Fixed rules that likely will cause false negatives by fix

rules/windows/process_creation/win_local_system_owner_account_discovery.yml

@@ -25,7 +25,7 @@ detection:
       - Image|endswith: '\cmd.exe'
         CommandLine|contains|all: 
             - '/c'
-            - 'dir'
+            - 'dir '
             - '\Users\'
     filter_1:
         CommandLine|contains:

rules/windows/process_creation/win_susp_eventlog_clear.yml

@@ -20,16 +20,16 @@ detection:
         Image|endswith: '\wevtutil.exe'
     selection_wevtutil_command:
         CommandLine|contains:  
-            - ' clear-log ' # clears specified log
+            - 'clear-log' # clears specified log
             - ' cl '        # short version of 'clear-log'
-            - ' set-log '   # modifies config of specified log. could be uset to set it to a tiny size
+            - 'set-log'   # modifies config of specified log. could be uset to set it to a tiny size
             - ' sl '        # short version of 'set-log'
     selection_other_ps:
         Image|endswith: '\powershell.exe'
         CommandLine|contains: 
-            - ' Clear-EventLog '
-            - ' Remove-EventLog '
-            - ' Limit-EventLog '
+            - 'Clear-EventLog'
+            - 'Remove-EventLog'
+            - 'Limit-EventLog'
     selection_other_wmic:
         Image|endswith: '\wmic.exe'
         CommandLine|contains: ' ClearEventLog '

rules/windows/process_creation/win_susp_fsutil_usage.yml

@@ -22,8 +22,8 @@ detection:
         OriginalFileName: 'fsutil.exe'
     selection:
         CommandLine|contains: 
-            - ' deletejournal '  # usn deletejournal ==> generally ransomware or attacker
-            - ' createjournal '  # usn createjournal ==> can modify config to set it to a tiny size
+            - 'deletejournal'  # usn deletejournal ==> generally ransomware or attacker
+            - 'createjournal'  # usn createjournal ==> can modify config to set it to a tiny size
     condition: (1 of binary_*) and selection
 falsepositives:
     - Admin activity