diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml index ad857762a..2928e37a7 100644 --- a/rules/windows/builtin/win_susp_net_recon_activity.yml +++ b/rules/windows/builtin/win_susp_net_recon_activity.yml @@ -7,7 +7,7 @@ author: Florian Roth (rule), Jack Croock (method) logsource: product: windows service: security - description: The volume of Event ID 4661 ist high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems + description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems detection: selection: - EventID: 4661 diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 1e6e4ede1..1bd365f63 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -10,5 +10,5 @@ detection: ImageLoaded: '*\Temp\*' condition: selection falsepositives: - - there is a relevant set of false positives depending on applications in the envirnment + - there is a relevant set of false positives depending on applications in the environment level: medium diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index f31d0bf06..7cbc0c82e 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml 
@@ -1,6 +1,6 @@ title: Processes created by MMC status: experimental -description: Processes started by MMC could by a sign of lateral movement using MMC application COM object +description: Processes started by MMC could be a sign of lateral movement using MMC application COM object references: - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ logsource:
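Review bot: The first hunk (win_susp_net_recon_activity.yml) fixes "ist" but leaves a second typo in the same line, "recommandations", which should read "recommendations"; since this is a typo-only pass, correct both in the same change so the description does not need another follow-up commit.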
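Review bot: In the sysmon_susp_driver_load.yml hunk the spelling fix is fine, but the corrected falsepositives entry still tells an analyst nothing actionable: "there is a relevant set of false positives depending on applications in the environment". Since the selection is `ImageLoaded: '*\Temp\*'`, consider naming the classes of software you have seen load drivers from a Temp directory (for example installers that stage a driver there) so triage can exclude them, and start the entry with a capital letter to match the other rules.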
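Review bot: In the sysmon_susp_mmc_source.yml hunk the "could by" to "could be" fix is correct, but the description still refers to the "MMC application COM object" generically while the cited reference is specifically about the MMC20.Application COM object; naming it as "the MMC20.Application COM object" would make the description match the reference and help an analyst search for the right artifact.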