fixed lacked copy rule #28

Rules/SIGMA/other/win_wmi_persistence.ps1

@@ -1,19 +1,23 @@
+# Get-WinEvent -LogName Microsoft-Windows-WMI-Activity/Operational | where { ((($_.ID -eq "5861" -and ($_.message -match ".*ActiveScriptEventConsumer.*" -or $_.message -match ".*CommandLineEventConsumer.*" -or $_.message -match ".*CommandLineTemplate.*")) -or $_.ID -eq "5859")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Security | where { ($_.ID -eq "4662" -and $_.message -match "ObjectType.*WMI Namespace" -and $_.message -match "ObjectName.*.*subscription.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
 
 function Add-Rule {
     param (
         [bool] $isLiveAnalysis
     )
     $ruleName = "win_wmi_persistence";
-    $detectedMessage = "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs."
+    $detectedMessage = "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.";
 
     $detectRule = {
         function Search-DetectableEvents {
             param (
                 $event
             )
 
-            $result = $event |  where {((($_.ID -eq "5861" -and ($_.message -match ".*ActiveScriptEventConsumer.*" -or $_.message -match ".*CommandLineEventConsumer.*" -or $_.message -match ".*CommandLineTemplate.*")) -or $_.ID -eq "5859")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message Get-WinEvent -LogName Security | where {($_.ID -eq "4662" -and $_.message -match "ObjectType.*WMI Namespace" -and $_.message -match "ObjectName.*.*subscription.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
-            if ($result.Count -ne 0) {
+            $result = $event | where { ((($_.ID -eq "5861" -and ($_.message -match ".*ActiveScriptEventConsumer.*" -or $_.message -match ".*CommandLineEventConsumer.*" -or $_.message -match ".*CommandLineTemplate.*")) -or $_.ID -eq "5859")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+            $result2 = $event | where { ($_.ID -eq "4662" -and $_.message -match "ObjectType.*WMI Namespace" -and $_.message -match "ObjectName.*.*subscription.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+            if (($result.Count -ne 0) -or ($result2.Count -ne 0)) {
                 Write-Host
                 Write-Host "Detected! RuleName:$ruleName"  
                 Write-Host

Rules/SIGMA/process_creation/win_xsl_script_processing.ps1

@@ -5,15 +5,16 @@ function Add-Rule {
         [bool] $isLiveAnalysis
     )
     $ruleName = "win_xsl_script_processing";
-    $detectedMessage = "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries"
+    $detectedMessage = "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries";
 
     $detectRule = {
         function Search-DetectableEvents {
             param (
                 $event
             )
 
-            $result = $event | !firstpipe!
+            $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\wmic.exe" -and $_.message -match "CommandLine.*.*/format.*") -or $_.message -match "Image.*.*\msxsl.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
             if ($result.Count -ne 0) {
                 Write-Host
                 Write-Host "Detected! RuleName:$ruleName"