Added Sigma Rules

rules/Sigma/sysmon_win_binary_susp_com.yml

@@ -0,0 +1,36 @@
+title: Microsoft Binary Suspicious Communication Endpoint
+author: Florian Roth
+date: 2018/08/30
+description: Detects an executable in the Windows folder accessing suspicious domains
+detection:
+    SELECTION_1:
+        EventID: 3
+    SELECTION_2:
+        Initiated: 'true'
+    SELECTION_3:
+        DestinationHostname: '*dl.dropboxusercontent.com'
+    SELECTION_4:
+        DestinationHostname: '*.pastebin.com'
+    SELECTION_5:
+        DestinationHostname: '*.githubusercontent.com'
+    SELECTION_6:
+        Image: C:\Windows\\*
+    condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5)
+        and SELECTION_6)
+falsepositives:
+- Unknown
+id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
+level: high
+logsource:
+    category: network_connection
+    product: windows
+references:
+- https://twitter.com/M_haggis/status/900741347035889665
+- https://twitter.com/M_haggis/status/1032799638213066752
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1105
+yml_filename: sysmon_win_binary_susp_com.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+