From fa7036430e034d4b91bfe9e28300542e6f012afb Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Thu, 15 Oct 2020 19:39:24 +0300
Subject: [PATCH] Update powershell_cmdline_special_characters.yml

---
 .../powershell_cmdline_special_characters.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
index 9420909b3..7db7e2be8 100644
--- a/rules/windows/powershell/powershell_cmdline_special_characters.yml
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
@@ -17,11 +17,12 @@ logsource:
 detection:
 selection:
 Image|endswith: '\powershell.exe'
- CommandLine|re: '.*`.*`.*`.*`.*`.*'
- CommandLine|re: '.*^.*^.*^.*^.*^.*'
- CommandLine|re: '.*{.*{.*{.*{.*{.*'
- CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
- CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
+ CommandLine|re:
+ - '.*`.*`.*`.*`.*`.*'
+ - '.*^.*^.*^.*^.*^.*'
+ - '.*{.*{.*{.*{.*{.*'
+ - '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
+ - '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
 condition: selection
 falsepositives:
 - Unlikely
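Review bot: The second list entry, `'.*^.*^.*^.*^.*^.*'`, carries an unescaped `^`, which is a start-of-input anchor rather than a literal caret, so every `.*` can match empty and each `^` can match at position 0; the pattern therefore matches any command line and would make the whole selection fire on every powershell.exe process. The caret is presumably meant as the literal escape character, which is what the five-repetition count suggests, so the entry should read `- '.*\^.*\^.*\^.*\^.*\^.*'` in the same way the `\{` and `\+` entries already escape their metacharacters. The third entry's unescaped `{` is likewise inconsistent with the fourth and, depending on the backend's regex engine, may be rejected as an invalid repetition or treated as a literal, in which case it subsumes the ten-brace pattern; escaping it as `\{` removes the ambiguity. Converting the five duplicate `CommandLine|re` keys into one list is the right shape for Sigma's OR semantics, but it leaves these two patterns untouched.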