Added Sigma Rules

rules/Sigma/process_creation_susp_web_request_cmd.yml

@@ -0,0 +1,41 @@
+title: Windows Suspicious Use Of Web Request in CommandLine
+author: James Pemberton / @4A616D6573
+date: 2019/10/24
+description: Detects the use of various web request with commandline tools or Windows
+    PowerShell command,methods (including aliases)
+detection:
+    SELECTION_1:
+        EventID: 1
+    SELECTION_2:
+        CommandLine: '*Invoke-WebRequest*'
+    SELECTION_3:
+        CommandLine: '*iwr *'
+    SELECTION_4:
+        CommandLine: '*wget *'
+    SELECTION_5:
+        CommandLine: '*curl *'
+    SELECTION_6:
+        CommandLine: '*Net.WebClient*'
+    SELECTION_7:
+        CommandLine: '*Start-BitsTransfer*'
+    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+        or SELECTION_6 or SELECTION_7))
+falsepositives:
+- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+modified: 2021/09/21
+references:
+- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: process_creation_susp_web_request_cmd.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+