Fix Issues & Updates

[nasbench]

This PR fixes the following issues

• Fix Rule enhancement: Add "user" field to rule: WinEvent Scheduled Task Created Within Public Path #3684
• Fix [BUG] Common Ransomware Extensions - Regex Matching Double File Extension #3702
• Fix [BUG] False Positive in Analytic: Detect Rundll32 Application Control Bypass - setupapi #3605
• Fix Minor error in message field reference for linux_service_started_or_enabled #3714

It also updates/adds these rules

• Deprecate Detect Rundll32 Application Control Bypass - advpack, Detect Rundll32 Application Control Bypass - setupapi and Detect Rundll32 Application Control Bypass - syssetup in favor of a unified rule Windows Application Whitelisting Bypass Attempt via Rundll32 since they are all related. - cc @MHaggis

• Deprecate Windows Change Default File Association For No File Ext and replace it by Windows Change File Association Command To Notepad. The reason is that the original rule was incorrectly looking file without extensions, but in reality the TTP is a TA after encrypting files with a certain extensions (in this case .enc they add a handler for that extensions to open all files with notepad and the ransom note). cc @t-contreras

• Updates Add or Set Windows Defender Exclusion with additional flags, namely ControlledFolderAccessAllowedApplications and AttackSurfaceReductionOnlyExclusions

• Reduce the Attempt To Add Certificate To Untrusted Store analytic to an Anomaly because this is found to be common by some installers.

• Fix the regex in Common Ransomware Extensions to account for double extension files.

• Updated Linux Java Spawning Shell and Windows Java Spawning Shells by removing apache and w3wp.exe respectively as they are unrelated to those rules. I did create Web or Application Server Spawning a Shell as a generic rule covering both linux and windows instances with a lot more web server and app server names.

• Updated USN Journal Deletion in order to filter for the deletion keyword at the search level not after the results for better performance.

• Updated Windows Archived Collected Data In TEMP Folder to used specific folders instead of just \\temp\\ to avoid accidental FPs. As well as reducing it to an Anomaly rule since I found multiple cases where a match was found.

• Updated Windows AutoIt3 Execution - Added an OFN field and removed the overlap of the string.

• Updated Windows Certutil Root Certificate Addition by focusing on specific paths in order to avoid FPs. Since installers were found doing this as per elastic rule and VT results.

• Added the --output-dir flag to the rule Windows Curl Download to Suspicious Path

• Updated Windows Information Discovery Fsutil with additional flags, namely the volume sub-command that allows the discovery of disk information and was used by a TA before.

• Added pwsh.exe as a possible value to Windows Remote Management Execute Shell

• Enhanced Windows Renamed Powershell Execution by adding OFN fields, powershell_ise.exe and split the logic to be more accurate.

• Split the string logic in Windows Rundll32 Apply User Settings Changes to be more generic and avoid easy bypass using spaces.

• Updated Windows Scheduled Task Created Via XML with additional flags and OFN field as well as updated the different metadata sections.

• Added new analytic Windows Symlink Evaluation Change via Fsutil

[patel-bhavin]

Looking good @nasbench : I set the deprecated version to 5.18.0 to keep the removal consistent with even numbered release