Update proc_creation_win_susp_lolbin_non_c_drive.yml

2022-10-02 10:23:36 +02:00
parent 6af0e0c24f
commit 41a7bdb250
1 changed files with 1 additions and 3 deletions
@@ -26,9 +26,7 @@ detection:
        CommandLine|contains: 'C:\'
    filter_env_vars:
        CommandLine|contains: '%'
-    filter_env_vars:
-        CommandLine|contains: '%'
    condition: all of selection_* and not 1 of filter_*
 falsepositives:
    - Rare legitimate execution from a mounted drive by an administrator
-level: high
+level: medium