fix: test errors

nasbench · nasbench · commit 2883c2e71412 · 2023-03-07T14:23:44.000+01:00
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml b/rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml
@@ -24,7 +24,7 @@ detection:
         CommandLine|contains:
             - '.dmp'
             - '.dump'
-    condition: selection
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
@@ -26,7 +26,7 @@ detection:
             - 'findstr.exe lsass'
             - 'findstr "lsass'
             - 'findstr.exe "lsass'
-    condition: all of selection_finstr_* or selection_special
+    condition: all of selection_findstr_* or selection_special
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml
@@ -27,8 +27,7 @@ detection:
             - 'PowerShell.EXE'
             - 'pwsh.dll'
     selection_pwsh_cli:
-        CommandLine|contains:
-            - 'Get-ChildItem '
+        CommandLine|contains: 'Get-ChildItem '
     selection_findstr:
         - Image|endswith: '\findstr.exe'
         - OriginalFileName: 'FINDSTR.EXE'
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml
@@ -1,4 +1,4 @@
-title: Potential Product Reconnaissance Via Wmic.EXE
+title: Potential Product Class Reconnaissance Via Wmic.EXE
 id: e568650b-5dcd-4658-8f34-ded0b1e13992
 status: experimental
 description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
@@ -7,6 +7,7 @@ references:
     - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
 author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
 date: 2023/02/14
+modified: 2023/03/07
 tags:
     - attack.execution
     - attack.t1047
diff --git a/tests/test_rules.py b/tests/test_rules.py
@@ -945,8 +945,7 @@ def test_title(self):
                 faulty_rules.append(file)
             wrong_casing = []
             for word in title.split(" "):
-                #if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not "/" in word and not word[0].isdigit():
-                if word.islower() and not word.lower() in allowed_lowercase_words:
+                if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not "/" in word and not word[0].isdigit():
                     wrong_casing.append(word)
             if len(wrong_casing) > 0:
                 print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format(
