From d5fa226180fd5ed5f6ec3f554d23e1faeef35004 Mon Sep 17 00:00:00 2001
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com>
Date: Tue, 31 Aug 2021 21:54:32 -0600
Subject: [PATCH] Updated Rule

Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated author
- updated description in detection section.
- Removed the service: Sysmon, updated selection1.
---
 ...creations_with_Wmiprvse_parent_process.yml | 24 +++++++++----------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml
index 3acabbeab..f08b2b5a9 100644
--- a/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml
+++ b/rules/windows/sysmon/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml
@@ -1,25 +1,23 @@
-title: LOLBins process creations with Wmiprvse parent process(sysmon)
+title: LOLBins Process Created With WmiPrvSE
 description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.
 references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Idea by: Vadim Khrykov"
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
 tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defence_evasion
+ - attack.t1204.002
+ - attack.t1047
+ - attack.t1218.010
+ - attack.execution
+ - attack.defence_evasion
 status: experimental
 Date: 2021/23/8
 logsource:
 product: Windows
- service: Sysmon
 category: process_creation
 detection:
- description: add more LOLBins to the rules logic of your choice.
+ #useful_information: add more LOLBins to the rules logic of your choice.
 selection1:
- EventLog: Microsoft-Windows-Sysmon/Operational
 EventID: 1
 selection2:
 Image|endswith:
@@ -34,4 +32,4 @@ detection:
 condition: selection1 AND selection2 AND selection3
 falsepositives:
 - "FPs are possible here, but some LOLBins weren't excluded for obvious reasons."
-level: high
\ No newline at end of file
+level: high
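Review bot: The re-added tag line `- attack.defence_evasion` keeps the British spelling, but the Sigma tag namespace names the tactic `attack.defense_evasion`, so the tag will not map to the MITRE tactic; the re-indent is the natural moment to change it to `  - attack.defense_evasion`. Dropping `service: Sysmon` from logsource while leaving `EventID: 1` in selection1 leaves the rule half-generic: a `process_creation` rule rendered for a non-Sysmon source (e.g. Security 4688) will never match on that event ID, so either restore the service line or drop `EventID: 1` and let the backend's process_creation mapping select the event. The untouched context line `Date: 2021/23/8` is worth fixing in the same pass — Sigma expects a lowercase `date` key in `YYYY/MM/DD` form and month 23 does not exist (presumably `date: 2021/08/23`), and `product: Windows` is likewise lowercase in the rules I have seen; confirm against the project's other rules. The `selection2`/`selection3` blocks referenced by the condition lie outside this hunk.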