fix: small typos

2023-01-04 17:51:34 +01:00
parent 711ba956e3
commit e43371ffcf
2 changed files with 7 additions and 12 deletions
@@ -9,7 +9,7 @@ references:
    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
-modified: 2022/11/29
+modified: 2023/01/04
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -18,9 +18,9 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: 'Requirements: PowerShell Module Logging must be enabled'd
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
-    selection_4103:
+    selection:
        Payload|contains|all:
            - 'set'
            - '&&'
@@ -28,7 +28,7 @@ detection:
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
-    condition: selection_4103
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -7,14 +7,14 @@ references:
    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: frack113
 date: 2021/07/13
-modified: 2022/12/02
+modified: 2023/01/04
 tags:
    - attack.defense_evasion
    - attack.t1218
 logsource:
    product: windows
    category: ps_module
-    definition: 'Requirements: PowerShell Module Logging must be enabled'd
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_cmd:
        ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand '
@@ -24,12 +24,7 @@ detection:
            - '-ModulePath '
            - '-ScriptBlock '
            - '-RemoteFXvGPUDisablementFilePath'
-    condition: selection_cmd and selection_opt
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-    - ParentCommandLine
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: medium