From 91c4c4ecc51de7a7ac5e2fb3e11dd45f4ddfbb2a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 21 May 2020 13:38:11 +0200
Subject: [PATCH] refactor: slightly improved Greenbug rule

---
 rules/windows/process_creation/win_apt_greenbug_may20.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml
index 765f79a4..8c630baa 100644
--- a/rules/windows/process_creation/win_apt_greenbug_may20.yml
+++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml
@@ -6,6 +6,7 @@ references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
 author: Florian Roth
 date: 2020/05/20
+modified: 2020/05/21
 tags:
 - attack.g0049
 logsource:
@@ -17,9 +18,7 @@ detection:
 - 'bitsadmin /transfer'
 - 'CSIDL_APPDATA'
 selection2:
- CommandLine|contains|all:
- - 'PowerShell.exe'
- - '-ExecutionPolicy Bypass'
+ CommandLine|contains:
 - 'CSIDL_SYSTEM_DRIVE'
 selection3:
 CommandLine|contains:
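Review bot: Removing `'PowerShell.exe'` and `'-ExecutionPolicy Bypass'` from selection2 turns it from a three-term conjunction into a single-substring match on `CSIDL_SYSTEM_DRIVE`, so any process-creation event whose command line carries that literal now satisfies selection2 regardless of the host binary. That is plausibly intended, since a raw CSIDL token in a command line is unusual, but the commit message ("slightly improved") gives no rationale, and the `condition` that combines selection1/2/3 lies outside the hunk, so whether the rule's overall scope widened cannot be judged from here. Please record the reason next to selection2 or in the rule's `description`, e.g. `# selection2: <why the PowerShell.exe / -ExecutionPolicy Bypass terms were dropped>`, and consider re-checking the rule against a sample of benign process-creation logs for new matches. The `selection3` body also continues past the end of the hunk.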