Update and rename proc_creation_win_rundll32_not_from_c_drive.yml to … (#3609)

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml

@@ -1,12 +1,13 @@
-title: Rundll32 From Abnormal Drive
+title: LOLBIN From Abnormal Drive
 id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
 status: experimental
-description: Detects rundll32.exe executing from an abnormal drive such as a mounted ISO.
-references:
-    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+description: Detects LOLBINs executing from an abnormal drive such as a mounted ISO.
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2022/01/25
 modified: 2022/02/14
+references: 
+    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+    - https://www.scythe.io/library/threat-emulation-qakbot
 tags:
     - attack.t1218.001
 logsource:
@@ -14,8 +15,15 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: '\rundll32.exe'
-    filter:
+            - '\rundll32.exe'
+            - '\calc.exe'
+            - '\mshta.exe'
+            - '\cscript.exe'
+            - '\wscript.exe'
+            - '\regsvr32.exe'
+            - '\installutil.exe'
+            - '\cmstp.exe'
+    filter_currentdirectory:
         - CurrentDirectory|contains: 'C:\'
         - CurrentDirectory: ''
     filter_null: