Updating artifacts

elastic · Oct 17, 2023 · 7310e50 · 7310e50
1 parent aeb097e
commit 7310e50
Show file tree

Hide file tree

Showing 127 changed files with 2,257 additions and 1,687 deletions.
diff --git a/behavior/rules/collection_getasynckeystate_api_call_from_suspicious_process.toml b/behavior/rules/collection_getasynckeystate_api_call_from_suspicious_process.toml
@@ -0,0 +1,77 @@
+[rule]
+description = """
+Identifies attempts to enumerate the state of keyboard keys by an unusual process. Adversaries may log user keystrokes
+to intercept credentials or other information from the user as the user types them.
+"""
+id = "be7140ba-4633-46a7-ac59-91cc85e5e252"
+license = "Elastic License v2"
+name = "GetAsyncKeyState API Call from Suspicious Process"
+os_list = ["windows"]
+reference = [
+    "https://attack.mitre.org/techniques/T1056/001/",
+    "https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getasynckeystate",
+]
+version = "1.0.6"
+
+query = '''
+sequence by process.entity_id with maxspan=5m
+ [process where event.action == "start" and
+  (
+   (process.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk") and not process.executable : "C:\\*") or
+   (process.Ext.relative_file_creation_time <= 500 and (process.code_signature.trusted == false or process.code_signature.exists == false)) or
+   process.name : ("rundll32.exe", "regsvr32.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe") or
+   process.pe.original_file_name : ("python*.exe", "AutoIt*.exe") or
+   (process.Ext.relative_file_creation_time <= 500 and
+    process.executable :
+                ("?:\\Users\\Public\\*",
+                 "?:\\Users\\*\\Downloads\\*",
+                 "?:\\Windows\\Temp\\*",
+                 "?:\\Windows\\Tasks\\*",
+                 "?:\\ProgramData\\*",
+                 "?:\\Windows\\Microsoft.NET\\*")) or
+    process.executable : ("?:\\Users\\*\\AppData\\Local\\Temp\\7z*\\",
+                         "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*",
+                         "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*\\*",
+                         "?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*") or
+   (process.parent.name : "svchost.exe" and process.parent.args : "Schedule")
+  ) and
+  not process.executable :
+              ("?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
+              "?:\\Program Files (x86)\\*.exe",
+              "?:\\Program Files\\*.exe")
+  ]
+ [api where process.Ext.api.name == "GetAsyncKeyState" and
+  process.Ext.api.parameters.background_callcount >= 400 and process.Ext.api.parameters.ms_since_last_keyevent >= 100]
+'''
+
+min_endpoint_version = "8.10.0"
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[optional_actions]]
+action = "rollback"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1056"
+name = "Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/"
+[[threat.technique.subtechnique]]
+id = "T1056.001"
+name = "Keylogging"
+reference = "https://attack.mitre.org/techniques/T1056/001/"
+
+
+
+[threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[internal]
+min_endpoint_version = "8.10.0"
diff --git a/behavior/rules/collection_suspicious_input_capture_via_getasynckeystate_api.toml b/behavior/rules/collection_suspicious_input_capture_via_getasynckeystate_api.toml
@@ -0,0 +1,51 @@
+[rule]
+description = """
+Identifies multiple attempts to enumerate the state of keyboard keys by the same process and in a short period of time.
+Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.
+"""
+id = "2ed0570d-3fa4-45b1-b4f2-d7fcc827daf1"
+license = "Elastic License v2"
+name = "Suspicious Input Capture via GetAsyncKeyState API"
+os_list = ["windows"]
+reference = [
+    "https://attack.mitre.org/techniques/T1056/001/",
+    "https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getasynckeystate",
+]
+version = "1.0.6"
+
+query = '''
+sequence by process.entity_id with maxspan=3s
+ [api where process.Ext.api.name == "GetAsyncKeyState"]
+ [api where process.Ext.api.name == "GetAsyncKeyState"]
+ [api where process.Ext.api.name == "GetAsyncKeyState"]
+ [api where process.Ext.api.name == "GetAsyncKeyState"]
+ [api where process.Ext.api.name == "GetAsyncKeyState"]
+'''
+
+min_endpoint_version = "8.10.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1056"
+name = "Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/"
+[[threat.technique.subtechnique]]
+id = "T1056.001"
+name = "Keylogging"
+reference = "https://attack.mitre.org/techniques/T1056/001/"
+
+
+
+[threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[internal]
+min_endpoint_version = "8.10.0"
diff --git a/...r/rules/command_and_control_connection_to_dynamic_dns_provider_by_an_unsigned_binary.toml b/...r/rules/command_and_control_connection_to_dynamic_dns_provider_by_an_unsigned_binary.toml
@@ -7,14 +7,18 @@ id = "75b80e66-90d0-4ab6-9e6b-976f7d690906"
 license = "Elastic License v2"
 name = "Connection to Dynamic DNS Provider by an Unsigned Binary"
 os_list = ["windows"]
-version = "1.0.29"
+version = "1.0.30"
 
 query = '''
 sequence by process.entity_id with maxspan=1m
  /* execution of an unsigned PEfollowed by dns request to dynamic dns provider */
   [process where event.action == "start" and user.id : "S-1-5-21-*" and
    not process.code_signature.trusted == true and
-   process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*", "?:\\Windows\\Tasks\\*")]
+   process.executable : ("?:\\Users\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*", "?:\\Windows\\Tasks\\*") and 
+   not process.hash.sha256 : 
+              ("6cebce1ed45f77ca971281862cc9c9d0085dbc3504a9f1f9a717496cce51c829", 
+               "43bd0fa458004d384a31b9147218be267b978506784dd4da141d46195a3ea4d9", 
+               "18886da5d34be1f92ddf333c26f8c3a2b0be4da60a7ac4d795da233cbcd9e3bb")]
   [dns where
     dns.question.name :
          (

diff --git a/behavior/rules/command_and_control_connection_to_webservice_by_a_signed_binary_proxy.toml b/behavior/rules/command_and_control_connection_to_webservice_by_a_signed_binary_proxy.toml
@@ -7,15 +7,15 @@ id = "c567240c-445b-4000-9612-b5531e21e050"
 license = "Elastic License v2"
 name = "Connection to WebService by a Signed Binary Proxy"
 os_list = ["windows"]
-version = "1.0.37"
+version = "1.0.38"
 
 query = '''
 sequence by process.entity_id with maxspan=5m
   [process where event.action == "start" and user.id : "S-1-5-21-*" and
     (
      process.name : ("wscript.exe", "cscript.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe", "vbc.exe",
                      "msbuild.exe", "wmic.exe", "cmstp.exe", "RegAsm.exe", "installutil.exe","RegSvcs.exe",
-                     "msxsl.exe", "xwizard.exe", "csc.exe", "curl.exe", "dfsvc.exe", "net.exe") or
+                     "msxsl.exe", "xwizard.exe", "csc.exe", "curl.exe", "net.exe") or
      process.pe.original_file_name : ("wscript.exe", "cscript.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe", 
                                       "vbc.exe", "msbuild.exe", "wmic.exe", "cmstp.exe", "RegAsm.exe", "installutil.exe", 
                                       "RegSvcs.exe", "msxsl.exe", "xwizard.exe", "csc.exe", "curl.exe", "net.exe") or
@@ -46,7 +46,10 @@ sequence by process.entity_id with maxspan=5m
                           "?:\\WINDOWS\\SYSTEM32\\EDGEHTML.dll,#141",
                           "?:\\WINDOWS\\System32\\shell32.dll,SHCreateLocalServerRunDll",
                           "?:\\PROGRA~2\\MICROS~2\\Office*\\*.CPL*",
-                          "?:\\Windows\\System32\\mshtml.dll,PrintHTML"))
+                          "?:\\Windows\\System32\\mshtml.dll,PrintHTML", 
+                          "?:\\PROGRA~?\\MICROS~?\\Office??\\MLCFG32.CPL,@0", 
+                          "AppXDeploymentExtensions.OneCore.dll,ShellRefresh")) and 
+      not process.parent.executable : ("C:\\Program Files\\Logi\\LogiBolt\\LogiBolt.exe", "C:\\Program Files (x86)\\Avaya\\Avaya one-X Agent\\OneXAgentUI.exe")
   ]
   [dns where
     dns.question.name :
@@ -129,8 +132,9 @@ sequence by process.entity_id with maxspan=5m
         "i.ibb.co"
     ) and
     /* common to use powershell script by Microsoft Cloud sysadmins */
-    not (process.name : ("powershell.exe", "pwsh.exe") and
-         dns.question.name : ("graph.microsoft.com", "*.sharepoint.com", "login.microsoftonline.com", "login.live.com", "raw.githubusercontent.com"))
+    not (process.name : ("powershell.exe", "pwsh.exe", "javaw.exe") and
+         dns.question.name : ("graph.microsoft.com", "*.sharepoint.com", "login.microsoftonline.com", "login.live.com", "raw.githubusercontent.com")) and 
+    not (dns.question.name : "rev-resolve.azurewebsites.net" and process.name : "wscript.exe")
   ]
 '''
 

diff --git a/behavior/rules/command_and_control_connection_to_webservice_by_an_unsigned_binary.toml b/behavior/rules/command_and_control_connection_to_webservice_by_an_unsigned_binary.toml
@@ -7,7 +7,7 @@ id = "2c3efa34-fecd-4b3b-bdb6-30d547f2a1a4"
 license = "Elastic License v2"
 name = "Connection to WebService by an Unsigned Binary"
 os_list = ["windows"]
-version = "1.0.35"
+version = "1.0.36"
 
 query = '''
 sequence by process.entity_id with maxspan=5m
@@ -119,7 +119,8 @@ sequence by process.entity_id with maxspan=5m
   ]
 '''
 
-min_endpoint_version = "8.4.0"
+min_endpoint_version = "8.10.0"
+reputation = true
 [[actions]]
 action = "kill_process"
 field = "process.entity_id"
@@ -154,4 +155,4 @@ name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
 [internal]
-min_endpoint_version = "8.4.0"
+min_endpoint_version = "8.10.0"
diff --git a/behavior/rules/command_and_control_ingress_tool_transfer_via_curl.toml b/behavior/rules/command_and_control_ingress_tool_transfer_via_curl.toml
@@ -7,7 +7,7 @@ id = "336ada1c-69f8-46e8-bdd2-790c85429696"
 license = "Elastic License v2"
 name = "Ingress Tool Transfer via CURL"
 os_list = ["windows"]
-version = "1.0.24"
+version = "1.0.25"
 
 query = '''
 process where event.action == "start" and
@@ -32,7 +32,7 @@ process where event.action == "start" and
   not (process.parent.name : ("cmd.exe", "powershell.exe") and process.parent.args_count == 1) and
   not process.parent.executable : "?:\\Users\\*\\AppData\\Local\\Temp\\nsc*.tmp\\*.exe" and
   not process.command_line : "*curl -o \\\\.\\nul -v -I -L -s --connect-timeout*" and
-  not process.args : ("https://mirror.init7.net/ctan/systems*", "https://*.ctan.org*") and
+  not process.args : ("https://mirror.init7.net/ctan/systems*", "https://*.ctan.org*", "texlive/curl") and
 
   /* avoid breaking privileged install */
   not user.id : "S-1-5-18"

diff --git a/behavior/rules/command_and_control_ingress_tool_transfer_via_powershell.toml b/behavior/rules/command_and_control_ingress_tool_transfer_via_powershell.toml
@@ -7,7 +7,7 @@ id = "5abd98fb-ffbe-4cd6-9592-3cda7b155ff5"
 license = "Elastic License v2"
 name = "Ingress Tool Transfer via PowerShell"
 os_list = ["windows"]
-version = "1.0.16"
+version = "1.0.17"
 
 query = '''
 process where event.action == "start" and not user.id : "S-1-5-18" and
@@ -27,7 +27,14 @@ process where event.action == "start" and not user.id : "S-1-5-18" and
 
   not process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
   not (process.code_signature.subject_name : "Chocolatey Software, Inc." and process.code_signature.trusted == true) and
-  not process.executable : ("?:\\ProgramData\\Microsoft\\VisualStudio\\Packages\\*", "?:\\ProgramData\\chocolatey\\lib\\*")
+  not process.executable : ("?:\\ProgramData\\Microsoft\\VisualStudio\\Packages\\*", 
+                            "?:\\ProgramData\\chocolatey\\lib\\*", 
+                            "?:\\Users\\*\\AppData\\Local\\Temp\\ns*.tmp\\*.exe") and 
+  not process.hash.sha256 : 
+                 ("1aac95f980af717c580b1b32885f51e67f0c3631ca0e7cfb2908b75df9a3501c", 
+                  "c73c4ac2a7cdc48829fe0f9d7ec91ca41c8b434490d4eb3205aad69c7aa3b921", 
+                  "3655b300361f205778b3d998a158b7ffb962ede315d92c25c0735b7925b26d8e", 
+                  "2aac5c0da14cce02f809e0619c17dcc42ed995898dfb43f8312a924dd6b62a8a")
 '''
 
 min_endpoint_version = "8.4.0"

diff --git a/behavior/rules/credential_access_access_to_browser_credentials_from_suspicious_memory.toml b/behavior/rules/credential_access_access_to_browser_credentials_from_suspicious_memory.toml
@@ -7,7 +7,7 @@ id = "808395cd-fb50-4eba-846c-aabcf212c256"
 license = "Elastic License v2"
 name = "Access to Browser Credentials from Suspicious Memory"
 os_list = ["windows"]
-version = "1.0.19"
+version = "1.0.20"
 
 query = '''
 file where event.type == "access" and process.pid != 4 and
@@ -33,7 +33,10 @@ file where event.type == "access" and process.pid != 4 and
          process.code_signature.subject_name :
                                 ("Trichilia Consultants Limited", "Bitdefender SRL", "Opera Norway AS", "FireEye, Inc.",
                                  "Mozilla Corporation", "Google LLC", "Rapid7 LLC", "Cybereason, Inc", "Watchdata Technologies Pte. Ltd.", 
-                                 "Cylance, Inc.", "Bromium, Inc.")) and
+                                 "Cylance, Inc.", "Bromium, Inc.", "ONELAUNCH TECHNOLOGIES INC.", "philandro Software GmbH", 
+                                 "Eric R. Zimmerman", "CISCO SYSTEMS CANADA CO", "Cisco Systems, Inc.", "Fiserv", "Fiserv, Inc.", 
+                                 "Garmin International, Inc.")) and 
+    not (process.code_signature.trusted == true and process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and 
     not process.executable : "?:\\Program Files (x86)\\VMware\\Plug-in Service\\certutil.exe" and
     not _arraysearch(process.thread.Ext.call_stack, $entry,
                      $entry.symbol_info : ("?:\\Program Files\\*.dll*",
@@ -44,7 +47,8 @@ file where event.type == "access" and process.pid != 4 and
                                            "?:\\Windows\\System32\\umppc*.dll*",
                                            "?:\\Windows\\FireEye\\AppMonitorDll*.dll*",
                                            "?:\\Windows\\apppatch\\AppPatch*\\exploitblocker.dll*",
-                                           "?:\\windows\\system32\\hmpalert.dll!*"))
+                                           "?:\\windows\\system32\\hmpalert.dll!*", 
+                                           "\\Device\\Mup\\*"))
 '''
 
 min_endpoint_version = "8.7.0"

diff --git a/behavior/rules/credential_access_autologons_access_attempt_via_registry.toml b/behavior/rules/credential_access_autologons_access_attempt_via_registry.toml
@@ -8,7 +8,7 @@ license = "Elastic License v2"
 name = "AutoLogons Access Attempt via Registry"
 os_list = ["windows"]
 reference = ["https://github.com/GhostPack/SharpUp/blob/master/SharpUp/Checks/RegistryAutoLogons.cs#L26"]
-version = "1.0.8"
+version = "1.0.9"
 
 query = '''
 registry where event.action == "query" and process.executable != null and
@@ -23,6 +23,7 @@ registry where event.action == "query" and process.executable != null and
              "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe",
              "?:\\Windows\\System32\\MusNotification.exe", 
              "?:\\Windows\\SysWOW64\\MusNotification.exe",
+             "?:\\Windows\\System32\\wsmprovhost.exe",
              "?:\\Windows\\regedit.exe", 
              "?:\\Program Files\\*.exe", 
              "?:\\Program Files (x86)\\*.exe", 

diff --git a/behavior/rules/credential_access_failed_attempts_to_access_sensitive_files.toml b/behavior/rules/credential_access_failed_attempts_to_access_sensitive_files.toml
@@ -8,7 +8,7 @@ license = "Elastic License v2"
 name = "Failed Attempts to Access Sensitive Files"
 os_list = ["windows"]
 reference = ["https://github.com/GhostPack/Seatbelt", "https://github.com/AlessandroZ/LaZagne"]
-version = "1.0.21"
+version = "1.0.22"
 
 query = '''
 any where event.category in ("registry", "file") and
@@ -38,10 +38,14 @@ any where event.category in ("registry", "file") and
 	           "?:\\Program Files (x86)\\*.exe",
 	           "?:\\Windows\\System32\\SearchProtocolHost.exe",
 	           "?:\\Windows\\System32\\svchost.exe",
-	           "?:\\Windows\\System32\\OpenSSH\\ssh.exe") and
+	           "?:\\Windows\\System32\\OpenSSH\\ssh.exe", 
+	           "?:\\Windows\\System32\\OpenWith.exe", 
+	           "\\Device\\Mup*") and
 	 not (process.code_signature.subject_name :
 	          ("Rapid7 LLC", "Mozilla Corporation", "Commvault Systems, Inc.", "Google LLC", "Bitdefender SRL",
-	           "McAfee, Inc.", "Serengeti Systems Incorporated", "nordvpn s.a.", "Kaspersky Lab", "JetBrains s.r.o.") and
+	           "McAfee, Inc.", "Serengeti Systems Incorporated", "nordvpn s.a.", "Kaspersky Lab", "JetBrains s.r.o.", 
+	           "Illusive Networks LTD", "Ghisler Software GmbH", "Keeper Security Inc.", "Eric R. Zimmerman", 
+	           "Galactic Advisors, Inc.") and
          process.code_signature.trusted == true) and
      not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and
          user.id : "S-1-5-18" and process.code_signature.trusted == true)

diff --git a/behavior/rules/credential_access_security_account_manager_(sam)_file_access.toml b/behavior/rules/credential_access_security_account_manager_(sam)_file_access.toml
@@ -11,7 +11,7 @@ reference = [
     "https://adsecurity.org/?page_id=1821",
     "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump",
 ]
-version = "1.0.32"
+version = "1.0.33"
 
 query = '''
 file where event.action == "open" and 
@@ -41,11 +41,16 @@ file where event.action == "open" and
               "?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\*.exe",
               "?:\\Windows\\System32\\SrTasks.exe",
               "?:\\Windows\\System32\\rstrui.exe",
-              "?:\\Windows\\System32\\RecoveryDrive.exe") and
+              "?:\\Windows\\System32\\RecoveryDrive.exe", 
+              "?:\\Windows\\System32\\MRT.exe", 
+              "?:\\rsyncd\\bin\\rsync.exe", 
+              "?:\\PCBP\\wbps.exe", 
+              "?:\\Windows\\System32\\Robocopy.exe") and
  /* mounted OS install */
  not file.path : "?:\\?*\\Windows\\System32\\*" and 
  
- not (process.code_signature.subject_name : "ESET, spol. s r.o." and process.code_signature.trusted == true) and 
+ not (process.code_signature.subject_name : ("ESET, spol. s r.o.", "Commvault Systems, Inc.", "Eric R. Zimmerman") and 
+      process.code_signature.trusted == true) and 
  
  /* 8.6+ logs also failed access attempt which generate some noise */
  not event.outcome == "failure"

diff --git a/behavior/rules/credential_access_security_account_manager_(sam)_registry_access.toml b/behavior/rules/credential_access_security_account_manager_(sam)_registry_access.toml
@@ -11,16 +11,14 @@ reference = [
     "https://adsecurity.org/?page_id=1821",
     "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump",
 ]
-version = "1.0.30"
+version = "1.0.31"
 
 query = '''
 sequence by process.entity_id
   [process where event.action == "start" and
    not process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and
    not (process.name : "cscript.exe" and process.command_line : "*Tanium*collectAdInfo.vbs*" and
         process.Ext.token.integrity_level_name == "system") and
-   not (process.code_signature.subject_name : ("Check Point Software Technologies Ltd.", "AO Kaspersky Lab", "HCL America Inc.") and
-        process.code_signature.trusted == true) and
    not (process.executable : "?:\\Windows\\Provisioning\\Autopilot\\DiagonsticAnalysis.pif" and
         process.args : "?:\\Windows\\Provisioning\\Microsoft-Desktop-Provisioning-Diagnostic.dat") and
    not (process.parent.executable : "?:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\*\\ir_agent.exe" and process.name : "reg.exe") and
@@ -30,9 +28,13 @@ sequence by process.entity_id
    not process.hash.sha256 : "52f145a4ccc0f540a130bedbf04370a842daff1ee8d8361c75a8e0d21a88cf5a" and
    not (process.executable : ("?:\\Windows\\SysWOW64\\msiexec.exe", "?:\\windows\\system32\\msiexec.exe") and
         process.parent.executable : "?:\\windows\\sys*\\msiexec.exe" and process.args : "-Embedding" and process.parent.args : "/V") and
-   not (process.code_signature.subject_name : ("Trend Micro, Inc.", "Komodo Laboratories LLC", "Speckled Jay LLC", "Tenable Inc.", "HCL America Inc.") and
-        process.code_signature.trusted == true) and
-   not process.hash.sha256 : ("8016595ed2344c5322ea8eac1ffd490994417b5c4c745668aa5731ba9129e9fd", "f7e5566741042ce7a10cf2847279a0dd845ea813fdcb090cd4ee2359584c1496")
+   not (process.code_signature.trusted == true and 
+        process.code_signature.subject_name : ("Trend Micro, Inc.", "Komodo Laboratories LLC", "Speckled Jay LLC", "Tenable Inc.", "HCL America Inc.", 
+                                               "Kaspersky Lab*", "Check Point Software Technologies Ltd.", "AO Kaspersky Lab", "HCL America Inc.")) and
+   not process.hash.sha256 : 
+                ("8016595ed2344c5322ea8eac1ffd490994417b5c4c745668aa5731ba9129e9fd", 
+                 "f7e5566741042ce7a10cf2847279a0dd845ea813fdcb090cd4ee2359584c1496", 
+                 "c9283a6b825629e698915b5d948f669c325ea1eb5310a6ff03c640a77e5d6b46")
    ]
   [registry where event.action == "query" and
    registry.path : "HKLM\\SAM\\SAM\\Domains\\Account\\*" and