Add Sysmon 28-29 rules

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

rules/windows/sysmon/sysmon_file_block_shredding.yml

@@ -0,0 +1,20 @@
+title: Sysmon Blocked File Shredding
+id: c3e5c1b1-45e9-4632-b242-27939c170239
+status: experimental
+description: Triggers on any Sysmon file block shredding event. Which should indicates a violation of the shredding policy set
+references:
+    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
+author: frack113
+date: 2023/07/20
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 28  # this is fine, we want to match any FileBlockShredding event
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

rules/windows/sysmon/sysmon_file_executable.yml

@@ -0,0 +1,21 @@
+title: Sysmon File Executable Detected
+id: 693a44e9-7f26-4cb6-b787-214867672d3a
+status: experimental
+description: Triggers on any Sysmon file executable event. Which should indicates a violation of the shredding policy set
+references:
+    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
+    - https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
+author: frack113
+date: 2023/07/20
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 29  # this is fine, we want to match any FileBlockShredding event
+    condition: selection
+falsepositives:
+    - Unlikely
+level: medium