From 2a2bcbd870fa23aa2654a386122ca62666d4eeba Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Tue, 31 Aug 2021 15:59:06 -0800
Subject: [PATCH] [Rule tuning] Fix spacing in reference URLs (#1455)

(cherry picked from commit 655f7d91d06def5f3a513ae4615b71f12885d914)
---
...e_evasion_privacy_controls_tcc_database_modification.toml | 4 ++--
.../persistence_docker_shortcuts_plist_modification.toml | 5 ++---
rules/macos/persistence_finder_sync_plugin_pluginkit.toml | 5 ++---
rules/ml/ml_linux_anomalous_kernel_module_arguments.toml | 3 +--
...rivilege_escalation_unusual_parentchild_relationship.toml | 4 ++--
5 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 452ae6d73..1c809f2a9 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/25"

 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via TCCDB Modification"
 references = [
 "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
- "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db Modifier.sh",
+ "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
 "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8",
 ]
 risk_score = 47
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index 5f3c00982..e46352a3c 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/25"

 [rule]
 author = ["Elastic"]
@@ -16,8 +16,7 @@ license = "Elastic License v2"
 name = "Persistence via Docker Shortcut Modification"
 references = [
 """
- https://github.com/specterops/presentations/raw/master/Leo
- Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
+ https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
 """,
 ]
 risk_score = 47
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index d3e8050fd..15a791837 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/25"

 [rule]
 author = ["Elastic"]
@@ -17,8 +17,7 @@ license = "Elastic License v2"
 name = "Finder Sync Plugin Registered and Enabled"
 references = [
 """
- https://github.com/specterops/presentations/raw/master/Leo
- Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
+ https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
 """,
 ]
 risk_score = 47
diff --git a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
index 9f84e59b7..8762da02f 100644
--- a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
+++ b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/25"

 [rule]
 anomaly_threshold = 25
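Review bot: The `+` line in the docker-shortcuts references hunk still puts the URL on its own indented line inside a `"""` multi-line basic string, so the stored value keeps the leading indentation and the trailing newline unless the rule loader strips them, which I cannot confirm from this patch. The `%20` fix removes the only whitespace that forced the wrap, so the reference now fits a single basic string like every other reference in this patch. Collapse the three-line `"""` block to `"https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",` on one line. The `[rule]` table continues outside the hunk.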
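Review bot: In the Finder Sync hunk the repaired URL is still wrapped in a `"""` multi-line string on an indented line of its own, so the value carries its indentation and a trailing newline into whatever consumes `references` unless the loader normalizes it; nothing in this patch shows that it does. Since the encoded URL contains no whitespace there is no longer a reason for the multi-line form. Use `"https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",` as a plain one-line array element, matching the TCC rule in this same patch. The `[rule]` table continues outside the hunk.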
@@ -21,7 +21,6 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "linux_rare_kernel_module_arguments"
 name = "Anomalous Kernel Module Activity"
-references = ["references"]
 risk_score = 21
 rule_id = "37b0816d-af40-40b4-885f-bb162b3c88a9"
 severity = "low"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index f6494c246..bc091a645 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/08/25"

 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Unusual Parent-Child Relationship"
 references = [
- "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png",
+ "https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes%20TH.map.png",
 "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/",
 ]
 risk_score = 47
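Review bot: The `+` line in the Windows parent-child hunk encodes only the last space in the path: `Hunting MindMaps` and `Windows Processes` still contain literal spaces, so the reference is still not a valid URL and will not resolve when copied from the rule, unlike the TCC reference in this patch where every space is encoded. Change the line to `"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png",`. The `[rule]` table continues outside the hunk.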