From a68a404bd89ddc445241dfa71b65fb4dfcd03710 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 1 Oct 2024 13:00:38 +0100
Subject: [PATCH] Update defense_evasion_posh_assembly_load.toml (#4112)

---
 rules/windows/defense_evasion_posh_assembly_load.toml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index 182702c17..7ee9ef5c1 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "KQL handles backslash and ? characters differently in 8.12+."
 min_stack_version = "8.12.0"
-updated_date = "2024/07/17"
+updated_date = "2024/09/30"
 
 [transform]
 [[transform.osquery]]
@@ -144,7 +144,10 @@ event.category:process and host.os.type:windows and
 ) and not powershell.file.script_block_text : (
 "Microsoft.PowerShell.Workflow.ServiceCore" and "ExtractPluginProperties([string]$pluginDir"
-  ) and
+  ) and
+
+  not powershell.file.script_block_text : ("reflection.assembly]::Load('System." or "LoadWithPartialName('Microsoft." or "::Load(\"Microsoft." or "Microsoft.Build.Utilities.Core.dll") and
+  not user.id : "S-1-5-18"
 '''
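Review bot: The added `not user.id : "S-1-5-18"` clause in the second hunk suppresses every matching script block that runs as LocalSystem regardless of its content, which is a far wider exclusion than the four pattern-specific ones added on the line above it and drops coverage for PowerShell launched by services and scheduled tasks, a context the rule is meant to watch. If the false positive being addressed is a particular SYSTEM-context script, the exclusion should be tied to it, e.g. `not (user.id : "S-1-5-18" and powershell.file.script_block_text : "<fragment from the observed alert>")` (constructed example; the fragment must come from the alert that triggered this change). The new substring exclusions also carry no record of which benign software each one matches; KQL has no comment syntax, so that belongs in the rule's `false_positives` entry, which lies outside this hunk. The `query` literal that these lines belong to starts before the first line of the hunk.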