From 7a4eb6cb58f3329cf9070a7ca4f0df068db895ad Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Fri, 26 Jan 2024 16:19:13 +0500
Subject: [PATCH] Merge PR #4693 from @qasimqlf - Update selection to remove overlap

chore: PowerShell ShellCode - Remove "selection" as it was overlapping with "selection2"
---
 .../powershell/powershell_script/posh_ps_shellcode_b64.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index 91f9e597e..c0726ebd3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/cyb3rops/status/1063072865992523776
 author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
 date: 2018/11/17
-modified: 2022/12/25
+modified: 2024/01/25
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -19,12 +19,10 @@ logsource:
     definition: 'Requirements: Script Block Logging must be enabled'
 detection:
     selection:
-        ScriptBlockText|contains: 'AAAAYInlM'
-    selection2:
         ScriptBlockText|contains:
             - 'OiCAAAAYInlM'
             - 'OiJAAAAYInlM'
-    condition: selection and selection2
+    condition: selection
 falsepositives:
     - Unknown
 level: high
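Review bot: The rewritten `selection` block records nothing about why the shorter string was dropped, and a later maintainer may read the shortened `condition: selection` as a deliberate narrowing of the rule rather than the removal of a redundant term. The change itself loses no coverage: both `'OiCAAAAYInlM'` and `'OiJAAAAYInlM'` contain the removed `'AAAAYInlM'` as a substring on the same `ScriptBlockText|contains` field, so `selection and selection2` was already equivalent to `selection2` for every event. A one-line comment above the list, `# 'AAAAYInlM' was dropped as redundant: both entries below already contain it`, would preserve that reasoning in the rule file. Why two variants are listed (presumably the same byte sequence at different base64 alignments) is also not stated; if that is the intent, noting it in the same comment helps whoever adds a third variant later. The rule's title and description lie outside this hunk, so whether they still describe the old two-selection logic cannot be checked here.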