From 1faef2fa97e5eda2884b054f3f1db7eb59256c7b Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 24 Aug 2022 09:23:35 +0900
Subject: [PATCH] fix backend bool conversion errors

---
 .../driver_load_vuln_avast_anti_rootkit_driver.yml | 3 ++-
 .../net_connection_win_remote_powershell_session_network.yml | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml
index c74c764eb..f1e5c9bbd 100644
--- a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
 date: 2022/07/28
+modified: 2022/08/24
 logsource:
 product: windows
 category: driver_load
@@ -22,7 +23,7 @@ detection:
 driver_img:
 ImageLoaded|endswith: '\aswArPot.sys'
 driver_status:
- Signed: false
+ Signed: 'false'
 - SignatureStatus: Expired
 condition: 1 of selection* or all of driver_*
 falsepositives:
diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
index 465b440ff..0b2e6f4f2 100755
--- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
 date: 2019/09/12
-modified: 2022/08/16
+modified: 2022/08/24
 logsource:
 category: network_connection
 product: windows
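Review bot: The quoted `'false'` under driver_status fixes the conversion error but leaves no trace in the rule of why a string is used where a boolean looks natural, so a later cleanup could unquote it and silently reintroduce the backend failure. Put the reason next to the value, e.g. `- Signed: 'false'  # string on purpose: a bare YAML bool breaks backend conversion`, and extend the existing inline comment on the `Initiated: 'true'` line of net_connection_win_remote_powershell_session_network.yml in the same way. If other rules in the tree still carry bare `true`/`false` detection values they would presumably hit the same error, so a sweep in this commit would be more robust than fixing the two rules that happened to fail. Both rule files continue outside their hunks (the `falsepositives` and `filter` blocks are cut off).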
@@ -15,7 +15,7 @@ detection:
 DestinationPort:
 - 5985
 - 5986
- Initiated: true # only matches of the initiating system can be evaluated
+ Initiated: 'true' # only matches of the initiating system can be evaluated
 filter:
 - User|contains: # covers many language settings for Network Service, please expand
 - 'NETWORK SERVICE'