Update incorrect mitre tags

rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml

@@ -22,5 +22,5 @@ falsepositives:
     - Certain software or administrative tasks may trigger false positives.
 level: low
 tags:
-    - attack.peripheral_device_discovery
+    - attack.discovery
     - attack.t1120

rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml

@@ -3,22 +3,20 @@ id: 575dce0c-8139-4e30-9295-1ee75969f7fe
 description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target
 status: experimental
 references:
-    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs 
+    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
 author: blueteamer8699
 date: 2022/01/03
 tags:
     - attack.discovery
-    - attack.group_policy_discovery
     - attack.execution
-    - attack.command_and_scripting_interpreter
-    - attack.visual_basic
+    - attack.t1615
     - attack.t1059.005
 logsource:
     category: process_creation
     product: windows
 detection:
     selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'cscript.exe'
             - 'gatherNetworkInfo.vbs'
     condition: selection

rules/windows/process_creation/proc_creation_win_malware_formbook.yml

@@ -4,49 +4,49 @@ status: test
 description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
 author: Florian Roth, oscd.community, Jonhnathan Ribeiro
 references:
-  - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
-  - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
-  - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
-  - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
+    - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
+    - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
+    - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
+    - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
 date: 2019/09/30
-modified: 2021/11/27
+modified: 2022/10/06
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
+    selection1:
         # Parent command line should not contain a space value
         # This avoids false positives not caused by process injection
         # e.g. wscript.exe /B sysmon-install.vbs
-    ParentCommandLine|startswith:
-      - 'C:\Windows\System32\'
-      - 'C:\Windows\SysWOW64\'
-    ParentCommandLine|endswith: '.exe'
-  selection2:
-    - CommandLine|contains|all:
-      - '/c'
-      - 'del'
-      - 'C:\Users\'
-      - '\AppData\Local\Temp\'
-    - CommandLine|contains|all:
-      - '/c'
-      - 'del'
-      - 'C:\Users\'
-      - '\Desktop\'
-    - CommandLine|contains|all:
-      - '/C'
-      - 'type nul >'
-      - 'C:\Users\'
-      - '\Desktop\'
-  selection3:
-    CommandLine|endswith: '.exe'
-  condition: selection and selection2 and selection3
+        ParentCommandLine|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+        ParentCommandLine|endswith: '.exe'
+    selection2:
+        - CommandLine|contains|all:
+            - '/c'
+            - 'del'
+            - 'C:\Users\'
+            - '\AppData\Local\Temp\'
+        - CommandLine|contains|all:
+            - '/c'
+            - 'del'
+            - 'C:\Users\'
+            - '\Desktop\'
+        - CommandLine|contains|all:
+            - '/C'
+            - 'type nul >'
+            - 'C:\Users\'
+            - '\Desktop\'
+    selection3:
+        CommandLine|endswith: '.exe'
+    condition: all of selection*
 fields:
-  - CommandLine
-  - ParentCommandLine
+    - CommandLine
+    - ParentCommandLine
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.develop_capabilities
-  - attack.t1587.001
+    - attack.resource_development
+    - attack.t1587.001

rules/windows/process_creation/proc_creation_win_susp_csexec.yml

@@ -20,7 +20,7 @@ falsepositives:
     - Unknown
 level: high
 tags:
-    - attack.develop_capabilities
+    - attack.resource_development
     - attack.t1587.001
     - attack.execution
     - attack.t1569.002

rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml

@@ -1,4 +1,4 @@
-title: PsExec/PAExec Flags 
+title: PsExec/PAExec Flags
 id: 207b0396-3689-42d9-8399-4222658efc99
 status: experimental
 description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
@@ -8,30 +8,32 @@ references:
     - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth
 date: 2021/05/22
-modified: 2021/11/23
+modified: 2022/10/06
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_flags_1: # Escalation to LOCAL_SYSTEM
-        CommandLine|endswith: 
+    selection_flags_1:
+        # Escalation to LOCAL_SYSTEM
+        CommandLine|endswith:
             - ' -s cmd.exe'
             - ' -s -i cmd.exe'
     selection_flags_2:
-        CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
+        # Accepting EULA in commandline - often used in automated attacks
+        CommandLine|contains|all:
             - 'accepteula'
             - ' -u '
             - ' -p '
             - ' \\'
     filter:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'paexec'
             - 'PsExec'
-    condition: ( selection_flags_1 or selection_flags_2 ) and not filter
+    condition: 1 of selection_flags_* and not filter
 falsepositives:
     - Weird admins that rename their tools
-    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing 
+    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
 level: high
 tags:
-    - attack.develop_capabilities
+    - attack.resource_development
     - attack.t1587.001

rules/windows/sysmon/sysmon_process_hollowing.yml

@@ -6,10 +6,11 @@ author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
 date: 2022/01/25
 modified: 2022/02/01
 references:
-  - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 
-  - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
+    - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
+    - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
 tags:
-    - attack.process_injection
+    - attack.defense_evasion
+    - attack.privilege_escalation
     - attack.t1055.012
 logsource:
     product: windows
@@ -18,7 +19,7 @@ detection:
     selection:
         Type: Image is replaced
     filters:
-        Image|contains: 
+        Image|contains:
             - ':\Program Files\'
             - ':\Program Files (x86)'
         Image|endswith: