From 01956f131221689c48fd057dc092287381c1b1d5 Mon Sep 17 00:00:00 2001
From: ecco
Date: Fri, 6 Sep 2019 03:54:19 -0400
Subject: [PATCH] powershell false positives

---
 rules/windows/powershell/powershell_malicious_commandlets.yml | 4 +++-
 rules/windows/sysmon/sysmon_renamed_powershell.yml | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index c8d01d632..fcc15429f 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -108,7 +108,9 @@ detection:
 - Invoke-ReverseDNSLookup
 - Invoke-SMBScanner
 - Invoke-Mimikittenz
- condition: keywords
+ false_positives:
+ - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+ condition: keywords and not false_positives
 falsepositives:
 - Penetration testing
 level: high
diff --git a/rules/windows/sysmon/sysmon_renamed_powershell.yml b/rules/windows/sysmon/sysmon_renamed_powershell.yml
index a910de1c5..3810b8f41 100644
--- a/rules/windows/sysmon/sysmon_renamed_powershell.yml
+++ b/rules/windows/sysmon/sysmon_renamed_powershell.yml
@@ -16,6 +16,7 @@ detection:
 Company: 'Microsoft Corporation'
 filter:
 Image: '*\powershell.exe'
+ Image: '*\powershell_ise.exe'
 condition: selection and not filter
 falsepositives:
 - Unknown
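Review bot: The new detection identifier `false_positives` is almost indistinguishable from the rule's top-level `falsepositives` metadata key two lines below, which invites misreading when the rule is edited later; the sibling change to sysmon_renamed_powershell.yml in this same patch uses `filter`, and naming this exclusion `filter` too (with `condition: keywords and not filter`) would keep the two rules consistent. It is also worth documenting that, as a keyword list, the exclusion suppresses an entire event containing that string rather than only the matched term, for example with `# keyword exclusion: drops the whole event, not only this term` next to the entry. The `falsepositives:` metadata list still reads only `Penetration testing` and could name the Windows maintenance diagnostic script referenced in the URL comment, so the reason for the exclusion survives outside the inline comment.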
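Review bot: The added line repeats the `Image` key inside the `filter` mapping, which makes it a duplicate YAML key: depending on the loader the rule either fails to parse or the second value silently replaces the first, and in the latter case `*\powershell.exe` is no longer filtered, so the rule would fire on every ordinary powershell.exe execution instead of only on renamed binaries. Both patterns belong in one list value under a single key, `Image:` / `- '*\powershell.exe'` / `- '*\powershell_ise.exe'`, which Sigma evaluates as an OR. The `selection` block this filter applies to starts outside the hunk.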