Add: sigma rules (#175)

rules/sigma/windows/process_creation/win_renamed_binary.yml

@@ -0,0 +1,73 @@
+
+title: Renamed Binary
+author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community
+  (improvements), Andreas Hunkeler (@Karneades)
+date: 2019/06/15
+description: Detects the execution of a renamed binary often used by attackers or
+  malware leveraging new Sysmon OriginalFileName datapoint.
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    OriginalFileName:
+    - cmd.exe
+    - powershell.exe
+    - powershell_ise.exe
+    - psexec.exe
+    - psexec.c
+    - cscript.exe
+    - wscript.exe
+    - mshta.exe
+    - regsvr32.exe
+    - wmic.exe
+    - certutil.exe
+    - rundll32.exe
+    - cmstp.exe
+    - msiexec.exe
+    - 7z.exe
+    - winrar.exe
+    - wevtutil.exe
+    - net.exe
+    - net1.exe
+    - netsh.exe
+  SELECTION_3:
+    Image:
+    - '*\cmd.exe'
+    - '*\powershell.exe'
+    - '*\powershell_ise.exe'
+    - '*\psexec.exe'
+    - '*\psexec64.exe'
+    - '*\cscript.exe'
+    - '*\wscript.exe'
+    - '*\mshta.exe'
+    - '*\regsvr32.exe'
+    - '*\wmic.exe'
+    - '*\certutil.exe'
+    - '*\rundll32.exe'
+    - '*\cmstp.exe'
+    - '*\msiexec.exe'
+    - '*\7z.exe'
+    - '*\winrar.exe'
+    - '*\wevtutil.exe'
+    - '*\net.exe'
+    - '*\net1.exe'
+    - '*\netsh.exe'
+  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
+falsepositives:
+- Custom applications use renamed binaries adding slight change to binary name. Typically
+  this is easy to spot and add to whitelist
+id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
+level: medium
+logsource:
+  category: process_creation
+  product: windows
+modified: 2020/09/06
+references:
+- https://attack.mitre.org/techniques/T1036/
+- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
+- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1036
+- attack.t1036.003