From 5e2e776bce5f37c701e3f06d2af045689e4fa989 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 26 May 2022 18:38:12 +0000
Subject: [PATCH] Adjusting condition
---
 .../process_creation/proc_creation_win_susp_execution_path.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
index 0581a29be..354ef0877 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml
@@ -39,7 +39,7 @@ detection:
 - '\Windows\Tasks\'
 - Image|startswith: 'C:\Perflogs\'
 false_positive:
- - Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
+ Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
 condition: selection and not false_positive
 fields:
 - CommandLine
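Review bot: The `false_positive` filter on the new line still excludes everything under `C:\Users\Public\IBM\ClientSolutions\Start_Programs\` by path prefix alone, and `C:\Users\Public` is writable by standard users on a default Windows install, so the exclusion is broader than the one vendor client it is meant to cover. Because keys in a Sigma selection map are ANDed, the filter can be narrowed in the same map, for example with an `Image|endswith` list of the expected executables (names to be confirmed from the environment that reported the false positive). Now that the selection is a map rather than a one-item list, further excluded paths should go in a list under the single `Image|startswith` key, since a second key of the same name would be a duplicate YAML key. A short comment above the filter, such as `# known-benign vendor install path, see <issue reference>`, would record why the exclusion exists.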