Two new Sysmon rules for Office Macro/PS detection

rules/windows/sysmon/sysmon_office_macro_cmd.yml

@@ -0,0 +1,19 @@
+title: Office Macro Starts Cmd
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Word or Excel 
+reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+author: Florian Roth
+logsource:
+    product: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage: 
+            - '*\WINWORD.EXE'
+            - '*\EXCEL.EXE'
+        Image: '*\cmd.exe'
+    condition: selection
+falsepositives:
+    - unknown
+level: high
+

rules/windows/sysmon/sysmon_powershell_download.yml

@@ -0,0 +1,18 @@
+title: PowerShell Download from URL
+status: experimental
+description: Detetcs a Powershell process that contains download commands in its command line string
+author: Florian Roth
+logsource:
+    product: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image: '*\powershell.exe'
+        CommandLine: 
+            - '*new-object system.net.webclient).downloadstring(*'
+            - '*new-object system.net.webclient).downloadfile(*'
+    condition: selection
+falsepositives:
+    - unknown
+level: medium
+