fix: FP with Elastic securitySolution.chunk.7.js

Neo23x0 · Jul 29, 2021 · 70321c7 · 70321c7
1 parent 4d8b8b2
commit 70321c7
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/yara/gen_p0wnshell.yar b/yara/gen_p0wnshell.yar
@@ -45,8 +45,12 @@ rule Hacktool_Strings_p0wnedShell {
       $x7 = "Invoke-Mimikatz" fullword ascii
       $x8 = "Invoke_Shellcode()" fullword ascii
       $x9 = "Invoke-ReflectivePEInjection" ascii
+
+      $fp1 = "Sentinel Labs, Inc." wide
+      $fp2 = "Copyright Elasticsearch B.V." ascii wide
    condition:
-      1 of them
+      1 of ($x*) 
+      and not 1 of ($fp*)
 }
 
 rule p0wnedPotato {