ルール更新 (#224)

rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml

@@ -0,0 +1,29 @@
+
+title: PowerShell Decompress Commands
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+description: A General detection for specific decompress commands in PowerShell logs.
+  This could be an adversary decompressing files.
+detection:
+  SELECTION_1:
+    Payload: '*Expand-Archive*'
+  condition: SELECTION_1
+falsepositives:
+- unknown
+id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
+level: informational
+logsource:
+  category: ps_module
+  definition: PowerShell Module Logging must be enabled
+  product: windows
+modified: 2021/10/16
+references:
+- https://github.com/OTRF/detection-hackathon-apt29/issues/8
+- https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
+related:
+- id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
+  type: derived
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1140