Feature/addruletype to sigma rule#230 (#235)

* added ruletype to SIGMA rule #230 * added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00
parent bc230f7cd5
commit 0cfa806baf
1087 changed files with 1186 additions and 90 deletions
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml
@@ -31,3 +31,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml
@@ -30,3 +30,4 @@ status: experimental
 tags:
 - attack.command_and_control
 - attack.t1095
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml
@@ -31,3 +31,4 @@ tags:
 - attack.lateral_movement
 - attack.t1021.006
 - attack.t1028
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
@@ -38,3 +38,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml
@@ -32,3 +32,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1074.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml
@@ -28,3 +28,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.impact
 - attack.t1490
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml
@@ -28,3 +28,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml
@@ -31,3 +31,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml
@@ -27,3 +27,4 @@ tags:
 - attack.execution
 - attack.t1086
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml
@@ -29,3 +29,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1562.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml
@@ -29,3 +29,4 @@ tags:
 - attack.t1059.001
 - attack.lateral_movement
 - attack.t1021.003
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml
@@ -27,3 +27,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
@@ -28,3 +28,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
@@ -38,3 +38,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_clear_powershell_history.yml
@@ -37,3 +37,4 @@ tags:
 - attack.defense_evasion
 - attack.t1070.003
 - attack.t1146
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_decompress_commands.yml
@@ -27,3 +27,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1140
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_get_clipboard.yml
@@ -27,3 +27,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1115
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
@@ -40,3 +40,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
@@ -27,3 +27,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_powercat.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_powercat.yml
@@ -27,3 +27,4 @@ status: experimental
 tags:
 - attack.command_and_control
 - attack.t1095
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_remote_powershell_session.yml
@@ -28,3 +28,4 @@ tags:
 - attack.lateral_movement
 - attack.t1021.006
 - attack.t1028
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
@@ -35,3 +35,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -32,3 +32,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1074.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_suspicious_download_in_contextinfo.yml
@@ -27,3 +27,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml
@@ -35,3 +35,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml
@@ -92,3 +92,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
+++ b/rules/sigma/powershell/powershell_module/powershell_syncappvpublishingserver_exe_in_contextinfo.yml
@@ -27,3 +27,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml
@@ -70,3 +70,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1106
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_adrecon_execution.yml
@@ -27,3 +27,4 @@ tags:
 - attack.discovery
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_automated_collection.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_automated_collection.yml
@@ -38,3 +38,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1119
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_azurehound_commands.yml
@@ -29,3 +29,4 @@ tags:
 - attack.t1069.001
 - attack.t1069.002
 - attack.t1069
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
@@ -25,3 +25,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1216
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
@@ -25,3 +25,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1216
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
@@ -26,3 +26,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1216
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
@@ -26,3 +26,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1216
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_create_local_user.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_create_local_user.yml
@@ -26,3 +26,4 @@ tags:
 - attack.persistence
 - attack.t1136.001
 - attack.t1136
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_data_compressed.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_data_compressed.yml
@@ -29,3 +29,4 @@ tags:
 - attack.exfiltration
 - attack.t1560
 - attack.t1002
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_detect_vm_env.yml
@@ -30,3 +30,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1497.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_dnscat_execution.yml
@@ -23,3 +23,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_icmp_exfiltration.yml
@@ -28,3 +28,4 @@ status: experimental
 tags:
 - attack.exfiltration
 - attack.t1048.003
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_nightmare.yml
@@ -22,3 +22,4 @@ status: test
 tags:
 - attack.privilege_escalation
 - attack.t1548
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
@@ -37,3 +37,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
@@ -24,3 +24,4 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_keylogging.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_keylogging.yml
@@ -28,3 +28,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1056.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml
@@ -121,3 +121,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml
@@ -44,3 +44,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
@@ -24,3 +24,4 @@ references:
 status: experimental
 tags:
 - attack.t1003
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
@@ -94,3 +94,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_ntfs_ads_access.yml
@@ -33,3 +33,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
@@ -147,3 +147,4 @@ status: experimental
 tags:
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_prompt_credentials.yml
@@ -25,3 +25,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_psattack.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_psattack.yml
@@ -23,3 +23,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_set_policies_to_unsecure_level.yml
@@ -27,3 +27,4 @@ status: experimental
 tags:
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_shellcode_b64.yml
@@ -30,3 +30,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
@@ -26,3 +26,4 @@ status: experimental
 tags:
 - attack.execution
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_software_discovery.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_software_discovery.yml
@@ -31,3 +31,4 @@ status: experimental
 tags:
 - attack.discovery
 - attack.t1518
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
@@ -28,3 +28,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1564.004
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
@@ -29,3 +29,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1074.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_download_in_scriptblocktext.yml
@@ -27,3 +27,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
@@ -26,3 +26,4 @@ status: experimental
 tags:
 - attack.credential_access
 - attack.t1552.004
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
@@ -24,3 +24,4 @@ status: experimental
 tags:
 - attack.credential_access
 - attack.t1003.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml
@@ -35,3 +35,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml
@@ -92,3 +92,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml
@@ -37,3 +37,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_mail_acces.yml
@@ -28,3 +28,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1114.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
@@ -26,3 +26,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1070.005
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_recon.yml
@@ -28,3 +28,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1119
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
@@ -23,3 +23,4 @@ status: experimental
 tags:
 - attack.discovery
 - attack.t1120
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_suspicious_windowstyle.yml
@@ -26,3 +26,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1564.003
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_syncappvpublishingserver_exe_in_scriptblocktext.yml
@@ -27,3 +27,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_timestomp.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_timestomp.yml
@@ -32,3 +32,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1070.006
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_trigger_profiles.yml
@@ -31,3 +31,4 @@ status: experimental
 tags:
 - attack.privilege_escalation
 - attack.t1546.013
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_web_request.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_web_request.yml
@@ -34,3 +34,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
@@ -31,3 +31,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1562.004
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_winlogon_helper_dll.yml
@@ -33,3 +33,4 @@ tags:
 - attack.persistence
 - attack.t1547.004
 - attack.t1004
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_wmi_persistence.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.privilege_escalation
 - attack.t1546.003
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_script/powershell_wmimplant.yml
+++ b/rules/sigma/powershell/powershell_script/powershell_wmimplant.yml
@@ -42,3 +42,4 @@ tags:
 - attack.t1047
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA