Merge pull request #3685 from phantinuss/master

Fix FPs

rules/windows/file/file_event/file_event_win_creation_system_file.yml

@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
 date: 2020/05/26
-modified: 2022/11/08
+modified: 2022/11/09
 tags:
     - attack.defense_evasion
     - attack.t1036.005
@@ -91,6 +91,7 @@ detection:
             - 'C:\Windows\System32\'
             - 'C:\Windows\SysWOW64\'
             - 'C:\Windows\WinSxS\'
+            - 'C:\Windows\SoftwareDistribution\'
             - '\SystemRoot\System32\'
         Image|endswith:
             - '\Windows\System32\dism.exe'

rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml

@@ -6,7 +6,7 @@ references:
     - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
 author: frack113
 date: 2022/02/16
-modified: 2022/06/02
+modified: 2022/11/09
 tags:
     - attack.defense_evasion
 logsource:
@@ -24,7 +24,9 @@ detection:
             - '-u '
     filter:
         ParentImage: 'C:\Windows\System32\winlogon.exe'
-    condition: selection and not filter
+    filter_null:
+        ParentImage: '-'
+    condition: selection and not 1 of filter*
 falsepositives:
     - Unknown
 level: medium