From f461becc58007173effb81de55c8ceebc1a97452 Mon Sep 17 00:00:00 2001
From: Anton Kutepov <61383585+aw350m33d@users.noreply.github.com>
Date: Tue, 2 Mar 2021 23:34:34 +0300
Subject: [PATCH] Added missed changes in win_net_ntlm_downgrade and merged duplicate rules
---
 .../builtin/win_net_ntlm_downgrade.yml | 2 +-
 .../process_creation/win_susp_finger.yml | 23 -------------------
 .../win_webshell_detection.yml | 2 +-
 3 files changed, 2 insertions(+), 25 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_susp_finger.yml
diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml
index 8987fb7d8..2883f3df2 100644
--- a/rules/windows/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml
@@ -50,4 +50,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/process_creation/win_susp_finger.yml b/rules/windows/process_creation/win_susp_finger.yml
deleted file mode 100644
index a6451adfc..000000000
--- a/rules/windows/process_creation/win_susp_finger.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Suspicious Use Finger.exe
-id: 248f5697-2f46-4005-9bb6-b4fc643332a9
-status: experimental
-description: finger.exe for data exfiltration or download file
-references:
- - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
-author: omkar72, oscd.community
-date: 2020/10/11
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.command_and_control
- - attack.t1071
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith: '\finger.exe'
- condition: selection
-falsepositives:
- - Unknown
-level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index 99241d3bb..09d432656 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -2,7 +2,7 @@ title: Webshell Detection With Command Line Keywords
 id: bed2a484-9348-4143-8a8a-b801c979301c
 description: Detects certain command line parameters often used during reconnaissance activity via web shells
 author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
-reference:
+references:
 - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
 - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
 date: 2017/01/01