From 28a06fd25fbdff313d94d50be1291311df99cf5d Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 20 Mar 2025 08:13:28 +0000
Subject: [PATCH] Update defense_evasion_posh_assembly_load.toml (#4543)

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 rules/windows/defense_evasion_posh_assembly_load.toml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index eed53ccae..4808f0345 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/03/19"
 
 [transform]
 [[transform.osquery]]
@@ -133,8 +133,7 @@ event.category:process and host.os.type:windows and
 powershell.file.script_block_text : (
 "[System.Reflection.Assembly]::Load" or
 "[Reflection.Assembly]::Load" or
-"Assembly.Load(" or
-"System.Reflection"
+"Assembly.Load("
 ) and
 not powershell.file.script_block_text : (
 ("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and
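Review bot: Removing `"System.Reflection"` from the script-block term list in the second hunk narrows the rule to the three explicit `Load` forms, a coverage reduction that the commit title "Update defense_evasion_posh_assembly_load.toml" does not explain. This is presumably a false-positive fix (the broad term would match any script block that merely references the reflection namespace), but the rationale should be recorded where analysts tuning the rule will see it, such as the rule's `false_positives` or `note` field, since the query is a multi-line TOML string and cannot carry a `#` comment on the changed lines. It would also help to state in the PR description which benign script patterns drove the removal, so a future reviewer does not re-add the term. The query string that these lines belong to starts and ends outside the hunk.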