create process on Windows

rule:
  meta:
    name: create process on Windows
    namespace: host-interaction/process/create
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Process::Create Process [C0017]
    examples:
      - 9324D1A8AE37A36AE560C37448C9705A:0x406DB0
      - Practical Malware Analysis Lab 01-04.exe_:0x4011FC
      - 692f7fd6d198e804d6af98eb9e390d61:0x6000003
  features:
    - or:
      - api: kernel32.WinExec
      - api: kernel32.CreateProcess
      - api: shell32.ShellExecute
      - api: shell32.ShellExecuteEx
      - api: advapi32.CreateProcessAsUser
      - api: advapi32.CreateProcessWithLogon
      - api: advapi32.CreateProcessWithToken
      - api: kernel32.CreateProcessInternal
      - api: ntdll.NtCreateUserProcess
      - api: ntdll.NtCreateProcess
      - api: ntdll.NtCreateProcessEx
      - api: ntdll.ZwCreateProcess
      - api: ZwCreateProcessEx
      - api: ntdll.ZwCreateUserProcess
      - api: ntdll.RtlCreateUserProcess
      - api: System.Diagnostics.Process::Start