fix: wrong mapping of Windows Audit Log EventID 4688

reverts some changes introduced by commit c5fa73c328
    - removes the unnecessary/wrong field mapping
    - fixes the rules to apply to CommandLine instead of
      ParentCommandLine as the author probably intended

rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml

@@ -13,7 +13,7 @@ tags:
     - attack.defense_evasion
 status: experimental
 date: 2021/08/23
-modified: 2021/11/09
+modified: 2022/03/30
 logsource:
   product: windows
   category: process_creation
@@ -21,7 +21,7 @@ detection:
   #useful_information: add more LOLBins to the rules logic of your choice.
   selection1:
     - Image|endswith: '\wbem\WMIC.exe'
-    - ParentCommandLine|contains: 'wmic '
+    - CommandLine|contains: 'wmic '
     - OriginalFileName: 'wmic.exe'
     - Description: 'WMI Commandline Utility'
   selection2:
@@ -37,7 +37,7 @@ detection:
       - excel.exe
       - powerpnt.exe
   selection4:
-    ParentCommandLine|contains|all: 
+    CommandLine|contains|all:
       - 'process'
       - 'create'
       - 'call'

rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml

@@ -13,32 +13,32 @@ tags:
     - attack.defense_evasion
 status: experimental
 date: 2021/08/23
-modified: 2021/11/09
+modified: 2022/03/30
 logsource:
   product: windows
   category: process_creation
 detection:
   #useful_information: add more LOLBins to the rules logic of your choice.
   selection1:
-    ParentCommandLine:
-      - '*regsvr32*'
-      - '*rundll32*'
-      - '*msiexec*'
-      - '*mshta*'
-      - '*verclsid*'
+    CommandLine|contains:
+      - 'regsvr32'
+      - 'rundll32'
+      - 'msiexec'
+      - 'mshta'
+      - 'verclsid'
   selection2:
     - Image|endswith: '\wbem\WMIC.exe'
-    - ParentCommandLine|contains: 'wmic '
+    - CommandLine|contains: 'wmic '
   selection3:
     ParentImage|endswith:
       - winword.exe
       - excel.exe
       - powerpnt.exe
   selection4:
-    ParentCommandLine|contains|all: 
+    CommandLine|contains|all:
       - 'process'
       - 'create'
-      - 'call' 
+      - 'call'
   condition: selection1 and selection2 and selection3 and selection4
 falsepositives:
 - Unknown

rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml

@@ -13,7 +13,7 @@ tags:
     - attack.defense_evasion
 status: experimental
 date: 2021/08/23
-modified: 2021/11/09
+modified: 2022/03/30
 logsource:
   product: windows
   category: process_creation
@@ -21,7 +21,7 @@ detection:
  #useful_information: Add more office applications to the rule logic of choice
   selection1:
     - Image|endswith: '\wbem\WMIC.exe'
-    - ParentCommandLine|contains: 'wmic '
+    - CommandLine|contains: 'wmic '
   selection2:
     ParentImage:
       - winword.exe

rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml

@@ -17,11 +17,11 @@ logsource:
     category: process_creation
 detection:
     selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - '/UpdateDeploymentProvider'
             - '/RunHandlerComServer'
             - '.dll'
-        Image|endswith: 
+        Image|endswith:
             - '\wuauclt.exe'
     filter:
         CommandLine|contains:

tools/config/generic/windows-audit.yml

@@ -44,5 +44,5 @@ fieldmappings:
     Image: NewProcessName
     ParentImage: ParentProcessName
     Details: NewValue
-    ParentCommandLine: ProcessCommandLine
+    #CommandLine: ProcessCommandLine  # No need to map, as real name of ProcessCommandLine is already CommandLine
     LogonId: SubjectLogonId