ルール更新 (#224)

rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml

@@ -0,0 +1,30 @@
+
+title: PowerShell Downgrade Attack
+author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
+date: 2017/03/22
+description: Detects PowerShell downgrade attack by comparing the host versions with
+  the actually used engine version 2.0
+detection:
+  SELECTION_1:
+    EngineVersion: 2.*
+  SELECTION_2:
+    HostVersion: 2.*
+  condition: (SELECTION_1 and  not (SELECTION_2))
+falsepositives:
+- Penetration Test
+- Unknown
+id: 6331d09b-4785-4c13-980f-f96661356249
+level: medium
+logsource:
+  category: ps_classic_start
+  definition: fields have to be extract from event
+  product: windows
+modified: 2021/10/16
+references:
+- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1059.001
+- attack.t1086