From 70321c75bc0a62cf1c9814603e53e1c6167459df Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 29 Jul 2021 15:04:44 +0200
Subject: [PATCH] fix: FP with Elastic securitySolution.chunk.7.js
---
 yara/gen_p0wnshell.yar | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/yara/gen_p0wnshell.yar b/yara/gen_p0wnshell.yar
index 631b8192..6ee436b5 100644
--- a/yara/gen_p0wnshell.yar
+++ b/yara/gen_p0wnshell.yar
@@ -45,8 +45,12 @@ rule Hacktool_Strings_p0wnedShell {
 $x7 = "Invoke-Mimikatz" fullword ascii
 $x8 = "Invoke_Shellcode()" fullword ascii
 $x9 = "Invoke-ReflectivePEInjection" ascii
+
+ $fp1 = "Sentinel Labs, Inc." wide
+ $fp2 = "Copyright Elasticsearch B.V." ascii wide
 condition:
- 1 of them
+ 1 of ($x*)
+ and not 1 of ($fp*)
 }
 rule p0wnedPotato {
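Review bot: The new condition `1 of ($x*) and not 1 of ($fp*)` makes the vendor-string exclusion unconditional, so a sample matching every $x string is still suppressed as soon as it carries one copyright string; since $fp1/$fp2 are plain text any file can contain, the whitelist is much broader than the single Elastic chunk named in the subject. A threshold keeps the FP fix while preserving detection on strong hits, e.g. `( 1 of ($x*) and not 1 of ($fp*) ) or 3 of ($x*)`. The two new strings should also record why they exist, e.g. `$fp2 = "Copyright Elasticsearch B.V." ascii wide // FP: securitySolution.chunk.7.js` (and the equivalent source for $fp1), since the rule header with the meta block is outside the hunk and nothing in the diff explains them. $fp1 is `wide` only while $fp2 is `ascii wide`; if that asymmetry is intentional it deserves a comment, otherwise both presumably want `ascii wide`. The enclosing rule Hacktool_Strings_p0wnedShell begins before this hunk.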