From 192047f46da031e662c19fb9818d2e442147885c Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 27 Mar 2023 11:50:53 -0300
Subject: [PATCH] [Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell (#2663)

---
 rules/windows/defense_evasion_amsi_bypass_powershell.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
index ab373dbfb..8128e0bd9 100644
--- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/02"
+updated_date = "2023/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -81,9 +81,9 @@ event.category:"process" and host.os.type:windows and
 (powershell.file.script_block_text :
 ("System.Management.Automation.AmsiUtils" or
 amsiInitFailed or
- Invoke-AmsiBypass or
- Bypass.AMSI or
- amsi.dll or
+ "Invoke-AmsiBypass" or
+ "Bypass.AMSI" or
+ "amsi.dll" or
 AntimalwareProvider or
 amsiSession or
 amsiContext or
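Review bot: Only the three terms changed in the second hunk are quoted, while `amsiInitFailed`, `AntimalwareProvider`, `amsiSession` and `amsiContext` in the same `or` list stay bare, so the list now mixes quoted phrase terms and unquoted terms with nothing recording why. Presumably the quoting is there because those three values contain `-` or `.`; if so, a comment above the `query` key (outside this hunk, KQL itself has no comment syntax) such as `# values containing '-' or '.' are quoted so KQL matches them as a single phrase` would preserve the intent for the next tuner, and otherwise quoting every literal in the list keeps it uniform. Quoting also changes how each term is matched against `powershell.file.script_block_text` (a phrase rather than a bare term), so it is worth confirming with a sample script block containing e.g. `amsi.dll` that the rule still fires after the change, since the diff carries no test event. The query continues past the end of the hunk.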