fix: small metadata updates

rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml

@@ -1,26 +1,23 @@
-title: Files And Subdirectories Listing Using Dir
+title: File Enumeration Via Dir Command
 id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
 status: test
-description: Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories
+description: |
+    Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
 author: frack113
 date: 2021/12/13
-modified: 2024/03/05
+modified: 2024/03/06
 tags:
     - attack.discovery
     - attack.t1217
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_dir:
-        CommandLine|contains: 'dir '
-    selection_cli_1:
-        CommandLine|contains|windash: ' -s'
-    selection_cli_2:
-        CommandLine|contains|windash: ' -b'
-    condition: all of selection_*
+    selection:
+        CommandLine|contains|windash: 'dir*-s'
+    condition: selection
 falsepositives:
-    - Unknown
+    - Likely
 level: low

rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml

@@ -1,12 +1,13 @@
-title: Suspicious Ping/Copy Command Combination
+title: Potentially Suspicious Ping/Copy Command Combination
 id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
 status: experimental
-description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware.
+description: |
+    Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
 references:
     - Internal Research
 author: X__Junior (Nextron Systems)
 date: 2023/07/18
-modified: 2024/03/05
+modified: 2024/03/06
 tags:
     - attack.defense_evasion
     - attack.t1070.004

rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml

@@ -1,7 +1,9 @@
 title: New Generic Credentials Added Via Cmdkey.EXE
 id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
 status: test
-description: Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.
+description: |
+    Detects usage of "cmdkey.exe" to add generic credentials.
+    As an example, this can be used before connecting to an RDP session via command line interface.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
@@ -17,12 +19,12 @@ detection:
     selection_img:
         - Image|endswith: '\cmdkey.exe'
         - OriginalFileName: 'cmdkey.exe'
-    selection_cli_1:
-        CommandLine|contains|windash: ' -g'
-    selection_cli_2:
-        CommandLine|contains|windash: ' -u'
-    selection_cli_3:
-        CommandLine|contains|windash: ' -p'
+    selection_cli_generic:
+        CommandLine|contains|windash: ' -g' # Generic
+    selection_cli_user:
+        CommandLine|contains|windash: ' -u' # User
+    selection_cli_password:
+        CommandLine|contains|windash: ' -p' # Password
     condition: all of selection_*
 falsepositives:
     - Legitimate usage for administration purposes

tests/sigma_cli_conf.yml

@@ -70,6 +70,7 @@ exclusions:
     fb502828-2db0-438e-93e6-801c7548686d: escaped_wildcard
     59e938ff-0d6d-4dc3-b13f-36cc28734d4e: escaped_wildcard
     2e7bbd54-2f26-476e-b4a1-ba5f1a012614: escaped_wildcard
+    7c9340a9-e2ee-4e43-94c5-c54ebbea1006: escaped_wildcard
     # number_as_string
     5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string
     85b88e05-dadc-430b-8a9e-53ff1cd30aae: number_as_string