From b78386d3725829c4bbcd1357c9904e040b96eb0d Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 26 May 2022 14:45:00 +0000
Subject: [PATCH] FP: ignore Amazon aws powershell

---
 .../powershell_script/posh_ps_malicious_commandlets.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index b45c6ed55..e3b99e89c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -112,11 +112,13 @@ detection:
 - 'Invoke-SMBScanner'
 - 'Invoke-Mimikittenz'
 - 'Invoke-AllChecks'
- false_positives:
+ false_positive1:
 ScriptBlockText|contains:
 - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
 - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
- condition: select_Malicious and not false_positives
+ false_positive2:
+ ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved'
+ condition: select_Malicious and not false_positive*
 falsepositives:
 - Unknown
 level: high
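Review bot: The new `false_positive2` filter keys the exclusion on the content of the logged script block itself (`ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved'`), so every script block whose first line carries that comment is dropped from the rule regardless of what follows it, a much wider blind spot than the path-anchored `Set-Wallpaper.ps1` entry in `false_positive1`. Anchoring the exclusion on the Amazon module path via `ScriptBlockText|contains`, or on the script path field if the log source exposes one, keeps it tied to something the script author does not choose; presumably long scripts are also logged as several script-block fragments, in which case only the first fragment starts with the copyright header and the rest still fire, so the suppression should be confirmed against a real Amazon sample. The `falsepositives:` section still reads `- Unknown` although the rule now carries two named Amazon EC2 exclusions; `- Amazon EC2 launch and AWS PowerShell module scripts` would document them. The `detection:` block this hunk edits starts above the hunk.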