diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
index 8b414ae90..36caa1cbb 100644
--- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
@@ -10,7 +10,7 @@ tags:
     - attack.t1086  #an old one
 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
 date: 2017/03/05
-modified: 2021/10/16
+modified: 2021/11/29
 logsource:
     product: windows
     category: ps_script
@@ -115,6 +115,7 @@ detection:
             - "Invoke-AllChecks"
     false_positives:
         ScriptBlockText|contains: Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+        ScriptBlockText:contains: "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1"  # false positive form Amazon EC2
     condition: select_Malicious and not false_positives
 falsepositives:
     - Penetration testing