Added Sigma Rules

rules/Sigma/powershell_classic_remote_powershell_session.yml

@@ -0,0 +1,35 @@
+title: Remote PowerShell Session
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+description: Detects remote PowerShell sessions
+detection:
+    SELECTION_1:
+        HostName: ServerRemoteHost
+    SELECTION_2:
+        HostApplication: '*wsmprovhost.exe*'
+    condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legitimate use remote PowerShell sessions
+id: 60167e5c-84b2-4c95-a7ac-86281f27c445
+level: high
+logsource:
+    category: ps_classic_start
+    definition: fields have to be extract from event
+    product: windows
+modified: 2021/10/16
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+related:
+-   id: 96b9f619-aa91-478f-bacb-c3e50f8df575
+    type: derived
+status: test
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
+yml_filename: powershell_classic_remote_powershell_session.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_classic
+