From e0c53c1948bdcc54a260d6222b55539fb9ca57ad Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 18 Nov 2022 16:35:48 +0000
Subject: [PATCH] FP: ignore calling function Convert-GuidToCompressedGuid, part of amazon ssm worker

---
 .../proc_creation_win_powershell_xor_commandline.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
index c68ff242a..2ecee013f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
 author: Sami Ruohonen, Harish Segar (improvement), Tim Shelton
 date: 2018/09/05
-modified: 2022/01/10
+modified: 2022/11/18
 tags:
     - attack.defense_evasion
     - attack.t1059.001
@@ -26,7 +26,8 @@ detection:
             - '-join`'
             - 'char'
     false_positives:
-        ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
+        ParentImage: 'C:\Program Files\Amazon\SSM\ssm-document-worker.exe'
+        CommandLine|contains: 'function Convert-GuidToCompressedGuid'
     condition: selection and filter and not false_positives
 falsepositives:
     - Unknown
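Review bot: The two keys added under `false_positives` sit in one map, so Sigma ANDs them: a child of ssm-document-worker.exe is now suppressed only when its command line also contains `function Convert-GuidToCompressedGuid`, which narrows the previous exclusion rather than adding a second one, while the commit message reads as though a new exclusion were being added. If the narrowing is intended it is a welcome tightening — a stand-alone `CommandLine|contains` exclusion would be trivial for an attacker to satisfy by embedding that string in an otherwise malicious command — so the intent should be made explicit with a comment such as `# Both keys must match: only SSM worker invocations of Convert-GuidToCompressedGuid are suppressed`; if an OR was meant, the CommandLine key belongs in a separate filter selection. The `falsepositives:` section still lists `- Unknown` even though the rule now encodes a specific known source; it should read `- Amazon SSM document worker (ssm-document-worker.exe) executing Convert-GuidToCompressedGuid`. The hard-coded `C:\Program Files\Amazon\SSM\` path presumably misses non-default install locations, which is worth noting in the rule's description. The `detection` block and its `selection`/`filter` definitions begin before this hunk.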