From 6da13f19a63e2aa9410dbcccf6d7bebb2e703975 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 17 Mar 2022 14:26:12 +0100
Subject: [PATCH] fix registry FP

---
 .../powershell_script/posh_ps_remove_item_path.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
index cda5dcbf2..71161eb22 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -7,6 +7,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
 date: 2022/01/15
+modified: 2022/03/17
 logsource:
     product: windows
     category: ps_script
@@ -16,7 +17,11 @@ detection:
         ScriptBlockText|contains|all:
             - Remove-Item
             - '-Path '
-    condition: selection
+    filter_reg:
+        ScriptBlockText|contains:
+            - 'HKCU:\'
+            - 'HKLM:\'
+    condition: selection and not filter_reg
 falsepositives:
     - Legitimate PowerShell scripts
 level: low
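Review bot: The new `filter_reg` in the second hunk suppresses the whole event whenever `HKCU:\` or `HKLM:\` appears anywhere in `ScriptBlockText`, not only as the `-Path` argument of `Remove-Item`, so a script block that removes a registry value and also deletes a file path is no longer alerted on under `condition: selection and not filter_reg`. If the intent is only to drop registry-key removals, anchoring the filter to the argument, e.g. `- '-Path HKCU:\'` and `- '-Path HKLM:\'` (plus whichever quoted forms the rule is meant to tolerate), keeps the mixed case; otherwise a comment on the filter such as `# registry-hive removals are out of scope here; the rule targets file deletion (T1070.004)` would make the trade-off explicit to the next tuner. The `Registry::` provider-path spelling of the same hives is not matched by the filter, which is the conservative choice for a false-positive fix but worth recording under `falsepositives` so it is not mistaken for an oversight.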