ルール更新 (#224)

rules/sigma/process_creation/win_mshta_spawn_shell.yml

@@ -0,0 +1,46 @@
+
+title: MSHTA Spawning Windows Shell
+author: Michael Haag
+date: 2019/01/16
+description: Detects a Windows command line executable started from MSHTA
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    ParentImage: '*\mshta.exe'
+  SELECTION_3:
+    Image:
+    - '*\cmd.exe'
+    - '*\powershell.exe'
+    - '*\wscript.exe'
+    - '*\cscript.exe'
+    - '*\sh.exe'
+    - '*\bash.exe'
+    - '*\reg.exe'
+    - '*\regsvr32.exe'
+  SELECTION_4:
+    Image:
+    - '*\BITSADMIN*'
+  condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
+falsepositives:
+- Printer software / driver installations
+- HP software
+fields:
+- CommandLine
+- ParentCommandLine
+id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2020/09/01
+references:
+- https://www.trustedsec.com/july-2015/malicious-htas/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1170
+- attack.t1218.005
+- car.2013-02-003
+- car.2013-03-001
+- car.2014-04-003