From a4e2c0feba5e593d53f706b99d302a60cf2bc9de Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 10 Sep 2021 18:13:36 +0200
Subject: [PATCH] Revert "refactor: exclude case in which upper ticks are used"

This reverts commit f00aaf8461f97abec19f81aa4fc0edaa76ff6cf1.
---
 .../process_creation/win_susp_control_cve_2021_40444.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
index 2a02b7ad7..312b047b7 100644
--- a/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
+++ b/rules/windows/process_creation/win_susp_control_cve_2021_40444.yml
@@ -20,9 +20,7 @@ detection:
 - '\powerpnt.exe'
 - '\excel.exe'
 filter:
- CommandLine|endswith:
- - '\control.exe input.dll'
- - '\control.exe" input.dll'
+ CommandLine|endswith: '\control.exe input.dll'
 condition: selection and not filter
 falsepositives:
 - Unknown
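Review bot: The `filter` block has no comment saying which benign activity `CommandLine|endswith: '\control.exe input.dll'` is meant to exclude, and the revert message gives no reason for dropping the quoted-path form `'\control.exe" input.dll'`. With that entry gone, the same invocation started with a quoted control.exe path would presumably fall outside the filter and raise an alert. If the narrower exclusion is deliberate, for instance to keep the blind spot in a CVE-2021-40444 rule as small as possible, that should be stated next to the filter. I would add a comment above it such as `# known benign: <application> launching control.exe with input.dll; quoted-path form intentionally not excluded`, and list that case under `falsepositives` in place of `Unknown`. The `selection` this filter is subtracted from starts above the hunk, so whether the exclusion is also bounded by parent image cannot be confirmed from here.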