Merge pull request #1556 from frack113/PR_617_V2

Fix all the rules to pass the test

rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml

@@ -0,0 +1,41 @@
+action: global
+title: Abusing Windows Telemetry For Persistence
+id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
+status: Experimental
+description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
+references:
+    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+    - attack.t1112
+    - attack.t1053
+author: Sreeman
+date: 2020/09/29
+modified: 2021/06/11
+fields:
+    - EventID
+    - CommandLine
+    - TargetObject
+    - Details
+falsepositives:
+    - none
+level: high
+---
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    selection:
+        TargetObject|contains:
+            - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
+        Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$'
+    condition: selection
+---
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine|re: '(?i).*schtasks.*(-|/)r.*\\Application Experience\\Microsoft Compatibility Appraiser.*'
+    condition: selection