Add image_load_side_load_jsschhlp

rules/windows/image_load/image_load_side_load_jsschhlp.yml

@@ -0,0 +1,26 @@
+title: Potential DLL Sideloading Via JsSchHlp
+id: 68654bf0-4412-43d5-bfe8-5eaa393cd939
+status: experimental
+description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
+references:
+    - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
+author: frack113
+date: 2022/12/14
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\JSESPR.dll'
+    filter:
+        ImageLoaded|startswith: 'C:\Program Files\Common Files\Justsystem\JsSchHlp\'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: medium