Merge pull request #2956 from elhoim/rundll_spawn_explorer

New rule Rundll spawn explorer

rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml

@@ -0,0 +1,24 @@
+title: RunDLL32 Spawmning Explorer
+id: caa06de8-fdef-4c91-826a-7f9e163eef4b
+description: Detects RunDLL32.exe spawmning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
+author: elhoim
+status: experimental
+date: 2022/04/27
+references: 
+  - https://redcanary.com/blog/intelligence-insights-november-2021/
+tags:
+  - attack.defense_evasion
+  - attack.t1218.011
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    ParentImage|endswith:
+      - '\rundll32.exe'
+    Image|endswith:
+      - '\explorer.exe'
+  condition: selection
+falsepositives:
+  - Unknown
+level: high