fix: FPs that only show up in Aurora

Sysmon configs are often too restricted

rules/windows/image_load/image_load_wsman_provider_image_load.yml

@@ -3,7 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
 status: experimental
 date: 2020/06/24
-modified: 2021/11/17
+modified: 2021/11/23
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.execution
@@ -30,10 +30,12 @@ detection:
             - Microsoft.WSMan.Management.dll
     filter_ps:
         Image|endswith: '\powershell.exe'
+    filter_bits: # not available in Sysmon data, but Aurora logs
+        CommandLine|contains: 'svchost.exe -k netsvcs -p -s BITS'
     respond_server:
         Image|endswith: '\svchost.exe'
         OriginalFileName: 'WsmWmiPl.dll'
-    condition: (request_client and not filter_ps) or respond_server
+    condition: (request_client and not filter_ps and not filter_bits) or respond_server
 falsepositives:
     - Unknown
 level: medium

rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml

@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
 status: experimental
 date: 2020/10/20
-modified: 2021/11/20
+modified: 2021/11/23
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.credential_access
@@ -28,6 +28,7 @@ detection:
         Image|startswith: 
             - 'C:\Windows\System32\'
             - 'C:\Windows\explorer.exe'
+            - 'C:\Program Files\'
     condition: selection and not filter
 falsepositives:
     - other legitimate processes loading those DLLs in your environment.