diff --git a/clusters/atrm.json b/clusters/atrm.json index f6c4224..09218e4 100644 --- a/clusters/atrm.json +++ b/clusters/atrm.json @@ -11,7 +11,8 @@ "Ram Pliskin", "Nikhil Mittal", "MITRE ATT&CK", - "AlertIQ" + "AlertIQ", + "Craig Fretwell" ], "category": "atrm", "description": "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.", @@ -491,7 +492,7 @@ "value": "AZT404.2 - Logic Application" }, { - "description": "By utilizing a Automation Account configured with a managed identity or RunAs account, an attacker can execute Azure operations on a given resource.", + "description": "By utilizing a Function Application, an attacker can execute Azure operations on a given resource.", "meta": { "kill_chain": [ "ATRM-tactics:Privilege Escalation" @@ -1066,10 +1067,10 @@ "description": "By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701" ] }, "uuid": "9ca7b25c-643a-5e55-a210-684f49fe82d8", @@ -1079,10 +1080,10 @@ "description": "An adversary may create an SAS URI to download the disk attached to a virtual machine.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-1" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-1" ] }, "uuid": "8805d880-8887-52b6-a113-8c0f4fec4230", @@ -1092,10 +1093,10 @@ "description": "By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-2" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-2" ] }, "uuid": "aae55a3a-8e32-5a62-8d41-837b2ebb1e69", @@ -1105,23 +1106,23 @@ "description": "An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT702/AZT702-1" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT702/AZT702-1" ] }, "uuid": "dc6f9ee0-55b2-5197-87a5-7474cfc04d72", "value": "AZT702 - File Share Mounting" }, { - "description": "By setting up cross-tenant replication, an adversary may set up replication from one tenant's storage account to an external tenant's storage account.", + "description": "", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT703/AZT703-1" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT703/AZT703-1" ] }, "uuid": "ff4276bf-ab9e-5157-a171-5cdd4a3e6002", @@ -1131,10 +1132,10 @@ "description": "An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704" ] }, "uuid": "47ded49d-ef4c-57d4-8050-f66f884c4388", @@ -1144,10 +1145,10 @@ "description": "An adversary may recover a key vault object found in a 'soft deletion' state.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-1" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-1" ] }, "uuid": "d8fc76f2-6776-5a09-bfb3-57852ae1d786", @@ -1157,10 +1158,10 @@ "description": "An adversary may recover a storage account object found in a 'soft deletion' state.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-2" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-2" ] }, "uuid": "cd9f0082-b2c7-53f8-95a6-a4fe746f973e", @@ -1170,15 +1171,28 @@ "description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.", "meta": { "kill_chain": [ - "ATRM-tactics:Exfiltration" + "ATRM-tactics:Impact" ], "refs": [ - "https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-3" + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3" ] }, "uuid": "d333405e-af82-555c-a68f-e723878b5f55", "value": "AZT704.3 - Recovery Services Vault" + }, + { + "description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.", + "meta": { + "kill_chain": [ + "ATRM-tactics:Impact" + ], + "refs": [ + "https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3" + ] + }, + "uuid": "9d181c95-ccf7-5c94-8f4a-f6a2df62d760", + "value": "AZT705 - Azure Backup Delete" } ], - "version": 1 + "version": 2 } diff --git a/clusters/backdoor.json b/clusters/backdoor.json index bc0f686..e8af66f 100644 --- a/clusters/backdoor.json +++ b/clusters/backdoor.json @@ -374,7 +374,17 @@ ], "uuid": "f8444fcc-730e-4898-8ef5-6cc1976ff475", "value": "TROIBOMB" + }, + { + "description": "ZIPLINE makes use of extensive functionality to ensure the authentication of its custom protocol used to establish command and control (C2).", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ] + }, + "uuid": "14504cbe-8423-47aa-a947-a3ab5549a068", + "value": "ZIPLINE" } ], - "version": 17 + "version": 18 } diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 8dcd644..4e0ede8 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -1840,5 +1840,5 @@ "value": "Zigzag Hail" } ], - "version": 20 + "version": 21 } diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json index 4fcbc17..e5c9fdc 100644 --- a/clusters/mitre-attack-pattern.json +++ b/clusters/mitre-attack-pattern.json @@ -170,6 +170,13 @@ { "dest-uuid": "1a295f87-af63-4d94-b130-039d6221fb11", "type": "related-to" + }, + { + "dest-uuid": "1a295f87-af63-4d94-b130-039d6221fb11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", @@ -190,6 +197,13 @@ { "dest-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", "type": "related-to" + }, + { + "dest-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "286cc500-4291-45c2-99a1-e760db176402", @@ -210,6 +224,13 @@ { "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", "type": "related-to" + }, + { + "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "1a295f87-af63-4d94-b130-039d6221fb11", @@ -245,6 +266,13 @@ { "dest-uuid": "286cc500-4291-45c2-99a1-e760db176402", "type": "related-to" + }, + { + "dest-uuid": "286cc500-4291-45c2-99a1-e760db176402", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", @@ -265,6 +293,13 @@ { "dest-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983", "type": "related-to" + }, + { + "dest-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59", @@ -285,6 +320,13 @@ { "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", "type": "related-to" + }, + { + "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", @@ -306,6 +348,13 @@ { "dest-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59", "type": "related-to" + }, + { + "dest-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983", @@ -326,6 +375,13 @@ { "dest-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", "type": "related-to" + }, + { + "dest-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", @@ -358,6 +414,13 @@ { "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", "type": "revoked-by" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", @@ -405,6 +468,13 @@ { "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", "type": "revoked-by" + }, + { + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a", @@ -573,6 +643,13 @@ { "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", "type": "revoked-by" + }, + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df", @@ -1052,6 +1129,13 @@ { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "type": "revoked-by" + }, + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881", @@ -1159,6 +1243,13 @@ { "dest-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", "type": "related-to" + }, + { + "dest-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", @@ -1183,6 +1274,20 @@ { "dest-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", "type": "related-to" + }, + { + "dest-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", @@ -1207,6 +1312,13 @@ { "dest-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", "type": "related-to" + }, + { + "dest-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "028ad431-84c5-4eb7-a364-2b797c234f88", @@ -1893,6 +2005,13 @@ { "dest-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", "type": "related-to" + }, + { + "dest-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33", @@ -1914,6 +2033,13 @@ { "dest-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33", "type": "related-to" + }, + { + "dest-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", @@ -1966,6 +2092,13 @@ { "dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407", "type": "related-to" + }, + { + "dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", @@ -2018,6 +2151,13 @@ { "dest-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", "type": "related-to" + }, + { + "dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "0722cd65-0c83-4c89-9502-539198467ab1", @@ -2042,6 +2182,13 @@ { "dest-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", "type": "related-to" + }, + { + "dest-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "7718e92f-b011-4f88-b822-ae245a1de407", @@ -2066,6 +2213,13 @@ { "dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", "type": "related-to" + }, + { + "dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", @@ -2138,6 +2292,13 @@ { "dest-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05", "type": "related-to" + }, + { + "dest-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "856a9371-4f0f-4ea9-946e-f3144204240f", @@ -2323,6 +2484,13 @@ { "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", "type": "revoked-by" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2", @@ -2455,6 +2623,13 @@ { "dest-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f", "type": "related-to" + }, + { + "dest-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05", @@ -2555,6 +2730,20 @@ { "dest-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", "type": "related-to" + }, + { + "dest-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", @@ -2593,6 +2782,20 @@ { "dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", "type": "related-to" + }, + { + "dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", @@ -2668,6 +2871,13 @@ { "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", "type": "revoked-by" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2", @@ -5416,6 +5626,13 @@ { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "type": "revoked-by" + }, + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b", @@ -6467,6 +6684,13 @@ { "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", "type": "revoked-by" + }, + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "b928b94a-4966-4e2a-9e61-36505b896ebc", @@ -7670,6 +7894,13 @@ { "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", "type": "revoked-by" + }, + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "11bd699b-f2c2-4e48-bf46-fb3f8acd9799", @@ -14806,6 +15037,13 @@ { "dest-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", "type": "related-to" + }, + { + "dest-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", @@ -15038,6 +15276,13 @@ { "dest-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", "type": "related-to" + }, + { + "dest-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", @@ -15055,6 +15300,13 @@ { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "type": "revoked-by" + }, + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "e30cc912-7ea1-4683-9219-543b86cbdec9", @@ -15130,6 +15382,20 @@ { "dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", "type": "related-to" + }, + { + "dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "59369f72-3005-4e54-9095-3d00efcece73", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "78e41091-d10d-4001-b202-89612892b6ff", @@ -15183,6 +15449,13 @@ { "dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae", "type": "related-to" + }, + { + "dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", @@ -15336,6 +15609,13 @@ { "dest-uuid": "78e41091-d10d-4001-b202-89612892b6ff", "type": "related-to" + }, + { + "dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "59369f72-3005-4e54-9095-3d00efcece73", @@ -15403,6 +15683,13 @@ { "dest-uuid": "78e41091-d10d-4001-b202-89612892b6ff", "type": "related-to" + }, + { + "dest-uuid": "59369f72-3005-4e54-9095-3d00efcece73", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", @@ -15427,6 +15714,20 @@ { "dest-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", "type": "related-to" + }, + { + "dest-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "af358cad-eb71-4e91-a752-236edc237dae", @@ -15479,6 +15780,20 @@ { "dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae", "type": "related-to" + }, + { + "dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", @@ -15535,6 +15850,13 @@ { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "type": "revoked-by" + }, + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "831e3269-da49-48ac-94dc-948008e8fd16", @@ -15922,7 +16244,15 @@ "https://attack.mitre.org/techniques/T1454" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" + } + ], "uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", "value": "Malicious SMS Message - T1454" }, @@ -16092,6 +16422,13 @@ { "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", "type": "revoked-by" + }, + { + "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "c91c304a-975d-4501-9789-0db1c57afd3f", @@ -16149,6 +16486,13 @@ { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "revoked-by" + }, + { + "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", @@ -24324,6 +24668,13 @@ { "dest-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", "type": "related-to" + }, + { + "dest-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", @@ -24452,6 +24803,13 @@ { "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", "type": "revoked-by" + }, + { + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "revoked-by" } ], "uuid": "45dcbc83-4abc-4de1-b643-e528d1e9df09", @@ -24888,6 +25246,13 @@ { "dest-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", "type": "related-to" + }, + { + "dest-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", @@ -25387,6 +25752,13 @@ { "dest-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", "type": "related-to" + }, + { + "dest-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", @@ -26677,6 +27049,13 @@ { "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", "type": "related-to" + }, + { + "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], "uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json index b6911cf..89220bc 100644 --- a/clusters/mitre-course-of-action.json +++ b/clusters/mitre-course-of-action.json @@ -22,7 +22,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a", "value": "Registry Run Keys / Startup Folder Mitigation - T1060" }, @@ -35,7 +43,15 @@ "https://attack.mitre.org/mitigations/T1041" ] }, - "related": [], + "related": [ + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8", "value": "Exfiltration Over Command and Control Channel Mitigation - T1041" }, @@ -404,7 +420,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd", "value": "Data from Network Shared Drive Mitigation - T1039" }, @@ -417,7 +441,15 @@ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259", "value": "Windows Management Instrumentation Event Subscription Mitigation - T1084" }, @@ -430,7 +462,15 @@ "https://attack.mitre.org/mitigations/T1094" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3", "value": "Custom Command and Control Protocol Mitigation - T1094" }, @@ -446,7 +486,15 @@ "https://attack.mitre.org/mitigations/T1183" ] }, - "related": [], + "related": [ + { + "dest-uuid": "62166220-e498-410f-a90a-19d4339d4e99", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "33f76731-b840-446f-bee0-53687dad24d9", "value": "Image File Execution Options Injection Mitigation - T1183" }, @@ -459,7 +507,15 @@ "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" ] }, - "related": [], + "related": [ + { + "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ef273807-c465-4728-9cee-5823422f42ee", "value": "SIP and Trust Provider Hijacking Mitigation - T1198" }, @@ -472,7 +528,15 @@ "https://attack.mitre.org/mitigations/T1095" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "399d9038-b100-43ef-b28d-a5065106b935", "value": "Standard Non-Application Layer Protocol Mitigation - T1095" }, @@ -489,7 +553,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d01f473f-3cdc-4867-9e55-1de9cf1986f0", "value": "Deobfuscate/Decode Files or Information Mitigation - T1140" }, @@ -537,6 +609,13 @@ { "dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea", "type": "mitigates" + }, + { + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433", @@ -551,7 +630,15 @@ "https://attack.mitre.org/mitigations/T1030" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee", "value": "Data Transfer Size Limits Mitigation - T1030" }, @@ -568,7 +655,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd", "value": "Data from Local System Mitigation - T1005" }, @@ -585,7 +680,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "902286b2-96cc-4dd7-931f-e7340c9961da", "value": "File System Logical Offsets Mitigation - T1006" }, @@ -597,7 +700,15 @@ "https://attack.mitre.org/mitigations/M1007" ] }, - "related": [], + "related": [ + { + "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "value": "Caution with Device Administrator Access - M1007" }, @@ -609,7 +720,15 @@ "https://attack.mitre.org/mitigations/T1070" ] }, - "related": [], + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0", "value": "Indicator Removal on Host Mitigation - T1070" }, @@ -624,7 +743,15 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "14b63e6b-7531-4476-9e60-02cc5db48b62", "value": "Exploitation of Remote Services Mitigation - T1210" }, @@ -641,7 +768,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40", "value": "System Network Configuration Discovery Mitigation - T1016" }, @@ -660,7 +795,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", "value": "Replication Through Removable Media Mitigation - T1091" }, @@ -913,7 +1056,15 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [], + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f2dcee22-c275-405e-87fd-48630a19dfba", "value": "Exploitation for Client Execution Mitigation - T1203" }, @@ -931,7 +1082,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "68c96494-1a50-403e-8844-69a6af278c68", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d7c49196-b40e-42bc-8eed-b803113692ed", "value": "Change Default File Association Mitigation - T1042" }, @@ -948,7 +1107,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "39706d54-0d06-4a25-816a-78cc43455100", "value": "Data from Removable Media Mitigation - T1025" }, @@ -962,7 +1129,15 @@ "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145", "value": "Exfiltration Over Physical Medium Mitigation - T1052" }, @@ -976,7 +1151,15 @@ "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "b8d57b16-d8e2-428c-a645-1083795b3445", "value": "Communication Through Removable Media Mitigation - T1092" }, @@ -993,7 +1176,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1", "value": "File and Directory Discovery Mitigation - T1083" }, @@ -1011,7 +1202,15 @@ "https://github.com/mattifestation/PowerSploit" ] }, - "related": [], + "related": [ + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04", "value": "DLL Search Order Hijacking Mitigation - T1038" }, @@ -1028,7 +1227,15 @@ "https://github.com/mattifestation/PowerSploit" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1022138b-497c-40e6-b53a-13351cbd4090", "value": "File System Permissions Weakness Mitigation - T1044" }, @@ -1045,7 +1252,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c1676218-c16a-41c9-8f7a-023779916e39", "value": "System Network Connections Discovery Mitigation - T1049" }, @@ -1060,7 +1275,15 @@ "https://attack.mitre.org/mitigations/T1058" ] }, - "related": [], + "related": [ + { + "dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9378f139-10ef-4e4b-b679-2255a0818902", "value": "Service Registry Permissions Weakness Mitigation - T1058" }, @@ -1077,7 +1300,15 @@ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" ] }, - "related": [], + "related": [ + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271", "value": "Indicator Removal from Tools Mitigation - T1066" }, @@ -1092,7 +1323,15 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502", "value": "Exploitation for Privilege Escalation Mitigation - T1068" }, @@ -1105,7 +1344,15 @@ "https://github.com/hfiref0x/UACME" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f", "value": "Bypass User Account Control Mitigation - T1088" }, @@ -1120,7 +1367,15 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [], + "related": [ + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "37a3f3f5-76e6-43fe-b935-f1f494c95725", "value": "Exploitation for Defense Evasion Mitigation - T1211" }, @@ -1137,7 +1392,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cba5667e-e3c6-44a4-811c-266dbc00e440", "value": "Extra Window Memory Injection Mitigation - T1181" }, @@ -1152,7 +1415,15 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "06160d81-62be-46e5-aa37-4b9c645ffa31", "value": "Exploitation for Credential Access Mitigation - T1212" }, @@ -1169,7 +1440,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e", "value": "Component Object Model Hijacking Mitigation - T1122" }, @@ -1181,7 +1460,15 @@ "https://attack.mitre.org/mitigations/T1213" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "13cad982-35e3-4340-9095-7124b653df4b", "value": "Data from Information Repositories Mitigation - T1213" }, @@ -1196,7 +1483,15 @@ "https://patchwork.kernel.org/patch/8754821/" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "44155d14-ca75-4fdf-b033-ab3d732e2884", "value": "Kernel Modules and Extensions Mitigation - T1215" }, @@ -1213,7 +1508,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb", "value": "Network Share Connection Removal Mitigation - T1126" }, @@ -1225,7 +1528,15 @@ "https://attack.mitre.org/mitigations/T1216" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "51048ba0-a5aa-41e7-bf5d-993cd217dfb2", "value": "Signed Script Proxy Execution Mitigation - T1216" }, @@ -1237,7 +1548,15 @@ "https://attack.mitre.org/mitigations/T1129" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf", "value": "Execution through Module Load Mitigation - T1129" }, @@ -1254,7 +1573,15 @@ "https://technet.microsoft.com/library/cc771387.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "910482b1-6749-4934-abcb-3e34d58294fc", "value": "Distributed Component Object Model Mitigation - T1175" }, @@ -1266,7 +1593,15 @@ "https://attack.mitre.org/mitigations/T1185" ] }, - "related": [], + "related": [ + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "94f6b4f5-b528-4f50-91d5-f66457c2f8f7", "value": "Man in the Browser Mitigation - T1185" }, @@ -1278,7 +1613,15 @@ "https://attack.mitre.org/mitigations/T1158" ] }, - "related": [], + "related": [ + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "84d633a4-dd93-40ca-8510-40238c021931", "value": "Hidden Files and Directories Mitigation - T1158" }, @@ -1334,7 +1677,15 @@ "https://attack.mitre.org/mitigations/T1190" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "65da1eb6-d35d-4853-b280-98a76c0aef53", "value": "Exploit Public-Facing Application Mitigation - T1190" }, @@ -1351,7 +1702,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e8d22ec6-2236-48de-954b-974d17492782", "value": "Two-Factor Authentication Interception Mitigation - T1111" }, @@ -1363,7 +1722,15 @@ "https://attack.mitre.org/mitigations/T1156" ] }, - "related": [], + "related": [ + { + "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4f170666-7edb-4489-85c2-9affa28a72e0", "value": ".bash_profile and .bashrc Mitigation - T1156" }, @@ -1380,7 +1747,22 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", "value": "System Owner/User Discovery Mitigation - T1033" }, @@ -1397,7 +1779,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b", "value": "Application Window Discovery Mitigation - T1010" }, @@ -1617,7 +2007,15 @@ "https://attack.mitre.org/mitigations/T1004" ] }, - "related": [], + "related": [ + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3", "value": "Winlogon Helper DLL Mitigation - T1004" }, @@ -1778,6 +2176,20 @@ { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "mitigates" + }, + { + "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", @@ -1796,7 +2208,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2", "value": "System Service Discovery Mitigation - T1007" }, @@ -1813,7 +2233,15 @@ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" ] }, - "related": [], + "related": [ + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f0a42cad-9b1f-44da-a672-718f18381018", "value": "Taint Shared Content Mitigation - T1080" }, @@ -1827,7 +2255,15 @@ "https://technet.microsoft.com/en-us/library/dn408187.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac", "value": "Security Support Provider Mitigation - T1101" }, @@ -1844,7 +2280,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f", "value": "Peripheral Device Discovery Mitigation - T1120" }, @@ -1857,7 +2301,15 @@ "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "49961e75-b493-423a-9ec7-ac2d6f55384a", "value": "Password Policy Discovery Mitigation - T1201" }, @@ -1871,7 +2323,15 @@ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "23061b40-a7b6-454f-8950-95d5ff80331c", "value": "Install Root Certificate Mitigation - T1130" }, @@ -1887,7 +2347,15 @@ "https://github.com/mattifestation/PowerSploit" ] }, - "related": [], + "related": [ + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf", "value": "Modify Existing Service Mitigation - T1031" }, @@ -1900,7 +2368,15 @@ "https://attack.mitre.org/mitigations/T1105" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a", "value": "Remote File Copy Mitigation - T1105" }, @@ -1917,7 +2393,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d", "value": "Graphical User Interface Mitigation - T1061" }, @@ -1929,7 +2413,15 @@ "https://attack.mitre.org/mitigations/T1017" ] }, - "related": [], + "related": [ + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c88151a5-fe3f-4773-8147-d801587065a4", "value": "Application Deployment Software Mitigation - T1017" }, @@ -1942,7 +2434,15 @@ "https://attack.mitre.org/mitigations/T1081" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "0472af99-f25c-4abe-9fce-010fa3450e72", "value": "Credentials in Files Mitigation - T1081" }, @@ -1959,7 +2459,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2", "value": "Remote System Discovery Mitigation - T1018" }, @@ -1977,7 +2485,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1e614ba5-2fc5-4464-b512-2ceafb14d76d", "value": "Indirect Command Execution Mitigation - T1202" }, @@ -2002,7 +2518,15 @@ "https://attack.mitre.org/mitigations/T1032" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7", "value": "Standard Cryptographic Protocol Mitigation - T1032" }, @@ -2015,7 +2539,15 @@ "https://attack.mitre.org/mitigations/T1024" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a569295c-a093-4db4-9fb4-7105edef85ad", "value": "Custom Cryptographic Protocol Mitigation - T1024" }, @@ -2032,7 +2564,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67", "value": "System Information Discovery Mitigation - T1082" }, @@ -2045,7 +2585,15 @@ "https://attack.mitre.org/mitigations/T1028" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025", "value": "Windows Remote Management Mitigation - T1028" }, @@ -2058,7 +2606,15 @@ "https://attack.mitre.org/mitigations/T1043" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7c1796c7-9fc3-4c3e-9416-527295bf5d95", "value": "Commonly Used Port Mitigation - T1043" }, @@ -2075,7 +2631,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae", "value": "Security Software Discovery Mitigation - T1063" }, @@ -2092,7 +2656,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3", "value": "Network Service Scanning Mitigation - T1046" }, @@ -2188,7 +2760,15 @@ "https://attack.mitre.org/mitigations/T1065" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe", "value": "Uncommonly Used Port Mitigation - T1065" }, @@ -2201,7 +2781,15 @@ "https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e", "value": "Pass the Hash Mitigation - T1075" }, @@ -2215,7 +2803,15 @@ "https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "53b3b027-bed3-480c-9101-1247047d0fe6", "value": "Remote Desktop Protocol Mitigation - T1076" }, @@ -2235,7 +2831,15 @@ "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ac008435-af58-4f77-988a-c9b96c5920f5", "value": "NTFS File Attributes Mitigation - T1096" }, @@ -2252,7 +2856,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987", "value": "Permission Groups Discovery Mitigation - T1069" }, @@ -2269,7 +2881,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5", "value": "Windows Admin Shares Mitigation - T1077" }, @@ -2288,7 +2908,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d", "value": "Pass the Ticket Mitigation - T1097" }, @@ -2300,7 +2928,15 @@ "https://attack.mitre.org/mitigations/T1089" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8", "value": "Disabling Security Tools Mitigation - T1089" }, @@ -2312,7 +2948,15 @@ "https://attack.mitre.org/mitigations/T1151" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "02f0f92a-0a51-4c94-9bda-6437b9a93f22", "value": "Space after Filename Mitigation - T1151" }, @@ -2324,7 +2968,15 @@ "https://attack.mitre.org/mitigations/T1214" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4490fee2-5c70-4db3-8db5-8d88767dbd55", "value": "Credentials in Registry Mitigation - T1214" }, @@ -2341,7 +2993,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "82d8e990-c901-4aed-8596-cc002e7eb307", "value": "System Time Discovery Mitigation - T1124" }, @@ -2358,7 +3018,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1c0b39f9-a0c5-42b2-abd8-dc8f1eb74e67", "value": "Browser Bookmark Discovery Mitigation - T1217" }, @@ -2373,7 +3041,15 @@ "https://attack.mitre.org/mitigations/T1128" ] }, - "related": [], + "related": [ + { + "dest-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "624d063d-cda8-4616-b4e4-54c04e427aec", "value": "Netsh Helper DLL Mitigation - T1128" }, @@ -2385,7 +3061,15 @@ "https://attack.mitre.org/mitigations/T1219" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "af093bc8-7b59-4e2a-9da8-8e839b4c50c6", "value": "Remote Access Tools Mitigation - T1219" }, @@ -2397,7 +3081,15 @@ "https://attack.mitre.org/mitigations/T1133" ] }, - "related": [], + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2", "value": "External Remote Services Mitigation - T1133" }, @@ -2411,7 +3103,15 @@ "https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token" ] }, - "related": [], + "related": [ + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c61fee9f-16fb-4f8c-bbf0-869093fcd4a6", "value": "Access Token Manipulation Mitigation - T1134" }, @@ -2428,7 +3128,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1f34230d-b6ae-4dc7-8599-78c18820bd21", "value": "Network Share Discovery Mitigation - T1135" }, @@ -2447,7 +3155,15 @@ "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/" ] }, - "related": [], + "related": [ + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "80c91478-ac87-434f-bee7-11f37aec4d74", "value": "Dynamic Data Exchange Mitigation - T1173" }, @@ -2460,7 +3176,15 @@ "https://attack.mitre.org/mitigations/T1146" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "3e7018e9-7389-48e7-9208-0bdbcbba9483", "value": "Clear Command History Mitigation - T1146" }, @@ -2473,7 +3197,15 @@ "https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "00d7d21b-69d6-4797-88a2-c86f3fc97651", "value": "Password Filter DLL Mitigation - T1174" }, @@ -2485,7 +3217,15 @@ "https://attack.mitre.org/mitigations/T1194" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c861bcb1-946f-450d-ab75-d4e3c1103a56", "value": "Spearphishing via Service Mitigation - T1194" }, @@ -2500,7 +3240,15 @@ "https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "97d8eadb-0459-4c1d-bf1a-e053bd75df61", "value": "Supply Chain Compromise Mitigation - T1195" }, @@ -2512,7 +3260,15 @@ "https://attack.mitre.org/mitigations/T1166" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "073cc04d-ac46-4f5a-85d7-83a91ecd6a19", "value": "Setuid and Setgid Mitigation - T1166" }, @@ -2524,7 +3280,15 @@ "https://attack.mitre.org/mitigations/T1168" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c47a9b55-8f61-4b82-b833-1db6242c754e", "value": "Local Job Scheduling Mitigation - T1168" }, @@ -2540,7 +3304,15 @@ "https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef", "value": "Control Panel Items Mitigation - T1196" }, @@ -2640,7 +3412,15 @@ "https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10)" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22", "value": "LLMNR/NBT-NS Poisoning Mitigation - T1171" }, @@ -2762,7 +3542,15 @@ "https://attack.mitre.org/mitigations/T1104" ] }, - "related": [], + "related": [ + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52", "value": "Multi-Stage Channels Mitigation - T1104" }, @@ -2774,7 +3562,15 @@ "https://attack.mitre.org/mitigations/T1072" ] }, - "related": [], + "related": [ + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "160af6af-e733-4b6a-a04a-71c620ac0930", "value": "Third-party Software Mitigation - T1072" }, @@ -2786,7 +3582,15 @@ "https://attack.mitre.org/mitigations/T1073" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908", "value": "DLL Side-Loading Mitigation - T1073" }, @@ -2799,7 +3603,15 @@ "https://support.apple.com/en-us/HT204005" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "61d02387-351a-453e-a575-160a9abc3e04", "value": "Re-opened Applications Mitigation - T1164" }, @@ -2815,7 +3627,15 @@ "https://technet.microsoft.com/library/cc835085.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55", "value": "SID-History Injection Mitigation - T1178" }, @@ -2827,7 +3647,15 @@ "https://attack.mitre.org/mitigations/T1188" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "752db800-ea54-4e7a-b4c1-2a0292350ea7", "value": "Multi-hop Proxy Mitigation - T1188" }, @@ -2843,7 +3671,15 @@ "https://en.wikipedia.org/wiki/Control-flow_integrity" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7a4d0054-53cd-476f-88af-955dddc80ee0", "value": "Drive-by Compromise Mitigation - T1189" }, @@ -2856,7 +3692,15 @@ "https://attack.mitre.org/mitigations/T1001" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e", "value": "Data Obfuscation Mitigation - T1001" }, @@ -2869,7 +3713,15 @@ "https://www.us-cert.gov/ncas/alerts/TA15-314A" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "bcc91b8c-f104-4710-964e-1d5409666736", "value": "Web Shell Mitigation - T1100" }, @@ -2886,7 +3738,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "2497ac92-e751-4391-82c6-1b86e34d0294", "value": "Automated Exfiltration Mitigation - T1020" }, @@ -2899,7 +3759,15 @@ "https://en.wikipedia.org/wiki/IEEE_802.1X" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "54e8722d-2faf-4b1b-93b6-6cbf9551669f", "value": "Hardware Additions Mitigation - T1200" }, @@ -2916,7 +3784,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33", "value": "Data Compressed Mitigation - T1002" }, @@ -2940,7 +3816,15 @@ "https://technet.microsoft.com/library/jj865668.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a", "value": "Credential Dumping Mitigation - T1003" }, @@ -2980,6 +3864,13 @@ { "dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831", "type": "mitigates" + }, + { + "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321", @@ -2998,7 +3889,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4", "value": "Network Sniffing Mitigation - T1040" }, @@ -3015,7 +3914,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab", "value": "New Service Mitigation - T1050" }, @@ -3028,7 +3935,15 @@ "https://attack.mitre.org/mitigations/T1008" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "515f6584-fa98-44fe-a4e8-e428c7188514", "value": "Fallback Channels Mitigation - T1008" }, @@ -3045,7 +3960,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "16a8ac85-a06f-460f-ad22-910167bd7332", "value": "Binary Padding Mitigation - T1009" }, @@ -3063,6 +3986,20 @@ { "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", "type": "mitigates" + }, + { + "dest-uuid": "393e8c12-a416-4575-ba90-19cc85656796", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", @@ -3077,7 +4014,15 @@ "https://pages.nist.gov/800-63-3/sp800-63b.html" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c", "value": "Brute Force Mitigation - T1110" }, @@ -3094,7 +4039,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b", "value": "Query Registry Mitigation - T1012" }, @@ -3107,7 +4060,15 @@ "https://attack.mitre.org/mitigations/T1102" ] }, - "related": [], + "related": [ + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4689b9fb-dca4-473e-831b-34717ad50c97", "value": "Web Service Mitigation - T1102" }, @@ -3187,6 +4148,13 @@ { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "mitigates" + }, + { + "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", @@ -3203,7 +4171,15 @@ "https://attack.mitre.org/mitigations/T1103" ] }, - "related": [], + "related": [ + { + "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "10571bf2-8073-4edf-a71c-23bad225532e", "value": "AppInit DLLs Mitigation - T1103" }, @@ -3449,7 +4425,15 @@ "https://attack.mitre.org/mitigations/T1013" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b", "value": "Port Monitors Mitigation - T1013" }, @@ -3670,7 +4654,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8", "value": "Accessibility Features Mitigation - T1015" }, @@ -3682,7 +4674,15 @@ "https://attack.mitre.org/mitigations/T1150" ] }, - "related": [], + "related": [ + { + "dest-uuid": "06780952-177c-4247-b978-79c357fb311f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "2d704e56-e689-4011-b989-bf4e025a8727", "value": "Plist Modification Mitigation - T1150" }, @@ -3708,7 +4708,15 @@ "https://www.acunetix.com/websitesecurity/webserver-security/" ] }, - "related": [], + "related": [ + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5", "value": "Shared Webroot Mitigation - T1051" }, @@ -3720,7 +4728,15 @@ "https://attack.mitre.org/mitigations/T1160" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "402e92cd-5608-4f4b-9a34-a2c962e4bcd7", "value": "Launch Daemon Mitigation - T1160" }, @@ -3737,7 +4753,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d", "value": "File Deletion Mitigation - T1107" }, @@ -4160,7 +5184,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e", "value": "Redundant Access Mitigation - T1108" }, @@ -4185,7 +5217,15 @@ "https://attack.mitre.org/mitigations/T1019" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "25e53928-6f33-49b7-baee-8180578286f6", "value": "System Firmware Mitigation - T1019" }, @@ -4235,7 +5275,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b", "value": "Data Encrypted Mitigation - T1022" }, @@ -4253,7 +5301,15 @@ "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482" ] }, - "related": [], + "related": [ + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a13e35cc-8c90-4d77-a965-5461042c1612", "value": "Shortcut Modification Mitigation - T1023" }, @@ -4265,7 +5321,15 @@ "https://attack.mitre.org/mitigations/T1204" ] }, - "related": [], + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "548bf7ad-e19c-4d74-84bf-84ac4e57f505", "value": "User Execution Mitigation - T1204" }, @@ -4452,7 +5516,15 @@ "https://attack.mitre.org/mitigations/T1205" ] }, - "related": [], + "related": [ + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f6b7c116-0821-4eb7-9b24-62bd09b3e575", "value": "Port Knocking Mitigation - T1205" }, @@ -4906,7 +5978,15 @@ "https://attack.mitre.org/mitigations/T1026" ] }, - "related": [], + "related": [ + { + "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "da987565-27b6-4b31-bbcd-74b909847116", "value": "Multiband Communication Mitigation - T1026" }, @@ -4918,7 +5998,15 @@ "https://attack.mitre.org/mitigations/T1206" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "dbf0186e-722d-4a0a-af6a-b3460f162f84", "value": "Sudo Caching Mitigation - T1206" }, @@ -5160,7 +6248,15 @@ "https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings" ] }, - "related": [], + "related": [ + { + "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a1482e43-f3ff-4fbd-94de-ad1244738166", "value": "Time Providers Mitigation - T1209" }, @@ -5173,7 +6269,15 @@ "https://attack.mitre.org/mitigations/T1029" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824", "value": "Scheduled Transfer Mitigation - T1029" }, @@ -5307,7 +6411,15 @@ "https://skanthak.homepage.t-online.de/sentinel.html" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e0703d4f-3972-424a-8277-84004817e024", "value": "Path Interception Mitigation - T1034" }, @@ -5324,7 +6436,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64", "value": "Service Execution Mitigation - T1035" }, @@ -5344,7 +6464,15 @@ "https://technet.microsoft.com/library/jj852168.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd", "value": "Scheduled Task Mitigation - T1053" }, @@ -5573,7 +6701,15 @@ "https://attack.mitre.org/mitigations/T1037" ] }, - "related": [], + "related": [ + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2", "value": "Logon Scripts Mitigation - T1037" }, @@ -5611,7 +6747,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43", "value": "Process Hollowing Mitigation - T1093" }, @@ -5666,7 +6810,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c95c8b5c-b431-43c9-9557-f494805e2502", "value": "Software Packing Mitigation - T1045" }, @@ -5678,7 +6830,15 @@ "https://attack.mitre.org/mitigations/T1074" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd", "value": "Data Staged Mitigation - T1074" }, @@ -5782,7 +6942,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b", "value": "Process Discovery Mitigation - T1057" }, @@ -5800,7 +6968,15 @@ "https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077" ] }, - "related": [], + "related": [ + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "5c49bc54-9929-48ca-b581-7018219b5a97", "value": "Account Discovery Mitigation - T1087" }, @@ -5816,7 +6992,15 @@ "https://www.us-cert.gov/ncas/alerts/TA13-175A" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf", "value": "Valid Accounts Mitigation - T1078" }, @@ -5829,7 +7013,15 @@ "https://attack.mitre.org/mitigations/T1079" ] }, - "related": [], + "related": [ + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec", "value": "Multilayer Encryption Mitigation - T1079" }, @@ -5846,7 +7038,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc", "value": "Modify Registry Mitigation - T1112" }, @@ -5860,7 +7060,15 @@ "https://technet.microsoft.com/en-us/library/dn408187.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "943d370b-2054-44df-8be2-ab4139bde1c5", "value": "Authentication Package Mitigation - T1131" }, @@ -5877,7 +7085,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55", "value": "Screen Capture Mitigation - T1113" }, @@ -5894,7 +7110,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7", "value": "Email Collection Mitigation - T1114" }, @@ -5906,7 +7130,15 @@ "https://attack.mitre.org/mitigations/T1141" ] }, - "related": [], + "related": [ + { + "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df", "value": "Input Prompt Mitigation - T1141" }, @@ -5923,7 +7155,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf", "value": "Clipboard Data Mitigation - T1115" }, @@ -5935,7 +7175,15 @@ "https://attack.mitre.org/mitigations/T1161" ] }, - "related": [], + "related": [ + { + "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604", "value": "LC_LOAD_DYLIB Addition Mitigation - T1161" }, @@ -5950,7 +7198,15 @@ "https://technet.microsoft.com/en-us/library/cc733026.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08", "value": "Code Signing Mitigation - T1116" }, @@ -5967,7 +7223,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152", "value": "Automated Collection Mitigation - T1119" }, @@ -5998,7 +7262,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d", "value": "Audio Capture Mitigation - T1123" }, @@ -6011,7 +7283,15 @@ "https://attack.mitre.org/mitigations/T1132" ] }, - "related": [], + "related": [ + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b", "value": "Data Encoding Mitigation - T1132" }, @@ -6028,7 +7308,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d", "value": "Video Capture Mitigation - T1125" }, @@ -6041,7 +7329,15 @@ "https://support.apple.com/en-us/HT204005" ] }, - "related": [], + "related": [ + { + "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "06824aa2-94a5-474c-97f6-57c2e983d885", "value": "Login Item Mitigation - T1162" }, @@ -6055,7 +7351,15 @@ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" ] }, - "related": [], + "related": [ + { + "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "62ae52c9-7197-4f5b-be1d-10d2e1df2c96", "value": "Domain Fronting Mitigation - T1172" }, @@ -6070,7 +7374,15 @@ "https://attack.mitre.org/mitigations/T1182" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "95c29444-49f9-49f7-8b20-bcd68d8fcaa6", "value": "AppCert DLLs Mitigation - T1182" }, @@ -6082,7 +7394,15 @@ "https://attack.mitre.org/mitigations/T1192" ] }, - "related": [], + "related": [ + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ad7f983d-d5a8-4fce-a38c-b68eda61bf4e", "value": "Spearphishing Link Mitigation - T1192" }, @@ -6094,7 +7414,15 @@ "https://attack.mitre.org/mitigations/T1143" ] }, - "related": [], + "related": [ + { + "dest-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "fae44eea-caa7-42b7-a2e2-0c815ba81b9a", "value": "Hidden Window Mitigation - T1143" }, @@ -6106,7 +7434,15 @@ "https://attack.mitre.org/mitigations/T1136" ] }, - "related": [], + "related": [ + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9a5b7194-88e0-4579-b82f-e3c27b8cca80", "value": "Create Account Mitigation - T1136" }, @@ -6118,7 +7454,15 @@ "https://attack.mitre.org/mitigations/T1138" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cfc2d2fc-14ff-495f-bd99-585be47b804f", "value": "Application Shimming Mitigation - T1138" }, @@ -6130,7 +7474,15 @@ "https://attack.mitre.org/mitigations/T1193" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8f6b5ca6-263a-4ea9-98f3-afd2a3cd8119", "value": "Spearphishing Attachment Mitigation - T1193" }, @@ -6142,7 +7494,15 @@ "https://attack.mitre.org/mitigations/T1139" ] }, - "related": [], + "related": [ + { + "dest-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ace4daee-f914-4707-be75-843f16da2edf", "value": "Bash History Mitigation - T1139" }, @@ -6154,7 +7514,15 @@ "https://attack.mitre.org/mitigations/T1144" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158", "value": "Gatekeeper Bypass Mitigation - T1144" }, @@ -6166,7 +7534,15 @@ "https://attack.mitre.org/mitigations/T1145" ] }, - "related": [], + "related": [ + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f27ef4f2-71fe-48b6-b7f4-02dcac14320e", "value": "Private Keys Mitigation - T1145" }, @@ -6178,7 +7554,15 @@ "https://attack.mitre.org/mitigations/T1147" ] }, - "related": [], + "related": [ + { + "dest-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "12cba7de-0a22-4a56-b51e-c514c67c3b43", "value": "Hidden Users Mitigation - T1147" }, @@ -6191,7 +7575,15 @@ "https://www.symantec.com/connect/articles/ssh-and-ssh-agent" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "41cff8e9-fd05-408e-b3d5-d98c54c20bcf", "value": "SSH Hijacking Mitigation - T1184" }, @@ -6203,7 +7595,15 @@ "https://attack.mitre.org/mitigations/T1149" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "6e7db820-9735-4545-bc64-039bc4ce354b", "value": "LC_MAIN Hijacking Mitigation - T1149" }, @@ -6215,7 +7615,15 @@ "https://attack.mitre.org/mitigations/T1165" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "94927849-03e3-4a07-8f4c-9ee21b626719", "value": "Startup Items Mitigation - T1165" }, @@ -6227,7 +7635,15 @@ "https://attack.mitre.org/mitigations/T1157" ] }, - "related": [], + "related": [ + { + "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "dc43c2fe-355e-4a79-9570-3267b0992784", "value": "Dylib Hijacking Mitigation - T1157" }, @@ -6239,7 +7655,15 @@ "https://attack.mitre.org/mitigations/T1159" ] }, - "related": [], + "related": [ + { + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "121b2863-5b97-4538-acb3-f8aae070ec13", "value": "Launch Agent Mitigation - T1159" }, @@ -6252,7 +7676,15 @@ "https://attack.mitre.org/mitigations/T1176" ] }, - "related": [], + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8", "value": "Browser Extensions Mitigation - T1176" }, @@ -6269,7 +7701,15 @@ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31", "value": "Process Doppelgänging Mitigation - T1186" }, @@ -6285,7 +7725,15 @@ "https://technet.microsoft.com/library/dn408187.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7a6e5ca3-562f-4185-a323-f3b62b5b2e6b", "value": "LSASS Driver Mitigation - T1177" }, @@ -6299,7 +7747,15 @@ "https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7009ba4d-83d4-4851-9fbb-e09e28497765", "value": "Forced Authentication Mitigation - T1187" }, @@ -6314,7 +7770,15 @@ "https://www.symantec.com/connect/blogs/malware-update-windows-update" ] }, - "related": [], + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cb825b86-3f3b-4686-ba99-44878f5d3173", "value": "BITS Jobs Mitigation - T1197" }, @@ -6326,7 +7790,15 @@ "https://attack.mitre.org/mitigations/T1199" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "797312d4-8a84-4daf-9c56-57da4133c322", "value": "Trusted Relationship Mitigation - T1199" }, @@ -6578,7 +8050,15 @@ "https://attack.mitre.org/mitigations/T1163" ] }, - "related": [], + "related": [ + { + "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482", "value": "Rc.common Mitigation - T1163" }, @@ -6619,7 +8099,15 @@ "https://attack.mitre.org/mitigations/T1121" ] }, - "related": [], + "related": [ + { + "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a", "value": "Regsvcs/Regasm Mitigation - T1121" }, @@ -6699,6 +8187,20 @@ { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "mitigates" + }, + { + "dest-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", @@ -6724,6 +8226,20 @@ { "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "type": "mitigates" + }, + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", @@ -6894,7 +8410,22 @@ "https://attack.mitre.org/mitigations/M1005" ] }, - "related": [], + "related": [ + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1553b156-6767-47f7-9eb4-2a692505666d", "value": "Application Vetting - M1005" }, @@ -7135,6 +8666,20 @@ { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "mitigates" + }, + { + "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6f86d346-f092-4abc-80df-8558a90c426a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", @@ -7216,6 +8761,27 @@ { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "mitigates" + }, + { + "dest-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", @@ -7238,6 +8804,20 @@ { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "mitigates" + }, + { + "dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "52651225-0b3a-482d-aa7e-10618fd063b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "e829ee51-1caf-4665-ba15-7f8979634124", @@ -7256,7 +8836,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f", "value": "Rootkit Mitigation - T1014" }, @@ -7442,7 +9030,15 @@ "https://attack.mitre.org/mitigations/T1170" ] }, - "related": [], + "related": [ + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2", "value": "Mshta Mitigation - T1170" }, @@ -7656,7 +9252,15 @@ "https://technet.microsoft.com/library/cc938799.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9da16278-c6c5-4410-8a6b-9c16ce8005b3", "value": "Screensaver Mitigation - T1180" }, @@ -7669,7 +9273,15 @@ "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET" ] }, - "related": [], + "related": [ + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8c918d8a-11c5-4ffd-af10-e74bc06bdfae", "value": "Rundll32 Mitigation - T1085" }, @@ -7681,7 +9293,15 @@ "https://attack.mitre.org/mitigations/T1062" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4be89c7c-ace6-4876-9377-c8d54cef3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739", "value": "Hypervisor Mitigation - T1062" }, @@ -7693,7 +9313,15 @@ "https://attack.mitre.org/mitigations/T1207" ] }, - "related": [], + "related": [ + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "b70627f7-3b43-4c6f-8fc0-c918c41f8f72", "value": "DCShadow Mitigation - T1207" }, @@ -7895,7 +9523,15 @@ "https://attack.mitre.org/mitigations/T1208" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a3e12b04-8598-4909-8855-2c97c1e7d549", "value": "Kerberoasting Mitigation - T1208" }, @@ -7961,7 +9597,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae", "value": "Masquerading Mitigation - T1036" }, @@ -8519,7 +10163,15 @@ "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6", "value": "Scripting Mitigation - T1064" }, @@ -8533,7 +10185,15 @@ "https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process" ] }, - "related": [], + "related": [ + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751", "value": "Bootkit Mitigation - T1067" }, @@ -8546,7 +10206,15 @@ "https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2", "value": "PowerShell Mitigation - T1086" }, @@ -8563,7 +10231,15 @@ "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, - "related": [], + "related": [ + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488", "value": "Timestomp Mitigation - T1099" }, @@ -8576,7 +10252,15 @@ "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET" ] }, - "related": [], + "related": [ + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "12c13879-b7bd-4bc5-8def-aacec386d432", "value": "Regsvr32 Mitigation - T1117" }, @@ -8588,7 +10272,15 @@ "https://attack.mitre.org/mitigations/T1118" ] }, - "related": [], + "related": [ + { + "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ec418d1b-4963-439f-b055-f914737ef362", "value": "InstallUtil Mitigation - T1118" }, @@ -8601,7 +10293,15 @@ "https://msitpros.com/?p=3960" ] }, - "related": [], + "related": [ + { + "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "91816292-3686-4a6e-83c4-4c08513b9b57", "value": "CMSTP Mitigation - T1191" }, @@ -8613,7 +10313,15 @@ "https://attack.mitre.org/mitigations/T1142" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "56648de3-8947-4559-90c4-eda10acc0f5a", "value": "Keychain Mitigation - T1142" }, @@ -8625,7 +10333,15 @@ "https://attack.mitre.org/mitigations/T1152" ] }, - "related": [], + "related": [ + { + "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc", "value": "Launchctl Mitigation - T1152" }, @@ -8637,7 +10353,15 @@ "https://attack.mitre.org/mitigations/T1153" ] }, - "related": [], + "related": [ + { + "dest-uuid": "45d84c8b-c1e2-474d-a14d-69b5de0a2bc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "5391ece4-8866-415d-9b5e-8dc5944f612a", "value": "Source Mitigation - T1153" }, @@ -8649,7 +10373,15 @@ "https://attack.mitre.org/mitigations/T1154" ] }, - "related": [], + "related": [ + { + "dest-uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "809b79cd-be78-4597-88d1-5496d1d9993a", "value": "Trap Mitigation - T1154" }, @@ -8662,7 +10394,15 @@ "https://attack.mitre.org/mitigations/T1148" ] }, - "related": [], + "related": [ + { + "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330", "value": "HISTCONTROL Mitigation - T1148" }, @@ -8688,7 +10428,15 @@ "https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/" ] }, - "related": [], + "related": [ + { + "dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1e4ef2c7-ee96-4484-9baa-3b5777561301", "value": "AppleScript Mitigation - T1155" }, @@ -8700,7 +10448,15 @@ "https://attack.mitre.org/mitigations/T1169" ] }, - "related": [], + "related": [ + { + "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c", "value": "Sudo Mitigation - T1169" }, @@ -8712,7 +10468,15 @@ "https://attack.mitre.org/mitigations/T1179" ] }, - "related": [], + "related": [ + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf", "value": "Hooking Mitigation - T1179" }, @@ -9215,6 +10979,13 @@ { "dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea", "type": "mitigates" + }, + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c", diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index 722f885..f8dd4d3 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json @@ -478,6 +478,34 @@ { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "type": "uses" + }, + { + "dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4af45fea-72d3-11e8-846c-d37699506c8d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", @@ -520,6 +548,13 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", @@ -585,6 +620,20 @@ { "dest-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "type": "uses" + }, + { + "dest-uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", @@ -830,6 +879,20 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" + }, + { + "dest-uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", @@ -1213,6 +1276,34 @@ { "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "type": "uses" + }, + { + "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", @@ -1718,6 +1809,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "9e71024e-817f-45b0-92a0-d886c30bc929", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ae41895a-243f-4a65-b99b-d85022326c31", @@ -1754,6 +1859,34 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", @@ -2938,6 +3071,27 @@ { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" + }, + { + "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", @@ -2997,6 +3151,20 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "0ca45163-e223-4167-b1af-f088ed14a93d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", @@ -3041,6 +3209,20 @@ { "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "type": "uses" + }, + { + "dest-uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", @@ -3097,6 +3279,20 @@ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" + }, + { + "dest-uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", @@ -3479,6 +3675,34 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192", @@ -3567,6 +3791,20 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "894aab42-3371-47b1-8859-a4a074c804c8", @@ -3632,6 +3870,41 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", @@ -3877,6 +4150,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", @@ -4345,6 +4632,76 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", @@ -6428,6 +6785,20 @@ { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" + }, + { + "dest-uuid": "6c74fda2-bb04-40bd-a166-8c2d4b952d33", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", @@ -6489,6 +6860,41 @@ { "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", "type": "uses" + }, + { + "dest-uuid": "48146604-6693-4db1-bd94-159744726514", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "48146604-6693-4db1-bd94-159744726514", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", @@ -6542,6 +6948,34 @@ { "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "type": "uses" + }, + { + "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", @@ -6750,6 +7184,41 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", @@ -6875,6 +7344,41 @@ { "dest-uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445", "type": "uses" + }, + { + "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", @@ -7418,6 +7922,27 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", @@ -7829,6 +8354,27 @@ { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" + }, + { + "dest-uuid": "7e5a571f-dee2-4cae-a960-f8ab8a8fb1cf", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", @@ -8580,6 +9126,62 @@ { "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", "type": "uses" + }, + { + "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", @@ -8613,6 +9215,13 @@ { "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", "type": "uses" + }, + { + "dest-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9", @@ -8645,6 +9254,27 @@ { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" + }, + { + "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", @@ -8897,6 +9527,13 @@ { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", @@ -9025,6 +9662,153 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", @@ -9261,6 +10045,27 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" + }, + { + "dest-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", @@ -9350,6 +10155,27 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", @@ -9705,6 +10531,20 @@ { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" + }, + { + "dest-uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", @@ -9738,6 +10578,13 @@ { "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", "type": "uses" + }, + { + "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", @@ -9787,6 +10634,69 @@ { "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "type": "uses" + }, + { + "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "090242d7-73fc-4738-af68-20162f7a5aae", @@ -9898,6 +10808,34 @@ { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "type": "uses" + }, + { + "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", @@ -10403,6 +11341,20 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", @@ -10616,6 +11568,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", @@ -10807,6 +11766,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", @@ -10907,6 +11880,20 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" + }, + { + "dest-uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", @@ -11624,6 +12611,20 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" + }, + { + "dest-uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", @@ -11758,7 +12759,15 @@ "Taidoor" ] }, - "related": [], + "related": [ + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46", "value": "Taidoor - G0015" }, @@ -11973,6 +12982,20 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fd19bd82-1b14-49a1-a176-6cdc46b8a826", @@ -12167,6 +13190,27 @@ { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" + }, + { + "dest-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", @@ -12512,6 +13556,34 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", @@ -12887,6 +13959,20 @@ { "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "type": "uses" + }, + { + "dest-uuid": "d144c83e-2302-4947-9e24-856fbf7949ae", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", @@ -13177,6 +14263,20 @@ { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" + }, + { + "dest-uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "62a64fd3-aaf7-4d09-a375-d6f8bb118481", @@ -13194,6 +14294,20 @@ "dest-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "type": "revoked-by" }, + { + "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825", "tags": [ @@ -13274,6 +14388,20 @@ { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" + }, + { + "dest-uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", @@ -13503,6 +14631,27 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" + }, + { + "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f", @@ -13520,6 +14669,20 @@ { "dest-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "type": "revoked-by" + }, + { + "dest-uuid": "73a521f6-3bc7-11e8-9e30-df7c90e50dda", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", @@ -13561,6 +14724,13 @@ { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", @@ -13648,6 +14818,13 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", @@ -13955,6 +15132,20 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", @@ -14165,6 +15356,27 @@ { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" + }, + { + "dest-uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", @@ -14404,6 +15616,20 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "647894f6-1723-4cba-aba4-0ef0966d5302", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", @@ -14436,6 +15662,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f", @@ -14459,6 +15699,13 @@ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "da49b9f1-ca99-443f-9728-0a074db66850", @@ -15048,6 +16295,20 @@ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" + }, + { + "dest-uuid": "5abb12e7-5066-4f84-a109-49a037205c76", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", @@ -15439,6 +16700,20 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", @@ -15507,6 +16782,20 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" + }, + { + "dest-uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d1acfbb3-647b-4723-9154-800ec119006e", @@ -15811,6 +17100,27 @@ { "dest-uuid": "f74a5069-015d-4404-83ad-5ca01056c0dc", "type": "uses" + }, + { + "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", @@ -15901,6 +17211,13 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" + }, + { + "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", @@ -16682,6 +17999,34 @@ { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" + }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", @@ -16719,6 +18064,27 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "47b5007a-3fb1-466a-9578-629e6e735493", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "025bdaa9-897d-4bad-afa6-013ba5734653", @@ -16806,6 +18172,27 @@ { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" + }, + { + "dest-uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "43894e2a-174e-4931-94a8-2296afe8f650", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c", @@ -17088,6 +18475,20 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e", @@ -17331,6 +18732,20 @@ { "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", "type": "uses" + }, + { + "dest-uuid": "da754aeb-a86d-4874-b388-d1d2028a56be", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484", @@ -17463,6 +18878,27 @@ { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" + }, + { + "dest-uuid": "154e97b5-47ef-415a-99a6-2157f1b50339", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f9c06633-dcff-48a1-8588-759e7cec5694", @@ -17798,6 +19234,20 @@ { "dest-uuid": "ff41b9b6-4c1d-407b-a7e2-835109c8dbc5", "type": "uses" + }, + { + "dest-uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "269e8108-68c6-4f99-b911-14b2e765dec2", diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 5b14923..e48a0d4 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -29,6 +29,13 @@ { "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", @@ -72,6 +79,48 @@ { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" + }, + { + "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "56660521-6db4-4e5a-a927-464f22954b7c", @@ -422,6 +471,27 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" + }, + { + "dest-uuid": "9b3a4cff-1c5a-4fd6-b49c-27240b6d622c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", @@ -506,6 +576,34 @@ { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" + }, + { + "dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", @@ -646,6 +744,34 @@ { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "uses" + }, + { + "dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", @@ -910,6 +1036,20 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" + }, + { + "dest-uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", @@ -974,6 +1114,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", @@ -998,6 +1145,13 @@ { "dest-uuid": "d4b96d2c-1032-4b22-9235-2b5b649d0605", "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", @@ -1024,6 +1178,13 @@ { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", @@ -1076,6 +1237,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", @@ -1225,6 +1393,13 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" + }, + { + "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", @@ -1382,6 +1557,20 @@ { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", @@ -1425,6 +1614,20 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "59fb0222-0e7d-4f5f-92ac-e68012fb927d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", @@ -1532,6 +1735,20 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "d8aad68d-a68f-42e1-b755-d5f383b73401", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", @@ -1664,6 +1881,20 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" + }, + { + "dest-uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", @@ -2190,6 +2421,13 @@ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", @@ -3075,6 +3313,13 @@ { "dest-uuid": "0042a9f5-f053-4769-b3ef-9ad018dfa298", "type": "uses" + }, + { + "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", @@ -3215,6 +3460,27 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "81f41bae-2ba9-4cec-9613-776be71645ca", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0", @@ -4377,6 +4643,13 @@ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "28e39395-91e7-4f02-b694-5e079c964da9", @@ -4395,6 +4668,13 @@ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17", @@ -4413,6 +4693,13 @@ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d89c132d-7752-4c7f-9372-954a71522985", @@ -4505,6 +4792,13 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", @@ -4605,6 +4899,13 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", @@ -4668,6 +4969,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "d22a3e65-75e5-4970-b424-bdc06ec33dba", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", @@ -4686,6 +5001,13 @@ { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", @@ -4975,6 +5297,20 @@ { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" + }, + { + "dest-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", @@ -5091,6 +5427,13 @@ { "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", "type": "uses" + }, + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", @@ -5123,6 +5466,20 @@ { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", @@ -5167,6 +5524,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", @@ -5261,6 +5625,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "d7183f66-59ec-4803-be20-237b442259fc", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", @@ -5373,6 +5751,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", @@ -5735,6 +6120,20 @@ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" + }, + { + "dest-uuid": "66575fb4-7f92-42d8-8c47-e68a26413081", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", @@ -5773,6 +6172,27 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "25cd01bc-1346-4415-8f8d-d3656309ef6b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", @@ -5824,6 +6244,20 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "2ae57534-6aac-4025-8d93-888dab112b45", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", @@ -5861,6 +6295,20 @@ { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" + }, + { + "dest-uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", @@ -5909,6 +6357,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", @@ -5927,6 +6382,13 @@ { "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", "type": "uses" + }, + { + "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", @@ -6029,6 +6491,20 @@ { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" + }, + { + "dest-uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", @@ -6064,6 +6540,20 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "91583583-95c0-444e-8175-483cbebc640b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", @@ -6123,6 +6613,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e2cc27a2-4146-4f08-8e80-114a99204cea", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", @@ -6267,6 +6771,13 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" + }, + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", @@ -6423,6 +6934,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "08e2c9ef-aa62-429f-a6e5-e901ff6883cd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", @@ -6460,6 +6985,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", @@ -6532,6 +7064,20 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" + }, + { + "dest-uuid": "06953055-92ed-4936-8ffd-d9d72ab6bef6", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "95047f03-4811-4300-922e-1ba937d53a61", @@ -6622,6 +7168,20 @@ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" + }, + { + "dest-uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", @@ -6730,6 +7290,20 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "cda7d605-23d0-4f93-a585-1276f094c04a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", @@ -6770,6 +7344,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "b5be84b7-bf2c-40d0-85a9-14c040881a98", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "1d808f62-cf63-4063-9727-ff6132514c22", @@ -6881,6 +7469,27 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "eff68b97-f36e-4827-ab1a-90523c16774c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "94379dec-5c87-49db-b36e-66abc0b81344", @@ -6981,6 +7590,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", @@ -7092,6 +7708,41 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b42378e0-f147-496f-992a-26a49705395b", @@ -7229,6 +7880,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", @@ -7313,6 +7971,20 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" + }, + { + "dest-uuid": "cd6c5f27-cf7e-4529-ae9c-ab5b85102bde", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", @@ -7372,6 +8044,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ea3a8c25-4adb-4538-bf11-55259bdba15f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e", @@ -7532,6 +8218,34 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" + }, + { + "dest-uuid": "663f8ef9-4c50-499a-b765-f377d23c1070", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f4b159ea-97e5-483b-854b-c48a78d562aa", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", @@ -7832,6 +8546,20 @@ { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" + }, + { + "dest-uuid": "776b1849-8d5b-4762-8ba1-cbbaddb4ce3a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", @@ -7850,6 +8578,13 @@ { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "type": "uses" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", @@ -7906,6 +8641,13 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", @@ -7965,6 +8707,27 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "6e45f758-7bd9-44b8-a21c-7309614ae176", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4df1b257-c242-46b0-b120-591430066b6f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", @@ -8045,6 +8808,13 @@ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", @@ -8186,6 +8956,13 @@ { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", @@ -8620,6 +9397,20 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" + }, + { + "dest-uuid": "f1e05a12-ca50-41ab-a963-d7df5bcb141d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", @@ -8731,6 +9522,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "19d89300-ff97-4281-ac42-76542e744092", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", @@ -8766,6 +9571,20 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" + }, + { + "dest-uuid": "12bb8f4f-af29-49a0-8c2c-d28468f28fd8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", @@ -8879,6 +9698,27 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "d70fd29d-590e-4ed5-b72f-6ce0142019c6", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", @@ -9008,6 +9848,13 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", @@ -9120,6 +9967,27 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", @@ -9346,6 +10214,27 @@ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" + }, + { + "dest-uuid": "36c0faf0-428e-4e7f-93c5-824bb0495ac9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", @@ -9424,6 +10313,27 @@ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" + }, + { + "dest-uuid": "0cf21558-1217-4d36-9536-2919cfd44825", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", @@ -9464,6 +10374,13 @@ { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5bcd5511-6756-4824-a692-e8bb109364af", @@ -9646,6 +10563,27 @@ { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" + }, + { + "dest-uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", @@ -9678,6 +10616,13 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", @@ -9805,6 +10750,41 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" + }, + { + "dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", @@ -9846,6 +10826,20 @@ { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" + }, + { + "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", @@ -9980,6 +10974,34 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" + }, + { + "dest-uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", @@ -10067,6 +11089,27 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ff00fa92-b32e-46b6-88ca-98357ebe3f54", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", @@ -10099,6 +11142,20 @@ { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", @@ -10175,6 +11232,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", @@ -10355,6 +11419,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", @@ -10505,6 +11576,27 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "15e969e6-f031-4441-a49b-f401332e4b00", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", @@ -10540,6 +11632,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e2c18713-0a95-4092-a0e9-76358512daad", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", @@ -10692,6 +11798,20 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", @@ -10804,6 +11924,20 @@ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" + }, + { + "dest-uuid": "170db76b-93f7-4fd1-97fc-55937c079b66", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", @@ -10836,6 +11970,20 @@ { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" + }, + { + "dest-uuid": "a379f09b-5cec-4bdb-9735-125cef2de073", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", @@ -10963,6 +12111,20 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" + }, + { + "dest-uuid": "eedcf785-d011-4e17-96c4-6ff39138ada0", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", @@ -11309,6 +12471,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "039814a0-88de-46c5-a4fb-b293db21880a", @@ -11361,6 +12530,13 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", @@ -11491,6 +12667,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", @@ -11513,6 +12696,13 @@ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "552462b9-ae79-49dd-855c-5973014e157f", @@ -11539,6 +12729,13 @@ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", @@ -11619,6 +12816,13 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", @@ -11708,6 +12912,13 @@ { "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", @@ -11732,6 +12943,20 @@ { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "revoked-by" + }, + { + "dest-uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "310f437b-29e7-4844-848c-7220868d074a", @@ -11767,6 +12992,13 @@ { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "20d56cd6-8dff-4871-9889-d32d254816de", @@ -11789,6 +13021,20 @@ { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", @@ -11831,6 +13077,27 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "59b70721-6fed-4805-afa5-4ff2554bef81", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3a26ee44-3224-48f3-aefb-3978c972d928", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", @@ -11864,6 +13131,13 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", @@ -11935,6 +13209,20 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" + }, + { + "dest-uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", @@ -12125,6 +13413,13 @@ { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8b880b41-5139-4807-baa9-309690218719", @@ -12214,6 +13509,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", @@ -12477,6 +13786,13 @@ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", @@ -12531,6 +13847,20 @@ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" + }, + { + "dest-uuid": "4859330d-c6a5-4b9c-b45b-536ec983cd4a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", @@ -12862,6 +14192,13 @@ { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", @@ -12887,6 +14224,13 @@ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", @@ -13124,6 +14468,20 @@ { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" + }, + { + "dest-uuid": "809b54c3-dd6a-4ec9-8c3a-a27b9baa6732", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "68dca94f-c11d-421e-9287-7c501108e18c", @@ -13215,6 +14573,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", @@ -13250,6 +14622,20 @@ { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", @@ -13446,6 +14832,48 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" + }, + { + "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", @@ -13625,6 +15053,27 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "6374fc53-9a0d-41ba-b9cf-2a9765d69fbb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", @@ -13828,6 +15277,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", @@ -14091,6 +15547,13 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", @@ -14123,6 +15586,13 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", @@ -14546,6 +16016,34 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "3eca2d5f-41bf-4ad4-847f-df18befcdc44", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", @@ -14686,6 +16184,13 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", @@ -14737,6 +16242,20 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "6a28a648-30c0-4d1d-bd67-81a8dc6486ba", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", @@ -15059,6 +16578,20 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "5d2dd6ad-6bb2-45d3-b295-e125d3399c8d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8c553311-0baa-4146-997a-f79acef3d831", @@ -15755,6 +17288,20 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" + }, + { + "dest-uuid": "009db412-762d-4256-8df9-eb213be01ffd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", @@ -15882,6 +17429,20 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" + }, + { + "dest-uuid": "6a100902-7204-4f20-b838-545ed86d4428", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "22addc7b-b39f-483d-979a-1b35147da5de", @@ -16302,6 +17863,13 @@ { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "bb3c1098-d654-4620-bf40-694386d28921", @@ -16341,6 +17909,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", @@ -16544,6 +18126,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", @@ -16576,6 +18165,13 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", @@ -16625,6 +18221,13 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", @@ -16686,6 +18289,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", @@ -16726,6 +18336,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", @@ -16768,6 +18385,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", @@ -16835,6 +18459,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "3760920e-4d1a-40d8-9e60-508079499076", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", @@ -16970,6 +18608,27 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "5a22cad7-65fa-4b7a-a7aa-7915a6101efa", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "82c644ab-550a-4a83-9b35-d545f4719069", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", @@ -17042,6 +18701,13 @@ { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", @@ -17114,6 +18780,13 @@ { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" + }, + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", @@ -17283,6 +18956,13 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", @@ -17353,6 +19033,13 @@ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", @@ -17540,6 +19227,20 @@ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" + }, + { + "dest-uuid": "67ade442-63f2-4319-bdcd-d2564b963ed6", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", @@ -17609,6 +19310,20 @@ { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "uses" + }, + { + "dest-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9", @@ -17712,6 +19427,13 @@ { "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", "type": "uses" + }, + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", @@ -17957,6 +19679,27 @@ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" + }, + { + "dest-uuid": "2815a353-cd56-4ed0-8581-812b94f7a326", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "71ac10de-1103-40a7-b65b-f97dab9769bf", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", @@ -18116,6 +19859,34 @@ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" + }, + { + "dest-uuid": "8d8efbc6-d1b7-4ec8-bab3-591edba337d0", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "858edfb8-793a-430b-8acc-4310e7d2f0d3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a61fc694-a88a-484d-a648-db35b49932fd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", @@ -18499,6 +20270,20 @@ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" + }, + { + "dest-uuid": "5930509b-7793-4db9-bdfc-4edda7709d0d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", @@ -18780,6 +20565,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", @@ -18925,6 +20724,27 @@ { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" + }, + { + "dest-uuid": "6d180bd7-3c77-4faf-b98b-dc2ab5f49101", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", @@ -19159,6 +20979,34 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e0bea149-2def-484f-b658-f782a4f94815", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", @@ -19192,6 +21040,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", @@ -19378,6 +21233,20 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" + }, + { + "dest-uuid": "becf81e5-f989-4093-a67d-d55a0483885f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e", @@ -19528,6 +21397,27 @@ { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" + }, + { + "dest-uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3d8e547d-9456-4f32-a895-dc86134e282f", @@ -19647,6 +21537,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "a5e851b4-e046-43b6-bc6e-c6c008e3c5aa", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", @@ -19782,6 +21686,13 @@ { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" + }, + { + "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f", @@ -19812,6 +21723,20 @@ { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" + }, + { + "dest-uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", @@ -19998,6 +21923,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "656cd201-d57a-4a2f-a201-531eb4922a72", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", @@ -20109,6 +22048,20 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" + }, + { + "dest-uuid": "9991ace8-1a62-498c-a9ef-19d474deb505", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", @@ -20253,6 +22206,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", @@ -20454,6 +22414,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "70ca8408-bc45-4d39-acd2-9190ba15ea97", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", @@ -20775,6 +22749,34 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "c542f369-f06d-4168-8c84-fdf5fc7f2a8d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", @@ -20921,6 +22923,20 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" + }, + { + "dest-uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", @@ -21198,6 +23214,34 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "9223bf17-7e32-4833-9574-9ffd8c929765", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "da079741-05e6-458c-b434-011263dc691c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", @@ -21249,6 +23293,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "fe97ace3-9a80-42af-9eae-1f9245927e5d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", @@ -21382,6 +23440,48 @@ { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" + }, + { + "dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f108215f-3487-489d-be8b-80e346d32518", @@ -21643,6 +23743,20 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" + }, + { + "dest-uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", @@ -21736,6 +23850,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "d909efe3-abc3-4be0-9640-e4727542fa2b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", @@ -21815,6 +23943,20 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "826c31ca-2617-47e4-b236-205da3881182", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", @@ -21932,6 +24074,13 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e9595678-d269-469e-ae6b-75e49259de63", @@ -21971,6 +24120,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "e5a9a2ec-348e-4a2f-98dd-16c3e8845576", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", @@ -22183,6 +24346,20 @@ { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" + }, + { + "dest-uuid": "541b64bc-87ec-4cc2-aaee-329355987853", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", @@ -22320,6 +24497,20 @@ { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" + }, + { + "dest-uuid": "49025073-4cd3-43b8-b893-e80a1d3adc04", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", @@ -22346,6 +24537,20 @@ { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", @@ -22512,6 +24717,13 @@ { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "936be60d-90eb-4c36-9247-4b31128432c4", @@ -22668,6 +24880,27 @@ { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" + }, + { + "dest-uuid": "837a295c-15ff-41c0-9b7e-5f2fb502b00a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", @@ -22735,6 +24968,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", @@ -23117,6 +25364,13 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", @@ -23218,6 +25472,20 @@ { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" + }, + { + "dest-uuid": "8269e779-db23-4c94-aafb-36ee94879417", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878", @@ -23519,6 +25787,41 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "90124cc8-1205-4e63-83ad-5c45a110b1e6", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3df08e23-1d0b-41ed-b735-c4eca46ce48e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a70e93a7-3578-47e1-9926-0818979ed866", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", @@ -23706,6 +26009,20 @@ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" + }, + { + "dest-uuid": "44909efb-7cd3-42e3-b225-9f3e96b5f362", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", @@ -23881,6 +26198,27 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "c3c20c4b-e12a-42e5-960a-eea4644014f4", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4af4e96f-c92d-4a45-9958-a88ad8deb38d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", @@ -24037,6 +26375,27 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", @@ -24061,6 +26420,13 @@ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", @@ -24256,6 +26622,20 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "6d1e2736-d363-49aa-9054-9c9e4ac0c520", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", @@ -24803,6 +27183,20 @@ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" + }, + { + "dest-uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", @@ -25016,6 +27410,27 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "d71604d2-a17e-4b4e-82be-19cb54f93161", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", @@ -25361,6 +27776,34 @@ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" + }, + { + "dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", @@ -25656,6 +28099,34 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", @@ -26012,6 +28483,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", @@ -26401,6 +28886,20 @@ { "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", "type": "uses" + }, + { + "dest-uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", @@ -26600,6 +29099,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", @@ -26855,6 +29368,20 @@ { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" + }, + { + "dest-uuid": "e6952b4d-e96d-4641-a88f-60074776d553", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", @@ -27032,6 +29559,34 @@ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" + }, + { + "dest-uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "76ec1827-68a1-488f-9899-2b788ea8db64", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", @@ -27283,6 +29838,20 @@ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" + }, + { + "dest-uuid": "a89ed72c-202d-486b-9349-6ffc0a61e30a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", @@ -27721,6 +30290,20 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" + }, + { + "dest-uuid": "321e2bd3-2d98-41d6-8402-3949f514c548", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", @@ -27850,6 +30433,13 @@ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", @@ -28018,6 +30608,27 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f5ac89a7-e129-43b7-bd68-e3cb1e5a3ba2", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", @@ -28130,6 +30741,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0998045d-f96e-4284-95ce-3c8219707486", @@ -28162,6 +30780,20 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" + }, + { + "dest-uuid": "f9c6da03-8cb1-4383-9d52-a614c42082bf", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", @@ -28438,6 +31070,27 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "6a42aa10-5b7e-43b0-8c58-414cdaeda453", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "12b524b9-0d94-400f-904f-615f4f764aaf", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", @@ -28659,6 +31312,13 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", @@ -29134,6 +31794,13 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", @@ -29241,6 +31908,13 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", @@ -29454,6 +32128,20 @@ { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" + }, + { + "dest-uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", @@ -29552,6 +32240,20 @@ { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" + }, + { + "dest-uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", @@ -29754,6 +32456,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", @@ -29941,6 +32650,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", @@ -30131,6 +32854,20 @@ { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" + }, + { + "dest-uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", @@ -30250,6 +32987,13 @@ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", @@ -30284,6 +33028,13 @@ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", @@ -30464,6 +33215,13 @@ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", @@ -30732,6 +33490,13 @@ { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", @@ -30768,6 +33533,13 @@ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", @@ -30820,6 +33592,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", @@ -30849,6 +33635,13 @@ { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" + }, + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b0f13390-cec7-4814-b37c-ccec01887faa", @@ -30980,6 +33773,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", @@ -31012,6 +33812,27 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f5cacc72-f02a-42d1-a020-7a59650086bb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", @@ -31044,6 +33865,13 @@ { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035", @@ -31564,6 +34392,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "7abd6950-7a07-4d9e-ade1-62414fa50619", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", @@ -31661,6 +34503,27 @@ { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" + }, + { + "dest-uuid": "80447111-8085-40a4-a052-420926091ac6", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", @@ -31742,6 +34605,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", @@ -31785,6 +34662,27 @@ { "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "type": "uses" + }, + { + "dest-uuid": "6e0545df-8df6-4990-971c-e96c4c60d561", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", @@ -31841,6 +34739,13 @@ { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501", @@ -33523,6 +36428,20 @@ { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", @@ -35078,6 +37997,27 @@ { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" + }, + { + "dest-uuid": "0c769e82-df28-4f65-97f5-7f3d88488f2e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", @@ -36103,6 +39043,13 @@ { "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", "type": "uses" + }, + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc", @@ -36275,6 +39222,20 @@ { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", @@ -37111,6 +40072,13 @@ { "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "type": "uses" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde", @@ -37619,6 +40587,20 @@ { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" + }, + { + "dest-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", @@ -37695,6 +40677,20 @@ { "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", "type": "uses" + }, + { + "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", @@ -37797,6 +40793,20 @@ { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" + }, + { + "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", @@ -37815,6 +40825,13 @@ { "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", "type": "uses" + }, + { + "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe", diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index abd7adc..8bd8fc5 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json @@ -29,6 +29,13 @@ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "242f3da3-4425-4d11-8f5c-b842886da966", @@ -204,6 +211,13 @@ { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", @@ -381,6 +395,13 @@ { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f", @@ -402,6 +423,13 @@ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", @@ -498,6 +526,20 @@ { "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "type": "uses" + }, + { + "dest-uuid": "7f3a035d-d83a-45b8-8111-412aa8ade802", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", @@ -540,6 +582,20 @@ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" + }, + { + "dest-uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", @@ -624,6 +680,13 @@ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", @@ -659,6 +722,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "8410d208-7450-407d-b56c-e5c1ced19632", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", @@ -687,6 +764,13 @@ { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", @@ -705,6 +789,13 @@ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", @@ -729,6 +820,13 @@ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", @@ -751,6 +849,13 @@ { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b35068ec-107a-4266-bda8-eb7036267aea", @@ -769,6 +874,13 @@ { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", @@ -840,6 +952,13 @@ { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4664b683-f578-434f-919b-1c1aad2a1111", @@ -978,6 +1097,13 @@ { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", @@ -1026,6 +1152,13 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", @@ -1063,6 +1196,20 @@ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" + }, + { + "dest-uuid": "3e205e84-9f90-4b4b-8896-c82189936a15", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", @@ -1100,6 +1247,13 @@ { "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", @@ -1136,6 +1290,13 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", @@ -1314,6 +1475,20 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" + }, + { + "dest-uuid": "6dd05630-9bd8-11e8-a8b9-47ce338a4367", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", @@ -1396,6 +1571,13 @@ { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "03342581-f790-4f03-ba41-e82e67392e23", @@ -1569,6 +1751,13 @@ { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" + }, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", @@ -1598,6 +1787,13 @@ { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", @@ -1722,6 +1918,13 @@ { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", @@ -1743,6 +1946,13 @@ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", @@ -1764,6 +1974,13 @@ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", @@ -1795,6 +2012,13 @@ { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "30489451-5886-4c46-90c9-0dff9adc5252", @@ -1820,6 +2044,13 @@ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c9703cd3-141c-43a0-a926-380082be5d04", @@ -1844,6 +2075,13 @@ { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", @@ -1869,6 +2107,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", @@ -1936,6 +2188,13 @@ { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", @@ -2066,6 +2325,20 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" + }, + { + "dest-uuid": "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", @@ -2084,6 +2357,13 @@ { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", @@ -2348,6 +2628,20 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "bdb420be-5882-41c8-b439-02bbef69d83f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", @@ -2445,6 +2739,13 @@ { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", @@ -2471,6 +2772,13 @@ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2", @@ -2536,6 +2844,13 @@ { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", @@ -2670,6 +2985,13 @@ { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", @@ -2695,6 +3017,13 @@ { "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", "type": "uses" + }, + { + "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", @@ -2809,6 +3138,13 @@ { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", @@ -2907,6 +3243,13 @@ { "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", @@ -2925,6 +3268,13 @@ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", @@ -2943,6 +3293,13 @@ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555", @@ -3087,6 +3444,13 @@ { "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", "type": "uses" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", @@ -3661,6 +4025,34 @@ { "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "type": "uses" + }, + { + "dest-uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", diff --git a/clusters/rat.json b/clusters/rat.json index 6ffa2d6..6dbcf8d 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3634,7 +3634,19 @@ }, "uuid": "b30cb6f4-1e0a-4a97-8d88-ca38f83b4422", "value": "STRRAT" + }, + { + "description": "Chinese FortiGate RAT. The COATHANGER malware is a remote access trojan (RAT) designed specifically for Fortigate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code./nThe COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades./nMIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies./nMIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.", + "meta": { + "refs": [ + "https://github.com/JSCU-NL/COATHANGER", + "https://www.ncsc.nl/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear", + "https://twitter.com/sehof/status/1754883344574103670" + ] + }, + "uuid": "c04e9738-de62-43e4-b645-2e308c1f77f7", + "value": "COATHANGER" } ], - "version": 44 + "version": 45 } diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index fdf0fd9..bc28035 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -76,51 +76,18 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], - "tags": "No established tags" + "tags": [ + "attack.credential_access" + ] }, "uuid": "d7fb8f0e-bd5f-45c2-b467-19571c490d7e", "value": "Cleartext Protocol Usage" }, - { - "description": "Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/04/15", - "falsepositive": [ - "Unknown" - ], - "filename": "net_firewall_apt_equationgroup_c2.yml", - "level": "high", - "logsource.category": "firewall", - "logsource.product": "No established product", - "refs": [ - "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", - "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.g0020", - "attack.t1041" - ] - }, - "related": [ - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "881834a4-6659-4773-821e-1c151789d873", - "value": "Equation Group C2 Communication" - }, { "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", "meta": { @@ -135,9 +102,9 @@ "logsource.product": "No established product", "refs": [ "https://core.telegram.org/bots/faq", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ @@ -396,6 +363,7 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ + "https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_discovery.yml" ], "tags": [ @@ -681,6 +649,9 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ + "https://blog.router-switch.com/2013/11/show-running-config/", + "https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm", + "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml" ], "tags": [ @@ -731,6 +702,7 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ + "https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_disable_logging.yml" ], "tags": [ @@ -884,6 +856,7 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ + "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml" ], "tags": [ @@ -925,6 +898,8 @@ "logsource.category": "No established category", "logsource.product": "cisco", "refs": [ + "https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609", + "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml" ], "tags": [ @@ -1209,10 +1184,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://threatpost.com/microsoft-petitpotam-poc/168163/", + "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -1649,9 +1624,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://twitter.com/_dirkjan/status/1309214379003588608", - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -1726,12 +1701,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", - "https://github.com/corelight/CVE-2021-1675", - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", + "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://github.com/corelight/CVE-2021-1675", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ @@ -1758,6 +1733,7 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml" ], "tags": [ @@ -1864,9 +1840,9 @@ "logsource.product": "zeek", "refs": [ "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", - "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://twitter.com/neu5ron/status/1346245602502443009", "https://tools.ietf.org/html/rfc2929#section-2.1", + "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ @@ -2007,8 +1983,8 @@ "logsource.category": "application", "logsource.product": "spring", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml" ], "tags": [ @@ -2210,8 +2186,8 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml" ], "tags": [ @@ -2277,10 +2253,10 @@ "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ - "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", - "http://edgeguides.rubyonrails.org/security.html", - "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "http://guides.rubyonrails.org/action_controller_overview.html", + "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", + "http://edgeguides.rubyonrails.org/security.html", + "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ @@ -2376,8 +2352,8 @@ "logsource.product": "rpc_firewall", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], @@ -2401,10 +2377,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ @@ -2438,8 +2414,8 @@ "logsource.product": "rpc_firewall", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], @@ -2481,9 +2457,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", - "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], @@ -2542,8 +2518,8 @@ "logsource.product": "rpc_firewall", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], @@ -2585,9 +2561,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], "tags": [ @@ -2629,8 +2605,8 @@ "logsource.product": "rpc_firewall", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], @@ -2672,12 +2648,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -2700,10 +2676,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ @@ -2736,8 +2712,8 @@ "logsource.product": "rpc_firewall", "refs": [ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], @@ -2762,8 +2738,8 @@ "logsource.product": "rpc_firewall", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], @@ -2823,10 +2799,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -2850,8 +2826,8 @@ "logsource.product": "rpc_firewall", "refs": [ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], @@ -2994,8 +2970,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" ], "tags": [ @@ -3073,8 +3049,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158", + "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml" ], "tags": [ @@ -3279,6 +3255,7 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "https://github.com/EmpireProject/PSInject", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml" ], "tags": [ @@ -3353,10 +3330,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ @@ -3390,8 +3367,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/spawn", "https://github.com/boku7/injectAmsiBypass", + "https://github.com/boku7/spawn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ @@ -3433,10 +3410,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml" ], @@ -3505,9 +3482,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/mrd0x/status/1460597833917251595", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml" ], "tags": [ @@ -3618,8 +3595,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml" ], "tags": [ @@ -3653,8 +3630,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", + "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml" ], "tags": [ @@ -3688,9 +3665,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", - "https://github.com/codewhitesec/SysmonEnte/", "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", + "https://github.com/codewhitesec/SysmonEnte/", + "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml" ], "tags": [ @@ -3919,11 +3896,11 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/issues/253", - "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", - "https://twitter.com/d4rksystem/status/1357010969264873472", "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://twitter.com/d4rksystem/status/1357010969264873472", + "https://github.com/SigmaHQ/sigma/issues/253", "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", + "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml" ], "tags": [ @@ -4023,8 +4000,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", "https://github.com/zcgonvh/EfsPotato", + "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml" ], "tags": [ @@ -4119,7 +4096,8 @@ "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "creation_date": "2021/07/30", "falsepositive": [ - "Chrome instances using the exact same pipe name \"mojo.xxx\"" + "Chrome instances using the exact same pipe name \"mojo.xxx\"", + "Websense Endpoint using the pipe name \"DserNamePipe(R|W)\\d{1,5}\"" ], "filename": "pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml", "level": "high", @@ -4162,8 +4140,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/poweradminllc/PAExec", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md", + "https://github.com/poweradminllc/PAExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml" ], "tags": [ @@ -4196,8 +4174,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml" ], "tags": [ @@ -4296,8 +4274,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://o365blog.com/post/adfs/", "https://github.com/Azure/SimuLand", + "https://o365blog.com/post/adfs/", "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml" ], @@ -4434,18 +4412,18 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://www.us-cert.gov/ncas/alerts/TA17-117A", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml" ], "tags": [ @@ -4479,8 +4457,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/kavika13/RemCom", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml" ], "tags": [ @@ -4620,8 +4598,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml" ], "tags": [ @@ -4828,7 +4806,7 @@ "value": "Uncommon New Firewall Rule Added In Windows Firewall Exception List" }, { - "description": "Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.", + "description": "Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.\n", "meta": { "author": "Patrick Bareiss", "creation_date": "2019/04/18", @@ -4984,9 +4962,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://twitter.com/MsftSecIntel/status/1257324139515269121", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" ], @@ -5139,8 +5117,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" ], "tags": [ @@ -5174,6 +5152,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml" ], "tags": [ @@ -5238,8 +5218,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" ], "tags": [ @@ -5305,8 +5285,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://o365blog.com/post/hybridhealthagent/", "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", + "https://o365blog.com/post/hybridhealthagent/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" ], "tags": [ @@ -5339,8 +5319,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" ], "tags": [ @@ -5407,8 +5387,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://twitter.com/menasec1/status/1106899890377052160", + "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" ], "tags": [ @@ -5443,8 +5423,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", "https://twitter.com/deviouspolack/status/832535435960209408", + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_audit_log_cleared.yml" ], @@ -5512,11 +5492,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", "https://github.com/sensepost/ruler", "https://github.com/sensepost/ruler/issues/47", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", - "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], "tags": [ @@ -5574,9 +5554,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://awakesecurity.com/blog/threat-hunting-for-paexec/", "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", - "https://awakesecurity.com/blog/threat-hunting-for-paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" ], "tags": [ @@ -5769,18 +5749,30 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], - "tags": "No established tags" + "tags": [ + "attack.impact", + "attack.t1531" + ] }, + "related": [ + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0badd08f-c6a3-4630-90d3-6875cca440be", "value": "User Logoff Event" }, { - "description": "Detects access to $ADMIN share", + "description": "Detects access to ADMIN$ network share", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/04", @@ -5792,6 +5784,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_share_access.yml" ], "tags": [ @@ -5809,7 +5802,7 @@ } ], "uuid": "098d7118-55bc-4912-a836-dc6483a8d150", - "value": "Access to ADMIN$ Share" + "value": "Access To ADMIN$ Network Share" }, { "description": "Detects renaming of file while deletion with SDelete tool.", @@ -5945,9 +5938,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", "https://twitter.com/_dirkjan/status/1309214379003588608", - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -6072,9 +6065,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", + "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], "tags": [ @@ -6095,7 +6088,7 @@ "value": "AD Object WriteDAC Access" }, { - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "description": "Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/02/10", @@ -6107,6 +6100,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml" ], "tags": [ @@ -6430,8 +6424,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], @@ -6573,9 +6567,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", "Live environment caused by malware", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", + "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -6715,8 +6709,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml" ], "tags": [ @@ -6793,8 +6787,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://twitter.com/menasec1/status/1111556090137903104", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" ], "tags": [ @@ -7123,8 +7117,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" ], "tags": [ @@ -7157,10 +7151,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/Flangvik/status/1283054508084473861", "https://twitter.com/SecurityJosh/status/1283027365770276866", - "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", + "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", + "https://twitter.com/Flangvik/status/1283054508084473861", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], "tags": [ @@ -7364,7 +7358,7 @@ "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" }, { - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "description": "Detects the creation of a user with the \"$\" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.\n", "meta": { "author": "Ilyas Ochkov, oscd.community", "creation_date": "2019/10/25", @@ -7372,10 +7366,11 @@ "Unknown" ], "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml", - "level": "high", + "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/SBousseaden/status/1387743867663958021", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml" ], "tags": [ @@ -7393,7 +7388,7 @@ } ], "uuid": "cfeed607-6aa4-4bbd-9627-b637deb723c8", - "value": "New or Renamed User Account with '$' in Attribute 'SamAccountName'" + "value": "New or Renamed User Account with '$' Character" }, { "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", @@ -7429,18 +7424,19 @@ "value": "Windows Network Access Suspicious desktop.ini Action" }, { - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "description": "Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.\n", "meta": { "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "creation_date": "2019/10/24", "falsepositive": [ - "Legitimate OpenVPN TAP insntallation" + "Legitimate OpenVPN TAP installation" ], "filename": "win_security_tap_driver_installation.yml", - "level": "medium", + "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_tap_driver_installation.yml" ], "tags": [ @@ -7728,6 +7724,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml" ], "tags": [ @@ -7748,18 +7745,19 @@ "value": "Suspicious Access to Sensitive File Extensions" }, { - "description": "Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later", + "description": "Detects external disk drives or plugged-in USB devices.", "meta": { "author": "Keith Wright", "creation_date": "2019/11/20", "falsepositive": [ - "Legitimate administrative activity" + "Likely" ], "filename": "win_security_external_device.yml", "level": "low", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_external_device.yml" ], "tags": [ @@ -7786,7 +7784,7 @@ } ], "uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", - "value": "External Disk Drive Or USB Storage Device" + "value": "External Disk Drive Or USB Storage Device Was Recognized By The System" }, { "description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.", @@ -7801,9 +7799,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], "tags": [ @@ -7910,9 +7908,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp", "https://x.com/_st0pp3r_/status/1742203752361128162?s=20", "https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation", + "https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp", "https://github.com/deepinstinct/NoFilter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_nofilter.yml" ], @@ -8161,9 +8159,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", + "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" ], "tags": [ @@ -8225,6 +8223,39 @@ "uuid": "571498c8-908e-40b4-910b-d2369159a3da", "value": "Password Protected ZIP File Opened (Email Attachment)" }, + { + "description": "Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.\n", + "meta": { + "author": "Thodoris Polyzos (@SmoothDeploy)", + "creation_date": "2024/01/29", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_hktl_edr_silencer.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/netero1010/EDRSilencer", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hktl_edr_silencer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "98054878-5eab-434c-85d4-72d4e5a3361b", + "value": "HackTool - EDRSilencer Execution - Filter Added" + }, { "description": "Detects locked workstation session events that occur automatically after a standard period of inactivity.", "meta": { @@ -8238,13 +8269,15 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], - "tags": "No established tags" + "tags": [ + "attack.impact" + ] }, "uuid": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", "value": "Locked Workstation" @@ -8262,16 +8295,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -8475,8 +8508,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://o365blog.com/post/hybridhealthagent/", "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", + "https://o365blog.com/post/hybridhealthagent/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" ], "tags": [ @@ -8576,8 +8609,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2053", "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", + "https://adsecurity.org/?p=2053", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" ], "tags": [ @@ -8598,7 +8631,7 @@ "value": "Weak Encryption Enabled and Kerberoast" }, { - "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", + "description": "Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/03/14", @@ -8610,6 +8643,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml" ], "tags": [ @@ -8636,7 +8671,7 @@ } ], "uuid": "c265cf08-3f99-46c1-8d59-328247057d57", - "value": "User Added to Local Administrators" + "value": "User Added to Local Administrator Group" }, { "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", @@ -8768,8 +8803,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", "https://twitter.com/duzvik/status/1269671601852813320", + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" ], "tags": [ @@ -8802,8 +8837,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/topotam/PetitPotam", "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", + "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" ], "tags": [ @@ -8836,10 +8871,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", - "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ @@ -8872,9 +8907,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://adsecurity.org/?p=3466", "https://msdn.microsoft.com/en-us/library/cc220234.aspx", - "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], "tags": [ @@ -8907,9 +8942,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", - "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -8977,8 +9012,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sans.org/webcasts/119395", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://www.sans.org/webcasts/119395", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], @@ -9030,6 +9065,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml" ], "tags": [ @@ -9047,7 +9083,7 @@ } ], "uuid": "0255a820-e564-4e40-af2b-6ac61160335c", - "value": "Addition of Domain Trusts" + "value": "A New Trust Was Created To A Domain" }, { "description": "Detects Mimikatz DC sync security events", @@ -9063,9 +9099,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], @@ -9100,8 +9136,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1101431884540710913", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://twitter.com/SBousseaden/status/1101431884540710913", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" ], "tags": [ @@ -9127,7 +9163,7 @@ { "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", "meta": { - "author": "Tim Rauch (Nextron Systems), Elastic", + "author": "Tim Rauch (Nextron Systems), Elastic (idea)", "creation_date": "2022/09/15", "falsepositive": [ "Unknown" @@ -9137,9 +9173,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.x86matthew.com/view_post?id=create_svc_rpc", - "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", "https://twitter.com/SBousseaden/status/1490608838701166596", + "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", + "https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" ], "tags": [ @@ -9206,8 +9242,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/malmoeb/status/1511760068743766026", - "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ @@ -9377,9 +9413,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", - "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", + "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", + "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml" ], "tags": [ @@ -9510,7 +9546,7 @@ "value": "External Remote SMB Logon from Public IP" }, { - "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", + "description": "Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.", "meta": { "author": "NVISO", "creation_date": "2020/05/06", @@ -9523,6 +9559,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml" ], "tags": [ @@ -9606,11 +9643,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml" ], "tags": [ @@ -9631,7 +9668,7 @@ "value": "A Security-Enabled Global Group Was Deleted" }, { - "description": "Detection of logins performed with WMI", + "description": "Detects successful logon attempts performed with WMI", "meta": { "author": "Thomas Patzke", "creation_date": "2019/12/04", @@ -9644,6 +9681,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml" ], "tags": [ @@ -9661,7 +9699,7 @@ } ], "uuid": "5af54681-df95-4c26-854f-2565e13cfab0", - "value": "Login with WMI" + "value": "Successful Account Login Via WMI" }, { "description": "Detects potential token impersonation and theft. Example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".", @@ -9712,10 +9750,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml" ], @@ -9938,11 +9976,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml" ], "tags": [ @@ -10218,11 +10256,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=ebmW42YYveI", - "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://nullsec.us/windows-event-log-audit-cve/", + "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://twitter.com/FlemmingRiis/status/1217147415482060800", "https://twitter.com/DidierStevens/status/1217533958096924676", + "https://www.youtube.com/watch?v=ebmW42YYveI", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml" ], "tags": [ @@ -10334,8 +10372,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/security/4022344", "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", + "https://technet.microsoft.com/en-us/library/security/4022344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml" ], "tags": [ @@ -10376,8 +10414,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/security/4022344", "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", + "https://technet.microsoft.com/en-us/library/security/4022344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml" ], "tags": [ @@ -10418,9 +10456,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml" ], "tags": [ @@ -10453,8 +10491,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", + "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml" ], "tags": [ @@ -10487,8 +10525,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", + "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml" ], @@ -10686,6 +10724,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/msi/event-logging", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml" ], "tags": [ @@ -10752,8 +10792,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml" ], "tags": [ @@ -10777,8 +10817,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml" ], "tags": [ @@ -10835,8 +10875,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml" ], "tags": [ @@ -10882,9 +10922,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", + "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml" ], "tags": [ @@ -10961,7 +11001,7 @@ "value": "Scheduled Task Executed From A Suspicious Location" }, { - "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", + "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities\n", "meta": { "author": "frack113", "creation_date": "2023/01/13", @@ -10973,6 +11013,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml" ], "tags": [ @@ -11064,8 +11105,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml" ], "tags": [ @@ -11089,8 +11130,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml" ], "tags": [ @@ -11114,8 +11155,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml" ], "tags": [ @@ -11138,10 +11179,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://twitter.com/SBousseaden/status/1483810148602814466", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" ], "tags": [ @@ -11165,8 +11206,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml" ], "tags": [ @@ -11190,8 +11231,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml" ], "tags": [ @@ -11215,8 +11256,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml" ], "tags": [ @@ -11239,8 +11280,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", "https://twitter.com/wdormann/status/1590434950335320065", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml" ], @@ -11275,8 +11316,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml" ], "tags": [ @@ -11310,8 +11351,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml" ], "tags": [ @@ -11393,10 +11434,10 @@ "logsource.product": "windows", "refs": [ "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://winaero.com/enable-openssh-server-windows-10/", - "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", + "https://winaero.com/enable-openssh-server-windows-10/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], "tags": [ @@ -11429,9 +11470,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", - "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], "tags": [ @@ -11479,8 +11520,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml" ], "tags": [ @@ -11582,9 +11623,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml" ], "tags": [ @@ -11618,8 +11659,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml" ], "tags": [ @@ -11719,9 +11760,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "Internal Research", "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", - "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml" ], "tags": [ @@ -11779,8 +11820,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101", "https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/", + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml" ], "tags": [ @@ -11813,8 +11854,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml" ], "tags": [ @@ -11880,8 +11921,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml" ], "tags": [ @@ -11980,8 +12021,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands", "https://twitter.com/duff22b/status/1280166329660497920", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml" ], "tags": [ @@ -12160,10 +12201,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" ], "tags": [ @@ -12233,6 +12274,7 @@ "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://twitter.com/malmoeb/status/1535142803075960832", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" ], @@ -12300,8 +12342,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://ngrok.com/", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ @@ -12367,9 +12409,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://twitter.com/gentilkiwi/status/861641945944391680", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], "tags": [ @@ -12390,7 +12432,7 @@ "value": "DNS Server Error Failed Loading the ServerLevelPluginDLL" }, { - "description": "Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KB aren't installed.", + "description": "Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.\n", "meta": { "author": "frack113", "creation_date": "2021/12/04", @@ -12402,6 +12444,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml" ], "tags": [ @@ -12423,51 +12466,20 @@ "value": "Windows Update Error" }, { - "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2018/01/27", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_susp_sam_dump.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ] - }, - "related": [ - { - "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "839dd1e8-eda8-4834-8145-01beeee33acd", - "value": "SAM Dump to AppData" - }, - { - "description": "Detects QuarksPwDump clearing access history in hive", + "description": "Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.\nThis occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).\nRegistry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2017/05/15", "falsepositive": [ "Unknown" ], - "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml", - "level": "critical", + "filename": "win_system_susp_critical_hive_location_access_bits_cleared.yml", + "level": "high", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_quarkspwdump_clearing_hive_access_history.yml" + "https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml" ], "tags": [ "attack.credential_access", @@ -12484,7 +12496,7 @@ } ], "uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b", - "value": "QuarksPwDump Clearing Access History" + "value": "Critical Hive In Suspicious Location Access Bits Cleared" }, { "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", @@ -12590,8 +12602,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1347900440000811010", "https://twitter.com/wdormann/status/1347958161609809921", + "https://twitter.com/jonasLyk/status/1347900440000811010", "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" ], @@ -12726,8 +12738,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296", - "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60", "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/", + "https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml" ], "tags": [ @@ -13212,8 +13224,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sans.org/webcasts/119395", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://www.sans.org/webcasts/119395", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml" ], @@ -13265,6 +13277,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml" ], "tags": [ @@ -13526,8 +13539,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231", "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml" ], "tags": [ @@ -13677,6 +13690,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml" ], "tags": [ @@ -13766,7 +13780,7 @@ { "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", "meta": { - "author": "Tim Rauch (Nextron Systems), Elastic", + "author": "Tim Rauch (Nextron Systems), Elastic (idea)", "creation_date": "2022/09/15", "falsepositive": [ "Unknown" @@ -13868,8 +13882,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml" ], "tags": [ @@ -13925,6 +13939,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml" ], "tags": [ @@ -14130,7 +14145,7 @@ "value": "Invoke-Obfuscation Via Use MSHTA - System" }, { - "description": "Detects uncommon service installation commands", + "description": "Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.\n", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/03/18", @@ -14142,6 +14157,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml" ], "tags": [ @@ -14161,7 +14177,7 @@ } ], "uuid": "26481afe-db26-4228-b264-25a29fe6efc7", - "value": "Uncommon Service Installation" + "value": "Uncommon Service Installation Image Path" }, { "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", @@ -14253,13 +14269,14 @@ "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "creation_date": "2019/10/24", "falsepositive": [ - "Legitimate OpenVPN TAP insntallation" + "Legitimate OpenVPN TAP installation" ], "filename": "win_system_service_install_tap_driver.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml" ], "tags": [ @@ -14292,6 +14309,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml" ], "tags": [ @@ -14419,8 +14437,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://www.secura.com/blog/zero-logon", + "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" ], "tags": [ @@ -14486,6 +14504,7 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml" ], "tags": [ @@ -14503,7 +14522,7 @@ } ], "uuid": "4d7f1827-1637-4def-8d8a-fd254f9454df", - "value": "Sysmon Crash" + "value": "Sysmon Application Crashed" }, { "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", @@ -14566,8 +14585,8 @@ "logsource.product": "windows", "refs": [ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml" ], "tags": [ @@ -14601,8 +14620,8 @@ "logsource.product": "windows", "refs": [ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -14635,8 +14654,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml" ], "tags": [ @@ -14759,8 +14778,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" ], "tags": [ @@ -14960,9 +14979,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ @@ -15035,9 +15054,9 @@ "refs": [ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", + "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", - "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ @@ -15086,10 +15105,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], "tags": [ @@ -15112,10 +15131,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], "tags": [ @@ -15138,10 +15157,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], "tags": [ @@ -15164,10 +15183,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], "tags": [ @@ -15528,8 +15547,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://twitter.com/cyb3rops/status/1659175181695287297", + "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml" ], "tags": [ @@ -15552,8 +15571,9 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml" ], "tags": [ @@ -15587,17 +15607,17 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://github.com/antonioCoco/RoguePotato", - "https://github.com/ohpe/juicy-potato", - "https://github.com/topotam/PetitPotam", - "https://github.com/fortra/nanodump", - "https://github.com/wavestone-cdt/EDRSandblast", - "https://github.com/gentilkiwi/mimikatz", "https://github.com/codewhitesec/HandleKatz", - "https://github.com/xuanxuan0/DripLoader", - "https://github.com/outflanknl/Dumpert", "https://github.com/hfiref0x/UACME", "https://www.tarasco.org/security/pwdump_7/", + "https://github.com/wavestone-cdt/EDRSandblast", + "https://github.com/antonioCoco/RoguePotato", + "https://github.com/gentilkiwi/mimikatz", + "https://github.com/fortra/nanodump", + "https://github.com/xuanxuan0/DripLoader", + "https://github.com/ohpe/juicy-potato", + "https://github.com/outflanknl/Dumpert", + "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml" ], "tags": [ @@ -15655,9 +15675,10 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml" ], "tags": [ @@ -15691,8 +15712,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", + "https://labs.withsecure.com/publications/detecting-onenote-abuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" ], "tags": [ @@ -15924,9 +15945,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -15962,8 +15983,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", - "https://persistence-info.github.io/Data/recyclebin.html", "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", + "https://persistence-info.github.io/Data/recyclebin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" ], "tags": [ @@ -16031,8 +16052,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" ], "tags": [ @@ -16066,10 +16087,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", - "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", "https://nvd.nist.gov/vuln/detail/cve-2021-34527", + "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://nvd.nist.gov/vuln/detail/cve-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], @@ -16139,8 +16160,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/inversecos/status/1494174785621819397", - "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", + "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml" ], "tags": [ @@ -16173,8 +16194,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/pabraeken/status/990717080805789697", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" ], "tags": [ @@ -16207,8 +16228,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", + "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" ], "tags": [ @@ -16446,8 +16467,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/eset/malware-ioc/tree/master/oceanlotus", "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://github.com/eset/malware-ioc/tree/master/oceanlotus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" ], "tags": [ @@ -16480,8 +16501,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", + "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" ], "tags": [ @@ -16964,10 +16985,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", + "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", "https://github.com/hfiref0x/UACME", - "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", + "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -17076,8 +17097,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/MalwareJake/status/870349480356454401", "https://wikileaks.org/vault7/#Pandemic", + "https://twitter.com/MalwareJake/status/870349480356454401", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" ], "tags": [ @@ -17111,8 +17132,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", - "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "http://woshub.com/how-to-clear-rdp-connections-history/", + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" ], "tags": [ @@ -17186,8 +17207,8 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://seclists.org/fulldisclosure/2020/Mar/45", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://seclists.org/fulldisclosure/2020/Mar/45", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" ], "tags": [ @@ -17287,10 +17308,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", - "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", - "https://github.com/OTRF/detection-hackathon-apt29/issues/7", "https://docs.microsoft.com/en-us/windows/win32/shell/launch", + "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://github.com/OTRF/detection-hackathon-apt29/issues/7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], "tags": [ @@ -17390,8 +17411,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml" ], "tags": [ @@ -17448,11 +17469,11 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", - "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", - "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", + "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml" ], "tags": [ @@ -17643,8 +17664,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml" ], "tags": [ @@ -17685,9 +17706,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", - "https://twitter.com/Hexacorn/status/991447379864932352", "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", + "https://twitter.com/Hexacorn/status/991447379864932352", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ @@ -17753,8 +17774,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" ], "tags": [ @@ -17867,8 +17888,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", "https://github.com/rootm0s/WinPwnage", + "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" ], "tags": [ @@ -17975,8 +17996,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ @@ -18076,11 +18097,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", - "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", + "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", + "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], "tags": [ @@ -18113,8 +18134,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" ], "tags": [ @@ -18138,8 +18159,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], @@ -18173,13 +18194,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ @@ -18271,8 +18292,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" ], @@ -18314,8 +18335,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", "https://persistence-info.github.io/Data/wer_debugger.html", + "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml" ], "tags": [ @@ -18361,8 +18382,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", "https://www.exploit-db.com/exploits/47696", + "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" ], "tags": [ @@ -18589,9 +18610,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" ], @@ -18625,8 +18646,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", + "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" ], "tags": [ @@ -18692,9 +18713,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", - "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], "tags": [ @@ -18835,9 +18856,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/codesigning.html", "https://github.com/gtworek/PSBits/tree/master/SIP", "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", + "https://persistence-info.github.io/Data/codesigning.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" ], "tags": [ @@ -18872,8 +18893,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" ], @@ -19007,8 +19028,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01", "Internal Research", + "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml" ], "tags": [ @@ -19288,8 +19309,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://labs.f-secure.com/blog/scheduled-task-tampering/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" ], "tags": [ @@ -19330,8 +19351,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/inversecos/status/1494174785621819397", "Internal Research", + "https://twitter.com/inversecos/status/1494174785621819397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml" ], "tags": [ @@ -19468,8 +19489,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" ], "tags": [ @@ -19682,9 +19703,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://persistence-info.github.io/Data/userinitmprlogonscript.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], @@ -19825,13 +19846,16 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", + "https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "https://blog.sekoia.io/darkgate-internals/", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry", + "https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ @@ -19899,8 +19923,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" ], @@ -19935,8 +19959,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" ], @@ -20189,8 +20213,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], @@ -20214,8 +20238,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" ], "tags": [ @@ -20271,9 +20295,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], "tags": [ @@ -20307,8 +20331,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" ], @@ -20342,10 +20366,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", - "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", + "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", + "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], "tags": [ @@ -20378,8 +20402,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml" ], "tags": [ @@ -20460,9 +20484,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", - "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml" ], "tags": [ @@ -20561,10 +20585,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", - "https://twitter.com/M_haggis/status/1699056847154725107", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", + "https://twitter.com/M_haggis/status/1699056847154725107", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", + "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -20717,13 +20741,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", - "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ @@ -20823,8 +20847,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" ], "tags": [ @@ -20890,8 +20914,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/hfiref0x/UACME", + "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" ], "tags": [ @@ -20926,8 +20950,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml" ], "tags": [ @@ -20977,8 +21001,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/inversecos/status/1494174785621819397", "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", + "https://twitter.com/inversecos/status/1494174785621819397", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml" ], @@ -21012,8 +21036,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/hhctrl.html", "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", + "https://persistence-info.github.io/Data/hhctrl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" ], "tags": [ @@ -21398,8 +21422,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], @@ -21458,8 +21482,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" ], @@ -21584,8 +21608,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], @@ -21686,9 +21710,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -21722,8 +21746,8 @@ "logsource.product": "windows", "refs": [ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ @@ -21764,10 +21788,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml" ], "tags": [ @@ -21800,12 +21824,12 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", - "https://www.attackiq.com/2023/09/20/emulating-rhysida/", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", + "https://www.attackiq.com/2023/09/20/emulating-rhysida/", + "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml" ], "tags": [ @@ -21881,9 +21905,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml" ], "tags": [ @@ -21916,9 +21940,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", + "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], "tags": [ @@ -22017,10 +22041,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", "https://twitter.com/jamieantisocial/status/1304520651248668673", "https://www.sans.org/cyber-security-summit/archives", "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", - "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ @@ -22281,8 +22305,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", + "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml" ], "tags": [ @@ -22382,8 +22406,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/inversecos/status/1494174785621819397", "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", + "https://twitter.com/inversecos/status/1494174785621819397", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml" ], @@ -22545,8 +22569,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" ], "tags": [ @@ -22579,8 +22603,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" ], "tags": [ @@ -22614,8 +22638,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/pabraeken/status/998627081360695297", - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://twitter.com/VakninHai/status/1517027824984547329", + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ @@ -22808,9 +22832,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], @@ -22877,8 +22901,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://unit42.paloaltonetworks.com/ransomware-families/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" ], @@ -22910,8 +22934,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml" ], "tags": [ @@ -22940,9 +22964,9 @@ "value": "Adwind RAT / JRAT - Registry" }, { - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "description": "Detects the setting of the environement variable \"windir\" to a non default value.\nAttackers often abuse this variable in order to trigger a UAC bypass via the \"SilentCleanup\" task.\nThe SilentCleanup task located in %windir%\\system32\\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.\n", "meta": { - "author": "frack113", + "author": "frack113, Nextron Systems", "creation_date": "2022/01/06", "falsepositive": [ "Unknown" @@ -22952,8 +22976,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", + "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" ], "tags": [ @@ -22987,8 +23012,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", "https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior", + "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml" ], "tags": [ @@ -23079,10 +23104,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", - "https://github.com/elastic/detection-rules/issues/1371", "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://github.com/elastic/detection-rules/issues/1371", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", + "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ @@ -23191,9 +23216,9 @@ "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", "https://twitter.com/nas_bench/status/1626648985824788480", - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" ], "tags": [ @@ -23260,9 +23285,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ @@ -23285,17 +23310,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ @@ -23370,8 +23395,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" ], @@ -23405,8 +23430,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" ], "tags": [ @@ -23472,11 +23497,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", + "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], "tags": [ @@ -23543,10 +23568,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://persistence-info.github.io/Data/ifilters.html", "https://twitter.com/0gtweet/status/1468548924600459267", - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ @@ -23627,8 +23652,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" ], "tags": [ @@ -23733,8 +23758,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/dez_/status/986614411711442944", - "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", + "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" ], "tags": [ @@ -23938,9 +23963,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", - "https://twitter.com/HunterPlaybook/status/1301207718355759107", "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", + "https://twitter.com/HunterPlaybook/status/1301207718355759107", + "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" ], "tags": [ @@ -24020,9 +24045,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://github.com/bohops/WSMan-WinRM", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", - "https://github.com/bohops/WSMan-WinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ @@ -24538,9 +24563,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion", - "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true", "https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql", + "https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true", + "https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_unsigned_dll.yml" ], "tags": [ @@ -24699,12 +24724,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/Wh04m1001/SysmonEoP", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", - "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", - "https://github.com/Wh04m1001/SysmonEoP", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -24790,8 +24815,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", "Internal Research", + "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml" ], "tags": [ @@ -24856,8 +24881,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", + "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ @@ -24900,8 +24925,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/", "https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/", + "https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml" ], "tags": [ @@ -25009,8 +25034,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/gabe-k/themebleed", "Internal Research", + "https://github.com/gabe-k/themebleed", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_remote_share_load.yml" ], "tags": [ @@ -25086,10 +25111,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", - "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", - "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/", "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/", + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://hijacklibs.net/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], @@ -25720,8 +25745,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://www.py2exe.org/", + "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" ], "tags": [ @@ -25903,10 +25928,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://thewover.github.io/Introducing-Donut/", - "https://github.com/tyranid/DotNetToJScript", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://github.com/tyranid/DotNetToJScript", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ @@ -26061,9 +26086,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://twitter.com/WhichbufferArda/status/1658829954182774784", "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://securelist.com/apt-luminousmoth/103332/", - "https://twitter.com/WhichbufferArda/status/1658829954182774784", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], "tags": [ @@ -26105,8 +26130,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", "https://twitter.com/tifkin_/status/1321916444557365248", + "https://twitter.com/rbmaslen/status/1321859647091970051", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml" ], "tags": [ @@ -26139,8 +26164,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/mattifestation/status/1196390321783025666", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml" ], @@ -26270,9 +26295,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://twitter.com/StopMalvertisin/status/1648604148848549888", "https://www.roboform.com/", + "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml" ], "tags": [ @@ -26664,8 +26689,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_shell_chrome_api.yml" ], "tags": [ @@ -27127,8 +27152,8 @@ "refs": [ "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://github.com/S12cybersecurity/RDPCredentialStealer", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml" ], "tags": [ @@ -27204,6 +27229,9 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected", + "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected", + "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml" ], "tags": [ @@ -27271,9 +27299,9 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ + "https://nmap.org/ncat/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/besimorhino/powercat", - "https://nmap.org/ncat/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ @@ -27493,8 +27521,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" ], "tags": [ @@ -27593,8 +27621,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml" ], "tags": [ @@ -27693,8 +27721,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -27873,8 +27901,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", - "https://github.com/samratashok/ADModule", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], "tags": [ @@ -27899,8 +27927,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" ], "tags": [ @@ -28117,8 +28145,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" ], "tags": [ @@ -28226,24 +28254,24 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/besimorhino/powercat", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/calebstewart/CVE-2021-1675", - "https://adsecurity.org/?p=2921", - "https://github.com/adrecon/AzureADRecon", + "https://github.com/samratashok/nishang", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/Kevin-Robertson/Powermad", + "https://adsecurity.org/?p=2921", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/samratashok/nishang", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/HarmJ0y/DAMP", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/besimorhino/powercat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ @@ -28492,6 +28520,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" ], "tags": [ @@ -28598,7 +28628,7 @@ { "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", "meta": { - "author": "frack113, Nasreddine Bencherchali", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/01/23", "falsepositive": [ "Unknown" @@ -28608,23 +28638,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/besimorhino/powercat", + "https://github.com/samratashok/nishang", + "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/NetSPI/PowerUpSQL", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/samratashok/nishang", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/besimorhino/powercat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -28657,6 +28687,7 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml" ], "tags": [ @@ -28806,6 +28837,7 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml" ], "tags": [ @@ -28872,8 +28904,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -28981,8 +29013,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml" ], "tags": [ @@ -29048,8 +29080,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", + "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml" ], "tags": [ @@ -29139,8 +29171,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -29281,8 +29313,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ @@ -29381,8 +29413,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], @@ -29449,8 +29481,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", + "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], @@ -29484,8 +29516,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://techgenix.com/malicious-powershell-scripts-evade-detection/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", + "https://techgenix.com/malicious-powershell-scripts-evade-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ @@ -29603,8 +29635,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", - "https://adsecurity.org/?p=2277", "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://adsecurity.org/?p=2277", "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], @@ -29714,8 +29746,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", - "https://www.ietf.org/rfc/rfc2821.txt", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", + "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], "tags": [ @@ -29748,9 +29780,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -29818,8 +29850,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ @@ -29854,6 +29886,7 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml" ], "tags": [ @@ -29952,11 +29985,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://woshub.com/manage-windows-firewall-powershell/", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -29989,8 +30022,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", + "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" ], "tags": [ @@ -30146,10 +30179,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -30305,8 +30338,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", + "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" ], "tags": [ @@ -30372,10 +30405,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", - "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" ], @@ -30469,8 +30502,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://www.powershellgallery.com/packages/DSInternals", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ @@ -30546,8 +30579,8 @@ "logsource.product": "windows", "refs": [ "https://adsecurity.org/?p=2604", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -30613,8 +30646,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" ], "tags": [ @@ -30988,6 +31021,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0", + "https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" ], "tags": [ @@ -31020,8 +31055,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://t.co/ezOTGy1a1G", "https://twitter.com/JohnLaTwC/status/850381440629981184", + "https://t.co/ezOTGy1a1G", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" ], "tags": [ @@ -31289,8 +31324,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", - "https://github.com/samratashok/ADModule", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], "tags": [ @@ -31350,8 +31385,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" ], "tags": [ @@ -31546,8 +31581,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", + "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ @@ -31854,8 +31889,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ @@ -31964,8 +31999,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" ], "tags": [ @@ -32099,8 +32134,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" ], "tags": [ @@ -32133,8 +32168,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" ], "tags": [ @@ -32168,8 +32203,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/datasources/DS0005/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://attack.mitre.org/datasources/DS0005/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ @@ -32417,9 +32452,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ @@ -32555,8 +32590,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" ], "tags": [ @@ -32690,8 +32725,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" ], "tags": [ @@ -32758,8 +32793,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" ], "tags": [ @@ -32784,7 +32819,7 @@ { "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/28", "falsepositive": [ "Mimikatz can be useful for testing the security of networks" @@ -32827,8 +32862,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1537919885031772161", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://twitter.com/nas_bench/status/1537919885031772161", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" ], "tags": [ @@ -33047,10 +33082,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", + "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", - "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -33116,8 +33151,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" ], @@ -33141,8 +33176,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" ], "tags": [ @@ -33384,8 +33419,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml" ], "tags": [ @@ -33418,10 +33453,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", - "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://twitter.com/ScumBots/status/1610626724257046529", + "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", + "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -33555,8 +33590,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" ], "tags": [ @@ -33576,47 +33611,6 @@ "uuid": "3c7d1587-3b13-439f-9941-7d14313dbdfe", "value": "Potential COM Objects Download Cradles Usage - PS Script" }, - { - "description": "Dnscat exfiltration tool execution", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" - ], - "filename": "posh_ps_dnscat_execution.yml", - "level": "critical", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048", - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a6d67db4-6220-436d-8afc-f3842fe05d43", - "value": "Dnscat Execution" - }, { "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "meta": { @@ -33630,24 +33624,24 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/besimorhino/powercat", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/calebstewart/CVE-2021-1675", - "https://adsecurity.org/?p=2921", - "https://github.com/adrecon/AzureADRecon", + "https://github.com/samratashok/nishang", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/Kevin-Robertson/Powermad", + "https://adsecurity.org/?p=2921", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/samratashok/nishang", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/HarmJ0y/DAMP", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/besimorhino/powercat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -33779,8 +33773,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", + "https://www.shellhacks.com/clear-history-powershell/", "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], @@ -33907,6 +33901,7 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml" ], "tags": [ @@ -33929,7 +33924,7 @@ { "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/16", "falsepositive": [ "Unknown" @@ -34157,8 +34152,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Arno0x/DNSExfiltrator", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", + "https://github.com/Arno0x/DNSExfiltrator", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" ], "tags": [ @@ -34325,8 +34320,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" ], "tags": [ @@ -34392,8 +34387,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" ], "tags": [ @@ -34599,9 +34594,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml" ], "tags": [ @@ -34734,8 +34729,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io", "Personal research, statistical analysis", + "https://lolbas-project.github.io", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml" ], "tags": [ @@ -34792,8 +34787,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io", "Personal research, statistical analysis", + "https://lolbas-project.github.io", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml" ], "tags": [ @@ -34870,8 +34865,8 @@ "logsource.product": "windows", "refs": [ "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", - "https://github.com/denandz/KeeFarce", "https://github.com/GhostPack/KeeThief", + "https://github.com/denandz/KeeFarce", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml" ], "tags": [ @@ -35038,8 +35033,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/mdsecactivebreach/CACTUSTORCH", + "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml" ], "tags": [ @@ -35173,6 +35168,7 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_susp_temp_use.yml" ], "tags": [ @@ -35239,8 +35235,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://systeminformer.sourceforge.io/", "https://github.com/winsiderss/systeminformer", + "https://systeminformer.sourceforge.io/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml" ], "tags": [ @@ -35461,74 +35457,6 @@ "uuid": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "value": "Vulnerable Driver Load" }, - { - "description": "Detects a PowerShell process that initiates network connections. Check for suspicious target ports and target systems.", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2017/03/13", - "falsepositive": [ - "Administrative scripts", - "Microsoft IP range", - "Additional filters are required. Adjust to your environment (e.g. extend filters with company's ip range')" - ], - "filename": "net_connection_win_powershell_network_connection.yml", - "level": "low", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://www.youtube.com/watch?v=DLtJTxMWZ2o", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1f21ec3f-810d-4b0e-8045-322202e22b4b", - "value": "PowerShell Initiated Network Connection" - }, - { - "description": "Detects network connections from \"dfsvc.exe\" used to handled ClickOnce applications to uncommon ports", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/06/12", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_dfsvc_uncommon_ports.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203" - ] - }, - "related": [ - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4c5fba4a-9ef6-4f16-823d-606246054741", - "value": "Dfsvc.EXE Network Connection To Uncommon Ports" - }, { "description": "Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "meta": { @@ -35542,8 +35470,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://cydefops.com/vscode-data-exfiltration", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml" ], @@ -35565,7 +35493,7 @@ "value": "Network Connection Initiated To Visual Studio Code Tunnels Domain" }, { - "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", + "description": "Detects a network connection initiated by the certutil.exe utility.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", "meta": { "author": "frack113, Florian Roth (Nextron Systems)", "creation_date": "2022/09/02", @@ -35598,7 +35526,7 @@ "value": "Connection Initiated Via Certutil.EXE" }, { - "description": "Detects network connections made by the Add-In deployment cache updating utility (AddInutil.exe), which could indicate command and control communication.", + "description": "Detects a network connection initiated by the Add-In deployment cache updating utility \"AddInutil.exe\".\nThis could indicate a potential command and control communication as this tool doesn't usually initiate network activity.\n", "meta": { "author": "Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)", "creation_date": "2023/09/18", @@ -35636,7 +35564,7 @@ "author": "frack113", "creation_date": "2021/12/10", "falsepositive": [ - "Legitimate python script" + "Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying." ], "filename": "net_connection_win_python.yml", "level": "medium", @@ -35665,64 +35593,47 @@ "value": "Python Initiated Connection" }, { - "description": "Detects suspicious network connection by Notepad", + "description": "Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.\nThis could potentially indicates a remote PowerShell connection.\n", "meta": { - "author": "EagleEye Team", - "creation_date": "2020/05/14", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/09/12", "falsepositive": [ - "Unknown" + "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", + "Network Service user name of a not-covered localization" ], - "filename": "net_connection_win_notepad_network_connection.yml", + "filename": "net_connection_win_susp_remote_powershell_session.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", - "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml" + "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml" ], "tags": [ - "attack.command_and_control", "attack.execution", - "attack.defense_evasion", - "attack.t1055" + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" ] }, "related": [ { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b", - "value": "Notepad Making Network Connection" - }, - { - "description": "Detects office suit applications communicating to target systems on uncommon ports", - "meta": { - "author": "X__Junior (Nextron Systems)", - "creation_date": "2023/07/12", - "falsepositive": [ - "Other ports can be used, apply additional filters accordingly" - ], - "filename": "net_connection_win_office_susp_ports.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_susp_ports.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control" - ] - }, - "uuid": "3b5ba899-9842-4bc2-acc2-12308498bf42", - "value": "Suspicious Office Outbound Connections" + "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "value": "Potential Remote PowerShell Session Initiated" }, { "description": "Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses", @@ -35759,49 +35670,6 @@ "uuid": "7610a4ea-c06d-495f-a2ac-0a696abcfd3b", "value": "Outbound Network Connection To Public IP Via Winlogon" }, - { - "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "meta": { - "author": "Sorina Ionescu, X__Junior (Nextron Systems)", - "creation_date": "2022/08/17", - "falsepositive": [ - "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." - ], - "filename": "net_connection_win_dead_drop_resolvers.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://content.fireeye.com/apt-41/rpt-apt41", - "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" - ] - }, - "related": [ - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", - "value": "Potential Dead Drop Resolvers" - }, { "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.", "meta": { @@ -35858,40 +35726,6 @@ "uuid": "20384606-a124-4fec-acbb-8bd373728613", "value": "Suspicious Network Connection Binary No CommandLine" }, - { - "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/10/05", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_hh.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.001" - ] - }, - "related": [ - { - "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "468a8cea-2920-4909-a593-0cbe1d96674a", - "value": "HH.EXE Network Connections" - }, { "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", "meta": { @@ -35960,7 +35794,31 @@ "value": "Rundll32 Internet Connection" }, { - "description": "Detects network connections initiated by Regsvr32.exe", + "description": "Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.", + "meta": { + "author": "X__Junior (Nextron Systems)", + "creation_date": "2023/07/12", + "falsepositive": [ + "Other ports can be used, apply additional filters accordingly" + ], + "filename": "net_connection_win_office_uncommon_ports.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control" + ] + }, + "uuid": "3b5ba899-9842-4bc2-acc2-12308498bf42", + "value": "Office Application Initiated Network Connection Over Uncommon Ports" + }, + { + "description": "Detects a network connection initiated by \"Regsvr32.exe\"", "meta": { "author": "Dmitriy Lifanov, oscd.community", "creation_date": "2019/10/25", @@ -35972,8 +35830,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" ], "tags": [ @@ -36002,49 +35860,6 @@ "uuid": "c7e91a02-d771-4a6d-a700-42587e0b1095", "value": "Network Connection Initiated By Regsvr32.EXE" }, - { - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/09/12", - "falsepositive": [ - "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", - "Network Service user name of a not-covered localization" - ], - "filename": "net_connection_win_remote_powershell_session_network.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "value": "Remote PowerShell Session (Network)" - }, { "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", "meta": { @@ -36100,8 +35915,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" ], "tags": [ @@ -36131,41 +35946,6 @@ "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "value": "RDP to HTTP or HTTPS Target Ports" }, - { - "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", - "meta": { - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", - "creation_date": "2021/11/10", - "falsepositive": [ - "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", - "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", - "It is highly recommended to baseline your activity and tune out common business use cases." - ], - "filename": "net_connection_win_excel_outbound_network_connection.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://corelight.com/blog/detecting-cve-2021-42292", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203" - ] - }, - "related": [ - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", - "value": "Excel Network Connections" - }, { "description": "Detects programs that connect to uncommon destination ports", "meta": { @@ -36234,112 +36014,6 @@ "uuid": "9976fa64-2804-423c-8a5b-646ade840773", "value": "Suspicious Outbound SMTP Connections" }, - { - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "meta": { - "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2018/08/30", - "falsepositive": [ - "Unknown", - "@subTee in your network" - ], - "filename": "net_connection_win_binary_susp_com.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/M_haggis/status/1032799638213066752", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://twitter.com/M_haggis/status/900741347035889665", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1105" - ] - }, - "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", - "value": "Microsoft Binary Suspicious Communication Endpoint" - }, - { - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/11/03", - "falsepositive": [ - "Legitimate use of ngrok" - ], - "filename": "net_connection_win_ngrok_tunnel.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" - ] - }, - "related": [ - { - "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1d08ac94-400d-4469-a82f-daee9a908849", - "value": "Communication To Ngrok Tunneling Service" - }, { "description": "Detects initiated network connections to crypto mining pools", "meta": { @@ -36348,15 +36022,15 @@ "falsepositive": [ "Unlikely" ], - "filename": "net_connection_win_crypto_mining_pools.yml", + "filename": "net_connection_win_susp_crypto_mining_pools.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt", - "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files", "https://www.poolwatch.io/coin/monero", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml" + "https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files", + "https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_crypto_mining_pools.yml" ], "tags": [ "attack.impact", @@ -36375,6 +36049,41 @@ "uuid": "fa5b1358-b040-4403-9868-15f7d9ab6329", "value": "Network Communication With Crypto Mining Pool" }, + { + "description": "Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.\nThis rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.\nThis rule will require an initial baseline and tuning that is specific to your organization.\n", + "meta": { + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton", + "creation_date": "2021/11/10", + "falsepositive": [ + "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", + "Office documents commonly have templates that refer to external addresses, like \"sharepoint.ourcompany.com\" may have to be tuned.", + "It is highly recommended to baseline your activity and tune out common business use cases." + ], + "filename": "net_connection_win_office_outbound_non_local_ip.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://corelight.com/blog/detecting-cve-2021-42292", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203" + ] + }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", + "value": "Office Application Initiated Network Connection To Non-Local IP" + }, { "description": "Detects a possible remote connections to Silenttrinity c2", "meta": { @@ -36432,7 +36141,7 @@ "value": "Suspicious Epmap Connection" }, { - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", + "description": "Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.\nAn initial baseline is required before using this utility to exclude third party RDP tooling that you might use.\n", "meta": { "author": "Markus Neis", "creation_date": "2019/05/15", @@ -36466,41 +36175,28 @@ "value": "Outbound RDP Connections Over Non-Standard Tools" }, { - "description": "Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)", + "description": "Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\nThis might indicate potential process injection activity from a beacon or similar mechanisms.\n", "meta": { - "author": "Gavin Knapp", - "creation_date": "2023/05/01", + "author": "X__Junior (Nextron Systems)", + "creation_date": "2023/07/12", "falsepositive": [ - "Legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning." + "Other ports can be used, apply additional filters accordingly" ], - "filename": "net_connection_win_google_api_non_browser_access.yml", + "filename": "net_connection_win_wordpad_uncommon_ports.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/looCiprian/GC2-sheet", - "https://youtu.be/n2dFlSaBBKo", - "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", - "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", - "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml" + "https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1102" + "attack.defense_evasion", + "attack.command_and_control" ] }, - "related": [ - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7e9cf7b6-e827-11ed-a05b-0242ac120003", - "value": "Suspicious Non-Browser Network Communication With Google API" + "uuid": "786cdae8-fefb-4eb2-9227-04e34060db01", + "value": "Suspicious Wordpad Outbound Connections" }, { "description": "Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", @@ -36510,15 +36206,15 @@ "falsepositive": [ "Legitimate use of Devtunnels will also trigger this." ], - "filename": "net_connection_win_devtunnel_connection.yml", + "filename": "net_connection_win_susp_devtunnel_connection.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://cydefops.com/devtunnels-unleashed", + "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml" ], "tags": [ "attack.exfiltration", @@ -36645,6 +36341,40 @@ "uuid": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", "value": "Suspicious Outbound Kerberos Connection" }, + { + "description": "Detects an initiated network connection by \"Msiexec.exe\" over port 80 or 443.\nAdversaries might abuse \"msiexec.exe\" to install and execute remotely hosted packages.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/16", + "falsepositive": [ + "Some rare installers were seen communicating with external servers for additional information. While its a very rare occurrence in some environments an initial baseline might be required." + ], + "filename": "net_connection_win_msiexec_http.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec_http.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ] + }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", + "value": "Msiexec.EXE Initiated Network Connection Over HTTP" + }, { "description": "Detects programs with network connections running in suspicious files system locations", "meta": { @@ -36678,42 +36408,6 @@ "uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f", "value": "Suspicious Program Location with Network Connections" }, - { - "description": "Detects an executable accessing ngrok domains, which could be a sign of forbidden data exfiltration by malicious actors", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/07/16", - "falsepositive": [ - "Legitimate use of ngrok domains" - ], - "filename": "net_connection_win_ngrok_domains.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", - "https://ngrok.com/", - "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", - "https://ngrok.com/blog-post/new-ngrok-domains", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_domains.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.001" - ] - }, - "related": [ - { - "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "18249279-932f-45e2-b37a-8925f2597670", - "value": "Communication To Ngrok Domains" - }, { "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", "meta": { @@ -36727,7 +36421,7 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1096148422984384514", + "https://twitter.com/cyb3rops/status/1096842275437625346", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml" ], "tags": [ @@ -36757,41 +36451,6 @@ "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "value": "RDP Over Reverse SSH Tunnel" }, - { - "description": "Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2", - "meta": { - "author": "Gavin Knapp", - "creation_date": "2023/02/16", - "falsepositive": [ - "Legitimate applications communicating with the Reddit API e.g. web browsers not in the exclusion list, app with an RSS etc." - ], - "filename": "net_connection_win_reddit_api_non_browser_access.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/kleiton0x7e/status/1600567316810551296", - "https://github.com/kleiton0x00/RedditC2", - "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1102" - ] - }, - "related": [ - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d7b09985-95a3-44be-8450-b6eadf49833e", - "value": "Suspicious Non-Browser Network Communication With Reddit API" - }, { "description": "Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as \"OffensiveNotion C2\"", "meta": { @@ -36805,8 +36464,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332", "https://github.com/mttaggart/OffensiveNotion", + "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml" ], "tags": [ @@ -36827,7 +36486,80 @@ "value": "Potentially Suspicious Network Connection To Notion API" }, { - "description": "Detects network connections initiated by IMEWDBLD. This might indicate potential abuse to download arbitrary files via this utility", + "description": "Detects a network connection that is initiated by the \"notepad.exe\" process.\nThis might be a sign of process injection from a beacon process or something similar.\nNotepad rarely initiates a network communication except when printing documents for example.\n", + "meta": { + "author": "EagleEye Team", + "creation_date": "2020/05/14", + "falsepositive": [ + "Printing documents via notepad might cause communication with the printer via port 9100 or similar." + ], + "filename": "net_connection_win_notepad.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet", + "https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.execution", + "attack.defense_evasion", + "attack.t1055" + ] + }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "value": "Network Connection Initiated Via Notepad.EXE" + }, + { + "description": "Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)\n", + "meta": { + "author": "Gavin Knapp", + "creation_date": "2023/05/01", + "falsepositive": [ + "Legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning." + ], + "filename": "net_connection_win_susp_google_api_non_browser_access.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", + "https://github.com/looCiprian/GC2-sheet", + "https://youtu.be/n2dFlSaBBKo", + "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", + "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1102" + ] + }, + "related": [ + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7e9cf7b6-e827-11ed-a05b-0242ac120003", + "value": "Suspicious Non-Browser Network Communication With Google API" + }, + { + "description": "Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.\n", "meta": { "author": "frack113", "creation_date": "2022/01/22", @@ -36839,8 +36571,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" ], "tags": [ @@ -36861,21 +36593,55 @@ "value": "Network Connection Initiated By IMEWDBLD.EXE" }, { - "description": "Detects Dllhost that communicates with public IP addresses", + "description": "Detects a network connection initiated by a binary to \"api.mega.co.nz\".\nAttackers were seen abusing file sharing websites similar to \"mega.nz\" in order to upload/download additional payloads.\n", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2021/12/06", + "falsepositive": [ + "Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool." + ], + "filename": "net_connection_win_domain_mega_nz.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://megatools.megous.com/", + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.001" + ] + }, + "related": [ + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", + "value": "Network Connection Initiated To Mega.nz" + }, + { + "description": "Detects dllhost initiating a network connection to a non-local IP address.\nAside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.\nAn initial baseline is recommended before deployment.\n", "meta": { "author": "bartblaze", "creation_date": "2020/07/13", "falsepositive": [ "Communication to other corporate systems that use IP addresses from public address spaces" ], - "filename": "net_connection_win_dllhost_net_connections.yml", + "filename": "net_connection_win_dllhost_non_local_ip.yml", "level": "medium", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml" + "https://redcanary.com/blog/child-processes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml" ], "tags": [ "attack.defense_evasion", @@ -36901,7 +36667,7 @@ } ], "uuid": "cfed2f44-16df-4bf3-833a-79405198b277", - "value": "Dllhost Internet Connection" + "value": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address" }, { "description": "Detects suspicious network connection by Cmstp", @@ -36942,7 +36708,7 @@ "author": "Max Altgelt (Nextron Systems)", "creation_date": "2022/04/14", "falsepositive": [ - "Unknown" + "Unlikely" ], "filename": "net_connection_win_eqnedt.yml", "level": "high", @@ -37017,10 +36783,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml" ], "tags": [ @@ -37040,6 +36806,74 @@ "uuid": "edf3485d-dac4-4d50-90e4-b0e5813f7e60", "value": "Suspicious Network Connection to IP Lookup Service APIs" }, + { + "description": "Detects an executable initiating a network connection to \"ngrok\" tunneling domains.\nAttackers were seen using this \"ngrok\" in order to store their second stage payloads and malware.\nWhile communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.\n", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/11/03", + "falsepositive": [ + "Legitimate use of the ngrok service." + ], + "filename": "net_connection_win_domain_ngrok_tunnel.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" + ] + }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1d08ac94-400d-4469-a82f-daee9a908849", + "value": "Communication To Ngrok Tunneling Service Initiated" + }, { "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", "meta": { @@ -37053,8 +36887,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", + "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" ], "tags": [ @@ -37075,21 +36909,23 @@ "value": "Suspicious Dropbox API Usage" }, { - "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "description": "Detects an executable initiating a network connection to \"ngrok\" domains.\nAttackers were seen using this \"ngrok\" in order to store their second stage payloads and malware.\nWhile communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.\n", "meta": { "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/12/06", + "creation_date": "2022/07/16", "falsepositive": [ - "Legitimate use of mega.nz uploaders and tools" + "Legitimate use of the ngrok service." ], - "filename": "net_connection_win_mega_nz.yml", + "filename": "net_connection_win_domain_ngrok.yml", "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/russian-targeting-gov-business", - "https://megatools.megous.com/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" + "https://ngrok.com/blog-post/new-ngrok-domains", + "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", + "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", + "https://ngrok.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_domain_ngrok.yml" ], "tags": [ "attack.exfiltration", @@ -37105,42 +36941,92 @@ "type": "related-to" } ], - "uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "value": "Communication To Mega.nz" + "uuid": "18249279-932f-45e2-b37a-8925f2597670", + "value": "Process Initiated Network Connection To Ngrok Domain" }, { - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "description": "Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.\nIn this context attackers leverage known websites such as \"facebook\", \"youtube\", etc. In order to pass through undetected.\n", "meta": { - "author": "frack113", - "creation_date": "2022/01/16", + "author": "Sorina Ionescu, X__Junior (Nextron Systems)", + "creation_date": "2022/08/17", "falsepositive": [ - "Legitimate msiexec over networks" + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.", + "Ninite contacting githubusercontent.com" ], - "filename": "net_connection_win_msiexec.yml", - "level": "medium", + "filename": "net_connection_win_susp_dead_drop_resolvers.yml", + "level": "high", "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml" + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", + "https://github.com/kleiton0x00/RedditC2", + "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", + "https://twitter.com/kleiton0x7e/status/1600567316810551296", + "https://content.fireeye.com/apt-41/rpt-apt41", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dead_drop_resolvers.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" ] }, "related": [ { - "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", - "value": "Msiexec Initiated Connection" + "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "value": "Potential Dead Drop Resolvers" + }, + { + "description": "Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.", + "meta": { + "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2018/08/30", + "falsepositive": [ + "Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule." + ], + "filename": "net_connection_win_susp_file_sharing_domains_susp_folders.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/M_haggis/status/900741347035889665", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "value": "Microsoft Binary Suspicious Communication Endpoint" }, { "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", @@ -37168,6 +37054,41 @@ "uuid": "07a99744-56ac-40d2-97b7-2095967b0e03", "value": "Potential Privilege Escalation Attempt Via .Exe.Local Technique" }, + { + "description": "Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.\nThese files are used by the \"iexpress.exe\" utility in order to create self extracting packages.\nAttackers were seen abusing this utility and creating PE files with embedded \".sed\" entries.\n", + "meta": { + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", + "creation_date": "2024/02/05", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_sed_file_creation.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://en.wikipedia.org/wiki/IExpress", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "760e75d8-c3b5-409b-a9bf-6130b4c4603f", + "value": "Self Extraction Directive File Created In Potentially Suspicious Location" + }, { "description": "Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.", "meta": { @@ -37181,12 +37102,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/helpsystems/nanodump", - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://www.google.com/search?q=procdump+lsass", - "https://github.com/CCob/MirrorDump", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://www.google.com/search?q=procdump+lsass", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://github.com/helpsystems/nanodump", + "https://github.com/CCob/MirrorDump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml" ], "tags": [ @@ -37219,9 +37140,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" ], "tags": [ @@ -37320,10 +37241,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://github.com/GossiTheDog/HiveNightmare", "https://twitter.com/cube0x0/status/1418920190759378944", "https://github.com/FireFart/hivenightmare/", - "https://github.com/GossiTheDog/HiveNightmare", - "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], "tags": [ @@ -37357,8 +37278,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml" ], "tags": [ @@ -37382,8 +37303,8 @@ "logsource.product": "windows", "refs": [ "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" ], "tags": [ @@ -37433,11 +37354,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/luc4m/status/1073181154126254080", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -37503,8 +37424,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://twitter.com/0gtweet/status/1465282548494487554", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" ], "tags": [ @@ -37617,8 +37538,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml" ], "tags": [ @@ -37642,11 +37563,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", - "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://twitter.com/MaD_c4t/status/1623414582382567424", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://labs.withsecure.com/publications/detecting-onenote-abuse", + "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], @@ -37670,9 +37591,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://pentestlab.blog/tag/ntds-dit/", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], @@ -37741,8 +37662,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://aboutdfir.com/the-key-to-identify-psexec/", "https://twitter.com/davisrichardg/status/1616518800584704028", + "https://aboutdfir.com/the-key-to-identify-psexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml" ], "tags": [ @@ -37819,11 +37740,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/luc4m/status/1073181154126254080", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -37889,10 +37810,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", - "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", + "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks", "https://github.com/Yaxser/Backstab", + "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml" ], "tags": [ @@ -38100,9 +38021,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "Internal Research", "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", - "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], "tags": [ @@ -38201,9 +38122,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", - "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", + "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", + "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", "http://addbalance.com/word/startup.htm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" ], @@ -38283,8 +38204,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae", "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/", + "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml" ], "tags": [ @@ -38317,8 +38238,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", "http://www.irongeek.com/homoglyph-attack-generator.php", + "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml" ], "tags": [ @@ -38430,10 +38351,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", - "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", + "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", + "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" ], "tags": [ @@ -38825,11 +38746,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://twitter.com/pfiatde/status/1681977680688738305", + "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", - "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", + "https://twitter.com/pfiatde/status/1681977680688738305", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -38863,10 +38784,10 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ @@ -38933,26 +38854,26 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/adrecon/AzureADRecon", "https://github.com/besimorhino/powercat", - "https://github.com/HarmJ0y/DAMP", + "https://github.com/samratashok/nishang", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/nettitude/Invoke-PowerThIEf", "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/NetSPI/PowerUpSQL", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/PowerShellMafia/PowerSploit", "https://github.com/adrecon/ADRecon", - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/samratashok/nishang", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -39128,8 +39049,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "Internal Research", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml" ], "tags": [ @@ -39162,8 +39083,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", "https://twitter.com/tifkin_/status/1321916444557365248", + "https://twitter.com/rbmaslen/status/1321859647091970051", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" ], "tags": [ @@ -39184,7 +39105,7 @@ "value": "PCRE.NET Package Temp Files" }, { - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", "meta": { "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2020/05/26", @@ -39197,6 +39118,7 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml" ], "tags": [ @@ -39689,9 +39611,9 @@ "logsource.product": "windows", "refs": [ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", - "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ @@ -39724,8 +39646,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml" ], @@ -39759,8 +39681,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", + "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], @@ -39818,8 +39740,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" ], "tags": [ @@ -39860,8 +39782,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml" ], "tags": [ @@ -39894,8 +39816,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" ], "tags": [ @@ -39995,8 +39917,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://cobalt.io/blog/kerberoast-attack-techniques", "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", + "https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" ], "tags": [ @@ -40052,8 +39974,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", + "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" ], "tags": [ @@ -40577,8 +40499,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml" ], "tags": [ @@ -40601,11 +40523,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/search?q=CVE-2021-36934", "https://github.com/HuskyHacks/ShadowSteal", "https://www.google.com/search?q=%22reg.exe+save%22+sam", - "https://github.com/cube0x0/CVE-2021-36934", + "https://github.com/search?q=CVE-2021-36934", "https://github.com/FireFart/hivenightmare", + "https://github.com/cube0x0/CVE-2021-36934", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -40967,8 +40889,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", + "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" ], "tags": [ @@ -41059,8 +40981,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml" ], "tags": [ @@ -41093,6 +41015,7 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml" ], "tags": [ @@ -41125,8 +41048,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", + "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml" ], "tags": [ @@ -41308,8 +41231,8 @@ "logsource.product": "windows", "refs": [ "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], @@ -41466,8 +41389,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml" ], "tags": [ @@ -41490,8 +41413,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://twitter.com/Sam0x90/status/1552011547974696960", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], @@ -41626,10 +41549,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", - "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", - "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", + "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", + "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" ], "tags": [ @@ -41662,8 +41585,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "PT ESC rule and personal experience", "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md", + "PT ESC rule and personal experience", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" ], "tags": [ @@ -41696,8 +41619,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://www.joesandbox.com/analysis/465533/0/html", + "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" ], "tags": [ @@ -41974,12 +41897,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/Wh04m1001/SysmonEoP", "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", - "https://github.com/Wh04m1001/SysmonEoP", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -42064,8 +41987,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "Internal Research", + "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml" ], "tags": [ @@ -42122,8 +42045,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://twitter.com/cyb3rops/status/1552932770464292864", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" ], "tags": [ @@ -42192,8 +42115,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", + "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -42213,6 +42136,41 @@ "uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99", "value": "Suspicious Appended Extension" }, + { + "description": "Detects the creation of a binary file with the \".sed\" extension. The \".sed\" extension stand for Self Extraction Directive files.\nThese files are used by the \"iexpress.exe\" utility in order to create self extracting packages.\nAttackers were seen abusing this utility and creating PE files with embedded \".sed\" entries.\nUsually \".sed\" files are simple ini files and not PE binaries.\n", + "meta": { + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk", + "creation_date": "2024/02/05", + "falsepositive": [ + "Unknown" + ], + "filename": "file_executable_detected_win_susp_embeded_sed_file.yml", + "level": "medium", + "logsource.category": "file_executable_detected", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://en.wikipedia.org/wiki/IExpress", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ab90dab8-c7da-4010-9193-563528cfa347", + "value": "Potentially Suspicious Self Extraction Directive File Created" + }, { "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", "meta": { @@ -42464,8 +42422,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://linuxhint.com/view-tomcat-logs-windows/", "Internal Research", + "https://linuxhint.com/view-tomcat-logs-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml" ], "tags": [ @@ -42498,6 +42456,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ + "Internal Research", + "https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" ], "tags": [ @@ -42563,8 +42523,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/", "Internal Research", + "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml" ], "tags": [ @@ -42587,7 +42547,7 @@ { "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { - "author": "Tim Rauch (Nextron Systems)", + "author": "Tim Rauch (Nextron Systems), Elastic (idea)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -42666,8 +42626,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", "https://github.com/lclevy/firepwd", + "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml" ], "tags": [ @@ -42700,8 +42660,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", + "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" ], "tags": [ @@ -42734,8 +42694,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_access.yml" ], "tags": [ @@ -42768,8 +42728,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", "https://www.passcape.com/windows_password_recovery_dpapi_credhist", + "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" ], "tags": [ @@ -42825,7 +42785,7 @@ { "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { - "author": "Tim Rauch (Nextron Systems)", + "author": "Tim Rauch (Nextron Systems), Elastic (idea)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -42901,10 +42861,10 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/misbehaving-rats/", - "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", + "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml" ], @@ -42972,8 +42932,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/neonprimetime/status/1436376497980428318", - "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml" ], "tags": [ @@ -43006,8 +42966,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://cydefops.com/vscode-data-exfiltration", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml" ], @@ -43074,8 +43034,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04", "https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml" ], "tags": [ @@ -43242,8 +43202,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", "https://twitter.com/notwhickey/status/1333900137232523264", + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_appinstaller.yml" ], "tags": [ @@ -43276,8 +43236,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "Internal Research", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_cloudflared_communication.yml" ], "tags": [ @@ -43310,8 +43270,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml" ], "tags": [ @@ -43386,8 +43346,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://cydefops.com/devtunnels-unleashed", + "https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2", "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml" ], @@ -43421,12 +43381,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" ], "tags": [ @@ -43605,8 +43565,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], @@ -43790,12 +43750,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://www.joeware.net/freetools/tools/adfind/", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ @@ -43873,59 +43833,10 @@ "uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89", "value": "WhoAmI as Parameter" }, - { - "description": "Execution of well known tools for data exfiltration and tunneling", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate Administrator using tools" - ], - "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1041", - "attack.t1572", - "attack.t1071.001" - ] - }, - "related": [ - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", - "value": "Exfiltration and Tunneling Tools Execution" - }, { "description": "Detects suspicious parent process for cmd.exe", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/21", "falsepositive": [ "Unknown" @@ -44067,7 +43978,7 @@ { "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/28", "falsepositive": [ "Unknown" @@ -44110,9 +44021,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/countuponsec/status/910977826853068800", "https://twitter.com/countuponsec/status/910969424215232518", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", - "https://twitter.com/countuponsec/status/910977826853068800", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], "tags": [ @@ -44225,8 +44136,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://www.echotrail.io/insights/search/wusa.exe/", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" ], "tags": [ @@ -44249,8 +44160,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" ], "tags": [ @@ -44271,18 +44182,19 @@ "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" }, { - "description": "Detects the stopping of a Windows service", + "description": "Detects the stopping of a Windows service via the \"sc.exe\" utility", "meta": { "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/03/05", "falsepositive": [ - "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" + "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly" ], "filename": "proc_creation_win_sc_stop_service.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml" ], "tags": [ @@ -44420,8 +44332,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/shantanu561993/SharpChisel", "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", + "https://github.com/shantanu561993/SharpChisel", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml" ], "tags": [ @@ -44488,12 +44400,12 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" ], "tags": [ @@ -44527,13 +44439,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", - "https://www.softwaretestinghelp.com/how-to-use-ngrok/", - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", - "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", "https://ngrok.com/docs", "https://twitter.com/xorJosh/status/1598646907802451969", + "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ @@ -44566,8 +44478,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", + "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" ], "tags": [ @@ -44635,13 +44547,13 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -44683,9 +44595,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/hFireF0X/status/897640081053364225", + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/hfiref0x/UACME", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], "tags": [ @@ -44767,8 +44679,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://twitter.com/nas_bench/status/1535431474429808642", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml" ], "tags": [ @@ -44797,6 +44709,39 @@ "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", "value": "Arbitrary Command Execution Using WSL" }, + { + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "meta": { + "author": "John Lambert (rule)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_base64_hidden_flag.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" + }, { "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", "meta": { @@ -44845,10 +44790,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://zero2auto.com/2020/05/19/netwalker-re/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", - "https://redcanary.com/blog/yellow-cockatoo/", "https://mez0.cc/posts/cobaltstrike-powershell-exec/", + "https://redcanary.com/blog/yellow-cockatoo/", + "https://zero2auto.com/2020/05/19/netwalker-re/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ @@ -44898,8 +44843,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-december-2021", "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", + "https://redcanary.com/blog/intelligence-insights-december-2021", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml" ], "tags": [ @@ -45006,8 +44951,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://www.joeware.net/freetools/tools/adfind/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml" ], @@ -45223,8 +45168,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/hexacorn/status/1448037865435320323", "https://twitter.com/Gal_B1t/status/1062971006078345217", + "https://twitter.com/hexacorn/status/1448037865435320323", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml" ], "tags": [ @@ -45290,9 +45235,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://emkc.org/s/RJjuLa", "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" ], "tags": [ @@ -45393,6 +45338,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml" ], "tags": [ @@ -45448,16 +45394,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ @@ -45490,9 +45436,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery", - "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml" ], "tags": [ @@ -45525,8 +45471,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1457676633809330184", "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", + "https://twitter.com/0gtweet/status/1457676633809330184", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" ], "tags": [ @@ -45559,9 +45505,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" ], "tags": [ @@ -45637,8 +45583,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend", "https://twitter.com/0gtweet/status/1638069413717975046", + "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml" ], "tags": [ @@ -45738,9 +45684,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://twitter.com/jonasLyk/status/1555914501802921984", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -45990,9 +45936,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://twitter.com/0gtweet/status/1628720819537936386", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], "tags": [ @@ -46026,8 +45972,8 @@ "logsource.product": "windows", "refs": [ "Internal Research", - "https://linux.die.net/man/1/bash", "https://lolbas-project.github.io/lolbas/Binaries/Bash/", + "https://linux.die.net/man/1/bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml" ], "tags": [ @@ -46193,9 +46139,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", "https://twitter.com/bryon_/status/975835709587075072", "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml" ], "tags": [ @@ -46270,6 +46216,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml" ], "tags": [ @@ -46287,10 +46234,10 @@ } ], "uuid": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", - "value": "Execution in Outlook Temp Folder" + "value": "Suspicious Execution From Outlook Temporary Folder" }, { - "description": "Detects the stopping of a Windows service", + "description": "Detects the stopping of a Windows service via the \"net\" utility.", "meta": { "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/03/05", @@ -46302,6 +46249,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://ss64.com/nt/net-service.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_stop_service.yml" ], "tags": [ @@ -46368,10 +46316,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": [ @@ -46607,10 +46555,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", - "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", - "https://twitter.com/Z3Jpa29z/status/1317545798981324801", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", + "https://twitter.com/Z3Jpa29z/status/1317545798981324801", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml" ], "tags": [ @@ -46685,8 +46633,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/", "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", + "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml" ], "tags": [ @@ -46728,8 +46676,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl", "https://lolbas-project.github.io/lolbas/Libraries/Desk/", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml" ], "tags": [ @@ -46796,8 +46744,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml" ], "tags": [ @@ -46830,8 +46778,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", + "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml" ], "tags": [ @@ -47006,8 +46954,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", + "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml" ], @@ -47090,8 +47038,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ @@ -47124,8 +47072,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml" ], "tags": [ @@ -47195,6 +47143,29 @@ "uuid": "f426547a-e0f7-441a-b63e-854ac5bdf54d", "value": "Perl Inline Command Execution" }, + { + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/07/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_base64_encoded_obfusc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "value": "Suspicious Obfuscated PowerShell Code" + }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { @@ -47449,10 +47420,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": [ @@ -47487,8 +47458,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/dsnezhkov/TruffleSnout", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" ], "tags": [ @@ -47508,41 +47479,6 @@ "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "value": "HackTool - TruffleSnout Execution" }, - { - "description": "Detects a command that accesses password storing registry hives via volume shadow backups", - "meta": { - "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", - "creation_date": "2021/08/09", - "falsepositive": [ - "Some rare backup scenarios" - ], - "filename": "proc_creation_win_malware_conti_shadowcopy.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ] - }, - "related": [ - { - "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "value": "Sensitive Registry Access via Volume Shadow Copy" - }, { "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", "meta": { @@ -47557,10 +47493,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", - "https://twitter.com/EricaZelic/status/1614075109827874817", "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", + "https://twitter.com/EricaZelic/status/1614075109827874817", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], "tags": [ @@ -47596,6 +47532,48 @@ "uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "value": "Suspicious Use of PsLogList" }, + { + "description": "Detects wscript/cscript executions of scripts located in user directories", + "meta": { + "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Some installers might generate a similar behavior. An initial baseline is required" + ], + "filename": "proc_creation_win_wscript_cscript_dropper.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://redcanary.com/blog/gootloader/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "cea72823-df4d-4567-950c-0b579eaf0846", + "value": "Potential Dropper Script Execution Via WScript/CScript" + }, { "description": "Detects the creation of a new service using the \"sc.exe\" utility.", "meta": { @@ -47677,9 +47655,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/995837734379032576", "https://twitter.com/pabraeken/status/999090532839313408", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", + "https://twitter.com/pabraeken/status/995837734379032576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" ], "tags": [ @@ -47746,8 +47724,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", "https://twitter.com/0gtweet/status/1206692239839289344", + "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" ], "tags": [ @@ -47780,8 +47758,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", + "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" ], "tags": [ @@ -47816,6 +47794,7 @@ "refs": [ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -47838,9 +47817,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml" ], "tags": [ @@ -47873,9 +47852,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", - "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ @@ -47909,8 +47888,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://www.uptycs.com/blog/lolbins-are-no-laughing-matter", + "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml" ], "tags": [ @@ -47963,39 +47942,6 @@ "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5", "value": "Suspicious Reg Add BitLocker" }, - { - "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2019/01/16", - "falsepositive": [ - "Various applications", - "Tools that include ping or nslookup command invocations" - ], - "filename": "proc_creation_win_susp_execution_path_webserver.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "related": [ - { - "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "35efb964-e6a5-47ad-bbcd-19661854018d", - "value": "Execution in Webserver Root Folder" - }, { "description": "Detects uncommon child processes of Appvlp.EXE\nAppvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", "meta": { @@ -48043,9 +47989,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/blog/right-to-left-override/", "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", "https://unicode-explorer.com/c/202E", - "https://redcanary.com/blog/right-to-left-override/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" ], "tags": [ @@ -48121,10 +48067,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", - "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" ], "tags": [ @@ -48224,14 +48170,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ @@ -48273,8 +48219,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], @@ -48408,8 +48354,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1562072617552678912", "https://ss64.com/nt/cmd.html", + "https://twitter.com/cyb3rops/status/1562072617552678912", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml" ], "tags": [ @@ -48442,8 +48388,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" ], "tags": [ @@ -48527,9 +48473,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml" ], "tags": [ @@ -48630,11 +48576,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/vysecurity/status/885545634958385153", "https://twitter.com/Hexacorn/status/885570278637678592", - "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://twitter.com/Hexacorn/status/885553465417756673", - "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ @@ -48707,7 +48653,7 @@ { "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -48793,8 +48739,8 @@ "logsource.product": "windows", "refs": [ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ @@ -49032,8 +48978,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md", "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md", "https://securelist.com/locked-out/68960/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml" ], @@ -49103,9 +49049,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ @@ -49140,8 +49086,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/", + "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml" ], "tags": [ @@ -49567,9 +49513,9 @@ "logsource.product": "windows", "refs": [ "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", + "https://github.com/defaultnamehere/cookie_crimes/", "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", - "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], "tags": [ @@ -49633,8 +49579,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", + "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml" ], "tags": [ @@ -49676,8 +49622,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", + "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml" ], "tags": [ @@ -49710,8 +49656,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_felamos/status/1179811992841797632", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", + "https://twitter.com/_felamos/status/1179811992841797632", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml" ], "tags": [ @@ -49744,9 +49690,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml" ], "tags": [ @@ -49813,8 +49759,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml" ], "tags": [ @@ -49837,8 +49783,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml" ], "tags": [ @@ -49907,8 +49853,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/03/30/weak-service-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/30/weak-service-permissions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" ], "tags": [ @@ -49977,8 +49923,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml" ], "tags": [ @@ -50079,6 +50025,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml" ], "tags": [ @@ -50153,10 +50100,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ReaQta/status/1222548288731217921", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", + "https://twitter.com/ReaQta/status/1222548288731217921", + "https://www.activecyber.us/activelabs/windows-uac-bypass", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" ], "tags": [ @@ -50190,8 +50137,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://docs.python.org/3/using/cmdline.html#cmdoption-c", + "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" ], @@ -50225,8 +50172,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" ], "tags": [ @@ -50436,15 +50383,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://github.com/Neo23x0/Raccine#the-process", + "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://blog.talosintelligence.com/2017/05/wannacry.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://github.com/Neo23x0/Raccine#the-process", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", - "https://redcanary.com/blog/intelligence-insights-october-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" ], "tags": [ @@ -50507,40 +50454,6 @@ "uuid": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", "value": "Fsutil Drive Enumeration" }, - { - "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", - "meta": { - "author": "frack113", - "creation_date": "2021/12/06", - "falsepositive": [ - "Legitimate query of a service by an administrator to get more information such as the state or PID", - "Keybase process \"kbfsdokan.exe\" query the dokan1 service with the following commandline \"sc query dokan1\"" - ], - "filename": "proc_creation_win_sc_query.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1007" - ] - }, - "related": [ - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "57712d7a-679c-4a41-a913-87e7175ae429", - "value": "SC.EXE Query Execution" - }, { "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", "meta": { @@ -50554,11 +50467,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gtfobins.github.io/gtfobins/ssh/", - "https://man.openbsd.org/ssh_config#ProxyCommand", "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", + "https://gtfobins.github.io/gtfobins/ssh/", "https://man.openbsd.org/ssh_config#LocalCommand", + "https://man.openbsd.org/ssh_config#ProxyCommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml" ], "tags": [ @@ -50591,8 +50504,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml" ], "tags": [ @@ -50733,9 +50646,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], "tags": [ @@ -50759,9 +50672,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], "tags": [ @@ -50804,10 +50717,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "Internal Research", "https://twitter.com/Max_Mal_/status/1633863678909874176", "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", "https://twitter.com/_JohnHammond/status/1588155401752788994", - "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" ], "tags": [ @@ -50939,13 +50852,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", - "https://twitter.com/CyberRaiju/status/1251492025678983169", - "https://www.cobaltstrike.com/help-opsec", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", + "https://www.cobaltstrike.com/help-opsec", + "https://twitter.com/CyberRaiju/status/1251492025678983169", "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" ], "tags": [ @@ -50978,12 +50891,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://twitter.com/_JohnHammond/status/1708910264261980634", - "https://twitter.com/egre55/status/1087685529016193025", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" ], "tags": [ @@ -51009,7 +50922,7 @@ "author": "Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2022/10/12", "falsepositive": [ - "Administrative activity" + "Unknown" ], "filename": "proc_creation_win_ssh_rdp_tunneling.yml", "level": "high", @@ -51049,8 +50962,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml" ], "tags": [ @@ -51243,8 +51156,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/sensepost/impersonate", "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", + "https://github.com/sensepost/impersonate", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml" ], "tags": [ @@ -51321,6 +51234,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml" ], "tags": [ @@ -51345,8 +51259,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml" ], "tags": [ @@ -51414,8 +51328,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", - "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", + "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml" ], "tags": [ @@ -51644,8 +51558,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://twitter.com/cglyer/status/1183756892952248325", + "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml" ], "tags": [ @@ -51711,8 +51625,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", + "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" ], @@ -51940,8 +51854,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", - "https://github.com/samratashok/ADModule", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], "tags": [ @@ -51966,8 +51880,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ @@ -52000,9 +51914,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Setres/", - "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", + "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://twitter.com/0gtweet/status/1583356502340870144", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml" ], @@ -52044,9 +51958,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml" ], @@ -52163,47 +52077,6 @@ "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "value": "HackTool - Covenant PowerShell Launcher" }, - { - "description": "Detects wscript/cscript executions of scripts located in user directories", - "meta": { - "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", - "creation_date": "2019/01/16", - "falsepositive": [ - "Winzip", - "Other self-extractors" - ], - "filename": "proc_creation_win_malware_script_dropper.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ] - }, - "related": [ - { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "cea72823-df4d-4567-950c-0b579eaf0846", - "value": "WScript or CScript Dropper" - }, { "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", "meta": { @@ -52332,8 +52205,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml" ], "tags": [ @@ -52435,8 +52308,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], "tags": [ @@ -52513,8 +52386,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", + "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml" ], "tags": [ @@ -52584,9 +52457,9 @@ "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", - "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", + "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ @@ -52687,9 +52560,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", + "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ @@ -52790,10 +52663,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ForensicITGuy/status/1334734244120309760", - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://twitter.com/ForensicITGuy/status/1334734244120309760", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], "tags": [ @@ -52844,9 +52717,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", - "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], "tags": [ @@ -52879,8 +52752,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", + "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml" ], "tags": [ @@ -52969,9 +52842,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://twitter.com/jonasLyk/status/1555914501802921984", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" ], "tags": [ @@ -53247,11 +53120,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], "tags": [ @@ -53336,8 +53209,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules", "Internal Research", + "https://tools.thehacker.recipes/mimikatz/modules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" ], "tags": [ @@ -53388,8 +53261,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml" ], "tags": [ @@ -53399,6 +53272,31 @@ "uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", "value": "File Encryption/Decryption Via Gpg4win From Suspicious Locations" }, + { + "description": "Detects the execution of an AnyDesk binary with a version prior to 8.0.8.\nPrior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.\nUse this rule to detect instances of older versions of Anydesk using the compromised certificate\nThis is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.\n", + "meta": { + "author": "Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2024/02/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://anydesk.com/en/changelog/windows", + "https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml" + ], + "tags": [ + "attack.execution", + "attack.initial_access" + ] + }, + "uuid": "41f407b5-3096-44ea-a74f-96d04fbc41be", + "value": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate" + }, { "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", "meta": { @@ -53469,9 +53367,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist", + "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml" ], "tags": [ @@ -53491,6 +53389,41 @@ "uuid": "ccb5742c-c248-4982-8c5c-5571b9275ad3", "value": "Recon Command Output Piped To Findstr.EXE" }, + { + "description": "Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)\n", + "meta": { + "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_sensitive_file_access_shadowcopy.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", + "value": "Sensitive File Access Via Volume Shadow Copy Backup" + }, { "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", "meta": { @@ -53504,9 +53437,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://twitter.com/Hexacorn/status/1420053502554951689", "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", + "https://twitter.com/Hexacorn/status/1420053502554951689", + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml" ], "tags": [ @@ -53581,10 +53514,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", - "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", + "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], @@ -53661,8 +53594,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" ], @@ -53730,12 +53663,12 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml" ], "tags": [ @@ -53768,10 +53701,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ @@ -53847,8 +53780,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://github.com/electron/rcedit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], @@ -54080,8 +54013,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml" ], "tags": [ @@ -54131,10 +54064,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], "tags": [ @@ -54286,9 +54219,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/", "https://github.com/outflanknl/NetshHelperBeacon", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", + "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml" ], "tags": [ @@ -54323,13 +54256,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vletoux/pingcastle", + "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", + "https://github.com/vletoux/pingcastle", + "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", + "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", - "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", - "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", - "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml" ], "tags": [ @@ -54362,9 +54295,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml" ], "tags": [ @@ -54433,7 +54366,7 @@ { "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/28", "falsepositive": [ "Unknown" @@ -54533,6 +54466,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml" ], "tags": [ @@ -54633,9 +54567,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", - "https://twitter.com/nas_bench/status/1537896324837781506", "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", + "https://twitter.com/nas_bench/status/1537896324837781506", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], @@ -54669,12 +54603,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", - "https://positive.security/blog/ms-officecmd-rce", - "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", + "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", + "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", + "https://positive.security/blog/ms-officecmd-rce", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml" ], "tags": [ @@ -54779,8 +54713,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml" ], "tags": [ @@ -54846,8 +54780,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ @@ -54880,10 +54814,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", - "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", + "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" ], "tags": [ @@ -55032,9 +54966,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password", - "https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml" ], "tags": [ @@ -55100,8 +55034,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/mattifestation/status/1196390321783025666", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], @@ -55144,8 +55078,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://redcanary.com/threat-detection-report/threats/qbot/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], @@ -55179,10 +55113,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" ], "tags": [ @@ -55261,8 +55195,8 @@ "refs": [ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://adsecurity.org/?p=2604", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -55402,8 +55336,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs", + "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml" ], "tags": [ @@ -55520,8 +55454,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml" ], "tags": [ @@ -55588,9 +55522,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.gpg4win.de/documentation.html", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml" ], "tags": [ @@ -55637,9 +55571,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" ], "tags": [ @@ -55729,8 +55663,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml" ], "tags": [ @@ -55796,8 +55730,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://www.radmin.fr/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml" ], "tags": [ @@ -55821,7 +55755,7 @@ { "description": "Detects attempts to disable the Windows Firewall using PowerShell", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/14", "falsepositive": [ "Unknown" @@ -55864,10 +55798,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://github.com/wunderwuzzi23/firefox-cookiemonster", - "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", "https://github.com/defaultnamehere/cookie_crimes/", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", + "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], "tags": [ @@ -55924,7 +55858,7 @@ { "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/27", "falsepositive": [ "Other programs that cause these patterns (please report)" @@ -56002,9 +55936,9 @@ "logsource.product": "windows", "refs": [ "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", + "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", - "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" ], "tags": [ @@ -56070,9 +56004,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml" ], "tags": [ @@ -56160,7 +56094,7 @@ "value": "Suspicious Key Manager Access" }, { - "description": "Detects the stopping of a Windows service", + "description": "Detects the stopping of a Windows service via the PowerShell Cmdlet \"Stop-Service\"", "meta": { "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2023/03/05", @@ -56172,6 +56106,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml" ], "tags": [ @@ -56238,8 +56173,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" ], "tags": [ @@ -56361,6 +56296,39 @@ "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "value": "Suspicious Command Patterns In Scheduled Task Creation" }, + { + "description": "Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/08/05", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "proc_creation_win_powershell_remove_mppreference.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", + "value": "Tamper Windows Defender Remove-MpPreference" + }, { "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", "meta": { @@ -56374,8 +56342,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml" ], "tags": [ @@ -56517,9 +56485,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ @@ -56587,8 +56555,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/bopin2020/status/1366400799199272960", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml" ], "tags": [ @@ -56663,8 +56631,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml" ], "tags": [ @@ -56746,8 +56714,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/17", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/17", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml" ], "tags": [ @@ -56849,8 +56817,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", + "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml" ], "tags": [ @@ -56883,8 +56851,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml" ], "tags": [ @@ -56953,8 +56921,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml" ], "tags": [ @@ -56987,9 +56955,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", - "https://www.php.net/manual/en/features.commandline.php", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.php.net/manual/en/features.commandline.php", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -57045,9 +57013,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml" ], "tags": [ @@ -57081,8 +57049,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.d7xtech.com/free-software/runx/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml" ], "tags": [ @@ -57116,10 +57084,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", - "https://twitter.com/mrd0x/status/1511415432888131586", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", + "https://twitter.com/mrd0x/status/1511415432888131586", + "https://twitter.com/mrd0x/status/1511489821247684615", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" ], "tags": [ @@ -57193,11 +57161,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", - "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], "tags": [ @@ -57286,8 +57254,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nmap.org/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", + "https://nmap.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml" ], "tags": [ @@ -57345,9 +57313,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0404/", "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://twitter.com/vxunderground/status/1423336151860002816", + "https://attack.mitre.org/software/S0404/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml" ], "tags": [ @@ -57388,8 +57356,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml" ], "tags": [ @@ -57533,8 +57501,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -57567,8 +57535,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1182389676876980224", "https://twitter.com/cglyer/status/1182391019633029120", + "https://twitter.com/cglyer/status/1182389676876980224", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ @@ -57601,8 +57569,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml" ], "tags": [ @@ -57672,9 +57640,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml" ], "tags": [ @@ -57707,14 +57675,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ @@ -57923,9 +57891,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44", "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" ], "tags": [ @@ -58001,8 +57969,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" ], "tags": [ @@ -58069,8 +58037,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" ], @@ -58091,6 +58059,39 @@ "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969", "value": "Use Short Name Path in Command Line" }, + { + "description": "Detects the enumeration of a specific DLL or EXE being used by a binary via \"tasklist.exe\".\nThis is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.\nIn order to dump the process memory or perform other nefarious actions.\n", + "meta": { + "author": "Swachchhanda Shrawan Poudel", + "creation_date": "2024/02/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_tasklist_module_enumeration.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", + "https://pentestlab.blog/tag/svchost/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml" + ], + "tags": [ + "attack.t1003" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "34275eb8-fa19-436b-b959-3d9ecd53fa1f", + "value": "Loaded Module Enumeration Via Tasklist.EXE" + }, { "description": "Detects the execution of a renamed \"cloudflared\" binary.", "meta": { @@ -58104,11 +58105,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared", - "https://github.com/cloudflare/cloudflared/releases", - "https://www.intrinsec.com/akira_ransomware/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "https://github.com/cloudflare/cloudflared", + "https://www.intrinsec.com/akira_ransomware/", "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", + "https://github.com/cloudflare/cloudflared/releases", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml" ], "tags": [ @@ -58231,8 +58232,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "Internal Research", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" ], "tags": [ @@ -58255,13 +58256,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://twitter.com/shantanukhande/status/1229348874298388484", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", + "https://twitter.com/Wietze/status/1542107456507203586", "https://twitter.com/Hexacorn/status/1224848930795552769", "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", - "https://twitter.com/SBousseaden/status/1167417096374050817", - "https://twitter.com/Wietze/status/1542107456507203586", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ @@ -58337,8 +58338,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml" ], "tags": [ @@ -58372,11 +58373,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/christophetd/status/1164506034720952320", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://twitter.com/christophetd/status/1164506034720952320", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", - "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ @@ -58477,12 +58478,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], "tags": [ @@ -58523,8 +58524,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml" ], "tags": [ @@ -58544,46 +58545,6 @@ "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", "value": "IIS Native-Code Module Command Line Installation" }, - { - "description": "Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript", - "meta": { - "author": "Michael Haag", - "creation_date": "2019/01/16", - "falsepositive": [ - "Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy." - ], - "filename": "proc_creation_win_wscript_cscript_script_exec.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ] - }, - "related": [ - { - "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288", - "value": "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript" - }, { "description": "Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities", "meta": { @@ -58598,11 +58559,11 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1433344116071583746", - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", - "https://twitter.com/eral4m/status/1479106975967240209", - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", "https://twitter.com/eral4m/status/1479080793003671557", + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", "https://twitter.com/Hexacorn/status/885258886428725250", + "https://twitter.com/eral4m/status/1479106975967240209", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" ], "tags": [ @@ -58635,8 +58596,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", "https://adsecurity.org/?p=2288", + "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" ], "tags": [ @@ -58703,9 +58664,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], "tags": [ @@ -58917,9 +58878,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", - "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" ], "tags": [ @@ -58977,7 +58938,7 @@ { "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -59020,9 +58981,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" ], "tags": [ @@ -59249,8 +59210,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://twitter.com/mrd0x/status/1463526834918854661", + "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml" ], "tags": [ @@ -59320,11 +59281,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://en.wikipedia.org/wiki/Hangul_(word_processor)", - "https://twitter.com/cyberwar_15/status/1187287262054076416", - "https://blog.alyac.co.kr/1901", - "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", + "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", + "https://blog.alyac.co.kr/1901", + "https://twitter.com/cyberwar_15/status/1187287262054076416", + "https://en.wikipedia.org/wiki/Hangul_(word_processor)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ @@ -59365,7 +59326,7 @@ { "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -59508,9 +59469,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", - "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://www.fortiguard.com/threat-signal-report/4718?s=09", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml" ], "tags": [ @@ -59543,8 +59504,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], @@ -59601,9 +59562,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", "https://twitter.com/nas_bench/status/1534957360032120833", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml" ], "tags": [ @@ -59687,8 +59648,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cw1997/NATBypass", "https://github.com/HiwinCN/HTran", + "https://github.com/cw1997/NATBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml" ], "tags": [ @@ -59722,9 +59683,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://www.nirsoft.net/utils/nircmd2.html#using", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ @@ -59791,9 +59752,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", - "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://www.fortiguard.com/threat-signal-report/4718?s=09", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml" ], "tags": [ @@ -60027,8 +59988,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml" ], "tags": [ @@ -60095,8 +60056,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], @@ -60121,9 +60082,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml" ], "tags": [ @@ -60274,6 +60235,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/yarrick/iodine", + "https://github.com/iagox86/dnscat2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml" ], "tags": [ @@ -60310,6 +60273,40 @@ "uuid": "98a96a5a-64a0-4c42-92c5-489da3866cb0", "value": "DNS Exfiltration and Tunneling Tools Execution" }, + { + "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", + "meta": { + "author": "Endgame, JHasenbusch (ported for oscd.community)", + "creation_date": "2018/10/30", + "falsepositive": [ + "Legitimate use of net.exe utility by legitimate user" + ], + "filename": "proc_creation_win_net_view_share_and_sessions_enum.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ] + }, + "related": [ + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "62510e69-616b-4078-b371-847da438cc03", + "value": "Share And Session Enumeration Using Net.EXE" + }, { "description": "Detects suspicious child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript", "meta": { @@ -60441,8 +60438,8 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", - "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml" ], "tags": [ @@ -60542,9 +60539,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/_JohnHammond/status/1531672601067675648", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ @@ -60577,10 +60574,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared", - "https://www.intrinsec.com/akira_ransomware/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", + "https://www.intrinsec.com/akira_ransomware/", + "https://github.com/cloudflare/cloudflared", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml" ], "tags": [ @@ -60613,9 +60610,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", - "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", + "https://unit42.paloaltonetworks.com/chromeloader-malware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_extraction.yml" ], "tags": [ @@ -60706,8 +60703,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", + "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml" ], "tags": [ @@ -60782,10 +60779,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", "https://twitter.com/SBousseaden/status/1211636381086339073", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ @@ -60826,7 +60823,7 @@ { "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "meta": { - "author": "Florian Roth (Nextron Systems)", + "author": "Florian Roth (Nextron Systems), Elastic (idea)", "creation_date": "2022/09/13", "falsepositive": [ "Unknown" @@ -60903,8 +60900,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml" ], "tags": [ @@ -61003,13 +61000,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://www.joeware.net/freetools/tools/adfind/", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ @@ -61067,8 +61064,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/carlospolop/PEASS-ng", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml" ], "tags": [ @@ -61117,8 +61114,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml" ], "tags": [ @@ -61151,8 +61148,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", "https://twitter.com/subTee/status/1216465628946563073", + "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml" ], "tags": [ @@ -61220,8 +61217,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "Internal Research", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml" ], "tags": [ @@ -61254,9 +61251,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", - "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], @@ -61290,9 +61287,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" ], "tags": [ @@ -61410,9 +61407,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", - "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], "tags": [ @@ -61512,8 +61509,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml" ], "tags": [ @@ -61546,8 +61543,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", + "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml" ], "tags": [ @@ -61639,8 +61636,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", + "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml" ], "tags": [ @@ -61673,10 +61670,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", - "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ @@ -61732,8 +61729,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml" ], "tags": [ @@ -61801,9 +61798,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", - "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml" ], "tags": [ @@ -61848,8 +61845,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" ], "tags": [ @@ -61948,9 +61945,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" ], "tags": [ @@ -62016,9 +62013,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], "tags": [ @@ -62098,11 +62095,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://twitter.com/pfiatde/status/1681977680688738305", + "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", - "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", + "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", + "https://twitter.com/pfiatde/status/1681977680688738305", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -62277,11 +62274,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://twitter.com/egre55/status/1087685529016193025", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], "tags": [ @@ -62314,8 +62312,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://tools.thehacker.recipes/mimikatz/modules", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml" ], "tags": [ @@ -62474,7 +62472,7 @@ { "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/27", "falsepositive": [ "Unknown" @@ -62594,9 +62592,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", - "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" ], "tags": [ @@ -62664,9 +62662,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt", - "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt", "Internal Research", + "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt", + "https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml" ], "tags": [ @@ -62689,9 +62687,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml" ], "tags": [ @@ -62724,8 +62722,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml" ], "tags": [ @@ -62758,9 +62756,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml" ], "tags": [ @@ -62827,8 +62825,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/logman.html", "https://twitter.com/0gtweet/status/1359039665232306183?s=21", + "https://ss64.com/nt/logman.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml" ], "tags": [ @@ -62869,11 +62867,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1355171195654709249", + "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://twitter.com/cglyer/status/1355171195654709249", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], "tags": [ @@ -62906,9 +62904,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://github.com/frgnca/AudioDeviceCmdlets", - "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" ], "tags": [ @@ -62941,9 +62939,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -63010,10 +63008,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://nodejs.org/api/cli.html", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ @@ -63047,8 +63045,8 @@ "logsource.product": "windows", "refs": [ "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -63115,8 +63113,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", + "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" ], "tags": [ @@ -63172,7 +63170,7 @@ { "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", "meta": { - "author": "Tim Rauch", + "author": "Tim Rauch, Elastic (idea)", "creation_date": "2022/09/20", "falsepositive": [ "Unknown" @@ -63182,8 +63180,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml" ], "tags": [ @@ -63355,13 +63353,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://positive.security/blog/ms-officecmd-rce", - "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", + "https://lolbas-project.github.io/lolbas/Binaries/Teams/", + "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://taggart-tech.com/quasar-electron/", "https://github.com/mttaggart/quasar", "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", - "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", + "https://positive.security/blog/ms-officecmd-rce", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], "tags": [ @@ -63460,9 +63458,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", "http://www.xuetr.com/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml" ], "tags": [ @@ -63641,39 +63639,6 @@ "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5", "value": "File Download Via Windows Defender MpCmpRun.EXE" }, - { - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "meta": { - "author": "John Lambert (rule)", - "creation_date": "2019/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", - "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" - }, { "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", "meta": { @@ -63764,8 +63729,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1616702107242971144", "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r", + "https://twitter.com/malmoeb/status/1616702107242971144", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" ], "tags": [ @@ -63822,9 +63787,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml" ], "tags": [ @@ -64040,8 +64005,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml" ], "tags": [ @@ -64074,8 +64039,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", + "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], @@ -64100,8 +64065,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/0gtweet/status/1299071304805560321?s=21", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml" ], @@ -64135,10 +64100,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], "tags": [ @@ -64205,8 +64170,8 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", - "https://www.echotrail.io/insights/search/mshta.exe", "https://en.wikipedia.org/wiki/HTML_Application", + "https://www.echotrail.io/insights/search/mshta.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], "tags": [ @@ -64239,10 +64204,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", + "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", - "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], "tags": [ @@ -64277,10 +64242,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", - "https://twitter.com/gN3mes1s/status/1206874118282448897", - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://twitter.com/gN3mes1s/status/1206874118282448897", + "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml" ], @@ -64390,9 +64355,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://www.nirsoft.net/utils/nircmd2.html#using", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ @@ -64615,8 +64580,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" ], "tags": [ @@ -64649,8 +64614,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml" ], "tags": [ @@ -64859,8 +64824,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", + "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml" ], "tags": [ @@ -64880,6 +64845,39 @@ "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", "value": "Dropping Of Password Filter DLL" }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_net_use_network_connections_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", + "value": "System Network Connections Discovery Via Net.EXE" + }, { "description": "Detects potential \"ShellDispatch.dll\" functionality abuse to execute arbitrary binaries via \"ShellExecute\"", "meta": { @@ -64918,10 +64916,10 @@ "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", - "https://twitter.com/max_mal_/status/1542461200797163522", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", - "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", + "https://twitter.com/max_mal_/status/1542461200797163522", + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ @@ -65024,12 +65022,12 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", - "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ @@ -65172,8 +65170,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.intrinsec.com/apt27-analysis/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://www.intrinsec.com/apt27-analysis/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], @@ -65291,9 +65289,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", - "https://unit42.paloaltonetworks.com/chromeloader-malware/", "https://lolbas-project.github.io/lolbas/Binaries/Tar/", + "https://unit42.paloaltonetworks.com/chromeloader-malware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tar_compression.yml" ], "tags": [ @@ -65335,8 +65333,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", + "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml" ], "tags": [ @@ -65366,7 +65364,7 @@ "value": "Suspicious Plink Port Forwarding" }, { - "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", + "description": "Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.\nThis could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.\n", "meta": { "author": "Sreeman", "creation_date": "2021/06/11", @@ -65378,6 +65376,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml" ], "tags": [ @@ -65410,9 +65409,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml" ], "tags": [ @@ -65445,9 +65444,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ @@ -65481,8 +65480,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", - "https://twitter.com/mrd0x/status/1461041276514623491", "https://twitter.com/tccontre18/status/1480950986650832903", + "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml" ], "tags": [ @@ -65515,8 +65514,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", + "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml" ], "tags": [ @@ -65550,9 +65549,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml" ], @@ -65586,8 +65585,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", "https://twitter.com/mrd0x/status/1511415432888131586", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml" ], @@ -65662,8 +65661,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" ], @@ -65699,10 +65698,10 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", - "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", - "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", - "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", + "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", + "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", + "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" ], "tags": [ @@ -65744,9 +65743,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml" ], "tags": [ @@ -65903,8 +65902,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ @@ -65938,6 +65937,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml" ], "tags": [ @@ -65995,9 +65995,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ @@ -66046,12 +66046,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], "tags": [ @@ -66086,8 +66086,8 @@ "refs": [ "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/antonioCoco/RogueWinRM", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ @@ -66148,9 +66148,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml" ], "tags": [ @@ -66183,8 +66183,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", "https://twitter.com/bohops/status/1635288066909966338", + "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml" ], "tags": [ @@ -66286,8 +66286,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", + "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml" ], "tags": [ @@ -66329,8 +66329,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/malcomvetter/CSExec", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://github.com/malcomvetter/CSExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml" ], "tags": [ @@ -66403,6 +66403,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml" ], "tags": [ @@ -66445,8 +66446,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://twitter.com/nas_bench/status/1535431474429808642", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml" ], "tags": [ @@ -66624,8 +66625,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1478116126005641220", "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", + "https://twitter.com/mrd0x/status/1478116126005641220", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml" ], "tags": [ @@ -66727,9 +66728,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/fireeye/DueDLLigence", - "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ @@ -66795,8 +66796,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://twitter.com/pabraeken/status/993497996179492864", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml" ], "tags": [ @@ -66863,7 +66864,7 @@ "value": "Suspicious File Download From IP Via Wget.EXE" }, { - "description": "Detects the creation of scheduled tasks in user session", + "description": "Detects the creation of scheduled tasks by user accounts via the \"schtasks\" utility.", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2019/01/16", @@ -66876,6 +66877,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml" ], "tags": [ @@ -66898,7 +66900,41 @@ } ], "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189", - "value": "Scheduled Task Creation" + "value": "Scheduled Task Creation Via Schtasks.EXE" + }, + { + "description": "Detects the execution of SharpMove, a .NET utility performing multiple tasks such as \"Task Creation\", \"SCM\" query, VBScript execution using WMI via its PE metadata and command line options.\n", + "meta": { + "author": "Luca Di Bartolomeo (CrimpSec)", + "creation_date": "2024/01/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_sharpmove.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/0xthirteen/SharpMove/", + "https://pentestlab.blog/tag/sharpmove/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "related": [ + { + "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "055fb54c-a8f4-4aee-bd44-f74cf30a0d9d", + "value": "HackTool - SharpMove Tool Execution" }, { "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", @@ -67017,10 +67053,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", - "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml" ], @@ -67147,9 +67183,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml" ], "tags": [ @@ -67274,9 +67310,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://atomicredteam.io/defense-evasion/T1220/", + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://twitter.com/mattifestation/status/986280382042595328", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" ], @@ -67493,10 +67529,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://vms.drweb.fr/virus/?i=24144899", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://vms.drweb.fr/virus/?i=24144899", + "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], "tags": [ @@ -67623,9 +67659,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml" ], "tags": [ @@ -67649,8 +67685,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml" ], @@ -67820,8 +67856,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" ], "tags": [ @@ -67941,29 +67977,6 @@ "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", "value": "MMC Spawning Windows Shell" }, - { - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/07/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_powershell_encoded_obfusc.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", - "value": "Suspicious Obfuscated PowerShell Code" - }, { "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence", "meta": { @@ -67977,8 +67990,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml", "https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-", + "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" ], "tags": [ @@ -68021,9 +68034,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], "tags": [ @@ -68058,10 +68071,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ @@ -68128,12 +68141,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/helpsystems/nanodump", - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://github.com/Hackndo/lsassy", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://github.com/CCob/MirrorDump", + "https://github.com/Hackndo/lsassy", "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://github.com/helpsystems/nanodump", + "https://github.com/CCob/MirrorDump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml" ], "tags": [ @@ -68232,8 +68245,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/bopin2020/status/1366400799199272960", + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml" ], "tags": [ @@ -68309,9 +68322,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml" ], "tags": [ @@ -68344,10 +68357,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ @@ -68413,13 +68426,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vletoux/pingcastle", + "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", "https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450", + "https://github.com/vletoux/pingcastle", + "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", + "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", "https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680", - "https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8", - "https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699", - "https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml" ], "tags": [ @@ -68452,9 +68465,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/_felamos/status/1204705548668555264", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", - "https://twitter.com/_felamos/status/1204705548668555264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml" ], "tags": [ @@ -68577,40 +68590,6 @@ "uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", "value": "Detected Windows Software Discovery" }, - { - "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", - "meta": { - "author": "Endgame, JHasenbusch (ported for oscd.community)", - "creation_date": "2018/10/30", - "falsepositive": [ - "Legitimate use of net.exe utility by legitimate user" - ], - "filename": "proc_creation_win_net_share_and_sessions_enum.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018" - ] - }, - "related": [ - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "62510e69-616b-4078-b371-847da438cc03", - "value": "Share And Session Enumeration Using Net.EXE" - }, { "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", "meta": { @@ -68778,10 +68757,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", - "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], "tags": [ @@ -68814,10 +68793,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", - "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" ], "tags": [ @@ -69019,9 +68998,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", - "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", "https://twitter.com/0gtweet/status/1564968845726580736", + "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ @@ -69063,17 +69042,17 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", - "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" ], "tags": [ @@ -69124,10 +69103,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", + "https://twitter.com/cyb3rops/status/1186631731543236608", "https://github.com/Neo23x0/DLLRunner", "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", - "https://twitter.com/cyb3rops/status/1186631731543236608", + "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml" ], "tags": [ @@ -69293,8 +69272,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml" ], @@ -69328,8 +69307,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vysecurity/status/977198418354491392", "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", + "https://twitter.com/vysecurity/status/977198418354491392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml" ], "tags": [ @@ -69412,10 +69391,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" ], "tags": [ @@ -69448,12 +69427,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/04/13/hot-potato/", "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", - "https://github.com/ohpe/juicy-potato", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", "https://www.localpotato.com/", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://github.com/ohpe/juicy-potato", + "https://pentestlab.blog/2017/04/13/hot-potato/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], "tags": [ @@ -69560,8 +69539,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w", "https://www.autoitscript.com/site/", + "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml" ], "tags": [ @@ -69596,9 +69575,9 @@ "refs": [ "https://twitter.com/0gtweet/status/1628720819537936386", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" ], "tags": [ @@ -69666,8 +69645,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml" ], "tags": [ @@ -69857,11 +69836,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/1326228491302563846", - "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", - "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", "http://blog.sevagas.com/?Hacking-around-HTA-files", "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", + "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", + "https://twitter.com/mattifestation/status/1326228491302563846", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], "tags": [ @@ -70073,8 +70052,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", "https://github.com/Hackplayers/evil-winrm", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml" ], "tags": [ @@ -70209,8 +70188,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml" ], "tags": [ @@ -70270,8 +70249,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" ], "tags": [ @@ -70338,9 +70317,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/pabraeken/status/990717080805789697", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml" ], "tags": [ @@ -70395,39 +70374,6 @@ "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7", "value": "Suspicious Execution of Powershell with Base64" }, - { - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/05/24", - "falsepositive": [ - "Other tools that work with encoded scripts in the command line instead of script files" - ], - "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "related": [ - { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", - "value": "Suspicious PowerShell Encoded Command Patterns" - }, { "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", "meta": { @@ -70579,8 +70525,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", "https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml" ], "tags": [ @@ -70740,8 +70686,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", "http://www.irongeek.com/homoglyph-attack-generator.php", + "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml" ], "tags": [ @@ -70782,8 +70728,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/quarkslab/quarkspwdump", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", + "https://github.com/quarkslab/quarkspwdump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml" ], "tags": [ @@ -70899,8 +70845,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml" ], "tags": [ @@ -71228,10 +71174,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", + "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", - "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", + "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ @@ -71298,8 +71244,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/cube0x0", + "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml" ], "tags": [ @@ -71439,9 +71385,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" ], "tags": [ @@ -71474,8 +71420,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/sensepost/ruler", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", + "https://github.com/sensepost/ruler", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" ], @@ -71517,6 +71463,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml" ], "tags": [ @@ -71549,11 +71496,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", + "https://twitter.com/aceresponder/status/1636116096506818562", "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", - "https://twitter.com/aceresponder/status/1636116096506818562", "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", - "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ @@ -71587,8 +71534,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1618021838407495681", "https://twitter.com/nas_bench/status/1618021415852335105", + "https://twitter.com/nas_bench/status/1618021838407495681", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml" ], "tags": [ @@ -71663,8 +71610,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml" ], "tags": [ @@ -71697,8 +71644,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hashcat.net/wiki/doku.php?id=hashcat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", + "https://hashcat.net/wiki/doku.php?id=hashcat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml" ], "tags": [ @@ -71731,9 +71678,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", - "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], "tags": [ @@ -71775,10 +71722,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://twitter.com/vysecurity/status/974806438316072960", - "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://twitter.com/vysecurity/status/873181705024266241", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", + "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml" ], "tags": [ @@ -71799,7 +71746,7 @@ "value": "Capture Credentials with Rpcping.exe" }, { - "description": "Detects the creation of a process from Windows task manager", + "description": "Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2018/03/13", @@ -71811,6 +71758,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/ReneFreingruber/status/1172244989335810049", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml" ], "tags": [ @@ -71828,7 +71776,7 @@ } ], "uuid": "3d7679bd-0c00-440c-97b0-3f204273e6c7", - "value": "Taskmgr as Parent" + "value": "New Process Created Via Taskmgr.EXE" }, { "description": "Detects the use of Advanced Port Scanner.", @@ -71886,8 +71834,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", - "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml" ], "tags": [ @@ -71910,9 +71858,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" ], "tags": [ @@ -72045,9 +71993,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/hfiref0x/UACME", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ @@ -72190,9 +72138,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml" ], "tags": [ @@ -72221,39 +72169,6 @@ "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", "value": "Microsoft Workflow Compiler Execution" }, - { - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "meta": { - "author": "frack113", - "creation_date": "2021/12/10", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_net_network_connections_discovery.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ] - }, - "related": [ - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", - "value": "System Network Connections Discovery Via Net.EXE" - }, { "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", "meta": { @@ -72267,9 +72182,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", - "https://www.revshells.com/", "https://nmap.org/ncat/", + "https://www.revshells.com/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml" ], "tags": [ @@ -72302,11 +72217,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://twitter.com/egre55/status/1087685529016193025", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], "tags": [ @@ -72339,8 +72254,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml" ], "tags": [ @@ -72407,9 +72322,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/for.html", "https://ss64.com/ps/foreach-object.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://ss64.com/nt/for.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], "tags": [ @@ -72535,7 +72450,7 @@ "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/08/04", "falsepositive": [ - "Administrative activity" + "Unknown" ], "filename": "proc_creation_win_plink_susp_tunneling.yml", "level": "high", @@ -72560,7 +72475,7 @@ } ], "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", - "value": "Potential RDP Tunneling Via SSH Plink" + "value": "Potential RDP Tunneling Via Plink" }, { "description": "Detects the addition of a new LogonScript to the registry value \"UserInitMprLogonScript\" for potential persistence", @@ -72641,8 +72556,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", "https://twitter.com/fr0s7_/status/1712780207105404948", + "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml" ], @@ -72666,8 +72581,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://redcanary.com/threat-detection-report/threats/qbot/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" ], "tags": [ @@ -72687,6 +72602,39 @@ "uuid": "48917adc-a28e-4f5d-b729-11e75da8941f", "value": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" }, + { + "description": "Detects the enumeration and query of interesting and in some cases sensitive services on the system via \"sc.exe\".\nAttackers often try to enumerate the services currently running on a system in order to find different attack vectors.\n", + "meta": { + "author": "Swachchhanda Shrawan Poudel", + "creation_date": "2024/02/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sc_query_interesting_services.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/", + "https://pentestlab.blog/tag/svchost/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml" + ], + "tags": [ + "attack.t1003" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e83e8899-c9b2-483b-b355-5decc942b959", + "value": "Interesting Service Enumeration Via Sc.EXE" + }, { "description": "Detects the usage of \"reg.exe\" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection", "meta": { @@ -72700,9 +72648,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", - "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", + "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" ], "tags": [ @@ -72736,8 +72684,8 @@ "logsource.product": "windows", "refs": [ "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", - "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", "https://kb.acronis.com/content/60892", + "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml" ], "tags": [ @@ -72817,8 +72765,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", + "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml" ], "tags": [ @@ -72842,10 +72790,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", - "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", + "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" ], "tags": [ @@ -72993,8 +72941,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/1641712700605513729", "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", + "https://twitter.com/Oddvarmoe/status/1641712700605513729", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml" ], "tags": [ @@ -73019,9 +72967,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" @@ -73085,39 +73033,6 @@ "uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", "value": "Suspicious Certreq Command to Download" }, - { - "description": "Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/08/05", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "related": [ - { - "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", - "value": "Tamper Windows Defender Remove-MpPreference" - }, { "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", "meta": { @@ -73335,8 +73250,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml" ], "tags": [ @@ -73438,8 +73353,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", + "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml" ], "tags": [ @@ -73496,8 +73411,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://www.scythe.io/library/threat-emulation-qakbot", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml" ], @@ -73690,9 +73605,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" @@ -73738,9 +73654,9 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ @@ -73805,7 +73721,7 @@ { "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", "meta": { - "author": "Tim Rauch, Janantha Marasinghe", + "author": "Tim Rauch, Janantha Marasinghe, Elastic (original idea)", "creation_date": "2022/11/08", "falsepositive": [ "Unknown" @@ -73816,8 +73732,8 @@ "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", - "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", + "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ @@ -73884,8 +73800,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml" ], "tags": [ @@ -74053,8 +73969,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" ], "tags": [ @@ -74110,9 +74026,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/blog/lateral-movement-winrm-wmi/", "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", "https://twitter.com/bohops/status/994405551751815170", - "https://redcanary.com/blog/lateral-movement-winrm-wmi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" ], "tags": [ @@ -74199,6 +74115,41 @@ "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "value": "Potential PowerShell Obfuscation Via Reversed Commands" }, + { + "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/09/01", + "falsepositive": [ + "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" + ], + "filename": "proc_creation_win_net_user_default_accounts_manipulation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5b768e71-86f2-4879-b448-81061cbae951", + "value": "Suspicious Manipulation Of Default Accounts Via Net.EXE" + }, { "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", "meta": { @@ -74559,10 +74510,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" ], "tags": [ @@ -74722,8 +74673,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://processhacker.sourceforge.io/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml" ], "tags": [ @@ -74762,41 +74713,6 @@ "uuid": "811e0002-b13b-4a15-9d00-a613fce66e42", "value": "PUA - Process Hacker Execution" }, - { - "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2022/09/01", - "falsepositive": [ - "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" - ], - "filename": "proc_creation_win_net_default_accounts_manipulation.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", - "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "related": [ - { - "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5b768e71-86f2-4879-b448-81061cbae951", - "value": "Suspicious Manipulation Of Default Accounts Via Net.EXE" - }, { "description": "load malicious registered COM objects", "meta": { @@ -74810,8 +74726,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" ], "tags": [ @@ -75010,9 +74926,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" ], "tags": [ @@ -75045,9 +74961,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922", "https://github.com/grayhatkiller/SharpExShell", + "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml" ], "tags": [ @@ -75080,8 +74996,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://twitter.com/_st0pp3r_/status/1583914515996897281", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], @@ -75115,8 +75031,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" ], "tags": [ @@ -75172,8 +75088,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml" ], "tags": [ @@ -75206,8 +75122,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", + "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://www.exploit-db.com/exploits/37525", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], @@ -75325,8 +75241,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", "https://twitter.com/med0x2e/status/1520402518685200384", + "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml" ], "tags": [ @@ -75478,39 +75394,6 @@ "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", "value": "Potential Data Exfiltration Activity Via CommandLine Tools" }, - { - "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", - "meta": { - "author": "frack113", - "creation_date": "2021/12/11", - "falsepositive": [ - "Administrator, hotline ask to user" - ], - "filename": "proc_creation_win_tasklist_basic_execution.yml", - "level": "informational", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1057" - ] - }, - "related": [ - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "63332011-f057-496c-ad8d-d2b6afb27f96", - "value": "Suspicious Tasklist Discovery Command" - }, { "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced", "meta": { @@ -75644,11 +75527,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", - "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ @@ -75723,10 +75606,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" ], @@ -75760,8 +75643,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://abuse.io/lockergoga.txt", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" ], @@ -75838,8 +75721,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100", "https://www.virusradar.com/en/Win32_Kasidet.AD/description", + "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" ], "tags": [ @@ -75905,8 +75788,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://redcanary.com/blog/raspberry-robin/", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://github.com/SigmaHQ/sigma/issues/1009", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], @@ -76234,8 +76117,8 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", - "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/binderlabs/DirCreate2System", + "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" ], "tags": [ @@ -76277,6 +76160,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml" ], "tags": [ @@ -76299,9 +76183,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", - "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml" ], "tags": [ @@ -76335,8 +76219,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" ], @@ -76383,9 +76267,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml" ], "tags": [ @@ -76483,8 +76367,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://twitter.com/pabraeken/status/993298228840992768", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml" ], "tags": [ @@ -76526,8 +76410,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", + "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml" ], "tags": [ @@ -76609,9 +76493,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml" ], "tags": [ @@ -76644,8 +76528,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml" ], "tags": [ @@ -76711,24 +76595,24 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/besimorhino/powercat", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/calebstewart/CVE-2021-1675", - "https://adsecurity.org/?p=2921", - "https://github.com/adrecon/AzureADRecon", + "https://github.com/samratashok/nishang", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/Kevin-Robertson/Powermad", + "https://adsecurity.org/?p=2921", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/samratashok/nishang", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/HarmJ0y/DAMP", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/besimorhino/powercat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" ], "tags": [ @@ -76851,8 +76735,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://twitter.com/_st0pp3r_/status/1583914244344799235", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" ], @@ -76886,9 +76770,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/", + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml" ], "tags": [ @@ -77014,8 +76898,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml" ], "tags": [ @@ -77117,9 +77001,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels", + "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml" ], "tags": [ @@ -77293,8 +77177,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", - "https://twitter.com/mrd0x/status/1461041276514623491", "https://twitter.com/tccontre18/status/1480950986650832903", + "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml" ], "tags": [ @@ -77328,8 +77212,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", - "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml" ], "tags": [ @@ -77425,8 +77309,8 @@ "logsource.product": "windows", "refs": [ "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf", - "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml" ], "tags": [ @@ -77495,8 +77379,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" ], "tags": [ @@ -77704,8 +77588,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", "https://twitter.com/ShadowChasing1/status/1552595370961944576", + "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml" ], "tags": [ @@ -77771,9 +77655,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", + "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml" ], "tags": [ @@ -77794,7 +77678,7 @@ "value": "HH.EXE Execution" }, { - "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", + "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", "meta": { "author": "Sreeman", "creation_date": "2020/04/17", @@ -77806,6 +77690,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml" ], "tags": [ @@ -77823,7 +77708,7 @@ } ], "uuid": "4e762605-34a8-406d-b72e-c1a089313320", - "value": "Fake Instance Of Hxtsr.exe" + "value": "Potential Fake Instance Of Hxtsr.EXE Executed" }, { "description": "Detects port forwarding activity via SSH.exe", @@ -77888,9 +77773,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.gpg4win.de/documentation.html", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml" ], "tags": [ @@ -77913,10 +77798,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" ], "tags": [ @@ -77994,6 +77879,49 @@ "uuid": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", "value": "Persistence Via TypedPaths - CommandLine" }, + { + "description": "An adversary might use WMI to discover information about the system, such as the volume name, size,\nfree space, and other disk information. This can be done using the `wmic` command-line utility and has been\nobserved being used by threat actors such as Volt Typhoon.\n", + "meta": { + "author": "Stephen Lincoln `@slincoln-aiq`(AttackIQ)", + "creation_date": "2024/02/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_recon_volume.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml" + ], + "tags": [ + "attack.execution", + "attack.discovery", + "attack.t1047", + "attack.t1082" + ] + }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c79da740-5030-45ec-a2e0-479e824a562c", + "value": "System Disk And Volume Reconnaissance Via Wmic.EXE" + }, { "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", "meta": { @@ -78040,9 +77968,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://emkc.org/s/RJjuLa", "https://www.mandiant.com/resources/blog/lnk-between-browsers", "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml" ], "tags": [ @@ -78109,9 +78037,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", - "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", "https://github.com/jpillora/chisel/", + "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", + "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml" ], "tags": [ @@ -78144,8 +78072,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml" ], "tags": [ @@ -78211,11 +78139,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/980659399495741441", - "https://twitter.com/JohnLaTwC/status/1223292479270600706", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://twitter.com/bohops/status/980659399495741441", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ @@ -78282,117 +78210,6 @@ "uuid": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "value": "Execution of Suspicious File Type Extension" }, - { - "description": "Detects execution of Net.exe, whether suspicious or benign.", - "meta": { - "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", - "creation_date": "2019/01/16", - "falsepositive": [ - "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." - ], - "filename": "proc_creation_win_net_susp_execution.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", - "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", - "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", - "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1007", - "attack.t1049", - "attack.t1018", - "attack.t1135", - "attack.t1201", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1087.001", - "attack.t1087.002", - "attack.lateral_movement", - "attack.t1021.002", - "attack.s0039" - ] - }, - "related": [ - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", - "value": "Net.exe Execution" - }, { "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "meta": { @@ -78406,9 +78223,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], "tags": [ @@ -78441,10 +78258,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html", + "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode", "https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", - "https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior", + "https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml" ], "tags": [ @@ -78478,8 +78295,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/pabraeken/status/993298228840992768", - "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ @@ -78498,6 +78315,39 @@ "uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", "value": "Malicious Windows Script Components File Execution by TAEF Detection" }, + { + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/05/24", + "falsepositive": [ + "Other tools that work with encoded scripts in the command line instead of script files" + ], + "filename": "proc_creation_win_powershell_base64_encoded_cmd_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "value": "Suspicious PowerShell Encoded Command Patterns" + }, { "description": "Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.", "meta": { @@ -78637,8 +78487,8 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", - "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/binderlabs/DirCreate2System", + "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml" ], "tags": [ @@ -78735,9 +78585,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], "tags": [ @@ -78748,7 +78598,7 @@ "value": "Active Directory Structure Export Via Csvde.EXE" }, { - "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", + "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.\nWhen the job runs on the system the command specified in the BITS job will be executed.\nThis can be abused by actors to create a backdoor within the system and for persistence.\nIt will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.\n", "meta": { "author": "Sreeman", "creation_date": "2020/10/29", @@ -78760,9 +78610,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" ], "tags": [ @@ -78795,10 +78645,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535322450858233858", - "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", - "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", + "https://twitter.com/nas_bench/status/1535322450858233858", + "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" ], "tags": [ @@ -79038,8 +78888,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://twitter.com/Oddvarmoe/status/985518877076541440", + "https://lolbas-project.github.io/lolbas/Binaries/Print/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" ], "tags": [ @@ -79072,8 +78922,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1550836225652686848", "https://persistence-info.github.io/Data/windowsterminalprofile.html", + "https://twitter.com/nas_bench/status/1550836225652686848", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" ], "tags": [ @@ -79172,8 +79022,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml" ], "tags": [ @@ -79240,13 +79090,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://github.com/zcgonvh/NTDSDumpEx", "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://pentestlab.blog/tag/ntds-dit/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -79386,6 +79236,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://hatching.io/blog/powershell-analysis/", + "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html", + "https://lab52.io/blog/winter-vivern-all-summer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" ], "tags": [ @@ -79452,10 +79305,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", - "https://twitter.com/M_haggis/status/1699056847154725107", "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", + "https://twitter.com/M_haggis/status/1699056847154725107", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", + "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -79613,12 +79466,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", - "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", + "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", + "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior", "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", - "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", + "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml" ], "tags": [ @@ -79651,9 +79504,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_download.yml" ], "tags": [ @@ -79776,8 +79629,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace", "https://lolbas-project.github.io/lolbas/Binaries/Replace/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" ], "tags": [ @@ -79843,9 +79696,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml" ], "tags": [ @@ -79880,8 +79733,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://twitter.com/pabraeken/status/991335019833708544", + "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ @@ -79908,13 +79761,14 @@ "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "creation_date": "2019/10/24", "falsepositive": [ - "Legitimate OpenVPN TAP insntallation" + "Legitimate OpenVPN TAP installation" ], "filename": "proc_creation_win_tapinstall_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml" ], "tags": [ @@ -79980,9 +79834,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml" ], "tags": [ @@ -80015,12 +79869,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", - "https://www.attackiq.com/2023/09/20/emulating-rhysida/", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", - "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", + "https://www.attackiq.com/2023/09/20/emulating-rhysida/", + "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper", "https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior", + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml" ], "tags": [ @@ -80250,8 +80104,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" ], @@ -80419,11 +80273,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cloudflare/cloudflared", - "https://github.com/cloudflare/cloudflared/releases", - "https://www.intrinsec.com/akira_ransomware/", "https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/", + "https://github.com/cloudflare/cloudflared", + "https://www.intrinsec.com/akira_ransomware/", "https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/", + "https://github.com/cloudflare/cloudflared/releases", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml" ], "tags": [ @@ -80489,8 +80343,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://twitter.com/mrd0x/status/1463526834918854661", + "https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml" ], "tags": [ @@ -80589,8 +80443,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", "https://twitter.com/mrd0x/status/1465058133303246867", + "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml" ], "tags": [ @@ -80732,8 +80586,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], @@ -80994,8 +80848,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://www.echotrail.io/insights/search/msbuild.exe", + "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml" ], "tags": [ @@ -81019,9 +80873,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://ss64.com/bash/rar.html", "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml" ], "tags": [ @@ -81054,15 +80908,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.group-ib.com/blog/apt41-world-tour-2021/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" ], "tags": [ @@ -81144,8 +80998,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/netero1010/TrustedPath-UACBypass-BOF", - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ @@ -81178,8 +81032,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" ], "tags": [ @@ -81376,6 +81230,42 @@ "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "value": "Renamed ProcDump Execution" }, + { + "description": "Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.\nThis behavior has been observed in-the-wild by different threat actors.\n", + "meta": { + "author": "Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2024/02/05", + "falsepositive": [ + "Administrators building packages using iexpress.exe" + ], + "filename": "proc_creation_win_iexpress_susp_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", + "https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior", + "https://en.wikipedia.org/wiki/IExpress", + "https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b2b048b0-7857-4380-b0fb-d3f0ab820b71", + "value": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location" + }, { "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", "meta": { @@ -81422,8 +81312,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/harr0ey/status/992008180904419328", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", + "https://twitter.com/harr0ey/status/992008180904419328", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" ], "tags": [ @@ -81756,8 +81646,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://support.anydesk.com/Automatic_Deployment", "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", + "https://support.anydesk.com/Automatic_Deployment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml" ], "tags": [ @@ -81790,10 +81680,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", + "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", + "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ @@ -81826,8 +81716,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/rikvduijn/status/853251879320662017", "https://twitter.com/felixw3000/status/853354851128025088", + "https://twitter.com/rikvduijn/status/853251879320662017", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml" ], "tags": [ @@ -81937,8 +81827,8 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", + "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", "https://www.nextron-systems.com/?s=antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" ], @@ -82029,9 +81919,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424", "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797", + "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466", "https://www.nextron-systems.com/?s=antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml" ], @@ -82108,16 +81998,16 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", - "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", - "https://github.com/tennc/webshell", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", - "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ @@ -82150,11 +82040,11 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", - "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", - "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", + "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", + "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", + "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], @@ -82232,9 +82122,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://sec.okta.com/fastpassphishingdetection", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml" ], "tags": [ @@ -82267,12 +82157,14 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], - "tags": "No established tags" + "tags": [ + "attack.command_and_control" + ] }, "uuid": "5c82f0b9-3c6d-477f-a318-0e14a1df73e0", "value": "Okta Security Threat Detected" @@ -82324,8 +82216,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml" ], "tags": [ @@ -82358,8 +82250,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ @@ -82426,8 +82318,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ @@ -82450,8 +82342,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ @@ -82474,8 +82366,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ @@ -82498,8 +82390,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -82522,8 +82414,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ @@ -82546,8 +82438,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ @@ -82603,8 +82495,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ @@ -82628,8 +82520,8 @@ "logsource.product": "okta", "refs": [ "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", - "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", "https://developer.okta.com/docs/reference/api/system-log/", + "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml" ], "tags": [ @@ -82662,9 +82554,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ + "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/", "https://dataconomy.com/2023/10/23/okta-data-breach/", "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach", - "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml" ], "tags": [ @@ -82687,8 +82579,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ @@ -82711,8 +82603,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ @@ -82735,8 +82627,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ @@ -82773,8 +82665,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ @@ -82898,11 +82790,11 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://www.sygnia.co/golden-saml-advisory", - "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", - "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://o365blog.com/post/aadbackdoor/", + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://www.sygnia.co/golden-saml-advisory", + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml" ], "tags": [ @@ -83544,9 +83436,9 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], "tags": [ @@ -83583,8 +83475,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation", "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml" ], "tags": [ @@ -83770,11 +83662,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", - "https://github.com/elastic/detection-rules/pull/1267", - "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://github.com/elastic/detection-rules/pull/1267", "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" ], "tags": [ @@ -84119,8 +84011,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", "https://cloud.google.com/access-context-manager/docs/audit-logging", + "https://cloud.google.com/logging/docs/audit/understanding-audit-logs", "https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_access_policy_deleted.yml" ], @@ -84155,8 +84047,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml" ], "tags": [ @@ -84239,9 +84131,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml" ], "tags": [ @@ -84298,8 +84190,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml" ], "tags": [ @@ -84332,8 +84224,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml" ], "tags": [ @@ -84402,13 +84294,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -85251,8 +85143,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", + "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" ], @@ -85385,9 +85277,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ @@ -85544,6 +85436,7 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml" ], "tags": [ @@ -86226,8 +86119,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", "https://blooteem.com/march-2022", + "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml" ], "tags": [ @@ -86934,8 +86827,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml" ], "tags": [ @@ -87005,8 +86898,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml" ], "tags": [ @@ -87039,8 +86932,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml" ], "tags": [ @@ -87178,8 +87071,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml" ], "tags": [ @@ -87281,8 +87174,8 @@ "logsource.product": "azure", "refs": [ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" ], "tags": [ @@ -87318,8 +87211,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml" ], "tags": [ @@ -87355,8 +87248,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" ], "tags": [ @@ -87392,8 +87285,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml" ], "tags": [ @@ -88872,8 +88765,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml" ], "tags": [ @@ -89034,10 +88927,10 @@ "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -89409,10 +89302,10 @@ "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -89437,10 +89330,10 @@ "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" ], "tags": [ @@ -89533,10 +89426,10 @@ "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -89559,8 +89452,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml" ], "tags": [ @@ -89646,8 +89539,8 @@ "refs": [ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml" ], "tags": [ @@ -89684,10 +89577,10 @@ "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -89930,10 +89823,10 @@ "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" ], "tags": [ @@ -89959,10 +89852,10 @@ "logsource.product": "azure", "refs": [ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ @@ -89995,8 +89888,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", + "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml" ], "tags": [ @@ -90105,8 +89998,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://bad-jubies.github.io/RCE-NOW-WHAT/", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" ], "tags": [ @@ -90175,11 +90068,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/payloadbox/sql-injection-payload-list", "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", "https://brightsec.com/blog/sql-injection-payloads/", + "https://github.com/payloadbox/sql-injection-payload-list", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], "tags": [ @@ -90213,8 +90106,8 @@ "logsource.product": "No established product", "refs": [ "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", - "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", + "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml" ], "tags": [ @@ -90247,8 +90140,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", + "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml" ], "tags": [ @@ -90281,11 +90174,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", - "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", - "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", + "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", + "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ @@ -90322,8 +90215,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/payloadbox/xss-payload-list", + "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_xss_in_access_logs.yml" ], "tags": [ @@ -90391,8 +90284,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", + "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" ], @@ -90460,9 +90353,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://www.exploit-db.com/exploits/19525", "https://github.com/lijiejie/IIS_shortname_Scanner", "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", - "https://www.exploit-db.com/exploits/19525", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], "tags": [ @@ -90665,8 +90558,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", "https://twitter.com/jhencinski/status/1102695118455349248", + "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml" ], "tags": [ @@ -90778,8 +90671,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", + "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml" ], @@ -90990,9 +90883,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ @@ -91034,6 +90927,7 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml" ], "tags": [ @@ -91083,14 +90977,14 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", "https://perishablepress.com/blacklist/ua-2013.txt", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", + "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "https://twitter.com/crep1x/status/1635034100213112833", - "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", - "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], "tags": [ @@ -91124,8 +91018,8 @@ "logsource.product": "No established product", "refs": [ "https://blog.talosintelligence.com/ipfs-abuse/", - "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", + "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml" ], "tags": [ @@ -91158,6 +91052,7 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml" ], "tags": [ @@ -91201,8 +91096,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://rclone.org/", "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", + "https://rclone.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml" ], "tags": [ @@ -91269,8 +91164,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", + "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_cryptominer.yml" ], "tags": [ @@ -91303,6 +91198,7 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml" ], "tags": [ @@ -91404,8 +91300,8 @@ "logsource.product": "No established product", "refs": [ "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", - "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", + "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml" ], "tags": [ @@ -91522,8 +91418,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.advanced-port-scanner.com/", "https://www.advanced-ip-scanner.com/", + "https://www.advanced-port-scanner.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml" ], "tags": [ @@ -91589,8 +91485,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://www.spamhaus.org/statistics/tlds/", + "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" @@ -91642,8 +91538,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_cobalt_amazon.yml" ], "tags": [ @@ -91851,8 +91747,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml" ], "tags": [ @@ -92072,8 +91968,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462", + "https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_webdav_search_ms.yml" ], "tags": [ @@ -92148,8 +92044,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ @@ -92308,8 +92204,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/osacompile.html", "https://redcanary.com/blog/applescript/", + "https://ss64.com/osx/osacompile.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml" ], "tags": [ @@ -92343,8 +92239,8 @@ "logsource.product": "macos", "refs": [ "https://ss64.com/osx/csrutil.html", - "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://objective-see.org/blog/blog_0x6D.html", + "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_status.yml" ], @@ -92378,9 +92274,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/sw_vers.html", - "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", "https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior", + "https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior", + "https://ss64.com/osx/sw_vers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml" ], "tags": [ @@ -92414,8 +92310,8 @@ "logsource.product": "macos", "refs": [ "https://ss64.com/osx/csrutil.html", - "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://objective-see.org/blog/blog_0x6D.html", + "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml" ], @@ -92449,8 +92345,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ @@ -92525,10 +92421,10 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior", - "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", - "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", "https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior", + "https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior", + "https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml" ], "tags": [ @@ -92594,8 +92490,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", "https://redcanary.com/blog/applescript/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" ], "tags": [ @@ -92694,9 +92590,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/dsenableroot.html", - "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", + "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", + "https://ss64.com/osx/dsenableroot.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ @@ -92831,8 +92727,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/MythicAgents/typhon/", - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ @@ -92940,8 +92836,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://www.manpagez.com/man/8/PlistBuddy/", "https://redcanary.com/blog/clipping-silver-sparrows-wings/", + "https://www.manpagez.com/man/8/PlistBuddy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml" ], "tags": [ @@ -93024,8 +92920,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", - "https://linux.die.net/man/1/dd", "https://linux.die.net/man/1/truncate", + "https://linux.die.net/man/1/dd", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" ], "tags": [ @@ -93092,11 +92988,11 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ + "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af", "https://objective-see.org/blog/blog_0x62.html", "https://ss64.com/mac/system_profiler.html", - "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", - "https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af", "https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml" ], @@ -93979,8 +93875,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], @@ -94138,8 +94034,8 @@ "logsource.product": "macos", "refs": [ "https://github.com/MythicAgents/typhon/", - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ @@ -94196,13 +94092,15 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], - "tags": "No established tags" + "tags": [ + "attack.initial_access" + ] }, "uuid": "1a395cbc-a84a-463a-9086-ed8a70e573c7", "value": "Default Credentials Usage" @@ -94218,9 +94116,9 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], "tags": "No established tags" @@ -94241,12 +94139,14 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], - "tags": "No established tags" + "tags": [ + "attack.credential_access" + ] }, "uuid": "7e4bfe58-4a47-4709-828d-d86c78b7cc1f", "value": "Cleartext Protocol Usage Via Netflow" @@ -94448,8 +94348,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml" ], "tags": [ @@ -94679,8 +94579,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/1/xclip", "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", + "https://linux.die.net/man/1/xclip", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ @@ -94746,9 +94646,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", "https://linux.die.net/man/8/insmod", "https://man7.org/linux/man-pages/man8/kmod.8.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" ], "tags": [ @@ -94816,9 +94716,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://www.glitch-cat.com/p/green-lambert-and-attack", "https://objective-see.org/blog/blog_0x68.html", "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", - "https://www.glitch-cat.com/p/green-lambert-and-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml" ], "tags": [ @@ -94851,9 +94751,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://imagemagick.org/", "https://linux.die.net/man/1/import", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -94953,10 +94853,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://mn3m.info/posts/suid-vs-capabilities/", "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", - "https://man7.org/linux/man-pages/man8/getcap.8.html", - "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -95065,8 +94965,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "Self Experience", "https://github.com/Neo23x0/auditd/blob/master/audit.rules", + "Self Experience", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" ], "tags": [ @@ -95331,8 +95231,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/1/wget", "https://gtfobins.github.io/gtfobins/wget/", + "https://linux.die.net/man/1/wget", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" ], "tags": [ @@ -95465,8 +95365,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" ], "tags": [ @@ -95707,10 +95607,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/1/chage", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://man7.org/linux/man-pages/man1/passwd.1.html", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", + "https://linux.die.net/man/1/chage", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], "tags": [ @@ -95810,10 +95710,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://linux.die.net/man/8/pam_tty_audit", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], "tags": [ @@ -95920,9 +95820,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ @@ -95955,9 +95855,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://book.hacktricks.xyz/shells/shells/linux", "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ @@ -96114,8 +96014,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", "https://redcanary.com/blog/ebpf-malware/", + "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml" ], "tags": [ @@ -96238,6 +96138,7 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_log_entries.yml" ], "tags": [ @@ -96261,8 +96162,8 @@ "logsource.product": "linux", "refs": [ "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", - "https://linux.die.net/man/8/useradd", "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", + "https://linux.die.net/man/8/useradd", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml" ], "tags": [ @@ -96303,8 +96204,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/Immersive-Labs-Sec/nimbuspwn", "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", + "https://github.com/Immersive-Labs-Sec/nimbuspwn", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" ], "tags": [ @@ -96427,10 +96328,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "http://pastebin.com/FtygZ1cg", "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", - "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -96872,10 +96773,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], "tags": [ @@ -96909,10 +96810,10 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], "tags": [ @@ -97025,8 +96926,8 @@ "logsource.category": "file_event", "logsource.product": "linux", "refs": [ - "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml" ], "tags": [ @@ -97059,8 +96960,8 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" ], "tags": [ @@ -97270,10 +97171,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" ], "tags": [ @@ -97387,8 +97288,8 @@ "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/vimdiff/", - "https://gtfobins.github.io/gtfobins/rvim/", "https://gtfobins.github.io/gtfobins/vim/", + "https://gtfobins.github.io/gtfobins/rvim/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" ], "tags": [ @@ -97421,10 +97322,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], "tags": [ @@ -97522,10 +97423,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" ], "tags": [ @@ -97624,10 +97525,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxhint.com/uninstall-debian-packages/", - "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", - "https://linuxhint.com/uninstall_yum_package/", "https://sysdig.com/blog/mitre-defense-evasion-falco", + "https://linuxhint.com/uninstall_yum_package/", + "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", + "https://linuxhint.com/uninstall-debian-packages/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], "tags": [ @@ -97737,13 +97638,13 @@ "refs": [ "https://github.com/t3l3machus/Villain", "https://github.com/Ne0nd0g/merlin", - "https://github.com/t3l3machus/hoaxshell", "https://github.com/pathtofile/bad-bpf", - "https://github.com/carlospolop/PEASS-ng", + "https://github.com/1N3/Sn1per", "https://github.com/Gui774ume/ebpfkit", "https://github.com/HavocFramework/Havoc", + "https://github.com/carlospolop/PEASS-ng", + "https://github.com/t3l3machus/hoaxshell", "https://github.com/Pennyw0rth/NetExec/", - "https://github.com/1N3/Sn1per", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml" ], "tags": [ @@ -97844,8 +97745,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml" ], @@ -97983,8 +97884,8 @@ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://twitter.com/d1r4c/status/1279042657508081664", "https://curl.se/docs/manpage.html", + "https://twitter.com/d1r4c/status/1279042657508081664", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -98084,9 +97985,9 @@ "logsource.product": "linux", "refs": [ "https://linuxize.com/post/how-to-delete-group-in-linux/", - "https://linux.die.net/man/8/userdel", "https://www.cyberciti.biz/faq/linux-remove-user-command/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://linux.die.net/man/8/userdel", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ @@ -98152,9 +98053,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/projectdiscovery/naabu", "https://github.com/Tib3rius/AutoRecon", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/projectdiscovery/naabu", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml" ], "tags": [ @@ -98220,8 +98121,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/how-force-kill-process-linux/", "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", + "https://www.cyberciti.biz/faq/how-force-kill-process-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml" ], "tags": [ @@ -98287,8 +98188,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml" ], "tags": [ @@ -98412,9 +98313,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml" ], @@ -98438,10 +98339,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" ], "tags": [ @@ -98464,8 +98365,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml" ], "tags": [ @@ -98589,8 +98490,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", + "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" ], "tags": [ @@ -98656,8 +98557,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" ], "tags": [ @@ -98690,10 +98591,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" ], "tags": [ @@ -98726,8 +98627,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://bpftrace.org/", "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", + "https://bpftrace.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ @@ -98836,8 +98737,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/arget13/DDexec", "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", + "https://github.com/arget13/DDexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" ], "tags": [ @@ -98905,8 +98806,8 @@ "refs": [ "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://www.cyberciti.biz/faq/linux-remove-user-command/", - "https://linux.die.net/man/8/groupdel", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://linux.die.net/man/8/groupdel", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ @@ -98973,9 +98874,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://github.com/carlospolop/PEASS-ng", "https://github.com/diego-treitos/linux-smart-enumeration", "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", - "https://github.com/carlospolop/PEASS-ng", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], "tags": [ @@ -99075,8 +98976,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml" ], "tags": [ @@ -99117,8 +99018,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh", "https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/", + "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml" ], "tags": [ @@ -99151,8 +99052,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml" ], "tags": [ @@ -99227,8 +99128,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://linux.die.net/man/1/bash", + "https://www.revshells.com/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml" ], @@ -99252,8 +99153,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml" ], "tags": [ @@ -99309,9 +99210,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml" ], @@ -99387,8 +99288,8 @@ "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html", - "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", + "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml" ], "tags": [ @@ -99429,8 +99330,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml" ], "tags": [ @@ -99690,11 +99591,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.infosecademy.com/netcat-reverse-shells/", - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", - "https://www.revshells.com/", "https://man7.org/linux/man-pages/man1/ncat.1.html", + "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.infosecademy.com/netcat-reverse-shells/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" ], "tags": [ @@ -99727,9 +99628,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://gtfobins.github.io/gtfobins/nohup/", "https://en.wikipedia.org/wiki/Nohup", "https://www.computerhope.com/unix/unohup.htm", - "https://gtfobins.github.io/gtfobins/nohup/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": [ @@ -99818,8 +99719,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml" ], "tags": [ @@ -99876,8 +99777,8 @@ "logsource.product": "linux", "refs": [ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", - "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", + "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml" ], "tags": [ @@ -99986,9 +99887,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", - "https://bpftrace.org/", "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", + "https://bpftrace.org/", + "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml" ], "tags": [ @@ -100045,9 +99946,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/", "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan", - "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml" ], "tags": [ @@ -100139,8 +100040,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", + "https://blogs.blackberry.com/", "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], @@ -100174,10 +100075,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" ], "tags": [ @@ -100210,8 +100111,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://research.splunk.com/endpoint/linux_doas_tool_execution/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" ], "tags": [ @@ -100244,8 +100145,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" ], "tags": [ @@ -100378,8 +100279,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/apache/spark/pull/36315/files", "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://github.com/apache/spark/pull/36315/files", "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], @@ -100414,9 +100315,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], "tags": [ @@ -100449,10 +100350,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ + "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", + "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", - "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", - "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], "tags": [ @@ -100518,8 +100419,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/", + "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml" ], "tags": [ @@ -100597,5 +100498,5 @@ "value": "Security Software Discovery - Linux" } ], - "version": 20240128 + "version": 20240212 } diff --git a/clusters/stealer.json b/clusters/stealer.json index 1cb8de1..f268a30 100644 --- a/clusters/stealer.json +++ b/clusters/stealer.json @@ -223,7 +223,77 @@ }, "uuid": "0266302b-52d3-44da-ab63-a8a6f16de737", "value": "Sordeal-Stealer" + }, + { + "description": "Mars stealer is an improved successor of Oski Stealer, supporting stealing from current browsers and targeting crypto currencies and 2FA plugins. Mars Stealer written in ASM/C using WinApi, weight is 95 kb. Uses special techniques to hide WinApi calls, encrypts strings, collects information in the memory, supports secure SSL-connection with C&C, doesn’t use CRT, STD.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer", + "https://3xp0rt.com/posts/mars-stealer/", + "https://cyberint.com/blog/research/mars-stealer/", + "https://isc.sans.edu/diary/rss/28468", + "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468", + "https://blog.morphisec.com/threat-research-mars-stealer", + "https://cert.gov.ua/article/38606", + "https://www.malwarebytes.com/blog/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique", + "https://blog.sekoia.io/mars-a-red-hot-information-stealer/", + "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/", + "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer", + "https://resources.infosecinstitute.com/topics/malware-analysis/mars-stealer-malware-analysis/", + "https://www.microsoft.com/en-us/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/", + "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer", + "https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html", + "https://www.kelacyber.com/information-stealers-a-new-landscape/", + "https://cyble.com/blog/fake-atomic-wallet-website-distributing-mars-stealer/", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", + "https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view", + "https://threatmon.io/mars-stealer-malware-analysis-2022/", + "https://threatmon.io/storage/mars-stealer-malware-analysis-2022.pdf", + "https://3xp0rt.com/posts/mars-stealer/forum.png" + ] + }, + "related": [ + { + "dest-uuid": "54b61c7e-8ced-4b90-a295-62102bfd4f32", + "tags": [ + "estimative-language:likelihood-probability=\"very-likely\"" + ], + "type": "successor-of" + } + ], + "uuid": "64e51712-89d6-4c91-98ac-8907eafe98c6", + "value": "Mars Stealer" + }, + { + "description": "The Oski stealer is a malicious information stealer, which was first introduced in November 2019. As the name implies, the Oski stealer steals personal and sensitive information from its target. “Oski” is derived from an old Nordic word meaning Viking warrior, which is quite fitting considering this popular info-stealer is extremely effective at pillaging privileged information from its victims.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski", + "https://twitter.com/albertzsigovits/status/1160874557454131200", + "https://www.bitdefender.com/blog/labs/", + "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer", + "https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601", + "https://yoroi.company/en/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/", + "https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view", + "https://www.rapid7.com/solutions/unified-mdr-xdr-vm/", + "https://3xp0rt.com/posts/mars-stealer/", + "https://cyberint.com/blog/research/mars-stealer/", + "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468" + ] + }, + "uuid": "54b61c7e-8ced-4b90-a295-62102bfd4f32", + "value": "Oski Stealer" + }, + { + "description": "WARPWIRE is a JavaScript-based credential stealer", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ] + }, + "uuid": "b581b182-505a-4243-9569-c175513c4441", + "value": "WARPWIRE" } ], - "version": 13 + "version": 15 } diff --git a/clusters/surveillance-vendor.json b/clusters/surveillance-vendor.json index 6834234..ff058e6 100644 --- a/clusters/surveillance-vendor.json +++ b/clusters/surveillance-vendor.json @@ -33,8 +33,15 @@ "official-refs": [ "https://www.nsogroup.com/" ], + "products": [ + "PEGASUS" + ], "refs": [ "https://en.wikipedia.org/wiki/NSO_Group" + ], + "synonyms": [ + "Q-Cyber", + "Circles" ] }, "uuid": "49d8e89f-401d-4d3d-9155-5758a346a4a1", @@ -184,6 +191,9 @@ { "description": "Cytrox’s Israeli companies were founded in 2017 as Cytrox EMEA Ltd. and Cytrox Software Ltd. Perhaps taking a page from Candiru’s corporate obfuscation playbook, both of those companies were renamed in 2019 to Balinese Ltd. and Peterbald Ltd., respectively. We also observed one entity in Hungary, Cytrox Holdings Zrt, which was also formed in 2017.", "meta": { + "products": [ + "DevilsTongue" + ], "refs": [ "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/" ], @@ -201,10 +211,16 @@ { "description": "RCS Lab S.p.A., Italian vendor likely using Tykelab Srl as a front company.", "meta": { + "products": [ + "Hermit" + ], "refs": [ "https://www.rcslab.it/en/index.html", "https://www.lookout.com/blog/hermit-spyware-discovery", "https://www.vice.com/en/article/nz75wd/european-surveillance-companies-agt-rcs-sell-syria-tools-of-oppression" + ], + "synonyms": [ + "RCS Lab" ] }, "uuid": "28ed79b6-a11d-4e41-af80-ece8f0e0c2d3", @@ -236,6 +252,13 @@ { "description": "The Intellexa alliance is an evolving group of companies and brands that have been involved in developing and marketing a wide range of surveillance products including advanced spyware, mass surveillance platforms, and tactical systems for targeting and intercepting nearby devices. The corporate entities of the alliance span various jurisdictions, both within and outside the EU. The exact nature of links between these companies is shrouded in secrecy as corporate entities, and the structures between them, are constantly morphing, renaming, rebranding, and evolving.", "meta": { + "products": [ + "Nova", + "Triton", + "Helios", + "ALIEN", + "PREDATOR" + ], "refs": [ "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf", "https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/", @@ -369,6 +392,9 @@ "https://www.atlanticcouncil.org/wp-content/uploads/2021/11/Surveillance-Technology-at-the-Fair.pdf", "https://securityaffairs.com/125083/intelligence/nexa-technologies-indicted.html", "https://wearenexa.com/aboutus/" + ], + "synonyms": [ + "Nexa Technologies" ] }, "uuid": "eb6af48e-82ea-11ee-a4dc-325096b39f47", @@ -601,5 +627,5 @@ "value": "Raxir" } ], - "version": 4 + "version": 6 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 09c327c..836beb2 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -372,7 +372,8 @@ "TUNGSTEN BRIDGE", "T-APT-02", "G0012", - "ATK52" + "ATK52", + "Zigzag Hail" ] }, "related": [ @@ -1034,7 +1035,8 @@ "https://unit42.paloaltonetworks.com/atoms/granite-taurus", "https://www.mandiant.com/resources/insights/apt-groups", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new" ], "synonyms": [ "STONE PANDAD", @@ -1048,7 +1050,8 @@ "BRONZE RIVERSIDE", "ATK41", "G0045", - "Granite Taurus" + "Granite Taurus", + "TA429" ] }, "related": [ @@ -1160,7 +1163,8 @@ "BRONZE IDLEWOOD", "NICKEL", "G0004", - "Red Vulture" + "Red Vulture", + "Nylon Typhoon" ], "targeted-sector": [ "Government, Administration" @@ -1611,7 +1615,8 @@ "https://attack.mitre.org/groups/G0081/", "https://www.secureworks.com/research/threat-profiles/bronze-hobart", "https://www.mandiant.com/resources/insights/apt-groups", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html" ], "synonyms": [ "PIRATE PANDA", @@ -1619,7 +1624,8 @@ "Tropic Trooper", "BRONZE HOBART", "G0081", - "Red Orthrus" + "Red Orthrus", + "Earth Centaur" ], "targeted-sector": [ "Military", @@ -1931,7 +1937,8 @@ "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://www.cfr.org/interactive/cyber-operations/apt-33", "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", - "https://dragos.com/adversaries.html" + "https://dragos.com/adversaries.html", + "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" ], "synonyms": [ "APT 33", @@ -1941,7 +1948,9 @@ "HOLMIUM", "COBALT TRINITY", "G0064", - "ATK35" + "ATK35", + "Peach Sandstorm", + "TA451" ], "victimology": "Petrochemical, Aerospace, Saudi Arabia" }, @@ -2407,7 +2416,8 @@ "APT-C-20", "UAC-0028", "FROZENLAKE", - "Sofacy" + "Sofacy", + "Forest Blizzard" ], "targeted-sector": [ "Military", @@ -2636,7 +2646,8 @@ "ITG12", "Blue Python", "SUMMIT", - "UNC4210" + "UNC4210", + "Secret Blizzard" ], "targeted-sector": [ "Government, Administration", @@ -2731,7 +2742,8 @@ "ATK6", "ITG15", "BROMINE", - "Blue Kraken" + "Blue Kraken", + "Ghost Blizzard" ], "targeted-sector": [ "Energy" @@ -2813,7 +2825,8 @@ "IRIDIUM", "Blue Echidna", "FROZENBARENTS", - "UAC-0113" + "UAC-0113", + "Seashell Blizzard" ], "targeted-sector": [ "Electric", @@ -2910,7 +2923,8 @@ "https://threatintel.blog/OPBlueRaven-Part2/", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous", - "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape" + "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", + "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/" ], "synonyms": [ "CARBON SPIDER", @@ -2920,7 +2934,10 @@ "G0046", "G0008", "Coreid", - "Carbanak" + "Carbanak", + "Sangria Tempest", + "ELBRUS", + "Carbon Spider" ] }, "related": [ @@ -3082,11 +3099,13 @@ "value": "UNION SPIDER" }, { + "description": "Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.", "meta": { "attribution-confidence": "50", "country": "KP", "refs": [ - "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf" + "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf", + "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" ], "synonyms": [ "OperationTroy", @@ -3094,7 +3113,9 @@ "GOP", "WHOis Team", "Andariel", - "Subgroup: Andariel" + "Subgroup: Andariel", + "Onyx Sleet", + "PLUTONIUM" ] }, "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7", @@ -3196,7 +3217,10 @@ "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html", "https://attack.mitre.org/groups/G0082", - "https://attack.mitre.org/groups/G0032" + "https://attack.mitre.org/groups/G0032", + "https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/", + "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds", + "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists" ], "synonyms": [ "Operation DarkSeoul", @@ -3227,7 +3251,16 @@ "ATK3", "G0032", "ATK117", - "G0082" + "G0082", + "Citrine Sleet", + "DEV-0139", + "DEV-1222", + "Diamond Sleet", + "ZINC", + "Sapphire Sleet", + "COPERNICIUM", + "TA404", + "Lazarus group" ] }, "related": [ @@ -3447,7 +3480,9 @@ "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials", "https://s.tencent.com/research/report/669.html", "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", - "https://www.secureworks.com/research/threat-profiles/copper-fieldstone" + "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", + "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html", + "https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/" ], "synonyms": [ "C-Major", @@ -3458,7 +3493,8 @@ "APT 36", "TMP.Lapis", "Green Havildar", - "COPPER FIELDSTONE" + "COPPER FIELDSTONE", + "Earth Karkaddan" ], "targeted-sector": [ "Activists", @@ -3872,7 +3908,8 @@ "White Giant", "GOLD FRANKLIN", "ATK88", - "G0037" + "G0037", + "Camouflage Tempest" ] }, "related": [ @@ -3981,7 +4018,8 @@ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", "https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/", - "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/" + "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", + "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" ], "synonyms": [ "Twisted Kitten", @@ -3993,7 +4031,10 @@ "IRN2", "ATK40", "G0049", - "Evasive Serpens" + "Evasive Serpens", + "Hazel Sandstorm", + "EUROPIUM", + "TA452" ], "targeted-sector": [ "Chemical", @@ -4561,7 +4602,9 @@ "Shuckworm", "Trident Ursa", "UAC-0010", - "Winterflounder" + "Winterflounder", + "Aqua Blizzard", + "Actinium" ] }, "related": [ @@ -4831,7 +4874,8 @@ "TIN WOODLAWN", "BISMUTH", "ATK17", - "G0050" + "G0050", + "Canvas Cyclone" ], "targeted-sector": [ "Dissidents", @@ -5123,6 +5167,7 @@ "value": "Cyber Berkut" }, { + "description": "Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", @@ -5146,7 +5191,11 @@ "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", - "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" + "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", + "https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html", + "https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf", + "https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities" ], "synonyms": [ "CactusPete", @@ -5155,7 +5204,9 @@ "COPPER", "Red Beifang", "G0131", - "PLA Unit 65017" + "PLA Unit 65017", + "Earth Akhlut", + "TAG-74" ] }, "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26", @@ -5178,13 +5229,16 @@ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://www.mandiant.com/resources/insights/apt-groups", - "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi" + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", + "http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html" ], "synonyms": [ "KEYHOLE PANDA", "MANGANESE", "BRONZE FLEETWOOD", - "TEMP.Bottle" + "TEMP.Bottle", + "Mulberry Typhoon", + "Poisoned Flight" ], "targeted-sector": [ "Electronic", @@ -5559,7 +5613,10 @@ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report", - "https://asec.ahnlab.com/en/57873/" + "https://asec.ahnlab.com/en/57873/", + "https://asec.ahnlab.com/en/61082/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/", + "https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/" ], "synonyms": [ "Velvet Chollima", @@ -5567,7 +5624,9 @@ "Thallium", "Operation Stolen Pencil", "G0086", - "APT43" + "APT43", + "Emerald Sleet", + "THALLIUM" ], "targeted-sector": [ "Research - Innovation", @@ -6161,7 +6220,8 @@ "https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/", "https://attack.mitre.org/groups/G0069/", "http://www.secureworks.com/research/threat-profiles/cobalt-ulster", - "https://unit42.paloaltonetworks.com/atoms/boggyserpens/" + "https://unit42.paloaltonetworks.com/atoms/boggyserpens/", + "https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/" ], "synonyms": [ "TEMP.Zagros", @@ -6171,7 +6231,9 @@ "COBALT ULSTER", "G0069", "ATK51", - "Boggy Serpens" + "Boggy Serpens", + "Mango Sandstorm", + "TA450" ] }, "related": [ @@ -6384,7 +6446,8 @@ "Red Ladon", "ITG09", "MUDCARP", - "ISLANDDREAMS" + "ISLANDDREAMS", + "Gingham Typhoon" ] }, "related": [ @@ -6916,7 +6979,10 @@ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", - "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html" + "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html", + "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader", + "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european", + "https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/" ], "synonyms": [ "BRONZE PRESIDENT", @@ -6924,7 +6990,10 @@ "Red Lich", "TEMP.HEX", "BASIN", - "Earth Preta" + "Earth Preta", + "TA416", + "Stately Taurus", + "LuminousMoth" ] }, "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", @@ -7088,8 +7157,16 @@ { "description": "An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.", "meta": { + "country": "IR", "refs": [ - "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/" + "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/", + "https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html", + "https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/", + "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/" + ], + "synonyms": [ + "Bouncing Golf", + "APT-C-50" ] }, "uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee", @@ -7371,7 +7448,8 @@ "G0092", "ATK103", "Hive0065", - "CHIMBORAZO" + "CHIMBORAZO", + "Spandex Tempest" ] }, "related": [ @@ -7453,12 +7531,21 @@ "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users", "http://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf", - "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf" + "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf", + "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" ], "synonyms": [ "TEMP.MixMaster", "GOLD BLACKBURN", - "FIN12" + "FIN12", + "Periwinkle Tempest", + "DEV-0193", + "Storm-0193", + "Trickbot LLC", + "UNC2053", + "Pistachio Tempest", + "DEV-0237" ] }, "related": [ @@ -7562,7 +7649,8 @@ "REMIX KITTEN", "COBALT HICKMAN", "G0087", - "Radio Serpens" + "Radio Serpens", + "TA454" ] }, "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", @@ -7880,12 +7968,15 @@ "https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian", "https://www.secureworks.com/research/threat-profiles/cobalt-dickens", - "https://community.riskiq.com/article/44eb0802" + "https://community.riskiq.com/article/44eb0802", + "https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect" ], "synonyms": [ "COBALT DICKENS", "Mabna Institute", - "TA407" + "TA407", + "TA4900", + "Yellow Nabu" ] }, "uuid": "5059b44d-2753-4977-b987-4922f09afe6b", @@ -7920,13 +8011,17 @@ "https://www.mandiant.com/resources/insights/apt-groups", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists" ], "synonyms": [ "ZIRCONIUM", "JUDGMENT PANDA", "BRONZE VINEWOOD", - "Red keres" + "Red keres", + "Violet Typhoon", + "TA412", + "Zirconium" ] }, "related": [ @@ -8375,7 +8470,9 @@ "value": "TA428" }, { + "description": "Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.", "meta": { + "country": "IR", "refs": [ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", @@ -8387,7 +8484,8 @@ "COBALT LYCEUM", "HEXANE", "Spirlin", - "siamesekitten" + "siamesekitten", + "Storm-0133" ] }, "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", @@ -8646,18 +8744,23 @@ { "description": "Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).", "meta": { + "country": "RU", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://adversary.crowdstrike.com/adversary/twisted-spider/", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic", - "http://www.secureworks.com/research/threat-profiles/gold-village" + "http://www.secureworks.com/research/threat-profiles/gold-village", + "https://www.cysecurity.news/2023/12/twisted-spiders-dangerous-cactus.html" ], "synonyms": [ "Maze Team", "TWISTED SPIDER", - "GOLD VILLAGE" + "GOLD VILLAGE", + "Storm-0216", + "DEV-0216", + "Twisted Spider" ] }, "uuid": "39925aa0-c7bf-4b9b-97d6-7d600329453d", @@ -9055,15 +9158,18 @@ { "description": "GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.", "meta": { + "country": "CN", "refs": [ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://www.youtube.com/watch?v=fBFm2fiEPTg", "https://troopers.de/troopers22/talks/7cv8pz/", - "https://unit42.paloaltonetworks.com/atoms/alloytaurus/" + "https://unit42.paloaltonetworks.com/atoms/alloytaurus/", + "https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/" ], "synonyms": [ "Red Dev 4", - "Alloy Taurus" + "Alloy Taurus", + "Granite Typhoon" ] }, "related": [ @@ -9098,10 +9204,20 @@ "refs": [ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://securelist.com/deathstalker-mercenary-triumvirate/98177/", - "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/" + "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/", + "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.hivepro.com/wp-content/uploads/2022/08/Vulnerabilities-Threats-that-Matter-25th-to-31st-July.pdf", + "https://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2" ], "synonyms": [ - "DeathStalker" + "DeathStalker", + "TA4563", + "EvilNum", + "Jointworm", + "KNOCKOUT SPIDER" ] }, "uuid": "b6f3150f-2240-4c57-9dda-5144c5077058", @@ -9125,7 +9241,9 @@ "synonyms": [ "PIONEER KITTEN", "PARISITE", - "UNC757" + "UNC757", + "Lemon Sandstorm", + "RUBIDIUM" ] }, "related": [ @@ -9253,13 +9371,16 @@ "https://github.com/fireeye/sunburst_countermeasures", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware", "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html", - "https://unit42.paloaltonetworks.com/atoms/solarphoenix/" + "https://unit42.paloaltonetworks.com/atoms/solarphoenix/", + "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/", + "https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/" ], "synonyms": [ "DarkHalo", "StellarParticle", "NOBELIUM", - "Solar Phoenix" + "Solar Phoenix", + "Midnight Blizzard" ] }, "related": [ @@ -9360,7 +9481,8 @@ "ATK233", "G0125", "Operation Exchange Marauder", - "Red Dev 13" + "Red Dev 13", + "Silk Typhoon" ] }, "related": [ @@ -9420,7 +9542,9 @@ "synonyms": [ "UNC1151", "TA445", - "PUSHCHA" + "PUSHCHA", + "Storm-0257", + "DEV-0257" ] }, "related": [ @@ -9504,16 +9628,6 @@ "uuid": "3570552c-c46f-428e-9472-744a14e6ece7", "value": "GOLD DUPONT" }, - { - "description": "KNOCKOUT SPIDER has conducted low-volume spear-phishing campaigns focused on companies involved in cryptocurrency.", - "meta": { - "refs": [ - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" - ] - }, - "uuid": "0fb7b53a-77d5-44c5-b500-1d612f262172", - "value": "KNOCKOUT SPIDER" - }, { "description": "SOLAR SPIDER’s phishing campaigns deliver the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia and Southeast Asia.", "meta": { @@ -10042,7 +10156,9 @@ "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "synonyms": [ - "Moses Staff" + "Moses Staff", + "Marigold Sandstorm", + "DEV-0500" ] }, "related": [ @@ -10100,7 +10216,8 @@ "synonyms": [ "LAPSUS$", "DEV-0537", - "SLIPPY SPIDER" + "SLIPPY SPIDER", + "Strawberry Tempest" ] }, "related": [ @@ -10195,6 +10312,7 @@ { "description": "A group targeting UA state organizations using the GraphSteel and GrimPlant malware.", "meta": { + "country": "RU", "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel", "https://cert.gov.ua/article/38374", @@ -10203,7 +10321,8 @@ "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://unit42.paloaltonetworks.com/atoms/nascentursa/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer", - "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/" + "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" ], "synonyms": [ "UNC2589", @@ -10211,7 +10330,10 @@ "UAC-0056", "Nascent Ursa", "Nodaria", - "FROZENVISTA" + "FROZENVISTA", + "Storm-0587", + "DEV-0587", + "Saint Bear" ] }, "uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f", @@ -10412,7 +10534,11 @@ "cfr-type-of-incident": "Espionage", "country": "LB", "refs": [ - "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" + "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/", + "https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements" + ], + "synonyms": [ + "Plaid Rain" ] }, "related": [ @@ -10458,13 +10584,16 @@ "Ukraine" ], "cfr-type-of-incident": "Sabotage", + "country": "RU", "refs": [ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", - "https://unit42.paloaltonetworks.com/atoms/ruinousursa/" + "https://unit42.paloaltonetworks.com/atoms/ruinousursa/", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" ], "synonyms": [ - "Ruinous Ursa" + "Ruinous Ursa", + "Cadet Blizzard" ] }, "related": [ @@ -10520,7 +10649,12 @@ "https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt", "https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt", "https://www.youtube.com/watch?v=QXGO4RJaUPQ", - "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf" + "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", + "https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/", + "https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html" + ], + "synonyms": [ + "GamblingPuppet" ] }, "uuid": "9d82077b-7e95-4b22-8762-3224797ff5f0", @@ -10580,7 +10714,8 @@ "BRONZE UNIVERSITY", "AQUATIC PANDA", "Red Dev 10", - "RedHotel" + "RedHotel", + "Charcoal Typhoon" ] }, "related": [ @@ -10716,11 +10851,17 @@ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation", "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", - "https://twitter.com/cglyer/status/1480734487000453121" + "https://twitter.com/cglyer/status/1480734487000453121", + "https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group", + "https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/", + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader" ], "synonyms": [ "SLIME34", - "DEV-0401" + "DEV-0401", + "Cinnamon Tempest", + "Emperor Dragonfly" ] }, "related": [ @@ -10979,6 +11120,9 @@ "meta": { "refs": [ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" + ], + "synonyms": [ + "Wine Tempest" ] }, "related": [ @@ -12170,7 +12314,9 @@ "Scattered Swine", "Scatter Swine", "Octo Tempest", - "0ktapus" + "0ktapus", + "Storm-0971", + "DEV-0971" ] }, "uuid": "3b238f3a-c67a-4a9e-b474-dc3897e00129", @@ -12960,7 +13106,11 @@ "meta": { "refs": [ "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/", - "https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/" + "https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/", + "https://www.redpacketsecurity.com/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/?utm_source=rss&utm_medium=rss&utm_campaign=operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links" + ], + "synonyms": [ + "Operation Poisoned News" ] }, "uuid": "533af03d-e160-4312-a92f-0500055f2b56", @@ -13171,6 +13321,10 @@ "country": "IR", "refs": [ "https://twitter.com/CyberAmyHB/status/1532398956918890500" + ], + "synonyms": [ + "Smoke Sandstorm", + "BOHRIUM" ] }, "uuid": "111efc97-6a93-487b-8cb3-1e890ac51066", @@ -13487,7 +13641,8 @@ "https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/" ], "synonyms": [ - "DEV-0322" + "DEV-0322", + "Circle Typhoon" ] }, "uuid": "aca6b3d2-1c3b-4674-9de8-975e35723bcf", @@ -14035,7 +14190,15 @@ "meta": { "country": "CN", "refs": [ - "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" + "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/", + "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", + "https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/", + "https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/", + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ], + "synonyms": [ + "UNC5221" ] }, "uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3", @@ -14113,7 +14276,733 @@ }, "uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb", "value": "Cotton Sandstorm" + }, + { + "description": "Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operations targeting individuals and companies in China, Japan, and the United Kingdom. Blackwood utilizes sophisticated techniques such as adversary-in-the-middle attacks to deliver their custom implant, NSPX30, through updates of legitimate software. They also have the capability to hide the location of their command and control servers by intercepting traffic generated by the implant.", + "meta": { + "country": "CN", + "refs": [ + "https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/", + "https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/" + ] + }, + "uuid": "46e26e5c-ad74-45aa-a654-1afef67f4566", + "value": "Blackwood" + }, + { + "description": "Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the Austrian spyware distributor DSIRF.", + "meta": { + "country": "AT", + "refs": [ + "https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation", + "https://socradar.io/threats-of-commercialized-malware-knotweed/", + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/" + ], + "synonyms": [ + "KNOTWEED", + "DSIRF" + ] + }, + "uuid": "79a347d9-1938-4550-8836-98e4ed95f77c", + "value": "Denim Tsunami" + }, + { + "description": "Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube. They target individuals in various industries, including human rights, finance, and consulting. Blue Tsunami engages in social engineering and uses techniques such as honeypot profiles, fake jobs, and fake companies to gather human intelligence for their clients. LinkedIn and Microsoft recently took down numerous fake accounts and company pages linked to Blue Tsunami.", + "meta": { + "country": "IL", + "refs": [ + "https://precisionpconline.com/a-unified-front-against-cyber-mercenaries/", + "https://www.microsoft.com/en-us/security/blog/2023/11/09/microsoft-shares-threat-intelligence-at-cyberwarcon-2023/" + ], + "synonyms": [ + "Black Cube" + ] + }, + "uuid": "46104ded-49f5-4440-bd25-e05c1126f0ba", + "value": "Blue Tsunami" + }, + { + "description": "Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the company's network and used it to compromise downstream customers in the defense, energy, and legal sectors in Israel. The group also utilized custom implants, including a remote access Trojan disguised as RuntimeBroker.exe or svchost.exe, to establish persistence on victim hosts.", + "meta": { + "country": "IR", + "refs": [ + "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/" + ], + "synonyms": [ + "DEV-0228" + ] + }, + "uuid": "a4004712-f74b-4c8c-b1fb-bb7229bc2da1", + "value": "Cuboid Sandstorm" + }, + { + "description": "Pearl Sleet is a nation state activity group based in North Korea that has been active since at least 2012. They primarily target defectors from North Korea, media organizations in carrying out their cyber espionage activities.", + "meta": { + "country": "KP", + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431" + ], + "synonyms": [ + "DEV-0215", + "LAWRENCIUM" + ] + }, + "uuid": "ef0d776a-51de-4965-ba1c-69ed256e0e5d", + "value": "Pearl Sleet" + }, + { + "description": "Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream. QuaDream sells a platform called REIGN to governments for law enforcement purposes, which includes exploits, malware, and infrastructure for data exfiltration from mobile devices. Carmine Tsunami is associated with the iOS malware called KingsPawn and has targeted civil society victims, including journalists, political opposition figures, and NGO workers, in various regions. They utilize domain registrars and inexpensive cloud hosting providers, often using single domains per IP address and deploying free Let's Encrypt SSL certificates.", + "meta": { + "country": "IL", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/", + "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/" + ], + "synonyms": [ + "DEV-0196", + "QuaDream" + ] + }, + "uuid": "fa76ce6a-f434-4d4a-817f-c4bd0a3f803c", + "value": "Carmine Tsunami" + }, + { + "description": "Mustard Tempest is a threat actor that primarily uses malvertising as their main technique to gain access to and profile networks. They deploy FakeUpdates, disguised as browser updates or software packages, to lure targets into downloading a ZIP file containing a JavaScript file. Once executed, the JavaScript framework acts as a loader for other malware campaigns, often Cobalt Strike payloads. Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp, and has been involved in ransomware attacks using payloads such as WastedLocker, PhoenixLocker, and Macaw.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + ], + "synonyms": [ + "DEV-0206", + "Purple Vallhund" + ] + }, + "uuid": "3ce9610b-2435-4c41-80d1-3f95a5ff2984", + "value": "Mustard Tempest" + }, + { + "description": "UNC4990 is a financially motivated threat actor that has been active since at least 2020. They primarily target users in Italy and rely on USB devices for initial infection. The group has evolved their tactics over time, using encoded text files on popular websites like GitHub and Vimeo to host payloads. They have been observed using sophisticated backdoors like QUIETBOARD and EMPTYSPACE, and have targeted organizations in various industries, particularly in Italy.", + "meta": { + "country": "IT", + "refs": [ + "https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware" + ] + }, + "uuid": "7db46444-2d27-4922-8a21-98f8509476dc", + "value": "UNC4990" + }, + { + "description": "Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.", + "meta": { + "refs": [ + "https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/", + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/", + "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/", + "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", + "https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/" + ], + "synonyms": [ + "SOURGUM", + "Candiru" + ] + }, + "uuid": "062938a2-6fa1-4217-ad73-f5e0b5186966", + "value": "Caramel Tsunami" + }, + { + "description": "Storm-0867 is a threat actor that has been active since 2012 and has targeted various industries and regions. They employ sophisticated phishing campaigns, utilizing social engineering techniques and a phishing as a service platform called Caffeine. Their attacks involve intercepting and manipulating communication between users and legitimate services, allowing them to steal passwords, hijack sign-in sessions, bypass multifactor authentication, and modify authentication methods.", + "meta": { + "country": "EG", + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/defender-experts-chronicles-a-deep-dive-into-storm-0867/ba-p/3911769" + ], + "synonyms": [ + "DEV-0867" + ] + }, + "uuid": "dc1d0202-8976-4d15-810d-4af0feff6af9", + "value": "Storm-0867" + }, + { + "description": "Velvet Tempest is a threat actor associated with the BlackCat ransomware group. They have been observed deploying multiple ransomware payloads, including BlackCat, and have targeted various industries such as energy, fashion, tobacco, IT, and manufacturing. Velvet Tempest relies on access brokers to gain network access and utilizes tools like Cobalt Strike Beacons and PsExec for lateral movement and payload staging. They exfiltrate stolen data using a tool called StealBit and frequently disable unprotected antivirus products.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" + ], + "synonyms": [ + "DEV-0504" + ] + }, + "uuid": "209b1452-7062-46f8-9037-3be5f7eda54f", + "value": "Velvet Tempest" + }, + { + "description": "DEV-0665 is a threat actor associated with the HermeticWiper attacks. Their objective is to disrupt, degrade, and destroy specific resources within a targeted country.", + "meta": { + "country": "RU", + "refs": [ + "https://twitter.com/ESETresearch/status/1503436420886712321", + "https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html" + ], + "synonyms": [ + "DEV-0665" + ] + }, + "uuid": "9c0f0db1-b773-42ff-a6f7-d4b6c1d28ca4", + "value": "Sunglow Blizzard" + }, + { + "description": "Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation", + "https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2", + "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/" + ], + "synonyms": [ + "DEV-0832", + "Vice Society" + ] + }, + "uuid": "c4132d43-2405-43ca-9940-a6f78e007861", + "value": "Vanilla Tempest" + }, + { + "description": "Lilac Typhoon is a threat actor attributed to China. They have been identified as exploiting the Atlassian Confluence RCE vulnerability CVE-2022-26134, which allows for remote code execution. This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks. Lilac Typhoon has also been involved in deploying various payloads such as Cobalt Strike, web shells, botnets, coin miners, and ransomware.", + "meta": { + "country": "CN", + "refs": [ + "https://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/", + "https://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down", + "https://twitter.com/MsftSecIntel/status/1535417776290111489" + ], + "synonyms": [ + "DEV-0234" + ] + }, + "uuid": "b80be7a7-6d06-4da7-8ae0-302a198e7c73", + "value": "Lilac Typhoon" + }, + { + "description": "Ruby Sleet is a threat actor linked to North Korea's Ministry of State Security. Cerium has been involved in spear-phishing campaigns, compromising devices, and conducting cyberattacks alongside other North Korean threat actors. They have also targeted companies involved in COVID-19 research and vaccine development.", + "meta": { + "country": "KP", + "refs": [ + "https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/" + ], + "synonyms": [ + "CERIUM" + ] + }, + "uuid": "03ff54cf-f7d4-4606-a531-2ca6d4fa6a54", + "value": "Ruby Sleet" + }, + { + "description": "Microsoft has tracked Raspberry Typhoon (RADIUM) as the primary threat group targeting nations that ring the South China Sea. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms. Since January 2023, Raspberry Typhoon has been particularly persistent. When targeting government ministries or infrastructure, Raspberry Typhoon typically conducts intelligence collection and malware execution. In many countries, targets vary from defense and intelligence-related ministries to economic and trade-related ministries", + "meta": { + "country": "CN", + "refs": [ + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW" + ], + "synonyms": [ + "RADIUM" + ] + }, + "uuid": "37f012df-54d8-4b3d-a288-af47240430ea", + "value": "Raspberry Typhoon" + }, + { + "description": "Phlox Tempest is a threat actor responsible for a large-scale click fraud campaign targeting users through YouTube comments and malicious ads. They use ChromeLoader to infect victims' computers with malware, often delivered as ISO image files that victims are tricked into downloading. The attackers aim to profit from clicks generated by malicious browser extensions or node-WebKit installed on the victim's device. Microsoft and other cybersecurity organizations have issued warnings about this ongoing and prevalent campaign.", + "meta": { + "refs": [ + "https://twitter.com/MsftSecIntel/status/1570911625841983489" + ], + "synonyms": [ + "DEV-0796" + ] + }, + "uuid": "dd012c50-4f4f-4485-ac52-294a341f03e5", + "value": "Phlox Tempest" + }, + { + "description": "Storm-1295 is a threat actor group that operates the Greatness phishing-as-a-service platform. They utilize synchronous relay servers to present targets with a replica of a sign-in page, resembling traditional phishing attacks. Their adversary-in-the-middle capability allows Storm-1295 to offer their services to other attackers. Active since mid-2022, Storm-1295 is tracked by Microsoft and is known for their involvement in the Greatness PhaaS platform.", + "meta": { + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-july-2023/ba-p/3860740", + "https://twitter.com/MsftSecIntel/status/1696273952870367320" + ], + "synonyms": [ + "DEV-1295" + ] + }, + "uuid": "5f485e47-18ad-4302-85a1-0a390fe90dc1", + "value": "Storm-1295" + }, + { + "description": "Storm-1167 is a threat actor tracked by Microsoft, known for their use of an AiTM phishing kit. They were responsible for launching an attack that led to Business Email Compromise activity.", + "meta": { + "country": "ID", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/" + ], + "synonyms": [ + "DEV-1167" + ] + }, + "uuid": "17fb8267-44a3-405b-b6b9-ba7fdeb56693", + "value": "Storm-1167" + }, + { + "description": "Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.", + "meta": { + "country": "KP", + "refs": [ + "https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/", + "https://paper.seebug.org/3031/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11", + "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/" + ], + "synonyms": [ + "OSMIUM", + "Konni" + ] + }, + "uuid": "5f71a9ea-511d-4fdd-9807-271ef613f488", + "value": "Opal Sleet" + }, + { + "description": "Storm-1044 has been identified as part of a cyber campaign in collaboration with Twisted Spider. They employ a strategic approach, targeting specific endpoints using an initial access trojan called DanaBot. Once they gain access, Storm-1044 initiates lateral movement through Remote Desktop Protocol sign-in attempts, passing control to Twisted Spider. Twisted Spider then compromises the endpoints by introducing the CACTUS ransomware. Microsoft has detected ongoing malvertising attacks involving Storm-1044, leading to the deployment of CACTUS ransomware.", + "meta": { + "refs": [ + "https://twitter.com/MsftSecIntel/status/1730383711437283757" + ], + "synonyms": [ + "DEV-1044" + ] + }, + "uuid": "5ec7a98e-9725-4f87-8a6e-91e2b4ba04ac", + "value": "Storm-1044" + }, + { + "description": "Agonizing Serpens is an Iranian-linked APT group that has been active since 2020. They are known for their destructive wiper and fake-ransomware attacks, primarily targeting Israeli organizations in the education and technology sectors. The group has strong connections to Iran's Ministry of Intelligence and Security and has been observed using various tools and techniques to bypass security measures. They aim to steal sensitive information, including PII and intellectual property, and inflict damage by wiping endpoints.", + "meta": { + "country": "IR", + "refs": [ + "https://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/", + "https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/", + "https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/", + "https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors", + "https://www.enigmasoftware.com/moneybirdransomware-removal/", + "https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/" + ], + "synonyms": [ + "AMERICIUM", + "BlackShadow", + "DEV-0022", + "Agrius", + "Agonizing Serpens" + ] + }, + "uuid": "0876c327-c82a-45f7-82fa-267c312ceb05", + "value": "Pink Sandstorm" + }, + { + "description": "Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premise devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoor. The extent of their autonomy or collaboration with other Iranian threat actors is currently unclear.", + "meta": { + "country": "IR", + "refs": [ + "https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns", + "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/" + ], + "synonyms": [ + "DEV-1084" + ] + }, + "uuid": "2cc32087-f242-4091-8634-4554635b7a58", + "value": "Storm-1084" + }, + { + "description": "Storm-1099 is a sophisticated Russia-affiliated influence actor that has been conducting pro-Russia influence operations targeting international supporters of Ukraine since Spring 2022. They are known for their website forgery operation called \"Doppelganger\" and have been actively spreading false information. They have been involved in pushing the claim that Hamas acquired Ukrainian weapons for an attack on Israel. Storm-1099 has also been implicated in amplifying images of graffiti in Paris, suggesting possible Russian involvement and aligning with Russia's Active Measures playbook.", + "meta": { + "country": "RU", + "refs": [ + "https://blogs.microsoft.com/on-the-issues/2023/12/07/russia-ukraine-digital-threat-celebrity-cameo-mtac/" + ] + }, + "uuid": "b05a2a56-08dc-4827-9aef-aaade91016a4", + "value": "Storm-1099" + }, + { + "description": "Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/" + ] + }, + "uuid": "375988ab-91b9-419e-8646-a4783b931288", + "value": "Storm-1286" + }, + { + "description": "DEV-1101 is a threat actor tracked by Microsoft who is responsible for developing and advertising phishing kits, specifically AiTM phishing kits. These kits are capable of bypassing multifactor authentication and are available for purchase or rent by other cybercriminals. DEV-1101 offers an open-source kit with various enhancements, such as mobile device management and CAPTCHA evasion. Their tool has been used in high-volume phishing campaigns by multiple actors, including DEV-0928, and is sold for $300 with VIP licenses available for $1,000.", + "meta": { + "refs": [ + "http://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/" + ], + "synonyms": [ + "DEV-1101" + ] + }, + "uuid": "8081af2c-442f-4487-9cf7-022cbe010b8f", + "value": "Storm-1101" + }, + { + "description": "Storm-0381 is a threat actor identified by Microsoft as a Russian cybercrime group. They are known for their use of malvertising to deploy Magniber, a type of ransomware.", + "meta": { + "country": "RU", + "refs": [ + "https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023" + ], + "synonyms": [ + "DEV-0381" + ] + }, + "uuid": "874860fe-5aee-4c94-aee1-2166c225c41e", + "value": "Storm-0381" + }, + { + "description": "H0lyGh0st is a North Korean threat actor that has been active since June 2021. They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs \"double extortion\" tactics, encrypting data and threatening to publish it if the ransom is not paid. There are connections between H0lyGh0st and the PLUTONIUM APT group, indicating a possible affiliation.", + "meta": { + "country": "KP", + "refs": [ + "https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a", + "https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware", + "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/", + "https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware" + ], + "synonyms": [ + "DEV-0530", + "H0lyGh0st" + ] + }, + "uuid": "47945864-c233-46e7-8b96-b427b97b0ebf", + "value": "Storm-0530" + }, + { + "description": "Storm-0539 is a financially motivated threat actor that has been active since at least 2021. They primarily target retail organizations for gift card fraud and theft. Their tactics include phishing via emails or SMS to distribute malicious links that redirect users to phishing pages designed to steal credentials and session tokens. Once access is gained, Storm-0539 registers a device for secondary authentication prompts, bypassing multi-factor authentication and gaining persistence in the environment. They also collect emails, contact lists, and network configurations for further attacks against the same organizations.", + "meta": { + "refs": [ + "https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/", + "https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-november-2023/ba-p/3970796" + ] + }, + "uuid": "760b350c-522e-432d-80c5-7aab0eaf8873", + "value": "Storm-0539" + }, + { + "description": "Storm-1152, a cybercriminal group, was recently taken down by Microsoft for illegally reselling Outlook accounts. They operated by creating approximately 750 million fraudulent Microsoft accounts and earned millions of dollars in illicit revenue. Storm-1152 also offered CAPTCHA-solving services and was connected to ransomware and extortion groups. Microsoft obtained a court order to seize their infrastructure and domains, disrupting their operations.", + "meta": { + "country": "VN", + "refs": [ + "https://securityboulevard.com/2023/12/microsoft-storm-1152-crackdown-stopping-threat-actors/", + "https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/" + ] + }, + "uuid": "e18dca82-0524-4338-9a66-e13e67c81ac4", + "value": "Storm-1152" + }, + { + "description": "Storm-1567 is the threat actor behind the Ransomware-as-a-Service Akira. They attacked Swedish organizations in March 2023. This ransomware utilizes the ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). Microsoft's Defender for Endpoint successfully blocked a large-scale hacking campaign carried out by Storm-1567, highlighting the effectiveness of their security solution.", + "meta": { + "refs": [ + "https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/", + "https://securelist.com/crimeware-report-fakesg-akira-amos/111483/", + "https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html", + "https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape", + "https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/" + ], + "synonyms": [ + "Akira" + ] + }, + "uuid": "3a912680-6f38-4fe7-9941-744f0e2280b3", + "value": "Storm-1567" + }, + { + "description": "Nwgen is a group that focuses on data exfiltration and ransomware activities. They have been found to share techniques with other threat groups such as Karakurt, Lapsus$, and Yanluowang. Nwgen has been observed carrying out attacks and deploying ransomware, encrypting files and demanding a ransom of $150,000 in Monero cryptocurrency for the decryption software.", + "meta": { + "refs": [ + "https://www.enigmasoftware.com/nwgenransomware-removal/", + "https://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/", + "https://readme.security/cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721", + "https://twitter.com/cglyer/status/1546297609215696897" + ], + "synonyms": [ + "DEV-0829", + "Nwgen Team" + ] + }, + "uuid": "3e595289-05b8-43fc-bd88-f8650436447f", + "value": "Storm-0829" + }, + { + "description": "Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/" + ] + }, + "uuid": "eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6", + "value": "Storm-1674" + }, + { + "description": "Cybercriminals have launched a phishing campaign targeting senior executives in U.S. firms, using the EvilProxy phishing toolkit for credential harvesting and account takeover attacks. This campaign, initiated in July 2023, primarily targets sectors such as banking, financial services, insurance, property management, real estate, and manufacturing. The attackers exploit an open redirection vulnerability on the job search platform \"indeed.com,\" redirecting victims to malicious phishing pages impersonating Microsoft. EvilProxy functions as a reverse proxy, intercepting credentials, two-factor authentication codes, and session cookies to hijack accounts. The threat actors, known as Storm-0835 by Microsoft, have hundreds of customers who pay monthly fees for their services, making attribution difficult. The attacks involve sending phishing emails with deceptive links to Indeed, redirecting victims to EvilProxy pages for credential harvesting.", + "meta": { + "refs": [ + "https://www.linkedin.com/pulse/cyber-criminals-using-evilproxy-phishing-kit-target-senior-soral/" + ] + }, + "uuid": "2da09284-be56-49cd-ad18-993a6eb17af2", + "value": "Storm-0835" + }, + { + "description": "Storm-1575 is a threat actor identified by Microsoft as being involved in phishing campaigns using the Dadsec platform. They utilize hundreds of Domain Generated Algorithm domains to host credential harvesting pages and target global organizations to steal Microsoft 365 credentials.", + "meta": { + "refs": [ + "https://www.bridewell.com/insights/blogs/detail/analysing-widespread-microsoft365-credential-harvesting-campaign", + "https://twitter.com/MsftSecIntel/status/1712936244987019704?lang=en" + ] + }, + "uuid": "2485a9cb-b41c-43bd-8b1c-c64e919c0a4e", + "value": "Storm-1575" + }, + { + "description": "Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The lures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent page. There they are prompted to grant a third-party application read-only user permissions to their O365 account via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account resources like the user’s contacts and mail. Requesting read-only permissions for such account resources could be used to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other accounts such as those at financial institutions. While organizations with global presence have received messages from this group, they appear to choose recipients who are likely Spanish speakers. \n\n", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/ta2552-uses-oauth-access-token-phishing-exploit-read-only-risks" + ] + }, + "uuid": "e9de47f0-3e68-465c-b91e-7a2b7371955c", + "value": "TA2552" + }, + { + "description": "TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy. They primarily focus on organizations in North America, Europe, and Southeast Asia. This threat actor impersonates Philippine government entities and uses themes related to the government to gain remote access to target computers. Their objectives include information gathering, installing follow-on malware, and engaging in business email compromise activities.", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread" + ], + "synonyms": [ + "Balikbayan Foxes" + ] + }, + "uuid": "625c3fb4-16fc-4992-9ff2-4fad869750ac", + "value": "TA2722" + }, + { + "description": "In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay. ", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages" + ] + }, + "uuid": "33bfb09d-c6f4-4403-b434-1d4d4733ec52", + "value": "TA2719" + }, + { + "description": "Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East. They have been involved in watering hole attacks, compromising high-profile websites to inject malicious JavaScript code. The group has been linked to another commercial spyware company called Candiru, suggesting they may utilize multiple spyware technologies. There are similarities in the infrastructure and tactics used by Karkadann in their campaigns.", + "meta": { + "refs": [ + "https://securelist.com/apt-trends-report-q2-2022/106995/", + "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/" + ], + "synonyms": [ + "Piwiks" + ] + }, + "uuid": "8146ba06-cef2-4a94-b26e-1a4041e04c7d", + "value": "Karkadann" + }, + { + "description": "Tomiris is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.", + "meta": { + "refs": [ + "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" + ] + }, + "uuid": "2f854548-1af0-4f55-acab-4f85ce9f162c", + "value": "Tomiris" + }, + { + "description": "ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.", + "meta": { + "country": "CN", + "refs": [ + "https://securelist.com/ksb-2019-review-of-the-year/95394/", + "https://securelist.com/apt-trends-report-q3-2019/94530/", + "https://securelist.com/apt-review-of-the-year/89117/" + ] + }, + "uuid": "07791d89-64b6-46df-9f67-ccde8c2cbb20", + "value": "ShaggyPanther" + }, + { + "description": "Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan. They rely on consistent TTPs, including payload and communication patterns, while occasionally incorporating new techniques such as geo-fencing and hiding executables within certificate files. Their tool of choice is AresRAT, which they deliver through platforms like Heroku and Dropbox. Recently, they have shifted their focus to government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine, and China.", + "meta": { + "refs": [ + "https://securelist.com/apt-trends-report-q1-2020/96826/", + "https://securelist.com/apt-trends-report-q1-2022/106351/" + ] + }, + "uuid": "0df34184-4ccf-4357-8e8e-e990058d2992", + "value": "Fishing Elephant" + }, + { + "description": "RevengeHotels is a targeted cybercrime campaign that has been active since 2015, primarily targeting hotels, hostels, and tourism companies. The threat actor uses remote access Trojan malware to infiltrate hotel front desks and steal credit card data from guests and travelers. The campaign has impacted hotels in multiple countries, including Brazil, Argentina, Chile, and Mexico. The threat actor employs social engineering techniques and sells credentials from infected systems to other cybercriminals for remote access.", + "meta": { + "refs": [ + "https://securelist.com/revengehotels/95229/" + ] + }, + "uuid": "083acee6-6969-4c74-80c2-5d442936aa97", + "value": "RevengeHotels" + }, + { + "description": "GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.", + "meta": { + "country": "CN", + "refs": [ + "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation", + "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/" + ] + }, + "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb", + "value": "GhostEmperor" + }, + { + "description": "Operation Triangulation is an ongoing APT campaign targeting iOS devices with zero-click iMessage exploits. The threat actor behind the campaign has been active since at least 2019 and continues to operate. The attack chain involves the delivery of a malicious iMessage attachment that launches a series of exploits, ultimately leading to the deployment of the TriangleDB implant. Kaspersky researchers have discovered and reported multiple vulnerabilities used in the campaign, with patches released by Apple.", + "meta": { + "refs": [ + "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/", + "https://securelist.com/operation-triangulation-catching-wild-triangle/110916/", + "https://securelist.com/triangulation-validators-modules/110847/", + "https://securelist.com/operation-triangulation/109842/" + ] + }, + "uuid": "220001c6-c976-4cad-a356-4d8c2dd2b1c1", + "value": "Operation Triangulation" + }, + { + "description": "Operation Ghoul is a profit-driven threat actor that targeted over 130 organizations in 30 countries, primarily in the industrial and engineering sectors. They employed high-quality social engineering techniques, such as spear-phishing emails disguised as payment advice from a UAE bank, to distribute malware. The group's main motivation is financial gain through the sale of stolen intellectual property and business intelligence, as well as attacks on banking accounts. Their attacks were effective, particularly against companies that were unprepared to detect them.", + "meta": { + "refs": [ + "https://securelist.com/kaspersky-security-bulletin-2016-executive-summary/76858/", + "https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/" + ] + }, + "uuid": "624cc006-1131-4e53-a53c-3958cfbe233f", + "value": "Operation Ghoul" + }, + { + "description": "CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. Their methods include spear-phishing, custom malware with anti-detection features, and potentially shared infrastructure with other actors.", + "meta": { + "country": "CN", + "refs": [ + "https://securelist.com/apt-review-of-the-year/89117/" + ] + }, + "uuid": "97f40858-1582-4a59-a990-866813982830", + "value": "CardinalLizard" + }, + { + "description": "Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar until a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. Kaspersky then expanded some of the findings on the group and provided insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victims machine. Kaspersky were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point.", + "meta": { + "country": "IR", + "refs": [ + "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" + ] + }, + "uuid": "f34962a4-a792-4f23-af23-a8bf0f053fcf", + "value": "Ferocious Kitten" + }, + { + "description": "The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organisations.", + "meta": { + "country": "CN", + "refs": [ + "https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-backdoor-on-us-government-commission-network", + "https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html" + ] + }, + "uuid": "3e9b98d9-0c61-4050-bafa-486622de0080", + "value": "Operation Red Signature" + }, + { + "description": "Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan. They use spearphishing emails with malicious attachments to gain initial access to their targets' systems. Earth Yako's objectives and patterns suggest a possible connection to a Chinese APT group, but conclusive proof of their nationality is lacking. They have been observed using various malware delivery methods and techniques, such as the use of Winword.exe for DLL Hijacking.", + "meta": { + "refs": [ + "https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html" + ], + "synonyms": [ + "Operation RestyLink", + "Enelink" + ] + }, + "uuid": "2875aff1-2a0f-4e82-ae42-607a3a74d129", + "value": "Earth Yako" + }, + { + "description": "What sets Urpage attacks apart is its targeting of InPage, a word processor for Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware, is what makes it more intriguing as it connects Urpage to these other known threats. Trend Micro covered the Delphi component in the context of the Confucius and Patchwork connection. They mentioned Urpage as a third unnamed threat actor connected to the two.", + "meta": { + "refs": [ + "https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html" + ] + }, + "uuid": "4e137d53-b9cf-4b9a-88c2-f29dd27ac302", + "value": "Urpage" + }, + { + "description": "Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. They primarily target customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has developed sophisticated malware, including a Mac alternative called Dok, to bypass two-factor authentication and hijack network traffic. They have also been observed using phishing emails to spread their malware. The group is believed to be Russian-speaking and has continuously improved their malicious codes over the years.", + "meta": { + "country": "RU", + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/" + ], + "synonyms": [ + "Retefe Gang", + "Retefe Group" + ] + }, + "uuid": "a1527821-fe84-44ec-ad29-8d3040463bc9", + "value": "Operation Emmental" + }, + { + "description": "TA2725 is a threat actor that has been tracked since March 2022. They primarily target organizations in Brazil and Mexico using Brazilian banking malware and phishing techniques. Recently, they have expanded their operations to also target victims in Spain and Mexico simultaneously. TA2725 typically uses GoDaddy virtual hosting for their URL redirector and hosts malicious files on legitimate cloud hosting providers like Amazon AWS, Google Cloud, or Microsoft Azure. They have been known to spoof legitimate companies, such as ÉSECÈ Group, to deceive their victims.", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/copacabana-barcelona-cross-continental-threat-brazilian-banking-malware" + ] + }, + "uuid": "1697dace-fe21-452c-acee-bef62fc5e386", + "value": "TA2725" + }, + { + "description": "Recent campaigns suggest Hamas-linked actors may be advancing their\nTTPs to include intricate social engineering lures specially crafted to\nappeal to a niche group of high value targets. In September 2023, a Palestine-based group likely linked to Hamas targeted Israeli software engineers\nusing an elaborate social engineering ruse that ultimately installed malware\nand stole cookies. The attackers, which Google’s Threat Analysis Group (TAG) tracks as BLACKATOM, posed as employees of legitimate companies\nand reached out via LinkedIn to invite targets to apply for software development freelance opportunities. Targets included software engineers in\nthe Israeli military, as well as Israel’s aerospace and defense industry", + "meta": { + "country": "PS", + "refs": [ + "https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf" + ] + }, + "uuid": "264687b8-82f4-43b5-b7bb-dc3e0b9246bc", + "value": "Blackatom" } ], - "version": 297 + "version": 300 } diff --git a/clusters/tool.json b/clusters/tool.json index 65d792e..4e4eaeb 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -9230,11 +9230,12 @@ "value": "metasploit" }, { - "description": "A swiss army knife for pentesting networks.", + "description": "A swiss army knife for pentesting networks. CRACKMAPEXEC is a post-exploitation tool against Microsoft Windows environments. It is recognized for its lateral movement capabilities.", "meta": { "refs": [ "https://github.com/byt3bl33d3r/CrackMapExec", - "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf" + "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf", + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" ], "synonyms": [], "type": [ @@ -10794,7 +10795,96 @@ ], "uuid": "cdd432b0-8899-4e7d-ad4a-b18741ade11d", "value": "RevClient" + }, + { + "description": "Colibri Loader is a piece of malware that first appeared on underground forums in August 2021 and was advertised to “people who have large volumes of traffic and lack of time to work out the material“. As it names suggests, it is meant to deliver and manage payloads onto infected computers.", + "meta": { + "refs": [ + "https://www.malwarebytes.com/blog/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique" + ] + }, + "related": [ + { + "dest-uuid": "64e51712-89d6-4c91-98ac-8907eafe98c6", + "tags": [ + "estimative-language:likelihood-probability=\"very-likely\"" + ], + "type": "delivers" + } + ], + "uuid": "63615901-dd49-4541-801f-327a6963c88b", + "value": "Colibri Loader" + }, + { + "description": "A mitigation bypass technique was recently identified that led to the deployment of a custom webshell tracked as BUSHWALK. Successful exploitation would bypass the initial mitigation provided by Ivanti on Jan. 10, 2024. At this time, Mandiant assesses the mitigation bypass activity is highly targeted, limited, and is distinct from the post-advisory mass exploitation activity. BUSHWALK is written in Perl and is embedded into a legitimate CS file, querymanifest.cgi. BUSHWALK provides a threat actor the ability to execute arbitrary commands or write files to a server. BUSHWALK executes its malicious Perl function, validateVersion, if the web request platform parameter is SafariiOS. It uses Base64 and RC4 to decode and decrypt the threat actor’s payload in the web request’s command parameter.", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ] + }, + "uuid": "0752d766-2c2a-43ce-aebd-6a4e214cd43c", + "value": "BUSHWALK" + }, + { + "description": "The original LIGHTWIRE webshell sample contains a simpler obfuscation routine. It will initialize an RC4 object and then immediately use the RC4 object to decrypt the issued command./nMandiant has identified an additional variant of the LIGHTWIRE web shell that inserts itself into a legitimate component of the VPN gateway, compcheckresult.cgi./nThe new sample utilizes the same GET parameters as the original LIGHTWIRE sample./nThe new variant of LIGHTWIRE features a different obfuscation routine. It first assigns a string scalar variable to $useCompOnly. Next, it will use the Perl tr operator to transform the string using a character-by-character translation. The key is then Base64-decoded and used to RC4 decrypt the incoming request. Finally, the issued command is executed by calling eval.", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ] + }, + "uuid": "5b9d5714-9eb9-4e3b-b437-26a9b50a633e", + "value": "LIGHTWIRE" + }, + { + "description": "CHAINLINE is a Python webshell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution./nCHAINLINE was identified in the CAV Python package in the following path: /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/health.py. This is the same Python package modified to support the WIREFIRE web shell./nUnlike WIREFIRE, which modifies an existing file, CHAINLINE creates a new file called health.py, which is not a legitimate filename in the CAV Python package. The existence of this filename or an associated compiled Python cache file may indicate the presence of CHAINLINE./nUNC5221 registered a new API resource path to support the access of CHAINLINE at the REST endpoint /api/v1/cav/client/health. This was accomplished by importing the maliciously created Health API resource and then calling the add_resource() class method on the FLASK-RESTful Api object within /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/__init__.py.", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ] + }, + "uuid": "87e353c6-e0e8-427a-b55f-61cbd2853c57", + "value": "CHAINLINE" + }, + { + "description": "FRAMESTING is a Python webshell embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution./nFRAMESTING was identified in the CAV Python package in the following path: /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py. Note that this is the same Python package modified to support the WIREFIRE and CHAINLINE web shells./nWhen installed, the threat actor can access FRAMESTING web shell at the REST endpoint /api/v1/cav/client/categories with a POST request. Note that the legitimate categories endpoint only accepts GET requests./nThe web shell employs two methods of accepting commands from an attacker. It first attempts to retrieve the command stored in the value of a cookie named DSID from the current HTTP request. If the cookie is not present or is not of the expected length, it will attempt to decompress zlib data within the request's POST data. Lastly, FRAMESTING will then pass the decrypted POST data into a Python exec() statement to dynamically execute additional Python code./nNote that DSID is also the name of a cookie used by Ivanti Connect Secure appliances for maintaining user VPN sessions. FRAMESTING likely uses the same cookie name to blend in with network traffic.", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ] + }, + "uuid": "a9470d3d-ecfd-408b-ba1e-f3ca65791e0d", + "value": "FRAMESTING" + }, + { + "description": "IMPACKET is a Python library that allows for interaction with various network protocols. It is particularly effective in environments that rely on Active Directory and related Microsoft Windows network services.", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ] + }, + "uuid": "7b02521e-422e-49a2-96fc-ad6c13057a6c", + "value": "IMPACKET" + }, + { + "description": "IODINE is a network traffic tunneler that allows for tunneling of IPv4 traffic over DNS.", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ] + }, + "uuid": "94ae63e7-7f92-4657-812c-2f27bf50ca21", + "value": "IODINE" + }, + { + "description": "ENUM4LINUX is a Linux Perl script for enumerating data from Windows and Samba hosts.", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" + ] + }, + "uuid": "c44c5c54-435a-453a-a128-43ca18b82c37", + "value": "ENUM4LINUX" } ], - "version": 171 + "version": 172 } diff --git a/galaxies/atrm.json b/galaxies/atrm.json index 6731d04..d56184e 100644 --- a/galaxies/atrm.json +++ b/galaxies/atrm.json @@ -9,12 +9,12 @@ "Privilege Escalation", "Persistence", "Credential Access", - "Exfiltration" + "Impact" ] }, "name": "Azure Threat Research Matrix", "namespace": "atrm", "type": "atrm", "uuid": "b541a056-154c-41e7-8a56-41db3f871c00", - "version": 1 + "version": 2 } diff --git a/tools/mkdocs/.gitignore b/tools/mkdocs/.gitignore new file mode 100644 index 0000000..027d2e0 --- /dev/null +++ b/tools/mkdocs/.gitignore @@ -0,0 +1,4 @@ +/site/docs/* +!/site/docs/01_attachements + +/site/site diff --git a/tools/mkdocs/REQUIREMENTS b/tools/mkdocs/REQUIREMENTS deleted file mode 100644 index f42f6c8..0000000 --- a/tools/mkdocs/REQUIREMENTS +++ /dev/null @@ -1,4 +0,0 @@ -validators - -mkdocs-git-committers-plugin -mkdocs-rss-plugin diff --git a/tools/mkdocs/build.sh b/tools/mkdocs/build.sh index 71ff4d3..b69a704 100644 --- a/tools/mkdocs/build.sh +++ b/tools/mkdocs/build.sh @@ -1,6 +1,21 @@ #!/bin/bash +requirements_path="requirements.txt" + +pip freeze > installed.txt +diff -u <(sort $requirements_path) <(sort installed.txt) + +if [ $? -eq 0 ]; then + echo "All dependencies are installed with correct versions." +else + echo "Dependencies missing or with incorrect versions. Please install all dependencies from $requirements_path into your environment." + rm installed.txt # Clean up + exit 1 +fi + +rm installed.txt # Clean up + python3 generator.py -cd site +cd ./site/ || exit mkdocs build rsync --include ".*" -v -rz --checksum site/ circl@cppz.circl.lu:/var/www/misp-galaxy.org diff --git a/tools/mkdocs/generator.py b/tools/mkdocs/generator.py index 93224fa..ceaa900 100644 --- a/tools/mkdocs/generator.py +++ b/tools/mkdocs/generator.py @@ -12,6 +12,7 @@ CLUSTER_PATH = "../../clusters" SITE_PATH = "./site/docs" GALAXY_PATH = "../../galaxies" + FILES_TO_IGNORE = [] # if you want to skip a specific cluster in the generation # Variables for statistics @@ -61,7 +62,10 @@ We encourage collaboration and contributions to the [MISP Galaxy JSON files](htt class Galaxy: - def __init__(self, cluster_list: List[dict], authors, description, name, json_file_name): + def __init__( + self, cluster_list: List[dict], authors, description, name, json_file_name + ): + self.cluster_list = cluster_list self.authors = authors self.description = description @@ -142,6 +146,7 @@ class Cluster: self.galaxie = galaxie self.related_clusters = [] + global public_clusters_dict if self.galaxie: public_clusters_dict[self.uuid] = self.galaxie @@ -296,6 +301,7 @@ class Cluster: related_clusters = [ cluster for cluster in related_clusters if cluster not in to_remove ] + self.related_clusters = related_clusters return related_clusters @@ -525,7 +531,7 @@ def main(): if not os.path.exists(SITE_PATH): os.mkdir(SITE_PATH) - for galaxy in galaxies[:7]: + for galaxy in galaxies: galaxy.write_entry(SITE_PATH, cluster_dict) index_output = create_index(galaxies) diff --git a/tools/mkdocs/requirements.txt b/tools/mkdocs/requirements.txt new file mode 100644 index 0000000..0ea1f28 --- /dev/null +++ b/tools/mkdocs/requirements.txt @@ -0,0 +1,48 @@ +Babel==2.14.0 +bracex==2.4 +certifi==2023.11.17 +cffi==1.16.0 +charset-normalizer==3.3.2 +click==8.1.7 +colorama==0.4.6 +cryptography==42.0.1 +Deprecated==1.2.14 +ghp-import==2.1.0 +gitdb==4.0.11 +GitPython==3.1.41 +graphviz==0.20.1 +idna==3.6 +Jinja2==3.1.3 +Markdown==3.5.2 +MarkupSafe==2.1.4 +mergedeep==1.3.4 +mkdocs==1.5.3 +mkdocs-awesome-pages-plugin==2.9.2 +mkdocs-git-committers-plugin==0.2.3 +mkdocs-material==9.5.6 +mkdocs-material-extensions==1.3.1 +mkdocs-rss-plugin==1.12.0 +natsort==8.4.0 +packaging==23.2 +paginate==0.5.6 +pathspec==0.12.1 +platformdirs==4.1.0 +pycparser==2.21 +PyGithub==2.2.0 +Pygments==2.17.2 +PyJWT==2.8.0 +pymdown-extensions==10.7 +PyNaCl==1.5.0 +python-dateutil==2.8.2 +PyYAML==6.0.1 +pyyaml_env_tag==0.1 +regex==2023.12.25 +requests==2.31.0 +six==1.16.0 +smmap==5.0.1 +typing_extensions==4.9.0 +urllib3==2.1.0 +validators==0.22.0 +watchdog==3.0.0 +wcmatch==8.5 +wrapt==1.16.0 diff --git a/tools/mkdocs/site/docs/01_attachements/javascripts/graph.js b/tools/mkdocs/site/docs/01_attachements/javascripts/graph.js new file mode 100644 index 0000000..7c55c5f --- /dev/null +++ b/tools/mkdocs/site/docs/01_attachements/javascripts/graph.js @@ -0,0 +1,313 @@ +document$.subscribe(function () { + + const NODE_RADIUS = 8; + const NODE_COLOR = "#69b3a2"; + const Parent_Node_COLOR = "#ff0000"; + + + function parseFilteredTable(tf, allData) { + var data = []; + tf.getFilteredData().forEach((row, i) => { + sourcePath = allData[row[0] - 2].sourcePath; + targetPath = allData[row[0] - 2].targetPath; + data.push({ + source: row[1][0], + sourcePath: sourcePath, + target: row[1][1], + targetPath: targetPath, + level: row[1][2] + }); + }); + return data; + } + + function parseTable(table) { + var data = []; + table.querySelectorAll("tr").forEach((row, i) => { + if (i > 1) { + var cells = row.querySelectorAll("td"); + var sourceAnchor = cells[0].querySelector("a"); + var sourcePath = sourceAnchor ? sourceAnchor.getAttribute("href") : null; + var targetAnchor = cells[1].querySelector("a"); + var targetPath = targetAnchor ? targetAnchor.getAttribute("href") : null; + data.push({ + source: cells[0].textContent, + target: cells[1].textContent, + sourcePath: sourcePath, + targetPath: targetPath, + level: cells[2].textContent + }); + } + }); + return data; + } + + function processNewData(newData) { + var nodePaths = {}; + newData.forEach(d => { + nodePaths[d.source] = d.sourcePath || null; + nodePaths[d.target] = d.targetPath || null; + }); + var newNodes = Array.from(new Set(newData.flatMap(d => [d.source, d.target]))) + .map(id => ({ + id, + path: nodePaths[id] + })); + + var newLinks = newData.map(d => ({ source: d.source, target: d.target })); + return { newNodes, newLinks }; + } + + function filterTableAndGraph(tf, simulation, data) { + var filteredData = parseFilteredTable(tf, data); + var { newNodes, newLinks } = processNewData(filteredData); + + simulation.update({ newNodes: newNodes, newLinks: newLinks }); + } + + function createForceDirectedGraph(data, elementId) { + var nodePaths = {}; + data.forEach(d => { + nodePaths[d.source] = d.sourcePath || null; + nodePaths[d.target] = d.targetPath || null; + }); + + var nodes = Array.from(new Set(data.flatMap(d => [d.source, d.target]))) + .map(id => ({ + id, + path: nodePaths[id] + })); + + var links = data.map(d => ({ source: d.source, target: d.target })); + + var tooltip = d3.select("body").append("div") + .attr("class", "tooltip") // Add relevant classes for styling + .style("opacity", 0); + + // Set up the dimensions of the graph + var width = 800, height = 1000; + + var svg = d3.select(elementId).append("svg") + .attr("width", width) + .attr("height", height); + + // Create a force simulation + linkDistance = Math.sqrt((width * height) / nodes.length); + + var simulation = d3.forceSimulation(nodes) + .force("link", d3.forceLink(links).id(d => d.id).distance(linkDistance)) + .force("charge", d3.forceManyBody().strength(-50)) + .force("center", d3.forceCenter(width / 2, height / 2)) + .alphaDecay(0.02); // A lower value, adjust as needed + + // Create links + var link = svg.append("g") + .attr("stroke", "#999") + .attr("stroke-opacity", 0.6) + .selectAll("line") + .data(links) + .enter().append("line") + .attr("stroke-width", d => Math.sqrt(d.value)); + + // Create nodes + var node = svg.append("g") + .attr("stroke", "#fff") + .attr("stroke-width", 1.5) + .selectAll("circle") + .data(nodes) + .enter().append("circle") + .attr("r", function (d, i) { + return i === 0 ? NODE_RADIUS + 5 : NODE_RADIUS; + }) + .attr("fill", function (d, i) { + return i === 0 ? Parent_Node_COLOR : NODE_COLOR; + }); + + // Apply tooltip on nodes + node.on("mouseover", function (event, d) { + tooltip.transition() + .duration(200) + .style("opacity", .9); + tooltip.html(d.id) + .style("left", (event.pageX) + "px") + .style("top", (event.pageY - 28) + "px"); + }) + .on("mousemove", function (event) { + tooltip.style("left", (event.pageX) + "px") + .style("top", (event.pageY - 28) + "px"); + }) + .on("mouseout", function (d) { + tooltip.transition() + .duration(500) + .style("opacity", 0); + }); + + // Apply links on nodes + node.on("dblclick", function (event, d) { + location.href = d.path; + }); + + // Define drag behavior + var drag = d3.drag() + .on("start", dragstarted) + .on("drag", dragged) + .on("end", dragended); + + // Apply drag behavior to nodes + node.call(drag); + + function dragstarted(event, d) { + if (!event.active) simulation.alphaTarget(0.3).restart(); + d.fx = d.x; + d.fy = d.y; + } + + function dragged(event, d) { + d.fx = event.x; + d.fy = event.y; + } + + function dragended(event, d) { + // Do not reset the fixed positions + if (!event.active) simulation.alphaTarget(0); + } + + // Update positions on each simulation 'tick' + simulation.on("tick", () => { + nodes.forEach(d => { + d.x = Math.max(NODE_RADIUS, Math.min(width - NODE_RADIUS, d.x)); + d.y = Math.max(NODE_RADIUS, Math.min(height - NODE_RADIUS, d.y)); + }); + link + .attr("x1", d => d.source.x) + .attr("y1", d => d.source.y) + .attr("x2", d => d.target.x) + .attr("y2", d => d.target.y); + + node + .attr("cx", d => d.x) + .attr("cy", d => d.y); + }); + + return Object.assign(svg.node(), { + update({ newNodes, newLinks }) { + const oldNodesMap = new Map(node.data().map(d => [d.id, d])); + nodes = newNodes.map(d => Object.assign(oldNodesMap.get(d.id) || {}, d)); + + // Update nodes with new data + node = node.data(nodes, d => d.id) + .join( + enter => enter.append("circle") + .attr("r", function (d, i) { + return i === 0 ? NODE_RADIUS + 5 : NODE_RADIUS; + }) + .attr("fill", function (d, i) { + return i === 0 ? Parent_Node_COLOR : NODE_COLOR; + }), + update => update, + exit => exit.remove() + ); + + node.call(drag); + + // Apply tooltip on nodes + node.on("mouseover", function (event, d) { + tooltip.transition() + .duration(200) + .style("opacity", .9); + tooltip.html(d.id) + .style("left", (event.pageX) + "px") + .style("top", (event.pageY - 28) + "px"); + }) + .on("mousemove", function (event) { + tooltip.style("left", (event.pageX) + "px") + .style("top", (event.pageY - 28) + "px"); + }) + .on("mouseout", function (d) { + tooltip.transition() + .duration(500) + .style("opacity", 0); + }); + + // Apply links on nodes + node.on("dblclick", function (event, d) { + console.log("Node: " + d.id); + console.log(d); + console.log("Source Path: " + d.sourcePath); + location.href = d.path; + }); + + // Process new links + const oldLinksMap = new Map(link.data().map(d => [`${d.source.id},${d.target.id}`, d])); + links = newLinks.map(d => Object.assign(oldLinksMap.get(`${d.source.id},${d.target.id}`) || {}, d)); + + // Update links with new data + link = link.data(links, d => `${d.source.id},${d.target.id}`) + .join( + enter => enter.append("line") + .attr("stroke-width", d => Math.sqrt(d.value)), + update => update, + exit => exit.remove() + ); + + // Restart the simulation with new data + simulation.nodes(nodes); + simulation.force("link").links(links); + simulation.alpha(1).restart(); + } + }); + } + + // Find all tables that have a th with the class .graph and generate Force-Directed Graphs + document.querySelectorAll("table").forEach((table, index) => { + var graphHeader = table.querySelector("th.graph"); + if (graphHeader) { + var tf = new TableFilter(table, { + base_path: "../../../../01_attachements/modules/tablefilter/", + highlight_keywords: true, + col_2: "checklist", + col_widths: ["350px", "350px", "100px"], + col_types: ["string", "string", "number"], + grid_layout: false, + responsive: false, + watermark: ["Filter table ...", "Filter table ..."], + auto_filter: { + delay: 100 //milliseconds + }, + filters_row_index: 1, + state: false, + rows_counter: true, + status_bar: true, + themes: [{ + name: "transparent", + }], + btn_reset: { + tooltip: "Reset", + toolbar_position: "right", + }, + toolbar: true, + extensions: [{ + name: "sort", + }, + { + name: 'filtersVisibility', + description: 'Sichtbarkeit der Filter', + toolbar_position: 'right', + }], + }); + + tf.init(); + var data = parseTable(table); + var graphId = "graph" + index; + var div = document.createElement("div"); + div.id = graphId; + table.parentNode.insertBefore(div, table); + var simulation = createForceDirectedGraph(data, "#" + graphId); + + // Listen for table filtering events + tf.emitter.on(['after-filtering'], function () { + filterTableAndGraph(tf, simulation, data); + }); + } + }); +}); diff --git a/tools/mkdocs/site/docs/01_attachements/javascripts/statistics.js b/tools/mkdocs/site/docs/01_attachements/javascripts/statistics.js new file mode 100644 index 0000000..eb3c1d3 --- /dev/null +++ b/tools/mkdocs/site/docs/01_attachements/javascripts/statistics.js @@ -0,0 +1,168 @@ +document$.subscribe(function () { + + function parseTable(table) { + var data = []; + table.querySelectorAll("tr").forEach((row, i) => { + if (i > 0) { + var cells = row.querySelectorAll("td"); + data.push({ name: cells[1].textContent, value: Number(cells[2].textContent) }); + } + }); + return data; + } + + function createPieChart(data, elementId) { + // Set up the dimensions of the graph + var width = 500, height = 500; + + // Append SVG for the graph + var svg = d3.select(elementId).append("svg") + .attr("width", width) + .attr("height", height); + + // Set up the dimensions of the graph + var radius = Math.min(width, height) / 2 - 20; + + // Append a group to the SVG + var g = svg.append("g") + .attr("transform", "translate(" + width / 2 + "," + height / 2 + ")"); + + // Set up the color scale + var color = d3.scaleOrdinal() + .domain(data.map(d => d.name)) + .range(d3.quantize(t => d3.interpolateSpectral(t * 0.8 + 0.1), data.length).reverse()); + + // Compute the position of each group on the pie + var pie = d3.pie() + .value(d => d.value); + var data_ready = pie(data); + + // Build the pie chart + g.selectAll('whatever') + .data(data_ready) + .enter() + .append('path') + .attr('d', d3.arc() + .innerRadius(0) + .outerRadius(radius) + ) + .attr('fill', d => color(d.data.name)) + .attr("stroke", "black") + .style("stroke-width", "2px") + .style("opacity", 0.7); + + // Add labels + g.selectAll('whatever') + .data(data_ready) + .enter() + .append('text') + .text(d => d.data.name) + .attr("transform", d => "translate(" + d3.arc().innerRadius(0).outerRadius(radius).centroid(d) + ")") + .style("text-anchor", "middle") + .style("font-size", 17); + } + + function createBarChart(data, elementId, mode) { + // Set up the dimensions of the graph + var svgWidth = 1000, svgHeight = 1000; + var margin = { top: 20, right: 200, bottom: 350, left: 60 }, // Increase bottom margin for x-axis labels + width = svgWidth - margin.left - margin.right, + height = svgHeight - margin.top - margin.bottom; + + // Append SVG for the graph + var svg = d3.select(elementId).append("svg") + .attr("width", svgWidth) + .attr("height", svgHeight) + .append("g") + .attr("transform", "translate(" + margin.left + "," + margin.top + ")"); + + // Set up the scales + var x = d3.scaleBand() + .range([0, width]) + .padding(0.2) + .domain(data.map(d => d.name)); + + var maxYValue = d3.max(data, d => d.value); + if (mode == "log") { + var minYValue = d3.min(data, d => d.value); + if (minYValue <= 0) { + console.error("Logarithmic scale requires strictly positive values"); + return; + } + } + var y = mode == "log" ? d3.scaleLog().range([height, 0]).domain([1, maxYValue]) : d3.scaleLinear().range([height, 0]).domain([0, maxYValue + maxYValue * 0.1]); + + // Set up the color scale + var color = d3.scaleOrdinal() + .range(d3.schemeCategory10); + + // Set up the axes + var xAxis = d3.axisBottom(x) + .tickSize(0) + .tickPadding(6); + + var yAxis = d3.axisLeft(y); + + // Add the bars + svg.selectAll(".bar") + .data(data) + .enter().append("rect") + .attr("class", "bar") + .attr("x", d => x(d.name)) + .attr("y", d => { + if (mode == "log") { + return y(Math.max(1, d.value)); + } else if (mode == "linear") { + return y(d.value); + } + }) + .attr("width", x.bandwidth()) + .attr("height", d => { + if (mode == "log") { + return height - y(Math.max(1, d.value)); + } else if (mode == "linear") { + return height - y(d.value); + } + }) + .attr("fill", d => color(d.name)); + + + // Add and rotate x-axis labels + svg.append("g") + .attr("transform", "translate(0," + height + ")") + .call(xAxis) + .selectAll("text") + .style("text-anchor", "end") + .attr("dx", "-.8em") + .attr("dy", ".15em") + .attr("transform", "rotate(-65)"); // Rotate the labels + + // Add the y-axis + svg.append("g") + .call(yAxis); + } + + + document.querySelectorAll("table").forEach((table, index) => { + var pieChart = table.querySelector("th.pie-chart"); + var barChart = table.querySelector("th.bar-chart"); + var logBarChart = table.querySelector("th.log-bar-chart"); + graphId = "graph" + index; + var div = document.createElement("div"); + div.id = graphId; + table.parentNode.insertBefore(div, table); + if (pieChart) { + var data = parseTable(table); + createPieChart(data, "#" + graphId); + } + if (barChart) { + var data = parseTable(table); + createBarChart(data, "#" + graphId, "linear"); + } + if (logBarChart) { + var data = parseTable(table); + createBarChart(data, "#" + graphId, "log"); + } + }) + +}); diff --git a/tools/mkdocs/site/docs/01_attachements/javascripts/tablefilter.js b/tools/mkdocs/site/docs/01_attachements/javascripts/tablefilter.js new file mode 100644 index 0000000..295d125 --- /dev/null +++ b/tools/mkdocs/site/docs/01_attachements/javascripts/tablefilter.js @@ -0,0 +1,53 @@ +document$.subscribe(function () { + var tables = document.querySelectorAll("article table") + tables.forEach(function (table) { + var excludeTable = table.querySelector("td.no-filter, th.no-filter"); + if (!excludeTable) { + var tf = new TableFilter(table, { + base_path: "https://unpkg.com/tablefilter@0.7.3/dist/tablefilter/", + highlight_keywords: true, + // col_0: "select", + // col_1: "select", + col_2: "checklist", + col_widths: ["350px", "350px", "100px"], + col_types: ["string", "string", "number"], + grid_layout: false, + responsive: false, + watermark: ["Filter table ...", "Filter table ..."], + + auto_filter: { + delay: 100 //milliseconds + }, + filters_row_index: 1, + state: true, + // alternate_rows: true, + rows_counter: true, + status_bar: true, + + themes: [{ + name: "transparent", + }], + + btn_reset: { + tooltip: "Reset", + toolbar_position: "right", + }, + // no_results_message: { + // content: "No matching records found", + // }, + toolbar: true, + extensions: [{ + name: "sort", + }, + { + name: 'filtersVisibility', + description: 'Sichtbarkeit der Filter', + toolbar_position: 'right', + },], + }) + tf.init() + } + }) +}) + + diff --git a/tools/mkdocs/site/docs/01_attachements/modules/d3.min.js b/tools/mkdocs/site/docs/01_attachements/modules/d3.min.js new file mode 100644 index 0000000..8d56002 --- /dev/null +++ b/tools/mkdocs/site/docs/01_attachements/modules/d3.min.js @@ -0,0 +1,2 @@ +// https://d3js.org v7.8.5 Copyright 2010-2023 Mike Bostock +!function(t,n){"object"==typeof exports&&"undefined"!=typeof module?n(exports):"function"==typeof define&&define.amd?define(["exports"],n):n((t="undefined"!=typeof globalThis?globalThis:t||self).d3=t.d3||{})}(this,(function(t){"use strict";function n(t,n){return null==t||null==n?NaN:tn?1:t>=n?0:NaN}function e(t,n){return null==t||null==n?NaN:nt?1:n>=t?0:NaN}function r(t){let r,o,a;function u(t,n,e=0,i=t.length){if(e>>1;o(t[r],n)<0?e=r+1:i=r}while(en(t(e),r),a=(n,e)=>t(n)-e):(r=t===n||t===e?t:i,o=t,a=t),{left:u,center:function(t,n,e=0,r=t.length){const i=u(t,n,e,r-1);return i>e&&a(t[i-1],n)>-a(t[i],n)?i-1:i},right:function(t,n,e=0,i=t.length){if(e>>1;o(t[r],n)<=0?e=r+1:i=r}while(e{n(t,e,(r<<=2)+0,(i<<=2)+0,o<<=2),n(t,e,r+1,i+1,o),n(t,e,r+2,i+2,o),n(t,e,r+3,i+3,o)}}));function d(t){return function(n,e,r=e){if(!((e=+e)>=0))throw new RangeError("invalid rx");if(!((r=+r)>=0))throw new RangeError("invalid ry");let{data:i,width:o,height:a}=n;if(!((o=Math.floor(o))>=0))throw new RangeError("invalid width");if(!((a=Math.floor(void 0!==a?a:i.length/o))>=0))throw new RangeError("invalid height");if(!o||!a||!e&&!r)return n;const u=e&&t(e),c=r&&t(r),f=i.slice();return u&&c?(p(u,f,i,o,a),p(u,i,f,o,a),p(u,f,i,o,a),g(c,i,f,o,a),g(c,f,i,o,a),g(c,i,f,o,a)):u?(p(u,i,f,o,a),p(u,f,i,o,a),p(u,i,f,o,a)):c&&(g(c,i,f,o,a),g(c,f,i,o,a),g(c,i,f,o,a)),n}}function p(t,n,e,r,i){for(let o=0,a=r*i;o{if(!((o-=a)>=i))return;let u=t*r[i];const c=a*t;for(let t=i,n=i+c;t{if(!((a-=u)>=o))return;let c=n*i[o];const f=u*n,s=f+u;for(let t=o,n=o+f;t=n&&++e;else{let r=-1;for(let i of t)null!=(i=n(i,++r,t))&&(i=+i)>=i&&++e}return e}function _(t){return 0|t.length}function b(t){return!(t>0)}function m(t){return"object"!=typeof t||"length"in t?t:Array.from(t)}function x(t,n){let e,r=0,i=0,o=0;if(void 0===n)for(let n of t)null!=n&&(n=+n)>=n&&(e=n-i,i+=e/++r,o+=e*(n-i));else{let a=-1;for(let u of t)null!=(u=n(u,++a,t))&&(u=+u)>=u&&(e=u-i,i+=e/++r,o+=e*(u-i))}if(r>1)return o/(r-1)}function w(t,n){const e=x(t,n);return e?Math.sqrt(e):e}function M(t,n){let e,r;if(void 0===n)for(const n of t)null!=n&&(void 0===e?n>=n&&(e=r=n):(e>n&&(e=n),r=o&&(e=r=o):(e>o&&(e=o),r0){for(o=t[--i];i>0&&(n=o,e=t[--i],o=n+e,r=e-(o-n),!r););i>0&&(r<0&&t[i-1]<0||r>0&&t[i-1]>0)&&(e=2*r,n=o+e,e==n-o&&(o=n))}return o}}class InternMap extends Map{constructor(t,n=N){if(super(),Object.defineProperties(this,{_intern:{value:new Map},_key:{value:n}}),null!=t)for(const[n,e]of t)this.set(n,e)}get(t){return super.get(A(this,t))}has(t){return super.has(A(this,t))}set(t,n){return super.set(S(this,t),n)}delete(t){return super.delete(E(this,t))}}class InternSet extends Set{constructor(t,n=N){if(super(),Object.defineProperties(this,{_intern:{value:new Map},_key:{value:n}}),null!=t)for(const n of t)this.add(n)}has(t){return super.has(A(this,t))}add(t){return super.add(S(this,t))}delete(t){return super.delete(E(this,t))}}function A({_intern:t,_key:n},e){const r=n(e);return t.has(r)?t.get(r):e}function S({_intern:t,_key:n},e){const r=n(e);return t.has(r)?t.get(r):(t.set(r,e),e)}function E({_intern:t,_key:n},e){const r=n(e);return t.has(r)&&(e=t.get(r),t.delete(r)),e}function N(t){return null!==t&&"object"==typeof t?t.valueOf():t}function k(t){return t}function C(t,...n){return F(t,k,k,n)}function P(t,...n){return F(t,Array.from,k,n)}function z(t,n){for(let e=1,r=n.length;et.pop().map((([n,e])=>[...t,n,e]))));return t}function $(t,n,...e){return F(t,k,n,e)}function D(t,n,...e){return F(t,Array.from,n,e)}function R(t){if(1!==t.length)throw new Error("duplicate key");return t[0]}function F(t,n,e,r){return function t(i,o){if(o>=r.length)return e(i);const a=new InternMap,u=r[o++];let c=-1;for(const t of i){const n=u(t,++c,i),e=a.get(n);e?e.push(t):a.set(n,[t])}for(const[n,e]of a)a.set(n,t(e,o));return n(a)}(t,0)}function q(t,n){return Array.from(n,(n=>t[n]))}function U(t,...n){if("function"!=typeof t[Symbol.iterator])throw new TypeError("values is not iterable");t=Array.from(t);let[e]=n;if(e&&2!==e.length||n.length>1){const r=Uint32Array.from(t,((t,n)=>n));return n.length>1?(n=n.map((n=>t.map(n))),r.sort(((t,e)=>{for(const r of n){const n=O(r[t],r[e]);if(n)return n}}))):(e=t.map(e),r.sort(((t,n)=>O(e[t],e[n])))),q(t,r)}return t.sort(I(e))}function I(t=n){if(t===n)return O;if("function"!=typeof t)throw new TypeError("compare is not a function");return(n,e)=>{const r=t(n,e);return r||0===r?r:(0===t(e,e))-(0===t(n,n))}}function O(t,n){return(null==t||!(t>=t))-(null==n||!(n>=n))||(tn?1:0)}var B=Array.prototype.slice;function Y(t){return()=>t}const L=Math.sqrt(50),j=Math.sqrt(10),H=Math.sqrt(2);function X(t,n,e){const r=(n-t)/Math.max(0,e),i=Math.floor(Math.log10(r)),o=r/Math.pow(10,i),a=o>=L?10:o>=j?5:o>=H?2:1;let u,c,f;return i<0?(f=Math.pow(10,-i)/a,u=Math.round(t*f),c=Math.round(n*f),u/fn&&--c,f=-f):(f=Math.pow(10,i)*a,u=Math.round(t/f),c=Math.round(n/f),u*fn&&--c),c0))return[];if((t=+t)===(n=+n))return[t];const r=n=i))return[];const u=o-i+1,c=new Array(u);if(r)if(a<0)for(let t=0;t0?(t=Math.floor(t/i)*i,n=Math.ceil(n/i)*i):i<0&&(t=Math.ceil(t*i)/i,n=Math.floor(n*i)/i),r=i}}function K(t){return Math.max(1,Math.ceil(Math.log(v(t))/Math.LN2)+1)}function Q(){var t=k,n=M,e=K;function r(r){Array.isArray(r)||(r=Array.from(r));var i,o,a,u=r.length,c=new Array(u);for(i=0;i=h)if(t>=h&&n===M){const t=V(l,h,e);isFinite(t)&&(t>0?h=(Math.floor(h/t)+1)*t:t<0&&(h=(Math.ceil(h*-t)+1)/-t))}else d.pop()}for(var p=d.length,g=0,y=p;d[g]<=l;)++g;for(;d[y-1]>h;)--y;(g||y0?d[i-1]:l,v.x1=i0)for(i=0;i=n)&&(e=n);else{let r=-1;for(let i of t)null!=(i=n(i,++r,t))&&(e=i)&&(e=i)}return e}function tt(t,n){let e,r=-1,i=-1;if(void 0===n)for(const n of t)++i,null!=n&&(e=n)&&(e=n,r=i);else for(let o of t)null!=(o=n(o,++i,t))&&(e=o)&&(e=o,r=i);return r}function nt(t,n){let e;if(void 0===n)for(const n of t)null!=n&&(e>n||void 0===e&&n>=n)&&(e=n);else{let r=-1;for(let i of t)null!=(i=n(i,++r,t))&&(e>i||void 0===e&&i>=i)&&(e=i)}return e}function et(t,n){let e,r=-1,i=-1;if(void 0===n)for(const n of t)++i,null!=n&&(e>n||void 0===e&&n>=n)&&(e=n,r=i);else for(let o of t)null!=(o=n(o,++i,t))&&(e>o||void 0===e&&o>=o)&&(e=o,r=i);return r}function rt(t,n,e=0,r=1/0,i){if(n=Math.floor(n),e=Math.floor(Math.max(0,e)),r=Math.floor(Math.min(t.length-1,r)),!(e<=n&&n<=r))return t;for(i=void 0===i?O:I(i);r>e;){if(r-e>600){const o=r-e+1,a=n-e+1,u=Math.log(o),c=.5*Math.exp(2*u/3),f=.5*Math.sqrt(u*c*(o-c)/o)*(a-o/2<0?-1:1);rt(t,n,Math.max(e,Math.floor(n-a*c/o+f)),Math.min(r,Math.floor(n+(o-a)*c/o+f)),i)}const o=t[n];let a=e,u=r;for(it(t,e,n),i(t[r],o)>0&&it(t,e,r);a0;)--u}0===i(t[e],o)?it(t,e,u):(++u,it(t,u,r)),u<=n&&(e=u+1),n<=u&&(r=u-1)}return t}function it(t,n,e){const r=t[n];t[n]=t[e],t[e]=r}function ot(t,e=n){let r,i=!1;if(1===e.length){let o;for(const a of t){const t=e(a);(i?n(t,o)>0:0===n(t,t))&&(r=a,o=t,i=!0)}}else for(const n of t)(i?e(n,r)>0:0===e(n,n))&&(r=n,i=!0);return r}function at(t,n,e){if(t=Float64Array.from(function*(t,n){if(void 0===n)for(let n of t)null!=n&&(n=+n)>=n&&(yield n);else{let e=-1;for(let r of t)null!=(r=n(r,++e,t))&&(r=+r)>=r&&(yield r)}}(t,e)),(r=t.length)&&!isNaN(n=+n)){if(n<=0||r<2)return nt(t);if(n>=1)return J(t);var r,i=(r-1)*n,o=Math.floor(i),a=J(rt(t,o).subarray(0,o+1));return a+(nt(t.subarray(o+1))-a)*(i-o)}}function ut(t,n,e=o){if((r=t.length)&&!isNaN(n=+n)){if(n<=0||r<2)return+e(t[0],0,t);if(n>=1)return+e(t[r-1],r-1,t);var r,i=(r-1)*n,a=Math.floor(i),u=+e(t[a],a,t);return u+(+e(t[a+1],a+1,t)-u)*(i-a)}}function ct(t,n,e=o){if(!isNaN(n=+n)){if(r=Float64Array.from(t,((n,r)=>o(e(t[r],r,t)))),n<=0)return et(r);if(n>=1)return tt(r);var r,i=Uint32Array.from(t,((t,n)=>n)),a=r.length-1,u=Math.floor(a*n);return rt(i,u,0,a,((t,n)=>O(r[t],r[n]))),(u=ot(i.subarray(0,u+1),(t=>r[t])))>=0?u:-1}}function ft(t){return Array.from(function*(t){for(const n of t)yield*n}(t))}function st(t,n){return[t,n]}function lt(t,n,e){t=+t,n=+n,e=(i=arguments.length)<2?(n=t,t=0,1):i<3?1:+e;for(var r=-1,i=0|Math.max(0,Math.ceil((n-t)/e)),o=new Array(i);++r+t(n)}function kt(t,n){return n=Math.max(0,t.bandwidth()-2*n)/2,t.round()&&(n=Math.round(n)),e=>+t(e)+n}function Ct(){return!this.__axis}function Pt(t,n){var e=[],r=null,i=null,o=6,a=6,u=3,c="undefined"!=typeof window&&window.devicePixelRatio>1?0:.5,f=t===xt||t===Tt?-1:1,s=t===Tt||t===wt?"x":"y",l=t===xt||t===Mt?St:Et;function h(h){var d=null==r?n.ticks?n.ticks.apply(n,e):n.domain():r,p=null==i?n.tickFormat?n.tickFormat.apply(n,e):mt:i,g=Math.max(o,0)+u,y=n.range(),v=+y[0]+c,_=+y[y.length-1]+c,b=(n.bandwidth?kt:Nt)(n.copy(),c),m=h.selection?h.selection():h,x=m.selectAll(".domain").data([null]),w=m.selectAll(".tick").data(d,n).order(),M=w.exit(),T=w.enter().append("g").attr("class","tick"),A=w.select("line"),S=w.select("text");x=x.merge(x.enter().insert("path",".tick").attr("class","domain").attr("stroke","currentColor")),w=w.merge(T),A=A.merge(T.append("line").attr("stroke","currentColor").attr(s+"2",f*o)),S=S.merge(T.append("text").attr("fill","currentColor").attr(s,f*g).attr("dy",t===xt?"0em":t===Mt?"0.71em":"0.32em")),h!==m&&(x=x.transition(h),w=w.transition(h),A=A.transition(h),S=S.transition(h),M=M.transition(h).attr("opacity",At).attr("transform",(function(t){return isFinite(t=b(t))?l(t+c):this.getAttribute("transform")})),T.attr("opacity",At).attr("transform",(function(t){var n=this.parentNode.__axis;return l((n&&isFinite(n=n(t))?n:b(t))+c)}))),M.remove(),x.attr("d",t===Tt||t===wt?a?"M"+f*a+","+v+"H"+c+"V"+_+"H"+f*a:"M"+c+","+v+"V"+_:a?"M"+v+","+f*a+"V"+c+"H"+_+"V"+f*a:"M"+v+","+c+"H"+_),w.attr("opacity",1).attr("transform",(function(t){return l(b(t)+c)})),A.attr(s+"2",f*o),S.attr(s,f*g).text(p),m.filter(Ct).attr("fill","none").attr("font-size",10).attr("font-family","sans-serif").attr("text-anchor",t===wt?"start":t===Tt?"end":"middle"),m.each((function(){this.__axis=b}))}return h.scale=function(t){return arguments.length?(n=t,h):n},h.ticks=function(){return e=Array.from(arguments),h},h.tickArguments=function(t){return arguments.length?(e=null==t?[]:Array.from(t),h):e.slice()},h.tickValues=function(t){return arguments.length?(r=null==t?null:Array.from(t),h):r&&r.slice()},h.tickFormat=function(t){return arguments.length?(i=t,h):i},h.tickSize=function(t){return arguments.length?(o=a=+t,h):o},h.tickSizeInner=function(t){return arguments.length?(o=+t,h):o},h.tickSizeOuter=function(t){return arguments.length?(a=+t,h):a},h.tickPadding=function(t){return arguments.length?(u=+t,h):u},h.offset=function(t){return arguments.length?(c=+t,h):c},h}var zt={value:()=>{}};function $t(){for(var t,n=0,e=arguments.length,r={};n=0&&(n=t.slice(e+1),t=t.slice(0,e)),t&&!r.hasOwnProperty(t))throw new Error("unknown type: "+t);return{type:t,name:n}}))),a=-1,u=o.length;if(!(arguments.length<2)){if(null!=n&&"function"!=typeof n)throw new Error("invalid callback: "+n);for(;++a0)for(var e,r,i=new Array(e),o=0;o=0&&"xmlns"!==(n=t.slice(0,e))&&(t=t.slice(e+1)),Ut.hasOwnProperty(n)?{space:Ut[n],local:t}:t}function Ot(t){return function(){var n=this.ownerDocument,e=this.namespaceURI;return e===qt&&n.documentElement.namespaceURI===qt?n.createElement(t):n.createElementNS(e,t)}}function Bt(t){return function(){return this.ownerDocument.createElementNS(t.space,t.local)}}function Yt(t){var n=It(t);return(n.local?Bt:Ot)(n)}function Lt(){}function jt(t){return null==t?Lt:function(){return this.querySelector(t)}}function Ht(t){return null==t?[]:Array.isArray(t)?t:Array.from(t)}function Xt(){return[]}function Gt(t){return null==t?Xt:function(){return this.querySelectorAll(t)}}function Vt(t){return function(){return this.matches(t)}}function Wt(t){return function(n){return n.matches(t)}}var Zt=Array.prototype.find;function Kt(){return this.firstElementChild}var Qt=Array.prototype.filter;function Jt(){return Array.from(this.children)}function tn(t){return new Array(t.length)}function nn(t,n){this.ownerDocument=t.ownerDocument,this.namespaceURI=t.namespaceURI,this._next=null,this._parent=t,this.__data__=n}function en(t,n,e,r,i,o){for(var a,u=0,c=n.length,f=o.length;un?1:t>=n?0:NaN}function cn(t){return function(){this.removeAttribute(t)}}function fn(t){return function(){this.removeAttributeNS(t.space,t.local)}}function sn(t,n){return function(){this.setAttribute(t,n)}}function ln(t,n){return function(){this.setAttributeNS(t.space,t.local,n)}}function hn(t,n){return function(){var e=n.apply(this,arguments);null==e?this.removeAttribute(t):this.setAttribute(t,e)}}function dn(t,n){return function(){var e=n.apply(this,arguments);null==e?this.removeAttributeNS(t.space,t.local):this.setAttributeNS(t.space,t.local,e)}}function pn(t){return t.ownerDocument&&t.ownerDocument.defaultView||t.document&&t||t.defaultView}function gn(t){return function(){this.style.removeProperty(t)}}function yn(t,n,e){return function(){this.style.setProperty(t,n,e)}}function vn(t,n,e){return function(){var r=n.apply(this,arguments);null==r?this.style.removeProperty(t):this.style.setProperty(t,r,e)}}function _n(t,n){return t.style.getPropertyValue(n)||pn(t).getComputedStyle(t,null).getPropertyValue(n)}function bn(t){return function(){delete this[t]}}function mn(t,n){return function(){this[t]=n}}function xn(t,n){return function(){var e=n.apply(this,arguments);null==e?delete this[t]:this[t]=e}}function wn(t){return t.trim().split(/^|\s+/)}function Mn(t){return t.classList||new Tn(t)}function Tn(t){this._node=t,this._names=wn(t.getAttribute("class")||"")}function An(t,n){for(var e=Mn(t),r=-1,i=n.length;++r=0&&(this._names.splice(n,1),this._node.setAttribute("class",this._names.join(" ")))},contains:function(t){return this._names.indexOf(t)>=0}};var Gn=[null];function Vn(t,n){this._groups=t,this._parents=n}function Wn(){return new Vn([[document.documentElement]],Gn)}function Zn(t){return"string"==typeof t?new Vn([[document.querySelector(t)]],[document.documentElement]):new Vn([[t]],Gn)}Vn.prototype=Wn.prototype={constructor:Vn,select:function(t){"function"!=typeof t&&(t=jt(t));for(var n=this._groups,e=n.length,r=new Array(e),i=0;i=m&&(m=b+1);!(_=y[m])&&++m=0;)(r=i[o])&&(a&&4^r.compareDocumentPosition(a)&&a.parentNode.insertBefore(r,a),a=r);return this},sort:function(t){function n(n,e){return n&&e?t(n.__data__,e.__data__):!n-!e}t||(t=un);for(var e=this._groups,r=e.length,i=new Array(r),o=0;o1?this.each((null==n?gn:"function"==typeof n?vn:yn)(t,n,null==e?"":e)):_n(this.node(),t)},property:function(t,n){return arguments.length>1?this.each((null==n?bn:"function"==typeof n?xn:mn)(t,n)):this.node()[t]},classed:function(t,n){var e=wn(t+"");if(arguments.length<2){for(var r=Mn(this.node()),i=-1,o=e.length;++i=0&&(n=t.slice(e+1),t=t.slice(0,e)),{type:t,name:n}}))}(t+""),a=o.length;if(!(arguments.length<2)){for(u=n?Ln:Yn,r=0;r()=>t;function fe(t,{sourceEvent:n,subject:e,target:r,identifier:i,active:o,x:a,y:u,dx:c,dy:f,dispatch:s}){Object.defineProperties(this,{type:{value:t,enumerable:!0,configurable:!0},sourceEvent:{value:n,enumerable:!0,configurable:!0},subject:{value:e,enumerable:!0,configurable:!0},target:{value:r,enumerable:!0,configurable:!0},identifier:{value:i,enumerable:!0,configurable:!0},active:{value:o,enumerable:!0,configurable:!0},x:{value:a,enumerable:!0,configurable:!0},y:{value:u,enumerable:!0,configurable:!0},dx:{value:c,enumerable:!0,configurable:!0},dy:{value:f,enumerable:!0,configurable:!0},_:{value:s}})}function se(t){return!t.ctrlKey&&!t.button}function le(){return this.parentNode}function he(t,n){return null==n?{x:t.x,y:t.y}:n}function de(){return navigator.maxTouchPoints||"ontouchstart"in this}function pe(t,n,e){t.prototype=n.prototype=e,e.constructor=t}function ge(t,n){var e=Object.create(t.prototype);for(var r in n)e[r]=n[r];return e}function ye(){}fe.prototype.on=function(){var t=this._.on.apply(this._,arguments);return t===this._?this:t};var ve=.7,_e=1/ve,be="\\s*([+-]?\\d+)\\s*",me="\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)\\s*",xe="\\s*([+-]?(?:\\d*\\.)?\\d+(?:[eE][+-]?\\d+)?)%\\s*",we=/^#([0-9a-f]{3,8})$/,Me=new RegExp(`^rgb\\(${be},${be},${be}\\)$`),Te=new RegExp(`^rgb\\(${xe},${xe},${xe}\\)$`),Ae=new RegExp(`^rgba\\(${be},${be},${be},${me}\\)$`),Se=new RegExp(`^rgba\\(${xe},${xe},${xe},${me}\\)$`),Ee=new RegExp(`^hsl\\(${me},${xe},${xe}\\)$`),Ne=new RegExp(`^hsla\\(${me},${xe},${xe},${me}\\)$`),ke={aliceblue:15792383,antiquewhite:16444375,aqua:65535,aquamarine:8388564,azure:15794175,beige:16119260,bisque:16770244,black:0,blanchedalmond:16772045,blue:255,blueviolet:9055202,brown:10824234,burlywood:14596231,cadetblue:6266528,chartreuse:8388352,chocolate:13789470,coral:16744272,cornflowerblue:6591981,cornsilk:16775388,crimson:14423100,cyan:65535,darkblue:139,darkcyan:35723,darkgoldenrod:12092939,darkgray:11119017,darkgreen:25600,darkgrey:11119017,darkkhaki:12433259,darkmagenta:9109643,darkolivegreen:5597999,darkorange:16747520,darkorchid:10040012,darkred:9109504,darksalmon:15308410,darkseagreen:9419919,darkslateblue:4734347,darkslategray:3100495,darkslategrey:3100495,darkturquoise:52945,darkviolet:9699539,deeppink:16716947,deepskyblue:49151,dimgray:6908265,dimgrey:6908265,dodgerblue:2003199,firebrick:11674146,floralwhite:16775920,forestgreen:2263842,fuchsia:16711935,gainsboro:14474460,ghostwhite:16316671,gold:16766720,goldenrod:14329120,gray:8421504,green:32768,greenyellow:11403055,grey:8421504,honeydew:15794160,hotpink:16738740,indianred:13458524,indigo:4915330,ivory:16777200,khaki:15787660,lavender:15132410,lavenderblush:16773365,lawngreen:8190976,lemonchiffon:16775885,lightblue:11393254,lightcoral:15761536,lightcyan:14745599,lightgoldenrodyellow:16448210,lightgray:13882323,lightgreen:9498256,lightgrey:13882323,lightpink:16758465,lightsalmon:16752762,lightseagreen:2142890,lightskyblue:8900346,lightslategray:7833753,lightslategrey:7833753,lightsteelblue:11584734,lightyellow:16777184,lime:65280,limegreen:3329330,linen:16445670,magenta:16711935,maroon:8388608,mediumaquamarine:6737322,mediumblue:205,mediumorchid:12211667,mediumpurple:9662683,mediumseagreen:3978097,mediumslateblue:8087790,mediumspringgreen:64154,mediumturquoise:4772300,mediumvioletred:13047173,midnightblue:1644912,mintcream:16121850,mistyrose:16770273,moccasin:16770229,navajowhite:16768685,navy:128,oldlace:16643558,olive:8421376,olivedrab:7048739,orange:16753920,orangered:16729344,orchid:14315734,palegoldenrod:15657130,palegreen:10025880,paleturquoise:11529966,palevioletred:14381203,papayawhip:16773077,peachpuff:16767673,peru:13468991,pink:16761035,plum:14524637,powderblue:11591910,purple:8388736,rebeccapurple:6697881,red:16711680,rosybrown:12357519,royalblue:4286945,saddlebrown:9127187,salmon:16416882,sandybrown:16032864,seagreen:3050327,seashell:16774638,sienna:10506797,silver:12632256,skyblue:8900331,slateblue:6970061,slategray:7372944,slategrey:7372944,snow:16775930,springgreen:65407,steelblue:4620980,tan:13808780,teal:32896,thistle:14204888,tomato:16737095,turquoise:4251856,violet:15631086,wheat:16113331,white:16777215,whitesmoke:16119285,yellow:16776960,yellowgreen:10145074};function Ce(){return this.rgb().formatHex()}function Pe(){return this.rgb().formatRgb()}function ze(t){var n,e;return t=(t+"").trim().toLowerCase(),(n=we.exec(t))?(e=n[1].length,n=parseInt(n[1],16),6===e?$e(n):3===e?new qe(n>>8&15|n>>4&240,n>>4&15|240&n,(15&n)<<4|15&n,1):8===e?De(n>>24&255,n>>16&255,n>>8&255,(255&n)/255):4===e?De(n>>12&15|n>>8&240,n>>8&15|n>>4&240,n>>4&15|240&n,((15&n)<<4|15&n)/255):null):(n=Me.exec(t))?new qe(n[1],n[2],n[3],1):(n=Te.exec(t))?new qe(255*n[1]/100,255*n[2]/100,255*n[3]/100,1):(n=Ae.exec(t))?De(n[1],n[2],n[3],n[4]):(n=Se.exec(t))?De(255*n[1]/100,255*n[2]/100,255*n[3]/100,n[4]):(n=Ee.exec(t))?Le(n[1],n[2]/100,n[3]/100,1):(n=Ne.exec(t))?Le(n[1],n[2]/100,n[3]/100,n[4]):ke.hasOwnProperty(t)?$e(ke[t]):"transparent"===t?new qe(NaN,NaN,NaN,0):null}function $e(t){return new qe(t>>16&255,t>>8&255,255&t,1)}function De(t,n,e,r){return r<=0&&(t=n=e=NaN),new qe(t,n,e,r)}function Re(t){return t instanceof ye||(t=ze(t)),t?new qe((t=t.rgb()).r,t.g,t.b,t.opacity):new qe}function Fe(t,n,e,r){return 1===arguments.length?Re(t):new qe(t,n,e,null==r?1:r)}function qe(t,n,e,r){this.r=+t,this.g=+n,this.b=+e,this.opacity=+r}function Ue(){return`#${Ye(this.r)}${Ye(this.g)}${Ye(this.b)}`}function Ie(){const t=Oe(this.opacity);return`${1===t?"rgb(":"rgba("}${Be(this.r)}, ${Be(this.g)}, ${Be(this.b)}${1===t?")":`, ${t})`}`}function Oe(t){return isNaN(t)?1:Math.max(0,Math.min(1,t))}function Be(t){return Math.max(0,Math.min(255,Math.round(t)||0))}function Ye(t){return((t=Be(t))<16?"0":"")+t.toString(16)}function Le(t,n,e,r){return r<=0?t=n=e=NaN:e<=0||e>=1?t=n=NaN:n<=0&&(t=NaN),new Xe(t,n,e,r)}function je(t){if(t instanceof Xe)return new Xe(t.h,t.s,t.l,t.opacity);if(t instanceof ye||(t=ze(t)),!t)return new Xe;if(t instanceof Xe)return t;var n=(t=t.rgb()).r/255,e=t.g/255,r=t.b/255,i=Math.min(n,e,r),o=Math.max(n,e,r),a=NaN,u=o-i,c=(o+i)/2;return u?(a=n===o?(e-r)/u+6*(e0&&c<1?0:a,new Xe(a,u,c,t.opacity)}function He(t,n,e,r){return 1===arguments.length?je(t):new Xe(t,n,e,null==r?1:r)}function Xe(t,n,e,r){this.h=+t,this.s=+n,this.l=+e,this.opacity=+r}function Ge(t){return(t=(t||0)%360)<0?t+360:t}function Ve(t){return Math.max(0,Math.min(1,t||0))}function We(t,n,e){return 255*(t<60?n+(e-n)*t/60:t<180?e:t<240?n+(e-n)*(240-t)/60:n)}pe(ye,ze,{copy(t){return Object.assign(new this.constructor,this,t)},displayable(){return this.rgb().displayable()},hex:Ce,formatHex:Ce,formatHex8:function(){return this.rgb().formatHex8()},formatHsl:function(){return je(this).formatHsl()},formatRgb:Pe,toString:Pe}),pe(qe,Fe,ge(ye,{brighter(t){return t=null==t?_e:Math.pow(_e,t),new qe(this.r*t,this.g*t,this.b*t,this.opacity)},darker(t){return t=null==t?ve:Math.pow(ve,t),new qe(this.r*t,this.g*t,this.b*t,this.opacity)},rgb(){return this},clamp(){return new qe(Be(this.r),Be(this.g),Be(this.b),Oe(this.opacity))},displayable(){return-.5<=this.r&&this.r<255.5&&-.5<=this.g&&this.g<255.5&&-.5<=this.b&&this.b<255.5&&0<=this.opacity&&this.opacity<=1},hex:Ue,formatHex:Ue,formatHex8:function(){return`#${Ye(this.r)}${Ye(this.g)}${Ye(this.b)}${Ye(255*(isNaN(this.opacity)?1:this.opacity))}`},formatRgb:Ie,toString:Ie})),pe(Xe,He,ge(ye,{brighter(t){return t=null==t?_e:Math.pow(_e,t),new Xe(this.h,this.s,this.l*t,this.opacity)},darker(t){return t=null==t?ve:Math.pow(ve,t),new Xe(this.h,this.s,this.l*t,this.opacity)},rgb(){var t=this.h%360+360*(this.h<0),n=isNaN(t)||isNaN(this.s)?0:this.s,e=this.l,r=e+(e<.5?e:1-e)*n,i=2*e-r;return new qe(We(t>=240?t-240:t+120,i,r),We(t,i,r),We(t<120?t+240:t-120,i,r),this.opacity)},clamp(){return new Xe(Ge(this.h),Ve(this.s),Ve(this.l),Oe(this.opacity))},displayable(){return(0<=this.s&&this.s<=1||isNaN(this.s))&&0<=this.l&&this.l<=1&&0<=this.opacity&&this.opacity<=1},formatHsl(){const t=Oe(this.opacity);return`${1===t?"hsl(":"hsla("}${Ge(this.h)}, ${100*Ve(this.s)}%, ${100*Ve(this.l)}%${1===t?")":`, ${t})`}`}}));const Ze=Math.PI/180,Ke=180/Math.PI,Qe=.96422,Je=1,tr=.82521,nr=4/29,er=6/29,rr=3*er*er,ir=er*er*er;function or(t){if(t instanceof ur)return new ur(t.l,t.a,t.b,t.opacity);if(t instanceof pr)return gr(t);t instanceof qe||(t=Re(t));var n,e,r=lr(t.r),i=lr(t.g),o=lr(t.b),a=cr((.2225045*r+.7168786*i+.0606169*o)/Je);return r===i&&i===o?n=e=a:(n=cr((.4360747*r+.3850649*i+.1430804*o)/Qe),e=cr((.0139322*r+.0971045*i+.7141733*o)/tr)),new ur(116*a-16,500*(n-a),200*(a-e),t.opacity)}function ar(t,n,e,r){return 1===arguments.length?or(t):new ur(t,n,e,null==r?1:r)}function ur(t,n,e,r){this.l=+t,this.a=+n,this.b=+e,this.opacity=+r}function cr(t){return t>ir?Math.pow(t,1/3):t/rr+nr}function fr(t){return t>er?t*t*t:rr*(t-nr)}function sr(t){return 255*(t<=.0031308?12.92*t:1.055*Math.pow(t,1/2.4)-.055)}function lr(t){return(t/=255)<=.04045?t/12.92:Math.pow((t+.055)/1.055,2.4)}function hr(t){if(t instanceof pr)return new pr(t.h,t.c,t.l,t.opacity);if(t instanceof ur||(t=or(t)),0===t.a&&0===t.b)return new pr(NaN,0=1?(e=1,n-1):Math.floor(e*n),i=t[r],o=t[r+1],a=r>0?t[r-1]:2*i-o,u=r()=>t;function Cr(t,n){return function(e){return t+e*n}}function Pr(t,n){var e=n-t;return e?Cr(t,e>180||e<-180?e-360*Math.round(e/360):e):kr(isNaN(t)?n:t)}function zr(t){return 1==(t=+t)?$r:function(n,e){return e-n?function(t,n,e){return t=Math.pow(t,e),n=Math.pow(n,e)-t,e=1/e,function(r){return Math.pow(t+r*n,e)}}(n,e,t):kr(isNaN(n)?e:n)}}function $r(t,n){var e=n-t;return e?Cr(t,e):kr(isNaN(t)?n:t)}var Dr=function t(n){var e=zr(n);function r(t,n){var r=e((t=Fe(t)).r,(n=Fe(n)).r),i=e(t.g,n.g),o=e(t.b,n.b),a=$r(t.opacity,n.opacity);return function(n){return t.r=r(n),t.g=i(n),t.b=o(n),t.opacity=a(n),t+""}}return r.gamma=t,r}(1);function Rr(t){return function(n){var e,r,i=n.length,o=new Array(i),a=new Array(i),u=new Array(i);for(e=0;eo&&(i=n.slice(o,i),u[a]?u[a]+=i:u[++a]=i),(e=e[0])===(r=r[0])?u[a]?u[a]+=r:u[++a]=r:(u[++a]=null,c.push({i:a,x:Yr(e,r)})),o=Hr.lastIndex;return o180?n+=360:n-t>180&&(t+=360),o.push({i:e.push(i(e)+"rotate(",null,r)-2,x:Yr(t,n)})):n&&e.push(i(e)+"rotate("+n+r)}(o.rotate,a.rotate,u,c),function(t,n,e,o){t!==n?o.push({i:e.push(i(e)+"skewX(",null,r)-2,x:Yr(t,n)}):n&&e.push(i(e)+"skewX("+n+r)}(o.skewX,a.skewX,u,c),function(t,n,e,r,o,a){if(t!==e||n!==r){var u=o.push(i(o)+"scale(",null,",",null,")");a.push({i:u-4,x:Yr(t,e)},{i:u-2,x:Yr(n,r)})}else 1===e&&1===r||o.push(i(o)+"scale("+e+","+r+")")}(o.scaleX,o.scaleY,a.scaleX,a.scaleY,u,c),o=a=null,function(t){for(var n,e=-1,r=c.length;++e=0&&n._call.call(void 0,t),n=n._next;--yi}function Ci(){xi=(mi=Mi.now())+wi,yi=vi=0;try{ki()}finally{yi=0,function(){var t,n,e=pi,r=1/0;for(;e;)e._call?(r>e._time&&(r=e._time),t=e,e=e._next):(n=e._next,e._next=null,e=t?t._next=n:pi=n);gi=t,zi(r)}(),xi=0}}function Pi(){var t=Mi.now(),n=t-mi;n>bi&&(wi-=n,mi=t)}function zi(t){yi||(vi&&(vi=clearTimeout(vi)),t-xi>24?(t<1/0&&(vi=setTimeout(Ci,t-Mi.now()-wi)),_i&&(_i=clearInterval(_i))):(_i||(mi=Mi.now(),_i=setInterval(Pi,bi)),yi=1,Ti(Ci)))}function $i(t,n,e){var r=new Ei;return n=null==n?0:+n,r.restart((e=>{r.stop(),t(e+n)}),n,e),r}Ei.prototype=Ni.prototype={constructor:Ei,restart:function(t,n,e){if("function"!=typeof t)throw new TypeError("callback is not a function");e=(null==e?Ai():+e)+(null==n?0:+n),this._next||gi===this||(gi?gi._next=this:pi=this,gi=this),this._call=t,this._time=e,zi()},stop:function(){this._call&&(this._call=null,this._time=1/0,zi())}};var Di=$t("start","end","cancel","interrupt"),Ri=[],Fi=0,qi=1,Ui=2,Ii=3,Oi=4,Bi=5,Yi=6;function Li(t,n,e,r,i,o){var a=t.__transition;if(a){if(e in a)return}else t.__transition={};!function(t,n,e){var r,i=t.__transition;function o(t){e.state=qi,e.timer.restart(a,e.delay,e.time),e.delay<=t&&a(t-e.delay)}function a(o){var f,s,l,h;if(e.state!==qi)return c();for(f in i)if((h=i[f]).name===e.name){if(h.state===Ii)return $i(a);h.state===Oi?(h.state=Yi,h.timer.stop(),h.on.call("interrupt",t,t.__data__,h.index,h.group),delete i[f]):+fFi)throw new Error("too late; already scheduled");return e}function Hi(t,n){var e=Xi(t,n);if(e.state>Ii)throw new Error("too late; already running");return e}function Xi(t,n){var e=t.__transition;if(!e||!(e=e[n]))throw new Error("transition not found");return e}function Gi(t,n){var e,r,i,o=t.__transition,a=!0;if(o){for(i in n=null==n?null:n+"",o)(e=o[i]).name===n?(r=e.state>Ui&&e.state=0&&(t=t.slice(0,n)),!t||"start"===t}))}(n)?ji:Hi;return function(){var a=o(this,t),u=a.on;u!==r&&(i=(r=u).copy()).on(n,e),a.on=i}}(e,t,n))},attr:function(t,n){var e=It(t),r="transform"===e?ni:Ki;return this.attrTween(t,"function"==typeof n?(e.local?ro:eo)(e,r,Zi(this,"attr."+t,n)):null==n?(e.local?Ji:Qi)(e):(e.local?no:to)(e,r,n))},attrTween:function(t,n){var e="attr."+t;if(arguments.length<2)return(e=this.tween(e))&&e._value;if(null==n)return this.tween(e,null);if("function"!=typeof n)throw new Error;var r=It(t);return this.tween(e,(r.local?io:oo)(r,n))},style:function(t,n,e){var r="transform"==(t+="")?ti:Ki;return null==n?this.styleTween(t,function(t,n){var e,r,i;return function(){var o=_n(this,t),a=(this.style.removeProperty(t),_n(this,t));return o===a?null:o===e&&a===r?i:i=n(e=o,r=a)}}(t,r)).on("end.style."+t,lo(t)):"function"==typeof n?this.styleTween(t,function(t,n,e){var r,i,o;return function(){var a=_n(this,t),u=e(this),c=u+"";return null==u&&(this.style.removeProperty(t),c=u=_n(this,t)),a===c?null:a===r&&c===i?o:(i=c,o=n(r=a,u))}}(t,r,Zi(this,"style."+t,n))).each(function(t,n){var e,r,i,o,a="style."+n,u="end."+a;return function(){var c=Hi(this,t),f=c.on,s=null==c.value[a]?o||(o=lo(n)):void 0;f===e&&i===s||(r=(e=f).copy()).on(u,i=s),c.on=r}}(this._id,t)):this.styleTween(t,function(t,n,e){var r,i,o=e+"";return function(){var a=_n(this,t);return a===o?null:a===r?i:i=n(r=a,e)}}(t,r,n),e).on("end.style."+t,null)},styleTween:function(t,n,e){var r="style."+(t+="");if(arguments.length<2)return(r=this.tween(r))&&r._value;if(null==n)return this.tween(r,null);if("function"!=typeof n)throw new Error;return this.tween(r,function(t,n,e){var r,i;function o(){var o=n.apply(this,arguments);return o!==i&&(r=(i=o)&&function(t,n,e){return function(r){this.style.setProperty(t,n.call(this,r),e)}}(t,o,e)),r}return o._value=n,o}(t,n,null==e?"":e))},text:function(t){return this.tween("text","function"==typeof t?function(t){return function(){var n=t(this);this.textContent=null==n?"":n}}(Zi(this,"text",t)):function(t){return function(){this.textContent=t}}(null==t?"":t+""))},textTween:function(t){var n="text";if(arguments.length<1)return(n=this.tween(n))&&n._value;if(null==t)return this.tween(n,null);if("function"!=typeof t)throw new Error;return this.tween(n,function(t){var n,e;function r(){var r=t.apply(this,arguments);return r!==e&&(n=(e=r)&&function(t){return function(n){this.textContent=t.call(this,n)}}(r)),n}return r._value=t,r}(t))},remove:function(){return this.on("end.remove",function(t){return function(){var n=this.parentNode;for(var e in this.__transition)if(+e!==t)return;n&&n.removeChild(this)}}(this._id))},tween:function(t,n){var e=this._id;if(t+="",arguments.length<2){for(var r,i=Xi(this.node(),e).tween,o=0,a=i.length;o()=>t;function Qo(t,{sourceEvent:n,target:e,selection:r,mode:i,dispatch:o}){Object.defineProperties(this,{type:{value:t,enumerable:!0,configurable:!0},sourceEvent:{value:n,enumerable:!0,configurable:!0},target:{value:e,enumerable:!0,configurable:!0},selection:{value:r,enumerable:!0,configurable:!0},mode:{value:i,enumerable:!0,configurable:!0},_:{value:o}})}function Jo(t){t.preventDefault(),t.stopImmediatePropagation()}var ta={name:"drag"},na={name:"space"},ea={name:"handle"},ra={name:"center"};const{abs:ia,max:oa,min:aa}=Math;function ua(t){return[+t[0],+t[1]]}function ca(t){return[ua(t[0]),ua(t[1])]}var fa={name:"x",handles:["w","e"].map(va),input:function(t,n){return null==t?null:[[+t[0],n[0][1]],[+t[1],n[1][1]]]},output:function(t){return t&&[t[0][0],t[1][0]]}},sa={name:"y",handles:["n","s"].map(va),input:function(t,n){return null==t?null:[[n[0][0],+t[0]],[n[1][0],+t[1]]]},output:function(t){return t&&[t[0][1],t[1][1]]}},la={name:"xy",handles:["n","w","e","s","nw","ne","sw","se"].map(va),input:function(t){return null==t?null:ca(t)},output:function(t){return t}},ha={overlay:"crosshair",selection:"move",n:"ns-resize",e:"ew-resize",s:"ns-resize",w:"ew-resize",nw:"nwse-resize",ne:"nesw-resize",se:"nwse-resize",sw:"nesw-resize"},da={e:"w",w:"e",nw:"ne",ne:"nw",se:"sw",sw:"se"},pa={n:"s",s:"n",nw:"sw",ne:"se",se:"ne",sw:"nw"},ga={overlay:1,selection:1,n:null,e:1,s:null,w:-1,nw:-1,ne:1,se:1,sw:-1},ya={overlay:1,selection:1,n:-1,e:null,s:1,w:null,nw:-1,ne:-1,se:1,sw:1};function va(t){return{type:t}}function _a(t){return!t.ctrlKey&&!t.button}function ba(){var t=this.ownerSVGElement||this;return t.hasAttribute("viewBox")?[[(t=t.viewBox.baseVal).x,t.y],[t.x+t.width,t.y+t.height]]:[[0,0],[t.width.baseVal.value,t.height.baseVal.value]]}function ma(){return navigator.maxTouchPoints||"ontouchstart"in this}function xa(t){for(;!t.__brush;)if(!(t=t.parentNode))return;return t.__brush}function wa(t){var n,e=ba,r=_a,i=ma,o=!0,a=$t("start","brush","end"),u=6;function c(n){var e=n.property("__brush",g).selectAll(".overlay").data([va("overlay")]);e.enter().append("rect").attr("class","overlay").attr("pointer-events","all").attr("cursor",ha.overlay).merge(e).each((function(){var t=xa(this).extent;Zn(this).attr("x",t[0][0]).attr("y",t[0][1]).attr("width",t[1][0]-t[0][0]).attr("height",t[1][1]-t[0][1])})),n.selectAll(".selection").data([va("selection")]).enter().append("rect").attr("class","selection").attr("cursor",ha.selection).attr("fill","#777").attr("fill-opacity",.3).attr("stroke","#fff").attr("shape-rendering","crispEdges");var r=n.selectAll(".handle").data(t.handles,(function(t){return t.type}));r.exit().remove(),r.enter().append("rect").attr("class",(function(t){return"handle handle--"+t.type})).attr("cursor",(function(t){return ha[t.type]})),n.each(f).attr("fill","none").attr("pointer-events","all").on("mousedown.brush",h).filter(i).on("touchstart.brush",h).on("touchmove.brush",d).on("touchend.brush touchcancel.brush",p).style("touch-action","none").style("-webkit-tap-highlight-color","rgba(0,0,0,0)")}function f(){var t=Zn(this),n=xa(this).selection;n?(t.selectAll(".selection").style("display",null).attr("x",n[0][0]).attr("y",n[0][1]).attr("width",n[1][0]-n[0][0]).attr("height",n[1][1]-n[0][1]),t.selectAll(".handle").style("display",null).attr("x",(function(t){return"e"===t.type[t.type.length-1]?n[1][0]-u/2:n[0][0]-u/2})).attr("y",(function(t){return"s"===t.type[0]?n[1][1]-u/2:n[0][1]-u/2})).attr("width",(function(t){return"n"===t.type||"s"===t.type?n[1][0]-n[0][0]+u:u})).attr("height",(function(t){return"e"===t.type||"w"===t.type?n[1][1]-n[0][1]+u:u}))):t.selectAll(".selection,.handle").style("display","none").attr("x",null).attr("y",null).attr("width",null).attr("height",null)}function s(t,n,e){var r=t.__brush.emitter;return!r||e&&r.clean?new l(t,n,e):r}function l(t,n,e){this.that=t,this.args=n,this.state=t.__brush,this.active=0,this.clean=e}function h(e){if((!n||e.touches)&&r.apply(this,arguments)){var i,a,u,c,l,h,d,p,g,y,v,_=this,b=e.target.__data__.type,m="selection"===(o&&e.metaKey?b="overlay":b)?ta:o&&e.altKey?ra:ea,x=t===sa?null:ga[b],w=t===fa?null:ya[b],M=xa(_),T=M.extent,A=M.selection,S=T[0][0],E=T[0][1],N=T[1][0],k=T[1][1],C=0,P=0,z=x&&w&&o&&e.shiftKey,$=Array.from(e.touches||[e],(t=>{const n=t.identifier;return(t=ne(t,_)).point0=t.slice(),t.identifier=n,t}));Gi(_);var D=s(_,arguments,!0).beforestart();if("overlay"===b){A&&(g=!0);const n=[$[0],$[1]||$[0]];M.selection=A=[[i=t===sa?S:aa(n[0][0],n[1][0]),u=t===fa?E:aa(n[0][1],n[1][1])],[l=t===sa?N:oa(n[0][0],n[1][0]),d=t===fa?k:oa(n[0][1],n[1][1])]],$.length>1&&I(e)}else i=A[0][0],u=A[0][1],l=A[1][0],d=A[1][1];a=i,c=u,h=l,p=d;var R=Zn(_).attr("pointer-events","none"),F=R.selectAll(".overlay").attr("cursor",ha[b]);if(e.touches)D.moved=U,D.ended=O;else{var q=Zn(e.view).on("mousemove.brush",U,!0).on("mouseup.brush",O,!0);o&&q.on("keydown.brush",(function(t){switch(t.keyCode){case 16:z=x&&w;break;case 18:m===ea&&(x&&(l=h-C*x,i=a+C*x),w&&(d=p-P*w,u=c+P*w),m=ra,I(t));break;case 32:m!==ea&&m!==ra||(x<0?l=h-C:x>0&&(i=a-C),w<0?d=p-P:w>0&&(u=c-P),m=na,F.attr("cursor",ha.selection),I(t));break;default:return}Jo(t)}),!0).on("keyup.brush",(function(t){switch(t.keyCode){case 16:z&&(y=v=z=!1,I(t));break;case 18:m===ra&&(x<0?l=h:x>0&&(i=a),w<0?d=p:w>0&&(u=c),m=ea,I(t));break;case 32:m===na&&(t.altKey?(x&&(l=h-C*x,i=a+C*x),w&&(d=p-P*w,u=c+P*w),m=ra):(x<0?l=h:x>0&&(i=a),w<0?d=p:w>0&&(u=c),m=ea),F.attr("cursor",ha[b]),I(t));break;default:return}Jo(t)}),!0),ae(e.view)}f.call(_),D.start(e,m.name)}function U(t){for(const n of t.changedTouches||[t])for(const t of $)t.identifier===n.identifier&&(t.cur=ne(n,_));if(z&&!y&&!v&&1===$.length){const t=$[0];ia(t.cur[0]-t[0])>ia(t.cur[1]-t[1])?v=!0:y=!0}for(const t of $)t.cur&&(t[0]=t.cur[0],t[1]=t.cur[1]);g=!0,Jo(t),I(t)}function I(t){const n=$[0],e=n.point0;var r;switch(C=n[0]-e[0],P=n[1]-e[1],m){case na:case ta:x&&(C=oa(S-i,aa(N-l,C)),a=i+C,h=l+C),w&&(P=oa(E-u,aa(k-d,P)),c=u+P,p=d+P);break;case ea:$[1]?(x&&(a=oa(S,aa(N,$[0][0])),h=oa(S,aa(N,$[1][0])),x=1),w&&(c=oa(E,aa(k,$[0][1])),p=oa(E,aa(k,$[1][1])),w=1)):(x<0?(C=oa(S-i,aa(N-i,C)),a=i+C,h=l):x>0&&(C=oa(S-l,aa(N-l,C)),a=i,h=l+C),w<0?(P=oa(E-u,aa(k-u,P)),c=u+P,p=d):w>0&&(P=oa(E-d,aa(k-d,P)),c=u,p=d+P));break;case ra:x&&(a=oa(S,aa(N,i-C*x)),h=oa(S,aa(N,l+C*x))),w&&(c=oa(E,aa(k,u-P*w)),p=oa(E,aa(k,d+P*w)))}ht+e))}function za(t,n){var e=0,r=null,i=null,o=null;function a(a){var u,c=a.length,f=new Array(c),s=Pa(0,c),l=new Array(c*c),h=new Array(c),d=0;a=Float64Array.from({length:c*c},n?(t,n)=>a[n%c][n/c|0]:(t,n)=>a[n/c|0][n%c]);for(let n=0;nr(f[t],f[n])));for(const e of s){const r=n;if(t){const t=Pa(1+~c,c).filter((t=>t<0?a[~t*c+e]:a[e*c+t]));i&&t.sort(((t,n)=>i(t<0?-a[~t*c+e]:a[e*c+t],n<0?-a[~n*c+e]:a[e*c+n])));for(const r of t)if(r<0){(l[~r*c+e]||(l[~r*c+e]={source:null,target:null})).target={index:e,startAngle:n,endAngle:n+=a[~r*c+e]*d,value:a[~r*c+e]}}else{(l[e*c+r]||(l[e*c+r]={source:null,target:null})).source={index:e,startAngle:n,endAngle:n+=a[e*c+r]*d,value:a[e*c+r]}}h[e]={index:e,startAngle:r,endAngle:n,value:f[e]}}else{const t=Pa(0,c).filter((t=>a[e*c+t]||a[t*c+e]));i&&t.sort(((t,n)=>i(a[e*c+t],a[e*c+n])));for(const r of t){let t;if(e=0))throw new Error(`invalid digits: ${t}`);if(n>15)return qa;const e=10**n;return function(t){this._+=t[0];for(let n=1,r=t.length;nRa)if(Math.abs(s*u-c*f)>Ra&&i){let h=e-o,d=r-a,p=u*u+c*c,g=h*h+d*d,y=Math.sqrt(p),v=Math.sqrt(l),_=i*Math.tan(($a-Math.acos((p+l-g)/(2*y*v)))/2),b=_/v,m=_/y;Math.abs(b-1)>Ra&&this._append`L${t+b*f},${n+b*s}`,this._append`A${i},${i},0,0,${+(s*h>f*d)},${this._x1=t+m*u},${this._y1=n+m*c}`}else this._append`L${this._x1=t},${this._y1=n}`;else;}arc(t,n,e,r,i,o){if(t=+t,n=+n,o=!!o,(e=+e)<0)throw new Error(`negative radius: ${e}`);let a=e*Math.cos(r),u=e*Math.sin(r),c=t+a,f=n+u,s=1^o,l=o?r-i:i-r;null===this._x1?this._append`M${c},${f}`:(Math.abs(this._x1-c)>Ra||Math.abs(this._y1-f)>Ra)&&this._append`L${c},${f}`,e&&(l<0&&(l=l%Da+Da),l>Fa?this._append`A${e},${e},0,1,${s},${t-a},${n-u}A${e},${e},0,1,${s},${this._x1=c},${this._y1=f}`:l>Ra&&this._append`A${e},${e},0,${+(l>=$a)},${s},${this._x1=t+e*Math.cos(i)},${this._y1=n+e*Math.sin(i)}`)}rect(t,n,e,r){this._append`M${this._x0=this._x1=+t},${this._y0=this._y1=+n}h${e=+e}v${+r}h${-e}Z`}toString(){return this._}};function Ia(){return new Ua}Ia.prototype=Ua.prototype;var Oa=Array.prototype.slice;function Ba(t){return function(){return t}}function Ya(t){return t.source}function La(t){return t.target}function ja(t){return t.radius}function Ha(t){return t.startAngle}function Xa(t){return t.endAngle}function Ga(){return 0}function Va(){return 10}function Wa(t){var n=Ya,e=La,r=ja,i=ja,o=Ha,a=Xa,u=Ga,c=null;function f(){var f,s=n.apply(this,arguments),l=e.apply(this,arguments),h=u.apply(this,arguments)/2,d=Oa.call(arguments),p=+r.apply(this,(d[0]=s,d)),g=o.apply(this,d)-Ea,y=a.apply(this,d)-Ea,v=+i.apply(this,(d[0]=l,d)),_=o.apply(this,d)-Ea,b=a.apply(this,d)-Ea;if(c||(c=f=Ia()),h>Ca&&(Ma(y-g)>2*h+Ca?y>g?(g+=h,y-=h):(g-=h,y+=h):g=y=(g+y)/2,Ma(b-_)>2*h+Ca?b>_?(_+=h,b-=h):(_-=h,b+=h):_=b=(_+b)/2),c.moveTo(p*Ta(g),p*Aa(g)),c.arc(0,0,p,g,y),g!==_||y!==b)if(t){var m=v-+t.apply(this,arguments),x=(_+b)/2;c.quadraticCurveTo(0,0,m*Ta(_),m*Aa(_)),c.lineTo(v*Ta(x),v*Aa(x)),c.lineTo(m*Ta(b),m*Aa(b))}else c.quadraticCurveTo(0,0,v*Ta(_),v*Aa(_)),c.arc(0,0,v,_,b);if(c.quadraticCurveTo(0,0,p*Ta(g),p*Aa(g)),c.closePath(),f)return c=null,f+""||null}return t&&(f.headRadius=function(n){return arguments.length?(t="function"==typeof n?n:Ba(+n),f):t}),f.radius=function(t){return arguments.length?(r=i="function"==typeof t?t:Ba(+t),f):r},f.sourceRadius=function(t){return arguments.length?(r="function"==typeof t?t:Ba(+t),f):r},f.targetRadius=function(t){return arguments.length?(i="function"==typeof t?t:Ba(+t),f):i},f.startAngle=function(t){return arguments.length?(o="function"==typeof t?t:Ba(+t),f):o},f.endAngle=function(t){return arguments.length?(a="function"==typeof t?t:Ba(+t),f):a},f.padAngle=function(t){return arguments.length?(u="function"==typeof t?t:Ba(+t),f):u},f.source=function(t){return arguments.length?(n=t,f):n},f.target=function(t){return arguments.length?(e=t,f):e},f.context=function(t){return arguments.length?(c=null==t?null:t,f):c},f}var Za=Array.prototype.slice;function Ka(t,n){return t-n}var Qa=t=>()=>t;function Ja(t,n){for(var e,r=-1,i=n.length;++rr!=d>r&&e<(h-f)*(r-s)/(d-s)+f&&(i=-i)}return i}function nu(t,n,e){var r,i,o,a;return function(t,n,e){return(n[0]-t[0])*(e[1]-t[1])==(e[0]-t[0])*(n[1]-t[1])}(t,n,e)&&(i=t[r=+(t[0]===n[0])],o=e[r],a=n[r],i<=o&&o<=a||a<=o&&o<=i)}function eu(){}var ru=[[],[[[1,1.5],[.5,1]]],[[[1.5,1],[1,1.5]]],[[[1.5,1],[.5,1]]],[[[1,.5],[1.5,1]]],[[[1,1.5],[.5,1]],[[1,.5],[1.5,1]]],[[[1,.5],[1,1.5]]],[[[1,.5],[.5,1]]],[[[.5,1],[1,.5]]],[[[1,1.5],[1,.5]]],[[[.5,1],[1,.5]],[[1.5,1],[1,1.5]]],[[[1.5,1],[1,.5]]],[[[.5,1],[1.5,1]]],[[[1,1.5],[1.5,1]]],[[[.5,1],[1,1.5]]],[]];function iu(){var t=1,n=1,e=K,r=u;function i(t){var n=e(t);if(Array.isArray(n))n=n.slice().sort(Ka);else{const e=M(t,ou);for(n=G(...Z(e[0],e[1],n),n);n[n.length-1]>=e[1];)n.pop();for(;n[1]o(t,n)))}function o(e,i){const o=null==i?NaN:+i;if(isNaN(o))throw new Error(`invalid value: ${i}`);var u=[],c=[];return function(e,r,i){var o,u,c,f,s,l,h=new Array,d=new Array;o=u=-1,f=au(e[0],r),ru[f<<1].forEach(p);for(;++o=r,ru[s<<2].forEach(p);for(;++o0?u.push([t]):c.push(t)})),c.forEach((function(t){for(var n,e=0,r=u.length;e0&&o0&&a=0&&o>=0))throw new Error("invalid size");return t=r,n=o,i},i.thresholds=function(t){return arguments.length?(e="function"==typeof t?t:Array.isArray(t)?Qa(Za.call(t)):Qa(t),i):e},i.smooth=function(t){return arguments.length?(r=t?u:eu,i):r===u},i}function ou(t){return isFinite(t)?t:NaN}function au(t,n){return null!=t&&+t>=n}function uu(t){return null==t||isNaN(t=+t)?-1/0:t}function cu(t,n,e,r){const i=r-n,o=e-n,a=isFinite(i)||isFinite(o)?i/o:Math.sign(i)/Math.sign(o);return isNaN(a)?t:t+a-.5}function fu(t){return t[0]}function su(t){return t[1]}function lu(){return 1}const hu=134217729,du=33306690738754706e-32;function pu(t,n,e,r,i){let o,a,u,c,f=n[0],s=r[0],l=0,h=0;s>f==s>-f?(o=f,f=n[++l]):(o=s,s=r[++h]);let d=0;if(lf==s>-f?(a=f+o,u=o-(a-f),f=n[++l]):(a=s+o,u=o-(a-s),s=r[++h]),o=a,0!==u&&(i[d++]=u);lf==s>-f?(a=o+f,c=a-o,u=o-(a-c)+(f-c),f=n[++l]):(a=o+s,c=a-o,u=o-(a-c)+(s-c),s=r[++h]),o=a,0!==u&&(i[d++]=u);for(;l=33306690738754716e-32*f?c:-function(t,n,e,r,i,o,a){let u,c,f,s,l,h,d,p,g,y,v,_,b,m,x,w,M,T;const A=t-i,S=e-i,E=n-o,N=r-o;m=A*N,h=hu*A,d=h-(h-A),p=A-d,h=hu*N,g=h-(h-N),y=N-g,x=p*y-(m-d*g-p*g-d*y),w=E*S,h=hu*E,d=h-(h-E),p=E-d,h=hu*S,g=h-(h-S),y=S-g,M=p*y-(w-d*g-p*g-d*y),v=x-M,l=x-v,_u[0]=x-(v+l)+(l-M),_=m+v,l=_-m,b=m-(_-l)+(v-l),v=b-w,l=b-v,_u[1]=b-(v+l)+(l-w),T=_+v,l=T-_,_u[2]=_-(T-l)+(v-l),_u[3]=T;let k=function(t,n){let e=n[0];for(let r=1;r=C||-k>=C)return k;if(l=t-A,u=t-(A+l)+(l-i),l=e-S,f=e-(S+l)+(l-i),l=n-E,c=n-(E+l)+(l-o),l=r-N,s=r-(N+l)+(l-o),0===u&&0===c&&0===f&&0===s)return k;if(C=vu*a+du*Math.abs(k),k+=A*s+N*u-(E*f+S*c),k>=C||-k>=C)return k;m=u*N,h=hu*u,d=h-(h-u),p=u-d,h=hu*N,g=h-(h-N),y=N-g,x=p*y-(m-d*g-p*g-d*y),w=c*S,h=hu*c,d=h-(h-c),p=c-d,h=hu*S,g=h-(h-S),y=S-g,M=p*y-(w-d*g-p*g-d*y),v=x-M,l=x-v,wu[0]=x-(v+l)+(l-M),_=m+v,l=_-m,b=m-(_-l)+(v-l),v=b-w,l=b-v,wu[1]=b-(v+l)+(l-w),T=_+v,l=T-_,wu[2]=_-(T-l)+(v-l),wu[3]=T;const P=pu(4,_u,4,wu,bu);m=A*s,h=hu*A,d=h-(h-A),p=A-d,h=hu*s,g=h-(h-s),y=s-g,x=p*y-(m-d*g-p*g-d*y),w=E*f,h=hu*E,d=h-(h-E),p=E-d,h=hu*f,g=h-(h-f),y=f-g,M=p*y-(w-d*g-p*g-d*y),v=x-M,l=x-v,wu[0]=x-(v+l)+(l-M),_=m+v,l=_-m,b=m-(_-l)+(v-l),v=b-w,l=b-v,wu[1]=b-(v+l)+(l-w),T=_+v,l=T-_,wu[2]=_-(T-l)+(v-l),wu[3]=T;const z=pu(P,bu,4,wu,mu);m=u*s,h=hu*u,d=h-(h-u),p=u-d,h=hu*s,g=h-(h-s),y=s-g,x=p*y-(m-d*g-p*g-d*y),w=c*f,h=hu*c,d=h-(h-c),p=c-d,h=hu*f,g=h-(h-f),y=f-g,M=p*y-(w-d*g-p*g-d*y),v=x-M,l=x-v,wu[0]=x-(v+l)+(l-M),_=m+v,l=_-m,b=m-(_-l)+(v-l),v=b-w,l=b-v,wu[1]=b-(v+l)+(l-w),T=_+v,l=T-_,wu[2]=_-(T-l)+(v-l),wu[3]=T;const $=pu(z,mu,4,wu,xu);return xu[$-1]}(t,n,e,r,i,o,f)}const Tu=Math.pow(2,-52),Au=new Uint32Array(512);class Su{static from(t,n=zu,e=$u){const r=t.length,i=new Float64Array(2*r);for(let o=0;o>1;if(n>0&&"number"!=typeof t[0])throw new Error("Expected coords to contain numbers.");this.coords=t;const e=Math.max(2*n-5,0);this._triangles=new Uint32Array(3*e),this._halfedges=new Int32Array(3*e),this._hashSize=Math.ceil(Math.sqrt(n)),this._hullPrev=new Uint32Array(n),this._hullNext=new Uint32Array(n),this._hullTri=new Uint32Array(n),this._hullHash=new Int32Array(this._hashSize).fill(-1),this._ids=new Uint32Array(n),this._dists=new Float64Array(n),this.update()}update(){const{coords:t,_hullPrev:n,_hullNext:e,_hullTri:r,_hullHash:i}=this,o=t.length>>1;let a=1/0,u=1/0,c=-1/0,f=-1/0;for(let n=0;nc&&(c=e),r>f&&(f=r),this._ids[n]=n}const s=(a+c)/2,l=(u+f)/2;let h,d,p,g=1/0;for(let n=0;n0&&(d=n,g=e)}let _=t[2*d],b=t[2*d+1],m=1/0;for(let n=0;nr&&(n[e++]=i,r=this._dists[i])}return this.hull=n.subarray(0,e),this.triangles=new Uint32Array(0),void(this.halfedges=new Uint32Array(0))}if(Mu(y,v,_,b,x,w)<0){const t=d,n=_,e=b;d=p,_=x,b=w,p=t,x=n,w=e}const M=function(t,n,e,r,i,o){const a=e-t,u=r-n,c=i-t,f=o-n,s=a*a+u*u,l=c*c+f*f,h=.5/(a*f-u*c),d=t+(f*s-u*l)*h,p=n+(a*l-c*s)*h;return{x:d,y:p}}(y,v,_,b,x,w);this._cx=M.x,this._cy=M.y;for(let n=0;n0&&Math.abs(f-o)<=Tu&&Math.abs(s-a)<=Tu)continue;if(o=f,a=s,c===h||c===d||c===p)continue;let l=0;for(let t=0,n=this._hashKey(f,s);t=0;)if(y=g,y===l){y=-1;break}if(-1===y)continue;let v=this._addTriangle(y,c,e[y],-1,-1,r[y]);r[c]=this._legalize(v+2),r[y]=v,T++;let _=e[y];for(;g=e[_],Mu(f,s,t[2*_],t[2*_+1],t[2*g],t[2*g+1])<0;)v=this._addTriangle(_,c,g,r[c],-1,r[_]),r[c]=this._legalize(v+2),e[_]=_,T--,_=g;if(y===l)for(;g=n[y],Mu(f,s,t[2*g],t[2*g+1],t[2*y],t[2*y+1])<0;)v=this._addTriangle(g,c,y,-1,r[y],r[g]),this._legalize(v+2),r[g]=v,e[y]=y,T--,y=g;this._hullStart=n[c]=y,e[y]=n[_]=c,e[c]=_,i[this._hashKey(f,s)]=c,i[this._hashKey(t[2*y],t[2*y+1])]=y}this.hull=new Uint32Array(T);for(let t=0,n=this._hullStart;t0?3-e:1+e)/4}(t-this._cx,n-this._cy)*this._hashSize)%this._hashSize}_legalize(t){const{_triangles:n,_halfedges:e,coords:r}=this;let i=0,o=0;for(;;){const a=e[t],u=t-t%3;if(o=u+(t+2)%3,-1===a){if(0===i)break;t=Au[--i];continue}const c=a-a%3,f=u+(t+1)%3,s=c+(a+2)%3,l=n[o],h=n[t],d=n[f],p=n[s];if(Nu(r[2*l],r[2*l+1],r[2*h],r[2*h+1],r[2*d],r[2*d+1],r[2*p],r[2*p+1])){n[t]=p,n[a]=l;const r=e[s];if(-1===r){let n=this._hullStart;do{if(this._hullTri[n]===s){this._hullTri[n]=t;break}n=this._hullPrev[n]}while(n!==this._hullStart)}this._link(t,r),this._link(a,e[o]),this._link(o,s);const u=c+(a+1)%3;i=e&&n[t[a]]>o;)t[a+1]=t[a--];t[a+1]=r}else{let i=e+1,o=r;Pu(t,e+r>>1,i),n[t[e]]>n[t[r]]&&Pu(t,e,r),n[t[i]]>n[t[r]]&&Pu(t,i,r),n[t[e]]>n[t[i]]&&Pu(t,e,i);const a=t[i],u=n[a];for(;;){do{i++}while(n[t[i]]u);if(o=o-e?(Cu(t,n,i,r),Cu(t,n,e,o-1)):(Cu(t,n,e,o-1),Cu(t,n,i,r))}}function Pu(t,n,e){const r=t[n];t[n]=t[e],t[e]=r}function zu(t){return t[0]}function $u(t){return t[1]}const Du=1e-6;class Ru{constructor(){this._x0=this._y0=this._x1=this._y1=null,this._=""}moveTo(t,n){this._+=`M${this._x0=this._x1=+t},${this._y0=this._y1=+n}`}closePath(){null!==this._x1&&(this._x1=this._x0,this._y1=this._y0,this._+="Z")}lineTo(t,n){this._+=`L${this._x1=+t},${this._y1=+n}`}arc(t,n,e){const r=(t=+t)+(e=+e),i=n=+n;if(e<0)throw new Error("negative radius");null===this._x1?this._+=`M${r},${i}`:(Math.abs(this._x1-r)>Du||Math.abs(this._y1-i)>Du)&&(this._+="L"+r+","+i),e&&(this._+=`A${e},${e},0,1,1,${t-e},${n}A${e},${e},0,1,1,${this._x1=r},${this._y1=i}`)}rect(t,n,e,r){this._+=`M${this._x0=this._x1=+t},${this._y0=this._y1=+n}h${+e}v${+r}h${-e}Z`}value(){return this._||null}}class Fu{constructor(){this._=[]}moveTo(t,n){this._.push([t,n])}closePath(){this._.push(this._[0].slice())}lineTo(t,n){this._.push([t,n])}value(){return this._.length?this._:null}}class qu{constructor(t,[n,e,r,i]=[0,0,960,500]){if(!((r=+r)>=(n=+n)&&(i=+i)>=(e=+e)))throw new Error("invalid bounds");this.delaunay=t,this._circumcenters=new Float64Array(2*t.points.length),this.vectors=new Float64Array(2*t.points.length),this.xmax=r,this.xmin=n,this.ymax=i,this.ymin=e,this._init()}update(){return this.delaunay.update(),this._init(),this}_init(){const{delaunay:{points:t,hull:n,triangles:e},vectors:r}=this;let i,o;const a=this.circumcenters=this._circumcenters.subarray(0,e.length/3*2);for(let r,u,c=0,f=0,s=e.length;c1;)i-=2;for(let t=2;t0){if(n>=this.ymax)return null;(i=(this.ymax-n)/r)0){if(t>=this.xmax)return null;(i=(this.xmax-t)/e)this.xmax?2:0)|(nthis.ymax?8:0)}_simplify(t){if(t&&t.length>4){for(let n=0;n2&&function(t){const{triangles:n,coords:e}=t;for(let t=0;t1e-10)return!1}return!0}(t)){this.collinear=Int32Array.from({length:n.length/2},((t,n)=>n)).sort(((t,e)=>n[2*t]-n[2*e]||n[2*t+1]-n[2*e+1]));const t=this.collinear[0],e=this.collinear[this.collinear.length-1],r=[n[2*t],n[2*t+1],n[2*e],n[2*e+1]],i=1e-8*Math.hypot(r[3]-r[1],r[2]-r[0]);for(let t=0,e=n.length/2;t0&&(this.triangles=new Int32Array(3).fill(-1),this.halfedges=new Int32Array(3).fill(-1),this.triangles[0]=r[0],o[r[0]]=1,2===r.length&&(o[r[1]]=0,this.triangles[1]=r[1],this.triangles[2]=r[1]))}voronoi(t){return new qu(this,t)}*neighbors(t){const{inedges:n,hull:e,_hullIndex:r,halfedges:i,triangles:o,collinear:a}=this;if(a){const n=a.indexOf(t);return n>0&&(yield a[n-1]),void(n=0&&i!==e&&i!==r;)e=i;return i}_step(t,n,e){const{inedges:r,hull:i,_hullIndex:o,halfedges:a,triangles:u,points:c}=this;if(-1===r[t]||!c.length)return(t+1)%(c.length>>1);let f=t,s=Iu(n-c[2*t],2)+Iu(e-c[2*t+1],2);const l=r[t];let h=l;do{let r=u[h];const l=Iu(n-c[2*r],2)+Iu(e-c[2*r+1],2);if(l9999?"+"+Ku(n,6):Ku(n,4))+"-"+Ku(t.getUTCMonth()+1,2)+"-"+Ku(t.getUTCDate(),2)+(o?"T"+Ku(e,2)+":"+Ku(r,2)+":"+Ku(i,2)+"."+Ku(o,3)+"Z":i?"T"+Ku(e,2)+":"+Ku(r,2)+":"+Ku(i,2)+"Z":r||e?"T"+Ku(e,2)+":"+Ku(r,2)+"Z":"")}function Ju(t){var n=new RegExp('["'+t+"\n\r]"),e=t.charCodeAt(0);function r(t,n){var r,i=[],o=t.length,a=0,u=0,c=o<=0,f=!1;function s(){if(c)return Hu;if(f)return f=!1,ju;var n,r,i=a;if(t.charCodeAt(i)===Xu){for(;a++=o?c=!0:(r=t.charCodeAt(a++))===Gu?f=!0:r===Vu&&(f=!0,t.charCodeAt(a)===Gu&&++a),t.slice(i+1,n-1).replace(/""/g,'"')}for(;amc(n,e).then((n=>(new DOMParser).parseFromString(n,t)))}var Sc=Ac("application/xml"),Ec=Ac("text/html"),Nc=Ac("image/svg+xml");function kc(t,n,e,r){if(isNaN(n)||isNaN(e))return t;var i,o,a,u,c,f,s,l,h,d=t._root,p={data:r},g=t._x0,y=t._y0,v=t._x1,_=t._y1;if(!d)return t._root=p,t;for(;d.length;)if((f=n>=(o=(g+v)/2))?g=o:v=o,(s=e>=(a=(y+_)/2))?y=a:_=a,i=d,!(d=d[l=s<<1|f]))return i[l]=p,t;if(u=+t._x.call(null,d.data),c=+t._y.call(null,d.data),n===u&&e===c)return p.next=d,i?i[l]=p:t._root=p,t;do{i=i?i[l]=new Array(4):t._root=new Array(4),(f=n>=(o=(g+v)/2))?g=o:v=o,(s=e>=(a=(y+_)/2))?y=a:_=a}while((l=s<<1|f)==(h=(c>=a)<<1|u>=o));return i[h]=d,i[l]=p,t}function Cc(t,n,e,r,i){this.node=t,this.x0=n,this.y0=e,this.x1=r,this.y1=i}function Pc(t){return t[0]}function zc(t){return t[1]}function $c(t,n,e){var r=new Dc(null==n?Pc:n,null==e?zc:e,NaN,NaN,NaN,NaN);return null==t?r:r.addAll(t)}function Dc(t,n,e,r,i,o){this._x=t,this._y=n,this._x0=e,this._y0=r,this._x1=i,this._y1=o,this._root=void 0}function Rc(t){for(var n={data:t.data},e=n;t=t.next;)e=e.next={data:t.data};return n}var Fc=$c.prototype=Dc.prototype;function qc(t){return function(){return t}}function Uc(t){return 1e-6*(t()-.5)}function Ic(t){return t.x+t.vx}function Oc(t){return t.y+t.vy}function Bc(t){return t.index}function Yc(t,n){var e=t.get(n);if(!e)throw new Error("node not found: "+n);return e}Fc.copy=function(){var t,n,e=new Dc(this._x,this._y,this._x0,this._y0,this._x1,this._y1),r=this._root;if(!r)return e;if(!r.length)return e._root=Rc(r),e;for(t=[{source:r,target:e._root=new Array(4)}];r=t.pop();)for(var i=0;i<4;++i)(n=r.source[i])&&(n.length?t.push({source:n,target:r.target[i]=new Array(4)}):r.target[i]=Rc(n));return e},Fc.add=function(t){const n=+this._x.call(null,t),e=+this._y.call(null,t);return kc(this.cover(n,e),n,e,t)},Fc.addAll=function(t){var n,e,r,i,o=t.length,a=new Array(o),u=new Array(o),c=1/0,f=1/0,s=-1/0,l=-1/0;for(e=0;es&&(s=r),il&&(l=i));if(c>s||f>l)return this;for(this.cover(c,f).cover(s,l),e=0;et||t>=i||r>n||n>=o;)switch(u=(nh||(o=c.y0)>d||(a=c.x1)=v)<<1|t>=y)&&(c=p[p.length-1],p[p.length-1]=p[p.length-1-f],p[p.length-1-f]=c)}else{var _=t-+this._x.call(null,g.data),b=n-+this._y.call(null,g.data),m=_*_+b*b;if(m=(u=(p+y)/2))?p=u:y=u,(s=a>=(c=(g+v)/2))?g=c:v=c,n=d,!(d=d[l=s<<1|f]))return this;if(!d.length)break;(n[l+1&3]||n[l+2&3]||n[l+3&3])&&(e=n,h=l)}for(;d.data!==t;)if(r=d,!(d=d.next))return this;return(i=d.next)&&delete d.next,r?(i?r.next=i:delete r.next,this):n?(i?n[l]=i:delete n[l],(d=n[0]||n[1]||n[2]||n[3])&&d===(n[3]||n[2]||n[1]||n[0])&&!d.length&&(e?e[h]=d:this._root=d),this):(this._root=i,this)},Fc.removeAll=function(t){for(var n=0,e=t.length;n1?r[0]+r.slice(2):r,+t.slice(e+1)]}function Zc(t){return(t=Wc(Math.abs(t)))?t[1]:NaN}var Kc,Qc=/^(?:(.)?([<>=^]))?([+\-( ])?([$#])?(0)?(\d+)?(,)?(\.\d+)?(~)?([a-z%])?$/i;function Jc(t){if(!(n=Qc.exec(t)))throw new Error("invalid format: "+t);var n;return new tf({fill:n[1],align:n[2],sign:n[3],symbol:n[4],zero:n[5],width:n[6],comma:n[7],precision:n[8]&&n[8].slice(1),trim:n[9],type:n[10]})}function tf(t){this.fill=void 0===t.fill?" ":t.fill+"",this.align=void 0===t.align?">":t.align+"",this.sign=void 0===t.sign?"-":t.sign+"",this.symbol=void 0===t.symbol?"":t.symbol+"",this.zero=!!t.zero,this.width=void 0===t.width?void 0:+t.width,this.comma=!!t.comma,this.precision=void 0===t.precision?void 0:+t.precision,this.trim=!!t.trim,this.type=void 0===t.type?"":t.type+""}function nf(t,n){var e=Wc(t,n);if(!e)return t+"";var r=e[0],i=e[1];return i<0?"0."+new Array(-i).join("0")+r:r.length>i+1?r.slice(0,i+1)+"."+r.slice(i+1):r+new Array(i-r.length+2).join("0")}Jc.prototype=tf.prototype,tf.prototype.toString=function(){return this.fill+this.align+this.sign+this.symbol+(this.zero?"0":"")+(void 0===this.width?"":Math.max(1,0|this.width))+(this.comma?",":"")+(void 0===this.precision?"":"."+Math.max(0,0|this.precision))+(this.trim?"~":"")+this.type};var ef={"%":(t,n)=>(100*t).toFixed(n),b:t=>Math.round(t).toString(2),c:t=>t+"",d:function(t){return Math.abs(t=Math.round(t))>=1e21?t.toLocaleString("en").replace(/,/g,""):t.toString(10)},e:(t,n)=>t.toExponential(n),f:(t,n)=>t.toFixed(n),g:(t,n)=>t.toPrecision(n),o:t=>Math.round(t).toString(8),p:(t,n)=>nf(100*t,n),r:nf,s:function(t,n){var e=Wc(t,n);if(!e)return t+"";var r=e[0],i=e[1],o=i-(Kc=3*Math.max(-8,Math.min(8,Math.floor(i/3))))+1,a=r.length;return o===a?r:o>a?r+new Array(o-a+1).join("0"):o>0?r.slice(0,o)+"."+r.slice(o):"0."+new Array(1-o).join("0")+Wc(t,Math.max(0,n+o-1))[0]},X:t=>Math.round(t).toString(16).toUpperCase(),x:t=>Math.round(t).toString(16)};function rf(t){return t}var of,af=Array.prototype.map,uf=["y","z","a","f","p","n","µ","m","","k","M","G","T","P","E","Z","Y"];function cf(t){var n,e,r=void 0===t.grouping||void 0===t.thousands?rf:(n=af.call(t.grouping,Number),e=t.thousands+"",function(t,r){for(var i=t.length,o=[],a=0,u=n[0],c=0;i>0&&u>0&&(c+u+1>r&&(u=Math.max(1,r-c)),o.push(t.substring(i-=u,i+u)),!((c+=u+1)>r));)u=n[a=(a+1)%n.length];return o.reverse().join(e)}),i=void 0===t.currency?"":t.currency[0]+"",o=void 0===t.currency?"":t.currency[1]+"",a=void 0===t.decimal?".":t.decimal+"",u=void 0===t.numerals?rf:function(t){return function(n){return n.replace(/[0-9]/g,(function(n){return t[+n]}))}}(af.call(t.numerals,String)),c=void 0===t.percent?"%":t.percent+"",f=void 0===t.minus?"−":t.minus+"",s=void 0===t.nan?"NaN":t.nan+"";function l(t){var n=(t=Jc(t)).fill,e=t.align,l=t.sign,h=t.symbol,d=t.zero,p=t.width,g=t.comma,y=t.precision,v=t.trim,_=t.type;"n"===_?(g=!0,_="g"):ef[_]||(void 0===y&&(y=12),v=!0,_="g"),(d||"0"===n&&"="===e)&&(d=!0,n="0",e="=");var b="$"===h?i:"#"===h&&/[boxX]/.test(_)?"0"+_.toLowerCase():"",m="$"===h?o:/[%p]/.test(_)?c:"",x=ef[_],w=/[defgprs%]/.test(_);function M(t){var i,o,c,h=b,M=m;if("c"===_)M=x(t)+M,t="";else{var T=(t=+t)<0||1/t<0;if(t=isNaN(t)?s:x(Math.abs(t),y),v&&(t=function(t){t:for(var n,e=t.length,r=1,i=-1;r0&&(i=0)}return i>0?t.slice(0,i)+t.slice(n+1):t}(t)),T&&0==+t&&"+"!==l&&(T=!1),h=(T?"("===l?l:f:"-"===l||"("===l?"":l)+h,M=("s"===_?uf[8+Kc/3]:"")+M+(T&&"("===l?")":""),w)for(i=-1,o=t.length;++i(c=t.charCodeAt(i))||c>57){M=(46===c?a+t.slice(i+1):t.slice(i))+M,t=t.slice(0,i);break}}g&&!d&&(t=r(t,1/0));var A=h.length+t.length+M.length,S=A>1)+h+t+M+S.slice(A);break;default:t=S+h+t+M}return u(t)}return y=void 0===y?6:/[gprs]/.test(_)?Math.max(1,Math.min(21,y)):Math.max(0,Math.min(20,y)),M.toString=function(){return t+""},M}return{format:l,formatPrefix:function(t,n){var e=l(((t=Jc(t)).type="f",t)),r=3*Math.max(-8,Math.min(8,Math.floor(Zc(n)/3))),i=Math.pow(10,-r),o=uf[8+r/3];return function(t){return e(i*t)+o}}}}function ff(n){return of=cf(n),t.format=of.format,t.formatPrefix=of.formatPrefix,of}function sf(t){return Math.max(0,-Zc(Math.abs(t)))}function lf(t,n){return Math.max(0,3*Math.max(-8,Math.min(8,Math.floor(Zc(n)/3)))-Zc(Math.abs(t)))}function hf(t,n){return t=Math.abs(t),n=Math.abs(n)-t,Math.max(0,Zc(n)-Zc(t))+1}t.format=void 0,t.formatPrefix=void 0,ff({thousands:",",grouping:[3],currency:["$",""]});var df=1e-6,pf=1e-12,gf=Math.PI,yf=gf/2,vf=gf/4,_f=2*gf,bf=180/gf,mf=gf/180,xf=Math.abs,wf=Math.atan,Mf=Math.atan2,Tf=Math.cos,Af=Math.ceil,Sf=Math.exp,Ef=Math.hypot,Nf=Math.log,kf=Math.pow,Cf=Math.sin,Pf=Math.sign||function(t){return t>0?1:t<0?-1:0},zf=Math.sqrt,$f=Math.tan;function Df(t){return t>1?0:t<-1?gf:Math.acos(t)}function Rf(t){return t>1?yf:t<-1?-yf:Math.asin(t)}function Ff(t){return(t=Cf(t/2))*t}function qf(){}function Uf(t,n){t&&Of.hasOwnProperty(t.type)&&Of[t.type](t,n)}var If={Feature:function(t,n){Uf(t.geometry,n)},FeatureCollection:function(t,n){for(var e=t.features,r=-1,i=e.length;++r=0?1:-1,i=r*e,o=Tf(n=(n*=mf)/2+vf),a=Cf(n),u=Vf*a,c=Gf*o+u*Tf(i),f=u*r*Cf(i);as.add(Mf(f,c)),Xf=t,Gf=o,Vf=a}function ds(t){return[Mf(t[1],t[0]),Rf(t[2])]}function ps(t){var n=t[0],e=t[1],r=Tf(e);return[r*Tf(n),r*Cf(n),Cf(e)]}function gs(t,n){return t[0]*n[0]+t[1]*n[1]+t[2]*n[2]}function ys(t,n){return[t[1]*n[2]-t[2]*n[1],t[2]*n[0]-t[0]*n[2],t[0]*n[1]-t[1]*n[0]]}function vs(t,n){t[0]+=n[0],t[1]+=n[1],t[2]+=n[2]}function _s(t,n){return[t[0]*n,t[1]*n,t[2]*n]}function bs(t){var n=zf(t[0]*t[0]+t[1]*t[1]+t[2]*t[2]);t[0]/=n,t[1]/=n,t[2]/=n}var ms,xs,ws,Ms,Ts,As,Ss,Es,Ns,ks,Cs,Ps,zs,$s,Ds,Rs,Fs={point:qs,lineStart:Is,lineEnd:Os,polygonStart:function(){Fs.point=Bs,Fs.lineStart=Ys,Fs.lineEnd=Ls,rs=new T,cs.polygonStart()},polygonEnd:function(){cs.polygonEnd(),Fs.point=qs,Fs.lineStart=Is,Fs.lineEnd=Os,as<0?(Wf=-(Kf=180),Zf=-(Qf=90)):rs>df?Qf=90:rs<-df&&(Zf=-90),os[0]=Wf,os[1]=Kf},sphere:function(){Wf=-(Kf=180),Zf=-(Qf=90)}};function qs(t,n){is.push(os=[Wf=t,Kf=t]),nQf&&(Qf=n)}function Us(t,n){var e=ps([t*mf,n*mf]);if(es){var r=ys(es,e),i=ys([r[1],-r[0],0],r);bs(i),i=ds(i);var o,a=t-Jf,u=a>0?1:-1,c=i[0]*bf*u,f=xf(a)>180;f^(u*JfQf&&(Qf=o):f^(u*Jf<(c=(c+360)%360-180)&&cQf&&(Qf=n)),f?tjs(Wf,Kf)&&(Kf=t):js(t,Kf)>js(Wf,Kf)&&(Wf=t):Kf>=Wf?(tKf&&(Kf=t)):t>Jf?js(Wf,t)>js(Wf,Kf)&&(Kf=t):js(t,Kf)>js(Wf,Kf)&&(Wf=t)}else is.push(os=[Wf=t,Kf=t]);nQf&&(Qf=n),es=e,Jf=t}function Is(){Fs.point=Us}function Os(){os[0]=Wf,os[1]=Kf,Fs.point=qs,es=null}function Bs(t,n){if(es){var e=t-Jf;rs.add(xf(e)>180?e+(e>0?360:-360):e)}else ts=t,ns=n;cs.point(t,n),Us(t,n)}function Ys(){cs.lineStart()}function Ls(){Bs(ts,ns),cs.lineEnd(),xf(rs)>df&&(Wf=-(Kf=180)),os[0]=Wf,os[1]=Kf,es=null}function js(t,n){return(n-=t)<0?n+360:n}function Hs(t,n){return t[0]-n[0]}function Xs(t,n){return t[0]<=t[1]?t[0]<=n&&n<=t[1]:ngf&&(t-=Math.round(t/_f)*_f),[t,n]}function ul(t,n,e){return(t%=_f)?n||e?ol(fl(t),sl(n,e)):fl(t):n||e?sl(n,e):al}function cl(t){return function(n,e){return xf(n+=t)>gf&&(n-=Math.round(n/_f)*_f),[n,e]}}function fl(t){var n=cl(t);return n.invert=cl(-t),n}function sl(t,n){var e=Tf(t),r=Cf(t),i=Tf(n),o=Cf(n);function a(t,n){var a=Tf(n),u=Tf(t)*a,c=Cf(t)*a,f=Cf(n),s=f*e+u*r;return[Mf(c*i-s*o,u*e-f*r),Rf(s*i+c*o)]}return a.invert=function(t,n){var a=Tf(n),u=Tf(t)*a,c=Cf(t)*a,f=Cf(n),s=f*i-c*o;return[Mf(c*i+f*o,u*e+s*r),Rf(s*e-u*r)]},a}function ll(t){function n(n){return(n=t(n[0]*mf,n[1]*mf))[0]*=bf,n[1]*=bf,n}return t=ul(t[0]*mf,t[1]*mf,t.length>2?t[2]*mf:0),n.invert=function(n){return(n=t.invert(n[0]*mf,n[1]*mf))[0]*=bf,n[1]*=bf,n},n}function hl(t,n,e,r,i,o){if(e){var a=Tf(n),u=Cf(n),c=r*e;null==i?(i=n+r*_f,o=n-c/2):(i=dl(a,i),o=dl(a,o),(r>0?io)&&(i+=r*_f));for(var f,s=i;r>0?s>o:s1&&n.push(n.pop().concat(n.shift()))},result:function(){var e=n;return n=[],t=null,e}}}function gl(t,n){return xf(t[0]-n[0])=0;--o)i.point((s=f[o])[0],s[1]);else r(h.x,h.p.x,-1,i);h=h.p}f=(h=h.o).z,d=!d}while(!h.v);i.lineEnd()}}}function _l(t){if(n=t.length){for(var n,e,r=0,i=t[0];++r=0?1:-1,E=S*A,N=E>gf,k=y*w;if(c.add(Mf(k*S*Cf(E),v*M+k*Tf(E))),a+=N?A+S*_f:A,N^p>=e^m>=e){var C=ys(ps(d),ps(b));bs(C);var P=ys(o,C);bs(P);var z=(N^A>=0?-1:1)*Rf(P[2]);(r>z||r===z&&(C[0]||C[1]))&&(u+=N^A>=0?1:-1)}}return(a<-df||a0){for(l||(i.polygonStart(),l=!0),i.lineStart(),t=0;t1&&2&c&&h.push(h.pop().concat(h.shift())),a.push(h.filter(wl))}return h}}function wl(t){return t.length>1}function Ml(t,n){return((t=t.x)[0]<0?t[1]-yf-df:yf-t[1])-((n=n.x)[0]<0?n[1]-yf-df:yf-n[1])}al.invert=al;var Tl=xl((function(){return!0}),(function(t){var n,e=NaN,r=NaN,i=NaN;return{lineStart:function(){t.lineStart(),n=1},point:function(o,a){var u=o>0?gf:-gf,c=xf(o-e);xf(c-gf)0?yf:-yf),t.point(i,r),t.lineEnd(),t.lineStart(),t.point(u,r),t.point(o,r),n=0):i!==u&&c>=gf&&(xf(e-i)df?wf((Cf(n)*(o=Tf(r))*Cf(e)-Cf(r)*(i=Tf(n))*Cf(t))/(i*o*a)):(n+r)/2}(e,r,o,a),t.point(i,r),t.lineEnd(),t.lineStart(),t.point(u,r),n=0),t.point(e=o,r=a),i=u},lineEnd:function(){t.lineEnd(),e=r=NaN},clean:function(){return 2-n}}}),(function(t,n,e,r){var i;if(null==t)i=e*yf,r.point(-gf,i),r.point(0,i),r.point(gf,i),r.point(gf,0),r.point(gf,-i),r.point(0,-i),r.point(-gf,-i),r.point(-gf,0),r.point(-gf,i);else if(xf(t[0]-n[0])>df){var o=t[0]0,i=xf(n)>df;function o(t,e){return Tf(t)*Tf(e)>n}function a(t,e,r){var i=[1,0,0],o=ys(ps(t),ps(e)),a=gs(o,o),u=o[0],c=a-u*u;if(!c)return!r&&t;var f=n*a/c,s=-n*u/c,l=ys(i,o),h=_s(i,f);vs(h,_s(o,s));var d=l,p=gs(h,d),g=gs(d,d),y=p*p-g*(gs(h,h)-1);if(!(y<0)){var v=zf(y),_=_s(d,(-p-v)/g);if(vs(_,h),_=ds(_),!r)return _;var b,m=t[0],x=e[0],w=t[1],M=e[1];x0^_[1]<(xf(_[0]-m)gf^(m<=_[0]&&_[0]<=x)){var S=_s(d,(-p+v)/g);return vs(S,h),[_,ds(S)]}}}function u(n,e){var i=r?t:gf-t,o=0;return n<-i?o|=1:n>i&&(o|=2),e<-i?o|=4:e>i&&(o|=8),o}return xl(o,(function(t){var n,e,c,f,s;return{lineStart:function(){f=c=!1,s=1},point:function(l,h){var d,p=[l,h],g=o(l,h),y=r?g?0:u(l,h):g?u(l+(l<0?gf:-gf),h):0;if(!n&&(f=c=g)&&t.lineStart(),g!==c&&(!(d=a(n,p))||gl(n,d)||gl(p,d))&&(p[2]=1),g!==c)s=0,g?(t.lineStart(),d=a(p,n),t.point(d[0],d[1])):(d=a(n,p),t.point(d[0],d[1],2),t.lineEnd()),n=d;else if(i&&n&&r^g){var v;y&e||!(v=a(p,n,!0))||(s=0,r?(t.lineStart(),t.point(v[0][0],v[0][1]),t.point(v[1][0],v[1][1]),t.lineEnd()):(t.point(v[1][0],v[1][1]),t.lineEnd(),t.lineStart(),t.point(v[0][0],v[0][1],3)))}!g||n&&gl(n,p)||t.point(p[0],p[1]),n=p,c=g,e=y},lineEnd:function(){c&&t.lineEnd(),n=null},clean:function(){return s|(f&&c)<<1}}}),(function(n,r,i,o){hl(o,t,e,i,n,r)}),r?[0,-t]:[-gf,t-gf])}var Sl,El,Nl,kl,Cl=1e9,Pl=-Cl;function zl(t,n,e,r){function i(i,o){return t<=i&&i<=e&&n<=o&&o<=r}function o(i,o,u,f){var s=0,l=0;if(null==i||(s=a(i,u))!==(l=a(o,u))||c(i,o)<0^u>0)do{f.point(0===s||3===s?t:e,s>1?r:n)}while((s=(s+u+4)%4)!==l);else f.point(o[0],o[1])}function a(r,i){return xf(r[0]-t)0?0:3:xf(r[0]-e)0?2:1:xf(r[1]-n)0?1:0:i>0?3:2}function u(t,n){return c(t.x,n.x)}function c(t,n){var e=a(t,1),r=a(n,1);return e!==r?e-r:0===e?n[1]-t[1]:1===e?t[0]-n[0]:2===e?t[1]-n[1]:n[0]-t[0]}return function(a){var c,f,s,l,h,d,p,g,y,v,_,b=a,m=pl(),x={point:w,lineStart:function(){x.point=M,f&&f.push(s=[]);v=!0,y=!1,p=g=NaN},lineEnd:function(){c&&(M(l,h),d&&y&&m.rejoin(),c.push(m.result()));x.point=w,y&&b.lineEnd()},polygonStart:function(){b=m,c=[],f=[],_=!0},polygonEnd:function(){var n=function(){for(var n=0,e=0,i=f.length;er&&(h-o)*(r-a)>(d-a)*(t-o)&&++n:d<=r&&(h-o)*(r-a)<(d-a)*(t-o)&&--n;return n}(),e=_&&n,i=(c=ft(c)).length;(e||i)&&(a.polygonStart(),e&&(a.lineStart(),o(null,null,1,a),a.lineEnd()),i&&vl(c,u,n,o,a),a.polygonEnd());b=a,c=f=s=null}};function w(t,n){i(t,n)&&b.point(t,n)}function M(o,a){var u=i(o,a);if(f&&s.push([o,a]),v)l=o,h=a,d=u,v=!1,u&&(b.lineStart(),b.point(o,a));else if(u&&y)b.point(o,a);else{var c=[p=Math.max(Pl,Math.min(Cl,p)),g=Math.max(Pl,Math.min(Cl,g))],m=[o=Math.max(Pl,Math.min(Cl,o)),a=Math.max(Pl,Math.min(Cl,a))];!function(t,n,e,r,i,o){var a,u=t[0],c=t[1],f=0,s=1,l=n[0]-u,h=n[1]-c;if(a=e-u,l||!(a>0)){if(a/=l,l<0){if(a0){if(a>s)return;a>f&&(f=a)}if(a=i-u,l||!(a<0)){if(a/=l,l<0){if(a>s)return;a>f&&(f=a)}else if(l>0){if(a0)){if(a/=h,h<0){if(a0){if(a>s)return;a>f&&(f=a)}if(a=o-c,h||!(a<0)){if(a/=h,h<0){if(a>s)return;a>f&&(f=a)}else if(h>0){if(a0&&(t[0]=u+f*l,t[1]=c+f*h),s<1&&(n[0]=u+s*l,n[1]=c+s*h),!0}}}}}(c,m,t,n,e,r)?u&&(b.lineStart(),b.point(o,a),_=!1):(y||(b.lineStart(),b.point(c[0],c[1])),b.point(m[0],m[1]),u||b.lineEnd(),_=!1)}p=o,g=a,y=u}return x}}var $l={sphere:qf,point:qf,lineStart:function(){$l.point=Rl,$l.lineEnd=Dl},lineEnd:qf,polygonStart:qf,polygonEnd:qf};function Dl(){$l.point=$l.lineEnd=qf}function Rl(t,n){El=t*=mf,Nl=Cf(n*=mf),kl=Tf(n),$l.point=Fl}function Fl(t,n){t*=mf;var e=Cf(n*=mf),r=Tf(n),i=xf(t-El),o=Tf(i),a=r*Cf(i),u=kl*e-Nl*r*o,c=Nl*e+kl*r*o;Sl.add(Mf(zf(a*a+u*u),c)),El=t,Nl=e,kl=r}function ql(t){return Sl=new T,Lf(t,$l),+Sl}var Ul=[null,null],Il={type:"LineString",coordinates:Ul};function Ol(t,n){return Ul[0]=t,Ul[1]=n,ql(Il)}var Bl={Feature:function(t,n){return Ll(t.geometry,n)},FeatureCollection:function(t,n){for(var e=t.features,r=-1,i=e.length;++r0&&(i=Ol(t[o],t[o-1]))>0&&e<=i&&r<=i&&(e+r-i)*(1-Math.pow((e-r)/i,2))df})).map(c)).concat(lt(Af(o/d)*d,i,d).filter((function(t){return xf(t%g)>df})).map(f))}return v.lines=function(){return _().map((function(t){return{type:"LineString",coordinates:t}}))},v.outline=function(){return{type:"Polygon",coordinates:[s(r).concat(l(a).slice(1),s(e).reverse().slice(1),l(u).reverse().slice(1))]}},v.extent=function(t){return arguments.length?v.extentMajor(t).extentMinor(t):v.extentMinor()},v.extentMajor=function(t){return arguments.length?(r=+t[0][0],e=+t[1][0],u=+t[0][1],a=+t[1][1],r>e&&(t=r,r=e,e=t),u>a&&(t=u,u=a,a=t),v.precision(y)):[[r,u],[e,a]]},v.extentMinor=function(e){return arguments.length?(n=+e[0][0],t=+e[1][0],o=+e[0][1],i=+e[1][1],n>t&&(e=n,n=t,t=e),o>i&&(e=o,o=i,i=e),v.precision(y)):[[n,o],[t,i]]},v.step=function(t){return arguments.length?v.stepMajor(t).stepMinor(t):v.stepMinor()},v.stepMajor=function(t){return arguments.length?(p=+t[0],g=+t[1],v):[p,g]},v.stepMinor=function(t){return arguments.length?(h=+t[0],d=+t[1],v):[h,d]},v.precision=function(h){return arguments.length?(y=+h,c=Wl(o,i,90),f=Zl(n,t,y),s=Wl(u,a,90),l=Zl(r,e,y),v):y},v.extentMajor([[-180,-90+df],[180,90-df]]).extentMinor([[-180,-80-df],[180,80+df]])}var Ql,Jl,th,nh,eh=t=>t,rh=new T,ih=new T,oh={point:qf,lineStart:qf,lineEnd:qf,polygonStart:function(){oh.lineStart=ah,oh.lineEnd=fh},polygonEnd:function(){oh.lineStart=oh.lineEnd=oh.point=qf,rh.add(xf(ih)),ih=new T},result:function(){var t=rh/2;return rh=new T,t}};function ah(){oh.point=uh}function uh(t,n){oh.point=ch,Ql=th=t,Jl=nh=n}function ch(t,n){ih.add(nh*t-th*n),th=t,nh=n}function fh(){ch(Ql,Jl)}var sh=oh,lh=1/0,hh=lh,dh=-lh,ph=dh,gh={point:function(t,n){tdh&&(dh=t);nph&&(ph=n)},lineStart:qf,lineEnd:qf,polygonStart:qf,polygonEnd:qf,result:function(){var t=[[lh,hh],[dh,ph]];return dh=ph=-(hh=lh=1/0),t}};var yh,vh,_h,bh,mh=gh,xh=0,wh=0,Mh=0,Th=0,Ah=0,Sh=0,Eh=0,Nh=0,kh=0,Ch={point:Ph,lineStart:zh,lineEnd:Rh,polygonStart:function(){Ch.lineStart=Fh,Ch.lineEnd=qh},polygonEnd:function(){Ch.point=Ph,Ch.lineStart=zh,Ch.lineEnd=Rh},result:function(){var t=kh?[Eh/kh,Nh/kh]:Sh?[Th/Sh,Ah/Sh]:Mh?[xh/Mh,wh/Mh]:[NaN,NaN];return xh=wh=Mh=Th=Ah=Sh=Eh=Nh=kh=0,t}};function Ph(t,n){xh+=t,wh+=n,++Mh}function zh(){Ch.point=$h}function $h(t,n){Ch.point=Dh,Ph(_h=t,bh=n)}function Dh(t,n){var e=t-_h,r=n-bh,i=zf(e*e+r*r);Th+=i*(_h+t)/2,Ah+=i*(bh+n)/2,Sh+=i,Ph(_h=t,bh=n)}function Rh(){Ch.point=Ph}function Fh(){Ch.point=Uh}function qh(){Ih(yh,vh)}function Uh(t,n){Ch.point=Ih,Ph(yh=_h=t,vh=bh=n)}function Ih(t,n){var e=t-_h,r=n-bh,i=zf(e*e+r*r);Th+=i*(_h+t)/2,Ah+=i*(bh+n)/2,Sh+=i,Eh+=(i=bh*t-_h*n)*(_h+t),Nh+=i*(bh+n),kh+=3*i,Ph(_h=t,bh=n)}var Oh=Ch;function Bh(t){this._context=t}Bh.prototype={_radius:4.5,pointRadius:function(t){return this._radius=t,this},polygonStart:function(){this._line=0},polygonEnd:function(){this._line=NaN},lineStart:function(){this._point=0},lineEnd:function(){0===this._line&&this._context.closePath(),this._point=NaN},point:function(t,n){switch(this._point){case 0:this._context.moveTo(t,n),this._point=1;break;case 1:this._context.lineTo(t,n);break;default:this._context.moveTo(t+this._radius,n),this._context.arc(t,n,this._radius,0,_f)}},result:qf};var Yh,Lh,jh,Hh,Xh,Gh=new T,Vh={point:qf,lineStart:function(){Vh.point=Wh},lineEnd:function(){Yh&&Zh(Lh,jh),Vh.point=qf},polygonStart:function(){Yh=!0},polygonEnd:function(){Yh=null},result:function(){var t=+Gh;return Gh=new T,t}};function Wh(t,n){Vh.point=Zh,Lh=Hh=t,jh=Xh=n}function Zh(t,n){Hh-=t,Xh-=n,Gh.add(zf(Hh*Hh+Xh*Xh)),Hh=t,Xh=n}var Kh=Vh;let Qh,Jh,td,nd;class ed{constructor(t){this._append=null==t?rd:function(t){const n=Math.floor(t);if(!(n>=0))throw new RangeError(`invalid digits: ${t}`);if(n>15)return rd;if(n!==Qh){const t=10**n;Qh=n,Jh=function(n){let e=1;this._+=n[0];for(const r=n.length;e4*n&&g--){var m=a+h,x=u+d,w=c+p,M=zf(m*m+x*x+w*w),T=Rf(w/=M),A=xf(xf(w)-1)n||xf((v*k+_*C)/b-.5)>.3||a*h+u*d+c*p2?t[2]%360*mf:0,k()):[y*bf,v*bf,_*bf]},E.angle=function(t){return arguments.length?(b=t%360*mf,k()):b*bf},E.reflectX=function(t){return arguments.length?(m=t?-1:1,k()):m<0},E.reflectY=function(t){return arguments.length?(x=t?-1:1,k()):x<0},E.precision=function(t){return arguments.length?(a=dd(u,S=t*t),C()):zf(S)},E.fitExtent=function(t,n){return ud(E,t,n)},E.fitSize=function(t,n){return cd(E,t,n)},E.fitWidth=function(t,n){return fd(E,t,n)},E.fitHeight=function(t,n){return sd(E,t,n)},function(){return n=t.apply(this,arguments),E.invert=n.invert&&N,k()}}function _d(t){var n=0,e=gf/3,r=vd(t),i=r(n,e);return i.parallels=function(t){return arguments.length?r(n=t[0]*mf,e=t[1]*mf):[n*bf,e*bf]},i}function bd(t,n){var e=Cf(t),r=(e+Cf(n))/2;if(xf(r)0?n<-yf+df&&(n=-yf+df):n>yf-df&&(n=yf-df);var e=i/kf(Nd(n),r);return[e*Cf(r*t),i-e*Tf(r*t)]}return o.invert=function(t,n){var e=i-n,o=Pf(r)*zf(t*t+e*e),a=Mf(t,xf(e))*Pf(e);return e*r<0&&(a-=gf*Pf(t)*Pf(e)),[a/r,2*wf(kf(i/o,1/r))-yf]},o}function Cd(t,n){return[t,n]}function Pd(t,n){var e=Tf(t),r=t===n?Cf(t):(e-Tf(n))/(n-t),i=e/r+t;if(xf(r)=0;)n+=e[r].value;else n=1;t.value=n}function Gd(t,n){t instanceof Map?(t=[void 0,t],void 0===n&&(n=Wd)):void 0===n&&(n=Vd);for(var e,r,i,o,a,u=new Qd(t),c=[u];e=c.pop();)if((i=n(e.data))&&(a=(i=Array.from(i)).length))for(e.children=i,o=a-1;o>=0;--o)c.push(r=i[o]=new Qd(i[o])),r.parent=e,r.depth=e.depth+1;return u.eachBefore(Kd)}function Vd(t){return t.children}function Wd(t){return Array.isArray(t)?t[1]:null}function Zd(t){void 0!==t.data.value&&(t.value=t.data.value),t.data=t.data.data}function Kd(t){var n=0;do{t.height=n}while((t=t.parent)&&t.height<++n)}function Qd(t){this.data=t,this.depth=this.height=0,this.parent=null}function Jd(t){return null==t?null:tp(t)}function tp(t){if("function"!=typeof t)throw new Error;return t}function np(){return 0}function ep(t){return function(){return t}}qd.invert=function(t,n){for(var e,r=n,i=r*r,o=i*i*i,a=0;a<12&&(o=(i=(r-=e=(r*(zd+$d*i+o*(Dd+Rd*i))-n)/(zd+3*$d*i+o*(7*Dd+9*Rd*i)))*r)*i*i,!(xf(e)df&&--i>0);return[t/(.8707+(o=r*r)*(o*(o*o*o*(.003971-.001529*o)-.013791)-.131979)),r]},Od.invert=Md(Rf),Bd.invert=Md((function(t){return 2*wf(t)})),Yd.invert=function(t,n){return[-n,2*wf(Sf(t))-yf]},Qd.prototype=Gd.prototype={constructor:Qd,count:function(){return this.eachAfter(Xd)},each:function(t,n){let e=-1;for(const r of this)t.call(n,r,++e,this);return this},eachAfter:function(t,n){for(var e,r,i,o=this,a=[o],u=[],c=-1;o=a.pop();)if(u.push(o),e=o.children)for(r=0,i=e.length;r=0;--r)o.push(e[r]);return this},find:function(t,n){let e=-1;for(const r of this)if(t.call(n,r,++e,this))return r},sum:function(t){return this.eachAfter((function(n){for(var e=+t(n.data)||0,r=n.children,i=r&&r.length;--i>=0;)e+=r[i].value;n.value=e}))},sort:function(t){return this.eachBefore((function(n){n.children&&n.children.sort(t)}))},path:function(t){for(var n=this,e=function(t,n){if(t===n)return t;var e=t.ancestors(),r=n.ancestors(),i=null;t=e.pop(),n=r.pop();for(;t===n;)i=t,t=e.pop(),n=r.pop();return i}(n,t),r=[n];n!==e;)n=n.parent,r.push(n);for(var i=r.length;t!==e;)r.splice(i,0,t),t=t.parent;return r},ancestors:function(){for(var t=this,n=[t];t=t.parent;)n.push(t);return n},descendants:function(){return Array.from(this)},leaves:function(){var t=[];return this.eachBefore((function(n){n.children||t.push(n)})),t},links:function(){var t=this,n=[];return t.each((function(e){e!==t&&n.push({source:e.parent,target:e})})),n},copy:function(){return Gd(this).eachBefore(Zd)},[Symbol.iterator]:function*(){var t,n,e,r,i=this,o=[i];do{for(t=o.reverse(),o=[];i=t.pop();)if(yield i,n=i.children)for(e=0,r=n.length;e(t=(rp*t+ip)%op)/op}function up(t,n){for(var e,r,i=0,o=(t=function(t,n){let e,r,i=t.length;for(;i;)r=n()*i--|0,e=t[i],t[i]=t[r],t[r]=e;return t}(Array.from(t),n)).length,a=[];i0&&e*e>r*r+i*i}function lp(t,n){for(var e=0;e1e-6?(E+Math.sqrt(E*E-4*S*N))/(2*S):N/E);return{x:r+w+M*k,y:i+T+A*k,r:k}}function gp(t,n,e){var r,i,o,a,u=t.x-n.x,c=t.y-n.y,f=u*u+c*c;f?(i=n.r+e.r,i*=i,a=t.r+e.r,i>(a*=a)?(r=(f+a-i)/(2*f),o=Math.sqrt(Math.max(0,a/f-r*r)),e.x=t.x-r*u-o*c,e.y=t.y-r*c+o*u):(r=(f+i-a)/(2*f),o=Math.sqrt(Math.max(0,i/f-r*r)),e.x=n.x+r*u-o*c,e.y=n.y+r*c+o*u)):(e.x=n.x+e.r,e.y=n.y)}function yp(t,n){var e=t.r+n.r-1e-6,r=n.x-t.x,i=n.y-t.y;return e>0&&e*e>r*r+i*i}function vp(t){var n=t._,e=t.next._,r=n.r+e.r,i=(n.x*e.r+e.x*n.r)/r,o=(n.y*e.r+e.y*n.r)/r;return i*i+o*o}function _p(t){this._=t,this.next=null,this.previous=null}function bp(t,n){if(!(o=(t=function(t){return"object"==typeof t&&"length"in t?t:Array.from(t)}(t)).length))return 0;var e,r,i,o,a,u,c,f,s,l,h;if((e=t[0]).x=0,e.y=0,!(o>1))return e.r;if(r=t[1],e.x=-r.r,r.x=e.r,r.y=0,!(o>2))return e.r+r.r;gp(r,e,i=t[2]),e=new _p(e),r=new _p(r),i=new _p(i),e.next=i.previous=r,r.next=e.previous=i,i.next=r.previous=e;t:for(c=3;c1&&!zp(t,n););return t.slice(0,n)}function zp(t,n){if("/"===t[n]){let e=0;for(;n>0&&"\\"===t[--n];)++e;if(0==(1&e))return!0}return!1}function $p(t,n){return t.parent===n.parent?1:2}function Dp(t){var n=t.children;return n?n[0]:t.t}function Rp(t){var n=t.children;return n?n[n.length-1]:t.t}function Fp(t,n,e){var r=e/(n.i-t.i);n.c-=r,n.s+=e,t.c+=r,n.z+=e,n.m+=e}function qp(t,n,e){return t.a.parent===n.parent?t.a:e}function Up(t,n){this._=t,this.parent=null,this.children=null,this.A=null,this.a=this,this.z=0,this.m=0,this.c=0,this.s=0,this.t=null,this.i=n}function Ip(t,n,e,r,i){for(var o,a=t.children,u=-1,c=a.length,f=t.value&&(i-e)/t.value;++uh&&(h=u),y=s*s*g,(d=Math.max(h/y,y/l))>p){s-=u;break}p=d}v.push(a={value:s,dice:c1?n:1)},e}(Op);var Lp=function t(n){function e(t,e,r,i,o){if((a=t._squarify)&&a.ratio===n)for(var a,u,c,f,s,l=-1,h=a.length,d=t.value;++l1?n:1)},e}(Op);function jp(t,n,e){return(n[0]-t[0])*(e[1]-t[1])-(n[1]-t[1])*(e[0]-t[0])}function Hp(t,n){return t[0]-n[0]||t[1]-n[1]}function Xp(t){const n=t.length,e=[0,1];let r,i=2;for(r=2;r1&&jp(t[e[i-2]],t[e[i-1]],t[r])<=0;)--i;e[i++]=r}return e.slice(0,i)}var Gp=Math.random,Vp=function t(n){function e(t,e){return t=null==t?0:+t,e=null==e?1:+e,1===arguments.length?(e=t,t=0):e-=t,function(){return n()*e+t}}return e.source=t,e}(Gp),Wp=function t(n){function e(t,e){return arguments.length<2&&(e=t,t=0),t=Math.floor(t),e=Math.floor(e)-t,function(){return Math.floor(n()*e+t)}}return e.source=t,e}(Gp),Zp=function t(n){function e(t,e){var r,i;return t=null==t?0:+t,e=null==e?1:+e,function(){var o;if(null!=r)o=r,r=null;else do{r=2*n()-1,o=2*n()-1,i=r*r+o*o}while(!i||i>1);return t+e*o*Math.sqrt(-2*Math.log(i)/i)}}return e.source=t,e}(Gp),Kp=function t(n){var e=Zp.source(n);function r(){var t=e.apply(this,arguments);return function(){return Math.exp(t())}}return r.source=t,r}(Gp),Qp=function t(n){function e(t){return(t=+t)<=0?()=>0:function(){for(var e=0,r=t;r>1;--r)e+=n();return e+r*n()}}return e.source=t,e}(Gp),Jp=function t(n){var e=Qp.source(n);function r(t){if(0==(t=+t))return n;var r=e(t);return function(){return r()/t}}return r.source=t,r}(Gp),tg=function t(n){function e(t){return function(){return-Math.log1p(-n())/t}}return e.source=t,e}(Gp),ng=function t(n){function e(t){if((t=+t)<0)throw new RangeError("invalid alpha");return t=1/-t,function(){return Math.pow(1-n(),t)}}return e.source=t,e}(Gp),eg=function t(n){function e(t){if((t=+t)<0||t>1)throw new RangeError("invalid p");return function(){return Math.floor(n()+t)}}return e.source=t,e}(Gp),rg=function t(n){function e(t){if((t=+t)<0||t>1)throw new RangeError("invalid p");return 0===t?()=>1/0:1===t?()=>1:(t=Math.log1p(-t),function(){return 1+Math.floor(Math.log1p(-n())/t)})}return e.source=t,e}(Gp),ig=function t(n){var e=Zp.source(n)();function r(t,r){if((t=+t)<0)throw new RangeError("invalid k");if(0===t)return()=>0;if(r=null==r?1:+r,1===t)return()=>-Math.log1p(-n())*r;var i=(t<1?t+1:t)-1/3,o=1/(3*Math.sqrt(i)),a=t<1?()=>Math.pow(n(),1/t):()=>1;return function(){do{do{var t=e(),u=1+o*t}while(u<=0);u*=u*u;var c=1-n()}while(c>=1-.0331*t*t*t*t&&Math.log(c)>=.5*t*t+i*(1-u+Math.log(u)));return i*u*a()*r}}return r.source=t,r}(Gp),og=function t(n){var e=ig.source(n);function r(t,n){var r=e(t),i=e(n);return function(){var t=r();return 0===t?0:t/(t+i())}}return r.source=t,r}(Gp),ag=function t(n){var e=rg.source(n),r=og.source(n);function i(t,n){return t=+t,(n=+n)>=1?()=>t:n<=0?()=>0:function(){for(var i=0,o=t,a=n;o*a>16&&o*(1-a)>16;){var u=Math.floor((o+1)*a),c=r(u,o-u+1)();c<=a?(i+=u,o-=u,a=(a-c)/(1-c)):(o=u-1,a/=c)}for(var f=a<.5,s=e(f?a:1-a),l=s(),h=0;l<=o;++h)l+=s();return i+(f?h:o-h)}}return i.source=t,i}(Gp),ug=function t(n){function e(t,e,r){var i;return 0==(t=+t)?i=t=>-Math.log(t):(t=1/t,i=n=>Math.pow(n,t)),e=null==e?0:+e,r=null==r?1:+r,function(){return e+r*i(-Math.log1p(-n()))}}return e.source=t,e}(Gp),cg=function t(n){function e(t,e){return t=null==t?0:+t,e=null==e?1:+e,function(){return t+e*Math.tan(Math.PI*n())}}return e.source=t,e}(Gp),fg=function t(n){function e(t,e){return t=null==t?0:+t,e=null==e?1:+e,function(){var r=n();return t+e*Math.log(r/(1-r))}}return e.source=t,e}(Gp),sg=function t(n){var e=ig.source(n),r=ag.source(n);function i(t){return function(){for(var i=0,o=t;o>16;){var a=Math.floor(.875*o),u=e(a)();if(u>o)return i+r(a-1,o/u)();i+=a,o-=u}for(var c=-Math.log1p(-n()),f=0;c<=o;++f)c-=Math.log1p(-n());return i+f}}return i.source=t,i}(Gp);const lg=1/4294967296;function hg(t,n){switch(arguments.length){case 0:break;case 1:this.range(t);break;default:this.range(n).domain(t)}return this}function dg(t,n){switch(arguments.length){case 0:break;case 1:"function"==typeof t?this.interpolator(t):this.range(t);break;default:this.domain(t),"function"==typeof n?this.interpolator(n):this.range(n)}return this}const pg=Symbol("implicit");function gg(){var t=new InternMap,n=[],e=[],r=pg;function i(i){let o=t.get(i);if(void 0===o){if(r!==pg)return r;t.set(i,o=n.push(i)-1)}return e[o%e.length]}return i.domain=function(e){if(!arguments.length)return n.slice();n=[],t=new InternMap;for(const r of e)t.has(r)||t.set(r,n.push(r)-1);return i},i.range=function(t){return arguments.length?(e=Array.from(t),i):e.slice()},i.unknown=function(t){return arguments.length?(r=t,i):r},i.copy=function(){return gg(n,e).unknown(r)},hg.apply(i,arguments),i}function yg(){var t,n,e=gg().unknown(void 0),r=e.domain,i=e.range,o=0,a=1,u=!1,c=0,f=0,s=.5;function l(){var e=r().length,l=an&&(e=t,t=n,n=e),function(e){return Math.max(t,Math.min(n,e))}}(a[0],a[t-1])),r=t>2?Mg:wg,i=o=null,l}function l(n){return null==n||isNaN(n=+n)?e:(i||(i=r(a.map(t),u,c)))(t(f(n)))}return l.invert=function(e){return f(n((o||(o=r(u,a.map(t),Yr)))(e)))},l.domain=function(t){return arguments.length?(a=Array.from(t,_g),s()):a.slice()},l.range=function(t){return arguments.length?(u=Array.from(t),s()):u.slice()},l.rangeRound=function(t){return u=Array.from(t),c=Vr,s()},l.clamp=function(t){return arguments.length?(f=!!t||mg,s()):f!==mg},l.interpolate=function(t){return arguments.length?(c=t,s()):c},l.unknown=function(t){return arguments.length?(e=t,l):e},function(e,r){return t=e,n=r,s()}}function Sg(){return Ag()(mg,mg)}function Eg(n,e,r,i){var o,a=W(n,e,r);switch((i=Jc(null==i?",f":i)).type){case"s":var u=Math.max(Math.abs(n),Math.abs(e));return null!=i.precision||isNaN(o=lf(a,u))||(i.precision=o),t.formatPrefix(i,u);case"":case"e":case"g":case"p":case"r":null!=i.precision||isNaN(o=hf(a,Math.max(Math.abs(n),Math.abs(e))))||(i.precision=o-("e"===i.type));break;case"f":case"%":null!=i.precision||isNaN(o=sf(a))||(i.precision=o-2*("%"===i.type))}return t.format(i)}function Ng(t){var n=t.domain;return t.ticks=function(t){var e=n();return G(e[0],e[e.length-1],null==t?10:t)},t.tickFormat=function(t,e){var r=n();return Eg(r[0],r[r.length-1],null==t?10:t,e)},t.nice=function(e){null==e&&(e=10);var r,i,o=n(),a=0,u=o.length-1,c=o[a],f=o[u],s=10;for(f0;){if((i=V(c,f,e))===r)return o[a]=c,o[u]=f,n(o);if(i>0)c=Math.floor(c/i)*i,f=Math.ceil(f/i)*i;else{if(!(i<0))break;c=Math.ceil(c*i)/i,f=Math.floor(f*i)/i}r=i}return t},t}function kg(t,n){var e,r=0,i=(t=t.slice()).length-1,o=t[r],a=t[i];return a-t(-n,e)}function Fg(n){const e=n(Cg,Pg),r=e.domain;let i,o,a=10;function u(){return i=function(t){return t===Math.E?Math.log:10===t&&Math.log10||2===t&&Math.log2||(t=Math.log(t),n=>Math.log(n)/t)}(a),o=function(t){return 10===t?Dg:t===Math.E?Math.exp:n=>Math.pow(t,n)}(a),r()[0]<0?(i=Rg(i),o=Rg(o),n(zg,$g)):n(Cg,Pg),e}return e.base=function(t){return arguments.length?(a=+t,u()):a},e.domain=function(t){return arguments.length?(r(t),u()):r()},e.ticks=t=>{const n=r();let e=n[0],u=n[n.length-1];const c=u0){for(;l<=h;++l)for(f=1;fu)break;p.push(s)}}else for(;l<=h;++l)for(f=a-1;f>=1;--f)if(s=l>0?f/o(-l):f*o(l),!(su)break;p.push(s)}2*p.length{if(null==n&&(n=10),null==r&&(r=10===a?"s":","),"function"!=typeof r&&(a%1||null!=(r=Jc(r)).precision||(r.trim=!0),r=t.format(r)),n===1/0)return r;const u=Math.max(1,a*n/e.ticks().length);return t=>{let n=t/o(Math.round(i(t)));return n*ar(kg(r(),{floor:t=>o(Math.floor(i(t))),ceil:t=>o(Math.ceil(i(t)))})),e}function qg(t){return function(n){return Math.sign(n)*Math.log1p(Math.abs(n/t))}}function Ug(t){return function(n){return Math.sign(n)*Math.expm1(Math.abs(n))*t}}function Ig(t){var n=1,e=t(qg(n),Ug(n));return e.constant=function(e){return arguments.length?t(qg(n=+e),Ug(n)):n},Ng(e)}function Og(t){return function(n){return n<0?-Math.pow(-n,t):Math.pow(n,t)}}function Bg(t){return t<0?-Math.sqrt(-t):Math.sqrt(t)}function Yg(t){return t<0?-t*t:t*t}function Lg(t){var n=t(mg,mg),e=1;return n.exponent=function(n){return arguments.length?1===(e=+n)?t(mg,mg):.5===e?t(Bg,Yg):t(Og(e),Og(1/e)):e},Ng(n)}function jg(){var t=Lg(Ag());return t.copy=function(){return Tg(t,jg()).exponent(t.exponent())},hg.apply(t,arguments),t}function Hg(t){return Math.sign(t)*t*t}const Xg=new Date,Gg=new Date;function Vg(t,n,e,r){function i(n){return t(n=0===arguments.length?new Date:new Date(+n)),n}return i.floor=n=>(t(n=new Date(+n)),n),i.ceil=e=>(t(e=new Date(e-1)),n(e,1),t(e),e),i.round=t=>{const n=i(t),e=i.ceil(t);return t-n(n(t=new Date(+t),null==e?1:Math.floor(e)),t),i.range=(e,r,o)=>{const a=[];if(e=i.ceil(e),o=null==o?1:Math.floor(o),!(e0))return a;let u;do{a.push(u=new Date(+e)),n(e,o),t(e)}while(uVg((n=>{if(n>=n)for(;t(n),!e(n);)n.setTime(n-1)}),((t,r)=>{if(t>=t)if(r<0)for(;++r<=0;)for(;n(t,-1),!e(t););else for(;--r>=0;)for(;n(t,1),!e(t););})),e&&(i.count=(n,r)=>(Xg.setTime(+n),Gg.setTime(+r),t(Xg),t(Gg),Math.floor(e(Xg,Gg))),i.every=t=>(t=Math.floor(t),isFinite(t)&&t>0?t>1?i.filter(r?n=>r(n)%t==0:n=>i.count(0,n)%t==0):i:null)),i}const Wg=Vg((()=>{}),((t,n)=>{t.setTime(+t+n)}),((t,n)=>n-t));Wg.every=t=>(t=Math.floor(t),isFinite(t)&&t>0?t>1?Vg((n=>{n.setTime(Math.floor(n/t)*t)}),((n,e)=>{n.setTime(+n+e*t)}),((n,e)=>(e-n)/t)):Wg:null);const Zg=Wg.range,Kg=1e3,Qg=6e4,Jg=36e5,ty=864e5,ny=6048e5,ey=2592e6,ry=31536e6,iy=Vg((t=>{t.setTime(t-t.getMilliseconds())}),((t,n)=>{t.setTime(+t+n*Kg)}),((t,n)=>(n-t)/Kg),(t=>t.getUTCSeconds())),oy=iy.range,ay=Vg((t=>{t.setTime(t-t.getMilliseconds()-t.getSeconds()*Kg)}),((t,n)=>{t.setTime(+t+n*Qg)}),((t,n)=>(n-t)/Qg),(t=>t.getMinutes())),uy=ay.range,cy=Vg((t=>{t.setUTCSeconds(0,0)}),((t,n)=>{t.setTime(+t+n*Qg)}),((t,n)=>(n-t)/Qg),(t=>t.getUTCMinutes())),fy=cy.range,sy=Vg((t=>{t.setTime(t-t.getMilliseconds()-t.getSeconds()*Kg-t.getMinutes()*Qg)}),((t,n)=>{t.setTime(+t+n*Jg)}),((t,n)=>(n-t)/Jg),(t=>t.getHours())),ly=sy.range,hy=Vg((t=>{t.setUTCMinutes(0,0,0)}),((t,n)=>{t.setTime(+t+n*Jg)}),((t,n)=>(n-t)/Jg),(t=>t.getUTCHours())),dy=hy.range,py=Vg((t=>t.setHours(0,0,0,0)),((t,n)=>t.setDate(t.getDate()+n)),((t,n)=>(n-t-(n.getTimezoneOffset()-t.getTimezoneOffset())*Qg)/ty),(t=>t.getDate()-1)),gy=py.range,yy=Vg((t=>{t.setUTCHours(0,0,0,0)}),((t,n)=>{t.setUTCDate(t.getUTCDate()+n)}),((t,n)=>(n-t)/ty),(t=>t.getUTCDate()-1)),vy=yy.range,_y=Vg((t=>{t.setUTCHours(0,0,0,0)}),((t,n)=>{t.setUTCDate(t.getUTCDate()+n)}),((t,n)=>(n-t)/ty),(t=>Math.floor(t/ty))),by=_y.range;function my(t){return Vg((n=>{n.setDate(n.getDate()-(n.getDay()+7-t)%7),n.setHours(0,0,0,0)}),((t,n)=>{t.setDate(t.getDate()+7*n)}),((t,n)=>(n-t-(n.getTimezoneOffset()-t.getTimezoneOffset())*Qg)/ny))}const xy=my(0),wy=my(1),My=my(2),Ty=my(3),Ay=my(4),Sy=my(5),Ey=my(6),Ny=xy.range,ky=wy.range,Cy=My.range,Py=Ty.range,zy=Ay.range,$y=Sy.range,Dy=Ey.range;function Ry(t){return Vg((n=>{n.setUTCDate(n.getUTCDate()-(n.getUTCDay()+7-t)%7),n.setUTCHours(0,0,0,0)}),((t,n)=>{t.setUTCDate(t.getUTCDate()+7*n)}),((t,n)=>(n-t)/ny))}const Fy=Ry(0),qy=Ry(1),Uy=Ry(2),Iy=Ry(3),Oy=Ry(4),By=Ry(5),Yy=Ry(6),Ly=Fy.range,jy=qy.range,Hy=Uy.range,Xy=Iy.range,Gy=Oy.range,Vy=By.range,Wy=Yy.range,Zy=Vg((t=>{t.setDate(1),t.setHours(0,0,0,0)}),((t,n)=>{t.setMonth(t.getMonth()+n)}),((t,n)=>n.getMonth()-t.getMonth()+12*(n.getFullYear()-t.getFullYear())),(t=>t.getMonth())),Ky=Zy.range,Qy=Vg((t=>{t.setUTCDate(1),t.setUTCHours(0,0,0,0)}),((t,n)=>{t.setUTCMonth(t.getUTCMonth()+n)}),((t,n)=>n.getUTCMonth()-t.getUTCMonth()+12*(n.getUTCFullYear()-t.getUTCFullYear())),(t=>t.getUTCMonth())),Jy=Qy.range,tv=Vg((t=>{t.setMonth(0,1),t.setHours(0,0,0,0)}),((t,n)=>{t.setFullYear(t.getFullYear()+n)}),((t,n)=>n.getFullYear()-t.getFullYear()),(t=>t.getFullYear()));tv.every=t=>isFinite(t=Math.floor(t))&&t>0?Vg((n=>{n.setFullYear(Math.floor(n.getFullYear()/t)*t),n.setMonth(0,1),n.setHours(0,0,0,0)}),((n,e)=>{n.setFullYear(n.getFullYear()+e*t)})):null;const nv=tv.range,ev=Vg((t=>{t.setUTCMonth(0,1),t.setUTCHours(0,0,0,0)}),((t,n)=>{t.setUTCFullYear(t.getUTCFullYear()+n)}),((t,n)=>n.getUTCFullYear()-t.getUTCFullYear()),(t=>t.getUTCFullYear()));ev.every=t=>isFinite(t=Math.floor(t))&&t>0?Vg((n=>{n.setUTCFullYear(Math.floor(n.getUTCFullYear()/t)*t),n.setUTCMonth(0,1),n.setUTCHours(0,0,0,0)}),((n,e)=>{n.setUTCFullYear(n.getUTCFullYear()+e*t)})):null;const rv=ev.range;function iv(t,n,e,i,o,a){const u=[[iy,1,Kg],[iy,5,5e3],[iy,15,15e3],[iy,30,3e4],[a,1,Qg],[a,5,3e5],[a,15,9e5],[a,30,18e5],[o,1,Jg],[o,3,108e5],[o,6,216e5],[o,12,432e5],[i,1,ty],[i,2,1728e5],[e,1,ny],[n,1,ey],[n,3,7776e6],[t,1,ry]];function c(n,e,i){const o=Math.abs(e-n)/i,a=r((([,,t])=>t)).right(u,o);if(a===u.length)return t.every(W(n/ry,e/ry,i));if(0===a)return Wg.every(Math.max(W(n,e,i),1));const[c,f]=u[o/u[a-1][2]=12)]},q:function(t){return 1+~~(t.getMonth()/3)},Q:k_,s:C_,S:Zv,u:Kv,U:Qv,V:t_,w:n_,W:e_,x:null,X:null,y:r_,Y:o_,Z:u_,"%":N_},m={a:function(t){return a[t.getUTCDay()]},A:function(t){return o[t.getUTCDay()]},b:function(t){return c[t.getUTCMonth()]},B:function(t){return u[t.getUTCMonth()]},c:null,d:c_,e:c_,f:d_,g:T_,G:S_,H:f_,I:s_,j:l_,L:h_,m:p_,M:g_,p:function(t){return i[+(t.getUTCHours()>=12)]},q:function(t){return 1+~~(t.getUTCMonth()/3)},Q:k_,s:C_,S:y_,u:v_,U:__,V:m_,w:x_,W:w_,x:null,X:null,y:M_,Y:A_,Z:E_,"%":N_},x={a:function(t,n,e){var r=d.exec(n.slice(e));return r?(t.w=p.get(r[0].toLowerCase()),e+r[0].length):-1},A:function(t,n,e){var r=l.exec(n.slice(e));return r?(t.w=h.get(r[0].toLowerCase()),e+r[0].length):-1},b:function(t,n,e){var r=v.exec(n.slice(e));return r?(t.m=_.get(r[0].toLowerCase()),e+r[0].length):-1},B:function(t,n,e){var r=g.exec(n.slice(e));return r?(t.m=y.get(r[0].toLowerCase()),e+r[0].length):-1},c:function(t,e,r){return T(t,n,e,r)},d:zv,e:zv,f:Uv,g:Nv,G:Ev,H:Dv,I:Dv,j:$v,L:qv,m:Pv,M:Rv,p:function(t,n,e){var r=f.exec(n.slice(e));return r?(t.p=s.get(r[0].toLowerCase()),e+r[0].length):-1},q:Cv,Q:Ov,s:Bv,S:Fv,u:Mv,U:Tv,V:Av,w:wv,W:Sv,x:function(t,n,r){return T(t,e,n,r)},X:function(t,n,e){return T(t,r,n,e)},y:Nv,Y:Ev,Z:kv,"%":Iv};function w(t,n){return function(e){var r,i,o,a=[],u=-1,c=0,f=t.length;for(e instanceof Date||(e=new Date(+e));++u53)return null;"w"in o||(o.w=1),"Z"in o?(i=(r=sv(lv(o.y,0,1))).getUTCDay(),r=i>4||0===i?qy.ceil(r):qy(r),r=yy.offset(r,7*(o.V-1)),o.y=r.getUTCFullYear(),o.m=r.getUTCMonth(),o.d=r.getUTCDate()+(o.w+6)%7):(i=(r=fv(lv(o.y,0,1))).getDay(),r=i>4||0===i?wy.ceil(r):wy(r),r=py.offset(r,7*(o.V-1)),o.y=r.getFullYear(),o.m=r.getMonth(),o.d=r.getDate()+(o.w+6)%7)}else("W"in o||"U"in o)&&("w"in o||(o.w="u"in o?o.u%7:"W"in o?1:0),i="Z"in o?sv(lv(o.y,0,1)).getUTCDay():fv(lv(o.y,0,1)).getDay(),o.m=0,o.d="W"in o?(o.w+6)%7+7*o.W-(i+5)%7:o.w+7*o.U-(i+6)%7);return"Z"in o?(o.H+=o.Z/100|0,o.M+=o.Z%100,sv(o)):fv(o)}}function T(t,n,e,r){for(var i,o,a=0,u=n.length,c=e.length;a=c)return-1;if(37===(i=n.charCodeAt(a++))){if(i=n.charAt(a++),!(o=x[i in pv?n.charAt(a++):i])||(r=o(t,e,r))<0)return-1}else if(i!=e.charCodeAt(r++))return-1}return r}return b.x=w(e,b),b.X=w(r,b),b.c=w(n,b),m.x=w(e,m),m.X=w(r,m),m.c=w(n,m),{format:function(t){var n=w(t+="",b);return n.toString=function(){return t},n},parse:function(t){var n=M(t+="",!1);return n.toString=function(){return t},n},utcFormat:function(t){var n=w(t+="",m);return n.toString=function(){return t},n},utcParse:function(t){var n=M(t+="",!0);return n.toString=function(){return t},n}}}var dv,pv={"-":"",_:" ",0:"0"},gv=/^\s*\d+/,yv=/^%/,vv=/[\\^$*+?|[\]().{}]/g;function _v(t,n,e){var r=t<0?"-":"",i=(r?-t:t)+"",o=i.length;return r+(o[t.toLowerCase(),n])))}function wv(t,n,e){var r=gv.exec(n.slice(e,e+1));return r?(t.w=+r[0],e+r[0].length):-1}function Mv(t,n,e){var r=gv.exec(n.slice(e,e+1));return r?(t.u=+r[0],e+r[0].length):-1}function Tv(t,n,e){var r=gv.exec(n.slice(e,e+2));return r?(t.U=+r[0],e+r[0].length):-1}function Av(t,n,e){var r=gv.exec(n.slice(e,e+2));return r?(t.V=+r[0],e+r[0].length):-1}function Sv(t,n,e){var r=gv.exec(n.slice(e,e+2));return r?(t.W=+r[0],e+r[0].length):-1}function Ev(t,n,e){var r=gv.exec(n.slice(e,e+4));return r?(t.y=+r[0],e+r[0].length):-1}function Nv(t,n,e){var r=gv.exec(n.slice(e,e+2));return r?(t.y=+r[0]+(+r[0]>68?1900:2e3),e+r[0].length):-1}function kv(t,n,e){var r=/^(Z)|([+-]\d\d)(?::?(\d\d))?/.exec(n.slice(e,e+6));return r?(t.Z=r[1]?0:-(r[2]+(r[3]||"00")),e+r[0].length):-1}function Cv(t,n,e){var r=gv.exec(n.slice(e,e+1));return r?(t.q=3*r[0]-3,e+r[0].length):-1}function Pv(t,n,e){var r=gv.exec(n.slice(e,e+2));return r?(t.m=r[0]-1,e+r[0].length):-1}function zv(t,n,e){var r=gv.exec(n.slice(e,e+2));return r?(t.d=+r[0],e+r[0].length):-1}function $v(t,n,e){var r=gv.exec(n.slice(e,e+3));return r?(t.m=0,t.d=+r[0],e+r[0].length):-1}function Dv(t,n,e){var r=gv.exec(n.slice(e,e+2));return r?(t.H=+r[0],e+r[0].length):-1}function Rv(t,n,e){var r=gv.exec(n.slice(e,e+2));return r?(t.M=+r[0],e+r[0].length):-1}function Fv(t,n,e){var r=gv.exec(n.slice(e,e+2));return r?(t.S=+r[0],e+r[0].length):-1}function qv(t,n,e){var r=gv.exec(n.slice(e,e+3));return r?(t.L=+r[0],e+r[0].length):-1}function Uv(t,n,e){var r=gv.exec(n.slice(e,e+6));return r?(t.L=Math.floor(r[0]/1e3),e+r[0].length):-1}function Iv(t,n,e){var r=yv.exec(n.slice(e,e+1));return r?e+r[0].length:-1}function Ov(t,n,e){var r=gv.exec(n.slice(e));return r?(t.Q=+r[0],e+r[0].length):-1}function Bv(t,n,e){var r=gv.exec(n.slice(e));return r?(t.s=+r[0],e+r[0].length):-1}function Yv(t,n){return _v(t.getDate(),n,2)}function Lv(t,n){return _v(t.getHours(),n,2)}function jv(t,n){return _v(t.getHours()%12||12,n,2)}function Hv(t,n){return _v(1+py.count(tv(t),t),n,3)}function Xv(t,n){return _v(t.getMilliseconds(),n,3)}function Gv(t,n){return Xv(t,n)+"000"}function Vv(t,n){return _v(t.getMonth()+1,n,2)}function Wv(t,n){return _v(t.getMinutes(),n,2)}function Zv(t,n){return _v(t.getSeconds(),n,2)}function Kv(t){var n=t.getDay();return 0===n?7:n}function Qv(t,n){return _v(xy.count(tv(t)-1,t),n,2)}function Jv(t){var n=t.getDay();return n>=4||0===n?Ay(t):Ay.ceil(t)}function t_(t,n){return t=Jv(t),_v(Ay.count(tv(t),t)+(4===tv(t).getDay()),n,2)}function n_(t){return t.getDay()}function e_(t,n){return _v(wy.count(tv(t)-1,t),n,2)}function r_(t,n){return _v(t.getFullYear()%100,n,2)}function i_(t,n){return _v((t=Jv(t)).getFullYear()%100,n,2)}function o_(t,n){return _v(t.getFullYear()%1e4,n,4)}function a_(t,n){var e=t.getDay();return _v((t=e>=4||0===e?Ay(t):Ay.ceil(t)).getFullYear()%1e4,n,4)}function u_(t){var n=t.getTimezoneOffset();return(n>0?"-":(n*=-1,"+"))+_v(n/60|0,"0",2)+_v(n%60,"0",2)}function c_(t,n){return _v(t.getUTCDate(),n,2)}function f_(t,n){return _v(t.getUTCHours(),n,2)}function s_(t,n){return _v(t.getUTCHours()%12||12,n,2)}function l_(t,n){return _v(1+yy.count(ev(t),t),n,3)}function h_(t,n){return _v(t.getUTCMilliseconds(),n,3)}function d_(t,n){return h_(t,n)+"000"}function p_(t,n){return _v(t.getUTCMonth()+1,n,2)}function g_(t,n){return _v(t.getUTCMinutes(),n,2)}function y_(t,n){return _v(t.getUTCSeconds(),n,2)}function v_(t){var n=t.getUTCDay();return 0===n?7:n}function __(t,n){return _v(Fy.count(ev(t)-1,t),n,2)}function b_(t){var n=t.getUTCDay();return n>=4||0===n?Oy(t):Oy.ceil(t)}function m_(t,n){return t=b_(t),_v(Oy.count(ev(t),t)+(4===ev(t).getUTCDay()),n,2)}function x_(t){return t.getUTCDay()}function w_(t,n){return _v(qy.count(ev(t)-1,t),n,2)}function M_(t,n){return _v(t.getUTCFullYear()%100,n,2)}function T_(t,n){return _v((t=b_(t)).getUTCFullYear()%100,n,2)}function A_(t,n){return _v(t.getUTCFullYear()%1e4,n,4)}function S_(t,n){var e=t.getUTCDay();return _v((t=e>=4||0===e?Oy(t):Oy.ceil(t)).getUTCFullYear()%1e4,n,4)}function E_(){return"+0000"}function N_(){return"%"}function k_(t){return+t}function C_(t){return Math.floor(+t/1e3)}function P_(n){return dv=hv(n),t.timeFormat=dv.format,t.timeParse=dv.parse,t.utcFormat=dv.utcFormat,t.utcParse=dv.utcParse,dv}t.timeFormat=void 0,t.timeParse=void 0,t.utcFormat=void 0,t.utcParse=void 0,P_({dateTime:"%x, %X",date:"%-m/%-d/%Y",time:"%-I:%M:%S %p",periods:["AM","PM"],days:["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],shortDays:["Sun","Mon","Tue","Wed","Thu","Fri","Sat"],months:["January","February","March","April","May","June","July","August","September","October","November","December"],shortMonths:["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"]});var z_="%Y-%m-%dT%H:%M:%S.%LZ";var $_=Date.prototype.toISOString?function(t){return t.toISOString()}:t.utcFormat(z_),D_=$_;var R_=+new Date("2000-01-01T00:00:00.000Z")?function(t){var n=new Date(t);return isNaN(n)?null:n}:t.utcParse(z_),F_=R_;function q_(t){return new Date(t)}function U_(t){return t instanceof Date?+t:+new Date(+t)}function I_(t,n,e,r,i,o,a,u,c,f){var s=Sg(),l=s.invert,h=s.domain,d=f(".%L"),p=f(":%S"),g=f("%I:%M"),y=f("%I %p"),v=f("%a %d"),_=f("%b %d"),b=f("%B"),m=f("%Y");function x(t){return(c(t)Fr(t[t.length-1]),rb=new Array(3).concat("d8b365f5f5f55ab4ac","a6611adfc27d80cdc1018571","a6611adfc27df5f5f580cdc1018571","8c510ad8b365f6e8c3c7eae55ab4ac01665e","8c510ad8b365f6e8c3f5f5f5c7eae55ab4ac01665e","8c510abf812ddfc27df6e8c3c7eae580cdc135978f01665e","8c510abf812ddfc27df6e8c3f5f5f5c7eae580cdc135978f01665e","5430058c510abf812ddfc27df6e8c3c7eae580cdc135978f01665e003c30","5430058c510abf812ddfc27df6e8c3f5f5f5c7eae580cdc135978f01665e003c30").map(H_),ib=eb(rb),ob=new Array(3).concat("af8dc3f7f7f77fbf7b","7b3294c2a5cfa6dba0008837","7b3294c2a5cff7f7f7a6dba0008837","762a83af8dc3e7d4e8d9f0d37fbf7b1b7837","762a83af8dc3e7d4e8f7f7f7d9f0d37fbf7b1b7837","762a839970abc2a5cfe7d4e8d9f0d3a6dba05aae611b7837","762a839970abc2a5cfe7d4e8f7f7f7d9f0d3a6dba05aae611b7837","40004b762a839970abc2a5cfe7d4e8d9f0d3a6dba05aae611b783700441b","40004b762a839970abc2a5cfe7d4e8f7f7f7d9f0d3a6dba05aae611b783700441b").map(H_),ab=eb(ob),ub=new Array(3).concat("e9a3c9f7f7f7a1d76a","d01c8bf1b6dab8e1864dac26","d01c8bf1b6daf7f7f7b8e1864dac26","c51b7de9a3c9fde0efe6f5d0a1d76a4d9221","c51b7de9a3c9fde0eff7f7f7e6f5d0a1d76a4d9221","c51b7dde77aef1b6dafde0efe6f5d0b8e1867fbc414d9221","c51b7dde77aef1b6dafde0eff7f7f7e6f5d0b8e1867fbc414d9221","8e0152c51b7dde77aef1b6dafde0efe6f5d0b8e1867fbc414d9221276419","8e0152c51b7dde77aef1b6dafde0eff7f7f7e6f5d0b8e1867fbc414d9221276419").map(H_),cb=eb(ub),fb=new Array(3).concat("998ec3f7f7f7f1a340","5e3c99b2abd2fdb863e66101","5e3c99b2abd2f7f7f7fdb863e66101","542788998ec3d8daebfee0b6f1a340b35806","542788998ec3d8daebf7f7f7fee0b6f1a340b35806","5427888073acb2abd2d8daebfee0b6fdb863e08214b35806","5427888073acb2abd2d8daebf7f7f7fee0b6fdb863e08214b35806","2d004b5427888073acb2abd2d8daebfee0b6fdb863e08214b358067f3b08","2d004b5427888073acb2abd2d8daebf7f7f7fee0b6fdb863e08214b358067f3b08").map(H_),sb=eb(fb),lb=new Array(3).concat("ef8a62f7f7f767a9cf","ca0020f4a58292c5de0571b0","ca0020f4a582f7f7f792c5de0571b0","b2182bef8a62fddbc7d1e5f067a9cf2166ac","b2182bef8a62fddbc7f7f7f7d1e5f067a9cf2166ac","b2182bd6604df4a582fddbc7d1e5f092c5de4393c32166ac","b2182bd6604df4a582fddbc7f7f7f7d1e5f092c5de4393c32166ac","67001fb2182bd6604df4a582fddbc7d1e5f092c5de4393c32166ac053061","67001fb2182bd6604df4a582fddbc7f7f7f7d1e5f092c5de4393c32166ac053061").map(H_),hb=eb(lb),db=new Array(3).concat("ef8a62ffffff999999","ca0020f4a582bababa404040","ca0020f4a582ffffffbababa404040","b2182bef8a62fddbc7e0e0e09999994d4d4d","b2182bef8a62fddbc7ffffffe0e0e09999994d4d4d","b2182bd6604df4a582fddbc7e0e0e0bababa8787874d4d4d","b2182bd6604df4a582fddbc7ffffffe0e0e0bababa8787874d4d4d","67001fb2182bd6604df4a582fddbc7e0e0e0bababa8787874d4d4d1a1a1a","67001fb2182bd6604df4a582fddbc7ffffffe0e0e0bababa8787874d4d4d1a1a1a").map(H_),pb=eb(db),gb=new Array(3).concat("fc8d59ffffbf91bfdb","d7191cfdae61abd9e92c7bb6","d7191cfdae61ffffbfabd9e92c7bb6","d73027fc8d59fee090e0f3f891bfdb4575b4","d73027fc8d59fee090ffffbfe0f3f891bfdb4575b4","d73027f46d43fdae61fee090e0f3f8abd9e974add14575b4","d73027f46d43fdae61fee090ffffbfe0f3f8abd9e974add14575b4","a50026d73027f46d43fdae61fee090e0f3f8abd9e974add14575b4313695","a50026d73027f46d43fdae61fee090ffffbfe0f3f8abd9e974add14575b4313695").map(H_),yb=eb(gb),vb=new Array(3).concat("fc8d59ffffbf91cf60","d7191cfdae61a6d96a1a9641","d7191cfdae61ffffbfa6d96a1a9641","d73027fc8d59fee08bd9ef8b91cf601a9850","d73027fc8d59fee08bffffbfd9ef8b91cf601a9850","d73027f46d43fdae61fee08bd9ef8ba6d96a66bd631a9850","d73027f46d43fdae61fee08bffffbfd9ef8ba6d96a66bd631a9850","a50026d73027f46d43fdae61fee08bd9ef8ba6d96a66bd631a9850006837","a50026d73027f46d43fdae61fee08bffffbfd9ef8ba6d96a66bd631a9850006837").map(H_),_b=eb(vb),bb=new Array(3).concat("fc8d59ffffbf99d594","d7191cfdae61abdda42b83ba","d7191cfdae61ffffbfabdda42b83ba","d53e4ffc8d59fee08be6f59899d5943288bd","d53e4ffc8d59fee08bffffbfe6f59899d5943288bd","d53e4ff46d43fdae61fee08be6f598abdda466c2a53288bd","d53e4ff46d43fdae61fee08bffffbfe6f598abdda466c2a53288bd","9e0142d53e4ff46d43fdae61fee08be6f598abdda466c2a53288bd5e4fa2","9e0142d53e4ff46d43fdae61fee08bffffbfe6f598abdda466c2a53288bd5e4fa2").map(H_),mb=eb(bb),xb=new Array(3).concat("e5f5f999d8c92ca25f","edf8fbb2e2e266c2a4238b45","edf8fbb2e2e266c2a42ca25f006d2c","edf8fbccece699d8c966c2a42ca25f006d2c","edf8fbccece699d8c966c2a441ae76238b45005824","f7fcfde5f5f9ccece699d8c966c2a441ae76238b45005824","f7fcfde5f5f9ccece699d8c966c2a441ae76238b45006d2c00441b").map(H_),wb=eb(xb),Mb=new Array(3).concat("e0ecf49ebcda8856a7","edf8fbb3cde38c96c688419d","edf8fbb3cde38c96c68856a7810f7c","edf8fbbfd3e69ebcda8c96c68856a7810f7c","edf8fbbfd3e69ebcda8c96c68c6bb188419d6e016b","f7fcfde0ecf4bfd3e69ebcda8c96c68c6bb188419d6e016b","f7fcfde0ecf4bfd3e69ebcda8c96c68c6bb188419d810f7c4d004b").map(H_),Tb=eb(Mb),Ab=new Array(3).concat("e0f3dba8ddb543a2ca","f0f9e8bae4bc7bccc42b8cbe","f0f9e8bae4bc7bccc443a2ca0868ac","f0f9e8ccebc5a8ddb57bccc443a2ca0868ac","f0f9e8ccebc5a8ddb57bccc44eb3d32b8cbe08589e","f7fcf0e0f3dbccebc5a8ddb57bccc44eb3d32b8cbe08589e","f7fcf0e0f3dbccebc5a8ddb57bccc44eb3d32b8cbe0868ac084081").map(H_),Sb=eb(Ab),Eb=new Array(3).concat("fee8c8fdbb84e34a33","fef0d9fdcc8afc8d59d7301f","fef0d9fdcc8afc8d59e34a33b30000","fef0d9fdd49efdbb84fc8d59e34a33b30000","fef0d9fdd49efdbb84fc8d59ef6548d7301f990000","fff7ecfee8c8fdd49efdbb84fc8d59ef6548d7301f990000","fff7ecfee8c8fdd49efdbb84fc8d59ef6548d7301fb300007f0000").map(H_),Nb=eb(Eb),kb=new Array(3).concat("ece2f0a6bddb1c9099","f6eff7bdc9e167a9cf02818a","f6eff7bdc9e167a9cf1c9099016c59","f6eff7d0d1e6a6bddb67a9cf1c9099016c59","f6eff7d0d1e6a6bddb67a9cf3690c002818a016450","fff7fbece2f0d0d1e6a6bddb67a9cf3690c002818a016450","fff7fbece2f0d0d1e6a6bddb67a9cf3690c002818a016c59014636").map(H_),Cb=eb(kb),Pb=new Array(3).concat("ece7f2a6bddb2b8cbe","f1eef6bdc9e174a9cf0570b0","f1eef6bdc9e174a9cf2b8cbe045a8d","f1eef6d0d1e6a6bddb74a9cf2b8cbe045a8d","f1eef6d0d1e6a6bddb74a9cf3690c00570b0034e7b","fff7fbece7f2d0d1e6a6bddb74a9cf3690c00570b0034e7b","fff7fbece7f2d0d1e6a6bddb74a9cf3690c00570b0045a8d023858").map(H_),zb=eb(Pb),$b=new Array(3).concat("e7e1efc994c7dd1c77","f1eef6d7b5d8df65b0ce1256","f1eef6d7b5d8df65b0dd1c77980043","f1eef6d4b9dac994c7df65b0dd1c77980043","f1eef6d4b9dac994c7df65b0e7298ace125691003f","f7f4f9e7e1efd4b9dac994c7df65b0e7298ace125691003f","f7f4f9e7e1efd4b9dac994c7df65b0e7298ace125698004367001f").map(H_),Db=eb($b),Rb=new Array(3).concat("fde0ddfa9fb5c51b8a","feebe2fbb4b9f768a1ae017e","feebe2fbb4b9f768a1c51b8a7a0177","feebe2fcc5c0fa9fb5f768a1c51b8a7a0177","feebe2fcc5c0fa9fb5f768a1dd3497ae017e7a0177","fff7f3fde0ddfcc5c0fa9fb5f768a1dd3497ae017e7a0177","fff7f3fde0ddfcc5c0fa9fb5f768a1dd3497ae017e7a017749006a").map(H_),Fb=eb(Rb),qb=new Array(3).concat("edf8b17fcdbb2c7fb8","ffffcca1dab441b6c4225ea8","ffffcca1dab441b6c42c7fb8253494","ffffccc7e9b47fcdbb41b6c42c7fb8253494","ffffccc7e9b47fcdbb41b6c41d91c0225ea80c2c84","ffffd9edf8b1c7e9b47fcdbb41b6c41d91c0225ea80c2c84","ffffd9edf8b1c7e9b47fcdbb41b6c41d91c0225ea8253494081d58").map(H_),Ub=eb(qb),Ib=new Array(3).concat("f7fcb9addd8e31a354","ffffccc2e69978c679238443","ffffccc2e69978c67931a354006837","ffffccd9f0a3addd8e78c67931a354006837","ffffccd9f0a3addd8e78c67941ab5d238443005a32","ffffe5f7fcb9d9f0a3addd8e78c67941ab5d238443005a32","ffffe5f7fcb9d9f0a3addd8e78c67941ab5d238443006837004529").map(H_),Ob=eb(Ib),Bb=new Array(3).concat("fff7bcfec44fd95f0e","ffffd4fed98efe9929cc4c02","ffffd4fed98efe9929d95f0e993404","ffffd4fee391fec44ffe9929d95f0e993404","ffffd4fee391fec44ffe9929ec7014cc4c028c2d04","ffffe5fff7bcfee391fec44ffe9929ec7014cc4c028c2d04","ffffe5fff7bcfee391fec44ffe9929ec7014cc4c02993404662506").map(H_),Yb=eb(Bb),Lb=new Array(3).concat("ffeda0feb24cf03b20","ffffb2fecc5cfd8d3ce31a1c","ffffb2fecc5cfd8d3cf03b20bd0026","ffffb2fed976feb24cfd8d3cf03b20bd0026","ffffb2fed976feb24cfd8d3cfc4e2ae31a1cb10026","ffffccffeda0fed976feb24cfd8d3cfc4e2ae31a1cb10026","ffffccffeda0fed976feb24cfd8d3cfc4e2ae31a1cbd0026800026").map(H_),jb=eb(Lb),Hb=new Array(3).concat("deebf79ecae13182bd","eff3ffbdd7e76baed62171b5","eff3ffbdd7e76baed63182bd08519c","eff3ffc6dbef9ecae16baed63182bd08519c","eff3ffc6dbef9ecae16baed64292c62171b5084594","f7fbffdeebf7c6dbef9ecae16baed64292c62171b5084594","f7fbffdeebf7c6dbef9ecae16baed64292c62171b508519c08306b").map(H_),Xb=eb(Hb),Gb=new Array(3).concat("e5f5e0a1d99b31a354","edf8e9bae4b374c476238b45","edf8e9bae4b374c47631a354006d2c","edf8e9c7e9c0a1d99b74c47631a354006d2c","edf8e9c7e9c0a1d99b74c47641ab5d238b45005a32","f7fcf5e5f5e0c7e9c0a1d99b74c47641ab5d238b45005a32","f7fcf5e5f5e0c7e9c0a1d99b74c47641ab5d238b45006d2c00441b").map(H_),Vb=eb(Gb),Wb=new Array(3).concat("f0f0f0bdbdbd636363","f7f7f7cccccc969696525252","f7f7f7cccccc969696636363252525","f7f7f7d9d9d9bdbdbd969696636363252525","f7f7f7d9d9d9bdbdbd969696737373525252252525","fffffff0f0f0d9d9d9bdbdbd969696737373525252252525","fffffff0f0f0d9d9d9bdbdbd969696737373525252252525000000").map(H_),Zb=eb(Wb),Kb=new Array(3).concat("efedf5bcbddc756bb1","f2f0f7cbc9e29e9ac86a51a3","f2f0f7cbc9e29e9ac8756bb154278f","f2f0f7dadaebbcbddc9e9ac8756bb154278f","f2f0f7dadaebbcbddc9e9ac8807dba6a51a34a1486","fcfbfdefedf5dadaebbcbddc9e9ac8807dba6a51a34a1486","fcfbfdefedf5dadaebbcbddc9e9ac8807dba6a51a354278f3f007d").map(H_),Qb=eb(Kb),Jb=new Array(3).concat("fee0d2fc9272de2d26","fee5d9fcae91fb6a4acb181d","fee5d9fcae91fb6a4ade2d26a50f15","fee5d9fcbba1fc9272fb6a4ade2d26a50f15","fee5d9fcbba1fc9272fb6a4aef3b2ccb181d99000d","fff5f0fee0d2fcbba1fc9272fb6a4aef3b2ccb181d99000d","fff5f0fee0d2fcbba1fc9272fb6a4aef3b2ccb181da50f1567000d").map(H_),tm=eb(Jb),nm=new Array(3).concat("fee6cefdae6be6550d","feeddefdbe85fd8d3cd94701","feeddefdbe85fd8d3ce6550da63603","feeddefdd0a2fdae6bfd8d3ce6550da63603","feeddefdd0a2fdae6bfd8d3cf16913d948018c2d04","fff5ebfee6cefdd0a2fdae6bfd8d3cf16913d948018c2d04","fff5ebfee6cefdd0a2fdae6bfd8d3cf16913d94801a636037f2704").map(H_),em=eb(nm);var rm=hi(Tr(300,.5,0),Tr(-240,.5,1)),im=hi(Tr(-100,.75,.35),Tr(80,1.5,.8)),om=hi(Tr(260,.75,.35),Tr(80,1.5,.8)),am=Tr();var um=Fe(),cm=Math.PI/3,fm=2*Math.PI/3;function sm(t){var n=t.length;return function(e){return t[Math.max(0,Math.min(n-1,Math.floor(e*n)))]}}var lm=sm(H_("44015444025645045745055946075a46085c460a5d460b5e470d60470e6147106347116447136548146748166848176948186a481a6c481b6d481c6e481d6f481f70482071482173482374482475482576482677482878482979472a7a472c7a472d7b472e7c472f7d46307e46327e46337f463480453581453781453882443983443a83443b84433d84433e85423f854240864241864142874144874045884046883f47883f48893e49893e4a893e4c8a3d4d8a3d4e8a3c4f8a3c508b3b518b3b528b3a538b3a548c39558c39568c38588c38598c375a8c375b8d365c8d365d8d355e8d355f8d34608d34618d33628d33638d32648e32658e31668e31678e31688e30698e306a8e2f6b8e2f6c8e2e6d8e2e6e8e2e6f8e2d708e2d718e2c718e2c728e2c738e2b748e2b758e2a768e2a778e2a788e29798e297a8e297b8e287c8e287d8e277e8e277f8e27808e26818e26828e26828e25838e25848e25858e24868e24878e23888e23898e238a8d228b8d228c8d228d8d218e8d218f8d21908d21918c20928c20928c20938c1f948c1f958b1f968b1f978b1f988b1f998a1f9a8a1e9b8a1e9c891e9d891f9e891f9f881fa0881fa1881fa1871fa28720a38620a48621a58521a68522a78522a88423a98324aa8325ab8225ac8226ad8127ad8128ae8029af7f2ab07f2cb17e2db27d2eb37c2fb47c31b57b32b67a34b67935b77937b87838b9773aba763bbb753dbc743fbc7340bd7242be7144bf7046c06f48c16e4ac16d4cc26c4ec36b50c46a52c56954c56856c66758c7655ac8645cc8635ec96260ca6063cb5f65cb5e67cc5c69cd5b6ccd5a6ece5870cf5773d05675d05477d1537ad1517cd2507fd34e81d34d84d44b86d54989d5488bd6468ed64590d74393d74195d84098d83e9bd93c9dd93ba0da39a2da37a5db36a8db34aadc32addc30b0dd2fb2dd2db5de2bb8de29bade28bddf26c0df25c2df23c5e021c8e020cae11fcde11dd0e11cd2e21bd5e21ad8e219dae319dde318dfe318e2e418e5e419e7e419eae51aece51befe51cf1e51df4e61ef6e620f8e621fbe723fde725")),hm=sm(H_("00000401000501010601010802010902020b02020d03030f03031204041405041606051806051a07061c08071e0907200a08220b09240c09260d0a290e0b2b100b2d110c2f120d31130d34140e36150e38160f3b180f3d19103f1a10421c10441d11471e114920114b21114e22115024125325125527125829115a2a115c2c115f2d11612f116331116533106734106936106b38106c390f6e3b0f703d0f713f0f72400f74420f75440f764510774710784910784a10794c117a4e117b4f127b51127c52137c54137d56147d57157e59157e5a167e5c167f5d177f5f187f601880621980641a80651a80671b80681c816a1c816b1d816d1d816e1e81701f81721f817320817521817621817822817922827b23827c23827e24828025828125818326818426818627818827818928818b29818c29818e2a81902a81912b81932b80942c80962c80982d80992d809b2e7f9c2e7f9e2f7fa02f7fa1307ea3307ea5317ea6317da8327daa337dab337cad347cae347bb0357bb2357bb3367ab5367ab73779b83779ba3878bc3978bd3977bf3a77c03a76c23b75c43c75c53c74c73d73c83e73ca3e72cc3f71cd4071cf4070d0416fd2426fd3436ed5446dd6456cd8456cd9466bdb476adc4869de4968df4a68e04c67e24d66e34e65e44f64e55064e75263e85362e95462ea5661eb5760ec5860ed5a5fee5b5eef5d5ef05f5ef1605df2625df2645cf3655cf4675cf4695cf56b5cf66c5cf66e5cf7705cf7725cf8745cf8765cf9785df9795df97b5dfa7d5efa7f5efa815ffb835ffb8560fb8761fc8961fc8a62fc8c63fc8e64fc9065fd9266fd9467fd9668fd9869fd9a6afd9b6bfe9d6cfe9f6dfea16efea36ffea571fea772fea973feaa74feac76feae77feb078feb27afeb47bfeb67cfeb77efeb97ffebb81febd82febf84fec185fec287fec488fec68afec88cfeca8dfecc8ffecd90fecf92fed194fed395fed597fed799fed89afdda9cfddc9efddea0fde0a1fde2a3fde3a5fde5a7fde7a9fde9aafdebacfcecaefceeb0fcf0b2fcf2b4fcf4b6fcf6b8fcf7b9fcf9bbfcfbbdfcfdbf")),dm=sm(H_("00000401000501010601010802010a02020c02020e03021004031204031405041706041907051b08051d09061f0a07220b07240c08260d08290e092b10092d110a30120a32140b34150b37160b39180c3c190c3e1b0c411c0c431e0c451f0c48210c4a230c4c240c4f260c51280b53290b552b0b572d0b592f0a5b310a5c320a5e340a5f3609613809623909633b09643d09653e0966400a67420a68440a68450a69470b6a490b6a4a0c6b4c0c6b4d0d6c4f0d6c510e6c520e6d540f6d550f6d57106e59106e5a116e5c126e5d126e5f136e61136e62146e64156e65156e67166e69166e6a176e6c186e6d186e6f196e71196e721a6e741a6e751b6e771c6d781c6d7a1d6d7c1d6d7d1e6d7f1e6c801f6c82206c84206b85216b87216b88226a8a226a8c23698d23698f24699025689225689326679526679727669827669a28659b29649d29649f2a63a02a63a22b62a32c61a52c60a62d60a82e5fa92e5eab2f5ead305dae305cb0315bb1325ab3325ab43359b63458b73557b93556ba3655bc3754bd3853bf3952c03a51c13a50c33b4fc43c4ec63d4dc73e4cc83f4bca404acb4149cc4248ce4347cf4446d04545d24644d34743d44842d54a41d74b3fd84c3ed94d3dda4e3cdb503bdd513ade5238df5337e05536e15635e25734e35933e45a31e55c30e65d2fe75e2ee8602de9612bea632aeb6429eb6628ec6726ed6925ee6a24ef6c23ef6e21f06f20f1711ff1731df2741cf3761bf37819f47918f57b17f57d15f67e14f68013f78212f78410f8850ff8870ef8890cf98b0bf98c0af98e09fa9008fa9207fa9407fb9606fb9706fb9906fb9b06fb9d07fc9f07fca108fca309fca50afca60cfca80dfcaa0ffcac11fcae12fcb014fcb216fcb418fbb61afbb81dfbba1ffbbc21fbbe23fac026fac228fac42afac62df9c72ff9c932f9cb35f8cd37f8cf3af7d13df7d340f6d543f6d746f5d949f5db4cf4dd4ff4df53f4e156f3e35af3e55df2e661f2e865f2ea69f1ec6df1ed71f1ef75f1f179f2f27df2f482f3f586f3f68af4f88ef5f992f6fa96f8fb9af9fc9dfafda1fcffa4")),pm=sm(H_("0d088710078813078916078a19068c1b068d1d068e20068f2206902406912605912805922a05932c05942e05952f059631059733059735049837049938049a3a049a3c049b3e049c3f049c41049d43039e44039e46039f48039f4903a04b03a14c02a14e02a25002a25102a35302a35502a45601a45801a45901a55b01a55c01a65e01a66001a66100a76300a76400a76600a76700a86900a86a00a86c00a86e00a86f00a87100a87201a87401a87501a87701a87801a87a02a87b02a87d03a87e03a88004a88104a78305a78405a78606a68707a68808a68a09a58b0aa58d0ba58e0ca48f0da4910ea3920fa39410a29511a19613a19814a099159f9a169f9c179e9d189d9e199da01a9ca11b9ba21d9aa31e9aa51f99a62098a72197a82296aa2395ab2494ac2694ad2793ae2892b02991b12a90b22b8fb32c8eb42e8db52f8cb6308bb7318ab83289ba3388bb3488bc3587bd3786be3885bf3984c03a83c13b82c23c81c33d80c43e7fc5407ec6417dc7427cc8437bc9447aca457acb4679cc4778cc4977cd4a76ce4b75cf4c74d04d73d14e72d24f71d35171d45270d5536fd5546ed6556dd7566cd8576bd9586ada5a6ada5b69db5c68dc5d67dd5e66de5f65de6164df6263e06363e16462e26561e26660e3685fe4695ee56a5de56b5de66c5ce76e5be76f5ae87059e97158e97257ea7457eb7556eb7655ec7754ed7953ed7a52ee7b51ef7c51ef7e50f07f4ff0804ef1814df1834cf2844bf3854bf3874af48849f48948f58b47f58c46f68d45f68f44f79044f79143f79342f89441f89540f9973ff9983ef99a3efa9b3dfa9c3cfa9e3bfb9f3afba139fba238fca338fca537fca636fca835fca934fdab33fdac33fdae32fdaf31fdb130fdb22ffdb42ffdb52efeb72dfeb82cfeba2cfebb2bfebd2afebe2afec029fdc229fdc328fdc527fdc627fdc827fdca26fdcb26fccd25fcce25fcd025fcd225fbd324fbd524fbd724fad824fada24f9dc24f9dd25f8df25f8e125f7e225f7e425f6e626f6e826f5e926f5eb27f4ed27f3ee27f3f027f2f227f1f426f1f525f0f724f0f921"));function gm(t){return function(){return t}}const ym=Math.abs,vm=Math.atan2,_m=Math.cos,bm=Math.max,mm=Math.min,xm=Math.sin,wm=Math.sqrt,Mm=1e-12,Tm=Math.PI,Am=Tm/2,Sm=2*Tm;function Em(t){return t>=1?Am:t<=-1?-Am:Math.asin(t)}function Nm(t){let n=3;return t.digits=function(e){if(!arguments.length)return n;if(null==e)n=null;else{const t=Math.floor(e);if(!(t>=0))throw new RangeError(`invalid digits: ${e}`);n=t}return t},()=>new Ua(n)}function km(t){return t.innerRadius}function Cm(t){return t.outerRadius}function Pm(t){return t.startAngle}function zm(t){return t.endAngle}function $m(t){return t&&t.padAngle}function Dm(t,n,e,r,i,o,a){var u=t-e,c=n-r,f=(a?o:-o)/wm(u*u+c*c),s=f*c,l=-f*u,h=t+s,d=n+l,p=e+s,g=r+l,y=(h+p)/2,v=(d+g)/2,_=p-h,b=g-d,m=_*_+b*b,x=i-o,w=h*g-p*d,M=(b<0?-1:1)*wm(bm(0,x*x*m-w*w)),T=(w*b-_*M)/m,A=(-w*_-b*M)/m,S=(w*b+_*M)/m,E=(-w*_+b*M)/m,N=T-y,k=A-v,C=S-y,P=E-v;return N*N+k*k>C*C+P*P&&(T=S,A=E),{cx:T,cy:A,x01:-s,y01:-l,x11:T*(i/x-1),y11:A*(i/x-1)}}var Rm=Array.prototype.slice;function Fm(t){return"object"==typeof t&&"length"in t?t:Array.from(t)}function qm(t){this._context=t}function Um(t){return new qm(t)}function Im(t){return t[0]}function Om(t){return t[1]}function Bm(t,n){var e=gm(!0),r=null,i=Um,o=null,a=Nm(u);function u(u){var c,f,s,l=(u=Fm(u)).length,h=!1;for(null==r&&(o=i(s=a())),c=0;c<=l;++c)!(c=l;--h)u.point(v[h],_[h]);u.lineEnd(),u.areaEnd()}y&&(v[s]=+t(d,s,f),_[s]=+n(d,s,f),u.point(r?+r(d,s,f):v[s],e?+e(d,s,f):_[s]))}if(p)return u=null,p+""||null}function s(){return Bm().defined(i).curve(a).context(o)}return t="function"==typeof t?t:void 0===t?Im:gm(+t),n="function"==typeof n?n:gm(void 0===n?0:+n),e="function"==typeof e?e:void 0===e?Om:gm(+e),f.x=function(n){return arguments.length?(t="function"==typeof n?n:gm(+n),r=null,f):t},f.x0=function(n){return arguments.length?(t="function"==typeof n?n:gm(+n),f):t},f.x1=function(t){return arguments.length?(r=null==t?null:"function"==typeof t?t:gm(+t),f):r},f.y=function(t){return arguments.length?(n="function"==typeof t?t:gm(+t),e=null,f):n},f.y0=function(t){return arguments.length?(n="function"==typeof t?t:gm(+t),f):n},f.y1=function(t){return arguments.length?(e=null==t?null:"function"==typeof t?t:gm(+t),f):e},f.lineX0=f.lineY0=function(){return s().x(t).y(n)},f.lineY1=function(){return s().x(t).y(e)},f.lineX1=function(){return s().x(r).y(n)},f.defined=function(t){return arguments.length?(i="function"==typeof t?t:gm(!!t),f):i},f.curve=function(t){return arguments.length?(a=t,null!=o&&(u=a(o)),f):a},f.context=function(t){return arguments.length?(null==t?o=u=null:u=a(o=t),f):o},f}function Lm(t,n){return nt?1:n>=t?0:NaN}function jm(t){return t}qm.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._point=0},lineEnd:function(){(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,n):this._context.moveTo(t,n);break;case 1:this._point=2;default:this._context.lineTo(t,n)}}};var Hm=Gm(Um);function Xm(t){this._curve=t}function Gm(t){function n(n){return new Xm(t(n))}return n._curve=t,n}function Vm(t){var n=t.curve;return t.angle=t.x,delete t.x,t.radius=t.y,delete t.y,t.curve=function(t){return arguments.length?n(Gm(t)):n()._curve},t}function Wm(){return Vm(Bm().curve(Hm))}function Zm(){var t=Ym().curve(Hm),n=t.curve,e=t.lineX0,r=t.lineX1,i=t.lineY0,o=t.lineY1;return t.angle=t.x,delete t.x,t.startAngle=t.x0,delete t.x0,t.endAngle=t.x1,delete t.x1,t.radius=t.y,delete t.y,t.innerRadius=t.y0,delete t.y0,t.outerRadius=t.y1,delete t.y1,t.lineStartAngle=function(){return Vm(e())},delete t.lineX0,t.lineEndAngle=function(){return Vm(r())},delete t.lineX1,t.lineInnerRadius=function(){return Vm(i())},delete t.lineY0,t.lineOuterRadius=function(){return Vm(o())},delete t.lineY1,t.curve=function(t){return arguments.length?n(Gm(t)):n()._curve},t}function Km(t,n){return[(n=+n)*Math.cos(t-=Math.PI/2),n*Math.sin(t)]}Xm.prototype={areaStart:function(){this._curve.areaStart()},areaEnd:function(){this._curve.areaEnd()},lineStart:function(){this._curve.lineStart()},lineEnd:function(){this._curve.lineEnd()},point:function(t,n){this._curve.point(n*Math.sin(t),n*-Math.cos(t))}};class Qm{constructor(t,n){this._context=t,this._x=n}areaStart(){this._line=0}areaEnd(){this._line=NaN}lineStart(){this._point=0}lineEnd(){(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line}point(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,n):this._context.moveTo(t,n);break;case 1:this._point=2;default:this._x?this._context.bezierCurveTo(this._x0=(this._x0+t)/2,this._y0,this._x0,n,t,n):this._context.bezierCurveTo(this._x0,this._y0=(this._y0+n)/2,t,this._y0,t,n)}this._x0=t,this._y0=n}}class Jm{constructor(t){this._context=t}lineStart(){this._point=0}lineEnd(){}point(t,n){if(t=+t,n=+n,0===this._point)this._point=1;else{const e=Km(this._x0,this._y0),r=Km(this._x0,this._y0=(this._y0+n)/2),i=Km(t,this._y0),o=Km(t,n);this._context.moveTo(...e),this._context.bezierCurveTo(...r,...i,...o)}this._x0=t,this._y0=n}}function tx(t){return new Qm(t,!0)}function nx(t){return new Qm(t,!1)}function ex(t){return new Jm(t)}function rx(t){return t.source}function ix(t){return t.target}function ox(t){let n=rx,e=ix,r=Im,i=Om,o=null,a=null,u=Nm(c);function c(){let c;const f=Rm.call(arguments),s=n.apply(this,f),l=e.apply(this,f);if(null==o&&(a=t(c=u())),a.lineStart(),f[0]=s,a.point(+r.apply(this,f),+i.apply(this,f)),f[0]=l,a.point(+r.apply(this,f),+i.apply(this,f)),a.lineEnd(),c)return a=null,c+""||null}return c.source=function(t){return arguments.length?(n=t,c):n},c.target=function(t){return arguments.length?(e=t,c):e},c.x=function(t){return arguments.length?(r="function"==typeof t?t:gm(+t),c):r},c.y=function(t){return arguments.length?(i="function"==typeof t?t:gm(+t),c):i},c.context=function(n){return arguments.length?(null==n?o=a=null:a=t(o=n),c):o},c}const ax=wm(3);var ux={draw(t,n){const e=.59436*wm(n+mm(n/28,.75)),r=e/2,i=r*ax;t.moveTo(0,e),t.lineTo(0,-e),t.moveTo(-i,-r),t.lineTo(i,r),t.moveTo(-i,r),t.lineTo(i,-r)}},cx={draw(t,n){const e=wm(n/Tm);t.moveTo(e,0),t.arc(0,0,e,0,Sm)}},fx={draw(t,n){const e=wm(n/5)/2;t.moveTo(-3*e,-e),t.lineTo(-e,-e),t.lineTo(-e,-3*e),t.lineTo(e,-3*e),t.lineTo(e,-e),t.lineTo(3*e,-e),t.lineTo(3*e,e),t.lineTo(e,e),t.lineTo(e,3*e),t.lineTo(-e,3*e),t.lineTo(-e,e),t.lineTo(-3*e,e),t.closePath()}};const sx=wm(1/3),lx=2*sx;var hx={draw(t,n){const e=wm(n/lx),r=e*sx;t.moveTo(0,-e),t.lineTo(r,0),t.lineTo(0,e),t.lineTo(-r,0),t.closePath()}},dx={draw(t,n){const e=.62625*wm(n);t.moveTo(0,-e),t.lineTo(e,0),t.lineTo(0,e),t.lineTo(-e,0),t.closePath()}},px={draw(t,n){const e=.87559*wm(n-mm(n/7,2));t.moveTo(-e,0),t.lineTo(e,0),t.moveTo(0,e),t.lineTo(0,-e)}},gx={draw(t,n){const e=wm(n),r=-e/2;t.rect(r,r,e,e)}},yx={draw(t,n){const e=.4431*wm(n);t.moveTo(e,e),t.lineTo(e,-e),t.lineTo(-e,-e),t.lineTo(-e,e),t.closePath()}};const vx=xm(Tm/10)/xm(7*Tm/10),_x=xm(Sm/10)*vx,bx=-_m(Sm/10)*vx;var mx={draw(t,n){const e=wm(.8908130915292852*n),r=_x*e,i=bx*e;t.moveTo(0,-e),t.lineTo(r,i);for(let n=1;n<5;++n){const o=Sm*n/5,a=_m(o),u=xm(o);t.lineTo(u*e,-a*e),t.lineTo(a*r-u*i,u*r+a*i)}t.closePath()}};const xx=wm(3);var wx={draw(t,n){const e=-wm(n/(3*xx));t.moveTo(0,2*e),t.lineTo(-xx*e,-e),t.lineTo(xx*e,-e),t.closePath()}};const Mx=wm(3);var Tx={draw(t,n){const e=.6824*wm(n),r=e/2,i=e*Mx/2;t.moveTo(0,-e),t.lineTo(i,r),t.lineTo(-i,r),t.closePath()}};const Ax=-.5,Sx=wm(3)/2,Ex=1/wm(12),Nx=3*(Ex/2+1);var kx={draw(t,n){const e=wm(n/Nx),r=e/2,i=e*Ex,o=r,a=e*Ex+e,u=-o,c=a;t.moveTo(r,i),t.lineTo(o,a),t.lineTo(u,c),t.lineTo(Ax*r-Sx*i,Sx*r+Ax*i),t.lineTo(Ax*o-Sx*a,Sx*o+Ax*a),t.lineTo(Ax*u-Sx*c,Sx*u+Ax*c),t.lineTo(Ax*r+Sx*i,Ax*i-Sx*r),t.lineTo(Ax*o+Sx*a,Ax*a-Sx*o),t.lineTo(Ax*u+Sx*c,Ax*c-Sx*u),t.closePath()}},Cx={draw(t,n){const e=.6189*wm(n-mm(n/6,1.7));t.moveTo(-e,-e),t.lineTo(e,e),t.moveTo(-e,e),t.lineTo(e,-e)}};const Px=[cx,fx,hx,gx,mx,wx,kx],zx=[cx,px,Cx,Tx,ux,yx,dx];function $x(){}function Dx(t,n,e){t._context.bezierCurveTo((2*t._x0+t._x1)/3,(2*t._y0+t._y1)/3,(t._x0+2*t._x1)/3,(t._y0+2*t._y1)/3,(t._x0+4*t._x1+n)/6,(t._y0+4*t._y1+e)/6)}function Rx(t){this._context=t}function Fx(t){this._context=t}function qx(t){this._context=t}function Ux(t,n){this._basis=new Rx(t),this._beta=n}Rx.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){switch(this._point){case 3:Dx(this,this._x1,this._y1);case 2:this._context.lineTo(this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,n):this._context.moveTo(t,n);break;case 1:this._point=2;break;case 2:this._point=3,this._context.lineTo((5*this._x0+this._x1)/6,(5*this._y0+this._y1)/6);default:Dx(this,t,n)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=n}},Fx.prototype={areaStart:$x,areaEnd:$x,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._y0=this._y1=this._y2=this._y3=this._y4=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x2,this._y2),this._context.closePath();break;case 2:this._context.moveTo((this._x2+2*this._x3)/3,(this._y2+2*this._y3)/3),this._context.lineTo((this._x3+2*this._x2)/3,(this._y3+2*this._y2)/3),this._context.closePath();break;case 3:this.point(this._x2,this._y2),this.point(this._x3,this._y3),this.point(this._x4,this._y4)}},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._x2=t,this._y2=n;break;case 1:this._point=2,this._x3=t,this._y3=n;break;case 2:this._point=3,this._x4=t,this._y4=n,this._context.moveTo((this._x0+4*this._x1+t)/6,(this._y0+4*this._y1+n)/6);break;default:Dx(this,t,n)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=n}},qx.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._y0=this._y1=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3;var e=(this._x0+4*this._x1+t)/6,r=(this._y0+4*this._y1+n)/6;this._line?this._context.lineTo(e,r):this._context.moveTo(e,r);break;case 3:this._point=4;default:Dx(this,t,n)}this._x0=this._x1,this._x1=t,this._y0=this._y1,this._y1=n}},Ux.prototype={lineStart:function(){this._x=[],this._y=[],this._basis.lineStart()},lineEnd:function(){var t=this._x,n=this._y,e=t.length-1;if(e>0)for(var r,i=t[0],o=n[0],a=t[e]-i,u=n[e]-o,c=-1;++c<=e;)r=c/e,this._basis.point(this._beta*t[c]+(1-this._beta)*(i+r*a),this._beta*n[c]+(1-this._beta)*(o+r*u));this._x=this._y=null,this._basis.lineEnd()},point:function(t,n){this._x.push(+t),this._y.push(+n)}};var Ix=function t(n){function e(t){return 1===n?new Rx(t):new Ux(t,n)}return e.beta=function(n){return t(+n)},e}(.85);function Ox(t,n,e){t._context.bezierCurveTo(t._x1+t._k*(t._x2-t._x0),t._y1+t._k*(t._y2-t._y0),t._x2+t._k*(t._x1-n),t._y2+t._k*(t._y1-e),t._x2,t._y2)}function Bx(t,n){this._context=t,this._k=(1-n)/6}Bx.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:Ox(this,this._x1,this._y1)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,n):this._context.moveTo(t,n);break;case 1:this._point=2,this._x1=t,this._y1=n;break;case 2:this._point=3;default:Ox(this,t,n)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var Yx=function t(n){function e(t){return new Bx(t,n)}return e.tension=function(n){return t(+n)},e}(0);function Lx(t,n){this._context=t,this._k=(1-n)/6}Lx.prototype={areaStart:$x,areaEnd:$x,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._x3=t,this._y3=n;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=n);break;case 2:this._point=3,this._x5=t,this._y5=n;break;default:Ox(this,t,n)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var jx=function t(n){function e(t){return new Lx(t,n)}return e.tension=function(n){return t(+n)},e}(0);function Hx(t,n){this._context=t,this._k=(1-n)/6}Hx.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:Ox(this,t,n)}this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var Xx=function t(n){function e(t){return new Hx(t,n)}return e.tension=function(n){return t(+n)},e}(0);function Gx(t,n,e){var r=t._x1,i=t._y1,o=t._x2,a=t._y2;if(t._l01_a>Mm){var u=2*t._l01_2a+3*t._l01_a*t._l12_a+t._l12_2a,c=3*t._l01_a*(t._l01_a+t._l12_a);r=(r*u-t._x0*t._l12_2a+t._x2*t._l01_2a)/c,i=(i*u-t._y0*t._l12_2a+t._y2*t._l01_2a)/c}if(t._l23_a>Mm){var f=2*t._l23_2a+3*t._l23_a*t._l12_a+t._l12_2a,s=3*t._l23_a*(t._l23_a+t._l12_a);o=(o*f+t._x1*t._l23_2a-n*t._l12_2a)/s,a=(a*f+t._y1*t._l23_2a-e*t._l12_2a)/s}t._context.bezierCurveTo(r,i,o,a,t._x2,t._y2)}function Vx(t,n){this._context=t,this._alpha=n}Vx.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 2:this._context.lineTo(this._x2,this._y2);break;case 3:this.point(this._x2,this._y2)}(this._line||0!==this._line&&1===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){if(t=+t,n=+n,this._point){var e=this._x2-t,r=this._y2-n;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(e*e+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._line?this._context.lineTo(t,n):this._context.moveTo(t,n);break;case 1:this._point=2;break;case 2:this._point=3;default:Gx(this,t,n)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var Wx=function t(n){function e(t){return n?new Vx(t,n):new Bx(t,0)}return e.alpha=function(n){return t(+n)},e}(.5);function Zx(t,n){this._context=t,this._alpha=n}Zx.prototype={areaStart:$x,areaEnd:$x,lineStart:function(){this._x0=this._x1=this._x2=this._x3=this._x4=this._x5=this._y0=this._y1=this._y2=this._y3=this._y4=this._y5=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){switch(this._point){case 1:this._context.moveTo(this._x3,this._y3),this._context.closePath();break;case 2:this._context.lineTo(this._x3,this._y3),this._context.closePath();break;case 3:this.point(this._x3,this._y3),this.point(this._x4,this._y4),this.point(this._x5,this._y5)}},point:function(t,n){if(t=+t,n=+n,this._point){var e=this._x2-t,r=this._y2-n;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(e*e+r*r,this._alpha))}switch(this._point){case 0:this._point=1,this._x3=t,this._y3=n;break;case 1:this._point=2,this._context.moveTo(this._x4=t,this._y4=n);break;case 2:this._point=3,this._x5=t,this._y5=n;break;default:Gx(this,t,n)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var Kx=function t(n){function e(t){return n?new Zx(t,n):new Lx(t,0)}return e.alpha=function(n){return t(+n)},e}(.5);function Qx(t,n){this._context=t,this._alpha=n}Qx.prototype={areaStart:function(){this._line=0},areaEnd:function(){this._line=NaN},lineStart:function(){this._x0=this._x1=this._x2=this._y0=this._y1=this._y2=NaN,this._l01_a=this._l12_a=this._l23_a=this._l01_2a=this._l12_2a=this._l23_2a=this._point=0},lineEnd:function(){(this._line||0!==this._line&&3===this._point)&&this._context.closePath(),this._line=1-this._line},point:function(t,n){if(t=+t,n=+n,this._point){var e=this._x2-t,r=this._y2-n;this._l23_a=Math.sqrt(this._l23_2a=Math.pow(e*e+r*r,this._alpha))}switch(this._point){case 0:this._point=1;break;case 1:this._point=2;break;case 2:this._point=3,this._line?this._context.lineTo(this._x2,this._y2):this._context.moveTo(this._x2,this._y2);break;case 3:this._point=4;default:Gx(this,t,n)}this._l01_a=this._l12_a,this._l12_a=this._l23_a,this._l01_2a=this._l12_2a,this._l12_2a=this._l23_2a,this._x0=this._x1,this._x1=this._x2,this._x2=t,this._y0=this._y1,this._y1=this._y2,this._y2=n}};var Jx=function t(n){function e(t){return n?new Qx(t,n):new Hx(t,0)}return e.alpha=function(n){return t(+n)},e}(.5);function tw(t){this._context=t}function nw(t){return t<0?-1:1}function ew(t,n,e){var r=t._x1-t._x0,i=n-t._x1,o=(t._y1-t._y0)/(r||i<0&&-0),a=(e-t._y1)/(i||r<0&&-0),u=(o*i+a*r)/(r+i);return(nw(o)+nw(a))*Math.min(Math.abs(o),Math.abs(a),.5*Math.abs(u))||0}function rw(t,n){var e=t._x1-t._x0;return e?(3*(t._y1-t._y0)/e-n)/2:n}function iw(t,n,e){var r=t._x0,i=t._y0,o=t._x1,a=t._y1,u=(o-r)/3;t._context.bezierCurveTo(r+u,i+u*n,o-u,a-u*e,o,a)}function ow(t){this._context=t}function aw(t){this._context=new uw(t)}function uw(t){this._context=t}function cw(t){this._context=t}function fw(t){var n,e,r=t.length-1,i=new Array(r),o=new Array(r),a=new Array(r);for(i[0]=0,o[0]=2,a[0]=t[0]+2*t[1],n=1;n=0;--n)i[n]=(a[n]-i[n+1])/o[n];for(o[r-1]=(t[r]+i[r-1])/2,n=0;n1)for(var e,r,i,o=1,a=t[n[0]],u=a.length;o=0;)e[n]=n;return e}function dw(t,n){return t[n]}function pw(t){const n=[];return n.key=t,n}function gw(t){var n=t.map(yw);return hw(t).sort((function(t,e){return n[t]-n[e]}))}function yw(t){for(var n,e=-1,r=0,i=t.length,o=-1/0;++eo&&(o=n,r=e);return r}function vw(t){var n=t.map(_w);return hw(t).sort((function(t,e){return n[t]-n[e]}))}function _w(t){for(var n,e=0,r=-1,i=t.length;++r=0&&(this._t=1-this._t,this._line=1-this._line)},point:function(t,n){switch(t=+t,n=+n,this._point){case 0:this._point=1,this._line?this._context.lineTo(t,n):this._context.moveTo(t,n);break;case 1:this._point=2;default:if(this._t<=0)this._context.lineTo(this._x,n),this._context.lineTo(t,n);else{var e=this._x*(1-this._t)+t*this._t;this._context.lineTo(e,this._y),this._context.lineTo(e,n)}}this._x=t,this._y=n}};var bw=t=>()=>t;function mw(t,{sourceEvent:n,target:e,transform:r,dispatch:i}){Object.defineProperties(this,{type:{value:t,enumerable:!0,configurable:!0},sourceEvent:{value:n,enumerable:!0,configurable:!0},target:{value:e,enumerable:!0,configurable:!0},transform:{value:r,enumerable:!0,configurable:!0},_:{value:i}})}function xw(t,n,e){this.k=t,this.x=n,this.y=e}xw.prototype={constructor:xw,scale:function(t){return 1===t?this:new xw(this.k*t,this.x,this.y)},translate:function(t,n){return 0===t&0===n?this:new xw(this.k,this.x+this.k*t,this.y+this.k*n)},apply:function(t){return[t[0]*this.k+this.x,t[1]*this.k+this.y]},applyX:function(t){return t*this.k+this.x},applyY:function(t){return t*this.k+this.y},invert:function(t){return[(t[0]-this.x)/this.k,(t[1]-this.y)/this.k]},invertX:function(t){return(t-this.x)/this.k},invertY:function(t){return(t-this.y)/this.k},rescaleX:function(t){return t.copy().domain(t.range().map(this.invertX,this).map(t.invert,t))},rescaleY:function(t){return t.copy().domain(t.range().map(this.invertY,this).map(t.invert,t))},toString:function(){return"translate("+this.x+","+this.y+") scale("+this.k+")"}};var ww=new xw(1,0,0);function Mw(t){for(;!t.__zoom;)if(!(t=t.parentNode))return ww;return t.__zoom}function Tw(t){t.stopImmediatePropagation()}function Aw(t){t.preventDefault(),t.stopImmediatePropagation()}function Sw(t){return!(t.ctrlKey&&"wheel"!==t.type||t.button)}function Ew(){var t=this;return t instanceof SVGElement?(t=t.ownerSVGElement||t).hasAttribute("viewBox")?[[(t=t.viewBox.baseVal).x,t.y],[t.x+t.width,t.y+t.height]]:[[0,0],[t.width.baseVal.value,t.height.baseVal.value]]:[[0,0],[t.clientWidth,t.clientHeight]]}function Nw(){return this.__zoom||ww}function kw(t){return-t.deltaY*(1===t.deltaMode?.05:t.deltaMode?1:.002)*(t.ctrlKey?10:1)}function Cw(){return navigator.maxTouchPoints||"ontouchstart"in this}function Pw(t,n,e){var r=t.invertX(n[0][0])-e[0][0],i=t.invertX(n[1][0])-e[1][0],o=t.invertY(n[0][1])-e[0][1],a=t.invertY(n[1][1])-e[1][1];return t.translate(i>r?(r+i)/2:Math.min(0,r)||Math.max(0,i),a>o?(o+a)/2:Math.min(0,o)||Math.max(0,a))}Mw.prototype=xw.prototype,t.Adder=T,t.Delaunay=Lu,t.FormatSpecifier=tf,t.InternMap=InternMap,t.InternSet=InternSet,t.Node=Qd,t.Path=Ua,t.Voronoi=qu,t.ZoomTransform=xw,t.active=function(t,n){var e,r,i=t.__transition;if(i)for(r in n=null==n?null:n+"",i)if((e=i[r]).state>qi&&e.name===n)return new po([[t]],Zo,n,+r);return null},t.arc=function(){var t=km,n=Cm,e=gm(0),r=null,i=Pm,o=zm,a=$m,u=null,c=Nm(f);function f(){var f,s,l=+t.apply(this,arguments),h=+n.apply(this,arguments),d=i.apply(this,arguments)-Am,p=o.apply(this,arguments)-Am,g=ym(p-d),y=p>d;if(u||(u=f=c()),hMm)if(g>Sm-Mm)u.moveTo(h*_m(d),h*xm(d)),u.arc(0,0,h,d,p,!y),l>Mm&&(u.moveTo(l*_m(p),l*xm(p)),u.arc(0,0,l,p,d,y));else{var v,_,b=d,m=p,x=d,w=p,M=g,T=g,A=a.apply(this,arguments)/2,S=A>Mm&&(r?+r.apply(this,arguments):wm(l*l+h*h)),E=mm(ym(h-l)/2,+e.apply(this,arguments)),N=E,k=E;if(S>Mm){var C=Em(S/l*xm(A)),P=Em(S/h*xm(A));(M-=2*C)>Mm?(x+=C*=y?1:-1,w-=C):(M=0,x=w=(d+p)/2),(T-=2*P)>Mm?(b+=P*=y?1:-1,m-=P):(T=0,b=m=(d+p)/2)}var z=h*_m(b),$=h*xm(b),D=l*_m(w),R=l*xm(w);if(E>Mm){var F,q=h*_m(m),U=h*xm(m),I=l*_m(x),O=l*xm(x);if(g1?0:t<-1?Tm:Math.acos(t)}((B*L+Y*j)/(wm(B*B+Y*Y)*wm(L*L+j*j)))/2),X=wm(F[0]*F[0]+F[1]*F[1]);N=mm(E,(l-X)/(H-1)),k=mm(E,(h-X)/(H+1))}else N=k=0}T>Mm?k>Mm?(v=Dm(I,O,z,$,h,k,y),_=Dm(q,U,D,R,h,k,y),u.moveTo(v.cx+v.x01,v.cy+v.y01),kMm&&M>Mm?N>Mm?(v=Dm(D,R,q,U,l,-N,y),_=Dm(z,$,I,O,l,-N,y),u.lineTo(v.cx+v.x01,v.cy+v.y01),N=0))throw new RangeError("invalid r");let e=t.length;if(!((e=Math.floor(e))>=0))throw new RangeError("invalid length");if(!e||!n)return t;const r=y(n),i=t.slice();return r(t,i,0,e,1),r(i,t,0,e,1),r(t,i,0,e,1),t},t.blur2=l,t.blurImage=h,t.brush=function(){return wa(la)},t.brushSelection=function(t){var n=t.__brush;return n?n.dim.output(n.selection):null},t.brushX=function(){return wa(fa)},t.brushY=function(){return wa(sa)},t.buffer=function(t,n){return fetch(t,n).then(_c)},t.chord=function(){return za(!1,!1)},t.chordDirected=function(){return za(!0,!1)},t.chordTranspose=function(){return za(!1,!0)},t.cluster=function(){var t=Ld,n=1,e=1,r=!1;function i(i){var o,a=0;i.eachAfter((function(n){var e=n.children;e?(n.x=function(t){return t.reduce(jd,0)/t.length}(e),n.y=function(t){return 1+t.reduce(Hd,0)}(e)):(n.x=o?a+=t(n,o):0,n.y=0,o=n)}));var u=function(t){for(var n;n=t.children;)t=n[0];return t}(i),c=function(t){for(var n;n=t.children;)t=n[n.length-1];return t}(i),f=u.x-t(u,c)/2,s=c.x+t(c,u)/2;return i.eachAfter(r?function(t){t.x=(t.x-i.x)*n,t.y=(i.y-t.y)*e}:function(t){t.x=(t.x-f)/(s-f)*n,t.y=(1-(i.y?t.y/i.y:1))*e})}return i.separation=function(n){return arguments.length?(t=n,i):t},i.size=function(t){return arguments.length?(r=!1,n=+t[0],e=+t[1],i):r?null:[n,e]},i.nodeSize=function(t){return arguments.length?(r=!0,n=+t[0],e=+t[1],i):r?[n,e]:null},i},t.color=ze,t.contourDensity=function(){var t=fu,n=su,e=lu,r=960,i=500,o=20,a=2,u=3*o,c=r+2*u>>a,f=i+2*u>>a,s=Qa(20);function h(r){var i=new Float32Array(c*f),s=Math.pow(2,-a),h=-1;for(const o of r){var d=(t(o,++h,r)+u)*s,p=(n(o,h,r)+u)*s,g=+e(o,h,r);if(g&&d>=0&&d=0&&pt*r)))(n).map(((t,n)=>(t.value=+e[n],p(t))))}function p(t){return t.coordinates.forEach(g),t}function g(t){t.forEach(y)}function y(t){t.forEach(v)}function v(t){t[0]=t[0]*Math.pow(2,a)-u,t[1]=t[1]*Math.pow(2,a)-u}function _(){return c=r+2*(u=3*o)>>a,f=i+2*u>>a,d}return d.contours=function(t){var n=h(t),e=iu().size([c,f]),r=Math.pow(2,2*a),i=t=>{t=+t;var i=p(e.contour(n,t*r));return i.value=t,i};return Object.defineProperty(i,"max",{get:()=>J(n)/r}),i},d.x=function(n){return arguments.length?(t="function"==typeof n?n:Qa(+n),d):t},d.y=function(t){return arguments.length?(n="function"==typeof t?t:Qa(+t),d):n},d.weight=function(t){return arguments.length?(e="function"==typeof t?t:Qa(+t),d):e},d.size=function(t){if(!arguments.length)return[r,i];var n=+t[0],e=+t[1];if(!(n>=0&&e>=0))throw new Error("invalid size");return r=n,i=e,_()},d.cellSize=function(t){if(!arguments.length)return 1<=1))throw new Error("invalid cell size");return a=Math.floor(Math.log(t)/Math.LN2),_()},d.thresholds=function(t){return arguments.length?(s="function"==typeof t?t:Array.isArray(t)?Qa(Za.call(t)):Qa(t),d):s},d.bandwidth=function(t){if(!arguments.length)return Math.sqrt(o*(o+1));if(!((t=+t)>=0))throw new Error("invalid bandwidth");return o=(Math.sqrt(4*t*t+1)-1)/2,_()},d},t.contours=iu,t.count=v,t.create=function(t){return Zn(Yt(t).call(document.documentElement))},t.creator=Yt,t.cross=function(...t){const n="function"==typeof t[t.length-1]&&function(t){return n=>t(...n)}(t.pop()),e=(t=t.map(m)).map(_),r=t.length-1,i=new Array(r+1).fill(0),o=[];if(r<0||e.some(b))return o;for(;;){o.push(i.map(((n,e)=>t[e][n])));let a=r;for(;++i[a]===e[a];){if(0===a)return n?o.map(n):o;i[a--]=0}}},t.csv=wc,t.csvFormat=rc,t.csvFormatBody=ic,t.csvFormatRow=ac,t.csvFormatRows=oc,t.csvFormatValue=uc,t.csvParse=nc,t.csvParseRows=ec,t.cubehelix=Tr,t.cumsum=function(t,n){var e=0,r=0;return Float64Array.from(t,void 0===n?t=>e+=+t||0:i=>e+=+n(i,r++,t)||0)},t.curveBasis=function(t){return new Rx(t)},t.curveBasisClosed=function(t){return new Fx(t)},t.curveBasisOpen=function(t){return new qx(t)},t.curveBumpX=tx,t.curveBumpY=nx,t.curveBundle=Ix,t.curveCardinal=Yx,t.curveCardinalClosed=jx,t.curveCardinalOpen=Xx,t.curveCatmullRom=Wx,t.curveCatmullRomClosed=Kx,t.curveCatmullRomOpen=Jx,t.curveLinear=Um,t.curveLinearClosed=function(t){return new tw(t)},t.curveMonotoneX=function(t){return new ow(t)},t.curveMonotoneY=function(t){return new aw(t)},t.curveNatural=function(t){return new cw(t)},t.curveStep=function(t){return new sw(t,.5)},t.curveStepAfter=function(t){return new sw(t,1)},t.curveStepBefore=function(t){return new sw(t,0)},t.descending=e,t.deviation=w,t.difference=function(t,...n){t=new InternSet(t);for(const e of n)for(const n of e)t.delete(n);return t},t.disjoint=function(t,n){const e=n[Symbol.iterator](),r=new InternSet;for(const n of t){if(r.has(n))return!1;let t,i;for(;({value:t,done:i}=e.next())&&!i;){if(Object.is(n,t))return!1;r.add(t)}}return!0},t.dispatch=$t,t.drag=function(){var t,n,e,r,i=se,o=le,a=he,u=de,c={},f=$t("start","drag","end"),s=0,l=0;function h(t){t.on("mousedown.drag",d).filter(u).on("touchstart.drag",y).on("touchmove.drag",v,ee).on("touchend.drag touchcancel.drag",_).style("touch-action","none").style("-webkit-tap-highlight-color","rgba(0,0,0,0)")}function d(a,u){if(!r&&i.call(this,a,u)){var c=b(this,o.call(this,a,u),a,u,"mouse");c&&(Zn(a.view).on("mousemove.drag",p,re).on("mouseup.drag",g,re),ae(a.view),ie(a),e=!1,t=a.clientX,n=a.clientY,c("start",a))}}function p(r){if(oe(r),!e){var i=r.clientX-t,o=r.clientY-n;e=i*i+o*o>l}c.mouse("drag",r)}function g(t){Zn(t.view).on("mousemove.drag mouseup.drag",null),ue(t.view,e),oe(t),c.mouse("end",t)}function y(t,n){if(i.call(this,t,n)){var e,r,a=t.changedTouches,u=o.call(this,t,n),c=a.length;for(e=0;e+t,t.easePoly=wo,t.easePolyIn=mo,t.easePolyInOut=wo,t.easePolyOut=xo,t.easeQuad=_o,t.easeQuadIn=function(t){return t*t},t.easeQuadInOut=_o,t.easeQuadOut=function(t){return t*(2-t)},t.easeSin=Ao,t.easeSinIn=function(t){return 1==+t?1:1-Math.cos(t*To)},t.easeSinInOut=Ao,t.easeSinOut=function(t){return Math.sin(t*To)},t.every=function(t,n){if("function"!=typeof n)throw new TypeError("test is not a function");let e=-1;for(const r of t)if(!n(r,++e,t))return!1;return!0},t.extent=M,t.fcumsum=function(t,n){const e=new T;let r=-1;return Float64Array.from(t,void 0===n?t=>e.add(+t||0):i=>e.add(+n(i,++r,t)||0))},t.filter=function(t,n){if("function"!=typeof n)throw new TypeError("test is not a function");const e=[];let r=-1;for(const i of t)n(i,++r,t)&&e.push(i);return e},t.flatGroup=function(t,...n){return z(P(t,...n),n)},t.flatRollup=function(t,n,...e){return z(D(t,n,...e),e)},t.forceCenter=function(t,n){var e,r=1;function i(){var i,o,a=e.length,u=0,c=0;for(i=0;if+p||os+p||ac.index){var g=f-u.x-u.vx,y=s-u.y-u.vy,v=g*g+y*y;vt.r&&(t.r=t[n].r)}function c(){if(n){var r,i,o=n.length;for(e=new Array(o),r=0;r[u(t,n,r),t])));for(a=0,i=new Array(f);a=u)){(t.data!==n||t.next)&&(0===l&&(p+=(l=Uc(e))*l),0===h&&(p+=(h=Uc(e))*h),p(t=(Lc*t+jc)%Hc)/Hc}();function l(){h(),f.call("tick",n),e1?(null==e?u.delete(t):u.set(t,p(e)),n):u.get(t)},find:function(n,e,r){var i,o,a,u,c,f=0,s=t.length;for(null==r?r=1/0:r*=r,f=0;f1?(f.on(t,e),n):f.on(t)}}},t.forceX=function(t){var n,e,r,i=qc(.1);function o(t){for(var i,o=0,a=n.length;o=.12&&i<.234&&r>=-.425&&r<-.214?u:i>=.166&&i<.234&&r>=-.214&&r<-.115?c:a).invert(t)},s.stream=function(e){return t&&n===e?t:(r=[a.stream(n=e),u.stream(e),c.stream(e)],i=r.length,t={point:function(t,n){for(var e=-1;++ejs(r[0],r[1])&&(r[1]=i[1]),js(i[0],r[1])>js(r[0],r[1])&&(r[0]=i[0])):o.push(r=i);for(a=-1/0,n=0,r=o[e=o.length-1];n<=e;r=i,++n)i=o[n],(u=js(r[1],i[0]))>a&&(a=u,Wf=i[0],Kf=r[1])}return is=os=null,Wf===1/0||Zf===1/0?[[NaN,NaN],[NaN,NaN]]:[[Wf,Zf],[Kf,Qf]]},t.geoCentroid=function(t){ms=xs=ws=Ms=Ts=As=Ss=Es=0,Ns=new T,ks=new T,Cs=new T,Lf(t,Gs);var n=+Ns,e=+ks,r=+Cs,i=Ef(n,e,r);return i=0))throw new RangeError(`invalid digits: ${t}`);i=n}return null===n&&(r=new ed(i)),a},a.projection(t).digits(i).context(n)},t.geoProjection=yd,t.geoProjectionMutator=vd,t.geoRotation=ll,t.geoStereographic=function(){return yd(Bd).scale(250).clipAngle(142)},t.geoStereographicRaw=Bd,t.geoStream=Lf,t.geoTransform=function(t){return{stream:id(t)}},t.geoTransverseMercator=function(){var t=Ed(Yd),n=t.center,e=t.rotate;return t.center=function(t){return arguments.length?n([-t[1],t[0]]):[(t=n())[1],-t[0]]},t.rotate=function(t){return arguments.length?e([t[0],t[1],t.length>2?t[2]+90:90]):[(t=e())[0],t[1],t[2]-90]},e([0,0,90]).scale(159.155)},t.geoTransverseMercatorRaw=Yd,t.gray=function(t,n){return new ur(t,0,0,null==n?1:n)},t.greatest=ot,t.greatestIndex=function(t,e=n){if(1===e.length)return tt(t,e);let r,i=-1,o=-1;for(const n of t)++o,(i<0?0===e(n,n):e(n,r)>0)&&(r=n,i=o);return i},t.group=C,t.groupSort=function(t,e,r){return(2!==e.length?U($(t,e,r),(([t,e],[r,i])=>n(e,i)||n(t,r))):U(C(t,r),(([t,r],[i,o])=>e(r,o)||n(t,i)))).map((([t])=>t))},t.groups=P,t.hcl=dr,t.hierarchy=Gd,t.histogram=Q,t.hsl=He,t.html=Ec,t.image=function(t,n){return new Promise((function(e,r){var i=new Image;for(var o in n)i[o]=n[o];i.onerror=r,i.onload=function(){e(i)},i.src=t}))},t.index=function(t,...n){return F(t,k,R,n)},t.indexes=function(t,...n){return F(t,Array.from,R,n)},t.interpolate=Gr,t.interpolateArray=function(t,n){return(Ir(n)?Ur:Or)(t,n)},t.interpolateBasis=Er,t.interpolateBasisClosed=Nr,t.interpolateBlues=Xb,t.interpolateBrBG=ib,t.interpolateBuGn=wb,t.interpolateBuPu=Tb,t.interpolateCividis=function(t){return t=Math.max(0,Math.min(1,t)),"rgb("+Math.max(0,Math.min(255,Math.round(-4.54-t*(35.34-t*(2381.73-t*(6402.7-t*(7024.72-2710.57*t)))))))+", "+Math.max(0,Math.min(255,Math.round(32.49+t*(170.73+t*(52.82-t*(131.46-t*(176.58-67.37*t)))))))+", "+Math.max(0,Math.min(255,Math.round(81.24+t*(442.36-t*(2482.43-t*(6167.24-t*(6614.94-2475.67*t)))))))+")"},t.interpolateCool=om,t.interpolateCubehelix=li,t.interpolateCubehelixDefault=rm,t.interpolateCubehelixLong=hi,t.interpolateDate=Br,t.interpolateDiscrete=function(t){var n=t.length;return function(e){return t[Math.max(0,Math.min(n-1,Math.floor(e*n)))]}},t.interpolateGnBu=Sb,t.interpolateGreens=Vb,t.interpolateGreys=Zb,t.interpolateHcl=ci,t.interpolateHclLong=fi,t.interpolateHsl=oi,t.interpolateHslLong=ai,t.interpolateHue=function(t,n){var e=Pr(+t,+n);return function(t){var n=e(t);return n-360*Math.floor(n/360)}},t.interpolateInferno=dm,t.interpolateLab=function(t,n){var e=$r((t=ar(t)).l,(n=ar(n)).l),r=$r(t.a,n.a),i=$r(t.b,n.b),o=$r(t.opacity,n.opacity);return function(n){return t.l=e(n),t.a=r(n),t.b=i(n),t.opacity=o(n),t+""}},t.interpolateMagma=hm,t.interpolateNumber=Yr,t.interpolateNumberArray=Ur,t.interpolateObject=Lr,t.interpolateOrRd=Nb,t.interpolateOranges=em,t.interpolatePRGn=ab,t.interpolatePiYG=cb,t.interpolatePlasma=pm,t.interpolatePuBu=zb,t.interpolatePuBuGn=Cb,t.interpolatePuOr=sb,t.interpolatePuRd=Db,t.interpolatePurples=Qb,t.interpolateRainbow=function(t){(t<0||t>1)&&(t-=Math.floor(t));var n=Math.abs(t-.5);return am.h=360*t-100,am.s=1.5-1.5*n,am.l=.8-.9*n,am+""},t.interpolateRdBu=hb,t.interpolateRdGy=pb,t.interpolateRdPu=Fb,t.interpolateRdYlBu=yb,t.interpolateRdYlGn=_b,t.interpolateReds=tm,t.interpolateRgb=Dr,t.interpolateRgbBasis=Fr,t.interpolateRgbBasisClosed=qr,t.interpolateRound=Vr,t.interpolateSinebow=function(t){var n;return t=(.5-t)*Math.PI,um.r=255*(n=Math.sin(t))*n,um.g=255*(n=Math.sin(t+cm))*n,um.b=255*(n=Math.sin(t+fm))*n,um+""},t.interpolateSpectral=mb,t.interpolateString=Xr,t.interpolateTransformCss=ti,t.interpolateTransformSvg=ni,t.interpolateTurbo=function(t){return t=Math.max(0,Math.min(1,t)),"rgb("+Math.max(0,Math.min(255,Math.round(34.61+t*(1172.33-t*(10793.56-t*(33300.12-t*(38394.49-14825.05*t)))))))+", "+Math.max(0,Math.min(255,Math.round(23.31+t*(557.33+t*(1225.33-t*(3574.96-t*(1073.77+707.56*t)))))))+", "+Math.max(0,Math.min(255,Math.round(27.2+t*(3211.1-t*(15327.97-t*(27814-t*(22569.18-6838.66*t)))))))+")"},t.interpolateViridis=lm,t.interpolateWarm=im,t.interpolateYlGn=Ob,t.interpolateYlGnBu=Ub,t.interpolateYlOrBr=Yb,t.interpolateYlOrRd=jb,t.interpolateZoom=ri,t.interrupt=Gi,t.intersection=function(t,...n){t=new InternSet(t),n=n.map(vt);t:for(const e of t)for(const r of n)if(!r.has(e)){t.delete(e);continue t}return t},t.interval=function(t,n,e){var r=new Ei,i=n;return null==n?(r.restart(t,n,e),r):(r._restart=r.restart,r.restart=function(t,n,e){n=+n,e=null==e?Ai():+e,r._restart((function o(a){a+=i,r._restart(o,i+=n,e),t(a)}),n,e)},r.restart(t,n,e),r)},t.isoFormat=D_,t.isoParse=F_,t.json=function(t,n){return fetch(t,n).then(Tc)},t.lab=ar,t.lch=function(t,n,e,r){return 1===arguments.length?hr(t):new pr(e,n,t,null==r?1:r)},t.least=function(t,e=n){let r,i=!1;if(1===e.length){let o;for(const a of t){const t=e(a);(i?n(t,o)<0:0===n(t,t))&&(r=a,o=t,i=!0)}}else for(const n of t)(i?e(n,r)<0:0===e(n,n))&&(r=n,i=!0);return r},t.leastIndex=ht,t.line=Bm,t.lineRadial=Wm,t.link=ox,t.linkHorizontal=function(){return ox(tx)},t.linkRadial=function(){const t=ox(ex);return t.angle=t.x,delete t.x,t.radius=t.y,delete t.y,t},t.linkVertical=function(){return ox(nx)},t.local=Qn,t.map=function(t,n){if("function"!=typeof t[Symbol.iterator])throw new TypeError("values is not iterable");if("function"!=typeof n)throw new TypeError("mapper is not a function");return Array.from(t,((e,r)=>n(e,r,t)))},t.matcher=Vt,t.max=J,t.maxIndex=tt,t.mean=function(t,n){let e=0,r=0;if(void 0===n)for(let n of t)null!=n&&(n=+n)>=n&&(++e,r+=n);else{let i=-1;for(let o of t)null!=(o=n(o,++i,t))&&(o=+o)>=o&&(++e,r+=o)}if(e)return r/e},t.median=function(t,n){return at(t,.5,n)},t.medianIndex=function(t,n){return ct(t,.5,n)},t.merge=ft,t.min=nt,t.minIndex=et,t.mode=function(t,n){const e=new InternMap;if(void 0===n)for(let n of t)null!=n&&n>=n&&e.set(n,(e.get(n)||0)+1);else{let r=-1;for(let i of t)null!=(i=n(i,++r,t))&&i>=i&&e.set(i,(e.get(i)||0)+1)}let r,i=0;for(const[t,n]of e)n>i&&(i=n,r=t);return r},t.namespace=It,t.namespaces=Ut,t.nice=Z,t.now=Ai,t.pack=function(){var t=null,n=1,e=1,r=np;function i(i){const o=ap();return i.x=n/2,i.y=e/2,t?i.eachBefore(xp(t)).eachAfter(wp(r,.5,o)).eachBefore(Mp(1)):i.eachBefore(xp(mp)).eachAfter(wp(np,1,o)).eachAfter(wp(r,i.r/Math.min(n,e),o)).eachBefore(Mp(Math.min(n,e)/(2*i.r))),i}return i.radius=function(n){return arguments.length?(t=Jd(n),i):t},i.size=function(t){return arguments.length?(n=+t[0],e=+t[1],i):[n,e]},i.padding=function(t){return arguments.length?(r="function"==typeof t?t:ep(+t),i):r},i},t.packEnclose=function(t){return up(t,ap())},t.packSiblings=function(t){return bp(t,ap()),t},t.pairs=function(t,n=st){const e=[];let r,i=!1;for(const o of t)i&&e.push(n(r,o)),r=o,i=!0;return e},t.partition=function(){var t=1,n=1,e=0,r=!1;function i(i){var o=i.height+1;return i.x0=i.y0=e,i.x1=t,i.y1=n/o,i.eachBefore(function(t,n){return function(r){r.children&&Ap(r,r.x0,t*(r.depth+1)/n,r.x1,t*(r.depth+2)/n);var i=r.x0,o=r.y0,a=r.x1-e,u=r.y1-e;a0&&(d+=l);for(null!=n?p.sort((function(t,e){return n(g[t],g[e])})):null!=e&&p.sort((function(t,n){return e(a[t],a[n])})),u=0,f=d?(v-h*b)/d:0;u0?l*f:0)+b,g[c]={data:a[c],index:u,value:l,startAngle:y,endAngle:s,padAngle:_};return g}return a.value=function(n){return arguments.length?(t="function"==typeof n?n:gm(+n),a):t},a.sortValues=function(t){return arguments.length?(n=t,e=null,a):n},a.sort=function(t){return arguments.length?(e=t,n=null,a):e},a.startAngle=function(t){return arguments.length?(r="function"==typeof t?t:gm(+t),a):r},a.endAngle=function(t){return arguments.length?(i="function"==typeof t?t:gm(+t),a):i},a.padAngle=function(t){return arguments.length?(o="function"==typeof t?t:gm(+t),a):o},a},t.piecewise=di,t.pointRadial=Km,t.pointer=ne,t.pointers=function(t,n){return t.target&&(t=te(t),void 0===n&&(n=t.currentTarget),t=t.touches||[t]),Array.from(t,(t=>ne(t,n)))},t.polygonArea=function(t){for(var n,e=-1,r=t.length,i=t[r-1],o=0;++eu!=f>u&&a<(c-e)*(u-r)/(f-r)+e&&(s=!s),c=e,f=r;return s},t.polygonHull=function(t){if((e=t.length)<3)return null;var n,e,r=new Array(e),i=new Array(e);for(n=0;n=0;--n)f.push(t[r[o[n]][2]]);for(n=+u;n(n=1664525*n+1013904223|0,lg*(n>>>0))},t.randomLogNormal=Kp,t.randomLogistic=fg,t.randomNormal=Zp,t.randomPareto=ng,t.randomPoisson=sg,t.randomUniform=Vp,t.randomWeibull=ug,t.range=lt,t.rank=function(t,e=n){if("function"!=typeof t[Symbol.iterator])throw new TypeError("values is not iterable");let r=Array.from(t);const i=new Float64Array(r.length);2!==e.length&&(r=r.map(e),e=n);const o=(t,n)=>e(r[t],r[n]);let a,u;return(t=Uint32Array.from(r,((t,n)=>n))).sort(e===n?(t,n)=>O(r[t],r[n]):I(o)),t.forEach(((t,n)=>{const e=o(t,void 0===a?t:a);e>=0?((void 0===a||e>0)&&(a=t,u=n),i[t]=u):i[t]=NaN})),i},t.reduce=function(t,n,e){if("function"!=typeof n)throw new TypeError("reducer is not a function");const r=t[Symbol.iterator]();let i,o,a=-1;if(arguments.length<3){if(({done:i,value:e}=r.next()),i)return;++a}for(;({done:i,value:o}=r.next()),!i;)e=n(e,o,++a,t);return e},t.reverse=function(t){if("function"!=typeof t[Symbol.iterator])throw new TypeError("values is not iterable");return Array.from(t).reverse()},t.rgb=Fe,t.ribbon=function(){return Wa()},t.ribbonArrow=function(){return Wa(Va)},t.rollup=$,t.rollups=D,t.scaleBand=yg,t.scaleDiverging=function t(){var n=Ng(L_()(mg));return n.copy=function(){return B_(n,t())},dg.apply(n,arguments)},t.scaleDivergingLog=function t(){var n=Fg(L_()).domain([.1,1,10]);return n.copy=function(){return B_(n,t()).base(n.base())},dg.apply(n,arguments)},t.scaleDivergingPow=j_,t.scaleDivergingSqrt=function(){return j_.apply(null,arguments).exponent(.5)},t.scaleDivergingSymlog=function t(){var n=Ig(L_());return n.copy=function(){return B_(n,t()).constant(n.constant())},dg.apply(n,arguments)},t.scaleIdentity=function t(n){var e;function r(t){return null==t||isNaN(t=+t)?e:t}return r.invert=r,r.domain=r.range=function(t){return arguments.length?(n=Array.from(t,_g),r):n.slice()},r.unknown=function(t){return arguments.length?(e=t,r):e},r.copy=function(){return t(n).unknown(e)},n=arguments.length?Array.from(n,_g):[0,1],Ng(r)},t.scaleImplicit=pg,t.scaleLinear=function t(){var n=Sg();return n.copy=function(){return Tg(n,t())},hg.apply(n,arguments),Ng(n)},t.scaleLog=function t(){const n=Fg(Ag()).domain([1,10]);return n.copy=()=>Tg(n,t()).base(n.base()),hg.apply(n,arguments),n},t.scaleOrdinal=gg,t.scalePoint=function(){return vg(yg.apply(null,arguments).paddingInner(1))},t.scalePow=jg,t.scaleQuantile=function t(){var e,r=[],i=[],o=[];function a(){var t=0,n=Math.max(1,i.length);for(o=new Array(n-1);++t0?o[n-1]:r[0],n=i?[o[i-1],r]:[o[n-1],o[n]]},u.unknown=function(t){return arguments.length?(n=t,u):u},u.thresholds=function(){return o.slice()},u.copy=function(){return t().domain([e,r]).range(a).unknown(n)},hg.apply(Ng(u),arguments)},t.scaleRadial=function t(){var n,e=Sg(),r=[0,1],i=!1;function o(t){var r=function(t){return Math.sign(t)*Math.sqrt(Math.abs(t))}(e(t));return isNaN(r)?n:i?Math.round(r):r}return o.invert=function(t){return e.invert(Hg(t))},o.domain=function(t){return arguments.length?(e.domain(t),o):e.domain()},o.range=function(t){return arguments.length?(e.range((r=Array.from(t,_g)).map(Hg)),o):r.slice()},o.rangeRound=function(t){return o.range(t).round(!0)},o.round=function(t){return arguments.length?(i=!!t,o):i},o.clamp=function(t){return arguments.length?(e.clamp(t),o):e.clamp()},o.unknown=function(t){return arguments.length?(n=t,o):n},o.copy=function(){return t(e.domain(),r).round(i).clamp(e.clamp()).unknown(n)},hg.apply(o,arguments),Ng(o)},t.scaleSequential=function t(){var n=Ng(O_()(mg));return n.copy=function(){return B_(n,t())},dg.apply(n,arguments)},t.scaleSequentialLog=function t(){var n=Fg(O_()).domain([1,10]);return n.copy=function(){return B_(n,t()).base(n.base())},dg.apply(n,arguments)},t.scaleSequentialPow=Y_,t.scaleSequentialQuantile=function t(){var e=[],r=mg;function i(t){if(null!=t&&!isNaN(t=+t))return r((s(e,t,1)-1)/(e.length-1))}return i.domain=function(t){if(!arguments.length)return e.slice();e=[];for(let n of t)null==n||isNaN(n=+n)||e.push(n);return e.sort(n),i},i.interpolator=function(t){return arguments.length?(r=t,i):r},i.range=function(){return e.map(((t,n)=>r(n/(e.length-1))))},i.quantiles=function(t){return Array.from({length:t+1},((n,r)=>at(e,r/t)))},i.copy=function(){return t(r).domain(e)},dg.apply(i,arguments)},t.scaleSequentialSqrt=function(){return Y_.apply(null,arguments).exponent(.5)},t.scaleSequentialSymlog=function t(){var n=Ig(O_());return n.copy=function(){return B_(n,t()).constant(n.constant())},dg.apply(n,arguments)},t.scaleSqrt=function(){return jg.apply(null,arguments).exponent(.5)},t.scaleSymlog=function t(){var n=Ig(Ag());return n.copy=function(){return Tg(n,t()).constant(n.constant())},hg.apply(n,arguments)},t.scaleThreshold=function t(){var n,e=[.5],r=[0,1],i=1;function o(t){return null!=t&&t<=t?r[s(e,t,0,i)]:n}return o.domain=function(t){return arguments.length?(e=Array.from(t),i=Math.min(e.length,r.length-1),o):e.slice()},o.range=function(t){return arguments.length?(r=Array.from(t),i=Math.min(e.length,r.length-1),o):r.slice()},o.invertExtent=function(t){var n=r.indexOf(t);return[e[n-1],e[n]]},o.unknown=function(t){return arguments.length?(n=t,o):n},o.copy=function(){return t().domain(e).range(r).unknown(n)},hg.apply(o,arguments)},t.scaleTime=function(){return hg.apply(I_(uv,cv,tv,Zy,xy,py,sy,ay,iy,t.timeFormat).domain([new Date(2e3,0,1),new Date(2e3,0,2)]),arguments)},t.scaleUtc=function(){return hg.apply(I_(ov,av,ev,Qy,Fy,yy,hy,cy,iy,t.utcFormat).domain([Date.UTC(2e3,0,1),Date.UTC(2e3,0,2)]),arguments)},t.scan=function(t,n){const e=ht(t,n);return e<0?void 0:e},t.schemeAccent=G_,t.schemeBlues=Hb,t.schemeBrBG=rb,t.schemeBuGn=xb,t.schemeBuPu=Mb,t.schemeCategory10=X_,t.schemeDark2=V_,t.schemeGnBu=Ab,t.schemeGreens=Gb,t.schemeGreys=Wb,t.schemeOrRd=Eb,t.schemeOranges=nm,t.schemePRGn=ob,t.schemePaired=W_,t.schemePastel1=Z_,t.schemePastel2=K_,t.schemePiYG=ub,t.schemePuBu=Pb,t.schemePuBuGn=kb,t.schemePuOr=fb,t.schemePuRd=$b,t.schemePurples=Kb,t.schemeRdBu=lb,t.schemeRdGy=db,t.schemeRdPu=Rb,t.schemeRdYlBu=gb,t.schemeRdYlGn=vb,t.schemeReds=Jb,t.schemeSet1=Q_,t.schemeSet2=J_,t.schemeSet3=tb,t.schemeSpectral=bb,t.schemeTableau10=nb,t.schemeYlGn=Ib,t.schemeYlGnBu=qb,t.schemeYlOrBr=Bb,t.schemeYlOrRd=Lb,t.select=Zn,t.selectAll=function(t){return"string"==typeof t?new Vn([document.querySelectorAll(t)],[document.documentElement]):new Vn([Ht(t)],Gn)},t.selection=Wn,t.selector=jt,t.selectorAll=Gt,t.shuffle=dt,t.shuffler=pt,t.some=function(t,n){if("function"!=typeof n)throw new TypeError("test is not a function");let e=-1;for(const r of t)if(n(r,++e,t))return!0;return!1},t.sort=U,t.stack=function(){var t=gm([]),n=hw,e=lw,r=dw;function i(i){var o,a,u=Array.from(t.apply(this,arguments),pw),c=u.length,f=-1;for(const t of i)for(o=0,++f;o0)for(var e,r,i,o,a,u,c=0,f=t[n[0]].length;c0?(r[0]=o,r[1]=o+=i):i<0?(r[1]=a,r[0]=a+=i):(r[0]=0,r[1]=i)},t.stackOffsetExpand=function(t,n){if((r=t.length)>0){for(var e,r,i,o=0,a=t[0].length;o0){for(var e,r=0,i=t[n[0]],o=i.length;r0&&(r=(e=t[n[0]]).length)>0){for(var e,r,i,o=0,a=1;afunction(t){t=`${t}`;let n=t.length;zp(t,n-1)&&!zp(t,n-2)&&(t=t.slice(0,-1));return"/"===t[0]?t:`/${t}`}(t(n,e,r)))),e=n.map(Pp),i=new Set(n).add("");for(const t of e)i.has(t)||(i.add(t),n.push(t),e.push(Pp(t)),h.push(Np));d=(t,e)=>n[e],p=(t,n)=>e[n]}for(a=0,i=h.length;a=0&&(f=h[t]).data===Np;--t)f.data=null}if(u.parent=Sp,u.eachBefore((function(t){t.depth=t.parent.depth+1,--i})).eachBefore(Kd),u.parent=null,i>0)throw new Error("cycle");return u}return r.id=function(t){return arguments.length?(n=Jd(t),r):n},r.parentId=function(t){return arguments.length?(e=Jd(t),r):e},r.path=function(n){return arguments.length?(t=Jd(n),r):t},r},t.style=_n,t.subset=function(t,n){return _t(n,t)},t.sum=function(t,n){let e=0;if(void 0===n)for(let n of t)(n=+n)&&(e+=n);else{let r=-1;for(let i of t)(i=+n(i,++r,t))&&(e+=i)}return e},t.superset=_t,t.svg=Nc,t.symbol=function(t,n){let e=null,r=Nm(i);function i(){let i;if(e||(e=i=r()),t.apply(this,arguments).draw(e,+n.apply(this,arguments)),i)return e=null,i+""||null}return t="function"==typeof t?t:gm(t||cx),n="function"==typeof n?n:gm(void 0===n?64:+n),i.type=function(n){return arguments.length?(t="function"==typeof n?n:gm(n),i):t},i.size=function(t){return arguments.length?(n="function"==typeof t?t:gm(+t),i):n},i.context=function(t){return arguments.length?(e=null==t?null:t,i):e},i},t.symbolAsterisk=ux,t.symbolCircle=cx,t.symbolCross=fx,t.symbolDiamond=hx,t.symbolDiamond2=dx,t.symbolPlus=px,t.symbolSquare=gx,t.symbolSquare2=yx,t.symbolStar=mx,t.symbolTimes=Cx,t.symbolTriangle=wx,t.symbolTriangle2=Tx,t.symbolWye=kx,t.symbolX=Cx,t.symbols=Px,t.symbolsFill=Px,t.symbolsStroke=zx,t.text=mc,t.thresholdFreedmanDiaconis=function(t,n,e){const r=v(t),i=at(t,.75)-at(t,.25);return r&&i?Math.ceil((e-n)/(2*i*Math.pow(r,-1/3))):1},t.thresholdScott=function(t,n,e){const r=v(t),i=w(t);return r&&i?Math.ceil((e-n)*Math.cbrt(r)/(3.49*i)):1},t.thresholdSturges=K,t.tickFormat=Eg,t.tickIncrement=V,t.tickStep=W,t.ticks=G,t.timeDay=py,t.timeDays=gy,t.timeFormatDefaultLocale=P_,t.timeFormatLocale=hv,t.timeFriday=Sy,t.timeFridays=$y,t.timeHour=sy,t.timeHours=ly,t.timeInterval=Vg,t.timeMillisecond=Wg,t.timeMilliseconds=Zg,t.timeMinute=ay,t.timeMinutes=uy,t.timeMonday=wy,t.timeMondays=ky,t.timeMonth=Zy,t.timeMonths=Ky,t.timeSaturday=Ey,t.timeSaturdays=Dy,t.timeSecond=iy,t.timeSeconds=oy,t.timeSunday=xy,t.timeSundays=Ny,t.timeThursday=Ay,t.timeThursdays=zy,t.timeTickInterval=cv,t.timeTicks=uv,t.timeTuesday=My,t.timeTuesdays=Cy,t.timeWednesday=Ty,t.timeWednesdays=Py,t.timeWeek=xy,t.timeWeeks=Ny,t.timeYear=tv,t.timeYears=nv,t.timeout=$i,t.timer=Ni,t.timerFlush=ki,t.transition=go,t.transpose=gt,t.tree=function(){var t=$p,n=1,e=1,r=null;function i(i){var c=function(t){for(var n,e,r,i,o,a=new Up(t,0),u=[a];n=u.pop();)if(r=n._.children)for(n.children=new Array(o=r.length),i=o-1;i>=0;--i)u.push(e=n.children[i]=new Up(r[i],i)),e.parent=n;return(a.parent=new Up(null,0)).children=[a],a}(i);if(c.eachAfter(o),c.parent.m=-c.z,c.eachBefore(a),r)i.eachBefore(u);else{var f=i,s=i,l=i;i.eachBefore((function(t){t.xs.x&&(s=t),t.depth>l.depth&&(l=t)}));var h=f===s?1:t(f,s)/2,d=h-f.x,p=n/(s.x+h+d),g=e/(l.depth||1);i.eachBefore((function(t){t.x=(t.x+d)*p,t.y=t.depth*g}))}return i}function o(n){var e=n.children,r=n.parent.children,i=n.i?r[n.i-1]:null;if(e){!function(t){for(var n,e=0,r=0,i=t.children,o=i.length;--o>=0;)(n=i[o]).z+=e,n.m+=e,e+=n.s+(r+=n.c)}(n);var o=(e[0].z+e[e.length-1].z)/2;i?(n.z=i.z+t(n._,i._),n.m=n.z-o):n.z=o}else i&&(n.z=i.z+t(n._,i._));n.parent.A=function(n,e,r){if(e){for(var i,o=n,a=n,u=e,c=o.parent.children[0],f=o.m,s=a.m,l=u.m,h=c.m;u=Rp(u),o=Dp(o),u&&o;)c=Dp(c),(a=Rp(a)).a=n,(i=u.z+l-o.z-f+t(u._,o._))>0&&(Fp(qp(u,n,r),n,i),f+=i,s+=i),l+=u.m,f+=o.m,h+=c.m,s+=a.m;u&&!Rp(a)&&(a.t=u,a.m+=l-s),o&&!Dp(c)&&(c.t=o,c.m+=f-h,r=n)}return r}(n,i,n.parent.A||r[0])}function a(t){t._.x=t.z+t.parent.m,t.m+=t.parent.m}function u(t){t.x*=n,t.y=t.depth*e}return i.separation=function(n){return arguments.length?(t=n,i):t},i.size=function(t){return arguments.length?(r=!1,n=+t[0],e=+t[1],i):r?null:[n,e]},i.nodeSize=function(t){return arguments.length?(r=!0,n=+t[0],e=+t[1],i):r?[n,e]:null},i},t.treemap=function(){var t=Yp,n=!1,e=1,r=1,i=[0],o=np,a=np,u=np,c=np,f=np;function s(t){return t.x0=t.y0=0,t.x1=e,t.y1=r,t.eachBefore(l),i=[0],n&&t.eachBefore(Tp),t}function l(n){var e=i[n.depth],r=n.x0+e,s=n.y0+e,l=n.x1-e,h=n.y1-e;l=e-1){var s=u[n];return s.x0=i,s.y0=o,s.x1=a,void(s.y1=c)}var l=f[n],h=r/2+l,d=n+1,p=e-1;for(;d>>1;f[g]c-o){var _=r?(i*v+a*y)/r:a;t(n,d,y,i,o,_,c),t(d,e,v,_,o,a,c)}else{var b=r?(o*v+c*y)/r:c;t(n,d,y,i,o,a,b),t(d,e,v,i,b,a,c)}}(0,c,t.value,n,e,r,i)},t.treemapDice=Ap,t.treemapResquarify=Lp,t.treemapSlice=Ip,t.treemapSliceDice=function(t,n,e,r,i){(1&t.depth?Ip:Ap)(t,n,e,r,i)},t.treemapSquarify=Yp,t.tsv=Mc,t.tsvFormat=lc,t.tsvFormatBody=hc,t.tsvFormatRow=pc,t.tsvFormatRows=dc,t.tsvFormatValue=gc,t.tsvParse=fc,t.tsvParseRows=sc,t.union=function(...t){const n=new InternSet;for(const e of t)for(const t of e)n.add(t);return n},t.unixDay=_y,t.unixDays=by,t.utcDay=yy,t.utcDays=vy,t.utcFriday=By,t.utcFridays=Vy,t.utcHour=hy,t.utcHours=dy,t.utcMillisecond=Wg,t.utcMilliseconds=Zg,t.utcMinute=cy,t.utcMinutes=fy,t.utcMonday=qy,t.utcMondays=jy,t.utcMonth=Qy,t.utcMonths=Jy,t.utcSaturday=Yy,t.utcSaturdays=Wy,t.utcSecond=iy,t.utcSeconds=oy,t.utcSunday=Fy,t.utcSundays=Ly,t.utcThursday=Oy,t.utcThursdays=Gy,t.utcTickInterval=av,t.utcTicks=ov,t.utcTuesday=Uy,t.utcTuesdays=Hy,t.utcWednesday=Iy,t.utcWednesdays=Xy,t.utcWeek=Fy,t.utcWeeks=Ly,t.utcYear=ev,t.utcYears=rv,t.variance=x,t.version="7.8.5",t.window=pn,t.xml=Sc,t.zip=function(){return gt(arguments)},t.zoom=function(){var t,n,e,r=Sw,i=Ew,o=Pw,a=kw,u=Cw,c=[0,1/0],f=[[-1/0,-1/0],[1/0,1/0]],s=250,l=ri,h=$t("start","zoom","end"),d=500,p=150,g=0,y=10;function v(t){t.property("__zoom",Nw).on("wheel.zoom",T,{passive:!1}).on("mousedown.zoom",A).on("dblclick.zoom",S).filter(u).on("touchstart.zoom",E).on("touchmove.zoom",N).on("touchend.zoom touchcancel.zoom",k).style("-webkit-tap-highlight-color","rgba(0,0,0,0)")}function _(t,n){return(n=Math.max(c[0],Math.min(c[1],n)))===t.k?t:new xw(n,t.x,t.y)}function b(t,n,e){var r=n[0]-e[0]*t.k,i=n[1]-e[1]*t.k;return r===t.x&&i===t.y?t:new xw(t.k,r,i)}function m(t){return[(+t[0][0]+ +t[1][0])/2,(+t[0][1]+ +t[1][1])/2]}function x(t,n,e,r){t.on("start.zoom",(function(){w(this,arguments).event(r).start()})).on("interrupt.zoom end.zoom",(function(){w(this,arguments).event(r).end()})).tween("zoom",(function(){var t=this,o=arguments,a=w(t,o).event(r),u=i.apply(t,o),c=null==e?m(u):"function"==typeof e?e.apply(t,o):e,f=Math.max(u[1][0]-u[0][0],u[1][1]-u[0][1]),s=t.__zoom,h="function"==typeof n?n.apply(t,o):n,d=l(s.invert(c).concat(f/s.k),h.invert(c).concat(f/h.k));return function(t){if(1===t)t=h;else{var n=d(t),e=f/n[2];t=new xw(e,c[0]-n[0]*e,c[1]-n[1]*e)}a.zoom(null,t)}}))}function w(t,n,e){return!e&&t.__zooming||new M(t,n)}function M(t,n){this.that=t,this.args=n,this.active=0,this.sourceEvent=null,this.extent=i.apply(t,n),this.taps=0}function T(t,...n){if(r.apply(this,arguments)){var e=w(this,n).event(t),i=this.__zoom,u=Math.max(c[0],Math.min(c[1],i.k*Math.pow(2,a.apply(this,arguments)))),s=ne(t);if(e.wheel)e.mouse[0][0]===s[0]&&e.mouse[0][1]===s[1]||(e.mouse[1]=i.invert(e.mouse[0]=s)),clearTimeout(e.wheel);else{if(i.k===u)return;e.mouse=[s,i.invert(s)],Gi(this),e.start()}Aw(t),e.wheel=setTimeout((function(){e.wheel=null,e.end()}),p),e.zoom("mouse",o(b(_(i,u),e.mouse[0],e.mouse[1]),e.extent,f))}}function A(t,...n){if(!e&&r.apply(this,arguments)){var i=t.currentTarget,a=w(this,n,!0).event(t),u=Zn(t.view).on("mousemove.zoom",(function(t){if(Aw(t),!a.moved){var n=t.clientX-s,e=t.clientY-l;a.moved=n*n+e*e>g}a.event(t).zoom("mouse",o(b(a.that.__zoom,a.mouse[0]=ne(t,i),a.mouse[1]),a.extent,f))}),!0).on("mouseup.zoom",(function(t){u.on("mousemove.zoom mouseup.zoom",null),ue(t.view,a.moved),Aw(t),a.event(t).end()}),!0),c=ne(t,i),s=t.clientX,l=t.clientY;ae(t.view),Tw(t),a.mouse=[c,this.__zoom.invert(c)],Gi(this),a.start()}}function S(t,...n){if(r.apply(this,arguments)){var e=this.__zoom,a=ne(t.changedTouches?t.changedTouches[0]:t,this),u=e.invert(a),c=e.k*(t.shiftKey?.5:2),l=o(b(_(e,c),a,u),i.apply(this,n),f);Aw(t),s>0?Zn(this).transition().duration(s).call(x,l,a,t):Zn(this).call(v.transform,l,a,t)}}function E(e,...i){if(r.apply(this,arguments)){var o,a,u,c,f=e.touches,s=f.length,l=w(this,i,e.changedTouches.length===s).event(e);for(Tw(e),a=0;a>>0==t&&4294967295!=t}function iterateOverSparseArray(t,e,n,r){for(var i,s=getSparseArrayIndexes(t,n,r),a=0,o=s.length;a>=1)&&(t+=t);return n}(i||"0",e-s.replace(/\.\d+/,"").length)+s,(n||t<0)&&(s=(t<0?"-":"+")+s),s}var N=Math.abs,F=(Math.pow,Math.min,Math.max,Math.ceil),R=Math.floor,D=(Math.round,String.fromCharCode);(function privatePropertyAccessor(t){var n="_sugar_"+t;return function(t,e){return 1u.specificity||(u.specificity=t)}(r),(s=e%1)&&(function handleFraction(t,e,n){if(e){var r=h[_(e)],i=E(t.multiplier/r.multiplier*n);u[r.name]=i}}(n,r,s),e=p(e)),"weekday"!==t?(i=r===S&&28=(e||i());case 1:return o<=(e||i())}}()&&function disambiguateHigherUnit(){var t=h[d];c=l,setUnit(t.name,1,t,d)}(),o}},function(t,e,n){"use strict";var r=n(13),a=n(33),o=n(167),u=n(64),c=r.DAY_INDEX;t.exports=function iterateOverDateParams(i,s,t,e){function run(t,e,n){var r=o(i,t);a(r)&&s(t,r,e,n)}u(function(t,e){var n=run(t.name,t,e);return!1!==n&&e===c&&(n=run("weekday",t,e)),n},t,e)}},function(t,e,n){"use strict";var r=n(14),i=n(13),s=n(110),a=n(43),o=n(37),u=i.WEEK_INDEX,c=r.localeManager;t.exports=function moveToEndOfUnit(t,e,n,r){return e===u&&s(t,c.get(n).getFirstDayOfWeek()),o(t,a(e),r,!0)}},function(t,e,n){"use strict";var r=n(14),i=n(13),s=n(43),a=n(67),o=n(37),u=i.WEEK_INDEX,c=r.localeManager;t.exports=function moveToBeginningOfUnit(t,e,n){return e===u&&a(t,c.get(n).getFirstDayOfWeek()),o(t,s(e))}},function(t,e,n){"use strict";var r=n(183),i=n(185),s=r.defineInstance;t.exports=function defineInstanceSimilar(t,e,n,r){s(t,i(e,n),r)}},function(t,e,n){"use strict";var r=n(400);t.exports=function rangeIsValid(t){return r(t.start)&&r(t.end)&&typeof t.start==typeof t.end}},function(t,e,n){"use strict";n.r(e);var a=n(9).root.document;e.default={write:function write(t,e,n){var r="";n&&(r="; expires="+(r=new Date((new Date).getTime()+36e5*n)).toGMTString()),a.cookie=t+"="+escape(e)+r},read:function read(t){var e="",n=t+"=";if(0<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more
':n.text,e.instrHtml=Object(l.defaultsStr)(n.html,null),e.btnText=Object(l.defaultsStr)(n.btn_text,"?"),e.btnHtml=Object(l.defaultsStr)(n.btn_html,null),e.btnCssClass=Object(l.defaultsStr)(n.btn_css_class,"helpBtn"),e.contCssClass=Object(l.defaultsStr)(n.container_css_class,"helpCont"),e.btn=null,e.cont=null,e.contAdjustLeftPosition=Object(l.defaultsNb)(n.container_adjust_left_position,25),e.boundMouseup=null,e.defaultHtml='

TableFilter v'+t.version+'

'+d+"
©2015-"+t.year+' Max Guglielmi
',e.toolbarPosition=Object(l.defaultsStr)(n.toolbar_position,f.RIGHT),e.emitter.on(["init-help"],function(){return e.init()}),e}return function _createClass(t,e,n){return e&&_defineProperties(t.prototype,e),n&&_defineProperties(t,n),t}(Help,[{key:"onMouseup",value:function onMouseup(t){for(var e=Object(u.targetEvt)(t);e&&e!==this.cont&&e!==this.btn;)e=e.parentNode;e!==this.cont&&e!==this.btn&&this.toggle()}},{key:"init",value:function init(){var t=this;if(!this.initialized){this.emitter.emit("initializing-feature",this,!Object(c.isNull)(this.tgtId));var e=this.tf,n=Object(o.createElm)("span"),r=Object(o.createElm)("div");this.boundMouseup=this.onMouseup.bind(this),(this.tgtId?Object(o.elm)(this.tgtId):e.feature("toolbar").container(this.toolbarPosition)).appendChild(n);var i=this.contTgtId?Object(o.elm)(this.contTgtId):n;if(this.btnHtml){n.innerHTML=this.btnHtml;var s=n.firstChild;Object(u.addEvt)(s,"click",function(){return t.toggle()}),i.appendChild(r)}else{i.appendChild(r);var a=Object(o.createElm)("a",["href","javascript:void(0);"]);a.className=this.btnCssClass,a.appendChild(Object(o.createText)(this.btnText)),n.appendChild(a),Object(u.addEvt)(a,"click",function(){return t.toggle()})}this.instrHtml?(this.contTgtId&&i.appendChild(r),r.innerHTML=this.instrHtml,this.contTgtId||(r.className=this.contCssClass)):(r.innerHTML=this.instrText,r.className=this.contCssClass),r.innerHTML+=this.defaultHtml,Object(u.addEvt)(r,"click",function(){return t.toggle()}),this.cont=r,this.btn=n,this.initialized=!0,this.emitter.emit("feature-initialized",this)}}},{key:"toggle",value:function toggle(){if(this.isEnabled()){Object(u.removeEvt)(a.root,"mouseup",this.boundMouseup);var t=this.cont.style.display;""===t||t===s.NONE?(this.cont.style.display="inline",0'),e.placeholderCssClass=Object(l.defaultsStr)(n.placeholder_css_class,"popUpPlaceholder"),e.containerCssClass=Object(l.defaultsStr)(n.div_css_class,"popUpFilter"),e.adjustToContainer=Object(l.defaultsBool)(n.adjust_to_container,!0),e.onBeforeOpen=Object(l.defaultsFn)(n.on_before_popup_filter_open,s.EMPTY_FN),e.onAfterOpen=Object(l.defaultsFn)(n.on_after_popup_filter_open,s.EMPTY_FN),e.onBeforeClose=Object(l.defaultsFn)(n.on_before_popup_filter_close,s.EMPTY_FN),e.onAfterClose=Object(l.defaultsFn)(n.on_after_popup_filter_close,s.EMPTY_FN),e.fltSpans=[],e.fltIcons=[],e.filtersCache=null,e.fltElms=Object(l.defaultsArr)(e.filtersCache,[]),e.prfxDiv="popup_",e.activeFilterIdx=-1,e}return function _createClass(t,e,n){return e&&_defineProperties(t.prototype,e),n&&_defineProperties(t,n),t}(PopupFilter,[{key:"onClick",value:function onClick(t){var e=Object(u.targetEvt)(t).parentNode,n=parseInt(e.getAttribute("ci"),10);if(this.closeAll(n),this.toggle(n),this.adjustToContainer){var r=this.fltElms[n],i=.95*this.tf.getHeaderElement(n).clientWidth;r.style.width=parseInt(i,10)+"px"}Object(u.cancelEvt)(t),Object(u.stopEvt)(t)}},{key:"onMouseup",value:function onMouseup(t){if(-1!==this.activeFilterIdx){var e=Object(u.targetEvt)(t),n=this.fltElms[this.activeFilterIdx];if(this.fltIcons[this.activeFilterIdx]!==e){for(;e&&e!==n;)e=e.parentNode;e!==n&&this.close(this.activeFilterIdx)}}}},{key:"init",value:function init(){var n=this;if(!this.initialized){var t=this.tf;t.externalFltIds=[""],t.filtersRowIndex=0,t.headersRow<=1&&isNaN(t.config().headers_row_index)&&(t.headersRow=0),t.gridLayout&&(t.headersRow--,this.buildIcons()),this.emitter.on(["before-filtering"],function(){return n.setIconsState()}),this.emitter.on(["after-filtering"],function(){return n.closeAll()}),this.emitter.on(["cell-processed"],function(t,e){return n.changeState(e,!0)}),this.emitter.on(["filters-row-inserted"],function(){return n.buildIcons()}),this.emitter.on(["before-filter-init"],function(t,e){return n.build(e)}),this.initialized=!0}}},{key:"reset",value:function reset(){this.enable(),this.init(),this.buildIcons(),this.buildAll()}},{key:"buildIcons",value:function buildIcons(){var n=this,r=this.tf;r.headersRow++,r.eachCol(function(t){var e=Object(o.createElm)("span",["ci",t]);e.innerHTML=n.iconHtml,r.getHeaderElement(t).appendChild(e),Object(u.addEvt)(e,"click",function(t){return n.onClick(t)}),n.fltSpans[t]=e,n.fltIcons[t]=e.firstChild},function(t){return r.getFilterType(t)===a.NONE})}},{key:"buildAll",value:function buildAll(){for(var t=0;t'),e.toolbarPosition=Object(o.defaultsStr)(n.toolbar_position,c.RIGHT),e.container=null,e.element=null,e}return function _createClass(t,e,n){return e&&_defineProperties(t.prototype,e),n&&_defineProperties(t,n),t}(ClearButton,[{key:"onClick",value:function onClick(){this.isEnabled()&&this.tf.clearFilters()}},{key:"init",value:function init(){var t=this,e=this.tf;if(!this.initialized){this.emitter.emit("initializing-feature",this,!Object(u.isNull)(this.targetId));var n=Object(s.createElm)("span");if((this.targetId?Object(s.elm)(this.targetId):e.feature("toolbar").container(this.toolbarPosition)).appendChild(n),this.html){n.innerHTML=this.html;var r=n.firstChild;Object(a.addEvt)(r,"click",function(){return t.onClick()})}else{var i=Object(s.createElm)("a",["href","javascript:void(0);"]);i.className=this.cssClass,i.appendChild(Object(s.createText)(this.text)),n.appendChild(i),Object(a.addEvt)(i,"click",function(){return t.onClick()})}this.element=n.firstChild,this.container=n,this.initialized=!0,this.emitter.emit("feature-initialized",this)}}},{key:"destroy",value:function destroy(){this.initialized&&(Object(s.removeElm)(this.element),Object(s.removeElm)(this.container),this.element=null,this.container=null,this.initialized=!1)}}]),ClearButton}();r.meta={altName:"btnReset"}},function(t,e,n){"use strict";n.r(e),n.d(e,"AlternateRows",function(){return r});var i=n(10),s=n(2),a=n(1),o=n(5);function _typeof(t){return(_typeof="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function _typeof(t){return typeof t}:function _typeof(t){return t&&"function"==typeof Symbol&&t.constructor===Symbol&&t!==Symbol.prototype?"symbol":typeof t})(t)}function _defineProperties(t,e){for(var n=0;n"),t.btnPrevPageText=Object(o.defaultsStr)(n.btn_prev_page_text,"<"),t.btnLastPageText=Object(o.defaultsStr)(n.btn_last_page_text,">|"),t.btnFirstPageText=Object(o.defaultsStr)(n.btn_first_page_text,"|<"),t.btnNextPageHtml=Object(o.defaultsStr)(n.btn_next_page_html,e.enableIcons?'':null),t.btnPrevPageHtml=Object(o.defaultsStr)(n.btn_prev_page_html,e.enableIcons?'':null),t.btnFirstPageHtml=Object(o.defaultsStr)(n.btn_first_page_html,e.enableIcons?'':null),t.btnLastPageHtml=Object(o.defaultsStr)(n.btn_last_page_html,e.enableIcons?'':null),t.pageText=Object(o.defaultsStr)(n.page_text," Page "),t.ofText=Object(o.defaultsStr)(n.of_text," of "),t.nbPgSpanCssClass=Object(o.defaultsStr)(n.nb_pages_css_class,"nbpg"),t.hasBtns=Object(o.defaultsBool)(n.btns,!0),t.pageSelectorType=Object(o.defaultsStr)(n.page_selector_type,v.SELECT),t.toolbarPosition=Object(o.defaultsStr)(n.toolbar_position,f.CENTER),t.onBeforeChangePage=Object(o.defaultsFn)(n.on_before_change_page,g.EMPTY_FN),t.onAfterChangePage=Object(o.defaultsFn)(n.on_after_change_page,g.EMPTY_FN),t.slcResultsTxt=null,t.btnNextCont=null,t.btnPrevCont=null,t.btnLastCont=null,t.btnFirstCont=null,t.pgCont=null,t.pgBefore=null,t.pgAfter=null;var r=e.refRow,i=e.getRowsNb(!0);t.nbPages=Math.ceil((i-r)/t.pageLength);var s=_assertThisInitialized(t);return t.evt={slcIndex:function slcIndex(){return s.pageSelectorType===v.SELECT?s.pageSlc.options.selectedIndex:parseInt(s.pageSlc.value,10)-1},nbOpts:function nbOpts(){return s.pageSelectorType===v.SELECT?parseInt(s.pageSlc.options.length,10)-1:s.nbPages-1},next:function next(){var t=s.evt.slcIndex()=t.nbFilterableRows&&(this.startPagingRow=t.nbFilterableRows-this.pageLength),this.setPagingInfo(),n===v.SELECT)){var o=r.options.length-1<=a?r.options.length-1:a;r.options[o].selected=!0}i.emit("after-page-length-change",t,this.pageLength)}}},{key:"resetPage",value:function resetPage(){var t=this.tf;if(this.isEnabled()){this.emitter.emit("before-reset-page",t);var e=t.feature("store").getPageNb();""!==e&&this.changePage(e-1),this.emitter.emit("after-reset-page",t,e)}}},{key:"resetPageLength",value:function resetPageLength(){var t=this.tf;if(this.isEnabled()){this.emitter.emit("before-reset-page-length",t);var e=t.feature("store").getPageLength();""!==e&&(this.pageLengthSlc.options[e].selected=!0,this.changeResultsPerPage()),this.emitter.emit("after-reset-page-length",t,e)}}},{key:"changePageHandler",value:function changePageHandler(t,e){this.setPage(e)}},{key:"changePageResultsHandler",value:function changePageResultsHandler(t,e){this.changeResultsPerPage(e)}},{key:"destroy",value:function destroy(){if(this.initialized){var t=this.evt;this.pageSlc&&(this.pageSelectorType===v.SELECT?Object(b.removeEvt)(this.pageSlc,"change",t.slcPagesChange):this.pageSelectorType===v.INPUT&&Object(b.removeEvt)(this.pageSlc,"keypress",t._detectKey),Object(y.removeElm)(this.pageSlc)),this.btnNextCont&&(Object(b.removeEvt)(this.btnNextCont,"click",t.next),Object(y.removeElm)(this.btnNextCont),this.btnNextCont=null),this.btnPrevCont&&(Object(b.removeEvt)(this.btnPrevCont,"click",t.prev),Object(y.removeElm)(this.btnPrevCont),this.btnPrevCont=null),this.btnLastCont&&(Object(b.removeEvt)(this.btnLastCont,"click",t.last),Object(y.removeElm)(this.btnLastCont),this.btnLastCont=null),this.btnFirstCont&&(Object(b.removeEvt)(this.btnFirstCont,"click",t.first),Object(y.removeElm)(this.btnFirstCont),this.btnFirstCont=null),this.pgBefore&&(Object(y.removeElm)(this.pgBefore),this.pgBefore=null),this.pgAfter&&(Object(y.removeElm)(this.pgAfter),this.pgAfter=null),this.pgCont&&(Object(y.removeElm)(this.pgCont),this.pgCont=null),this.hasResultsPerPage&&this.removeResultsPerPage(),this.emitter.off(["after-filtering"],Object(b.bound)(this.resetPagingInfo,this)),this.emitter.off(["change-page"],Object(b.bound)(this.changePageHandler,this)),this.emitter.off(["change-page-results"],Object(b.bound)(this.changePageResultsHandler,this)),this.pageSlc=null,this.nbPages=0,this.initialized=!1}}}]),Paging}()},function(t,e){e.remove=function removeDiacritics(t){return t.replace(/[^\u0000-\u007e]/g,function(t){return r[t]||t})};for(var n=[{base:" ",chars:" "},{base:"0",chars:"߀"},{base:"A",chars:"ⒶAÀÁÂẦẤẪẨÃĀĂẰẮẴẲȦǠÄǞẢÅǺǍȀȂẠẬẶḀĄȺⱯ"},{base:"AA",chars:"Ꜳ"},{base:"AE",chars:"ÆǼǢ"},{base:"AO",chars:"Ꜵ"},{base:"AU",chars:"Ꜷ"},{base:"AV",chars:"ꜸꜺ"},{base:"AY",chars:"Ꜽ"},{base:"B",chars:"ⒷBḂḄḆɃƁ"},{base:"C",chars:"ⒸCꜾḈĆCĈĊČÇƇȻ"},{base:"D",chars:"ⒹDḊĎḌḐḒḎĐƊƉᴅꝹ"},{base:"Dh",chars:"Ð"},{base:"DZ",chars:"DZDŽ"},{base:"Dz",chars:"DzDž"},{base:"E",chars:"ɛⒺEÈÉÊỀẾỄỂẼĒḔḖĔĖËẺĚȄȆẸỆȨḜĘḘḚƐƎᴇ"},{base:"F",chars:"ꝼⒻFḞƑꝻ"},{base:"G",chars:"ⒼGǴĜḠĞĠǦĢǤƓꞠꝽꝾɢ"},{base:"H",chars:"ⒽHĤḢḦȞḤḨḪĦⱧⱵꞍ"},{base:"I",chars:"ⒾIÌÍÎĨĪĬİÏḮỈǏȈȊỊĮḬƗ"},{base:"J",chars:"ⒿJĴɈȷ"},{base:"K",chars:"ⓀKḰǨḲĶḴƘⱩꝀꝂꝄꞢ"},{base:"L",chars:"ⓁLĿĹĽḶḸĻḼḺŁȽⱢⱠꝈꝆꞀ"},{base:"LJ",chars:"LJ"},{base:"Lj",chars:"Lj"},{base:"M",chars:"ⓂMḾṀṂⱮƜϻ"},{base:"N",chars:"ꞤȠⓃNǸŃÑṄŇṆŅṊṈƝꞐᴎ"},{base:"NJ",chars:"NJ"},{base:"Nj",chars:"Nj"},{base:"O",chars:"ⓄOÒÓÔỒỐỖỔÕṌȬṎŌṐṒŎȮȰÖȪỎŐǑȌȎƠỜỚỠỞỢỌỘǪǬØǾƆƟꝊꝌ"},{base:"OE",chars:"Œ"},{base:"OI",chars:"Ƣ"},{base:"OO",chars:"Ꝏ"},{base:"OU",chars:"Ȣ"},{base:"P",chars:"ⓅPṔṖƤⱣꝐꝒꝔ"},{base:"Q",chars:"ⓆQꝖꝘɊ"},{base:"R",chars:"ⓇRŔṘŘȐȒṚṜŖṞɌⱤꝚꞦꞂ"},{base:"S",chars:"ⓈSẞŚṤŜṠŠṦṢṨȘŞⱾꞨꞄ"},{base:"T",chars:"ⓉTṪŤṬȚŢṰṮŦƬƮȾꞆ"},{base:"Th",chars:"Þ"},{base:"TZ",chars:"Ꜩ"},{base:"U",chars:"ⓊUÙÚÛŨṸŪṺŬÜǛǗǕǙỦŮŰǓȔȖƯỪỨỮỬỰỤṲŲṶṴɄ"},{base:"V",chars:"ⓋVṼṾƲꝞɅ"},{base:"VY",chars:"Ꝡ"},{base:"W",chars:"ⓌWẀẂŴẆẄẈⱲ"},{base:"X",chars:"ⓍXẊẌ"},{base:"Y",chars:"ⓎYỲÝŶỸȲẎŸỶỴƳɎỾ"},{base:"Z",chars:"ⓏZŹẐŻŽẒẔƵȤⱿⱫꝢ"},{base:"a",chars:"ⓐaẚàáâầấẫẩãāăằắẵẳȧǡäǟảåǻǎȁȃạậặḁąⱥɐɑ"},{base:"aa",chars:"ꜳ"},{base:"ae",chars:"æǽǣ"},{base:"ao",chars:"ꜵ"},{base:"au",chars:"ꜷ"},{base:"av",chars:"ꜹꜻ"},{base:"ay",chars:"ꜽ"},{base:"b",chars:"ⓑbḃḅḇƀƃɓƂ"},{base:"c",chars:"cⓒćĉċčçḉƈȼꜿↄ"},{base:"d",chars:"ⓓdḋďḍḑḓḏđƌɖɗƋᏧԁꞪ"},{base:"dh",chars:"ð"},{base:"dz",chars:"dzdž"},{base:"e",chars:"ⓔeèéêềếễểẽēḕḗĕėëẻěȅȇẹệȩḝęḙḛɇǝ"},{base:"f",chars:"ⓕfḟƒ"},{base:"ff",chars:"ff"},{base:"fi",chars:"fi"},{base:"fl",chars:"fl"},{base:"ffi",chars:"ffi"},{base:"ffl",chars:"ffl"},{base:"g",chars:"ⓖgǵĝḡğġǧģǥɠꞡꝿᵹ"},{base:"h",chars:"ⓗhĥḣḧȟḥḩḫẖħⱨⱶɥ"},{base:"hv",chars:"ƕ"},{base:"i",chars:"ⓘiìíîĩīĭïḯỉǐȉȋịįḭɨı"},{base:"j",chars:"ⓙjĵǰɉ"},{base:"k",chars:"ⓚkḱǩḳķḵƙⱪꝁꝃꝅꞣ"},{base:"l",chars:"ⓛlŀĺľḷḹļḽḻſłƚɫⱡꝉꞁꝇɭ"},{base:"lj",chars:"lj"},{base:"m",chars:"ⓜmḿṁṃɱɯ"},{base:"n",chars:"ⓝnǹńñṅňṇņṋṉƞɲʼnꞑꞥлԉ"},{base:"nj",chars:"nj"},{base:"o",chars:"ⓞoòóôồốỗổõṍȭṏōṑṓŏȯȱöȫỏőǒȍȏơờớỡởợọộǫǭøǿꝋꝍɵɔᴑ"},{base:"oe",chars:"œ"},{base:"oi",chars:"ƣ"},{base:"oo",chars:"ꝏ"},{base:"ou",chars:"ȣ"},{base:"p",chars:"ⓟpṕṗƥᵽꝑꝓꝕρ"},{base:"q",chars:"ⓠqɋꝗꝙ"},{base:"r",chars:"ⓡrŕṙřȑȓṛṝŗṟɍɽꝛꞧꞃ"},{base:"s",chars:"ⓢsśṥŝṡšṧṣṩșşȿꞩꞅẛʂ"},{base:"ss",chars:"ß"},{base:"t",chars:"ⓣtṫẗťṭțţṱṯŧƭʈⱦꞇ"},{base:"th",chars:"þ"},{base:"tz",chars:"ꜩ"},{base:"u",chars:"ⓤuùúûũṹūṻŭüǜǘǖǚủůűǔȕȗưừứữửựụṳųṷṵʉ"},{base:"v",chars:"ⓥvṽṿʋꝟʌ"},{base:"vy",chars:"ꝡ"},{base:"w",chars:"ⓦwẁẃŵẇẅẘẉⱳ"},{base:"x",chars:"ⓧxẋẍ"},{base:"y",chars:"ⓨyỳýŷỹȳẏÿỷẙỵƴɏỿ"},{base:"z",chars:"ⓩzźẑżžẓẕƶȥɀⱬꝣ"}],r={},i=0;io().getTime();case"past"===e:return t.getTime()"),this.lwOperator=Object(a.defaultsStr)(s.lower_operator,"<"),this.leOperator=Object(a.defaultsStr)(s.lower_equal_operator,"<="),this.geOperator=Object(a.defaultsStr)(s.greater_equal_operator,">="),this.dfOperator=Object(a.defaultsStr)(s.different_operator,"!"),this.lkOperator=Object(a.defaultsStr)(s.like_operator,"*"),this.eqOperator=Object(a.defaultsStr)(s.equal_operator,"="),this.stOperator=Object(a.defaultsStr)(s.start_with_operator,"{"),this.enOperator=Object(a.defaultsStr)(s.end_with_operator,"}"),this.separator=Object(a.defaultsStr)(s.separator,","),this.rowsCounter=Object(K.isObj)(s.rows_counter)||Boolean(s.rows_counter),this.statusBar=Object(K.isObj)(s.status_bar)||Boolean(s.status_bar),this.loader=Object(K.isObj)(s.loader)||Boolean(s.loader),this.displayBtn=Boolean(s.btn),this.btnText=Object(a.defaultsStr)(s.btn_text,this.enableIcons?"":"Go"),this.btnCssClass=Object(a.defaultsStr)(s.btn_css_class,this.enableIcons?"btnflt_icon":"btnflt"),this.btnReset=Object(K.isObj)(s.btn_reset)||Boolean(s.btn_reset),this.onBeforeReset=Object(a.defaultsFn)(s.on_before_reset,K.EMPTY_FN),this.onAfterReset=Object(a.defaultsFn)(s.on_after_reset,K.EMPTY_FN),this.paging=Object(K.isObj)(s.paging)||Boolean(s.paging),this.nbHiddenRows=0,this.autoFilter=Object(K.isObj)(s.auto_filter)||Boolean(s.auto_filter),this.autoFilterDelay=Object(K.isObj)(s.auto_filter)&&Object(K.isNumber)(s.auto_filter.delay)?s.auto_filter.delay:q.AUTO_FILTER_DELAY,this.isUserTyping=null,this.autoFilterTimer=null,this.highlightKeywords=Boolean(s.highlight_keywords),this.noResults=Object(K.isObj)(s.no_results_message)||Boolean(s.no_results_message),this.state=Object(K.isObj)(s.state)||Boolean(s.state),this.dateType=!0,this.locale=Object(a.defaultsStr)(s.locale,"en"),this.thousandsSeparator=Object(a.defaultsStr)(s.thousands_separator,","),this.decimalSeparator=Object(a.defaultsStr)(s.decimal_separator,"."),this.colTypes=Object(K.isArray)(s.col_types)?s.col_types:[],this.prfxTf="TF",this.prfxFlt="flt",this.prfxValButton="btn",this.prfxResponsive="resp",this.stickyCssClass="sticky",this.extensions=Object(a.defaultsArr)(s.extensions,[]),this.enableDefaultTheme=Boolean(s.enable_default_theme),this.hasThemes=this.enableDefaultTheme||Object(K.isArray)(s.themes),this.themes=Object(a.defaultsArr)(s.themes,[]),this.themesPath=this.getThemesPath(),this.responsive=Boolean(s.responsive),this.toolbar=Object(K.isObj)(s.toolbar)||Boolean(s.toolbar),this.stickyHeaders=Boolean(s.sticky_headers),this.Mod={},this.ExtRegistry={},this.instantiateFeatures(P)}return function _createClass(t,e,n){return e&&_defineProperties(t.prototype,e),n&&_defineProperties(t,n),t}(TableFilter,[{key:"init",value:function init(){var n=this;if(!this.initialized){this.import(this.stylesheetId,this.getStylesheetPath(),null,"link");var t,e=this.Mod;if(this.loadThemes(),this.initFeatures([d.DateType,h.Help,p.State,v.MarkActiveColumns,m.GridLayout,y.Loader,g.HighlightKeyword,b.PopupFilter]),this.fltGrid){var r=this._insertFiltersRow();this.nbCells=this.getCellsNb(this.refRow),this.nbFilterableRows=this.getRowsNb();for(var i=this.singleFlt?1:this.nbCells,s=0;s=Object(G.parse)(t.replace(o,""),s);else if(v)b=rObject(G.parse)(t.replace(c,""),s);else if(w)b=!Object(Y.contains)(t.replace(l,""),e,!1,this.caseSensitive);else if(k)b=Object(Y.contains)(t.replace(f,""),e,!1,this.caseSensitive);else if(x)b=Object(Y.contains)(t.replace(d,""),e,!0,this.caseSensitive);else if(j)b=0===e.indexOf(t.replace(h,""));else if(S){var V=t.replace(p,"");b=e.lastIndexOf(V,e.length-1)===e.length-1-(V.length-1)&&-1 tr").length:e:t?e:e-this.refRow}},{key:"getWorkingRows",value:function getWorkingRows(){return S.querySelectorAll("table#".concat(this.id," > tbody > tr"))}},{key:"getCellValue",value:function getCellValue(t){var e=t.cellIndex,n=this.cellParser;return-1!==n.cols.indexOf(e)?n.parse(this,t,e):Object(l.getText)(t)}},{key:"getCellData",value:function getCellData(t){var e=t.cellIndex,n=this.getCellValue(t);if(this.hasType(e,[q.FORMATTED_NUMBER]))return Object(G.parse)(n,this.getDecimal(e));if(this.hasType(e,[q.NUMBER]))return Number(n);if(this.hasType(e,[q.DATE])){var r=this.Mod.dateType;return r.parse(n,r.getLocale(e))}return n}},{key:"getData",value:function getData(t,e){var n=0=a[1]&&n<=(a[2]||a[1])})),n=C(r))),n?(n=s?v(n):(u.push(o),"("+n+")"),e&&(n=k(o,n,e)),i&&(n+="?"),n):"")}function formatToSrc(t){return t=(t=t.replace(/ /g," ?")).replace(/\{([^,]+?)\}/g,function(t,e){var n=e.split("|");return 1>>0==t&&4294967295!=t}},function(t,e,n){"use strict";var r=n(51).HALF_WIDTH_COMMA;t.exports=function commaSplit(t){return t.split(r)}},function(t,e,n){"use strict";t.exports="Boolean Number String Date RegExp Function Array Error Set Map"},function(t,e,n){"use strict";var r=n(98),i=n(63),s=n(144),a=n(145);t.exports=function isPlainObject(t,e){return i(t)&&r(t,"Object",e)&&a(t)&&s(t)}},function(t,e,n){"use strict";var i=n(16).hasOwn;t.exports=function hasOwnEnumeratedProperties(t){var e=Object.prototype;for(var n in t){var r=t[n];if(!i(t,n)&&r!==e[n])return!1}return!0}},function(t,e,n){"use strict";var r=n(16).hasOwn;t.exports=function hasValidPlainObjectPrototype(t){var e="constructor"in t;return!e&&!("toString"in t)||e&&!r(t,"constructor")&&r(t.constructor.prototype,"isPrototypeOf")}},function(t,e,n){"use strict";t.exports=function getOrdinalSuffix(t){if(11<=t&&t<=13)return"th";switch(t%10){case 1:return"st";case 2:return"nd";case 3:return"rd";default:return"th"}}},function(t,e,n){"use strict";t.exports=function getArrayWithOffset(t,e,n,r){var i;return 1>=1)&&(t+=t);return n}},function(t,e,n){"use strict";var r=n(14),c=n(35),l=n(36),f=n(71),d=r.localeManager;t.exports=function getWeekYear(t,e,n){var r,i,s,a,o,u;return r=c(t),0!==(i=l(t))&&11!==i||(n||(s=(u=d.get(e)).getFirstDayOfWeek(e),a=u.getFirstDayOfWeekYear(e)),o=f(t,!1,s,a),0===i&&0===o?r-=1:11===i&&1===o&&(r+=1)),r}},function(t,e,n){"use strict";var r=n(34),i=n(13),s=n(69),a=i.DAY_INDEX;t.exports=function getDaysSince(t,e){return s(t,e,r[a])}},function(t,e,n){"use strict";var r=n(14),i=n(26),s=n(116),a=r.localeManager;t.exports=function getMeridiemToken(t,e){var n=s(t);return a.get(e).ampm[i(n/12)]||""}},function(t,e,n){"use strict";var r=n(303),i=n(51),s=n(304),o=i.OPEN_BRACE,u=i.CLOSE_BRACE;t.exports=function createFormatMatcher(c,l,f){var i=r,a=s(function compile(t){var e,n=[],r=0;i.lastIndex=0;for(;e=i.exec(t);)getSubstring(n,t,r,e.index),getToken(n,e),r=i.lastIndex;return getSubstring(n,t,r,t.length),n});function getToken(t,e){var n,r,i,s,a=e[2],o=e[3],u=e[5];e[4]&&l?(r=u,n=l):a?(r=a,n=c):i=o&&l?o:e[1]||e[0],n&&(function assertPassesPrecheck(t,e,n){if(t&&!t(e,n))throw new TypeError("Invalid token "+(e||n)+" in format string")}(f,a,u),s=function(t,e){return n(t,r,e)}),t.push(s||function getLiteral(t){return function(){return t}}(i))}function getSubstring(t,e,n,r){if(ni(e).getTime()-(n||0)}}),t.exports=r.Date.isAfter},function(t,e,n){"use strict";var r=n(0),i=n(27);r.Date.defineInstance({isBefore:function(t,e,n){return t.getTime()=this.start&&t.start<=this.end&&t.end>=this.start&&t.end<=this.end:t>=this.start&&t<=this.end)}})},function(t,e,n){"use strict";n(30)},function(t,e,n){"use strict";var a=n(125),r=n(72),i=n(19),o=n(26),u=n(32),c=n(73),l=n(68),f=n(21);t.exports=function buildDateRangeUnits(){var s={};u(r.split("|"),function(t,e){var n,r,i=t+"s";r=e<4?function(){return c(this,t,!0)}:(n=a[l(i)],function(){return o((this.end-this.start)/n)}),s[i]=r}),f(i,s)}},function(t,e,n){"use strict";var r=n(401),i=n(122);t.exports=function isValidRangeMember(t){var e=i(t);return(!!e||0===e)&&r(t)}},function(t,e,n){"use strict";t.exports=function valueIsNotInfinite(t){return t!==-1/0&&t!==1/0}},function(t,e,n){"use strict";var r=n(102);t.exports=function incrementNumber(t,e,n){return r(t+e,n)}},function(t,e,n){"use strict";var r=n(101);t.exports=function incrementString(t,e){return r(t.charCodeAt(0)+e)}},function(t,e,n){"use strict";var r=n(15),i=n(405),s=r.max;t.exports=function getGreaterPrecision(t,e){return s(i(t),i(e))}},function(t,e,n){"use strict";var r=n(406);t.exports=function getPrecision(t){var e=r(t.toString());return e[1]?e[1].length:0}},function(t,e,n){"use strict";var r=n(51).HALF_WIDTH_PERIOD;t.exports=function periodSplit(t){return t.split(r)}},function(t,e,n){"use strict";var r=n(19),i=n(73);n(21)(r,{every:function(t,e){return i(this,t,!1,e)}})},function(t,e,n){"use strict";n(30)},function(t,e,n){"use strict";var r=n(19);n(21)(r,{intersect:function(t){return t.start>this.end||t.endt.start?this.start:t.start,this.endt.end?this.end:t.end)}})},function(t,e,n){"use strict";n(30)},function(t,e,n){"use strict";n(30)},function(t,e,n){"use strict";n(423),n(424),n(425),n(426),n(427),n(428),n(429),n(430),n(431),n(432),n(433),n(434),n(435),n(436),n(437),n(438),n(439),t.exports=n(0)},function(t,e,n){"use strict";n(11)("ca",{plural:!0,units:"milisegon:|s,segon:|s,minut:|s,hor:a|es,di:a|es,setman:a|es,mes:|os,any:|s",months:"gen:er|,febr:er|,mar:ç|,abr:il|,mai:g|,jun:y|,jul:iol|,ag:ost|,set:embre|,oct:ubre|,nov:embre|,des:embre|",weekdays:"diumenge|dg,dilluns|dl,dimarts|dt,dimecres|dc,dijous|dj,divendres|dv,dissabte|ds",numerals:"zero,un,dos,tres,quatre,cinc,sis,set,vuit,nou,deu",tokens:"el,la,de",short:"{dd}/{MM}/{yyyy}",medium:"{d} {month} {yyyy}",long:"{d} {month} {yyyy} {time}",full:"{weekday} {d} {month} {yyyy} {time}",stamp:"{dow} {d} {mon} {yyyy} {time}",time:"{H}:{mm}",past:"{sign} {num} {unit}",future:"{sign} {num} {unit}",duration:"{num} {unit}",timeMarkers:"a las",ampm:"am,pm",modifiers:[{name:"day",src:"abans d'ahir",value:-2},{name:"day",src:"ahir",value:-1},{name:"day",src:"avui",value:0},{name:"day",src:"demà|dema",value:1},{name:"sign",src:"fa",value:-1},{name:"sign",src:"en",value:1},{name:"shift",src:"passat",value:-1},{name:"shift",src:"el proper|la propera",value:1}],parse:["{sign} {num} {unit}","{num} {unit} {sign}","{0?}{1?} {unit:5-7} {shift}","{0?}{1?} {shift} {unit:5-7}"],timeParse:["{shift} {weekday}","{weekday} {shift}","{date?} {2?} {months}\\.? {2?} {year?}"]})},function(t,e,n){"use strict";n(11)("da",{plural:!0,units:"millisekund:|er,sekund:|er,minut:|ter,tim:e|er,dag:|e,ug:e|er|en,måned:|er|en+maaned:|er|en,år:||et+aar:||et",months:"jan:uar|,feb:ruar|,mar:ts|,apr:il|,maj,jun:i|,jul:i|,aug:ust|,sep:tember|,okt:ober|,nov:ember|,dec:ember|",weekdays:"søn:dag|+son:dag|,man:dag|,tir:sdag|,ons:dag|,tor:sdag|,fre:dag|,lør:dag|+lor:dag|",numerals:"nul,en|et,to,tre,fire,fem,seks,syv,otte,ni,ti",tokens:"den,for",articles:"den",short:"{dd}-{MM}-{yyyy}",medium:"{d}. {month} {yyyy}",long:"{d}. {month} {yyyy} {time}",full:"{weekday} d. {d}. {month} {yyyy} {time}",stamp:"{dow} {d} {mon} {yyyy} {time}",time:"{H}:{mm}",past:"{num} {unit} {sign}",future:"{sign} {num} {unit}",duration:"{num} {unit}",ampm:"am,pm",modifiers:[{name:"day",src:"forgårs|i forgårs|forgaars|i forgaars",value:-2},{name:"day",src:"i går|igår|i gaar|igaar",value:-1},{name:"day",src:"i dag|idag",value:0},{name:"day",src:"i morgen|imorgen",value:1},{name:"day",src:"over morgon|overmorgen|i over morgen|i overmorgen|iovermorgen",value:2},{name:"sign",src:"siden",value:-1},{name:"sign",src:"om",value:1},{name:"shift",src:"i sidste|sidste",value:-1},{name:"shift",src:"denne",value:0},{name:"shift",src:"næste|naeste",value:1}],parse:["{months} {year?}","{num} {unit} {sign}","{sign} {num} {unit}","{1?} {num} {unit} {sign}","{shift} {unit:5-7}"],timeParse:["{day|weekday}","{date} {months?}\\.? {year?}"],timeFrontParse:["{shift} {weekday}","{0?} {weekday?},? {date}\\.? {months?}\\.? {year?}"]})},function(t,e,n){"use strict";n(11)("de",{plural:!0,units:"Millisekunde:|n,Sekunde:|n,Minute:|n,Stunde:|n,Tag:|en,Woche:|n,Monat:|en,Jahr:|en|e",months:"Jan:uar|,Feb:ruar|,M:är|ärz|ar|arz,Apr:il|,Mai,Juni,Juli,Aug:ust|,Sept:ember|,Okt:ober|,Nov:ember|,Dez:ember|",weekdays:"So:nntag|,Mo:ntag|,Di:enstag|,Mi:ttwoch|,Do:nnerstag|,Fr:eitag|,Sa:mstag|",numerals:"null,ein:|e|er|en|em,zwei,drei,vier,fuenf,sechs,sieben,acht,neun,zehn",tokens:"der",short:"{dd}.{MM}.{yyyy}",medium:"{d}. {Month} {yyyy}",long:"{d}. {Month} {yyyy} {time}",full:"{Weekday}, {d}. {Month} {yyyy} {time}",stamp:"{Dow} {d} {Mon} {yyyy} {time}",time:"{H}:{mm}",past:"{sign} {num} {unit}",future:"{sign} {num} {unit}",duration:"{num} {unit}",timeMarkers:"um",ampm:"am,pm",modifiers:[{name:"day",src:"vorgestern",value:-2},{name:"day",src:"gestern",value:-1},{name:"day",src:"heute",value:0},{name:"day",src:"morgen",value:1},{name:"day",src:"übermorgen|ubermorgen|uebermorgen",value:2},{name:"sign",src:"vor:|her",value:-1},{name:"sign",src:"in",value:1},{name:"shift",src:"letzte:|r|n|s",value:-1},{name:"shift",src:"nächste:|r|n|s+nachste:|r|n|s+naechste:|r|n|s+kommende:n|r",value:1}],parse:["{months} {year?}","{sign} {num} {unit}","{num} {unit} {sign}","{shift} {unit:5-7}"],timeParse:["{shift?} {day|weekday}","{weekday?},? {date}\\.? {months?}\\.? {year?}"],timeFrontParse:["{shift} {weekday}","{weekday?},? {date}\\.? {months?}\\.? {year?}"]})},function(t,e,n){"use strict";n(11)("es",{plural:!0,units:"milisegundo:|s,segundo:|s,minuto:|s,hora:|s,día|días|dia|dias,semana:|s,mes:|es,año|años|ano|anos",months:"ene:ro|,feb:rero|,mar:zo|,abr:il|,may:o|,jun:io|,jul:io|,ago:sto|,sep:tiembre|,oct:ubre|,nov:iembre|,dic:iembre|",weekdays:"dom:ingo|,lun:es|,mar:tes|,mié:rcoles|+mie:rcoles|,jue:ves|,vie:rnes|,sáb:ado|+sab:ado|",numerals:"cero,uno,dos,tres,cuatro,cinco,seis,siete,ocho,nueve,diez",tokens:"el,la,de",short:"{dd}/{MM}/{yyyy}",medium:"{d} de {Month} de {yyyy}",long:"{d} de {Month} de {yyyy} {time}",full:"{weekday}, {d} de {month} de {yyyy} {time}",stamp:"{dow} {d} {mon} {yyyy} {time}",time:"{H}:{mm}",past:"{sign} {num} {unit}",future:"{sign} {num} {unit}",duration:"{num} {unit}",timeMarkers:"a las",ampm:"am,pm",modifiers:[{name:"day",src:"anteayer",value:-2},{name:"day",src:"ayer",value:-1},{name:"day",src:"hoy",value:0},{name:"day",src:"mañana|manana",value:1},{name:"sign",src:"hace",value:-1},{name:"sign",src:"dentro de",value:1},{name:"shift",src:"pasad:o|a",value:-1},{name:"shift",src:"próximo|próxima|proximo|proxima",value:1}],parse:["{months} {2?} {year?}","{sign} {num} {unit}","{num} {unit} {sign}","{0?}{1?} {unit:5-7} {shift}","{0?}{1?} {shift} {unit:5-7}"],timeParse:["{shift?} {day|weekday} {shift?}","{date} {2?} {months?}\\.? {2?} {year?}"],timeFrontParse:["{shift?} {weekday} {shift?}","{date} {2?} {months?}\\.? {2?} {year?}"]})},function(t,e,n){"use strict";n(11)("fi",{plural:!0,units:"millisekun:ti|tia|nin|teja|tina,sekun:ti|tia|nin|teja|tina,minuut:ti|tia|in|teja|tina,tun:ti|tia|nin|teja|tina,päiv:ä|ää|än|iä|änä,viik:ko|koa|on|olla|koja|kona,kuukau:si|tta|den+kuussa,vuo:si|tta|den|sia|tena|nna",months:"tammi:kuuta||kuu,helmi:kuuta||kuu,maalis:kuuta||kuu,huhti:kuuta||kuu,touko:kuuta||kuu,kesä:kuuta||kuu,heinä:kuuta||kuu,elo:kuuta||kuu,syys:kuuta||kuu,loka:kuuta||kuu,marras:kuuta||kuu,joulu:kuuta||kuu",weekdays:"su:nnuntai||nnuntaina,ma:anantai||anantaina,ti:istai||istaina,ke:skiviikko||skiviikkona,to:rstai||rstaina,pe:rjantai||rjantaina,la:uantai||uantaina",numerals:"nolla,yksi|ensimmäinen,kaksi|toinen,kolm:e|as,neljä:|s,vii:si|des,kuu:si|des,seitsemä:n|s,kahdeksa:n|s,yhdeksä:n|s,kymmene:n|s",short:"{d}.{M}.{yyyy}",medium:"{d}. {month} {yyyy}",long:"{d}. {month} {yyyy} klo {time}",full:"{weekday} {d}. {month} {yyyy} klo {time}",stamp:"{dow} {d} {mon} {yyyy} {time}",time:"{H}.{mm}",timeMarkers:"klo,kello",timeSeparator:".",ordinalSuffix:".",relative:function(e,n,t,r){var i=this.units;function numberWithUnit(t){return e+" "+i[8*t+n]}function baseUnit(){return numberWithUnit(1===e?0:1)}switch(r){case"duration":return baseUnit();case"past":return baseUnit()+" sitten";case"future":return numberWithUnit(2)+" kuluttua"}},modifiers:[{name:"day",src:"toissa päivänä",value:-2},{name:"day",src:"eilen|eilistä",value:-1},{name:"day",src:"tänään",value:0},{name:"day",src:"huomenna|huomista",value:1},{name:"day",src:"ylihuomenna|ylihuomista",value:2},{name:"sign",src:"sitten|aiemmin",value:-1},{name:"sign",src:"päästä|kuluttua|myöhemmin",value:1},{name:"edge",src:"lopussa",value:2},{name:"edge",src:"ensimmäinen|ensimmäisenä",value:-2},{name:"shift",src:"edel:linen|lisenä",value:-1},{name:"shift",src:"viime",value:-1},{name:"shift",src:"tä:llä|ssä|nä|mä",value:0},{name:"shift",src:"seuraava|seuraavana|tuleva|tulevana|ensi",value:1}],parse:["{months} {year?}","{shift} {unit:5-7}"],timeParse:["{shift?} {day|weekday}","{weekday?},? {date}\\.? {months?}\\.? {year?}"],timeFrontParse:["{shift?} {day|weekday}","{num?} {unit} {sign}","{weekday?},? {date}\\.? {months?}\\.? {year?}"]})},function(t,e,n){"use strict";n(11)("fr",{plural:!0,units:"milliseconde:|s,seconde:|s,minute:|s,heure:|s,jour:|s,semaine:|s,mois,an:|s|née|nee",months:"janv:ier|,févr:ier|+fevr:ier|,mars,avr:il|,mai,juin,juil:let|,août,sept:embre|,oct:obre|,nov:embre|,déc:embre|+dec:embre|",weekdays:"dim:anche|,lun:di|,mar:di|,mer:credi|,jeu:di|,ven:dredi|,sam:edi|",numerals:"zéro,un:|e,deux,trois,quatre,cinq,six,sept,huit,neuf,dix",tokens:"l'|la|le,er",short:"{dd}/{MM}/{yyyy}",medium:"{d} {month} {yyyy}",long:"{d} {month} {yyyy} {time}",full:"{weekday} {d} {month} {yyyy} {time}",stamp:"{dow} {d} {mon} {yyyy} {time}",time:"{H}:{mm}",past:"{sign} {num} {unit}",future:"{sign} {num} {unit}",duration:"{num} {unit}",timeMarkers:"à",ampm:"am,pm",modifiers:[{name:"day",src:"hier",value:-1},{name:"day",src:"aujourd'hui",value:0},{name:"day",src:"demain",value:1},{name:"sign",src:"il y a",value:-1},{name:"sign",src:"dans|d'ici",value:1},{name:"shift",src:"derni:èr|er|ère|ere",value:-1},{name:"shift",src:"prochain:|e",value:1}],parse:["{months} {year?}","{sign} {num} {unit}","{0?} {unit:5-7} {shift}"],timeParse:["{day|weekday} {shift?}","{weekday?},? {0?} {date}{1?} {months}\\.? {year?}"],timeFrontParse:["{0?} {weekday} {shift}","{weekday?},? {0?} {date}{1?} {months}\\.? {year?}"]})},function(t,e,n){"use strict";n(11)("it",{plural:!0,units:"millisecond:o|i,second:o|i,minut:o|i,or:a|e,giorn:o|i,settiman:a|e,mes:e|i,ann:o|i",months:"gen:naio|,feb:braio|,mar:zo|,apr:ile|,mag:gio|,giu:gno|,lug:lio|,ago:sto|,set:tembre|,ott:obre|,nov:embre|,dic:embre|",weekdays:"dom:enica|,lun:edì||edi,mar:tedì||tedi,mer:coledì||coledi,gio:vedì||vedi,ven:erdì||erdi,sab:ato|",numerals:"zero,un:|a|o|',due,tre,quattro,cinque,sei,sette,otto,nove,dieci",tokens:"l'|la|il",short:"{dd}/{MM}/{yyyy}",medium:"{d} {month} {yyyy}",long:"{d} {month} {yyyy} {time}",full:"{weekday}, {d} {month} {yyyy} {time}",stamp:"{dow} {d} {mon} {yyyy} {time}",time:"{H}:{mm}",past:"{num} {unit} {sign}",future:"{num} {unit} {sign}",duration:"{num} {unit}",timeMarkers:"alle",ampm:"am,pm",modifiers:[{name:"day",src:"ieri",value:-1},{name:"day",src:"oggi",value:0},{name:"day",src:"domani",value:1},{name:"day",src:"dopodomani",value:2},{name:"sign",src:"fa",value:-1},{name:"sign",src:"da adesso",value:1},{name:"shift",src:"scors:o|a",value:-1},{name:"shift",src:"prossim:o|a",value:1}],parse:["{months} {year?}","{num} {unit} {sign}","{0?} {unit:5-7} {shift}","{0?} {shift} {unit:5-7}"],timeParse:["{day|weekday} {shift?}","{weekday?},? {date} {months?}\\.? {year?}"],timeFrontParse:["{day|weekday} {shift?}","{weekday?},? {date} {months?}\\.? {year?}"]})},function(t,e,n){"use strict";n(11)("ja",{ampmFront:!0,numeralUnits:!0,allowsFullWidth:!0,timeMarkerOptional:!0,firstDayOfWeek:0,firstDayOfWeekYear:1,units:"ミリ秒,秒,分,時間,日,週間|週,ヶ月|ヵ月|月,年|年度",weekdays:"日:曜日||曜,月:曜日||曜,火:曜日||曜,水:曜日||曜,木:曜日||曜,金:曜日||曜,土:曜日||曜",numerals:"〇,一,二,三,四,五,六,七,八,九",placeholders:"十,百,千,万",timeSuffixes:",秒,分,時,日,,月,年度?",short:"{yyyy}/{MM}/{dd}",medium:"{yyyy}年{M}月{d}日",long:"{yyyy}年{M}月{d}日{time}",full:"{yyyy}年{M}月{d}日{time} {weekday}",stamp:"{yyyy}年{M}月{d}日 {H}:{mm} {dow}",time:"{tt}{h}時{mm}分",past:"{num}{unit}{sign}",future:"{num}{unit}{sign}",duration:"{num}{unit}",ampm:"午前,午後",modifiers:[{name:"day",src:"一昨々日|前々々日",value:-3},{name:"day",src:"一昨日|おととい|前々日",value:-2},{name:"day",src:"昨日|前日",value:-1},{name:"day",src:"今日|当日|本日",value:0},{name:"day",src:"明日|翌日|次日",value:1},{name:"day",src:"明後日|翌々日",value:2},{name:"day",src:"明々後日|翌々々日",value:3},{name:"sign",src:"前",value:-1},{name:"sign",src:"後",value:1},{name:"edge",src:"始|初日|頭",value:-2},{name:"edge",src:"末|尻",value:2},{name:"edge",src:"末日",value:1},{name:"shift",src:"一昨々|前々々",value:-3},{name:"shift",src:"一昨|前々|先々",value:-2},{name:"shift",src:"先|昨|去|前",value:-1},{name:"shift",src:"今|本|当",value:0},{name:"shift",src:"来|明|翌|次",value:1},{name:"shift",src:"明後|翌々|次々|再来|さ来",value:2},{name:"shift",src:"明々後|翌々々",value:3}],parse:["{month}{edge}","{num}{unit}{sign}","{year?}{month}","{year}"],timeParse:["{day|weekday}","{shift}{unit:5}{weekday?}","{shift}{unit:7}{month}{edge}","{shift}{unit:7}{month?}{date?}","{shift}{unit:6}{edge?}{date?}","{year?}{month?}{date}"]})},function(t,e,n){"use strict";n(11)("ko",{ampmFront:!0,numeralUnits:!0,units:"밀리초,초,분,시간,일,주,개월|달,년|해",weekdays:"일:요일|,월:요일|,화:요일|,수:요일|,목:요일|,금:요일|,토:요일|",numerals:"영|제로,일|한,이,삼,사,오,육,칠,팔,구,십",short:"{yyyy}.{MM}.{dd}",medium:"{yyyy}년 {M}월 {d}일",long:"{yyyy}년 {M}월 {d}일 {time}",full:"{yyyy}년 {M}월 {d}일 {weekday} {time}",stamp:"{yyyy}년 {M}월 {d}일 {H}:{mm} {dow}",time:"{tt} {h}시 {mm}분",past:"{num}{unit} {sign}",future:"{num}{unit} {sign}",duration:"{num}{unit}",timeSuffixes:",초,분,시,일,,월,년",ampm:"오전,오후",modifiers:[{name:"day",src:"그저께",value:-2},{name:"day",src:"어제",value:-1},{name:"day",src:"오늘",value:0},{name:"day",src:"내일",value:1},{name:"day",src:"모레",value:2},{name:"sign",src:"전",value:-1},{name:"sign",src:"후",value:1},{name:"shift",src:"지난|작",value:-1},{name:"shift",src:"이번|올",value:0},{name:"shift",src:"다음|내",value:1}],parse:["{num}{unit} {sign}","{shift?} {unit:5-7}","{year?} {month}","{year}"],timeParse:["{day|weekday}","{shift} {unit:5?} {weekday}","{year?} {month?} {date} {weekday?}"]})},function(t,e,n){"use strict";n(11)("nl",{plural:!0,units:"milliseconde:|n,seconde:|n,minu:ut|ten,uur,dag:|en,we:ek|ken,maand:|en,jaar",months:"jan:uari|,feb:ruari|,maart|mrt,apr:il|,mei,jun:i|,jul:i|,aug:ustus|,sep:tember|,okt:ober|,nov:ember|,dec:ember|",weekdays:"zondag|zo,maandag|ma,dinsdag|di,woensdag|wo|woe,donderdag|do,vrijdag|vr|vrij,zaterdag|za",numerals:"nul,een,twee,drie,vier,vijf,zes,zeven,acht,negen,tien",short:"{dd}-{MM}-{yyyy}",medium:"{d} {month} {yyyy}",long:"{d} {Month} {yyyy} {time}",full:"{weekday} {d} {Month} {yyyy} {time}",stamp:"{dow} {d} {Mon} {yyyy} {time}",time:"{H}:{mm}",past:"{num} {unit} {sign}",future:"{num} {unit} {sign}",duration:"{num} {unit}",timeMarkers:"'s,om",modifiers:[{name:"day",src:"gisteren",value:-1},{name:"day",src:"vandaag",value:0},{name:"day",src:"morgen",value:1},{name:"day",src:"overmorgen",value:2},{name:"sign",src:"geleden",value:-1},{name:"sign",src:"vanaf nu",value:1},{name:"shift",src:"laatste|vorige|afgelopen",value:-1},{name:"shift",src:"volgend:|e",value:1}],parse:["{months} {year?}","{num} {unit} {sign}","{0?} {unit:5-7} {shift}","{0?} {shift} {unit:5-7}"],timeParse:["{shift?} {day|weekday}","{weekday?},? {date} {months?}\\.? {year?}"],timeFrontParse:["{shift?} {day|weekday}","{weekday?},? {date} {months?}\\.? {year?}"]})},function(t,e,n){"use strict";n(11)("no",{plural:!0,units:"millisekund:|er,sekund:|er,minutt:|er,tim:e|er,dag:|er,uk:e|er|en,måned:|er|en+maaned:|er|en,år:||et+aar:||et",months:"januar,februar,mars,april,mai,juni,juli,august,september,oktober,november,desember",weekdays:"søndag|sondag,mandag,tirsdag,onsdag,torsdag,fredag,lørdag|lordag",numerals:"en|et,to,tre,fire,fem,seks,sju|syv,åtte,ni,ti",tokens:"den,for",articles:"den",short:"d. {d}. {month} {yyyy}",long:"den {d}. {month} {yyyy} {H}:{mm}",full:"{Weekday} den {d}. {month} {yyyy} {H}:{mm}:{ss}",past:"{num} {unit} {sign}",future:"{sign} {num} {unit}",duration:"{num} {unit}",ampm:"am,pm",modifiers:[{name:"day",src:"forgårs|i forgårs|forgaars|i forgaars",value:-2},{name:"day",src:"i går|igår|i gaar|igaar",value:-1},{name:"day",src:"i dag|idag",value:0},{name:"day",src:"i morgen|imorgen",value:1},{name:"day",src:"overimorgen|overmorgen|over i morgen",value:2},{name:"sign",src:"siden",value:-1},{name:"sign",src:"om",value:1},{name:"shift",src:"i siste|siste",value:-1},{name:"shift",src:"denne",value:0},{name:"shift",src:"neste",value:1}],parse:["{num} {unit} {sign}","{sign} {num} {unit}","{1?} {num} {unit} {sign}","{shift} {unit:5-7}"],timeParse:["{date} {month}","{shift} {weekday}","{0?} {weekday?},? {date?} {month}\\.? {year}"]})},function(t,e,n){"use strict";n(11)("pl",{plural:!0,units:"milisekund:a|y|,sekund:a|y|,minut:a|y|,godzin:a|y|,dzień|dni|dni,tydzień|tygodnie|tygodni,miesiąc|miesiące|miesięcy,rok|lata|lat",months:"sty:cznia||czeń,lut:ego||y,mar:ca||zec,kwi:etnia||ecień,maj:a|,cze:rwca||rwiec,lip:ca||iec,sie:rpnia||rpień,wrz:eśnia||esień,paź:dziernika||dziernik,lis:topada||topad,gru:dnia||dzień",weekdays:"nie:dziela||dzielę,pon:iedziałek|,wt:orek|,śr:oda||odę,czw:artek|,piątek|pt,sobota|sb|sobotę",numerals:"zero,jeden|jedną,dwa|dwie,trzy,cztery,pięć,sześć,siedem,osiem,dziewięć,dziesięć",tokens:"w|we,roku",short:"{dd}.{MM}.{yyyy}",medium:"{d} {month} {yyyy}",long:"{d} {month} {yyyy} {time}",full:"{weekday}, {d} {month} {yyyy} {time}",stamp:"{dow} {d} {mon} {yyyy} {time}",time:"{H}:{mm}",timeMarkers:"o",ampm:"am,pm",modifiers:[{name:"day",src:"przedwczoraj",value:-2},{name:"day",src:"wczoraj",value:-1},{name:"day",src:"dzisiaj|dziś",value:0},{name:"day",src:"jutro",value:1},{name:"day",src:"pojutrze",value:2},{name:"sign",src:"temu|przed",value:-1},{name:"sign",src:"za",value:1},{name:"shift",src:"zeszły|zeszła|ostatni|ostatnia",value:-1},{name:"shift",src:"następny|następna|następnego|przyszły|przyszła|przyszłego",value:1}],relative:function(t,e,n,r){var i;if(4===e){if(1===t&&"past"===r)return"wczoraj";if(1===t&&"future"===r)return"jutro";if(2===t&&"past"===r)return"przedwczoraj";if(2===t&&"future"===r)return"pojutrze"}var s=+t.toFixed(0).slice(-1),a=+t.toFixed(0).slice(-2);switch(!0){case 1===t:i=0;break;case 12<=a&&a<=14:i=2;break;case 2<=s&&s<=4:i=1;break;default:i=2}var o=this.units[8*i+e],u=t+" ";switch("past"!==r&&"future"!==r||1!==t||(o=o.replace(/a$/,"ę")),o=u+o,r){case"duration":return o;case"past":return o+" temu";case"future":return"za "+o}},parse:["{num} {unit} {sign}","{sign} {num} {unit}","{months} {year?}","{shift} {unit:5-7}","{0} {shift?} {weekday}"],timeFrontParse:["{day|weekday}","{date} {months} {year?} {1?}","{0?} {shift?} {weekday}"]})},function(t,e,n){"use strict";n(11)("pt",{plural:!0,units:"milisegundo:|s,segundo:|s,minuto:|s,hora:|s,dia:|s,semana:|s,mês|mêses|mes|meses,ano:|s",months:"jan:eiro|,fev:ereiro|,mar:ço|,abr:il|,mai:o|,jun:ho|,jul:ho|,ago:sto|,set:embro|,out:ubro|,nov:embro|,dez:embro|",weekdays:"dom:ingo|,seg:unda-feira|,ter:ça-feira|,qua:rta-feira|,qui:nta-feira|,sex:ta-feira|,sáb:ado||ado",numerals:"zero,um:|a,dois|duas,três|tres,quatro,cinco,seis,sete,oito,nove,dez",tokens:"a,de",short:"{dd}/{MM}/{yyyy}",medium:"{d} de {Month} de {yyyy}",long:"{d} de {Month} de {yyyy} {time}",full:"{Weekday}, {d} de {Month} de {yyyy} {time}",stamp:"{Dow} {d} {Mon} {yyyy} {time}",time:"{H}:{mm}",past:"{num} {unit} {sign}",future:"{sign} {num} {unit}",duration:"{num} {unit}",timeMarkers:"às",ampm:"am,pm",modifiers:[{name:"day",src:"anteontem",value:-2},{name:"day",src:"ontem",value:-1},{name:"day",src:"hoje",value:0},{name:"day",src:"amanh:ã|a",value:1},{name:"sign",src:"atrás|atras|há|ha",value:-1},{name:"sign",src:"daqui a",value:1},{name:"shift",src:"passad:o|a",value:-1},{name:"shift",src:"próximo|próxima|proximo|proxima",value:1}],parse:["{months} {1?} {year?}","{num} {unit} {sign}","{sign} {num} {unit}","{0?} {unit:5-7} {shift}","{0?} {shift} {unit:5-7}"],timeParse:["{shift?} {day|weekday}","{0?} {shift} {weekday}","{date} {1?} {months?} {1?} {year?}"],timeFrontParse:["{shift?} {day|weekday}","{date} {1?} {months?} {1?} {year?}"]})},function(t,e,n){"use strict";n(11)("ru",{firstDayOfWeekYear:1,units:"миллисекунд:а|у|ы|,секунд:а|у|ы|,минут:а|у|ы|,час:||а|ов,день|день|дня|дней,недел:я|ю|и|ь|е,месяц:||а|ев|е,год|год|года|лет|году",months:"янв:аря||.|арь,фев:раля||р.|раль,мар:та||т,апр:еля||.|ель,мая|май,июн:я||ь,июл:я||ь,авг:уста||.|уст,сен:тября||т.|тябрь,окт:ября||.|ябрь,ноя:бря||брь,дек:абря||.|абрь",weekdays:"воскресенье|вс,понедельник|пн,вторник|вт,среда|ср,четверг|чт,пятница|пт,суббота|сб",numerals:"ноль,од:ин|ну,дв:а|е,три,четыре,пять,шесть,семь,восемь,девять,десять",tokens:"в|на,г\\.?(?:ода)?",short:"{dd}.{MM}.{yyyy}",medium:"{d} {month} {yyyy} г.",long:"{d} {month} {yyyy} г., {time}",full:"{weekday}, {d} {month} {yyyy} г., {time}",stamp:"{dow} {d} {mon} {yyyy} {time}",time:"{H}:{mm}",timeMarkers:"в",ampm:" утра, вечера",modifiers:[{name:"day",src:"позавчера",value:-2},{name:"day",src:"вчера",value:-1},{name:"day",src:"сегодня",value:0},{name:"day",src:"завтра",value:1},{name:"day",src:"послезавтра",value:2},{name:"sign",src:"назад",value:-1},{name:"sign",src:"через",value:1},{name:"shift",src:"прошл:ый|ой|ом",value:-1},{name:"shift",src:"следующ:ий|ей|ем",value:1}],relative:function(t,e,n,r){var i,s,a=t.toString().slice(-1);switch(!0){case 11<=t&&t<=15:s=3;break;case 1==a:s=1;break;case 2<=a&&a<=4:s=2;break;default:s=3}switch(i=t+" "+this.units[8*s+e],r){case"duration":return i;case"past":return i+" назад";case"future":return"через "+i}},parse:["{num} {unit} {sign}","{sign} {num} {unit}","{months} {year?}","{0?} {shift} {unit:5-7}"],timeParse:["{day|weekday}","{0?} {shift} {weekday}","{date} {months?} {year?} {1?}"],timeFrontParse:["{0?} {shift} {weekday}","{date} {months?} {year?} {1?}"]})},function(t,e,n){"use strict";n(11)("sv",{plural:!0,units:"millisekund:|er,sekund:|er,minut:|er,timm:e|ar,dag:|ar,veck:a|or|an,månad:|er|en+manad:|er|en,år:||et+ar:||et",months:"jan:uari|,feb:ruari|,mar:s|,apr:il|,maj,jun:i|,jul:i|,aug:usti|,sep:tember|,okt:ober|,nov:ember|,dec:ember|",weekdays:"sön:dag|+son:dag|,mån:dag||dagen+man:dag||dagen,tis:dag|,ons:dag|,tor:sdag|,fre:dag|,lör:dag||dag",numerals:"noll,en|ett,två|tva,tre,fyra,fem,sex,sju,åtta|atta,nio,tio",tokens:"den,för|for",articles:"den",short:"{yyyy}-{MM}-{dd}",medium:"{d} {month} {yyyy}",long:"{d} {month} {yyyy} {time}",full:"{weekday} {d} {month} {yyyy} {time}",stamp:"{dow} {d} {mon} {yyyy} {time}",time:"{H}:{mm}",past:"{num} {unit} {sign}",future:"{sign} {num} {unit}",duration:"{num} {unit}",ampm:"am,pm",modifiers:[{name:"day",src:"förrgår|i förrgår|iförrgår|forrgar|i forrgar|iforrgar",value:-2},{name:"day",src:"går|i går|igår|gar|i gar|igar",value:-1},{name:"day",src:"dag|i dag|idag",value:0},{name:"day",src:"morgon|i morgon|imorgon",value:1},{name:"day",src:"över morgon|övermorgon|i över morgon|i övermorgon|iövermorgon|over morgon|overmorgon|i over morgon|i overmorgon|iovermorgon",value:2},{name:"sign",src:"sedan|sen",value:-1},{name:"sign",src:"om",value:1},{name:"shift",src:"i förra|förra|i forra|forra",value:-1},{name:"shift",src:"denna",value:0},{name:"shift",src:"nästa|nasta",value:1}],parse:["{months} {year?}","{num} {unit} {sign}","{sign} {num} {unit}","{1?} {num} {unit} {sign}","{shift} {unit:5-7}"],timeParse:["{day|weekday}","{shift} {weekday}","{0?} {weekday?},? {date} {months?}\\.? {year?}"],timeFrontParse:["{day|weekday}","{shift} {weekday}","{0?} {weekday?},? {date} {months?}\\.? {year?}"]})},function(t,e,n){"use strict";n(11)("zh-CN",{ampmFront:!0,numeralUnits:!0,allowsFullWidth:!0,timeMarkerOptional:!0,units:"毫秒,秒钟,分钟,小时,天,个星期|周,个月,年",weekdays:"星期日|日|周日|星期天,星期一|一|周一,星期二|二|周二,星期三|三|周三,星期四|四|周四,星期五|五|周五,星期六|六|周六",numerals:"〇,一,二,三,四,五,六,七,八,九",placeholders:"十,百,千,万",short:"{yyyy}-{MM}-{dd}",medium:"{yyyy}年{M}月{d}日",long:"{yyyy}年{M}月{d}日{time}",full:"{yyyy}年{M}月{d}日{weekday}{time}",stamp:"{yyyy}年{M}月{d}日{H}:{mm}{dow}",time:"{tt}{h}点{mm}分",past:"{num}{unit}{sign}",future:"{num}{unit}{sign}",duration:"{num}{unit}",timeSuffixes:",秒,分钟?,点|时,日|号,,月,年",ampm:"上午,下午",modifiers:[{name:"day",src:"大前天",value:-3},{name:"day",src:"前天",value:-2},{name:"day",src:"昨天",value:-1},{name:"day",src:"今天",value:0},{name:"day",src:"明天",value:1},{name:"day",src:"后天",value:2},{name:"day",src:"大后天",value:3},{name:"sign",src:"前",value:-1},{name:"sign",src:"后",value:1},{name:"shift",src:"上|去",value:-1},{name:"shift",src:"这",value:0},{name:"shift",src:"下|明",value:1}],parse:["{num}{unit}{sign}","{shift}{unit:5-7}","{year?}{month}","{year}"],timeParse:["{day|weekday}","{shift}{weekday}","{year?}{month?}{date}"]})},function(t,e,n){"use strict";n(11)("zh-TW",{ampmFront:!0,numeralUnits:!0,allowsFullWidth:!0,timeMarkerOptional:!0,units:"毫秒,秒鐘,分鐘,小時,天,個星期|週,個月,年",weekdays:"星期日|日|週日|星期天,星期一|一|週一,星期二|二|週二,星期三|三|週三,星期四|四|週四,星期五|五|週五,星期六|六|週六",numerals:"〇,一,二,三,四,五,六,七,八,九",placeholders:"十,百,千,万",short:"{yyyy}/{MM}/{dd}",medium:"{yyyy}年{M}月{d}日",long:"{yyyy}年{M}月{d}日{time}",full:"{yyyy}年{M}月{d}日{weekday}{time}",stamp:"{yyyy}年{M}月{d}日{H}:{mm}{dow}",time:"{tt}{h}點{mm}分",past:"{num}{unit}{sign}",future:"{num}{unit}{sign}",duration:"{num}{unit}",timeSuffixes:",秒,分鐘?,點|時,日|號,,月,年",ampm:"上午,下午",modifiers:[{name:"day",src:"大前天",value:-3},{name:"day",src:"前天",value:-2},{name:"day",src:"昨天",value:-1},{name:"day",src:"今天",value:0},{name:"day",src:"明天",value:1},{name:"day",src:"後天",value:2},{name:"day",src:"大後天",value:3},{name:"sign",src:"前",value:-1},{name:"sign",src:"後",value:1},{name:"shift",src:"上|去",value:-1},{name:"shift",src:"這",value:0},{name:"shift",src:"下|明",value:1}],parse:["{num}{unit}{sign}","{shift}{unit:5-7}","{year?}{month}","{year}"],timeParse:["{day|weekday}","{shift}{weekday}","{year?}{month?}{date}"]})}])}); \ No newline at end of file diff --git a/tools/mkdocs/site/docs/01_attachements/modules/tablefilter/tf-1-2aa33b10e0e549020c12.js b/tools/mkdocs/site/docs/01_attachements/modules/tablefilter/tf-1-2aa33b10e0e549020c12.js new file mode 100644 index 0000000..305abc2 --- /dev/null +++ b/tools/mkdocs/site/docs/01_attachements/modules/tablefilter/tf-1-2aa33b10e0e549020c12.js @@ -0,0 +1 @@ +(window.webpackJsonp=window.webpackJsonp||[]).push([[1],{440:function(t,e,n){var r={"./array":20,"./array.js":20,"./const":4,"./const.js":4,"./cookie":60,"./cookie.js":60,"./dom":2,"./dom.js":2,"./emitter":89,"./emitter.js":89,"./event":5,"./event.js":5,"./extensions/advancedGrid/adapterEzEditTable":441,"./extensions/advancedGrid/adapterEzEditTable.js":441,"./extensions/advancedGrid/advancedGrid":443,"./extensions/advancedGrid/advancedGrid.js":443,"./extensions/colOps/colOps":444,"./extensions/colOps/colOps.js":444,"./extensions/colsVisibility/colsVisibility":445,"./extensions/colsVisibility/colsVisibility.js":445,"./extensions/filtersVisibility/filtersVisibility":446,"./extensions/filtersVisibility/filtersVisibility.js":446,"./extensions/sort/adapterSortabletable":442,"./extensions/sort/adapterSortabletable.js":442,"./extensions/sort/sort":447,"./extensions/sort/sort.js":447,"./feature":10,"./feature.js":10,"./modules/alternateRows":85,"./modules/alternateRows.js":85,"./modules/baseDropdown":48,"./modules/baseDropdown.js":48,"./modules/checkList":91,"./modules/checkList.js":91,"./modules/clearButton":84,"./modules/clearButton.js":84,"./modules/dateType":74,"./modules/dateType.js":74,"./modules/dropdown":90,"./modules/dropdown.js":90,"./modules/gridLayout":77,"./modules/gridLayout.js":77,"./modules/hash":92,"./modules/hash.js":92,"./modules/help":75,"./modules/help.js":75,"./modules/highlightKeywords":79,"./modules/highlightKeywords.js":79,"./modules/loader":78,"./modules/loader.js":78,"./modules/markActiveColumns":81,"./modules/markActiveColumns.js":81,"./modules/noResults":86,"./modules/noResults.js":86,"./modules/paging":87,"./modules/paging.js":87,"./modules/popupFilter":80,"./modules/popupFilter.js":80,"./modules/rowsCounter":82,"./modules/rowsCounter.js":82,"./modules/state":76,"./modules/state.js":76,"./modules/statusBar":83,"./modules/statusBar.js":83,"./modules/storage":93,"./modules/storage.js":93,"./modules/toolbar":18,"./modules/toolbar.js":18,"./number":22,"./number.js":22,"./root":9,"./root.js":9,"./settings":1,"./settings.js":1,"./sort":31,"./sort.js":31,"./string":8,"./string.js":8,"./tablefilter":127,"./tablefilter.js":127,"./types":3,"./types.js":3};function webpackContext(t){var e=webpackContextResolve(t);return n(e)}function webpackContextResolve(t){if(n.o(r,t))return r[t];var e=new Error("Cannot find module '"+t+"'");throw e.code="MODULE_NOT_FOUND",e}webpackContext.keys=function webpackContextKeys(){return Object.keys(r)},webpackContext.resolve=webpackContextResolve,(t.exports=webpackContext).id=440},441:function(t,e,n){"use strict";n.r(e),n.d(e,"default",function(){return r});var o=n(10),f=n(2),i=n(4),s=n(1),a=n(9);function _typeof(t){return(_typeof="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function _typeof(t){return typeof t}:function _typeof(t){return t&&"function"==typeof Symbol&&t.constructor===Symbol&&t!==Symbol.prototype?"symbol":typeof t})(t)}function _defineProperties(t,e){for(var n=0;nm)if(a.rowIndex>=n[r-1])e=n[r-1];else{var h=y+f;e=r-1o[s-1]&&ao[0]&&r.setPage("previous")}};if(b.paging&&(b.feature("paging").onAfterChangePage=function(t){var e=t.tf.extension("advancedGrid")._ezEditTable.Selection,n=e.GetActiveRow();n&&n.scrollIntoView(!1);var r=e.GetActiveCell();r&&r.scrollIntoView(!1)}),"row"===e.default_selection){var s=e.on_before_selected_row;e.on_before_selected_row=function(){var t=arguments;i(t[0],t[1]),s&&s.call(null,t[0],t[1],t[2])};var a=e.on_after_selected_row;e.on_after_selected_row=function(){var t=arguments;o(t[0],t[1],t[2]),a&&a.call(null,t[0],t[1],t[2])}}else{var l=e.on_before_selected_cell;e.on_before_selected_cell=function(){var t=arguments;i(t[0],t[1]),l&&l.call(null,t[0],t[1],t[2])};var c=e.on_after_selected_cell;e.on_after_selected_cell=function(){var t=arguments;o(t[0],t[1],t[2]),c&&c.call(null,t[0],t[1],t[2])}}}if(n){var u=e.on_added_dom_row;if(e.on_added_dom_row=function(){var t=arguments;b.nbFilterableRows++,b.paging?(b.nbFilterableRows++,b.paging=!1,b.feature("paging").destroy(),b.feature("paging").reset()):b.emitter.emit("rows-changed",b,this),b.alternateRows&&b.feature("alternateRows").init(),u&&u.call(null,t[0],t[1],t[2])},e.actions&&e.actions.delete){var d=e.actions.delete.on_after_submit;e.actions.delete.on_after_submit=function(){var t=arguments;b.nbFilterableRows--,b.paging?(b.nbFilterableRows--,b.paging=!1,b.feature("paging").destroy(),b.feature("paging").reset(!1)):b.emitter.emit("rows-changed",b,this),b.alternateRows&&b.feature("alternateRows").init(),d&&d.call(null,t[0],t[1])}}}try{this._ezEditTable=new EditTable(b.id,e,t),this._ezEditTable.Init()}catch(t){throw new Error('Failed to instantiate EditTable object.\n \n"ezEditTable" dependency not found.')}this.initialized=!0}},{key:"reset",value:function reset(){var t=this._ezEditTable;t&&(this.cfg.selection&&t.Selection.Set(),this.cfg.editable&&t.Editable.Set())}},{key:"toggle",value:function toggle(){var t=this._ezEditTable;t.editable?t.Editable.Remove():t.Editable.Set(),t.selection?t.Selection.Remove():t.Selection.Set()}},{key:"_toggleForInputFilter",value:function _toggleForInputFilter(){var t=this.tf;if(t.getActiveFilterId()){var e=t.getColumnIndexFromFilterId(t.getActiveFilterId());t.getFilterType(e)===i.INPUT&&this.toggle()}}},{key:"destroy",value:function destroy(){var t=this;if(this.initialized){var e=this._ezEditTable;e&&(this.cfg.selection&&(e.Selection.ClearSelections(),e.Selection.Remove()),this.cfg.editable&&e.Editable.Remove()),this.emitter.off(["filter-focus","filter-blur"],function(){return t._toggleForInputFilter()}),this.initialized=!1}}}]),AdapterEzEditTable}();r.meta={altName:"advancedGrid"}},442:function(t,e,n){"use strict";n.r(e),n.d(e,"default",function(){return r});var o=n(10),a=n(3),c=n(2),u=n(5),i=n(22),d=n(4),s=n(1);function _typeof(t){return(_typeof="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function _typeof(t){return typeof t}:function _typeof(t){return t&&"function"==typeof Symbol&&t.constructor===Symbol&&t!==Symbol.prototype?"symbol":typeof t})(t)}function _defineProperties(t,e){for(var n=0;n',n.icnCollapseHtml='Collapse filters',n.defaultText="Toggle filters",n.targetId=e.target_id||null,n.enableIcon=Object(l.defaultsBool)(e.enable_icon,!0),n.btnText=Object(l.defaultsStr)(e.btn_text,""),n.collapseBtnHtml=n.enableIcon?n.icnCollapseHtml+n.btnText:n.btnText||n.defaultText,n.expandBtnHtml=n.enableIcon?n.icnExpandHtml+n.btnText:n.btnText||n.defaultText,n.btnHtml=Object(l.defaultsStr)(e.btn_html,null),n.btnCssClass=Object(l.defaultsStr)(e.btn_css_class,"btnExpClpFlt"),n.contCssClass=Object(l.defaultsStr)(e.cont_css_class,"expClpFlt"),n.filtersRowIndex=Object(l.defaultsNb)(e.filters_row_index,t.getFiltersRowIndex()),n.visibleAtStart=Object(l.defaultsNb)(e.visible_at_start,!0),n.toolbarPosition=Object(l.defaultsStr)(e.toolbar_position,c.RIGHT),n.onBeforeShow=Object(l.defaultsFn)(e.on_before_show,i.EMPTY_FN),n.onAfterShow=Object(l.defaultsFn)(e.on_after_show,i.EMPTY_FN),n.onBeforeHide=Object(l.defaultsFn)(e.on_before_hide,i.EMPTY_FN),n.onAfterHide=Object(l.defaultsFn)(e.on_after_hide,i.EMPTY_FN),t.import(e.name+"Style",t.getStylePath()+n.stylesheet,null,"link"),n.enable(),n}return function _createClass(t,e,n){return e&&_defineProperties(t.prototype,e),n&&_defineProperties(t,n),t}(FiltersVisibility,[{key:"init",value:function init(){var n=this;this.initialized||(this.emitter.emit("initializing-extension",this,!Object(i.isNull)(this.targetId)),this.buildUI(),this.initialized=!0,this.emitter.on(["show-filters"],function(t,e){return n.show(e)}),this.emitter.emit("filters-visibility-initialized",this.tf,this),this.emitter.emit("extension-initialized",this))}},{key:"buildUI",value:function buildUI(){var t=this,e=this.tf,n=Object(s.createElm)("span");n.className=this.contCssClass;var r,o=this.targetId?Object(s.elm)(this.targetId):e.feature("toolbar").container(this.toolbarPosition);if(this.targetId)o.appendChild(n);else{var i=o.firstChild;i.parentNode.insertBefore(n,i)}this.btnHtml?(n.innerHTML=this.btnHtml,r=n.firstChild):((r=Object(s.createElm)("a",["href","javascript:void(0);"])).className=this.btnCssClass,r.title=this.btnText||this.defaultText,r.innerHTML=this.collapseBtnHtml,n.appendChild(r)),Object(a.addEvt)(r,"click",function(){return t.toggle()}),this.contEl=n,this.btnEl=r,this.visibleAtStart||this.toggle()}},{key:"toggle",value:function toggle(){var t=this.tf,e=""===(t.gridLayout?t.feature("gridLayout").headTbl:t.dom()).rows[this.filtersRowIndex].style.display;this.show(!e)}},{key:"show",value:function show(t){var e=!(0e){var n=t[1].slice(0,e);if(5<=+t[1].substr(e,1)){for(var r="";"0"===n.charAt(0);)r+="0",n=n.substr(1);(n=r+(n=+n+1+"")).length>e&&(t[0]=+t[0]+ +n.charAt(0)+"",n=n.substring(1))}t[1]=n}return t}(t,o.round),null!=o.truncate&&(t[1]=function truncate(t,e){t&&(t+="");return t&&t.length>e?t.substr(0,e):t}(t[1],o.truncate)),0 descending, false -> ascending\r\nSortableTable.prototype.defaultDescending = false;\r\n\r\n// shared between all instances. This is intentional to allow external files\r\n// to modify the prototype\r\nSortableTable.prototype._sortTypeInfo = {};\r\n\r\nSortableTable.prototype.setTable = function (oTable) {\r\n\tif ( this.tHead )\r\n\t\tthis.uninitHeader();\r\n\tthis.element = oTable;\r\n\tthis.setTHead( oTable.tHead );\r\n\tthis.setTBody( oTable.tBodies[0] );\r\n};\r\n\r\nSortableTable.prototype.setTHead = function (oTHead) {\r\n\tif (this.tHead && this.tHead != oTHead )\r\n\t\tthis.uninitHeader();\r\n\tthis.tHead = oTHead;\r\n\tthis.initHeader( this.sortTypes );\r\n};\r\n\r\nSortableTable.prototype.setTBody = function (oTBody) {\r\n\tthis.tBody = oTBody;\r\n};\r\n\r\nSortableTable.prototype.setSortTypes = function ( oSortTypes ) {\r\n\tif ( this.tHead )\r\n\t\tthis.uninitHeader();\r\n\tthis.sortTypes = oSortTypes || [];\r\n\tif ( this.tHead )\r\n\t\tthis.initHeader( this.sortTypes );\r\n};\r\n\r\n// adds arrow containers and events\r\n// also binds sort type to the header cells so that reordering columns does\r\n// not break the sort types\r\nSortableTable.prototype.initHeader = function (oSortTypes) {\r\n\tif (!this.tHead) return;\r\n\tvar cells = this.tHead.rows[0].cells;\r\n\tvar doc = this.tHead.ownerDocument || this.tHead.document;\r\n\tthis.sortTypes = oSortTypes || [];\r\n\tvar l = cells.length;\r\n\tvar img, c;\r\n\tfor (var i = 0; i < l; i++) {\r\n\t\tc = cells[i];\r\n\t\tif (this.sortTypes[i] != null && this.sortTypes[i] != "None") {\r\n\t\t\timg = doc.createElement("IMG");\r\n\t\t\timg.src = "images/blank.png";\r\n\t\t\tc.appendChild(img);\r\n\t\t\tif (this.sortTypes[i] != null)\r\n\t\t\t\tc._sortType = this.sortTypes[i];\r\n\t\t\tif (typeof c.addEventListener != "undefined")\r\n\t\t\t\tc.addEventListener("click", this._headerOnclick, false);\r\n\t\t\telse if (typeof c.attachEvent != "undefined")\r\n\t\t\t\tc.attachEvent("onclick", this._headerOnclick);\r\n\t\t\telse\r\n\t\t\t\tc.onclick = this._headerOnclick;\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tc.setAttribute( "_sortType", oSortTypes[i] );\r\n\t\t\tc._sortType = "None";\r\n\t\t}\r\n\t}\r\n\tthis.updateHeaderArrows();\r\n};\r\n\r\n// remove arrows and events\r\nSortableTable.prototype.uninitHeader = function () {\r\n\tif (!this.tHead) return;\r\n\tvar cells = this.tHead.rows[0].cells;\r\n\tvar l = cells.length;\r\n\tvar c;\r\n\tfor (var i = 0; i < l; i++) {\r\n\t\tc = cells[i];\r\n\t\tif (c._sortType != null && c._sortType != "None") {\r\n\t\t\tc.removeChild(c.lastChild);\r\n\t\t\tif (typeof c.removeEventListener != "undefined")\r\n\t\t\t\tc.removeEventListener("click", this._headerOnclick, false);\r\n\t\t\telse if (typeof c.detachEvent != "undefined")\r\n\t\t\t\tc.detachEvent("onclick", this._headerOnclick);\r\n\t\t\tc._sortType = null;\r\n\t\t\tc.removeAttribute( "_sortType" );\r\n\t\t}\r\n\t}\r\n};\r\n\r\nSortableTable.prototype.updateHeaderArrows = function () {\r\n\tif (!this.tHead) return;\r\n\tvar cells = this.tHead.rows[0].cells;\r\n\tvar l = cells.length;\r\n\tvar img;\r\n\tfor (var i = 0; i < l; i++) {\r\n\t\tif (cells[i]._sortType != null && cells[i]._sortType != "None") {\r\n\t\t\timg = cells[i].lastChild;\r\n\t\t\tif (i == this.sortColumn)\r\n\t\t\t\timg.className = "sort-arrow " + (this.descending ? "descending" : "ascending");\r\n\t\t\telse\r\n\t\t\t\timg.className = "sort-arrow";\r\n\t\t}\r\n\t}\r\n};\r\n\r\nSortableTable.prototype.headerOnclick = function (e) {\r\n\t// find TD element\r\n\tvar el = e.target || e.srcElement;\r\n\twhile (el.tagName != "TD")\r\n\t\tel = el.parentNode;\r\n\r\n\tthis.sort(SortableTable.msie ? SortableTable.getCellIndex(el) : el.cellIndex);\r\n};\r\n\r\n// IE returns wrong cellIndex when columns are hidden\r\nSortableTable.getCellIndex = function (oTd) {\r\n\tvar cells = oTd.parentNode.childNodes\r\n\tvar l = cells.length;\r\n\tvar i;\r\n\tfor (i = 0; cells[i] != oTd && i < l; i++)\r\n\t\t;\r\n\treturn i;\r\n};\r\n\r\nSortableTable.prototype.getSortType = function (nColumn) {\r\n\treturn this.sortTypes[nColumn] || "String";\r\n};\r\n\r\n// only nColumn is required\r\n// if bDescending is left out the old value is taken into account\r\n// if sSortType is left out the sort type is found from the sortTypes array\r\n\r\nSortableTable.prototype.sort = function (nColumn, bDescending, sSortType) {\r\n\tif (!this.tBody) return;\r\n\tif (sSortType == null)\r\n\t\tsSortType = this.getSortType(nColumn);\r\n\r\n\t// exit if None\r\n\tif (sSortType == "None")\r\n\t\treturn;\r\n\r\n\tif (bDescending == null) {\r\n\t\tif (this.sortColumn != nColumn)\r\n\t\t\tthis.descending = this.defaultDescending;\r\n\t\telse\r\n\t\t\tthis.descending = !this.descending;\r\n\t}\r\n\telse\r\n\t\tthis.descending = bDescending;\r\n\r\n\tthis.sortColumn = nColumn;\r\n\r\n\tif (typeof this.onbeforesort == "function")\r\n\t\tthis.onbeforesort();\r\n\r\n\tvar f = this.getSortFunction(sSortType, nColumn);\r\n\tvar a = this.getCache(sSortType, nColumn);\r\n\tvar tBody = this.tBody;\r\n\r\n\ta.sort(f);\r\n\r\n\tif (this.descending)\r\n\t\ta.reverse();\r\n\r\n\tif (SortableTable.removeBeforeSort) {\r\n\t\t// remove from doc\r\n\t\tvar nextSibling = tBody.nextSibling;\r\n\t\tvar p = tBody.parentNode;\r\n\t\tp.removeChild(tBody);\r\n\t}\r\n\r\n\t// insert in the new order\r\n\tvar l = a.length;\r\n\tfor (var i = 0; i < l; i++)\r\n\t\ttBody.appendChild(a[i].element);\r\n\r\n\tif (SortableTable.removeBeforeSort) {\r\n\t\t// insert into doc\r\n\t\tp.insertBefore(tBody, nextSibling);\r\n\t}\r\n\r\n\tthis.updateHeaderArrows();\r\n\r\n\tthis.destroyCache(a);\r\n\r\n\tif (typeof this.onsort == "function")\r\n\t\tthis.onsort();\r\n};\r\n\r\nSortableTable.prototype.asyncSort = function (nColumn, bDescending, sSortType) {\r\n\tvar oThis = this;\r\n\tthis._asyncsort = function () {\r\n\t\toThis.sort(nColumn, bDescending, sSortType);\r\n\t};\r\n\twindow.setTimeout(this._asyncsort, 1);\r\n};\r\n\r\nSortableTable.prototype.getCache = function (sType, nColumn) {\r\n\tif (!this.tBody) return [];\r\n\tvar rows = this.tBody.rows;\r\n\tvar l = rows.length;\r\n\tvar a = new Array(l);\r\n\tvar r;\r\n\tfor (var i = 0; i < l; i++) {\r\n\t\tr = rows[i];\r\n\t\ta[i] = {\r\n\t\t\tvalue:\t\tthis.getRowValue(r, sType, nColumn),\r\n\t\t\telement:\tr\r\n\t\t};\r\n\t};\r\n\treturn a;\r\n};\r\n\r\nSortableTable.prototype.destroyCache = function (oArray) {\r\n\tvar l = oArray.length;\r\n\tfor (var i = 0; i < l; i++) {\r\n\t\toArray[i].value = null;\r\n\t\toArray[i].element = null;\r\n\t\toArray[i] = null;\r\n\t}\r\n};\r\n\r\nSortableTable.prototype.getRowValue = function (oRow, sType, nColumn) {\r\n\t// if we have defined a custom getRowValue use that\r\n\tif (this._sortTypeInfo[sType] && this._sortTypeInfo[sType].getRowValue)\r\n\t\treturn this._sortTypeInfo[sType].getRowValue(oRow, nColumn);\r\n\r\n\tvar s;\r\n\tvar c = oRow.cells[nColumn];\r\n\tif (typeof c.innerText != "undefined")\r\n\t\ts = c.innerText;\r\n\telse\r\n\t\ts = SortableTable.getInnerText(c);\r\n\treturn this.getValueFromString(s, sType);\r\n};\r\n\r\nSortableTable.getInnerText = function (oNode) {\r\n\tvar s = "";\r\n\tvar cs = oNode.childNodes;\r\n\tvar l = cs.length;\r\n\tfor (var i = 0; i < l; i++) {\r\n\t\tswitch (cs[i].nodeType) {\r\n\t\t\tcase 1: //ELEMENT_NODE\r\n\t\t\t\ts += SortableTable.getInnerText(cs[i]);\r\n\t\t\t\tbreak;\r\n\t\t\tcase 3:\t//TEXT_NODE\r\n\t\t\t\ts += cs[i].nodeValue;\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\treturn s;\r\n};\r\n\r\nSortableTable.prototype.getValueFromString = function (sText, sType) {\r\n\tif (this._sortTypeInfo[sType])\r\n\t\treturn this._sortTypeInfo[sType].getValueFromString( sText );\r\n\treturn sText;\r\n\t/*\r\n\tswitch (sType) {\r\n\t\tcase "Number":\r\n\t\t\treturn Number(sText);\r\n\t\tcase "CaseInsensitiveString":\r\n\t\t\treturn sText.toUpperCase();\r\n\t\tcase "Date":\r\n\t\t\tvar parts = sText.split("-");\r\n\t\t\tvar d = new Date(0);\r\n\t\t\td.setFullYear(parts[0]);\r\n\t\t\td.setDate(parts[2]);\r\n\t\t\td.setMonth(parts[1] - 1);\r\n\t\t\treturn d.valueOf();\r\n\t}\r\n\treturn sText;\r\n\t*/\r\n\t};\r\n\r\nSortableTable.prototype.getSortFunction = function (sType, nColumn) {\r\n\tif (this._sortTypeInfo[sType])\r\n\t\treturn this._sortTypeInfo[sType].compare;\r\n\treturn SortableTable.basicCompare;\r\n};\r\n\r\nSortableTable.prototype.destroy = function () {\r\n\tthis.uninitHeader();\r\n\tvar win = this.document.parentWindow;\r\n\tif (win && typeof win.detachEvent != "undefined") {\t// only IE needs this\r\n\t\twin.detachEvent("onunload", this._onunload);\r\n\t}\r\n\tthis._onunload = null;\r\n\tthis.element = null;\r\n\tthis.tHead = null;\r\n\tthis.tBody = null;\r\n\tthis.document = null;\r\n\tthis._headerOnclick = null;\r\n\tthis.sortTypes = null;\r\n\tthis._asyncsort = null;\r\n\tthis.onsort = null;\r\n};\r\n\r\n// Adds a sort type to all instance of SortableTable\r\n// sType : String - the identifier of the sort type\r\n// fGetValueFromString : function ( s : string ) : T - A function that takes a\r\n// string and casts it to a desired format. If left out the string is just\r\n// returned\r\n// fCompareFunction : function ( n1 : T, n2 : T ) : Number - A normal JS sort\r\n// compare function. Takes two values and compares them. If left out less than,\r\n// <, compare is used\r\n// fGetRowValue : function( oRow : HTMLTRElement, nColumn : int ) : T - A function\r\n// that takes the row and the column index and returns the value used to compare.\r\n// If left out then the innerText is first taken for the cell and then the\r\n// fGetValueFromString is used to convert that string the desired value and type\r\n\r\nSortableTable.prototype.addSortType = function (sType, fGetValueFromString, fCompareFunction, fGetRowValue) {\r\n\tthis._sortTypeInfo[sType] = {\r\n\t\ttype:\t\t\t\tsType,\r\n\t\tgetValueFromString:\tfGetValueFromString || SortableTable.idFunction,\r\n\t\tcompare:\t\t\tfCompareFunction || SortableTable.basicCompare,\r\n\t\tgetRowValue:\t\tfGetRowValue\r\n\t};\r\n};\r\n\r\n// this removes the sort type from all instances of SortableTable\r\nSortableTable.prototype.removeSortType = function (sType) {\r\n\tdelete this._sortTypeInfo[sType];\r\n};\r\n\r\nSortableTable.basicCompare = function compare(n1, n2) {\r\n\tif (n1.value < n2.value)\r\n\t\treturn -1;\r\n\tif (n2.value < n1.value)\r\n\t\treturn 1;\r\n\treturn 0;\r\n};\r\n\r\nSortableTable.idFunction = function (x) {\r\n\treturn x;\r\n};\r\n\r\nSortableTable.toUpperCase = function (s) {\r\n\treturn s.toUpperCase();\r\n};\r\n\r\nSortableTable.toDate = function (s) {\r\n\tvar parts = s.split("-");\r\n\tvar d = new Date(0);\r\n\td.setFullYear(parts[0]);\r\n\td.setDate(parts[2]);\r\n\td.setMonth(parts[1] - 1);\r\n\treturn d.valueOf();\r\n};\r\n\r\n\r\n// add sort types\r\nSortableTable.prototype.addSortType("Number", Number);\r\nSortableTable.prototype.addSortType("CaseInsensitiveString", SortableTable.toUpperCase);\r\nSortableTable.prototype.addSortType("Date", SortableTable.toDate);\r\nSortableTable.prototype.addSortType("String");\r\n// None is a special case\r\n'}}]); \ No newline at end of file diff --git a/tools/mkdocs/site/docs/01_attachements/stylesheets/graph.css b/tools/mkdocs/site/docs/01_attachements/stylesheets/graph.css new file mode 100644 index 0000000..4955ea1 --- /dev/null +++ b/tools/mkdocs/site/docs/01_attachements/stylesheets/graph.css @@ -0,0 +1,10 @@ +.tooltip { + position: absolute; + text-align: center; + padding: 8px; + background: lightgrey; + border: 0px; + border-radius: 4px; + pointer-events: none; + color: black; +} \ No newline at end of file diff --git a/tools/mkdocs/site/mkdocs.yml b/tools/mkdocs/site/mkdocs.yml index 23a61dd..3c204e4 100644 --- a/tools/mkdocs/site/mkdocs.yml +++ b/tools/mkdocs/site/mkdocs.yml @@ -23,6 +23,7 @@ theme: - navigation.footer - search.highlight - search.share + - navigation.instant.preview palette: # Palette toggle for automatic mode @@ -46,7 +47,10 @@ theme: markdown_extensions: - admonition - pymdownx.details - - pymdownx.superfences + - pymdownx.superfences: + custom_fences: + - name: mermaid + class: mermaid - tables - attr_list - pymdownx.emoji: @@ -61,8 +65,23 @@ extra: link: https://github.com/misp generator: false +extra_javascript: + # - javascripts/tablefilter.js + # - "https://unpkg.com/tablefilter@0.7.3/dist/tablefilter/tablefilter.js" + # - "https://d3js.org/d3.v6.min.js" + - 01_attachements/javascripts/graph.js + - 01_attachements/javascripts/statistics.js + # - node_modules/tablefilter/dist/tablefilter/tablefilter.js + # - node_modules/d3/dist/d3.min.js + - 01_attachements/modules/d3.min.js + - 01_attachements/modules/tablefilter/tablefilter.js + +extra_css: + - 01_attachements/stylesheets/graph.css + plugins: - search - rss + - awesome-pages #- git-committers: # branch: main