Added Sigma Rules

rules/Sigma/process_creation_protocolhandler_suspicious_file.yml

@@ -0,0 +1,36 @@
+title: ProtocolHandler.exe Downloaded Suspicious File
+author: frack113
+date: 2021/07/13
+description: Emulates attack via documents through protocol handler in Microsoft Office.
+    On successful execution you should see Microsoft Word launch a blank file.
+detection:
+    SELECTION_1:
+        EventID: 1
+    SELECTION_2:
+        Image: '*\protocolhandler.exe'
+    SELECTION_3:
+        CommandLine: '*"ms-word*'
+    SELECTION_4:
+        CommandLine: '*.docx"*'
+    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218
+yml_filename: process_creation_protocolhandler_suspicious_file.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+