fix

rules/windows/process_creation/minidumpwritedump.yml

@@ -14,7 +14,7 @@ logsource:
 detection:
     selection:
         Image: '*\rundll32.exe'
-		CommandLine: '*comsvcs.dll*minidump*'
+        CommandLine: '*comsvcs.dll*minidump*'
     condition: selection
 falsepositives:
     - unknown

rules/windows/process_creation/renamed_binary_description.yml

@@ -11,7 +11,7 @@ tags:
 logsource:
     category: process_creation
     product: windows
-	service: sysmon
+    service: sysmon
 detection:
     selection:
         Description:
@@ -28,22 +28,22 @@ detection:
             - "microsoft (r) html application host"
             - "microsoft(c) register server"
             - "wmi commandline utility"
-			- "certutil.exe"
+            - "certutil.exe"
             - "windows host process (rundll32)"
             - "microsoft connection manager profile Installer"
             - "windows ® installer"
-			- "7-zip console"
+            - "7-zip console"
 			
     filter:
         Image:
-		    - '*\adexplorer.exe'
-			- '*\procdump.exe'
-			- '*\msbuild.exe'
-			- '*\dotnet.exe'
+            - '*\adexplorer.exe'
+            - '*\procdump.exe'
+            - '*\msbuild.exe'
+            - '*\dotnet.exe'
             - '*\cmd.exe'
             - '*\powershell.exe'
             - '*\psexec.exe'
-			- '*\installutil.exe'
+            - '*\installutil.exe'
             - '*\cscript.exe'
             - '*\wscript.exe'
             - '*\mshta.exe'

rules/windows/sysmon/cobalt_execute_assembly.yml

@@ -15,9 +15,9 @@ detection:
     selection:
         EventID: 8
         TargetProcessAddress:
-		 - '*0B80'
-		 - '*0C7C'
-		 - '*0C88'
+         - '*0B80'
+         - '*0C7C'
+         - '*0C88'
     condition: selection
 falsepositives:
     - unknown