feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*'

rules/windows/powershell/powershell_script/powershell_automated_collection.yml

@@ -3,7 +3,7 @@ id: c1dda054-d638-4c16-afc8-53e007f3fbc5
 status: experimental
 author: frack113
 date: 2021/07/28
-modified: 2021/10/16
+modified: 2021/12/02
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
@@ -31,7 +31,7 @@ detection:
             - 'Get-ChildItem'
             - ' -Recurse '
             - ' -Include '
-    condition: all of them
+    condition: all of selection*
 falsepositives:
     - Unknown
 level: medium

rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml

@@ -3,7 +3,7 @@ id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 status: experimental
 author: frack113
 date: 2021/08/03
-modified: 2021/10/16
+modified: 2021/12/02
 description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
@@ -22,7 +22,7 @@ detection:
         ScriptBlockText|contains: 
             - MSAcpi_ThermalZoneTemperature
             - Win32_ComputerSystem
-    condition: all of them
+    condition: all of selection*
 falsepositives:
     - Unknown
 level: medium

rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml

@@ -14,20 +14,20 @@ tags:
     - attack.t1086  # an old one
 author: Sami Ruohonen
 date: 2018/07/24
-modified: 2021/10/16
+modified: 2021/12/02
 logsource:
     product: windows
     category: ps_script
     definition: Script block logging must be enabled
 detection:
-    content:
+    selection_content:
         ScriptBlockText|contains:
             - "set-content"
             - "add-content"
-    stream:
+    selection_stream:
         ScriptBlockText|contains:
             - "-stream"
-    condition: all of them
+    condition: all of selection*
 falsepositives:
     - unknown
 level: high

rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml

@@ -11,25 +11,25 @@ tags:
     - attack.t1086  #an old one
 author: Florian Roth (rule)
 date: 2017/03/12
-modified: 2021/10/18
+modified: 2021/12/02
 logsource:
     product: windows
     category: ps_script
 detection:
-    encoded:
+    selection_encoded:
         ScriptBlockText|contains:
             - ' -enc '
             - ' -EncodedCommand '
-    hidden:
+    selection_hidden:
         ScriptBlockText|contains:
             - ' -w hidden '
             - ' -window hidden '
             - ' -windowstyle hidden '
-    noninteractive:
+    selection_noninteractive:
         ScriptBlockText|contains:
             - ' -noni '
             - ' -noninteractive '
-    condition: all of them
+    condition: all of selection*
 falsepositives:
     - Penetration tests
     - Very special / sneaky PowerShell scripts

rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml

@@ -3,7 +3,7 @@ id: a9723fcc-881c-424c-8709-fd61442ab3c3
 status: experimental
 author: frack113
 date: 2021/07/30
-modified: 2021/10/16
+modified: 2021/12/02
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
@@ -22,7 +22,7 @@ detection:
             - 'Get-Process '
     selection_redirect:
         ScriptBlockText|contains: '> $env:TEMP\'
-    condition: all of them 
+    condition: all of selection*
 falsepositives:
     - Unknown
 level: medium