Added Sigma Rules

rules/Sigma/powershell_shellintel_malicious_commandlets.yml

@@ -0,0 +1,32 @@
+title: Malicious ShellIntel PowerShell Commandlets
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+description: Detects Commandlet names from ShellIntel exploitation scripts.
+detection:
+    SELECTION_1:
+        ScriptBlockText: '*Invoke-SMBAutoBrute*'
+    SELECTION_2:
+        ScriptBlockText: '*Invoke-GPOLinks*'
+    SELECTION_3:
+        ScriptBlockText: '*Out-Minidump*'
+    SELECTION_4:
+        ScriptBlockText: '*Invoke-Potato*'
+    condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
+falsepositives:
+- Unknown
+id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
+level: high
+logsource:
+    category: ps_script
+    definition: Script Block Logging must be enable
+    product: windows
+modified: 2021/10/16
+references:
+- https://github.com/Shellntel/scripts/
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+yml_filename: powershell_shellintel_malicious_commandlets.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+