Update proc_creation_win_susp_squirrel_lolbin.yml

rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml

@@ -28,25 +28,24 @@ detection:
         CommandLine|contains|all:
             - 'C:\Users\'
             - '\AppData\Local\Discord\Update.exe'
-            - ' --processStart Discord.exe'
+            - ' --processStart'
+            - 'Discord.exe'
     filter_github_desktop:
-        - CommandLine|contains|all:
+        CommandLine|contains|all:
             - 'C:\Users\'
-            - '\AppData\Local\GitHubDesktop\Update.exe --createShortcut GitHubDesktop.exe'
-        - CommandLine|contains|all:
-            - 'C:\Users\'
-            - '\AppData\Local\GitHubDesktop\Update.exe --processStartAndWait GitHubDesktop.exe'
-    filter_teams:
-        - CommandLine|contains|all:
-            - 'C:\Users\'
-            - '\AppData\Local\Microsoft\Teams\Update.exe'
-            - '--processStart'
-            - 'Teams.exe'
-        - CommandLine|contains|all:
-            - 'C:\Users\'
-            - '\AppData\Local\Microsoft\Teams\Update.exe'
+            - '\AppData\Local\GitHubDesktop\Update.exe'
+            - 'GitHubDesktop.exe'
+        CommandLine|contains:
             - '--createShortcut'
+            - '--processStartAndWait'
+    filter_teams:
+        CommandLine|contains|all:
+            - 'C:\Users\'
+            - '\AppData\Local\Microsoft\Teams\Update.exe'
             - 'Teams.exe'
+        CommandLine|contains:
+            - '--processStart'
+            - '--createShortcut'
     condition: all of selection* and not 1 of filter_*
 falsepositives:
     - 1Clipboard
@@ -81,4 +80,4 @@ falsepositives:
     - Gitkraken
     - Slack
     - Teams
-level: medium
+level: medium