change to category: ps_script

rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml

@@ -3,7 +3,7 @@ id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
 status: experimental
 description: Detects Commandlet names from ShellIntel exploitation scripts.
 date: 2021/08/09
-modified: 2021/08/21
+modified: 2021/10/16
 references:
     - https://github.com/Shellntel/scripts/
 tags:
@@ -12,11 +12,10 @@ tags:
 author: Max Altgelt, Tobias Michalski
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script Block Logging must be enable
 detection:
   selection:
-      EventID: 4104
       ScriptBlockText|contains:
         - Invoke-SMBAutoBrute
         - Invoke-GPOLinks