Update win_plugx_susp_exe_locations.yml

rules/windows/process_creation/win_plugx_susp_exe_locations.yml

@@ -7,6 +7,7 @@ references:
     - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
 author: Florian Roth
 date: 2017/06/12
+modified: 2020/11/28
 tags:
     - attack.s0013
     - attack.defense_evasion
@@ -85,7 +86,18 @@ detection:
             - '\Windows Kit'
             - '\Windows Resource Kit\'
             - '\Microsoft.NET\'
-    condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
+    condition: ( selection_cammute and not filter_cammute ) or 
+               ( selection_chrome_frame and not filter_chrome_frame ) or 
+               ( selection_devemu and not filter_devemu ) or 
+               ( selection_gadget and not filter_gadget ) or 
+               ( selection_hcc and not filter_hcc ) or 
+               ( selection_hkcmd and not filter_hkcmd ) or 
+               ( selection_mc and not filter_mc ) or 
+               ( selection_msmpeng and not filter_msmpeng ) or 
+               ( selection_msseces and not filter_msseces ) or 
+               ( selection_oinfo and not filter_oinfo ) or 
+               ( selection_oleview and not filter_oleview ) or 
+               ( selection_rc and not filter_rc )
 fields:
     - CommandLine
     - ParentCommandLine