Merge pull request SigmaHQ#1358 from jaegeral/spelling
fixed various spelling errors all over rules and source code
Neo23x0 authored Feb 24, 2021
2 parents e248012 + e1f43f1 commit 767e2ad
Showing 80 changed files with 86 additions and 86 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -32,7 +32,7 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec

# Use Cases

* Describe your detection method in Sigma to make it sharable
* Describe your detection method in Sigma to make it shareable
* Write your SIEM searches in Sigma to avoid a vendor lock-in
* Share the signature in the appendix of your analysis along with IOCs and YARA rules
* Share the signature in threat intel communities - e.g. via MISP
Expand Down Expand Up @@ -64,7 +64,7 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2

## Rule Usage

1. Download or clone the respository
1. Download or clone the repository
2. Check the `./rules` sub directory for an overview on the rule base
3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml`
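Review bot: the paths in step 4 are inconsistent with step 3. Step 3 says to run from `./tools`, and `./sigmac` is relative to that folder, but `tools/config/generic/sysmon.yml` and `./rules/windows/process_creation/win_susp_whoami.yml` are relative to the repository root, so the command as written fails from either directory. Either run everything from the repository root (`./tools/sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml`) or make all three paths relative to `./tools`.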
Expand Down Expand Up @@ -137,7 +137,7 @@ optional arguments:
--config CONFIG, -c CONFIG
Configurations with field name and index mapping for
target environment. Multiple configurations are merged
into one. Last config is authorative in case of
into one. Last config is authoritative in case of
conflicts.
--output OUTPUT, -o OUTPUT
Output file or filename prefix if multiple files are
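Review bot: this block is captured `--help` output, so the fix to "authoritative" should also be applied to the argparse help string in the sigmac source it was copied from; otherwise the README and the tool's own help drift apart the next time someone pastes the output. The corresponding source change is not visible in this excerpt of the diff.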
2 changes: 1 addition & 1 deletion contrib/sigma2sumologic.py
Expand Up @@ -218,7 +218,7 @@ def get_rule_as_sumologic(file):
except Exception as e:
if args.debug:
traceback.print_exc()
logger.exception("error seaching sumo " + str(file) + "----" + str(e))
logger.exception("error searching sumo " + str(file) + "----" + str(e))
with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error.txt'), "w") as f:
# f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
f.write(" ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
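Review bot: `logger.exception(...)` already records the stack trace, so the `traceback.print_exc()` guarded by `args.debug` prints the same trace a second time; drop it or downgrade it to `logger.debug`. While touching this line, prefer lazy formatting over string concatenation (`logger.exception("error searching sumo %s ---- %s", file, e)`), and remove the commented-out `f.write(json.dumps(r, ...))` line rather than leaving dead code next to the live call.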
2 changes: 1 addition & 1 deletion rules/cloud/aws_ec2_startup_script_change.yml
@@ -1,7 +1,7 @@
title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: experimental
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
author: faloker
date: 2020/02/12
modified: 2020/09/01
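Review bot: the description's "every time the specific instances are booted up" is wrong for the default case. EC2 user data runs once, at first boot, unless persistence is explicitly configured (cloud-init's `scripts-user` module set to `always` on Linux, `<persist>true</persist>` on Windows), and on Linux it runs as root rather than SYSTEM. Suggest rewording to "executed with root (Linux) or SYSTEM (Windows) privileges at boot, once by default or on every boot if persistence is enabled", which also states why a change to this attribute is worth alerting on.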
2 changes: 1 addition & 1 deletion rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
Expand Up @@ -2,7 +2,7 @@ title: Modification of ld.so.preload
id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
status: experimental
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
2 changes: 1 addition & 1 deletion rules/linux/auditd/lnx_auditd_web_rce.yml
@@ -1,7 +1,7 @@
title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: experimental
description: Detects posible command execution by web application/web shell
description: Detects possible command execution by web application/web shell
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019/10/12
modified: 2019/11/04
2 changes: 1 addition & 1 deletion rules/linux/lnx_buffer_overflows.yml
Expand Up @@ -16,5 +16,5 @@ detection:
- 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
condition: keywords
falsepositives:
- Unkown
- Unknown
level: high
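Review bot: a bare keyword consisting of a run of "A" characters at `level: high` with `falsepositives: Unknown` is thin documentation for a rule that will fire on benign data. Long "A" runs occur legitimately in base64 blobs (`AAAA` is the encoding of three zero bytes) and in padded fields written to logs, so at minimum list those as known false positives and consider whether `medium` is the more honest level.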
2 changes: 1 addition & 1 deletion rules/linux/lnx_file_or_folder_permissions.yml
Expand Up @@ -17,7 +17,7 @@ detection:
- 'chown'
condition: selection
falsepositives:
- User interracting with files permissions (normal/daily behaviour)
- User interacting with files permissions (normal/daily behaviour)
level: low
tags:
- attack.defense_evasion
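Review bot: the corrected line still reads "files permissions"; it should be "file permissions" ("User interacting with file permissions (normal/daily behaviour)"). Also, `chown` in the selection changes ownership rather than permissions, so the false-positive text (and the rule's wording generally) should say "permissions or ownership" if both are intended.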
2 changes: 1 addition & 1 deletion rules/linux/lnx_shell_susp_rev_shells.yml
@@ -1,7 +1,7 @@
title: Suspicious Reverse Shell Command Line
id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
status: experimental
description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
author: Florian Roth
date: 2019/04/02
references:
2 changes: 1 addition & 1 deletion rules/proxy/proxy_ua_apt.yml
Expand Up @@ -44,7 +44,7 @@ detection:
- 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o
- 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
- 'hots scot' # Unkown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
- 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
- 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
- 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
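Review bot: the KerrDown entry in this hunk cites a goo.gl short link (`https://goo.gl/s2WU6o`); shortened links hide the destination and rot, so replace it with the resolved URL so the source of that user-agent pattern stays verifiable.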
2 changes: 1 addition & 1 deletion rules/proxy/proxy_ua_frameworks.yml
@@ -1,7 +1,7 @@
title: Exploit Framework User Agent
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
status: experimental
description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
2 changes: 1 addition & 1 deletion rules/proxy/proxy_ua_hacktool.yml
Expand Up @@ -13,7 +13,7 @@ logsource:
detection:
selection:
c-useragent:
# Vulnerbility scanner and brute force tools
# Vulnerability scanner and brute force tools
- '*(hydra)*'
- '* arachni/*'
- '* BFAC *'
Original file line number Diff line number Diff line change
Expand Up @@ -25,5 +25,5 @@ detection:
- '89e95b76-444d-4c62-991a-0facbeda640c'
condition: selection
falsepositives:
- New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.
- New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
level: critical
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_global_catalog_enumeration.yml
@@ -1,5 +1,5 @@
title: Enumeration via the Global Catalog
description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width.
description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.
author: Chakib Gzenayi (@Chak092), Hosni Mribah
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
date: 2020/05/11
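Review bot: the corrected description still contains "others AD reconnaissance tools" (should be "other") and "domain width" (should be "domain size"), and "Threshold" need not be capitalised mid-sentence. Separately, this rule has no `status:` field and places `description` before `id`, while the other rules in this diff follow title, id, status, description; align the field order with them.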
Original file line number Diff line number Diff line change
Expand Up @@ -23,5 +23,5 @@ fields:
- UserName
- SubjectAccountName
falsepositives:
- Unkown
- Unknown
level: high
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_ntfs_vuln_exploit.yml
@@ -1,6 +1,6 @@
title: NTFS Vulnerability Exploitation
id: f14719ce-d3ab-4e25-9ce6-2899092260b0
description: This the exploitation of a NTFS vulnerabilty as reported without many details via Twitter
description: This the exploitation of a NTFS vulnerability as reported without many details via Twitter
author: Florian Roth
date: 2021/01/11
references:
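Review bot: the corrected description is still missing its verb: "This the exploitation of a NTFS vulnerability" should read "Detects the exploitation of an NTFS vulnerability ...". The rule also lacks a `status:` line between `id` and `description`, which the other rules in this diff carry.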
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,5 @@ detection:
LogonProcessName: 'User32LogonProcesss'
condition: selection
falsepositives:
- Unkown
- Unknown
level: critical
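Review bot: `LogonProcessName: 'User32LogonProcesss'` (three trailing "s") in the context above looks like another typo, but it must not be "corrected" in a spelling pass unless it is checked against a real event 4624: if Windows emits that literal string, changing it silently breaks the match. Please confirm against a live event and add a comment next to the value stating whether the spelling is intentional, so the next spelling sweep leaves it alone.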
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
title: Suspicious Windows ANONYMOUS LOGON Local Account Created
id: 1bbf25b9-8038-4154-a50b-118f2a32be27
status: experimental
description: Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
references:
- https://twitter.com/SBousseaden/status/1189469425482829824
author: James Pemberton / @4A616D6573
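Review bot: the corrected description still reads "Created as an covering detection" ("a covering"). Consider rewording the second sentence to "Created to cover the exclusion of Logon Type 3 events from ANONYMOUS LOGON accounts", which states the rule's purpose more plainly.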
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_susp_lsass_dump.yml
Expand Up @@ -20,5 +20,5 @@ detection:
ObjectType: 'SAM_DOMAIN'
condition: selection
falsepositives:
- Unkown
- Unknown
level: high
2 changes: 1 addition & 1 deletion rules/windows/builtin/win_susp_time_modification.yml
Expand Up @@ -7,7 +7,7 @@ references:
- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
- Live environment caused by malware
date: 2019/02/05
midified: 2020/01/27
modified: 2020/01/27
tags:
- attack.defense_evasion
- attack.t1099 # an old one
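Review bot: the `attack.t1099 # an old one` tag is a retired technique ID; ATT&CK moved Timestomp to sub-technique T1070.006, so add `attack.t1070.006` (keeping the old tag only if downstream tooling still expects it). Also, the first `references` entry is free text ("Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)") rather than a resolvable link; references are normally URLs, so move that remark into `description` or a YAML comment.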
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
title: Transfering Files with Credential Data via Network Shares
title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
description: Transfering files with well-known filenames (sensitive files with credential data) using network shares
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
references:
Expand Down Expand Up @@ -28,6 +28,6 @@ detection:
- '\security'
condition: selection
falsepositives:
- Transfering sensitive files for legitimate administration work by legitimate administrator
- Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
status: experimental
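Review bot: `status: experimental` sits after `level` here, whereas every other rule in this diff places it directly after `id`; move it up for consistency. The false-positive wording could also be tightened to "Legitimate administrators transferring sensitive files for administration work".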
Original file line number Diff line number Diff line change
Expand Up @@ -21,5 +21,5 @@ detection:
Keywords: '0x8010000000000000' #failure
condition: selection
falsepositives:
- Unkown
- Unknown
level: high
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ detection:
- '\AppData\Local\Temp\'
- '\Windows\Temp\'
# kind of ugly but sigmac seems not to handle double parenthesis "(("
# we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
# we should prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
condition: (selection_2 and selection_3 and not false_positives) or (selection_4 and selection_5 and not false_positives) or (selection_6 and not false_positives)
falsepositives:
- Legitimate administrator or developer creating legitimate executable files in a web application folder
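Review bot: the intended condition in the comment includes `selection_1`, but the actual `condition:` line never references it, so either `selection_1` is a dead definition or a required constraint is missing from the live condition; please confirm which before the rule ships. Also, Sigma's condition grammar binds `and` tighter than `or`, so the intended expression can be written without nested parentheses and without the "((" the comment says sigmac cannot handle: `selection_1 and not false_positives and (selection_2 and selection_3 or selection_4 and selection_5 or selection_6)`.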
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
title: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
title: Windows Management Instrumentation DLL Loaded Via Microsoft Word
id: a457f232-7df9-491d-898f-b5aabd2cbe2f
status: experimental
description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
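Review bot: the description under the corrected title still has "DLL's" for the plural; it should be "DLLs" ("Detects DLLs loaded via Word containing VBA macros executing WMI commands").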
2 changes: 1 addition & 1 deletion rules/windows/malware/mal_azorult_reg.yml
@@ -1,4 +1,4 @@
title: Registy Entries For Azorult Malware
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
description: Detects the presence of a registry key created during Azorult execution
status: experimental
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ detection:
filter:
- ContextInfo: 'powershell.exe'
- Message: 'powershell.exe'
# Both fields contain key=value pairs where the key HostApplication ist relevant but
# Both fields contain key=value pairs where the key HostApplication is relevant but
# can't be referred directly as event field.
condition: selection and not filter
falsepositives:
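Review bot: the two filter values carry no wildcards, so under Sigma's matching semantics `ContextInfo: 'powershell.exe'` and `Message: 'powershell.exe'` appear to be exact, full-field matches; since the comment says both fields hold key=value pairs, neither field can ever equal the bare string and the filter would never exclude anything. If substring matching is intended, use `ContextInfo|contains: 'powershell.exe'` (or `'*powershell.exe*'`), and bear in mind that a substring exclusion on `Message` is cheap to evade by embedding the string anywhere in the script block.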
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ author: Alec Costello
logsource:
product: windows
service: powershell
definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
detection:
keywords:
- Add-ConstrainedDelegationBackdoor
2 changes: 1 addition & 1 deletion rules/windows/process_creation/win_apt_ke3chang_regadd.yml
@@ -1,7 +1,7 @@
title: Ke3chang Registry Key Modifications
id: 7b544661-69fc-419f-9a59-82ccc328f205
status: experimental
description: Detects Registry modifcations performaed by Ke3chang malware in campaigns running in 2019 and 2020
description: Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
references:
- https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
2 changes: 1 addition & 1 deletion rules/windows/process_creation/win_bootconf_mod.yml
Expand Up @@ -3,7 +3,7 @@ id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive
technique.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
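Review bot: the description in the context above still reads "This tactic is sometimes used as by malware or an attacker"; drop the stray "as". The sentence also continues onto a second unquoted line, which is valid YAML plain-scalar folding, but quoting it or using a `>` folded scalar makes the intent explicit and avoids surprises if the indentation is ever touched.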
Original file line number Diff line number Diff line change
Expand Up @@ -24,5 +24,5 @@ fields:
- User
- Image
falsepositives:
- Scripts that shutdown the system immediatly and reboot them in safe mode are unlikely
- Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
level: critical
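Review bot: the corrected false-positive line still has two grammar slips: "Scripts that shutdown the system immediately and reboot them in safe mode" should be "Scripts that shut down the system immediately and reboot it into safe mode".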
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
title: Exploiting SetupComplete.cmd CVE-2019-1378
id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
status: experimental
description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378
description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
references:
- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
author: Florian Roth
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
title: Exploiting CVE-2019-1388
id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
status: experimental
description: Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
2 changes: 1 addition & 1 deletion rules/windows/process_creation/win_hh_chm.yml
Expand Up @@ -2,7 +2,7 @@ title: HH.exe Execution
id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84
description: Identifies usage of hh.exe executing recently modified .chm files.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community
author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
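Review bot: the Atomic Red Team reference path uses T1223, which ATT&CK retired when Compiled HTML File became sub-technique T1218.001; verify the link still resolves and, if the rule's tags (not shown in this hunk) still list `attack.t1223`, add `attack.t1218.001` alongside it.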
2 changes: 1 addition & 1 deletion rules/windows/process_creation/win_indirect_cmd.yml
Expand Up @@ -2,7 +2,7 @@ title: Indirect Command Execution
id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
2 changes: 1 addition & 1 deletion rules/windows/process_creation/win_interactive_at.yml
Expand Up @@ -2,7 +2,7 @@ title: Interactive AT Job
id: 60fc936d-2eb0-4543-8a13-911c750a1dfc
description: Detect an interactive AT job, which may be used as a form of privilege escalation
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
2 changes: 1 addition & 1 deletion rules/windows/process_creation/win_lsass_dump.yml
Expand Up @@ -2,7 +2,7 @@ title: LSASS Memory Dumping
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
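Review bot: the description says the same thing twice ("... memory space of lsass.exe, which contains sensitive credentials" followed by "... export the memory space of lsass.exe which contains sensitive credentials"); collapse it into one sentence, e.g. "Detects creation of memory dump files of lsass.exe, for example via Sysinternals procdump.exe, which exposes cached credentials."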
2 changes: 1 addition & 1 deletion rules/windows/process_creation/win_mshta_javascript.yml
Expand Up @@ -2,7 +2,7 @@ title: Mshta JavaScript Execution
id: 67f113fa-e23d-4271-befa-30113b3e08b1
description: Identifies suspicious mshta.exe commands
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2020/09/01
references:
Original file line number Diff line number Diff line change
Expand Up @@ -37,5 +37,5 @@ detection:
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
- Using installutil to add features for .NET applications (primarly would occur in developer environments)
- Using installutil to add features for .NET applications (primarily would occur in developer environments)
level: low
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ title: Audio Capture via PowerShell
id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
description: Detects audio capture via PowerShell Cmdlet
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ title: Discovery of a System Time
id: b243b280-65fe-48df-ba07-6ddea7646427
description: "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system."
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
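Review bot: the description in the context above still reads "query a systems time"; it should be "a system's time" (and the title would read better as "System Time Discovery").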
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ title: Audio Capture via SoundRecorder
id: 83865853-59aa-449e-9600-74b9d89a6d6e
description: Detect attacker collecting audio via SoundRecorder application
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
2 changes: 1 addition & 1 deletion rules/windows/process_creation/win_susp_conhost.yml
@@ -1,4 +1,4 @@
title: Conhost Parent Proces Executions
title: Conhost Parent Process Executions
id: 7dc2dedd-7603-461a-bc13-15803d132355
status: experimental
description: Detects the conhost execution as parent process. Can be used to evaded defense mechanism.
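Review bot: the description under the corrected title still reads "Can be used to evaded defense mechanism"; it should be "Can be used to evade defense mechanisms".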
2 changes: 1 addition & 1 deletion rules/windows/process_creation/win_susp_csc.yml
Expand Up @@ -27,5 +27,5 @@ detection:
- '*\mshta.exe'
condition: selection
falsepositives:
- Unkown
- Unknown
level: high
2 changes: 1 addition & 1 deletion rules/windows/process_creation/win_susp_execution_path.yml
@@ -1,7 +1,7 @@
title: Execution in Non-Executable Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: experimental
description: Detects a suspicious exection from an uncommon folder
description: Detects a suspicious execution from an uncommon folder
author: Florian Roth
date: 2019/01/16
tags:
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
title: MsiExec Web Install
id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
status: experimental
description: Detects suspicious msiexec process starts with web addreses as parameter
description: Detects suspicious msiexec process starts with web addresses as parameter
references:
- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
tags: