ルール更新 (#224)

rules/sigma/powershell/powershell_script/powershell_web_request.yml

@@ -0,0 +1,36 @@
+
+title: Windows PowerShell Web Request
+author: James Pemberton / @4A616D6573
+date: 2019/10/24
+description: Detects the use of various web request methods (including aliases) via
+  Windows PowerShell command
+detection:
+  SELECTION_1:
+    ScriptBlockText:
+    - '*Invoke-WebRequest*'
+    - '*iwr *'
+    - '*wget *'
+    - '*curl *'
+    - '*Net.WebClient*'
+    - '*Start-BitsTransfer*'
+  condition: SELECTION_1
+falsepositives:
+- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+id: 1139d2e2-84b1-4226-b445-354492eba8ba
+level: medium
+logsource:
+  category: ps_script
+  definition: Script block logging must be enabled
+  product: windows
+modified: 2021/10/16
+references:
+- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+related:
+- id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
+  type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086