Change status for old rules

rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml

@@ -1,22 +1,23 @@
 title: Accessing WinAPI in PowerShell. Code Injection.
 id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
-status: experimental
+status: test
 description: Detecting Code injection with PowerShell in another process
 author: Nikita Nazarov, oscd.community
-date: 2020/10/06
 references:
-    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
-tags:
-    - attack.execution
-    - attack.t1059.001
+  - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
-    product: windows
-    category: create_remote_thread
-    definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
+  product: windows
+  category: create_remote_thread
+  definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
 detection:
-    selection:
-        SourceImage|endswith: '\powershell.exe'
-    condition: selection
+  selection:
+    SourceImage|endswith: '\powershell.exe'
+  condition: selection
 falsepositives:
-    - Unknown
+  - Unknown
 level: high
+tags:
+  - attack.execution
+  - attack.t1059.001