Delete renamed_binary_description.yml

agreed on improvements. will be added later

rules/windows/process_creation/renamed_binary_description.yml

@@ -1,60 +0,0 @@
-title: Renamed Binary
-status: experimental
-description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon Description datapoint.
-author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-references:
-  - https://attack.mitre.org/techniques/T1036/
-tags:
-  - attack.t1036
-  - attack.defense_evasion
-logsource:
-  category: process_creation
-  product: windows
-  service: sysmon
-detection:
-  selection:
-    Description:
-      - "active directory editor"
-      - "sysinternals process dump utility"
-      - "msbuild.exe"
-      - ".net core host"
-      - "windows command processor"
-      - "windows powershell"
-      - "execute processes remotely"
-      - ".net framework installation utility"
-      - "microsoft ® console based script host"
-      - "microsoft ® windows based script host"
-      - "microsoft (r) html application host"
-      - "microsoft(c) register server"
-      - "wmi commandline utility"
-      - "certutil.exe"
-      - "windows host process (rundll32)"
-      - "microsoft connection manager profile Installer"
-      - "windows ® installer"
-      - "7-zip console"
-
-  filter:
-    Image:
-      - '*\adexplorer.exe'
-      - '*\procdump.exe'
-      - '*\msbuild.exe'
-      - '*\dotnet.exe'
-      - '*\cmd.exe'
-      - '*\powershell.exe'
-      - '*\psexec.exe'
-      - '*\installutil.exe'
-      - '*\cscript.exe'
-      - '*\wscript.exe'
-      - '*\mshta.exe'
-      - '*\regsvr32.exe'
-      - '*\wmic.exe'
-      - '*\certutil.exe'
-      - '*\rundll32.exe'
-      - '*\cmstp.exe'
-      - '*\msiexec.exe'
-      - '*\7z.exe'
-  condition: selection and not filter
-falsepositives:
-  - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
-level: medium