Merge pull request #3439 from SigmaHQ/aurora-false-positive-fixing

fix: FP with VSCode extensions

rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml

@@ -7,6 +7,7 @@ references:
     - https://twitter.com/cyb3rops/status/1562072617552678912
     - https://ss64.com/nt/cmd.html
 date: 2022/08/23
+modified: 2022/08/28
 tags:
     - attack.execution
     - attack.t1059.001
@@ -46,6 +47,9 @@ detection:
             - 'cmd /c '
             - 'cmd.exe /k '
             - 'cmd /k '
+    filter_falsepositives:
+        - CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
+        - CommandLine|endswith: 'cmd.exe/c .'
     condition: 1 of selection* and not 1 of filter*
 falsepositives:
     - Unknown