Remove Additional backslash and update logic

rules/windows/process_creation/win_exploit_cve_2019_1378.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378 
 references:
     - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
-author: Florian Roth
+author: Florian Roth, oscd.community, Jonhnathan Ribeiro
 date: 2019/11/15
 modified: 2020/08/29
 tags:
@@ -19,15 +19,19 @@ logsource:
     product: windows
 detection:
     selection:
-        ParentCommandLine|endswith: 
-            - '\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd'
-            - '\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd'
+        ParentCommandLine|contains|all: 
+            - '\cmd.exe'
+            - '/c'
+            - 'C:\Windows\Setup\Scripts\'
+        ParentCommandLine|endswith:
+            - 'SetupComplete.cmd'
+            - 'PartnerSetupComplete.cmd'
     filter:
         Image|startswith: 
-            - 'C:\Windows\System32\\'
-            - 'C:\Windows\SysWOW64\\'
-            - 'C:\Windows\WinSxS\\'
-            - 'C:\Windows\Setup\\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\WinSxS\'
+            - 'C:\Windows\Setup\'
     condition: selection and not filter
 falsepositives:
     - Unknown