fix: add more filters and update image field

rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml

@@ -15,7 +15,12 @@ logsource:
     product: windows
 detection:
     selection_metadata:
-        - Image|endswith: '\powershell.exe'
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
         - Description: 'Windows PowerShell'
         - Product: 'PowerShell Core 6'
     selection_cli:
@@ -30,9 +35,12 @@ detection:
         ParentImage: 'C:\Program Files\Amazon\SSM\ssm-document-worker.exe'
     filter_powershell_script:
         CommandLine|contains|all:
+            # Script part of Amazon SSM worker (But the parent is empty - see example linked below)
             # Example: https://github.com/SigmaHQ/sigma/pull/3717#issue-1455440560
             - 'function Convert-GuidToCompressedGuid'
             - 'ValueFromPipelineByPropertyName'
+            - '::ParseExact('
+            - 'KB[000000-999999]'
     condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown