refactor: split rule up into two, more susp sub procs

rules/windows/process_creation/process_creation_shell_spawn_by_java.yml

@@ -0,0 +1,24 @@
+title: Shells Spawn by Java
+id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
+description: Detects shell spawn from Java host process, which could a maintenance task or some kind of exploitation (e.g. log4j exploitation)
+status: experimental
+author: Andreas Hunkeler (@Karneades)
+date: 2021/12/17
+modified: 2021/12/18
+tags:
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\java.exe'
+        Image|endswith:
+            - '\cmd.exe'
+    condition: selection
+falsepositives:
+    - Legitimate calls to system binaries
+    - Company specific internal usage
+level: medium

rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml

@@ -0,0 +1,42 @@
+title: Suspicious Shells Spawn by Java
+id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
+description: Detects suspicious shell spawn from Java host process (e.g. log4j exploitation)
+status: experimental
+author: Andreas Hunkeler (@Karneades), Florian Roth
+date: 2021/12/17
+modified: 2021/12/18
+tags:
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\java.exe'
+        Image|endswith:
+            - '\sh.exe'
+            - '\bash.exe'
+            - '\powershell.exe'
+            - '\schtasks.exe'
+            - '\certutil.exe'
+            - '\whoami.exe'
+            - '\bitsadmin.exe'
+            - '\wscript.exe'
+            - '\cscript.exe'
+            - '\scrcons.exe'
+            - '\regsvr32.exe'
+            - '\hh.exe'
+            - '\wmic.exe'        # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
+            - '\mshta.exe'
+            - '\rundll32.exe'
+            - '\forfiles.exe'
+            - '\scriptrunner.exe'
+            - '\mftrace.exe'
+            - '\AppVLP.exe'
+    condition: selection
+falsepositives:
+    - Legitimate calls to system binaries
+    - Company specific internal usage
+level: high

rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml

@@ -1,30 +0,0 @@
-title: Suspicious Shells Spawn by Java
-id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
-description: Detects suspicious shell spawn from Java host process (e.g. log4j exploitation)
-status: experimental
-author: Andreas Hunkeler (@Karneades)
-date: 2021/12/17
-tags:
-    - attack.initial_access
-    - attack.persistence
-    - attack.privilege_escalation
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\java.exe'
-        Image:
-            - '*\cmd.exe'
-            - '*\sh.exe'
-            - '*\bash.exe'
-            - '*\powershell.exe'
-            - '*\schtasks.exe'
-            - '*\certutil.exe'
-            - '*\whoami.exe'
-            - '*\bitsadmin.exe'
-    condition: selection
-falsepositives:
-    - Legitimate calls to system binaries
-    - Company specific internal usage
-level: high