feat: new rule for events.asp technique

rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml

@@ -0,0 +1,31 @@
+title: Potential Persistence Via Event Viewer Events.asp
+id: a1e11042-a74a-46e6-b07c-c4ce8ecc239b
+status: test
+description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
+references:
+    - https://twitter.com/nas_bench/status/1626648985824788480
+    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/17
+tags:
+    - attack.persistence
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        # Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs
+        # Also "MicrosoftRedirectionProgramCommandLineParameters" key
+        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
+    filter_default_redirect_program:
+        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
+        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
+        Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
+    filter_default_redirect_program_cli:
+        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
+        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters'
+        Details: '-url hcp://services/centers/support?topic=%%s'
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Unknown
+level: medium