Merge pull request #1302 from Neo23x0/rule-devel

TA505 Dropper, minor fix in PowerShell Rule

rules/windows/powershell/powershell_nishang_malicious_commandlets.yml

@@ -88,7 +88,6 @@ detection:
         - NotAllNameSpaces
         - exfill
         - FakeDC
-        - Exploit
     condition: keywords
 falsepositives:
     - Penetration testing

rules/windows/process_creation/win_apt_ta505_dropper.yml

@@ -0,0 +1,22 @@
+title: TA505 Dropper Load Pattern
+id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
+status: experimental
+description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
+references:
+    - https://twitter.com/ForensicITGuy/status/1334734244120309760
+tags:
+    - attack.execution
+    - attack.g0092
+logsource:
+    category: process_creation
+    product: windows
+author: Florian Roth
+date: 2020/12/08
+detection:
+    selection:
+        Image|endswith: '\mshta.exe'
+        ParentImage|endswith: '\wmiprvse.exe'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical