fix: rules causing too many false positives

rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml

@@ -17,7 +17,7 @@ falsepositives:
 level: high
 detection:
     selection_1:
-        - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+        - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
     condition: selection and selection_1
 ---
 logsource:

rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml

@@ -17,10 +17,10 @@ logsource:
 detection:
     selection_1:
         EventID: 4104
-        ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+        ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c/c' # FPs with |\/r
     selection_2:
         EventID: 4103
-        Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+        Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
     condition: selection_1 or selection_2
 falsepositives:
     - Unknown

rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml

@@ -33,5 +33,5 @@ fields:
     - Image
 falsepositives:
     - System administrator Usage
-    - Penetration test 
-level: high
+    - Penetration test
+level: medium 

rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml

@@ -16,7 +16,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+        CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
     condition: selection
 falsepositives:
     - Unknown

rules/windows/process_creation/win_susp_rar_flags.yml

@@ -11,8 +11,7 @@ tags:
     - attack.collection
     - attack.t1560.001
     - attack.exfiltration # an old one  
-    - attack.t1002        # an old one  
-
+    - attack.t1002        # an old one
 logsource:
     category: process_creation
     product: windows