feat(rules): New Potential privilege escalation via DeadPotato exploit rule

rules/privilege_escalation_potential_privilege_escalation_via_deadpotato_exploit.yml

@@ -0,0 +1,33 @@
+name: Potential privilege escalation via DeadPotato exploit
+id: 3911130a-b71c-4994-a7c3-5ae07dc0abe0
+version: 1.0.0
+description: |
+  Detects potential privilege escalation activity consistent with the DeadPotato
+  exploit. Attackers can abuse the DCOM RPCSS service flaw to start an elevated
+  process allowing unrestricted access over the machine for critical operations to
+  be freely performed.
+labels:
+  tactic.id: TA0004
+  tactic.name: Privilege Escalation
+  tactic.ref: https://attack.mitre.org/tactics/TA0004/
+  technique.id: T1068
+  technique.name: Exploitation for Privilege Escalation
+  technique.ref: https://attack.mitre.org/techniques/T1068/
+references:
+  - https://github.com/lypd0/DeadPotato
+
+condition: >
+  sequence
+  maxspan 1m
+    |connect_socket and
+     ps.name = 'svchost.exe' and ps.args intersects ('-k', 'RPCSS') and
+     net.dport = 135 and (net.dip = 127.0.0.1 or net.dip = '::1')
+    |
+    |spawn_process and
+     ps.token.integrity_level = 'SYSTEM' and
+     ps.exe not imatches '?:\\WINDOWS\\system32\\conhost.exe'
+    |
+
+severity: high
+
+min-engine-version: 3.0.0