs
-EventType = Process.Start
-Tag = proc-start-security-software-discovery-macos
-RiskScore = 50
-Annotation = {"mitre_attack": ["T1518.001"], "author": "Daniil Yugoslavskiy, oscd.community"}
-Query = Process.Path == "/usr/bin/grep" and (Process.CommandLine like r"%nessusd%" or Process.CommandLine like r"%santad%" or Process.CommandLine like r"%CbDefense%" or Process.CommandLine like r"%falcond%" or Process.CommandLine like r"%td-agent%" or Process.CommandLine like r"%packetbeat%" or Process.CommandLine like r"%filebeat%" or Process.CommandLine like r"%auditbeat%" or Process.CommandLine like r"%osqueryd%" or Process.CommandLine like r"%BlockBlock%" or Process.CommandLine like r"%LuLu%" or Process.CommandLine like r"%Little%" and Process.CommandLine like r"%Snitch%")
-
-
 [ThreatDetectionRule platform=MacOS]
-# Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
-# Author: Sohan G (D4rkCiph3r)
-RuleId = 0250638a-2b28-4541-86fc-ea4c558fa0c6
-RuleName = Suspicious Browser Child Process - MacOS
+# Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
+# Author: Nasreddine Bencherchali (Nextron Systems)
+RuleId = 2316929c-01aa-438c-970f-099145ab1ee6
+RuleName = JAMF MDM Potential Suspicious Child Process
 EventType = Process.Start
-Tag = proc-start-suspicious-browser-child-process-macos
+Tag = proc-start-jamf-mdm-potential-suspicious-child-process
 RiskScore = 50
-Annotation = {"mitre_attack": ["T1189", "T1203", "T1059"], "author": "Sohan G (D4rkCiph3r)"}
-Query = (Parent.Path like r"%com.apple.WebKit.WebContent%" or Parent.Path like r"%firefox%" or Parent.Path like r"%Google Chrome Helper%" or Parent.Path like r"%Google Chrome%" or Parent.Path like r"%Microsoft Edge%" or Parent.Path like r"%Opera%" or Parent.Path like r"%Safari%" or Parent.Path like r"%Tor Browser%") and (Process.Path like r"%/bash" or Process.Path like r"%/curl" or Process.Path like r"%/dash" or Process.Path like r"%/ksh" or Process.Path like r"%/osascript" or Process.Path like r"%/perl" or Process.Path like r"%/php" or Process.Path like r"%/pwsh" or Process.Path like r"%/python" or Process.Path like r"%/sh" or Process.Path like r"%/tcsh" or Process.Path like r"%/wget" or Process.Path like r"%/zsh") and not (Process.CommandLine like r"%--defaults-torrc%" or Process.CommandLine like r"%/Library/Application Support/Microsoft/MAU%/Microsoft AutoUpdate.app/Contents/MacOS/msupdate%" or (Parent.Path like r"%Google Chrome Helper%" or Parent.Path like r"%Google Chrome%") and (Process.CommandLine like r"%/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/%/Resources/install.sh%" or Process.CommandLine like r"%/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/%/Resources/keystone\_promote\_preflight.sh%" or Process.CommandLine like r"%/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/%/Resources/keystone\_promote\_postflight.sh%") or Parent.Path like r"%Microsoft Edge%" and (Process.CommandLine like r"%IOPlatformExpertDevice%" or Process.CommandLine like r"%hw.model%") or (Parent.Path like r"%Google Chrome Helper%" or Parent.Path like r"%Google Chrome%") and Process.CommandLine like r"%/Users/%" and Process.CommandLine like r"%/Library/Application Support/Google/Chrome/recovery/%" and Process.CommandLine like r"%/ChromeRecovery%") and not (isnull(Process.CommandLine) or Process.CommandLine == "")
+Annotation = {"author": "Nasreddine Bencherchali (Nextron Systems)"}
+Query = Parent.Path like r"%/jamf" and (Process.Path like r"%/bash" or Process.Path like r"%/sh")
 GenericProperty1 = Parent.Path
-
-[ThreatDetectionRule platform=MacOS]
-# Detects passwords dumps from Keychain
-# Author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
-RuleId = b120b587-a4c2-4b94-875d-99c9807d6955
-RuleName = Credentials from Password Stores - Keychain
-EventType = Process.Start
-Tag = proc-start-credentials-from-password-stores-keychain
-RiskScore = 50
-Annotation = {"mitre_attack": ["T1555.001"], "author": "Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)"}
-Query = Process.Path == "/usr/bin/security" and (Process.CommandLine like r"%find-certificate%" or Process.CommandLine like r"% export %") or Process.CommandLine like r"% dump-keychain %" or Process.CommandLine like r"% login-keychain %"
-
-
-[ThreatDetectionRule platform=MacOS]
-# Detects disabling security tools
-# Author: Daniil Yugoslavskiy, oscd.community
-RuleId = ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
-RuleName = Disable Security Tools
-EventType = Process.Start
-Tag = proc-start-disable-security-tools
-RiskScore = 50
-Annotation = {"mitre_attack": ["T1562.001"], "author": "Daniil Yugoslavskiy, oscd.community"}
-Query = Process.Path == "/bin/launchctl" and Process.CommandLine like r"%unload%" and (Process.CommandLine like r"%com.objective-see.lulu.plist%" or Process.CommandLine like r"%com.objective-see.blockblock.plist%" or Process.CommandLine like r"%com.google.santad.plist%" or Process.CommandLine like r"%com.carbonblack.defense.daemon.plist%" or Process.CommandLine like r"%com.carbonblack.daemon.plist%" or Process.CommandLine like r"%at.obdev.littlesnitchd.plist%" or Process.CommandLine like r"%com.tenablesecurity.nessusagent.plist%" or Process.CommandLine like r"%com.opendns.osx.RoamingClientConfigUpdater.plist%" or Process.CommandLine like r"%com.crowdstrike.falcond.plist%" or Process.CommandLine like r"%com.crowdstrike.userdaemon.plist%" or Process.CommandLine like r"%osquery%" or Process.CommandLine like r"%filebeat%" or Process.CommandLine like r"%auditbeat%" or Process.CommandLine like r"%packetbeat%" or Process.CommandLine like r"%td-agent%") or Process.Path == "/usr/sbin/spctl" and Process.CommandLine like r"%disable%"
-
-
-[ThreatDetectionRule platform=MacOS]
-# Detects the use of "sw_vers" for system information discovery
-# Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-RuleId = 5de06a6f-673a-4fc0-8d48-bcfe3837b033
-RuleName = System Information Discovery Using sw_vers
-EventType = Process.Start
-Tag = proc-start-system-information-discovery-using-sw_vers
-RiskScore = 50
-Annotation = {"mitre_attack": ["T1082"], "author": "Joseliyo Sanchez, @Joseliyo_Jstnk"}
-Query = Process.Path like r"%/sw\_vers" and (Process.CommandLine like r"%-buildVersion%" or Process.CommandLine like r"%-productName%" or Process.CommandLine like r"%-productVersion%")
-
-
-[ThreatDetectionRule platform=MacOS]
-# Detects deletion of local audit logs
-# Author: remotephone, oscd.community
-RuleId = acf61bd8-d814-4272-81f0-a7a269aa69aa
-RuleName = Indicator Removal on Host - Clear Mac System Logs
-EventType = Process.Start
-Tag = proc-start-indicator-removal-on-host-clear-mac-system-logs
-RiskScore = 50
-Annotation = {"mitre_attack": ["T1070.002"], "author": "remotephone, oscd.community"}
-Query = (Process.Path like r"%/rm" or Process.Path like r"%/unlink" or Process.Path like r"%/shred") and (Process.CommandLine like r"%/var/log%" or Process.CommandLine like r"%/Users/%" and Process.CommandLine like r"%/Library/Logs/%")
-
-
-[ThreatDetectionRule platform=MacOS]
-# Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
-# Author: Tim Rauch (rule), Elastic (idea)
-RuleId = 234dc5df-40b5-49d1-bf53-0d44ce778eca
-RuleName = Payload Decoded and Decrypted via Built-in Utilities
-EventType = Process.Start
-Tag = proc-start-payload-decoded-and-decrypted-via-built-in-utilities
-RiskScore = 50
-Annotation = {"mitre_attack": ["T1059", "T1204", "T1140"], "author": "Tim Rauch (rule), Elastic (idea)"}
-Query = Process.Path like r"%/openssl" and Process.CommandLine like r"%/Volumes/%" and Process.CommandLine like r"%enc%" and Process.CommandLine like r"%-base64%" and Process.CommandLine like r"% -d %"
-