fix: FPs found in testing environment

rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml

@@ -7,7 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
 author: Florian Roth
 date: 2021/04/23
-modified: 2022/10/09
+modified: 2023/01/24
 tags:
     - attack.credential_access
     - attack.t1552.004
@@ -18,7 +18,9 @@ logsource:
 detection:
     selection:
         ScriptBlockText|contains: 'Export-PfxCertificate'
-    condition: selection
+    filter_moduleexport:
+        ScriptBlockText|contains: 'CmdletsToExport = @('
+    condition: selection and not 1 of filter*
 falsepositives:
     - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
 level: high

rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml

@@ -9,7 +9,7 @@ references:
     - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022/12/27
-modified: 2023/01/03
+modified: 2023/01/24
 tags:
     - attack.defense_evasion
     - attack.t1027.009
@@ -26,7 +26,7 @@ detection:
         #   ${e`Nv:pATh}
         - ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
         #- ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
-        - ScriptBlockText|re: '"(\{\d\})+"\s*-f'
+        - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f'  # trigger on at least two placeholders. One might be used for legitimate string formatting
         - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
     filter:
         ScriptBlockText|contains: 'it will return true or false instead'  # Chocolatey install script https://github.com/chocolatey/chocolatey