fix: Correct broken rules, add documentation

rules/linux/lnx_file_copy.yml

@@ -9,17 +9,14 @@ references:
 logsource:
     product: linux
 detection:
-    keywords:
-        - Scp|contains:
-          - 'scp'
-        - Rsync|contains:
-          - 'rsync -r'
-        - Sftp|contains:
-          - 'sftp'
+    tools:
+        - 'scp '
+        - 'rsync '
+        - 'sftp '
     filter:
         - '@'
         - ':'
-    condition: keywords and filter
+    condition: tools and filter
 falsepositives:
     - Legitimate administration activities
 level: low

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -17,6 +17,11 @@ logsource:
 detection:
     selection:
         EventID: 4738
+    # According to Microsoft, the bit values are listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
+    # However, that seems to be a simple copy from https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+    # and the actual flags that are used are quite different and, unfortunately, not documented.
+    # https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/ contains a number of EVTX files with relevant events, which can be used to extract
+    # the following values.
     olduac_des: # 0x8000
         OldUacValue|endswith:
             - 8???

rules/windows/other/win_defender_disabled.yml

@@ -54,4 +54,4 @@ detection:
     keywords:
         - 'Windows Defender Antivirus Service'
         - 'stopped'
-    condition: selection3 and keywords
+    condition: selection3 and all of keywords