From 7aa831eac30eba85b2a1fcb9e246715e3bae87f2 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 28 Nov 2020 13:25:28 -0300
Subject: [PATCH] Remove additional backslash
---
 rules/windows/process_creation/win_susp_sysprep_appdata.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
index daf98b204..56694bf67 100644
--- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml
+++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
@@ -17,7 +17,7 @@ detection:
 selection:
 CommandLine|contains|all:
 - 'sysprep.exe'
- - '\AppData\\'
+ - '\AppData\'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
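Review bot: The new value `'\AppData\'` ends in a backslash directly before the closing quote, which is only correct because YAML single-quoted scalars treat backslashes literally. A later switch to double quotes would turn the trailing `\"` into an escape and break the rule file. A comment above the list item would guard against that, for example `# keep single quotes: backslashes are literal here, one trailing '\' is intended`. The commit message does not say whether matching behaviour changes. How the old `\\` was interpreted probably depends on the Sigma backend, so it is worth converting the rule for the targets in use and confirming that the generated query still matches a path containing `\AppData\`. The `detection` block begins outside this hunk, so the rest of the selection was not reviewed.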