Added rule for Gamaredon UltraVNC Execution

rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml

@@ -0,0 +1,26 @@
+title: Gamaredon UltraVNC Execution
+id: 871b9555-69ca-4993-99d3-35a59f9f3599
+status: experimental
+author: Bhabesh Raj
+date: 2022/03/04
+description: Gamaredon is known to use UltraVNC via command line for gaining remote access.
+references:
+    - https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
+    - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
+tags:
+    - attack.lateral_movement
+    - attack.g0047
+    - attack.t1021.005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - '-autoreconnect '
+            - '-connect '
+            - '-id:'
+    condition: selection 
+falsepositives:
+    - Unknown
+level: high