forfiles, bash detection

rules/windows/builtin/win_susp_process_creations.yml

@@ -11,6 +11,7 @@ reference:
     - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
     - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
     - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
+    - https://twitter.com/vector_sec/status/896049052642533376
 author: Florian Roth
 logsource:
     product: windows
@@ -67,6 +68,8 @@ detection:
             - '*AddInProcess*'
             # NotPowershell (nps) attack
             - '*msbuild*'
+            - '*forfiles*'
+            - '*bash*'
     condition: selection
 falsepositives: 
     - False positives depend on scripts and administrative tools used in the monitored environment