From 41a7bdb250f9ede2d170764ff204e6af7c751e33 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 2 Oct 2022 10:23:36 +0200
Subject: [PATCH] Update proc_creation_win_susp_lolbin_non_c_drive.yml
---
 .../proc_creation_win_susp_lolbin_non_c_drive.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
index 36157d523..4f0c9e3ca 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml
@@ -26,9 +26,7 @@ detection:
 CommandLine|contains: 'C:\'
 filter_env_vars:
 CommandLine|contains: '%'
- filter_env_vars:
- CommandLine|contains: '%'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Rare legitimate execution from a mounted drive by an administrator
-level: high
\ No newline at end of file
+level: medium
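Review bot: The downgrade from `level: high` to `level: medium` at the end of the hunk is not explained anywhere in the commit, and the rule's metadata block (which starts outside this hunk) presumably carries a `modified` date that should be bumped alongside a severity change. A short rationale next to the field would help teams that key alert routing on level, e.g. `level: medium # lowered: admin execution from mounted drives is a known benign source`. Dropping the second `filter_env_vars` key is correct, since a duplicated mapping key is either rejected or silently overwritten depending on the YAML parser, which made the old file's behaviour loader-dependent. Note that the surviving `CommandLine|contains: '%'` filter excludes every command line containing a percent sign, so any command line referencing an environment variable never reaches the condition; that blind spot is unchanged by this commit and is worth a comment on the filter if it is intentional.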