refactor: extended rule

rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml

@@ -1,6 +1,6 @@
 title: DumpMinitool Usage
 id: dee0a7a3-f200-4112-a99b-952196d81e42
-description: Detects the use of a Visual Studio bundled tool named DumpMinitool.exe 
+description: Detects the use of a Visual Studio bundled tool named DumpMinitool.exe
 status: experimental
 references:
     - https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg

rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml

@@ -1,9 +1,9 @@
 title: Suspicious DumpMinitool Usage
 id: eb1c4225-1c23-4241-8dd4-051389fde4ce
-description: Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinidump.exe 
+description: Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe 
 status: experimental
 references:
-    - https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg
+    - https://twitter.com/mrd0x/status/1511415432888131586
     - https://twitter.com/mrd0x/status/1511489821247684615
 author: Florian Roth
 date: 2022/04/06
@@ -22,9 +22,13 @@ detection:
         Image|contains: 
             - '\Microsoft Visual Studio\'
             - '\Extensions\'  # https://github.com/microsoft/vstest/blob/main/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159
-    selection_flags:
+    susp_flags:
         CommandLine|contains: '.txt'
-    condition: ( selection and not filter_folder ) or ( all of selection* )
+    cmd_has_flags:
+        CommandLine|contains: ' Full' 
+    filter_cmd_misses_flags:
+        CommandLine|contains: '--dumpType'
+    condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )
 falsepositives:
     - Unknown
 level: high