Added Sigma Rules

rules/Sigma/sysmon_remote_powershell_session_network.yml

@@ -0,0 +1,36 @@
+title: Remote PowerShell Session
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects remote PowerShell connections by monitoring network outbound
+    connections to ports 5985 or 5986 from a non-network service account.
+detection:
+    SELECTION_1:
+        EventID: 3
+    SELECTION_2:
+        DestinationPort: 5985
+    SELECTION_3:
+        DestinationPort: 5986
+    SELECTION_4:
+        User: NT AUTHORITY\NETWORK SERVICE
+    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and  not (SELECTION_4))
+falsepositives:
+- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
+id: c539afac-c12a-46ed-b1bd-5a5567c9f045
+level: high
+logsource:
+    category: network_connection
+    product: windows
+modified: 2020/08/24
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+- attack.lateral_movement
+- attack.t1021.006
+- attack.t1028
+yml_filename: sysmon_remote_powershell_session_network.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection
+