From da8fcabe0cd43078a917ebddd0b5176013dcc9df Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 10 Nov 2021 19:49:25 +0100
Subject: [PATCH] Fix TargetFilename case
---
 ...ript_creation_by_office_using_file_ext.yml | 45 ++++++++++---------
 1 file changed, 23 insertions(+), 22 deletions(-)
diff --git a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml
index 107cdd31277..6c4745fe30a 100644
--- a/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml
+++ b/rules/windows/file_event/file_event_script_creation_by_office_using_file_ext.yml
@@ -13,29 +13,30 @@ tags:
 - attack.defense_evasion
 status: experimental
 date: 2021/08/23
+modified: 2021/11/10
 logsource:
- product: windows
- category: file_event
+ product: windows
+ category: file_event
 detection:
- #useful_information: Please add more file extensions to the logic of your choice.
- selection1:
- Image|endswith:
- - 'winword.exe'
- - 'excel.exe'
- - 'powerpnt.exe'
- selection2:
- TargetFileName|endswith:
- - ".exe"
- - ".dll"
- - ".ocx"
- - ".com"
- - ".ps1"
- - ".vbs"
- - ".sys"
- - ".bat"
- - ".scr"
- - ".proj"
- condition: selection1 and selection2
+ #useful_information: Please add more file extensions to the logic of your choice.
+ selection1:
+ Image|endswith:
+ - 'winword.exe'
+ - 'excel.exe'
+ - 'powerpnt.exe'
+ selection2:
+ TargetFilename|endswith:
+ - ".exe"
+ - ".dll"
+ - ".ocx"
+ - ".com"
+ - ".ps1"
+ - ".vbs"
+ - ".sys"
+ - ".bat"
+ - ".scr"
+ - ".proj"
+ condition: selection1 and selection2
 falsepositives:
-- Unknown
+ - Unknown
 level: high
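Review bot: The `Image|endswith` values in the new selection1 have no leading path separator, so the suffix match also fires on any process whose image name merely ends in those characters (for example a binary named `mywinword.exe`); this is unchanged by the commit but the block is being rewritten anyway. The usual Sigma convention for an image-name match is to anchor on the separator: `- '\winword.exe'`, `- '\excel.exe'`, `- '\powerpnt.exe'`. The rule's title, id and description sit above line 13 and are outside the hunk, so I cannot tell whether the description already notes the extension list is a starting point; if not, the `#useful_information` comment could be promoted to a `references`/description sentence so it survives converters that drop YAML comments.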