Added Sigma Rules

rules/Sigma/sysmon_powershell_execution_pipe.yml

@@ -0,0 +1,28 @@
+title: T1086 PowerShell Execution
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2019/09/12
+description: Detects execution of PowerShell
+detection:
+    SELECTION_1:
+        EventID: 17
+    SELECTION_2:
+        EventID: 18
+    SELECTION_3:
+        PipeName: \PSHost*
+    condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3)
+falsepositives:
+- Unknown
+id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
+level: informational
+logsource:
+    category: pipe_created
+    product: windows
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+yml_filename: sysmon_powershell_execution_pipe.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created
+