diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
index f8e06f0a8..974b20c8e 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
@@ -52,7 +52,7 @@ detection:
 - 'Net.WebClient'
 - '.Download'
 filter_chocolatey:
- - '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'
+ - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
 condition: (all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient) and not 1 of filter_*
 falsepositives:
 - Penetration tests
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
index a9c683b3b..fbaf6fd1a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
@@ -61,7 +61,7 @@ detection:
 - 'Net.WebClient'
 - '.Download'
 filter_chocolatey:
- ContextInfo|contains: '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'
+ ContextInfo|contains: "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
 condition: 1 of selection* and not 1 of filter*
 falsepositives:
 - Penetration tests
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index e5f445760..bba531dd6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
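Review bot: The `filter_chocolatey` entry now requires the single-quote form `DownloadString('https://…`, so a Chocolatey install written with double quotes (`DownloadString("https://community.chocolatey.org/install.ps1")`) is not suppressed and still raises the alert; the same applies to the `ContextInfo|contains` filter in posh_pm_suspicious_invocation_specific.yml and the `ScriptBlockText|contains` filter in posh_ps_suspicious_invocation_specific.yml. The previous single-quoted scalar was terminated by its embedded `'` and was most likely rejected by the YAML loader, so this commit is effectively the first time the filter takes effect and its false-positive behaviour deserves a test event in both quoting styles. If a quote-agnostic exclusion is wanted, `- 'community.chocolatey.org/install.ps1'` covers both forms, at the cost of silencing every event whose text contains that URL, so keep the filter no broader than the installs it is meant to exclude. Sigma convention also expects the rule's `modified:` date to be bumped when detection logic changes; that field is outside the hunk, so please confirm it was updated in all four rules.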
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -26,7 +26,7 @@ detection:
 filter:
 - ParentImage:
 - 'C:\ProgramData\chocolatey\choco.exe'
- - ScriptBlockText|contains: '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')'
+ - ScriptBlockText|contains: "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
 condition: cmdlet and option and not filter
 falsepositives:
 - Administrator script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
index 4b18384aa..23e923351 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
@@ -61,7 +61,7 @@ detection:
 - 'Net.WebClient'
 - '.Download'
 filter_chocolatey:
- ScriptBlockText|contains: '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'
+ ScriptBlockText|contains: "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
 condition: 1 of select* and not 1 of filter*
 falsepositives:
 - Penetration tests
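Review bot: The `filter` in posh_ps_set_policies_to_unsecure_level.yml is a sequence of two mappings, which Sigma evaluates as an OR, so the rule is silenced when either `ParentImage` is choco.exe or the script text contains the install call; if this rule's logsource is PowerShell script-block logging (as the posh_ps_ prefix suggests, the logsource itself is outside the hunk), `ParentImage` is not a field on those events, the first entry never matches, and the string filter is the only effective exclusion. The fixed string here also keeps the closing `')` while the three sibling filters in this commit stop at `install.ps1`; aligning them (all with or all without the closing `')`) keeps the four rules from diverging on the same install line. Like the siblings, this filter only recognises the single-quoted `DownloadString('…')` form, so a double-quoted install line is not excluded and will still alert.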