From 3aa2a73ba73a32f7b8875a572ab9b410fb4f19e0 Mon Sep 17 00:00:00 2001
From: nsaddler
Date: Sun, 18 Oct 2020 10:38:40 +0300
Subject: [PATCH] Update powershell_CL_Invocation_LOLScript.yml

---
 .../windows/powershell/powershell_CL_Invocation_LOLScript.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
index c7e482c88..7c1fc3063 100644
--- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
+++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
@@ -26,7 +26,8 @@ detection:
 - 'SyncInvoke'
 timeframe: 1m
 condition:
- - selection or (selection2 | count(ScriptBlockText) by Computer > 2)
+ - selection
+ - selection2 | count(ScriptBlockText) by Computer > 2
 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe
 # or
 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
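Review bot: The new two-entry `condition` list records nothing about why the single `or` expression was split, so a later maintainer may fold it back into one line and reintroduce the problem; a comment above the list would prevent that, e.g. `# Two separate conditions on purpose: an aggregation (count ... by) cannot be combined with 'or' in one Sigma condition, so each entry compiles to its own query and either one fires the rule`. It is also worth confirming in the same comment what `count(ScriptBlockText) by Computer > 2` within the 1m `timeframe` is meant to count — distinct script blocks per host or raw event count — since backends have interpreted `count(field)` differently and the threshold's meaning for the analyst depends on it. The `selection` entry now alerts on any single match, which matches the old behaviour but is more visible in this form, so the comment should note that its matching does not depend on the timeframe. The `detection` block starts before this hunk, so the selection definitions themselves are not visible here.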