Create proc_creation_win_lolbin_fsianycpu.yml

rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml

@@ -0,0 +1,24 @@
+title: Use of FsiAnyCpu.exe
+id: b96b2031-7c17-4473-afe7-a30ce714db29
+status: experimental
+description: The FSharp Interpreter, FsiAnyCpu.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.
+author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
+references:
+  - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+  - https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+  - https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
+date: 2022/06/02
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    - Image|endswith: fsianycpu.exe
+    - OriginalFileName: fsianycpu.exe
+  condition: selection
+falsepositives:
+  - Legitimate use by a software developer.
+level: medium
+tags:
+  - attack.execution
+  - attack.t1059