diff --git a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
index fb409b13b..7ab2c9449 100644
--- a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
index dcb92bd05..c5153e216 100644
--- a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
@@ -19,7 +19,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
index fb57e9607..48f64acc0 100644
--- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
index e30c7fe3f..d1c7e5644 100644
--- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
@@ -17,7 +17,7 @@ references:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection2:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
index 2902ece65..61e99ec3a 100644
--- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
@@ -17,7 +17,7 @@ references:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection2:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
index 604505ae0..a825ff6df 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
index 2dcd9ad2c..c94e328d8 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_3:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
index d531c87e4..ac8200149 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
index e47caf118..3fb82c2ef 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
index e4f1400ce..9faa95dfe 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
index 823699781..bff58af6c 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
index 65fff0f15..ef94a8c32 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
index 482721a0f..6e5b5d32c 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
index ab47039d3..aecbcfcf0 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: Module Logging must be enabledd
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
index deee26edc..e97a7449e 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
index 06d3381a5..4273a2711 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
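Review bot: The added `definition` line in the hunk for powershell_invoke_obfuscation_via_use_mhsta.yml now reads `Module Logging must be enabledd`, where the removed line was already spelled correctly, so the commit introduces a typo there instead of fixing one. The same regression is visible in the hunks for powershell_invoke_obfuscation_via_var.yml, powershell_susp_athremotefxvgpudisablementcommand.yml and powershell_susp_zip_compress.yml. It looks like a blanket `enable` → `enabled` replacement that also matched values already ending in `enabled`; those four files should keep `definition: Module Logging must be enabled`. The field is the hint that tells whoever deploys these EventID 4103 rules which logging prerequisite to turn on, so the wording is worth keeping uniform across the directory.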
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: Module Logging must be enabledd
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_powercat.yml b/rules/windows/powershell/powershell_module/powershell_powercat.yml
index f024c450c..3feb349e0 100644
--- a/rules/windows/powershell/powershell_module/powershell_powercat.yml
+++ b/rules/windows/powershell/powershell_module/powershell_powercat.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
index c77953871..39a6161cd 100644
--- a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
index 214610d72..18f9e127c 100644
--- a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: Module Logging must be enabledd
 detection:
 selection_id:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
index 267532036..761d66b53 100644
--- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: Module Logging must be enabledd
 detection:
 selection_4103:
 EventID: 4103