ルール更新 (#224)

rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml

@@ -0,0 +1,24 @@
+
+title: PrintNightmare Powershell Exploitation
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+description: Detects Commandlet name for PrintNightmare exploitation.
+detection:
+  SELECTION_1:
+    ScriptBlockText: '*Invoke-Nightmare*'
+  condition: SELECTION_1
+falsepositives:
+- Unknown
+id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
+level: high
+logsource:
+  category: ps_script
+  definition: Script Block Logging must be enable
+  product: windows
+modified: 2021/10/16
+references:
+- https://github.com/calebstewart/CVE-2021-1675
+status: test
+tags:
+- attack.privilege_escalation
+- attack.t1548