From d19df2e4f7e7fa22ba5a441763d078d2aa851276 Mon Sep 17 00:00:00 2001
From: Yugoslavskiy Daniil
Date: Sun, 15 Dec 2019 00:17:22 +0100
Subject: [PATCH] fix issues with wrong tagging

---
 rules/windows/process_creation/win_net_user_add.yml | 2 +-
 rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml | 2 +-
 rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml | 2 +-
 rules/windows/sysmon/sysmon_suspicious_remote_thread.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml
index 7dbef3b56..3eae4864e 100644
--- a/rules/windows/process_creation/win_net_user_add.yml
+++ b/rules/windows/process_creation/win_net_user_add.yml
@@ -8,7 +8,7 @@ author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
 date: 2018/10/30
 modified: 2019/11/11
 tags:
- - attack.persistance
+ - attack.persistence
 - attack.credential_access
 - attack.t1136
 logsource:
diff --git a/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml b/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml
index e83e22ac4..f8be7fd72 100644
--- a/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/sysmon/sysmon_in_memory_assembly_execution.yml
@@ -7,7 +7,7 @@ references:
 - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
 tags:
 - attack.privilege_escalation
- - attack.T1055
+ - attack.t1055
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml b/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
index 6a17f0d23..f90dc057f 100644
--- a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
+++ b/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
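Review bot: Nothing in the patch prevents the corrected tags from drifting again: `attack.persistance` becomes `attack.persistence` here, and the uppercase technique ids `attack.T1055` and `attack.T1003` are lowercased in the other three hunks (`sysmon_in_memory_assembly_execution.yml`, `sysmon_minidumwritedump_lsass.yml`, `sysmon_suspicious_remote_thread.yml`), but the fix is purely by hand. A misspelt or wrongly cased tag silently removes a rule from any tactic- or technique-keyed coverage mapping, so this is a detection-coverage defect rather than a cosmetic one, and it is easy to reintroduce in a new rule. If the repository's rule tests do not already do so, a check that every `attack.*` tag is either a known lowercase tactic name or matches a pattern like `attack.t\d{4}` would catch this before merge. The `tags:` list is fully inside each hunk.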
@@ -10,7 +10,7 @@ references:
 - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
 tags:
 - attack.credential_access
- - attack.T1003
+ - attack.t1003
 logsource:
 product: windows
 service: sysmon
diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
index c585b2eee..69dbccaad 100644
--- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
@@ -14,7 +14,7 @@ logsource:
 service: sysmon
 tags:
 - attack.privilege_escalation
- - attack.T1055
+ - attack.t1055
 detection:
 selection:
 EventID: 8