From 90e8eba530c6d64bb3f8bc74501d7f54df3d2971 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 22 Jan 2019 16:37:36 +0100
Subject: [PATCH] rule: false positive reduction in PowerShell rules
---
 .../powershell/powershell_malicious_commandlets.yml | 2 +-
 rules/windows/powershell/powershell_malicious_keywords.yml | 7 +------
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index 2105d06bf..7b741ebfb 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -1,6 +1,7 @@
 title: Malicious PowerShell Commandlets
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+modified: 2019/01/22
 references:
 - https://adsecurity.org/?p=2921
 tags:
@@ -40,7 +41,6 @@ detection:
 - Get-VulnAutoRun
 - Get-VulnSchTask
 - Get-UnattendedInstallFile
- - Get-WebConfig
 - Get-ApplicationHost
 - Get-RegAlwaysInstallElevated
 - Get-Unconstrained
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index 63c08a3d8..0323a1dcd 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -1,6 +1,7 @@
 title: Malicious PowerShell Keywords
 status: experimental
 description: Detects keywords from well-known PowerShell exploitation frameworks
+modified: 2019/01/22
 references:
 - https://adsecurity.org/?p=2921
 tags:
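Review bot: The removal of `Get-WebConfig` in the second hunk of powershell_malicious_commandlets.yml leaves no record in the rule of why that commandlet was a false-positive source, so a later contributor may simply add it back; the same applies to the six keywords dropped from powershell_malicious_keywords.yml (`Management.Automation.RuntimeException`, `Runtime.InteropServices`, `System.Security.Cryptography`, `System.Runtime.InteropServices`, `Net.Sockets.SocketFlags`, `Reflection.Assembly`). Those six are generic .NET namespace strings that benign scripts also emit, which is presumably the false-positive source the subject line refers to, but the diff itself does not say so. Consider recording the rationale in each rule's `falsepositives` entry (outside these hunks, if present), e.g. `- Generic .NET namespace strings such as System.Runtime.InteropServices occur in benign administrative scripts; removed from the keyword list on 2019/01/22`. The keyword list still retains the API-level indicators `Microsoft.Win32.UnsafeNativeMethods`, `ReadProcessMemory.Invoke` and `MiniDumpWriteDump`, so coverage for in-memory credential access is narrowed rather than lost; both `detection:` blocks start before their hunks.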
@@ -15,18 +16,12 @@ detection:
 keywords:
 - AdjustTokenPrivileges
 - IMAGE_NT_OPTIONAL_HDR64_MAGIC
- - Management.Automation.RuntimeException
 - Microsoft.Win32.UnsafeNativeMethods
 - ReadProcessMemory.Invoke
- - Runtime.InteropServices
 - SE_PRIVILEGE_ENABLED
- - System.Security.Cryptography
- - System.Runtime.InteropServices
 - LSA_UNICODE_STRING
 - MiniDumpWriteDump
 - PAGE_EXECUTE_READ
- - Net.Sockets.SocketFlags
- - Reflection.Assembly
 - SECURITY_DELEGATION
 - TOKEN_ADJUST_PRIVILEGES
 - TOKEN_ALL_ACCESS