rework: impossible rule with Sysmon

rules/windows/network_connection/sysmon_susp_plink_non_standard_port.yml

@@ -1,27 +0,0 @@
-title: Suspicious Plink Non-Standard Port
-id: 576131ea-77e3-4f8e-ab39-f0bcbcc7c68c
-status: experimental
-description: Detects suspicious Plink use to a port that is not Port 22/tcp (default for SSH)
-references:
-    - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
-    - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
-author: Florian Roth
-date: 2021/01/19
-tags:
-    - attack.command_and_control
-    - attack.t1572
-    - attack.lateral_movement
-    - attack.t1021.001
-logsource:
-    category: network_connection
-    product: windows
-detection:
-    selection:
-        Description: 'Command-line SSH, Telnet, and Rlogin client'
-        Initiated: 'true'
-    filter:
-        DestinationPort: 22
-    condition: selection and not filter
-falsepositives:
-    - Environments in which SSH servers don't run on port 22/tcp
-level: high

rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml

@@ -13,12 +13,11 @@ tags:
     - attack.lateral_movement
     - attack.t1021.001
 logsource:
-    category: network_connection
+    category: process_creation
     product: windows
 detection:
     selection:
         Description: 'Command-line SSH, Telnet, and Rlogin client'
-        Initiated: 'true'
         CommandLine|contains: ' -R '
     condition: selection
 falsepositives: