From 0df87d76f2c73af42d1792d6e94d5d5aab958c34 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 10 Oct 2022 22:49:34 +0200
Subject: [PATCH] fix: duplicate, list with one entry

---
 .../proc_creation_win_pchunter_execution.yml | 24 -------------------
 .../proc_creation_win_susp_pchunter.yml | 5 ++--
 .../proc_creation_win_susp_process_hacker.yml | 2 +-
 3 files changed, 4 insertions(+), 27 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_pchunter_execution.yml

diff --git a/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml b/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml
deleted file mode 100644
index a95004187..000000000
--- a/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: PCHunter Execution
-id: df5daa7b-c2d5-4a4d-972b-5f85febe56bc
-status: experimental
-description: Detects the execution PCHunter based on image and Original File Name fields.
-references:
- - http://www.xuetr.com/
- - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
-author: Nasreddine Bencherchali
-date: 2022/10/05
-tags:
- - attack.defense_evasion
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- - Image|endswith:
- - '\PCHunter32.exe'
- - '\PCHunter64.exe'
- - OriginalFileName: 'PCHunter.exe'
- condition: selection
-falsepositives:
- - Unlikely
-level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
index 72290f0d1..d233a8713 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
@@ -5,7 +5,8 @@ status: experimental
 references:
 - http://www.xuetr.com/
 - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
-author: Florian Roth
+ - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
+author: Florian Roth, Nasreddine Bencherchali
 date: 2022/10/10
 logsource:
 category: process_creation
@@ -19,7 +20,7 @@ detection:
 - OriginalFileName: 'PCHunter.exe'
 - Description: 'Epoolsoft Windows Information View Tools'
 selection_hashes:
- - Hashes|contains:
+ Hashes|contains:
 - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
 - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
 - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
index 1d545d897..b54f27a17 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
@@ -20,7 +20,7 @@ detection:
 - Description: 'Process Hacker'
 - Product: 'Process Hacker'
 selection_hashes:
- - Hashes|contains:
+ Hashes|contains:
 - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
 - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
 - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
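Review bot: The deleted duplicate rule matched on the process image (`Image|endswith` with `'\PCHunter32.exe'` and `'\PCHunter64.exe'`), but the surviving `selection` in proc_creation_win_susp_pchunter.yml shows only `OriginalFileName` and `Description` entries in the `-19,7 +20,7` hunk, so unless the image-name entries already sit in the part of `selection` above the hunk, folding the duplicate into this rule silently drops the one match that does not depend on the version-resource fields. If they are missing, add `- Image|endswith:` with `'\PCHunter32.exe'` and `'\PCHunter64.exe'` as a further entry of `selection`, keeping the list-of-maps OR semantics the existing entries use. The `selection` block and the `condition` line are outside the hunk, so this is inferred from the deleted file rather than visible here. The flattened `Hashes|contains:` mapping, here and in the matching hunk of proc_creation_win_susp_process_hacker.yml, is the correct Sigma form for one field with several OR'ed values.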