Merge branch 'patch-2' of https://github.com/neu5ron/sigma into neu5ron-patch-2

rules/windows/builtin/win_susp_bcdedit.yml

@@ -0,0 +1,39 @@
+---
+action: global
+title: Possible Ransomware or unauthorized MBR modifications
+status: experimental
+description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
+references:
+    - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+author: @neu5ron
+date: 2019/02/07
+detection:
+    condition: selection
+level: medium
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        NewProcessName:  '*\fsutil.exe'
+        ProcessCommandLine: 
+            - '*delete*'
+            - '*deletevalue*'
+            - '*import*'
+---
+# Sysmon: Process Creation (ID 1)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image:  '*\fsutil.exe'
+        ProcessCommandLine: 
+            - '*delete*'
+            - '*deletevalue*'
+            - '*import*'