Add: sigma rules (#175)

rules/sigma/windows/process_creation/sysmon_hack_wce.yml

@@ -0,0 +1,37 @@
+
+title: Windows Credential Editor
+author: Florian Roth
+date: 2019/12/31
+description: Detects the use of Windows Credential Editor (WCE)
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    EventID: 1
+  SELECTION_3:
+    Imphash:
+    - a53a02b997935fd8eedcb5f7abab9b9f
+    - e96a73c7bf33a464c510ede582318bf2
+  SELECTION_4:
+    CommandLine: '*.exe -S'
+  SELECTION_5:
+    ParentImage: '*\services.exe'
+  SELECTION_6:
+    Image: '*\clussvc.exe'
+  condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or (SELECTION_4 and SELECTION_5)))
+    and  not (SELECTION_6))
+falsepositives:
+- Another service that uses a single -s command line switch
+id: 7aa7009a-28b9-4344-8c1f-159489a390df
+level: critical
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/07/15
+references:
+- https://www.ampliasecurity.com/research/windows-credentials-editor/
+tags:
+- attack.credential_access
+- attack.t1003
+- attack.t1003.001
+- attack.s0005