perf(rules): Improve Vulnerable or malicious driver dropped rule

rabbitstack · rabbitstack · commit 7a2528670f57 · 2024-09-11T19:42:12.000+02:00
Introduce `file.is_driver` condition to stop
evaluating the subsequent conditions inside the
paren expression as they may consume unneeded CPU cycles.
diff --git a/rules/privilege_escalation_vulnerable_or_malicious_driver_dropped.yml b/rules/privilege_escalation_vulnerable_or_malicious_driver_dropped.yml
@@ -16,7 +16,7 @@ references:
   - https://www.loldrivers.io/
 
 condition: >
-  create_file
+  create_file and file.is_driver
     and
   (file.is_driver_vulnerable or file.is_driver_malicious)
 
