From 402f171a891e050ddee7d0e91c8ad80abc55ef41 Mon Sep 17 00:00:00 2001
From: Florian Roth <venom14@gmail.com>
Date: Sat, 23 Jul 2022 12:08:29 +0200
Subject: [PATCH] Update proc_creation_win_pdqdeploy_runner_susp_children.yml

---
 .../proc_creation_win_pdqdeploy_runner_susp_children.yml         | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
index 6711b1abc..6a0426f14 100644
--- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
@@ -23,7 +23,6 @@ detection:
             - '\rundll32.exe'
             - '\mshta.exe'
             - '\csc.exe'
-            - '\powershell.exe'
         - Image|contains:
             - 'C:\Users\Public\'
             - '\AppData\Local\Temp'