Added Sigma Rules

rules/Sigma/win_xsl_script_processing.yml

@@ -0,0 +1,36 @@
+title: XSL Script Processing
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+description: Extensible Stylesheet Language (XSL) files are commonly used to describe
+    the processing and rendering of data within XML files. Rule detects when adversaries
+    abuse this functionality to execute arbitrary files while potentially bypassing
+    application whitelisting defenses.
+detection:
+    SELECTION_1:
+        EventID: 1
+    SELECTION_2:
+        Image: '*\wmic.exe'
+    SELECTION_3:
+        CommandLine: '*/format*'
+    SELECTION_4:
+        Image: '*\msxsl.exe'
+    condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4))
+falsepositives:
+- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
+- msxsl.exe is not installed by default, so unlikely.
+id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+modified: 2019/11/04
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1220
+- attack.execution
+yml_filename: win_xsl_script_processing.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+