fix: FPs noticed with Aurora

rules/windows/file_event/sysmon_creation_system_file.yml

@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in a suspicious folder
 author: Sander Wiebing, Tim Shelton
 date: 2020/05/26
-modified: 2022/02/07
+modified: 2022/02/22
 tags:
     - attack.defense_evasion
     - attack.t1036.005
@@ -47,7 +47,9 @@ detection:
             - 'C:\Windows\winsxs\'
             - 'C:\Windows\WinSxS\'
             - '\SystemRoot\System32\'
-        Image|endswith: '\Windows\System32\dism.exe'
+        Image|endswith: 
+            - '\Windows\System32\dism.exe'
+            - '\TiWorker.exe'
     filter2:
         TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
         Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'