Add: sigma rules (#175)

rules/sigma/windows/create_stream_hash/sysmon_ads_executable.yml

@@ -0,0 +1,34 @@
+
+title: Executable in ADS
+author: Florian Roth, @0xrawsec
+date: 2018/06/03
+description: Detects the creation of an ADS data stream that contains an executable
+  (non-empty imphash)
+detection:
+  SELECTION_1:
+    EventID: 15
+  SELECTION_2:
+    Imphash: '00000000000000000000000000000000'
+  SELECTION_3:
+    Imphash|re: ^$
+  condition: (SELECTION_1 and  not ((SELECTION_2) or (SELECTION_3)))
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+- Image
+id: b69888d4-380c-45ce-9cf9-d9ce46e67821
+level: critical
+logsource:
+  category: create_stream_hash
+  definition: 'Requirements: Sysmon config with Imphash logging activated'
+  product: windows
+modified: 2020/08/26
+references:
+- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.s0139
+- attack.t1564.004

rules/sigma/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml

@@ -0,0 +1,28 @@
+
+title: Exports Registry Key To an Alternate Data Stream
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+description: Exports the target Registry key and hides it in the specified alternate
+  data stream.
+detection:
+  SELECTION_1:
+    EventID: 15
+  SELECTION_2:
+    Image: '*\regedit.exe'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+fields:
+- TargetFilename
+id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
+level: high
+logsource:
+  category: create_stream_hash
+  product: windows
+references:
+- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564.004