feat: new findstr rule for passwords recon (SigmaHQ#4251)

rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml

@@ -0,0 +1,34 @@
+title: Potential Password Reconnaissance Via Findstr.EXE
+id: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5
+status: experimental
+description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
+references:
+    - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/
+    - https://adsecurity.org/?p=2288
+author: Josh Nickels
+date: 2023/05/18
+tags:
+    - attack.credential_access
+    - attack.t1552.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\findstr.exe'
+        - OriginalFileName: 'FINDSTR.EXE'
+    selection_cli:
+        CommandLine|contains:
+            - 'contraseña' # Spanish
+            - 'hasło' # Polish
+            - 'heslo' # Czech
+            - 'parola' # Italian
+            - 'passe' # French
+            - 'passw' # German, English
+            - 'senha' # Portuguese
+            - 'senord' # Swedish
+            - '密碼' # Cantonese
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium