From 2e5e4a20d20bbf6f46809a471b5f2a2d19a09d76 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Sat, 28 Nov 2020 09:26:18 +0100
Subject: [PATCH] Update powershell_clear_powershell_history.yml

---
 .../powershell_clear_powershell_history.yml | 41 +++++++++++++------
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml
index 79828fc2d..695c01d00 100644
--- a/rules/windows/powershell/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_clear_powershell_history.yml
@@ -3,7 +3,8 @@ id: dfba4ce1-e0ea-495f-986e-97140f31af2d
 status: experimental
 description: Detects keywords that could indicate clearing PowerShell history
 date: 2019/10/25
-author: Ilyas Ochkov, oscd.community, Jonhnathan Ribeiro
+modified: 2020/11/28
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 references:
 - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
 tags:
@@ -14,20 +15,36 @@ logsource:
 product: windows
 service: powershell
 detection:
- selection1:
- Message|contains:
+ selection_1:
+ EventID: 4104
+ selection_2:
+ ScriptBlockText|contains:
 - 'del'
- - 'Set-PSReadlineOption'
 - 'Remove-Item'
 - 'rm'
- selection2:
- Message|contains:
+ ScriptBlockText|contains|all:
 - '(Get-PSReadlineOption).HistorySavePath'
- selection3:
- Message|contains:
- - '–HistorySaveStyle'
- - 'SaveNothing'
- condition: selection1 and (selection2 or selection3)
+ selection_3:
+ ScriptBlockText|contains|all:
+ - 'Set-PSReadlineOption'
+ - '–HistorySaveStyle'
+ - 'SaveNothing'
+ selection_4:
+ EventID: 4103
+ selection_5:
+ Payload|contains:
+ - 'del'
+ - 'Remove-Item'
+ - 'rm'
+ Payload|contains|all:
+ - '(Get-PSReadlineOption).HistorySavePath'
+ selection_6:
+ Payload|contains|all:
+ - 'Set-PSReadlineOption'
+ - '–HistorySaveStyle'
+ - 'SaveNothing'
+ condition: selection_1 and ( selection_2 or selection_3 ) or
+ selection_4 and ( selection_5 or selection_6 )
 falsepositives:
- - some PS-scripts
+ - Legitimate PowerShell scripts
 level: medium
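Review bot: The dash in '–HistorySaveStyle' in selection_3 and selection_6 appears to be an en dash (U+2013) rather than an ASCII hyphen, so the usual spelling `Set-PSReadlineOption -HistorySaveStyle SaveNothing` would not match; the removed selection3 carried the same character and the rewrite keeps it. Dropping the dash altogether, `- 'HistorySaveStyle'` in both lists, matches either spelling while contains|all still requires 'Set-PSReadlineOption' and 'SaveNothing' alongside it. The new condition relies on Sigma giving `and` higher precedence than `or`, which evaluates as intended but is easy to misread across the line break; `condition: ( selection_1 and ( selection_2 or selection_3 ) ) or ( selection_4 and ( selection_5 or selection_6 ) )` makes the grouping explicit. The two-character 'rm' and three-character 'del' substrings in selection_2 and selection_5 can be satisfied by unrelated tokens in a longer script block (for example 'Format' or 'model'), so they filter less than they appear to; if a deletion verb is meant to be required, values with a trailing space such as 'rm ' and 'del ' would be tighter, at the cost of missing calls that use other separators.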