All Rules use 'TargetFilename' instead of 'TargetFileName'.

This commit fixes the incorrect spelling.
rkondracki · Jun 3, 2020 · 4ed5120 · 4ed5120
1 parent 0cbc099
commit 4ed5120
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 6 deletions.
diff --git a/other/godmode_sigma_rule.yml b/other/godmode_sigma_rule.yml
@@ -104,7 +104,7 @@ logsource:
 detection:
     selection_file_creation:
         EventID: 11
-        TargetFileName|contains: 
+        TargetFilename|contains: 
             - '.dmp'  # dump process memory
             - 'Desktop\how'  # Ransomware
             - 'Desktop\decrypt'  # Ransomware

diff --git a/rules-unsupported/sysmon_process_reimaging.yml b/rules-unsupported/sysmon_process_reimaging.yml
@@ -5,7 +5,7 @@ description: Detects process reimaging defense evasion technique
 # where
 #             selection1: ImageFileName != selection1: OriginalFileName
 #             selection1: ParentProcessGuid = selection2: ProcessGuid
-#             selection1: Image = selection2: TargetFileName
+#             selection1: Image = selection2: TargetFilename
 # and new field ImageFileName is coming from enrichment
 #             selection1: Image = ^.+\\<ImageFileName>$
 # Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
@@ -45,4 +45,4 @@ detection:
         EventID: 11
 fields:
     - ProcessGuid
-    - TargetFileName
+    - TargetFilename
diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml
@@ -29,5 +29,5 @@ logsource:
 detection:
     selection:
         EventID: 11
-        TargetFileName|contains: '*\lsass.dmp'
+        TargetFilename|contains: '*\lsass.dmp'
     condition: 1 of them
diff --git a/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/sysmon/sysmon_lsass_memory_dump_file_creation.yml
@@ -20,7 +20,7 @@ detection:
     condition: selection
 fields:
     - ComputerName
-    - TargetFileName
+    - TargetFilename
 falsepositives:
     - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
 level: medium

diff --git a/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml b/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml
@@ -11,7 +11,7 @@ detection:
     selection:
         EventID: 11
         Image: '*\mstsc.exe'
-        TargetFileName: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
+        TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
     condition: selection
 falsepositives:
     - unknown