From ab5556ae8caaef4e446cbd01324c0525cbb2b38f Mon Sep 17 00:00:00 2001
From: Karneades
Date: Tue, 29 Oct 2019 19:59:43 +0100
Subject: [PATCH] fix: change keyword and bound it to a field

---
 rules/windows/powershell/powershell_suspicious_keywords.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index 42acef2ad..bbfbe5a2c 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
@@ -14,7 +14,8 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- - System.Reflection.Assembly.Load
+ Message:
+ - "*[System.Reflection.Assembly]::Load*"
 condition: keywords
 falsepositives:
 - Penetration tests
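Review bot: The new `Message` pattern `"*[System.Reflection.Assembly]::Load*"` only matches the fully qualified type name, so the equivalent shortened spelling that PowerShell resolves without the `System.` prefix, `[Reflection.Assembly]::Load(...)`, is no longer covered by this rule at all; the old unbound keyword `System.Reflection.Assembly.Load` would not have matched the bracketed `::` syntax either, so the change is an improvement, but the coverage gap is worth closing in the same edit. Adding a second list entry under the same field keeps the rule's intent while covering both forms: `Message:` / `    - "*[System.Reflection.Assembly]::Load*"` / `    - "*[Reflection.Assembly]::Load*"`. Whether `Message` carries the script text depends on which PowerShell event the logsource maps to (the `definition` line in the hunk points at Script Block Logging); that mapping is outside the hunk and should be confirmed against the backend field names. Note also that the indentation of the hunk lines is not recoverable from this collapsed patch, so the nesting shown here is by marker only.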