Merge pull request #890 from rtkbkish/file-event-fixes

Fixes for rules in the sysmon file_event category

rules/windows/file_event/sysmon_hack_dumpert.yml

@@ -10,9 +10,6 @@ date: 2020/02/04
 tags:
     - attack.credential_access
     - attack.t1003
-logsource:
-    category: file_event
-    product: windows
 falsepositives:
     - Very unlikely
 level: critical
@@ -26,8 +23,8 @@ detection:
     condition: selection
 ---
 logsource:
+    category: file_event
     product: windows
-    service: sysmon
 detection:
     selection: 
         TargetFilename: C:\Windows\Temp\dumpert.dmp

rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml

@@ -10,7 +10,7 @@ logsource:
 detection:
     selection:
         Image: '*\mstsc.exe'
-        TargetFileName: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
+        TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
     condition: selection
 falsepositives:
     - unknown

rules/windows/file_event/sysmon_wmi_persistence_script_event_consumer_write.yml

@@ -11,7 +11,7 @@ tags:
     - attack.persistence
 logsource:
     product: windows
-    category: file_created
+    category: file_event
 detection:
     selection:
         Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'