From f57bb708bb0ca7da3871ded56dd4e78ad0b95953 Mon Sep 17 00:00:00 2001
From: nNipsx <86789668+nNipsx-Sec@users.noreply.github.com>
Date: Thu, 3 Mar 2022 11:04:26 +0700
Subject: [PATCH] Update another command line of Get-WmiObject (gwmi)

---
 .../powershell/powershell_script/posh_ps_detect_vm_env.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
index 331b1d12e..8ec1bdb03 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
@@ -17,7 +17,9 @@ logsource:
     definition: EnableScriptBlockLogging must be set to enable
 detection:
     selection_action:
-        ScriptBlockText|contains: Get-WmiObject
+        ScriptBlockText|contains:
+            - Get-WmiObject
+            - gwmi
     selection_module:
         ScriptBlockText|contains:
             - MSAcpi_ThermalZoneTemperature
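Review bot: The new `gwmi` entry under `ScriptBlockText|contains` is a bare four-character substring, so it will also match wherever `gwmi` appears inside a longer token (a variable, function or parameter name), which widens the rule beyond the alias it is meant to catch; the `condition` is outside the hunk, so whether `selection_module` bounds that widening cannot be confirmed here. If the intent is the cmdlet alias specifically, `- 'gwmi '` (quoted, with a trailing space) narrows it to the alias followed by arguments, or the broader match should be acknowledged in the rule's `falsepositives` field. The list now covers the WMI cmdlet and its alias but not the CIM equivalent that reads the same classes, so `- Get-CimInstance` and `- gcim` would keep `selection_action` consistent with the class names in `selection_module`. The rest of the rule, including `condition`, lies outside the hunk.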