From a6463b435c01a8509d1603152153dfb9cbb9a486 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Sat, 12 Dec 2020 20:11:17 -0600
Subject: [PATCH] [Rule Tuning] Replace line comments with block comments (#710)
---
 .../persistence_startup_folder_scripts.toml | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 6b12134f8..d1a9b2aa3 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -17,18 +17,18 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "eql"
 query = '''
-file where event.type != "deletion" and user.domain != "NT AUTHORITY"
- and (
- // detect shortcuts created by wscript.exe or cscript.exe
- file.path : "C:\\*\\Programs\\Startup\\*.lnk" and
- process.name : ("wscript.exe", "cscript.exe")
- ) or
- // detect vbs or js files created by any process
- file.path : ("C:\\*\\Programs\\Startup\\*.vbs",
- "C:\\*\\Programs\\Startup\\*.vbe",
- "C:\\*\\Programs\\Startup\\*.wsh",
- "C:\\*\\Programs\\Startup\\*.wsf",
- "C:\\*\\Programs\\Startup\\*.js")
+file where event.type != "deletion" and user.domain != "NT AUTHORITY" and
+
+ /* detect shortcuts created by wscript.exe or cscript.exe */
+ (file.path : "C:\\*\\Programs\\Startup\\*.lnk" and
+ process.name : ("wscript.exe", "cscript.exe")) or
+
+ /* detect vbs or js files created by any process */
+ file.path : ("C:\\*\\Programs\\Startup\\*.vbs",
+ "C:\\*\\Programs\\Startup\\*.vbe",
+ "C:\\*\\Programs\\Startup\\*.wsh",
+ "C:\\*\\Programs\\Startup\\*.wsf",
+ "C:\\*\\Programs\\Startup\\*.js")
 '''
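Review bot: The `or` before the second alternative in the new query still binds looser than the preceding `and`s, because EQL gives `and` precedence over `or`, so the `.vbs`/`.vbe`/`.wsh`/`.wsf`/`.js` branch is evaluated without the `event.type != "deletion"` and `user.domain != "NT AUTHORITY"` filters that the first line appears to apply to the whole rule; the removed query had the same precedence, so this tuning carries the behaviour forward rather than introducing it. As written, file deletions and writes by `NT AUTHORITY` accounts into the Startup folder will also fire on that branch, which the comment "created by any process" does not make obvious to a reader. Grouping both alternatives makes the leading filters cover them: end the first line with `file where event.type != "deletion" and user.domain != "NT AUTHORITY" and (` and close the group on the last path line with `"C:\\*\\Programs\\Startup\\*.js"))`. The hunk header counts 18 lines per side, so its trailing context may continue past the visible text.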