ルール更新 (#224)

rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml

@@ -0,0 +1,31 @@
+
+title: AzureHound PowerShell Commands
+author: Austin Songer (@austinsonger)
+date: 2021/10/23
+description:
+detection:
+  SELECTION_1:
+    ScriptBlockText:
+    - '*Invoke-AzureHound*'
+  condition: SELECTION_1
+falsepositives:
+- Penetration testing
+id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
+level: high
+logsource:
+  category: ps_script
+  definition: Script Block Logging must be enable
+  product: windows
+references:
+- https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
+- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
+status: experimental
+tags:
+- attack.discovery
+- attack.t1482
+- attack.t1087
+- attack.t1087.001
+- attack.t1087.002
+- attack.t1069.001
+- attack.t1069.002
+- attack.t1069