ルール更新 (#224)

rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml

@@ -0,0 +1,37 @@
+
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+author: frack113
+date: 2021/07/13
+description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
+  that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+detection:
+  SELECTION_1:
+    ContextInfo: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
+  SELECTION_2:
+    ContextInfo:
+    - '*-ModuleName *'
+    - '*-ModulePath *'
+    - '*-ScriptBlock *'
+    - '*-RemoteFXvGPUDisablementFilePath*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Unknown
+fields:
+- ComputerName
+- User
+- CommandLine
+- ParentCommandLine
+id: 38a7625e-b2cb-485d-b83d-aff137d859f4
+level: medium
+logsource:
+  category: ps_module
+  definition: PowerShell Module Logging must be enabledd
+  product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218