Added Sigma Rules

rules/Sigma/win_remote_powershell_session_process.yml

@@ -0,0 +1,37 @@
+title: Remote PowerShell Session Host Process (WinRM)
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM
+    host process) as a parent or child process (sign of an active PowerShell remote
+    session).
+detection:
+    SELECTION_1:
+        EventID: 1
+    SELECTION_2:
+        Image: '*\wsmprovhost.exe'
+    SELECTION_3:
+        ParentImage: '*\wsmprovhost.exe'
+    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Legitimate usage of remote Powershell, e.g. for monitoring purposes.
+fields:
+- ComputerName
+- User
+- CommandLine
+id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
+level: medium
+logsource:
+    category: process_creation
+    product: windows
+modified: 2021/05/21
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001
+- attack.t1021.006
+yml_filename: win_remote_powershell_session_process.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
+