From 1a598282f4033e51e060b1014600970fdc64f72a Mon Sep 17 00:00:00 2001
From: zaphod <18658828+zaphodef@users.noreply.github.com>
Date: Wed, 13 May 2020 11:57:10 +0200
Subject: [PATCH] Add 'Add-Content' to powershell_ntfs_ads_access
---
 rules/windows/powershell/powershell_ntfs_ads_access.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_ntfs_ads_access.yml
index 422ed4ead..e2c531b76 100644
--- a/rules/windows/powershell/powershell_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_ntfs_ads_access.yml
@@ -16,6 +16,7 @@ logsource:
 detection:
 keyword1:
 - "set-content"
+ - "add-content"
 keyword2:
 - "-stream"
 condition: keyword1 and keyword2
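Review bot: The new `"add-content"` entry is, like `"set-content"`, a bare keyword that the condition ANDs with `"-stream"`, so as far as the hunk shows the rule fires when both strings appear anywhere in the logged event, not necessarily in the same command. Adding a second cmdlet widens that overlap, so I would record it next to the list, e.g. `# keywords match anywhere in the event; keyword1 and keyword2 need not be in the same command`. It is also worth checking that the rule's `falsepositives` entry mentions scripts that append to ordinary files while using a `-stream` argument elsewhere. The list covers only the full names of the two write cmdlets, so the description should state that scope. The title, description and `falsepositives` fields lie outside the hunk and may already cover this.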