Added Sigma Rules

rules/Sigma/sysmon_abusing_debug_privilege.yml

@@ -0,0 +1,60 @@
+title: Abused Debug Privilege by Arbitrary Parent Processes
+author: Semanur Guneysu @semanurtg, oscd.community
+date: 2020/10/28
+description: Detection of unusual child processes by different system processes
+detection:
+    SELECTION_1:
+        EventID: 1
+    SELECTION_10:
+        Image: '*\powershell.exe'
+    SELECTION_11:
+        Image: '*\cmd.exe'
+    SELECTION_12:
+        User: NT AUTHORITY\SYSTEM*
+    SELECTION_13:
+        User: AUTORITE NT\Sys*
+    SELECTION_14:
+        CommandLine: '* route *'
+    SELECTION_15:
+        CommandLine: '* ADD *'
+    SELECTION_2:
+        ParentImage: '*\winlogon.exe'
+    SELECTION_3:
+        ParentImage: '*\services.exe'
+    SELECTION_4:
+        ParentImage: '*\lsass.exe'
+    SELECTION_5:
+        ParentImage: '*\csrss.exe'
+    SELECTION_6:
+        ParentImage: '*\smss.exe'
+    SELECTION_7:
+        ParentImage: '*\wininit.exe'
+    SELECTION_8:
+        ParentImage: '*\spoolsv.exe'
+    SELECTION_9:
+        ParentImage: '*\searchindexer.exe'
+    condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+        or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9) and (SELECTION_10
+        or SELECTION_11) and (SELECTION_12 or SELECTION_13)) and  not (SELECTION_14
+        and SELECTION_15))
+falsepositives:
+- unknown
+fields:
+- ParentImage
+- Image
+- User
+- CommandLine
+id: d522eca2-2973-4391-a3e0-ef0374321dae
+level: high
+logsource:
+    category: process_creation
+    product: windows
+references:
+- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+status: experimental
+tags:
+- attack.privilege_escalation
+- attack.t1548
+yml_filename: sysmon_abusing_debug_privilege.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+