Fix lint indentation

SigmaHQ · Nov 30, 2023 · dc170a5 · dc170a5
1 parent 15972bb
commit dc170a5
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 64 deletions.
diff --git a/...threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/...threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
@@ -2,43 +2,43 @@ title: Invocation Of Crypto-classes From The "Cryptography" PowerShell Namespace
 id: ad856965-f44d-42a8-945e-bbf7bd03d05a
 status: experimental
 description: |
-  The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
-  This analytic detects the invocation of said classes that can be used for e.g. decrypting malicious payload for defense evasion.
+    The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+    This analytic detects the invocation of said classes that can be used for e.g. decrypting malicious payload for defense evasion.
 references:
-  - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
-  - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
-  - https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
+    - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
+    - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
+    - https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
 author: Andreas Braathen (mnemonic.io)
 date: 2023/12/01
 modified: 2023/12/01
 tags:
-  - attack.defense_evasion
-  - attack.t1059.001
-  - attack.t1027.010
-  - detection.threat_hunting
+    - attack.defense_evasion
+    - attack.t1059.001
+    - attack.t1027.010
+    - detection.threat_hunting
 logsource:
-  product: windows
-  category: process_creation
+    product: windows
+    category: process_creation
 detection:
-  selection_img:
-    - Image|endswith:
-      - '\powershell.exe'
-      - '\pwsh.exe'
-    - OriginalFileName:
-      - 'PowerShell.EXE'
-      - 'pwsh.dll'
-  selection_cmdlet_namespace:
-    CommandLine|contains: 'System.Security.Cryptography.'
-  selection_cmdlet_classes:
-    CommandLine|contains:
-      - '.AesCryptoServiceProvider'
-      - '.RSACryptoServiceProvider'
-      - '.TripleDESCryptoServiceProvider'
-      - '.RC2CryptoServiceProvider'
-      - '.DSACryptoServiceProvider'
-      - '.DESCryptoServiceProvider'
-      - '.Rijndael'
-  condition: all of selection_*
+    selection_img:
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+    selection_cmdlet_namespace:
+        CommandLine|contains: 'System.Security.Cryptography.'
+    selection_cmdlet_classes:
+        CommandLine|contains:
+            - '.AesCryptoServiceProvider'
+            - '.RSACryptoServiceProvider'
+            - '.TripleDESCryptoServiceProvider'
+            - '.RC2CryptoServiceProvider'
+            - '.DSACryptoServiceProvider'
+            - '.DESCryptoServiceProvider'
+            - '.Rijndael'
+    condition: all of selection_*
 falsepositives:
-  - Classes are legitimately used, but less so when e.g. parent with low prevalence or decryption of content in temporary folders.
+    - Classes are legitimately used, but less so when e.g. parent with low prevalence or decryption of content in temporary folders.
 level: medium
diff --git a/...threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/...threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -2,45 +2,45 @@ title: Registry creation with Crypto-classes From The "Cryptography" PowerShell
 id: 1c2a3268-3881-414a-80af-a5b313b14c0e
 status: experimental
 description: |
-  The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
-  This analytic detects creation of registry runkeys with said classes that can be used for e.g. decrypting malicious payload for defense evasion.
+    The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+    This analytic detects creation of registry runkeys with said classes that can be used for e.g. decrypting malicious payload for defense evasion.
 references:
-  - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
-  - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
+    - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
+    - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
 author: Andreas Braathen (mnemonic.io)
 date: 2023/12/01
 modified: 2023/12/01
 tags:
-  - attack.defense_evasion
-  - attack.t1059.001
-  - attack.t1027.010
-  - attack.t1547.001
-  - detection.threat_hunting
+    - attack.defense_evasion
+    - attack.t1059.001
+    - attack.t1027.010
+    - attack.t1547.001
+    - detection.threat_hunting
 logsource:
-  product: windows
-  category: registry_set
+    product: windows
+    category: registry_set
 detection:
-  selection_key:
-    EventType: SetValue
-    TargetObject|contains:
-      - '\Shell\Open\Command'
-  selection_value_img:
-    Details|contains:
-      - 'powershell'
-      - 'pwsh'
-  selection_value_namespace:
-    Details|contains:
-      - 'System.Security.Cryptography.'
-  selection_value_classes:
-    Details|contains:
-      - '.AesCryptoServiceProvider'
-      - '.RSACryptoServiceProvider'
-      - '.TripleDESCryptoServiceProvider'
-      - '.RC2CryptoServiceProvider'
-      - '.DSACryptoServiceProvider'
-      - '.DESCryptoServiceProvider'
-      - '.Rijndael'
-  condition: all of selection_*
+    selection_key:
+        EventType: SetValue
+        TargetObject|contains:
+            - '\Shell\Open\Command'
+    selection_value_img:
+        Details|contains:
+            - 'powershell'
+            - 'pwsh'
+    selection_value_namespace:
+        Details|contains:
+            - 'System.Security.Cryptography.'
+    selection_value_classes:
+        Details|contains:
+            - '.AesCryptoServiceProvider'
+            - '.RSACryptoServiceProvider'
+            - '.TripleDESCryptoServiceProvider'
+            - '.RC2CryptoServiceProvider'
+            - '.DSACryptoServiceProvider'
+            - '.DESCryptoServiceProvider'
+            - '.Rijndael'
+    condition: all of selection_*
 falsepositives:
-  - Classes are legitimately used, but less so when e.g. parent with low prevalence or decryption of content in temporary folders.
+    - Classes are legitimately used, but less so when e.g. parent with low prevalence or decryption of content in temporary folders.
 level: medium