Added Sigma Rules

rules/Sigma/powershell_suspicious_invocation_generic_in_scriptblocktext.yml

@@ -0,0 +1,41 @@
+title: Suspicious PowerShell Invocations - Generic
+author: Florian Roth (rule)
+date: 2017/03/12
+description: Detects suspicious PowerShell invocation command parameters
+detection:
+    SELECTION_1:
+        ScriptBlockText: '* -enc *'
+    SELECTION_2:
+        ScriptBlockText: '* -EncodedCommand *'
+    SELECTION_3:
+        ScriptBlockText: '* -w hidden *'
+    SELECTION_4:
+        ScriptBlockText: '* -window hidden *'
+    SELECTION_5:
+        ScriptBlockText: '* -windowstyle hidden *'
+    SELECTION_6:
+        ScriptBlockText: '* -noni *'
+    SELECTION_7:
+        ScriptBlockText: '* -noninteractive *'
+    condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 or SELECTION_4 or SELECTION_5)
+        and (SELECTION_6 or SELECTION_7))
+falsepositives:
+- Penetration tests
+- Very special / sneaky PowerShell scripts
+id: ed965133-513f-41d9-a441-e38076a0798f
+level: high
+logsource:
+    category: ps_script
+    product: windows
+modified: 2021/10/18
+related:
+-   id: 3d304fda-78aa-43ed-975c-d740798a49c1
+    type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_suspicious_invocation_generic_in_scriptblocktext.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+