Converted Sysmon/1 and Security/4688 to generic process creation rules

rules/windows/process_creation/win_vul_java_remote_debugging.yml

@@ -0,0 +1,19 @@
+title: Java Running with Remote Debugging
+description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
+author: Florian Roth
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    CommandLine: '*transport=dt_socket,address=*'
+  exclusion:
+    - CommandLine: '*address=127.0.0.1*'
+    - CommandLine: '*address=localhost*'
+  condition: selection and not exclusion
+fields:
+  - CommandLine
+  - ParentCommandLine
+falsepositives:
+  - unknown
+level: medium