From 7b15acf9dd6cd786cf4c8e580cb47d2c5ce55871 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 27 Feb 2025 14:36:15 +0000
Subject: [PATCH] Update defense_evasion_amsi_bypass_powershell.toml (#4477)

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 rules/windows/defense_evasion_amsi_bypass_powershell.toml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
index 2c9133389..20ebea80e 100644
--- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/02/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -131,9 +131,7 @@ event.category:"process" and host.os.type:windows and
 "AllocHGlobal((9076" or
 "[cHAr](65)+[cHaR]([byTe]0x6d)+[ChaR]([ByTe]0x73)+[CHaR]([BYte]0x69"
 ) or
- powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
 powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(") or
- powershell.file.script_block_text:("::AllocHGlobal((" and ("System.Management.Automation.$([" or "System.$([cHAr]" or "[cHaR]([byTe]")) or
 powershell.file.script_block_text:("::AllocHGlobal((" and ".SetValue(" and "-replace" and ".NoRMALiZe(")
 ) and not powershell.file.script_block_text : (
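Review bot: The second hunk deletes two `powershell.file.script_block_text` clauses (the `Marshal]::Copy` + `VirtualProtect` pair and the `::AllocHGlobal((` + obfuscated-namespace pair) without the subject line, the diffstat or anything on the hunk recording why, so a reader cannot tell whether this is a false-positive reduction or an intentional coverage cut. The surviving `::AllocHGlobal((` clause now also requires `.SetValue(`, `-replace` and `.NoRMALiZe(` together, so a script block that the removed `System.Management.Automation.$([` / `System.$([cHAr]` variant would have matched no longer does unless one of the other clauses catches it. I would record the rationale in the commit body or the rule's note field, e.g. `# 2025/02/21: dropped the Marshal::Copy+VirtualProtect and AllocHGlobal+obfuscated-namespace clauses (reason, FP evidence or replacement rule id)`, so the next tuning pass can tell deliberate narrowing from a regression. The `query` block this hunk edits starts before the first hunk line and continues past the last one, so the remaining clauses were not reviewed here.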