From cbbb953d7f1ec4a2dafc824f4808ff92a3e4f491 Mon Sep 17 00:00:00 2001
From: Cian Mc Govern
Date: Fri, 2 Jul 2021 22:02:43 +0100
Subject: [PATCH] Move ipv6 check to selection fields as filter is negated

---
 .../network_connection/sysmon_powershell_network_connection.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
index 4a110b53e..7f922e323 100755
--- a/rules/windows/network_connection/sysmon_powershell_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
@@ -18,6 +18,7 @@ detection:
     selection:
         Image|endswith: '\powershell.exe'
         Initiated: 'true'
+        DestinationIsIpv6: 'false'
     filter:
         DestinationIp|startswith:
             - '10.'
@@ -39,7 +40,6 @@ detection:
             - '172.30.'
             - '172.31.'
             - '127.0.0.1'
-        DestinationIsIpv6: 'false'
         User: 'NT AUTHORITY\SYSTEM'
     condition: selection and not filter
 falsepositives:
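Review bot: Adding `DestinationIsIpv6: 'false'` to `selection` in the first hunk turns it into a hard requirement, so a PowerShell process connecting to any IPv6 destination, external ones included, no longer matches the rule at all; under the old layout `selection and not filter` only dropped such an event when the destination also started with one of the listed IPv4 prefixes and the user was `NT AUTHORITY\SYSTEM`. If the intent was to keep IPv6 traffic out of the exclusion rather than out of the detection, the narrower change is to leave `selection` untouched and instead extend the filter's `DestinationIp|startswith` list with the local IPv6 prefixes, e.g. `- 'fe80:'`, `- 'fc'`, `- 'fd'`, `- '::1'`. Whichever is chosen, the rule's `description` should state that only IPv4 destinations are in scope so analysts know the IPv6 blind spot exists rather than discovering it from a missed alert.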