From 8471faea15a94c860cc3bf90664c7e83e0e376b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?BlueT=20-=20Matthew=20Lien=20-=20=E7=B7=B4=E5=96=86?= =?UTF-8?q?=E6=98=8E?=
Date: Wed, 26 Apr 2023 07:05:09 +0800
Subject: [PATCH 1/2] fix web_cve_2021_26858_iis_rce.yml (all of -> "|all")

https://github.com/SigmaHQ/sigma/pull/3952
https://github.com/SigmaHQ/sigma-specification/discussions/53
---
.../web_cve_2021_26858_iis_rce.yml | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml b/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml
index e85114085..7748c530c 100644
--- a/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml
+++ b/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml
@@ -21,13 +21,14 @@ detection:
- 'VirtualDirectory'
cs-username|endswith: '$'
keywords:
- - 'POST'
- - 200
- - '/ecp/DDI/DDIService.svc/SetObject'
- - 'schema=Reset'
- - 'VirtualDirectory'
- - '$'
- condition: selection or all of keywords
+ "|all":
+ - 'POST'
+ - 200
+ - '/ecp/DDI/DDIService.svc/SetObject'
+ - 'schema=Reset'
+ - 'VirtualDirectory'
+ - '$'
+ condition: selection or keywords
falsepositives:
- Unlikely
level: critical

From 797a8d07844f55b11979d3931a8ff3af167e5168 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 26 Apr 2023 10:42:38 +0200
Subject: [PATCH 2/2] Update web_cve_2021_26858_iis_rce.yml

---
rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml b/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml
index 7748c530c..10570812f 100644
--- a/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml
+++ b/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml
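Review bot: Under the new `"|all":` key every list entry is AND-ed as an unbound substring match, so the bare `'$'` and `200` items on the new side contribute almost no selectivity — `'$'` matches any event containing a dollar sign and `200` any event containing that digit run (a status code, a byte count, part of a path). Unless the converter special-cased a single identifier under `all of`, the old `condition: selection or all of keywords` degraded to a plain OR over the list, so this hunk does make the rule materially stricter, which appears to be the intent. It would be worth binding the two weak tokens to fields the way `selection` already does with `cs-username|endswith: '$'` (for the status, the IIS `sc-status` field) rather than leaving them as keywords, and adding a short comment above the key, `# every keyword below must appear in the same event`, so the next editor does not read the list as alternatives.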
@@ -6,7 +6,7 @@ references:
- https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: frack113
date: 2021/08/10
-modified: 2023/01/04
+modified: 2023/04/26
logsource:
product: windows
service: iis
@@ -21,7 +21,7 @@ detection:
- 'VirtualDirectory'
cs-username|endswith: '$'
keywords:
- "|all":
+ '|all':
- 'POST'
- 200
- '/ecp/DDI/DDIService.svc/SetObject'