From 2cd376c70cae25e8213b4cfc702e2c7beedb6458 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 16 Sep 2022 20:04:55 +0200
Subject: [PATCH] fix pass
---
 .../powershell_script/posh_ps_sensitive_file_discovery.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
index b4a5a05cd..5815a0ca6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
@@ -23,8 +23,9 @@ detection:
 ScriptBlockText|contains: '-recurse'
 selection_file:
 ScriptBlockText|contains:
- - 'pass'
- - 'kdbx'
+ - '.pass'
+ - '.kdbx'
+ - '.kdb'
 condition: all of selection_*
 falsepositives:
 - Unknown
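Review bot: Under `ScriptBlockText|contains`, the new `'.kdb'` value in `selection_file` already matches every script block that contains `'.kdbx'`, so the `'.kdbx'` entry is redundant; either drop it or keep it with a comment such as `# '.kdbx' kept for readability, '.kdb' already covers it`. The `'.pass'` value is still a plain substring, so it will presumably also fire on property access like `$cred.Password` in any script that uses `-recurse`, yet `falsepositives` still reads `- Unknown`; something like `- Administrative scripts that read a .Password property while recursing directories` would tell an analyst what to expect. The diffstat shows no other change in the file, so a `modified:` date, if the rule carries one, was not bumped together with this logic change. The detection block and the rule metadata start above the hunk, so the first selection's name and the remaining fields are not visible here.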