From a67c19c08b80810db920b3f54c0d9520f1b8de39 Mon Sep 17 00:00:00 2001
From: Ryan Plas
Date: Mon, 12 Oct 2020 09:00:08 -0400
Subject: [PATCH] Split up powershell detection
---
.../win_non_priv_reg_or_ps.yml | 29 ++++++++++---------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
index df59804b6..8ff4bf024 100644
--- a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml
@@ -14,27 +14,28 @@ logsource:
 product: windows
 detection:
 integrity_level:
- IntegrityLevel: Medium
+ IntegrityLevel: 'Medium'
 reg:
 CommandLine|contains|all:
- - reg
- - add
- powershell:
- CommandLine|contains: powershell
+ - 'reg'
+ - 'add'
+ powershell_1:
+ CommandLine|contains: 'powershell'
+ powershell_2:
 CommandLine|contains:
- - set-itemproperty
- - " sp "
- - new-itemproperty
+ - 'set-itemproperty'
+ - ' sp '
+ - 'new-itemproperty'
 registry_folder:
 CommandLine|contains|all:
- - ControlSet
- - Services
+ - 'ControlSet'
+ - 'Services'
 registry_key:
 CommandLine|contains:
- - ImagePath
- - FailureCommand
- - ServiceDLL
- condition: integrity_level and (reg or powershell) and registry_folder and registry_key
+ - 'ImagePath'
+ - 'FailureCommand'
+ - 'ServiceDLL'
+ condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key
 fields:
 - EventID
 - IntegrityLevel
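Review bot: The new `powershell_1` selection gates the whole PowerShell branch on the literal substring `powershell` in CommandLine, so a `Set-ItemProperty` on `ImagePath`/`ServiceDLL` issued from `pwsh.exe` (PowerShell 7) or a renamed copy of the binary now matches neither branch of the condition, whereas the duplicate `CommandLine|contains` key in the old `powershell` map most likely let the cmdlet list stand on its own. Consider widening the gate, e.g. `CommandLine|contains:` / `- 'powershell'` / `- 'pwsh'`, or keying it on `Image|endswith` instead of CommandLine. The condition `(reg or powershell_1 and powershell_2)` relies on `and` binding tighter than `or` in Sigma's condition grammar; writing `(reg or (powershell_1 and powershell_2))` makes the intended grouping explicit for readers and for backends that may not implement precedence identically. The `' sp '` pattern still requires a trailing space, so an `sp` alias at the very end of the command line is not covered. The rule header and the rest of `logsource` are outside this hunk.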