style: renamed rule files to all lower case

rules/windows/builtin/win_alert_lsass_access.yml

@@ -0,0 +1,23 @@
+title: LSASS Access Detected via Attack Surface Reduction
+description: Detects Access to LSASS Process
+status: experimental
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
+author: Markus Neis
+date: 2018/08/26
+tags:
+    - attack.credential_access
+    - attack.t1003
+# Defender Attack Surface Reduction
+logsource:
+    product: windows_defender
+    description: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
+detection:
+    selection:
+        EventID: 1121
+        Path: '*\lsass.exe'
+    condition: selection
+falsepositives:
+    - Google Chrome GoogleUpdate.exe
+    - Some Taskmgr.exe related activity
+level: high

rules/windows/sysmon/sysmon_lethalhta.yml

@@ -0,0 +1,19 @@
+title: MSHTA spwaned by SVCHOST as seen in LethalHTA 
+status: experimental
+description: Detects MSHTA.EXE spwaned by SVCHOST described in report
+references:
+    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
+author: Markus Neis
+date: 2018/06/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage: '*\svchost.exe'
+        Image: '*\mshta.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml

@@ -0,0 +1,24 @@
+title: Powershell AMSI Bypass via .NET Reflection  
+status: experimental
+description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
+references:
+    - https://twitter.com/mattifestation/status/735261176745988096
+    - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
+author: Markus Neis
+date: 2018/08/17
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        CommandLine:
+            - '*System.Management.Automation.AmsiUtils*'
+    selection2:
+        CommandLine:
+            - '*amsiInitFailed*'            
+    condition: selection1 and selection2
+    falsepositives:
+    - Potential Admin Activity 
+level: high
+

rules/windows/sysmon/sysmon_powershell_dll_execution.yml

@@ -0,0 +1,31 @@
+title: Detection of PowerShell Execution via DLL
+status: experimental
+description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll
+references:
+    - https://github.com/p3nt4/PowerShdll/blob/master/README.md
+tags:
+    - attack.execution
+    - attack.t1086
+author: Markus Neis
+date: 2018/08/25
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        Image:
+            - '*\rundll32.exe'
+    selection2:
+        EventID: 1
+        Description:
+            - '*Windows-Hostprozess (Rundll32)*'
+    selection3:
+        EventID: 1
+        CommandLine:
+            - '*Default.GetString*'
+            - '*FromBase64String*'
+    condition: (selection1 or selection2) and selection3
+falsepositives:
+    - Unknown
+level: high