Cleaned up signature descriptions and metadata.

queries/windows/account_manipulation.yml

@@ -1,22 +1,20 @@
 title: Account Manipulation
-description: Both Atomic tests for account manipulation rely on PowerShell AD module,
-  so we can catch both with one query. We have the query encapsulated so that we can
-  filter it at the end by Parent Process, as some Logon Scripts and Configuration
-  Items (SCOM, SCCM) may also cause noise. You may want to additionally filter out
-  certain SrcProcUser to reduce noise. What cannot be helped, CommandScript detection
-  on import of Powershell AD cmdlets.
+description: Detect account manipulation with the PowerShell AD module, filtered by Parent Process, as some Logon Scripts and Configuration Items (SCOM, SCCM) may also cause noise.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
    tactic: Persistence
    technique: T1098
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: ( SrcProcCmdLine In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
   OR SrcProcCmdScript In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
   OR SrcProcCmdLine RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" OR SrcProcCmdScript
   RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" ) AND SrcProcParentName Not In
   ("WmiPrvSE.exe","AppVClient.exe","svchost.exe","CompatTelRunner.exe")
-false_positives: null
-tags: null
+false_positives: 
+   - logon scripts
+   - Configuration Manager CI/BL Items
+tags:
+references: