joesecurity · mgmacias95 · Jan 21, 2021 · Jan 26, 2021
diff --git a/rules/filedroppedbyeqnedt32exe.yml b/rules/filedroppedbyeqnedt32exe.yml
@@ -15,11 +15,11 @@ detection:
         EventID: 11
         Image: '*\EQUATION\EQNEDT32.EXE*'
         TargetFilename:
-			- '*\\*.exe*'
-			- '*\\*.dll*'
-			- '*\\*.vbs*'
-			- '*\\*.js*'
-			- '*\\*.hta*'
-			- '*\\*.bat*'
+            - '*\\*.exe*'
+            - '*\\*.dll*'
+            - '*\\*.vbs*'
+            - '*\\*.js*'
+            - '*\\*.hta*'
+            - '*\\*.bat*'
     condition: selection
 level: critical
diff --git a/rules/get2downloader.yml b/rules/get2downloader.yml
@@ -3,7 +3,7 @@ status: experimental
 description: Get2 downloader associated with TA505
 author: Joe Security
 references:
-    -https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
+    - https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
 id: 200003
 threatname: Get2Downloader
 behaviorgroup: 2

diff --git a/rules/koadicpostexploitationrootkit.yml b/rules/koadicpostexploitationrootkit.yml
@@ -13,9 +13,9 @@ logsource:
       category: process_creation
       product: windows
 detection:
-      selection:      
+      selection:
           CommandLine:
-              - *chcp 437 & schtasks /query /tn K0adic*
-              - *chcp 437 & schtasks /create /tn K0adic*
+              - '*chcp 437 & schtasks /query /tn K0adic*'
+              - '*chcp 437 & schtasks /create /tn K0adic*'
       condition: selection
 level: critical
diff --git a/rules/nanocore.yml b/rules/nanocore.yml
@@ -13,6 +13,6 @@ logsource:
 detection:
     selection:
         EventID: 11
-        TargetFilename: '*\AppData\Roaming\\*-*-*-*-*\run.dat*'			
+        TargetFilename: '*\AppData\Roaming\\*-*-*-*-*\run.dat*'
     condition: selection
 level: critical
diff --git a/rules/powershelldownloadingfilefromurlshortenersite.yml b/rules/powershelldownloadingfilefromurlshortenersite.yml
@@ -13,7 +13,7 @@ logsource:
       category: process_creation
       product: windows
 detection:
-      selection:      
+      selection:
           CommandLine:
               - '*powershell*downloadfile*/tinyurl.*'
               - '*powershell*downloadfile*/bitly.*'
@@ -25,11 +25,11 @@ detection:
               - '*powershell*new-object net.*https://shorturl.*'
               - '*powershell*new-object net.*https://rebrandly.*'
               - '*powershell*new-object net.*https://cutt.*'
-              - '*powershell*net.web*https://tinyurl.*
-              - '*powershell*net.web*https://bitly.*
-              - '*powershell*net.web*https://shorturl.*
-              - '*powershell*net.web*https://rebrandly.*
+              - '*powershell*net.web*https://tinyurl.*'
+              - '*powershell*net.web*https://bitly.*'
+              - '*powershell*net.web*https://shorturl.*'
+              - '*powershell*net.web*https://rebrandly.*'
               - '*powershell*net.web*https://cutt.*'
-          
+
       condition: selection
 level: critical
diff --git a/rules/powershelllaunchregsvr32.yml b/rules/powershelllaunchregsvr32.yml
@@ -4,7 +4,7 @@ description: Powershell launch regsvr32
 author: Joe Security
 date: 2020-03-10
 id: 200062
-threatname: 
+threatname:
 behaviorgroup: 7
 classification: 8
 mitreattack:
@@ -13,8 +13,8 @@ logsource:
       category: process_creation
       product: windows
 detection:
-      selection:      
+      selection:
           CommandLine:
-              - *powershell*regsvr32*
+              - '*powershell*regsvr32*'
       condition: selection
 level: critical
diff --git a/rules/powershellsleepandlaunchexecutable.yml b/rules/powershellsleepandlaunchexecutable.yml
@@ -4,7 +4,7 @@ description: Powershell sleep and launch executable
 author: Joe Security
 date: 2020-03-17
 id: 200065
-threatname: 
+threatname:
 behaviorgroup: 5
 classification: 8
 mitreattack:
@@ -13,8 +13,8 @@ logsource:
       category: process_creation
       product: windows
 detection:
-      selection:      
+      selection:
           CommandLine:
-              - *powershell -c sleep -s *;saps *.exe*
+              - '*powershell -c sleep -s *;saps *.exe*'
       condition: selection
 level: critical
diff --git a/rules/remcos.yml b/rules/remcos.yml
@@ -15,10 +15,10 @@ detection:
         EventID: 11
         TargetFilename:
             - '*\AppData\Roaming\remcos\logs*.dat*'
-		    
+
     selection1:
         EventID: 13
         TargetObject:
-            - '*\Software\Remcos*exepath*'		
+            - '*\Software\Remcos*exepath*'
     condition: selection or selection1
 level: critical
diff --git a/rules/shedulehiddenpowershellscript.yml b/rules/shedulehiddenpowershellscript.yml
@@ -4,7 +4,7 @@ description: Shedule hidden powershell script
 author: Joe Security
 date: 2020-03-12
 id: 200063
-threatname: 
+threatname:
 behaviorgroup: 2
 classification: 8
 mitreattack:
@@ -13,8 +13,8 @@ logsource:
       category: process_creation
       product: windows
 detection:
-      selection:      
+      selection:
           CommandLine:
-              - *schtasks.exe*/create*powershell*hidden*
+              - '*schtasks.exe*/create*powershell*hidden*'
       condition: selection
 level: critical
diff --git a/rules/wscriptdownloadfileintotemplocationfromwordpresssite.yml b/rules/wscriptdownloadfileintotemplocationfromwordpresssite.yml
@@ -4,7 +4,7 @@ description: Wscript download file into temp location from wordpress site
 author: Joe Security
 date: 2020-03-10
 id: 200061
-threatname: 
+threatname:
 behaviorgroup: 10
 classification: 1
 mitreattack:
@@ -13,8 +13,8 @@ logsource:
       category: process_creation
       product: windows
 detection:
-      selection:      
+      selection:
           CommandLine:
-              - *cmd /c wscript.exe *\AppData\Local\Temp*/wp-data/*              
+              - '*cmd /c wscript.exe *\AppData\Local\Temp*/wp-data/*'
       condition: selection
 level: critical