fix

rules/windows/process_creation/minidumpwritedump.yml

@@ -6,7 +6,7 @@ tags:
   - attack.credential_access
   - attack.t1003
 status: experimental
-author:  Aleksey Potapov, oscd.community
+author: Aleksey Potapov, oscd.community
 date: 2019/10/22
 logsource:
   category: process_creation
@@ -14,7 +14,7 @@ logsource:
 detection:
   selection:
     Image: '*\rundll32.exe'
-		CommandLine: '*comsvcs.dll*minidump*'
+    CommandLine: '*comsvcs.dll*minidump*'
   condition: selection
 falsepositives:
   - unknown

rules/windows/process_creation/renamed_binary_description.yml

@@ -13,7 +13,7 @@ logsource:
   product: windows
   service: sysmon
 detection:
-	selection:
+  selection:
     Description:
       - "active directory editor"
       - "sysinternals process dump utility"
@@ -34,27 +34,27 @@ detection:
       - "windows ® installer"
       - "7-zip console"
 
-	filter:
-		Image:
-			- '*\adexplorer.exe'
-			- '*\procdump.exe'
-			- '*\msbuild.exe'
-			- '*\dotnet.exe'
-			- '*\cmd.exe'
-			- '*\powershell.exe'
-			- '*\psexec.exe'
-			- '*\installutil.exe'
-			- '*\cscript.exe'
-			- '*\wscript.exe'
-			- '*\mshta.exe'
-			- '*\regsvr32.exe'
-			- '*\wmic.exe'
-			- '*\certutil.exe'
-			- '*\rundll32.exe'
-			- '*\cmstp.exe'
-			- '*\msiexec.exe'
-			- '*\7z.exe'
-	condition: selection and not filter
+  filter:
+    Image:
+      - '*\adexplorer.exe'
+      - '*\procdump.exe'
+      - '*\msbuild.exe'
+      - '*\dotnet.exe'
+      - '*\cmd.exe'
+      - '*\powershell.exe'
+      - '*\psexec.exe'
+      - '*\installutil.exe'
+      - '*\cscript.exe'
+      - '*\wscript.exe'
+      - '*\mshta.exe'
+      - '*\regsvr32.exe'
+      - '*\wmic.exe'
+      - '*\certutil.exe'
+      - '*\rundll32.exe'
+      - '*\cmstp.exe'
+      - '*\msiexec.exe'
+      - '*\7z.exe'
+  condition: selection and not filter
 falsepositives:
-	- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
+  - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
 level: medium

rules/windows/sysmon/cobalt_execute_assembly.yml

@@ -6,7 +6,7 @@ tags:
   - attack.defense_evasion
   - attack.t1055
 status: experimental
-author:  Aleksey Potapov, oscd.community
+author: Aleksey Potapov, oscd.community
 date: 2019/10/22
 logsource:
   product: windows

rules/windows/sysmon/win_sysmon_driver_unload.yml

@@ -16,7 +16,7 @@ detection:
   selection:
     EventID: 4688
     ProcessName: '*\fltMC.exe'
-    CommandLine:  '*unload*Sys*'
+    CommandLine: '*unload*Sys*'
   selection1:
     EventID: 4673
     PrivilegeList: '*\SeLoadDriverPrivilege'