Add threat hunting rule for single-character binary execution

Detects execution of binaries with single-character names (e.g., r.exe, a.exe)
which are commonly used by attackers to evade detection or as quick implants.

Reference: CERT Polska Energy Sector Incident Report 2025

Author: norbert791

rules-threat-hunting/linux/process_creation/proc_creation_lnx_single_char_binary_execution.yml

@@ -0,0 +1,30 @@
+title: Single Character Binary Execution
+id: d9f65919-9d42-4f5a-86a4-7d894258e5a7
+related:
+    - id: 87376963-de41-4a56-8694-7412118697eb
+      type: similar
+    - id: bab56d17-5154-416f-bea0-a725fdd18f42
+      type: similar
+status: experimental
+description: |
+    Detects execution of binaries with single-character names (e.g., 'a', 'x').
+    Attackers may use short filenames to evade detection, reduce forensic footprint, or as quick implants.
+references:
+    - https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
+author: Norbert Jasniewicz (AlphaSOC)
+date: 2026-02-14
+tags:
+    - attack.defense-evasion
+    - attack.t1036
+    - detection.threat-hunting
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/?'
+    condition: selection
+falsepositives:
+    - Legitimate software using single-character executable names
+    - Some compilers may generate single character binaries by default
+level: low

rules-threat-hunting/macos/process_creation/proc_creation_macos_single_char_binary_execution.yml

@@ -0,0 +1,30 @@
+title: Single Character Binary Execution
+id: bab56d17-5154-416f-bea0-a725fdd18f42
+related:
+    - id: 87376963-de41-4a56-8694-7412118697eb
+      type: similar
+    - id: d9f65919-9d42-4f5a-86a4-7d894258e5a7
+      type: similar
+status: experimental
+description: |
+    Detects execution of binaries with single-character names (e.g., 'a', 'o').
+    Attackers may use short filenames to evade detection, reduce forensic footprint, or as quick implants.
+references:
+    - https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
+author: Norbert Jasniewicz (AlphaSOC)
+date: 2026-02-14
+tags:
+    - attack.defense-evasion
+    - attack.t1036
+    - detection.threat-hunting
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/?'
+    condition: selection
+falsepositives:
+    - Legitimate software using single-character executable names
+    - Some compilers may generate single character binaries by default
+level: low

rules-threat-hunting/windows/process_creation/proc_creation_win_single_char_binary_execution.yml

@@ -0,0 +1,30 @@
+title: Single Character Binary Execution
+id: 87376963-de41-4a56-8694-7412118697eb
+related:
+    - id: bab56d17-5154-416f-bea0-a725fdd18f42
+      type: similar
+    - id: d9f65919-9d42-4f5a-86a4-7d894258e5a7
+      type: similar
+status: experimental
+description: |
+    Detects execution of binaries with single-character names (e.g., 'r.exe').
+    Attackers may use short filenames to evade detection, reduce forensic footprint, or as quick implants.
+references:
+    - https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf
+author: Norbert Jasniewicz (AlphaSOC)
+date: 2026-02-14
+tags:
+    - attack.defense-evasion
+    - attack.t1036
+    - detection.threat-hunting
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '\\?.exe'
+    condition: selection
+falsepositives:
+    - Legitimate software using single-character executable names
+    - Some compilers may generate single character binaries by default
+level: low