fix

rules/windows/process_creation/minidumpwritedump.yml

@@ -13,8 +13,8 @@ logsource:
     product: windows
 detection:
     selection:
-        Image:'*\rundll32.exe'
-        CommandLine:'*comsvcs.dll*minidump*'
+        Image: '*\rundll32.exe'
+        CommandLine: '*comsvcs.dll*minidump*'
     condition: selection
 falsepositives:
     - unknown

rules/windows/process_creation/renamed_binary_description.yml

@@ -15,24 +15,24 @@ logsource:
 detection:
     selection:
         Description:
-            - "active directory editor"
-            - "sysinternals process dump utility"
-            - "msbuild.exe"
-            - ".net core host"
-            - "windows command processor"
-            - "windows powershell"
-            - "execute processes remotely"
-            - ".net framework installation utility"
-            - "microsoft ® console based script host"
-            - "microsoft ® windows based script host"
-            - "microsoft (r) html application host"
-            - "microsoft(c) register server"
-            - "wmi commandline utility"
-            - "certutil.exe"
-            - "windows host process (rundll32)"
-            - "microsoft connection manager profile Installer"
-            - "windows ® installer"
-            - "7-zip console"
+            -"active directory editor"
+            -"sysinternals process dump utility"
+            -"msbuild.exe"
+            -".net core host"
+            -"windows command processor"
+            -"windows powershell"
+            -"execute processes remotely"
+            -".net framework installation utility"
+            -"microsoft ® console based script host"
+            -"microsoft ® windows based script host"
+            -"microsoft (r) html application host"
+            -"microsoft(c) register server"
+            -"wmi commandline utility"
+            -"certutil.exe"
+            -"windows host process (rundll32)"
+            -"microsoft connection manager profile Installer"
+            -"windows ® installer"
+            -"7-zip console"
     filter:
         Image:
             -'*\adexplorer.exe'

rules/windows/sysmon/win_sysmon_driver_onload.yml

@@ -15,8 +15,8 @@ logsource:
 detection:
   selection:
     EventID: 4688
-    ProcessName:'*\fltMC.exe'
-    CommandLine:'*unload*Sys*'
+    ProcessName: '*\fltMC.exe'
+    CommandLine: '*unload*Sys*'
   selection1:
     EventID: 4673
     PrivilegeList: '*\SeLoadDriverPrivilege'