Added Metasploit rules.

[lucky-luk3]

• Metasploit local exploit suggester module
• Metasploit Hashdump module

Both are created from events observed in laboratory environment when those modules where used.

[ghost]

All CLA requirements met.

[Cyb3rWard0g]

Hello @lucky-luk3 !

Thank you for sharing your rules! A few comments:

• There is already a rule for T1136.001:
  • https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/discovery/T1087.001_LocalAccount_Commands.xml
• In this first rule, https://github.com/microsoft/MSTIC-Sysmon/blob/32e8a6285c976f3072de90d5a34be3fbd0a6611e/linux/configs/attack-based/discovery/T087.001_Metasploit_Hashdump.xml, would it make sense to simple add CommandLine contains id as a way to discover local identity? That way we cover different scenarios of id being used for local account discovery.
• In this other rule: https://github.com/microsoft/MSTIC-Sysmon/blob/32e8a6285c976f3072de90d5a34be3fbd0a6611e/linux/configs/attack-based/discovery/T1592_Metasploit_Local_Exploit_Suggester.xml , you have a lot of paths such as /proc/cpuinfo or /etc/os-release using cat commands. Maybe we can simply add those paths to a rule with CommandLine contains. Also, we can name this rule something like T1592_GatherVictimHostInfo_CommonCommands instead of T1592_Metasploit_Local_Exploit_Suggester.xml?.

What do you think?

[lucky-luk3]

Thanks @Cyb3rWard0g for you suggestions! :)
I did the setup like this because I believed it was the best way to reduce false positives and detect the execution of metasploit.
The commands are not very specific and I thought that this way it would be better, but I agree with your suggestions :)
I will change it.