diff --git a/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
index 36157d523..4f0c9e3ca 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
@@ -26,9 +26,7 @@ detection:
 CommandLine|contains: 'C:\'
 filter_env_vars:
 CommandLine|contains: '%'
- filter_env_vars:
- CommandLine|contains: '%'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Rare legitimate execution from a mounted drive by an administrator
-level: high
\ No newline at end of file
+level: medium
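Review bot: The surviving `filter_env_vars` on the new side excludes every event whose CommandLine contains a single `%` character, which is much broader than the `%NAME%` environment-variable paths its name implies and will also suppress process creations where the `%` sits in an ordinary argument or a percent-encoded value. Tightening it to the variable form the filter is meant for, e.g. `CommandLine|re: '%[A-Za-z_][A-Za-z0-9_]*%'`, keeps the intended exclusion while shrinking the blind spot, and a comment above the filter stating what it exists to suppress would help the next maintainer. Dropping the duplicated `filter_env_vars` key is the right call since most YAML loaders silently keep the last definition, and here both copies were identical so detection logic is unchanged. The drop from `level: high` to `level: medium` is not justified anywhere in the hunk; the rationale belongs in the rule's description or the commit message. The `selection_*` blocks referenced by `condition` begin before this hunk and are not visible here.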