formatting

Hunting Queries/SecurityEvent/NishangReverseTCPShellBase64.yaml

@@ -12,15 +12,15 @@ tactics:
 relevantTechniques:
   - T1011
 query: |
-SecurityEvent
-| where EventID == 4688
-| where Process in("powershell.exe","powershell_ise.exe") and CommandLine contains "-e" 
-| mvexpand SS = split(CommandLine, " ") 
-| where SS matches regex "[A-Za-z0-9+/]{50,}[=]{0,2}" 
-| extend DecodeString = base64_decodestring(tostring(SS)) 
-| extend FinalString = replace("\\0", "", DecodeString) 
-| where FinalString has "tcpclient" and FinalString contains "$" and (FinalString contains "invoke" or FinalString contains "iex") 
-| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
+  SecurityEvent
+  | where EventID == 4688
+  | where Process in("powershell.exe","powershell_ise.exe") and CommandLine contains "-e" 
+  | mvexpand SS = split(CommandLine, " ") 
+  | where SS matches regex "[A-Za-z0-9+/]{50,}[=]{0,2}" 
+  | extend DecodeString = base64_decodestring(tostring(SS)) 
+  | extend FinalString = replace("\\0", "", DecodeString) 
+  | where FinalString has "tcpclient" and FinalString contains "$" and (FinalString contains "invoke" or FinalString contains "iex") 
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
 entityMappings:
   - entityType: Account
     fieldMappings: