ルール更新 (#224)

rules/sigma/process_creation/win_xsl_script_processing.yml

@@ -0,0 +1,34 @@
+
+title: XSL Script Processing
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+description: Extensible Stylesheet Language (XSL) files are commonly used to describe
+  the processing and rendering of data within XML files. Rule detects when adversaries
+  abuse this functionality to execute arbitrary files while potentially bypassing
+  application whitelisting defenses.
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Image: '*\wmic.exe'
+  SELECTION_3:
+    CommandLine: '*/format*'
+  SELECTION_4:
+    Image: '*\msxsl.exe'
+  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
+falsepositives:
+- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
+- msxsl.exe is not installed by default, so unlikely.
+id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
+level: medium
+logsource:
+  category: process_creation
+  product: windows
+modified: 2019/11/04
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1220
+- attack.execution