From bd13c7b77b59e6ca719de455192c61ec4184ecc2 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 21:27:31 +0000
Subject: [PATCH] fixing yaml formatting

---
 .../powershell_script/powershell_malicious_commandlets.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
index 5491b7ab9..dcd74c258 100644
--- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
@@ -114,8 +114,9 @@ detection:
 - "Invoke-Mimikittenz"
 - "Invoke-AllChecks"
 false_positives:
- ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- ScriptBlockText|contains: C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
+ ScriptBlockText|contains
+ - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+ - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
 condition: select_Malicious and not false_positives
 falsepositives:
 - Penetration testing
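Review bot: The added `ScriptBlockText|contains` line has no trailing colon, so the two indented `- ` items that follow are no longer the list value of a `ScriptBlockText|contains` key; depending on the loader this is either a parse error or the whole `false_positives` block degrades into a plain scalar, and in both cases the filter referenced by `condition: select_Malicious and not false_positives` does not express the two exclusions the commit meant to keep. The fix is the one character the old lines had: `ScriptBlockText|contains:`. The old side was itself wrong in a quieter way (a duplicate `ScriptBlockText|contains` key, where most parsers silently keep only the last value), so running the rule through yamllint or the project's rule validator before merge would have caught both the duplicate and this regression. The inline comment `# false positive form Amazon EC2` also looks like a typo for `from`.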