From 1e2cd1655e6e03287cde82e7132dbfb53529f361 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 16 Dec 2022 17:59:24 +0100
Subject: [PATCH] fix: add more filters and update image field

---
 .../proc_creation_win_powershell_xor_commandline.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
index 6d37c0cf8..70e2f2766 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
@@ -15,7 +15,12 @@ logsource:
     product: windows
 detection:
     selection_metadata:
-        - Image|endswith: '\powershell.exe'
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
         - Description: 'Windows PowerShell'
         - Product: 'PowerShell Core 6'
     selection_cli:
@@ -30,9 +35,12 @@ detection:
        ParentImage: 'C:\Program Files\Amazon\SSM\ssm-document-worker.exe'
     filter_powershell_script:
         CommandLine|contains|all:
+            # Script part of Amazon SSM worker (But the parent is empty - see example linked below)
             # Example: https://github.com/SigmaHQ/sigma/pull/3717#issue-1455440560
             - 'function Convert-GuidToCompressedGuid'
             - 'ValueFromPipelineByPropertyName'
+            - '::ParseExact('
+            - 'KB[000000-999999]'
     condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown
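Review bot: The new `OriginalFileName` entry in `selection_metadata` carries no comment saying why it is listed next to `Image|endswith` as a separate list item, so a reader may take the two as a paired condition rather than as alternatives that each satisfy the selection on their own. I would add, above the `- OriginalFileName:` line, `# OriginalFileName comes from the PE version resource, so a PowerShell host copied under another name still matches here`. The value `'pwsh.dll'` is presumably the resource name carried by pwsh.exe rather than a typo for the image name; a one-line comment confirming that against a sample event would stop the next maintainer from "fixing" it to `pwsh.exe`.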
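Review bot: `falsepositives` at the end of this hunk still reads `- Unknown`, yet the two `filter_*` blocks visible here now encode a known benign source, the Amazon SSM document worker and the script it runs; the list should name it, e.g. `- Scripts executed by the Amazon SSM document worker (ssm-document-worker.exe)`, so consumers know which tuning is already baked in. Because the block uses `CommandLine|contains|all`, the two added substrings only narrow the existing filter, which is the right direction for an allow-list on a command line. The wording of the added comment could be tightened to `# Same SSM worker script, but observed with an empty ParentImage (see the example linked below)`. The `detection` mapping and the filter that holds the `ParentImage` line both begin before this hunk.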