ルール更新 (#224)

rules/sigma/powershell/powershell_script/powershell_automated_collection.yml

@@ -0,0 +1,40 @@
+
+title: Automated Collection Command PowerShell
+author: frack113
+date: 2021/07/28
+description: Once established within a system or network, an adversary may use automated
+  techniques for collecting internal data.
+detection:
+  SELECTION_1:
+    ScriptBlockText:
+    - '*.doc*'
+    - '*.docx*'
+    - '*.xls*'
+    - '*.xlsx*'
+    - '*.ppt*'
+    - '*.pptx*'
+    - '*.rtf*'
+    - '*.pdf*'
+    - '*.txt*'
+  SELECTION_2:
+    ScriptBlockText: '*Get-ChildItem*'
+  SELECTION_3:
+    ScriptBlockText: '* -Recurse *'
+  SELECTION_4:
+    ScriptBlockText: '* -Include *'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Unknown
+id: c1dda054-d638-4c16-afc8-53e007f3fbc5
+level: medium
+logsource:
+  category: ps_script
+  definition: Script block logging must be enabled
+  product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+status: experimental
+tags:
+- attack.collection
+- attack.t1119