From e43371ffcf025da9b826933c7399b13b60d50650 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 4 Jan 2023 17:51:34 +0100
Subject: [PATCH] fix: small typos

---
 .../posh_pm_invoke_obfuscation_via_use_mhsta.yml | 8 ++++----
 ...posh_pm_susp_athremotefxvgpudisablementcommand.yml | 11 +++-------
 2 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
index 59bc6bb6c..97918504e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
-modified: 2022/11/29
+modified: 2023/01/04
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -18,9 +18,9 @@ tags:
 logsource:
     product: windows
     category: ps_module
-    definition: 'Requirements: PowerShell Module Logging must be enabled'd
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
-    selection_4103:
+    selection:
         Payload|contains|all:
             - 'set'
             - '&&'
@@ -28,7 +28,7 @@ detection:
             - 'vbscript:createobject'
             - '.run'
             - '(window.close)'
-    condition: selection_4103
+    condition: selection
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
index 25ada0368..0585ac797 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
@@ -7,14 +7,14 @@ references:
     - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: frack113
 date: 2021/07/13
-modified: 2022/12/02
+modified: 2023/01/04
 tags:
     - attack.defense_evasion
     - attack.t1218
 logsource:
     product: windows
     category: ps_module
-    definition: 'Requirements: PowerShell Module Logging must be enabled'd
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
     selection_cmd:
         ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand '
@@ -24,12 +24,7 @@ detection:
         - '-ModulePath '
         - '-ScriptBlock '
         - '-RemoteFXvGPUDisablementFilePath'
-    condition: selection_cmd and selection_opt
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-    - ParentCommandLine
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: medium
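Review bot: `condition: all of selection_*` in the second hunk binds every group whose name starts with `selection_`, so any `selection_`-prefixed group added later (for example one intended to be negated) is silently required for a match rather than flagged at review time; the explicit `condition: selection_cmd and selection_opt` named exactly the two groups the rule depends on at no extra length, and I would keep it or add a comment above the condition such as `# both the cmdlet-name group and the option group must match`. The second hunk starts mid-list: the key of the option group (presumably `selection_opt:`, inferred from the removed condition line) and its modifier line lie above the hunk, so whether any other `selection_` group exists cannot be confirmed from this view. The dropped `fields:` entries were process-creation style names that do not occur on ps_module events, so their removal looks right, but the commit subject "small typos" undersells a condition rewrite and a field-list removal and a one-line mention in the description would help future bisecting.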