rule: split up registry debugger registration rule into two

rules/windows/process_creation/win_install_reg_debugger_backdoor.yml

@@ -0,0 +1,29 @@
+title: Suspicious Debugger Registration Cmdline
+status: experimental
+description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). 
+references: 
+    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1015
+author: Florian Roth
+date: 2019/09/06
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine:
+            - '*\CurrentVersion\Image File Execution Options\sethc.exe*'
+            - '*\CurrentVersion\Image File Execution Options\utilman.exe*'
+            - '*\CurrentVersion\Image File Execution Options\osk.exe*'
+            - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
+            - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
+            - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
+    condition: selection
+falsepositives:
+    - Penetration Tests
+level: high
+        

rules/windows/sysmon/sysmon_reg_debugger_backdoor.yml

@@ -1,4 +1,4 @@
-title: Suspicious Debugger Registration
+title: Suspicious Debugger Registration Registry
 status: experimental
 description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor)
 references: 
@@ -13,16 +13,7 @@ logsource:
     product: windows
     service: sysmon
 detection:
-    selection_proc:
-        EventID: 1
-        CommandLine:
-            - '*\CurrentVersion\Image File Execution Options\sethc.exe*'
-            - '*\CurrentVersion\Image File Execution Options\utilman.exe*'
-            - '*\CurrentVersion\Image File Execution Options\osk.exe*'
-            - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
-            - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
-            - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
-    selection_reg:
+    selection:
         EventID:
             - 12
             - 13
@@ -33,7 +24,7 @@ detection:
             - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
             - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
             - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
-    condition: selection_proc or selection_reg
+    condition: selection
 falsepositives:
     - Penetration Tests
 level: high