From f80d8a83da1cb04847dab763cf5f083ad2203c5e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 27 Jul 2022 12:52:51 +0100
Subject: [PATCH] Fix typos

---
 .../proc_creation_win_non_priv_reg_or_ps.yml             | 2 +-
 .../proc_creation_win_windows_terminal_susp_children.yml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml b/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml
index 97d0e95f2..cae04aba2 100644
--- a/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml
@@ -1,7 +1,7 @@
 title: Non-privileged Usage of Reg or Powershell
 id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
 status: test
-description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry
+description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 references:
     - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
index 15a6c57fc..0240caa6e 100644
--- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
@@ -6,8 +6,8 @@ references:
     - https://persistence-info.github.io/Data/windowsterminalprofile.html
     - https://twitter.com/nas_bench/status/1550836225652686848
 author: Nasreddine Bencherchali
-date: 2019/04/03
-modified: 2022/07/14
+date: 2022/07/25
+modified: 2022/07/27
 logsource:
     category: process_creation
     product: windows
@@ -38,7 +38,7 @@ detection:
             - 'DownloadString('
             - ' /c '
             - ' /k '
-    filter_builtin_vscode_shell:
+    filter_builtin_visual_studio_shell:
         CommandLine|contains|all:
             - 'Import-Module'
             - 'Microsoft.VisualStudio.DevShell.dll'
@@ -49,7 +49,7 @@ detection:
             - '\LocalState\settings.json'
     condition: all of selection_* and not 1 of filter_*
 falsepositives:
-    - Legitimate "Windows Terminal" profiles
+    - Other legitimate "Windows Terminal" profiles
 level: medium
 tags:
     - attack.execution