fix: apply suggestions from code review

Co-authored-by: phantinuss <[email protected]>

rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml

@@ -8,7 +8,7 @@ related:
     - id: 9f22ccd5-a435-453b-af96-bf99cbb594d4
       type: similar
 status: experimental
-description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these API to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
+description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)

rules/windows/image_load/image_load_credui_uncommon_process_load.yml

@@ -1,7 +1,7 @@
-title: CredUI.DLL Load By Uncommon Process
+title: CredUI.DLL Loaded By Uncommon Process
 id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 status: experimental
-description: Detects load of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
+description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
 references:
     - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password

rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml

@@ -4,7 +4,7 @@ related:
     - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
       type: similar
 status: experimental
-description: Detects use of WinAPI Functions in PowerShell scripts
+description: Detects use of WinAPI functions in PowerShell scripts
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community

rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml

@@ -17,7 +17,7 @@ detection:
         - Image|endswith: '\curl.exe'
         - OriginalFileName: 'curl.exe'
     selection_header:
-        CommandLine|re: '\s-H\s' # Must be Regex as its case sensitive
+        CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
         CommandLine|contains: 'User-Agent:'
     condition: all of selection_*
 falsepositives:

rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml

@@ -1,7 +1,7 @@
-title: Suspicious File Download From Direct IP Via Curl.EXE
+title: Suspicious File Download From IP Via Curl.EXE
 id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
 status: experimental
-description: Detects potential suspicious file download from direct ip domains using curl.exe
+description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
 references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
     - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
@@ -27,34 +27,34 @@ detection:
             - '--output'
     selection_ext:
         CommandLine|endswith:
-            - ".ps1"
+            - '.ps1'
             - ".ps1'"
             - '.ps1"'
-            - ".dat"
+            - '.dat'
             - ".dat'"
             - '.dat"'
-            - ".msi"
+            - '.msi'
             - ".msi'"
             - '.msi"'
-            - ".bat"
+            - '.bat'
             - ".bat'"
             - '.bat"'
-            - ".exe"
+            - '.exe'
             - ".exe'"
             - '.exe"'
-            - ".vbs"
+            - '.vbs'
             - ".vbs'"
             - '.vbs"'
-            - ".vbe"
+            - '.vbe'
             - ".vbe'"
             - '.vbe"'
-            - ".hta"
+            - '.hta'
             - ".hta'"
             - '.hta"'
-            - ".dll"
+            - '.dll'
             - ".dll'"
             - '.dll"'
-            - ".psm1"
+            - '.psm1'
             - ".psm1'"
             - '.psm1"'
     condition: all of selection_*

rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml

@@ -1,7 +1,7 @@
 title: Suspicious File Download From File Sharing Domain Via Curl.EXE
 id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
 status: experimental
-description: Detects potential suspicious file download from file sharing domains using curl.exe
+description: Detects potentially suspicious file download from file sharing domains using curl.exe
 references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
     - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv

rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml

@@ -1,7 +1,7 @@
 title: Insecure Proxy/DOH Transfer Via Curl.EXE
 id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
 status: experimental
-description: Detects execution of "curl.exe" with the "insecure" flag over Proxy or DOH.
+description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
 references:
     - https://curl.se/docs/manpage.html
 author: Nasreddine Bencherchali (Nextron Systems)

rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml

@@ -4,7 +4,7 @@ related:
     - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
       type: derived
 status: experimental
-description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potential suspicious location to run for a specific VM state
+description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
 references:
     - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
 author: Nasreddine Bencherchali (Nextron Systems)

rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml

@@ -1,7 +1,7 @@
-title: Suspicious File Download From Direct IP Via Wget.EXE
+title: Suspicious File Download From IP Via Wget.EXE
 id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35
 status: experimental
-description: Detects potential suspicious file download from direct ip domains using Wget.exe
+description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
 references:
     - https://www.gnu.org/software/wget/manual/wget.html
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -24,34 +24,34 @@ detection:
         - CommandLine|contains: '--output-document'
     selection_ext:
         CommandLine|endswith:
-            - ".ps1"
+            - '.ps1'
             - ".ps1'"
             - '.ps1"'
-            - ".dat"
+            - '.dat'
             - ".dat'"
             - '.dat"'
-            - ".msi"
+            - '.msi'
             - ".msi'"
             - '.msi"'
-            - ".bat"
+            - '.bat'
             - ".bat'"
             - '.bat"'
-            - ".exe"
+            - '.exe'
             - ".exe'"
             - '.exe"'
-            - ".vbs"
+            - '.vbs'
             - ".vbs'"
             - '.vbs"'
-            - ".vbe"
+            - '.vbe'
             - ".vbe'"
             - '.vbe"'
-            - ".hta"
+            - '.hta'
             - ".hta'"
             - '.hta"'
-            - ".dll"
+            - '.dll'
             - ".dll'"
             - '.dll"'
-            - ".psm1"
+            - '.psm1'
             - ".psm1'"
             - '.psm1"'
     condition: all of selection_*

rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml

@@ -1,7 +1,7 @@
 title: Suspicious File Download From File Sharing Domain Via Wget.EXE
 id: a0d7e4d2-bede-4141-8896-bc6e237e977c
 status: experimental
-description: Detects potential suspicious file download from file sharing domains using wget.exe
+description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
 references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
     - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
@@ -48,34 +48,34 @@ detection:
         - CommandLine|contains: '--output-document'
     selection_ext:
         CommandLine|endswith:
-            - ".ps1"
+            - '.ps1'
             - ".ps1'"
             - '.ps1"'
-            - ".dat"
+            - '.dat'
             - ".dat'"
             - '.dat"'
-            - ".msi"
+            - '.msi'
             - ".msi'"
             - '.msi"'
-            - ".bat"
+            - '.bat'
             - ".bat'"
             - '.bat"'
-            - ".exe"
+            - '.exe'
             - ".exe'"
             - '.exe"'
-            - ".vbs"
+            - '.vbs'
             - ".vbs'"
             - '.vbs"'
-            - ".vbe"
+            - '.vbe'
             - ".vbe'"
             - '.vbe"'
-            - ".hta"
+            - '.hta'
             - ".hta'"
             - '.hta"'
-            - ".dll"
+            - '.dll'
             - ".dll'"
             - '.dll"'
-            - ".psm1"
+            - '.psm1'
             - ".psm1'"
             - '.psm1"'
     condition: all of selection_*