From 134c3ff3aa04bdc99f024d5f4666d6463546fd27 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 4 Aug 2023 11:30:44 +0200 Subject: [PATCH] Update rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../process_creation/proc_creation_win_csc_susp_parent.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml index 3bb491e34..1f5e3cb53 100644 --- a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml @@ -36,7 +36,7 @@ detection: - '-Encoded ' - 'FromBase64String' selection_parent_susp_location: - - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%[Aa]pp[Dd]ata%|%[Ll]ocal[Aa]pp[Dd]ata%|\[Aa]pp[Dd]ata\([Ll]ocal|[Rr]oaming|[Ll]ocal[Ll]ow)\[^\]{1,26}\.' + - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$' - ParentCommandLine|contains: - ':\Users\Public\' - ':\PerfLogs\'
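Review bot: The added `ParentCommandLine|re` line has a malformed group: `([Ll]ocal(Ll]ow)?|[Rr]oaming)` is missing the opening bracket before `Ll]ow`, so `(Ll]ow)?` matches the literal text `Ll]ow` and a parent launched from `\AppData\LocalLow\<file>` no longer matches, even though the removed line listed `[Ll]ocal[Ll]ow` explicitly (the rest of the line keeps its `\\` escapes intact, so this looks like a real typo rather than a transcription artifact). The group should read `([Ll]ocal([Ll]ow)?|[Rr]oaming)`. Separately, replacing the old `\.` tail with `[^\\]{1,256}$` requires the suspicious path to be the last thing on the parent command line, so a parent invoked with arguments (e.g. `...\AppData\Local\Temp\x.exe -foo`) now falls outside the match where it previously hit. If that narrowing is intentional to cut false positives, a one-line comment above the regex saying so would help the next maintainer; otherwise dropping the `$` anchor (or matching the extension as before) restores the prior coverage.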