From f34bf9d9c84ffcae07adb0f02bc53ad9ee2ecd78 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 30 Nov 2017 15:13:36 +0100
Subject: [PATCH] Reduced false positives with PowerShell casing anomaly rule

---
 yara/gen_case_anomalies.yar | 1 +
 1 file changed, 1 insertion(+)

diff --git a/yara/gen_case_anomalies.yar b/yara/gen_case_anomalies.yar
index 615e9ed..453a2c2 100644
--- a/yara/gen_case_anomalies.yar
+++ b/yara/gen_case_anomalies.yar
@@ -25,6 +25,7 @@ rule PowerShell_Case_Anomaly {
       $sn2 = "Powershell" fullword ascii wide
       $sn3 = "PowerShell" fullword ascii wide
       $sn4 = "POWERSHELL" fullword ascii wide
+      $sn5 = "powerShell" fullword ascii wide
       // PowerShell with \x19\x00\x00
       $a1 = "wershell -e " nocase wide ascii
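Review bot: The added `$sn5` string only takes effect if the rule's condition references it, and that condition is outside this hunk (the rule body continues past the last context line); if the condition names `$sn1` to `$sn4` individually instead of using the `$sn*` wildcard, YARA will reject the rule with an unreferenced-string error, so confirm the wildcard form is in use. The new exclusion entry also carries no note on where the `powerShell` casing was observed as legitimate, which matters because every string added to this set narrows what the rule can detect; a trailing comment such as `// legitimate casing observed in <source — TODO>` would let the next reviewer judge the trade-off. The hunk header announces six old-side lines but only five are visible, which presumably means a blank context line was lost when the patch text was collapsed.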