Merge pull request #3445 from wagga40/master

Fix a lot of typos in rules text and comments
Florian Roth
2022-08-29 20:37:14 +02:00
committed by GitHub
16 changed files with 18 additions and 18 deletions
@@ -24,5 +24,5 @@ detection:
condition: selection
falsepositives:
- Unknown
- Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware.
- Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
level: high
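Review bot: the replacement line still carries a typo: "inidicative" should be "indicative"; the fix only corrected "recomended" and "anomolies". Suggest `- Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies indicative of malware.`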
@@ -1,4 +1,4 @@
title: Creation In User Word Statup Folder
title: Creation In User Word Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: experimental
description: Detects the creation of an file in user Word Startup
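Review bot: the unchanged description line in the context still reads "Detects the creation of an file in user Word Startup"; while the title typo is being fixed, "an file" should become "a file", e.g. `description: Detects the creation of a file in the user's Word Startup folder`.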
@@ -1,7 +1,7 @@
title: VMware Xfer Loading DLL from Nondefault Path
id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
status: experimental
description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitary DLL
description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
author: Nasreddine Bencherchali
date: 2022/08/02
references:
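Review bot: minor grammar in the corrected description: "attempt to sideload arbitrary DLL" reads better as "attempt to sideload an arbitrary DLL".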
@@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
status: experimental
description: Detects Commandlet names and arguments from the Nishang exploitation framework
date: 2019/05/16
modified: 2021/10/16
modified: 2022/08/29
references:
- https://github.com/samratashok/nishang
tags:
@@ -66,7 +66,7 @@ detection:
- Invoke-PSGcat
- Invoke-PsGcatAgent
- Remove-PoshRat
- Add-Persistance
- Add-Persistence
- ExetoText
- Invoke-Decode
- Invoke-Encode
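Review bot: unlike the rest of this PR, this hunk changes a detection keyword rather than documentation: "Add-Persistance" sits inside the detection list, so the old spelling could only ever match a command line that reproduced the typo. Confirm against the Nishang repository referenced in this rule that "Add-Persistence" is the cmdlet's actual spelling; assuming it is, this is a genuine detection fix and the bumped `modified: 2022/08/29` earlier in this file is the right call.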
@@ -1,7 +1,7 @@
title: Suspicious Dosfuscation Character in Commandline
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: experimental
description: Posssible Payload Obfuscation
description: Possible Payload Obfuscation
references:
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
author: frack113
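Review bot: the description "Possible Payload Obfuscation" is spelled correctly now but too terse for a rule titled "Suspicious Dosfuscation Character in Commandline"; suggest stating what is matched, e.g. `description: Detects command lines containing characters typical of DOSfuscation-style payload obfuscation`.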
@@ -1,7 +1,7 @@
title: Suspicious CMD Shell Redirect
id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
status: experimental
description: Detects inline windows shell commands redirecting output via the ">" symbol to a suspicous location
description: Detects inline windows shell commands redirecting output via the ">" symbol to a suspicious location
author: Nasreddine Bencherchali
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
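Review bot: "windows" in the corrected description should be capitalised as "Windows", consistent with the titles elsewhere in the rule set: `Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location`.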
@@ -19,5 +19,5 @@ detection:
- '-register'
condition: selection
falsepositives:
- Legitimate usage of the script. Always investigate what's being registred to confirm if it's benign
- Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign
level: medium
@@ -4,7 +4,7 @@ related:
- id: 349d891d-fef0-4fe4-bc53-eee623a15969
type: similar
status: experimental
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Iamge detection
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
author: frack113, Nasreddine Bencherchali
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
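Review bot: the corrected description is still a sentence fragment ("Detect use of the Windows 8.3 short name. Which could be used..."). Suggest joining the two parts, e.g. `description: Detects use of Windows 8.3 short names, which could be used to evade detections that match on the Image field` (assuming "Image detection" refers to the Image field).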
@@ -1,7 +1,7 @@
title: Net WebClient Casing Anomalies
id: c86133ad-4725-4bd0-8170-210788e0a7ba
status: experimental
description: Detects PowerShell command line contents that include a suspicious anormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
author: Florian Roth
references:
- https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
@@ -46,5 +46,5 @@ fields:
- ParentCommandLine
- Details
falsepositives:
- Legitimate use by adminstrator
level: high
- Legitimate use by administrator
level: high
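Review bot: `level: high` appears in both the removed and the added set of this hunk with identical visible text, so the hunk also carries an invisible change on that line (trailing whitespace or a newline at end of file). Confirm it is the intended end-of-file newline fix and not stray whitespace being introduced.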
@@ -5,7 +5,7 @@ description: |
An adversary might use WMI to check if a certain Remote Service is running on a remote device.
When the test completes, a service information will be displayed on the screen if it exists.
A common feedback message is that "No instance(s) Available" if the service queried is not running.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
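Review bot: the surrounding context lines have grammar issues worth fixing in the same pass: "a service information will be displayed" should be "service information will be displayed", and "A common feedback message is that "No instance(s) Available"" reads better as "A common feedback message is "No instance(s) Available"".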
@@ -1,7 +1,7 @@
title: WMIC Unquoted Services Path Lookup
id: 68bcd73b-37ef-49cb-95fc-edc809730be6
status: experimental
description: Detects wmic known recon method to look for unquoted serivce paths, often used by pentest and attackers enum scripts
description: Detects wmic known recon method to look for unquoted service paths, often used by pentest and attackers enum scripts
author: Nasreddine Bencherchali
references:
- https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
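Review bot: "Detects wmic known recon method to look for unquoted service paths" is awkward; suggest `description: Detects the well-known wmic reconnaissance technique of looking for unquoted service paths, often used by pentest and attacker enumeration scripts`.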
@@ -1,7 +1,7 @@
title: UEFI Persistence Via Wpbbin - ProcessCreation
id: 4abc0ec4-db5a-412f-9632-26659cddf145
status: experimental
description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the refernece section
description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
author: Nasreddine Bencherchali
date: 2022/07/18
references:
@@ -1,6 +1,6 @@
title: Disable UAC Using Registry
id: 48437c39-9e5f-47fb-af95-3d663c3f2919
description: Detects when an attacker tries to disable User Account Conrol (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
author: frack113
date: 2022/01/05
modified: 2022/08/06
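Review bot: the description changes here but `modified: 2022/08/06` is left untouched in the context, whereas the Nishang rule in this same PR had its modified date bumped to 2022/08/29. Pick one convention for typo-only edits and apply it consistently across all 16 files.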
@@ -1,6 +1,6 @@
title: Change the Fax Dll
id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
description: Detect possible persistance using Fax DLL load when service restart
description: Detect possible persistence using Fax DLL load when service restart
status: experimental
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
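Review bot: "when service restart" in the corrected description should read "when the service restarts", and the title "Change the Fax Dll" would be clearer as "Change the Fax DLL" to match "Fax DLL" in the description.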
@@ -16,7 +16,7 @@ detection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify'
condition: selection
falsepositives:
- Might trigger if a legitimate new SIP provider is registered. But this is not a common occurence in an environment and should be investigated either way
- Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
level: high
tags:
- attack.persistence
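Review bot: the falsepositives entry refers to a "legitimate new SIP provider" being registered, but the selection in this hunk matches TargetObject `\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify`, so the false-positive text looks copied from a different rule. Suggest rewording it to the mpnotify context, e.g. `- Might trigger if a legitimate change to the Winlogon mpnotify value is made. But this is not a common occurrence in an environment and should be investigated either way`.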