LoFP / programs using powershell directly without invocation of a dedicated interpreter.

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|contains:
  - :\Program Files\PowerShell\7-preview\pwsh.exe
  - :\Program Files\PowerShell\7\pwsh.exe
  - :\Windows\system32\dsac.exe
  - :\Windows\system32\inetsrv\w3wp.exe
  - :\Windows\System32\sdiagnhost.exe
  - :\Windows\system32\ServerManager.exe
  - :\Windows\system32\wbem\wmiprvse.exe
  - :\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
  - :\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  - :\Windows\System32\wsmprovhost.exe
  - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
  - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
filter_main_null:
  Image: null
filter_main_sqlserver:
  Image|contains|all:
  - :\Program Files
  - \Microsoft SQL Server\
  Image|endswith: \Tools\Binn\SQLPS.exe
filter_optional_citrix:
  Image|contains: :\Program Files\Citrix\
filter_optional_exchange:
  Image|contains: :\Program Files\Microsoft\Exchange Server\
selection:
  PipeName|startswith: \PSHost

condition: selection and not 1 of filter_*
filter_adace:
  ContextInfo|contains: C:\Windows\system32\dsac.exe
filter_citrix:
  ContextInfo|contains: ConfigSyncRun.exe
filter_help_update:
  Payload|contains:
  - Update-Help
  - Failed to update Help for the module
filter_powershell:
  ContextInfo|contains:
  - = powershell
  - = C:\Windows\System32\WindowsPowerShell\v1.0\powershell
  - = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
  - = C:/Windows/System32/WindowsPowerShell/v1.0/powershell
  - = C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell
filter_sdiagnhost:
  ContextInfo|contains: = C:\WINDOWS\System32\sdiagnhost.exe -Embedding
filter_winrm:
  ContextInfo|contains: C:\Windows\system32\wsmprovhost.exe -Embedding
selection:
  ContextInfo|contains: '*'