From b6bac087ef163cbd73a2cb46c9bc603f91d5c736 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 5 Aug 2022 18:45:44 +0100
Subject: [PATCH] Update posh_ps_tamper_defender_remove_mppreference.yml

---
 .../posh_ps_tamper_defender_remove_mppreference.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
index 82a9866e3..dc5a6bedb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
@@ -15,9 +15,9 @@ logsource:
 definition: Script block logging must be enabled
 detection:
 selection_remove:
- CommandLine|contains: 'Remove-MpPreference'
+ ScriptBlockText|contains: 'Remove-MpPreference'
 selection_tamper:
- CommandLine|contains:
+ ScriptBlockText|contains:
 - '-ControlledFolderAccessProtectedFolders '
 - '-AttackSurfaceReductionRules_Ids '
 - '-AttackSurfaceReductionRules_Actions '
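Review bot: The three `selection_tamper` values keep a trailing space inside the quotes (`'-ControlledFolderAccessProtectedFolders '`), so the new `ScriptBlockText|contains` match only fires when the parameter name is followed by exactly one space; PowerShell also accepts the `-Parameter:value` form and a tab before the argument, and neither would be matched by this selection. If the trailing space is deliberate (to avoid matching longer parameter names that share the prefix), a one-line comment in the rule would help the next maintainer, e.g. `# trailing space anchors the full parameter name` above the list. The field rename itself is consistent with the `definition: Script block logging must be enabled` line, since ScriptBlockText is the field populated by script block logging. The `detection` block continues past the end of the hunk (the `condition` is not visible), and if the rule's title or description above line 15 still refers to the command line it should be updated to match.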