fix: fixed casing and long rule titles

Florian Roth
2020-01-30 17:26:09 +01:00
parent 43af93a678
commit d42e87edd7
63 changed files with 87 additions and 88 deletions
@@ -1,4 +1,4 @@
title: Django framework exceptions
title: Django Framework Exceptions
id: fd435618-981e-4a7c-81f8-f78ce480d616
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
@@ -1,4 +1,4 @@
title: Ruby on Rails framework exceptions
title: Ruby on Rails Framework Exceptions
id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
author: Thomas Patzke
@@ -1,4 +1,4 @@
title: Spring framework exceptions
title: Spring Framework Exceptions
id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
author: Thomas Patzke
+1 -1
@@ -1,5 +1,5 @@
action: global
title: GALLIUM artefacts
title: GALLIUM Artefacts
id: 440a56bf-7873-4439-940a-1c8a671073c2
status: experimental
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
@@ -1,4 +1,4 @@
title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
title: Edit of .bash_profile and .bashrc
id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
status: experimental
description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
@@ -18,7 +18,7 @@ detection:
type: 'PATH'
name:
- '/home/*/.bashrc'
- '/home/*/.bash_profile'
- '/home/*/.bash_profile'
- '/home/*/.profile'
- '/etc/profile'
- '/etc/shells'
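Review bot: The `name` list visible in the second hunk watches the per-user start-up files only under `/home/*/`, so an edit to root's own files would not match unless entries for them exist further down the list, which continues outside the hunk. If they are missing, add `- '/root/.bashrc'`, `- '/root/.bash_profile'` and `- '/root/.profile'` next to the `/home/*` entries. The hunk itself only changes whitespace, so this is about the rule's coverage rather than the edit.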
@@ -1,4 +1,4 @@
title: Masquerading as Linux crond process
title: Masquerading as Linux Crond Process
id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
status: experimental
description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
+3 -3
@@ -1,4 +1,4 @@
title: Detects Suspicious Commands on Linux systems
title: Suspicious Commands Linux
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
status: experimental
description: Detects relevant commands often related to malware or hacking activity
@@ -18,7 +18,7 @@ detection:
type: 'EXECVE'
a0: 'chmod'
a1: 'u+s'
cmd3:
cmd3:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/ksh'
@@ -29,4 +29,4 @@ detection:
condition: 1 of them
falsepositives:
- Admin activity
level: medium
level: medium
@@ -1,4 +1,4 @@
title: Multiple Failed Logins with Different Accounts from Single Source System
title: Failed Logins with Different Accounts from Single Source System
id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
author: Florian Roth
date: 2017/02/16
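Review bot: The new title here, `Failed Logins with Different Accounts from Single Source System`, is identical to the new title given to rule e98374a6-e2d9-4076-9b5c-11bdb2569995 later in this commit, so an alert title alone does not tell an analyst which of the two rules fired. Since both titles are being edited anyway, each could carry a short qualifier, for example `title: Failed Logins with Different Accounts from Single Source System - <log source>`. The log source and detection logic of both rules are outside the visible hunks, so the right qualifier has to come from there.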
@@ -1,4 +1,4 @@
title: DNS TXT Answer with possible execution strings
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: experimental
description: Detects strings used in command execution in DNS TXT Answer
+1 -1
@@ -1,4 +1,4 @@
title: CobaltStrike Malleable Amazon browsing traffic profile
title: CobaltStrike Malleable Amazon Browsing Traffic Profile
id: 953b895e-5cc9-454b-b183-7f3db555452e
status: experimental
description: Detects Malleable Amazon Profile
+1 -1
@@ -1,4 +1,4 @@
title: CobaltStrike Malleable OneDrive browsing traffic profile
title: CobaltStrike Malleable OneDrive Browsing Traffic Profile
id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
status: experimental
description: Detects Malleable OneDrive Profile
@@ -1,4 +1,4 @@
title: Multiple suspicious Response Codes caused by Single Client
title: Multiple Suspicious Resp Codes Caused by Single Client
id: 6fdfc796-06b3-46e8-af08-58f3505318af
description: Detects possible exploitation activity or bugs in a web application
author: Thomas Patzke
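Review bot: The shortened title `Multiple Suspicious Resp Codes Caused by Single Client` abbreviates "Response" to "Resp", which is not a common abbreviation and will be missed by anyone searching rules or alerts for "response code". `title: Suspicious Response Codes from Single Client` is shorter still and keeps the full word.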
@@ -1,4 +1,4 @@
title: Persistence and Execution at scale via GPO scheduled task
title: Persistence and Execution at Scale via GPO Scheduled Task
id: a8f29a7b-b137-4446-80a0-b804272f3da2
description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
author: Samir Bousseaden
+1 -1
@@ -1,4 +1,4 @@
title: Remote Task Creation via ATSVC named pipe
title: Remote Task Creation via ATSVC Named Pipe
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
author: Samir Bousseaden
@@ -1,4 +1,4 @@
title: Possible Impacket SecretDump remote activity
title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
description: Detect AD credential dumping using impacket secretdump HKTL
author: Samir Bousseaden
+1 -1
@@ -1,4 +1,4 @@
title: First time seen remote named pipe
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec
using named pipes
@@ -1,4 +1,4 @@
title: Scanner PoC for CVE-2019-0708 RDP RCE vuln
title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
id: 8400629e-79a9-4737-b387-5db940ab2367
description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
references:
@@ -1,4 +1,4 @@
title: RDP Login from localhost
title: RDP Login from Localhost
id: 51e33403-2a37-4d66-a574-1fda1782cc31
description: RDP login with localhost source address may be a tunnelled login
references:
@@ -1,4 +1,4 @@
title: Potential RDP exploit CVE-2019-0708
title: Potential RDP Exploit CVE-2019-0708
id: aaa5b30d-f418-420b-83a0-299cb6024885
description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
references:
@@ -1,4 +1,4 @@
title: Multiple Failed Logins with Different Accounts from Single Source System
title: Failed Logins with Different Accounts from Single Source System
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth
+1 -1
@@ -1,4 +1,4 @@
title: Suspicious PsExec execution
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker
uses a different psexec client other than sysinternal one
@@ -1,4 +1,4 @@
title: Suspicious access to sensitive file extensions
title: Suspicious Access to Sensitive File Extensions
id: 91c945bc-2ad1-4799-a591-4d00198a1215
description: Detects known sensitive file extensions
author: Samir Bousseaden
@@ -1,4 +1,4 @@
title: Remote Service Activity Detected via SVCCTL named pipe
title: Remote Service Activity via SVCCTL Named Pipe
id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
description: Detects remote remote service activity via remote access to the svcctl named pipe
author: Samir Bousseaden
+1 -1
@@ -1,4 +1,4 @@
title: Detects local user creation
title: Local User Creation
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows
server logs and not on your DC logs.
@@ -1,4 +1,4 @@
title: PowerShell called from an Executable Version Mismatch
title: PowerShell Called from an Executable Version Mismatch
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
status: experimental
description: Detects PowerShell called from an executable by the version mismatch method
@@ -1,4 +1,4 @@
title: Hiding files with attrib.exe
title: Hiding Files with Attrib.exe
id: 4281cb20-2994-4580-aa63-c8b86d019934
status: experimental
description: Detects usage of attrib.exe to hide files from users.
@@ -1,4 +1,4 @@
title: Droppers exploiting CVE-2017-11882
title: Droppers Exploiting CVE-2017-11882
id: 678eb5f4-8597-4be6-8be7-905e4234b53a
status: experimental
description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
@@ -1,4 +1,4 @@
title: Windows Kernel and 3rd-party drivers exploits. Token stealing
title: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing
id: 8065b1b4-1778-4427-877f-6bf948b26d38
description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
references:
@@ -23,4 +23,4 @@ falsepositives:
level: critical
enrichment:
- EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
- EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
- EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
@@ -1,7 +1,7 @@
title: MSHTA spwaned by SVCHOST as seen in LethalHTA
title: MSHTA Spwaned by SVCHOST
id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
status: experimental
description: Detects MSHTA.EXE spwaned by SVCHOST described in report
description: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report
references:
- https://codewhitesec.blogspot.com/2018/07/lethalhta.html
tags:
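Review bot: The retitled rule keeps the misspelling "Spwaned" in `title: MSHTA Spwaned by SVCHOST` and in the rewritten `description` line; both should read "Spawned", e.g. `title: MSHTA Spawned by SVCHOST`. The same applies to `title: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word` later in this commit, where "Mangement" should be "Management". Titles are what analysts search for and what alerts display, so a misspelled keyword makes the rule harder to find.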
@@ -1,4 +1,4 @@
title: Executable used by PlugX in Uncommon Location - Sysmon Version
title: Executable Used by PlugX in Uncommon Location
id: aeab5ec5-be14-471a-80e8-e344418305c2
status: experimental
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
@@ -59,7 +59,7 @@ detection:
selection_msseces:
Image: '*\msseces.exe'
filter_msseces:
Image:
Image:
- '*\Microsoft Security Center\\*'
- '*\Microsoft Security Client\\*'
- '*\Microsoft Security Essentials\\*'
@@ -1,5 +1,5 @@
action: global
title: SILENTTRINITY stager execution
title: SILENTTRINITY Stager Execution
id: 03552375-cc2c-4883-bbe4-7958d5a980be
status: experimental
description: Detects SILENTTRINITY stager use
@@ -1,4 +1,4 @@
title: Possible Ransomware or unauthorized MBR modifications
title: Possible Ransomware or Unauthorized MBR Modifications
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: experimental
description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
@@ -1,4 +1,4 @@
title: Application whitelisting bypass via bginfo
title: Application Whitelisting Bypass via Bginfo
id: aaf46cdc-934e-4284-b329-34aa701e3771
status: experimental
description: Execute VBscript code that is referenced within the *.bgi file.
@@ -1,4 +1,4 @@
title: Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner
title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: experimental
description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
@@ -1,4 +1,4 @@
title: Command Line Execution with suspicious URL and AppData Strings
title: Command Line Execution with Suspicious URL and AppData Strings
id: 1ac8666b-046f-4201-8aba-1951aaec03a3
status: experimental
description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs
@@ -1,4 +1,4 @@
title: Process dump via comsvcs DLL
title: Process Dump via Comsvcs DLL
id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
status: experimental
description: Detects process memory dump via comsvcs.dll and rundll32
@@ -1,7 +1,7 @@
title: ZOHO dctask64 Process Injection
title: ZOHO Dctask64 Process Injection
id: 6345b048-8441-43a7-9bed-541133633d7a
status: experimental
description: Detects suspicious process injection using ZOHO's dctask64.exe
description: Detects suspicious process injection using ZOHO's dctask64.exe
references:
- https://twitter.com/gN3mes1s/status/1222088214581825540
- https://twitter.com/gN3mes1s/status/1222095963789111296
@@ -1,4 +1,4 @@
title: Devtoolslauncher.exe executes specified binary
title: Devtoolslauncher.exe Executes Specified Binary
id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
status: experimental
description: The Devtoolslauncher.exe executes other binary
@@ -1,4 +1,4 @@
title: Application Whitelisting bypass via dnx.exe
title: Application Whitelisting Bypass via Dnx.exe
id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
status: experimental
description: Execute C# code located in the consoleapp folder
@@ -1,4 +1,4 @@
title: Application Whitelisting bypass via dxcap.exe
title: Application Whitelisting Bypass via Dxcap.exe
id: 60f16a96-db70-42eb-8f76-16763e333590
status: experimental
description: Detects execution of of Dxcap.exe
@@ -1,4 +1,4 @@
title: Suspicious eventlog clear or configuration using wevtutil
title: Suspicious Eventlog Clear or Configuration Using Wevtutil
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
description: Detects clearing or configuration of eventlogs uwing wevtutil. Might be used by ransomwares during the attack (seen by NotPetya and others)
author: Ecco
@@ -25,7 +25,7 @@ detection:
selection_disable_2:
CommandLine: '* set-log *'
condition: (1 of selection_binary_*) and (1 of selection_clear_* or 1 of selection_disable_*)
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
@@ -1,4 +1,4 @@
title: Fsutil suspicious invocation
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen
by NotPetya and others)
@@ -16,12 +16,12 @@ detection:
binary_2:
OriginalFileName: 'fsutil.exe'
selection:
CommandLine:
CommandLine:
- '* deletejournal *' # usn deletejournal ==> generally ransomware or attacker
- '* createjournal *' # usn createjournal ==> can modify config to set it to a tiny size
condition: (1 of binary_*) and selection
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
@@ -1,4 +1,4 @@
title: Malicious payload download via Office binaries
title: Malicious Payload Download via Office Binaries
id: 0c79148b-118e-472b-bdb7-9b57b444cc19
status: experimental
description: Downloads payload from remote server
@@ -18,7 +18,7 @@ logsource:
product: windows
detection:
selection:
Image|endswith:
Image|endswith:
- '\powerpnt.exe'
- '\winword.exe'
- '\excel.exe'
@@ -1,4 +1,4 @@
title: Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe
title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
status: experimental
@@ -18,7 +18,7 @@ logsource:
detection:
selection_1:
Image|endswith: '\odbcconf.exe'
CommandLine|contains:
CommandLine|contains:
- '-f'
- 'regsvr'
selection_2:
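Review bot: `CommandLine|contains` in `selection_1` lists the response-file switch only in its dash form, `'-f'`, while odbcconf.exe documents its switches in slash form, so a command line written with the slash form would not match this entry. Adding `- '/f'` to the list would cover both spellings. `selection_2` begins on the last line of the hunk and its body is outside it, so it may already handle other forms; the hunk itself changes only whitespace.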
@@ -1,4 +1,4 @@
title: OpenWith.exe executes specified binary
title: OpenWith.exe Executes Specified Binary
id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
status: experimental
description: The OpenWith.exe executes other binary
@@ -1,4 +1,4 @@
title: Malicious Base64 encoded PowerShell Keywords in command lines
title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
status: experimental
description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
@@ -1,4 +1,4 @@
title: Suspicious PowerShell Invocation based on Parent Process
title: Suspicious PowerShell Invocation Based on Parent Process
id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: experimental
description: Detects suspicious powershell invocations from interpreters or unusual programs
@@ -1,4 +1,4 @@
title: psr.exe capture screenshots
title: Psr.exe Capture Screenshots
id: 2158f96f-43c2-43cb-952a-ab4580f32382
status: experimental
description: The psr.exe captures desktop screenshots and saves them on the local machine
@@ -19,6 +19,6 @@ detection:
selection:
Image|endswith: '\Psr.exe'
CommandLine|contains: '/start'
condition: selection
condition: selection
falsepositives:
- Unknown
@@ -1,4 +1,4 @@
title: Renamed ZOHO dctask64
title: Renamed ZOHO Dctask64
id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
status: experimental
description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
@@ -1,4 +1,4 @@
title: Suspect svchost Activity
title: Suspect Svchost Activity
id: 16c37b52-b141-42a5-a3ea-bbe098444397
status: experimental
description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
@@ -26,4 +26,4 @@ fields:
- ParentCommandLine
falsepositives:
- rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
level: critical
level: critical
@@ -1,4 +1,4 @@
title: Suspicious WMI execution
title: Suspicious WMI Execution
id: 526be59f-a573-4eea-b5f7-f0973207634d
status: experimental
description: Detects WMI executing suspicious commands
@@ -1,4 +1,4 @@
title: Sysmon driver unload
title: Sysmon Driver Unload
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
status: experimental
author: Kirill Kiryanov, oscd.community
@@ -1,4 +1,4 @@
title: Windows 10 scheduled task SandboxEscaper 0-day
title: Windows 10 Scheduled Task SandboxEscaper 0-day
id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
status: experimental
description: Detects Task Scheduler .job import arbitrary DACL write\par
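Review bot: The `description` line in this hunk ends in a stray `\par`, which looks like leftover RTF markup and will appear verbatim wherever the description is displayed. Since the rule header is being edited in this commit, the line could be cleaned to `description: Detects Task Scheduler .job import arbitrary DACL write`.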
@@ -1,4 +1,4 @@
title: DHCP Callout DLL installation
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: experimental
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the
@@ -19,7 +19,7 @@ logsource:
detection:
selection:
EventID: 13
TargetObject:
TargetObject:
- '*\Services\DHCPServer\Parameters\CalloutDlls'
- '*\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
@@ -1,4 +1,4 @@
title: Suspect svchost memory access
title: Suspect Svchost Memory Asccess
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: experimental
description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
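Review bot: The new title introduces a typo: `title: Suspect Svchost Memory Asccess` should be `title: Suspect Svchost Memory Access`. The old title spelled the word correctly, so this is a regression from the casing change and will break title-based searches for this rule.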
@@ -1,4 +1,4 @@
title: RDP over Reverse SSH Tunnel
title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: experimental
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
@@ -19,7 +19,7 @@ detection:
EventID: 3
Image: '*\svchost.exe'
Initiated: 'true'
SourcePort: 3389
SourcePort: 3389
DestinationIp:
- '127.*'
- '::1'
@@ -1,4 +1,4 @@
title: Windows Registry Persistence - COM key linking
title: Windows Registry Persistence COM Key Linking
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: experimental
description: Detects COM object hijacking via TreatAs subkey
@@ -20,6 +20,6 @@ detection:
TargetObject|contains: '_Classes\CLSID\'
TargetObject|endswith: '\TreatAs'
condition: selection
falsepositives:
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compability
level: medium
@@ -1,4 +1,4 @@
title: Security Support Provider (SSP) added to LSA configuration
title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: experimental
description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
@@ -16,7 +16,7 @@ logsource:
detection:
selection_registry:
EventID: 13
TargetObject:
TargetObject:
- 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages'
- 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages'
exclusion_images:
@@ -26,4 +26,3 @@ detection:
falsepositives:
- Unlikely
level: critical
@@ -1,4 +1,4 @@
title: Suspicious File Characteristics due to Missing Fields
title: Suspicious File Characteristics Due to Missing Fields
id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
description: Detects Executables without FileVersion,Description,Product,Company likely created with py2exe
status: experimental
@@ -24,7 +24,7 @@ detection:
Product: '\?'
selection3:
Description: '\?'
Company: '\?'
Company: '\?'
condition: 1 of them
fields:
- CommandLine
@@ -1,4 +1,4 @@
title: Suspicious Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
title: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
id: a457f232-7df9-491d-898f-b5aabd2cbe2f
status: experimental
description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
@@ -1,4 +1,4 @@
title: Hijack legit RDP session to move laterally
title: Hijack Legit RDP Session to Move Laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: experimental
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
@@ -1,4 +1,4 @@
title: UAC Bypass via sdclt
title: UAC Bypass via Sdclt
id: 5b872a46-3b90-45c1-8419-f675db8053aa
status: experimental
description: Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
@@ -1,4 +1,4 @@
title: Windows webshell creation
title: Windows Webshell Creation
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: experimental
description: Posible webshell file creation on a static web site
@@ -19,12 +19,12 @@ detection:
EventID: 11
selection_2:
TargetFilename|contains: '\inetpub\wwwroot\'
selection_3:
selection_3:
TargetFilename|contains:
- '.asp'
- '.ashx'
- '.ph'
selection_4:
selection_4:
TargetFilename|contains:
- '\www\'
- '\htdocs\'
@@ -32,10 +32,10 @@ detection:
selection_5:
TargetFilename|contains: '.ph'
selection_6:
- TargetFilename|contains|all:
- TargetFilename|contains|all:
- '\'
- '.jsp'
- TargetFilename|contains|all:
- TargetFilename|contains|all:
- '\cgi-bin\'
- '.pl'
condition: selection_1 and ( selection_2 and selection_3 ) or