diff --git a/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml b/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
new file mode 100644
index 000000000..58e939a46
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
@@ -0,0 +1,28 @@
+title: PST Export Alert Using New-ComplianceSearchAction
+id: 6897cd82-6664-11ed-9022-0242ac120002
+related:
+ - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
+ type: similar
+status: experimental
+description: Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
+author: Nikita Khalimonenkov
+date: 2022/11/17
+tags:
+ - attack.collection
+ - attack.t1114
+logsource:
+ service: threat_management
+ product: m365
+detection:
+ selection:
+ eventSource: SecurityComplianceCenter
+ Payload|contains|all:
+ - 'New-ComplianceSearchAction'
+ - 'Export'
+ - 'pst'
+ condition: selection
+falsepositives:
+ - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
+level: medium
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
index 3df62679c..3e9ad2a3d 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml
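Review bot: The `Payload|contains|all` list matches the bare substrings `'Export'` and `'pst'`, so a New-ComplianceSearchAction payload whose search name or another argument merely contains `pst`, or any parameter containing `Export`, satisfies the rule, which is broader than the `-Export` switch the description names; `- '-Export'` keeps the intent and drops part of that noise. The description also needs a wording pass: "an export to a search" should read "an export of a search", "will detect PST export" reads better as "will detect a PST export", and `O365.This rule` is missing a space after the period. The `related` entry pointing at `18b88d08-…` with `type: similar` is useful; a short clause in the description saying how this rule differs from that one (PowerShell payload versus the built-in alert) would make the pairing self-explanatory.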
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
-modified: 2021/12/02
+modified: 2022/11/17
tags:
- attack.defense_evasion
- attack.t1027
@@ -22,7 +22,16 @@ logsource:
detection:
selection:
EventID: 4697
- ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ # ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
+ # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
+ ServiceFileName|contains|all:
+ - 'cmd'
+ - '"set'
+ - '-f'
+ ServiceFileName|contains:
+ - '/c'
+ - '/r'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
index e973cca18..c14da7c1d 100644
--- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
+++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml
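Review bot: The new `ServiceFileName|contains|all` list keeps only `cmd`, `"set` and `-f` from the retired regex and drops its `(?:\{\d\}){1,}` requirement, so the format-operator placeholder that tied the original to the `-f` string-format launcher is no longer required, and `-f` on its own also matches `-file`/`-force` style switches. The sibling rule in this commit (win_security_invoke_obfuscation_via_var_services_security.yml) keeps that signal with a `{0}`…`{5}` any-of list; adding the same as a second selection here restores it, and both inline examples still match because each contains `{0}`. The same point applies to the system-log twin later in this diff, rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml, whose hunk has the identical list. The first hunk of this file is only the `modified` date bump.

```yaml
    selection:
        EventID: 4697
        # … unchanged: commented regex, examples, contains|all and contains lists …
    selection_format:
        ServiceFileName|contains:
            - '{0}'
            - '{1}'
    condition: selection and selection_format
```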
@@ -9,7 +9,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
-modified: 2022/10/09
+modified: 2022/11/17
tags:
- attack.defense_evasion
- attack.t1027
@@ -22,7 +22,21 @@ logsource:
detection:
selection:
EventID: 4697
- ServiceFileName|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ # ServiceFileName|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
+ # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
+ ServiceFileName|contains|all:
+ - '&&set'
+ - 'cmd'
+ - '/c'
+ - '-f'
+ ServiceFileName|contains:
+ - '{0}'
+ - '{1}'
+ - '{2}'
+ - '{3}'
+ - '{4}'
+ - '{5}'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml
index f8d2db6ff..4cc044bd0 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml
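Review bot: `'&&set'` in the `contains|all` list only matches when nothing separates `&&` from `set`; the retired regex had the same limit, but the stdin twin in this commit (win_system_invoke_obfuscation_via_stdin_services.yml) shows the spaced form `&& sET` in its own examples, so this rule does not cover that spelling of the same launcher. Splitting the token into `- '&&'` and `- 'set'` covers both spacings, and the `cmd`, `/c`, `-f` tokens plus the `{0}`…`{5}` placeholder list retain most of the precision. The same applies to rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml later in this diff, whose list is identical. The first hunk of this file is only the `modified` date bump.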
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
-modified: 2021/11/30
+modified: 2022/11/17
tags:
- attack.defense_evasion
- attack.t1027
@@ -16,11 +16,24 @@ logsource:
product: windows
service: system
detection:
- selection:
+ selection_main:
Provider_Name: 'Service Control Manager'
EventID: 7045
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
- condition: selection
+ # ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
+ # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
+ ImagePath|contains|all:
+ - 'cmd'
+ - 'powershell'
+ ImagePath|contains:
+ - '/c'
+ - '/r'
+ selection_other:
+ - ImagePath|contains: 'noexit'
+ - ImagePath|contains|all:
+ - 'input'
+ - '$'
+ condition: all of selection_*
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml
index 78f25a0dd..b2403a616 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
-modified: 2021/11/30
+modified: 2022/11/17
tags:
- attack.defense_evasion
- attack.t1027
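Review bot: In `selection_other`, the `contains|all` pair `'input'` and `'$'` no longer requires the two to be adjacent the way `\$\{?input\}?` in the retired regex did, so an ImagePath with a `$` variable anywhere plus the substring `input` somewhere else (an `inputfile` argument, for instance) satisfies that branch. Replacing the pair with `- ImagePath|contains: ['$input', '${input']` keeps the original semantics in a single list item, and Example 2 (`$InpUt`) still matches since `contains` is case-insensitive. The `level: high` context line at the end of the hunk makes that precision worth keeping.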
@@ -19,7 +19,16 @@ detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ # ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
+ # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
+ ImagePath|contains|all:
+ - 'cmd'
+ - '"set'
+ - '-f'
+ ImagePath|contains:
+ - '/c'
+ - '/r'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
index cfa7bdf7b..8a4091b6a 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
author: Nikita Nazarov, oscd.community
date: 2020/10/12
-modified: 2021/11/30
+modified: 2022/11/17
tags:
- attack.defense_evasion
- attack.t1027
@@ -19,7 +19,16 @@ detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
- ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ # ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ # Example 1: C:\wiNdOWs\SystEm32\cMD.EXe /c "sET XnK= Invoke-Expression (New-Object Net.WebClient).DownloadString && sET PZVh=ECho ${EXECutIoNcOnTExT}.inVokecommaNd.iNvoKeSCrIPt( ([eNvirOnMEnT]::GETenVIrOnmENtVARIABLe('XNk','pRoceSS'))) ^| poweRSHelL -NoE - && C:\wiNdOWs\SystEm32\cMD.EXe /c%PzVh%"
+ # Example 2: C:\winDowS\SysteM32\Cmd /C "set sHM=Invoke-Expression (New-Object Net.WebClient).DownloadString && SEt gBc=ECHO $eXECutionconTeXt.inVoKECOmmanD.InVoKESCripT( ([ENVirOnment]::geTenVIrONMEnTvaRIAble('shM','PRoCEss')) ) ^| C:\WiNDoWS\SYSwoW64\WindoWSpoWerSHelL\V1.0\pOwersheLl.EXe ^^^&( $PShOME[4]+$psHOMe[30]+'X') ( $InPUt) && C:\winDowS\SysteM32\Cmd /C %gbc%"
+ ImagePath|contains|all:
+ - 'set'
+ - '&&'
+ ImagePath|contains:
+ - 'environment'
+ - 'invoke'
+ - 'input'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml
index 06b4062f3..76e3dac8c 100644
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml
+++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
-modified: 2021/11/30
+modified: 2022/11/17
tags:
- attack.defense_evasion
- attack.t1027
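Review bot: The replacement `ImagePath|contains|all: ['set', '&&']` drops the second `set` that the retired regex demanded after the first `&&` (`&&\s?set`) as well as the trailing `&&` it required, so a single `set` anywhere (including inside `setup`), one `&&`, and one generic word from `environment`/`invoke`/`input` is now enough, which is a wide net for a service ImagePath. A second selection `ImagePath|contains: ['&&set', '&& set']` with `condition: all of selection_*` restores the two-`set` shape and matches both inline examples, which use the spaced form (`&& sET`, `&& SEt`). The first hunk of this file is only the `modified` date bump.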
@@ -19,7 +19,21 @@ detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
- ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ # ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
+ # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
+ ImagePath|contains|all:
+ - '&&set'
+ - 'cmd'
+ - '/c'
+ - '-f'
+ ImagePath|contains:
+ - '{0}'
+ - '{1}'
+ - '{2}'
+ - '{3}'
+ - '{4}'
+ - '{5}'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
index f1ec39f84..50a292386 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
@@ -16,7 +16,7 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_cmdlet:
- - ScriptBlockText|contains: Invoke-DNSExfiltrator
+ - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
- ScriptBlockText|contains|all:
- ' -i '
- ' -d '
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
index dc88b8395..10a74f43a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
@@ -16,7 +16,7 @@ logsource:
definition: Script Block Logging must be enabled
detection:
selection:
- ScriptBlockText|contains: Invoke-Nightmare
+ ScriptBlockText|contains: 'Invoke-Nightmare'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml b/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml
index 4fb641a8c..5383a87ae 100644
--- a/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml
@@ -16,6 +16,7 @@ tags:
- attack.t1059.001
- attack.defense_evasion
- attack.t1027
+ - attack.t1620
logsource:
category: process_creation
product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml b/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml
index 29a7e3df0..b58372b9f 100644
--- a/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml
+++ b/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml
@@ -7,6 +7,7 @@ references:
- https://twitter.com/mrd0x/status/1511489821247684615
author: Florian Roth
date: 2022/04/06
+modified: 2022/11/18
tags:
- attack.defense_evasion
- attack.t1036
@@ -15,15 +16,14 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- Image|endswith: '\DumpMinitool.exe'
- selection_original_name:
- OriginalName: 'DumpMinitool.exe'
- selection_flags:
+ selection_img:
+ - Image|endswith: '\DumpMinitool.exe'
+ - OriginalFileName: 'DumpMinitool.exe'
+ selection_cli:
CommandLine|contains|all:
- ' --processId '
- ' --dumpType Full'
- condition: 1 of selection*
+ condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml b/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml
new file mode 100644
index 000000000..6dc58c473
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml
@@ -0,0 +1,30 @@
+title: Suspicious Msbuild Execution By Uncommon Parent Process
+id: 33be4333-2c6b-44f4-ae28-102cdbde0a31
+status: experimental
+description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
+references:
+ - https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
+ - https://www.echotrail.io/insights/search/msbuild.exe
+author: frack113
+date: 2022/11/17
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\MSBuild.exe'
+ - OriginalFileName: 'MSBuild.exe'
+ filter_parent:
+ ParentImage|endswith:
+ - '\devenv.exe'
+ - '\cmd.exe'
+ - '\msbuild.exe'
+ - '\python.exe'
+ - '\explorer.exe'
+ - '\nuget.exe'
+ condition: selection and not filter_parent
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml b/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml
new file mode 100644
index 000000000..d9229ef1c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml
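Review bot: `condition: 1 of selection_*` ORs `selection_img` with `selection_cli`, so every DumpMinitool.exe start fires regardless of arguments and, conversely, any process whose command line carries ` --processId ` and ` --dumpType Full` fires without the tool being named; the old `1 of selection*` had the same shape, so this is not a regression, but the new `_img`/`_cli` naming reads like a pair meant to be ANDed. If the OR is deliberate (a renamed copy is still caught by its flags), a one-line comment above the condition makes that explicit: `# 1 of: match the binary by name OR by its characteristic dump flags, so a renamed copy is still caught`. If it is not, `condition: all of selection_*` is the one-token fix.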
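Review bot: The description in the new proc_creation_win_susp_msbuild.yml reads "by a uncommon parent process"; `description: Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process` fixes the article. The `filter_parent` list is also broad for a rule whose premise is "uncommon parent": it excludes `\cmd.exe` and `\explorer.exe`, which are presumably the parents of most interactive and script-driven launches, so what remains in scope (and why those six were chosen, beyond the echotrail reference) is worth a sentence in the description, and `falsepositives` could name the build-automation parents not on the list rather than `Unknown`.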
@@ -0,0 +1,34 @@
+title: Suspicious Powercfg Execution To Change Lock Screen Timeout
+id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
+status: experimental
+description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
+references:
+ - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+ - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
+author: frack113
+date: 2022/11/18
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_power:
+ - Image|endswith: '\powercfg.exe'
+ - OriginalFileName: 'PowerCfg.exe'
+ selection_standby:
+ # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK
+ - CommandLine|contains|all:
+ - '/setacvalueindex '
+ - 'SCHEME_CURRENT'
+ - 'SUB_VIDEO'
+ - 'VIDEOCONLOCK'
+ # powercfg -change -standby-timeout-dc 3000
+ # powercfg -change -standby-timeout-ac 3000
+ - CommandLine|contains|all:
+ - '-change '
+ - '-standby-timeout-'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 630033e27..a76aa41bb 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
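Review bot: `selection_standby` keys its second branch on `'-change '` only, while the linked powercfg reference documents the switch as `/change` (alias `/x`) with either prefix accepted, and its first branch covers `/setacvalueindex ` but not the `/setdcvalueindex ` counterpart the same reference lists for the on-battery value of the identical setting. Since both maps already require a second, specific token (`-standby-timeout-` and the `SCHEME_CURRENT`/`SUB_VIDEO`/`VIDEOCONLOCK` trio), the prefix-agnostic forms `- 'change '` and `- 'valueindex '` cover the `-`/`/` and AC/DC variants without loosening the match; the `/x` alias would still be uncovered, which is a reasonable gap to state in the description if accepted. The inline comments would then also want the `/change` and `/setdcvalueindex` spellings listed next to the dash forms so the examples match what the rule catches.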
@@ -871,7 +871,8 @@ class TestRules(unittest.TestCase):
def test_field_name_typo(self):
# add "OriginalFilename" after Aurora switched to SourceFilename
# add "ProviderName" after special case powershell classic is resolved
- typos = ["ServiceFilename", "TargetFileName", "SourceFileName", "Commandline", "Targetobject"]
+ # typos is a list of tuples where each tuple contains ("The typo", "The correct version")
+ typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")]
faulty_rules = []
for file in self.yield_next_rule_file_path(self.path_to_rules):
detection = self.get_rule_part(file_path=file, part_name="detection")
@@ -880,8 +881,8 @@ class TestRules(unittest.TestCase):
if isinstance(detection[search_identifier], dict):
for field in detection[search_identifier]:
for typo in typos:
- if typo in field:
- print(Fore.RED + "Rule {} has a common typo ({}) in selection ({}/{})".format(file, typo, search_identifier, field))
+ if typo[0] in field:
+ print(Fore.RED + "Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})".format(file, typo[0], typo[1], search_identifier, field))
faulty_rules.append(file)
self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with common typos in field names.")
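Review bot: The `typo[0]`/`typo[1]` indexing in the second hunk is exactly what the first hunk's comment has to explain; unpacking makes the tuple order self-documenting and the comment redundant: `for typo, correct in typos:`, `if typo in field:`, and `.format(file, typo, correct, search_identifier, field)` (a dict `{"ServiceFilename": "ServiceFileName", ...}` iterated with `.items()` is the equivalent alternative). The check is still a plain substring test, so `("TargetFileName", "TargetFilename")` and `("SourceFileName", "OriginalFileName")` flag field names that are spelled correctly in English but not in the project's taxonomy; a one-line comment such as `# enforces the Sigma taxonomy spelling, not just typos` above the list would save the next reader a search. `test_field_name_typo` continues past both hunks, and the blank line the second hunk's line count implies before `self.assertEqual` was lost in the paste.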