fix: several FPs against a fresh installed Windows with example applications and basic user interaction 3

rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detecting use WinAPI Functions in PowerShell
 author: Nikita Nazarov, oscd.community
 date: 2020/10/06
-modified: 2021/10/16
+modified: 2022/02/11
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 tags:
@@ -38,7 +38,7 @@ detection:
             - 'ReadProcessMemory'
             - 'CreateRemoteThread'
             - 'AdjustTokenPrivileges'
-            - 'WriteByte'
+            # - 'WriteByte'  # FP with .NET System.IO.FileStream
             - 'WriteInt32'
             - 'OpenThreadToken'
             - 'PtrToString'

rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml

@@ -11,7 +11,7 @@ tags:
     - attack.t1059.001
 author: frack113
 date: 2021/10/20
-modified: 2021/11/26
+modified: 2022/02/11
 logsource:
     product: windows
     category: ps_script
@@ -24,8 +24,9 @@ detection:
             - 'bypass'
             - 'RemoteSigned'
     filter:
-        ParentImage: 
+        - ParentImage:
             - 'C:\ProgramData\chocolatey\choco.exe'
+        - ScriptBlockText|contains: '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')'
     condition: cmdlet and option and not filter
 falsepositives:
     - Administrator script

rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml

@@ -10,7 +10,7 @@ tags:
     - attack.t1059.001
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2021/10/18
+modified: 2022/02/11
 logsource:
     product: windows
     category: ps_script
@@ -28,7 +28,7 @@ detection:
             - ' -w '
             - 'hidden'
             - '-noni'
-            - '-nop' 
+            - '-nop'
             - ' -c '
             - 'iex'
             - 'New-Object'
@@ -60,7 +60,9 @@ detection:
             - 'New-Object'
             - 'Net.WebClient'
             - '.Download'
-    condition: 1 of select*
+    filter_chocolatey:
+        ScriptBlockText|contains: '(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'
+    condition: 1 of select* and not 1 of filter*
 falsepositives:
     - Penetration tests
 level: high