fix: several FPs against a fresh installed Windows with example applications and basic user interaction 3

rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml

@@ -10,7 +10,7 @@ tags:
     - attack.t1059.001
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2021/10/18
+modified: 2022/02/11
 logsource:
     product: windows
     category: ps_module
@@ -28,7 +28,7 @@ detection:
             - ' -w '
             - 'hidden'
             - '-noni'
-            - '-nop' 
+            - '-nop'
             - ' -c '
             - 'iex'
             - 'New-Object'
@@ -60,7 +60,9 @@ detection:
             - 'New-Object'
             - 'Net.WebClient'
             - '.Download'
-    condition: 1 of selection*
+    filter_chocolatey:
+        ContextInfo|contains: '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'
+    condition: 1 of selection* and not 1 of filter*
 falsepositives:
     - Penetration tests
 level: high