From 26c1c233052c3ee1e9564ac2ca7b32030ca2ed7e Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 20 Jan 2022 10:45:30 +0100
Subject: [PATCH] fix: typo
---
 rules/windows/file_event/win_fe_creation_new_shim_database.yml | 2 +-
 rules/windows/file_event/win_fe_creation_scr_binary_file.yml | 2 +-
 .../file_event/win_fe_creation_unquoted_service_path.yml | 2 +-
 rules/windows/file_event/win_fe_writing_local_admin_share.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/file_event/win_fe_creation_new_shim_database.yml b/rules/windows/file_event/win_fe_creation_new_shim_database.yml
index e98d18a5a..c00f31c4e 100644
--- a/rules/windows/file_event/win_fe_creation_new_shim_database.yml
+++ b/rules/windows/file_event/win_fe_creation_new_shim_database.yml
@@ -17,7 +17,7 @@ detection:
 TargetFilename|contains: '\Windows\apppatch\Custom\'
 condition: selection
 falsepositives:
- - Unkown
+ - Unknown
 level: medium
 tags:
 - attack.persistence
diff --git a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml
index bc300a247..5d16e8fb9 100644
--- a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml
+++ b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml
@@ -21,7 +21,7 @@ detection:
 - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
 condition: selection and not 1 of filter*
 falsepositives:
- - Unkown
+ - Unknown
 level: medium
 tags:
 - attack.persistence
diff --git a/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml b/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml
index 2907976d7..5b2dfdcb1 100644
--- a/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml
+++ b/rules/windows/file_event/win_fe_creation_unquoted_service_path.yml
@@ -17,7 +17,7 @@ detection:
 TargetFilename: 'C:\program.exe'
 condition: selection
 falsepositives:
- - Unkown
+ - Unknown
 level: high
 tags:
 - attack.persistence
diff --git a/rules/windows/file_event/win_fe_writing_local_admin_share.yml b/rules/windows/file_event/win_fe_writing_local_admin_share.yml
index f24754360..5df4b850e 100644
--- a/rules/windows/file_event/win_fe_writing_local_admin_share.yml
+++ b/rules/windows/file_event/win_fe_writing_local_admin_share.yml
@@ -18,7 +18,7 @@ detection:
 - '\ADMIN$\'
 condition: selection
 falsepositives:
- - Unkown
+ - Unknown
 level: medium
 tags:
 - attack.lateral_movement