Update rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml

@@ -36,7 +36,7 @@ detection:
             - '-Encoded '
             - 'FromBase64String'
     selection_parent_susp_location:
-        - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%[Aa]pp[Dd]ata%|%[Ll]ocal[Aa]pp[Dd]ata%|\[Aa]pp[Dd]ata\([Ll]ocal|[Rr]oaming|[Ll]ocal[Ll]ow)\[^\]{1,26}\.'
+        - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
         - ParentCommandLine|contains:
             - ':\Users\Public\'
             - ':\PerfLogs\'