From a6f00d6acc57ec9f41c6dd9f5fe86778aeda47e7 Mon Sep 17 00:00:00 2001
From: nsaddler
Date: Sun, 18 Oct 2020 02:48:21 +0300
Subject: [PATCH] Update powershell_CL_Invocation_LOLScript.yml

---
 .../powershell/powershell_CL_Invocation_LOLScript.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
index 3a97e90fb..c7e482c88 100644
--- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
+++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml
@@ -26,10 +26,10 @@ detection:
             - 'SyncInvoke'
     timeframe: 1m
     condition:
-        - selection or (selection2 | count(ScriptBlockText) by Computer > 2)
     # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe
-        - selection2 | count(ScriptBlockText) by Computer > 2
+    # or
     # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
     # PS > SyncInvoke c:\Evil.exe
 falsepositives: Unknown
-level: high
\ No newline at end of file
+level: high
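Review bot: The combined condition `selection or (selection2 | count(ScriptBlockText) by Computer > 2)` is not valid Sigma condition syntax: an aggregation (`| count(...) by ... > N`) may appear only once, at the end of the whole condition, and cannot be parenthesised inside an `or` next to a plain selection, so sigmac/pySigma will reject the rule or mis-parse it (the +/- marker on that line looks garbled in this rendering; the diffstat's 3 insertions and the new `# or` comment indicate it is the new single condition). Keeping the two scenarios as separate list entries, `- selection` and `- selection2 | count(ScriptBlockText) by Computer > 2`, as the removed lines had them, is the supported way to OR an aggregated query with a non-aggregated one, and it keeps `timeframe: 1m` scoped to the aggregation only. Separately, if selection2 (defined above the hunk, in the `detection:` block that starts outside it) matches only the two script blocks shown in the `# PS >` comments, `> 2` can never fire on that two-line example and `>= 2` may be what is intended — confirm against selection2. The `level: high` change only adds the missing trailing newline and is fine.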