ルール更新 (#224)

rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml

@@ -0,0 +1,28 @@
+
+title: Suspicious PowerShell WindowStyle Option
+author: frack113
+date: 2021/10/20
+description: Adversaries may use hidden windows to conceal malicious activity from
+  the plain sight of users. In some cases, windows that would typically be displayed
+  when an application carries out an operation can be hidden
+detection:
+  SELECTION_1:
+    ScriptBlockText: '*powershell*'
+  SELECTION_2:
+    ScriptBlockText: '*WindowStyle*'
+  SELECTION_3:
+    ScriptBlockText: '*Hidden*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Unknown
+id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
+level: medium
+logsource:
+  category: ps_script
+  product: windows
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1564.003