fix: wording
phantinuss authored Oct 2, 2023
1 parent db1e228 commit 3cf23e8
Showing 15 changed files with 19 additions and 19 deletions.
Expand Up @@ -4,7 +4,7 @@ related:
- id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
type: similar
status: experimental
description: Detects DNS queries to "ufile.io". Which was seen abused by malware and threat actor as a method for data exfiltration
description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
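Review bot: the relative clause is now grammatical, but "seen abused by malware and threat actors" is broader than the single Diavol ransomware report cited under references; consider naming the case, e.g. "seen used for data exfiltration by Diavol ransomware (see reference)", so an analyst knows which incident backs the rule.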
@@ -1,7 +1,7 @@
title: Windows Update Error
id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59
status: stable
description: Detects windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KB aren't installed.
description: Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KB aren't installed.
author: frack113
date: 2021/12/04
modified: 2023/09/07
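Review bot: the last sentence still has a number-agreement problem that this wording pass should catch: "in case critical update KB aren't installed" should read "in case critical update KBs are not installed" (or "in case critical updates fail to install"). The capitalisation fix of "Windows" is fine.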
@@ -1,7 +1,7 @@
title: DNS Server Discovery Via LDAP Query
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
status: experimental
description: Detect DNS server discovery via LDAP query requests from uncommon applications
description: Detects DNS server discovery via LDAP query requests from uncommon applications
references:
- https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
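Review bot: "LDAP query requests" is redundant, since an LDAP query is already a request; "via LDAP queries from uncommon applications" reads cleaner and matches the title "DNS Server Discovery Via LDAP Query".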
@@ -1,4 +1,4 @@
title: TeamViewer Domain Query By Non TeamViewer Application
title: TeamViewer Domain Query By Non-TeamViewer Application
id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e
status: test
description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
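Review bot: the title hyphenation is right, but the unchanged description line keeps the awkward double "by": "DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer". Since this is a wording commit, suggest "Detects DNS queries to a TeamViewer domain, normally only resolved by the TeamViewer client, issued by an image that is not named TeamViewer (sometimes used by threat actors for obfuscation)".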
2 changes: 1 addition & 1 deletion rules/windows/dns_query/dns_query_win_ufile_io_query.yml
Expand Up @@ -4,7 +4,7 @@ related:
- id: 090ffaad-c01a-4879-850c-6d57da98452d
type: similar
status: experimental
description: Detects DNS queries to "ufile.io". Which was seen abused by malware and threat actor as a method for data exfiltration
description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: yatinwad, TheDFIRReport
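Review bot: this description is now word-for-word identical to the one in the rule it lists as `type: similar` (090ffaad-c01a-4879-850c-6d57da98452d); a short phrase stating what distinguishes the two (this file's name suggests the DNS query log source) would help an analyst who sees both rules fire on the same host.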
@@ -1,7 +1,7 @@
title: Malicious Driver Load By Name
id: 39b64854-5497-4b57-a448-40977b8c9679
status: experimental
description: Detects the load of known malicious drivers via their names only..
description: Detects the load of known malicious drivers via their names only.
references:
- https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
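Review bot: the double period is fixed, but "via their names only" is vague about what is matched; the detection lists file names such as '\daxin_blank4.sys', so "by file name only" states it precisely. The description also says "malicious drivers" while the falsepositives section below speaks of "vulnerable driver names"; loldrivers.io covers both categories, so either pick one term or write "malicious or vulnerable drivers".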
Expand Down Expand Up @@ -87,6 +87,6 @@ detection:
- '\daxin_blank4.sys'
condition: selection
falsepositives:
- False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
- False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non-vulnerable version.
- If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
level: medium
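Review bot: "if one of the vulnerable driver names mentioned above didn't change its name between versions" still says a name changes its name; suggest "if a legitimate, non-vulnerable version of a driver listed above ships under the same file name as the vulnerable one". In the second bullet, "comment the driver name" should be "comment out the driver name"; the "non-vulnerable" hyphen fix is correct.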
Expand Up @@ -4,7 +4,7 @@ related:
- id: 3a525307-d100-48ae-b3b9-0964699d7f97
type: similar
status: experimental
description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determin the source of the crash.
description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
references:
- https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
author: Nasreddine Bencherchali (Nextron Systems)
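Review bot: "such as "cmd", "powershell", etc." doubles up two example markers; drop either the "etc." or the "such as". The typo fixes ("a a", "determin") look right.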
Expand All @@ -29,5 +29,5 @@ detection:
- '.hdmp'
condition: selection
falsepositives:
- Some admin PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
- Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
level: medium
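Review bot: "VB scripts" is ambiguous between VBScript and Visual Basic; if the false positive in mind is cscript/wscript running .vbs files, "VBScript" is clearer. The clause "move them to other folders which might trigger a false positive" also wants a comma before "which", since it is the whole behaviour, not the folders, that triggers the rule.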
@@ -1,7 +1,7 @@
title: DLL Load By System Process From Suspicious Locations
id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
status: experimental
description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious or under privileged location such as "C:\Users\Public"
description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
author: Nasreddine Bencherchali (Nextron Systems)
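Review bot: "a location with permissive permissions" is tautological; the property that matters for a DLL hijack into a system process is that non-administrators can write there, so "a user-writable location such as "C:\Users\Public"" says it directly. Also "i.e." should be "e.g.", since system32 and syswow64 are examples of system locations rather than a definition.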
@@ -1,7 +1,7 @@
title: Python Image Load By Non Python Process
title: Python Image Load By Non-Python Process
id: cbb56d62-4060-40f7-9466-d8aaf3123f83
status: experimental
description: Detects the image load of Python Core by a non python process. Might be indicative of a Python script bundled with Py2Exe.
description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.
references:
- https://www.py2exe.org/
- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
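Review bot: quoting "Python Core" reads as a literal string rather than a file name; if the rule keys on the file-description string of the Python runtime DLL, say so ("the Python runtime DLL, file description "Python Core"") so the reader does not look for a file by that name. Py2Exe is one bundler; PyInstaller-built executables produce the same image load from a non-Python process, so "a bundler such as Py2Exe" would avoid over-narrowing.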
@@ -1,7 +1,7 @@
title: PowerShell Initiated Network Connection
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: experimental
description: Detects a Powershell process that initiate a network connections. Check for suspicious target ports and target systems.
description: Detects a PowerShell process that initiates network connections. Check for suspicious target ports and target systems.
references:
- https://www.youtube.com/watch?v=DLtJTxMWZ2o
author: Florian Roth (Nextron Systems)
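Review bot: the only reference is a video link; for a rule still marked experimental, a written source (documentation or a report showing PowerShell-initiated C2 traffic) would be easier for a reviewer to verify than a YouTube URL.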
@@ -1,7 +1,7 @@
title: Python Initiated Connection
id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
status: experimental
description: Detects a python process intitating a network connection. While this often related to package installation, it can also indicate a potential malicious scripts communicating with a C&C server.
description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
- https://pypi.org/project/scapy/
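Review bot: "a potential malicious script" still doubles the hedge already carried by "can also indicate"; "it can also indicate a malicious script communicating with a command-and-control (C&C) server" is enough.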
Expand Up @@ -4,7 +4,7 @@ related:
- id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
type: derived
status: test
description: Detects execution of chromium based browser in headless mode
description: Detects execution of Chromium based browser in headless mode
references:
- https://twitter.com/mrd0x/status/1478234484881436672?s=12
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
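Review bot: this commit hyphenates compound modifiers elsewhere ("Non-TeamViewer", "Non-Python"), so for consistency "Chromium based browser" should become "Chromium-based browser"; capitalising Chromium alone leaves the line half-fixed.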
Expand Up @@ -4,7 +4,7 @@ related:
- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
type: derived
status: test
description: Detects uncommon or suspicious child process of "eventvwr.exe" which might indicate a UAC bypass attempt
description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
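Review bot: the plural fix is right; "child processes of "eventvwr.exe" which might indicate a UAC bypass attempt" wants a comma before "which" (non-restrictive clause), or "that" if only the listed children are meant.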
Expand Up @@ -2,8 +2,8 @@ title: WebDav Client Execution Via Rundll32.EXE
id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
status: test
description: |
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie.
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/17
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md
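Review bot: the quotation marks around the rundll32 argument help, but "WebDav" appears in the title, in "use of WebDav" and in "WebDav server" while the protocol is spelled "WebDAV"; normalise the spelling in the description, and then the title for consistency.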
2 changes: 1 addition & 1 deletion rules/windows/sysmon/sysmon_file_block_executable.yml
@@ -1,7 +1,7 @@
title: Sysmon Blocked Executable
id: 23b71bc5-953e-4971-be4c-c896cda73fc2
status: experimental
description: Triggers on any Sysmon "FileBlockExecutable" event. Which should indicates a violation of the block policy set
description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
references:
- https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
author: Nasreddine Bencherchali (Nextron Systems)
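Review bot: the rewording reads well; since the reference is the Sysmon 14.0 write-up, the description could state that the FileBlockExecutable event only exists from Sysmon 14.0 onward, which tells a reader why older deployments never fire this rule.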
