Fix

rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml

@@ -7,6 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
 author: frack113
 date: 2022/01/12
+modified: 2022/11/02
 tags:
     - attack.persistence
     - attack.t1546
@@ -17,9 +18,14 @@ logsource:
 detection:
     selection:
         ScriptBlockText|contains:
-            - Get-WmiObject
-            - gwmi
-    condition: selection
+            - 'Get-WmiObject'
+            - 'gwmi'
+    filter_cl_utility:
+        Path|endswith: '\CL_Utility.ps1'
+        ScriptBlockText|contains|all:
+            - 'function Get-FreeSpace'
+            - 'SELECT * FROM Win32_LogicalDisk WHERE MediaType=12'
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Legitimate PowerShell scripts
 level: low