From 2a62b35fd6fb4e7b440af2011ca4a85894c40457 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Thu, 2 Jun 2022 01:30:48 -0400
Subject: [PATCH] Create proc_creation_win_lolbin_fsianycpu.yml
---
 .../proc_creation_win_lolbin_fsianycpu.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml b/rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml
new file mode 100644
index 000000000..3549e6a7a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_fsianycpu.yml
@@ -0,0 +1,24 @@
+title: Use of FsiAnyCpu.exe
+id: b96b2031-7c17-4473-afe7-a30ce714db29
+status: experimental
+description: The FSharp Interpreter, FsiAnyCpu.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.
+author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
+ - https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
+date: 2022/06/02
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: fsianycpu.exe
+ - OriginalFileName: fsianycpu.exe
+ condition: selection
+falsepositives:
+ - Legitimate use by a software developer.
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059
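Review bot: The `Image|endswith: fsianycpu.exe` entry in the selection has no leading path separator, so any image whose name merely ends in that string would also match and the rule does not anchor on the file name the way the usual Sigma convention does; it should read `Image|endswith: '\fsianycpu.exe'`. The `OriginalFileName: fsianycpu.exe` value should be confirmed against the binary's version resource, since Sigma matching is case-insensitive but the string itself must equal the PE metadata or that half of the OR never fires and only the image-path clause carries the detection. The bohops reference cited in the hunk also covers fsi.exe, so it is worth an explicit decision on whether that interpreter belongs in the same selection or in a separate rule. The description calls this an AWL bypass while the tags carry only execution; adding `attack.defense_evasion` (and, if the maintainers agree, `attack.t1127`) would keep the tags consistent with the description.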