Feature/addruletype to sigma rule#230 (#235)

* added ruletype to SIGMA rule #230 * added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00
parent bc230f7cd5
commit 0cfa806baf
1087 changed files with 1186 additions and 90 deletions
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml
@@ -31,3 +31,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_powercat.yml
@@ -30,3 +30,4 @@ status: experimental
 tags:
 - attack.command_and_control
 - attack.t1095
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml
@@ -31,3 +31,4 @@ tags:
 - attack.lateral_movement
 - attack.t1021.006
 - attack.t1028
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml
@@ -38,3 +38,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1218
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml
@@ -32,3 +32,4 @@ status: experimental
 tags:
 - attack.collection
 - attack.t1074.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_classic_suspicious_download.yml
@@ -28,3 +28,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml
@@ -33,3 +33,4 @@ status: experimental
 tags:
 - attack.impact
 - attack.t1490
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_downgrade_attack.yml
@@ -28,3 +28,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_exe_calling_ps.yml
@@ -31,3 +31,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_renamed_powershell.yml
@@ -27,3 +27,4 @@ tags:
 - attack.execution
 - attack.t1086
 - attack.t1059.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml
@@ -29,3 +29,4 @@ status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1562.001
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml
@@ -29,3 +29,4 @@ tags:
 - attack.t1059.001
 - attack.lateral_movement
 - attack.t1021.003
+ruletype: SIGMA
--- a/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml
+++ b/rules/sigma/powershell/powershell_classic/powershell_xor_commandline.yml
@@ -27,3 +27,4 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086
+ruletype: SIGMA