add win_susp_cdb.yml

rules/windows/process_creation/win_susp_cdb.yml

@@ -0,0 +1,21 @@
+title: Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner
+status: experimental
+description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
+    - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+author: Beyu Denis
+date: 2019/10/26
+tags:
+    - attack.persistence
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+detection:
+  selection:
+    Image: '*\cdb.exe'
+    CommandLine: '* -cf *.wds -o *'
+  condition: selection
+falsepositives:
+    - Unknown