rule: the actual changes to hwp rule

rules/windows/process_creation/win_hwp_exploits.yml

@@ -22,9 +22,9 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine: '*\rundll32.exe *,#*'
+        ParentImage: '*\Hwp.exe'
+        Image: '*\gbb.exe'
     condition: selection
 falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-    - Windows contol panel elements have been identified as source (mmc)
+    - Unknown
 level: high